Biometric Security

Biometric Security
Copyright © 2015. Cambridge Scholars Publisher. All rights reserved.
Biometric Security, edited by David Chek Ling Ngo, et al., Cambridge Scholars Publisher, 2015. ProQuest Ebook Central,
http://ebookcentral.proquest.com/lib/aut/detail.action?docID=2076603.
Created from aut on 2020-03-10 15:37:43.
Biometric Security
Edited by
David Chek Ling Ngo,

Andrew Beng Jin Teoh
and Jiankun Hu
Biometric Security
Edited by David Chek Ling Ngo, Andrew Beng Jin Teoh and Jiankun Hu
This book first published 2015
Cambridge Scholars Publishing
Lady Stephenson Library, Newcastle upon Tyne, NE6 2PA, UK
British Library Cataloguing in Publication Data

A catalogue record for this book is available from the British Library
Copyright © 2015 by David Chek Ling Ngo, Andrew Beng Jin Teoh,
Jiankun Hu and contributors
All rights for this book reserved. No part of this book may be reproduced,
stored in a retrieval system, or transmitted, in any form or by any means,
electronic, mechanical, photocopying, recording or otherwise, without
the prior permission of the copyright owner.
ISBN (10): 1-4438-7183-4

ISBN (13): 978-1-4438-7183-9
TABLE OF CONTENTS
Preface ....................................................................................................... vii
Part 1. Biometric Template Protection
Chapter One ................................................................................................. 2

Cancelable Biometrics and Data Separation Schemes
Kenta Takahashi
Chapter Two .............................................................................................. 37

Minutiae-based Fingerprint Representations: Review, Privacy,
Security and Cryptographic Realization
Zhe Jin, Syh-Yuan Tan, Andrew Teoh Beng Jin and Bok-Min Goi
Chapter Three ............................................................................................ 92

Palmprint Template Protection Technologies
Lu Leng
Part 2. Biometric Key and Encryption
Chapter Four ............................................................................................ 134

Biometric Discretization for Template Protection and Cryptographic
Key Generation
Meng-Hui Lim
Chapter Five ............................................................................................ 165

De-Identifying Biometric Images by Decomposition and Mixing
Asem Othman and Arun Ross
Part 3. Biometric System Analysis
Chapter Six .............................................................................................. 198

BioPACE: Biometric-Protected Authentication Connection Establishment
Nicolas Buchmann, Christian Rathgeb, Roel Peeters, Harald Baier
and Christoph Busch
vi Table of Contents
Chapter Seven.......................................................................................... 224

Privacy and Security Assessment of Biometric Systems
Mohamad El-Abed, Patrick Lacharme and Christophe Rosenberger
Chapter Eight ........................................................................................... 255

A Generalized Framework for Privacy and Security Assessment
of Biometric Template Protection
Xuebing Zhou and Bian Yang
Part 4. Privacy-Enhanced Biometric Systems
Chapter Nine............................................................................................ 274

Secure and Efficient Iris and Fingerprint Identification
Marina Blanton and Paolo Gasti
Chapter Ten ............................................................................................. 312

Identification Over Outsourced Biometric Data
Julien Bringer, Hervé Chabanne and Alain Patey
Chapter Eleven ........................................................................................ 351

A Collaborative Framework Design for Distributed
Biometrics-based Authentication in the Cloud
Kok-Seng Wong and Myung Ho Kim
Chapter Twelve ....................................................................................... 381

Secure Two-Party Computation and Biometric Identification
Julien Bringer, Hervé Chabanne and Alain Patey
Part 5. Other Biometric Security Technologies
Chapter Thirteen ...................................................................................... 428

Watermarked Biometrics
Fengling Han, Ron van Schyndel and Mohammed Ahmad A Alkhathami
Chapter Fourteen ..................................................................................... 459

3D Fingerprints: A Survey
Wei Zhou, Jiankun Hu, Song Wang, Ian Petersen
and Mohammed Bennamoun
PREFACE
Modern biometrics is defined as the science of using biological

properties to identify individuals. Biometrics delivers an enhanced level of
security by means of a “proof of property”, where the claimant presents
“proofs” that directly connect with their own intrinsic physical or
behavioral characteristics. Security by means of biometrics implies that the
user is spared from having to remember a password, or to carry a token,
and that the identity of the user is much more difficult to duplicate or share
with others, owing to the uniqueness and non-repudiation nature of
biometrics.
The design and deployment of a biometric system, however, obscures
many pitfalls, which, when underestimated, can lead to major security
risks and privacy threats. Since there exists a strong binding between the
user and their identity, biometric identity theft and privacy invasion have
become issues of great concern. A biometric template, once compromised,
is difficult to revoke or replace; furthermore, it is rendered unusable, just
as with a password. The avoidance of a database storing biometrics, or
perhaps storing them to the fullest extent possible, has emerged as a

preventive and defensive measure.
This book volume is a reference work containing articles on a
comprehensive range of topics that discuss recent advances and
discoveries in “biometric security and privacy”, a relatively new and
multidisciplinary research which emerged in the late 90’s, so to address
two essential problems: the privacy concerns as well as the security
concerns associated with biometric systems. It compiles a total of fourteen
articles, all contributed by thirty-two eminent researchers in the field, thus
providing a concise and accessible coverage of not only general issues, but
also providing state-of-the-art, reliable solutions, so to address these issues
in five parts: (1) Biometric Template Protection, which covers cancellable
biometrics and its parameter management protocol; (2) Biometric Key and
Encryption, focusing on biometric key generation and visual biometric
cryptography; (3) Biometric Systems Analysis, dealing with biometric
system security, and privacy evaluation and assessment; (4) Privacy
Enhanced Biometric Systems, covering privacy-enhanced biometric
system protocol design and implementation; and (5) Other Biometric
Security Technologies.
Specifically, the book is organized as follows:
viii Preface
Part 1
Chapter 1, “Cancelable Biometrics and Data Separation Schemes,”
discusses several typical parameter management schemes for cancellable
biometrics and their limitations. The chapter introduces a scheme based on
server-side parameter management, in detail, so to address the usability
problem, and also discusses a number of authentication protocols for this
scheme. The security and usability of the schemes are also discussed and
compared.
Chapter 2, “Minutiae-based Fingerprint Representations: Review,
Privacy, Security and Cryptographic Realization,” presents an overview
for fixed-length and variable-size minutiae-based fingerprint representations.
It makes use of three methods, so to provide a case study on the generation
of fingerprint representations from minutiae. An instance of cryptographic
realization using minutiae-based fingerprint representation is also
demonstrated.
Chapter 3, “Palmprint Template Protection Technologies,” introduces
and compares the existing palmprint template protection technologies,
which can be divided into three categories, namely palmprint cryptosystems,
cancelable palmprint, and hybrid methods. The future outlook of these
technologies is highlighted.
Part 2
Chapter 4, “Biometric Discretization for Template Protection and
Cryptographic Key Generation,” reviews recent advances on quantization,
as well as on feature encoding in biometric discretization. The author also
presents an extensive comparative study of several state-of-the-art
discretization schemes, and suggests future directions.
Chapter 5, “Biometric Privacy Using Visual Cryptography and Mixing
Techniques,” explores methods that can be used to extend privacy to
biometric data in the context of an operational system. The authors discuss
a method based on Visual Cryptography that de-identifies a face or
fingerprint image prior to storing it by decomposing the original image
into two images in such a way that the original image can be revealed only
when both images are simultaneously made available; further, each
component image does not reveal the identity of the original image. They
also discuss a method based on the concept of mixing, so to extend privacy
to fingerprint images.
Biometric Security ix
Part 3
Chapter 6, “BioPACE: Biometric-Protected Authentication Connection
Establishment,” introduces BioPACE, a biometrics based authentication
protocol. The operation mode of BioPACE is described in detail, the
integration of biometric information is investigated and a security
assessment is given.
Chapter 7, “Privacy and Security Assessment of Biometric Systems,”
illustrates various security and privacy issues, as well as the evaluation of
biometric systems. The EvaBio tool - an evaluation tool for the security
and privacy assessment of biometric systems, is also introduced.
Chapter 8, “A Generalized Framework for Privacy and Security
Assessment of Biometric Template Protection,” establishes a comprehensive
evaluation framework for biometric template security and privacy. The
assessment framework is composed of three components; goals
identification, threat models determination, and evaluation metrics and
process development. A case study on iris fuzzy commitment is
demonstrated.
Part 4
Chapter 9, “Secure and Efficient Iris and Fingerprint Identification,”
presents the design, security analysis, and performance of privacy-

preserving identification protocols for iris codes and fingerprints. The
authors also demonstrate, with certain optimizations, that such techniques
are suitable for practical use on large data sets.
Chapter 10, “Identification over Outsourced Biometric Data,”
introduces several protocols for outsourcing biometric data to an untrusted
server while maintaining identification functionalities without compromising
confidentiality of the data or privacy of the requests.
Chapter 11, “A Collaborative Framework Design for Distributed
Biometrics-based Authentication in the Cloud,” outlines a privacy-
preserved and security-protected solution for biometric data stored in the
cloud.
Chapter 12, “Secure Two-Party Computation and Biometric
Identification,” summarizes secure Two-Party Computation concepts and
techniques that can be applied to privacy-preserving biometric
identification.
x Preface
Part 5
Chapter 13, “Biometric Watermarking,” discusses the use of
biometrics in remote identity authentication services via watermarking
technology. The authors showcase a case study of watermark embedding
of fingerprint images based on Wong’s original algorithm, the Discrete
Cosine Transform (DCT), and the Dual Tree Complex Wavelet Transform
(DTCWT).
Chapter 14, “The 3D Fingerprints-A Survey,” investigates the
acquisition of 3D fingerprint images, the compatibility between 3D
fingerprints and 2D fingerprints, and the feature representations of 3D
fingerprints. Specific recommendations for future research directions in
3D fingerprints are also provided.
The target audience for the book includes researchers, scholars,
graduate students, engineers, IT practitioners and developers who are
interested in security and privacy related issues in biometric systems. Also,
managers of organizations with strong security needs will find this book of
great value.
The editors would like to express their sincere gratitude to all
distinguished contributors who make this book possible, and the group of
reviewers who have offered invaluable comments to improve the quality
of each and every chapter. A dedicated team at Cambridge Scholars
Publishing has also assisted the editors continuously from inception to

final production of the book. We thank them for their painstaking efforts
in all stages of production. We gratefully acknowledge the financial
support that we have received from Sunway University.
A B J Teoh, D C L Ngo and J Hu

January 15
PART 1.
BIOMETRIC TEMPLATE PROTECTION

CHAPTER ONE
CANCELABLE BIOMETRICS AND DATA

SEPARATION SCHEMES
KENTA TAKAHASHI
HITACHI, LTD., YOKOHAMA RESEARCH LABORATORY,
KANAGAWA, JAPAN
Abstract
Protecting biometric information is a critical issue in biometric systems,
since biometric characteristics such as fingerprints, irises, and face and
vein patterns, constitute privacy information, and more importantly, they
cannot be changed or revoked like passwords. To address this issue, a
privacy-preserving biometric authentication scheme called cancellable

biometrics has been studied, in which the biometric features are
transformed by a kind of encryption or one-way function, and matched
without restoring the original features. The transformation function is
determined by a user-specific parameter, which plays a similar role to an
encryption key or a salt. To secure biometric features using cancellable
biometrics, the parameters must be managed separately from the
transformed features.
In this chapter, firstly, several studies on cancellable biometrics are
reviewed. Secondly several typical schemes for parameter management
are introduced and their limitations, mainly of usability, are discussed.
Subsequently, another scheme based on server-side parameter
management is introduced, so to address the usability problem, and several
authentication protocols for this scheme are presented. Finally, the security
and usability of the schemes are discussed and compared.
Keywords: biometrics, cancellable biometrics, template protection,

information security
Cancelable Biometrics and Data Separation Schemes 3
1 Introduction
Biometric authentication technology, a technology which automatically
identifies a person based on his/her physical or behavioral features, has
been used for user authentication for various applications, such as physical
access control and computer application login. In future, this technology is
expected to be applied to remote user authentication over networks, e.g.
Internet banking, e-commerce, and various cloud services. A typical
remote biometric authentication system consists of an authentication
server and client terminals with biometric sensors [23]. The server retains
the biometric feature data associated with user IDs called templates, in a
database.
However, problems emerge. The first is a security concern: Because
biometric features such as fingerprint patterns are unchangeable, unlike
passwords, they cannot be changed or revoked even if the templates or
feature data are compromised. The second is a privacy concern: Biometric
information is strongly linked to a person’s identity, and hence some users
have refrained from disclosing their biometric data to servers over the
network.
Conventional remote biometric authentication systems have dealt with
these problems by encrypting templates in the databases, and by using
cryptographic communication. However, the encrypted templates must be
decrypted in the server, so to perform pattern matching at the time of

authentication. Thus, a skilled attacker or a malicious administrator of the
server can acquire the original templates. Biometric template protection
(BTP) schemes, which address these issues, have been studied for
approximately a decade, and can broadly be classified into two categories;
feature transformation and biometric cryptosystems [13].
The biometric cryptosystems [38], such as ones employing fuzzy vault
(e.g. [18]), take the approach of extracting stable binary representations
from noisy biometrics data (biometric key generation), and using it as a
cryptographic key or a password. However, since most biometric key
generation methods rely on error correcting code theory, the performance,
i.e. false rejection rate (FRR) and false acceptance rate (FAR), of
biometric cryptosystems is limited by the error-correcting capability.
Generating a stable key from noisy biometric data, but culminating in a
practical performance, is a major challenge in this approach.
The feature transformation approach was first proposed by Ratha, et.
al. [22], named cancellable biometrics. Here, we label the set of BTP
methods based on this approach ‘cancellable biometrics’. In cancellable
biometrics, biometric features are transformed and matched in the
4 Chapter One
transformed domain, directly without restoring the original feature. The

transformation function is determined by a (typically user-specific)
parameter, which may be a set of multiple parameter values. The
parameter plays a similar role as an encryption key or a salt. Even if the
transformed template (the cancellable template) or the parameter is com-
promised, their effect can be revoked by changing the parameter and
reissuing a cancellable template via a new parameter, without changing the
original biometric features. In this chapter, we firstly provide an overview
of the BTP scheme and then review several studies on cancellable
biometrics.
Various methods pertaining to cancellable biometrics such as [2, 25,
21, 3, 30, 31] have the potential to take advantage of sophisticated
conventional matchers, with practical accuracy. In addition, several feature
transformation functions are considered to have high security in the sense
that it is impossible or computationally difficult to restore or guess the
original template from a cancellable template without knowing the
parameter. For example, transformations proposed in [30] are
mathematically proven to be information-theoretically secure.
Many of these transformations including [2, 25, 7, 30] are types of
encryptions where the parameter plays a key role. Using the analogy of
encryption, it is possible to decrypt the original template from the
cancellable template by using the parameter. In other words, an attacker,
with a cancellable template and a corresponding parameter, can obtain the

original template using these transformations. Therefore, it is important to
manage the parameter securely and separately from the cancellable
template in order not to compromise the security of the encryptions and
original templates simultaneously. Even if one of the two data, i.e., the
parameter or the cancellable template, is compromised, it is possible to
recover security by revoking and replacing both data, i.e., changing the
parameter and replacing the cancellable template.
We may note, in passing, that there are many studies on one-way or
non-invertible transformations for cancellable biometrics, such as [27,
33, 36, 21, 37, 39]. These studies aim at constructing transformations
which make it suƥciently hard to recover the original template, even if
both the cancellable template and the corresponding parameter are known.
However, recent studies show vulnerabilities in the sense that it is easy to
find either a close approximation of the original template or a pre-image of
the cancellable template [20, 16, 17]. Note that the original template is not
necessary, but one of the pre-images (or one similar to it) is suƥcient for
impersonation attack [17]. The diƥculty of finding a biometric feature
from a cancellable template that is close enough to “match” the original
template is called authorised-leakage irreversibility in [26]. As pointed out

in [26], breaking authorised-leakage irreversibility is not difficult unless
the FAR is extremely low. Otherwise, an attacker can perform an oƫine
FAR attack as follows; for each sample from a suƥciently large biometric
database of real or artificially generated features, the attacker transforms
the sample, and compares it to the cancellable template. To prevent attacks
to authorised-leakage irreversibility, including the oƫine FAR attack,
again, data separation is recommended even for one-way or non-invertible
transformation.
The rest of this chapter is organized as follows. Sec. 2 is an overview
of the BTP and the cancellable biometrics scheme. In Sec. 3, several
algorithms for cancellable biometrics as examples are reviewed. In Sec. 4,
naive parameter management schemes for cancellable biometrics are
introduced, and their limitations, mainly of usability of authentication
systems, are discussed. In Sec. 5, another parameter management scheme
with high usability and security is introduced, which is based on a server-
side parameter management model and an authentication protocol using
one-time parameters and one-time templates. In Sec. 6, the security of the
introduced scheme is evaluated, and its usability is compared with other
schemes. Finally, the chapter is summarized in Sec. 7.
2 Biometric Template Protection and Cancelable

Biometrics
2.1 Architecture Overview
An overview of BTP architecture described in the ISO/IEC24745 is
provided in Fig.1. During enrollment, the extracted biometric feature is
encoded by a pseudonymous identifier encoder (PIE) to generate a
pseudonymous identifier (PI) and auxiliary data (AD). The PI and AD pair
is called a renewable biometric reference (RBR). During authentication,
the newly extracted biometric feature is transformed to a pseudonymous
identifier (PI*) by a pseudonymous identifier recorder (PIR). Following
this, the pseudonymous identity comparator (PIC) compares PI and PI*
and returns a similarity score.
In the context of cancellable biometrics, an AD is called a parameter
and a PI is called a cancellable template. As discussed above, the
cancellable template (PI) and the parameter (AD) should be stored and
managed separately, in order to avoid being compromised simultaneously.
In the ISO/IEC24745, eight system models (Models A to H) with diěerent
scenarios for the storage of PIs and ADs are listed [11]. However, data
6 Chapterr One
Figure 1: Arcchitecture for biiometric templaate protection [111]
separation iss considered only

o in two mo odels (Modelss G and H).
Furthermoree, in one of thee two models (Model H), w where the PI iss stored
in a client annd the AD is stored
s in a tok
ken, the client reads the AD
D from the
token at the authenticationn stage. Thereefore, the PI annd AD may leeak
immediatelyy from a maliccious or vulnerable client. Inn this sense, this
model is nott a secure dataa separation model
m for BTPP.
A typicaal data separatiion model for cancellable bbiometrics and

d data
flow is show
wn in Fig.2.
Figure 2: Typpical system moodel of cancellaable biometrics
Let ܺǡ ܻ denote biometric features for enrollment and authentication

respectively, and ‫ܭ‬ǡ ܶ denote a parameter and a cancellable template
respectively. A PIE can be constructed using a parameter generation
function Gen and a feature transformation function, ‫ܨ‬ா . Typically, Gen
generates a parameter ‫ ܭ‬randomly using, for example, a pseudo random
generator. Here, a PIR, of a feature transformation function, ‫ܨ‬஺ , can be
constructed. The transformation functions ‫ܨ‬ா and ‫ܨ‬஺ , which can be the
same (e.g., [35]) or diơerent (e.g., [29]), are defined as follows:
‫ܨ‬ா ǡ ‫ܨ‬஺ ǣ ࣲ ൈ ࣥ ՜ ࣮ǡ (1)
where ࣲ㻌is the biometric feature space, ࣥ㻌is the parameter space, and ࣮㻌is
the transformed feature space.
In the enrollment stage, a biometric feature data ܺ is transformed to a
cancellable template ܶ ൌ ‫ܨ‬ா ሺܺǡ ‫ܭ‬ሻ based on a randomly generated
parameter ‫ܭ‬, and stored in the server as a PI. ‫ ܭ‬is stored in a client-side
storage device such as a USB token or a smart card. In the authentication
stage, a newly extracted feature Y is transformed to ܸ ൌ ‫ܨ‬஺ ሺܻǡ ‫ܭ‬ሻusing
the parameter ‫ ܭ‬retrieved from the storage and sent to the server as a PI*.
The server compares V and T and evaluates the similarity. The
transformation functions ‫ܨ‬ா and ‫ܨ‬஺ can be the same or diěerent. Even if
the cancellable template ܶ ൌ ‫ܨ‬ா ሺܺǡ ‫ܭ‬ሻ or the parameter K leaks out,
either can be revoked by generating a new parameter ‫ܭ‬Ԣ㻌and replacing T

with ܶԢ ൌ ‫ܨ‬ா ሺܺǡ ‫ܭ‬Ԣሻ.
2.2 Desirable Properties

Desirable properties or criteria for performance evaluation of BTP systems
have been considered and discussed in literature, for example [13, 17, 6],
and organized in [26] into three categories of performance: technical,
protection, and operational.
The technical performance includes accuracy (or accuracy degradation),
throughput, and so on. The operational performance includes modality
independence, interoperability, and so on. Refer to [26] for the detail.
In this chapter, we focus on the protection performance or security, i.e.,
irreversibility and unlinkability. Irreversibility refers to the secrecy of the
original biometric feature from the renewable biometric reference
RBR=(PI,AD) or the PI alone or the AD alone. This property is subdivided
into (i) full-leakage irreversibility (FLI), and (ii) authorized-leakage
8 Chapter One
irreversibility (ALI)1. The FLI refers to a diĜculty to determine the exact

original feature, whereas ALI refers to a difficulty to determine a feature
similar to the original feature adequate to pass authentication. From a
security point of view, the ALI is more important than the FLI. However,
as mentioned above, if an attacker knows the RBR=(PI,AD), the ALI
cannot be achieved in practice, due to the effect of the oĝine FAR attack,
unless the FAR is extremely low. Therefore, here, we discuss the ALI
from the PI alone or the AD alone.
Alternatively, unlinkability refers to the diĜculty of cross-comparison
of the RBRs or the PIs or the ADs, and determines if they are generated
from the same biometric feature or not. If the operators of the systems
collude with each other, they may be able to relate the user ID of each
system by cross-comparing the DBs. Unlinkability is necessary so to
prohibit successful cross-comparison, and to protect the privacy of users
who have enrolled the RBRs to diěerent systems. As is the case with
irreversibility, attackers who know the RBR1 = (PI1ǡ AD1) and RBR2 =
(PI2 ǡ AD2) can perform an oĝine FAR attack to break unlinkability: For
each sample from a suĜciently large biometric database, the attacker tries
to transform and match it against each RBRi (i = 1ǡ 2). If the attacker finds
a sample which matches both RBR1 and RBR2, he/she can guess that
these are from the same biometric feature with high probability. Therefore,
as well as irreversibility, we discuss unlinkability from the PI alone or the
AD alone.
3 Examples of Cancelable Biometrics

3.1 Geometric Transformation
Ratha et al. proposed several feature transformation functions for minutiae

matching-based cancellable fingerprint templates, i.e., Cartesian, polar
and functional transformations [21].
We assume that fingerprint features X are represented as minutiae: a set
of feature points ܺ ൌ ሼሺ‫ݔ‬௜ ǡ ‫ݕ‬௜ ǡ ߠ௜ ሻȁ݅ ൌ ͳǡ ‫ ڮ‬ǡ ݊ሽ 㻌where ሺ‫ݔ‬௜ ǡ ‫ݕ‬௜ ሻ and ߠ௜ are
the coordinates and the ridge direction of the i-th feature point extracted
from a fingerprint image. The origin of the coordinate system is set based
on the position of a singular point, such as the core of the fingerprint.
1
Although another property: pseudo-authorized-leakage irreversibility (PLI) is
defined in [26], we do not distinguish the PLI from the ALI to reduce argument.
3.1.1 Cartesian Transformation
The Cartesian transformation divides the feature space, i.e., the fingerprint
image region, into ܰ ൌ ܰई ൈ ܰ௬ cells of fixed size, after which the cell
positions are shuĝed. Fig.3 illustrates an example of a Cartesian
transformation where ܰ ൌ ͷ ൈ ͷ. In this case, for example, the 3rd and
14th cells are transformed to the same 9th cell. The transformation is not
necessarily a strict permutation, and allows overlapping; more than one
cell can be mapped to the same position. All the minutiae within each cell
are moved along with the cell position, retaining their relative positions.
For each minutiae (xǡ yǡ Ʌ) within a cell position ܿ௜ ‫ א‬ሼͳǡʹǡ ‫ ڮ‬ǡ ܰሽ, the
transformation function can be written as follows:
‫ ݔ‬ᇱ ൌ ‫ ݔ‬൅ ܲ௫ ሺܿ௜ᇱ ሻ െ ܲ௫ ሺܿ௜ ሻǡ

‫ ݕ‬ᇱ ൌ ‫ ݕ‬൅ ܲ௬ ሺܿ௜ᇱ ሻ െ ܲ௬ ሺܿ௜ ሻǡ
ߠ ᇱ ൌ ߠǡ
where ሺܲ௫ ሺܿ௜ ሻǡ ܲ௬ ሺܿ௜ ሻሻ are the coordinates of the center of the ܿ௜ -th cell,
and ܿ௜ᇱ is the position where the ܿ௜ -th cell is mapped.
The cell mapping can be written as
ࢉԢ ൌ ‫ࢉܭ‬ (2)
where ࢉ ൌ ሺܿଵ ǥ ǡ ܿே ሻ் ,ࢉᇱ ൌ ሺܿଵᇱ ǥ ǡ ܿேᇱ ሻ் and ‫ ܭ‬is a mapping matrix of size
ܰ ൈ ܰ . Each row vector of K contains only one “1” and the other
elements are all “0”: For example, in the case of Fig.3,
ࢉ ൌ ሺͳǡ ʹǡ ͵ǡ ǥǡ ʹͷሻ் and ࢉᇱ ൌ ሺͳʹǡ ͵ǡ ͻǡ ǥǡ ͳͶሻ் . This means that the 1st
cell is transformed to the 12th position, the 2nd cell is transformed to the
3rd position, and so on.
The transformation functions for enrollment ‫ܨ‬ா and for authentication
‫ܨ‬஺ are the same, and the mapping matrix K plays the role of a parameter
for the transformation ܶ ൌ ‫ܨ‬ா ሺܺǡ ‫ܭ‬ሻǡܸ ൌ ‫ܨ‬஺ ሺܻǡ ‫ܭ‬ሻሺൌ ‫ܨ‬ா ሺܻǡ ‫ܭ‬ሻሻ.
10 Chapterr One
Figure 3: Carrtesian transform

mation
The primaryy drawback off the Cartesiaan transformattion is, as desscribed in

[21], the boundary probblem: If an original minnutiae point crossesc a
boundary of cells or seectors dividing the featuree space due to minor
deviation of image aliggnment or disstortion of a fingerprint, then the
transformedd version of the minutiaae point is llocated far from f the
appropriate position.
3.1.2 Funcctional Transformation
To avoid thhe boundary problem,

p the transformatioon function should
s be
locally smoooth. How- evver, if the min nutiae positionns after transfformation
are highly ccorrelated, thee transformatio
on can be invverted easily. Thus, the
transformatiion should nott be globally smooth.
s
The thirdd method, i.ee., the function
nal transform
mations, is desscribed as
follows:
‫ ݔ‬ᇱ ൌ ‫ ݔ‬൅ ݂ሺ‫ݔ‬ǡ ‫ݕ‬ሻǡ

‫ ݕ‬ᇱ ൌ ‫ ݕ‬൅ ݃ሺ‫ݔ‬ǡ ‫ݕ‬ሻǡ
Ʌᇱ ൌ Ʌ ൅ ݄ሺ‫ݔ‬ǡ ‫ݕ‬ሻʹߨǡ
where f ǡ ǡ h are noonlinear perturrbation functioons. By designning f ǡ ǡ

h approopriately, the above transfo ormation becoomes a “locally smooth
but not globbally smooth”” function. Seee [21] for thee details and examples
of the funcction design. Figure 4 sho ows an exam mple of the functional
f
transformatiion.
Cancelable Biometrics
B and Data
D Separationn Schemes 11
Lee, et. al. [14] alsso proposed a locally sm mooth functio

on for a
cancellable fingerprint teemplate which
h does not nneed alignmen
nt for the
matching prrocess.
3.22 Random
m Projection
Teoh et al. proposed Biohashing [35] for canc ellable biomeetrics and
applied thiss to fingerprrints [35], thhe face [33]], the palm [8], etc.
Biohashing is based on a linear transforrmation of thee feature vecto
or
Figure 4: Funnctional transforrmation
from m dimeensional spacee to n(δm) dim mensional subbspace with a randomly

r
selected basis, i.e., random
m projection.
Let us aassume that a biometric feeature ࢞ ‫ܴ א‬௠ is extracted as an m-

dimensionall vector. In
[33], forr example, thee Fisher Discrriminant Analyysis (FDA) iss used for
extracting ffeature vectorrs from facee images. Thhe Biohashing g can be
written as foollows:
࢚ ൌ ሺ‫ ݔܭ‬െ ߬ ȉ ͳሻ (3)
where K is a user-specificc ݊ ൈ ݉ rando om matrix whoose elements ‫ܭ‬௜ǡ௝ are

independenttly and identiccally distributeed (i.i.d.) accoording to a norrmal
distribution N(0ǡ1) and ૚ ൌ ሺͳǡ ͳǡ ǥǡ ͳሻܶ.
ͳ
ǣԹ௡ ՜ ሼͲǡͳሽ௡ 㻌is defined as folloows:㻌
Ͳ
Ͳሺ‫ݕ‬௜ ൑ Ͳሻ
ሺሺ‫ݕ‬ଵ ǡ ǥ ǡ ‫ݕ‬௡ ሻ் ሻ ൌ ሺ‫ݐ‬ଵ ǡ ǥ ǡ ‫ݐ‬௡ ሻ் ǡ ‫ݐ‬௜ ൌ ൜
ͳ ሺ‫ݕ‬௜ ൐ Ͳሻ
12 Chapter One
߬is a preset threshold and normally set to ߬ ൌ Ͳ [37]. Thus, hereafter, we

assume ɒ = 0. The Biohashing is used for the transformation function for
enrollment ‫ܨ‬ா and for authentication ‫ܨ‬஺ :
࢚ ൌ ‫ܨ‬ா ሺ࢞ǡ ‫ܭ‬ሻ ൌ ሺ‫࢞ܭ‬ሻ

࢜ ൌ ‫ܨ‬஺ ሺ࢟ǡ ‫ܭ‬ሻ ൌ ሺ‫࢟ܭ‬ሻ
The matching decision is made based on the Hamming distance between

the cancellable template ࢚ and the transformed feature ࢜. The Biohashing
does not fully keep the distance structure between feature vectors, and the
matching accuracy is inevitably degraded to some degree.
Chikkerur, et. al. [7] also proposed a transformation function for
cancellable fingerprint templates based on the random projection. Their
method extracts a local image (called a patch) around each minutiae, and
transforms it by a projection matrix which does not change the dot product
measure of two patches.
3.3 Algebraic Transformation

Takahashi, et. al. proposed the correlation-invariant random filtering
(CIRF) [29] which can be applied to construct cancellable biometrics for
any kind of biometric authentication whose matching algorithm is based
on the correlation-based template matching. In essence, the CIRF

transforms a feature (typically an image) by convolution with a random
image K, which plays a role as a parameter. To calculate the convolution,
the CIRF utilizes the number theoretic transform (NTT) [19, 1], a kind of
discrete Fourier transform (DFT) defined over a finite field Fq. Owing to
some properties of the NTT, the CIRF fully keeps the matching accuracy
as well as possessing information-theoretical security in the sense that the
transformed feature does not leak any information about the original
feature: The CIRF satisfies ALI. Hereafter, we review the CIRF.
Template matching is a well-known technique for image matching,
which finds areas of an image, called a search image, that matches (i.e. is
similar) to a certain small image, called a template image (see Fig.2).
Template matching is used for various biometric verification systems such
as the fingerprint [15], the face [4], and the iris [10].
B and Data
Figure 5: Tem
mplate matchingg
Here, we assume that a biometric featu ure is represennted as an imaage (i.e. a

two-dimensiional array off intensity values), each pixxel value is an n integer,
and similaritty is evaluatedd using cross- correlation.
Let ܺሾ݅ǡǡ ݆ሿሺͲ ൑ ݅ ൏ ‫ݓ‬௑ ǡ Ͳ ൑ ݆ ൏ ݄௑ ሻ be a tem mplate image of size
‫ݓ‬௑ ൈ ݄௑ , aand ܻሾ݅ǡ ݆ሿሺͲ ൑ ݅ ൏ ‫ݓ‬௒ ǡ Ͳ ൑ ݆ ൏ ݄௒ ሻ be a search imag ge of size
‫ݓ‬௒ ൈ ݄௒ . W We assume that ‫ݓ‬௑ ൑ ‫ݓ‬௒ ǡ ݄௑ ൑ ݄௒ . The cross-co orrelation
function ‫ څ‬is defined byb
௪೉ ିଵ ௛೉ ିଵ
ሺܺ ‫ܻ څ‬
ܻሻ ൌ ሾᇞ ݅ǡᇞ ݆ሿሿ ൌ ෍ ෍ ܺሾ݅ǡ ݆ሿܻሾ݅ ൅ᇞ
ᇞ ݅ǡ ݆ ൅ᇞ ݆ሿ (4)
௜ୀ଴ ௝ୀ଴
The cross-ccorrelation fuunction X Y can also be expresseed in the

following linnear convoluttion formula:
ܻ෠
ሺܺ ‫ܻ څ‬ሻሾο݅ǡ ο݆ሿ ൌ ൫ܺ ‫ܻ כ‬൯ሾο݅ǡ ο݆ሿ
௪೉ ିଵ
ଵ ௛೉ ିଵ
ܻ෠ሾ‫ݓ‬௒ െ ο݅ െ ݅ െ ͳǡ ݄௒ െ ο݆ െ ݆ െ ͳሿ
ൌ ෍ ෍ ܺሾ݅ǡ ݆ሿܻ
௜ୀ଴ ௝ୀ଴
where ܻ෠dennotes the flippped image of ܻ , i.e. ܻ෠ሾ݅ǡ ݆ሿ ൌ ܻሾ‫ݓ‬௒ െ ݅ െ ͳǡ ݄௒ െ

݆ െ ͳሿ, and ܺ ‫ܻ כ‬෠ denotess the linear con
nvolution of ܺ and ܻ෠ .
ሺܺ ‫ܻ څ‬ሻሻሾο݅ǡ ο݆ሿ indiicates the crross-correlatioon value betwween the
images ܺ ǡܻܻ when ܺ is displaced
d by ሺο݅ǡ ο݆ሻ fromm ܻ. The dispplacement
ሺο݅ǡ ο݆ሻ is alllowed withinn the following
g region:
14 Chapter One
‫ ܦ‬ൌ ሼሺο݅ǡ ο݆ሻȁͲ ൑ ο݅ ൑ ‫ݓ‬௒ െ ‫ݓ‬௑ ǡ Ͳ ൑ ο݆ ൑ ݄௒ െ ݄௑ ሽ (5)
Here, we introduce the following transformation ृǣ ॲ௠௡ ௠௡

௤ ՜ ॲ௤ ǡ
௠ିଵ ௡ିଵ
௨௜ ௨௝ ෨ ሾ݅ǡ (6)
ृ൫ܺ෨൯ሾ‫ݑ‬ǡ ‫ݒ‬ሿ ൌ ෍ ෍ ߱௠ ߱௡ ܺ ݆ሿ ‫ݍ‬
௜ୀ଴ ௝ୀ଴

where q is a prime number and ɘm, ɘn are the elements of the Galois
field ॲ௤ ൌ ԺȀ‫ݍ‬Ժ whose orders are ݉ǡ ݊ respectively. It is assured that
߱௠ ǡ ߱௡ ‫ॲ א‬௤ exist if ݉ǡ ݊ȁ‫ ݍ‬െ ͳ i.e., ݉ǡ ݊ divide q䌦1. ृ is a kind of DFT
defined over ॲ௤ , and called the number theoretic transform (NTT).
Hereafter, let us assume all the numerical operations are performed over
ॲ௤ and let us omit the notation “mod q”, if not otherwise specified. It is
well known that F has an inverse transformation ृିଵ and has a cyclic
convolution property (CCP) [1]:
ृሺܺ෨ ٘ ܻ෨ ሻ ൌ ृሺܺ෨ሻ ‫ृ ל‬ሺܻ෨ሻ (7)
where ܺ෨ ٘ ܻ෨ denotes the cyclic convolution:

(8)
௠ିଵ ௡ିଵ
ܺ෨ ٘ ܻ෨ሾο݅ǡ ο݆ሿ ൌ ෍ ෍ ܺ෨ሾ݅ǡ ݆ሿܻ෨ሾ݅ ᇱ ǡ ݆Ԣሿ

௜ୀ଴ ௝ୀ଴
ሺ݅ ᇱ ൌ ݉ െ ο݅ െ ݅ െ ͳ ݉ǡ ݆Ԣ ൌ ݊ െ ο݆ െ ݆ െ ͳ ݊ ሻ
and ‫ ܤ ל ܣ‬denotes pixel-wise multiplication, i.e., ሺ‫ܤ ל ܣ‬ሻሾ‫ݑ‬ǡ ‫ݒ‬ሿ ൌ

‫ܣ‬ሾ‫ݑ‬ǡ ‫ݒ‬ሿ‫ܤ‬ሾ‫ݑ‬ǡ ‫ݒ‬ሿ.
The CIRF makes use of the CCP of NTT to calculate the cross-
correlation for template matching. Firstly, the size of the images ܺǡ ܻ෠ is
extended to ݉ ൈ ݊, where mǡ n are any integers satisfying mǡ n 㼨㻌q 䌦㻌1
and ‫ݓ‬௒ ൑ ݉ǡ ݄௒ ൑ ݊. The extended area is padded with zeros. Let ܺ෨ǡ ܻ෨ be
the extended images. Secondly, ृ is applied to the extended images, and
then, transformed by using an image of size ݉ ൈ ݊ whose pixels are all
non-zero random values in ॲ௤ (i.e., ‫ܭ‬ሾ‫ݑ‬ǡ ‫ݒ‬ሿ ‫כॲ א‬௤ where ॲ‫כ‬௤ ൌ ॲ௤ െ ሼͲሽ) as
follows:
ܶ ൌ ‫ܨ‬ா ሺܺǡ ‫ܭ‬ሻ ൌ ृ൫ܺ෨൯ ‫ܭ ל‬ǡ ܸ ൌ ‫ܨ‬஺ ሺܻǡ ‫ܭ‬ሻ ൌ ृ൫ܻ෨൯ ‫ି ܭ ל‬ଵ (9)
where ‫ି ܭ‬ଵ ሾ‫ݑ‬ǡ ‫ݒ‬ሿ ൌ ‫ܭ‬ሾ‫ݑ‬ǡ ‫ݒ‬ሿିଵ . T plays a role as a cancellable template
generated in the enrollment stage, and V as a transformed feature in the
authentication stage. K is called a random filter, and plays the role of a
parameter. We can calculate the cyclic convolution ܺ෨ ٘ ܻ෨ from T and V
as follows:
ृିଵ ሺܶ ‫ܸ ל‬ሻ ൌ ृିଵ ቀृ൫ܺ෨൯ ‫ृ ל‬൫ܻ෨൯ቁ ൌ ܺ෨ ٘ ܻ෨Ǥ (10)
Since the extended areas of ܺ෨ and ܻ෨ are padded with 0 and do not
contribute to the calculation of the cyclic convolution, the linear
convolution (5), and hence the cross-correlation X ‫ څ‬Y (4), within the
region D (5), can be calculated exactly. Therefore, the CIRF does not
degrade the accuracy performance of the template matching.
Furthermore, as for the security, the following theorems hold.
Theorem 1 (Irreversibility). Let ܶ ൌ ‫ܨ‬ா ሺܺǡ ‫ܭ‬ሻ. If ܺ෨ does not contain zero
pixels, i.e.,ृ൫ܺ෨൯ሾ‫ݑ‬ǡ ‫ݒ‬ሿ ് Ͳ for all (uǡ) (*1),
ሺܺȁܶሻ ൌ ሺܺሻ ֞ ሺܺǢ ܶሻ ൌ ͲǤ (11)
I(X; T ) denotes the mutual information between X and T . Refer to [30] for
the proof. This theorem indicates that the cancellable template T does not
leak any information about the original feature ܺ෨ , i.e., the CIRF satisfies
the ALI. The same property holds for ܸ ൌ ‫ܨ‬஺ ሺܻǡ ‫ܭ‬ሻ, i.e., I(Y ; V ) = 0.
Theorem 2 (Unlinkability). Let ܶଵ ൌ ‫ܨ‬ா ሺܺǡ ‫ܭ‬ଵ ሻ and ܶଶ ൌ ‫ܨ‬ா ሺܺǡ ‫ܭ‬ଶ ሻ . If
the same condition (*1) as in the Theorem.1 holds,
ሺܶଵ ȁܶଶ ሻ ൌ ሺܶଵ ሻ ֞ ሺܶଵ Ǣ ܶଶ ሻ ൌ ͲǤ (12)
Refer to [30] for the proof. This theorem means that two cancellable
templates ܶଵ ǡ ܶଶ generated from the same biometric feature are statistically
independent, thereby they have no correlation.
The primary limitation of the CIRF is that the proof of irreversibility
and the unlinkability require the condition (*1) in reference to the original
feature image. In [31] this problem is solved by generalizing the CIRF
based on a quotient polynomial ring.
4 Naive Parameter Management Schemes

In this section, we explain three naive parameter management schemes
based on the following system models: (1) Store on Client model, (2)
16 Chapter One
Store on Token model and (3) Password-Based Parameter Generation

model, and describe enrollment and authentication protocols for each
model. Hereafter, we simply refer to the parameter management schemes
based on each system model and set of protocols as SOC, SOT and PBPG
schemes.
4.1 Store on Client

In the SOC scheme, the parameter is stored and managed in a client such
as a PC, a mobile terminal or a sensor device. Enrollment and
authentication protocols for the SOC model are as follows.
Enrollment protocol for the SOC model

1. A user inputs his/her ID and biometric information to an
enrollment client.
2. A parameter K is chosen by the enrollment client and stored in the
authentication client associated with the ID.
3. The enrollment client extracts a template X from the user’s
biometric information, transforms it to ܶ ൌ ‫ܨ‬ா ሺܺǡ ‫ܭ‬ሻ and sends it
to the authentication server.
4. The authentication server stores the cancellable template T
associated with the ID.
Authentication protocol for the SOC model

authentication client.
2. The authentication client extracts a biometric feature data Y ,
transforms it to ܸ ൌ ‫ܨ‬஺ ሺܻǡ ‫ܭ‬ሻ using the parameter K associated
with the ID, and sends it to the authentication server.
3. The authentication server matches the transformed feature V to the
cancellable template T to decide acceptance or rejection.
Unlike the SOT scheme and the PBPG scheme described in the following
subsections, the SOC scheme does not need a hardware token or a
password. However, if the clients are shared by a large number of users,
such as is the case with bank ATMs, POS and kiosk terminals, each client
has to store and manage the parameters of all the potential users. In this
case, if only one of the authentication clients is compromised, all the
parameters in all the clients have to be revoked at once, which would
require a large operational cost. It should be noted that the risk of
compromise is proportional to the number of clients. For this reason,
authentication clients available to a user should be limited to only a few

predetermined ones. This limitation may reduce the usability of the
authentication system. The SOC scheme is discussed in, for example, [3].
4.2 Store on Token

In the SOT scheme, the parameter is stored in a hardware token such as a
smart card or a USB token, and managed by each user. Enrollment and
authentication protocols for the SOT model are as follows.
Enrollment protocol for the SOT model

enrollment client.
2. A parameter K is chosen by the enrollment client and stored in a
hardware token.
3. The enrollment client extracts a template X from user’s biometric
information, transforms it to ܶ ൌ ‫ܨ‬ா ሺܺǡ ‫ܭ‬ሻ, and sends it to the
authentication server.
Authentication protocol for the SOT model


2. The authentication client reads the parameter K from the token,
extracts biometric feature data Y , transform it to ܸ ൌ ‫ܨ‬஺ ሺܻǡ ‫ܭ‬ሻ,
and sends it to the authentication server.
cancellable template T so to decide acceptance or rejection.
The SOT scheme can be viewed as two-factor authentication using a

hardware token and biometrics if it is suĜciently hard to impersonate a
user without knowing both the biometric feature and the parameter. From
another point of view, however, the SOT scheme reduces the usability of
the authentication system because it requires a user to carry a hardware
token which is easily misplaced. The SOT scheme is discussed in, for
example, [34].
18 Chapter One
4.3 Password-Based Parameter Generation

The PBPG scheme is similar to well-known password-based encryption
(PBE) [24]. In this scheme, the parameter is generated from a user’s
secret knowledge, such as a password. Enrollment and authentication
protocols for the PBPG model are as follows.
Enrollment protocol for the PBPG model

1. A user inputs his/her ID, password and biometric information to
an enrollment client.
2. The enrollment client generates a parameter K from the password
using e.g., a secure hash function, extracts a template X from
user’s biometric information, transforms it to ܶ ൌ ‫ܨ‬ா ሺܺǡ ‫ܭ‬ሻ, and
sends it to the authentication server.
Authentication protocol for the PBPG model

1. A user inputs his/her ID, password and biometric information to
an authentication client.
2. The authentication client generates a parameter K from the
password, extracts a biometric feature data Y , transforms it to
ܸ ൌ ‫ܨ‬஺ ሺܻǡ ‫ܭ‬ሻ using the parameter K associated with the ID, and
sends it to the authentication server.
cancellable template T so to decide acceptance or rejection.
As with the SOT scheme, the PBPG scheme can also be viewed as
two-factor authentication using passwords and biometrics if it is
sufficiently hard to impersonate a user without knowing both the biometric
feature and the parameter. Note, however, easy-to-remember passwords
will not have enough complexity against dictionary attacks to recover the
original feature from the transformed one. Sufficiently complex passwords
are required to secure the template, which would reduce the usability of
the authentication system.
5 Another Parameter Management Scheme

for Cancelable Biometrics
In the previous section, we described the three naive schemes for
parameter management of cancellable biometrics. However, they all have
limitations in terms of usability: the SOC scheme limits a user to using
individually predetermined authentication clients, the SOT scheme
requires a user to carry a hardware token, and the PBPG scheme requires a
user to remember a sufficiently complex password.
In this section, we will introduce another parameter management
scheme that meets the following requirements.
(i) It should not require a user to carry a hardware token or to

remember a password for authentication.
(ii) It should enable users to use any client connected to the system for
authentication.
(iii) It should keep the parameters secure, irrespective of the number
and vulnerabilities of the clients.
To this end, we consider another system model, i.e., the Store on

Server (SOS), where a parameter management server is used in addition to
the authentication server. As we show, however, a naive authentication
protocol for this model does not satisfy the requirement (iii) and degrades
the security of cancellable biometrics. To address this issue, a secure
authentication protocol based on one-time parameters and one-time
templates is introduced.
5.1 Store on Server

Fig. 6 shows an overview of the SOS model. The authentication system
consists of enrollment clients, authentication clients, an authentication
server, and a parameter management server. The parameter management
server stores the parameters of all users, while the authentication server
stores the cancellable templates, both associated with the user IDs.
We assume that the following requirements are fulfilled.
(A1) The authentication server and the parameter management server are
administered separately by diěerent administrators or organizations, and
they do not collude with each other. This requirement is necessary because
if the parameters and cancellable templates are compromised at once, the
FAR attack can be performed.
20 Chapterr One
Figure 6: Storre on Server
(A2) The ccommunicationn channel beetween each ppair of entitiees of the

system (e.gg., between an authentication clientt and the parameter p
managemennt server, betw ween the authentication serrver and the parameter
p
managemennt server and so on) is enccrypted indepeendently, e.g. by SSL.
Thus, for exxample, the paarameter manaagement serveer cannot eaveesdrop on
the communnication betweeen an authenttication clientt and the autheentication
server. Thiss requirement is necessary to prevent reecovery of thee original
biometric feeatures or tempplates from th

he transmitted data over the channel.
(A3) The ennrollment cliennts are securelly managed annd trustworthy

y.
(A4) The auuthentication clients are ta amper evidentt [12] so thatt users or
operators caan easily find unauthorized d alternations, e.g. by securrity seals,
so to detectt physical tam mpering and digital
d signatuures to detect software
tampering. Thus, we assume a that the risk is small for biometric
b
information to be comprromised at an altered cliennt used by a legitimate
l
user during authenticatioon. Note, ho owever, an atttacker may utilize
u an
altered cliennt to obtain some informatio
on from the seervers by execcuting the
authenticatioon protocol.
The enroollment protoccol for the SOS model is as follows:
Enrollment pprotocol for thhe SOS modell

1. A uuser inputs his/her ID and a biometriic informatio
on to an
enroollment client..
2. The enrollment client
c chooses a parameter K randomly and
a sends
it to the parameter managemen nt server.
3. The parameter management server stores the parameter K

4. The enrollment client extracts a template X from a user’s biometric
information, transforms it to ܶ ൌ ‫ܨ‬ா ሺܺǡ ‫ܭ‬ሻ using the parameter K,
6. The original template X is cleaned up from the enrollment
terminal.
5.2 Authentication Protocols

Here, we consider the authentication protocols for the SOS model.
5.2.1 Naive Authentication Protocol
Naive authentication protocol for the SOS model

2. The authentication client sends the ID to the parameter
management server.
3. The parameter management server sends the parameter K back to
the client.
4. The client extracts the feature data Y from a user’s biometric
information, transforms it to ܸ ൌ ‫ܨ‬஺ ሺܻǡ ‫ܭ‬ሻ using the parameter K,
5. The authentication server matches the cancellable template T to
the transformed feature V and decides whether to accept or reject
the user.
There is a problem: this protocol does not satisfy the requirement (iii).
In fact, the parameter K is disclosed to any authentication client connected
to the system. Thus, if there is a malicious or altered authentication client
abused by an attacker, the parameters of arbitrary user IDs can be stolen
easily at any time. The probability of this risk is proportional to the
number of authentication clients, which can be abused.
Remember that if the parameter K and the cancellable template
ܶ ൌ ‫ܨ‬ா ሺܺǡ ‫ܭ‬ሻ are compromised at once, the FAR attack can be performed.
Thus, if an attacker can obtain K at any time, the secrecy of X depends
only on the management of T by the authentication sever.
To deal with this problem, a protocol using one-time parameters and
22 Chapter One
one-time templates, which are valid during a session only, is introduced.
5.2.2 Secure Authentication Protocol
We assume the transformation function ‫ כܨ‬, i.e. ‫ܨ‬ா or ‫ܨ‬஺ , and the
parameter space ࣥ㻘㻌satisfy the following mathematical conditions:
Cond.: There exist functions
߶ǣ ࣥ ൈ ࣬ ՜ ࣥǡ ߰ǣ ࣮ ൈ ࣬ ՜ ࣮ (13)
such that for any ܴ ‫࣬ א‬ǡ ‫ ࣥ א ܭ‬㻘㻌 and ܺ ‫ ࣲ א‬㻘㻌 the following equation
holds:
‫ כܨ‬൫ܺǡ ߶ሺ‫ܭ‬ǡ ܴሻ൯ ൌ ߰ሺ‫ כܨ‬ሺܺǡ ‫ܭ‬ሻǡ ܴሻǡ (14)
where 㻾㻌 is a secondary parameter space. If we denote ݂௑ ሺ‫ܭ‬ሻ ൌ

‫ כܨ‬ሺܺǡ ‫ܭ‬ሻǡ ߶ோ ሺ‫ܭ‬ሻ ൌ ߶ሺ‫ܭ‬ǡ ܴሻǡ ߰ோ ሺܻሻ ൌ ߰ሺܻǡ ܴሻ , the condition can be
written as
݂௑ ൫߶ோ ሺ‫ܭ‬ሻ൯ ൌ ߰ோ ሺ݂௑ ሺ‫ܭ‬ሻሻ (15)
Based on the condition, we can construct a secure authentication protocol

as follows. Fig.7 shows the outline of this protocol.
Secure authentication protocol for the SOS model

2. The authentication client sends the ID to the parameter
management server.
3. The parameter management server chooses a secondary parameter
ܴ ‫ ࣬ א‬randomly and generates a one-time parameter ‫ ܭ‬ᇱ ൌ
߶ሺ‫ܭ‬ǡ ܴሻ based on the original parameter ‫ ܭ‬associated with the ID.
The ‫ܭ‬Ԣ is sent back to the client and the R is sent to the
authentication server.
4. The client extracts the feature data Y from a user’s biometric
information, transforms it to ܸ ᇱ ൌ ‫ܨ‬஺ ሺܻǡ ‫ܭ‬Ԣሻ using the one-time
parameter ‫ܭ‬Ԣ, and sends it to the authentication server.
5. The authentication server generates a one-time template ܶԢ ൌ
߰ሺܶǡ ܴሻ based on the cancellable template T and the secondary
parameter R.
B and Data
6. The authenticatioon server mattches the trannsformed featture ܸ ᇱ 㻌to

the oone-time tempplate ܶ ᇱ so to select acceptaance or rejection.
Figure 7: Secure Protocol
By the Cond
d.,
ܶᇱ ߰ ܴሻ ൌ ߰ሺሺ‫ܨ‬ா ሺܺǡ ‫ܭ‬ሻǡ ܴሻ

ൌ ߰ሺܶǡ
ൌ ‫ܨ‬ா ൫ܺǡ ߶ሺ‫ܭ‬ǡ ܴሻሻ൯ ൌ ‫ܨ‬ா ሺܺǡ ‫ܭ‬ԢԢሻ (16)
holds. Sincee ܶ ᇱ ൌ ‫ܨ‬ா ሺܺǡ ‫ܭ‬Ԣሻ

‫ ܭ‬and ܸ ᇱ ൌ ‫ܨ‬஺ ሺܻǡ ‫ܭ‬Ԣሻ corrrespond, with respect
to the same parameter ‫ܭ‬ԢԢ ‫ࣥ א‬, the au uthentication sserver can maatch them
properly, annd thus the accuracy perforrmance, e.g., F FAR and FRR R, are not
aěected by iintroducing thhe one-time paarameter and tthe one-time template.
t
As for seecurity, the prrotocol has thee following prroperties:
x The authenticationn server keeps the cancellaable templatee T secret

from the authenttication clientt and the paarameter man nagement
serveer.
x The parameter maanagement seerver keeps thhe parameter K secret
from the authentication client an nd the authenttication serverr.
x The authenticationn client keepss the feature ddata Y secret from the
autheentication servver and the parameter manaagement serveer.
x Nonee of the entitiees, except the enrollment cliient only at th
he time of
enrolllment, knowss the original template
t X.
24 Chapter One
Further discussion on security of the protocol will be given in Sec. 6.1.
5.3 Examples of Concrete Constructions

The secure protocol can be realized for any transformation functions of
cancellable biometrics satisfying the Cond. such as [2, 25, 33, 32, 21, 30,
28]. Following, we show several examples of concrete constructions.
5.3.1 Cartesian Transformation
Here, we present concrete constructions of ߶ and ߰ for the Cartesian

transformation.
As described in Sec.3.1, cell mapping of the Cartesian transformation
can be written as
ࢉᇱ ൌ ‫ࢉܭ‬ (17)
where ࢉǡ ࢉԢ 㻌㻌 represent the cell position vectors before and after the
transformation, and K is a mapping matrix. The transformation functions
can be written as ܶ ൌ ‫ܨ‬ா ሺܺǡ ‫ܭ‬ሻǡܸ ൌ ‫ܨ‬஺ ሺܻǡ ‫ܭ‬ሻሺൌ ‫ܨ‬ா ሺܻǡ ‫ܭ‬ሻሻ, where Xǡ Y
are the sets of minutiae (c.f., Sec.3.1).
Let ࣥ㻌be a set of possible mapping matrices. When ࢉԢ is mapped to ࢉԢԢ
according to another mapping matrix ܴ ‫ࣥ א‬, the composite mapping is

described as follows:
ࢉᇱᇱ ൌ ܴࢉᇱ ൌ ܴ‫ ࢉܭ‬ൌ ‫ܭ‬Ԣࢉǡ (18)
where ‫ ܭ‬ᇱ ൌ ܴ‫ࣥ א ܭ‬㻌is a new mapping matrix (i.e., a one-time parameter)
corresponding to the composite transformation function ‫ܨ‬ா ሺ‫ܨ‬ா ሺܺǡ ‫ܭ‬ሻǡ ܴሻ.
Now, we can construct the functions ࢥǡɗas follows. Let ࣬ ൌ ࣥ
and
߶ሺ‫ܭ‬ǡ ܴሻ ൌ ܴ‫ܭ‬ǡ ߰ሺܶǡ ܴሻ ൌ ‫ܨ‬ா ሺܶǡ ܴሻ (19)
From the above consideration, it is easily confirmed that (14) is

satisfied:
‫ܨ‬ா ൫ܺǡ ߶ሺ‫ܭ‬ǡ ܴሻ൯ ൌ ‫ܨ‬ா ሺܺǡ ܴ‫ܭ‬ሻ ൌ ߰ሺ‫ܨ‬ா ሺܺǡ ‫ܭ‬ሻǡ ܴሻ (20)
5.3.2 Biohashing
The transformation functions of the Biohashing can be written as follows

(c.f., Sec.3.2):
࢚ ൌ ‫ܨ‬ா ሺ࢞ǡ ‫ܭ‬ሻ ൌ ሺ‫࢞ܭ‬ሻ

࢜ ൌ ‫ܨ‬஺ ሺ࢟ǡ ‫ܭ‬ሻ ൌ ሺ‫࢟ܭ‬ሻǤ
where Sig is the sign function. The matching decision is based on the
Hamming distance between the cancellable template ࢚ and the transformed
feature ࢜.
Let ࣥ 㻌be a space of random matrices whose elements are i.i.d.
according to N(0ǡ 1). Let P be a randomly selected ݊ ൈ ݊ permutation
matrix, i.e., each column and each row contain only one “1” and the other
elements are all “0”, and let ܵ be a randomly selected ݊ ൈ ݊ diagonal sign
matrix defined by
ͳ ‫ ݎ݋‬െ ͳ ሺ݅ ൌ ݆ሻ
ܵ௜ǡ௝ ൌ ൜ (21)
Ͳ ሺ݅ ് ݆ሻ
For a random matrix ‫ࣥ א ܭ‬, the row permutation (by multiplying P) and
the sign inversion (by multiplying S ) keep the statistical property, i.e. each
element of
‫ ܭ‬ᇱ ൌ ܵܲ‫ܭ‬Ǥ (22)
is also i.i.d. according to N(0ǡ 1) and consequently ‫ ܭ‬ᇱ ‫ࣥ א‬. Furthermore,

the following equation holds for an arbitrary ऊ ‫ א‬Թ௡ :
ሺܲऊሻ ൌ ܲ ሺऊሻ (23)

ሺܵऊሻ ൌ ሺऊሻ ൅ ࢈௦ ʹ (24)
where ࢈௦ is a binary vector such that ሺ࢈௦ ሻ௜ ൌ Ͳ if ܵ௜ǡ௝ ൌ ͳ and ሺ࢈௦ ሻ௜ ൌ ͳ

if ܵ௜ǡ௝ ൌ െͳሺ݅ ൌ ͳǡ ǥ ǡ ݊ሻ
Let ࣬ ൌ ࣪ ൈ ࣭ 㻌where ࣪ and ࣭ are the sets of permutation matrices
and diagonal sign matrices respectively and let ܴ ൌ ܲܵ ‫ ࣬ א‬. The
functions ‫׋‬,andɗcan be constructed as follows:
߶ሺ‫ܭ‬ǡ ܴሻ ൌ ܵܲ‫ܭ‬ǡ (25)

߰ሺ࢚ǡ ܴሻ ൌ ࢚ܲ ൅ ࢈௦ ʹ (26)
26 Chapter One
From (23)(24), it is easily confirmed that ߶ǡ ܽ݊݀߰ satisfy the condition

(14):
‫ܨ‬ா ൫࢞ǡ ߶ሺ‫ܭ‬ǡ ܴሻ൯ ൌ ‫ܨ‬ா ሺ࢞ǡ ܵܲ‫ܭ‬ሻ

ൌ ሺܵܲ‫࢞ܭ‬ሻ
ൌ ܲሺ‫࢞ܭ‬ሻ ൅ ࢈௦ ʹ
ൌ ߰ሺ‫ܨ‬ா ሺ࢞ǡ ‫ܭ‬ሻǡ ܴሻǡ
and the same goes for ‫ܨ‬஺ .
5.3.3 Correlation Invariant Random Filtering
The transformation functions of the CIRF can be written as follows (c.f.,

Sec.3.3):
ܶ ൌ ‫ܨ‬ா ሺܺǡ ‫ܭ‬ሻ ൌ ृሺܺሻ ‫ܭ ל‬ (27)

ܸ ൌ ‫ܨ‬஺ ሺܻǡ ‫ܭ‬ሻ ൌ ृ൫ܻ෨൯ ‫ି ܭ ל‬ଵ ǡ (28)
where ृ is the two-dimensional number theoretic transform and K is an

image whose pixel values are randomly chosen non-zero elements in ॲ‫כ‬௤ ,
where q is a prime.
We can construct an authentication protocol for the SOS model using
the CIRF as follows: Let ࣬ ൌ ࣥ㻌and
߶ሺ‫ܭ‬ǡ ܴሻ ൌ ‫ܴ ל ܭ‬ǡ ߰ሺܶǡ ܴሻ ൌ ܶ ‫ܴ ל‬ (29)
We can easily confirm that (14) is satisfied:
‫ܨ‬ா ൫ܺǡ ߶ሺ‫ܭ‬ǡ ܴሻ൯ ൌ ृሺܺሻ ‫ ל‬ሺ‫ܴ ל ܭ‬ሻ

ൌ ሺृሺܺሻ ‫ܭ ל‬ሻ ‫ܴ ל‬
ൌ ߰ሺ‫ܨ‬ா ሺܺǡ ‫ܭ‬ሻǡ ܴሻǡ
and the same goes for ‫ܨ‬஺ .
6 Security Evaluation and Discussion

In this section, we firstly evaluate the security of the parameter
management scheme described in Sec.5, which we call the SOS scheme
hereafter. Then we compare the SOS scheme with the naive ones
described in Sec.4, and discuss the advantages and disadvantages.
6.1 Security of the SOS scheme

As for the SOS scheme, here we evaluate the irreversibility (ALI),
considering the following three kinds of attackers: (1) malicious outsiders
who have free access to the client, (2) the semi- honest authentication
server, and (3) the semi-honest parameter management server, as well as
the unlinkability.
6.1.1 Irreversibility against Outsiders
Let us consider security against malicious outsiders who have free access
to the client. Note that from the assumption (A4) in Sec.5.1, the attacker
cannot obtain biometric data from the client during authentication operated
by genuine users. Thus, we can ignore the risk of compromise of
biometric data from the client. However, the attacker can obtain a one-
time parameter‫ ܭ‬ᇱ ൌ ߶ሺ‫ܭ‬ǡ ܴሻ from the client and may try to guess the
original parameter ‫ܭ‬. Hereafter we discuss the difficulty of guessing ‫ܭ‬
from ‫ܭ‬Ԣ.㻌
The set of possible candidates of the original parameter K given a one-
time parameter ‫ܭ‬Ԣcan be written as follows:
෩ ȁ‫ܴ׌‬෨ ‫࣬ א‬Ǣ ‫ ܭ‬ᇱ ൌ ߶ሺ‫ܭ‬

ࣥ௄ᇱ ൌ ൛‫ܭ‬ ෩ ǡ ܴ෨ሻൟ ‫ࣥ ك‬ (30)
If the number of the candidates, i.e. ȁࣥ௄ᇱ ȁ, is suĜciently large, we can say
that it is suĜciently difficult to guess ‫ ܭ‬from ‫ܭ‬Ԣ.
In the case of the Cartesian transform, although㻌 ȁࣥ௄ᇱ ȁ 㻌varies
depending on ‫ܭ‬Ԣ, we can evaluate the lower bound of ȁࣥ௄ᇱ ȁ as follows: Let
ࣥ෡ be the set of permutation matrices of size ܰ ൈ ܰ (where ܰ ൌ ܰ௫ ൈ ܰ௬
is the number cells). By definition, ࣥ ෡ ‫ࣥ ؿ‬. Note that each permutation
෩ ෡ ෩
matrix ‫ ࣥ א ܭ‬has an inverse matrix ‫ି ܭ‬ଵ . Therefore, for each ‫ܭ‬Ԣ ‫ ࣥ א‬and
for each ‫ܭ‬ ෩‫ࣥא‬ ෡ , there exists ܴ ‫࣬ א‬ሺൌ ࣥሻ such that ‫ ܭ‬ᇱ ൌ ߶൫‫ܭ‬ ෩ ǡ ܴ෨൯ ൌ ‫ܭ‬
෩ ܴ෨;
in fact, ܴ ൌ ‫ܭ‬ ෩ ‫ܭ‬Ԣ. This means that ࣥ
ିଵ ෡ ‫ࣥ ك‬௄ᇱ and ȁࣥ௄ᇱ ȁ ൒ หࣥ ෡ ห ൌ ܰǨ ൌ
ሺ‫ܹܪ‬ሻǨǤ For example, if we let ܰ௫ ൌ ܰ௬ ൌ ͳͲ , หࣥ ෩௄ᇱ ห ൒ ͳͲͲǨ ൎ ͻǤ͵ ൈ
ͳͲͲଵହ଻ .
In the case of the Biohashing, for each ܴ ൌ ሺܲǡ ܵሻ ‫ ࣬ א‬where ܲ ‫࣪ א‬㻌is
a ݊ ൈ ݊ permutation matrix and ܵ ‫ ࣭ א‬is a ݊ ൈ ݊ diagonal sign matrix,
there exist ܲିଵ and ܵ ିଵ . Thus, we can write
෩ȁ‫׌‬ሺܲǡ ܵሻ ‫࣬ א‬Ǣ ‫ ܭ‬ᇱ ൌ ܵܲ‫ܭ‬

ࣥ௄ᇲ ൌ ൛‫ܭ‬ ෩ ൟ
ିଵ ିଵ ᇱ
ൌ ሼܲ ܵ ‫ ܭ‬ȁܲ ‫࣪ א‬ǡ ܵ ‫࣭ א‬ሽǤ
28 Chapter One
Since each element of a random matrix K is a real number and is chosen

randomly according to N(0ǡ 1), K almost surely has full rank. In this case
‫ ܭ‬ᇱ ൌ ܵܲ‫ ܭ‬is also full rank and if ܲିଵ ܵ ିଵ ‫ ܭ‬ᇱ ൌ ܲᇱିଵ ܵ ᇱିଵ ‫ ܭ‬ᇱ then ܵ ൌ
ܵ ᇱ ǡ ܲ ൌ ܲԢ. Therefore, there is a one-to-one mapping between ܲିଵ ܵ ିଵ ‫ܭ‬Ԣ ‫א‬
ࣥ௄ᇱ 㻌㻌and ሺܲǡ ܵሻ ‫࣬ א‬, and thus
ȁࣥ௄ᇲ ȁ ൌ ȁ࣬ȁ ൌ ȁ࣭ȁ ൈ ȁ࣪ȁ ൌ ʹ௡ ݊ǨǤ (31)
For example, if we let n = 90, which is the experimental parameter used in

[33], we get ȁࣥ௄ᇱ ȁ ൎ ͳǤͺ ൈ ͳͲଵ଺ହ .
In the case of CIRF, for each ‫ܭ‬Ԣ ‫ ࣥ א‬and for each ‫ܭ‬ ෩ ‫ࣥ א‬, there exists
ܴ ‫࣬ א‬ሺൌ ࣥሻ such that ‫ ܭ‬ᇱ ൌ ߶൫‫ܭ‬ ෩ ǡ ܴ൯ ൌ ‫ܭ‬
෩ ‫ ; ܴ ל‬in fact, ܴ ൌ ‫ܭ‬
෩ ିଵ ‫ܭ ל‬Ԣ .
Therefore, ࣥ௄ᇱ ൌ ࣥ and the number of possible candidates of ‫ ܭ‬given ‫ܭ‬Ԣ
௠௡
is ȁࣥ௄ᇱ ȁ ൌ ห൫ॲ‫כ‬௤ ൯ ห ൌ ሺ‫ ݍ‬െ ͳሻ௪௛ Ǥ By substituting the parameters for
generating a cancellable fingerprint template described in [29]: ݉ ൌ ݊ ൌ
ʹͺǡ ‫ ݍ‬ൌ ͵͵͹, we get ȁࣥ௄ᇱ ȁ ൎ ͶǤͷ ൈ ͳͲଵଽ଼଴ 㻚
In all the cases above, ȁࣥ௄ᇱ ȁ㻌is suĜciently large and we can say that it
is hard to guess the original parameter K from a one-time parameter ‫ܭ‬Ԣ.
Especially, in the last case, for any fixed ‫ ࣥ א ܭ‬, the mapping from
ܴ ‫࣬ א‬ሺൌ ࣥሻ to ‫ ܭ‬ᇱ ൌ ‫ ࣥ א ܴ ל ܭ‬, is one-to-one. Since R is chosen
uniformly randomly over ࣬ǡ ‫ܭ‬Ԣ 㻌is also uniformly distributed over ࣥ㻌
regardless of ‫ ܭ‬. Thus, ‫ ܭ‬and ‫ܭ‬Ԣ 㻌㻌 are statistically independent and

ሺ‫ ܭ‬ᇱ Ǣ ‫ܭ‬ሻ ൌ Ͳ, where
ሺ‫ ܭ‬ᇱ ǡ ‫ܭ‬ሻ

ሺ‫ ܭ‬ᇱ Ǣ ‫ܭ‬ሻ ൌ ෍ ෍ ሺ‫ ܭ‬ᇱ ǡ ‫ܭ‬ሻ (32)
ሺ‫ ܭ‬ᇱ ሻ ሺ‫ܭ‬ሻ
௄ ᇲ ‫ ࣥא‬௄‫ࣥא‬
is the mutual information between ‫ܭ‬Ԣ and K. If we regard ‫ܭ‬Ԣ as a

ciphertext of a plaintext K, the cryptosystem has information theoretic
security (or perfect secrecy [5]): ‫ܭ‬Ԣ provides no information about K.
In general we can prove the following theorem.
Theorem 3. Assumeࣥ ൌ ࣬ and let us denote that ‫ ܴ ל ܭ‬ൌ ߶ሺ‫ܭ‬ǡ ܴሻ for

‫ܭ‬ǡ ܴ ‫ࣥ א‬. If ሺࣥǡ‫ל‬ሻ forms a group, then the SOS scheme is information-
theoretically secure against outsiders, i.e. ‫ܫ‬ሺ‫ ܭ‬ᇱ Ǣ ‫ܭ‬ሻ ൌ Ͳ where ‫ ܭ‬ᇱ ൌ ‫ל ܭ‬
ܴ.
Proof. For any fixed ‫ࣥ א ܭ‬, the mapping from ܴ ‫ ࣥ א‬to ‫ ܭ‬ᇱ ൌ ‫ࣥ א ܴ ל ܭ‬㻌
is one-to-one. This is because if ‫ ܴ ל ܭ‬ൌ ‫ܴ ל ܭ‬Ԣ, by applying ‫ି ܭ‬ଵ to the
both sides we obtain ܴ ൌ ܴԢ. Therefore, if ࣬ ‫ ࣥ א‬is uniformly distributed,

‫ܭ‬Ԣ ‫ ࣥ א‬㻌is also uniformly distributed regardless of K. Thus, K is
independent of ‫ܭ‬Ԣ㻌and thus ሺ‫ ܭ‬ᇱ Ǣ ‫ܭ‬ሻ ൌ Ͳ.
In addition to the CIRF, several algorithms of cancellable biometrics
such as [2, 25, 31] satisfy the conditions of Theorem 3. (QED)
6.1.2 Irreversibility against the Authentication Server
Let us consider the secrecy of the original biometric features Xǡ Y
against the semi-honest authentication server who does not collude with
the parameter server or abuse the client, but tries to guess Xǡ Y from all the
received information: ܶ ൌ ‫ܨ‬ா ሺܺǡ ‫ܭ‬ሻ , ܸ ᇱ ൌ ‫ܨ‬஺ ሺܻǡ ‫ܭ‬Ԣሻ and R where ‫ ܭ‬ᇱ ൌ
߶ሺ‫ܭ‬ǡ ܴሻ.
We are interested in whether the SOS scheme degrades the
irreversibility compared with conventional schemes of cancellable
biometrics, where the authentication server receives ܶ ൌ ‫ܨ‬ா ሺܺǡ ‫ܭ‬ሻ and
ܸ ൌ ‫ܨ‬஺ ሺܻǡ ‫ܭ‬ሻ. Thus, we can prove the following theorem:
Theorem 4. If ܴ ‫࣬ א‬㻌is independent of Xǡ Yǡ T ǡ V , as is the case for the

secure protocol, then
ሺܺǡ ܻǢ ܶǡ ܸ ᇱ ǡ ܴሻ ൑ ሺܺǡ ܻǢ ܶ ǡ ܸ ሻǤ (33)

Proof: Since R is independent of XǡYǡT ǡV ,
ሺܺǡ ܻǢ ܶǡ ܸ ሻ ൌ ሺܺǡ ܻ Ǣ ܶ ǡ ܸǡ ܴሻǤ (34)
From condition (14),
ܸ ᇱ ൌ ‫ܨ‬஺ ሺܻǡ ߶ሺ‫ܭ‬ǡ ܴሻሻ ൌ ߰ሺ‫ܨ‬஺ ሺܻǡ ‫ܭ‬ሻǡ ܴሻ ൌ ߰ሺܸǡ ܴሻǤ (35)
Furthermore, since ܶ ൌ ‫ܨ‬ா ሺܺǡ ‫ܭ‬ሻ , the probability distribution of T is

determined by X. Thereforeǡ ሺܺǡ ܻሻ ՜ ሺܶǡ ܸǡ ܴሻ ՜ ሺܶǡ ܸԢǡ ܴሻ forms a
Markov chain. From the information processing theorem of mutual
information [9], the following inequality holds:
ሺܺǡ ܻǢ ܶǡ ܸ ᇱ ǡ ܴሻ ൑ ሺܺǡ ܻ Ǣ ܶ ǡ ܸǡ ܴሻǤ (36)
From (34)(36), the theorem holds.(QED)

The equality holds when ሺܺǡ ܻሻ ՜ ሺܶǡ ܸԢǡ ܴሻ ՜ ሺܶǡ ܸǡ ܴሻ forms a
Markov chain, e.g. there exists an inverse function ߰ ିଵ such that ܸ ൌ
30 Chapter One
߰ ିଵ ሺܸԢǡ ܴሻ.
This theorem indicates that in the SOS scheme, the authentication
server can obtain no more information about the original biometric
features than in the conventional schemes.
6.1.3 Irreversibility against the Parameter Server
Let us consider the secrecy of the original biometric features Xǡ Y against
the semi-honest parameter server who does not collude with the
authentication server. Note that the parameter server does not receive
information other than K. Therefore, the irreversibility against the
parameter server is completely the same as the irreversibility against an
attacker who obtained the parameter K in the conventional scheme of
cancellable biometrics.
In most algorithms of cancellable biometrics, the parameter K is
chosen randomly and independently of the biometric feature X. Thus, in
this case, K provides no information about X, i.e. I(X; K) = 0.
6.1.4 Unlinkability
As mentioned above, in most cases of cancellable biometrics, the

parameter K is chosen independently of the biometric feature X, and thus
I(X; K) = 0. In this case, an attacker who obtained two parameters ‫ܭ‬ଵ ǡ
‫ܭ‬ଶ cannot tell whether they correspond to the same biometric feature or
not. Therefore the unlinkability against outsiders or semi-honest parameter
server is satisfied in the SOS scheme.
In the following, we discuss the unlinkability against a semi-honest
authentication server. Let us consider that there are two authentication
systems of the SOS scheme, and the authentication servers collude with
each other to “cross-match” the cancellable templates and other
information obtained through authentication.
As described in 6.1.2, one authentication server can know ܶ ൌ
‫ܨ‬ா ሺܺǡ ‫ܭ‬ሻǡ ܸ ᇱ ൌ ‫ܨ‬஺ ൫ܻǡ ߶ሺ‫ܭ‬ǡ ܴሻ൯ , and R, during authentication. Let ܶ෨ ൌ
෩ ൯ǡ ܸ ᇱ ൌ ‫ܨ‬஺ ሺܻǡ ߶ሺ‫ܭ‬
‫ܨ‬ா ൫ܺǡ ‫ܭ‬ ෩ ǡ ܴ෨ሻሻ, and ܴ෨ be the corresponding information
obtained by the other authentication server.
Since ܸԢ is determined by (V, R) (c.f. (35)),
ሺܶ෨ǡ ܸ෨ǡ ܴ෨ሻ ՜ ሺܶ ǡ ܸǡ ܴሻ ՜ ሺܶ ǡ ܸԢǡ ܴሻ (37)
forms a Markov chain, and in the same way,
ሺܶǡ ܸ ᇱ ǡ ܴሻ ՜ ൫ܶ෨ ǡ ܸ෨ ǡ ܴ෨ ൯ ՜ ൫ܶ෨ ǡ ܸ෨ ᇱ ǡ ܴ෨൯ (38)
also forms a Markov chain. From the information processing theorem,
ሺܶ෨ǡ ܸ෨ ǡ ܴ෨ Ǣ ܶ ǡ ܸԢǡ ܴሻ൑ ሺܶ෨ ǡ ܸ෨ ǡ ܴ෨ Ǣ ܶ ǡ ܸǡ ܴሻǡ (39)

ሺܶǡ ܸǡ ܴǢ ܶ෨ ǡ ܸ෨Ԣǡ ܴ෨ሻ൑ ሺܶ ǡ ܸԢǡ ܴǢ ܶ෨ ǡ ܸ෨ ǡ ܴ෨ ሻǡ (40)
and therefore the following inequality holds.
ሺܶǡ ܸǡ ܴǢ ܶ෨ ǡ ܸ෨Ԣǡ ܴ෨ሻ൑ ሺܶ෨ǡ ܸ෨ ǡ ܴ෨ Ǣ ܶ ǡ ܸǡ ܴሻǤ (41)
Since R is independent of ܶ෨ǡ ܸ෨ ǡ ܴ෨ , and ܴ෨ is independent of T ǡ Vǡ R, the

right hand side of the above inequality can be rewritten as follows:
൫ܶǡ ܸǡ ܴǢܶ෨ ǡ ܸ෨ ᇱ ǡ ܴ෨ ൯ ൑ ൫ܶ෨ ǡ ܸ෨ Ǣ ܶ ǡ ܸ ൯Ǥ (42)
This means that the amount of information about the “linkage” between
the original features obtainable from cancellable templates across the
authentication servers of the SOS scheme is less than or equal to that of
conventional schemes of cancellable biometrics.
6.2 Comparison of the Schemes

Table.1 shows the comparison of the four parameter management
schemes: Store on Client (SOC), Store on Token (SOT), Password-Based
Parameter Generation (PBPG) and Store on Server (SOS).
Concerning usability, the SOT and PBPG schemes require users to
carry hardware tokens or to remember complex passwords. Alternatively,
the SOC and SOS schemes do not require any token or password.
However, the SOC scheme limits users to use individually predetermined
authentication clients, whereas the SOS scheme does not have such
limitation.
As for the authentication strength, the SOT and PBPG schemes may be
viewed as two-factor authentication, whereas the SOC and SOS schemes
are only biometrics-based authentication.
Regardless of the scheme, each client has to be equipped with a
biometric sensor and a device to input user ID. However, the PBPG
scheme requires a user to input a suƥciently complex password in
addition to the user ID. Thus, a keyboard might be preferable for an input
device in PBPG scheme, whereas a ten key or a touch panel would be
32 Chapter One
suƥcient for the other schemes.

In the SOT scheme, the user must be equipped with a hardware token
such as a smart card and to manage the lifecycle of the tokens. Thus, the
total system cost of this scheme may be larger than that of the others.
From these observations, we may say that the SOC scheme is suitable
for applications where personal devices (e.g. home PCs, oĜce PCs, smart
phones, etc.) are used for authentication, such as login to membership
websites.
The SOT and PBPG schemes, which can be regarded as two-factor
authentication, are suitable for applications requiring high security. In
particular, the PBPG scheme would be suited for the Internet banking or
logical access control to important systems where the authentication
clients, such as PCs, are typically equipped with keyboards, and it is not
difficult for users to input passwords. Alternatively, the SOT scheme
would be suited for banking ATM or physical access control of important
facilities. Here, the authentication clients are typically dedicated devices
where the input devices may be poor.
The SOS scheme can be applied to any application requiring usability,
i.e. without smart cards or passwords and availability from any
authentication client, such as a kiosk terminal, a shared office PC and an
amusement facility.
Table 1: Comparison of the parameter management schemes
7 Conclusion
Biometric template protection (BTP) schemes have been studied for about
a decade. These schemes can be broadly classified into two categories,
namely cancellable biometrics (feature transformations) and biometric
cryptosystems. In this chapter, we overviewed the BTP architecture in Sec.
2 and reviewed several studies on cancellable biometrics in Sec. 3.
To assure the irreversibility of cancellable templates in practice, the
parameters should be managed separately from the cancellable templates.
In Sec. 4 we presented several naive schemes for parameter management:
The Store on Client (SOC), Store on Token (SOT) and Password-Based
Parameter Generation (PBPG). All these schemes, however, have
limitations in usability; the SOC scheme limits the available authentication
clients, the SOT scheme requires a user to carry a hardware token, and the
PBPG scheme requires a user to remember a password.
In Sec. 5 we presented a parameter management scheme with high
usability, i.e., the Store on Server (SOS) scheme, in which the parameters
are stored in a parameter management server administered separately from
the authentication server which manages the cancellable templates.
However, a naive authentication protocol for the SOS scheme is
vulnerable in that the parameters are easily compromised from
authentication clients. To deal with this problem, a secure protocol based
on one-time parameters and one-time templates, which are valid during an

authentication session only, is introduced. We showed concrete
constructions of the secure protocol incorporating several established
algorithms of cancellable biometrics.
Finally, in Sec. 6 we evaluated the security of the SOS scheme,
compared it to other schemes, and discussed its advantages and
disadvantages. The results will guide the design of cancellable biometric
authentication systems.
References
[1] R. C. Agarwal and C. S. Burrus. Number theoretic transforms to
implement fast digital convolution. In Proc. of IEEE, volume 63, pages
550–560, 1975.
[2] M. Braithwaite, U. Cahn von Seelen, J. Cambier, J. Daugman, R.
Glass, R. Moore, and I. Scott. Application-specific biometric
templates. In AutoID02, pages 167–171, 2002.
[3] J. Bringer, H. Chabanne, and B. Kindarji. Anonymous identification
with cancelable biometrics. In Proc. ISPA 2009, 2009.
34 Chapter One
[4] R. Brunelli and T. Poggio. Face recognition: features versus templates.

IEEE Transactions on Pattern Analysis and Machine Intelligence,
15:1042–1052, 1993.
[5] A. Buchman. Introduction to Cryptography. Springer, second edition,
2004.
[6] I. Buhan, E. Kelkboom, and K. Simoens. A survey of the security and
privacy measures for anonymous biometric authentication systems. In
6th International Conference on In- telligent Information Hiding and
Multimedia Signal Processing (IIH-MSP 2010), 2010.
[7] S. Chikkerur, N. K. Ratha, H. Connell, and R. M. Bolle. Generating
registration-free cancelable fingerprint templates. In Proc. of BTAS08,
pages 1–6, 2008.
[8] T. Connie, A. Teoh, M. Goh, and D. Ngo. Palmhashing: a novel
approach for cancelable biometrics. Information Processing Letters,
93:1–5, 2005.
[9] T. M. Cover and Joy A. Thomas. Elements of Information Theory.
John Wiley & Sons, second edition, 2006.
[10] J. Daugman. How iris recognition works. IEEE Transactions on
Circuits and Systems for Video Technology, 14:21–30, 2004.
[11] ISO/IEC JTC 1/SC 27 24745. Biometric information protection,
2011.
[12] ISO/TC68/SC6, ISO 13491-1. Banking - secure cryptographic
devices (retail) – part1: Concepts, requirements and evaluation

methods, 1996.
[13] A. K. Jain, K. Nandakumar, and A. Nagar. Biometric template
security. EURASIP Journal on Advances in Signal Processing, 2008.
[14] C. Lee, J. Choi, K. Toh, S. Lee, and J. Kim. Alignment-free
cancelable fingerprint templates based on local minutiae information.
IEEE Trans. on Systems, Man, and Cybernet- ics - Part B, 37:980–992,
2007.
[15] M. Mimura, S. Ishida, and Y. Seto. Development of personal
authentication techniques using fingerprint matching embedded in
smart cards. IEICE Trans. on Information and Systems, E84-
D(7):812–818, 2001.
[16] A. Nagar and A. K. Jain. On the security of non-invertible fingerprint
template transforms. In Proc. of IEEE Workshop on Information
Forensics and Security, 2009.
[17] A. Nagar, K. Nandakumar, and A. K. Jain. Biometric template
transformation: a security analysis. In Media Forensics and
Security’10, 2010.
[18] K. Nandakumar, A. K. Jain, and S. Pankanti. Fingerprint-based fuzzy
vault: Implementation and performance. IEEE Trans. on Information

Forensics and Security, 2:744–757, 2007.
[19] J. M. Pollard. The fast fourier transform in a finite field. Mathematics
of Computation, 25:365–374, 1971.
[20] F. Quan, S. Fei, C. Anni, and Z. Feifei. Cracking cancelable
fingerprint template of Ratha. In ISCSCT’08, volume 2, pages 572–
575, 2008.
[21] N. K. Ratha, S. Chikkerur, J. H. Connell, and R. M. Bolle. Generating
cancelable fingerprint templates. IEEE Trans. on Pattern Analysis and
Machine Intelligence, 29(4):561–572, 2007.
[22] N. K. Ratha, J. H. Connell, and R. M. Bolle. Enhancing security and
privacy in biometric- based authentication systems. IBM System
Journal, 40(3), 2001.
[23] Paul Reid. Biometrics for Network Security. Prentice Hall PTR, 2003.
[24] RSA Laboratories. PKCS # 5: Password-based cryptography
specification version2.0, 2000.
[25] M. Savvides, B. Vijayakumar, and P. K. Khosla. Cancelable
biometric filters for face recognition. In Proc. of ICPR2004, pages
922–925, 2004.
[26] K. Simoens, B. Yang, X. Zhou, F. Beato, C. Busch, E. Newton, and
B. Preneel. Criteria towards metrics for benchmarking template
protection algorithms. In Proceedings of the 5th IAPR International
Conference on Biometrics (ICB 2012), 2012.

[27] Y. Sutcu, H. T. Sencar, and N. Memon. A secure biometric
authentication scheme based on robust hashing. In MM&Sec ’05:
Proceedings of the 7th workshop on Multimedia and security, pages
111 – 116, New York, NY, USA, 2005. ACM.
[28] K. Takahashi. Unconditionally provably secure cancellable
biometrics based on a quotient polynomial ring. In International Joint
Conference on Biometrics (IJCB 11), 2011.
[29] K. Takahashi and S. Hirata. Generating provably secure cancelable
fingerprint templates based on correlation-invariant random filtering.
In Proc. of BTAS2009, 2009.
[30] K. Takahashi and S. Hirata. Cancelable biometrics with provable
security and its application to fingerprint verification. IEICE
Transactions, 94-A(1):233–244, 2011.
[31] K. Takahashi and K. Naganuma. Unconditionally provably secure
cancellable biometrics based on a quotient polynomial ring. IET
Biometrics, 1:63–71, 2012.
[32] A. B. J. Teoh and T. Y. Chong. Cancelable biometrics realization
with multispace random projections. IEEE Trans. on Systems, Man,
36 Chapter One
and Cybernetics - Part B, 37:1096–1106, 2007.

[33] A. B. J. Teoh, A. Goh, and D. C.L. Ngo. Random multispace
quantization as an analytic mechanism for biohashing of biometric and
random identity inputs. IEEE Transactions on Pattern Analysis and
Machine Intelligence, 28:1892–1901, 2006.
[34] A. B. J. Teoh and D. C. L. Ngo. Biophasor: Token supplemented
cancellable biometrics. In ICARCV06, pages 1–5, 2006.
[35] A. B. J. Teoh, D. C. L. Ngo, and A. Goh. Biohashing: two factor
authentication featuring fingerprint data and tokenised random number.
PATTERN RECOGNITION, 37:2245–2255, 2004.
[36] A.B.J. Teoh, K.A. Toh, and W.K. Yip. 2ˆn discretisation of biophasor
in cancellable biometrics. In ICB07, pages 435–444, 2007.
[37] A.B.J. Teoh, W.K. Yip, and S.Y. Lee. Cancellable biometrics and
annotations on biohash. Pattern Recognition, 41(6):2034–2044, June
2008.
[38] U. Uludag, S. Pankanti, S. Prabhakar, and A. Jain. Biometric
cryptosystems: Issues and challenges. Proc. IEEE, 92(6):948–960,
2004.
[39] Y. Wang and K.N. Plataniotis. An analysis of random projection for
changeable and privacy-preserving biometric verification. IEEE Trans.
on Systems, Man, and Cybernetics - Part B, 40:1096–1106, 2010.
CHAPTER TWO
MINUTIAE-BASED FINGERPRINT
REPRESENTATIONS:
REVIEW, PRIVACY, SECURITY
AND CRYPTOGRAPHIC REALIZATION
ZHE JIN,1 SYH-YUAN TAN,2

ANDREW TEOH BENG JIN3 AND BOK-MIN GOI1
1
FACULTY OF ENGINEERING AND SCIENCE, UNIVERSITY TUNKU
ABDUL RAHMAN, KUALA LUMPUR, MALAYSIA
2
FACULTY OF INFORMATION SCIENCE AND TECHNOLOGY,
MULTIMEDIA UNIVERSITY, MELAKA, MALAYSIA
3
SCHOOL OF ELECTRICAL AND ELECTRONIC ENGINEERING,
YONSEI UNIVERSITY, SEOUL, SOUTH KOREA
Abstract
Unlike global feature such as singular point, minutia features provide high
reliability, robustness and discriminability for fingerprint analysis.
However, privacy invasion can occur if minutiae are compromised, since a
number of methods have been demonstrated to successfully reconstruct
fingerprint images from minutia templates. To alleviate the possibility of
minutia compromise and to address the privacy and security concerns, in
the past decade, many studies have attempted to transform minutiae into
secure representations while trying to retain high accuracy performance. In
this chapter, we present an overview of the security and privacy issues in
various well-known minutia-based fingerprint representations, which can
be divided into two categories: fixed-length and variable-size. Three
methods are used to demonstrate how to represent minutiae in variable-
size, and a cryptographic realization is developed to make such
representation secure against attackers.
38 Chapter Two
Keywords: Fingerprint, Minutia-based Representation, Privacy and

Security, Cryptographic Realization.
1 Introduction
At the local level of a fingerprint image, there are approximately 150
different local ridge characteristics. Among these characteristics, two most
prominent ridge characteristics include ridge endings and ridge
bifurcations [1]. A ridge ending is a ridge point that ends abruptly,
whereas a ridge bifurcation is a ridge point that forks or diverges into
branch ridges. They are named minutiae collectively, with each minutia
associated with a number of attributes, including location coordinates,
orientation, type (e.g. ridge ending or ridge bifurcation), a weight based on
the quality of the fingerprint image in the neighbourhood of each minutia,
and so on. However, in the ISO/IEC 19794-2 compliant format, only two
attributes are included: minutia location and orientation, which are usually
considered as the most stable features [1].
In general, minutiae are the most widely used features for representing
a fingerprint for recognition. This is attributed to the following
observations: (i) minutiae are generally reliable and robust to fingerprint
image elastic deformation; (ii) unlike global feature such as singular point
or coarse ridge line shape, minutiae provide sufficient distinctiveness for
accurate matching [1]. Fingerprint minutiae, alternatively, are unordered

and variable in size. This is because multiple impressions of the same
finger can vary largely from one to another caused by rotation, translation,
and skin elastic deformation, and such deformation can lead to spurious
and missing genuine minutiae. Figure 1 shows two different impressions
of the same finger with a very different number of detected minutiae.
For achieving better discriminability and non-invertibility, many
minutia descriptors have been developed as alternative approaches to
minutia representation [2]. A descriptor of minutiae characterises the local
neighbourhood information of the minutiae (e.g. intensity of image, ridge
frequency, etc.). Generally, minutiae descriptors can be divided into three
categories according to the underlying features [2]: (i) Image feature-based
descriptors, (ii) minutia feature-based descriptors, and (iii) texture feature-
based descriptors. The image feature-based descriptor extracts intensity
information of the local region around a central minutia. The minutia
feature-based descriptor describes information of a set of neighbour
minutiae with respect to a central minutia. The texture feature-based
descriptor captures texture information around a central minutia, such as
Minutiaee-based Fingerp
print Representaations 39
ridge orienttation and freequency. In this chapter, we focus mainly

m on
minutia featture-based desscriptors.
Figure 1. Two different imppressions of the same finger frrom FVC2004 DB1, D with
8 minutiae exxtracted on the left image, wh hile 36 minutiaee occur on the right. The
circle and squuare markers reppresent minutiaae and core poinnts, respectively
y.
Due to the high accuuracy perform mance of minnutia-based fiingerprint

matching, fiingerprints aree among the mostm popular choices as methods
m of
identity veriification or iddentification. However, oveer the last deecade, the
public has rraised much concern

c about the securityy and privacy of using
biometric ddata. Public worry aboutt the invasioon of privacy y is not
uncommon, since the biometric
b datta is inextriccably bound to one’s
identity, annd a comprom mise of it would lead to a permanen nt loss of
identity. Foor this reasonn, a biometriic system wiith a strong template
protection mmechanism needs to be desiigned. In geneeral, the desig gn criteria
for biometric template prootection schem me should incllude [1, 3];
x Diverrsity - cross--matching bettween multiplle reference templates

t
from the same userr across differrent applicatioons must be prrohibited;
x Revoocability - a new templatte can be reeissued when n the old
proteected templatee is compromised;
x Non--invertibility - it should be computaationally hard d for an
adverrsary to deriive the origiinal biometriic template from f the
proteected templatee;
x Perfoormance - the recognition accuracy
a in terrms of False Rejection
R
Rate (FRR) or Falsse Acceptancee Rate (FAR) should be satisfactory.
40 Chapter Two
As a result, many schemes have been proposed in literature as a possible

solution to protect biometric templates. Among these proposals, two
categories emerge: the irreversible transform approach (or biometric
cryptosystems), and the feature transformation approach (or cancellable
biometrics) [4]. A biometric cryptosystem serves the purpose of either
securing a cryptographic key by using biometric features (key binding) or
generating a cryptographic key directly from biometric features (key
generation). For the key binding approach, two well-known instances,
fuzzy commitment and fuzzy vault, are proposed by Juels and Wattenberg
[5], and Juels and Sudan [6] respectively. Dodis et al. [7] introduces
cryptographic primitives for key generation, known as secure sketch and
fuzzy extractor.
Alternatively, cancellable biometrics [8] ensures the security and
privacy of a biometric template. Hence, instead of storing the original
biometric data, only the transformed biometric templates are stored. In the
event that a template is compromised, a new template can be regenerated
from the same biometrics.
Pertaining to biometric representations, three types are available in
literature: (i) binary representation, (ii) integer representation, and (iii)
real-value representation. Among these three types of representation, the
binary representation has greater advantages in serving the purpose of
protecting biometric template. For instance, a binary representation has a
higher computational complexity against inversion attacks to recover the

original minutia information, and is well compatible with biometric
cryptosystems. Most of the existing feature extractors generate the integer
or real-valued representation rather than the binary representation;
however, IrisCode [9] and Competitive Palm print code [10] are two
exceptional examples of producing the binary template. Fortunately, a
number of techniques have been designed for integer-to-bits and real-to-
bits conversions. Grey-code and Linearly Separable SubCode [11] are two
instances of allowing integer-to-bits conversion. Furthermore, real-to-bits
conversion can be accomplished by a number of efficient quantisation-
encoding methods, such as DROBA [12] and reliability-based quantisation
[13].
The primary objective of this chapter is two-fold: (1) to provide an
overview of minutia-based fingerprint representations in terms of their
privacy, security and accuracy performance, and (2) to develop a
technique for securing the fingerprint minutia representation. The chapter
is organized as follows: a literature review on some well-known minutia-
based fingerprint representations is presented in Section 2. Section 3
demonstrates how fingerprint representations can be generated from
Minutiae-based Fingerprint Representations 41
minutiae. This is followed by the implementation of a cryptographic

realization of security and privacy in such fingerprint representations in
Section 4. Finally, Section 5 summarizes the chapter.
2 Literature review
In this section, we provide an overview of various minutia-based
fingerprint representations converted from fingerprint minutiae. Broadly
speaking, two categories can be named, fixed-length representation and
variable-size representation. The fixed-length representation refers to
ordered fixed-length vectors transformed from minutiae of fingerprints.
The fixed-length representation can be in integer, real value, or bit-string.
On the other hand, the variable-size representation refers to templates with
variations in size based on the number of minutiae in fingerprints. In
general, a variable-size representation can be represented in matrix with
size ݉ ൈ ݊, where m is determined by the number of minutiae extracted
from the fingerprint image, and n is the length of the feature vector
associated with the minutiae. Similar to the fixed-length representation,
the variable-size representation can also appear in integer, real value, or
bit-string. The ordinary minutia representation is indeed under this
category where n = 3, i.e. coordinates x and y, and orientation ș. Table 1.
lists various minutia-based fingerprint representations available in
literature.
Generally speaking, the fixed-length representation provides great
advantage over the others in adapting biometric cryptographic protocols
and cryptosystem schemes like fuzzy commitment [5]. On the other hand,
a variable-size representation is usually generated using every minutia
(called reference minutia), thus retaining the local neighborhood structure.
Furthermore, the variable-size representation allows performing a two-
stage matching procedure, which was first introduced by Jiang and Yau
[14]. This procedure has shown better robustness for matching over
precious approaches. In comparison, the variable-size representation is
more suitable for cancellable biometrics [8].
42 Chapter Two
Table 1. List of various minutia-based representations available in

literature.
Methods Proposed Techniques Type Categories

Fixed-length Representation
Sutcu et al., [15, Geometric Integer
16] Transformation
Jakubowski and Randomized Radon
Integer
Venkatesan [18] Transforms
Sutcu et al., [17] Local Point Binary
Reference-
Aggregation
based
Nagar et al., [20] Local Point Binary
approach
Aggregation
Bringer and Minutiae Vicinity-based Binary
Despiegel [21] Histogram
Liu et al., [22] Random Local Region Real
Descriptor
Farooq et al., [24] Minutiae Triplet based Binary
Histogram-
Histogram
based
Jin et al., [25] Minutiae Pair based Binary
approach
Histogram
Xu et al., [26] Spectral Minutiae Real Spectral

Nandakumar [27] Binarised Phase Binary Transform
Spectrum (BiPS) approach
Variable-size Representation
Jin et al., [19] Random Triangle Binary
Hashing
Lee and Kim [28] 3 Dimensional Array Binary
Jin et al., [29] Polar Grid 3-Tuple Binary
Quantisation
Reference
Cappelli et al., Minutiae Cylinder-code Binary
based
[30] (MCC)
approach
Yang and Busch Minutia Vicinity Real
[31]
Densely infinite-to-one
Wang and Hu [32] Real
mapping (DITOM)
Wong, et al., [33] Multi-line Code Binary
2.1 Fixed-length representations

The fixed-length representation can be broadly divided into three
categories: (1) the reference-based approach, (2) the histogram-based
approach, and (3) the spectral transform approach. In the reference-based
approach, a fixed-size reference, such as the circumference of a circle [15,
16] or N random cuboids outlined in [17], is usually determined first.
Biometric features are then extracted and quantized into a fixed-length
representation with respect to the reference. In the histogram-based
approach, a fixed-length representation is generated based on the frequency
histogram of extracted features, erected over discrete intervals in the feature
space. In the spectral transform approach, a specific spectral transform
technique, such as the Fourier Transform, is used to transform the minutiae
to a corresponding domain, so that a fixed-length representation can be
generated using specific analytical methods in that domain.
2.1.1 Reference-based methods
Sutcu et al. [15, 16] proposed a geometric transformation to convert

fingerprint minutiae into a fixed-length feature vector. This method uses
the circumference of a circle as reference and divides it into m equal-width
arcs. For every minutia pair, a straight line passes through these two points
and its intersections on the circle's circumference become marked, as

shown in Figure 2. A m dimensional integer feature vector is then
constructed by counting the number of projected minutiae in the respective
arcs. One limitation of this method is that the transformation is not
rotation-invariant, thus the fingerprints have to be aligned before
transformation. The additional information such as registration point (e.g.
core or delta point) is required for aligning two fingerprint images to be
matched.
In another instance, namely local point aggregation, Sutcu et al. [17]
define a set of m random cuboids as reference points on the fingerprint
image, and construct an m-dimensional integer feature vector using the
number the minutiae points in each cuboid. The feature vector is then
binarised into a bit-string using user-specific thresholds obtained from the
median of population minutiae quantity within each cuboid. Yet, this
method assumes that all fingerprint images has to be pre-aligned. For
accuracy performance, the proposed method achieves a low error rate
when the auxiliary information (i.e. the token to generate random cuboids)
is stored securely. The overall process is demonstrated in Figure 3. The
proposed method achieves a low error rate when the helper data is stored
securely. However, the security and privacy is underestimated in the event
44 Chapter Two
that helper data is stolen. Apart from this meth thod, Jakubow wski and
Venkatesan [18] proposeed a randomizzed radon traansform, and Jin et al.
[19] proposeed a random triangle hashing scheme. B Both of these methods
adopt a simmilar strategy in converting
g the minutiaee representation into a
discrete featture vector.
Figure 2. Illlustrates the geometric

g tran
nsformation froom fingerprintt minutiae
proposed by S
Sutcu et al. [15,, 16].
monstrating the local point agg

Figure 3. Dem gregation approoach proposed by
b Sutcu et
al. [17].
Nagar et all. [20] considder a more robust set of features than n Sutcu’s
approach byy considering the average minutia
m coorddinate within a cuboid,
the standardd deviation off the minutiae coordinates, aand the aggreegate wall
distance. Thhis method offers
o high accuracy
a perfformance but requires
registration points (e.g. high curvatu ure points) too align the fiingerprint
image prior to feature exxtraction. The detection of registration points
p can
be challengiing on poor-quuality images.
Bringer and Despiegeel [21] generatted a minutiaee-vicinity-based binary
feature vecctor, wherebyy a minutiaee vicinity iss referred to o as the
neighbourhoood structure around a ceentral minutiaa within a pre-defined
radius. This method exxtracts N nu umber repressentative viciinities as
reference ussing a vicinityy-selection proocedure. Withh a number of minutia
vicinities exxtracted from
m each fingerrprint, each vvicinity of th he query
template is matched aggainst N num mber of vicinnities of the enrolled
template to identify the correspondin ng enrolled vvicinity to eaach query
vicinity. Coonsequently, the
t matching g score is cooncatenated to o yield a
fixed-lengthh real-valued feature vecttor with N ccomponents, and then
binarised to a bit-string. Figure 4 dep picts the mechhanism for ob btaining a
binary vectoor from a set of representaative vicinitie s and query vicinities.
v
The resultaant bit-string is of approx ximately 50,0000 bits long, which
requires highh storage capaability.
Figure 4. DDepicts the viccinity based mechanism

m prooposed by Brringer and
Despiegel [211].
46 Chapter Two
Liu et al. [22] proposed a fixed-length feature representation by using a

minutiae descriptor, namely Random local region descriptor (RLRD).
RLRD adopts Tico’s sampling structure [23] and take it as a reference.
The RLRD is an orientation-based local structure, wherein a reference
point is generated randomly and a set of uniformly random sampling
points are generated along the circumference around the reference point.
The order of sampling points is determined via a random seed. The RLRD
feature is defined as the angle difference of local ridge direction between
the sampling point and reference point. For each sampling structure, a
real-valued fixed-length vector can be generated since the number of
sampling points is fixed. The real-valued RLRD feature vector can be
further converted into a bit-string for secure sketches measured in the
Hamming space. However, the registration point (core or highest curvature
point) has to be used to align the enrolled and query images before further
processing.
2.1.2 Histogram-based Methods
For the histogram approach, Farooq et al. [24] generate a binary

fingerprint representation based on the histograms of triangular features
generated from minutiae triplets. Seven invariant features emerge: lengths
of three sides (A1, A2, A3,), three angles between each side and each
minutia orientation (S1, S2, S3); and height (H) of the triangle are extracted
and quantized into 24 bits, which yields a 224-bit binary string. Figure 5.
shows the main idea of the proposed scheme. However, this method
requires high computational cost due to the exhaustive calculation of
features for all possible minutiae triplets. Following this work, Jin et al.
[25] attempted to reduce the length of bit-string by using minutiae pairs
instead of minutiae triplets. Four invariant features, i.e. Euclidean distance
between two minutiae, angular difference between two minutiae, two
angles between minutia orientation, and the segment connecting two
minutiae, are extracted for histogram binning. Consequently, the size of
template is reduced to 218 and the performance is enhanced using a
majority-voting-based training process.
2.1.3 Spectral-Transform-based Methods
Xu et al. [26] proposed a Spectral Minutiae approach to convert a set of

minutiae into a fixed-length feature vector. The proposed approach
performs Fourier transform on a minutia set, and re-maps the Fourier spectral
Figure 5. Shhows the minuutiae triplet baased bit-string generation pro

oposed by
Farooq et al. [24].
48 Chapter Two
spectral magnitude onto polar-logarithmic coordinates. By doing so, the

spectral minutiae representation is invariant to rotation, shifting and
scaling variations. An analytical representation for minutiae is further
proposed to minimize error, which can directly be evaluated on polar-
logarithmic grids. As the number of grids is fixed, a fixed-length
representation can be derived. However, the accuracy of this approach
over point-to-point (minutiae) and two-stage procedure matching (minutia
descriptor) approaches is inferior.
Instead of using a magnitude spectrum in Xu et al. [26], Nandakumar
resorts to phase spectra of minutiae, namely the Binarised Phase Spectrum
(BiPS) [27]. By incorporating fuzzy commitment and reliable bits
selection for binarisation techniques, BiPS achieves state-of-the-art
accuracy performance over other biometric cryptosystems. However, BiPS
is not rotation-, shifting- and scaling-invariant. Hence, a proper alignment
(focal point estimation) is still required.
2.2 Variable-Size Representations

The variable-size fingerprint representation is another major approach
often reported in literature. The main advantage of the variable-size
representation is that it is alignment-free due to the employment of
localized minutiae structure (neighbourhood structure).
Lee et al. [28] proposed a cancellable fingerprint template (bit-string)

using fingerprint minutiae as shown in Figure 6(a). A 3-dimensional array
illustrated in Figure 6(b) is first defined and a number of cells contained in
the 3D array are determined by the quantisation level. One of the minutiae
is then selected as the reference minutiae and the other minutiae are
translated and rotated based on reference minutia. The transformed
minutiae fall into each cell according to the x-axis, y-axis, and orientation.
Each cell is marked as ‘1’ if it contains more than one minutia, and ‘0’
otherwise. Thus, a 1D bit-string is generated by visiting the cells
sequentially. It is noted that the bit-string generated thus far is only based
on one reference minutia. The processes aforementioned are repeated by
using different minutiae as reference minutiae until the entire minutiae set
has been traversed. The binary template is ݊ ൈ ݈ matrix, where n and l
depict the number of minutiae, and the length of the 1D bit-string
generated based on one minutia respectively. The resultant bit-string is
permuted based on a user-specific PIN for revocability purposes.
However, in the same PIN scenario, the accuracy performance deteriorated
significantly.
Figure 6. Shoows (a) the blocck diagram of generating

g the bbit-string from fingerprint
f
minutiae propposed by Lee annd Kim [28]; (bb) the 3-dimensiional array.
50 Chapter Two
Instead of uusing equal-siized cells, Jin

n et al. [29] ppropose a quaantisation
method usinng polar-basedd sectors, wheere the area off each sector differs
d by
the radius. Subsequentlyy, the sectors near the refference minuttiae have
smaller areaas and other properties.
p Thiis leads to thee smaller (resp. larger)
quantisationn step around (resp. furtherr away from) the reference minutiae
to tolerate fingerprint elastic
e deform
mation. Expeeriments show w certain
performancee improvemennt under the “sstolen token” scenario (a. k. k a. same
PINs scenarrio: verificatioon of an imp poster’s biomeetrics using the
t stolen
token of the target user).
A state-of-the-art finggerprint tempplate represenntation is prop posed by
Cappelli et al. [30], namely Minutiae Cylinder-Codde (MCC), as depicted
in Figure 7. The method shares the sam me concept oof tessellation with Lee
and Kim [228] in quantisation. Differeent to the proocess by Lee and Kim
[28] that counts the numbber of minutiae in each ceell, MCC conssiders the
probability of finding a minutia within a certainn range (fixed d radius)
around the ccell. Compareed to nearest-n neighbour-bassed structure [1] (i.e. a
local structture containinng a central minutia witth k spatially y closest
minutiae); MMCC as a fixeed radius-baseed structure [11] (i.e. a local structure
containing a number of neighbour
n minnutiae that aree closer than a radius R
from the cenntral minutia) is not greatly
y affected by thhe presence of
o missing
or spurious mminutiae. Thuus, this would improve accuuracy performance.
Figure 7. Shhows the basic idea of minuttiae cylinder-coode (MCC) pro

oposed by
Cappelli et al. [30].
Yang annd Busch [31] proposed a fingerprinnt template protection p

method baseed on minutiaa vicinity. Giv ven N minutiiae {mi |i=1, 2,…, N},
each minutia mi with thee three nearestt neighbourinng minutiae {cci1,ci2 and
ci3} togetherr form a set off minutia vicin
nity Vi ={mi, c i1,ci2,ci3|i=1, 2,…, N}.
Each minutiia vicinity coomprises 12 orientation
o vecctors: miĺci1, ci2ĺci3,
ci3ĺci1, etc. The four coordinate pairs of Vi are then transformed, based on
the 5 (out of 12) randomly selected orientation vectors in the respective
minutia vicinity. Next, the random offsets are added to each Vi, in order to
conceal the local topological relationship among the minutiae in the
vicinity. The transformed minutiae are thus regarded as a protected
minutia vicinity with stored random offsets.
However, Simoens et al. [32] points out that the coordinates and
orientations of minutiae in [31] could easily be revealed if both random
offsets and orientation vectors are disclosed to the adversary. They also
show that the attack complexity is considerably low (e.g., only 217
attempts are required when the random offset table is known, and with
reference to 2120 attempts when the random offsets table is not known).
Wang and Hu [33] propose a cancellable fingerprint template based on
a dense infinite-to-one mapping technique. By refining the features
considered in [25], the proposed method elaborates three invariant features
from a pair of minutiae. The three features are Euclidean distance between
two minutiae, the angle between the orientation of reference minutia and
the direction of the line segment connecting the two minutiae, and the
angle between the orientation of neighbour minutia and the direction of the
line segment connecting the two minutiae. The extracted features are then
quantized, hashed and binarised. Lastly, a complex vector is generated
from the resultant bit-string by applying a discrete Fourier transform, and
the final template is obtained by blending the complex vector with a

randomly generated parametric matrix.
Recently, Multi-line Code (MLC) proposed by Wong, et al. [34] is a
minutia descriptor constructed based on multiple lines centred at a
reference minutia. Firstly, a straight line is drawn following the direction
of the reference minutiae, and constructs a number of overlapped circles
with a pre-defined radius. Then the neighbour minutiae are separated into
different bins according to their orientation. Following this, the mean of
the distances between the centre of the circle and the included minutiae for
each region is computed. In the binarisation stage, two techniques of
binarsation methods are used; 1-bit and k-bits binarisation. 1-bit
binarsation is implemented based on a threshold while grey code is used in
k-bits implementation.
From the above literature review, we made a number of observations
pertaining to the security and privacy concerns of the minutia-based
fingerprint representation: For the fixed-length representation, (a) since the
minimum entropy analysis of the resultant representation is absent in
geometric transformation methods [15, 16], the security of the
representation under different attack scenarios remains uncertain. (b) The
52 Chapter Two
local point aggregation method [17] has not been considered for the
scenario where stolen helper data is used by the adversary to gain
illegitimate access, which could lead to severe security threat. (c) The
performance of most of the afore-discussed methods [15, 16, 17, 20, 22,
27] depends on accurate pre-alignment or registration, which is infeasible
in practice. (d) Some methods either suffer from high computation cost
[24], or require large template storage [21]. (e) Although generally, the
spectral transform approach outperforms the reference- or histogram-based
approach in many ways, it is still not as accurate as the state-of-the-art
minutia-based variable-sized representations, e.g. MCC [30]. In the
variable-sized representation, we observe that (a) most of the “non-
invertible transforms” are in fact susceptible to partial or full inversion,
e.g. [30, 31, 33]. (b) A lost token attack is applicable if the token/PIN is
revealed to the adversary [28, 29, 31]. Since a fingerprint image can easily
be reconstructed from minutiae, unauthorised reconstruction of the
original biometric data constitutes invasion of privacy.
2.3 Privacy Issues of Minutiae-Based Representation

After Hill’s attempt to invert fingerprint minutiae [35], a number of
efficient methods have replicated the results of reconstructing a fingerprint
image from minutiae [36, 37, 38]. Generally, attack schemes reported in
literature can be categorized into: hill climbing and template inversion.

Hill climbing is an attack technique wherein the adversary initiates a
guess of minutiae points and iteratively refines the guess minutiae (e.g. to
add, delete minutiae, or modify the minutiae location and orientation)
based on the matching score obtained by comparing the guess minutiae
with the stored minutiae template. Finally, if the adversary gains access
the biometric system database, a similar guessed minutiae template can be
determined. The guessed minutiae template can be used for reconstructing
the fingerprint image. Invasion of user’s privacy thus occurs.
Several observations can be made regarding the hill climbing
technique: (i) Hill climbing does not require access to the stored minutiae
template, but rather the matching score in the iterative process; (ii)
theoretically, hill climb attack can be applied to all minutiae-based
matching algorithms where the computational time consumed in the
iterative process may not be feasible for the various matching algorithms,
and it is not guaranteed that the different impressions of the same
fingerprint can be reconstructed using hill climb under the same
circumstance. For instance, hill climbing may create many spurious
minutiae outside the domain of the original, and such a reconstructed
template may not lead to a high match score with another impression of
the same finger [2]; (iii) it is more complicated to reconstruct a minutiae
template using hill climbing when minutiae descriptors are used for
matching. This is because the matching score only reveals the similarity of
minutiae descriptors instead of the minutiae itself. For example, when a
100% similarity score is obtained, it only implies that a minutiae
descriptor has been perfectly reconstructed. However, there is no
indication of how to identify the reconstructed minutiae descriptor from
the set of synthetic minutia points because no information about the
location of the minutiae is revealed from the similarity score.
Template inversion is another approach used by the attacker to recover
the biometric image from the corresponding features inverted from the
stolen template [2]. Nagar [2] demonstrated the recovery of minutiae
information from a well-known binary representation, Binary Minutiae
Cylinder Codes (B-MCC) [30]. The method is a two-stage inversion
procedure which consists of Local Minutiae Recovery and Global
Minutiae Recovery. The experiment shows that the method makes possible
the recovery of sufficient minutiae information from the Binary Minutiae
Cylinder Codes (B-MCC) [30].
Furthermore, Ferrara et al. [39] also outlined an attack algorithm to
recover the minutiae information (i.e. location and orientation) from the
Minutiae Cylinder Codes (MCC). The attack algorithm was also composed
of two steps: Reconstruction of a neighbourhood from cylinder merging

and from neighbourhood merging. In the first step, minutiae
neighbourhoods with respect to each cylinder are estimated (i.e.
calculation of the likelihood matrix of the cylinder). Secondly, based on a
set of neighbourhoods constructed from each cylinder, a single set of
minutiae is obtained by merging the set of neighbourhoods. Experiments
show that the attack scheme can recover the original minutiae from an
MCC template (e.g. 81.9% of minutiae are recovered as shown in Table
III). Thereafter, a non-invertible transform method for MCC template has
been proposed by using binary principle component analysis, namely
protected minutia cylinder-code (P-MCC). Although the non-invertibility
of P-MCC template has been experimentally justified, it is still unable to
fully protect the genuine minutiae points. For instance, it was reported in
[39] that a portion of genuine minutiae (approximately 25.4%) could be
precisely recovered.
54 Chapter Two
3 Case Studies for Generating Binary Minutiae-Based

Fingerprint Representations
In this section, we provide a detailed coverage on converting minutiae into
a binary representation using three methods: (i) Random Triangle Hashing
[19], (ii) Minutiae Pair-based Histogram and Binarisation [25], and (iii)
Polar Grid-based 3-Tuple Quantisation [29].
3.1 Random Triangle Hashing

The random triangle hashing method [19] has been inspired by the idea of
local point aggregation proposed by Sutcu et al. [17], which transforms the
minutia set of a fingerprint into a fixed-length integer vector, and then,
binarises the integer vector into a bit-string template for verification. The
detailed steps are as follows:
1 Rotation and Translation of Minutiae. Suppose that ݉௜ ൌ

ሼ‫ݔ‬௜ ǡ ‫ݕ‬௜ ǡ ߠ௜ ሽ represents a set of minutia points, where ‫ݔ‬௜ , ‫ݕ‬௜ and ߠ௜ ‫ א‬ሾͲǡ ʹߨሻ
depict the Cartesian coordinate and the orientation of the ith minutia. All
the minutiae take turns to being reference minutiae, and the reference
minutiae are depicted as ݉௥ ൌ ሼ‫ݔ‬௥ ǡ ‫ݕ‬௥ ǡ ߠ௥ ሽ, and the remaining minutiae are
rotated and translated based on ݉௥ . The transformed minutiae ݉௜௧ ൌ
ሼ‫ݔ‬௜௧ ǡ ‫ݕ‬௜௧ ǡ ߠ௜௧ ሽ can be calculated as:
‫ݔ‬௜௧ ߠ௥ െߠ௥ Ͳ ‫ݔ‬௜ െ ‫ݔ‬௥ ‫ݎ‬௫ Ȁʹ

቎‫ݕ‬௜௧ ቏ ൌ ൥ ߠ௥ ߠ௥ Ͳ ൩ ൥െሺ‫ݕ‬ ௜ െ ‫ݕ‬௥ ሻ൩ ൅ ൥‫ݎ‬ ௬ Ȁʹ൩ (3.1)
ߠ௜௧ Ͳ Ͳ ͳ ߠ௜ െ ߠ௥ Ͳ
where ‫ݎ‬௫ and ‫ݎ‬௬ represent the width and height of a pre-defined two-
dimensional rectangle. The values of ‫ݎ‬௫ and ‫ݎ‬௬ are set as two times the size
of the input fingerprint image. This is to ensure that the reference minutia
is located in the centre of the pre-defined two-dimensional rectangle so
that this reference minutia acts as a registration point to align fingerprint
images in the same manner.
2 Random Triangle Hashing. Random triangle hashing essentially

involves three steps:
Step 1: The user-specific token. Each user is assigned a unique token
and this token is the source of randomness used for determining the
random triangles. The token is a set of random numbers that indicate the
locations off the three verrtexes that foorm the randoom triangles. Based
B on
the differentt user-specificc token, the method
m generaates a unique template
for each useer.
Step 2: HHashing. A seet of minutiaee is transform
med into a sho ort integer
vector. In shhort, it countss the number of
o minutiae coontained in th
he regions
of random triangles. The hashing process can be described d as the
following traansformation function:
݂ǣ ȳ ՜ ܼ ௡ (3.2)
where ȳ ൌ ሼ‫ݔ‬ǡ ‫ݕ‬ǡ ߠሽ and ߠ ‫ א‬ሾͲǡ ʹߨ ߨሻ represent the coordin nate and
orientation of a minutia, and ܼ ௡ is an a n-dimensioonal integer vector in
which each element dennotes the num mber of minuutiae to be fo ound in a
random trianngle.
Step 3: O
Orientation hiistogram binning. A histogrram is formed d to count
the number of minutiae that fall into o each of thhe disjoint bin ns in the
histogram. TThe disjoint biins refer to the pre-defined orientation raanges and
the entirely orientation raange is betweeen 0 and ʹߨ. As an examp ple, from
Figure 8, am
mong the five minutiae
m conttained in a triaangle, one of them
t falls
in the rangee ሾͲǡ ߨȀ͵ሻ, onne in ሾߨȀ͵ǡ ʹߨ ߨȀ͵ሻ, two in ሾሾͶߨȀ͵ǡ ͷߨȀ͵ሻ,, and one
in ሾͷߨȀ͵ǡ ʹߨߨሻ. If the orieentation rangee does not haave any correesponding
minutiae, the count is set to zero. Thesee numbers aree concatenated d together
to form a fixed-length (6 digits) building b blocck for each triangle.

Subsequentlly, the same process for the remainingg triangles is repeated.
The fixed-llength (6 diggits) vectors generated froom each triaangle are
concatenatedd to form thee hash vectorr that is used to construct the final
feature repreesentation in bit-string
b form
mat.
Figure 8. Shoows a histogram

m binning based
d on minutiae orrientation.
56 Chapter Two
3 Hash vector binarisation. After the integer hash vector is

acquired, a straightforward but efficient encoding technique is
employed, namely Bit-Block Coding. Initially, a fixed-length binary
block is initialized to zeroes. This binary block will be set to ones
according to the integer in the hash vector. For example, if the integer
in a hash block is 5, its binary counterpart will be 1111100000. By
repeating this process for the remaining hash blocks, all the integers in
the hash vector will be converted into bit-string. The length of the
resultant binary bit-string is݀ ൈ ݊ ൈ ݉, where d refers to the number
of hash blocks for each triangle, n denotes the total number of triangles
formed, and m is the number of bits used to represent the binary
counterpart of each hash block. The detailed description of this
encoding scheme together with a thorough analysis is presented by
Lim and Teoh [11].
4 The matching bit-string. Matching two bit-strings suggests the

calculation of the dissimilarity score between the enrolled bit-strings (ܾ ௘ )
and query bit-strings (ܾ ௤ ) as follows:
௘ ௤
σௗ௞ୀଵሺܾ௝ǡ௞ ْ ܾ௜ǡ௞ ሻ
‫݁ݎ݋ܿݏ‬ሺ݅ǡ ݆ሻ ൌ (3.3)
݈
௘ ௤
where ْ represents the bitwise XOR operation, ܾ௝ǡ௞ and ܾ௜ǡ௞ denote the kth
௘ ௤ ௘ ௤
bit in ܾ௝ and ܾ௜ , l represents the bit-length of ܾ௝ and ܾ௜ .
In a perfect environment, the two one-dimension bit strings generated
based on the same reference minutiae will be the same. However, there is
no information for us to locate the corresponding minutiae used for
alignment in the enrolled template and query template. Therefore, it
requires comparing all the one-dimensional bit-strings between the
enrolled and query sets, so to determine the closest pair. To do this, a
matrix D={dij} is used to store the dissimilarity scores, where ݀௜௝ ൌ
‫݁ݎ݋ܿݏ‬ሺ݅ǡ ݆ሻ. The next step is to calculate ത the mean of the minimum
distance for each column in dij , as shown in Eq. (3.4) and Eq. (3.5):
ܽ௝ ൌ ሼ݀௜௝ ሽ (3.4)
௜
j=1,2,3……n; (n is the number of columns for matrix D)
i=1,2,3……m; (m is the number of rows for matrix D)
௡
ͳ
ܿҧ ൌ ෍ ܽ௝ (3.5)
݊
௝ୀଵ
Similarly, the mean of the minimum distance of each row in dij is

computed and signified as ‫ݎ‬ҧ . The expressions are showed in Eq. (3.6) and
Eq. (3.7).
ܾ௜ ൌ ሼ݀௜௝ ሽ (3.6)
௝
௠
ͳ
‫ݎ‬ҧ ൌ ෍ ܾ௜ (3.7)
݉
௜ୀଵ
The smaller value of ത and ҧ is chosen as the final score, s, as in (3.8).

Each of ത and ҧ ranges between 0 and 1, where s = 0 indicates a perfect
match, and otherwise is not a perfect match.
ܿҧ ݂݅ ܿҧ ൑ ‫ݎ‬ҧ
‫ݏ‬ൌ൜ (3.8)
‫ݎ‬ҧ ݂݅ܿҧ ൐ ‫ݎ‬ҧ
3.2 Minutiae Pair-based Histogram and Binarisation

The second example we introduce in this section is the Minutiae Pair-
based Histogram and Binarisation [25], an extension of the Minutiae

Triplet-based Histogram proposed by Farooq et al. [24]. The main
objective of the Minutiae Pair-based Histogram and Binarisation method is
two-fold: (i) To reduce the bit-length and computation time. A 224 bit
binary template generated in Farooq et al. [24] is storage consuming and
computationally overloading, since the combination of minutiae triplets
must be computed in advance. (ii) To improve the accuracy performance.
As shown below, the accuracy of Farooq et al.’s method [24] degrades
significantly when the minutia extractor suffers from low quality image.
The minutiae pair-based histogram and binarisation improves the method
of Farooq et al. as follows:
1 Feature extraction from minutiae pair. The minutiae pair
essentially is a minutiae descriptor first introduced by Parziale and Niel
[40]. A single minutiae point suffers from elastic deformation from
fingerprint to fingerprint. Yet, the change of a minutiae pair formed by two
minutiae points is not evident under rigid transformation. In this method,
the four invariant features used are:
58 Chapter Two
a. The ddistance L beetween the twwo minutia, w where L is measured in

pixell units;
b. The angle Į between the orientation of the two minutiaee (angular
differrence betweenn ܱଵ and ܱଶ ), the range of the angle Į is ሾͲǡ ʹߨሻ,
ܱଵ aand ܱଶ represent the orieentation of m minutiae ݉ଵ and ݉ଶ
respeectively.
c. The angles ߚଵ andd ߚଶ between thet orientationn of each min nutia and
T range of ߚଵ and ߚଶ is ሾͲ
the seegment conneecting them. The Ͳǡ ߨሻ.
Figure 9. deemonstrates thhe invariant feeatures extractted from a min

nutia pair
formed by mminutia ݉ଵ and ݉ଶ .
Figure 9. Thee invariant featuures (L, Į, ߚଵ an

nd ߚଶ ) extractioon from a minuttiae pair.
2 Quuantisation. TheT invariant features are quantized to alleviate

the distortioon that occuurred during the image caapturing proccess. We
assume thatt the maximum m distance, L,
L between tw wo minutiae iss l pixels,
and L is quuantized into q segments, with each seegment contaaining l/q
pixels for eaach quantisatiion step. To represent thesee q segments in binary
form, log2(l//q) bits are reqquired.
Similarlyy, assume thatt the maximum m angle betwween the orienttations of
two minutiaae is 2ʌ, and the quantisatiion step is seet to be p, thu us ‫ߨʹہ‬Ȁ‫ۂ݌‬
bits are requuired to repressent the angle between the orientations ofo the two
minutiae, Į. The same prrocedure appliies to the rem maining featurees, i.e. ߚଵ
and ߚଶ .
After dettermining the number of bitts required to represent each feature,
we can quantize the feeature into binary b form. The feature value is
quantized baased on the inndex of the seegment it fallss within. Eachh segment
is labelled bby a binary deecimal code. IfI L is represeented by l bitss, angle ߙ
by a bits, anngle ߚଵ by b1 bits, and ߚଶ byb b2 bits, theen every minu utiae pair
can be repreesented by a bit string with length ݈௠௣ bits, where ݈௠௣ ൌ ݈ ൅
ߙ ൅ ܾଵ ൅ ܾଶ . The bit string is then converted to its corresponding integer,

such as 01111 00101 0011 0100 to 124212.
The same procedure is repeated on all the minutiae pairs found in the
ଵ
fingerprint image. In general, there are ‫ ݏ‬ൌ ௡‫ܥ‬ଶ ൌ ݊ሺ݊ െ ͳሻ possible
ଶ
combinations of the minutiae pairs that will be generated from a
fingerprint image, where n is the number of minutiae in a fingerprint.
3 Histogram Binning and Bit-string Generation. Since there are
ʹ௟೘೛ possible combinations of bits for each minutiae pair, a histogram mi
is formed to count the number of minutiae pairs that fall into each of the
disjoint bins in the histogram. Mathematically, the histogram binning
function is:
ଶ೗೘೛
‫ ݏ‬ൌ ෍ ݉௜ (3.9)
௜ୀଵ
where s is the total number of minutiae pair for all ʹ௟೘೛ of bins, ʹ௟೘೛ is the
total number of bins.
Next, the histogram mi is binarised by retaining the count of value 1
while setting the rest of the count values to 0. This is to ensure that the
fingerprint image can be represented by a set of unique minutiae pairs, i.e.
those that occur only once in the fingerprint image. The Binarisation rule
is:
ͳ ݂݅ ݉௜ ് ͳ
‫ א ݅׊‬ሾͲǡ ʹ௟೘೛ ሻǡ ܾ௜ ൌ ቄ (3.10)
Ͳ ‫݁ݏ݅ݓݎ݄݁ݐ݋‬
4 Calculating the Similarity Score between Bit-strings.

Originally, obtaining a matching score between a pair of bit-strings
generated from two fingerprints requires that we find the intersection
between the two bit-strings. This can be done by simply counting every
position in the bit-string that has a value of 1 in both the bit-strings.
However, this suffers from a drawback in that it depends on the magnitude
of the bit-string, with the magnitude defined by the total number of ones in
the bit-string [24]. For example, a fingerprint contains many minutiae, so
that this fingerprint can be richly represented by minutiae pairs, thus,
many 1s will appear in the bit-string (larger magnitude). Alternatively,
another fingerprint contains only a few minutiae so that fewer minutia
pairs will be formed. Consequently, the magnitude of the bit-string is
small. To account for the difference of magnitude, the geometric mean of
two magnitudes is used to normalize the matching score. Assume that
60 Chapter Two
ܾ ௘ represents an enrolled bit-string and ܾ ௤ represents the query bit-string,

then the similarity matching score can be calculated as follows:
σ௡௜ୀଵሺܾ௜௘ Ȉ ܾ௜௤ ሻ
ܵሺܾ ௘ ǡ ܾ ௤ ሻ ൌ
(3.11)
ටσ௡௜ୀଵ ܾ௜௘ σ௡௜ୀଵ ܾ௜௤
௤
where Ȉ represents a bitwise AND operator. σ௡௜ୀଵሺܾ௜௘ Ȉ ܾ௜ ሻ counts the
positions in the bit-strings that have a value of 1 in both enrolled and query
௤
templates, and then sums them. σ௡௜ୀଵ ܾ௜௘ and σ௡௜ୀଵ ܾ௜ denote the total
number of 1’s of the enrolled and query templates. The score ranges from
0 to 1, where S = 1 indicates a perfect match, and otherwise is not a perfect
match.
3.3 Polar Grid-based 3-Tuple Quantisation

The method proposed by Lee and Kim [28] employs a three-dimensional
array for quantisation. This quantisation method is an equal-size
quantisation, since all the cells in the three-dimensional array are equal in
size (i.e. width, height, and depth). However, non-linear deformation
usually occurs during fingerprint image acquisition. Thus, the polar grid-
based 3-tuple quantisation [29] is proposed to alleviate the non-linear

deformation problem. The entire process of this method is as follows:
1 Reference Minutia-based Polar Transform. Due to rotation
and translation variations, the locations and orientations of a single
minutia could be different when multiple fingerprint impressions apply.
However, based on a chosen reference minutia, the remaining minutiae
can be translated and rotated invariantly. With this property, the reference
minutiae can be utilized to align the remaining minutiae for invariant
transformation as described in the following three steps:
Step 1: Translation and Rotation of Minutia. Suppose that ݉ ൌ
ሼ‫ݔ‬௜ ǡ ‫ݕ‬௜ ǡ ߠ௜ ȁ݅ ൌ ͳǡ ǥ ǡ ܰሽ depicts a set of minutia points, where ‫ݔ‬௜ , ‫ݕ‬௜ and
ߠ௜ ‫ א‬ሾͲǡ ʹߨሻ represent the location in the Cartesian coordinate system and
the orientation of the ith minutia. One minutia is randomly selected as
reference minutia ݉௥ ൌ ሼ‫ݔ‬௥ ǡ ‫ݕ‬௥ ǡ ߠ௥ ሽ . The remaining N-1 minutiae are
rotated and translated based on the reference minutiae. The transformed
minutiae ݉௧ ൌ ሼ‫ݔ‬௜௧ ǡ ‫ݕ‬௜௧ ǡ ߠ௜௧ ȁ݅ ൌ ͳǡ ǥ ǡ ܰ െ ͳሽ , where ܰ depicts the total
number of minutiae, can be obtained as follows:
‫ݔ‬௧ ߠ௥ െߠ௥ ‫ݔ‬௜ െ ‫ݔ‬௥

ቈ ௜௧ ቉ ൌ ൤ ൨ቂ ቃ (3.12)
‫ݕ‬௜ ߠ௥ ߠ௥ െሺ‫ݕ‬௜ െ ‫ݕ‬௥ ሻ
ߠ௜ െ ߠ௥ Ǣ ߠ௜ ൒ ߠ௥
ߠ௜௧ ൌ ൜ ൠ (3.13)
͵͸Ͳ ൅ ߠ௜ െ ߠ௥ Ǣ ߠ௜ ൏ ߠ௥
Step 2: Shifting. The translated and rotated minutiae points are then
shifted to the new coordinates, based on the following equation:
‫ݔ‬௜ᇱ ‫ݔ‬௜௧ ‫ݓ‬௫ Ȁʹ

቎‫ݕ‬௜ᇱ ቏ ൌ ቎‫ݕ‬௜௧ ቏ ൅ ൥‫ݓ‬௬ Ȁʹ൩ (3.14)
ߠ௜ᇱ ߠ௜௧ Ͳ
where ‫ݔ‬௜ᇱ , ‫ݕ‬௜ᇱ and ߠ௜ᇱ ‫ א‬ሾͲǡ ʹߨሻ represent the new coordinates and
orientation, while ‫ݓ‬௫ ,‫ݓ‬௬ are two times the width and the height of the
fingerprint image. After going through Eq. (3.12) - (3.14), the transformed
minutiae ݉ᇱ ൌ ሼ‫ݔ‬௜ᇱ ǡ ‫ݕ‬௜ᇱ ǡ ߠ௜ᇱ ȁ݅ ൌ ͳǡ ǥ ǡ ܰ െ ͳሽ are located in a new 2-
dimensional space, with a width of ‫ݓ‬௫ and a height of ‫ݓ‬௬ . The new
coordinates of the reference minutia are now ሺ‫ݓ‬௫ Ȁʹǡ ‫ݓ‬௬ Ȁʹሻ- the centre of
the new 2-dimensional space. The remaining minutiae also shift
invariantly. Hence, the reference minutia serves the purpose of aligning
the remaining minutiae.

Step 3: Polar Transform. The reference minutia and the remaining
minutiae after translation, rotation, and shifting, are then transformed into
polar coordinates described as follows:
ଶ ଶ
ߩ௜ᇱ ൌ ට‫ݔ‬௜ᇱ ൅ ‫ݕ‬௜ᇱ (3.15)
‫ݕ‬௜ᇱ
ߙ௜ᇱ ൌ ሺ ᇱ ሻ (3.16)
‫ݔ‬௜
where ߩ௜ᇱ and ߙ௜ᇱ indicate the radial distance and the radial angle of the ith
minutia in Polar coordinates, and measured in pixels and degree ሾͲǡ ʹߨሻ
respectively.
2 3-Tuple-based Quantisation. The 3-tuple based quantisation is a
polar grid quantisation on all the minutiae. Subsequently, each of the
minutiae can be represented as a vector, ߱ ൌ ሼߩ௤ ǡ ߙ ௤ ǡ ߠ ௤ ሽ with three
positive integers, x, y, and z described as follows:
62 Chapter Two
௤
ߩ௜ ൌ ‫ߩہ‬௜ᇱ Ȁ‫ۂݔ‬ (3.17)
௤
ߙ௜ ൌ ‫ߙہ‬௜ᇱ Ȁ‫ۂݕ‬ (3.18)
௤
ߠ௜ ൌ ‫ߠہ‬௜ᇱ Ȁ‫ۂݖ‬ (3.19)
where / denotes the quotient, x, y and z indicate the radius of the polar grid
segment, radial angle for tolerance, and orientation angle to be tolerated,
respectively. The x is measured in pixels and y, z ‫ א‬ሾͲǡ ʹߨሻ . The
quantisation level is hence determined by x, y and z.
3 Bit-string Generation. Since there are ݈ ൌ ݉݊‫ ݋‬number of polar
grids available, where ݉ ൌ ‫ݓ‬௫ Ȁ‫ ݔ‬, ݊ ൌ ‫ݓ‬௬ Ȁ‫ ݕ‬, ‫ ݋‬ൌ ʹߨȀ‫ ݖ‬, a number of
histogram bins, hi, can be formed to record the number of minutiae that
fall in each of the polar grids. Mathematically, the total number histogram
bins can be calculated as:
௟
ܰ ൌ ෍ ݄௜ (3.20)
௜ୀଵ
where N depicts the total number of minutiae, and l is the total number of
polar grids (histogram bins).
The bit-string can be obtained based on the rule that if a polar grid
contains more than one minutia then it is marked as 1, otherwise 0. The
length of the resultant bit-string is l, which is equivalent to the total
number of polar grids. The Binarisation rule is given as:
ͳ ݂݅ ݄௜ ൒ ͳ
‫ א ݅׊‬ሾͲǡ ݈ሻǡ ܾ௜ ൌ ቄ (3.21)
Ͳ ‫݁ݏ݅ݓݎ݄݁ݐ݋‬
It should be noted that the bit-string generated thus far is based on only
one reference minutia. The processes aforementioned are repeated by
using different minutiae as reference minutiae until the entire minutiae set
has been traversed. Consequently, the length of the resultant bit string is
σே௜ୀଵ ݈௜ .
4 Calculating the Similarity Score between Bit-strings. The
matching score in between two bit-strings can be simply obtained by
finding the intersection of two bit-strings. However, the large difference of
magnitude defined by the total number of ones in the bit-string is a
drawback. Therefore, the matching score can be normalized as follows:
assume that ܾ ௘ represents the enrolled binary template, and ܾ ௤ represents
the query binary template, the similarity matching score can be calculated
as follows:
௤ ௤
ሺ݊௝ ൅ ݊௜௘ ሻ σௗ௞ୀଵሺܾ௝ǡ௞ Ȉ ܾ௜ǡ௞
௘
ሻ
‫݁ݎ݋ܿݏ‬ሺ݅ǡ ݆ሻ ൌ ௤ (3.22)
ሺ݊௝ ሻଶ ൅ ሺ݊௜௘ ሻଶ
ௗ
௤ ௤
݊௝ ൌ ෍ ܾ௝ǡ௞ (3.23)
௞ୀଵ
ௗ
݊௜௘ ൌ ෍ ܾ௜ǡ௞
௘ (3.24)
௞ୀଵ
௤ ௘
where Ȉ represents a bitwise AND operator. σௗ௞ୀଵሺܾ௝ǡ௞ Ȉ ܾ௜ǡ௞ ሻ counts the
positions in the bit-strings that have a value 1 in both query and enrolled
௤
templates, and sums them.݊௝ and ݊௜௘ denote the total number of 1’s of the
query and enrolled templates, respectively. The score ranges from 0 to 1,
where score = 1 indicates a perfect match, and otherwise is not a perfect
match.
Ideally, two bit-strings generated from the same reference minutia have
a perfect match. However, there is no information that indicates that the
reference minutia used in the enrolled template is the same as that used in
the query template. Thus, this requires that we compare all the bit-strings
generated based on the corresponding minutiae, and that we calculate the
maximum similarity score. To do this, a matrix D={dij} is used to store the
similarity scores, where ݀௜௝ ൌ ‫݁ݎ݋ܿݏ‬ሺ݅ǡ ݆ሻ. Next, we calculate ܿҧ the mean
of the maximum distance for each column in dij, shown below:
ܽ௝ ൌ ሼ݀௜௝ ሽ (3.25)
௜

௡
ͳ
ܿҧ ൌ ෍ ܽ௝ (3.26)
݊
௝ୀଵ
64 Chapter Two
Similarly, ‫ݎ‬ҧ the mean of the maximum distance of each row in dij is
computed as follows:
ܾ௜ ൌ ሼ݀௜௝ ሽ (3.27)
௝
௠
ͳ
‫ݎ‬ҧ ൌ ෍ ܾ௜ (3.28)
݉
௜ୀଵ
The bigger value of ܿҧ and ‫ݎ‬ҧ is taken as the final score, s, as in (3.29),
where each of ത and ҧ ranges between 0 and 1. s = 0 indicates a perfect
match, and otherwise is not a perfect match.
ܿҧ ݂݅ ܿҧ ൒ ‫ݎ‬ҧ
‫ݏ‬ൌ൜ (3.29)
‫ݎ‬ҧ ݂݅ܿҧ ൏ ‫ݎ‬ҧ
4 A Realisation of Fuzzy-Identity-based Identification

using Minutia-based Fingerprint Binary Representation
Symmetric key cryptography often comes to mind when a biometric value

is to be discretised. Asymmetric key cryptography, on the other hand, is
not well thought out, though it can provide more functionalities than the
symmetric key cryptography. This is due to the nature of the asymmetric
key cryptography, where the public key is derived from a carefully
selected private key, and the discretised biometric value cannot be used as
the private key, because it is unlikely for the biometric value, which is
unstable and unreliable, to meet some stringent mathematical requirements,
such as randomness, long bit length, and so on. Alternatively, using the
discretised biometric value as the public key is not achievable because the
extraction of the corresponding private key is not computationally feasible.
Fortunately, in one of the cryptography branches, namely, fuzzy
identity-based cryptography (FIBC), the relation of public and private keys
opposes this: Even if a private key is derived from the public key, given
the public key, it is computationally infeasible to extract the private key
without knowing the system secret. Moreover, although FIBC treats the
public key as noisy data, it is able to tolerate errors. The nature of FIBC
makes it a picture-perfect public key cryptography medium to
accommodate the unstable nature of biometrics, provided that the privacy
of biometrics can be sacrificed [41]. However, the privacy concern can be
rectified by using templatte protection techniques,

t ass discussed in
n previous
sections.
4.1 Asymmetric Keey Cryptogrraphy

Diffie and HHellman [42] pioneered
p the thought of puublic key crypptography
(PKC), andd solved the key distribu ution problem m in symmeetric key
cryptographhy. Soon afteer their worrk, Rivest, S Shamir and Adlemen
enriched PK KC by introdducing the concept of the digital signaature [43]
which can pprotect the authenticity
a an
nd integrity oof a public key
k in an
encryption sscheme. The useu of both a public
p key enncryption scheeme and a
digital signaature scheme gave birth to the de facto ccryptography standard,
namely, Pubblic Key Infraastructure (PK KI) [44]. Howeever, PKI view ws digital
signing as a certification process and it requires a C Certification Authority
A
(CA) to gennerate a certifficate in orderr to guaranteee the validity of a user
public key. T This leads to the storage an
nd key managgement problems of the
certificates aand public keyys.
Figure 10. Cooncept of Identiity-Based Crypttography.
The design of a secure and efficien nt cryptographhic scheme without

w a
certificate bbecomes the goal of man ny cryptograpphers. The co oncept of
identity-baseed cryptograpphy (IBC) waas introduced by Shamir [4 45] where
the public kkey is the userr’s public iden ntity (e.g. nam
me, ID numbeer, email,
etc.) as depiicted in Figure 10. A trusteed third party,, namely, a prrivate key
generator (PPKG), is required to generatte the user privvate key for every
e user
based on thheir public keey, thus rulin ng out the neeed for the sttorage of
certificates aand public keyys. Since the PKG
P knows thhe private key
y of every
user, the coompromise off the PKG maaster secret keey would theerefore be
more disastrrous than the compromise of the signingg key of the trraditional
Certificationn Authority. However,
H it is worthwhile tto note that IB
BC makes
66 Chapter Two
good use of the key escrow feature in closed group operations practice,
such as company proxies and gateways.
4.1.1 Identification Scheme
The cryptosystem in a PKC providing authentication (verification in

biometrics) with repudiation properties is called an identification scheme.
The seminal paper on identification schemes was published by Fiat and
Shamir [46]. An identification scheme guarantees one party (through
acquirement of affirmative evidence) of the identity of a second party
involved, and that the second party has been active during the creation of
evidence [47]. In other words, an identification protocol is an interactive
process that allows a prover holding a private key to identify
himself/herself to a verifier who holds the corresponding public key. At
the end of the identification protocol, the verifier learns nothing more than
that the prover owns a valid private key. In particular, the objectives of an
identification scheme take the following measures [47]:
1 If both parties Alice and Bob are honest, Bob can complete the
identification protocol to accept Alice’s identity as authentic.
2 Bob cannot reuse the communication history with Alice to
impersonate Alice to a third party.
3 If somebody else other than Alice is trying to impersonate Alice by
performing the identification protocol with Bob, the probability for

Bob to accept Alice’s identity is negligible.
4 The above points remain true even if:
a. A polynomially large number of identification protocols of
Alice and Bob have been observed.
b. An impersonator participated in pervious execution with either
Alice or Bob, or both of them.
c. Multiple clones of the identification protocol (possibly initiated
by impersonator) can be run in parallel.
One of the primary purposes of identification is to facilitate access control

to a resource where the access right is linked to a particular identity. Some
predominant applications of electronically proving one’s identity are in
credit cards, ATM machines, e-voting, computer remote control, and so on
[47].
The identification schemes with a PKC are well established but not
without certificates. In order to eliminate the certificate storage problem of
Certification Authority, some identity-based identification (IBI) schemes
[48,49] have been published, but are now facing the problem of identity
uniqueness iin practice, deespite that thee security of thhe scheme is provable.
A new useer needs to register an “identity”
“ wiith the system m where
troublesomee procedures anda documen nts are involveed. Besides, there
t will
be cases succh as the loss or
o outdate of user
u public keeys.
The soluution for thee above prob blems is thee fuzzy identtity-based
identificatioon (FIBI), whhich uses a usser public bioometric identiity easily
obtainable aas the public key
k [50].
4.2 Fuzzy Identity-Ba

ased Cryptoography
4.2.1 Fuzzy Identity-Bassed Encryptio
on Scheme
The marriaage of Identiity-based Cry yptosystem ((IBC) and biometrics

b
technology w was first introoduced by Sahhai and Waterrs [41], so to solve the
“identity” reegistration andd key revocattion problem in IBC. They y outlined
the concept of Fuzzy-IBC C (FIBC) by presenting onne of the prim mitives of
IBC, namelly the Fuzzy Identity-baseed encryptionn (FIBE) scheeme [41]
shown in Fiigure 11. FIB BE allows a user
u private kkey corresponding to a
user identityy set ‫( ܦܫ‬enroolled biometric identity) too decrypt a ciphertext
c
encrypted wwith a user puublic identity set‫ܦܫ‬Ԣ
s (queryy biometric identity), if
and only if the user idenntity sets ‫ ܦܫ‬and
a ‫ܦܫ‬Ԣ are at least overlap pped by a
predefined security paraameter. Somee may arguee that publiciizing the
enrolled bioometric data viiolates user prrivacy but thiss concern is resolvable
using biom metric templatte protection n techniques as discussed d in the
previous secctions.
Figure 11. Moodel of FIBE
68 Chapter Two
FIBC can be viewed as an extension of IBC, where public identity in IBC

is now a set of descriptive attributes. Therefore, IBC is actually a special
case of FIBC where there is only one value in the public identity. FIBC
was created to serve biometric identity-based encryption which has an
advantage over the uniqueness of the biometric identity. Moreover, since
biometric identity is naturally linked to humans, FIBC overcomes the key
revocation problem of IBC and PKC.
A few FIBE schemes [51,52,53] have appeared in literature, where
FIBE was extended to attribute-based encryption (ABE) [54,55]. [41]
claimed that FIBE is also an ABE, but their FIBE can only be considered a
general framework of ABE [54,55]. ABE inherits the main concept of
FIBE, whereby the identity set is considered an attribute set.
4.2.2 Fuzzy Identity-Based Signature Scheme
The Fuzzy identity-based signature (FIBS) – a second IBC primitive

underwent development, where several FIBS schemes [56, 57, 58, 59]
have been proposed up to date. The first FIBS was proposed by [56], by
adopting the key extraction technique of Sahai and Waters’ FIBE,
generating the signature by using the query public biometric identity‫ܦܫ‬Ԣ.
The signature of FIBS can be verified successfully if and only if ID
and ‫ܦܫ‬Ԣ overlap for a certain distance metric, where the ‫ ܦܫ‬is the enrolled
public biometric identity used by a PKG during key extraction, as depicted

in Figure 12. The work in [60] shows that the FIBS schemes in [57,58]
suffer from collusion attacks; however, with the binding of components of
a user secret key using a secret sharing scheme, first proposed in Sahai and
Waters’ FIBE [41], the problem is solved. [57,58] did not follow the same
construction as the Sahai-Waters FIBE, and thus left only [56,59] as the
secure FIBS schemes.
Figure 12. Model of FIBS.
4.2.3 Fuzzy Identity-Bassed Identifica

ation Scheme
Figure 13. Moodel of FIBI.
As a third primitive of o IBC, the Identity-basedd Identificatiion (IBI)

discussed inn Section 4.1.11 has also beeen fuzzified, nnamely Fuzzy y Identity-
based Identiification (FIBI) [50], by usiing a techniquue similar to FIBE
F and
FIBS. As shhown in Figuure 13., In FIIBI, a user w who holds thee enrolled
public biom metric identityy ‫ ܦܫ‬will be verified succcessfully by a verifier
which holdss the query biometric
b ntity ‫ܦܫ‬Ԣ if ‫ ܦܫ‬Ԣ is a genuinee identity
iden
and at least d elements off the user private key is connfirmed to be valid, i.e.
ȁ‫ ܦܫ ת ܦܫ‬ᇱ ȁ ൒ ݀. Thereforre, IBI is a sppecial case of FIBI where the public
identity in IIBI is a singlleton. The ad dvantage of F FIBI against FIBE

F and
FIBS is thatt it does not neeed a public directory
d to keeep the enrolleed ID and
it can proviide repudiatioon because th he identificatioon process iss done in
zero knowleedge protocoll. A prover caan send the eenrolled ‫ ܦܫ‬fro om smart
cards and thhe query ‫ܦܫ‬Ԣ from
f a biomeetric reader. UUntil the pressent, only
one FIBI schheme has appeared in the liiterature, and nno implementtation has
been given [50]. We suummarize the similarities oof these prim mitives in
Table 2.
Table 2. Sim
milarities of FIBC
F primitives
FIBE FIBS FIBI

Setup Same Same Same
Extract Same Same Same
Encrypt Encrypt to ID - -
Decrypt Decrypt - -
using ‫ܦܫ‬Ԣ
Sign - Sign ussing -
‫ܦܫ‬Ԣ
70 Chapter Two
Verify - Verify -
using ID
Prover
Identification Protocol - - authenticate
using ‫ܦܫ‬Ԣ
Authentication No Yes Yes
Repudiation No No Yes
Need Public Directory Yes No No
to store ID
4.3 Requirements of Fuzzy Identity-Based Cryptography

The realization of a cryptosystem in FIBC is not trivial since it requires:
1 A biometric trait to be represented in a fixed size discrete array,
2 Each trait element is in a discrete form,
3 Biometric and cryptography must share the same threshold (or
matching score).
The first and second requirements are due to the use of polynomials in
binding the public biometric identity to a user private key, whereby the
polynomial degree d is used as a threshold to verify the genuineness of
biometrics identity. The last requirement is caused by the way the matching
score works, because the AND operation is the only feasible method that can
calculate the matching score in the form of integers. We could view a real
number as a string, but this would require a biometric feature extraction
algorithm to reproduce an identical real number for matching using the
string representation; however, in practicality, this is unlikely to happen.
These requirements originated from the fact that FIBC tolerates errors via
polynomial interpolation. Unfortunately, most biometric modalities are
represented in a set of continuous arrays, such as real numbers.
In this section, we provide proof of the concept of FIBC, by realising
Tan et al.’s FIBI [50] scheme using the minutiae pair-based histogram and
Binarisation method in Section 3.2. The binary string representation
allows calculation of a system-wide biometrics matching score using bit-
wise AND operation which works exactly the same as the predefined
threshold d in the FIBI scheme. Although the current feature elements are
only 1 or 0, and can be used as the public identity elements for user private
key extraction, polynomial interpolation will fail during an identification
protocol, because we can only obtain two pairs of polynomial values (0,
q(0)) and (1,q(1)). Since the AND operation provides the matching score,
we use the index of the bit 1 instead, as a public identity element, and
hence overcome the polynomial interpolation problem. During

identification of the protocol, if the distance is at least as large as d, then d
elements (of the same index as the matched bits) from a user private key
can be used to reconstruct a (d-1)-degree random polynomial. We show
that our technique integrates the security features of both biometric and
cryptography effectively besides fitting well into FIBI in generating a
secure user private key as well as reconstructing the correct information at
the end of an identity verification process.
4.4 Overview on Tan et al.’s FIBI

Before discussing the implementation details of FIBI, we define a few
important symbols used in the scheme.
‫ ܼ א ܦܫ‬௡ – enroll biometric trait
‫ܦܫ‬Ԣ ‫ ܼ א‬௡ – query biometric trait
‫ܦܫ ת ܦܫ‬Ԣ– matching score of ID and ID’
d – security parameter of FIBI
q(x) – polynomial with the input x
H(i, X, v) – hashing algorithm with the input i, X and v
tkID – permutation token
ο௜ǡௌ ሺ‫ݔ‬ሻ – Lagrange coefficient with the input x
PKG
SETUP
1) Generate p, q s.t. q|(p-1)
bit length 2) ݃ ‫ܼ א‬௣ ǡ ‫ܼ א ݏ‬௤ ǡ
mpk = (p, q, g, v, H)
k ‫ି݃ ؠ ݒ‬௦ ݉‫݌݀݋‬
3)‫ܪ‬ǣ ሼͲǡͳሽ‫ כ‬ൈ ‫ ܩ‬ൈ ‫ ܩ‬՜ ܼଶ೗ሺೖሻ
4) Select a secure polynomial
degree d for interpolation.
EXTRACT
ID = {1, 5, 97789, 1) (d - 1)-degree polynomial
‫ݍ‬ሺȉሻ s.t. ‫ݍ‬ሺͲሻ ൌ ‫ ݑ‬՚ ܼ௤ ‫ ݇݌ݑ‬ൌ ሺሼߙ௜ ሽǡ ሼܻ௜ ሽǡ ‫݇ݐ‬ூ஽ ሻ
…, 262144}
2) ܺ ൌ ݃௨ ‫݌‬
3) ሼߙ௜ ሽ ൌ ሼ‫ܪ‬ሺ݅ǡ ܺǡ ‫ݒ‬ሻሽ௜‫א‬ூ஽
4) ሼܻ௜ ሽ ൌ ሼ‫ݍ‬ሺ݅ሻ ൅ ‫ߙݏ‬௜ ሽ௜‫א‬ூ஽
Figure 14. Setup and Extract algorithms performed by PKG.

72 Chapter Two
The FIBI scheme requires a Private Key Generator (PKG) which runs the
Setup algorithm as follows (Figure 14):
1 On input of a security parameter k, choose a large random prime

‫ ݌‬൐ ʹ௞ such that the discrete logarithm problem in the finite field
Zp is difficult.
2 Choose a large prime divisor q 2160 such that q|(p-1).
3 Choose a random generator ݃ ‫ܼ א‬௣ and a random value s in Zq to
compute v=g-s mod q.
4 Select a secure threshold t.
5 Choose a collision resistant hash function H (for instance SHA-1,
SHA-256, SHA-512 etc. [61]) which will take as input a string and
two elements in the group generated by the generator g.
The master public key, mpk=(p, q, g, v, H) will be made public while the
master secret key, msk=s will be kept secret to PKG only.
When a user enrols with the public biometric identity ID to generate
the user private key upk, PKG will run the Extract algorithm as follows
(Figure 14):
1 Choose a random value u Zq and random coefficients ai in Zq for

ͳ ൑ ݅ ൑ ‫ ݐ‬െ ͳ to construct a (t-1)-degree polynomial ‫ݍ‬ሺ‫ݔ‬ሻ ൌ ‫ ݑ‬൅
ܽଵ ‫ ݔ‬ଵ ൅ ‫ ڮ‬൅ ܽ௧ିଵ ‫ ݔ‬௧ିଵ ݉‫ݍ݀݋‬.

2 Compute ‫ ݔ‬ൌ ݃௨ and calculate the hash value
ߙ௜ ൌ ‫ܪ‬ሺ݅ǡ ܺǡ ‫ݒ‬ሻ݉‫ ݍ݀݋‬for every ݅ ‫ܦܫ א‬.
3 Compute ܻ௜ ൌ ‫ݍ‬ሺ݅ሻ ൅ ‫ߙݏ‬௜ for every ݅ ‫ܦܫ א‬.
4 PKG returns the ‫ ݇݌ݑ‬ൌ ሺሼߙ௜ ሽǡ ሼܻ௜ ሽǡ ‫݇ݐ‬ூ஽ ሻ to the user.
During the identification process as shown in Figure 15., the user (prover)
first sends a commitment to the verifier to initiate the protocol. In return,
the verifier sends the challenge to the user, and based on the challenge, the
user generates a response for the verifier. Ultimately, based on the user’s
response, the verifier will output reject or accept:
1 The user chooses random values ሼ‫ݎ‬௜ ሽ௜‫א‬ூ஽ ‫ܼ א‬௤ , computes ሼ‫ݔ‬௜ ሽ ൌ
ሼ݃௥೔ ሽ௜‫א‬ூ஽ ݉‫ ݌݀݋‬and the shares of ܺ ൌ ݃௨ ǣ ሼܺ௜ ሽ ൌ ሼ݃௒೔ ‫ ݒ‬ఈ೔ ሽ௜‫א‬ூ஽ ൌ
ሼ݃௤ሺ௜ሻ ሽ௜‫א‬ூ஽ . The user then sends ሺሼܺ௜ ሽǡ ሼ‫ݔ‬௜ ሽǡ ‫ܦܫ‬ǡ ‫ ܦܫ‬ᇱ ǡ ‫݇ݐ‬ூ஽ ሻ to the
verifier.
2 In return, the verifier chooses a random ܿ ‫ܼ א‬ଶ೗ሺೖሻ as the challenge
and sends c to the user.
3 As a response to the challenge, user calculates ሼ‫ݕ‬௜ ሽ ൌ ሼ‫ݎ‬௜ ൅

ܻܿ௜ ሽ௜‫א‬ூ஽ ݉‫ ݍ݀݋‬and sends ሼ‫ݕ‬௜ ሽ to verifier.
4 The verifier searches for ܵ ൌ ሼ‫ ܦܫ ת ܦܫ‬ᇱ ሽ and in the case of ȁܵȁ ൒ ‫ݐ‬,
ȁܵȁ െ ‫ݐ‬, elements are randomly picked and excluded so that ȁܵȁ ൌ ‫ݐ‬.
The verifier outputs 1 (accept) if, ݃ ௬೔ ൌ ‫ݔ‬௜ ሺܺ௜ Ȁ‫ ݒ‬ఈ೔ ሻ௖ for every
ο ሺ଴ሻ
݅ ‫ ܵ א‬, where ሼߙ௜ ሽ ൌ ሼ‫ܪ‬ሺ݅ǡ ܺǡ ‫ݒ‬ሻሽ௜‫א‬ௌ and ܺ ൌ ςௌ ܺ௜ ೔ǡೄ or 0
(reject) otherwise.
The polynomial ‫ݍ‬ሺȉሻ in an Extract algorithm is a Lagrange polynomial

that binds every ݅ ‫ ܦܫ א‬to the secret value u. It prevents FIBI from a
collusion attack, where more than one legitimate user cannot collude
together to generate a more privileged upk which users alone cannot
accomplish. The polynomial ‫ݍ‬ሺȉሻ ensures that the biometric trait ID is
genuine such that at least t out of n=|ID| attributes are matched in order to
recover the value X by computingܺ ൌ ݃௨ where ‫ ݑ‬ൌ σ௧ିଵ ఎ ‫ݍ‬ሺ݅ఎ ሻο௜ആ ǡௌ ሺͲሻ,
௫ି௝
ܵ ൌ ሼ‫ܦܫ ת ܦܫ‬Ԣሽ and ο௜ആǡௌ ሺ‫ݔ‬ሻ ൌ ς௝‫א‬ௌǡ௝‫ב‬௜ .
௜ି௝
Identification Protocol
ID, upk, mpk mpk
Prover 1) ሼܺ௜ ሽ ൌ ሼ݃௒೔ ‫ ݒ‬ఈ೔ ሽ௜‫א‬ூ஽ ݉‫݌ ݀݋‬ Verifier

ሼܺ௜ ሽǡ ሼ‫ݔ‬௜ ሽǡ ‫ܦܫ‬ǡ ‫ܦܫ‬ᇱ ǡ ‫݇ݐ‬ூ஽
ோ
2) ሼ‫ݎ‬௜ ሽ௜‫א‬ூ஽ ՚ ܼ௤
ோ
c ܿ ՚ ܼଶ೗ሺೖሻ
1) ሼ‫ݕ‬௜ ሽ ൌ ሼ‫ݎ‬௜ ൅ ܻܿ௜ ሽ௜‫א‬ூ஽ ‫ݍ‬

ሼ‫ݕ‬௜ ሽ
1) ܵ ൌ ሼ‫ܦܫ ת ܦܫ‬ᇱ ሽǡ ȁܵȁ ൌ ݀

2) For every ݅ ‫ܵ א‬, check
1 (accept) or 0 (reject) ݃ ௬೔ ൌ ‫ ݔ‬ሺܺ Ȁ‫ ݒ‬ఈ೔ ሻ௖ where
௜ ௜
ሼߙ௜ ሽ ൌ ሼ‫ܪ‬ሺ݅ǡ ܺǡ ‫ݒ‬ሻሽ௜‫א‬ௌ and
ο ሺ଴ሻ
ܺ ൌ ςௌ ܺ௜ ೔ǡೄ
Figure 15. Identification Protocol of prover and verifier.
74 Chapter Two
In the Identification Protocol, the user’s secret information ሼܻ௜ ሽ acts as

the password that proves to the verifier that the person (or to be exact, the
smart card) that initiates the protocol is indeed who he/it claims to be. But
there is a significant diversification where the values ሼܻ௜ ሽ are not revealed
throughout the identification protocol, or otherwise eavesdroppers or the
verifier itself can impersonate the user. The user proves that he knows the
values ሼܻ௜ ሽ by computing the values ሼ‫ݕ‬௜ ሽ as a response to a verifier’s
challenge. This type of protocol is called the honest verifier zero-
knowledge (HVZK) protocol [62]. We also note that this HVZK protocol
is different to the symmetric key cryptosystems’ challenge-and-response
protocol which requires the user and verifier to reach consensus on a
symmetric key prior to the execution of a protocol.
4.4.1 A Case Study
We now present a toy example for FIBI. Consider the scenario where a
credit card company would like to adopt FIBI as a customer identity
verification mechanism. The security administrator Bob will instruct the
Private Key Generator (PKG) to run the Setup algorithm of FIBI for
defining the security parameters mpk and msk as well as the desired
threshold t. To register a user Alice to the system, the PKG runs the
Extract algorithm which takes fingerprint images of Alice as the input. At
the end of biometric feature extraction, a bit string, b is generated and the
indexes of bit 1, ID, are recorded. Then ‫ݍ‬ሺ‫ܦܫ‬ሻ of the (t-1)-degree random
polynomial ‫ݍ‬ሺȉሻ is constructed and bound to the master secret key msk=s
along with the corresponding ߙூ஽ (See step 3 of the Extract algorithm in
Figure 14).
For the purpose of key revocation, the PKG may concatenate the credit
card expiry date to Alice’s ID in the Extract algorithm, such as ߙூ஽ ൌ
‫ܪ‬ሺ‫ܦܫ‬ȁȁ݁‫݁ݎ݅݌ݔ‬ௗ௔௧௘ ǡ ܺǡ ‫ݒ‬ሻ. The PKG will return to Alice her public key ID
and ‫ ݇݌ݑ‬ൌ ሺሼߙ௜ ሽǡ ሼܻ௜ ሽǡ ‫݇ݐ‬ூ஽ ሻ, which are stored in her cryptography-enabled
credit card. Since a biometric trait is used as the public key and no further
documentation is required, we can see that the credit card initialization
process can be completed within minutes under a trained operator.
After receiving her credit card, Alice plans to make some purchases,
and verifies her identity on a credit card verification device, V, comprised
of a fingerprint scanner and a credit card reader. Alice will give V her
fingerprint reading ‫ܦܫ‬Ԣ while scanning her credit card which contains her
public key ‫ ܦܫ‬and upk. V will first calculate Alice’s biometric matching
score ȁ‫ ܦܫ ת ܦܫ‬ᇱ ȁ and reject this if the matching score is lower than the
predefined threshold t. Otherwise, V continues to verify the validity of
Alice’s upk trough the Identification Protocol, and outputs reject or

accept.
Note that throughout the identity verification process, the verification
device V does not need to communicate with any database or authority in
order to verify Alice’s identity. The details of calculations of V outputs
accept are as depicted in Table 3.
Table 3. Toy Example of FIBI

Algorithm Parameters Value
q 557
q bit length 10
p 1102861
k=p bit length 21
Setup ݃ 273948
s 506
v 660497
H SHA-1
t 3
‫ܦܫ‬ {8, 15, 23, 28, 33}
‫ ܦܫ‬bit string 0000000010000001000000010000
1000010
ܷ 116
Extract
ܺ 669450
‫ݍ‬ሺȉሻ 116+520x+3x2
ߙ௜ {48, 288, 21, 469, 320}
ܻ {349, 30, 338, 350, 324}
ܺ௜ {953382, 177830, 1032349,
354429, 824705}
‫ݎ‬௜ {8, 14, 435, 106, 63}
‫ݔ‬ {633433, 828074, 735186,
404711, 994240}
Identification C 372
Protocol ‫ݕ‬௜ {55, 34, 289, 525, 279}
‫ ܦܫ‬ᇱ {2, 8, 14, 23, 28}
ᇱ
‫ ܦܫ‬bit string 0010000010000010000000010000
1000000
ȁ‫ ܦܫ ת ܦܫ‬ᇱ ȁ 3
ο௜ǡௌ ሺ‫ݔ‬ሻ {17, 49, 492}
76 Chapter Two
4.5 Experiment Results

The well-known public database FVC2002 (DB1, DB2) (2002) is used
to evaluate the proposed method. This dataset contains 100 fingers, with
each finger having 8 sample images; 5 out of the 8 images are randomly
selected as the training samples, and the remaining 3 images are used for
testing.
4.5.1 AND Operation as Matching Score
We calculate the matching score using the AND operation as follows.

e q
Assume that b d represents an enrolled bit-string and bd represents a query
bit-string, the matching score, s can be calculated as follows:
௡
௤ ௤
ܵ൫ܾௗ௘ ǡ ܾௗ ൯ ൌ ෍ ቀܾௗ௘೔ Ȉ ܾௗ೔ ቁ
௜ୀଵ
௤
where Ȉ represents a bit-wise AND operator. σ௡௜ୀଵ ቀܾௗ௘೔ Ȉ ܾௗ೔ ቁ counts the
positions in the bit-string that have a bit 1 in both enrolled and query
templates, and sums them. The resultant score is an integer which
௤
represents the matching score, hence ܵ൫ܾௗ௘ ǡ ܾௗ ൯ ൌ ȁ‫ܦܫ ת ܦܫ‬Ԣȁ.

Three performance measurements are used to evaluate the proposed
technique, namely the False Reject Rate, the False Acceptance Rate, and
the Equal Error Rate. FRR refers to the probability that the system fails to
detect a match between the input pattern and a matching template in the
database. It measures the percent of valid inputs which are incorrectly
rejected (FRR). Alternatively, FAR provides the probability that the
system incorrectly matches the input pattern to a non-matching template in
the database. It measures the percent of invalid inputs which are
incorrectly accepted (FAR). Recall that ܵ ൌ ȁ‫ܦܫ ת ܦܫ‬Ԣȁ, FRR and FAR can
be described as follows:
௡௨௠௕௘௥௢௙௥௘௝௘௖௧௘ௗ௚௘௡௨௜௡௘௨௦௘௥௦
‫ ܴܴܨ‬ൌ ൈ ͳͲͲΨ (4.1)
௧௢௧௔௟௡௨௠௕௘௥௢௙௚௘௡௨௜௡௘௔௖௖௘௦௦
௤
Noted a genuine user is rejected if ܵ൫ܾௗ௘ ǡ ܾௗ ൯ ൏ ݀.
௡௨௠௕௘௥௢௙௔௖௖௘௣௧௘ௗ௜௠௣௢௦௧௢௥
‫ ܴܣܨ‬ൌ ൈ ͳͲͲΨ (4.2)
௧௢௧௔௟௡௨௠௕௘௥௢௙௜௠௣௢௦௧௢௥௔௖௖௘௦௦
௤
Noted an impostor is accepted if ܵ൫ܾௗ௘ ǡ ܾௗ ൯ ൒ ݀.
where s and d represent the matching score and pre-defined threshold.

The Equal Error Rate indicates the rate at which both acceptance and
rejection are equal. EER provides an immediate way to compare the
accuracy between different biometrics systems. In general, the lower the
EER, the more accurate the system is considered to be (EER). With the
increase in threshold t, FAR decreases, while FRR increases.
Figure 16. depicts the plot of FAR and FRR against the threshold, t, for
FVC2002 DB1, where EER=3.9% at t=17 and at FAR=0%, and
FRR=27.67% when t=51. Similarly, Figure 17. illustrates the plot of FAR
and FRR against the threshold for FVC2002 DB2, where EER= 3.21% and
FAR = 0%, and FRR = 28% when t is set to 70.
Figure 16. FRR, FAR against threshold for FVC2002 DB1. (EER=3.9% at d=17
and FAR=0%, and FRR=27.67% when d=51).
78 Chapter Two
Figure 17. FRR, FAR against threshold for FVC2002 DB2. (EER=3.21% at d=30
and FAR=0%, and FRR=28% when d=70).
Table 4. A series of data for threshold (d), FAR and FRR for
FVC2002 DB1.
Threshold (d) FAR (%) FRR (%)

16 4.85 3.33
17 3.80 4.00
18 2.96 4.33
19 2.38 4.67
20 1.91 6.00
…… …… ……
50 0.01 26.00
51 0.00 26.67
52 0.00 29.33
Table 5. A series of data for threshold (d), FAR and FRR for
FVC2002 DB2.
Threshold (d) FAR (%) FRR (%)

29 3.97 3.00
30 3.42 3.00
31 2.89 3.33
32 2.50 3.33
33 2.15 4.00
…… …… ……
69 0.01 27.00
70 0.00 28.00
71 0.00 29.00
From Table 4-5, it can be observed that with an increase in threshold d,

FAR decreases while FRR increases.
As a cryptographic protocol, FIBI requires zero risk of intrusion,
though it might be less user convenient. Hence, FAR should be strictly
controlled to 0%, while FRR can be within a certain degree of
inconvenient tolerance. Thus, the threshold d is set to 51 for FVC2002
DB1 and 70 for FVC2002 DB2, so to satisfy a minimal FRR when
FAR=0%. Based on the selected thresholds d, FRRs for FVC2002 DB1,

DB2 are 26.67% and 28% respectively. High FRRs imply less user-
friendly. In other words, the threshold d is directly proportional to FRR,
which is inversely proportional to user convenience.
4.5.2 Normalized AND Operation as Matching Score
In order to increase the user convenience, we now normalize the matching

score as follows, so to achieve lower FRRs when FARs=0%:
σ௡௜ୀଵ ቀܾௗ௘೔ Ȉ ܾௗ௤ ቁ

௤ ೔
ܵ൫ܾௗ௘ ǡ ܾௗ ൯ ൌ
௤
ටσ௡௜ୀଵ ܾௗ௘೔ σ௡௜ୀଵ ܾௗ೔
௤
where Ȉ represents a bit-wise AND operator. σ௡௜ୀଵ ቀܾௗ௘೔ Ȉ ܾௗ೔ ቁ counts the
positions in the bit-string that have a bit 1 in both enrolled and query
௤
templates and sums them. σ௡௜ୀଵ ܾௗ௘೔ and σ௡௜ୀଵ ܾௗ೔ denote the total number of
1’s of the enrolled and query templates.
80 Chapter Two
The same experiment is run again using the normalized matching score.
The results are displayed in Tables 6-7. To avoid statistical biasness,
cross-validation by examining ‫ ଼଻ܥ‬ൌ ͺ combinations is performed. The
average FRR (when FAR=0%) is 0.625%, where the threshold t is set to
0.11 for DB1. Alternatively, the average FRR (when FAR=0%) is 0.25%,
where the threshold t is set to 0.08 for DB2.
Table 6. Performance results for cross validation using FVC2002 DB1.
Training Testing FRR (%) Threshold EER

Images (#th) Images (#th) when for EER (%)
FAR=0%
1,2,3,4,5,6,7 8 0.00 0.08-0.13 0.00
1,2,3,4,5,6,8 7 0.00 0.11-0.14 0.00
1,2,3,4,5,7,8 6 0.00 0.08-0.13 0.00
1,2,3,4,6,7,8 5 2.00 0.06 1.87
1,2,3,5,6,7,8 4 2.00 0.08-0.09 0.00
1,2,4,5,6,7,8 3 0.00 0.09-0.12 0.00
1,3,4,5,6,7,8 2 0.00 0.09-0.13 0.00
2,3,4,5,6,7,8 1 1.00 0.08-0.09 0.00
Average FRR 0.625% Average EER 0.2338
Table 7. Performance results for cross validation using FVC2002 DB2.
Training Testing FRR (%) Threshold EER

Images (#th) Images (#th) when for EER (%)
FAR=0%
1,2,3,4,5,6,7 8 0.00 0.08-0.10 0.00
1,2,3,4,5,6,8 7 0.00 0.08-0.14 0.00
1,2,3,4,5,7,8 6 0.00 0.09-0.11 0.00
1,2,3,4,6,7,8 5 1.00 0.08 0.99
1,2,3,5,6,7,8 4 1.00 0.08-0.09 0.00
1,2,4,5,6,7,8 3 0.00 0.08-0.12 0.00
1,3,4,5,6,7,8 2 0.00 0.08-0.14 0.00
2,3,4,5,6,7,8 1 0.00 0.09-0.12 0.00
Average FRR 0.25% Average EER 0.1238
Figure 18. depicts the plot of FAR and FRR against the normalized
threshold, when the fifth image is used for testing in FVC2002 DB1,
where EER= =1.44% at t=0.06 and FAR R=0%, and F FRR=2% when n t=0.11.
Similarly, F
Figure 19. illuustrates the plot
p of FAR and FRR ag gainst the
normalized tthreshold wheen the fifth im
mage is used ffor testing in FVC2002
F
DB2, wheree EER= 0.99% % when t=0.0 06 and FAR = 0%, and FR RR = 1%
when t=0.088.
Figure 18. F
FRR, FAR against the norm malized threshoold for FVC20
002 DB1.
(EER=1.44%% at t=0.06 and FAR=0%,

F and FRR=2%
F whenn t=0.11).
Figure 19. F
FRR, FAR against the norm malized threshoold for FVC20
002 DB2.
(EER=0.99%% at t=0.06 and FAR=0%,
F and FRR=1%
F whenn t=0.08).
82 Chapter Two
4.5.3 Discussion on Unnormalized and Normalized Matching Scores
At first glance, user convenience was significantly improved when the

normalized matching score was used as the threshold t for FIBI.
Unfortunately, t is now in the form of neither integer nor binary, which is
the fundamental requirement of FIBI. Although we can get around this
issue by assigning a random value for the polynomial threshold d, the
value d is now meaningless as all the errors have been blocked by the
normalized matching score, and have left no error for FIBI to tolerate.
An alternate way to preserve the user convenience brought by a
normalized matching score is to downgrade the FIBI scheme to the
original IBI scheme, as shown in Figure 20-21. Recall that an IBI scheme
views the public key as a publicly verified identity, the discretized binary
string (ID) works fine with IBI. As long as a prover can produce an ‫ ܦܫ‬ᇱ
which passes the normalized matching score during an identification
protocol, the verifier can confidently reuse the same binary string ID
which is used by a PKG to generate the user private key.
Some readers may have realized that the alternative way is purely an
implementation issue and the security of an ID is not covered by IBI
because the matching score is now independent from the IBI scheme. This
shares the similar concept of using biometric key extraction algorithms
such as Fuzzy Extractor, Fuzzy Vault, Fuzzy Commitment, Fuzzy Sketch,
etc. to generate a public key for the IBI scheme. On the contrary, FIBI
binds the ID and the matching score with its user private key generation
process, and thus one can mathematically prove the security of the
biometrics ID. The differences of unnormalized and normalized matching
scores are shown in Table 7.
PKG
SETUP
1) Generate p, q s.t. q|(p-1)
2) ݃ ‫ܼ א‬௣ ǡ ‫ܼ א ݏ‬௤ ǡ mpk = (p, q, g, v, H)
bit length k ‫ି݃ ؠ ݒ‬௦ ݉‫݌݀݋‬
3)‫ܪ‬ǣ ሼͲǡͳሽ‫ כ‬ൈ ‫ ܩ‬ൈ ‫ ܩ‬՜ ܼଶ೗ሺೖሻ
4) Select a secure polynomial
degree d for interpolation.
EXTRACT
ோ
ID = {1262144} 1) ‫ ݑ‬՚ ܼ௤ ‫ ݇݌ݑ‬ൌ ሺߙǡ ܻሻ
2) ܺ ൌ ݃௨ ‫݌‬
3) ߙ ൌ ‫ܪ‬ሺ‫ܦܫ‬ǡ ܺǡ ‫ݒ‬ሻ
4) ܻ ൌ ‫ ݑ‬൅ ‫ߙݏ‬
Figure 20. Setup and Extract algorithms performed by an IBI PKG.

Figure 21. Identification Protocol of a prover and verifier of IBI.
84 Chapter Two
Table 7. Comparisons of unnormalized and normalized matching

scores for FVC2002.
Biometric Cryptography Provable

Suitable
Matching Threshold Threshold Security
Crypto-
Score for
DB1 DB2 DB1 DB2 systems
Biometrics
Un-
51 70 51 70 Yes FIBC
normalized
Normalized 0.11 0.08 N/A N/A No IBC
As we desire the most promising solution for security, the remaining

sections will be based on the unnormalized matching score and FIBI
scheme.
4.6 FIBI Simulation and Computation Time

Using the public biometric identity extraction method presented in the
previous section, we managed to produce a 214 bit string given a user
fingerprint image, as well as to define the threshold d for a matching score
using the AND operation. Note that the change in the value of d will not
affect the security level of FIBI, but instead it affects the security of the
public biometric identity extraction method. When d=0, the ‫ ܦܫ‬ᇱ becomes a
singleton, and the FIBI scheme becomes an IBI scheme. The upk will
change to ܻ ൌ ‫ ݑ‬൅ ‫ܪݏ‬ሺ‫ܦܫ‬ǡ ܺǡ ‫ݒ‬ሻ, and the secret value u can be viewed as
‫ ݑ‬ൌ ‫ݍ‬ሺͲሻ, where ‫ݍ‬ሺ‫ݔ‬ሻ is a 0-degree random polynomial.
Although the resultant d from the experiment appeared to be quite
large, and subsequently yields a longer polynomial which consumes
undesirable processing time, we show in the simulation that the FIBI is
still considerably fast, and the extracted public biometric identity serves
the FIBI scheme perfectly.
4.6.1 Optimizations
After the first step of the protocol, the verifier can decide to continue or
abort the Identification Protocol, based on the condition ȁ‫ܦܫ ת ܦܫ‬Ԣ ൒ ݀ȁ.
If the condition is met, the verifier can now randomly select d elements
from ሼ‫ܦܫ ת ܦܫ‬Ԣሽ so to form the set S, such that ȁܵȁ ൌ ݀ and to send both
the set S and the challenge c to the prover. Thus prover and verifier can
reduce the computations in step 3 and step 4 for a factor of n-d. Note that
this optimization does not affect the security because the verifier only
ο ሺ଴ሻ
needs to know d out of n elements of ܺ௜ to reconstructܺ ൌ ςௌ ܺ௜ ೔ǡೄ ,
and so the prover only needs to prove partial knowledge of upk
corresponding to the set S, which constitutes a partial amount of the
elements of a public biometric identity.
Furthermore, some pre-calculations can be performed for the last step
of the identification protocol. Firstly, the PKG can compute, for the
verifier, the value v-1 during the setup phase, so to avoid the expensive
inverse computation of ‫ ݒ‬ఈ೔ for ͳ ൑ ߟ ൑ ‫ݐ‬. The value v-1 can be used in the
௑೔ആ ఈ೔ ആ
last step of every Identification Protocol, such that ഀ ൌ ܺ௜ആ ሺ‫ି ݒ‬ଵ ሻ .
௩ ೔ആ
Secondly, the verifier can compute the Lagrange coefficient on the point 0,
ο௜ǡௌ ሺͲሻ immediately after determining the set S in step 2, instead of doing
so after receiving the response in step 3.
4.6.2 Results
Using J2SE 6 and NetBeans as the IDE, the FIBI is implemented on an

Intel Core i5-750 2.67GHz, 2GB RAM with Windows XP Professional
Service Pack 3. For our experiment, fingerprint images are selected from
two datasets FVC2002 DB1 and FVC2002 DB2. Five out of eight
fingerprint images of each finger are used to generate the enroll public
biometric identity, ID for PKG, while the remaining three fingerprint
images are used as the query public biometric identity, ‫ܦܫ‬Ԣ in the
Identification Protocol. During the execution, we randomly select the enroll
IDi for the Extract algorithm and the query ‫ܦܫ‬Ԣ௜ǡ௝ for the Identification
Protocol, where dDB1=51 and dDB2=70 for respective databases, ͳ ൑ ݅ ൑ ͳͲ
and ͳ ൑ ݆ ൑ ͵. We set the prime q to 160 bits in length, and the prime p to
1024 bits in length, with SHA-1 as the hashing algorithm.
The FIBI is executed for 1000 rounds, where the algorithms Setup,
Extract, and Identification Protocols are executed sequentially. The
average timing is calculated in nanoseconds, as shown in Table 8.
Table 8. Average timing of 1000 rounds of FIBI
Time (ns)
Algorithm
FVC2002 DB1 FVC2002 DB2
Setup 79,404,858 65,972,061
Minutiae to bit string 143,200,000 223,400,000
Extract 64,518,216 102,428,066
Identification Protocol 1,545,331,531 2,218,116,221
86 Chapter Two
5 Conclusion
In this chapter, we review the security and privacy concerns associated
with the minutiae-based fingerprint representation, and then implement a
technique for securing fingerprint minutia templates by a cryptographic
realization. The first of the two parts investigates various minutia-based
fingerprint representations, which can be categorized as fixed-length and
variable-size. Three methods are used to demonstrate the generation of
fingerprint representations from minutiae. The second part of this chapter
introduces a cryptographic realization transforming such representations
into secure templates. The integration of biometrics and cryptography
based on fuzzy identity-based identification (FIBI) is illustrated by
manipulating fingerprint templates using a minutiae indexing mechanism.
The experimental result shows that our three-move identification protocol
for handling the FIBI scheme can be completed within two seconds, with
high accuracy performance FAR=0% and FRR=28%. Finally, we discuss
the impact of the normalized/unnormalized threshold on the security of
FIBI.
References
[1] D. Maltoni, D. Maio, A.K. Jain, and S. Prabhakar. Handbook of
fingerprint recognition. 2nd ed., Springer-Verlag, 2009.

[2] A. Nagar. “Biometric Template Security,” Ph.D. dissertation, Dept.
Comp. Sci. & Engn., Michigan State Univ, 2012.
[3] A. B. J. Teoh, A. Goh, and D. C. L. Ngo. “Random multispace
quantisation as an analytic mechanism for BioHashing of biometric
and random identity inputs,” IEEE Transactions on Pattern Analysis
and Machine Intelligence, 28.12 (2006): 1892–1901.
[4] A. K. Jain, K. Nandakumar, N Abhishek. “Biometric template
security,” EURASIP Journal of Advances in Signal Processing.
vol.2008, Article ID: 579416, 2008.
[5] A. Juels and M. Wattenberg. “A fuzzy commitment scheme,”
Proceedings of the 6th ACM Conference on Computer and
Communications Security, Singapore,1-4 November,1999, 28–36.
[6] A. Juels and M. Sudan. “A fuzzy vault scheme,” Proceedings of IEEE
International Symposium on Information Theory, Lausanne,
Switzerland, 30 June – 5 July 2002, 237-257.
[7] Y. Dodis, R. Ostrovsky, L. Reyzin, & A. Smith. “Fuzzy Extractors:
How to Generate Strong Keys from Biometrics and Other Noisy Data,”
SIAM Journal on Computing, 38.1 (2008): 523-540.
[8] N. K. Ratha, S. Chikkerur, J. H. Connell, and R. M. Bolle. “Generating

cancelable fingerprint templates,” IEEE Transactions on Pattern
Analysis and Machine Intelligence, 29.4 (2007): 561–572.
[9] J. G. Daugman. “High confidence visual recognition of persons by a
test of statistical independence,” IEEE Transactions on Pattern
Analysis and Machine Intelligence, 15.11 (1993): 1148-1161.
[10] A. K. Kong, D. Zhang. “Competitive coding scheme for palmprint
verification,” Proceedings of the 17th International Conference
on Pattern Recognition, Vol. 1. Cambridge, UK, 23-26 August 2004.
520-523.
[11] M. H. Lim and A. B. J. Teoh. “A Novel Encoding Scheme for
Effective Biometric Discretization: Linearly Separable Subcode,”
IEEE Transactions on Pattern Analysis and Machine Intelligence, 35.2
(2013): 300-313.
[12] C. Chen, R. N. J. Veldhuis, T. A. M. Kevenaar, and A. H. M.
Akkermans. “Biometric quantisation through detection rate optimized
bit allocation,” EURASIP J. Adv. Signal Process., 2009.29 (2009): 1–
16.
[13] M. H. Lim, A. B. J. Teoh, and K.-A. Toh. “An efficient dynamic
reliability-dependent bit allocation for biometric discretization,”
Pattern Recognition, 45.5 (2012): 1960–1971.
[14] X. Jiang and W.Y. Yau, “Fingerprint Minutiae Matching Based on
the Local and Global Structures,” Proceedings of the 15th International

Conference on Pattern Recognition, Vol. 2, Barcelona, Spain,
September 3-8, 2000. 6038-6041.
[15] Y. Sutcu, Q. Li, and N. Memon. “Secure Biometric Templates from
Fingerprint-Face Features,” Proceedings of Computer Vision and
Pattern Recognition Workshop on Biometrics, Minneapolis Minnesota
USA, 17-22 June 2007. 1-6.
[16] Y. Sutcu, H. T. Sencar, and N. Memon. “A geometric transformation
to protect minutiae-based fingerprint templates,” Proceedings of
Defense and Security Symposium, 6539.1 (2007): 65390E–65390E–8.
[17] Y. Sutcu, S. Rane, J. S. Yedidia, S. C. Draper, and A. Vetro. “Feature
extraction for a Slepian-Wolf biometric system using LDPC codes,”
Proceedings of IEEE International Symposium on Information Theory,
Toronto, Ontario, Canada, 6-11 July 2008. 2297 –2301.
[18] M. H. Jakubowski, & R. Venkatesan. “Randomized radon transforms
for biometric authentication via fingerprint hashing,” Proceedings of
the 2007 ACM workshop on Digital Rights Management, Alexandria,
Virginia, USA, 29 October, 2007. 90-94.
88 Chapter Two
[19] Z. Jin, A. B. J. Teoh, T. S. Ong & C. Tee. “Secure Minutiae-Based

Fingerprint Templates Using Random Triangle Hashing,” Proceedings
of the 1st International Visual Informatics Conference, Kuala Lumpur,
Malaysia, 11-13 November 2009. 521-531.
[20] A. Nagar, S. Rane, and A. Vetro. “Privacy and Security of Features
extracted from Minutiae Aggregates,” Proceedings of the IEEE
International Conference on Acoustics, Speech and Signal Processing,
Dallas, Texas, USA, 14–19 March 2010. 524–531.
[21] J. Bringer, and V. Despiegel. “Binary feature vector fingerprint
representation from minutiae vicinities,” Proceedings of the IEEE
International Conference on Biometrics: Theory Applications and
Systems (BTAS), Washington D.C. USA, 28-30 September 2010. 1–6.
[22] E. Liu, H. Zhao, J. Liang, L. Pang, H. Chen, and J. Tian. “Random
local region descriptor (RLRD): A new method for fixed-length feature
representation of fingerprint image and its application to template
protection,” Future Generation Computer Systems, 28.1 (2012):236–
243.
[23] M. Tico and P. Kuosmanen. “Fingerprint matching using an
orientation-based minutia descriptor,” IEEE Transactions on Pattern
Analysis and Machine Intelligence, 25.8 (2003):1009–1014.
[24] F. Farooq, R. Bolle, T. Jea, and N. Ratha. “Anonymous and revocable
fingerprint recognition,” Proceedings of the IEEE International
Conference on Computer Vision and Pattern Recognition, Minneapolis

Minnesota USA, 17-22 June 2007. 1-6.
[25] Z. Jin, A. B. J. Teoh, T. S. Ong, C. Tee. “A Revocable Fingerprint
Template for Security and Privacy Preserving”, KSII Transactions on
Internet and Information Systems. 4.6 (2010):1327-1341.
[26] H. Xu, R. Veldhuis, T. Kevenaar, A. Akkermans, and A. Bazen.
“Spectral minutiae: A fixed-length representation of a minutiae set,”
Proceedings of the IEEE International Conference on Computer Vision
and Pattern Recognition Workshop on Biometrics, Anchorage, Alaska,
USA, 24-26 June 2008. 1-6.
[27] K. Nandakumar. “A fingerprint cryptosystem based on minutiae
phase spectrum,” Proceedings of the IEEE International Workshop on
Information Forensics and Security, Seattle, USA, 12-15 December
2010. 1-6.
[28] C. Lee, and J. Kim. “Cancelable fingerprint templates using minutiae-
based bit-strings,” J Network Comput Appl, 33.3 (2010):236-246.
[29] Z. Jin, Andrew B. J. Teoh, T. S. Ong, C. Tee. “Fingerprint Template
Protection with Minutiae-based Bit-string for Security and Privacy
Preserving,” Expert Systems with Applications. 39.6 (2012): 6157–

6167.
[30] R. Cappelli, M. Ferrara, and D. Maltoni. “Minutia Cylinder-Code: a
new representation and matching technique for fingerprint
recognition,” IEEE Transactions on Pattern Analysis and Machine
Intelligence, 32.12 (2010): 2128 – 2141.
[31] B. Yang, and C. Busch. “Parameterized geometric alignment for
minutiae-based fingerprint template protection,” Proceedings of the
IEEE 3rd International Conference on Biometrics: Theory,
Applications and Systems (BTAS 09), Washington D.C. USA, 28-30
September 2009. 340-345.
[32] K. Simoens, C. M. Chang, and B. Preneel. “Reversing Protected
Minutiae Vicinities,” Proceedings of the IEEE 4th International
Conference on Biometrics: Theory, Applications and Systems (BTAS
10), Washington D.C. USA, 27-29 September 2010. 1-8.
[33] S. Wang, J. Hu. “Alignment-free cancelable fingerprint template
design: A densely infinite-to-one mapping (DITOM) approach,”
Pattern Recognition, 45.12 (2012): 4129-4137.
[34] W. J., Wong, A. B. J. Teoh, D. M. L. Wong, & Y. H. Kho. “Enhanced
multi-line code for minutiae-based fingerprint template
protection,” Pattern Recognition Letters, 34.11 (2013):1221-1229.
[35] C. Hill. “Risk of masquerade arising from the storage of biometrics,”
Master’s thesis, Australian National University, 2001.

[36] A. K. Ross, J. Shah, and A. K. Jain, “From Template to Image:
Reconstructing Fingerprints From Minutiae Points,” IEEE
Transactions on Pattern Analysis and Machine Intelligence, 29.4
(2007):544–560.
[37] R. Cappelli, A. Lumini, D. Maio, and D. Maltoni. “Fingerprint Image
Reconstruction From Standard Templates,” IEEE Transactions on
Pattern Analysis and Machine Intelligence, 29.9 (2007):1489–1503.
[38] J. Feng and A. K. Jain. “Fingerprint reconstruction: From minutiae to
phase,” IEEE Transactions on Pattern Analysis and Machine
Intelligence, 33.2 (2011):209–223.
[39] M. Ferrara, D. Maltoni, R. Cappelli. “Noninvertible Minutia
Cylinder-Code Representation,” IEEE Transactions on Information
Forensics and Security, 7.6 (2012):1727-1737.
[40] G. Parziale, and A. Niel. “A fingerprint matching using minutiae
triangulation,” Proceedings of The first International Conference on
Biometric Authentication, Hong Kong, 15-17 July 2004. 241-248.
90 Chapter Two
[41] A. Sahai, and B. Waters. “Fuzzy Identity-Based Encryption,”

Proceedings of the EUROCRYPT, Vol. 3494, Aarhus, Denmark, 22-26
May 2005. 457–473.
[42] W. Diffie, and M. E. Hellman. “New Directions in Cryptography,”
IEEE Transactions on Information Theory, 22.6 (1976): 644–654.
[43] R. L. Rivest, A. Shamir, and L. Adleman. “A method for obtaining
digital signatures and public-key cryptosystems,” Communications of
the ACM, 21.2 (1978), 120-126.
[44] “PKI Technical Standards.” Oasis PKI, n.d. Web. 8 June 2014.
(http://www.oasis-pki.org/resources/techstandards)
[45] A. Shamir. “Identity-Based Cryptosystems and Signature Schemes,”
Proceedings of the CRYPTO, Vol. 0196, Santa Barbara, California,
USA, 19-22 August 1984. 47–53.
[46] A. Fiat, and A. Shamir. “How to Prove Yourself: Practical Solutions
to Identification and Signature Problems,” Proceedings of the
CRYPTO, Vol. 263, Santa Barbara, California, USA. 1986. 186–194.
[47] A. J. Menezes, and T. Okamoto, and S. A. Vanstone. “Handbook of
Applied Cryptography.” New York: CRC Press, 1997.
[48] K. Kurosawa, and S.-H. Heng. “From Digital Signature to ID-Based
Identification/Signature,” Proceedings of the PKC, Vol. 2947,
Singapore, 1-4 March 2004. 248–261.
[49] M. Bellare, C. Namprempre, and G. Neven. “Security Proofs for
Identity-Based Identification and Signature Schemes,” Proceedings of

the EUROCRYPT, Vol. 3027, Interlaken, Switzerland, 2-6 May 2004.
268 – 286.
[50] S.-Y Tan, S.-H.Heng, B.-M. Goi, and SangJae Moon. “Fuzzy
Identity-Based Identification Scheme,” Proceedings of UNESST, Vol.
62, Jeju Island, Korea, 10-12 December 2009. 123-130.
[51] J. Baek, W. Susilo, and Jianying Zhou. “New Constructions of Fuzzy
Identity-Based Encryption,” Proceedings of the 14th ACM Conference
on Computer and Communication Security, Alexandria, USA, 29
October – 2 November 2007. 368 – 370.
[52] Y. Ren, D. Gu, S. Wang, and X. Zhang. “New Fuzzy Identity-Based
Encryption in the Standard Model.” Informatica, 21.3 (2010): 393–407.
[53] W. Shi, I. Jang, and S. Y. Hyeong. “An Improved Fuzzy Identity-
Based Encryption Scheme With Constant Size Ciphertext.”
International Journal of Digital Content Technology and its
Applications, 4.4 (2010). 7-14.
[54] V. Goyal, O. Pandey, A. Sahai, and B. Waters. “Attribute-Based
Encryption for Fine-Grained Access Control of Encrypted Data,”
Communication Security, Alexandria, USA, 30 October – 3 November

2006. 89–98.
[55] J. Bethencourt, A. Sahai, and B. Waters. “Ciphertext-Policy
Attribute-Based Encryption,” Proceedings of the 2007 IEEE
Symposium on Security and Privacy, Oakland, USA,20-23 May 2007.
321 – 334.
[56] P. Yang, Z. Cao, and X. Dong. “Fuzzy Identity Based Signature with
Application to Biometric Authentication.” Computers Electrical
Engineering, 37.4 (2011):532-540.
[57] W. Chen, L. Zhu, X. Cao, and Y. Geng. “A Novel Fuzzy Identity-
Based Signature with Dynamic Threshold,” Proceedings of Network
and System Security, Gold Coast, Australia, 19-21 October, 2009, 192-
198.
[58] C. J. Wang, and J. H. Kim. “Two Constructions Of Fuzzy Identity
Based Signature,” Proceedings of Biomedical Engineering and
Informatics, Tianjin, China, 17-19 October, 2009. 1-5.
[59] C. J. Wang, W. Chen, and Y. Liu. “A Fuzzy Identity Based Signature
Scheme,” Proceedings of E-Business and Information System Security,
Wuhan, China, 23-24 May 2009, 1-5.
[60] S.-Y. Tan, S.-H. Heng, and B.-M. Goi. “On the Security of Two
Fuzzy Identity-Based Signature Schemes,” Proceedings of the IFIP
International Conference on New Technologies, Mobility and Security,
Paris, France, 7-10 Feb. 2011, 1-5.

[61] “Secure Hash Standard.” National Institute of Standards, n.d. Web. 8
June 2014. (http://csrc.nist.gov/publications/fips/fips180-2/fips180-
2withchangenotice.pdf)
[62] O. Goldreich. “Foundation of Cryptography.” Volume 1, Basic Tools,
1st ed. New York: Cambridge University Press, 2007.
CHAPTER THREE
PALMPRINT TEMPLATE PROTECTION

TECHNOLOGIES
LU LENG
KEY LABORATORY OF NON-DESTRUCTIVE TEST (MINISTRY
OF EDUCATION), NANCHANG HANGKONG UNIVERSITY,
NANCHANG, P. R. CHINA
SCHOOL OF ELECTRICAL AND ELECTRONIC ENGINEERING,
COLLEGE OF ENGINEERING, YONSEI UNIVERSITY, SEOUL,
SOUTH KOREA
Abstract
Palmprint biometrics has been widely used for recognition or verification

due to its unique characteristics over other biometrics, such as high
accuracy, low cost and high user acceptance. However, as other
biometrics, palmprint biometrics is also vulnerable to the security and
privacy problems, and hence palmprint template protection is essential.
This chapter introduces and compares the existing palmprint template
protection technologies, which can be divided into three categories,
namely palmprint cryptosystems, cancellable palmprints, and hybrid
methods. Finally, conclusions are drawn and the future outlook is
summarized.
Keywords: Palmprint Template Protection, Palmprint Cryptosystem,

Cancellable Palmprint, Hybrid Protection.
1 Introduction
Compared with other biometrics such as the fingerprint, face, and iris, the
history of palmprint biometrics is relatively short. However, due to the
Palmprint Template Protection Technologies 93
characteristics of palmprint, such as high accuracy performance, low cost,

and good user acceptance, palmprint biometrics has been widely accepted
and deployed recently [1].
Unfortunately, the security and privacy problems that plague other
biometrics [2,3] also present themselves in palmprint biometrics. These
are as follows:
x Palmprint features are immutable, which implies that palmprint

templates cannot be revoked and reissued even if they are
compromised.
x With the widespread usage of palmprint systems, palmprint
templates are stored diversely in different databases. The security
levels of these databases differ. If the palmprint templates in a
database with low security level are compromised, the templates
stored in other databases are no longer safe.
x User privacy information, such as gene deficiency and health
condition, is likely to leak from original palmprint features.
Thus it is essential to develop palmprint template protection technologies

to avoid direct use of original palmprint features.
This chapter introduces and compares the existing palmprint template
protection technologies. Section 2 introduces the related preliminary
knowledge. The three categories of palmprint protection technologies,

namely palmprint cryptosystems, cancellable palmprints, and hybrid
approaches, are elaborated in Sections 3, 4 and 5, respectively. Finally,
conclusions are drawn, and the future outlook is presented in Section 6.
2 Preliminary Knowledge
Before delving into the palmprint template protection, we first provide a
brief account of the background of palmprint biometrics.
2.1 Palmprint Feature Representation and Matching

Palmprint refers to the features in the palm region between the root of
finger and wrist. Palmprints can be acquired in either online mode (e.g.
taken with a camera, webcam, or scanner) or offline mode (e.g. taken with
ink and paper).
Palmprints contain principal lines, wrinkles (secondary lines) and
epidermal ridges [4]. Thus several discriminant features, such as minutiae,
textures, indents, and marks, can be extracted for recognition/verification.
94 Chapter Three
According to the feature representations of palmprint, several matching

approaches have been proposed, which can be briefly classified into the
following:
(1) Geometry-based Palmprints
It is feasible to represent palmprint features using geometrical elements

such as lines, minutiae, as well as their orientations and types. Lines in
palmprints, such as principal lines (i.e. head line, life line and heart line),
and coarse wrinkles, are the basic features of palmprints. Similar to
fingerprints, palmprints can also employ minutiae for
recognition/verification; however, minutiae can be accurately detected
only in high resolution images.
Geometry-based matching finds geometrical alignment between
enrolled and query templates, and then computes the maximum number of
feature pairs or smallest/largest degree of dissimilarity/similarity [5].
(2) Feature-based Palmprints
The performance of geometry-based representation matching relies

heavily on image quality. Alternatively, other discriminant palmprint
features, such as magnitude, phase, or local orientation, can be modelled
and extracted.
Binary coding expresses features with a bit string, which saves
computation/storage cost and has favourable verification performance
even in large databases. In [6], palmprint images are filtered with a Gabor
filter; after this the real and imaginary results are respectively binarized to
be PalmCode. Thereafter, techniques like Fusion Code [7], Competitive
Code [8], Ordinal Code [9], Robust Line Orientation Code [10] and Binary
Orientation Co-Occurrence Vector [11] were developed further, taking full
advantage of the binarized features along with multi-orientations.
Feature-based matching measures the similarity/dissimilarity between
two feature vectors/matrices with Euclidean distance, Hamming distance,
angular distance, etc.
2.2 Matching between Palmprint Codes

The existing palmprint protection technologies are mainly designed to
generate protected binary palmprint codes. Thus the dissimilarities
between the protected templates in this chapter are mainly measured
through Hamming distance.
Assume a and b are two palmprint feature vectors expressed with

binary codes. The normalized Hamming distance between them is
computed by:
¦a i bi
H a, b i 1 (1)
n
where is a bitwise exclusive-or (XOR) operator, n is the length of a

and b, ai and bi are the i-th entries of a and b, respectively.
Assume that A and B are two palmprint feature matrices expressed
with binary codes. The normalized Hamming distance between them is
computed by:
m n
¦¦ A i, j Ǻi , j
H A, Ǻ (2)
i 1 j 1
mn
where the size of A and B is m×n, Ai,j and Bi,j are the entries of A and B in
the i-th row and j-th column, respectively.
2.3 Criteria of Biometric Template Protection

With the maturation of biometric technologies, security and privacy issues
have become the bottlenecks of practical application. To overcome the
deficiencies of direct usage of original biometric features, no original
features should be used or stored in biometric systems; therefore, original
features should be replaced with their protected versions.
Biometrics, as an invariable factor, is immutable; an external variable
factor is needed for the generation of a protected template. The variable
factor, such as token, key, seed, and ID card, can be changed or updated.
As shown in Figure 1, the biometric and variable factors are fused with a
specific function so to generate a protected template that is changeable.
96 Chapter Three
Original biometric Protected

Specific function
(invariable factor) biometric
Token/key/seed/ID card
(variable factor)
Figure 1. Framework of biometric template protection with variable factor.
Basic criteria evaluating biometric template protection include [12].
x Diversity: Original features can be fused with different variable

factors to generate diversified protected templates stored across
different databases. The diversity ensures the security of the
templates in various databases.
x Revocability/Reissuing: When the protected biometric template is
compromised, revocation can be carried out by changing the
variable factor. The dissimilarity between the previous and updated
protected templates should be large enough to ensure the
independency of two protected templates. In general, diversity and
revocability/reissuing are equivalent and can be collectively called
“changeability”.
x Non-invertibility: The specific function should be non-invertible

so that the original features cannot be restored; even if both the
protected biometric template and the variable factor are leaked.
Non-invertibility ensures the privacy of biometric data.
x Accuracy Performance: The accuracy performance of a protected
template should be evaluated in two scenarios. In the best-case
scenario, all users have their own distinct specific variable factors.
In the worst-case scenario, all users share the identical variable
factor. The worst-case scenario is equivalent to the case that users’
variable factors are stolen. The accuracy performance of a protected
template should be comparable to its original counterpart,
especially in the worst-case scenario. In other words, the accuracy
performance of original biometrics should not be obviously
degraded after being transformed by a specific function.
x Feature Correlation: In addition to the above criteria, a new
criterion is suggested to supplement the system, i.e. the correlation
between the adjacent entries in a protected template. A statistical
attack can damage a protected template if the adjacent entries are of
high correlation. Therefore, low feature correlation in a protected

template is required.
It is a great challenge to satisfy all criteria simultaneously. It is especially

very difficult to reconcile the contradiction between non-invertibility and
accuracy performance, that is, strong non-invertibility is likely to result in
deterioration of accuracy performance. However, weak non-invertibility
cannot ensure security level.
Palmprint template protection technologies can be briefly categorized
into palmprint cryptosystems, cancellable palmprints, and hybrid methods,
which are elaborated in the following sections.
3 Palmprint Cryptosystems
There are a large number of cryptosystems available. If palmprint features,
considered as an authentication factor, are embedded in the existing
cryptosystems, the application range of palmprint biometrics will become
much broader. With the reference of embedding mechanisms, existing
palmprint cryptosystems can be divided into palmprint key generation and
key-binding. Furthermore, key-binding-based palmprint protection
technologies include palmprint fuzzy commitment and palmprint fuzzy
vault.
3.1 Palmprint Key Generation

Palmprint key generation attempts to extract identical features from the
palmprint samples of the same class, which can be directly used as a secret
key in cryptosystems. The identical palmprint feature is called palmprint
key, which can be directly protected by using one-way functions, e.g.
MD5, SHA-1, etc. However, due to noise, imperfect acquisition and other
disturbances, it is very difficult, if not impossible, to extract identical
biometric features, including palmprint features.
In [13], Wu et al. used hash function to protect palmprint key, which
was extracted with BCH error correction code (ECC). The framework of
their scheme is shown in Figure 2.
98 Chapter Three
Plaintext S Encrypting
Ciphertext
Palmprint key Hash PB
CS
function
Palmprint Feature
extraction Error correction Database
encoding
(a) Encrypting phase.
Ciphertext CS
PB
Decrypting
Palmprint Plaintext
Database
key S
Palmprint Feature Error Hash

extraction correcting function
(b) Decrypting phase.

Figure 2. Cryptosystem with palmprint key.
In the encrypting phase, the enrolled binary feature code is firstly extracted
as a palmprint key. Then, the BCH code and hash value of the palmprint
key are computed. The BCH code constitutes two parts: the original word
and parity bits (PB) used for word correction. Here, plaintext S is
encrypted. Finally, PB and ciphertext CS are stored in the database.
In the decrypting phase, the query binary feature code is extracted and
its error is corrected with PB to recover the palmprint key. Finally, CS can
be decrypted and S is retrieved.
Advantages:
x ECC helps extract the identical feature code as a palmprint key

whose security is ensured by hash function.
Disadvantages:
x The palmprint key is not changeable.

x The parity bits (PB) stored in the database are likely to leak the
information of original palmprint feature code.
3.2 Palmprint Fuzzy Commitment

In [14], Wu et al. developed another palmprint cryptosystem based on
fuzzy commitment [15]. The framework of their scheme is shown in
Figure 3.
Template CS
Secret S Encoding XOR
Codeword
Palmprint Feature Database

extraction Feature code
(a) Enrolment phase.

Template CS Codeword
XOR
Feature
code Decoding
Database
Feature
Palmprint extraction Secret S
(b) Authentication phase.
Figure 3. Palmprint fuzzy commitment.
In the enrolment phase, a secret S is encoded as a codeword with Reed-

Solomon ECC. The enrolled feature code is bound with a codeword, i.e.
template CS is the XORing result of the codeword and feature code.
Thereafter, CS is stored in the database.
In the authentication phase, the query feature code is extracted and
used for de-binding, by XORing with CS to release the codeword. Finally,
S is retrieved by decoding using Reed-Solomon ECC.
100 Chapter Three
Advantages:
x The codeword is computed from secret S, rendering it

independent to the palmprint feature; therefore, the palmprint
feature is protected, despite that the codeword has been analysed.
Disadvantages:
x The palmprint feature is insecure once CS and S are leaked.

x CS is not uniformly distributed, nor is the codeword, which
degrades the privacy of original palmprint feature code.
3.3 Palmprint Fuzzy Vault

In fuzzy vault [16], the secret is encoded for polynomial construction.
Biometric features are projected onto a polynomial, and then embedded as
genuine points. A number of chaff points are generated, which are mixed
with genuine points. During the authentication stage, the genuine points
can be retrieved if the query biometric features are sufficiently close to the
enrolled features. Finally, the secret can be restored by using the
reconstructed polynomial.
In [17], Kumar et al. designed a palmprint fuzzy vault, shown in Figure
4.
In the enrolment phase, secret S is encoded to generate a codeword SE
with Reed-Solomon ECC. Following this, the codeword-grid is generated
by filling it with pseudo-random numbers (PRNs) and SE. Palmprint
features are extracted and normalized, and then a palmprint-grid is
generated, which is filled by the normalized features at the same position
of SE. A codeword-grid and palmprint-grid are bound to lock Vault V.
In the authentication phase, a query palmprint-grid is generated and
used to de-bind V. The true positions of SE can be retrieved with the
genuine palmprint-grid, so that the codeword can be restored. Through
decoding, V can be unlocked and S can be released.
Codeword-grid
Secret S SE Filling PRN
Encoding Binding
and SE
Palmprint Feature extraction Vault V

and normalization Palmprint-grid
Feature extraction
Palmprint
and normalization
Palmprint-grid Noise
codeword-grid
Vault V De-binding Retrieving
Noise codeword
Secret S Decoding

Figure 4. Palmprint fuzzy vault.
In [18], Liu et al. designed a multidimensional palmprint fuzzy vault. To

construct variance-tolerant space, a metric space is defined. The feature
vector is mapped into sub-vectors so to construct a linear subspace, in
which intra-class variances can be effectively tolerated. Multidimensional
palmprint fuzzy vault, which is locked with the sub-vectors, maintains
accuracy performance and security level.
Advantages:
x Similar to palmprint commitment scheme, the codeword for vault

V locking is computed from secret S, which is independent to
palmprint features.
Disadvantages:
x The palmprint feature is not secure once V and S are both leaked,
i.e. non-invertibility is not satisfied.
102 Chapter Three
x It is difficult to ensure that the genuine points and chaff points are
mixed uniformly.
x There is a conflict between security and accuracy. Security level is
low if the number of chaff points is small. However, it is hard to
retrieve enough genuine points if too many chaff points are added
into the vault.
x An attacker can exploit the correlation between the multiple
templates in different databases to retrieve genuine points.
3.4 Summary
Although several palmprint cryptosystems have been developed, a number
of open problems persist:
x The original palmprint feature should be immediately

transformed into a protected form after acquired, i.e. no original
feature should be used or stored in the systems. In addition, no
original feature can be restored or leaked.
x The computational complexity of error correction increases with
the size of the palmprint feature. Since computational complexity
hinders practical applications, how to reduce the computational
complexity is another important issue.
4 Cancellable Palmprints
Cancellable palmprint methods encrypt or transform an original palmprint
feature to its protected version through specific functions, a process which
can be briefly classified into invertible and non-invertible methods.
x Invertible methods attempt to protect palmprint features with the

help of cryptography. Since no original palmprint feature should
be used or stored, the protected feature can be verified directly,
which means that the restoration of original feature is forbidden.
Encrypted palmprint [19-21] and random field shift [22] are two
representative instances of this technique.
x Non-invertible methods employ non-invertible functions to
protect palmprint features, include Cancellable PalmCode [23],
PalmHashing [24], and cancellable palmprint codes [25,26].
4.1 Encrypted Palmprint

In Li et al.’s schemes [19-21], a pseudo-random binary sequence is
generated with a variable factor. The encrypted code is the XORing result
of the pseudo-random sequence (PRS) and feature code. The framework of
their encrypted palmprint is shown in Figure 5.
Palmprint Feature Feature Palmprint

extraction extraction
Feature code
PRS XOR XOR PRS
Encrypted code
Database Match
Result
Enrolment Authentication
Figure 5. Framework of encrypted palmprint.
The recognition/verification performance of encrypted palmprint code

should be analysed in the worst-case and best-case scenarios.

In the worst-case scenario, the intra-class and inter-class normalized
Hamming distances are not altered by the encryption with identical PRS.
Accordingly, the accuracy performance of encrypted palmprint code is
equal to that of its corresponding unprotected counterpart.
In the best-case scenario, all users have different variable factors, so
their PRSs differ. The inter-class normalized Hamming distances rely on
the different PRSs, which are commonly enlarged by the participation of
specific PRSs, so the accuracy performance of encrypted palmprint code is
improved in this case.
Advantages:
x The accuracy performance is not degraded, even in the worst-case

scenario.
104 Chapter Three
Disadvantages:
x The protected palmprint templates (encrypted codes) can be

directly used for recognition/verification only if the original
palmprint feature can be expressed in binary codes. Otherwise, the
original palmprint feature has to be restored during matching stage.
x When the variable factor and protected palmprint template are both
leaked, the original palmprint feature can be restored. Thus non-
invertibility is not satisfied.
4.2 Random Field Shift

In Kong et al.’s scheme [22], the region of interest (ROI) I is first cropped
and then filtered with Gabor filters along six directions. ȥ(x,y,Ȧ,ș) denotes
the function of Gabor filter, where Ȧ and ș are the radial frequency per
unit length and the direction, respectively. The competitive rule is the
winner-take-all rule, so the winning index of the Competitive Code is
computed by:
icmp=argminĲ(I(x,y)*ȥR(x,y,Ȧ,șĲ)) (3)
ȥR denotes the real part of ȥ. Since Ĳ {0,1,…,5} and șĲ=Ĳʌ/6, icmp

{0,1,…,5}. The bit representation and Hamming distance of Competitive

Code are shown in Table 1.
Table 1. Representation and Hamming distance of Competitive Code.
(a) Real-valued winning indices represented as three bits.
Winning index Bit 1 Bit 2 Bit 3

0 0 0 0
1 0 0 1
2 0 1 1
3 1 1 1
4 1 1 0
5 1 0 0
(b) Hamming distance between Competitive Codes.
Winning index 0 1 2 3 4 5
0 0 1 2 3 2 1
1 1 0 1 2 3 2
2 2 1 0 1 2 3
3 3 2 1 0 1 2
4 2 3 2 1 0 1
5 1 2 3 2 1 0
The random field shift employs a random orientation filter bank to

generate changeable palmprint feature codes.
Ȝ is a uniformly PRN, Ȝ {0,1,…,5}. A set of Ȝ are generated. Į=Ȝʌ/6.
Each Į, as a random direction field, is injected into the direction of the
Gabor filter of each pixel, so the winning index of a changeable
Competitive Code is computed by:
iccmp=argminĲ(I(x,y)*ȥR(x,y,Ȧ,șĲ+Į)) (4)
A changeable Competitive Code can be reissued by changing the random

direction field.
Eq.(4) is equal to:
iccmp=mod[argminĲ(I(x,y)*ȥR(x,y,Ȧ,șĲ))–Ȝ,6]=mod[icmp–Ȝ,6] (5)
The accuracy performance of a random field shift is analysed in the worst-

case and best-case scenarios, respectively.
In the worst-case scenario, all users share the identical variable factor,
and hence their random field shifts are identical. Assume A and B are two
winning index matrices of original Competitive Code, whose entries in the
i-th row and j-th column are ai,j and bi,j, respectively. The random field
shift matrix is S, whose entry is si,j. The corresponding changeable
winning index matrices of A and B are A' and B', respectively, whose
entries are a'i,j=mod[ai,j–si,j,6], b'i,j=mod[bi,j–si,j,6], respectively. According
to Table 1(b), with the same random field shift, the Hamming distance
between the bits, a'i,j and b'i,j, is equal to that between ai,j and bi,j. Thus the
intra-class and inter-class normalized Hamming distances are not changed
by random field shift. Accordingly, the accuracy performance of
changeable Competitive Code is equal to that of original Competitive
Code.
106 Chapter Three
In the best-case scenario, all users have different variable factors, so

their random field shifts differ. The definitions of A, B, ai,j and bi,j are the
same as those in the analysis of the worst-case scenario. The random field
shift matrices are SA and SB, whose entries are sAi,j and sBi,j, respectively.
The corresponding changeable winning index matrices of A and B are A'
and B', whose entries are a'i,j=mod[ai,j–sAi,j,6], b'i,j=mod[bi,j–sBi,j,6],
respectively. With different random field shifts sAi,j and sBi,j, the Hamming
distance between the bits of a'i,j and b'i,j relies on sAi,j and sBi,j. The inter-
class normalized Hamming distances are commonly enlarged by the
participation of different random field shifts, so the accuracy performance
of changeable Competitive Code is better than that of original Competitive
Code.
According to the study in [27], the encrypted palmprint and random
field shift are equivalent, so the advantages and disadvantages of random
field shift are identical to those of encrypted palmprint.
4.3 Cancellable PalmCode

Cancellable PalmCode is generated with the Gabor filters whose
parameters are perturbed by PRN [23]. The overall procedure of
cancellable PalmCode is described as follows.
Step 1. Crop ROI from original palmprint image
Step 2. Use variable factor to generate three PRNs
Step 3. Generate randomized Gabor filter
The general form of the circular Gabor filter is:
x, y , T , u , V
G
(6)
1 § x2 y2 ·
exp ¨ ¸ exp ª¬ 2S 1 ux cos T uy sin T º¼
2SV 2
© 2V ¹
2
where u denotes the frequency of the sinusoidal wave, ș denotes the

orientation of the function, and ı denotes the standard deviation of the
Gaussian envelope. To avoid the disturbance of brightness, a discrete
Gabor filter is turned to a zero direct current by:
S S
¦ ¦ G x, y,T , u,V
G x, y , T , u , V G
x, y , T , u , V i S j =S (7)
2S 1
2
where (2S+1)2 is the size of the filter.

The Gabor filter has three parameters, u, ș and ı. r1, r2, r3 denote the
three PRNs that randomize the three parameters, respectively. The
randomized parameters are:
uc r1 u u , T c r2 u T , V c r3 u V (8)
Substitute u, ș and ı with u', ș' and ı', then Eq.(6) and Eq.(7) become:
x, y, T c, uc, V c
G r
(9)
1 § x2 y2 ·
exp ¨ 2 ¸
exp ª¬ 2S 1 ucx cos T c ucy sin T c º¼
2SV c 2
© 2V c ¹
G r x, y, T c, uc, V c
S S
(10)
¦ ¦ G x, y,T c, uc, V c
r
x, y, T c, uc, V c i
G S j =S
2S 1
r 2
Step 4. Extract feature
The original palmprint images are filtered with a randomized Gabor filter,
so to extract features. X denotes the cancellable feature matrix with the
size of m×2n. xi,j denotes the entry of X, i=1,2,…,m, j=1,2,…,2n. The left
and right halves of X are generated with the real and imaginary parts of
Gabor filter, respectively.
Step 5. Binarize cancellable feature
xi,j is binarized to be one bit of cancellable PalmCode as:
0, if xi , j D
bi , j ® (11)
¯1, if xi , j t D
108 Chapter Three
Į is the predefined threshold value.
Step 6. Matching
The normalized Hamming distance between two cancellable PalmCodes is

calculated to measure their dissimilarity.
Advantages:
x Cancellable PalmCodes can be conveniently generated by

embedding the PRN in the parameters of Gabor filter.
Disadvantages:
x Since the accuracy performance of PalmCode is affected by the

parameters of the Gabor filter, parameter turbulence may
negatively affect the performance.
x Changeability requests that the two variable factors can generate
two cancellable templates with high dissimilarity. However, since
only three parameters of the Gabor filter are randomized, it is
probable that the dissimilarity of two cancellable templates is low,
which implies failure in updating the new template.
4.4 PalmHashing and Its Extensions

(1) PalmHashing
PalmHashing proposed by Connie et al. was an early work of cancellable

palmprint template [24]. The framework of PalmHashing is similar to that
of BioHashing proposed by Teoh et al. [28,29]. PalmHashing employs
random projection (RP) to fuse biometric features and a PRN set. The
PRNs are generated with user variable factors. The fusion results are then
thresholded to obtain cancellable codes. The overall procedure of
PalmHashing is described as follows.
Step 1. Crop ROI from original palmprint image
w, as a row vector with the length of n, is extracted by linear discriminant

analysis (LDA).
Step 3. Use variable factor to generate a pseudo-random matrix
The PRNs, obeying uniform distribution or normal distribution, are

generated with the variable factor so to construct a pseudo-random matrix
with a size of n×m, n>m.
Step 4. Orthogonalise the column vectors of the pseudo-random matrix
Apply Gram-Schmidt to process the pseudo-random matrix to be X, whose

column vectors are orthogonalized. Actually this step can be omitted.
Step 5. Perform random projection
The random projected vector of w is y=wX.
Step 6. Binarize random projected vector
yi, the i-th entry of y, is binarized to be one bit of PalmHashing as:

0, if yi D (12)
bi ®
¯1, if yi t D

Step 7. Matching
The normalized Hamming distance between two PalmHashing templates

measures their dissimilarity.
Advantages:
x PalmHashing makes the palmprint feature changeable, so to solve

the problem of revocability and reissuing.
x RP is a powerful method for dimensionality reduction, and is able
to preserve the pairwise distances of vectors in low-dimensional
space [30]. The compression ratio of PalmHashing can be defined
as the ratio between the lengths of the original vector and the
random projected vector, i.e. n/m. The non-invertibility becomes
stronger with the increase of compression ratio.
110 Chapter Three
Disadvantages:
x The quantization and high compression ratio can lead to

discrimination information loss, especially in the worst-case
scenario [31,32].
x The training of subspace algorithms, e.g. LDA, requests high
computational complexity, especially on large databases.
x The framework of PalmHashing aims at palmprint features
expressed as vectors. When the length of feature vector is long, the
computational complexity of RP is high and the size of the pseudo-
random matrix is large.
PalmHashing exists in one-dimensional (1D) mode. A number of features

are expressed as matrices, such as original image, two-dimensional (2D)
features extracted with 2D transformations, and 2D dimensionality
reduction algorithms. When the features are expressed as matrices, 2D
dimensionality reduction algorithms can leverage the matrix structure
directly, i.e. the feature matrices do not need to be reshaped to vectors, so
the computational complexity and storage cost are both reduced. Thus a
large number of dimensionality reduction algorithms were extended from
1D mode to 2D mode and two-directional two-dimensional ((2D)2) mode
[33-35].
Recent studies show that RP can be also extended from 1D to 2D mode

and (2D)2 mode [33-35]. With the help of RP extension, three extension
modes of PalmHashing were proposed successively.
(2) 2DPalmHashing
2DPalmHashing is the 2D extension of 1DPalmHashing [36]. When the

palmprint features are expressed as matrices, the overall procedure of
2DPalmHashing is described as follows.
Step 1. Same as Step 1 of 1DPalmHashing
Palmprint feature W, as a matrix with the size of m×n, is extracted by a

feature extraction algorithm. W can also be the original palmprint image.
Step 3. Use variable factor to generate a pseudo-random matrix
The size of the pseudo-random matrix X is n×b, b<n.
Step 5. Perform 2D random projection
The 2D random projected matrix of W is Y=WX.
Step 6. Binarize the random projected matrix
yi,j, the entry of Y, is binarized to be one entry of 2DPalmHashing as:
0, if yi , j D (13)
bi , j ®
¯1, if yi. j t D
2DPalmHashing employs 2DRP to reduce the dimensionality of the

feature matrix along a row orientation, i.e. the column number of the
feature matrix is reduced. 2DPalmHashing can also employ 2DRP to
reduce the dimensionality of the feature matrix along a column orientation.

In this case, the size of X in Step 3 is a×m, a<m. The row vectors are
orthogonalized in Step 4. In Step 5, the 2D random projected matrix of W
is Y=XW. The other steps remain unchanged.
Advantages:
x 2DRP leverages the matrix structure, i.e. the images or feature

matrices do not need to be reshaped to vectors, and hence 2DRP
facilitates the reduction of computational complexity and storage
cost.
Disadvantages:
x 2DPalmHashing inherits the 1st disadvantage of 1DPalmHashing.

x Since the dimensionality of the feature matrix is reduced along
only one orientation (row or column), the size of a 2D random
projected matrix is probable large.
112 Chapter Three
(3) (2D)2PalmHashing
2DPalmHashing reduces the dimensionality of a feature matrix along only

row (or column) orientation, while the dimensionality along the other
orientation remains. Thus the size of the projected matrix is probable huge.
As the (2D)2 extension of 1DPalmHashing, (2D)2PalmHashing reduces
the dimensionality of a feature matrix along both row and column
orientations [36]. When the palmprint features are expressed as matrices,
the overall procedure of (2D)2PalmHashing is described as follows.
Steps 1~2. Same as Steps 1~2 of 2DPalmHashing
Step 3. Use variable factor to generate two pseudo-random matrices
The sizes of two pseudo-random matrices are a×m and n×b, a<m, b<n.
Step 4. Orthogonalise the vectors of two pseudo-random matrices
Apply Gram-Schmidt to process one pseudo-random matrix to be XL,

whose row vectors are orthogonalized. Similarly, the other matrix is XR,
whose column vectors are orthogonalized by Gram-Schmidt.
Step 5. Perform (2D)2 random projection
The (2D)2 random projected matrix of W is Y=XLWXR.
Advantages:
x Similar to 2DPalmHashing, (2D)2PalmHashing also leverages the

matrix structure, so the computational complexity and storage
cost are both reduced.
x (2D)2PalmHashing reduces the dimensionalities of a feature
matrix along both row and column orientations, so it overcomes
the 2nd disadvantage of 2DPalmHashing.
Disadvantages:
x (2D)2PalmHashing has also the 1st disadvantage of

1DPalmHashing.
(4) (2D)2FusionPalmHashing
(2D)2PalmHashing only employs 2DRP for dimensionality reduction

along both row and column dimensions. Differently, in
(2D)2FusionPalmHashing, the dimensionalities of a feature matrix along
two (row and column) orientations are reduced by 2DRP and another 2D
dimensionality reduction algorithms, e.g. 2D principal component analysis
(2DPCA), 2DLDA, etc. Thus (2D)2FusionPalmHashing can play
complementary advantages of 2DRP and other 2D dimensionality
reduction algorithms [36].
When the palmprint features are expressed as matrices, the overall
procedure of (2D)2FusionPalmHashing is described as follows.
Step 5. Generate a mapping matrix Z for the dimensionality reduction

along column orientation, whose size is a×m, with a 2D dimensionality
reduction algorithm except 2DRP.
Step 6. Perform (2D)2 fusion random projection
The (2D)2 fusion projected matrix of W is Y=ZWX.

(2D)2FusionPalmHashing can also employ 2DRP and another 2D

dimensionality reduction algorithms to reduce the dimensionalities of the
palmprint feature matrix along column and row orientations, respectively.
In this case, the size of X in Step 4 is a×m. In Step 5, the size of Z is n×b.
In Step. 6, Y=XWZ. The other steps remain unchanged.
Advantages:
x (2D)2FusionPalmHashing also leverages the matrix structure, and

reduces both computational complexity and storage cost.
x (2D)2FusionPalmHashing combines 2DRP and other 2D
dimensionality reduction algorithms to effect complementary
advantages.
114 Chapter Three
Disadvantages:
x The 1st and 2nd disadvantages of 1DPalmHashing also emerge in

(2D)2FusionPalmHashing.
The original features of PalmHashing and its extensions are of real-value,

so quantization leads to discrimination information loss and accuracy
performance degrading, especially in the worst-case scenario. Thus
cancellable palmprint coding schemes were proposed for secure palmprint
verification with high accuracy performance.
4.5 Cancellable Palmprint Codes

Palmprint coding schemes can achieve high accuracy performance with
high matching speed and low storage capacity. More to this, they
overcome the errors propagated from the classification or hierarchical
systems for real-time recognition/verification in large databases.
Furthermore, coding schemes require no training. Thus cancellable
palmprint coding schemes are preferable.
In cancellable palmprint code generation, the Gabor features and PRNs
are fused with a specific function; and then the fused results are
thresholded. There are two cancellable palmprint coding schemes, namely
PalmPhasor Code [25] and PalmHash Code [26]. Both PalmHash Code
and PalmPhasor Code have their 1D and 2D modes [37].
The difference between the PalmHash Code and PalmPhasor Code is
that different cancellable transformations are employed. The difference
between 1D and 2D modes is whether the feature matrix needs to be
reshaped to a vector, and whether the cancellable transformation is in 2D
mode. Four types of cancellable palmprint codes are introduced.
(1) 1DPalmHash Code
The procedure for 1DPalmHash Code is described as follows.
Step 1. Preprocess palmprint image
I, as the ROI, is cropped; and its mean and variance are normalized.
Step 2. 2D Gabor filtering
Generate a circular 2DGabor filter along șĲ as:
W x, y , T , u , V =
G W
(14)
x2 y2 ½
2SV
1
2
exp ®
¯ 2V ¿
2 ¾ ^
exp 2S 1 ux cos TW uy sin TW `
șĲ [0,ʌ), u denotes the frequency of the sinusoidal wave, ı denotes the
standard deviation of the Gaussian envelope.
TW =
W 1 S ,W =1, 2,..., L (15)
L
L and Ĳ denote the number of șĲ and the Ĳ-th orientation, respectively. To

suppress illumination disturbance, the mean of a discrete 2DGabor filter is
subtracted by:
GW x, y , TW , u , V =
S S
¦ ¦ G W i, j,TW , u, V (16)
W x, y , T , u , V i
G
S j S
W
2S 1
2
(2S+1)2 is the size of the filter.

I is filtered with 2DGabor filter GĲ to extract feature matrix A W .
W
A I * GW (17)
* denotes convolution operation. ARĲ and AIĲ are the uniformly down-
sampled real and imaginary parts of A W , respectively. AĲ is the down-
sampled feature matrix, whose size is T×2T, where T=32.
AĲ=[ARĲ AIĲ] (18)
Reshape AĲ to a vector aĲ, whose entries are taken column-wise from AĲ.
116 Chapter Three
Step 4. PRN vector set generation
^ 2
`
A set of PRN vectors rj j 1, 2,..., T are generated with a variable
2T 2
factor, in which the entries obey standard normal distribution. Use Gram-
Schmidt process to transform PRN vectors into an orthonormal set
^r Aj
2
2T j 1, 2,..., T 2 . `
Step 5. Perform 1DHash projection
The 1DHash projected vector of aĲ is ĳĲ, whose entries are computed by:
2T 2
Mj W
¦ aW r
k 1
k A j ,k (19)
where aĲk and rA j ,k are the k-th entries of aĲ and rA j , respectively.
Step 6. Generate cancellable palmprint code M
The entries of M are computed by:

mWj step M Wj (20)
step(·) refers to unit step function.
Step 7. Matching
The normalized Hamming distance between two 1DPalmHash Codes

measures their dissimilarity.
(2) 1DPalmPhasor Code
The procedure of 1DPalmPhasor Code is described as follows.
Steps 1~3. Same as Steps 1~3 of 1DPalmHash Code
Different from 1DPalmHash Code, the entries of rj j 1, 2,..., T

2T 2
^ 2
`
obey non-zero standard normal distribution. Use Gram-Schmidt process to
transform PRN vectors into an orthonormal set rA j j 1, 2,..., T .
2T 2
^ 2
`
Step 5. Perform 1DPhasor projection
The 1DPhasor projected vector of aĲ is ĳĲ, whose entries are computed by:
2T 2 § aWk ·
M Wj ¦ arctan ¨¨ r ¸¸ (21)
k 1 © A j ,k ¹
(3) 2DPalmHash Code
The procedure of 2DPalmHash Code is described as follows.

AĲ does not need to be reshaped and maintains matrix structure.
A set of PRN vectors ^r j j 1, 2,..., T ` are generated with a variable

2T
factor, in which the entries obey standard normal distribution. Use Gram-
Schmidt process to transform PRN vectors into an orthonormal set
^rA j 2T j 1, 2,..., T ` .
Step 5. Perform 2DHash projection
The 2DHash projected matrix of AĲ is ĳĲ, whose entries are computed by:
2T
M iW, j ¦ aW
k 1
r
i ,k A j ,k (22)
118 Chapter Three
where aĲi,k is the entry of AĲ in the i-th row and k-th column. rA j , k is the k-
th entry of rA j .
Step 6. Generate cancellable palmprint code M
The entries of M are computed by:
miW, j step MiW, j (23)
Step 7. Same as Step 7 of 1DPalmHash Code
(4) 2DPalmPhasor Code
The procedure of 2DPalmPhasor Code is described as follows.

Different from 2DPalmHash Code, the entries of ^r j j 1, 2,..., T `

2T
obey non-zero standard normal distribution. Use Gram-Schmidt process to

^ `
transform PRN vectors into an orthonormal set rA j j 1, 2,..., T .

2T
Step 5. Perform 2DPhasor projection
The 2DPhasor projected matrix of AĲ is ĳĲ, whose entries are computed by:
2T § aiW,k ·
MiW, j ¦ arctan ¨¨ ¸¸ (24)
k 1 © rA j , k ¹
(5) Comparison
Table 2(a) compares 1D and 2D modes of cancellable palmprint codes.

Table 2(b) compares PalmHash Code and PalmPhasor Code.
Table 2. Comparison of cancellable palmprint codes.
(a) 1D mode vs. 2D mode.
1D 2D
Original feature vector matrix
Cancellable transformation 1D 2D
Projected feature vector matrix
Accuracy performance low high
Computational cost high low
Storage cost high low
(b) PalmHash Code vs. PalmPhasor Code.
PalmHash Code PalmPhasor Code

Cancellable
Hash projection Phasor projection
transformation
Linearity of projection linear non-linear
Computational cost low high
Security low high
4.6 Improving Measures of 2D Cancellable Palmprint Code

Two improving measures of 2D cancellable palmprint code were
introduced in [26]. The first is a transposition operation that suppresses
feature correlation and enhances accuracy performance. The other is the
fusion at score level that improves accuracy performance.
(1) Transposition
șĲ, the orientation of 2DGabor filter, can be altered in rotation to extract

2DGabor features along multiple orientations. With regard to 2D
cancellable palmprint code, when șĲĺʌ/2 (ĺ denotes approaching), the
feature correlation becomes stronger, and the accuracy performance
deteriorates. Transposition of the real and imaginary parts of the 2DGabor
feature matrix assists to suppress feature correlation and improve accuracy
performance.
120 Chapter Three
(a) Feature correlation
Assume the i-th row vector of ĳĲ (cancellable projected matrix) is the

fusion result of PRN vector set and the i-th row vector of AĲ with 2D
cancellable transformation. A W is 2DGabor feature matrix and AĲ is down-
sampled A W . For all the row vectors of ĳĲ, the PRN vector set generated
with one identical variable factor is fixed, so the vertical difference of ĳĲ is
only determined by the vertical difference of AĲ.
Assume the mean absolute partial differential of 2D variable X along
W
vertical orientation is denoted by wX wy m . When șĲĺʌ/2, wG wy m (G is
wAW wGW
2DGabor filter) decreases. A W I * GW , so I* . Accordingly
wy wy
W wy also decreases. The same goes for wAW wy . Thus the adjacent
wA
m m
rows of ĳĲ, which are generated by the fusion of the adjacent rows of AĲ
W
and identical PRN vector set, are similar, i.e. wĳ wy decreases. The m
W
small wĳ wy m leads to high vertical correlation. In a word, when
șĲĺʌ/2, the vertical correlation of 2D cancellable palmprint code becomes
stronger.
Transposition exchanges the row and column structures of matrix, so
the vertical difference and horizontal difference can be exchanged by

transposition. Assume the mean absolute partial differential of 2D variable
X along horizontal orientation is denoted by wX wx m . When șĲĺʌ/2,
since wA W wy decreases and wAW wx increases, small wA W wy can be
m m m
W W W
replaced with large wA wx m if wA wy m wA wx m . Accordingly
W wy
wA W
is enlarged with transposition. Thus wĳ wy m is also enlarged
m
and the vertical correlation is suppressed.
The approximation degree between șĲ and ʌ/2 can be measured by |ș–
ʌ/2|<İ. The value of İ for correlation suppression was discussed in [38,39].
(b) Accuracy performance
Binary palmprint codes are sensitive to rotation and translation. To remedy

the dislocation problem due to imperfect pre-processing, one binary
palmprint code is vertically and horizontally translated, and then matched
with another code many times. The final matching score is the minimum
distance of the multi-translated matchings.
In 1D cancellable palmprint code, the structure between the adjacent
entries in the matrix is completely destroyed, so translations are not
conducive to dislocation remedy.
With regard to 2D cancellable palmprint code, the structure between
the adjacent columns in the matrix is destroyed. Thus horizontal
translation fails to remedy horizontal dislocation. On the contrary, the i-th
row vector of ĳĲ is the fusion result of the PRN vector set and the i-th row
vector of AĲ with 2D cancellable transformation, so the structure between
the adjacent rows in the matrix is preserved. Thus vertical translation
assists to remedy vertical dislocation. This process informs to describe
why 2D cancellable palmprint codes outperform 1D cancellable palmprint
codes in terms of accuracy performance.
According to the aforementioned analysis on feature correlations, when
W W
șĲĺʌ/2, wĳ wy m decreases and wĳ wx m increases. In other words, the
vertically adjacent entries of ĳĲ are similar; while the horizontal adjacent
entries of ĳĲ are dissimilar. Thus the remedy of horizontal dislocation is
more important than that of vertical dislocation. However, horizontal
translation is useless to remedy horizontal dislocation, and hence accuracy
performance deteriorates.
When șĲĺʌ/2, the serious disturbance of horizontal dislocation can be
replaced with slight disturbance of vertical dislocation thanks to

transposition. Therefore, transposition relaxes the failure of horizontal
translation and improves accuracy performance.
The value of İ in |ș–ʌ/2|<İ for accuracy improvement was discussed in
[27].
(2) Fusion at score level
Assume that the matching score (normalized Hamming distance) along șĲ

is dĲ. The fusion matching score, according to mean rule (short for
arithmetic mean rule) is:
1 L
dF ¦ dW
LW 1
(25)
The decidability index d' measures how well the genuine and impostor
distributions are separated.
122 Chapter Three
PG P I
dc
V 2
G V I2 (26)
2
The following distributions all refer to matching score distributions. ȝG

and ȝI denote the expectations of genuine and impostor distributions,
respectively. ı2G and ı2I denote the variances of genuine and impostor
distributions, respectively. The effects of mean rule on the mean and
variance of distribution were analysed in [26].
(a) Expectation of mean rule fusion
1 L
Statement 1 E d F ¦ E dW , E(x) refers to the expectation of x.
LW 1
According to Statement 1, the expectation of the fusion score with mean

rule is the average expectation of the fused scores, so mean rule cannot
enlarge the numerator of decidability index.
(b) Variance of mean rule fusion

2 ª º
§1· « L
Statement 2 Var F ¨ ¸ «¦ W
d
© L¹ W 1
Var d 2 ¦
1dW1 d L1
cov dW1 , dW2
»
» , Var(x)

«¬ W1 1dW 2 d L »¼
refers to the variance of x. cov(x,y) refers to the covariance of x and y.
From Statement 2, two factors affect the variance of the fusion score with
mean rule. One is Var(dĲ); the other is cov dW1 , dW 2 .
§ ·

L
1
cov dW1 , dW 2 Var dW , so Var d F
Var ¨ ¦ dW ¸ . The denominator of
L ©W 1 ¹
the decidability index is reduced by mean rule, i.e. the decidability index is
enlarged, so accuracy performance improves.
However, with the increment of L, the correlation between the
matching scores along different șĲ becomes stronger, so cov dW1 , dW 2
increases. Thus the accuracy performance improvement by mean rule is
leveled off when L exceeds a threshold. Normally, L=4 or 6 is appropriate.
4.7 Summary
Invertible cancellable palmprints do not meet non-invertibility
requirements, so this technique is less useful in practice. However, the
security of non-invertible cancellable palmprints is seriously threatened by
the following factors:
x It was shown that the original biometric features can be

approximately restored with both stolen protected templates and
variable factors [40]. Another report showed that, even without
variable factors, approximated original biometric features could
also be revealed [41].
x [42,43] demonstrated the collision problem in biometric template
protected systems, whereby an attacker can impersonate a genuine
user by producing a fake “protected template”.
Thus it is an arduous task to design reliable non-invertible cancellable

palmprints, which are collision-free and preserve good performance.
5 Hybrid Methods
No single palmprint template protection method is able to satisfy all the
requirements simultaneously to our knowledge. Hybrid methods, which

can grab the advantages of both cancellable palmprints and palmprint
cryptosystems, are promising for further research.
5.1 Dual-key-binding Palmprint Cryptosystem

To make palmprint keys changeable, Leng and Zhang developed dual-key-
binding (DKB) palmprint cryptosystem, shown in Figure 6 [44]. Two
main measures are employed. The first includes the replacement of
palmprint features with cancellable features. The second requires that the
protection function should be controlled by both cancellable palmprint key
and variable factor.
124 Chapter Three
Palmprint Feature Cancellable

Variable
extraction transform and
factor
binarization
Cancellable
key
Encoding DKB
PB
Protection
Database function
DKB key
Palmprint Feature
extraction
Cancellable transform Variable

and binarization factor
Cancellable
PB key
Decoding DKB
Database
Protection
function
DKB key
Figure 6. Framework of dual-key-binding palmprint cryptosystem.
In the enrolment phase, the extracted feature and the variable factor are
fused with a cancellable transform to generate a cancellable key. The
parity bits (PB) of the cancellable key are computed with BCH ECC, and
stored in database. The cancellable key and variable factor are bound to
constitute a key that controls the protection function. The protection
function can be encryption, scrambling, or hash function. Since the
protection function is tied to its key, any DKB rule can be used, such as
concatenation of the cancellable key and the variable factor. The
protection function then converts the cancellable key into a DKB key.
In the authentication phase, the cancellable feature is generated with a
cancellable transformation. The errors are corrected with PB so that the
corrected code is identical to the cancellable key in the enrolment phase.
The subsequence steps follow the same as those in the enrolment phase.
Finally, an identical DKB key is retrieved.
Advantages:
x The original palmprint feature is replaced with the cancellable

features for a cancellable key generation and template protection.
x The protection function is controlled by the key produced by the
binding of cancellable key and variable factor, so the DKB key is
secure against chosen plaintext attacks.
x In DKB key generation, the invertible transform can be used in
place of non-invertible transform due to its performance
preservation property. Since the key of the protection function is
formed from the binding of cancellable palmprint key and variable

factor, an attacker cannot generate the DKB key without the two
factors at the same time. Thus the non-invertibility of the DKB key
can be satisfied even without using non-invertible transform.
x The feature correlation of the DKB key is dispersed by the
protection function, so it can largely resist statistical attacks.
Disadvantages:
x Parity bits (PB) stored in the database are likely to leak some
information of cancellable key.
5.2 Randomly Projected Palmprint Fuzzy Vault

Liu et al. developed another instance of hybrid method to protect
palmprint template, shown in Figure 7 [45]. A heterogeneous space is
designed by synergizing random projection (RP) and fuzzy vault. A new
chaff point generation method enhances the security of the heterogeneous
vault.
126 Chapter Three
Palmprint Feature Random

extraction projection
Genuine point
Secret key Encoding Fuzzification
generation
Vault
Enrolment
Authentication
Feature Random Genuine point
Palmprint extraction projection filtration
Secret key Decoding
Figure 7. Framework of randomly projected palmprint fuzzy vault.
Advantages:
x Randomly projected palmprint fuzzy vault improves accuracy

performance, security, and changeability simultaneously.
Disadvantages:
x Multiple random projected templates are generated as the genuine

points, so the privacy of original features is compromised.
x The entries in the genuine point obey normal distributed, which are
not uniformly distributed in the heterogeneous space.
5.3 Summary
Existing hybrid palmprint protection methods directly combine cancellable
palmprint and palmprint cryptosystems. However, how to effectively
couple them to contribute more is still unsolved satisfactorily.
6 Conclusions and Future Outlook

Table 3 summarizes the existing palmprint template protection
technologies.
Table 3. Categories of palmprint template protection technologies.
Category Subcategory Method Ref.

Palmprint key generation [13]
Palmprint Palmprint fuzzy
[14]
cryptosystem commitment
Palmprint fuzzy vault [17,18]
Encrypted palmprint [19-21]
Invertible
Random field shift [22]
Cancellable PalmCode [23]
Cancellable
PalmHashing and its
palmprint Non- [24,36]
extensions
invertible
Cancellable palmprint
[25,26]
codes
Dual-key-binding
[44]
palmprint cryptosystem
Hybrid
Randomly projected
[45]
palmprint fuzzy vault
The elaborations and comparisons in this chapter show that palmprint

template protection technologies still leave much room for improvement.
It is believed that, with the theoretical advancement and technological
progress, palmprint template protection technologies will become

increasingly mature in future.
Acknowledgments
This work was partially supported by National Natural Science Foundation
of China (61305010), Institute of BioMed-IT, Energy-IT and Smart-IT
Technology (BEST), a Brain Korea 21 Plus Program, Yonsei University
(2014-11-0007), Basic Science Research Program through National
Research Foundation (NRF) of Korea funded by Ministry of Science, ICT
and Future Planning (2013006574), China Postdoctoral Science
Foundation (2013M531554), Postdoctoral Foundation of Jiangxi Province
(2013RC20), Voyage Project of Jiangxi Province (201450) and Doctoral
Starting Foundation of Nanchang Hangkong University (EA201308058).
128 Chapter Three
References
[1] A. Kong, D. Zhang, and A. Kamel. “A survey of palmprint
recognition.” Pattern Recognition 42.7 (2009): 1408-1418.
[2] N. Ratha, J. Connell, and R. Bolle. “Enhancing security and privacy in
biometrics-based authentication systems.” IBM System Journal 40.3
(2001): 614-634.
[3] A.K. Jain, K. Nandakumar, and A. Nagar. “Biometric template
security.” EURASIP Journal on Advances Signal Processing, Special
Issue on Biometrics (2008): 1-20.
[4] D. Zhang. Palmprint authentication. Dordrecht: Kluwer Academic
Publishers, 2004. 11-16.
[5] A.B.J. Teoh, and L. Leng. Palmprint matching (in Encyclopedia of
Biometrics, 2nd edn). Berlin: Springer-Verlag Publisher, 2014. 1-8.
[6] D. Zhang, A. Kong, J. You, and M. Wong. “Online palmprint
identification.” IEEE Transactions on Pattern Analysis and Machine
Intelligence 25.9 (2003): 1041-1050.
[7] A.W.K. Kong, and D. Zhang. “Feature-level fusion for effective
palmprint authentication,” Proceedings of the 1st International
Conference on Biometric Authentication, Hong Kong, China, 15-17
July 2004. 761-767.
[8] A.W.K. Kong, and D. Zhang. “Competitive coding scheme for
palmprint verification,” Proceedings of the 17th International

Conference on Pattern Recognition, Cambridge, UK, 23-26 August
2004. 520-523.
[9] Z.N. Sun, T.N. Tan, Y.H. Wang, and S.Z. Li. “Ordinal palmprint
representation for personal identification,” Proceedings of the IEEE
International Conference on Computer Vision and Pattern
Recognition, San Diego, USA, 20-26 June 2005. 279-284.
[10] W. Jia, D.S. Huang, and D. Zhang. “Palmprint verification based on
robust line orientation code.” Pattern Recognition 41.5 (2008) 1504-
1513.
[11] Z.H. Guo, D. Zhang, L. Zhang, and W.M. Zuo. “Palmprint
verification using binary orientation co-occurrence vector.” Pattern
Recognition Letters 30.13 (2009): 1219-1227.
[12] A.B.J. Teoh, and M.H. Lim. “Cancelable biometrics.” Scholarpedia 5.
1 (2010) 9201-9201.
[13] X.Q. Wu, D. Zhang, and K.Q. Wang. “A palmprint cryptosystem,”
Proceedings of the International Conference on Advances in
Biometrics, Seoul, Korea, 27-29 August 2007. 1035-1042.
[14] X.Q. Wu, D. Zhang, and K.Q. Wang. “A cryptosystem based on

palmprint feature,” Proceedings of the 19th International Conference
on Pattern Recognition, Tampa, USA, 8-11 December 2008. 1-4.
[15] A. Juels, and M. Wattenberg. “A fuzzy commitment scheme,”
Communications Security, Singapore, 1-4 November 1999. 28-36.
[16] A. Juels, and M. Sudan. “A fuzzy vault scheme.” Designs, Codes and
Cryptography 38.2 (2006): 237-257.
[17] A. Kumar, and A. Kumar. “Development of a new cryptographic
construct using palmprint-based fuzzy vault.” EURASIP Journal on
Advances in Signal Processing (2009): 1-11.
[18] H.L. Liu, D.M. Sun, K. Xiong, and Z.D. Qiu. “Palmprint based
multidimensional fuzzy vault scheme.” The Scientific World Journal
(2014): 1-8.
[19] H.J. Li, and J.S. Zhang. “A novel chaotic stream cipher and its
application to palmprint template protection.” Chinese Physics B 19.4
(2010): 040505_1-040505_10.
[20] H.J. Li, J.S. Zhang, and Z.T. Zhang. “Generating cancelable palmprint
templates via coupled nonlinear dynamic filters and multiple
orientation palmcodes.” Information Science 180.20 (2010): 3876-
3893.
[21] H.J. Li, L.H. Wang, R.C. Zhang, and L. Wu. “A high performance
and secure palmprint template protection scheme.” Journal of

Software 7.8 (2012): 1827-1834.
[22] A. Kong, D. Zhang, and M. Kamel. “Three measures for secure
palmprint identification.” Pattern Recognition 41.4 (2008): 1329-
1337.
[23] L. Leng, J.S. Zhang, M.K. Khan, X. Chen, M. Ji, and K. Alghathbar.
“Cancelable PalmCode generated from randomized Gabor filters for
palmprint template protection.” Scientific Research and Essays 6.4
(2011) 784-792.
[24] T. Connie, A.B.J. Teoh, M. Goh, and D. Ngo. “PalmHashing: a novel
approach for cancelable biometrics.” Information Processing Letters
93.1 (2005): 1-5.
[25] L. Leng, J.S. Zhang, G. Chen, M.K. Khan, and P. Bai. “Two
dimensional PalmPhasor enhanced by multi-orientation score level
fusion,” Proceedings of the International Conference on Secure and
Trust Computing, Data Management and Applications, Loutraki,
Greece, 28-30 June 2011. 122-129.
[26] L. Leng, and J.S. Zhang. “PalmHash Code vs. PalmPhasor Code.”
Neurocomputing 108 (2013): 1-12.
130 Chapter Three
[27] L. Leng, A.B.J. Teoh, M. Li, and M.K. Khan. “A remote cancelable
palmprint authentication protocol based on multi-directional two-
dimensional PalmPhasor-fusion.” Security and Communication
Networks 7.11 (2014): 1860-1871.
[28] A.B.J. Teoh, D.C.L. Ngo, and A. Goh. “BioHashing: two factor
authentication featuring fingerprint data and tokenised random
number.” Pattern Recognition 37.1 (2004): 2245-2255.
[29] A.B.J. Teoh, and D.C.L. Ngo. “Cancellable biometrics featuring with
tokenised random number.” Pattern Recognition Letters 26.10 (2005)
1454-1460.
[30] W. Johnson, and J. Linderstrauss. “Extensions of lipshitz mapping
into Hilbert space.” Contemporary Mathematics 26 (1984): 189-206.
[31] K.H. Cheung, A. Kong, D. Zhang, M. Kamel, J.T. You, and H.W.
Lam. “An analysis on accuracy of cancelable biometrics based on
BioHashing,” Proceedings of the 9th International Conference on
Knowledge-Based Intelligent Information and Engineering Systems,
Melbourne, Australia, 14-16 September 2005. 1168-1172.
[32] A. Kong, K.H. Cheung, D. Zhang, and M. Kamel. “An analysis of
BioHashing and its variants.” Pattern Recognition 39.7 (2006): 1359-
1368.
[33] P. Sanguansat. “Two-dimensional random projection for face
recognition,” Proceedings of the 1st International Conference on
Pervasive Computing Signal Processing and Applications, Harbin,

China, 17-19 September 2010. 1107-1110.
[34] A. Eftekhari, M. Babaie-Zadeh, and H.A. Moghaddam. “Two-
dimensional random projection.” Signal Processing 91.7 (2011):
1589-1603.
[35] L. Leng, J.S. Zhang, G. Chen, M.K. Khan, and K. Alghathbar. “Two-
directional two-dimensional random projection and its variations for
face and palmprint recognition,” Proceedings of the International
Conference on Computational Science and Its Applications,
Santander, Spain, 20-23 June 2011. 458-470.
[36] L. Leng, S. Zhang, X. Bi, and M.K. Khan. “Two-dimensional
cancelable biometric scheme,” Proceedings of the International
Conference on Wavelet Analysis and Pattern Recognition, Xi’an,
China, 15-17 July 2012. 164-169.
[37] L. Leng, and J.S. Zhang. “Palmhash Code for palmprint verification
and protection,” Proceedings of the 25th IEEE Canadian Conference
on Electrical & Computer Engineering, Montreal, Canada, 29 April- 2
May 2012. 1-4.
[38] L. Leng, A.B.J. Teoh, M. Li, and M.K. Khan. “Orientation range for
transposition according to the correlation analysis of 2DPalmHash
Code,” Proceedings of the IEEE International Symposium on
Biometrics & Security Technologies, Chengdu, China, 2-5 July 2013.
230-234.
[39] L. Leng, A.B.J. Teoh, M. Li, and M.K. Khan. “Analysis of correlation
of 2DPalmHash Code and orientation range suitable for transposition.”
Neurocomputing, 131 (2014): 377-387.
[40] C. Li, and J.K. Hu. “Attacks via record multiplicity on cancelable
biometrics templates.” Concurrency and Computation: Practice and
Experience 26.8 (2014): 1593-1605.
[41] C. Rathgeb, and C. Busch. “Irreversibility analysis of feature
transform-based cancelable biometrics,” Proceedings of the 15th
International Conference on Computer Analysis of Images and
Patterns, York, UK, 27-29 August 2013. 177-184.
[42] Y.C. Feng, M.H. Lim, and P.C. Yuen. “Masquerade attack on
transform-based binary-template protection based on perceptron
learning.” Pattern Recognition 47.9 (2014): 3019-3033.
[43] Y.J. Lee, Y.S. Chung, and K.Y. Moon. “Inverse operation and
preimage attack on BioHashing,” Proceedings of the IEEE Workshop
on Computational Intelligence in Biometrics: Theory, Algorithms, and
Applications, Nashville, USA, 30 March-2 April 2009. 92-97.
[44] L. Leng, and J.S. Zhang. “Dual-key-binding cancelable palmprint

cryptosystem for palmprint protection and information security.”
Journal of Network and Computer Applications 34.6 (2011): 1979-
1989.
[45] H.L. Liu, D.M. Sun, K. Xiong, and Z.D. Qiu. “A hybrid approach to
protect palmprint templates.” The Scientific World Journal (2014): 1-
9.
PART 2.
BIOMETRIC KEY AND ENCRYPTION

CHAPTER FOUR
BIOMETRIC DISCRETIZATION FOR TEMPLATE

PROTECTION AND CRYPTOGRAPHIC
KEY GENERATION
MENG-HUI LIM
DEPARTMENT OF COMPUTER SCIENCE,
HONG KONG BAPTIST UNIVERSITY
Abstract
Biometric discretization converts real-valued biometric features (e.g., face,
fingerprint, and signature) into a binary string for template protection and
cryptographic key generation. Biometric discretization can be decomposed
into a quantization and an encoding process. The quantization process

partitions a feature space into a number of intervals, and the encoding
process labels every interval with a binary string, so that features falling
into an interval can be mapped to the corresponding label. The final binary
representation of a user can be produced by concatenating binary strings
from all individual feature spaces. A good design of a discretization
scheme often guarantees three properties of the discretized representation:
discriminative, informative and privacy-preserving. Therefore, it is
important to design a discretization scheme that extracts highly distinctive
binary biometric representation with strong unpredictability as well as zero
leakage of user information when auxiliary data is revealed. This chapter
reviews several recent advances on quantization as well as on feature
encoding in biometric discretization. It also presents an extensive
comparative study of several state-of-the-art discretization schemes, and
suggests several future directions.
Keywords: Biometrics, Discretization, Binarisation, Quantization, Feature

Encoding.
Biometric Discretization for Template Protection 135
1 Introduction
Uniqueness of biometric features has rendered biometrics a potential
source for biometric template protection and biometric-generated
cryptographic (Bio-Crypto) key generation. Template protection schemes
such as fuzzy commitment [9], fuzzy extractor [5], helper data system
[10][18][22], and secure sketch [12] leverage biometric features to protect
the biometric template itself; while Bio-Crypto key generation extracts a
digital key from biometrics, in which the Bio-Crypto key will later serve
as a “representative” cryptographic key that can be used in a variety of
cryptographic applications. Both these applications require biometrics to
be represented in binary. However, the commonly-extracted features of
many modalities (e.g., face, fingerprint, and signature) are inherently real-
valued. To bridge the gap between the required binary form of biometric
representation by these applications and the inherent continuous form of
extracted features, biometric discretization is developed.
Biometric discretization is the process of transforming a real-valued
biometric representation into its binary counterpart. In general, biometric
discretization can be decomposed into two essential components:
biometric quantization and feature encoding. These components may be
governed by a bit allocation algorithm that determines the quantity of
binary bits allocated to every feature dimension. According to the
background feature distribution estimated from a set of extracted feature

vectors belonging to a set of users, every ɗ-dimensional feature subspace
is initially quantized into intervals. Each ɗ-dimensional element of a
feature vector is then mapped to a short binary output, according to the
label of the interval into which the feature element falls. The final step is
to concatenate all individual binary outputs together to form the final
binary representation of a user. Figure 1. shows the block diagram of a
biometric discretization-based binary representation extractor.
Due to the intrinsic noisy nature of biometrics, the genuine user query
binary representation, extracted during verification, may contain bit
difference with respect to the reference template. The bit difference,
commonly measured in Hamming distance, is taken as a similarity
measure (the higher the Hamming distance, the lower the similarity
between two templates). A query binary biometric representation of a
genuine user will be accepted if the Hamming distance between the query
and enrolled binary representation is not more than the system decision
threshold. Otherwise, it will lead to a false reject. Alternatively, a query
binary representation of an imposter user will be rejected by the system if
136 Chapter Four
Enrolment: Verification:
Raw Biometric Data Raw Biometric Data
Acquisition Acquisition
Feature Extraction Feature Extraction
Real-valued features Real-valued features
Discretization Discretization
Bit Allocation Bit Allocation
Helper data Helper data
Quantization Quantization
Storage
Encoding Encoding
Concatenation Concatenation
Binary
Binary
Representation Representation
Helper data Helper data

Template Protection / De-commitment or
Storage
Bio-Crypto Key Reconstruction of
Generation Verification Reference Representation
Oracle
Verification of De-
committed output or
Reconstructed
Representation
Figure 1. A biometric-discretization-based binary representation extractor.
the Hamming distance between the query and the enrolled binary
representation is greater than the threshold. Otherwise, it will result in a
false accept. Hence, a false rejection rate (FRR) quantifies the likelihood
of incorrect rejection of a genuine user, while a false acceptance rate
(FAR) quantifies the likelihood of incorrect acceptance of an imposter by

the system. A trade-off usually exists between these two error rates.
1.1 FAR and FRR Formulations

Consider the case of ߰ ൌ ͳ, where discretization is applied on every
single-dimension basis. For the ݀-th feature dimension, the feature
component of the ݆-th user can be modeled by a Gaussian genuine-user
ଶ
probability-density function (pdf) ‫݌‬௝ௗ ሺ‫ݒ‬ሻ ൌ ࣨሺߤ௝ௗ ǡ ൫ߪ௝ௗ ൯ ሻ, due to the
potential intra-user variations, while the feature component of the entire
population can be modelled by another Gaussian background pdf‫݌‬௕ௗ ሺ‫ݒ‬ሻ ൌ
ଶ
ࣨሺߤ௕ௗ ǡ ൫ߪ௕ௗ ൯ ሻ, where ߤ and ߪ denote mean and standard deviation,
correspondingly. Let the probability of inducing a ݇ ௗ -bit error from
matching the ݀-th dimensional ݊ௗ -bit query binary string ࢈ࢊࢗ against the
corresponding template string ࢈ࢊ࢚ in the Hamming metric be expressed as
ܲ൫݀ு ൫࢈ࢊ࢚ ǡ ࢈ࢊࢗ ൯ ൌ ݇ ௗ ȁ݊ௗ ൯, where ݀ு is the Hamming distance operator.
The ݀-th dimensional False Acceptance Rate (FAR): ߙ ௗ ሺ݇ ௗ ȁ݊ௗ ሻand the
False Rejection Rate (FRR): ߚௗ ሺ݇ ௗ ȁ݊ௗ ሻof a ݊ௗ -bit discretization scheme
can then be quantified as
೏
ߙ௝ௗ ሺ݇ ௗ ȁ݊ௗ ሻ ൌ σ௞௭ୀ଴ ܲ௜௠ ൫݀ு ൫࢈ࢊ࢚ ǡ ࢈ࢊࢗ ൯ ൌ ‫ݖ‬൯
೏
௞ σ
ൌ σ௭ୀ଴ ௤ǡ୥୧୴ୣ୬ௗ ࢊ ࢊ ‫׬‬ ೏ ‫݌‬௕ௗ ሺ‫ݒ‬ሻ݀‫ݒ‬ (1)
ಹ ൫࢈࢚ ǡ࢈ࢗ ൯ୀ௭ ௜௡௧೜
௡೏
ߚ௝ௗ ሺ݇ ௗ ȁ݊ௗ ሻ ൌ ෍ ܲ௚௘ ൫݀ு ൫࢈ࢊ࢚ ǡ ࢈ࢊࢗ ൯ ൌ ‫ݖ‬൯
௭ୀ௞ ೏ ାଵ
௡ ೏
ൌ σ௭ୀ௞ ೏ ାଵ σ௤ǡ୥୧୴ୣ୬ௗ ࢊ ࢊ ‫׬‬ ೏ ‫݌‬௝ௗ ሺ‫ݒ‬ሻ݀‫ݒ‬ (2)
ಹ ൫࢈࢚ ǡ࢈ࢗ ൯ୀ௭ ௜௡௧೜
where ݅݊‫ݐ‬௤ௗ represents the interval with index ‫ ݍ‬on the ݀-th feature
dimension,ܲ௜௠ denotes the imposter's probability and ܲ௚௘ denotes the
genuine user's probability. Figure 2. presents a pictorial illustration of the
one-dimensional four-interval discretization with FAR and FRR
illustrations for ݇ ௗ ൌ Ͳ.
138 Chapter Four
Figure 2. A single-dimensional four-interval equal-width biometric quantization

with ߙ௝ௗ ሺ݇ ௗ ห݊ௗ ሻ (black) and ߚ௝ௗ ሺ݇ ௗ ห݊ௗ ሻ (grey) illustrations for ୢ ൌ Ͳ and ୢ ൌ
ʹ, given the background pdf (solid curve) and the genuine user pdf (dotted curve)
with the intervals labelled with discrete numbers {0,1,2,3} and binary codewords
{00,01,10,11}; and the genuine interval (the most probable interval within which a
genuine measurement would lie) embraced by the boundaries with the mark 'X'.
Auxiliary information about the quantized feature subspaces is stored as

helper data, in order to assist reproduction of the “similar” genuine binary
representation to the enrolled representation. Yet, such helper data, upon
compromise, should neither leak any helpful information regarding the
output binary string (security concern) nor the biometric feature itself
(privacy concern).
1.2 Evaluation Criteria

Biometric discretization can be evaluated according to the following three
criteria:
Performance: The significance of an input continuous feature
representation should at least be preserved by the output binary
representation of a discretization scheme. However, an exact preservation
for arbitrary precision of each input feature component is not realistically
achievable as it requires an infinite number of output bits to be allocated to
it. Therefore, through concatenating a finite number of output bits from
every feature component, the output binary representation is a "lossy"

representation of the input feature representation, yielding some precision
difference in the discretization performance with reference to the input-
feature-based matching performance. A better (dynamic) discretization
scheme usually performs a second feature selection or a bit allocation
process, so to ensure that only reliable feature components are extracted or
heavily weighted to obtain higher accuracy performance.
Security: High information in the binary representation of each user
has to be warranted in order for the biometric system to be resilient to
malicious adversarial attacks. Extraction of equally-probable binary
representations for the users is desirable as it maintains a huge key space
that renders prediction of binary representation of any target user
infeasible. This is extremely essential as a malicious impersonation could
take place in a straightforward manner if the correct binary representation
can be predicted with an overwhelming probability. Based on the
assumption that the input feature components are independent among each
other, the unpredictability of binary representation can be measured in
terms of entropy ǡ such that
೏
݈ ൌ െ σ஽ ௌ ିଵ ௗ ௗ
ௗୀ଴ σఎୀ଴ ‫݌‬ఎ ଶ ‫݌‬ఎ (3)
where ୢ஗ represents the probability occurrence of a output binary string

indexed by Ʉ ‫ א‬൛Ͳǡ ǥ ǡ ୢ െ ͳൟ, which is extracted from the -th feature

element. The entropy is maximal when the binary representation is
equally probable. Hence, security against brute force attack can be
toughened either through increasing the quantity ୢ of possible binary
outputs of each feature element or through increasing the number of input
feature elements. In addition, it is required that the revelation of helper
data must not expose any crucial information about the generated binary
string that may undermine the unpredictability of the binary
representation.
Privacy: A high level of protection must be exerted against an
adversary who could be interested in all user-specific information other
than the verification decision of the system. Apart from the biometric data,
it is important that unnecessary yet sensitive information such as ethnic
origin, gender, and medical condition should also be protected. Since
biometric data is inextricably linked to the user, it can never be reissued or
replaced once compromised. Therefore, the helper data of a discretization
scheme must not be correlated to the biometric data in order to defeat any
adversary’s privacy violation attempt in the case where helper data is
revealed. Otherwise, it would show no difference from storing the
140 Chapter Four
biometric features in the clear in the system database.

The outline of the chapter is as follows. Section 2 presents an overview
of recent advances in quantization. We present in Section 3 several state-
of-the-art advances in feature encoding. Section 4 presents a comparative
study of several state-of-the-art discretization schemes. Finally, future
movements are discussed in Section 5.
2 Advances in Quantisation
Biometric discretization can be classified according to its quantization
fashion: univariate vs. semi-multivariate vs. multivariate; and static vs.
dynamic. Considering that a -dimensional feature space is divided into
multiple ɗ-dimensional subspaces, univariate quantization takes ɗ ൌ ͳ
and performs quantization on every single-dimensional feature element by
assuming independence among these components. Semi-multivariate
quantization takes ͳ ൏ ɗ ൏ and performs quantization on each subset
of single-dimensional feature components by assuming independency
among these subsets. Finally, by taking ɗ ൌ ǡ multivariate discretization
performs quantization directly on a -dimensional feature space. The
discretization schemes in the literature mostly belong to a univariate
category and only a few belong to the semi-multivariate and multivariate
categories.
On another axis, static quantization creates equal partitions on each

feature subspace, while dynamic quantization optimizes recognition
performance by creating a varying number of partitions in each feature
subspace. Both static and dynamic quantization methods are only
applicable to univariate and semi-multivariate quantization methods. In
this section, we will review several recent advances on quantization in
biometric discretization. An overview of recent quantization techniques is
shown in Figure 3.
Medoid-based
Segmentation
Multivariate
[16]
Polar Quantization
Semi-Multivariate
Static
[2]
Quantization
Reliability-Dependent
Dynamic DROBA [13]
Bit Allocation [15]

Dynamic
DROBA [4]
Univariate
Quantization [21][23]
Quantization [6][11]
Equal Probable
Entropy-based
Quantization
Equal Width
Static
[3][10][22]
Figure 3. An overview of recent quantization techniques in biometric

discretization.
142 Chapter Four
2.1 [Univariate/Static] Equal-width and Equal-probable

Quantization
Equal-width quantization is the simplest quantization that partitions every
feature space into non-overlapping equal-width intervals [21][22]. Given
a value of , the width of each interval in the -th dimension ୢ can be
computed by
೏ ೏
௩೘ೌೣ ି௩೘೔೙
‫ݓ‬ௗ ൌ (4)
ௌ
ୢ ୢ
where ୫ୟ୶ and ୫୧୬ denote the maximum and minimum feature value in
the -th dimension, respectively. Despite its simplicity, equal-width
quantization is sensitive towards the range of the feature values. Hence,
the quantization outcome can easily be affected by outliers. In addition,
when the background probability distribution is not uniform, the samples
tend to have higher probabilities in certain intervals. An adversary could
search for and produce the label of the interval with the highest probability
as his guess for the output of a particular feature dimension, resulting in
suboptimal entropy of the final representation.
Alternatively, equal-probable quantization partitions every feature
space into non-overlapping intervals encapsulating equal background
ଵ
probability mass [3][10][22]. The constructed intervals constitute
ୗ
different widths when the background distribution is not uniform. This
quantization technique produces equally-probable binary representation
and offers maximum entropy for optimal security provision. Both equal-
width and equal-probable quantization schemes are illustrated in Figure 4.
(a) Equal-width (b) Equal-probable

quantization quantization
Figure 4. Illustrations of (a) equal-width and (b) equal-probable quantization, given

the background pdf (solid curve), the genuine user pdf (dotted curve), and the
quantization intervals (dashed lines), where the genuine interval is marked as ‘X’.
2.2 [Univariate/Static] Entropy-based Quantization

Entropy-based quantization [6][11] is a supervised quantization method
that splits every feature space recursively and induces intervals that favour
classification through minimizing class entropy in every interval. The class
information entropy of the segment induced by a specific cutpoint q on the

-th feature space is defined as
ȁॺభ ȁ ȁॺమ ȁ
‫ܧ‬ሺ݀ǡ ‫ݍ‬Ǣ ॺሻ ൌ ȁॺȁ
‫ܧ‬ሺॺଵ ሻ ൅ ȁॺȁ
‫ܧ‬ሺॺଶ ሻ (5)
where ࡱሺॺ૚ ሻ and ࡱሺॺ૛ ሻ are the entropy of subset ॺ૚ and ॺ૛ , respectively
and ȁॺȁ ൌ ȁॺ૚ ȁ ൅ ȁॺ૛ ȁ . The interval cutpoint ࢗ for which ࡱሺࢊǡ ࢗǢ ॺሻ is
minimal among all candidate cutpoints is taken to be the best cutpoint for
a split. The final intervals are induced in such a way that majority samples
enclosed within each interval belong to a specific identity.
2.3 [Univariate/Dynamic] Detection Rate-optimized Bit

Allocation
Detection Rate Optimized Bit Allocation (DROBA) [4] is a user-
specific method that allocates bits dynamically to each feature dimension,
depending on the discriminability of the user’s feature component.
Detection rate Ɂ, which is the highest user probability mass captured by a
144 Chapter Four
quantization interval (genuine interval) in each feature dimension, is taken

as the bit allocation measure. The objective of DROBA is to assign a
higher quantity of bits to a more discriminative feature of components and
a lower quantity of bits to less discriminative features of components, in
order to obtain weighted matching for better matching performance.
In the process of seeking the optimal number of quantization intervals
in a feature dimension, the value Ɂ varies with different settings of
quantization (that corresponds to the number of bits assigned to that
dimension) during bit-allocation evaluation. Mathematically, the detection
rate Ɂ corresponding to an ୢ -bit allocation in the -th feature dimension
can be computed by
ߜሺ݊ௗ ሻ ൌ ‫׬‬௜௡௧ ೏ ‫݌‬௝ௗ ሺ‫ݒ‬ሻ݀‫ݒ‬ (6)

೜ೕ
where ୢ୨ and ୢ୯ౠ represent the probability density function and the
genuine interval of the -th user, respectively.
DROBA
For the ݆-th user, ݆ ‫ͳ א‬ǡ ǥ ǡ ‫ܬ‬,
Enrolment
Input: ‫ܦ‬ǡ ܰǡ ݊௠௔௫ ;
Initialize:ሼ݊ௗ ሽ஽
ௗୀଵ ൌ ͲǤ
Repeat steps (a) and (b) for N times:
a) Identify among the feature spaces that has the
highest detection rate:
݀ ‫ כ‬ൌ ቊ ൫ߜሺ݊ௗ ൅ ͳሻ൯ȁ݊ௗ ൏ ݊௠௔௫ ቋ,
‫׊‬ௗ‫א‬ሼଵǡǥǡ஽ሽ
b) Add one to the allocated bits of the ݀ ‫כ‬
dimension:
‫כ‬ ‫כ‬
݊ௗ = ݊ௗ + 1,
஽
۱‫ ܜ܋ܝܚܜܛܖܗ‬ቄ݅݊‫ݐ‬ଵ ǡ ݅݊‫ݐ‬ଶ ǡ ǥ ǡ ݅݊‫ݐ‬ ቀ೙೏ ቁ ቅ if ݊ௗ ് Ͳ
ଶ ௗୀଵ
஽
ௗ ௗ
Store ݄݈݁‫݌‬௝ ൌ ൜݊ Ǣ ቄ݅݊‫ݐ‬ଵ ǡ ǥ ǡ ݅݊‫ݐ‬ ೏ ቅൠ Ǥ
ଶ೙ ௗୀଵ
Query
஽
Input: Real-valued extracted features ൛‫ݒ‬௝௜ௗ ൟ
ௗୀଵ
஽
۳‫݌݈݄݁ܜ܋܉ܚܜܠ‬௝ & ۱‫ ܜ܋ܝܚܜܛܖܗ‬ቄ݅݊‫ݐ‬ଵ ǡ ݅݊‫ݐ‬ଶ ǡ ǥ ǡ ݅݊‫ݐ‬ ቀ೙೏ ቁ ቅ
ଶ ௗୀଵ
஽
‫ ܌ܖ܉܍ܢܑܜܖ܉ܝۿ‬۳‫ ܍܌ܗ܋ܖ‬൛‫ݒ‬௝௜ௗ ൟ ՜
ௗୀଵ
೏ ஽
ቄࣟ ቀ࣫ ቀ‫ݒ‬௝௜ௗ ǡ ʹ௡ ቁ ǡ ݊ௗ ቁቅ where ࣟ൫࣫൫‫ݒ‬௝௜ௗ ǡ ͳ൯ǡ Ͳ൯ ൌ ‫׎‬Ǥ
ௗୀଵ
೏ ஽
Concatenate ቄࣟ ቀ࣫ ቀ‫ݒ‬௝௜ௗ ǡ ʹ௡ ቁ ǡ ݊ௗ ቁቅ ൌ ࢈ ࢗ࢐
ௗୀଵ
Output: Bit string ࢈࢐
ߜ௠௔௫ ൌ ς஽ ௗ
ௗୀଵ ߜሺ݊ ሻ
σವ ೏
೏సభ ௡ ୀே
Figure 5. DROBA algorithm.
The algorithmic description of DROBA is illustrated in Figure 5, where

୯ౠ denotes the final -bit query binary string of the -th user, ࣫ሺǡ ሻ
represents quantization of a feature based on an number of intervals,
ࣟ൫୯ ǡ ൯ represents encoding of a quantized feature ୯ using an number
of bits, ୨ denotes the -th user’s helper data, and
ୢ ቄଵ ǡ ଶ ǡ ǥ ǡ ቀ౤ౚ ቁ ቅ denotes the interval information (interval
ଶ
cutpoints).
This algorithm begins by initiating a two-interval quantization setting
(corresponding to 1-bit allocation setting) for all feature dimensions, and
identify among the dimensions the one that has the highest detection rate.
Once a dimension (say ‫ ) כ‬is found, a 1-bit allocation is officially assigned
to the ‫ כ‬-th dimension. For the next bit allocation, a new detection rate is
calculated for the ‫ כ‬-th dimension, based on the 2-bit allocation setting.
This detection rate will be compared to the 1-bit-allocation-based
detection rate of all other dimensions, and the dimension with the highest
detection rate will be selected for the second bit allocation. The same
procedure is repeated until all bits are allocated. Finally, an -bit query
binary string is derived from the feature dimensions.
With this, DROBA maximizes the overall detection rate through
extracting bits corresponding to quantization settings. In fact,
maximizing the overall detection rate is equivalent to maximizing the
probability of genuine features staying within the relative genuine
intervals, thus attempting to achieve a minimum intra-user variation in
producing the final binary string.
Compared to the entropy, equal-width and equal-probable quantization
schemes, the additionally-stored bit allocation information only describes
which of the feature components are more important. Hence, revealing it
to an adversary would not facilitate the reconstruction of the binary string
146 Chapter Four
nor the biometric features of the genuine user. Hence, security and privacy
violation using the helper data remain difficult.
2.4 [Univariate/Dynamic] Dynamic DROBA with Genuine

Interval Concealment
Dynamic DROBA [13] is an improved variant of DROBA, and
incorporates a dynamic search method in DROBA to capture miss-
detected discriminative features for more effective bit allocation. With
every one-bit increase in bit allocation, DROBA doubles the number of
intervals on a feature subspace, thus potentially cutting user pdf in the
middle at the interval cutpoints and affecting the detection rate of such
potentially discriminative feature components. These cutpoints are known
as “blind spots,” where the discriminability of a feature component could
be neglected if the corresponding user pdf is located at one of the blind
spots. As such, DROBA is suboptimal because the bit allocation could be
carried out irrespective of the discriminability of the feature components.
To complement DROBA in better accommodating the miss-detected
marginal features for each detection rate computation, Dynamic DROBA
seeks the best quantization setting with an interval-shifting-based genuine
interval search algorithm. Eventually, the sought quantization setting
would yield the largest detection rate among the settings. As a result,
Dynamic DROBA produces more effective bit allocation than DROBA.

However, a limitation of Dynamic DROBA is that, in the event of
helper data revelation, it would be very unlikely for a shifted quantization
setting to accommodate boundary features as they can already be well
fitted by the original mode. As a result, the unpredictability of
discretization output in each feature space reduces and lowers output
entropy results. To mitigate the information leakage resulting from the
dynamic search, a genuine interval concealment technique is incorporated,
in which an extended feature space is adopted for quantization, and
intervals other than the genuine interval are randomized to render the
original boundary intervals indistinguishable.
2.5 [Univariate/Dynamic] Reliability-dependent Bit Allocation

With the same objective as DROBA, the reliability-based bit allocation
(RDBA) [15] seeks an optimal number of bits ୢ to be allocated to each
feature dimension to extract most stable bits from a given set of
features. RDBA exploits bit agreement among discretized training
measurements of the same user as a bit allocation measure. By fixing a
maximum number ୫ୟ୶ of bits that can be allocated to each dimension,

this method initially encodes the training feature components of a user
using Binary Reflected Gray Code (BRGC)-encoding and derives a
reliability weight for each bit position of each feature component based on
the degree of bit agreement among the discretized training measurements.
These reliability weights can then be relied upon in allocating more bits to
discriminative feature components and vice versa.
This bit allocation scheme is divided into three phases: (i) statistical
analysis, (ii) rescaled reliability weight computation and (iii) bit allocation
with descendent sort of bit positions by discriminability and reliability of
feature elements. In the first phase, the feature dimensions are sorted
descending according to the signal to noise ratio vector of the -th user,
which can be computed based on statistics such as mean feature vector of
the -th user, grand mean vector of all enrollment features, intra-user
variance vector of the -th user, and the inter-user variance vector. The
second phase quantizes each feature dimension into ʹ୬ౣ౗౮ intervals,
discretizes each training feature component into ୫ୟ୶ bits and derives a
rescaled reliability weight for the -th bit of the -th feature component
for all and .
In the last phase, the algorithm performs bit allocation to the feature
dimensions through several rounds of evaluations based on a decrement
threshold ሺ୤୧୶ ൌ ͳ െ Τሻ for reliability weight. Beginning from the
highest ୤୧୶ , the algorithm searches through the sorted feature

components, identifies components whose reliability weight of the first bit
fulfills ୤୧୶ , and officially allocates one bit to these components in the first
round of evaluation. In each subsequent round of evaluation with unit step
increase in , the reliability weight of the ሺ ൅ ͳሻ-th bit of each -bit-
allocated feature component is evaluated with reference to the updated
୤୧୶ , and eligible components are identified for a further 1-bit allocation.
At any point of the bit allocation process, the algorithm terminates when a
total of bits have been allocated.
2.6 [Semi-Multivariate/Static] Polar Quantization

Chen et al. introduced a pairwise polar quantization technique [2] in which
every two feature components in Cartesian coordinates are paired up for
extracting the corresponding polar coordinates (phase and magnitude
features) for single-dimensional quantization. This quantization scheme
seeks an optimal feature pairing configuration so as to maximize the
discrimination of the binary string between the genuine and the imposter
Hamming distances (also known as the ratio of inter-user scatter to intra-
148 Chapter Four
user scatter). Due to that the distance between the mean of the feature pair
and the origin is found to dominate the inter- and intra-user scatters, two
feature pairing strategies are proposed to determine how the feature
components should be paired in order to optimize the discrimination of the
final binary string. The pairing strategies are:
¾ Long-Short Strategy: Selects two feature components; one with

large mean and another with small mean as a pair, keeping their
distance large
¾ Long-Long Strategy: Selects either both components with large
means or both components with small means, keeping their
distance far from the boundary
In [2], the Long-Short Strategy is applied on phase while the Long-Long

Strategy is applied on magnitude in forming feature pairs. The former
strategy is reported to provide reasonably good discretization performance.
2.7 [Multivariate] Medoid-based Segmentation

Medoid-based segmentation [16] partitions the entire -dimensional
feature space to produce segments from a dataset of users with
training samples per user. Each segment contains a representative point
(medoid) that characterizes the segment itself, such that the average
dissimilarity from the medoid to all training measurements in the segment
is minimal. Apart from being more robust to outliers, medoid-based
segmentation restricts segment representatives to sample points belonging
to the data set and thus explores a smaller solution space than other
centroid-based methods. Compared to univariate discretization techniques
that induce hyper-cubical/rectangular segments from a high dimensional
point of view, multivariate medoid-based segmentation produces convex
irregular hyper-polygonal segments shown in Figure 6., so to capture non-
uniform intra-user distribution that may not able to be well-captured by a
hyper-cubic/rectangular segment.
Multivariate Discretization
1
0.9
0.8
0.7
0.6
Dimension 2
0.5
0.4
0.3
0.2
0.1
0
0 0.1 0.2 0.3 0.4 0.5 0.6 0.7 0.8 0.9 1
Dimension 1
Figure 6. Irregular polygonal voronoi segments created using a

multivariate medoid-based segmentation, where each group of unique-
colored hollow shapes denotes the sample points of each user and each
filled star denotes the centroid of a voronoi segment.
Medoid-based Segmentation
1. Given ࢜࢐࢏ for ݆ ൌ ሼͳǡ ǥ ǡ ‫ܬ‬ሽ and ݅ ൌ ሼͳǡ ǥ ǡ ‫ܫ‬ሽǡ create an initial
solution ܵ‫ܮ‬௜௡௜௧ by randomly selecting a non-overlapping set of k
medoids (representatives), such that
ܵ‫ܮ‬௜௡௜௧ ൌ ܵ‫ ܮ‬ൌ ሼ࢓૚ ǡ ࢓૛ ǡ ǥ ǡ ࢓࢑ ሽǤ
2. Identify the non-representative points ࢜࢐࢏ associated with ࢓࢛
for ‫ ݑ‬ൌ ሼͳǡʹǡ ǥ ǡ ݇ሽ and ݅ ൌ ሼͳǡʹǡ ǥ ǡ ȁ‫ݏݑ݈ܥ‬௨ ȁሽ to form the initial
segments.
3. For each segment‫ݑ‬, exchange every ࢜࢐࢏ሺ࢛ሻ with ࢓࢛ and
compute
஽
ௗ
݃൫࢜࢐࢏ሺ࢛ሻ ൯ ൌ ෍ ห‫ݒ‬௝௜ሺ௨ሻ െ ݉௨ௗ ห
ௗୀଵ
150 Chapter Four
4. For each segment ‫ݑ‬, select the lowest ݃ሺ࢜࢐࢏ሺ࢛ሻ ሻ and replace ࢓࢛
with ࢜࢐࢏ሺ࢛ሻ Ǥ
5. Repeat steps 2 to 4 until there is no change in ܵ‫ ܮ‬and return the
final solution ܵ‫ܮ‬௙௜௡௔௟ .
Segmentation Encoding
1. With the final solution ܵ‫ܮ‬௙௜௡௔௟ ൌ ሼ࢓૚ ǡ ࢓૛ ǡ ǥ ǡ ࢓࢑ ሽ from the
segmentation phase, sort the medoids ascending according to
their d-th component value to obtain the sorted indices
‫ݏ‬ଵௗ ǡ ‫ݏ‬ଶௗ ǡ ǥ ǡ ‫ݏ‬௞ௗ :
ሾ‫ݏ‬ଵௗ ǡ ‫ݏ‬ଶௗ ǡ ǥ ǡ ‫ݏ‬௞ௗ ሿ ൌ ܽ‫ݐݎ݋ݏ̴݃݊݅݀݊݁ܿݏ‬൫݉ଵௗ ǡ ݉ଶௗ ǡ ǥ ǡ ݉௞ௗ ൯ǡ ݀
ൌ ͳǡʹǡ ǥ ǡ ‫ܦ‬Ǥ
2. Assign the codeword of index ߟ to the ሺߟ ൅ ͳሻ-th medoid
component, such that
݉௦ௗ೏ ՚ ࢈ࢊࣁࢊ ǡ
ആశభ
ߟௗ ൌ ሼͲǡͳǡ ǥ ǡ ݇ െ ͳሽǢ ݀
ൌ ሼͳǡʹǡ ǥ ǡ ‫ܦ‬ሽǤ
3. As a result, a D-dimensional sample point that falls within a
segment is eventually mapped to a concatenation of ‫ܦ‬
codewords representing the corresponding medoid:
࢈ࢗ = ቄ࢈૚ࣁ૚ ȁȁ࢈૛ࣁ૛ ȁȁ ǥ ȁȁ࢈ࡰ
ࣁࡰ
ቅ
Figure 7. Algorithmic description of a multivariate discretization.
Once the best segmentation solution is obtained, the medoid of every

segment is sorted in each feature dimension. As a result, every segment
will be associated with ‫ ܦ‬binary codewords corresponding to a ‫ܦ‬-
dimensional feature space, which can be concatenated to yield the final
binary representation of a user. To enable discretization of unknown test
objects, helper data such as the location of medoids and their
corresponding ‫ܦ‬-dimensional binary labels are stored. To decide on the
segment association during query, an unknown testing sample is
associated to the closest medoid of the segment, and is represented by the
‫ܦ‬-dimensional binary label of the associated segment. The complete
algorithm is described in Figure 7.
3 Advances in Feature Encoding

By indexing the quantization intervals using a decimal numeral system,
these indices can then be represented by its binary form, and subsequently
used for interval-labeling purpose. Hence, feature encoding can be

regarded as a problem of mapping discrete indices to binary codewords. In
the literature, there are several options of feature encoding schemes that
can be adopted for biometric discretization. Feature encoding schemes can
be classified into two categories: Complete-code-based and Partial-code-
based encoding. When a complete code is adopted for encoding, all code
elements are used for interval labelling 0[3][4][13][15][22]; While for
partial code, only part of the code elements are utilized [16][17]. In this
section, we will review a collection of recent advances in feature
encoding.
3.1 Conventional complete codes: Direct Binary Representation

and Binary Reflected Gray Code
Direct Binary Representation (DBR) and Binary Reflected Gray Code
(BRGC) [7] are two conventional complete codes for feature encoding in
discretization. For DBR, decimal indices are directly converted into its
binary equivalent. However, since DBR does not constrain the Hamming
distance between any pair of adjacent intervals’ label to handle intra-class
variations in the Hamming domain, this encoding scheme has only been
broadly employed in the early stage of quantization schemes before the
widespread employment of a more efficient scheme - BRGC. An -bit
BRGC is a code which visits all ʹ୬ binary -tuples orderly, such that
every successive pair of codewords differs by a single bit. By labelling
quantization intervals with BRGC codewords, the Hamming distance
between the output bits of any two adjacent intervals can be confined to
one. This could minimize intra-class variations in the Hamming domain.
Given a specific number of quantization intervals or encoding
elements in a code, the code length for both DBR and BRGC can be
determined as ୈ୆ୖ ൌ ୆ୖୋେ ൌ ‫ ڿ‬ଶ ‫ ۀ‬bits. Instances of DBR and
BRGC with ୈ୆ୖ ǡ ୆ୖୋେ ൌ ሼ͵ǡͶሽ sizes ൌ ሼͺǡͳ͸ሽ are illustrated in Table
1, where the codewords used for labeling the quantization intervals are
indexed from 0 to െ ͳ.
152 Chapter Four
Table 1. Complete code instances: DBR and BRGC for ‫ ܁‬ൌ ሼૡǡ ૚૟ሽ
with [࣎] indicating the codeword index.
DBR BRGC
ୈ୆ୖ ൌ ͵ ୈ୆ୖ ൌ Ͷ ୆ୖୋେ ൌ ͵ ୆ୖୋେ ൌ Ͷ
ൌͺ ൌ ͳ͸ ൌͺ ൌ ͳ͸
[0] 000 [0] 0000 [8] 1000 [0] 000 [0] 0000 [8] 1100
[1] 001 [1] 0001 [9] 1001 [1] 001 [1] 0001 [9] 1101
[2] 010 [2] 0010 [10] 1010 [2] 011 [2] 0011 [10] 1111
[3] 011 [3] 0011 [11] 1011 [3] 010 [3] 0010 [11] 1110
[4] 100 [4] 0100 [12] 1100 [4] 110 [4] 0110 [12] 1010
[5] 101 [5] 0101 [13] 1101 [5] 111 [5] 0111 [13] 1011
[6] 110 [6] 0110 [14] 1110 [6] 101 [6] 0101 [14] 1001
[7] 111 [7] 0111 [15] 1111 [7] 111 [7] 0100 [15] 1000
However, a tradeoff between discretization performance and entropy is

found to be inevitable when complete codes like DBR or BRGC is adopted
for feature encoding. The tradeoff is due to the indefinite discrete-to-
binary mapping during discretization, where multiple codewords in a
complete code share a common Hamming distance with respect to any
reference codeword in the code for any code length larger than 1. When a
complete code is used for encoding, there is a significant possibility where

imposter feature elements that are well-separated from a genuine feature
element in the discrete index space are mapped to certain closer codeword
elements in the Hamming space.
Consider the 4-bit DBR- and BRGC encoding in Table 1. For example,
when DBR is adopted, the interval ‘1000’ that is located 8 intervals away
from the reference interval ‘0000’ is mapped to one Hamming distance
away in the Hamming space. As another example, for BRGC, interval
‘1000’ is located much further (15 intervals away) from interval ‘0000’.
As a result, misclassification of encoded imposter feature components as
genuine in the Hamming domain and restricted discretization performance
can be expected. This defective phenomenon becomes increasingly critical
as the number of quantization intervals or code size increases [14]. By
referring to “code separability” as the Hamming distance separation
between any pair of codewords with reference to the index difference, it is
concluded that complete codes have low separability that is inappropriate
for feature encoding.
3.2 Partial codes: Linearly Separable Subcode and its Variant –

Partially Linearly Separable Subcode
To overcome the inherent limitation of complete codes, partial codes
are explored. Linearly Separable SubCode (LSSC) [14] is a partial code
that is able to overcome completely the indefinite discrete-to-binary
mapping phenomenon when it is used for encoding. Because only part of
the code elements is employed for labelling a given number of intervals,
the code length is larger than ଶ for ൐ ʹ. LSSC utilizes redundancy
to achieve ideal code separability, so that LSSC could construct a one-to-
one correspondence between every non-reference codeword and the
incurred Hamming distance from every possible reference codeword, thus
preserving the original separation between feature measurements in the
index domain after they are mapped to the Hamming domain.
Table 2. Instances of LSSC for ‫ ܁‬ൌ ሼ૜ǡ ૝ǡ ૞ǡ ૟ሽ where [࣎] denotes the
codeword index.
୐ୗୗେ ൌ ʹ ୐ୗୗେ ൌ ͵ ୐ୗୗେ ൌ Ͷ ୐ୗୗେ ൌ ͷ

ൌ͵ ൌͶ ൌͷ ൌ͸
[0] 00 [0] 000 [0] 0000 [0] 00000
[1] 01 [1] 001 [1] 0001 [1] 00001
[2] 11 [2] 011 [2] 0011 [2] 00011

[3] 111 [3] 0111 [3] 00111
[4] 1111 [4] 01111
[5] 11111
Given quantization intervals or encoding elements in a LSSC code, the

code length of LSSC can be determined as ୐ୗୗେ ൌ െ ͳ bits. Note that
the size of a ୐ୗୗେ -bit LSSC increases by one with every one-bit increment
of ୐ୗୗେ . Compared to complete codes, this flexibility in size increment
completely benefits dynamic bit allocation schemes that search for the
optimum number of quantization intervals that best accommodates the
genuine user pdf in each feature dimension. To construct a LSSC code,
beginning with an arbitrary ୐ୗୗେ -bit codeword (say an all-zero
codeword), the next ୐ୗୗେ codewords can be sequentially derived by
complementing a bit at a time from the lowest (rightmost) to the highest
order (leftmost) bit position. The resultant ୐ୗୗେ ൌ ሼʹǡ͵ǡͶǡͷሽ-bit LSSCs
for ൌ ሼ͵ǡͶǡͷǡ͸ሽ are shown in Table 2.
154 Chapter Four
In Table 2, the Hamming distance between any pair of codewords is

the same as the difference between the corresponding indices. For a 3-bit
LSSC example, the Hamming distance between codewords “111” and
“001” is 2, which equals the difference between codeword indices ‘3’ and
‘1’. It can be observed that the neighbour LSSC codewords tend to have
smaller Hamming distances compared to distant LSSC codewords. Thus,
LSSC encoding ensures distance preservation in the index space, despite
large bit redundancy.
The Partially Linearly Separable SubCode (LSSC) [14] is a variant of
LSSC that is designed for reducing the amount of redundancy of LSSC at
the expense of having a slightly lower separability level than LSSC. A
୔୐ୗୗେ -bit PLSSC has a size of ʹ୔୐ୗୗେ with the flexibility of size
increment lying between LSSC (unity) and a complete code (power of 2).
PLSSC can no longer offer a one-to-one correspondence between every
non-reference codeword and the incurred Hamming distance from every
possible reference codeword as there are only Ȁʹ ൅ ͳ Hamming distances
to be associated with discrete indices. Nonetheless, such a
correspondence is more relaxed (less codewords with common Hamming
distances with respect to any reference codeword) compared to that of
complete codes due to a larger maximum Hamming distance of PLSSC in
fulfilling a common code size. Instances of ୔୐ୗୗେ ൌ ሼʹǡ͵ǡͶǡͷሽ-bit PLSSC
for ൌ ሼͶǡ͸ǡͺǡͳͲሽ are shown in Table 3.
Table 3. Instances of PLSSC for ‫ ܁‬ൌ ሼ૝ǡ ૟ǡ ૡǡ ૚૙ሽ where [࣎] denotes
the codeword index.
୐ୗୗେ ൌ ʹ ୐ୗୗେ ൌ ͵ ୐ୗୗେ ൌ Ͷ ୐ୗୗେ ൌ ͷ

ൌͶ ൌ͸ ൌͺ ൌ ͳͲ
[0] 00 [0] 000 [0] 0000 [0] 00000
[1] 01 [1] 001 [1] 0001 [1] 00001
[2] 11 [2] 011 [2] 0011 [2] 00011
[3] 10 [3] 111 [3] 0111 [3] 00111
[4] 110 [4] 1111 [4] 01111
[5] 100 [5] 1110 [5] 11111
[6] 1100 [6] 11110
[7] 1000 [7] 11100
[8] 11000
[9] 10000
4 An Experimental Comparative Study

In this section, a comparison is conducted among the following
quantization schemes:
(a) [Univariate/Static] Equal-probable quantization
(b) [Univariate/Static] Entropy-based quantization
(c) [Semi-multivariate/Static] Long-short-strategy-based phase
quantization (Phase + LS)
(d) [Univariate/Dynamic] DROBA
(e) [Univariate/Dynamic] Dynamic DROBA
(f) [Univariate/Dynamic] Flexi-DROBA (DROBA with unity interval
increment in the bit allocation process)
(g) [Univariate/Dynamic] RDBA
and encoding schemes:
(a) [Complete code] BRGC encoding
(b) [Partial code] LSSC encoding
From this study, we are able to examine the performance of various

quantization-based discretization schemes under a common feature
encoding setting, and to justify the effectiveness of partial-code-based
encoding over the complete-code-based encoding.
4.1 Data Sets and Experimental Settings

Among the biometric modalities that produce ordered feature vectors upon
feature extraction, we adopt face biometric as the subject of our
experimental studies, due to its universal and non-intrusive characteristics.
In the experiments, two popular face data sets were adopted:
FRGC: The adopted data is a random subset of the FRGC dataset
(version 2) [19], containing a total of 2124 images with 12 images for each
of 177 identities. The images were taken under controlled-illumination
condition.
FERET: The adopted data is a random subset of the FERET face data
set [20] containing a total of 2400 images with 12 images for each of 200
identities. The images were collected under semi-controlled conditions and
images with varying illumination conditions and facial expressions were
selected.
For both data sets, proper alignment was applied to the images based
on standard face landmarks. To avoid possible strong variation in hair
style, the face region was extracted for recognition by cropping the images
156 Chapter Four
to the size of͸ͳ ൈ ͹͵ for both data sets. Finally, histogram equalization
was applied to the cropped images.
In the experiments, three rounds of four-fold cross-validation were
carried out with different training/testing partition and the experimental
results were averaged over the rounds to avoid bias in the classification
accuracy. Prior to discretization, discriminative/representative features
were initially extracted based on the raw features using Eigenfeature
Regularization and Extraction (ERE) [8]. Generally, the raw dimensions of
the images from both data sets were reduced to 128. For dynamic
discretization, the maximum number of quantization bits in each feature
dimension ୫ୟ୶ is limited to 6. As for static discretization, if the length of
(୫ୟ୶ -bit) binary strings exceeds the specified entropy, the first bits
of the binary strings will be adopted for performance evaluation.
For measuring false acceptance rate (FAR) of the system, each image
of every identity was matched against a random image of every other
identity within the testing partition (without overlapping selection), while
for evaluating the system false rejection rate (FRR), each image was
matched against every other images of the same identity for every identity
within the testing partition. Hamming distance is taken as the dissimilarity
measure. The Equal Error Rate (EER), that is, the error rate where FAR =
FRR, is used as a comparative measure for classification performance. The
lower the EER a scheme achieves, the better the scheme is considered to
be.
4.2 Performance Evaluation

The experimental comparisons illustrated in Figure 8. are conducted in
terms of (a) accuracy performance and (b) bit length of discretization
output based on (I) FRGC and (II) FERET datasets under several common
entropy specifications on discretization output.
It is noticed from Figure 8. that LSSC-encoding-based discretization
schemes generally outperform BRGC-encoding-based schemes, thus
justifying the effectiveness of the LSSC encoding scheme. Considering the
8-interval equal-probable scheme, for instance, the EER outperformance
of Equal-Probable+LSSC over Equal-Probable+BRGC in Figure 8(Ia)
ranges from 2 to 8%. As another example, in Figure 8(IIa)., the EER
outperformance of DROBA + LSSC over DROBA + BRGC is observed to
be less than 2%. However, in terms of bit length, LSSC encoding-based
discretization schemes generally extract longer binary biometric
representation than BRGC encoding-based discretization schemes, so to
fulfil an entropy specification.
In terms of quantization methods, it is observed that Flexi-

DROBA+LSSC (DROBA with unity interval increment in bit allocation
process) performs the best over all other discretization schemes in Figures
8(Ia). and (IIa). while inflicting a reasonable amount of bits redundancy, as
illustrated in Figures 8(Ib). and (IIb). This scheme enjoys full advantage of
(flexible) unity increment in code size/number of intervals, which renders
it a very effective bit allocation scheme compared to the other variants of
DROBA. Apart from that, Flexi-DROBA+LSSC achieves the lowest bit
redundancy among the LSSC-encoding-based bit allocation schemes due
to the same advantage.
Dynamic DROBA ranks second in performance comparison in Figure
8(Ia). and ranks third in Figure 8(IIa). as a result of its underperformance
to Flexi-DROBA+LSSC and the RL-based feature selection scheme by
less than 0.5% EERǤ It is noticed that the largest EER improvement
relative to DROBA+LSSC appears to be 2% at ൌ ͸Ͷ and ͵ʹͲ in Figure
8(Ia) and 0.7% at ൌ ʹͷ͸ in Figure 8(IIa). In terms of output bit length,
dynamic DROBA+LSSC happens to be slightly lower than Flexi-
DROBA+LSSC for ൑ ͵ʹͲ. However, it is worth noting that the actual
“effective entropy” achieved by dynamic DROBA might be significantly
lower than reported, due to the dynamic genuine interval search process as
illustrated in Figures 8(Ib). and (IIb).
The RDBA performs the worst among the bit allocation schemes under
LSSC-encoding setting. However, it is noticed that RDBA outperforms

DROBA+LSSC by at most 1.3% for ൒ ͵ʹͲ in Figure 8(Ia). and at most
0.5% in Figure 8(IIa). for ൒ ͳʹͺ. Since bits are allocated in accordance
with the corresponding reliability weights in a bit-oriented manner (from
the leftmost to the rightmost bit of a codeword) and a dimensional-
oriented manner (from the first to the last signal-to-noise-ratio-sorted
feature component), the bit allocation may not be terminated right at the
last sorted dimension in most cases when -bit entropy is required,
therefore rendering it more robust towards performance deterioration when
increases (considering there exist substantially more unallocated bits
which are associated with a reliability weight that is not lower than the
reliability weight threshold ୤୧୶ ). This implies that bits allocated to the
feature components could be greatly non-uniform, thus incurring the most
bit redundancy among the LSSC-encoding-based bit allocation schemes
shown in Figure 8(Ib) and (IIb).
158 Chapter Four
ERE (D=128) / FRGC / Performance Comparison

40
38 [BRGC] 8-interval Equal-Probable
[BRGC] 8-interval Entropy
36
[BRGC] DROBA
34 [BRGC] Phase+LS
32 [LSSC] 8-interval Equal-Probable
30 [LSSC] 8-interval Entropy
[LSSC] DROBA
28
[LSSC] Phase+LS
26 [LSSC] Dynamic DROBA
EER (%)
24 [LSSC] Flexi-DROBA
[LSSC] RDBA
22
20
18
16
14
12
10
8
6
64 128 192 256 320 384
Entropy L (bits)
(Ia)
ERE (D=128) / FERET / Bit Length Comparison

4500
[BRGC] 8-interval Equal-Probable
4000 [BRGC] 8-interval Entropy
[BRGC] DROBA
3500 [BRGC] Phase+LS
[LSSC] 8-interval Equal-Probable
[LSSC] DROBA
2500 [LSSC] Phase+LS
EER (%)
[LSSC] Dynamic DROBA

[LSSC] RDBA
1500
1000
500
0
64 128 192 256 320 384
Entropy L (bits)
(Ib)
160 Chapter Four
ERE (D=128) / FERET / Performance Comparison

24
[BRGC] DROBA
20
[BRGC] Phase+LS
18 [LSSC] 8-interval Equal-Probable
[LSSC] 8-interval Entropy
16 [LSSC] DROBA
[LSSC] Phase+LS
14
EER (%)
[LSSC] RDBA
10
0
64 128 192 256 320 384
Entropy L (bits)
(IIa)
ERE (D=128) / FRGC / Bit Length Comparison

4500
[BRGC] DROBA
3500 [BRGC] Phase+LS
[LSSC] 8-interval Equal-Probable
[LSSC] DROBA
2500 [LSSC] Phase+LS
EER (%)

[LSSC] RDBA
1500
1000
500
0
64 128 192 256 320 384
Entropy L (bits)
(IIb)
Figure 8. A comparison of the discretization schemes in (a) performance, and in

(b) bit length of binary output based on the (I) FRGC and (II) FERET data sets.
4 Conclusion and Future Directions

Biometric discretization extracts a binary representation from each user
through a sequential process of quantization and encoding. Biometric
discretization can be classified in accordance with its quantization fashion:
(a) univariate vs. semi-multivariate vs. multivariate, (b) static vs. dynamic;
or its encoding fashion: complete-code vs partial-code encoding. Among
the numerous approaches in the literature, univariate quantization is the
most popular quantization technique, and at the current stage, dynamic
quantization and partial code encoding are the most effective options for
biometric discretization.
While there have been many advances in biometric discretization in the
past decade, plenty of work in this area remains to be done. Univariate
quantization is designed based on the inherent assumption that the input
feature components are independent among one another, where very often
this assumption is not true in practice because truly independent input
162 Chapter Four
feature components are extremely difficult to extract. As a result, the

discretization output may not contain the expected amount of information
due to correlation among bits, thus resulting in lower output entropy than
expected. Although multivariate discretization is designed to overcome
such an issue, it is often very difficult to estimate high-dimensional
population distribution for creating quantization segments to fulfil an
entropy specification. Even if the required number of quantization
segments can be created, it is also a problem to efficiently represent a huge
number of segmentation indices in binary when the partial code is adopted
for feature encoding. Hence, developing a discretization scheme that could
maximize biometric recognition performance and output entropy remains
an open research problem. Apart from the above, more diverse
discretization techniques could still be explored in terms of quantization
and encoding techniques. Rigorous analyses on the discretization schemes
are also needed to provide relevant performance and security guarantees.
References
[1] Chang, Y., Zhang, W., Chen, T., “Biometric-based Cryptographic Key
Generation,” IEEE International Conference on Multimedia and Expo
(ICME 2004), vol. 3, pp. 2203-2206, 2004.
[2] Chen, C., Veldhuis, R., “Binary Biometric Representation through
Pairwise Polar Quantization,” the 3rd International Conference on

Advances in Biometrics (ICB '09), Lecture Notes in Computer
Science, vol. 5558, pp. 72-81, 2009.
[3] Chen, C., Veldhuis, R., Kevenaar, T., Akkermans, A., “Multi-bits
Biometric String Generation based on the Likelihood Ratio,” 1st IEEE
International Conference on Biometrics: Theory, Applications, and
Systems (BTAS '07), pp. 1-6, 2007.
[4] Chen, C., Veldhuis, R., Kevenaar, T., Akkermans, A., “Biometric
Quantization through Detection Rate Optimized Bit Allocation,”
EURASIP Journal on Advances in Signal Processing, vol. 2009,
Article ID 784834, 16 pages, 2009.
[5] Dodis, Y., Ostrovsky, R., Reyzin L., Smith, A., “Fuzzy extractors:
How to Generate Strong Keys from Biometrics and other Noisy Data,”
EUROCRYPT 2004, Lecture Notes in Computer Science, vol. 3027,
pp. 523-540, 2004.
[6] Fayyad, U.M., Irani, K.B., “Multi-interval Discretization of
Continuous-valued Attributes for Classification Learning,” the 13th
International Joint Conference on Artificial Intelligence, pp. 1022-
1027, 1993.
[7] Gray, F., “Pulse Code Communications,” U.S. Patent 2632058, 1953.
[8] Jiang, X.D., Mandal B., Kot A., “Eigenfeature Regularization and
Extraction in Face Recognition,” IEEE Transactions on Pattern
Analysis and Machine Intelligence, vol. 30, no. 3, pp. 383-394, 2008.
[9] Juels, A., Wattenberg, M., “A Fuzzy Commitment Scheme,” the 6th
ACM Conference in Computer and Communication Security (CCS'99),
pp. 28-36, 1999.
[10] Kevenaar, T.A.M., Schrijen, G.J., Van der Veen, M., Akkermans,
A.H.M., Zuo, F., “Face Recognition with Renewable and Privacy
Preserving Binary Templates,” the 4th IEEE Workshop on Automatic
Identification Advanced Technologies (AutoID '05), pp. 21-26, 2005.
[11] Kumar, A., Zhang, D., “Hand Geometry Recognition using
Entropy-based Discretization,” IEEE Transactions on Information
Forensics and Security, vol. 2, pp. 181-187, 2007.
[12] Li, Q., Sutcu, Y., Memon, N., “Secure Sketch for Biometric
Templates,” the 12th International Conference on the Theory and
Application of Cryptology and Information Security (ASIACRYPT
‘06), Lecture Notes in Computer Science, vol. 4284, pp. 99-113, 2006.
[13] Lim, M.-H., Teoh, A.B.J., and Toh, K.-A., “Biometric
Discretization via a Dynamic Detection Rate-based Bit Allocation with
Genuine Interval Concealment, The IEEE Transactions on Systems,”
Man, and Cybernetics, Part B (TSMCB), vol. 43, no.3, pp. 843-857,
2013.
[14] Lim, M.-H. and Teoh, A.B.J., “A Novel Encoding Scheme for
Effective Biometric Discretization: Linearly Separable SubCode,” The
IEEE Transactions on Pattern Analysis and Machine Intelligence
(TPAMI), vol. 35, no. 2, pp. 300-313, 2013.
[15] Lim, M.-H., Teoh, A.B.J., and Toh, K.-A., “An Efficient
Dynamic Reliability-Dependent Bit Allocation for Biometric
Discretization,” Pattern Recognition (PR), vol. 45, no. 5, pp. 1960-
1971, 2012.
[16] Lim, M.-H. and Teoh, A.B.J., “Non-User-Specific Multivariate
Biometric Discretization with Medoid-based Segmentation,” the 6th
Chinese Conference on Biometric Recognition (CCBR 2011), LNCS,
vol.7098, pp.279-287, 2011.
[17] Lim, M.-H. and Teoh, A.B.J., “An Effective Biometric
Discretization Approach to Extract Highly Discriminative, Informative
and Privacy-Protective Binary Representation,” EURASIP Journal on
Advances in Signal Processing, vol. 2011, no. 107, 2011.
[18] Linnartz, J.-P., Tuyls, P., “New Shielding Functions to Enhance
Privacy and Prevent Misuse of Biometric Templates,” the 4th
164 Chapter Four
International Conference on Audio and Video Based Person

Authentication (AVBPA 2004), LNCS, vol. 2688, pp. 238-250, 2003.
[19] Philips, P.J., Flynn, P.J., Scruggs, T., Bowyer, K.W., Chang, J.,
Hoffman, K., Marques, J., Min, J., Worek, W., “Overview of the Face
Recognition Grand Challenge,” IEEE Conference on Computer Vision
and Pattern Recognition (CVPR ’05), vol. 1, pp. 947-954, 2005.
[20] Philips, P.J., Moon, H., Rauss, P.J. and Rizvi, S. “The FERET
Evaluation Methodology for Face Recognition Algorithms,” IEEE
Transactions on Pattern Analysis and Machine Intelligence, vol. 22,
no. 10, pp. 1090-1104, 2000.
[21] Teoh, A.B.J., Yip, W.K., Toh, K.-A., “Cancellable Biometrics
and User-dependent Multi-State Discretization in BioHash,” Pattern
Analysis & Applications, 2009.
[22] Tuyls, P., Akkermans, A.H.M., Kevenaar, T.A.M., Schrijen, G.-
J., Bazen, A.M., Veldhuis, N.J., “Practical Biometric Authentication
with Template Protection,” the 5th International Conference on Audio-
and Video-based Biometric Person Authentication, Lecture Notes in
Computer Science, vol. 3546, pp. 436-446, 2005.
[23] Yip, W.K., Goh, A., Ngo, D.C.L., Teoh, A.B.J., “Generation of
Replaceable Cryptographic Keys from Dynamic Handwritten
Signatures,” the 1st International Conference on Biometrics, Lecture
Notes in Computer Science, vol. 3832, pp. 509-515, 2006.
CHAPTER FIVE
DE-IDENTIFYING BIOMETRIC IMAGES

BY DECOMPOSITION AND MIXING
ASEM OTHMAN AND ARUN ROSS

MICHIGAN STATE UNIVERSITY
Abstract
The goal of this chapter is to discuss methods that can be used to extend
privacy to biometric data in the context of an operational system.
Biometric data can be viewed as personal data, since it pertains to the
biological and behavioural attributes of an individual. Besides being used
to recognize individuals, biometric data can potentially be used to glean
additional information such as an individual’s health, gender, age, ancestry

origin, etc. Therefore, it is necessary to ensure that the biometric data
stored in a system is used only for its intended purpose and that function
creep is avoided. Further, in some applications, the biometric data may
have to be “de-identified" prior to storage in order to prevent an adversary
or an administrator from viewing the original identifiable data.
In this chapter, we first briefly review methods that have been
published in the literature for imparting privacy to biometric data. Next,
we discuss a method based on Visual Cryptography that de-identifies a
face or fingerprint image prior to storing it by decomposing the original
image into two images in such a way that the original image can be
revealed only when both images are simultaneously available; further,
each component image does not reveal the identity of the original image.
Experimental results suggest the utility of the scheme for de-identifying
fingerprint and face images. Finally, we discuss a method based on the
concept of mixing to extend privacy to fingerprint images. The proposed
scheme mixes a fingerprint with another fingerprint (referred to as the
“key") in order to generate a new mixed fingerprint image that can be
directly used by a fingerprint matcher. The mixed image obscures the
166 Chapter Five
identity of the original fingerprint; further, different applications can

employ different “keys," thereby ensuring that the identities enrolled in
one application cannot be matched against the identities in another
application. Experimental analysis confirms the potential of the scheme for
generating cancellable fingerprint templates that are resilient to cross-
matching attacks.
Keywords: De-identifying Biometrics, Image-level Fusion, Visual

Cryptography, Fingerprint Encryption, Face Encryption, Mixing
Biometrics, Phase Decomposition, Virtual Identities.
1 Introduction
Classical image-based biometric systems capture the biological and
behavioural attributes of an individual in the pixel space and transform it
to a lower dimensional feature space (i.e., feature sets). Preserving the
privacy of the stored biometric data (i.e., biometric images and/or feature
sets) is essential to the integrity of a biometrics system. Loss of privacy
occurs if the biometric data is used by authorized or unauthorized
agencies to glean additional information such as an individual’s health,
gender, age, ancestry origin, etc. [1], or to link biometric databases
belonging to different applications. Recently, Acquisti et al. [2]
demonstrated that by taking advantage of cloud computing and mobile

devices along with an off-the-shelf face recognizer, public sources of
information such as Facebook profiles can be mined in order to identify
strangers and derive sensitive information about them (e.g., in a few cases,
they were able to retrieve the first five digits of individual’s social security
number).
Therefore, de-identifying biometric data prior to storage may be
necessary to ensure that the stored biometric data is used only for its
intended purpose and to prevent an adversary or an administrator from
viewing the original identifiable data. De-identifying involves storing a
transformed or modified version of the biometric data in such a way that it
is impossible to deduce the original biometric signal from the stored
version. De-identifying can be applied at the image-level (see Figure 1-a)
or at the feature-level (see Figure 1-b).
De-Identifying Biometric Images by Decomposition and Mixing 167
1.1 De-identifying Biometric Images

De-identifying a biometric image involves intentionally changing the
biometric content of the image such that it cannot be easily associated with
its owner; however, the de-identified image is retained in the same image
space as the original image (i.e., a de-identified fingerprint is another
fingerprint image). The transformation function used to change the
biometric image has to be noninvertible, i.e., even if the de-identified
image and the function are revealed, reconstructing the original image
should be computationally hard. Further, this function should have the
ability to generate different transformed versions of the same biometric
image, for instance, by simply changing the function parameters. This is to
guarantee that different applications use different transformed versions of
the same biometric image, which prevents the linking of identities across
applications.
(a)
(b)
Figure 1: Illustration of de-identifying biometric data at (a) the image-level and (b)
the feature-level.
Ratha et al. [3] proposed the use of geometric transformations to modify

biometric images. They referred to this as cancellable biometrics. The
transformed image is cancellable because the distortion parameters can be
changed to generate a new biometric image. Ever since their paper on
cancellable biometrics [3], preserving biometrics privacy has been an
active research topic in the biometrics literature. However, de-identifying
biometric images is relatively less explored compared to de-identifying
168 Chapter Five
feature sets. This is because the noninvertible functions in the case of the
former are constrained to retain the transformed images in the same image
space as the original images while, at the same time, preserve the
discriminability of the original images. Zuo et al. [4] de-identified iris
images by combining the original image with a synthetic one and by
shifting and combining rows of the unwrapped iris image. In [5][6],
geometric transformations suggested by Ratha et al. [3], such as block re-
mapping and grid morphing, have been applied to iris images.
Newton et al. [7] and Gross et al. [8] introduced a face anonymisation
method that minimized the chances of performing automatic face
recognition while preserving details of the face such as expression, gender
and age. Bitouk et al. [9] proposed a face swapping technique that
protected the identity of a face image by automatically substituting it with
replacements taken from a large library of public face images. However, in
the case of both face anonymisation and swapping, the original face
images are irrevocably lost, thereby impacting their use for face
recognition.
Comments on de-identifying biometric images
The advantage of de-identifying biometric images is that different feature

extraction algorithms can be used on the transformed images to compute
the feature sets. However, applying a noninvertible de-identifying function

implies a loss in accuracy as discussed in [3][4] because the transformed
images are difficult to align and, in addition, the discriminability of the
biometric content is reduced [3].
Alternative solutions include de-identifying biometric feature sets by
applying a noninvertible transformation to them, or by using the feature
sets to directly generate or secure a cryptographic key.
1.2 De-identifying Biometric Feature Sets

A feature set is de-identified by replacing it with a transformed feature set
or a cryptographic key that either generated from the feature set or bound
to it. So the work done on de-identifying feature sets can be classified into
two categories [10, 11]: cancellable feature sets and cryptosystems.
To generate a cancellable feature set, a mapping function based on
application-specific parameters [12][4] or user-specific keys [13][14][15]
is used. Then, the matching is performed directly in the transformed
domain. Alternatively, in the case of cryptosystems [16][10][11], a
cryptographic key is secured by using a biometric template or by directly
generating a cryptographic key from the biometric template. Some public

information about the biometric template is stored and referred to as helper
data. This helper data does not reveal any significant information about the
original biometric template but is needed during matching to extract a
cryptographic key from the feature set corresponding to the input (query)
image. In cryptosystems, matching is performed indirectly by verifying the
validity of the extracted key. Biometric cryptosystems generally result in a
noticeable decrease in recognition performance. This is because
cryptosystems introduce a higher degree of quantization at the feature
extraction stage. Moreover, in general, biometric cryptosystems are not
designed to provide diversity and revocability. Therefore, hybrid schemes
have been proposed to combine both categories [17] [18], e.g., binding a
cryptographic key with a transformed feature set.
Comments on de-identifying biometric feature sets
In general, de-identifying feature sets is less constrained than de-

identifying images, but designing such a function for feature sets depends
on the biometric trait. For instance, it may be easier to design a
cryptosystem for an iris recognition system due to the nature of the
commonly used feature set (i.e., iriscodes which are binary representations
of the iris texture). Alternatively, there are many non-invertible
transformations for minutiae-based fingerprint feature sets, which may not

be suitable for generating a cancellable iris code.
The security of de-identified feature sets relies on the assumption that
the key and/or the transformation parameters are only known to the
legitimate user. Maintaining the secrecy of those keys is one of the main
challenges, since these approaches are vulnerable to linkage attacks where
the key or the set of transformation parameters along with the stored
template are compromised [19][20].
In this chapter, we will discuss two approaches for de-identifying
images based on the principles of decomposition [21] and mixing [22].
Figures 2 and 3 show examples of de-identifying a face image by
decomposing it into two face images and de-identifying a fingerprint by
mixing it with another fingerprint.
170 Chapter Five
Figure 2: Illustration of de-identifying a face image by decomposition.

Figure 3: Illustration of de-identifying a fingerprint image by mixing.
2 Decomposing Biometric Images

The first technique to de-identify biometric images is by decomposing
a biometric image into two images such that the original image can only
be revealed when the two constituent images are simultaneously available.
These two constituent images are referred to as sheets. During the
enrollment process, the private biometric image (i.e., the secret that has to
be protected and de-identified) is acquired by a trusted entity. Next, the
biometric image is decomposed into two sheets, and the original data
discarded. These sheets are then transmitted and stored in two different
servers. During the recognition process, the trusted entity sends a request
to each server, and the corresponding sheets are transmitted to it. Then the
sheets are overlaid to reveal the private image and sent to the matching
module. Once the matching score is computed, the revealed private image
is discarded. In order to accomplish this, Visual Cryptography can be

utilized.
2.1 Visual Cryptography

The Visual Cryptography Scheme [23] (VCS) is a simple and secure way
to share secret images such that decryption can be performed using the
human visual system or a simple binary operation. The basic scheme is
referred to as the k-out-of-n visual cryptography scheme which is denoted
as ȋk, nȌ VCS [23]. Given an original binary image T, it is encrypted in n
images, such that:
ܶ ൌ ܵ௛భ ْ ܵ௛మ ْ ܵ௛య ْ ǥ ْ ܵ௛ೖ ǡ (1)
where ْ is a Boolean operation, ܵ௛೔ ǡ ݄௜ ‫ͳ א‬ǡʹǡ Ǥ Ǥ Ǥ Ǥ ǡ ݇ is an image that

appears as white noise, ݇ ൑ ݊, and ݊ is the number of noisy images. It is
difficult to decipher the secret image T using individualܵ௛݅ ’s [23]. The
encryption is undertaken in such a way that ݇ or more out of the ݊
generated images are necessary for reconstructing the original imageܶ.
2.1.1 The ࢑-out-of-࢔ Visual Cryptography Scheme

There are a few basic definitions which need to be provided before we

formally discuss the adaptation of the VCS model for biometric purposes.
- Secret image (ܱ): The original image that has to be encrypted.

This is the private biometric image.
- Sheets (ܵƍs): The secret image is encrypted into n sheet images.
- Target (ܶ): The image reconstructed by stacking or superimposing
the sheets.
- Sub-pixel: Each pixel P is divided into a certain number of sub-
pixels during the encryption process.
- Pixel Expansion (m): The number of sub-pixels used by the sheet
images to encode each pixel of the original image.
- Shares: Each pixel is encrypted by n collections of m black-and-
white sub-pixels. These collections of sub-pixels are known as
shares.
- Relative Contrast ( ߙ ): The difference in intensity measure
between a black pixel and a white pixel in the target image.
172 Chapter Five
- OR-ed m-vector (ܸ): An ݊ ൈ ݉ matrix is transformed to an ݉-

dimensional vector by applying the boolean OR operation across
each of the ݉ columns.
- Hamming weight (‫ܪ‬ሺܸሻ): The number of ‘1’ bits in a binary
vector ܸ.
The ݇ -out-of- ݊ Visual Cryptography Scheme deals with the secret

message as an image consisting of independent white and black pixels.
Each pixel is reproduced as n shares with each share consisting of m sub-
pixels. This can be represented and described by an ݊ ൈ ݉ Boolean
matrix ‫ ܤ‬ൌ ൣܾ௜௝ ൧ where ܾ௜௝ = 1 if and only if the jth sub-pixel in the ith
share is black. The ‫ ܤ‬matrix is selected randomly from one of two
collections of ݊ ൈ ݉ Boolean matrices ‫ܥ‬଴ and ‫ܥ‬ଵ ; the size of each
collection is ‫ݎ‬. If the pixel ܲ in the secret image is a white pixel, one of the
matrices in ‫ܥ‬଴ is randomly chosen; if it is a black pixel, a matrix from ‫ܥ‬ଵ is
randomly chosen. Upon overlaying these shares, a grey level for the pixel
ܲ of the target image becomes visible, and it is proportional to the
Hamming weight, ‫ܪ‬ሺܸሻǡ of the OR-ed m-vector ܸ for a given matrix ‫ܤ‬. It
is interpreted visually as black if ‫ܪ‬ሺܸሻ ൒ ݀ and as white if ‫ܪ‬ሺܸሻ ൏ ݀ െ
ߙ݉ for some fixed threshold ͳ ൑ ݀ ൑ ݉ and relative difference ߙ ൐ Ͳ.
The contrast of the output of a visual cryptography scheme is the
difference between the minimum ‫ܪ‬ሺܸሻvalue of a black pixel and the
maximum allowed ‫ܪ‬ሺܸሻvalue for a white pixel, which is proportional to

the relative contrast ሺߙሻ and the pixel expansion ሺ݉ሻǤ The scheme is
considered valid if the following three conditions are satisfied:
x Condition (1): For any matrix ‫ ܤ‬in ‫ܥ‬଴ , the OR operation on any ݇
of the ݊ rows satisfies ‫ܪ‬ሺܸሻ ൏ ݀ െ ߙ݉.
x Condition (2): For any matrix ‫ ܤ‬in ‫ܥ‬ଵ , the OR operation on any ݇
of the ݊ rows satisfies ‫ܪ‬ሺܸሻ ൒ ݀.
x Condition (3): Consider extracting ‫ ݍ‬rows, ‫ ݍ‬൏ ݇ , from two
matrices, ‫ܤ‬଴ ‫ܥ א‬଴ and ‫ܤ‬ଵ ‫ܥ א‬ଵ ǡ resulting in new matrices ‫ܤ‬଴ᇱ and
‫ܤ‬ଵᇱ . Then, ‫ܤ‬଴ᇱ and ‫ܤ‬ଵᇱ are indistinguishable in that there exists a
permutation of columns of ‫ܤ‬଴ᇱ that would result in ‫ܤ‬ଵᇱ . In other
words, any ‫ ݍ‬ൈ ݉ matrix ‫ܤ‬଴ ‫ܥ א‬଴ and ‫ܤ‬ଵ ‫ܥ א‬ଵ are identical up to a
column permutation.
Conditions (1) and (2) define the image contrast due to VCS. Condition
(3) imparts the security property of a ȋ݇ǡ ݊Ȍ VCS which states that the
careful examination of fewer than k shares will not provide information
about the original pixel ܲ . Therefore, the important parameters of the
scheme are the following: First, the number of sub-pixels in a shareሺ݉ሻ;

this parameter represents the loss in resolution from the original image to
the resultant target image and it needs to be as small as possible such that
the target image is still visible. In addition, the ݉ sub-pixels need to be in
the form of a ‫ ݒ‬ൈ ‫ ݒ‬matrix where ‫ ܰ א ݒ‬in order to preserve the aspect
ratio of the original image. Second, ߙ, which is the relative difference in
the Hamming weight of the combined shares corresponding to a white
pixel and that of a black pixel in the original image; this parameter
represents the loss in contrast and it needs to be as large as possible to
ensure visibility of the target pixel. Finally, the size of the collection of ‫ܥ‬଴
and ‫ܥ‬ଵ , ‫ ݎ‬, which represents the number of possibilities for ‫ ܤ‬. This
parameter does not directly affect the quality of the target image.
The scheme can be illustrated by a ሺʹǡʹሻVCS example which is shown
in Figure 4. One pixel of the original image corresponds to four pixels in
each share. Therefore, six patterns of shares are possible. Based on this,
the following collection of matrices are defined:
ͳ ͳ ͲͲ
C0 = {all the matrices obtained by permuting the columns of ቂ ቃ }
ͳ ͳ ͲͲ
ͳ ͳ ͲͲ
C1 = {all the matrices obtained by permuting the columns of ቂ ቃ }.
Ͳ Ͳ ͳͳ
This 2-out-of-2 visual cryptography scheme has the parameters ݉ ൌ Ͷ,

ߙ ൌ ͳȀʹ and ‫ ݎ‬ൌ ͸. A secret image is encrypted by selecting shares in
the following manner. If the pixel of the secret binary image is white, the
same pattern of four pixels is randomly picked for both shares which is
equivalent to randomly selecting a Boolean matrix ‫ ܤ‬from the
collection‫ܥ‬଴ . If the pixel of the original image is black, a complementary
pair of patterns is randomly picked i.e., a boolean matrix ‫ ܤ‬from the
collection ‫ܥ‬ଵ is selected. Conditions (1) and (2) can be easily tested to
validate this ሺʹǡʹሻ VCS. The last condition which is related to the security
of the scheme can be verified by taking any row from ‫ܤ‬଴ ‫ܥ א‬଴ and ‫ܤ‬ଵ ‫ܥ א‬ଵ
and observing that they have the same frequency of black and white
values.
174 Chapter Five
Figure 4: Illustration of a 2-out-of-2 scheme with 4 sub-pixel construction.
2.2 Visual Cryptography for Securing Fingerprint Images

The basic visual cryptography scheme can be utilized to de-identify a
fingerprint image (see Figure 5.) [21]. The fingerprint image can be
decomposed into two random noise images such that the original image
can be revealed when the two constituent images are simultaneously
available and superimposed.
The overlaying or superimposing operation in visual cryptography is
computationally modelled as the binary OR operation which causes the
contrast level of the target image to be lowered. Loss in contrast in target
images has been addressed by simply substituting the OR operator with
the XOR operator [24]. Furthermore, the target image can be down-
sampled by reconstructing just one pixel from every ʹ‫ ʹݔ‬block. Thus, the
reconstructed image will have a visually pleasant appearance and require
less storage space. Figure 6 shows the difference in quality between the
secret images recovered using the OR and XOR operations. It is clearly
evident that the contrast of the original image is better restored in the
latter.
Figure 5: Illustration of utilizing a visual cryptography scheme to de-identify

fingerprint images.
Grey-level fingerprint images are converted to binary images by using

an empirical threshold value [21]. However, the binarization of
fingerprints did not degrade the overall matching performance because the
distinctive characteristics of a fingerprint, i.e., the topographic relief of its
ridge structure and the presence of certain ridge irregularities termed as
minutiae, have been mostly retained in the reconstructed fingerprint image
(see Figure 6).
176 Chapter Five
Figure 6: Examples of a ሺ૛ǡ ૛ሻ VCS for fingerprint images. Reconstructed

fingerprint images show differences in quality between the OR and XOR
operations.
2.3 Visual Cryptography for Securing Face Images

Decomposing face images using the basic visual cryptography schemes
leads to a degradation in the quality of the decoded images, which makes it
unsuitable for matching process [25], as shown in Figure 7. Along with the
quality concern, using random noise images as sheets may pique the
interest of an eavesdropper by suggesting the existence of secret data.
These issues are mitigated when the sheets are reformulated as face
images [25][21].
(a) (b)
Figure 7: Encryption of a private face image using the basic VCS leads to
unsatisfactory results. (a) is a private face image. (b) is the result of overlaying the
random noise sheets.
Nakajima and Yamaguchi [26] presented a 2-out-of-2 Extended Visual

Cryptography Scheme for natural images. They suggested a theoretical
framework for encoding a natural image in innocuous images. These two

innocuous images are referred to as hosts. This theoretical framework is
known as the Grey-level Extended Visual Cryptography Scheme
(GEVCS). GEVCS operates by changing the dynamic range of the original
and host images, transforming the grey-level images into meaningful
binary images (also known as half-toned images) and then applying a
Boolean operation on the half-toned pixels of the two hosts and the private
image in order to decompose the private into host images.
However, due to variations in face geometry and texture between the
candidate host images and the private face image, the impact of the private
image on the sheet images (i.e., the host images after the encryption) and
vice versa may become perceptible. This can be mitigated if the host
images for a particular private image are carefully chosen. Figure 8 shows
the key steps of utilizing GEVCS scheme to de-identify face images.
178 Chapter Five
Figure 8: Block diagram of the de-identifying faces approach.

Let ܲ ൌ ሼ‫ܪ‬ଵ ǡ ‫ܪ‬ଶ ǡ Ǥ Ǥ Ǥ ǡ ‫ܪ‬ே ሽbe a public dataset containing a set of candidate
host images that can hide the assigned private face image, O. The task is to
select two host images ‫ܪ‬௜ and ‫ܪ‬௝ , ݅ ് j and ݅ǡ ݆ ൌ ͳǡʹǡ Ǥ Ǥ Ǥ ǡ ܰ from ܲ .
Therefore, first, an Active Appearance Model (AAM) [27] that
characterizes the shape and texture of the face is utilized to determine the
similarity between the private face image and candidate host images
(Figure 8). Next, for selecting compatible hosts, the cost of registering
(aligning) each image in the public dataset with the private image is
computed, ܶ௖ . These costs are sorted in order to locate two host images,
‫ܪ‬௦ଵ and ‫ܪ‬௦ଶ , with the minimum registration costs. However, as shown in
[21], utilizing this cost alone is not sufficient. Thus, the texture is used as
an additional criteria and the cost associated with this is denoted as ‫ܣ‬௖ .
Therefore, the final cost ‫ܨ‬௖ , which is associated with each host image, is
the sum of the normalized transformation cost ܶ௖ and the normalized
appearance cost ‫ܣ‬௖ . The simple min-max normalization technique is used
to normalize both costs. After aligning the two selected host images
(‫ܪ‬௦ଵ ǡ ‫ܪ‬௦ଶ ) with the secret image (ܱ), the aligned hosts and the secret
image are cropped to capture only the facial features which have been
located by AAM. Finally, GEVCS is used to hide the secret image,ܱ, in
the two host images ‫ܪ‬௦ଵ and ‫ܪ‬௦ଶ resulting in two sheets denoted as ܵଵ and
ܵଶ , respectively. ܵଵ and ܵଶ are superimposed in order to reveal the secret
private image. The final target image is obtained by the reconstruction
process that reverses the pixel expansion step to obtain the original image
size. Figure 9 shows examples of private face images, their corresponding
sheets and reconstructed images.
Figure 9: Illustration of the proposed approach using face images from the IMM
Database [25].
2.4 Approach Evaluation

Experimental tests [21] on fingerprint images from the NIST Special
Database 4 (NIST-4) [28] confirmed the potential of using visual
cryptography to accord privacy and security to stored fingerprints without
degrading the matching accuracy. Further, a series experiments on two
different face images databases [21] ( XM2VTS [29] and IMM [30]
databases) confirmed the following: (a) the possibility of hiding a private
face image in two unrelated host face images; (b) the successful matching
180 Chapter Five
of face images that are reconstructed by superimposing sheets; (c) the

inability of sheets to reveal the identity of the secret face image, and (e)
that different pairs of host images can be used to encrypt different samples
of the same private face.
Comments on decomposing biometric images
De-identifying biometric images by decomposition has the benefit that the

reconstructed secret during the recognition process is still a biometric
image. Consequently, this approach does not significantly degrade the
overall matching accuracy. At the same time, a commercial fingerprint or
face matcher cannot reliably link an individual to their stored biometrics
images, i.e., sheets [21]. The hypothesis that the private biometric data
cannot be revealed from either of the sheets has been proven theoretically
in [23] and [26] and experimentally in [21].
Figure 10. describes a co-operation between a mobile device and cloud
storage in order to de-identify a face image. During enrolment, after
decomposing the private image into two compatible host images, one of
the sheet images can be stored in the mobile device, while the other sheet
can be stored in the cloud, such that the identity of the user is not revealed
to either system. During the recognition process, the two sheets have to be
retrieved and overlaid (i.e., superimposed) in order to reconstruct the
private image. Maintaining the ownership of one of the sheets (i.e., a part
of the secret) with the user minimizes information leakage and improves
privacy since the user controls the collection, storage and usage of the
biometric information. Moreover, the secret, i.e., the biometric image, can
be reconstructed by a simple binary operation, i.e., an OR-operation.
Therefore, utilizing visual cryptography schemes avoids the design of
complicated decryption and decoding routines unlike classical watermarking
[31][32], steganography [33], or cryptosystem [16] approaches. This
makes VCS an appropriate de-identifying method for mobile devices due
to the simplicity of the decryption process.
Finally, using face images as hosts (as opposed to using random noise
or other natural images) has several benefits in the context of biometric
applications. First, soft biometric attributes of the private face images such
as age, gender, ethnicity, etc. can be retained in the host images thereby
preserving the soft biometric aspects of the face while perturbing its
identity. Alternately, these soft biometric attributes, as manifested in an
individual’s face, can also be deliberately distorted by selecting host
images with opposite attributes as that of the private image. Second, a set
of public face images (e.g., those of celebrities) may be used to host the
private face database. In essence, a small set of public images can be used
to encrypt an entire set of private face images. Third, using non-face
images as hosts may result in visually revealing the existence of a secret
face [26] [21]. Fourth, while decomposing the face image into random
noise structures may be preferable, it can pique the interest of an
eavesdropper by suggesting the existence of secret data. Also,
decomposing into random noise images can degrade the quality of the
reconstructed face images as well as the recognition performance.
Figure 10: Illustration of utilizing Visual Cryptography scheme to de-identify a

face image in a mobile device.
3 Mixing Biometric Images

Mixing fingerprints is an image-level fusion approach that blends
information of two different fingerprints, pertaining to two different
fingers, in order to generate a new fingerprint. In the context of
fingerprints, image-level fusion has been only used to combine multiple
impressions of the same finger [34]. In [35], unlike previous work, two
fingerprint impressions acquired from two different fingers have been
fused into a new fingerprint image resulting in a new identity (see Figure
3). Here, the term “identity” is used to suggest that the mixed fingerprint is
unique and different from other fingerprints [36]. The mixed image
incorporates characteristics from both the original fingerprint images, and
182 Chapter Five
can be used directly by the feature extraction and matching module of an

existing fingerprint recognition system.
3.1 Mixing Fingerprints

To mix two fingerprints, the ridge flow of a fingerprint is represented as a
2D Amplitude and Frequency Modulated (AM-FM) signal [37]:

‫ܫ‬ሺ‫ݔ‬ǡ ‫ݕ‬ሻ ൌ ܽሺ‫ݔ‬ǡ ‫ݕ‬ሻ ൅ ܾሺ‫ݔ‬ǡ ‫ݕ‬ሻܿ‫ݏ݋‬ሺߖሺ‫ݔ‬ǡ ‫ݕ‬ሻሻ ൅ ݊ሺ‫ݔ‬ǡ ‫ݕ‬ሻǡ(2)

where ‫ܫ‬ሺ‫ݔ‬ǡ ‫ݕ‬ሻis the intensity of the original image at ሺ‫ݔ‬ǡ ‫ݕ‬ሻ, ܽሺ‫ݔ‬ǡ ‫ݕ‬ሻis the
intensity offset, ܾሺ‫ݔ‬ǡ ‫ݕ‬ሻis the amplitude, ߖሺ‫ݔ‬ǡ ‫ݕ‬ሻis the phase and ݊ሺ‫ݔ‬ǡ ‫ݕ‬ሻ
is the noise. Based on the Helmholtz Decomposition Theorem [38], the
phase can be uniquely decomposed into the continuous phase and the
spiral phase,ߖሺ‫ݔ‬ǡ ‫ݕ‬ሻ ൌ ߰ܿሺ‫ݔ‬ǡ ‫ݕ‬ሻ ൅ ߰‫ݏ‬ሺ‫ݔ‬ǡ ‫ݕ‬ሻ. Thus, based on this 2D AM-
FM representation [37], the fingerprint’s oriented patterns can be
completely determined by the phase of the modulated signal (i.e., a
fingerprint image) that can be uniquely decomposed into (a) a small
number of topologically distinct discontinuities, i.e., the spiral phase, and
(b) a well-defined smooth flow field, i.e., the continuous phase. The
amplitude of the signal only contributes to the textural appearance of the
fingerprint. Therefore, the first step in fingerprint mixing is reliably
estimating the phases of the component fingerprint images. Then, the

phase of each component fingerprint image is decomposed into a
continuous phase and a spiral phase [38]. As shown in Figure 11, the
continuous phase defines the ridge structure, and the spiral phase
characterizes the minutiae locations. Next, the two phase components
(spiral and continuous) of each fingerprint are aligned to a common
coordinate system [22]. Finally, mixing fingerprints is done by combining
the continuous phase of one fingerprint with the spiral phase of the other
fingerprint (see Figure 12).
(a) A fingerprint image
(b) Continuous phase (c) Spiral phase
Figure 11: Decomposing a fingerprint. The red circles represent some of the
irregularities in the fingerprint, i.e., the minutiae points.
Figure 12: The approach for mixing fingerprints.
184 Chapter Five
3.1.1 Decomposing Fingerprints
Since ridges and minutiae can be completely determined by the phase [37],
we are only interested in ߖሺ‫ݔ‬ǡ ‫ݕ‬ሻ. The other three parameters in Equation
(2) contribute to the realistic textural appearance of the fingerprint. Before
fingerprint decomposition, the phase ߖሺ‫ݔ‬ǡ ‫ݕ‬ሻmust be reliably estimated;
this is termed as demodulation.
In this work, a special demodulation technique was adapted and
referred to as vortex demodulation. The objective of vortex demodulation
[39] is to extract the amplitude ܾሺ‫ݔ‬ǡ ‫ݕ‬ሻ and phase ߖሺ‫ݔ‬ǡ ‫ݕ‬ሻ of the
fingerprint pattern. First, the DC term ܽሺ‫ݔ‬ǡ ‫ݕ‬ሻhas to be removed since the
failure to remove this offset correctly may introduce significant errors in
the demodulated amplitude and phase [39]. To facilitate this, a normalized
fingerprint image, ݂ሺ‫ݔ‬ǡ ‫ݕ‬ሻ, containing the enhanced ridge pattern of the
fingerprint [35] is used. From Equation (2), ݂ሺ‫ݔ‬ǡ ‫ݕ‬ሻ ൌ ‫ܫ‬ሺ‫ݔ‬ǡ ‫ݕ‬ሻ െ
ܽሺ‫ݔ‬ǡ ‫ݕ‬ሻ ؄ ܾሺ‫ݔ‬ǡ ‫ݕ‬ሻ ൫ߖሺ‫ݔ‬ǡ ‫ݕ‬ሻ൯. The vortex demodulation operator V
takes the normalized image ݂ሺ‫ݔ‬ǡ ‫ݕ‬ሻ and applies a spiral phase Fourier
multiplier ݁‫݌ݔ‬ሾ݅ߔሺ‫ݑ‬ǡ ‫ݒ‬ሻሿ:
ࢂሼ݂ሺ‫ݔ‬ǡ ‫ݕ‬ሻሽ ൌ ‫ ܨ‬െଵ ሼ݁‫݌ݔ‬ሾ݅ߔሺ‫ݑ‬ǡ ‫ݒ‬ሻሿǤ ‫ܨ‬ሼܾሺ‫ݔ‬ǡ ‫ݕ‬ሻǤ ܿ‫ݏ݋‬ሾߖሺ‫ݔ‬ǡ ‫ݕ‬ሻሿሽሽ

‫׽‬ൌ െ݅݁‫݌ݔ‬ሾ݅ߚሺ‫ݔ‬ǡ ‫ݕ‬ሻሿǤ ܾሺ‫ݔ‬ǡ ‫ݕ‬ሻǤ ‫݊݅ݏ‬ሾߖሺ‫ݔ‬ǡ ‫ݕ‬ሻሿ (3)
where, ‫ ܨ‬is the Fourier transform, ‫ ܨ‬െଵ is the inverse Fourier transform and
݁‫݌ݔ‬ሾ݅ߔሺ‫ݑ‬ǡ ‫ݒ‬ሻሿis a 2-D signum function [39] defined as a pure spiral phase
function in the spatial frequency space ሺ‫ݑ‬ǡ ‫ݒ‬ሻ:
௨ା௜௩
ሾ݅ߔሺ‫ݑ‬ǡ ‫ݒ‬ሻሿ ൌ Ǥ (4)
ඥ௨మ ା௩ మ
Note that in Equation (3) there is a new parameter, ߚሺ‫ݔ‬ǡ ‫ݕ‬ሻ, representing
the perpendicular direction of the ridges. In Equation (5), this directional
map is used to isolate the desired magnitude and phase from Equation (3),
i.e.,
െ݁‫݌ݔ‬ሾെ݅ߚሺ‫ݔ‬ǡ ‫ݕ‬ሻሿǤ ࢂሼ݂ሺ‫ݔ‬ǡ ‫ݕ‬ሻሽ ൌ ܾ݅ሺ‫ݔ‬ǡ ‫ݕ‬ሻǤ ‫݊݅ݏ‬ሾߖሺ‫ݔ‬ǡ ‫ݕ‬ሻሿ. (5)
Then, Equation (5) can be combined with the normalized image, ݂ሺ‫ݔ‬ǡ ‫ݕ‬ሻ,
to obtain the magnitude ܾሺ‫ݔ‬ǡ ‫ݕ‬ሻand the raw phase map ߖሺ‫ݔ‬ǡ ‫ݕ‬ሻas follows:
െ݁‫݌ݔ‬ሾെ݅ߚሺ‫ݔ‬ǡ ‫ݕ‬ሻሿǤ ࢂሼ݂ሺ‫ݔ‬ǡ ‫ݕ‬ሻሽ ൅ ݂ሺ‫ݔ‬ǡ ‫ݕ‬ሻ ൌ

ܾሺ‫ݔ‬ǡ ‫ݕ‬ሻǤ ሺ݅ߖሺ‫ݔ‬ǡ ‫ݕ‬ሻሻǤ (6)
Therefore, determining ߚሺ‫ݔ‬ǡ ‫ݕ‬ሻis essential for obtaining the amplitude and
phase functions, ܾሺ‫ݔ‬ǡ ‫ݕ‬ሻ and ߖሺ‫ݔ‬ǡ ‫ݕ‬ሻ , respectively. The direction map
ߚሺ‫ݔ‬ǡ ‫ݕ‬ሻcan be derived from the orientation image of the fingerprint by a
process called unwrapping.
In [36], a sophisticated unwrapping technique using the topological
properties of the ridge flow fields of fingerprints has been developed to
estimate the direction map ߚሺ‫ݔ‬ǡ ‫ݕ‬ሻ. Finally, the Helmholtz Decomposition
Theorem [38] is used to decompose the determined phase ߖሺ‫ݔ‬ǡ ‫ݕ‬ሻof a
fingerprint image into two phases, continuous and spiral, as shown in
Figure 11 [22].
3.1.2 Fingerprint Alignment
To mix two different fingerprints after decomposing each fingerprint into

its continuous component ሺ߰௖ ሺ‫ݔ‬ǡ ‫ݕ‬ሻሻ and spiral component
ܿ‫ݏ݋‬ሺ߰௦ ሺ‫ݔ‬ǡ ‫ݕ‬ሻሻ , the fingerprints themselves should be appropriately
aligned. In [36], the components have been pre-aligned to a common
coordinate system prior to the mixing step by utilizing a reference point
and an alignment line. The reference point is used to centre the
components. The alignment line is used to find a rotation angle about the
reference point. This angle rotates the alignment line to make it vertical.
The two phase components of each fingerprint are rotated by the same
angle.
3.1.3 Mixing
Let ‫ܨ‬ଵ and ‫ܨ‬ଶ be two different fingerprint images from different fingers,
and let ߰௖௜ ሺ‫ݔ‬ǡ ‫ݕ‬ሻand ߰௦௜ ሺ‫ݔ‬ǡ ‫ݕ‬ሻbe the pre-aligned continuous and spiral
phases, ݅ ൌ ͳǡʹ. As shown in Figure 12, there are two different mixed
fingerprint image that can be generated, ‫ܨܯ‬ଵ and ‫ܨܯ‬ଶ :
‫ܨܯ‬ଵ ൌ ܿ‫ݏ݋‬ሺ߰௖ଶ ൅ ߰௦ଵ ሻǡ ሺ͹ሻ

‫ܨܯ‬ଶ ൌ ܿ‫ݏ݋‬ሺ߰௖ଵ ൅ ߰௦ଶ ሻǤ

The continuous phase of ‫ܨ‬ଶ ሺ‫ܨ‬ଵ ሻ is combined with the spiral phase of
‫ܨ‬ଵ ሺ‫ܨ‬ଶ ሻ which generates a new fused fingerprint image ‫ܨܯ‬ଵ ሺ‫ܨܯ‬ଶ ሻ. In
other words, the resultant images are new fingerprints that are loosely
based on the ridge structure of one fingerprint and minutiae locations of
the other one.
186 Chapter Five
However, variations in the orientations and frequencies of ridges

between fingerprint images can result in visually unrealistic mixed
fingerprint images. This issue can be mitigated if the two fingerprints to be
mixed are carefully chosen using a compatibility measure. In [22], the
authors suggested a compatibility measure between fingerprints that was
computed using non-minutiae features, viz., orientation fields and
frequency maps of fingerprint ridges. To compute the compatibility
between two fingerprint images, their orientation fields and frequency
maps are first estimated [40]. Then, the compatibility measure ‫ ܥ‬between
them is computed as the weighted sum of the normalized orientations and
frequency differences, ܱ‫ ܦ‬and ‫ܦܨ‬, respectively:
‫ ܥ‬ൌ ͳ െ ሺߙǤ ܱ‫ ܦ‬൅ ߛǤ ‫ܦܨ‬ሻǡ (8)

where ߙ and ߛ are weights that are determined empirically. Perfect
compatibility (‫ ܥ‬ൌ ͳ) is likely to occur when the two prints to be mixed
are from the same finger - a scenario that is not applicable in this case.
Alternatively, two fingerprints having significantly different ridge
structures are unlikely to be compatible (‫ ܥ‬ൌ Ͳ) and will generate an
unrealistic looking fingerprint. Between these two extremes, lies a range of
possible compatible values that is acceptable. However, determining this
range automatically may be difficult. Figure 13 shows examples of mixed
fingerprints after utilizing the compatibility measure to systematically

select the fingerprints pairs, ሺ‫ܨ‬ଵ ǡ ‫ܨ‬ଶ ሻ.
Figure 13: Examples of mixed fingerprints.

3.2 Approach Evaluation

The performance of the mixing fingerprints approach was tested on two
different datasets. The first dataset was taken from the West Virginia
University (WVU) multimodal biometric database [41]. A subset of 1000
images corresponding to 500 fingers (two impressions per finger) was
used. The second dataset was taken from the FVC2002-DB2_A fingerprint
database containing 100 fingers with 2 impressions per finger (a total of
200 fingerprints). In order to establish the baseline performance, for each
finger in each dataset, one impression was used as a probe image and the
other impression was added to the gallery. This resulted in a rank-1
accuracy of ‫ ׽‬99% for the WVU dataset and ‫ ׽‬100% for the FVC2002
dataset. The EERs for these two datasets were 0.5% and 0.2%,
respectively.
The purpose of the experiments described below was to investigate if
the mixing fingerprint approach can be used to obscure the information
present in a component fingerprint image while still being used for
recognition. Therefore, the matching performance of mixing fingerprints
from FVC 2002-DB2_A with those in the WVU dataset was reported. For
each fingerprint in FVC 2002-DB2_A noted by F1, its compatibility
measure with each fingerprint in the WVU dataset (1000 images of 500
subjects) was computed using Equation (8) with ߙ ൌ ͲǤ͸ and ߛ ൌ ͲǤͶ.
Based on the computed compatibility measures, the spiral component of

F1 was combined with the continuous component of the most compatible
fingerprint image F2 in the WVU dataset, resulting in the mixed fingerprint
MF1. Because there are 2 impressions per finger in FVC2002-DB2_A, the
mixing process resulted in 2 impressions per mixed finger. One of these
mixed impressions was used as a probe image and the other impression
was added to the gallery set. The obtained rank-1 accuracy was ‫ ׽‬83% and
the EER was ‫ ׽‬7%. This indicates the possibility of matching mixed
fingerprints.
With regards to de-identification, the following key issues are raised
[12][15][42][10][20][11]:
1. Changeability: Do the original fingerprint and the mixed fingerprint

correlate? It is essential to assure that fingerprint mixing thwarts identity
linking, by preventing the possibility of successfully matching the original
print with the mixed print.
2. Non-invertibility: Can an adversary recover the original fingerprint
from a compromised mixed fingerprint? It must be computationally
188 Chapter Five
infeasible to obtain the original fingerprint features, i.e., the locations and
orientations of fingerprint minutia from the mixed fingerprint.
3. Cancelability: Does mixing result in cancellable templates? In case
a stored fingerprint is compromised, it must be possible to generate a new
mixed fingerprint by mixing the original with a new fingerprint. The new
mixed fingerprint and the compromised mixed image must be sufficiently
different, even though they are derived from the same finger. Another way
of looking at this is as follows: if two different fingerprints, ‫ܨ‬ଵ and ‫ܨ‬ଶ , are
mixed with the same fingerprint ‫ܨ‬௠ , are the resulting mixed fingerprints,
‫ܨܯ‬ଵ and ‫ܨܯ‬ଶ , similar? From the perspective of security, they should not
be similar.
Therefore, the following experiments were designed to report the security

strength and usability of the approach for generating cancellable
fingerprints.
3.2.1 Studying the Changeability Property
In this experiment, the possibility of exposing the identity of the

FVC2002-DB2_A fingerprint image by using the mixed fingerprint
images was investigated. The mixed fingerprints ‫ܨܯ‬ଵ (2 impressions per
finger) were matched against the original images in the FVC2002-DB2_A
database. The resultant rank-1 accuracy was less than 30% (and the EER
was more than 30%) suggesting that the original identity cannot be easily
deduced from the mixed image. Moreover, to confirm that the
changeability property of the mixing fingerprint approach is independent
of the nature of the used matcher, the mixed fingerprints were matched
against the original fingerprint based on only the locations of minutiae and
omitting the orientation features. The EER in this case increased from 30%
to 40% and the rank-1 accuracy decreased from 30% to 12%. This
suggests that the mixed and the original fingerprints are sufficiently
dissimilar even if only minutiae information is used.
3.2.2 Studying the Non-invertibility Property
In this experiment, the vulnerability of the approach to brute-force attacks

was assessed with respect to non-invertibility [15]. In this regard, the
probability of successfully reconstructing the original fingerprint ‫ܨ‬ଵ from
the mixed fingerprint ‫ܨܯ‬ଵ was estimated. Based on Equation (7), if an
attacker were to access a mixed fingerprint ‫ܨܯ‬ଵ (with the knowledge that
it is a mixed fingerprint) and ‫ܨ‬ଶ , and then deduce ‫ܨܯ‬ଵ ’s phase, then the
minutia locations of the original fingerprint ‫ܨ‬ଵ , characterized by the spiral

component, can be compromised. Although several researchers have
shown that the original fingerprint image can be reconstructed from a
fingerprint’s minutiae consisting of their locations and orientations
[43][44][45][46], there is no published work that discusses the possibility
to reconstruct the original fingerprint image only from the minutiae
locations. Therefore, the attacker must assume the orientation of each
minutia to be able to reconstruct the original fingerprint. Hence, if ‫ ݔ‬is the
tolerance determining the acceptable deviation from the original
orientation, the probability of assuming the correct orientation for a given
minutiae is
௫
‫݌‬ఏ ൌ Ǥ (9)
ଵ଼଴ι
Consequently, the probability of successfully generating n or more

minutiae which are the same as in the original fingerprint is
ே ௞
ܲ ൌ σே
௞ୀ௡ ൫ ௞ ൯‫݌‬ఏ ሺͳ െ ‫ ߠ݌‬ሻ
ேെ௞
, (10)
where ܰ is the total number of minutiae in a fingerprint, and ݊ is the

minimum number of minutiae required for authentication. In [22], the
computed probabilities of successfully compromising the original

fingerprints were less than ͳͲିଵଵ indicating that it is difficult to regenerate
the original fingerprint from the mixed fingerprint.
3.2.3 Studying the Cancellability Property
The purpose of this experiment was to investigate if it is possible to cancel

a compromised mixed fingerprint and generate a new mixed fingerprint by
mixing the original fingerprint with a new fingerprint. To study this, the
two impressions of a single fingerprint in the FVC2002-DB2_A database
were selected. Next, this fingerprint was mixed with each of the 500
fingers in the WVU dataset. This resulted in 500 mixed fingerprints with 2
impressions per mixed finger. One impression was added to the probe set
and the other was added to the gallery set. Then, each image in the probe
set was compared against all images in the gallery set in order to
determine a match. A match is deemed to be correct (i.e., the probe is
correctly identified) if the probe image and the matched gallery image are
from the same mixed finger. In the resulting experiments, the rank-1
identification accuracy obtained was 85% and the EER was 7%. The
190 Chapter Five
reasonably high identification rate suggests that the 500 mixed fingerprints
are different from each other. This means, the fingerprint from the
FVC2002-DB2_A database was successfully “cancelled” and converted
into a new “identity" based on the choice of the fingerprint selected from
the WVU database for mixing.
Comments on mixing biometric images
The process of mixing generates a new biometric image by fusing multiple

biometric images pertaining to a single or different individuals. The
generated image can be considered as a digital representation of a joint
identity (i.e., a virtual identity) that inherits its uniqueness from two
different individuals [36]. In this chapter, we discussed the possibility of
transforming a fingerprint image into a revocable (i.e., changeable)
template that imparts privacy.
In [22], the reasonably good recognition rates of mixed fingerprints
indicated the potential of the scheme. But these results are still lower than
the baseline performance; therefore, ways to further improve the rank-1
accuracy of mixed fingerprints has to be examined. This can be done by
exploring other approaches to mixing signals.
4 Summary and Future Work

Preserving the privacy of biometric data is of paramount importance as a

compromised biometric cannot be easily revoked. In this chapter, we first
briefly reviewed approaches that have been published in the literature for
de-identifying biometric data. These approaches can be classified into de-
identifying images and de-identifying feature sets. We observed that few
researchers have addressed the challenge of de-identifying biometrics at
the image-level, even though de-identifying images has several benefits. In
this chapter, we discussed two approaches to de-identify biometric data at
the image-level: decomposition and mixing. Table 1 provides a high-level
summary of discussed approaches for de-identifying biometric images by
comparing and contrasting their key properties, factors, and open
problems.
We conclude this chapter by suggesting possible ways in which the
research presented here may be expanded.
x Further work is required to investigate the possibility of de-

identifying other biometric modalities such as irises. In [21], the
visual cryptography technique was utilized to decompose iris
codes; so this falls under the category of de-identifying feature sets.

But basic visual cryptography schemes are not appropriate for iris
images since the binarisation step will deteriorate the iris texture.
So, the same technique that was developed to decompose face
images (GEVCS) can be used to decompose an iris image into two
sheets. However, further work is required to determine a
compatibility measure between iris textures.
x The performances of mixing fingerprints can be enhanced and
improved by exploring alternate algorithms for pre-aligning the
images.
x Assessing the viability of de-identifying biometric images by
combining different biometric traits of individuals is necessary. For
instance, the iris and fingerprint of an individual can be mixed in
order to protect the privacy of individual traits in a multi-biometric
framework.
Table 1: A high-level comparison of different approaches to de-

identify biometric images.
Non-invertible
transformations Decomposition [21] Mixing [22]
[4][5][6]
Decomposition into Mixing with another

Key Geometrical
two different biometric image
property transformation
images “Key"
Stored
Transformed image Two sheets Mixed image
entities
Cancellable Transformation
Host images Key image
factors parameters
Decomposing and pre-
Open Determining non- Securing distributed
aligning images to
issues invertible functions database
common coordinates
References
[1] E. Mordini and S. Massari, “Body, biometrics and identity,” Bioethics,
vol. 22, no. 9, pp. 488–498, 2008.
[2] A. Acquisti, R. Gross, and F. Stutzman, “Faces of facebook: Privacy in
the age of augmented reality,” BlackHat USA, 2011.
192 Chapter Five
[3] N.K. Ratha, J.H. Connell, and R.M. Bolle, “Enhancing security and
privacy in biometricsbased authentication systems,” IBM Systems
Journal, vol. 40, no. 3, pp. 614–634, 2001.
[4] J. Zuo, N.K. Ratha, and J.H. Connell, “Cancelable iris biometric,” in
IEEE 19th International
Conference on Pattern Recognition (ICPR), 2008, pp. 1–4.
[5] J. Hämmerle-Uhl, E. Pschernig, and A. Uhl, “Cancelable iris
biometrics using block remapping and image warping,” in Proceedings
of the 12th International Conference on Information Security, Berlin,
Heidelberg, 2009, ISC ’09, pp. 135–142, Springer-Verlag.
[6] P. Färberböck, J. Hämmerle-Uhl, D. Kaaser, E. Pschernig, and A. Uhl,
“Transforming rectangular and polar iris images to enable cancelable
biometrics,” in Image Analysis and Recognition, pp. 276–286.
Springer, 2010.
[7] E.M. Newton, L. Sweeney, and B. Malin, “Preserving privacy by de-
identifying face images,” IEEE Transactions on Knowledge and Data
Engineering, vol. 17, pp. 232–243, 2005.
[8] R. Gross, L. Sweeney, F. De la Torre, and S. Baker, “Model-based face
de-identification,” in Computer Vision and Pattern Recognition
Workshop (CVPRW’06), Los Alamitos, CA, USA, 2006, pp. 161–168,
IEEE Computer Society.
[9] D. Bitouk, N. Kumar, S. Dhillon, P. Belhumeur, and S.K. Nayar, “Face
swapping: automatically replacing faces in photographs,” ACM

Transactions on Graphics, vol. 27, no. 3, pp. 1–8, 2008.
[10] A.K. Jain, K. Nandakumar, and A. Nagar, “Biometric template
security,” EURASIP Journal on Advances in Signal Processing, vol.
2008, pp. 1–17, 2008.
[11] C. Rathgeb and A. Uhl, “A survey on biometric cryptosystems and
cancelable biometrics,” EURASIP Journal on Information Security, no.
1, pp. 1–25, 2011.
[12] N.K. Ratha, S. Chikkerur, J.H. Connell, and R.M. Bolle, “Generating
cancelable fingerprint templates,” IEEE Transactions on Pattern
Analysis and Machine Intelligence, pp. 561–572, 2007.
[13] M. Savvides, B.V.K.V. Kumar, and PK Khosla, “Cancelable
biometric filters for face recognition,” in Proceedings of IEEE
International Conference Pattern Recognition (ICPR), 2004, vol. 3, pp.
922–925.
[14] A. BJ Teoh, A. Goh, and D. CL Ngo, “Random multispace
random identity inputs,” IEEE Transactions on Pattern Analysis and
Machine Intelligence, vol. 28, no. 12, pp. 1892–1901, 2006.
[15] C. Lee, J.Y. Choi, K.A. Toh, and S. Lee, “Alignment-free cancelable
fingerprint templates based on local minutiae information,” IEEE
Transactions on Systems, Man, and Cybernetics, Part B: Cybernetics,
vol. 37, no. 4, pp. 980–992, 2007.
[16] U. Uludag, S. Pankanti, S. Prabhakar, and A.K. Jain, “Biometric
cryptosystems: issues and challenges,” Proceedings of the IEEE, vol.
92, no. 6, pp. 948–960, 2004.
[17] K. Nandakumar, A. Nagar, and A.K. Jain, “Hardening fingerprint
fuzzy vault using password,” in Advances in biometrics, pp. 927–937.
Springer, 2007.
[18] YC Feng, P.C. Yuen, and A.K. Jain, “A hybrid approach for face
template protection,” in Proc. of SPIE Conference of Biometric
Technology for Human Identification, Orlando, FL, USA, 2008, vol.
6944.
[19] Walter J Scheirer and Terrance E Boult, “Cracking fuzzy vaults and
biometric encryption,” in Biometrics Symposium, 2007. IEEE, 2007,
pp. 1–6.
[20] A. Nagar, K. Nandakumar, and A.K. Jain, “Biometric template
transformation: a security analysis,” in Proc. of SPIE, Electronic
Imaging, Media Forensics and Security XII, San Jose, Jan. 2010.
[21] A. Ross and A. Othman, “Visual cryptography for biometric privacy,”
IEEE Transactions on
Information Forensics and Security, vol. 6, no. 1, pp. 70–81, 2011.

[22] A. Othman and A. Ross, “On mixing fingerprints,” IEEE
Transactions on Information Forensics and Security, vol. 8, no. 1, pp.
260–267, January 2013.
[23] M. Naor and A. Shamir, “Visual cryptography,” in Advances in
Cryptology—EUROCRYPT’94, Alfredo Santis, Ed. Springer, 1995,
vol. 950 of Lecture Notes in Computer Science, pp. 1–12.
[24] D. Jin, W. Yan, and M.S. Kankanhalli, “Progressive color visual
cryptography,” Journal of Electronic Imaging, vol. 14, no. 3, pp. 19–
33, 2005.
[25] A. Ross and A. Othman, “Visual cryptography for face privacy,” in
Proc. SPIE, 2010, vol. 7667, pp. 76670B–76670B–13.
[26] M. Nakajima and Y. Yamaguchi, “Extended visual cryptography for
natural images,” Journal of Winter School of Computer Graphics, vol.
10, no. 2, pp. 303–310, 2002.
[27] T.F. Cootes, G.J. Edwards, and C.J. Taylor, “Active appearance
models,” IEEE Transactions on Pattern Analysis and Machine
Intelligence, vol. 23, no. 6, pp. 681–685, 2001.
194 Chapter Five
[28] C.I. Watson and C.L. Wilson, “Nist special database 4,” Fingerprint
Database, National Institute of Standards and Technology, vol. 17,
1992.
[29] K. Messer, J. Matas, J. Kittler, J. Luettin, and G. Maitre,
“XM2VTSDB: The extended M2VTS database,” in Second
International Conference on Audio and Video-based Biometric Person
Authentication, 1999, pp. 965–966.
[30] M. B. Stegmann, B. K. Ersbøll, and R. Larsen, “FAME – a flexible
appearance modelling environment,” IEEE Transactions on Medical
Imaging, vol. 22, no. 10, pp. 1319–1331, 2003.
[31] A.K. Jain and U. Uludag, “Hiding biometric data,” IEEE Transactions
on Pattern Analysis and Machine Intelligence, vol. 25, pp. 1494–1498,
2003.
[32] J. Dong and T. Tan, “Effects of watermarking on iris recognition
performance,” in 10th International Conference on Control, Automation,
Robotics and Vision, 2008, pp. 1156–1161.
[33] N. Agrawal and M. Savvides, “Biometric data hiding: A 3 factor
authentication approach to verify identity with a single image using
steganography, encryption and matching,” Computer Vision and
Pattern Recognition Workshop, pp. 85–92, 2009.
[34] D. Maltoni, D. Maio, A.K. Jain, and S. Prabhakar, Handbook of
fingerprint recognition,
Springer-Verlag New York Inc, 2009.

[35] A. Ross and A. Othman, “Mixing fingerprints for template security
and privacy,” in Proc. of the 19th European Signal Processing
Conference (EUSIPCO), 2011.
[36] A. Othman and A. Ross, “Mixing fingerprints for generating virtual
identities,” in Proceedings of IEEE International Workshop on
Information Forensics and Security (WIFS), 2011, pp. 1–6.
[37] K.G. Larkin and P.A. Fletcher, “A coherent framework for fingerprint
analysis: are fingerprints holograms?,” Optics Express, vol. 15, no. 14,
pp. 8667–8677, 2007.
[38] D.C. Ghiglia and M.D. Pritt, Two-dimensional phase unwrapping:
theory, algorithms, and software, Wiley New York, 1998.
[39] K.G. Larkin, D.J. Bone, and M.A. Oldfield, “Natural demodulation of
two-dimensional fringe patterns. I. General background of the spiral
phase quadrature transform,” J. Opt. Soc. Am. A, vol. 18, no. 8, pp.
1862–1870, 2001.
[40] L. Hong, Y. Wan, and A. Jain, “Fingerprint image enhancement:
algorithm and performance evaluation,” IEEE Transactions on Pattern
Analysis and Machine Intelligence, vol. 20, no. 8, pp. 777 –789, Aug.
1998.
[41] S. Crihalmeanu, A. Ross, S. Schuckers, and L. Hornak, “A protocol
for multibiometric data acquisition, storage and dissemination,” Tech.
Rep., Lane Department of Computer Science and Electrical
Engineering, WVU, 2007.
[42] S. Chikkerur, NK Ratha, JH Connell, and RM Bolle, “Generating
registration-free cancelable fingerprint templates,” in 2nd IEEE
International Conference on Biometrics: Theory, Applications and
Systems, 2008, pp. 1–6.
[43] R. Cappelli, A. Lumini, D. Maio, and D. Maltoni, “Fingerprint image
reconstruction from standard templates,” IEEE Transactions on Pattern
Analysis and Machine Intelligence, vol. 29, no. 9, pp. 1489 –1503,
sept. 2007.
[44] A. Ross, J. Shah, and A.K. Jain, “From template to image:
reconstructing fingerprints from minutiae points,” IEEE Transactions
on Pattern Analysis and Machine Intelligence, vol. 29, no. 4, pp. 544–
560, 2007.
[45] J. Feng and A.K. Jain, “Fingerprint reconstruction: From minutiae to
phase,” IEEE Transactions on Pattern Analysis and Machine
Intelligence, vol. 33, no. 2, pp. 209 –223, Feb. 2011.
[46] S. Li and A.C. Kot, “A novel system for fingerprint privacy
protection,” in 7th International Conference on Information Assurance

and Security (IAS), dec. 2011, pp. 262 –266.
[47] R. Goldstein, H. Zebker, and C. Werner, “Satellite radar
interferometry- Two-dimensional phase unwrapping,” Radio Science,
vol. 23, no. 4, pp. 713–720, 1988.
PART 3.
BIOMETRIC SYSTEM ANALYSIS

CHAPTER SIX
BIOPACE: BIOMETRIC-PROTECTED
AUTHENTICATION CONNECTION
ESTABLISHMENT
NICOLAS BUCHMANN,* CHRISTIAN RATHGEB,*

ROEL PEETERS,† HARALD BAIER*
AND CHRISTOPH BUSCH*
*
DA/SEC BIOMETRICS AND INTERNET SECURITY RESEARCH
GROUP HOCHSCHULE DARMSTADT, DARMSTADT, GERMANY
FIRSTNAME.LASTNAME@H-DA.DE
†
KU LEUVEN, ESAT/COSIC & IMINDS, BELGIUM
FIRSTNAME.LASTNAME@ESAT.KULEUVEN.BE
Abstract
This book chapter is intended to introduce Biometric-Protected
Authentication Connection Establishment (BioPACE) protocol. Based on
a comprehensive overview of eMRTD protocols and a description of the
major benefits of biometric template protection technologies the potential
of the proposed BioPACE protocol is highlighted. The operation mode of
the protocol is described in detail, the integration of biometric information
is investigated and a security assessment of the protocol is given. Further,
an in-depth discussion of resulting issues and challenges is presented and
conclusions are drawn.
1 Introduction
The regulations of the European Union (EU) Council in 2004 form the
basis for the deployment of electronic passports within the EU [21, 22].
Since then EU member states adopt the format and the access protocols to
BioPACE 199
electronic machine readable travel documents (eMRTD) like national

electronic ID cards and electronic residence permits, respectively.
Currently issued ePassports feature an embedded radio frequency chip
which contains sensitive biometric data, typically the ePassport holder's
facial image and fingerprints of two index fingers [28]. The electronic
storage and wireless communication channel lead to several risks which
have to be addressed with appropriate security protocols. Access control
mechanisms protect the privacy of the ePassport holder's fingerprints, i.e.
only trusted parties may access them and confidentiality of the transferred
data is achieved by encrypting all communication between the travel
document's chip and the inspection system. Further security protocols
ensure authenticity and integrity of all data read from the chip, as well as
the chip's originality.
Security protocols used in the eMRTD domain follow the paradigm
of strong cohesion and loose coupling, i.e., each protocol fulfills a very
specific security goal and the security protocols hardly depend on each
other, if there is a dependency at all. This paradigm is well established in
the software engineering community [30, 35]. Due to this, principle
chip equipped cards (e.g., electronic ID cards) with similar security
goals can utilize a subset of the ePassports' security protocols and
replace an ePassport protocol by a new one where appropriate. This does
not only create a benefit for the electronic ID cards, but instead a mutual
gain, because if an improved security protocol is favoured in the

electronic ID card domain it might replace the ePassport counterpart in
the long run. This is currently the case for the Password Authenticated
Connection Establishment (PACE, [9]), which is expected to replace the
Basic Access Control (BAC) protocol by the PACE-based Supplemental
Access Control (SAC) in 2018 [29].
The BioPACE protocol was recently introduced to replace the
knowledge-based shared secret of PACE by a biometric-based secret
[20, 11]. This protocol represents the centre of our discussion, where the
goal of this book chapter is twofold:
1. We evaluate the BioPACE protocol and perform a security

assessment. We highlight design decisions which strengthen the
protocol against common attacks and
2. We discuss state-of-the-art biometric template protection schemes as
well as the entropy provided by different biometric characteristics
which are most suitable to integrate BioPACE into the eMRTD
domain.
200 Chapter Six
We sketch the idea of replacing the expensive Extended Access Control

(EAC) protocols and their related Country Verifying Public Key
Infrastructure (CV PKI) by BioPACE. An initial evaluation reveals that
BioPACE has the potential to serve as replacement, if some of the
conveniences of the EAC are dispensable (e.g., fine-grained authorisation
levels to different data groups).
The remainder of this chapter is organised as follows: Section 2
describes the eMRTD security protocols and their security goals, which
are relevant for the subsequent discussion of BioPACE. Fundamentals of
biometric template protection and state-of-the-art schemes are discussed in
Section 3. Section 4 is about the PACE protocol, which represents the
basis building block for the BioPACE protocol. In Section 5 the concept
and underlying idea of BioPACE is introduced. The security assessment of
BioPACE is presented in Section 6. Entropy of different biometric
characteristics is the focus of Section 7. Section 8 presents a future
perspective to replace EAC with BioPACE, and discusses the expediency
of BioPACE in the eMRTD domain. In Section 9 conclusions are drawn
and the achievements of BioPACE are summarised.
2 eMRTD Protocols and their Security Goals

Each eMRTD security protocol fulfills a very specific security goal, as
summarised in Table 1. The protocols are either specified by the

International Civil Aviation Organisation (ICAO) [28], or the German
Federal Office for Information Security (BSI) [9], and are well described
in [41].
Passive Authentication is the only protocol, which is specified as
mandatory by the ICAO [28]. It provides authenticity and integrity of the
data stored on the chip. Therefore a cryptographic hash is calculated for
every data group stored on the chip, and this hash list is electronically
signed by the eMRTD issuer with a digital signature. The hash list and the
digital signature are stored on the chip in a special file termed Document
Security Object, which can be read by the terminal, after performing
BAC/PACE, in order to validate the authenticity and integrity of the read
data groups, by verifying the digital signature. Passive Authentication
depends on the so-called Signing PKI.
Basic Access Control (BAC) provides protection against unauthorised
access to the data stored on the chip [28]. Unauthorised means access to
the data without the eMRTD owner handing over the document. To get
access to the chip, the terminal needs optical access to the data page in
order to read the Machine.
BioPA
ACE 201
Table 1: eM
MRTD securitty protocols and
a their secu
urity goals
Readable Zoone (MRZ). The T terminal authenticates itself to the chip c with
the data readd from the MR RZ, and both entities
e agree on session keys during
BAC to estaablish a securre channel wh hich providess authenticity, integrity
and confideentiality of the t transferreed data by m means of the Secure
Messaging ssub-protocol.
To proteect the sensittive data grou ups, which coontain biomeetric data,
BAC alone is not sufficiient. Thereforre Extended A Access Contro ol (EAC)
protects datta group 3 (DG3), which contains tthe fingerprin nts. EAC
consists of Terminal Auuthentication and a Chip Aut uthentication [9].
[ After
performing E EAC the term minal can read the fingerprinnts, capture a biometric
b
sample fromm the eMRTD D holder, and compare

c the bbiometric dataa to check
if the curreent eMRTD holderh is the legitimate ow wner, i.e. thee linkage
security goaal is achieved.
To preveent chip cloning, two protocols exist inn the eMRTD D domain.
Active Authhentication (A AA) specified d by the ICAO O [28] and as a part of
EAC Chip A Authenticationn (CA) speciffied by the B BSI [9]. Both protocols
prove the aauthenticity of o the chip (originality)
( tto the termin nal. AA
achieves this goal with a challenge-resp ponse protocool and CA estaablishes a
strong securre channel baased on the Diffie-Hellmann protocol to implicitly
i
prove the orriginality of thhe chip.
Terminaal Authenticattion (TA) is part of EAC and is a pro otocol by
which a terrminal can prrove to a chiip its access right to the sensitive
biometric ddata [9]. Thhe chip forcces every teerminal to prove p its
authorizationn to DG3 beefore granting g access to thhe fingerprintts. TA is
based on a PPKI for terminnals called the Country Veriifying PKI.
202 Chapter Six
3 Fundamentals of Biometric Template Protection

The industry has long claimed that one of the primary benefits of
biometric templates is that original biometric signals acquired to enrol a
data subject cannot be reconstructed from stored reference data
(templates). Several studies, e.g. [14, 50], have proven this claim wrong.
Since most biometric characteristics are largely immutable, a compromise
of raw biometric data or biometric templates might result in a situation that
a subject's biometric characteristics are essentially burned and not usable
any longer from the security perspective. Biometric template protection
technologies offer significant advantages to enhance the privacy and
security of biometric systems, providing reliable biometric authentication
at a high security level.
3.1 Categorization
Biometric template protection schemes are commonly categorized as,
1. Biometric cryptosystems, also referred to as helper data-based

schemes.
2. Cancelable biometrics, also referred to as feature transformation.
Biometric cryptosystems are designed to securely bind a digital key to a

biometric or generate a digital key from a biometric [15], offering
solutions to biometric-dependent key-release (Biocryptographic Key
Infrastructure [53]) and biometric template protection [16, 36]. Cancelable
biometrics consist of intentional, repeatable distortions of biometric
representations (i.e., templates) based on transforms which provide a
comparison of biometric templates in the transformed domain [46]. In
accordance with the ISO/IEC IS 24745 [31], technologies of biometric
template protection are designed to meet two major requirements:
1. Irreversibility, i.e., it should be computationally hard to reconstruct

the original biometric template from the stored reference data
(protected template), while it should be easy to generate the
protected biometric template;
2. Unlinkability, i.e., different versions of protected biometric
templates can be generated based on the same biometric data
(renewability), while protected templates should not allow cross-
matching (diversity).
BioPACE 203
Schematic illustrations of both properties are shown in Figure 1(a) and

Figure 1(b).
Figure 1: Template protection: security properties required by ISO/IEC IS 24745.

3.2 Advantages
Biometric cryptosystems and cancelable biometrics offer several
advantages over generic biometric systems. Most important advantages are
summarized in table 2. These major advantages over conventional
biometric systems call for several applications. With respect to the design
goals, biometric cryptosystems and cancelable biometrics offer significant
advantages to enhance the privacy and security of biometric systems,
providing reliable biometric authentication at high security levels. Several
new issues and challenges arise deploying these technologies [16].
204 Chapter Six
Table 2: Major advantages of technologies of biometric template

protection.
3.3 Issues
One fundamental challenge, regarding template protection, represents the
issue of alignment, which significantly effects recognition performance.
Biometric templates are obscured within both technologies, i.e. alignment
of obscured templates without leakage is highly non-trivial. For instance,
if iris biometric textures or templates (iris-codes) are transformed in a non-
row-wise manner, e.g. block permutation of preprocessed textures or a
permutation of iris-code bits. Consequentially, additional information,
which must not lead to template reconstruction, has to be stored [49].
Focusing on biometric template protection technologies it is not
actually clear which biometric characteristics to apply in which type of
application. In addition, stability of biometric features is required to limit
information leakage of stored helper data [55]. In addition, feature
adaptation schemes that preserve accuracy have to be utilized in order to
obtain common representations of arbitrary biometric characteristics.
Several approaches to extract fixed-length binary fingerprint templates
have been proposed, e.g. [8, 67].
BioPACE 205
As a variety of different approaches to biometric cryptosystems and

cancelable biometrics has been proposed a large number of pseudonyms
and acronyms have been dispersed across literature such that attempts to
represent biometric template protection schemes in unified architectures
have been made [6]. Standardization on biometric template protection has
been achieved in the ISO/IEC IS 24745 [31], providing guidance on the
protection of an individual's privacy during the processing of biometric
information.
3.4 State-of-the-art
Focusing on the current state-of-the-art in biometric template protection
key approaches to biometric cryptosystems and cancelable biometrics are
summarized in table 3. Representing one of the simplest key binding
approaches the fuzzy commitment scheme [38] has been successfully
applied to iris recognition [27] (and other biometrics). The fuzzy vault
scheme [37] which represents one of the most popular biometric
cryptosystem has frequently been applied to fingerprints. Early
approaches, e.g. [17], which required a pre-alignment of biometric
templates, have demonstrated the potential of this concept. Several
techniques, e.g. [60, 45], to overcome the shortcoming of pre-alignment
have been proposed. Quantization schemes, e.g. [63, 57], have been
applied to several physiological and behavioral biometrics, while focusing

on reported performance rates, these schemes require further studies in
order to improve accuracy.
Besides, approaches which aim at “salting” existing passwords with
biometric features have been proposed [44]. Within the BioHashing
approach [24] biometric features are projected onto secret domains
applying user-specific tokens prior to a key-binding process. Variants of
this approach have been exposed to reveal impractical performance rates
under the stolen-token scenario [40]. With respect to recognition rates, the
vast majority of biometric template protection schemes are by no means
comparable to conventional biometric systems. While numerous
approaches to biometric cryptosystems generate rather short keys at
unacceptable performance rates, several enrolment samples may be
required as well, e.g. four samples in [17]. Approaches which report
practical recognition rates are tested on rather small datasets, e.g. 70
persons in [27], which must not be interpreted as significant. In addition,
the introduction of additional tokens, such as random numbers or secret
PINs, often clouds the picture of reported results.
206 Chapter Six
Table 3: Experimental results of key approaches to template

protection schemes.
First approaches to non-invertible transforms [46] (representing an

instance of cancelable biometrics), which have been applied to face and
fingerprints, include block permutation and surface-folding. Diverse
proposals, e.g. [68, 26], have shown that recognition performance
decreases noticeably compared to original biometric systems.
Additionally, it is doubtable if sample images of transformed biometric
images are non-invertible. BioHashing [24] (without key-binding)
represents the most popular instance of biometric salting yielding a two-
factor authentication scheme. Since additional tokens have to be kept
secret, e.g. [51, 65], result reporting turns out to be problematic. Perfect
recognition rates have been reported, e.g. in [25] while the opposite was
found to be true [40] within the stolen-token scenario.
4 PACE: Password Authentication Connection

Establishment
The Password Authenticated Connection Establishment (PACE) fulfills
the same security goals as BAC, but provides strong session keys even in
the presence of low-entropy passwords, and is resistant against off-line
BioPACE 207
brute-force attacks [9]. The shared password is denoted by ʌ and can either
be received from the MRZ, a PIN, or the Card Access Number (CAN),
which is printed on the data page of the eMRTD and consists of a six-digit
number. PACE is based on symmetric and asymmetric cryptography,
while BAC is based solely on symmetric cryptography. PACE is depicted
in Figure 2 and roughly consists of the following steps:
1. First the eMRTD chip randomly chooses a nonce s and encrypts it

with Kʌ which is derived from the shared password ʌ. The chips
sends the ciphertext z = EncKʌ (s) to the terminal.
2. The terminal recovers s with the shared password ʌ and receives s =
DecKʌ (z).
3. Chip and terminal create ephemeral key pairs, and perform a Diffie-
Hellman key agreement protocol based on these key pairs and the
generated shared secret s. By performing Diffie-Hellman both
entities agree on a new shared secret K.
4. Based on K both parties derive session keys.
5. Chip and terminal exchange and verify authentication tokens based
on a Message Authentication Code.
6. After successfully performing PACE the Secure Messaging sub-
protocol is started with the derived session keys to establish a
secure channel, which provides authenticity, integrity and
confidentiality.
Figure 2: Basic operation mode of the PACE protocol.

208 Chapter Six
PACE represents the constituent building block for the BioPACE protocol
introduced in the next section.
5 BioPACE: Biometric-protected Authenticated

Connection Establishment
The notion of BioPACE was first introduced in [20] and later extended in
[11] in the form of BioPACE version 2. Since version 2 fixes a tracking
issue and adds diverse useful security properties which will be discussed
in section 6, in this work we will refer to BioPACE version 2 as
BioPACE.
BioPACE is a pre-processing step to the PACE protocol which
replaces the commonly used knowledge- based shared secret by a
biometric-based secret. In [20] the idea to make use of biometric template
protection based on the ISO/IEC IS 24745 [31] is introduced (see Section
3). BioPACE does not favour a biometric characteristic, i.e. BioPACE
may be implemented using the facial image, fingerprints, iris, etc. The
BioPACE protocol consists of two phases:
1. Initialisation phase
2. Regular use phase.
For every eMRTD the initialisation phase has to be conducted before the
manufacturer can personalise the eMRTD. During the application of an
eMRTD a user is enrolled and feature extraction is applied to the captured
biometric sample, resulting in a biometric reference consisting of a
pseudonymous identifier P I and auxiliary data AD.
After the biometric enrolment AD is printed on the eMRTD in form of
a 2D barcode (e.g., a QR code [33] or a Data Matrix code [32]), which is
shown as part of Figure 3. P I is not publicly available, instead it is stored
in the internal memory of the eIDAS token chip and is therefore only
available to the chip itself, but not to the eMRTD terminal.
After initialisation BioPACE is ready for the regular use phase which
consists of a new feature extraction from a biometric sample and an optical
scan of previously enrolled AD. An eMRTD terminal requires optical
access to the eMRTD in order to scan the 2D barcode and receive AD to
calculate PI ‫כ‬, which equals PI if and only if the same person provided the
biometric sample and therefore a biometric match occurs, this phase is
depicted in Figure 4.
BioPACE 209
Figure 3: The eMRTD with AD printed as data matrix code
After this pre-processing step PI* is used as input for the PACE
protocol. PI* is implicitly compared to PI by the completion of the PACE
protocol, because if PI* and PI do not match the PACE protocol will fail.
With respect to provided entropy biometric-based PI s exhibit sufficient
entropy, cf. Table 4, compared to a PACE-based six-digit numeric PIN

which provides log2(106 ) § 20 bits entropy.
Figure 4: Basic operation mode of the BioPACE protocol.
210 Chapter Six
6 Assessment of BioPACE
Our security assessment of BioPACE was conducted with respect to
common security features of an eMRTD. Every paragraph first presents a
short assessment regarding a specific security aspect, and then explains
specific design decisions, whenever applicable.
6.1 Physical to electronic linkage

Where PACE makes a link between the printed data page of the eMRTD
and the chip inside the eMRTD, by comparing the MRZ to Data Group 1,
BioPACE makes a link between the eMRTD owner and the chip inside the
eMRTD. There usually would be no more link between the printed data
page of the eMRTD and the chip inside the eMRTD. As a consequence it
could not build further upon the prior established authenticity of the MRZ
and CAN (by checking the optical security features on eMRTDs, such as
special paper and printing techniques). Therefore AD is printed on the data
page of the eMRTD in form of a 2D barcode. By printing AD on the data
page we create a link between the physical eMRTD and the chip. Now a
terminal needs optical access to the eMRTD to scan the 2D barcode and
receive AD to calculate PI‫כ‬. This will provide at least the same level of
protection against skimming and sniffing attacks as PACE.
6.2 No Tracking
PACE guarantees the unlinkability of eMRTD activities on the wireless
channel, BioPACE does not destroy this property even so it relies on two
unique identifiers P I and AD. On the one hand P I is never directly
transferred over the wireless channel, instead it is used to encrypt a
random value and matched on the eMRTD chip and on the other hand AD
is not wirelessly transferred at all, but instead optically read from the
printed 2D barcode making tracking infeasible via sniffing the BioPACE
communication between an eMRTD and an eMRTD terminal.
6.3 Usability Enhancement

By introducing BioPACE usability is enhanced is several ways:
1. the shared secret P I has a much higher entropy, than the currently
utilized secrets (PIN, PUK, CAN or MRZ) and therefore BioPACE
provides a higher security level for any transferred data, which
BioPACE 211
strengthens the user's data privacy;

2. in contrast to a knowledge based secret like a PIN, a biometric
feature cannot be forgotten by the document holder which enhances
the user experience.
3. in some jurisdictions (e.g. in Germany) the eID-law prohibits
photocopies of the e-ID card in order not to disseminate CAN,
which is printed on the card. This regulation is intentionally or
unintentionally ignored as it is less known. BioPACE and the
abolition of the printed e-ID card would thus enable to return to the
legal regulation that allows photocopies of eID cards.
6.4 Impeded Skimming

With BioPACE no unauthorised data retrieval is possible. For eMRTDs
that implement PACE or BioPACE, one requires access to the printed data
page of the eMRTD to read the data on the chip. Handing the eMRTD
over to an official for checking can be seen as an implicit authorisation
from the eMRTD owner. If BioPACE would only require the eMRTD
holders to provide their fingerprint to the officials checking their eMRTDs
it would not reach the same level of authorisation, because we leave our
fingerprints everywhere. Anyone within wireless communication range
that has access to the fingerprint of the eMRTD holder could read out the
data of the eMRTD without the owner even being aware. This would
render skimming attacks facile, for example in airport bars (given that one
can extract the fingerprint from a glass in a timely manner). One does not
need to fool the terminal's fingerprint reader (which is hard, since one has
to make a dummy finger, possible liveness detection) but the raw image
data is good enough for direct processing. As boundary condition, the
attacker also needs a terminal and the attack is only justified if a name or
facial image to a corresponding fingerprint is the goal of the attacker. By
making a link to the printed data page of the eMRTD this attack is
mitigated, because the printed content is not revealed in airport bars.
6.5 No off-line eMRTD Owner Guessing

Because the biometric feature has high entropy, an off-line guessing attack
with respect to whom the eMRTD belongs to is not possible. Assume that
one wants to track a number of high profile individuals and one has access
to their fingerprints (which are left behind on whatever the person in
question happens to touch). From these fingerprints, together with AD one
can derive all possible PI 's. This would narrow down the search space
212 Chapter Six
significantly. Since P I is of high entropy this attack is not feasible for

BioPACE and one could conclude it would also make BAC suitable again,
because the main criticism against BAC is the low entropy of the MRZ as
well as its vulnerability to off-line brute-force attacks. Still PACE is
resistant against off-line brute-force attacks and should therefore prefer
over BAC.
6.6 Biometric Linkage Goal

The BioPACE protocol provides access control and creates a link between
the eMRTD holder and the chip. In the current eMRTD security protocol
pool these goals are already achieved by BAC, PACE and EAC for the
access control and for the biometric link. Achieving the same security goal
twice has no benefit and only makes the border control check lengthier.
Therefore removing EAC and the raw fingerprints would justify the access
control and linkage goal of BioPACE. Of course this should only be
considered if the eMRTD would contain no more sensitive biometric data.
This is discussed in section 8.
6.7 Access Control Flexibility

As long as the sensitive biometric fingerprints are stored on the chip,
BioPACE should not be considered as EU EAC replacement, because it

can only provide two possible authorisation levels:
1. Read every data group or

2. Read no data group.
With EAC, one can provide a more fine grained access control and the
eMRTD receives an explicit authorisation from its issuing country that this
terminal is indeed authorised to read certain data groups. A possible
solution is to replace the raw fingerprints by a protected biometric
template that leaks no sensitive information.
7 Entropy of Biometric Data

Biometric features must not be expected to be mutually independent, e.g.
fingerprints underlie distinct structures (densities and orientations of
minutiae). Focusing on data storage, binary biometric templates represent
a favourable representation, enabling compact storage and rapid
comparison. So far, numerous approaches have been proposed to extract
BioPACE 213
binary feature vectors from diverse biometric characteristics. Without loss

of generality we will restrict to analyse entropy of biometric data
according to a binary representation of biometric features.
A common way to estimate the average entropy (§ amount of mutually
independent bits) of biometric feature vectors is to measure the provided
``degrees-of-freedom'' which are defined by d = p(1 í p)/ı2 ,where p is the
mean Hamming distance (HD) and ı2 the corresponding variance between
comparisons of different pairs of binary feature vectors, shown in Figure
5. In case all bits of each binary feature vector of length z would be
mutually independent, comparisons of pairs of different feature vectors
‫ݖ‬
would yield a binomial distribution, ࣜሺ‫ݖ‬ǡ ‫݌‬ሻ ൌ ቀ ቁ ‫݌‬௞ ሺͳ െ Ͳሻ௭ି௞ ൌ
݇
‫ݖ‬ ‫ݖ‬
ቀ ቁ ‫݌‬௞ ሺͳ െ ‫݌‬ሻ௭ି௞ ൌ ቀ ቁ ͲǤͷ‫ ݖ‬and the expectation of the HD would be
݇ ݇
ͳȀ‫ॱݖ‬ሺܺ ْ ܻሻ= zp·1/z = p = 0.5, where X and Y are two independent
random variables in {0, 1}.
In reality p decreases to 0.5íԖ while HDs remain binomially
distributed with a reduction in z in particular, ࣜሺ݀ǡ ͲǤͷሻ [64]. Reported
entropy in literature of relevant biometric characteristics are summarised
in Table 4. Estimated entropy can be directly transferred to AD and PI s
which are applied in further application. However, techniques which are
employed to overcome biometric variance, e.g. severe quantisation, may
reduce the entropy of resulting protected templates [1].
In addition, the amount of degrees-of-freedom can be directly derived

from the false match rate (FMR) provided by a biometric (template
protection) system. According to the ISO/IEC IS 19795-1 [34] the FMR
defines the proportion of zero-effort impostor attempt samples falsely
declared to match the compared non-self template. At a targeted false non-
match rate (FNMR), the proportion of genuine attempt samples falsely
declared not to match the template of the same characteristic from the
same user supplying the sample, provided entropy (in bits) is estimated as
log2 (FMRí1), which directly relates to entropy estimations which are
frequently applied to passwords or PINs.
Most biometric cryptosystems aim at binding or generating keys, long
enough to be applied in a generic cryptographic system (e.g. 128-bit keys
for AES). Obviously, to prevent a biometric keys from being guessed,
these require sufficient entropy. While the issue of key entropy has been
ignored in early approaches to biometric cryptosystems, recent works tend
to provide key entropy estimations. In [13, 12], Buhan et al. point out a
direct relation between the maximum length k of cryptographic keys and
the error rates of the biometric system. The authors define this relation as k
í log2(FMR), as previously mentioned. This means that an ideal
214 Chapterr Six
biometric cryptosystem would have to maintain an FAR 2ík which

appears to bbe a quite rigoorous upper bound
b that maay not be achiievable in
practice. Neevertheless, the authors’ em
mphasis on the important facct that the
recognition rates of a biometric
b systtem correlatee with the ammount of
information which can bee extracted, rettaining maximmum entropy.
Figure 5: Binnomial distributiion of scores beetween differennt pairs of vecto

ors.
Table 4: E Entropy rep

ported in litterature for different biometric
b
characteristtics.
Based onn their proposed

p quantization schemee [63], Vielhaauer et al.
describe the issue of chooosing significaant features off on-line signaatures and
introduce thhree measures for feature ev valuation [62]]: intrapersonal feature
deviation, iinterpersonal entropy of hash value components and the
correlation between bothh. By analyziing the discriiminatively of o chosen
features the authors showw that the appllied feature veector can be decreased
d
BioPACE 215
by 45% maintaining error rates [52]. This example underlines the fact that
biometric cryptosystems may generate arbitrary long keys while inter-class
distances (=Hamming distance between keys) remain low. Ballard et al.
[2, 3] propose a new measure to analyse the security of a biometric
cryptosystem, termed guessing distance. The guessing distance defines the
number of guesses a potential imposter has to perform in order to retrieve
either the biometric data or the cryptographic key. Thus, the guessing
distance directly relates to intra-class distances of biometric systems and,
therefore, provides a more realistic measure of the entropy of biometric
keys.
Kelkboom et al. [39] analytically obtained a relationship between the
maximum key size and a target system performance. An increase of
maximum key size is achieved in various scenarios, e.g. when applying
several biometric templates at enrolment and authentication or when
increasing the desired false rejection rates. In theory-oriented work Tuyls
et al. [61, 59] estimate the capacity and entropy loss for fuzzy commitment
schemes and shielding functions, respectively. Similar investigations have
been done in [42, 56] providing a systematic approach of how to examine
the relative entropy loss of any given scheme, which bounds the number of
additional bits that could be extracted if optimal parameters were used.
8 Replacing EU EAC and fingerprint images by BioPACE

We discuss the idea to replace the current infrastructure (i.e., the EAC
protocols, the Country Verifying PKI, and the storage of index finger
images in data group 3) by BioPACE. We analyse advantages and
disadvantages of our approach and include boundary conditions, which
have to be fulfilled to make BioPACE expedient. Fundamental changes to
an established infrastructure are a challenging task and require as a
boundary condition both innovative ideas and enhanced security. We
consider BioPACE to meet these demands as discussed below. In our
context, for instance, a sample representative idea is the Biocryptographic
Key Infrastructure [53] to replace a common Public Key Infrastructure,
yielding a higher security level. An example of enhancing an applied and
proven protocol is the Biotokens [54] approach, where biometric digital
signatures and Bio-Kerberos increases security. Therefore the redundant
protocols have to be dropped, and the BioPACE has to provide a
significant enhancement to become a new eMRTD standard.
If BioPACE is used without a subsequent EAC accomplishment, we
see the following benefits:
216 Chapter Six
1. Faster verification: If we drop EAC and make use of a PI instead of

raw fingerprints, we eliminate two bottlenecks: first, no more raw
fingerprints have to be transferred from the chip to the terminal
over the wireless interface. Second the lack of terminal
authentication resolves the need to verify certificate chains by the
eMRTD chip. This will drastically speed up the eMRTD processing
times at border checks.
2. Enhanced practical security: According to a recent EU border
control study [18, D4.1] border control personnel does only
perform an electronic check against eMRTD blacklists due to time
constraints. Hence in practice the actual security level of the
eMRTD chip and its infrastructure is mainly not used. A
significant speed-up of the verification protocols will therefore not
only make the verification more convenient for the travellers, but it
will improve security, because the electronic security features will
be used by border control personnel even under strict time schedule
guidelines.
3. Improving privacy: Raw fingerprints are removed and replaced
with a protected biometric template, which is stored in the
eMRTD's internal memory and therefore only accessible by the
chip. Hence the privacy level is improved.
4. Decreasing infrastructure costs: If we abandon terminal
authentication, complicated Country Verifying PKI maintenance is

no longer required. As the further expenses remain constant (e.g.,
the costs for the biometric personalisation of eMRTDs), the costs of
the whole eMRTD infrastructure will decrease significantly.
5. Standardised data structures: 2D barcodes are standardised, and
their integration is already discussed for non-electronic travel
documents based on the Digital Seal standard [10, 18, D6.1].
On the other hand BioPACE as a replacement for EAC yields the

following downsides:
1. Change of layout: To establish the BioPACE in the eMRTD
domain the creation and enrolment process has to be changed,
because AD needs to be printed on the data page.
2. Coarse-grained access control: As discussed in Section 6
BioPACE causes a loss of access control flexibility. However, if
the sensitive JPEG fingerprints are removed from the chip no more
sensitive data remains, which is worth protection with a flexible
access control scheme. Currently the EU EAC only protects DG3
so the only actual flexibility is access or no access to DG3, which is
BioPACE 217
gone anyway in our future proposal.

3. Renounce of strong cohesion paradigm: Security protocols often
follow the software engineering paradigm of strong cohesion and
loose coupling. Every protocol should have a very specific goal and
depend on as few as possible other protocols. Our proposal
abandons this paradigm.
4. Chip cloning: Dropping EAC results in the loss of chip
authentication and hence in giving up the current chip cloning
protection. However, the physical protection through the printed
AD on the document makes chip cloning useless from a practical
point of view. We discuss a further electronic prevention approach
of chip cloning below.
To conclude we rate the improvement with respect to run-time, practical

security, and costs to be more important than the disadvantages to change
the layout and the loss of fine-grained access control. Future attention
should be paid to the integration of a chip cloning protection into the
BioPACE. Bender et al. [5] present a protocol called PACE|AA, which
combines PACE and Active Authentication to create a protocol, which is
more efficient than the single protocols and solves a security risk of Active
Authentication.
The future BioPACE could be a merged protocol assimilating the
benefits of the BioPACE and the PACE|AA protocol. This combination

would create a monolithic protocol that fulfils all security goals achieved
by the eMRTD protocols and requirements of a biometric system
regarding privacy protection and security [55], save the EU a lot of money
because the CV PKI could be shut down, data privacy concerns would be
mitigated and border gate checks would become faster.
9 Summary and Conclusion

This chapter presented an assessment of the BioPACE protocol, pointed
out strengths and evaluated its expediency for the eMRTD domain. We
came to the conclusion that it is expedient in its proposed form only with
the drastic approach to completely drop EAC and remove the raw
fingerprint images from DG3, which then makes BioPACE very attractive
since the expensive CV PKI can be shut down. If BioPACE gets merged
with the PACE|AA protocol to gain chip cloning protection, it could
become a perfectly tailored monolithic security protocol for the eMRTD
domains requirements.
218 Chapter Six
Our discussions on the entropy of different biometric characteristics as

well as state-of-the-art biometric template protection schemes demonstrate
that BioPACE is not an abstract concept, but rather a practical security
protocol which simplifies the eMRTD infrastructure and strengthens the
key exchange between chip and terminal. BioPACE also provides an
enhanced border control user experience by on the one hand accelerating
the inspection since neither huge big raw fingerprint images have to be
transferred over the slow wireless channel nor on-chip certificate chain
validation is necessary; and on the other hand by enhancing the data
privacy of the sensitive biometric information since the raw fingerprint
images are replaced by a protected biometric template as well as using
implicit biometric on-chip comparison during BioPACE.
We presented the theoretical idea of merging BioPACE with the
PACE|AA protocol, therefore future work will focus on a formal security
proof of this protocol based on the model proposed by Bellare et al. [4].
Acknowledgement
This work was supported by the European Commission through the
FIDELITY EU-FP7 project (Grant No. SEC-2011-284862), CASED and
the Research Council KU Leuven: GOA TENSE (GOA/11/007).
References
[1] A. Adler, R. Youmaran, and S. Loyka. Towards a measure of
biometric information. In Canadian Conference on Electrical and
Computer Engineering, (CCECE'06)., pages 210--213, 2006.
[2] L. Ballard, S. Kamara, F. Monrose, and M. Reiter. On the requirements
of biometric key generators. Technical Report TR-JHU-SPAR-BKMR-
090707, 2007. Submitted and available as JHU Department of
Computer Science Technical Report.
[3] L. Ballard, S. Kamara, and M. K. Reiter. The practical subtleties of
biometric key generation. In SS'08: Proc. of the 17th Conf. on Security
symposium, pages 61--74, 2008.
[4] Mihir Bellare, David Pointcheval, and Phillip Rogaway. Authenticated
key exchange secure against dictionary attacks. In Advances in
Cryptology -- EUROCRYPT 2000, volume 1807 of LNCS, pages 139-
155. Springer, 2000.
[5] Jens Bender, Özgür Dagdelen, Marc Fischlin, and Dennis Kügler. The
pace|aa protocol for machine readable travel documents, and its
security. In Financial Cryptography and Data Security, volume 7397
BioPACE 219
of LNCS, pages 344--358. Springer, 2012.

[6] J. Breebaart, C. Busch, J. Grave, and E. Kindt. A reference
architecture for biometric template protection based on pseudo
identities. In Proc. of the BIOSIG 2008: Biometrics and Electronic
Signatures, pages 25--38, 2008.
[7] J. Bringer, H. Chabanne, G. Cohen, B. Kindarji, and G. Zémor.
Optimal iris fuzzy sketches. in Proc.1st IEEE Int. Conf. on Biometrics:
Theory, Applications, and Systems., pages 1--6, 2007.
[8] J. Bringer and V. Despiegel. Binary feature vector fingerprint
representation from minutiae vicinities. In Proc. of the 4th IEEE Int.
Conf. on Biometrics: Theory, applications and systems (BTAS'10),
pages 1-6, 2010.
[9] BSI. Technical Guideline TR-03110 Advanced Security Mechanisms
for Machine Readable Travel Documents - Extended Access Control
(EAC), Password Authenticated Connection Establishment (PACE),
and Restricted Identification (RI). Bundesamt für Sicherheit in der
Informationstechnik (BSI), 2.05 edition, 2010.
[10] BSI. Technical Guideline TR-03137 Optically Verifiable
Cryptographic Protection of non-electronic Documents (Digital Seal).
Bundesamt für Sicherheit in der Informationstechnik (BSI), 1.0
edition, 2013.
[11] Nicolas Buchmann, Roel Peeters, Harald Baier, and Andreas
Pashalidis. Security considerations on extending PACE to a biometric-

based connection establishment. In Biometrics Special Interest Group
(BIOSIG), 2013 International Conference of the, pages 1--13, 2013.
[12] I. R. Buhan, J. Doumen, P. Hartel, and R. N. J. Veldhuis.
Constructing practical fuzzy extractors us- ingqim. Technical report,
Centre for Telematics and Information Technology, University of
Twente, Netherland Technical Report TR-CTIT-07-52, 2007.
[13] I. R. Buhan, J. M. Doumen, P. H. Hartel, and R. N. J. Veldhuis.
Fuzzy extractors for continuous distributions. Technical report,
University of Twente, 2006.
[14] R. Cappelli, A. Lumini, D. Maio, and D. Maltoni. Fingerprint image
reconstruction from standard templates. IEEE Transactions on Pattern
Analysis and Machine Intelligence, 29(9):1489-1503, 2007.
[15] A. Cavoukian and A. Stoianov. Biometric encryption. In
Encyclopedia of Biometrics. Springer Verlag, 2009.
[16] A. Cavoukian and A. Stoianov. Biometric encryption: The new breed
of untraceable biometrics. In Biometrics: fundamentals, theory, and
systems. Wiley, 2009.
[17] T. C. Clancy, N. Kiyavash, and D. J. Lin. Secure smartcard-based
220 Chapter Six
fingerprint authentication. Proc. ACM SIGMM 2003 Multimedia,

Biometrics Methods and Applications Workshop, pages 45--52, 2003.
[18] European Commission. Fidelity project. online,
http://www.fidelity-project.eu/page/project/deliverables.php.
[19] J. Daugman. Probing the uniqueness and randomness of iriscodes:
Results from 200 billion iris pair comparisons. Proc. of the IEEE,
94(11):1927--1935, 2006.
[20] Bernhard Deufel, Carsten Mueller, Gavan Duffy, and Tom Kevenaar.
BioPACE -- Biometric passwords for next generation authentication
protocols for machine-readable travel documents. Daten- schutz und
Datensicherheit - DuD, 37(6):363 -- 366, 2013.
[21] EU. Integration of biometric features in passports and travel
documents - regulation (ec) 2252/2004, 2004.
[22] EU. Commission decision c(2005)409. Online,
http://ec.europa.eu/dgs/home-affairs/e-library/documents/policies/
borders-and-visas/document-security/index_en.htm, 2005.
[23] H. Feng and C. C. Wah. Private key generation from on-line
handwritten signatures. Information Management and Computer
Security, 10(18):159--164, 2002.
[24] A. Goh and D. C. L. Ngo. Computation of cryptographic keys from
face biometrics. In Communications and Multimedia Security (LNCS:
2828), pages 1--13, 2003.
[25] A. Goh, A. B. J. Teoh, and D. C. L. Ngo. Random multispace

random identity inputs. IEEE Trans. Pattern Anal. Mach. Intell.,
28(12):1892--1901, 2006.
[26] J. Hämmerle-Uhl, E. Pschernig, , and A.Uhl. Cancelable iris
biometrics using block re-mapping and image warping. In Proc. of the
Information Security Conf. 2009 (ISC'09) LNCS: 5735, pages 135--
142, 2009.
[27] F. Hao, R. Anderson, and J. Daugman. Combining Cryptography with
Biometrics Effectively. IEEE Transactions on Computers, 55(9):1081-
-1088, 2006.
[28] ICAO. Doc 9303 Part 1 Machine Readable Passports Volume 2
Specifications for Electronically En- abled Passports with Biometric
Identification Capability. International Civil Aviation Organization
(ICAO), 6 edition, 2006.
[29] ICAO. SUPPLEMENT to Doc 9303. International Civil Aviation
Organization (ICAO), 12 edition, 2013.
[30] IEEE Std 610.12-1990 -- Glossary of Software Engineering
Terminology, 1990.
BioPACE 221
[31] ISO/IEC JTC 1/SC 27 - Security Techniques. Information technology

-- security techniques -- biometric information protection. ISO/IEC
24745:2011, 2011.
[32] ISO/IEC JTC 1/SC 31 - Automatic identification and data capture
techniques. Information technology -- automatic identification and
data capture techniques -- data matrix bar code symbology
specification. ISO/IEC 16022:2006, 2006.
[33] ISO/IEC JTC 1/SC 31 - Automatic identification and data capture
techniques. Information technology -- automatic identification and
data capture techniques -- qr code 2005 bar code symbology
Specification. ISO/IEC 18004:2006, 2006.
[34] ISO/IEC TC JTC1 SC37 Biometrics. ISO/IEC 19795-1:2006.
Information Technology -- Biometric Performance Testing and
Reporting -- Part 1: Principles and Framework. International
Organiza- tion for Standardization and International Electrotechnical
Committee, March 2006.
[35] ISO/IEC TR 19759:2005 -- Software Engineering -- Guide to the
Software Engineering Body of Knowledge (SWEBOK), 9 2005.
[36] A. K. Jain, A. Ross, and U. Uludag. Biometric template security:
Challenges and solutions. in Proc. of European Signal Processing
Conf. (EUSIPCO), 2005.
[37] A. Juels and M. Sudan. A fuzzy vault scheme. Proc. 2002 IEEE Int.
Symp. on Information Theory, page 408, 2002.

[38] A. Juels and M. Wattenberg. A fuzzy commitment scheme. 6th ACM
Conf. on Computer and Communications Security, pages 28--36, 1999.
[39] E. J. C. Kelkboom, J. Breebaart, I. Buhan, and R. N. J. Veldhuis.
Analytical template protection performance and maximum key size
given a gaussian modeled biometric source. In Proc. of SPIE defense,
security and sensing, 2010.
[40] A. Kong, K.-H. Cheunga, D. Zhanga, M. Kamelb, and J. Youa. An
analysis of BioHashing and its variants. Pattern Recognition, 39:1359-
-1368, 2006.
[41] Dennis Kügler and Ingo Naumann. Sicherheitsmechanismen für
kontaktlose chips im deutschen reisepass. Datenschutz und
Datensicherheit - DuD, 31(3):176--180, 2007.
[42] Q. Li, Y. Sutcu, and N. Memon. Secure sketch for biometric
templates. Advances in Cryptology - ASIACRYPT 2006 (LNCS:4284),
pages 99--113, 2006.
[43] E. Maiorana, P. Campisi, J. Fierrez, J. Ortega-Garcia, and A. Neri.
Cancelable templates for sequence-based biometrics with application
to on-line signature recognition. Trans. on System, Man, and
222 Chapter Six
Cybernetics-Part A: Systems and Humans, 40(3):525--538, 2010.

[44] F. Monrose, M. K. Reiter, Q. Li, and S. Wetzel. Using Voice to
Generate Cryptographic Keys. Proc. 2001: A Speaker Odyssey, The
Speech Recognition Workshop, 2001. 6 pages.
[45] K. Nandakumar, A. K. Jain, and S. Pankanti. Fingerprint-based Fuzzy
Vault: Implementation and Performance. in IEEE Transactions on
Information Forensics And Security, 2:744--757, 2007.
privacy in biometrics-based authentication systems. IBM Systems
Journal, 40:614--634, 2001.
[47] N. K. Ratha, J. H. Connell, and S. Chikkerur. Generating cancelable
fingerprint templates. IEEE Transactions on Pattern Analysis and
Machine Intelligence, 29(4):561--572, 2007.
[48] Nalini K. Ratha, Jonathan H. Connell, and Ruud M. Bolle. An
analysis of minutiae matching strength. In AVBPA '01: Proc. of the
Third Int. Conf. on Audio- and Video-Based Biometric Person
Authentication, pages 223--228, 2001.
[49] C. Rathgeb and A. Uhl. A survey on biometric cryptosystems and
cancelable biometrics. EURASIP Journal on Information Security,
2011(3), 2011.
[50] Arun Ross, Jidnya Shah, and Anil K. Jain. From template to image:
Reconstructing fingerprints from minutiae points. IEEE Transactions
on Pattern Analysis and Machine Intelligence, 29(4):544--560, 2007.

[51] M. Savvides, B.V.K.V. Kumar, and P.K. Khosla. Cancelable
biometric filters for face recognition. ICPR '04: Proc. of the Pattern
Recognition, 17th Int. Conf. on (ICPR'04), 3:922--925, 2004.
[52] T. Scheidat and C. Vielhauer. Biometric hashing for handwriting:
Entropy based feature selection and semantic fusion. In Proc. of SPIE,
volume 6819, pages 68190N.1-68190N.12, 2008.
[53] Walter Scheirer, Bill Bishop, and Terrance Boult. Beyond PKI: The
biocryptographic key infrastructure. In Workshop Information
Forensics and Security, pages 1--6. IEEE, 2010.
[54] Walter Scheirer and Terrance Boult. Bio-cryptographic protocols with
bipartite biotokens. In Bio- metrics Symposium, pages 9--16, 2008.
[55] K. Simoens, J. Bringer, H. Chabanne, and S. Seys. A framework for
analyzing template security and privacy in biometric authentication
systems. IEEE Transactions on Information Forensics and Security,
7(2):833--841, 2012.
[56] Y. Sutcu, Q. Li, and N. Memon. How to Protect Biometric
Templates. SPIE Conf. on Security, Steganography and Watermarking
of Multimedia Contents IX, 6505, 2007. Proc. of SPIE, 11 pages.
BioPACE 223
[57] Y. Sutcu, H. T. Sencar, and N. Memon. A secure biometric

authentication scheme based on robust hashing. MMSec '05: Proc. of
the 7th Workshop on Multimedia and Security, pages 111--116, 2005.
[58] A. B. J. Teoh, D. C. L. Ngo, and A. Goh. Personalised cryptographic
key generation based on FaceHashing. Computers And Security,
2004(23):606--614, 2004.
[59] P. Tuyls and J. Goseling. Capacity and examples of template-
protecting biometric authentication systems. in Proc. ECCV Workshop
BioAW (LNCS), 3087:158 -- 170, 2004.
[60] U. Uludag and A. K. Jain. Fuzzy fingerprint vault. Proc. Workshop:
Biometrics: Challenges Arising from Theory to Practice, pages 13--16,
2004.
[61] E. Verbitskiy, P. Tuyls, D. Denteneer, and J. P. Linnartz. Reliable
biometric authentication with privacy protection. presented at the
SPIE Biometric Technology for Human Identification Conf., Orlando,
FL, 2004.
[62] C. Vielhauer and R. Steinmetz. Handwriting: feature correlation
analysis for biometric hashes. EURASIP J. Appl. Signal Process.,
2004(1):542--558, 2004.
[63] C. Vielhauer, R. Steinmetz, and A. Mayerhöfer. Biometric hash based
on statistical features of online signatures. In ICPR '02: Proc. of the 16
th Int. Conf. on Pattern Recognition (ICPR'02) Volume 1, page 10123,
2002.
[64] R. Viveros, K. Balasubramanian, and N. Balakrishnan. Binomial and
negative binomial analogues under correlated bernoulli trials. The
American Statistician, 48(3):243--247, 1984.
[65] Y. Wang and K.N. Plataniotis. Face based biometric authentication
with changeable and privacy preservable templates. In Proc. of the
IEEE Biometrics Symposium 2007, pages 11--13, 2007.
[66] X. Wu, N. Qi, K. Wang, and D. Zhang. A Novel Cryptosystem based
on Iris Key Generation. Fourth Int. Conf. on Natural Computation
(ICNC'08), pages 53--56, 2008.
[67] H. Xu and R. N.J. Veldhuis. Binary representations of fingerprint
spectral minutiae features. In Proc. of the 20th Int. Conf. on Pattern
Recognition (ICPR'10), pages 1212--1216, 2010.
[68] J. Zuo, N. K. Ratha, and J. H. Connel. Cancelable iris biometric. In
Proc. of the 19th Int. Conf. on Pattern Recognition 2008 (ICPR'08),
pages 1--4, 2008.
CHAPTER SEVEN
PRIVACY AND SECURITY ASSESSMENT

OF BIOMETRIC SYSTEMS
MOHAMAD EL-ABED,1 PATRICK LACHARME2

AND CHRISTOPHE ROSENBERGER2
1
RAFIK HARIRI UNIVERSITY, MESHREF, LEBANON
2
UNIVERSITÉ DE CAEN BASSE-NORMANDIE, UMR 6072
GREYC, F-14032 CAEN, FRANCE, ENSICAEN, UMR 6072
GREYC, F-14050 CAEN, FRANCE
CNRS, UMR 6072 GREYC, F-14032 CAEN, FRANCE
Abstract
Biometric authentication systems have been shown as a promising

candidate to ensure identity verification in secure applications. However,
these systems suffer from several weaknesses, which may considerably
decrease their use in real life applications. In this chapter, we address the
privacy and security evaluation of such systems -- a key challenge in the
field of biometrics. We believe that, as biometrics technology becomes
more widely used in daily life, the incentives of its misuse or attack will
grow. This chapter is dedicated to researchers and engineers who need to
quantify the privacy and security aspects of biometric systems.
Index Terms— Biometrics, Evaluation, Threats and Vulnerabilities, Data
Protection, Privacy and Security Assessment.
1 Introduction
The increasing need for security leads to the involvement of biometrics in
daily life. Biometrics has become part of many aspects of life, including
border control and e-payment [1]. Currently, many biometric
authentication systems have been proposed, ranging from morphological
Privacy and Security Assessment of Biometric Systems 225
(such as fingerprint [2]), behavioural (such as keystroke dynamics [3]) and

even biological (such as DNA [4]) modalities. Despite the advantages of
such systems in providing better security as compared to traditional
authentication systems based on “what we own” (such as a key) or “what
we know” (such as a password), biometric systems introduce new threats
and present limitations in terms of privacy and security.
The International Organization for Standardization ISO/IEC FCD
19792 [5] presents a list of several threats and vulnerabilities of biometric
systems. The standard also addresses privacy concerns when dealing with
biometric systems. Similar concerns have also been raised by the Common
Criteria Biometric Evaluation Working Group [6]. For example, personal
biometric information could be tracked from one application to another by
cross-matching between biometric databases, thus compromising privacy.
Direct attacks illustrated by the presentation of a fake biometric data to the
sensor have also been shown as a frequent attack on such biometric
modalities as face, fingerprint, and iris. An example of such attack on an
iris recognition system is presented in [7]. But the security of a biometric
system concerns the entire system, not only the sensor. Therefore, it is
important that biometric systems be designed to withstand these concerns
when employed in security-critical applications and to achieve an end to
end security. The goal of this chapter is then to present a privacy- and
security-based assessment methodology to be used to evaluate and
compare biometric systems.

The outline of the chapter is as follows. An introduction to the general
concepts of biometric systems is given in Section 2. Section 3 presents an
overview of the security and privacy concerns when dealing with
biometric systems. We present in Section 4 the existing works regarding
the security and privacy assessment of biometric systems. In Section 5, the
Security EvaBio tool which is an evaluation tool for the security and
privacy assessment of biometric systems is presented. Future trends of the
chapter are then given in Section 7.
2 Biometric Technology
2.1 Biometric Modalities
Biometrics refers to the automatic verification or recognition of
individuals by measuring their physical/behavioural characteristics. Any
such characteristic can be considered as biometric information if it
satisfies the following properties, detailed in [8]: universality, uniqueness,
226 Chapter Seven
permanency, collectability and acceptability. An example of the most

commonly used biometric modalities is given in Figure 1.
Figure 1. An example of biometric modalities: From left to right, top to bottom,

hand veins, face, hand geometry, keystroke dynamics, iris and fingerprint.
2.2 Biometric Process

Biometric systems are concerned by the following functionalities:
x Enrolment – which constitutes the initial process of collecting

biometric data samples from an individual to be used in order to
create its reference (biometric template). An example of a biometric

template is the extracted minutiae from a fingerprint.
x Verification – which provides a matching score between the
biometric sample provided by the individual and the biometric
reference template of the claimed identity.
x Identification – which consists of determining the identity of an
unknown individual by comparing the user's biometric sample with
reference templates stored in a database.
3 Biometric Systems Limitations

Biometric systems suffer from several security and privacy concerns
which may significantly decrease their widespread of use, by the
introduction of new threats and vulnerabilities, which are specific to
biometrics.
Ratha et al. [9] have identified eight locations of possible attacks in a
generic biometric system as depicted in Figure 2:
x Point 1: Involves presenting a fake biometric data to the sensor

such as a dummy finger.
x Point 2: In a replay attack, an intercepted biometric data is
submitted to the feature extractor bypassing the sensor.
x Point 3: The feature extractor is replaced with a Trojan horse
program that functions according to its designer specifications.
x Point 4: Genuine extracted features are replaced with other features
selected by the attacker.
x Point 5: The matcher is replaced with a Trojan horse program.
x Point 6: Involves attacks on the template database.
x Point 7: The templates can be altered or stolen during the
transmission between the template database and the matcher.
x Point 8: The matcher decision (accept or reject) can be overridden
by the attacker.
Figure 2. Possible attacks in a generic biometric system according to [9].
Direct attacks on biometric sensors (point 1) are the most known attacks in
the literature. Several works show the feasibility of such attack on
modalities such as face [10, 11, 12, 13], iris [7, 14, 15, 16], on-line writer
verification system [17], and speech verification [18, 19, 20, 21, 22, 23,
24]. A classic example is that of fake fingers that can be built with
silicone, gelatine, wood glue or latex [25, 26, 27, 28, 29, 30, 31]. Fake
fingers constructed with all these technologies are used on different sensor
technologies. An example of such attack is presented in Figure 3, which
illustrates a successful attack using a fake finger created out of latex that
we have created to evaluate several sensors of different technologies
(optical and capacitive). Countermeasures including liveness detection are
228 Chapter Seven
presented in [32, 33, 34, 35, 36, 37] for fingerprints, [38, 39, 40, 41, 42,
43] for speech verification, or [44, 45, 46, 47, 48] for face.
Figure 3. Successful attack resulting from the comparison between a fake finger
(on the left) and a genuine one stored in the database (right).
Attacks are also possible on other parts of the biometric system. Thus, an
attacker can introduce a Trojan horse into the system, or realize a denial-
of-service attack and hence can corrupt the authentication system so that
legitimate users cannot use it. The attacker can also intercept and/or replay
the biometric data in order to illegally access or modify the system. The
biometric database (point 6) is another important target for attackers,
particularly for centralized databases and non-protected databases. This
point is directly related to a user's privacy in that a biometric trait cannot
be replaced if it is compromised. The biometric database is vulnerable to
several types of attacks, such as the possibility to fraudulently create a new
template, or to modify existing templates without authorization. These
attacks are classified as direct attacks and indirect attacks.
Direct or masquerade attacks construct new biometric data from
information contained within one or several biometric templates. Thus,
Galbally et al. [49] refutes the popular belief of minutiae template non-
reversibility using fake fingers generated from ISO templates, where the
experiments grant access in over ͹ͷ of the attempts. Other attacks are

proposed on fingerprints [50, 51, 52, 53, 54], iris [55, 56, 57], hand
geometry [58, 59] or face [60, 61].
Indirect attacks or hill-climbing attacks construct iteratively biometric
templates, by observing the final score of the matcher [62]. This can be
realized in several modalities, such as fingerprint [63, 64, 65, 66, 67],
signature [68, 69, 70, 71, 72, 73, 74], iris [75, 76, 77], face [78, 79, 80, 81,
82, 83] or speech verification [84]. The attempts occur by injecting
samples on the communication link, to the feature extractor input (image),
or the matcher input (template). More precisely, the changes on the
synthetic templates are kept if the final score increases, and otherwise the
corresponding modifications are discarded. Transmission channels (points
2 and 4) are particularly vulnerable to these attacks.
Template protection schemes can be used to protect the biometric
database [85, 86, 87, 88] and to ensure diversity and revocability of
biometric templates [89, 90]. For example, Fuzzy sketches [91, 92, 93, 94,
95] and fuzzy vaults [96, 97, 98, 99, 100] are based on error correcting
codes. Nevertheless these techniques do not necessary protect the
biometric template against reversibility or distinguishability [101, 102,
103, 104]. Other template protection schemes include transform based
schemes, cancellable biometrics [105, 106, 107, 108, 109, 110], and multi-
party computation [111, 112, 113, 114, 115].
4 Privacy and Security Assessment of Biometric Systems

The privacy and security assessment of biometric systems is now carefully
considered. Many platforms have been proposed (such as FVC-onGoing
[116] and BioSecure [117]), whose objective is mainly to compare
biometric systems. However, these platforms are dedicated to quantify
performance technology (algorithms, processing time, etc.) without testing
the robustness of the target system against fraud, even if it respects the
privacy of end-users. This clearly shows that few works are dedicated
toward the security and privacy assessment of biometric systems. We
focus, in this section, in presenting an overview of this work.
The International Organization for Standardization ISO/IEC FCD
19792 [5] has listed several threats and vulnerabilities of biometric
systems. In addition to the threats addressed by Maltoni et al., the ISO
standard addresses other typical threats related to system performance and
the quality of the acquired biometric raw data. It also addresses privacy
concerns when dealing with biometric systems, but does not propose a
security evaluation method of biometric systems. Its aims are to guide
230 Chapter Seven
evaluators by giving suggestions and recommendations that should be

taken into account during the evaluation process.
Dimitriadis et al. [118] present a security comparison study of several
biometric technologies to be used as an access control system for
stadiums. The presented method can easily be used for comparing
biometric systems, since it is a quantitative-based evaluation method.
However, extended research work should be done in order to take into
account the recent vulnerabilities of biometric systems (especially those
presented by the ISO/IEC FCD 19792 standard). The attack tree technique
introduced by Schneier et al. [119] provides a structure tree to conduct
security analysis of protocols, applications, and networks. However, attack
trees are dependent on the intended system and its context of use.
Therefore, this technique is infeasible as a generic evaluation purpose.
Matyás and RÍha [120] categorise biometric systems according to level of
security. However, their model cannot be considered discriminative when
comparing the security level of biometric systems.
Security EvaBio by El-Abed et.al. [121] is a web-based automated
evaluation platform evaluating the security and privacy aspects of
biometric authentication systems. The aim of the platform is twofold:
First, it allows researchers in biometrics to easily evaluate their developed
systems using the presented security assessment method. Second, it aims
to enhance the presented database of common threats and vulnerabilities of
biometric systems, based on researcher feedbacks. To the best to our

knowledge, it is the only online evaluation platform for the security and
privacy assessment of biometric systems. We present this platform in the
next section.
5 Security EvaBio Platform

Security EvaBio [121] is an online evaluation tool for the security and
privacy assessment of biometric systems. A snapshot of this tool is given
in Figure 4. The tool implements a quantitative-based assessment method
based on a database of common threats and vulnerabilities of biometric
systems, and the notion of risk factors. The principle of the proposed
approach contains four steps as detailed below; study of the context,
expression of security needs, risk analysis, and security index. We present
in Sections 5.1, 5.2, 5.3 and 5.4 the four mentioned steps, followed by the
database of common threats and vulnerabilities of biometric systems in
Section 5.5. A comparison study of two different biometric systems is
presented in Section 6 to clarify the relevance of Security EvaBio
assessment tool.
Figure 4. Security EvaBio on-line evaluation tool accessible through the following
link: http://www.epaymentbiometrics.ensicaen.fr/securityEvaBio/
232 Chapter Seven
5.1 Study of the Context

The first step consists of identifying the utility and characteristics of the
target system. This step also consists of detailing its different components
and essential elements (known by assets). Using the generic architecture of
biometric systems by Ratha et al. as illustrated in Figure 2, the identified
assets to be protected are divided into three types as presented in Table 1;
information (I_), a function (F_) and a material (M_).
Table 1. The identified assets of a generic biometric system.
Reference Description
I_DATA_BIO Acquired biometric raw data
I_TEMPLATE User template
I_DECISION System decision (yes or no)
F_EXTRACTION Processing data function implemented on the feature
extractor component
F_MATCHER Matcher function between the acquired biometric
data and its corresponding template
M_SENSOR Biometric sensor
M_COMPONENT Materials in which the F_EXTRACTION and
F_MATCHER are implemented
M_BD Storage medium of the biometric templates

M_CHANNELS Transmission channels connecting the different
components of the target system
5.2 Expression of Security Needs

After describing the target system, the next step consists of identifying the
security requirements that will contribute to the risk assessment process.
As with any information technology (IT) system, these requirements
should include confidentiality (C), integrity (I), availability (D) and
authenticity (A). In the context of biometric systems, confidentiality
ensures the privacy and civil liberties of its intended users, whereas
authentication is the main functionality of biometric systems.
Security needs of biometric systems include the confidentiality and the
integrity of the biometric data I_DATA_BIO and I_TEMPLATE, which
are particularly important in a privacy context. Security also needs to
include the availability on M_SENSOR, M_CHANNELS, I_TEMPLATE
and F_EXTRACTION. Finally, the authenticity on I_DECISION is
directly related to the functionality of a biometric system. These security
requirements are necessary, in order to ensure the security of the biometric

system.
5.3 Risk Analysis

Risk analysis is essential to ensure the proper functionality of any IT
system. It is generally realized within two approaches; quantitative or
qualitative approaches. A comparative study of both approaches
(advantages and limitations) is presented in [122]. Security EvaBio
implements a quantitative approach based on the notion of risk factors.
The choice of the approach is made on the basis of the level of difficulty
when evaluating a biometric system. It has also become exploitable during
the risk reduction process. A risk factor for each identified threat and
vulnerability is considered as an indicator of its importance. The
computation of risk factors is given in Sections 5.3.1 (identified threats)
and 5.3.2 (retained vulnerabilities).
5.3.1 Risk Factor Computation of the Identified Threats
The risk factor computation of each identified threat uses a quantitative

approach based on the multi-criteria analysis [123]. More generally
speaking, two criteria are used for the risk factor computation of each
identified threat (‫ ݎ݋ݐ݂ܿܽ݇ݏ݅ݎ‬ൌ ݂ଵ ൈ ݂ଶ ):
x Impact ( ݂ଵ ): Represents the impact of the threat in terms of

criticality. This is defined between Ͳ and ͳͲ (the highest score ͳͲ
corresponds to a critical attack). This factor is arbitrarily fixed
according to the four security requirements (confidentiality,
integrity, availability and authenticity) presented in Section 5.2.
The impact (݂ଵ ) of threats affecting the confidentiality property is
penalized more since such threats affect the privacy and civil
liberties of legitimate users.
x Easiness ( ݂ଶ ): Represents the easiness with which to make a
successful attack. This is defined between Ͳ and ͳͲ (the lowest
score Ͳ corresponds to an impossible attack, while the highest score
ͳͲ corresponds to an easy attack). This factor is arbitrarily fixed
using two types of information; first, the weakness of the target
system (e.g., weakness related to its architecture), second, the cost
in terms of specific equipment and required expertise with which to
implement the attack.
234 Chapter Seven
5.3.2 Risk Factor Computation of the Vulnerabilities
For the three retained system overall vulnerabilities (see Section 5.5.2), the
tool uses a set of rules for the risk factor computation process, as depicted
in Table 2. For system performance vulnerability, EER is multiplied by ʹ,
since a biometric system providing a performance measure (such as the
Equal Error Rate EER) more than or equal to ͷͲ is not usable. For such
systems, the risk factor is rated to the highest scoreͳͲͲ. For the quality
aspect, there are four rules according to whether the system implements
quality checking during the enrollment step. For template database
protection, there also exists a set of rules according to whether the system
implements protection mechanisms (such as encryption schemes,
cancellable techniques, etc.).
Table 2. General scheme of risk computation for the system overall

vulnerabilities
Point Rules Risk factor

9 Sufficient panel of users ʹ ൈ ‫ܴܧܧ‬
10 x Multiple captures with quality Ͳ
assessment ͶͲ
x One capture with quality assessment ͸Ͳ
x Multiple captures without quality ͳͲͲ

assessment
x One capture without quality
assessment
11 x Secure database and local storage Ͳ
x Secure database and central storage ͶͲ
x Unsecure database and local storage ͸Ͳ
x Unsecure database and central ͳͲͲ
storage
5.4 Security Index

Security EvaBio uses the notion of the area under the curve resulting from
the retained risk factors, so to compute the security index of the target
system, calculated using the trapezoid rule. The main benefit of using this
approach is that it accounts for all the risks of a biometric system and their
relationships in the processing chain. The security index of the target
system is then defined as follows:
೙
஺௎஼൫௙ሺ௫ሻ൯ ‫׬‬భ ௙ሺ௫ሻௗ௫
‫ ݔ݁݀݊ܫ‬ൌ ߙ ൬ͳ െ ൰ ൌ ߙ ൬ͳ െ ೙ ൰
஺௎஼൫௚ሺ௫ሻ൯ ‫׬‬భ ௚ሺ௫ሻௗ௫
(1)
where ߙ ൌ ͳͲͲ , ݊ ൌ ‫ ݎ‬൅ ‫ ݏ‬with ‫ ݎ‬being the number of locations of
possible attacks in a generic biometric system, and ‫ ݏ‬being the number of
the retained system overall vulnerabilities (in the presented method, ‫ ݎ‬ൌ ͺ
and ‫ ݏ‬ൌ ͵); ݂ሺ‫ݔ‬ሻ is the curve resulting from the set of risk factors retained
from the ݊ points (the maximal risk factor is retained from each point);
and ݃ሺ‫ݔ‬ሻ is the curve resulting from the highest risk factors from each
point (according to our model, they are equal to ͳͲͲ). The use of the
security index for comparing and evaluating biometric systems is as
follows; the nearer the index is to ͳͲͲ, the better the robustness of the
target system against attacks.
5.5 Database of Common Threats and Vulnerabilities

The database of common threats and vulnerabilities used by Security
EvaBio is presented in this section. The presented database is collected due
to the results of desk research at the GREYC research laboratory, and
takes into account the known threats presented in previous work (such as
that presented in [124, 125]). The database follows the concerns and the
recommendations presented by the International Organization for
Standardization ISO/IEC FCD 19792 [5]. It is mainly divided into two

categories; system threats (Section 5.5.1) and system overall
vulnerabilities (Section 5.5.2).
5.5.1 System Threats
The presented threats are related to the locations of possible attacks in a

generic biometric system, as illustrated in Figure 2. Each threat is
presented in the following form: “Description,” which defines the threat,
and “Affect,” which describes which couples (security requirement on
asset) will be affected in the case of a successful attack. This
representation automatically allows Security EvaBio to compute the risk
factor of each identified threat during the evaluation process.
236 Chapter Seven
Table 3. Attacks on point 1. Sensor
Attack Description
‫ܣ‬ଵଵ Attacker presents fake biometric data to the sensor (e.g.,
prosthetic fingers created out of latex). Such attacks are called
spoofing.
Affect: Authenticity on I_DECISION
‫ܣ‬ଵଶ Attacker exploits the similarity of blood relationship to gain
access (e.g., case of identical twins and biometric systems using
specific modalities such as face).
‫ܣ‬ଵଷ Authorized users willingly provide their biometric sample to
attacker.
‫ܣ‬ଵସ Attacker provides own biometric sample as a zero-effort
attempt to impersonate an authorized user.
‫ܣ‬ଵହ Attacker exploits a residual biometric image left on the sensor
to impersonate the last authorized user.
Affect: Confidentiality on I_DATA_BIO; Authenticity on
I_DECISION
‫ܣ‬ଵ଺ Attacker physically destroys the biometric sensor to render it
unoperable.
Affect: Availability on M_SENSOR
Table 4. Attacks on points 2 and 4. Transmission channels.
Attack Description
‫ܣ‬ଶସଵ The attacker intercepts an authorized biometric sample from a
communication channel in order to be replayed (replay attack),
bypassing the biometric sensor, at another time for gaining
access.
Affect: Confidentiality on I_DATA_BIO; Authenticity on
I_DECISION
‫ܣ‬ଶସଶ The attacker cuts the communication link in order to make the
system unavailable to its intended authorized users (Denial of
Service attack).
Affect: Availability on M_CHANNELS
‫ܣ‬ଶସଷ The attacker alters the transported information from a

communication channel in order to deny legitimate users to be
authenticated (Denial of Service attack).
Affect: Integrity on I_DATA_BIO; Integrity on
M_CHANNELS
‫ܣ‬ଶସସ The attacker attempts continuously to enter the system (known
as hill-climbing attack), the input image/template is
conveniently modified until a desired matching score is
attained. The attempts are made, by injecting samples on the
communication link, to the feature extractor input (image) or
the matcher input (template).
‫ܣ‬ଶସହ The attacker continuously injects samples in order to deny the
legitimate users access to the system (Denial of Service attack).
Table 5. Attacks on points 3 and 5. Software components.
Attack Description
‫ܣ‬ଷହଵ Biometric system components may be replaced with a Trojan
horse program that functions according to its designers'
specifications.
Affect: Confidentiality on I_DATA_BIO; Confidentiality on

I_TEMPLATE; Availability on F_EXTRACTION; Availability
on F_MATCHER
Table 6. Attacks on points 6. Template database.
Attack Description
‫଺ܣ‬ଵ The attacker illegally reads the biometric templates.
Affect: Confidentiality on I_TEMPLATE; Authenticity on
I_DECISION
‫଺ܣ‬ଶ The attacker modifies (adding, replacing, or suppressing)
biometric templates from storage.
Affect: Availability on I_TEMPLATE; Integrity on
I_TEMPLATE
238 Chapter Seven
Table 7. Attacks on points 7. Transmission channel.
Attack Description
‫଻ܣ‬ଵ The attacker reads biometric templates from a communication
channel in order to replay them (replay attack).
Affect: Confidentiality on I_TEMPLATE; Authenticity on
I_DECISION
‫଻ܣ‬ଶ The attacker alters the transported information from a
communication channel in order to deny legitimate users access
to the system (Denial of Service attack).
Affect: Integrity on I_TEMPLATE; Integrity on
M_CHANNELS
‫଻ܣ‬ଷ The attacker cuts the communication link in order to make the
Service attack).
Table 8. Attacks on points 8. Transmission channel.
Attack Description
‫଼ܣ‬ଵ The attacker alters the transported information (yes or no) in
order to deny access to a legitimate user, or even to allow
access to an impostor.
Affect: Integrity on I_DECISION; Authenticity on
I_DECISION
‫଼ܣ‬ଶ The attacker cuts the communication link in order to make the
Service attack).
5.5.2 System Overall Vulnerabilities
Three additional points to Ratha’s work are considered on the global

system overall vulnerabilities.
x Point 9. Performance limitations

By contrast to traditional authentication methods based on “what we
know” or “what we own” (Ͳ comparison error), biometric systems are
subject to errors such as False Acceptance Rate (FAR) and False Rejection
Rate (FRR). This inaccuracy, illustrated by statistical rates, has potential
implications regarding the level of security provided by a biometric
system. Doddington et al. [126] places users into four categories; sheep,
lambs, goats and wolves. The sheep correspond to users who are easily
recognized (contribute to a low FRR). The lambs correspond to users who
are easy to imitate (contribute to a high FAR). The goats represent users
who are difficult to recognize (contribute to a high FRR). The wolves
represent users who have the capability to spoof the biometric
characteristics of other users (contribute to a high FAR). Thus, a poor
biometric in terms of performance may be easily attacked by lamb and
wolf users.
x Point 10. Quality limitations during the enrollment process

The quality of the acquired biometric samples is considered an important
factor during the enrollment process. It is a generic organizational
perspective in the deployment of the biometric system. The absence of a
quality test increases the possibility of enrolling authorized users with
weak templates. Such templates increase the probability of success of a
zero-effort impostor, hill-climbing, and brute force attempts.
x Point 11. Protection schemes of the biometric templates

The use of biometric systems presents privacy concerns. The storing of
biometric data in a central database is considered a violation of civil
liberties. Biometric template security is becoming a major concern in
biometrics, as compromised templates cannot be revoked and reissued.
6 Security EvaBio Assessment

The security and privacy assessment of two different biometric
systems is presented in this section, so to clarify the relevance of the
Security EvaBio platform. The first is a keystroke dynamics application,
developed in the GREYC research laboratory [127], while the second is a
commercial fingerprint lock that manages physical access.
The architecture and the main characteristics of the keystroke
dynamics system are as follows:
x The system implements a score-based method and provides an EER

of ͳ͹Ǥͷͳ%.
x System architecture is not distributed (all system components
including the template database are implemented within the same
PC).
x There is no data protection nor encryption schemes applied on the
template database.
240 Chapter Seven
x There is no quality check during the enrollment phase.

x The used PC is connected to the Internet.
For the fingerprint lock system:
x The system provides an EER of ͲǤͳ%.
x There is no data protection nor is an encryption scheme applied on
the template database, but it is physically protected.
x System architecture is not distributed (all system components
including template databases are implemented within the same
device).
x The device is not connected to the Internet and there is no USB
port.
x There is no quality check during enrolment phase.
x The device power supply is Ͷ ൈ ͳǤͷV AA batteries with a life span
of ͳ െ ʹ years.
Tables 9 and 10 present the risk analysis of both target systems. For the
“Impact” and “Easiness” criteria (݂ଵ and ݂ଶ , respectively), we have used
the symbol “െ” in the last three lines, since the corresponding risk factors
are computed according to the set of rules presented in Table 2. Here we
present the main findings from these tables:
x From Table 9, we have identified three threats on the sensor, such

as the ‫ܣ‬ଵ଺ threat. For this threat, the ݂ଵ criterion is automatically

rated by the platform to the value ʹ, since such threat does not
affect the “confidentiality” property. For the ݂ଶ criterion, we have
rated it (using the ten-point Likert-type scale) at ͳͲ, since there is
no physical protection of the keyboard.
x From Table 9, we have identified five threats on the transmission
channel between the sensor and feature extractor module, such as
the ‫ܣ‬ଶସଵ threat. For this threat, the ݂ଵ criterion is automatically
rated by the platform at a value of ͺ, since such threat affects the
“confidentiality” property. For the ݂ଶ criterion, we have rated it at
͸, since an attacker may install a keylogger in order to perform a
replay attack.
x From Tables 9 and 10, the threat ‫ܣ‬ଵହ has been identified as
common on both systems. The impact of this threat on the
fingerprint system is much higher than GREYC-Keystroke, since it
is more embarrassing to have a fingerprint image than to have
timing information regarding end-user privacy. For the ݂ଶ criterion,
many studies show that this threat can be more easily performed on
a fingerprint system than a keystroke dynamics system. This

explains why we obtained a risk factor in the fingerprint system
higher than GREYC-Keystroke.
Table 9. Security analysis of GREYC-Keystroke (C: Confidentiality,

I: Integrity, D: Availability, A: Authenticity).
Point Attack C I D A ݂ଵ ݂ଶ Risk

1 ‫ܣ‬ଵସ ൈ ͸ ʹ ͳʹ
‫ܣ‬ଵ଺ ൈ ʹ ͳͲ ʹͲ
‫ܣ‬ଵହ ൈ ൈ ͺ ͵ ʹͶ
2 ‫ܣ‬ଶସହ ൈ ʹ ͸ ͳʹ
‫ܣ‬ଶସଷ ൈ ʹ ͸ ͳʹ
‫ܣ‬ଶସଶ ൈ ʹ ͳͲ ʹͲ
‫ܣ‬ଶସସ ൈ ͸ Ͷ ʹͶ
‫ܣ‬ଶସଵ ൈ ൈ ͺ ͸ Ͷͺ
3 ‫ܣ‬ଷହଵ ൈ ൈ ͺ ͸ Ͷͺ
5 ‫ܣ‬ଷହଵ ൈ ൈ ͺ ͸ Ͷͺ
6 ‫଺ܣ‬ଶ ൈ ൈ ͺ Ͷ ͵ʹ
‫଺ܣ‬ଵ ൈ ൈ ͺ ͸ Ͷͺ
7 ‫଻ܣ‬ଶ ൈ ʹ ͸ ͳʹ
‫଻ܣ‬ଷ ൈ ʹ ͳͲ ʹͲ
‫଻ܣ‬ଵ ൈ ൈ ͺ ͸ Ͷͺ
8 ‫଼ܣ‬ଶ ൈ ʹ ͳͲ ʹͲ
‫଼ܣ‬ଵ ൈ ൈ ͸ ͸ ͵͸
9 Performance ൈ െ െ ͵ͷǤͲʹ
10 Multiple captures ൈ െ െ ͸Ͳ
without quality
assessment
11 Unsecure database and ൈ ൈ ൈ ൈ െ െ ͳͲͲ
central storage
242 Chapter Seven
Table 10. Security analysis of the fingerprint lock system (C:

Confidentiality, I: Integrity, D: Availability, A: Authenticity).
Point Attack C I D A ݂ଵ ݂ଶ Risk

1 ‫ܣ‬ଵ଺ ൈ ʹ ͳͲ ʹͲ
‫ܣ‬ଵଵ ൈ ͸ ͺ Ͷͺ
‫ܣ‬ଵଷ ൈ ͸ ͺ Ͷͺ
‫ܣ‬ଵହ ൈ ൈ ͳͲ ͸ ͸Ͳ
9 Performance ൈ െ െ ͲǤʹ
10 Multiple captures ൈ െ െ ͸Ͳ
without quality
assessment
11 Unsecure database and ൈ ൈ ൈ ൈ െ െ ͳͲͲ
central storage
Figure 5 illustrates a comparative study (of the maximal value of risk

factor at each location) between both systems. From this study, we can
conclude as follows: the fingerprint lock system is much more vulnerable
at location 1 than the keystroke dynamics system, the keystroke dynamics
system is much more vulnerable at locations 2, 3, 5, 6, 7, 8 and 9 than the
fingerprint lock system, and both systems are not vulnerable at location 4.
Figure 5. A comparative illustration of both systems among the 11 tested points.
Using Equation 1, the security index (total risk) of the keystroke dynamics
system is equal to ͷ͸Ǥ͹, while for the fingerprint lock system it is equal to
ͺ͸. These indices show clearly that the overall security of the keystroke
system is less important than the fingerprint lock system against attacks.
Because the fingerprint lock system is a black box, we cannot say much
for different locations. Despite that we have not presented security
problems for these locations, the possibility of attackers locating these still
remains high, building on techniques of reverse engineering (hardware and
software). However, the use of the commercial system in this study was
taken as an illustration case for the comparison. More generally, during the
security evaluation process of an IT system, system designers should
provide all the details/characteristics of the intended system for evaluators.
7 Future Trends
We focus in this section in presenting some of the recently used techniques
so to improve the robustness of biometric systems against attacks.
7.1 Multibiometrics
Multibiometric authentication systems use multiple biometric sources in
order to recognize a person. These systems are gaining popularity since
they provide better performance and larger population coverage compared
to classical biometric systems [128]. Besides enhancing matching
performance, these systems are considered to be promising against spoof
attacks that are commonly encountered in classical biometric systems, as
shown in this chapter.
7.2 Biometric Information Protection

Secure biometric information storage is critical since, once revealed, they
would allow an attacker to obtain sufficient information to impersonate a
genuine user. This is considered as a challenging issue because it is
difficult to guarantee that a storage device (such as a server or smart card)
can never be compromised, and once compromised, user templates cannot
be revoked like passwords. The International Standard ISO 24745 [86]
aims to present the potential threats and requirements with respect to
confidentiality, integrity, availability and renewability of biometric
templates during storage and transmission. In addition, some work exists
that deals with biometric data protection, such as applying a BioHashing
scheme [129].
244 Chapter Seven
References
[1] A. K. Jain, S. Pankanti, S. Prabhakar, L. Hong, and A. Ross,
“Biometrics: A grand challenge,” International Conference on Pattern
Recognition (ICPR), vol. 2, pp. 935 - 942, 2004.
[2] Y. Chen and A. Jain, “Beyond minutiae: A fingerprint individuality
model with pattern, ridge and pore features,” in International
Conference on Biometrics (ICB), pp. 523 - 533, 2009.
[3] R. Giot, M. El-Abed, and C. Rosenberger, “Keystroke dynamics with
low constraints SVM based passphrase enrollment,” in IEEE Third
International Conference on Biometrics: Theory, Applications and
Systems (BTAS), pp. 425 - 430, 2009.
[4] M. Hashiyada, “Development of biometric dna ink for authentication
security,” Tohoku Journal of Experimental Medicine, pp. 109 - 117,
2004.
[5] ISO/IEC FCD 19792, “Information technology - security techniques -
security evaluation of biometrics,” 2008.
[6] CC, “Common Criteria for Information Technology Security
Evaluation,” 1999.
[7] V. Ruiz-Albacete, P. Tome-Gonzalez, F. Alonso-Fernandez, J.
Galbally, J. Fierrez, and J. Ortega-Garcia, “Direct attacks using fake
images in iris verification,” in Biometrics and Identity Management,
pp. 181 - 190, 2008.

[8] M. El-Abed, C. Charrier, and C. Rosenberger, New Trends and
Developments in Biometrics, ch. “Evaluation of Biometric Systems”,
pp. 149 - 169. InTech, 2012.
[9] N. K. Ratha, J. H. Connell, and R. M. Bolle, “An analysis of minutiae
matching strength,” in Audio- and Video-Based Biometric Person
Authentication, pp. 223 - 228, 2001.
[10] N. Kose and J.-L. Dugelay, “On the vulnerability of face recognition
systems to spoofing mask attacks,” in ICASSP 2013, IEEE
International Conference on Acoustics, Speech, and Signal Processing,
2013.
[11] M-M. Chakka, A. Anjos, and S. Marcel. “Competition on counter
measures to 2d facial spoofing attacks”. In IEEE/IAPR International
Joint Conference on Biometrics (IJCB), 2011.
[12] A. Hadid and M. Pietikäinen. “Face spoofing detection from single
images using texture and local shape analysis”. IET Biometrics, 1:
pages 3-10, 2012.
[13] N. Kose and J.-L. Dugelay. “Classification of captured and recaptured

images to detect photograph spoofing”. In IEEE/IAPR International
Conference on Informatics, Electronics & Vision (ICIEV), 2012.
[14] T. Matsumoto. “Artificial fingers and irises: importance of
vulnerability analysis”. In 7th International Biometrics Conference,
2004.
[15] T. Matsumoto. “Assessing the security of advanced biometric
systems: finger, vein and iris”. In 10th International Biometrics
Conference, 2007.
[16] X. He, Y. Lu, and P. Shi. “A fake iris detection method based on fft
and quality assessment”. In Chinese Conference on Pattern
Recognition, pp. 316-319, 2008.
[17] Y. Yamazaki, A. Nakashima, K. Tasaka, and N. Komatsu, “A Study
on Vulnerability in On-line Writer Verification System,” in Eighth
International Conference on Document Analysis and Recognition,
2005.
[18] J. Lindberg and M. Blomberg. “Vulnerability in speaker verification -
a study of technical impostor techniques”. In European Conference on
Speech Communication and Technology, pp. 1211-1214, 1999.
[19] T. Masuko, T. Hitotsumatsu, K. Tokuda, and T. Kobayashi. “On the
security of hmm-based speaker verification systems against imposture
using synthetic speech”. In Sixth European Conference on Speech
Communication and Technology (EUROSPEECH), 1999.

[20] P. Perrot, G. Aversano, R. Blouet, M. Charbit, and G. Chollet. “Voice
forgery using alisp : Indexation in a client memory”. In IEEE
International Conference on Acoustics, Speech, and Signal Processing
(ICASSP), volume 1, pp. 17-20, 2005.
[21] J.-F. Bonastre, D. Matrouf, and C. Fredouille. “Artificial impostor
voice transformation effects on false acceptance rates”. In 8th Annual
Conference of the International Speech Communication Association
(ISCA), Interspeech, pp. 2053-2056, 2007.
[22] P.L. De Leon, V.R. Apsingekar, M. Pucher, and J. Yamagishi.
“Revisiting the security of speaker verification systems against
imposture using synthetic speech”. In IEEE International Conference
on Acoustics Speech and Signal Processing (ICASSP), pp. 1798-1801,
2010.
[23] T. Kinnunen, Z. Wu, K.A. Lee, F. Sedlak, E.S. Chng, and H. Li.
“Vulnerability of speaker verification systems against voice conversion
spoofing attacks: the case of telephone speech”. In IEEE International
Conference on Acoustics, Speech, and Signal Processing (ICASSP),
pp. 4401-4404, 2012.
246 Chapter Seven
[24] F. Alegre, R. Vipperla, N. Evans, and B. Fauve. “On the vulnerability

of automatic speaker recognition to spoofing attacks with artificial
signals”. In 20th European Signal Processing Conference (EUSIPCO),
pp. 36-40, 2012.
[25] B. Geller, J. Almog, P. Margot, and E. Springer. “A chronological
review of fingerprint forgery”. Journal of Forensic Science, 44(5) : pp.
963-968, 1999.
[26] T. Matsumoto. “Gummy and conductive silicone rubber fingers”. In
8th International Conference on the Theory and Application of Cryp-
tology and Information Security (Asiacrypt), pp. 574-576. Lecture
Notes in Computer Sciences, 2002.
[27] Y. Endo and T. Matsumoto. “Can we make artificial fingers that fool
fingerprint systems ?” In Computer Security Symposium, 2002.
[28] J. Galbally, R. Cappelli, A. Lumini, D. Maltoni, and J. Fiérrez. “Fake
fingertip generation from a minutiae template”. In 19th International
Conference on Pattern Recognition (ICPR), pp. 1-4, 2008.
[29] T. van der Putte and J. Keuning, “Biometrical fingerprint recognition:
Don't get your fingers burned,” in Proceedings of CARDIS, vol 180,
pp. 289 - 306, 2000.
[30] T. Matsumoto, H. Matsumoto, K. Yamada, and S. Hoshino, “Impact
of Artificial Gummy Fingers on Fingerprint Systems,” in SPIE, Optical
Security and Counterfeit Deterrence Techniques, 2002.
[31] C. Barral and A. Tria, “Fake fingers in fingerprint recognition:

Glycerin supersedes gelatin,” in Formal to Practical Security, LNCS
5458, pp. 57 - 69, 2009.
[32] R. Derakhshani, S.A.C. Schuckers, L.A. Hornak, and L.O. Gorman.
“Determination of vitality from a non-invasive biomedical
measurement for use in fingerprint scanners”. Pattern Recognition, 36:
pp. 383-396, 2003.
[33] A. Antonelli, D. Maio, and D. Maltoni. “Fake finger detection by skin
distortion analysis”. IEEE Transactions on Information Forensics and
Security, 1(3): pp. 360-373, 2006.
[34] P. Coli, G. Marcialis, and F. Roli. “Vitality detection from fingerprint
images : A critical survey”. In Advances in Biometrics, International
Conference (ICB), volume 4642, pp. 722-731. Lecture Notes in
Computer Sciences, 2007.
[35] C. Barral and A. Tria, “Fake fingers in fingerprint recognition:
Glycerin supersedes gelatin,” in Formal to Practical Security, LNCS
5458, pp. 57 - 69, 2009.
[36] A. Franco and D. Maltoni, Advances in Biometrics: Sensors, Systems

and Algorithms, Ch. “Fingerprint Synthesis and Spoof Detection”,
2007.
[37] G. Marcialis, P. Coli, and F. Roli. “Fingerprint liveness detection
based on fake finger characteristics”. International Journal of Digital
Crime and Forensics (IJDCF), 4(3): pp. 1-19, 2012.
[38] T. Satoh, T. Masuko, T. Kobayashi, and K. Tokuda. “Imposture using
synthetic speech against speaker verification based on spectrum and
pitch”. In Eurospeech, volume 2, pp. 302–305, 2001.
[39] C.C. Chibelushi, F. Deravi, and J.S.D. Mason. “A review of speech-
based bimodal recognition”. IEEE Transactions on Multimedia, 4(1):
pp. 23-37, 2002.
[40] G. Chetty and M. Wagner. “Liveness verification in audio-video
speaker authentication”. In International Conference on Spoken
Language Processing (ICSLP), 2004.
[41] E.A. Rua, C.G. Mateo, H. Bredin, and G. Chollet. “A liveness
detection using coupled hidden markov models”. In Spanish Workshop
on Biometrics, 2007.
[42] P.L. De Leon, I. Hernaez, I. Saratxaga, M. Pucher, and J. Yamagishi.
“Detection of synthetic speech for the problem of imposture”. In IEEE
International Conference on Acoustics, Speech, and Signal Processing
(ICASSP), pp. 4844–4847, 2011.
[43] F. Alegre, R. Vipperla, and N. Evans. “Spoofing countermeasures for

the protection of automatic speaker recognition from attacks with
artificial signals”. In Interspeech, 13th Annual Conference of the
International Speech Communication Association (ISCA), 2012.
[44] K. Kollreider, H. Fronthaler, M.I. Faraj, and J. Bigun. “Real-time face
detection and motion analysis with application in liveness assessment”.
IEEE Transactions on Information Forensics and Security, 2(3-2): pp.
548-558, 2007.
[45] K. Kollreider, H. Fronthaler, and J. Bigun. “Verifying liveness by
multiple experts in face biometrics”. In Computer Vision and Pattern
Recognition (CVPR), Workshop on Biometrics, pp. 1- 6, 2008.
[46] U.L. Sindhu, A. Asha, S. Suganya, and M. Vinodha. “Face
recognition in online using image processing”. International Journal of
Communication and Computer Technologies, 2(13), 2014.
[47] J. Komulainen, A. Hadid, and M. Pietikäinen. “Context based face
anti-spoofing”. In IEEE International Confernce on Biometrics:
Theory, Applications and Systems (BTAS), 2013.
248 Chapter Seven
[48] T.-F. Pereira, J. Komulainen, A. Anjos, J.-M. De Martino, A. Hadid,

M. Pietikäinen, and S. Marcel. “Face liveness detection using dynamic
texture”. EURASIP Journal of Image and Video Processing, 2, 2014.
[49] J. Galbally, R. Cappelli, A. Lumini, G. Gonzalez-de Rivera, D.
Maltoni, J. Fierrez, J. Ortega-Garcia, and D. Maio, “An evaluation of
direct attacks using fake fingers generated from ISO templates,”
Pattern Recognition Letters, vol. 31, pp. 725 - 732, 2010.
[50] R. Cappelli, A. Lumini, D. Maio, and D. Maltoni. Fingerprint image
reconstruction from standard templates. IEEE Transactions on Pattern
Analysis and Machine Intelligence, 29(9):1489-1503, 2007.
[51] R. Cappelli, A. Lumini, D. Maio, and D. Maltoni. “Evaluating
minutiae template vulnerability to masquerade attack”. In IEEE
AutoID, pp. 174-179, 2007.
[52] R. Cappelli, A. Lumini, D. Maio, and D. Maltoni. “Fingerprint image
reconstruction from standard templates”. IEEE Transactions on Pattern
Analysis and Machine Intelligence, 29(9): pp. 1489–1503, 2007.
[53] A. Ross, J. Shah, and A.K. Jain. “From template to image:
Reconstructing fingerprints from minutiae points”. IEEE Transactions
on Pattern Analysis and Machine Intelligence, 29(4): pp. 544–560,
2007.
[54] J. Feng and A.K. Jain. “Fingerprint reconstruction: From minutiae to
phase”. IEEE Transactions on Pattern Analysis and Machine
Intelligence, 33(2): pp. 209–223, 2011.

[55] Z. Wei, X. Qiu, Z. Sun, and T. Tan. “Counterfeit iris detection based
on texture analysis”. In 19th International Conference on Pattern
Recognition (ICPR), pp. 1–4, 2008.
[56] V. Ruiz-Albacete, P. Tome-Gonzalez, F. Alonso-Fernandez, J.
Galbally, J. Fiérrez-Aguilar, and J. Ortega-Garcia. “Direct attacks
using fake images in iris verification”. In Biometrics and Identity
Management, First European Workshop (BIOID), pp. 181–190.
Lecture notes in Computer Sciences, 2008.
[57] V. Testoni and D. Kirovski. “On the inversion of biometric template
by an example”. In IEEE International Conference on Acoustics
Speech and Signal Processing (ICASSP), pp. 1830–1833, 2010.
[58] M. Gomez-Barrero, J. Galbally, J. Fiérrez, J. Ortega-Garcia, A.
Morales, and M.-A. Ferrer. “Inverse biometrics: A case study in hand
geometry authentication”. In 21st International Conference on Pattern
Recognition (ICPR), pp. 1281–1284, 2012.
[59] M. Gomez-Barrero, J. Galbally, A. Morales, M.-A. Ferrer, J. Fiérrez,
and J. Ortega-Garcia. “A novel hand reconstruction approach and its
application to vulnerability assessment”. Inf. Sci., 268: pp. 103–121,

2014.
[60] M. Potzsch, T. Maurer, L. Wiskott, and C. von-der Malsburg.
“Reconstruction from graphs labeled with responses of gabor filters”.
In International Conference of Artificial Neural Networks, pp. 845-
850, 1996.
[61] P.C. Yuen Y.C. Feng. “Vulnerabilities in binary face template”. In
IEEE Computer Society Conference on Computer Vision and Pattern
Recognition (CVPR) Workshops, pp. 105–110, 2012.
[62] C. Soutar, “Biometric system security”, 2002.
[63] C. Soutar, R. Gilroy, and A. Stoianov. “Biometric system
performance and security”. In IEEE Automatic Identification
Advanced Technologies, 1999.
[64] U. Uludag and A. K. Jain, “Attacks on biometric systems: A case
study in fingerprints,” in Proc. SPIE-EI 2004, Security, Seganography
and Watermarking of Multimedia Contents VI, vol. 5306, pp. 622 -
633, 2004.
[65] M. Martinez-Diaz, J. Fierrez-Aguilar, F. Alonso-Fernandez, J.
Ortega-Garcia, and J. Siguenza, “Hill-climbing and brute-force attacks
on biometric systems: A case study in match-on-card fingerprint
verification,” in Carnahan Conferences Security Technology, pp. 151 -
159, 2006.
[66] M. Martinez-Diaz, J. Fierrez, J. Galbally, and J. Ortega-Garcia, “An

evaluation of indirect attacks and countermeasures in fingerprint
verification systems,” Pattern Recognition Letters, vol. 32, pp. 1643 -
165, 2011.
[67] M. Berthier, Y. Bocktaels, J. Bringer, H. Chabanne, T.Chouta, J.-L.
Danger, M. Favre, and T. Graba. “Studying potential side channel
leakages on an embedded biometric comparison system”, 2014.
[68] Y. Yamazaki, A. Nakashima, K. Tasaka, and N. Komatsu. “A study
on vulnerability in on-line writer verification system”. In International
Conference on Document Analysis and Recognition (ICDAR), pp.
640-644, 2005.
[69] D. Muramatsu. “Online signature verification algorithm using hill-
climbing method”. In IEEE/IFIP International Conference on
Embedded and Ubiquitous Computing, pp. 133-138, 2008.
[70] C. Rathgeb and A. Uhl. “Online signature verification algorithm
using hill-climbing method”. In International Conference on Pattern
Recognition (ICPR), 2010.
[71] M. Gomez-Barrero, J. Galbally, J. Fiérrez, and J. Ortega-Garcia.
“Hill-climbing attack based on the uphill simplex algorithm and its
250 Chapter Seven
application to signature verification”. In European workshop on

Biometrics and ID Management (BIOID), pp. 83-94, 2011.
[72] E. Argones, E. Maiorana, J.A. Castro, and P. Campisi. “Biometric
template protection using universal background models: An
application to online signature”. IEEE Transactions on Information
Forensics and Security, 7(1): pp. 269-282, 2012.
[73] E. Maiorana, G. Hine, and P. Campisi. “Hill-climbing attack:
Parametric optimization and possible countermeasures, an application
to on-line signature recognition”. In ICB, 2013.
[74] J. Galbally, J. Fierrez, and J. Ortega-Garcia, “Bayesian hill-climbing
attack and its application to signature verification,” in International
Conference on Biometrics (ICB), LNCS 4642, pp. 386 - 395, 2007.
[75] C. Rathgeb and A. Uhl. “Attacking iris recognition: an efficient hill-
climbing technique”. In International Conference on Pattern
Recognition (ICPR), pp. 1217-1220, 2010.
[76] P. T. Marta Gomez-Barrero, Javier Galbally and J. Fierrez, “On the
vulnerability of iris-based systems to a software attack based on a
genetic algorithm,” in CVIARP, 2012.
[77] J. Galbally, A. Ross, M. Gomez-Barrero, J. Fiérrez, and J. Ortega-
Garcia. “Iris image reconstruction from binary templates: An efficient
probabilistic approach based on genetic algorithms”. Computer Vision
and Image Understanding, 117(10): pp. 1512-1525, 2013.
[78] A. Adler. “Images can be regenerated from quantized biometric

match score data”. In Canadian Conference on Electrical and
Computer Engineering (CCECE), pp. 469-472, 2004.
[79] A. Adler. “Vulnerabilities in biometric encryption systems”. In 5th
International Conference Audio- and Video-Based Biometric Person
Authentication (AVBPA), pp. 1100-1109, 2005.
[80] P. Mohanty, S. Sarkar, and R. Kasturi. “From scores to face
templates: a model based approach”. IEEE Transactions on Pattern
Analysis and Machine Intelligence, 29(12): pp. 2065-2078, 2007.
[81] A. Adler, “Sample images can be independently restored from face
recognition templates”, Electrical and Computer Engineering, vol. 2,
pp. 1163 - 1166, 2003.
[82] J. Galbally, C. McCool, J. Fierreza, S. Marcel, and J. Ortega-Garcia,
“On the vulnerability of face verification systems to hill-climbing
attacks,” Pattern Recognition, Elsevier, 2010.
[83] M. Gomez-Barrero, J. Galbally, J. Fierrez, and J. Ortega-Garcia,
“Face verification put to test: A hill-climbing attack based on the
uphill-simplex algorithm,” in International Conference on Biometrics
(ICB), 2012.
[84] M. Gomez-Barrero, J. Gonzalez-Dominguez, J. Galbally, and J.

Gonzalez-Rodriguez. “Security evaluation of i-vector based speaker
verification systems against hill-climbing attacks”, 2013.
[85] A. Cavoukian and A. Stoianov, “Biometric encryption chapter from
the encyclopedia of biometrics,” 2009.
[86] ISO 24745, “Information technology - security techniques -
biometric information protection,” 2011.
[87] R. Belguechi, V. Alimi, E. Cherrier, P. Lacharme, and C.
Rosenberger. “An overview on privacy preserving biometrics”, 2011.
[88] Rathgeb and A. Uhl. “A survey on biometric cryptosystems and
cancelable biometrics”. EURASIP J. on Information Security, 3, 2011.
[89] K. Simoens, B. Yang, X. Zhou, F. Beato, C. Busch, E. M. Newton,
and B. Preneel. “Criteria towards metrics for benchmarking template
protection algorithms”. In Internacional Conference on Biometrics
(ICB), pp. 498–505, 2012.
[90] K. Simoens, J. Bringer, H. Chabanne, and S. Seys. “A framework for
analyzing template security and privacy in biometric authentication
systems”. IEEE Transactions on Information Forensics and Security,
7(2): pp. 833–841, 2012.
[91] A. Juels and M. Wattenberg. “A fuzzy commitment scheme”. In
ACM Conference on Computer and Communication Security (CCS),
pp. 28–36, 1999.
[92] M. Ao and S. Z. Li. “Near infrared face based biometric key binding”.
In 3rd International Conference on Biometrics (ICB), volume 5558, pp.
376–385. Lecture Notes in Computer Science, 2009.
[93] V. Tong, H. Sibert, J. Lecoeur, and M. Giraul. “Biometric fuzzy
extractors made practical: a proposal based on fingercodes”. In
International Conference on Biometrics (ICB), volume 4642. Lecture
Notes in Computer Sciences, 2007.
[94] F. Hao, R. Anderson, and J. Daugman. “Combining crypto with
biometrics effectively”. IEEE Transactions on Computers, 55(9): pp.
1081–1088, 2006.
[95] J. Bringer, H. Chabanne, G. Cohen, B. Kindarji, and G. Zémor.
“Optimal iris fuzzy sketches”. In IEEE International Conference on
Biometrics : Theory Applications and Systems (BTAS), pp. 27 - 29,
2007.
[96] A. Juels and M. Sudan. “A fuzzy vault scheme”. In IEEE
International Symposium on Information Theory (ISIT), 2002.
[97] A.K. Jain K. Nandakumar and S.C. Pankanti. “Fingerprint-based
fuzzy vault: Implementation and performance”. IEEE Transactions on
Information Forensics and Security, 2(4): pp. 744–757, 2007.
252 Chapter Seven
[98] C. Orencik, T. Brochmann Pederson, E. Savas, and M. Keskinoz.

“Improved fuzzy vault scheme for fingerprint verification”. In
International Conference on Security and Cryptography (SECRYPT),
pp. 37–43, 2008.
[99] Y.J. Lee, K. Bae, S.J. Lee, K.R. Park, and J. Kim. “Biometric key
binding: Fuzzy vault based on iris images”. In Second International
Conference on Biometrics (ICB), pp. 800-808, 2007.
[100] A. Nagar, K. Nandakuma, and A. K. Jain. “Multibiometric
cryptosystems based on feature-level fusion”. IEEE Transactions on
Information Forensics and Security, 7(1), 2012.
[101] K. Simoens, P. Tuyls, and B. Preneel, “Privacy weaknesses in
biometric sketches,” in IEEE symposium on Security and Privacy,
2009.
[102] M. Blanton and M. Aliasgari, “On the (non)-reusability of fuzzy
scketches and extractors and security in the computational setting,” in
Secrypt, 2001.
[103] A. Nagar, K. Nandakumar, and A. Jain, “Biometric template
transformation: A security analysis,” in Proceedings of SPIE,
Electronic Imaging, Media Forensics and Security XII, 2010.
[104] X.Zhou, A. Kuijper, and C. Busch, “Cracking iris fuzzy
commitment,” in International Conference on Biometrics (ICB), 2012.
[105] N. K. Ratha, J. H. Connell, and R. M. Bolle. “Enhancing security
and privacy in biometrics-based authentication systems”. IBM Systems

Journal, 40: pp. 614-634, 2001.
[106] M. Savvides and B.V.K. Vijaya Kumar. “Cancellable biometric
filters for face recognition”. In 17th International Conference on
Pattern Recognition (ICPR), volume 3, pp. 922-925, 2004.
[107] A.B.J. Teoh, D. Ngo, and A. Goh. “Biohashing: two factor
number”. Pattern recognition, 37(11): pp. 2245-2255, 2004.
[108] A.B.J. Teoh, Y. Kuan, and S. Lee. “Cancellable biometrics and
annotations on biohash”. Pattern recognition, 41: pp. 2034-2044, 2008.
[109] L. Nanni, S. Brahnam, and A. Lumini. “Biohashing applied to
orientation-based minutia descriptor for secure fingerprint
authentication system”. Electronics Letters, 47(15): pp. 851-853, 2011.
[110] P. Lacharme, E. Cherrier, and C. Rosenberger, “Preimage attack on
biohashing,” in Secrypt, 2013.
[111] M. Osadchy, B. Pinkas, A. Jarrous, and B. Moskovich. “Scifi - a
system for secure face identification”. In IEEE Symposium on Security
and Privacy (S & P), 2010.
[112] Y. Huang, J. Katz, L. Malka, and D. Evans. “Efficient privacy-

preserving biometric identification”. In Network and Distributed
System Security Conference (NDSS), 2011.
[113] M. Blanton and P. Gasti. “Secure and efficient protocols for iris and
fingerprint identification”. In 16th European Symposium on Research
in Computer Security (ESORICS), pp. 190-209. Lecture Notes in
Computer Sciences, 2011.
[114] J. Bringer, M. Favre, H. Chabanne, and A. Patey. “Faster secure
computation for biometric identification using filtering”. In 5th IAPR
International Conference on Biometrics (ICB), pp. 257-264, 2012.
[115] M. Pathak, B. Raj, S. Rane, and P. Smaragdis. “Privacy-preserving
speech processing”. IEEE Signal Processing Magazine, 30(2): pp. 62–
74, 2013.
[116] D. Maio, D. Maltoni, R. Capelli, A. Franco, M. Ferrara, and F.
Turroni, “FVC-onGoing: on-line evaluation of fingerprint recognition
algorithms,” 2013.
[117] D. Petrovska and A. Mayoue, “Description and documentation of
the BioSecure software library,” tech. rep., BioSecure, 2007.
[118] C. Dimitriadis and D. Polemi, “Application of multi-criteria analysis
for the creation of a risk assessment knowledgebase for biometric
systems,” in international conference on biometric authentication
(ICB), vol. 3072, pp. 724 - 730, 2004.
[119] B. Schneier, “Attack trees,” Dr. Dobb's Journ. of Softw. Tools,

1999.
[120] V. Matyás and Z. RÍha, “Biometric authentication - security and
usability,” in Proceedings of the IFIP TC6/TC11 Sixth Joint Working
Conference on Communications and Multimedia Security, pp. 227 -
239, 2002.
[121] M. El-Abed, P. Lacharme, and C. Rosenberger, “Security evabio:
An analysis tool for the security evaluation of biometric authentication
systems,” in the 5th IAPR/IEEE International Conference on
Biometrics (ICB), pp. 1 - 6, 2012.
[122] A. Rot, “IT risk assessment: Quantitative and qualitative approach,”
in the World Congress on Engineering and Computer Science
(WCECS), pp. 1 - 6, 2008.
[123] MCA, “Multi-criteria analysis: a manual”. Department for
Communities and Local Government: London, 2009.
[124] D. Maltoni, D. Maio, A. K. Jain, and S. Prabhakar, Handbook of
Fingerprint Recognition. Springer-Verlag, 2003.
[125] C. Roberts, “Biometric attack vectors and defences,” Computers &
Security, 2007.
254 Chapter Seven
[126] G. Doddington, W. Liggett, A. Martin, M. Przybocki, and D.

Reynolds, “Sheep, goats, lambs and wolves: A statistical analysis of
speaker performance in the NIST 1998 speaker recognition
evaluation,” in International Conference on Spoken Language
Processing (ICSLP), pp. 1 - 4, 1998.
[127] R. Giot, M. El-Abed, and C. Rosenberger, “Greyc keystroke : a
benchmark for keystroke dynamics biometric systems,” in IEEE Third
International Conference on Biometrics : Theory, Applications and
Systems (BTAS), pp. 1 - 6, 2009.
[128] A. Ross, A. Jain, and K. Nandakumar, Handbook of
Multibiometrics. Springer, 2006.
[129] R. Belguechi, E. Cherrier, C. Rosenberger, and S. Ait-Aoudia, “An
integrated framework combining bio-hashed minutiae template and
pkcs15 compliant card for a better secure management of fingerprint
cancelable templates,” Computers & Security, vol. 39, pp. 325 - 339,
2013.
CHAPTER EIGHT
A GENERALIZED FRAMEWORK FOR PRIVACY

AND SECURITY ASSESSMENT OF BIOMETRIC
TEMPLATE PROTECTION
XUEBING ZHOU1 AND BIAN YANG2

1
HOCHSCHULE DARMSTADT - CASED, GERMANY
2
NORWEGIAN INFORMATION SECURITY LABORATORY
DEPARTMENT OF COMPUTER SCIENCE AND MEDIA
TECHNOLOGY, GJOVIK UNIVERSITY COLLEGE, NORWAY
Abstract
Biometric template protection is an important technique designed to

prevent abuse of stored biometric information. Using these techniques,
numerous independent non-invertible references can be derived from
biometrics data so that retrieval of original biometric information or
tracing of individual is infeasible. In this chapter, we will show our recent
development of a generalized evaluation framework, which aims to enable
a comprehensive assessment of biometric template protection regarding to
privacy and security. It consists of three main steps; identifying protection
goals, determining threat models, and development of evaluation metrics
and processes. The protection goals represent the security and privacy
objectives we want to achieve with biometric template protection. They
are also the evaluation criterion. After carefully reviewing the
requirements of template protection, the protection goals can be
summarized as security, privacy protection ability, and unlinkability.
Furthermore, the definitions of privacy and security are given, which allow
one to quantify the computational complexity estimating a pre-image of a
protected template and to measure the hardness of retrieving biometric
data respectively. The threat models are the important prerequisites for an
assessment, which define computational power and information available
256 Chapter Eight
for an adversary. As long as threat models are determined, it is known

which information about biometric data, system parameters and functions
are accessible during the evaluation. We apply the evaluation framework
on an iris fuzzy commitment scheme. We measured the security and
privacy with theoretical metrics. Due to strong feature dependency, the
achieved security is much smaller than the secret size, which is the
expected security in a perfectly secure case with uniformly identically
distributed features. High privacy leakage exists in the system. The
feasibility of the evaluation framework is also demonstrated.
Keywords: Privacy Assessment, Security Assessment, Biometric

Template Protection, Privacy Evaluation Metrics, Protection Goals.
1 Introduction
Due to the advantages in convenience and security, applications of
biometrics broaden rapidly. Meanwhile, related privacy and security
issues, such as exposure of user sensitive information, cross matching of
different databases, or identity theft, raise many concerns of end users,
government agencies and public sectors. In order to prevent abuse of
stored biometric information, privacy protection techniques, also referred
to as template protection, biometric encryption, untraceable biometrics,
cancellable or revocable biometrics, have been developed. Using these

techniques, numerous independent non-invertible references, so called
pseudo identities [1], can be derived from biometrics data, so that retrieval
of original biometric information or tracing of individuals is infeasible.
Although current research results show the successful integration of
template protection techniques into biometric systems with acceptable
performance, systematic evaluation on privacy and security is still a big
challenge. The existing privacy and security evaluation differs from
theoretical analysis and attacks on the algorithms.
Theoretical analyses are fundamental to successful development of
template protection. They prove the feasibility of an abstract construction
and are normally based on specific mathematical models. In such work,
security and privacy have been analysed and defined in a theoretical way.
For instance, in [2] Linnartz and Tuyls introduced a new shielding
function, where secrets are encoded in biometric data with a quantization
method. In [3], Tuyls and Goseling showed the secrecy and identification
capacity of the helper data scheme, which can be seen as a kind of fuzzy
extractor. They modelled biometric features as independent identically-
distributed (i.i.d.) variables of length ݊. In [4], Dodis et al. proposed a
Framework for Privacy and Security Assessment of BTP 257
ሺ‫ܯ‬ǡ ݉ ෥ ǡ ݈ǡ ‫ݐ‬ሻ – secure sketch and a ሺ‫ܯ‬ǡ ݉ǡ ݈ǡ ‫ݐ‬ǡ ߝሻ – fuzzy extractor for
arbitrarily distributed biometric data ܺ in space ‫ ܯ‬with min-entropy of ݉.
In addition to theoretical analysis, attack-based analysis exploits
vulnerabilities of template protection, and conducts concrete attacks on
special algorithms. Due to overlap between intraclass and interclass
distributions in biometrics, false acceptance and false rejection can occur.
An adversary who owns or has access to a large biometric database can
exploit the false acceptance properties and can find a similar biometric
datum to that of a victim. Some template protection algorithms such as
fuzzy vault [5] and fuzzy commitment [6] are vulnerable to linkage attack,
and templates of the same subjects can be reidentified. In the case that a
soft comparison score is used, hill climbing attacks can be applied on a
template protection algorithm [7].
The existing work analyses the security and privacy of biometric
template protection from different aspects. However, only part of security
and privacy requirements are addressed, and analysis on a general level is
still lacking. In this work, we propose a generalized evaluation framework,
which aims to enable a comprehensive assessment of biometric template
protection regarding privacy and security.
This chapter is organized as follows: Section 2 will give a detailed
introduction of template protection. Section 3 will elaborate the proposed
evaluation framework. Section 4 will apply the framework on real
biometric template protection systems and will demonstrate the feasibility

and usefulness of the framework. Conclusions will be given in Section 5.
2 Biometric Template Protection

Template protection is a collective term for a variety of methods that aim
to preserve privacy and to enhance the secure storage of biometric data.
Different kinds of algorithms exist, which can generate diverse unlinkable
and non-invertible references from biometric data. In [8] Jain et al. gave an
overview on the existing techniques, and categorized them into
transformation-based approaches and biometric cryptosystems.
The functions used in transformation-based approaches, such as in [9,
10, 11, 12], can distort or randomize biometric data, so that the original
data cannot be reconstructed from transformed templates. The renewability
is realized by changing distortion parameters or randomization salt. Both
parameters and salt are user- and application-specific. They are factors
essential for security and must be kept secret. The biometric cryptosystems
such as [13,14, 4], can embed or generate secret keys from biometric data.
With the help of some auxiliary data, the secret keys can be successfully
258 Chapter Eight
and precisely retrieved in verification processes. The secrets are

comparable with cryptographic keys and can also be revoked and reissued.
The auxiliary data should contain information neither about the secrets nor
about biometric data, and can be considered as public.
The international standard ISO/IEC 24745 [15] defines a high-level
architecture of template protection, which can model various types of
algorithms. It consists of the following functions:
1. The pseudonymous identifier encoder ሺܲ‫ܧܫ‬ሻ generates a

pseudonymous identifier ܲ‫ ܫ‬and auxiliary data ‫ܦܣ‬from a biometric
datum ‫ ܯ‬in the enrolment: ሾܲ‫ܫ‬ǡ ‫ܦܣ‬ሿ ൌ ܲ‫ܧܫ‬ሺ‫ܯ‬ሻ. ܲ‫ ܫ‬is a protected
identity of an individual or a data subject, and AD is user-specific
data, which helps to reproduce ܲ‫ ܫ‬in an authentication process.
Only ܲ‫ ܫ‬and ‫ ܦܣ‬are stored as a protected template in the system.
The biometric datum ‫ ܯ‬is deleted after the enrolment.
2. The pseudonymous identifier recorder ሺܲ‫ܴܫ‬ሻ takes a queried
biometric datum ‫ܯ‬Ԣ and the stored ‫ ܦܣ‬as inputs, and calculates a
pseudonymous identifier ܲ‫ܫ‬Ԣ in the verification: ሾܲ‫ܫ‬ᇱ ሿ ൌ
ܲ‫ܴܫ‬ሺ‫ܯ‬ᇱ ǡ ‫ܦܣ‬ሻ.
3. The pseudonymous identifier comparator ሺܲ‫ܥܫ‬ሻ compares ܲ‫ܫ‬ᇱ with
the stored ܲ : ‫ ݒ‬ൌ ܲ‫ܥܫ‬ሺܲ‫ܫ‬ǡ ܲ‫ܫ‬Ԣሻ . Depending on comparators, the
comparison result ‫ ݒ‬is either a hard decision (yes/no) or a similarity
score ‫ݒ‬.
Figure 1. depicts the construction of template protection with ܲ‫ܧܫ‬, ܲ‫ܴܫ‬,

and ܲ‫ ܥܫ‬. Biometric systems provide input data ‫ ܯ‬and ‫ܯ‬Ԣ to template
protection, which can be samples acquired directly from a sensor or some
compact features extracted from biometric samples. Of course, the
interface between a biometric system and a template protection algorithm
marked with the red dashed line is an internal or virtual dataflow, which
must be secure against any internal or external attack. The orange lines
show the communication between ܲ‫ܧܫ‬, ܲ‫ܴܫ‬, and ܲ‫ܥܫ‬. They might take
place over a public and insecure channel. For instance, in many
applications, the enrolment stations and verification stations are not at the
same location, and the data needs to be centrally stored. A database easily
becomes an attack target. In remote enrolment or authentication, data
needs to be transported, e.g. over the internet. From a security point of
view, transferring and storing ܲ‫ܫ‬, processes which cannot reveal biometric
information, are better than using biometric templates themselves. Note
that ‫ ܦܣ‬is allowed to be public in some algorithms, however, in others,
‫ ܦܣ‬is a secret parameter.
Figure 1. ISO reference architecture of template protection
3 Evaluation Framework
In order to enable a comprehensive privacy and security assessment, we
propose a generalized evaluation framework. This consists of three main
steps, identifying protection goals, determining threat models, and
developing of evaluation metrics and process.
3.1 Threat Models

Template protection improves the resistance of biometric systems against
internal and external attacks. Before assessing security and privacy,
identifying the information and computational resource available to an
adversary is crucial. For example, secret size can be used to quantify the
security of ܲ‫ ܫ‬in fuzzy commitment systems. However, if biometric
features are correlated and their distribution is known, leakage of the
secret exists and the security of ܲ‫ ܫ‬can be much smaller than the secret
size. We define three main threat models as follows:
1. Naive Model: An adversary has neither information of the

underlying algorithm in a template protection system, nor owns a
large biometric database. The adversary only has access to
protected templates. The protected system is considered a
blackbox. Attacks that can be performed or biometric information
that can be obtained are restricted.
2. Advanced Model: We employ Kerckhoffs' principle and that an
adversary has full knowledge of the underlying algorithm. Essential
260 Chapter Eight
details of the algorithm are known. System internal parameters can

be accessed and adjusted. Protected templates from one or more
databases can be obtained. Additionally, we assume that the
adversary also knows statistical properties of biometric features.
These are very important priori information and can strongly
influence security and privacy. If a system possesses a secret
parameter, for example, transformation parameters in cancellable
biometrics, and a projection matrix in biohashing, the security of
the system relies on the secrecy of the secret parameter. Security
can be assessed under the assumption that an adversary has no
access to secret parameters. We can also make a stronger
assumption that the adversary can use the secret parameters but
does not know them explicitly. Additionally in privacy assessment,
we can assume that an adversary also knows the secret parameters
in clear text. It is important to see whether leakage of biometric
information exists, if secret parameters are compromised. In a
secret-based system, there are no secret parameters. We assume
that all system parameters are known to an adversary.
3. Collision Model: We assume that an adversary owns a large
amount of biometric data. This allows him to gain enough
information about biometric data. The adversary can exploit the
inaccuracy of biometric systems, can make an exhaustive search in
the adversary’s own database, and can find biometric data that has
sufficient similarity to that of a target person. If ‫ ܴܣܨ‬is a false
acceptance rate of the system under a given setting, ͳȀ‫ ܴܣܨ‬is the
average number of biometric data from different users, which an
adversary needs in the adversary’s own database.
Naive and advanced models are comparable with the models in the
cryptanalysis, which a cryptanalyst defines during assessment of
cryptosystems. The naive model is the basic and weakest. The advanced
model is stricter, and can verify the security of a system against an
experienced adversary. The collision model is derived from inherent
properties of biometric systems. Threat models can be refined and new
requisitions can be extended, according to security and privacy
requirements on biometric systems. Threat models are prerequisites for
quantifying security and privacy.
3.2 Protection Goals

The protection goals represent the security and privacy objectives we want
to achieve with biometric template protection. They are also the evaluation
criterion. After carefully reviewing the requirements of template
protection, the protection goals can be summarized as security, privacy
protection ability, and unlinkability:
Security of ࡼࡵ: In a protected biometric system, an authentication

result is based on the comparison of Pseudonymous Identifiers. The
security of ܲ‫ ܫ‬is determined by the difficulty to find data ‫ܯ‬Ԣ, which can
produce a ܲ‫ܫ‬ᇱ ൌ ܲ‫ܴܫ‬ሺ‫ܯ‬ᇱ ǡ ‫ܦܣ‬ሻ, and ܲ‫ܥܫ‬ሺܲ‫ܫ‬ᇱ ǡ ܲ‫ܫ‬ሻ gives a positive result.
Additionally, for the secret-based algorithms, the security of ܲ‫ ܫ‬also
depends on the complexity of finding a secret ܵԢ, which is equal to the true
secret ܵ generated in the enrolment process. This evaluation is comparable
with the “pre-image” attack in cryptanalysis. ܵԢ equates to a pre-image of
ܲ‫ܫ‬. The security of ܲ‫ ܫ‬ensures trustworthiness of authentication.
Privacy Protection Ability: One of the main motivations for applying

template protection is to safeguard biometric information. The privacy
protection ability includes two aspects:
x Irreversibility of biometric data indicates the difficulty to retrieve
the original biometric data. It is not always the same as that of ܲ‫ܫ‬.
Data, which can pass ܲ‫ ܫ‬-verification processes, may not have
enough similarity to the original biometric data. If a “pre-image”
space of a ܲ‫ ܫ‬is larger than its corresponding biometric data space,
the system has a better protection of biometric data. The security
shows only expense to retrieve biometric data. However, it cannot
disclose the leakage of biometric data.
x Privacy leakage shows the amount of information about biometric
data exposed in protected templates. In many template protection
algorithms, privacy leakage exists to compensate variation of
biometric data, as shown in [16, 17]. However, exposure of
biometric information is not only a threat for privacy but also a
serious security shortcoming. It can be exploited to retrieve
activities of a subject in other biometric applications. The
revelation is permanent and difficult to amend, and can also
influence the renewability of ܲ‫ܫ‬. Therefore, the protected template
ሾܲ‫ܫ‬ǡ ‫ܦܣ‬ሿ should contain as little biometric information as possible.
262 Chapter Eight
Unlinkability: One of the motivations to use template protection is to

stop cross matching. Unlinkability is a crucial criterion. It also includes
two parts:
x Cross matching: Assume that an adversary obtains two protected
templates. It should be difficult for the adversary to verify whether
they are generated from the same subject or not. However, cross
matching can happen if protected templates contain “personal
identifiable information”. For instance, ‫ ܦܣ‬is generated by ܲ‫ ܧܫ‬and
required inܲ‫ܴܫ‬. If ‫ ܦܣ‬is not random and contains user-specific
information, identification of a subject is feasible with ‫ܦܣ‬. It is
necessary to measure whether and how much personally
identifiable information is contained in ‫ܦܣ‬.
x Leakage amplification: Combing two or more protected templates
should not be helpful to estimate secrets or to retrieve biometric
features. Whether a combination of several protected templates can
increase privacy leakage and can reduce security needs to be
analysed. Leakage amplification limits long term applications and
multiple uses of biometrics.
3.3 Evaluation Metrics

In order to quantify protection goals, evaluation metrics are needed.
Generally speaking, information-theoretical metrics such as Entropy,

Conditional entropy, Mutual information, Min-entropy, and Average min-
entropy, are widely used in the theoretical security analysis. However in
attack-based analysis, the metrics such as successful rate, and Guessing
entropy, are more useful. In the following, we give formal definitions on
privacy and security with general evaluation metrics, which can be applied
in evaluation of different template protection schemes.
Definition 1: Let ࣛሺ‫ܦܣ‬ǡ ܲ‫ܫ‬ሻ ൌ ሾ‫ܯ‬ ෡ ǡ ܲ‫ܫ‬

෢ ሿ be a reconstruction function,
where ܲ‫ܫ‬෢ ൌ ܲ‫ܴܫ‬ሾ‫ܯ‬ ෡ ǡ ‫ܦܣ‬ሿ. ܶࣛ is the computational time required in one
reconstruction attempt and ݊ is the average number of reconstructions
needed to get a ሾ‫ܯ‬ ෡ ǡ ܲ‫ܫ‬ ෢ ൌ ͳ for a positive
෢ ሿ , such that ܲ‫ܥܫ‬ሺܲ‫ܫ‬ǡ ܲ‫ܫ‬ሻ
authentication result. A template protection algorithm is ሼࢀǡ ࢿሽ - secure, if
for all reconstruction functions ࣛ,
ܶࣛ ൒ ࢀ
ଶ ݊ ൒ ࢿ
This security definition represents the average effort to find a biometric

datum ‫ܯ‬ ෡ , which can successfully pass a pseudonymous identifier
verification process. It emphasizes computational security, however, and is
strongly related to information-theoretical security. To break verification,
a reconstruction function ࣛ is necessary. It demands some computational
power, which is quantified with computational time ܶࣛ. It is the lower
limit for all the possible reconstruction functions. The reconstruction
function is tied up with ܲ‫ ܧܫ‬and ܲ‫ܴܫ‬. For a well-designed template
protection algorithm, ܲ‫ ܧܫ‬and ܲ‫ ܴܫ‬should be hard to invert (e.g.
one-way functions). Reconstruction is possible, for instance, only
with a kind of brute force using ܲ‫ ܴܫ‬and ܲ‫ ܥܫ‬functions. In some of
transformation-based algorithms, inverse functions can exist and
the inversion is possible, if the transformation parameter (‫ )ܦܣ‬is
known. Inversion might be a one-to-many function. Only biometric
data is protected, however, and security cannot be ensured if ‫ ܦܣ‬is
compromised.
The factor ࢿ indicates the average number of guesses
(reconstructions). It is dependent on the properties of the search
space. In the case that an inversion function exists, the search space
can be very small and ࢿ ൌ ͳ. For the secret-based algorithm ࢿ is
related to the conditional guessing entropy ‫ܩ‬ሺܵȁ‫ܦܣ‬ሻ. In practice,
both ࢿ and ࢀ should be large enough for an adversary to not find an

‫ܯ‬෡ successfully in reasonable time.
Definition 2: Let ࣛሺ‫ܦܣ‬ǡ ܲ‫ܫ‬ሻ ൌ ሾ‫ܯ‬ ෡ ǡ ܲ‫ܫ‬

෢ ሿ be a reconstruction function,
෢ ൌ ܲ‫ܴܫ‬ሾ‫ܯ‬
where ܲ‫ܫ‬ ෡ ǡ ‫ܦܣ‬ሿ. ܶࣛ is the computational time required in one
reconstruction and ݊ is the average number of reconstructions needed to
get a ሾ‫ܯ‬ ෡ ǡ ܲ‫ܫ‬
෢ ሿ , such that for a threshold ࢚ , distance function
݀݅‫ݐݏ‬ሺ‫ܯ‬ǡ ‫ܯ‬෡ ሻ ൏ ࢚. A template protection algorithm is ሼࢀǡ ࢿǡ ࢚ሽ - preserving,
if for all reconstruction functions ࣛ , ‫ܯ‬ ෡ , which is similar to ‫ ܯ‬.
Biometric data is a random va

ܶࣛ ൒ ࢀ
ଶ ݊ ൒ ࢿ
This definition shows the cost of finding riable. It is not necessary

to reconstruct the same ‫ ܯ‬as in the enrolment. We use a distance
function and a threshold to represent the desired accuracy of the
264 Chapter Eight
reconstruction. Other privacy related information such as birthday,

gender, and name, might be saved in a protected biometric system,
but we only consider protecting input biometric data.
In the definitions, the average number of attempts is used as one
of the evaluation metrics. Other information-theoretical metrics are
also good metrics for the evaluation. However, they are not suitable
for measurement of the transformation-based methods. The average
number of attempts represents the computational security. The
proposed definitions interpret the meaning of security and privacy
from an attack point of view.
3.4 The Generalized Evaluation Framework

An overview of the evaluation framework is depicted in Figure 2. The
first step to start a rigorous evaluation is to identify the protection goals.
They represent the security and privacy objectives we want to achieve
with biometric template protection. They are also the evaluation criterion.
After carefully reviewing the requirements of template protection, the
protection goals can be summarized as security, privacy protection ability,
and unlinkability. Furthermore, the definitions of privacy and security are
given, which allow one to quantify the computational complexity,
estimating a pre-image of a secure template, and to measure the hardness

of retrieving biometric data respectively.
The threat models are the important prerequisites for an assessment,
which define computational power and information available for an
adversary. As long as threat models are determined, it is known which
information about biometric data, system parameters and functions are
allowed to access during the evaluation. We give three threat models to
describe the ability of an adversary. The first threat model, so called naive
model, assumes that an adversary has very limited information about a
system. In the second threat model, the advanced model, we apply
Kerckhoffs' principle and assume that essential details of algorithms, as
well as properties of biometric data, are known. The last threat model
assumes that an adversary owns large amount of biometric data, and this
allows the adversary to exploit the inaccuracy of biometric systems. This
is called the collision threat model.
Based on the protection goals and threat models, the metrics
quantifying different protection goals, as well as an evaluation process
measuring the metrics, will be developed. Both theoretical evaluation with
metrics such as entropy, mutual information, and practical evaluation

based on individual attacks can be used.
Figure 2. The generalized evaluation framework
4 Privacy and Security Evaluation of Biometric Template

Protection
We apply the evaluation framework on an iris fuzzy commitment scheme.
The fuzzy commitment scheme is implemented based on [18] of Hao. Iris
recognition is one of the most important and popular biometric modalities.
The iris texture contains rich discriminative information and iris-based
recognition can achieve high accuracy. Additionally, iris patterns can be
encoded as compact binary strings. These properties promise smooth
integration with the fuzzy commitment scheme. However, the challenge is
to control the large amount of intraclass bit errors.
One of the milestone works has been proposed by Hao et al. [18]. After
carefully analysing error patterns of iris codes, they applied a two-layer
error correction method: Hadamard codes are used to correct random
errors caused by capture devices or iris distortions; additionally, Reed-
266 Chapter Eight
Solomon (RS) codes compensate burst errors that might occur due to
undetected eyelashes and specular reflections. In [19], Bringer et al. used
the product codes and a two-dimensional iterative min-sum decoding
algorithm in the error correction process. They modelled errors between
reference and queried iris codes with a binary symmetric channel (BSC)
with erasure. In order to handle burst errors, an interleaver (random
permutation) is applied to break the burst errors. They assumed
independently distributed iris codes and showed that the results are close
to the theoretical limit of the ideal BSC coding according to Shannon's
information theory. In [20], Vetro et al. used the syndrome coding to
protect iris codes. This algorithm can be seen as a fuzzy extractor with
syndrome coding [4]. Instead of storing the code offset of an iris code to a
randomly selected codeword, as in fuzzy commitment, the syndrome of
iris features is calculated with low density parity coding. In the verification
process, the decoding process uses a belief propagation process. The
security properties of fuzzy commitment and fuzzy extractor with
syndrome coding are very similar.
We implemented the scheme of Hao et al [18]. The iris features are
extracted with the open source algorithm of Masek [21]. In the
preprocessing phase, the Hough transformation is applied on an iris image
so to localize and segment the iris region. Additionally, the probable
eyelid and specular reflection areas are marked black. Then the detected
iris ring is mapped from the cartesian capture coordinate system to the
dimensionless polar coordinate system. During feature extraction, the 1D
log-Gabor filter is convoluted with each row of the normalized iris region.
Here the spatial combination of 1D log-Gabor filters is considered as a 2D
Gabor filter. The complex-valued frequencies are derived and the phase of
each frequency value is quantized with 2 bits. The final iris code is a 2D
binary matrix.
We generate iris features for the CASIA database [22] with Masek's
algorithm, and transform the resulting feature vectors with the fuzzy
commitment scheme of Hao et al. [18]. In the enrolment, a randomly
selected secret ܵ is at first encoded with the RS encoder and then with the
Hadamard encoder. The codeword ‫ ܥ‬is XOR-ed with the input iris feature
vector ܺ. The XOR output ܹ ൌ ܱܴܺሺ‫ܥ‬ǡ ܺሻ is stored together with the
hash of the secret ݄ሺܵሻ as a protected template and serves as a reference
for the respective subject. During the verification, a probe iris feature
vector is derived from the captured sample and XOR-ed with the stored
ܹ . From this operation, a corrupted codeword ‫ܥ‬Ԣ is obtained. The
Hadamard decoder and the RS decoder can correct the errors in ‫ܥ‬Ԣ. The
hash of the estimated secret ܵԢ is compared with the stored ݄ሺܵሻ. If they
are identical, the system has verified the identity claim.
In the coding process, a randomly generated secret ܵ with the length of
‫ ݏܮ‬bits is divided into ݉‫ ݏ‬blocks, and each block is ݈ bits long. The RS
encoder adds ʹ‫ݐ‬ோௌ parity blocks at the end of the secret blocks, where ‫ݐ‬ோௌ
is the number of the correctable block errors of the RS code. Then the
Hadamard encoder extends each block into a ʹ௟ିଵ bit Hadamard code.
Hadamard coding can correct up to ʹ௟ିଷ െ ͳ bit errors in each block. The
final codeword contains ‫ܯ‬ோௌ ൈ ʹ௟ିଵ bits. The codeword is XOR-ed with
an iris code, so to obtain ܹ.
In the experiments, the length of the iris code ݉ is set to 9600. The
length of the Hadamard block ‫ܮ‬ு௔ௗ is 128. We analyze the security of the
system using Definition 1. The metrics ࢿ and ࢀ are proposed, which show
the average number of attempts needed to guess a pre-image of ܲ‫ܫ‬, namely
‫ܪ‬ሺܵሻ, and the computational time required for one attempt. They represent
average computational complexity required in an attack scenario. These
unified metrics allow the comparison of different template protection
systems.
In Table 1, the security assessment using Definition 1 in three threat
models is displayed. In the naive model, an adversary can only guess the
plain text of the hash. Therefore, ࢿ is dependent on the secret size and ࢀ
corresponds to the computational time of the hash function. The
assessment in the naive model indicates the computational complexity of a

brute force attack on the ܲ‫ܫ‬.
In the case of a perfectly secure fuzzy commitment scheme, biometric
features are uniformly and identically distributed, and the security of the
advanced model should equal that of the naive model. Unfortunately, iris
features strongly correlate, as shown in [23]. In the advanced threat model,
ࢿ drops strongly, since the estimation of secrets becomes easier with
knowledge about the system and biometric features. We empirically
calculate the average number of attempts needed by the cracking algorithm
[23]. This result is dependent on the cracking algorithm and its settings,
and becomes an approximation of ࢿ. For instance, ࢿ drops from 55 bits in
a native model to 10.93 bits in the advanced model for the secret length of
55.
ࢿ and ࢀ in the collision model depend on the FAR and the
computational time of the whole verification process. Table 1 shows that ࢿ
varies from 6.86 bits to 7.41 bits. We can reduce the FAR to achieve
higher security, though FRR will increase and the system will become
inconvenient. The most effective method is to design a better feature
268 Chapter Eight
extraction algorithm and a more effective template protection algorithm so

to improve the recognition performance.
Table 1. Security assessment
‫ݏܮ‬ Naive Model Advanced Model Collision Model

ࢿ ൌ ‫ ݏܮ‬െ ͳ ࢀ ࢿ ࢀ ࢿ = ílog2 FAR
(FAR@F RR)
40 39 O(1) 7.65 O(1) 6.86
(0.86%@19.96%)
56 55 O(1) 10.93 O(1) 7.18
(0.69%@21.30%)
72 71 O(1) 14.25 O(1) 7.41
(0.59%@22.74%)
Table 2. Privacy assessment in the advanced model
Uncertainty ‫ݏܮ‬ Privacy Irreversibility

of features Leakage ࢿ ࢀ
4325.88 40 4317.12 7.65 O(1)
56 4314.06 10.93 O(1)

72 4311.00 14.25 O(1)
At this point, we analyse the privacy protection ability. In the naive model,
an adversary cannot obtain information about biometric data lacking
knowledge about the systems. In the collision model, the adversary can
only find biometric data, from which the same or a similar ܲ‫ ܫ‬as that of the
target person can be generated. In this case, the privacy of ܲ‫ ܫ‬is similar to
the security of ܲ‫ ܫ‬. Therefore, it makes more sense to assess privacy
protection ability in the advanced model, and the results appear in Table 2.
The privacy leakage measures the amount of information about biometric
features contained in protected templates, where the irreversibility of ܲ‫ ܫ‬is
measured with Definition 2. The threshold ࢚ in the definition is equal to 0.
The privacy leakage of the fuzzy commitment schemes is evaluated as
the conditional entropy ‫ܪ‬ሺܺȁܹሻ. The entropy of iris features is 4325.88 at
a feature length of 9600, where the privacy leakage is extremely high. A
detailed proof and calculation can be found in [23].
All these results are based on statistical models, which are utilized to
simulate the distribution of biometric features. A more accurate estimation
is possible if better methods can be found for modelling the distributions.
Additionally, it is shown that the privacy leakage increases when reducing
the secret size in fuzzy commitment. This confirms the similar conclusion
drawn in [17].
5 Conclusion
The proposed systematic evaluation framework adheres to the essential
criteria and requirements of biometric template protection techniques. The
applicability of the framework is demonstrated with the analysis of a
protected iris recognition system. The assessment presented in this work is
fundamental for a thorough analysis, and also provides evidence on
security and privacy performance. Therefore, the proposed framework is
an indispensable tool for technical innovation and improvement, and helps
system designers in selecting a suitable template protection algorithm for
their applications and needs. The framework creates a basis for
benchmarking and certification of biometric template protection
techniques.
References
[1] Breebaart, J., Busch, C., Grave, J., and Kindt, E. “A reference
architecture for biometric template protection based on pseudo
identities,”. In Biosig 2008: Biometrics and electronic signatures,
Germany, 2008.
[2] Linnartz, J. P., and Tuyls, P. “New shielding functions to enhance
privacy and prevent misuse of biometric templates,” In 4th
international conference on audio- and video-based biometric person
authentication, 2003.
[3] Tuyls, P., and Goseling, J. “Capacity and examples of template
protecting biometric authentication systems, ” In LNCS (Ed.),
Biometric authentication workshop (bioaw 2004), Prague, 2004, p.
158- 170.
[4] Dodis, Y., Ostrovsky, R., Reyzin, L., and Smith, A. (2008), “Fuzzy
extractors: How to generate strong keys from biometrics and other
noisy data,” SIAM Journal on Computing, 38, 2008.
[5] Scheirer, W. J., and Boult, T. E., “Cracking fuzzy vaults and biometric
encryption,” In Proceedings of the biometrics symposium. Baltimore,
Md, USA., 2007.
270 Chapter Eight
[6] Simoens, K., Tuyls, P., and Preneel, B., “Privacy weaknesses in
biometric sketches,” In the 2009 ieee symposium on security and
privacy, ieee computer society (p. 188-203), 2009.
[7] Adler, A., “Vulnerabilities in biometric encryption systems”, In Audio-
and video-based biometric person auth. Tarrytown, NY, USA. 2005.
[8] Jain, A. K., Nandakumar, K., and Nagar, A., “Biometric template
security”. In Eurasip journal on advances in signal processing, , special
issue on biometrics, 2008.
[9] Roberge, C. S. D., Stoianov, A., Gilroy, R., and Kumar, B. V,
“Biometric encryption,” ICSA Guide to Cryptography, Chapter 2,
1999.
[10] Jin, A. T. B., Ling, D. N. C., and Goh, A., “Biohashing: two factor
number,” Pattern Recognition Issue 11, 37, 2245-2255, November
2004.
[11] Jin, A. T. B., Toh, K.-A., & Kuan, Y. W., “2n discretisation of
biophasor in cancellable biometrics.” In ICB, p. 435-444, 2007.
[12] Ratha, N. K., Chikkerur, S., Connell, J. H., and Bolle, R. M.,
“Generating cancelable fingerprint templates,” In IEEE transactions on
pattern analysis and machine intelligence, Vol. 29., April 2007.
[13] Juels, A., and Sudan, M., “A fuzzy vault scheme,” In IEEE
international symposium on information theory, 2002.
[14] Juels, A., and Wattenberg, M., “A fuzzy commitment scheme,” In

6th ACM conference on computer and communications security, p. 28-
36, 199
[15] ISO/IEC 24745 “Information technology - Security techniques -
Biometric template protection,” ISO/IEC JTC 1/SC 27, June 2011.
[16] Smith, A. D., “Maintaining secrecy when information leakage is
unavoidable,” doctoral dissertation, Massachusetts Institute of
Technology, 2004.
[17] Ignatenko, T., “Secret-key rates and privacy leakage in biometric
systems,” doctoral dissertation, Eindhoven University of Technology,
2009.
[18] Hao, F., Anderson, R., and Daugman, J., “Combining cryptography
with biometrics effectively”, Tech. Rep. No. 640, Univesity of
Cambridge, Computer Laboratory, July 2005.
[19] Bringer, J., Chabanne, H., Cohen, G., Kindarj, B., and Zemor, G.,
“Optimal iris fuzzy sketches,” In First IEEE international conference
on biometrics: Theory, Applications, and Systems BTAS 2007 (Vol.
705), May 2007.
[20] Vetro, A., Draper, S., Rane, S., and Yedidia, J., “Securing biometric
data”, In Distributed source coding, Elsevier, 2009.
[21] Masek, L., “Recognition of human iris patterns for biometric
identification,” The University of Western Australia, 2003
[22] CASIA iris image database, collected by the Chinese Academy of
Sciences Institute of Automation (CASIA),
http://biometrics.idealtest.org/.
[23] Zhou, X., Kuijper, A., & Busch, C., “Cracking iris fuzzy
commitment,” In IEEE the international conference on biometrics (ICB
12), 2012.
PART 4.
PRIVACY-ENHANCED BIOMETRIC SYSTEMS

CHAPTER NINE
SECURE AND EFFICIENT IRIS

AND FINGERPRINT IDENTIFICATION
MARINA BLANTON1 AND PAOLO GASTI2

1
DEPARTMENT OF COMPUTER SCIENCE AND ENGINEERING,
UNIVERSITY OF NOTRE DAME
MBLANTON@ND.EDU
2
DEPARTMENT OF COMPUTER SCIENCE, NEW YORK INSTITUTE
OF TECHNOLOGY
PGASTI@NYIT.EDU
Abstract
Advances in biometric recognition and the increasing use of biometric data

prompt signi¿cant privacy challenges associated with the possible misuse,
loss, or theft of biometric data. Biometric comparisons are often
performed by two mutually distrustful parties, one of which holds a
biometric sample, while the other owns a possibly large collection of
biometric data. Due to privacy and liability considerations, neither party is
willing to share its data. This gives rise to the need to utilize secure
computation techniques over biometric data, where no information is
revealed to the parties, except the outcome of the comparison or search for
identi¿cation purposes. In this chapter, we present the design, security
analysis, and performance of privacy-preserving identi¿cation protocols
for iris codes and ¿ngerprints. Combined with certain optimizations, such
techniques are suitable for practical use on large data sets.
Keywords: Privacy-Preserving Protocols, Biometric Identi¿cation, Secure

Multiparty Computation, Iris, Fingerprints
Secure and Efficient Iris and Fingerprint Identification 275
1 Introduction
Recent advances in biometric recognition have made the use of biometric
information more susceptible to veri¿cation and identi¿cation purposes.
Large-scale collections of biometric data in use today include, for
example, ¿ngerprint, face, and iris images, collected by the US
Department of Homeland Security (DHS) from visitors [48]; ¿ngerprint
and iris images collected by the government of India from (more than
billion) citizens [56]; iris, ¿ngerprint, and face images collected by the
United Arab Emirates (UAE) Ministry of Interior from visitors [57]; and
adoption of biometric passports in several countries. While biometric
systems serve as an excellent tool for authentication and identi¿cation of
individuals, biometric data is undeniably extremely sensitive and must be
well protected. Furthermore, once leaked, biometric data cannot be
revoked or replaced. For these reasons, biometric data cannot be easily
shared between organizations or agencies. However, there could be
legitimate reasons to carry out computations on biometric data belonging
to different entities. For example, a non-government agency may need to
know whether a biometric sample it possesses belongs to an individual on
the government watch-list. In this case the agency would like to maintain
the privacy of the individual if no matches are found, and the government
also does not want to release its database to third parties.
The above requires carrying out computation over biometric data in a

way that keeps the data private and reveals only the outcome of the
computation. In particular, we treat the problem of biometric
identi¿cation, where a client ‫ ܥ‬is in a possession of a biometric sample ܺ
and a server ܵ possesses a biometric database ‫ܦ‬. The client would like to
know whether there is any ܺ ᇱ ‫ ܦ א‬matching ܺ by comparing ܺ to each
biometric record in ‫ܦ‬. The computation amounts to comparing ܺ to
eachܻ ‫ ܦ א‬in a privacy-preserving manner. This formulation is general
enough to apply to a number of other scenarios, ranging from a single
comparison of ܺ and ܻ to the case where two parties need to compute the
set of biometric data records common to their respective databases. We
assume that the result of comparing ܺ and ܻ is a bit, and no additional
information about ܺ or ܻ should be learned by the parties as a result of
secure computation. Throughout this chapter, we also assume that ܺ and ܻ
correspond to biometric templates, i.e., they have representations suitable
for biometric comparison after raw biometric samples have been processed
by a feature extraction algorithm. Feature extraction can be performed for
each biometric sample independently, and we do not discuss this further.
This chapter introduces and discusses secure techniques that perform
276 Chapter Nine
the aforementioned computation with provable protection of data privacy.

We present protocols for two types of biometric characteristics: iris and
¿ngerprints. While iris codes are normally represented as binary strings
and use very similar matching algorithms, there is a variety of
representations and comparison algorithms for ¿ngerprints. For that
reason, we study two types of matching algorithms for ¿ngerprints: (i)
FingerCodes that use ¿xed-size representations and a simple comparison
algorithm and (ii) a traditional and most widely used method for pairing
minutia points in one ¿ngerprint with minutiae in another ¿ngerprint. With
such techniques, the outcome of the computation can be made available to
either or both parties; for concreteness, in our description we have the
client learn the outcome of each comparison.
2 Description of Computation
Without loss of generality, in what follows, we assume that client ‫ ܥ‬holds
a single biometric template ܺ and server holds a database of biometric
data . The goal is to learn whether 's biometric template has a match in
's database without learning any additional information. This is
accomplished by comparing ܺ to each biometric templateܻ ‫ܦ א‬, and as a
result of each comparison, learns a bit that indicates whether the
comparison resulted in a match.
2.1 Iris
Let an iris code be represented as an ݉-bit binary string. We use ܺ௜ to
denote the ݅-th bit of ܺ. In iris-based recognition, after feature extraction,
biometric comparison is normally performed by computing the normalized
Hamming distance between two biometric representations. To simplify
presentation, we refer to normalized Hamming distance simply as
Hamming distance henceforth. Furthermore, the feature extraction process
is such that some bits of the extracted string ܺ are unreliable and are
ignored in the comparison process. Information about such bits is stored in
an additional ݉-bit string, called mask, where its ݅-th bit is set to 1 if the ݅-
th bit of ܺ should be used in the comparison process and is set to 0
otherwise. For iris code ܺ, we use ‫ܯ‬ሺܺሻ to denote the mask associated
with the iris code. Often, a predetermined number of bits (e.g., 25% in [31]
and 35% in [6]) are considered unreliable in each biometric template.
Thus, to compare two biometric templates ܺ and ܻ, their Hamming
distance takes into account the respective masks. That is, if the Hamming
distance between two iris codes without masks is computed as:
ԡܺ ْ ܻԡ σ௠
௜ୀଵሺܺ௜ ْ ܻ௜ ሻ
‫ܦܪ‬ሺܺǡ ܻሻ ൌ ൌ
݉ ݉
the computation of the Hamming distance that uses masks becomes [23]:
ԡሺܺ ْ ܻሻ ‫ܯ ת‬ሺܺሻ ‫ܯ ת‬ሺܻሻԡ

‫ܦܪ‬൫ܺǡ ‫ܯ‬ሺܺሻǡ ܻǡ ‫ܯ‬ሺܻሻ൯ ൌ (1)
ԡ‫ܯ‬ሺܺሻ ‫ܯ ת‬ሺܻሻԡ
In other words, we have

σ௠
௜ୀଵሺሺܺ௜ ْ ܻ௜ ሻ ‫ܯ ר‬ሺܺ௜ ሻ ‫ܯ ר‬ሺܻ௜ ሻሻ
‫ܦܪ‬൫ܺǡ ‫ܯ‬ሺܺሻǡ ܻǡ ‫ܯ‬ሺܻሻ൯ ൌ
σ௠௜ୀଵሺ‫ܯ‬ሺܺ௜ ሻ ‫ܯ ר‬ሺܻ௜ ሻሻ
Throughout this chapter, we assume that the latter formula is used, and we
simplify the notation to ‫ܦܪ‬ሺܺǡ ܻሻ. Then, the computed Hamming distance
is compared with a speci¿c threshold ܶ, and the biometric samples ܺ and
ܻ are considered to be a match if the distance is below the threshold, and a
mismatch otherwise. The threshold ܶ is chosen based on the distributions
of authentic and impostor data; in the likely case of overlap of the two
distributions, the threshold is set to achieve the desired levels of false
accept and false reject rates based on the security goals.
Two iris representations can be slightly misaligned. This problem is
usually caused by head tilt during image acquisition. To account for this,
the matching process attempts to compensate for the error and rotates a
biometric representation by a ¿xed amount to determine the lowest
distance. More precisely, each iris code is represented as a two-
dimensional bit array, and rotation corresponds to a circular shift which is
applied to each row. Each biometric is then rotated to the left and to the
right a small ¿xed number of times, which we denote byܿ. The minimum
Hamming distance across all rotations is then compared to the threshold.
That is, if we let ‫ܵܮ‬௝ ሺȉሻ (resp., ܴܵ௝ ሺȉሻ) denote a circular left (resp., right)
shift of the argument by a ¿xed number of bits (normally 2 bits due to the
properties of the feature extraction process), the matching process
becomes:
ሺ‫ܦܪ‬൫ܺǡ ‫ ܵܮ‬௖ ሺܻሻ൯ǡ ǥ ǡ ‫ܦܪ‬൫ܺǡ ‫ܵܮ‬ଵ ሺܻሻ൯ǡ ‫ܦܪ‬ሺܺǡ ܻሻǡ

ǫ
‫ܦܪ‬൫ܺǡ ܴܵଵ ሺܻሻ൯ǡ ǥ ǡ ‫ܦܪ‬൫ܺǡ ܴܵ ௖ ሺܻሻ൯ሻ ൏ ܶ (2)
Throughout this chapter, we assume that the algorithms for comparing two
biometric samples are public, as well as any constant thresholds ܶ. The
278 Chapter Nine
protocols we present, however, maintain their security and computational

performance guarantees, even if the (¿xed) thresholds are known only to
the server who owns the database.
2.2 Fingerprints
Work on ¿ngerprint identi¿cation dates back to the late 1800s, with a
number of diơerent approaches currently available (see, e.g., [46] for an
overview). The most popular and widely used techniques extract
information about minutiae from a ¿ngerprint and store that information as
a set of points in the two-dimensional plane. Fingerprint comparison in
this case consists of ¿nding a matching between two sets of points, so that
the number of paired minutiae is maximized. In more detail, a biometric
template is represented as a set of ݉௫ points
ܺ ൌ ‫ۃ‬ሺ‫ݔ‬ଵ ǡ ‫ݕ‬ଵ ǡ ܽଵ ሻǡ ǥ ǡ ൫‫ݔ‬௠ೣ ǡ ‫ݕ‬௠ೣ ǡ ܽ௠ೣ ൯‫ۄ‬, where ‫ݔ‬௜ and ‫ݕ‬௜ are coordinates of
minutia i in a two-dimensional space and ߙ௜ is its orientation (represented
as an angle in degrees). A minutia ܺ௜ ൌ ሺ‫ݔ‬௜ ǡ ‫ݕ‬௜ ǡ ܽ௜ ሻ in ܺ and minutia
ܻ௝ ൌ ൫‫ݔ‬௝ᇱ ǡ ‫ݕ‬௝ᇱ ǡ ܽ௝ᇱ ൯ in ܻ are considered matching if the spatial (i.e.,
Euclidean) distance between them is smaller than a given threshold ݀଴ ,
and the directional diơerence between them is smaller than a given
threshold ߙ଴ . That is, we compute this as:
ටሺ‫ݔ‬௝ᇱ െ ‫ݔ‬௜ ሻଶ ൅ ሺ‫ݕ‬௝ᇱ െ ‫ݕ‬௜ ሻଶ ൏ ݀଴ and ൫หܽ௝ᇱ െ ܽ௜ หǡ ͵͸Ͳι െ หܽ௝ᇱ െ ܽ௜ ห൯ ൏ ܽ଴ (3)
It is necessary to tolerate small diơerences in the position and orientation

of minutia points to account for errors introduced by feature extraction
algorithms (e.g., quantization) and small skin distortions. Two points
within a single ¿ngerprint are also assumed to lie within at least distance
݀଴ of each other.
Before two ¿ngerprints can be compared, they need to be pre-aligned,
which maximizes the number of matching minutiae. We can distinguish
two types of alignment: absolute and relative. With absolute alignment,
each ¿ngerprint is pre-aligned independently using the core point or other
information. With relative alignment, information contained in two
biometric samples is used to guide their alignment relative to each other.
While relative pre-alignment can be more accurate than absolute pre-
alignment, such techniques are not practical within a privacy-preserving
protocol due to the additional overhead, and we assume that absolute pre-
alignment is used. To increase the accuracy of the matching process, a
single ¿ngerprint can be stored using a small number of representations
with slightly diơerent alignments, and the result of the comparison is a

match if at least one of them matches the biometric template being
queried.
A simple way for determining a pairing between minutiae of
¿ngerprints ܺ and ܻ consists of pairing a minutia ܺ௜ with the closest
minutia ܻ௝ in ܻ. Let ݉݉ሺܺ௜ ǡ ܻ௝ ሻ denote the minutiae matching predicate in
Equation 3. Then, the pairing function ܲሺ‫ڄ‬ሻ that determines the mapping of
minutiae in ܺ and ܻ can be de¿ned as follows: for ݅ ൌ ͳǡ ǥ ǡ ݉௑ ǡ ܲሺ݅ሻ ൌ ݆
if ܻ௝ is the closest to ܺ௜ among all ܻ௞ ‫ ܻ א‬such that ݉݉ሺܺ௜ ǡ ܻ௞ ሻ ൌ ͳ, and
ܲሺ݅ሻ ൌ٣ if no such ܻ௝ exists. Because each minutia ܻ௝ can be paired with at
most one minutia from ܺ, the above algorithm needs to mark all minutiae
in ܻ that have already been paired with a point in ܺ to enforce this
constraint.
The above approach will not ¿nd the optimum assignment (i.e., the one
that maximizes the number of mates) because to ¿nd such a pairing, a
minutia ܺ௜ might need to be paired with another minutia ܻ௝ , which is not
the closest to ܺ௜ . The optimum pairing can be achieved by formulating the
problem as an instance of minimum cost-maximum Àow, where
¿ngerprints ܺ and ܻ are used to create a Àow network. Then, this problem
can be solved using known algorithms, such as Ford-Fulkerson [26], and
others. In particular, [37, 58] use a Àow network representation of the
minutia pairing problem to ¿nd an optimal pairing, where there is an edge
from a node corresponding to minutia ܺ௜ ‫ܻ݋ݐܺ א‬௝ ‫ܻ݉݉ א‬൫ܺ௜ ǡ ܻ௝ ൯ ൌ

ͳ. We refer the reader to [37, 58] for additional details. For ¿ngerprints
consisting of m minutiae, the optimal pairing can be found in ܱሺ݉ଶ ሻ time
using a Ford-Fulkerson algorithm because each minutia from ܺ is
connected to, at most, a constant number of minutiae from Y. In a privacy-
preserving setting, however, when information about connections between
minutiae in ܺ and ܻ (and thus the structure of the graph) must remain
private, the complexity of this approach would increase. For example, a
solution based on [11] would result in complexity ܱሺ݉ଷ ݉ሻ, which is
substantially slower even for modest values of ݉. We therefore implement
the pairing approach based on the minimum distance outlined above. The
algorithm is not guaranteed to ¿nd the optimal pairing, but performs well
in the privacy-preserving setting.
For the purposes of this chapter, we assume that during ¿ngerprint
identi¿cation, the number of minutiae in a pairing is compared to a ¿xed
threshold ܶ. If, in speci¿c ¿ngerprint comparison algorithms this threshold
is not constant, but rather is a function of biometric templates ܺ and ܻ
being compared (e.g., a function of the number of points in each template),
280 Chapter Nine
our techniques can be easily extended to accommodate those variations as

well.
Fingerprint matching can also be performed using a diơerent type of
information extracted from a ¿ngerprint image. One example is
FingerCode [36], which uses texture information from a ¿ngerprint scan to
form ¿ngerprint representation ܺ. While FingerCodes are not as
distinctive as minutia-based representations and are best suited for use in
combination with minutiae to improve the overall accuracy of ¿ngerprint
comparisons [46], FingerCode-based identi¿cation can be implemented
very eƥciently in a privacy-preserving protocol. In particular, each
FingerCode consists of a ¿xed number ݉ elements of κ bits each. Then
FingerCodes ܺ ൌ ሺ‫ݔ‬ଵ ǡ ǥ ǡ ‫ݔ‬௠ ሻ and ܻ ൌ ሺ‫ݕ‬ଵ ǡ ǥ ǡ ‫ݕ‬௠ ሻ are considered a match
if the Euclidean distance between their elements is below the threshold ܶ:
௠ ǫ
ඨ෍ ሺ‫ݔ‬௜ െ ‫ݕ‬௜ ሻଶ ൏ ܶ (4)
௜ୀଵ
The technique we present in this chapter is substantially faster, in terms

of both computation and communication, than earlier techniques (e.g.,
from [5]). We then also proceed with providing a secure protocol for more
accurate (but less eƥcient) minutia-based matching algorithm.
3 Cryptographic Preliminaries
Security model. Intuitively, the level of security that a privacy-preserving
construction should achieve is the same as having the participants
privately send their inputs to a trusted third party who performs the
computation and privately sends the result back. Then a secure technique
should provide the same level of data privacy, but without assuming the
existence of such a trusted third party.
Our security model is the standard model for secure two-party
computation in the presence of semi-honest participants [27] (also known
as honest-but-curious or passive). In particular, it means that the parties
follow the prescribed behavior, but might try to compute additional
information from the information obtained during protocol execution.
Security in this setting is de¿ned using a simulation argument: The
protocol is secure if the view of protocol execution for each party is
computationally indistinguishable from the view simulated using that
party's input and output only. This means that the protocol execution does
not reveal any additional information to the participants. The de¿nition
below formalizes the notion of security for two semi-honest participants:
De¿nition 1 Let parties ܲଵ and ܲଶ engage in a protocol ߨ that computes

function݂ሺ݅݊ଵ ǡ ݅݊ଶ ሻ ൌ ሺ‫ݐݑ݋‬ଵ ǡ ‫ݐݑ݋‬ଶ ሻ, where ݅݊௜ and ‫ݐݑ݋‬௜ denote input and
output of party ܲ௜ , respectively. Let ܸ‫ܹܧܫ‬గ ሺܲ௜ ሻ denote the view of
participant ܲ௜ during the execution of protocol ߨ. More precisely, ܲ௜ 's
view is formed by its input, internal random coin tosses ‫ݎ‬௜ , and messages
݉ଵ ǡ ǥ ǡ ݉௧ passed between the parties during protocol execution:
ܸ‫ܹܧܫ‬గ ሺܲ௜ ሻ ൌ ሺ݅݊௜ ǡ ‫ݎ‬௜ ǡ ݉ଵ ǡ ǥ ǡ ݉௧ ሻ
We say that protocol ߨ is secure against semi-honest adversaries if for

each party ܲ௜ there exists a probabilistic polynomial time simulator ܵ௜
such that
൛ܵ௜ ൫݅݊௜ ǡ ݂௜ ሺ݅݊ଶ ǡ ݅݊ଶ ሻ൯ǡ ݂ሺ݅݊ଵ ǡ ݅݊ଶ ሻൟ ‫ ؠ‬ሼܸ‫ܹܧܫ‬గ ሺܲ௜ ሻǡ ሺ‫ݐݑ݋‬ଵ ǡ ‫ݐݑ݋‬ଶ ሻሽǡ
where ݂ሺ݅݊ଵ ǡ ݅݊ଶ ሻ denotes the ݅th element that ݂ሺ݅݊ଵ ǡ ݅݊ଶ ሻ outputs, and ''Ł''
denotes computational indistinguishability.
Homomorphic encryption. Our constructions use a semantically secure

additively homomorphic encryption scheme. Informally, semantic security
means that a computationally bounded adversary cannot learn any

information about the encrypted message from the ciphertext with more
than negligible probability in the security parameter (see, e.g., [27] for a
formal de¿nition). In an additively homomorphic encryption scheme
de¿ned by three algorithms ሺܵ݁‫݌ݑݐ‬ǡ ‫ܿ݊ܧ‬ǡ ‫ܿ݁ܦ‬ሻǡ ‫ܿ݊ܧ‬ሺ݉ଵ ሻ ȉ ‫ܿ݊ܧ‬ሺ݉ଶ ሻ ൌ
‫ܿ݊ܧ‬ሺ݉ଵ ൅ ݉ଶ ሻ for any two plaintexts ݉ଵ and ݉ଶ , which also implies that
‫ܿ݊ܧ‬ሺ݉ଵ ሻ௠మ ൌ ‫ܿ݊ܧ‬ሺ݉ଶ ȉ ݉ଵ ሻ, where plaintext ݉ଶ is known. While any
encryption scheme with the above properties (such as the well-known
Paillier encryption scheme [50]) suƥces for the purposes of this chapter,
the construction due to Damgård et al. [21, 20] (DGK) is of particular
interest here.
To be able to understand optimizations used in our techniques, we
brieÀy describe the relevant encryption schemes. In a Paillier encryption
scheme, a public key consists of a ݇-bit RSA modulus ܰ ൌ ‫ݍ݌‬, where ‫݌‬
and ‫ ݍ‬are prime numbers of bitlength ݇Ȁʹ, and ݇ is the security parameter,
and an element whose order is a multiple of ܰ in Ժ‫כ‬ேమ . Given a message
݉ ‫ א‬Ժே , encryption is performed as ‫ܿ݊ܧ‬ሺ݉ሻ ൌ ݃௠ ‫ ݎ‬௡ ݉‫ ܰ݀݋‬ଶ ǡ where
‫ ݎ‬՚ோ Ժே and notation ܽ ՚ோ ‫ ܣ‬means that ܽ is chosen uniformly at
random from the set ‫ܣ‬. In a DGK encryption scheme [21, 20], which was
282 Chapter Nine
designed to work with small plaintext spaces and has shorter cipher-text
size than other randomized encryption schemes, a public key consists of (i)
a (small, possibly prime) integer that de¿nes the plaintext space, (ii) ݇-bit
RSA modulus ܰ ൌ ‫ ݍ݌‬such that ‫ ݌‬and ‫ ݍ‬are ݇/2-bit primes, ‫ݒ‬௣ and ‫ݒ‬௤ are
‫ݐ‬-bit primes for another security parameter ‫( ݐ‬smaller than ݇), and
‫ݒݑ‬௣ ȁሺ‫ ݌‬െ ͳሻ and ‫ݒݑ‬௤ ȁሺ‫ ݍ‬െ ͳሻ, and (iii) elements ݃ǡ ݄ ‫ א‬Ժ‫כ‬ே such that ݃ has
order ‫ݒݑ‬௣ ‫ݒ‬௤ and ݄ has order ‫ݒ‬௣ ‫ݒ‬௤ . Given a message ݉ ‫ א‬Ժ௨ , encryption is
performed as ‫ܿ݊ܧ‬ሺ݉ሻ ൌ ݃௠ ݄௥ ݉‫ܰ݀݋‬, where ‫ ݎ‬՚ோ ሼͲǡͳሽଶǤହ௧ . We refer
the reader to the original publications [50] and [21,20] for any additional
information.
Garbled circuit evaluation. Originating in Yao's work [59], garbled

circuit evaluation allows two parties to securely evaluate any function
represented as a boolean circuit. The basic idea is that, given a Boolean
circuit composed of gates, one party ܲଵ creates a garbled circuit by
assigning to each wire two randomly chosen labels (one corresponding to
0 and the other corresponding to 1). ܲଵ also encodes gate information in a
way that, given labels corresponding to the input wires (encoding speci¿c
inputs), the label corresponding to the output of the gate on those inputs
can be recovered. The second party, ܲଶ , evaluates the circuit using labels
corresponding to inputs of both ܲଵ and ܲଶ (without learning anything in
the process, since ܲଶ does not know the meaning of the (random) labels
that it sees during evaluation). At the end, the result of the computation
can be recovered by linking the computed output labels to the bits which
they encode.
Recent literature provides optimizations that reduce computation and
communication overhead associated with circuit construction and
evaluation. Kolesnikov and Schneider [40] describe an optimization that
permits XOR gates to be evaluated for free, i.e., there is no communication
overhead associated with such gates, and their evaluation does not involve
cryptographic functions. Pinkas et al. [51] additionally give a mechanism
for reducing communication complexity of binary gates by 25%. Now
each gate can be speci¿ed by encoding only three outcomes of the gate
instead of all four. Finally, Kolesnikov et al. [39] improve the complexity
of certain commonly used operations such as addition, multiplication,
comparison, etc., by reducing the number of non-XOR gates. Adding two
݊-bit integers requires ͷ݊ gates, ݊ of which are non-XOR gates;
comparing two ݊-bit integers requires 4݊ gates, ݊ of which are non-XOR
gates; and computing the minimum of ‫݊ ݐ‬-bit integers (without the
location of the minimum value) requires 7݊(‫ ݐ‬í 1) gates, 2݊(‫ ݐ‬í 1) of
which are non-XOR gates. Garbling and evaluation of large circuits can
also be pipelined [32], so that the entire circuit does not have to reside in
memory.
With the above techniques, evaluating non-XOR gates involves one
invocation of the hash function [40] (which is assumed to be correlation
robust [42]) or one call to AES [7]. During garbled circuit evaluation, ܲଶ
directly obtains keys corresponding to ܲଵ 's inputs from ܲଵ and engages in
the oblivious transfer (OT) protocol to obtain keys corresponding to ܲଶ 's
inputs.
Oblivious Transfer. In 1-out-of-2 Oblivious Transfer, ܱܶଵଶ , one party, the

sender, has as its input two strings ݉଴ ǡ ݉ଵ and another party, the receiver,
has as its input a bit ܾ. At the end of the protocol, the receiver learns ݉௕
and the sender learns nothing. Similarly, in 1-out-of-ܰ OT the receiver
obtains one of the strings held by the sender. There is a rich body of
research literature on OT, and in this chapter we use its eƥcient
implementation from [47] as well as OT extension from [35] that reduces a
large number of OT protocol executions to ߢ of them, where ߢ is the
security parameter. This, in particular, means that, obtaining the keys
corresponding to ܲଶ 's inputs in garbled circuit evaluation by ܲଶ incurs only
small overhead. We note that there are other very recent OT extensions
such as [38] and [2] that further reduce the cost of OT and their usage in
our solution will reduce the overhead that we report.
4 Secure Iris Identification

In this section, we present our solution for biometric identi¿cation
based on iris codes. Our solution combines homomorphic encryption with
garbled circuit evaluation. The rationale behind building hybrid protocols
is that the use of homomorphic encryption will allow an encrypted
template ܺ to be used in comparisons to many ܻ ‫ܦ א‬, while garbled
circuits are very fast for certain operations such as comparisons, where
techniques based on homomorphic encryption are much more costly.
4.1 Structural Optimization of the Computation

As indicated in Equation 1, computing the distance between two iris
codes involves securely evaluating the division operation. While
techniques for conducting this operation using secure multi-party
computation are known (see, e.g., [3, 17, 9, 18]), their performance in
practice is often substantially slower than performance of other elementary
operations, which poses a problem for this application. For example,
284 Chapter Nine
according to [8], two-party evaluation of garbled circuits for division

produced by Fairplay [45] takes several seconds for numbers of length 24-
28 bits, but circuits for longer integers could not be constructed due to the
rapidly increasing memory requirements of Fairplay. More recent results
achieve faster circuit evaluation, but performance of this operation
normally is not reported1. Fortunately, in our case, the computation can be
rewritten to completely avoid this operation and replace it with
multiplication. That is, using the notation
‫ܦܪ‬ሺܺǡ ܻሻ ൌ ԡሺܺ ْ ܻሻ ‫ܯ ת‬ሺܺሻ ‫ܯ ת‬ሺܻሻԡΤԡ‫ܯ‬ሺܺሻ ‫ܯ ת‬ሺܻሻԡ

ൌ ‫ܦ‬ሺܺǡ ܻሻΤ‫ܯ‬ሺܺǡ ܻሻǡ
instead of testing whether ‫ܦܪ‬ሺܺǡ ܻሻ ൏ǫ ܶ, we can test whether

‫ܦ‬ሺܺǡ ܻሻ ൏ǫ ܶ ȉ ‫ܯ‬ሺܺǡ ܻሻ. While the computation of the minimum distance
as used in Equation 2 is no longer possible, we can replace it with
equivalent computation that does not increase its cost. Now the
computation becomes
‫ܦ‬൫ܺǡ ‫ ܵܮ‬஼ ሺܻሻ൯ ൏ǫ ܶ ȉ ‫ܯ‬൫ܺǡ ‫ ܵܮ‬஼ ሺܻሻ൯ ‫ ש‬ǥ ‫ܦ ש‬ሺܺǡ ܴܵ ஼ ሺܻሻሻ ൏ǫ ܶ (5)
‫ܯ ڄ‬ሺܺǡ ܴܵ ஼ ሺܻሻሻ
When this computation is carried out over real numbers, ܶ lies in the range
[0, 1]. In our case, it is desirable to carry out the computation over the
integers, which means that we ''scale up'' all values with the desired level
of precision. That is, by using κ bits to achieve desired precision, we
multiply ‫ܦ‬ሺܺǡ ܻሻ by ʹκ and let range between 0 and ʹκ . Now ʹκ ‫ܦ‬ሺܺǡ ܻሻ
and ܶ ‫ܯ ڄ‬ሺܺǡ ܻሻ can be represented using ‫ ۀ݉݃݋݈ڿ‬൅ κ bits.
4.2 Base Protocol

In what follows, we ¿rst describe the basic privacy-preserving protocol for
iris codes. The consecutive section presents optimizations and the resulting
performance of the protocol. At the high level, the solution consists of
using encrypted data to compute (partial) distances between biometric
templates, after which we switch to garbled circuit evaluation for ¿nishing
the computation and producing the ¿nal result.
1
Secure evaluation of the division operation in the multi-party setting was reported
in [30, 12, 1], but such techniques cannot be directly used in the two-party setting
that we employ.
With this approach, the client ‫ ܥ‬generates a public-private key pair

ሺ‫݇݌‬ǡ ‫݇ݏ‬ሻ for an additively homomorphic encryption scheme, and
distributes the public key ‫݇݌‬. This is a one-time setup cost for the client
for all possible invocations of this protocol with any number of servers.
During the protocol itself, the secure computation proceeds as speci¿ed in
Equation 5. In the beginning, ‫ ܥ‬sends its inputs encrypted with ‫ ݇݌‬to the
server ܵ. At the server side, the computation ¿rst proceeds using
homomorphic encryption, but later the client and the server convert the
intermediate result into a secret-shared form and ¿nish the computation
using garbled circuit evaluation. As mentioned before, we employ this
structure due to the fact that secure two-party computation of the
comparison operation is signi¿cantly faster using garbled circuit
evaluation, but the rest of the computation in our case is best performed on
encrypted values.
To compute ‫ܦ‬ሺܺǡ ܻሻ ൌ σ௠ ௜ୀଵሺܺ௜ ْ ܻ௜ ሻ ‫ܯ ר‬ሺܺ௜ ሻ ‫ܯ ר‬ሺܻ௜ ሻ using
algebraic computation, we use ܺ௜ ْ ܻ௜ ൌ ܺ௜ ሺͳ െ ܻ௜ ሻ ൅ ሺͳ െ ܺ௜ ሻܻ௜ and
obtain:
௠
‫ܦ‬ሺܺǡ ܻሻ ൌ ෍ሺܺ௜ ሺͳ െ ܻ௜ ሻ ൅ ሺͳ െ ܺ௜ ሻܻ௜ ሻ‫ܯ‬ሺܺ௜ ሻ‫ܯ‬ሺܻ௜ ሻǤ

௜ୀଵ
‫ܯ‬ሺܺǡ ܻሻ is computed as σ௠ ௜ୀଵ ‫ܯ‬ሺܺ௜ ሻ‫ܯ‬ሺܻ௜ ሻ. Then, if the server obtains

encryptions of ܺ௜ ‫ܯ‬ሺܺ௜ ሻǡ ሺͳ െ ܺ௜ ሻ‫ܯ‬ሺܺ௜ ሻ, and ‫ܯ‬ሺܺ௜ ሻ for each ݅ from the
client, it will be able to compute ‫ܦ‬ሺܺǡ ܻሻ and ‫ܯ‬ሺܺǡ ܻሻ using its knowledge
of the ܻ௜ 's and the homomorphic properties of the encryption. Figure 1
describes the protocol, in which after receiving ‫'ܥ‬s encrypted values, it
produces ‫ܿ݊ܧ‬ሺ‫ܯ‬ሺܺ௜ ሻሻ's and proceeds to compute ‫ܦ‬ሺܺǡ ܻ௝ ሻ and ‫ܯ‬ሺܺǡ ܻ௝ ሻ
in parallel for each ܻ in its database. Here ܻ௝ denotes the biometric
template ܻ shifted by ݆ positions, and ݆ ranges from െܿ to ܿ. At the end of
௝
steps 3(a).i and 3(a).ii, the server obtains ‫ܿ݊ܧ‬ሺʹκ‫ܦ‬ሺܺǡ ܻ௝ ሻ ൅ ‫ݎ‬ௌ ሻ for a
௝
randomly chosen ‫ݎ‬ௌ of its choice, and at the end of step 3(a).iii ܵ obtains
௝ ௝
‫ܿ݊ܧ‬ሺܶ ‫ܯ ڄ‬ሺܺǡ ܻ௝ ሻ ൅ ‫ݐ‬௦ ሻ for a random ‫ݐ‬ௌ of its choice. The server sends
these values to the client who decrypts them. Therefore, at the end of step
௝ ௝ ௝ ௝
3(a), ‫ ܥ‬holds ‫ݎ‬஼ ൌ ʹκ ‫ܦ‬ሺܺǡ ܻ௝ ሻ ൅ ‫ݎ‬ௌ and ‫ݐ‬஼ ൌ ܶ ȉ ‫ܯ‬ሺܺǡ ܻ௝ ሻ ൅ ‫ݐ‬ௌ , and ܵ
௝ ௝
holds െ‫ݎ‬ௌ and െ‫ݐ‬஼ , i.e., they additively share ʹκ ‫ܦ‬ሺܺǡ ܻ௝ ሻ and ܶ ‫ڄ‬
‫ܯ‬ሺܺǡ ܻ௝ ሻ.
What remains to be computed is ʹܿ ൅ ͳ comparisons (one per each ܻ௝ )
followed by ʹܿ, OR operations as speci¿ed by Equation 5. This is
௝
accomplished using garbled circuit evaluation, where ‫ ܥ‬enters ‫ݎ‬஼ 's and
286 Chapter Nine
௝ ௝ ௝
‫ݐ‬஼ 's and ܵ enters ‫ݎ‬ௌ 's and
a ‫ݐ‬ௌ 's, and they learn a bit, which indicates
whether ܻ wwas a match.
Figure 1. Secuure two-party protocol

p for iris identification.
௝ ௝ ௝ ௝
Note that since ‫ݎ‬஼ 's, ‫ݎ‬ௌ 's, ‫ݐ‬஼ 's and ‫ݐ‬ௌ 's are used as inputs to the garbled
circuit and will need to be added inside the circuit, we want them to be as
small as possible. Therefore, instead of providing unconditional hiding by
௝ ௝
choosing ‫ݐ‬ௌ and ‫ݎ‬஼ from Ժ‫כ‬ே (where ܰ is from ‫)݇݌‬, the protocol achieves
statistical hiding by choosing these random values to be ߢ bits longer than
the values that they protect, where ߢ is a security parameter (so that the
value ‫ ݐ‬௝ revealed to ‫ ܥ‬statistically hides the computed distance).
4.3 Optimizations
Pre-computation and oƫine communication. Similar to other literature
on secure biometric identi¿cation, we distinguish between oƫine and
online stages, where any computation and communication that does not
depend on the inputs of the participating parties can be moved to the
oƫine stage. In our protocol, we ¿rst notice that most modular
exponentiations (the most expensive operation in the encryption scheme)
can be precomputed. That is, the client needs to produce 2݉ encryptions
of bits. Because both ݉ and the average number of 0's and 1's in a
biometric template and a mask are known, the client can produce a
suƥcient number of bit encryptions in advance. In particular, ܺ normally
will have 50% of 0's and 50% of 1's, while 75% (or a similar number) of
‫ܯ‬ሺܺሻ's bits are set to 1 and 25% to 0 during processing. Let ‫݌‬଴ and ‫݌‬ଵ (‫ݍ‬଴
and ‫ݍ‬ଵ ) denote the fraction of 0's and 1's in an iris code (resp., its mask),
where ‫݌‬଴ ൅ ‫݌‬ଵ ൌ ‫ݍ‬଴ ൅ ‫ݍ‬ଵ ൌ ͳ. Therefore, to have a suƥcient supply of
ciphertexts to form tuples ‫ܽۃ‬௜ଵ ǡ ܽ௜ଶ ‫ۄ‬, the client needs to precompute
൫ʹ‫ݍ‬଴ ൅ ‫ݍ‬ଵ ሺ‫݌‬ଵ ൅ ߝሻ ൅ ‫ݍ‬ଵ ሺ‫݌‬଴ ൅ ߝሻ൯݉ ൌ ሺͳ ൅ ‫ݍ‬଴ ൅ ʹ‫ݍ‬ଵ ߝሻ݉ encryptions of
0 and ൫‫ݍ‬ଵ ሺ‫݌‬ଵ ൅ ߝሻ ൅ ‫ݍ‬ଵ ሺ‫݌‬଴ ൅ ߝሻ൯݉ ൌ ‫ݍ‬ଵ ሺͳ ൅ ʹߝሻ݉ encryptions of 1,
where ߝ is used as a cushion, since the number of 0's and 1's in might not
be exactly ‫݌‬଴ and ‫݌‬ଵ , respectively. Then at the time of the protocol the
client simply uses the appropriate ciphertexts to form its transmission.
Similarly, the server can precompute a sufficient supply of encryption
௝ ௝
of ‫ݎ‬ௌ ’s and ‫ݐ‬ௌ ’s for all records. That is, the server needs for produce
ʹሺʹܿ ൅ ͳሻȁ‫ܦ‬ȁ encryptions of diơerent random values of length ‫ ۀ݉ ڿ‬൅
κ ൅ ݇, where ȁ‫ܦ‬ȁ denotes the size of the database ‫ܦ‬. The server also
generates one garbled circuit per record ܻ in its database (for step 3(b) of
the protocol) and communicates the circuits to the client. In addition, the
most expensive part of the oblivious transfer can also be performed during
the oƫine stage, as detailed below.
288 Chapter Nine
Optimized multiplication. Server computation in steps 3(a).i and 3(a).iii

of the protocol can be signi¿cantly lowered as follows: To compute
ೕ ೕ ೕ ೕ
௝ ሺଵି௒೔ ሻெሺ௒೔ ሻ ௒ ெሺ௒೔ ሻ
ciphertexts ܾ௜ , ܵ needs to calculate ܽ௜ଵ ȉ ܽ௜ଵ೔ . Since the bits
௝ ௝
ܻ௜ and ‫ܯ‬ሺܻ௜ ሻ
are known to ܵ, this computation can be rewritten using one
of the following cases:
௝ ௝ ௝ ௝
x ܻ௜ ൌ Ͳ and ‫ܯ‬൫ܻ௜ ൯ ൌ Ͳ: In this case both ሺͳ െ ܻ௜ ሻ‫ܯ‬ሺܻ௜ ሻ and
௝ ௝ ௝
ܻ௜ ‫ܯ‬ሺܻ௜ ሻ are zero, which means that ܾ௜ should correspond to an
encryption of 0 regardless of ܽ௜ଵ and ܽ௜ଶ . Instead of having ܵ create
௝
an encryption 0, we set ܾ௜ to the empty value, i.e., it is not used in
the computation of ܾ ௝ in step 3(a).ii.
௝ ௝
x ܻ௜ ൌ ͳ and ‫ܯ‬൫ܻ௜ ൯ ൌ Ͳ: the same as above.
௝ ௝ ௝ ௝
x ܻ௜ ൌ Ͳ and ൫ܻ௜ ൯ ൌ ͳ: In this case ൫ͳ െ ܻ௜ ൯‫ܯ‬൫ܻ௜ ൯ ൌ ͳ and
௝ ௝ ௝
ܻ௜ ‫ܯ‬൫ܻ௜ ൯ ൌ Ͳ, which means that ܵ sets ܾ௜ ൌ ܽ௜ଵ .
௝ ௝ ௝ ௝
x ܻ௜ ൌ Ͳ and ൫ܻ௜ ൯ ൌ ͳ: in this case ൫ͳ െ ܻ௜ ൯‫ܯ‬൫ܻ௜ ൯ ൌ Ͳ and
௝ ௝ ௝
ܻ௜ ‫ܯ‬൫ܻ௜ ൯ ൌ ͳ, and ܵ therefore sets ܾ௜ ൌ ܽ௜ଶ .
௝
The above implies that only ‫ݍ‬ଵ ݉ ciphertexts ܾ௜ need to be added in step
3(a).ii to form ܾ ௝ (i.e.,‫ݍ‬ଵ ݉ െ ͳ modular multiplications to compute the
hamming distance between ݉-element strings).

௝
Similar optimization applies to the computation of ݀௜ and ݀ ௝ in step
௝ ௝
3(a).iii of the protocol. That is, when ‫ܯ‬൫ܻ௜ ൯ ൌ Ͳǡ ݀௜ is set to the empty
௝
value and is not used in the computation of ݀ ௝ ; when ‫ܯ‬൫ܻ௜ ൯ ൌ ͳǡ ܵ set
௝
݀௜ ൌ ܽ௜ଷ . Consequently, ‫ݍ‬ଵ ݉ ciphertexts are used in computing ݀ ௝ .
To further reduce the number of modular multiplications, we can adopt
the idea from [49], which consists of precomputing all possible
combinations for ciphertexts at positions ݅ and ݅ + 1, and reducing the
number of modular multiplications used during processing a database
௝ ௝
record in half. In our case, the value of ܾ௜ ܾ௜ାଵ requires computation only
௝ ௝
when ‫ܯ‬൫ܻ௜ ൯ ൌ ‫ܯ‬൫ܻ௜ାଵ ൯ ൌ ͳ. In this case, computing ܽ௜ଵ ܽሺ௜ାଵሻଵ,
ܽ௜ଵ ܽሺ௜ାଵሻଶ ܽ௜ଶ ܽሺ௜ାଵሻଵ, and ܽ௜ଶ ܽሺ௜ାଵሻଶ , for each odd ݅ between 1 and ݉ í 1
will cover all possibilities.
Note that these values need to be computed once for all possible shift
amounts of the biometric data (since only server's ܻ's are shifted).
Depending on the distribution of the set bits in each ‫ܯ‬ሺܻሻ, the number of
modular multiplication now will be between ‫ݍ‬ଵ ݉Ȁʹ (when ‫ܯ‬ሺܻ௜ ሻ ൌ
௠
‫ܯ‬ሺܻ௜ାଵ ሻ for each odd ݅) and ݉ሺ‫ݍ‬଴ ൅ ሺͳ െ ʹ‫ݍ‬଴ ሻȀʹሻ ൌ ሺ‫ܯ݄݊݁ݓ‬ሺܻ௜ ሻ ്
ଶ
‫ܯ‬ሺܻ௜ାଵ ሻ for as many odd ݅'s as possible). This approach can be also
applied to the computation of ݀ ௝ (where only the value of ܽ௜ଷ ܽሺ௜ାଵሻଷ needs
to be precomputed for each odd ݅) resulting in the same computational
savings during computation of the hamming distance. Furthermore, by
precomputing the combinations of more than two values additional
savings can be achieved during processing of each ܻ.
Optimized encryption scheme. As it is clear from the protocol

description, its performance crucially relies on the performance of the
underlying homomorphic encryption scheme for encryption, addition of
two encrypted values, and decryption. Instead of utilizing a general
purpose encryption scheme such as Paillier, we turn our attention to
schemes of restricted functionality which promise to oơer improved
ef¿ciency. In particular, the DGK additively homomorphic encryption
scheme [21, 20] was developed to be used for secure comparison, where
each ciphertext encrypts a bit. In that setting, it has faster encryption and
decryption time than Paillier and each ciphertext has size ݇ using a ݇-bit
RSA modulus (while Paillier ciphertext has size 2݇). To be suitable for our
application, the DGK scheme can be modi¿ed to work with plaintexts
longer than one bit used in its original design. In that case, at decryption
time, one needs to additionally solve the discrete logarithm problem where
the base is 2-smooth using a Pohlig-Hellman algorithm. This means that

decryption uses additional ܱሺ݊ሻ modular multiplications for -bit
plaintexts. Now recall that in the protocol we encrypt messages of length
‫ ۀ݉ ڿ‬൅ κ ൅ ߢ bits. The use of the security parameter ߢ signi¿cantly
increases the length of the plaintexts. We, however, notice that the DGK
encryption can be setup to permit arithmetic on encrypted values such that
all computations on the underlying plaintexts are carried modulo ʹ௡ for
௝ ௝
any ݊. For our protocol, it implies that (i) the blinding values ‫ݎ‬ௌ and ‫ݐ‬ௌ can
now be chosen from the range ሾͲǡ ʹ௡ െ ͳሿ, where ݊ ൌ ‫ ۀ݉ ڿ‬൅ κ, and
(ii) this provides information-theoretic hiding (thus improving the security
properties of the protocol). This observation has a profound impact not
only on the client decryption time in step 3(a).iv (which decreases by
about an order of magnitude), but also on the consecutive garbled circuit
evaluation, where likewise the circuit size is signi¿cantly reduced in size.
Circuit construction. We construct garbled circuits using the most

eƥcient techniques from [51] and references therein. By performing
addition modulo ʹ௡ and by eliminating gates which have a constant value
290 Chapter Nine
as one of their inputs, we reduce the complexity of the circuit for addition
to ݊ í 1 non-XOR gates and ͷሺ݊ െ ͳሻ െ ͳ total gates. Similarly, after
eliminating gates with one constant input, the complexity of the circuit for
comparison of ݊-bit values becomes ݊ non-XOR gates and Ͷ݊ െ ʹ gates
overall. Since in the protocol there are two additions and one comparison
per each ݆ followed by ʹܿ OR gates, the size of the overall circuit is
ͳͶሺ݊ െ ͳሻሺʹܿ ൅ ͳሻ ൅ ʹܿ gates, where ሺ͵݊ െ ʹሻሺʹ ൅ ͳሻ ൅ ʹܿ of which
are non-XOR gates. Note that this circuit does not use multiplexers, which
are required (and add complexity) during direct computation of minimum.
Oblivious transfer. The above circuit requires each party to supply

ʹ݊ሺʹܿ ൅ ͳሻ input bits, and a new circuit is used for each ܻ in ‫ܦ‬. Similar to
some other techniques, the combination of fast OT and OT extension (we
use [35] and [47]) achieves the best performance in our case. Let the
server create each circuit and the client evaluate them. Using the results of
[35], performing ܱܶଵଶ a total of ʹ݊ሺʹܿ ൅ ͳሻȁ‫ܦ‬ȁ times, where the client
receives a ݇-bit string as a result of each OT for a security parameter ݇,
can be reduced to ߢ invocations of ܱܶଵଶ (that communicates to the receiver
݇-bit strings) at the cost of Ͷߢ ‫݊ʹ ڄ‬ሺʹ݊ ൅ ͳሻȁ‫ܦ‬ȁ bits of communication and
Ͷ݊ሺʹܿ ൅ ͳሻ applications of a hash function for the sender and ʹ݊ሺʹܿ ൅ ͳሻ
applications for the receiver. Then ߢ ܱܶଵଶ protocols can be implemented
using the construction of [47] with low amortized complexity, where the
sender performs 2 + ߢ and the receiver performs 2ߢ modular

exponentiations with the communication of ʹ݇ ଶ bits and ߢ public keys.
The OT protocols can be performed during the offline stage, while the
additional communication takes place once the inputs are known.
Further reducing online communication. If transmitting 2݉ ciphertexts

during the online stage of the protocol (which amounts to a few hundred
KB for our set of parameters) constitutes a burden, this communication
can be performed at the oƫine stage before the protocol begins. This can
be achieved using the technique of [49], where the client transmits 2݉
encryptions of randomly chosen bits ‫ݑ‬ଵ ǡ ǥ ǡ ‫ݑ‬ଶ௠ during the oƫine stage,
and the online communication consists of 2݉ bits ‫ݒ‬ଵ ǡ ǥ ǡ ‫ݒ‬ଶ௠ . Each bit ‫ݒ‬௜
corresponds to the XOR of the bit ‫ݓ‬௜ that the client wants to use in the
protocol with the previously communicated random bit ‫ݑ‬௜ . After receiving
the 2݉-bit correction string ‫ݓ‬ଵ ْ ‫ݑ‬ଵ ǡ ǥ ǡ ‫ݓ‬ଶ௠ ْ ‫ݑ‬ଶ௠ , the server needs to
compute encryption of ‫ݓ‬௜ 's using ‫ܿ݊ܧ‬ሺ‫ݑ‬௜ ሻ and ‫ݒ‬௜ , which is done by
XORing ‫ݑ‬௜ and ‫ݒ‬௜ inside the encryption. Using ‫ݑ‬௜ ْ ‫ݒ‬௜ ൌ ‫ݑ‬௜ ሺͳ െ ‫ݒ‬௜ ሻ ൅
ሺͳ െ ‫ݑ‬௜ ሻ‫ݒ‬௜ ൌ ‫ݑ‬௜ ൅ ‫ݒ‬௜ െ ʹ‫ݑ‬௜ ‫ݒ‬௜ , we see that when ‫ݒ‬௜ ൌ Ͳ, the server can
simply set ‫ܿ݊ܧ‬ሺ‫ݓ‬௜ ሻ ൌ ‫ܿ݊ܧ‬ሺ‫ݑ‬௜ ሻ, but when ‫ݒ‬௜ ൌ ͳ, the server will need to
perform subtraction of (encrypted) ‫ݑ‬௜ . While subtraction is usually one of

the most expensive operations, note that because of our use of DGK
encryption with short plaintexts, the subtraction operations can be
performed on a ciphertext signi¿cantly faster than using generic full-
domain encryption schemes such as Paillier. The speed up is of the order
of ݇Ȁ݊ ൎ ͷͲ, where ݇ ൒ ͳͲʹͶ is the security parameter for a public-key
encryption scheme and ݊ ൌ ‫ ۀ݉ ڿ‬൅ κ ൌ ʹͲ is the length of the values
we operate on. Furthermore, this entire computation can be completely
removed from the online stage if, upon the receipt of ‫ܿ݊ܧ‬ሺ‫ݑ‬௜ ሻ, the server
computes ‫ܿ݊ܧ‬ሺͳ െ ‫ݑ‬௜ ሻ during the oƫine stage. Then when the protocol
begins, the server sets either ‫ܿ݊ܧ‬ሺ‫ݓ‬௜ ሻ ൌ ‫ܿ݊ܧ‬ሺ‫ݑ‬௜ ሻ or ‫ܿ݊ܧ‬ሺ‫ݓ‬௜ ሻ ൌ ‫ܿ݊ܧ‬ሺͳ െ
‫ݑ‬௜ ሻ depending on the bit ‫ݒ‬௜ it receives.
4.4 Security Analysis

Security of the iris protocol relies on the security of the underlying
building blocks. In particular, we need to assume that (i) the DGK
encryption scheme is semantically secure (which was shown under a
hardness assumption that uses subgroups of an RSA modulus [21, 20]);
(ii) garbled circuit evaluation is secure (which was shown in [41], but the
version we use [40] relies on a hash function which is assumed to be
correlation robust or otherwise modeled as a random oracle); and (iii) the
oblivious transfer is secure as well (to achieve this, techniques of [35]

require the hash function to be correlation robust and the use of a pseudo-
random number generator, while techniques of [47] model the hash
functions as a random oracle and use the computational Diƥe-Hellman
(CDH) assumption). Therefore, assuming the security of the DGK
encryption, CDH, and using the random oracle model for hash functions is
suƥcient for our approach.
To show the security of the protocol, we sketch how to simulate the
view of each party using its inputs and outputs alone. If such simulation is
indistinguishable from the real execution of the protocol, for semi- honest
parties this implies that the protocol does not reveal any unintended
information to the participants (i.e., they learn only the output and what
can be deduced from their respective inputs and outputs).
First, consider the client ‫ܥ‬. The client's input consists of its biometric
template ܺ, ‫ܯ‬ሺܺሻ and the private key, and its outputs consist of a bit for
each record in ܵ's database ‫ܦ‬. A simulator that is given these values
simulates ‫'ܥ‬s view by sending encrypted bits of ‫'ܥ‬s input to the server as
prescribed in step 1 of the protocol. It then simulates the messages
received by the client in step 3(a).iii using encryptions of two randomly
292 Chapter Nine
௝ ௝
chosen strings ‫ݎ‬஼ and ‫ݐ‬஼ of length ݊. The simulator next creates a garbled
௝
circuit for the computation given in step 3(b) that, on input client's ‫ݎ‬஼ 's and
௝
‫ݐ‬஼ 's, computes bit ܾ, sends the circuit to the client, and simulates the OT.
Note that the simulator can set the other party's inputs in such a way that
the computation results in bit ܾ. It is clear that given secure
implementation of garbled circuit evaluation in the real protocol, the client
cannot distinguish simulation from real protocol execution. Furthermore,
the values that ‫ ܥ‬recovers in step 3(a).iv of the protocol are distributed
identically to the values used in the real protocol execution that uses DGK
encryption (and they are statistically indistinguishable when other
encryption schemes are used).
Now consider the server's view. The server has its database ‫ܦ‬
consisting of ܻ, ‫ܯ‬ሺܻሻ, and the threshold.
ܶ as the input and no output. In this case, a simulator with access to ‫ܦ‬
¿rst sends to ܵ ciphertexts (as in step 1 of the protocol) that encrypt bits of
its choice. For each ܻ ‫ܦ א‬, ܵ performs its computation in step 3(a) of the
protocol, and forms garbled circuits as speci¿ed in step 3(b). The server
and the simulator engage in the OT protocol, where the simulator uses
arbitrary bits as its input to the OT protocol and the server sends the key-
value mapping for the output gate. It is clear that the server cannot
distinguish the above interaction from the real protocol execution. In
particular, due to semantic security of the encryption scheme, ܵ learns no

information about the encrypted values and due to security of OT ܵ, learns
no information about the values chosen by the simulator for the garbled
circuit.
4.5 Implementation and Performance

The implementation of the secure iris identi¿cation protocol that we
describe was performed in C using MIRACL library [34] for
cryptographic operations. It also used the DGK encryption scheme with a
1024-bit modulus and another security parameter ‫ ݐ‬set to 160, as suggested
in [21, 20]. To illustrate the advantage of the tools the solution utilizes, we
also give performance of selected experiments using Paillier encryption
[50]. The Paillier encryption scheme was implemented using a 1024-bit
modulus and a number of optimizations suggested in [50] for best
performance. In particular, a small generator ݃ = 2 was used to achieve
lower encryption time, and decryption is sped up using pre-computation
and Chinese remainder computation (see [50], section 7 for more detail).
The security parameters ݇ = 1024 for public-key cryptography and ߢ = 80
Secure and Effficient Iris and Fingerprint Ideentification 293
for symmettric and statistical security

y are used ffor compatibiility with
experimentss reported in other sourcess, while largeer security paarameters
would be prreferred todayy. The experiiments were rrun on an Inteel Core 2
Duo 2.13 GGHz machine running
r Linuxx (kernel 2.6.335) with 3GB of RAM
and gcc verssion 4.4.5.
Table 1. Brreakdown of the

t performa
ance of the iriis identi¿catio
on
protocol.
The tablle shows perfformance usin ng three diơerrent con¿guraations: (i)

the amount oof rotation ܿ was
w set to 5, (ii)
( no rotationn was used by y setting ܿ
= 0 (this is uused when thee images are well
w aligned, ee.g., during suupervised
image acquiisition or wheen simultaneou usly acquiringg images of bo
oth eyes),
and (iii) witth ܿ = 5 usingg Paillier encrryption insteaad of DGK sccheme. In
the table, w
we divide the computation
c and
a communiccation into oƫ ƫine pre-
computationn and online protocol
p execution. No inpputs are assummed to be
294 Chapter Nine
known by any party at pre-computation time. Some of the overhead

depends on the server's database size, in which case the computation and
communication are indicated per record (using notation ''/rec''). The
overhead associated with the part of the protocol that uses homomorphic
encryption is shown separately from the overhead associated with garbled
circuits. The oƫine and online computation for the part based on
homomorphic encryption is computed as described in Section 4.3. For
circuits, garbled circuit creation, communication, and some of OT is
performed at the oƫine stage, while the rest of OT (as described in
Section 4.3) and garbled circuit evaluation take place during the online
protocol execution. We also note that while the table lists computational
overhead of each party separately, the overall runtime for a single
biometric comparison will be approximately the runtime of the server
(which is typically faster than the client and is not expected to be the
bottleneck of the protocol) and the runtime of the server. The reason for
this is that computation is initially carried out on encrypted data by the
server, followed by the OT between the client and the server, followed by
the client evaluating the garbled circuit. When, however, the parties
perform a number of biometric comparisons, the amortized time per record
in the database is going to be lower (i.e., it is the maximum of the server's
and client's time instead of their sum) because all records can be evaluated
in parallel and the amount of communication is low.
As the table indicates, the design of the solution and the optimizations
employed in it allow for a particularly eƥcient performance. In particular,
comparison of two iris codes, which among other things includes
computation of 2(2ܿ + 1) = 22 Hamming distances (i.e., for the numerator
and denominator in Equation 1) over 2048-bit biometric templates in
encrypted form, is done in 0.15 sec. This is comparable in speed to the
latest developments in other functionalities (e.g., [32, 15, 54], which can
be used to compute the Hamming distance) and in part due to the use of
eƥcient DGK encryption scheme and other optimizations. When iris
images are well aligned and no rotation is necessary, our protocol requires
only 14 msec online computation time and under 2KB of data to compare
two biometric templates.
5 Secure Fingerprint Identification

Before proceeding with new techniques for ¿ngerprint identi¿cation based
on minutiae pairing, we ¿rst illustrate how the techniques given in this
chapter for iris identi¿cation can be applied to other types of biometric
computations such as FingerCodes. In particular, they can be used to
improve thee eƥciency off the secure prrotocol for FinngerCode iden
nti¿cation
in [5].
Figure 2. Secuure two-party protocol

p for Fin
ngerCode identi¿
¿cation.
5.1 FingerCode
F Identificatioon
The commputation invoolved in FingeerCode compaarisons is verry simple,
which resultts in an extremmely eƥcientt privacy-presserving realizaation. We
rewrite the computation in Equation 4 as σ௠ ଶ
௜ୀଵሺ‫ݔ‬௜ െ ‫ݕ‬௜ ሻ ൌ σ௜ୀ
௠ ଶ
ୀଵሺ‫ݔ‬௜ ሻ ൅
௠ ଶ ௠ ଶ
σ௜ୀଵሺ‫ݕ‬௜ ሻ െ σ௜ୀଵ ʹ‫ݔ‬௜ ‫ݕ‬௜ ൏ ܶ . In our protocol, the Euclidean diistance is
computed uusing homom morphic encry yption, while the compariisons are
performed uusing garbled circuits. The secure
s FingerC
rCode protoco ol is given
in Figure 2. The client coontributes enccryptions of െെʹ‫ݔ‬௜ and σሺ‫ݔ‬௜ ሻଶ to the
computationn, while thee server contributes σ ሺ‫ݕ‬௜ ሻଶ and computes c
encryption oof െʹ‫ݔ‬௜ ‫ݕ‬௜ froom െʹ‫ݔ‬௜ . Notte that by usinng ‫ܿ݊ܧ‬ሺെʹ‫ݔ‬௜ ሻ instead
of ‫ܿ݊ܧ‬ሺ‫ݔ‬௜ ሻ, the server's work
w for each ܻ is reduced , since negativ
ve values
typically usee signi¿cantlyy longer representations. Thhe protocol in
n Figure 2
uses DGK eencryption witth the plaintex xt space of ሾͲǡ ʹ௡ െ ͳሿ. To be
b able to
represent thhe Euclidean distance,
d we need to set݊݊ ൌ ‫ ۀ݉ ڿ‬൅ ʹκ ൅ ͳ,
where κ is the bitlengthh of elementss ‫ݔ‬௜ and ‫ݕ‬௜ . This impliess that all
computationn on plaintextss is performed d modulo ʹ௡ ; for instance, ʹ௡ െ ʹ‫ݔ‬௜
296 Chapter Nine
is used in sttep 1 to form m ‫ܿ݊ܧ‬ሺെʹ‫ݔ‬௜ ሻ. The circuit uused in step 2(c) 2 takes
two ݊-bit vvalues, adds themt modulo ʹ௡ , and com mpares the reesult to a
constant as ddescribed in Section
S 4.3.
Finally, some of the computation can be perfoormed oƫine. For the
client it inccludes precom mputing the random valuues used in the ݉+1
ciphertexts iit sends in steep 1 (i.e., the computation oof ݄௥ ݉‫))ܰ݀݋‬. For the
server it inccludes precom mputing ‫ܿ݊ܧ‬ሺሺ‫ݎ‬ௌ ሻ, preparingg a garbled circuitc for
each, and oone-time compputation of random valuess for ‫ܿ݊ܧ‬ሺσ௠ ௜ୀଵ
௜ ሺ‫ݕ‬ ଶ
௜ ሻ
ሻ
since the reeuse of cipherrtexts in this case does noot aơect secu urity. The
client and tthe server also perform some s of OT functionality prior to
protocol inittiation, as prevviously discusssed.
In literatture on FingerrCodes, each ¿ngerprint
¿ in tthe server's daatabase is
represented by ܿ FingerC Codes that corrrespond to ddiơerent orienttations of
the same ¿nngerprint, which improves the t accuracy oof comparison n. Then if
the client iss entitled to receiving
r all matches withhin the ܿ FingerCodes
correspondinng to the sam me ¿ngerprint,, our protocoll in Figure 2 computes
c
exactly this functionalityy. If, on the other
o hand, it is desirable to output
only a singlee bit for all ܿ instances of a ¿ngerprint, iit is easy to modify
m the
circuit evaluuated in step 2(c)
2 of the pro otocol to comppute the OR of o the bits
produced byy the original ܿ circuits.
Security. T The security of
o this protoco ol is straightfoorward to show w and we
omit the dettails of the siimulator from m the current ddescription. As A before,
by using onnly tools know wn to be securre and protectting the inform mation at
intermediatee stages, neithher the clientt nor the servver learns infformation
beyond whaat the protocoll prescribes.
Table 2. Brreakdown of the

t performa
ance of the Fin
ngerCode
identi¿catioon protocol.
Implementation and performance. The FingerCode parameters can

range as ݉= 16-640, κ = 4-8, and ܿ = 5. The implementation we report
uses parameters ݉ ൌ ͳ͸ and κ ൌ ͹ and therefore ݊ ൌ ͳͻ. The
performance of the secure FingerCode identi¿cation protocol is given in
Table 2. No inputs (ܺ or ܻ) are assumed to be known at the oƫine stage
when the parties compute (among other things) randomization values of
the ciphertexts. For that reason, a small ¿xed cost is acquired in the
beginning of the protocol to ¿nish forming the ciphertexts using the
inputs. We also note that, based on additional experiments, by using
Paillier encryption instead of DGK encryption, the server's online work
increases by an order of magnitude, even if packing of multiple elements
into a single ciphertext is used with Paillier encryption.
It is evident that the overhead reported in the table is minimal and the
protocol is suitable for processing ¿ngerprint data in real time. For
example, for a database of 320 records (64 ¿ngerprints with 5 FingerCodes
each), client's online work is 0.35 sec and the server's online work is 0.45
sec, with online communication of 277KB. As can be seen from these
results, computation is no longer the bottleneck and this secure two-party
protocol can be carried out very eƥciently.
5.2 Minutia-Based Fingerprint Identification

We next present a secure protocol for minutia-based ¿ngerprint

identi¿cation. It preserves the high-level idea of using homomorphic
encryption for computing the distance between minutia points and garbled
circuit evaluation for comparisons, but introduces a number of new
techniques. At high-level, computing the pairing between the minutiae of
two ¿ngerprints ܺ ൌ ‫ۃ‬ሺ‫ݔ‬ଵ ǡ ‫ݕ‬ଵ ǡ ܽଵ ሻǡ ǥ ǡ ሺ‫ݔ‬௠೉ ǡ ‫ݕ‬௠೉ ǡ ܽ௠೉ ሻ‫ ۄ‬and ܻ ൌ
‫ۃ‬ሺ‫ݔ‬ଵᇱ ǡ ‫ݕ‬ଵᇱ ǡ ܽଵᇱ ሻǡ ǥ ǡ ሺ‫ݔ‬௠
ᇱ
೉
ᇱ
ǡ ‫ݕ‬௠ ೉
ᇱ
ǡ ܽ௠ ೉
ሻ‫ ۄ‬based on minimum distances between
the points proceeds in iterations as follows. ‫ ܥ‬and ܵ maintain an ݉௒ -bit
array ‫ܯ‬, the ݅-th bit of which indicates whether minutia ܻ௜ has been
marked or not. Initially, all bits of ‫ ܯ‬are set to 0. For ݅ ൌ ͳǡ ǥ ǡ ݉௑ ,
perform:
1. Compute the set ܼ of minutiae from ܻ matching ܺ௜ that have not

been marked, i.e., ܼ ൌ ൛ܻ௝ ȁ݉݉൫ܺ௜ ǡ ܻ௝ ൯and‫ܯ‬ሾ݆ሿ ൌ Ͳൟ.
2. Compute the minutiaܻ௞ (if any) from ܼ with the minimum (spatial)
distance from ܺ௜ , and set ‫ܯ‬ሾ݇ሿ ൌ ͳ.
To preserve secrecy of the data, each bit of the array ‫ ܯ‬is maintained by ‫ܥ‬
and ܵ in XOR-split form, i.e., ‫ ܥ‬stores ‫ܯ‬஼ ሾ݅ሿ and ܵ stores ‫ܯ‬ௌ ሾ݅ሿ such that
298 Chapter Nine
‫ܯ‬ሾ݅ሿ ൌ ‫ܯ‬஼ ሾሾ݅ሿ ْ ‫ܯ‬ௌ ሾ݅ሿ. During

D each iteration
i of thhe computatio on, at the
end of step 2 above, ‫ ܥ‬annd ܵ obtain XO OR-shares off an array ‫ ܣ‬th hat has bit
set to 1 and all other bits set to 0 (and all bits are seet to 0 if no pairing for
ܺ௜ exists). B
Both ‫ ܥ‬and ܵ update
u hare of ‫ ܣ‬by X
their sh XORing the share of ‫ܣ‬
that they recceived with thhe current shaare of ‫ܯ‬. Thiss ensures that the array
‫ ܯ‬is properlly maintained.
Figure 3. Secure two-partyy protocol for minutia-based

m ¿
¿ngerprint identti¿cation
In the beginning of the protocol, the client sends information about its
¿ngerprint ܺ. For best performance, the solution utilizes DGK encryption
with two pairs of keys. The ¿rst pair ሺ‫݇݌‬ǡ ‫݇ݏ‬ሻ is used for encrypting
spatial coordinates ‫ݔ‬௜ ǡ ‫ݕ‬௜ and computing Euclidean distance between
points, and the second pair ሺ‫݇݌‬ଶ ǡ ‫݇ݏ‬ଶ ሻ is used for encrypting orientation
information ߙ௜ and directional diơerence. Therefore, we set the plaintext
space ‫ ݑ‬ൌ ʹଶκାଶ in ‫݇݌‬ଵ , where κ is the bitlength of coordinates ‫ݔ‬௜ , ‫ݕ‬௜ ,
and ‫ ݑ‬ൌ ͵͸Ͳ in ‫݇݌‬ଶ . This implies that computing ܽ௝ᇱ െ ܽ௜ on encrypted
values will automatically result in the value being reduced modulo 360,
which simpli¿es computation with the directional diơerence in this form.
Also note that, while decryption in the DGK encryption scheme involves
solving the discrete logarithm, when ‫ ݑ‬ൌ ͵͸Ͳ, this can be achieved at
low cost using the Pohlig-Hellman algorithm, because 360 has only small
factors.
Our secure ¿ngerprint identi¿cation protocol is given in Figure 3. At
iteration, after computing the distances in encrypted form (step 2(b).i) and
decrypting them in a secret-shared form (step 2(b).ii), the parties engage in
garbled circuit evaluation using a circuit that performs the main
computation and produces an ݉௒ -bit vector ‫ ܣ‬with at most one bit set to
one, indicating the position of the mate of minutia ܺ௜ . This (optimized)
circuit is the most involved part of the protocol, and is discussed in detail
below. At the end of each iteration, the vector ‫ ܯ‬is updated with the
output of the circuit. And after all iterations have been performed, the rest
of the protocol consists of counting the number of marked elements in and
comparing that number to the threshold ܶ. This is done using an additional
garbled circuit, where the client learns the output bit.
Note that the protocol requires that both parties know the number of
minutiae in client ܺ and server ܻs, which is assumed not to leak
information about the ¿ngerprints themselves. While biometric images of
similar quality are expected to have similar numbers of minutiae, if for the
purposes of this computation ݉௑ and ݉௒ are considered to be sensitive
information, the ¿ngerprints can be slightly padded to always use the same
number ݉ of minutia points. This can be achieved by agreeing on a ¿xed
݉ and inserting fake elements into each ¿ngerprint until its size becomes
݉. The fake elements should not aơect the result of the computation,
which means that the fake elements of client's ܺ should not match either
the original or fake elements of any ܻ. The easiest way to ensure this is by
setting fake ‫ݔ‬௜ in ܺ to its maximum value plus ݀଴ and by setting fake ‫ݔ‬௝ᇱ in
each ܻ to its maximum value plus ʹ݀଴ . This slightly increases the range of
values that spatial distances between minutia points can take, but is not
likely to result in additional overhead due to the increased space (i.e., the
300 Chapter Nine
overhead can increase only when the bitlength needed to represent the
distances grows).
We design the circuit in step 2(b).iii of the protocol to minimize the
number of comparisons. In particular, each directional diơerence ܽ௝ᇱ െ ܽ௜
is compared to the threshold ߙ଴ in the beginning, and if it exceeds the
threshold, the corresponding distance between ܺ௜ and ܻ௝ is modi¿ed so that
it will not be chosen as the minimum. This is done by prepending the
resulting bit of computation ሺሺܽ௝ᇱ െ ܽ௜ ሻ ൒ ܽ଴ ‫ ר‬ሺ൫ܽ௝ᇱ െ ܽ௜ ൯ ൑ ሺ͵͸Ͳ െ ܽ଴ ሻሻ
to the spatial distance between ܺ௜ and ܻ௝ (as the most signi¿cant bit). The
same technique is used to ensure that marked minutiae from ܻ are not
selected as well. What remains to be done is to verify what spatial
distances fall below the threshold and compute the minimum of such
values. In the (oblivious) garbled circuit, instead of ¿rst comparing each
distance to the threshold and then computing the minimum of (possibly
modi¿ed) distances, the solution directly computes the minimum and then
compares the minimum to the threshold. This reduces the number of
distance comparisons from ʹ݉௒ െ ͳ‫݉݋ݐ‬௒ . The two previously
prepended bits are preserved throughout the comparisons, and the ¿nal
result will have no mate for ܺ௜ selected if the computed minimum
(squared) distance is not below the threshold ሺ݀଴ ሻଶ .
Both the computation of the minimum and creation of vector ‫ ܣ‬require
the use of multiplexers in the circuit. In particular, after comparing the two
values ܽଵ andܽଶ , one type of multiplexer used in our circuit chooses either
the bits of ܽଵ orܽଶ based on the resulting bit of the comparison. This
permits the computation of the minimum in a hierarchical manner using a
small number of non-XOR gates as described in [39]. We also use
multiplexers to collect information about ‫ ܣ‬throughout the circuit. In
particular, after a single comparison of distances ܽଵ andܽଶ , the portion of
‫ ܣ‬corresponding to these two bits will be chosen to be either 01 or 10.
Suppose that after comparing ܽଵ andܽଶ , this value is 01 and after
comparing ܽଷ andܽସ , the value is 10. Then, after performing the
comparison of ሺܽଵ ǡ ܽଶ ሻ and ሺܽଷ ǡ ܽସ ሻ, either 0100 or 0010 will be
chosen as the current portion of ‫ܣ‬. This process continues until the overall
minimum and the entire ‫ ܣ‬is computed. This value of ‫ ܣ‬will have a single
bit set to 1, and after the ¿nal comparison of the minimum with the
threshold, ‫ ܣ‬will either remain unchanged or will be reset to contain all 0s.
Figure 4 shows the initial computation in the circuit performed for
each value of ݆, where ݊ ൌ ʹκ ൅ ʹ, and Figure 5 shows the computation
of the minimum and the output for a toy example of ݉௒ ൌ Ͷ. In Figure 4,
௝ ௝
after adding ‫ݐ‬஼ and െ‫ݐ‬஼ (mod 360) together, the sum is compared to 360.
Figure 4. Com
mponent of circcuit in ¿ngerprin
nt identi¿cationn protocol perfo
ormed for
f݆ ‫ א‬ሾͳǡ ݉௒ ሿ.
each value of
Figure 5. Computation off minimum an

nd its index iin circuit of ¿ngerprint
¿
identi¿cation.
If it exceeds the value, 360 3 is subtraccted from thee sum (in our concrete
realization tthe subtractedd value is bittwise AND oof the outcom me of the
comparison and each bit of the binary representatioon of 360). Fin nally, the
resulting value is comparred to two thrresholds and tthe result is prepended
p
௝ ௝
to the spatiaal distance ‫ݎ‬஼ െ ‫ݎ‬ௌ . In Figu
ure 4, multipleexer ݉‫ݔݑ‬ଵ ch
hooses the
smaller valuue based on thhe result of thhe comparisonn, ݉‫ݔݑ‬ଶ chooses either
01 or 10, bbased on the result
r of the comparison, ݉ ݉‫ݔݑ‬ଷ choosees a 4-bit
302 Chapter Nine
string based on its inputs from two multiplexers ݉‫ݔݑ‬ଶ and the outcome of
another comparison, and ݉‫ݔݑ‬ସ chooses either its input from ݉‫ݔݑ‬ଷ or a
zero string based on the result of the ¿nal comparison. The server (circuit
creator) supplies a stream of random bits ‫ܣ‬ௌ to the circuit, and the client
learns the outcome of the XOR of that stream and the output of the last
multiplexer.
Precomputation. Precomputation in this protocol takes a similar form to

that in the FingerCode protocol. Namely, the random values (݄௥ mod ܰ) in
௝ ௝
the ciphertexts are precomputed and the server chooses all ‫ݎ‬ௌ and ‫ݐ‬ௌ in
advance and encrypts them. Furthermore, omitting randomness in the
ଶ
encrypted values ‫ܿ݊ܧ‬ሺ൫‫ݔ‬௝ᇱ ൯ ൅ ሺ‫ݕ‬௝ᇱ ሻଶ ሻ at the server side does not
compromise security and thus the server skips precomputing the
randomization component of such ciphertexts (and assumes ݄௥ mod ܰ =
1) for each and each ܻ ‫ܦ א‬, resulting in substantial savings. In addition, all
garbled circuits are created and transferred in advance, as well as that the
expensive portion of the OT is performed in advance. Note that it is
suƥcient to have two input wires to implement all constants in the circuit
such as 360, ߙ଴ ,݀଴ଶ , inputs to the multiplexers, etc.
Security. As before, it is easy to show that the protocol is secure, where

the simulator relies on the security of the encryption scheme, garbled

circuits, and OT.
Implementation and performance. To show the performance of the

protocol, we use a grid of size 250 × 250 for minutiae coordinates, which
means that each ‫ݔ‬௜ ǡ ‫ݕ‬௜ ‫ א‬ሾͲǡ ʹͶͻሿ and κ is set to 8. In the experiments that
follow, ݉ ൌ ݉௑ ൌ ݉௒ with two values of 20 and 32 minutia per
¿ngerprint. It is clear that the protocol incurs cost quadratic in ݉ and is
expected to have higher overhead than two previous iris and FingerCode
protocols. Table 3 shows performance of our secure minutia-based
¿ngerprint comparisons. The online work is dominated by ʹ݉ଶ
decryptions at the client side and adds up to 0.73 sec per ¿ngerprint
comparison for ݉ ൌ ʹͲ and 1.88 sec for ݉ ൌ ͵ʹ. The circuit evaluated
by the client in step 2(b).iii of the protocol has 2372 non-XOR and 8836
total gates for ݉ ൌ ʹͲ, and 3820 non-XOR and 14212 total gates for
݉ ൌ ͵ʹ. It is evaluated ݉ times by the client for each . The circuit
evaluated by the client in step 2(c) of the protocol has 39 non-XOR and
153 total gates for ݉ = 20 and 63 non-XOR and 246 total gates for ݉ =
32. It is evaluated once for each ܻ.
We also would like too mention thatt a protocol soolely based on n garbled
circuit evalluation for thhis type of computation
c is likely to result in
comparable or possibly even faster perrformance duee to recent adv vances in
the speed off garbled circuuit evaluation and OT extennsions (such as
a [7] and
[38, 2], resppectively). Too realize that, the circuit w
would need too perform
additional ʹ ʹ݉ଶ multipliications (as well as addditional additions and
subtractionss) per ܻ, withh the addition nal number oof gates exceeeding the
current num mber of gatees in the cirrcuits. This m means that using
u the
techniques tthat we impllement the oƫ ƫine work aassociated witth circuit
constructionn (per ܻ) willl increase, buut the online ccommunicatio on should
decrease.
Table 3. Breeakdown of the

t performan
nce of the ¿nggerprint iden
nti¿cation
protocol.
6S
Summary of
o Design Principles
P aand Resultss
The prootocol designn presented in this chappter suggestss certain
principles thhat lead to an eƥcient implementation oof a privacy-p preserving
protocol forr biometric identi¿cation. First,
F notice thhat in the com mputation
described inn this chapter, as well as in other literatuure, a distancee between
biometric teemplate ܺ annd each biomeetric templatee in the daatabase is
¿rstly compputed, followeed by a comp parison operaation. The co omparison
ne whether thee distance ݀݅‫ݐݐݏ‬ሺܺǡ ܻሻ is
can be perfoormed to eitheer (i) determin
304 Chapter Nine
below a certain threshold (where the threshold can be speci¿c to each ܻ or

¿xed for all ܻ) or (ii) determine whether the minimum of all distances
݀݅‫ݐݏ‬ሺܺǡ ܻሻ is below a certain threshold. In both cases, an equivalent
number of comparisons is performed. Several existing eƥcient protocols
compute the distance function using homomorphic encryption, but then
resort to a diơerent technique for the comparisons. Therefore, the client
¿rst communicates its encrypted biometric template to the server, the
server next computes the distances, and both the client and the server
become involved in the comparison protocol. We thus obtain the
following:
1. Representation of client's biometric data matters. The server's work

for processing each record in its database can be signi¿cantly
reduced if the client's data is provided in the form that optimizes
server's computation (for instance, computing ‫ܿ݊ܧ‬ሺെܽሻ from
‫ܿ݊ܧ‬ሺܽሻ could be one of the most expensive operations). This one-
time cost at the client's side has far-reaching consequences for the
performance of the overall protocol.
2. Operations that manipulate bits are the fastest outside encryption.
Any protocol for biometric identi¿cation is expected to use
comparisons. Despite recent advances in the techniques for
carrying out secure comparisons over encrypted data which make
them practical (e.g., [21]), garbled circuit evaluation is better suited

for a large volume of such operations. Furthermore, when the range
of values being compared is small and many comparisons are
necessary, additional techniques such as OT can be utilized at low
cost [49].
3. A substantial speedup can be seen from proper tuning of encryption
tools. Privacy-preserving protocols that rely on homomorphic
encryption can bene¿t immensely from a wise choice of an
encryption scheme and its usage. Traditionally, packing was used
to reduce overheads of privacy-preserving protocols, including
asymptotic complexity (see, e.g., [44] for an example). When
computation is carried out on integers of small size, alternative
encryption schemes such as DGK or additively homomorphic
ElGamal implemented over elliptic curves can signi¿cantly
improve performance. The performance that the solutions presented
in this chapter achieve would not be possible without the right
choice of encryption schemes.
Using these principles and a number of new techniques, in this chapter we

demonstrate secure protocols for iris and ¿ngerprint identi¿cation that use
standard biometric recognition algorithms. The optimization techniques
employed in this chapter allow for fast performance of three secure
biometric identi¿cation protocols:
• One of the ¿rst privacy-preserving two-party protocols for iris codes

using current biometric recognition algorithms. Despite the length
of iris codes' representation and complexity of their processing, the
protocol we present allows a secure comparison between two
biometric templates to be performed in 0.15 seconds with
communication of under 18KB. Furthermore, when the iris codes
are known to be well-aligned and their rotation is not necessary, the
overhead decreases by an order of magnitude to 14 msec
computation and 2KB communication per comparison.
• A privacy-preserving and extremely eƥcient two-party protocol for
FingerCodes used for low-cost ¿ngerprint recognition. Comparing
two ¿ngerprints requires approximately 1 msec of computation,
allowing thousands of biometric templates to be processed in a
matter of seconds. Communication overhead is also very modest
with less than 1KB per biometric comparison.
• Secure ¿ngerprint recognition based on minutiae pairings that utilizes
most complex algorithms over unordered sets with spatial and

directional diơerences. The implementation results suggest that
such secure ¿ngerprint identi¿cation can be performed using
approximately 1 second per record.
7 Further Reading
Most of the material presented in this chapter appeared in [10]. Two
privacy-preserving approaches for FingerCodes (with higher overhead) are
available in [5] and in [33]. Minutia-based ¿ngerprint matching (also with
higher overhead) is available in [55]. Additionally, some publications
(e.g., [25]) propose alternative mechanisms for privacy-preserving
authentication (as opposed to identi¿cation) without using standard
algorithms for comparing two biometric templates.
A number of publications [24, 53, 49] target the problem of privacy-
preserving face recognition. The ¿rst two of these [24, 53] build solutions
based on the Eigenfaces algorithm (where [53] improves the performance
of the technique in [24]), while [49] designs a new face recognition
algorithm together with its privacy-preserving realization called SciFi. The
306 Chapter Nine
design aimed to simultaneously address the robustness of the face

recognition algorithm to diơerent viewing conditions and eƥciency when
used for secure computation. Several papers have since improved on the
techniques used in SciFi [32, 15, 54].
The problem of privacy-preserving iris matching has been addressed in
[43] and [16] using garbled circuits. Luo et al. [43] reduce computational
cost of iris matching by using a common mask between the two protocol
participants, although at the cost of a slight increase of false accept and
false reject rates. Bringer et al. [16] use ¿ltering techniques to improve
performance of secure iris matching.
There are also publications that treat biometric authentication with
privacy protection without implementing an exact algorithm used to
compare a speci¿c biometric modality. For example, [13] describes a
biometric authentication mechanism where the Hamming distance is used
as the distance metric, and the authentication server is composed of three
entities that must not collude. Consequently, [4] extends that work with a
classi¿er.
Generally, secure multi-party computation techniques can also be used
for secure biometric identi¿cation, and literature on this topic is extensive.
Starting from the seminal work on garbled circuit evaluation [59, 28], it
has been known that any function can be securely evaluated by
representing it as a boolean circuit. Similar results are also known for
securely evaluating any function using secret sharing techniques (e.g.,

[52]) or homomorphic encryption (e.g., [19]). In the last several years a
number of tools have been developed for automatically creating a secure
protocol from a function description written in a high-level language.
Examples include Fairplay [45], VIFF [22], TASTY [29], PICCO [60],
and others. It is, however, usually the case that custom optimized protocols
constructed for speci¿c applications outperform solutions based on general
techniques. Such custom solutions are known for a wide range of
application (e.g., set operations, DNA matching, k-means clustering, etc.),
and this chapter focuses on secure biometric identi¿cation using iris codes
and ¿ngerprints. Furthermore, some of the optimizations presented in this
chapter can ¿nd their uses in protocol design for other applications, as well
as general compilers and tools such as TASTY [29].
An overview of privacy-preserving biometric identi¿cation is
presented in [14].
References
[1] M. Aliasgari, M. Blanton, Y. Zhang, and A. Steele. Secure
computation on Àoating point numbers. In Network and Distributed
System Security Symposium (NDSS), 2013.
[2] G. Asharov, Y. Lindell, T. Schneider, and M. Zohner. More eƥcient
oblivious transfer and extensions for faster secure computation. In
ACM Conference on Computer and Communications Security (CCS),
pages 535-548, 2013.
[3] M. Atallah, M. Bykova, J. Li, K. Frikken, and M. Topkara. Private
collaborative forecasting and benchmarking. In ACM Workshop on
Privacy in the Electronic Society (WPES), pages 103-114, 2004.
[4] M. Barbosa, T. Brouard, S. Cauchie, and S. de Sousa. Secure biometric
authentication with improved accuracy. In Australasian conference on
Information Security and Privacy (ACISP), pages 21-36, 2008.
[5] M. Barni, T. Bianchi, D. Catalano, M. Di Raimondo, R. Labati, P.
Failla, D. Fiore, R. Lazzeretti, V. Piuri, F. Scotti, and A. Piva. Privacy-
preserving ¿ngercode authentication. In ACM Workshop on
Multimedia and Security (MM&Sec), pages 231-240, 2010.
[6] N. Barzegar and M. Moin. A new user dependent iris recognition
system based on an area preserving pointwise level set segmentation
approach. EURASIP Journal on Advances in Signal Processing, pages
1-13, 2009.
[7] M. Bellare, V. T. Hoang, S. Keelveedhi, and P. Rogaway. Eƥcient
garbling from a ¿xed-key blockcipher. In IEEE Symposium on Security
and Privacy, pages 478-492, 2013.
[8] M. Blanton. Empirical evaluation of secure two-party computation
models. Technical Report TR 2005-58, CERIAS, Purdue University,
2005.
[9] M. Blanton and M. Aliasgari. Secure computation of biometric
matching. Technical Report 2009-03, Department of Computer Science
and Engineering, University of Notre Dame, 2009.
[10] M. Blanton and P. Gasti. Secure and eƥcient protocols for iris and
¿ngerprint identi¿cation. In European Symposium on Research in
Computer Security (ESORICS), pages 190-209, 2011.
[11] M. Blanton, A. Steele, and M. Aliasgari. Data-oblivious graph
algorithms for secure computation and outsourcing. In ACM
Symposium on Information, Computer and Communications Security
(ASIACCS), pages 183-194, 2013.
[12] D. Bogdanov, M. Niitsoo, T. Toft, and J. Willemson. High-
performance secure multi-party computation for data mining
308 Chapter Nine
applications. International Journal of Information Security, 11(6):403-

418, 2012.
[13] J. Bringer, H. Chabanne, M. Izabachene, D. Pointcheval, Q. Tang,
and S. Zimmer. An application of the Goldwasser-Micali cryptosystem
to biometric authentication. In Australasian conference on Information
Security and Privacy (ACISP), volume 4586 of LNCS, pages 96-106,
2007.
[14] J. Bringer, H. Chabanne, and A. Patey. Privacy-preserving biometric
identi¿cation using secure multi- party computation: An overview and
recent trends. IEEE Signal Processing Magazine, 30(2):42-52, 2013.
[15] J. Bringer, H. Chabanne, and A. Patey. SHADE: Secure Hamming
distance computation from oblivious transfer. In Financial
Cryptography Workshops, volume 7862 of LNCS, pages 164-176.
Springer, 2013.
[16] J. Bringer, M. Favre, H. Chabanne, and A. Patey. Faster secure
computation for biometric identi¿cation using ¿ltering. In IAPR
International Conference on Biometrics (ICB), pages 257-264, 2012.
[17] P. Bunn and R. Ostrovsky. Secure two-party k-means clustering. In
ACM Conference on Computer and Communications Security (CCS),
pages 486-497, 2007.
[18] O. Catrina and A. Saxena. Secure computation with ¿xed-point
numbers. In Financial Cryptography and Data Security, pages 35-50,
2010.
[19] R. Cramer, I. Damgård, and J. Nielsen. Multiparty computation from
threshold homomorphic encryption. In Advances in Cryptology -
EUROCRYPT, pages 280-300, 2001.
[20] I. Damgård, M. Geisler, and M. Krøigård. A correction to eƥcient
and secure comparison for on-line auctions. Cryptology ePrint
Archive, Report 2008/321, 2008.
[21] I. Damgård, M. Geisler, and M. Krøigård. Homomorphic encryption
and secure comparison. Journal of Applied Cryptology, 1(1):22-31,
2008.
[22] I. Damgård, M. Geisler, and M. Krøigård. Asynchronous multiparty
computation: Theory and implementation. In Public Key Cryptography
(PKC), pages 160-179, 2009.
[23] J. Daugman. How iris recognition works. IEEE Transactions on
Circuits and Systems for Video Technology, 14(1):21-30, 2004.
[24] Z. Erkin, M. Franz, J. Guajardo, S. Katzenbeisser, I. Lagendijk, and
T. Toft. Privacy-preserving face recognition. In Privacy Enchancing
Technologies Symposium (PETS), pages 235-253, 2009.
[25] Q. Feng, F. Su, and A. Cai. Privacy-preserving authentication using
¿ngerprint. International Journal of Innovative Computing,

Information and Control, 8(11):8001-8018, 2012.
[26] L. Ford and D. Fulkerson. Flows in Networks. Princeton University
Press, 1962.
[27] O. Goldreich. Foundations of Cryptography: Volume 2, Basic
Applications. Cambridge University Press, 2004.
[28] O. Goldreich, S. Micali, and A. Wigderson. How to play any mental
game or a completeness theorem for protocols with honest majority. In
ACM Symposium on Theory of Computing (STOC), pages 218-229,
1987.
[29] W. Henecka, S. Kogl, A.-R. Sadeghi, T. Schneider, and I.
Wehrenberg. TASTY: Tool for Automating Secure Two-party
computations. In ACM Conference on Computer and Communications
Security (CCS), pages 451-462, 2010.
[30] T. Hoens, M. Blanton, and N. Chawla. A private and reliable
recommendation system using a social network. In IEEE International
Conference on Information Privacy, Security, Risk and Trust
(PASSAT), pages 816-825, 2010.
[31] K. Hollingsworth, K. Bowyer, and P. Flynn. The best bits in an iris
code. IEEE Transactions on Pattern Analysis and Machine
Intelligence, 31(6):964-973, June 2009.
[32] Y. Huang, D. Evans, J. Katz, and L. Malka. Faster secure two-party
computation using garbled circuits. In USENIX Security Symposium,

2011.
[33] Y. Huang, L. Malka, D. Evans, and J. Katz. Eƥcient privacy-
preserving biometric identi¿cation. In Network and Distributed System
Security Symposium (NDSS), 2011.
[34] Multiprecision Integer and Rational Arithmetic C/C++ Library.
http://www.shamus.ie/.
[35] Y. Ishai, J. Kilian, K. Nissim, and E. Petrank. Extending oblivious
tranfers eƥciently. In Advances in Cryptology - CRYPTO, pages 145-
161, 2003.
[36] A. Jain, S. Prabhakar, L. Hong, and S. Pankanti. Filterbank-based
¿ngerprint matching. IEEE Transactions on Image Processing,
9(5):846-859, 2000.
[37] T.-Y. Jea and V. Govindaraju. A minutia-based partial ¿ngerprint
recognition system. Pattern Recognition, 38(10):1672-1684, 2005.
[38] V. Kolesnikov and R. Kumaresan. Improved OT extension for
transferring short secrets. In CRYPTO, pages 54-70, 2013.
[39] V. Kolesnikov, A.-R. Sadeghi, and T. Schneider. Improved garbled
circuit building blocks and applications to auctions and computing
310 Chapter Nine
minima. In Cryptology and Network Security (CANS), pages 1-20,

2009.
[40] V. Kolesnikov and T. Schneider. Improved garbled circuit: Free
XOR gates and applications. In International Colloquium on
Automata, Languages and Programming (ICALP), pages 486-498,
2008.
[41] Y. Lindell and B. Pinkas. A proof of security of Yao's protocol for
two-party computation. Journal of Cryptology, 22(2):161-188, 2009.
[42] Y. Lindell, B. Pinkas, and N. Smart. Implementing two-party
computation eƥciently with security against malicious adversaries. In
Security and Cryptography for Networks (SCN), pages 2-20, 2008.
[43] Y. Luo, S.-C. Cheung, T. Pignata, R. Lazzeretti, and M. Barni. An
eƥcient protocol for private iris-code matching by means of garbled
circuits. In IEEE International Conference on Image Processing
(ICIP), pages 2653-2656, 2012.
[44] K. Nissim M. Freedman and B. Pinkas. Eƥcient private matching
and set intersection. In Advances in Cryptology - EUROCRYPT, pages
1-19, 2004.
[45] D. Malkhi, N. Nisan, B. Pinkas, and Y. Sella. Fairplay - a secure
two-party computation system. In USENIX Security Symposium, pages
287-302, 2004.
[46] D. Maltoni, D. Maio, A. Jain, and S. Prabhakar. Hanbook of
Fingerprint Recognition. Springer, second edition, 2009.

[47] M. Naor and B. Pinkas. Eƥcient oblivious transfer protocols. In
ACM-SIAM Symposium On Discrete Algorithms (SODA), pages 448-
457, 2001.
[48] U.S. DHS Oƥce of Biometric Identity Management.
http://www.dhs.gov/obim.
[49] M. Osadchy, B. Pinkas, A. Jarrous, and B. Moskovich. SCiFI - A
system for secure face identi¿cation. In IEEE Symposium on Security
and Privacy, pages 239-254, 2010.
[50] P. Paillier. Public-key cryptosystems based on composite degree
residuosity classes. In Advances in Cryptology - EUROCRYPT'99,
volume 1592 of LNCS, pages 223-238, 1999.
[51] B. Pinkas, T. Schneider, N. Smart, and S. Williams. Secure two-party
computation is practical. In Advances in Cryptology - ASIACRYPT,
volume 5912 of LNCS, pages 250-267, 2009.
[52] T. Rabin and M. Ben-Or. Veri¿able secret sharing and multiparty
protocols with honest majority. In ACM Symposium on Theory of
Computing (STOC), pages 73-85, 1989.
[53] A.-R. Sadeghi, T. Schneider, and I. Wehrenberg. Eƥcient privacy-
preserving face recognition. In International Conference on

Information Security and Cryptology (ICISC), pages 229-244, 2009.
[54] T. Schneider and M. Zohner. GMW vs. Yao? Eƥcient secure two-
party computation with low depth circuits. In Financial Cryptography
and Data Security, volume 7859 of LNCS, pages 275-292, 2013.
[55] S. Shahandashti, R. Safani-Naini, and P. Ogunbona. Private
¿ngerprint matching. In Australasian Conference on Information
Security and Privacy (ACISP), pages 426-433, 2012.
[56] The Corbett Report. India ¿ngerprints, iris scanning over one billion
people.
http://www.corbettreport.com/india-¿ngerprinting-iris-scanning-over-
one-billion-people/.
[57] UAE Iris Collection.
http://www.cl.cam.ac.uk/~jgd1000/UAEdeployment.pdf.
[58] C. Wang, M. Gavrilova, Y. Luo, and J. Rokne. An eƥcient algorithm
for ¿ngerprint matching. In International Conference on Pattern
Recognition (ICPR), pages 1034-1037, 2006.
[59] A. Yao. How to generate and exchange secrets. In IEEE Symposium
on Foundations of Computer Science (FOCS), pages 162-167, 1986.
[60] Y. Zhang, A. Steele, and M. Blanton. PICCO: A general-purpose
compiler for private distributed computation. In ACM Conference on
Computer and Communications Security (CCS), pages 813-826, 2013.
CHAPTER TEN
IDENTIFICATION OVER OUTSOURCED

BIOMETRIC DATA
JULIEN BRINGER,1,3 HERVÉ CHABANNE1,2,3

AND ALAIN PATEY1,2,3
1
MORPHO (SAFRAN GROUP)
2
TE´ LE´ COM PARISTECH
3
IDENTITY AND SECURITY ALLIANCE (THE MORPHO
AND TE´ LE´ COM PARISTECH RESEARCH CENTER)
Abstract
In this chapter, we describe several protocols for outsourcing biometric

data to an untrusted server while maintaining identification functionalities
without compromising confidentiality of the data or privacy of the
requests. To run identification requests without downloading the whole
database, we use a filtering process based on locality-sensitive hash
functions. To preserve privacy of the queries to the server, we describe
several cryptographic tools such as Searchable Encryption, Private
Information Retrieval and Oblivious RAM. In particular, the solution
using Oblivious RAM applied to iris recognition can be run efficiently on
large databases.
Keywords: Biometric Identification, Privacy, Searchable Encryption,

Private Information Retrieval, Oblivious RAM
1 Introduction
Cloud computing and biometric identification. Cloud computing offers
new interesting opportunities in the field of biometrics. A client holding a
biometric database can outsource it to the cloud and enjoy the availability
Identification Over Outsourced Biometric Data 313
and the elasticity of cloud facilities. Moreover, one could use the cloud to
compute over these biometric data, for instance for computing
authentications or 1-vs-N identifications.
As for any other data outsourcing, delegating biometric data storage
and identification to a cloud facility raises many security and privacy
problems [50, 32]. The sensitive nature of biometric data and
consequences of a biometric data server breach encourage taking special
precautions when outsourcing biometric data. In particular, we do not want
an untrusted server S to learn the biometric data stored.
Confidentiality vs usability. To preserve confidentiality of these data, one

can make use of encryption and not disclose decryption keys to the server.
However, especially when using encryption with the highest levels of
security (non- malleability/ciphertext-indistinguishability under chosen
ciphertext-attack [16]), it is not possible to compute over encrypted data
without decrypting them. Thus, if one wants to run identification requests
on the encrypted database, one has to download the entire database and
run identification protocols locally. This diminishes the interest of using
cloud storage.
It is however possible to use homomorphic cryptosystems [43] that
enable computing over encrypted data without the knowledge of the secret
keys. Using such schemes, client C could delegate computation to an
untrusted server S without impacting data confidentiality. Unfortunately,

efficient known cryptosystems only allow performing of certain types of
operations, usually additive operations [17,41,14]. Fully homomorphic
schemes that enable evaluation of every kind of operation on encrypted
data have been very recently introduced [19], but are not yet efficient
enough to be used in practice. For instance, homomorphically evaluating
the AES circuit (which is a much simpler functionality than biometric
identification) takes around 36 hours on a computer with large memory
[20].
To improve efficiency while preserving confidentiality, we suggest
using identification protocols that include a filtering process, i.e. protocols
that come in several phases where first filtering phases are used to select a
set of candidates on which to apply computationally demanding
identification operations in a second phase. In particular, we focus on
filtering (or indexing) using locality-sensitive hashing (LSH) [30]. LSH
functions are hash functions such that two points that are close for a given
metric have the same hash values with high probability. To enable
biometric filtering, a family of such hash functions is evaluated on
biometric data. When two data collide on several hash values, they are
314 Chapter Ten
candidates for matching. As an example, the case of IrisCodes [15] is

considered, using the Beacon Guided Search of Hao et al. [27] to define
LSH functions.
This technique is combined with specific encryption schemes that
allow for index or keyword-based research without having to decrypt data.
This is, for instance, the case using Symmetric Searchable Encryption
(SSE) [13] or Public-key Encryption with Keyword Search [5]. If we
combine these techniques with LSH functions, only the data with the
appropriate hash values are downloaded from the cloud during a 1-vs-N
identification. Notice that such cryptosystems usually also preserve
confidentiality of keywords, i.e. even indexing data are not disclosed to the
server.
Privacy. Data confidentiality is not the only concern when outsourcing a

biometric identification system to the cloud. Access patterns might leak
information on the data without revealing them. For instance, if the same
data block is accessed several times, it is likely that the same person is
authenticated or identified by the system. If the server obtains, only once,
the identity of the concerned user, the system will know whenever this
user uses the system again. This kind of information might be sensitive
and it is preferable to hide these access patterns.
Retrieving information from a server without revealing which data has
been accessed is a topic of interest in the cryptology community and can

be achieved using two main kinds of schemes: Computational Private
Information Retrieval (PIR) [11] is a technique based on public-key
encryption techniques that enable retrieval of data in a privacy-preserving
fashion, even if these data are not encrypted. The computation cost can be
quite high while the communication cost is often low. The other main
approach is Oblivious RAM (ORAM) [25], which is not based on specific
cryptographic techniques, but rather uses standard symmetric encryption
(e.g. AES) and relies on database organization techniques to prevent the
server from linking data accesses. The computation cost of ORAMs is
negligible while communication cost can be slightly higher than for PIRs.
Recent proposals of ORAM constructions make it usable in practice [48].
Organization of the Chapter. In this chapter, we describe several protocols

for biometric identification over encrypted data that combine filtering
techniques using LSH functions with the cryptographic techniques
described above. These protocols were introduced in [1, 7, 8, 9]. The
different combinations enable reaching of different levels of privacy, and
different application possibilities with different complexity levels. These
protocols are illustrated by an example involving IrisCodes [15] together

with a LSH family inspired by the Beacon Guided Search of Hao et al.
[27].
In Section 2, we describe the (non-private) identification process with

filtering using LSH functions, a process that underlies all the protocols
presented in this chapter and how it can be specifically instantiated in the
case of iris recognition. In Section 3, we present a model and a generic
construction for biometric identification over encrypted data. In Section 4,
we describe the protocols of [1, 7, 8, 9] that match our model and security
requirements using several cryptographic techniques. In Section 5, we
conclude by discussing some deployment issues.
2 Biometric Identification Using LSH functions

As discussed above, we need an efficient filtering or indexing solution to
improve the efficiency of biometric identification. We use a technique
called locality-sensitive hashing (LSH) that aims at recovering the nearest
neighbors of a point in a metric space. We then describe a solution by Hao
et al. [27] that introduces LSH functions that can be used in the case of iris
recognition.
2.1 Nearest Neighbor Problems

Let ࣪ be a set of points in a metric space (E, d). The Nearest Neighbor
(NN) problem is defined as follows:
Definition 1 (Nearest Neighbor Problem). Given a point‫ܧ א ݔ‬, find a

point ‫݌‬௫ ‫ ࣪ א‬such that
݀ሺ‫ݔ‬ǡ ‫݌‬௫ ሻ ൌ ݀ሺ‫ݔ‬ǡ ࣪ሻ ൌ ݀ሺ‫ݔ‬ǡ ‫݌‬ሻ

௣‫࣪א‬
This topic has many applications in information retrieval. Efficient

algorithms exist for searching for a solution in low-dimensional spaces
whereas this is not the case for large sets of points in high-dimensional
spaces [29]. The Approximate Nearest Neighbor (ANN) problem has been
introduced to overcome this issue, it is defined as follows:
316 Chapter Ten
Definition 2 (Approximate Nearest Neighbor Problem). Given a point

‫ ܧ א ݔ‬and߳ ൒ Ͳ, find a point ‫݌‬௫ ‫ ࣪ א‬such that
݀ሺ‫ݔ‬ǡ ‫݌‬௫ ሻ ൑ ሺͳ ൅ ߳ሻ ݀ሺ‫ݔ‬ǡ ‫݌‬ሻ

௣‫࣪א‬
2.2 Locality-Sensitive Hashing

Several algorithms have been proposed to solve the ANN problem [29]. In
some of them, the set of points ࣪ is preprocessed to create look-up tables
enabling an efficient search through exact matches. Specific functions are
selected and evaluated on the points; the tables are filled with the resulting
values. These functions should ensure that the evaluations on two close
inputs most probably return the same output.
Locality-Sensitive Hashing (LSH) is a generic definition given in [30]
for such functions. The basic idea is to map a point of an n-dimensional
space into a value of a m-dimensional space, with ‫ ا‬, following the
principles of hash functions. The main requirement is that a LSH function
gives, with a high probability, the same result on near points and different
results on distant points. Note that this is an important difference with the
notion of cryptographic hash functions, where a small variation on the
inputs should lead to unpredictable variations on hash values.
Definition 3 (Locality-Sensitive Hashing, [30]). Let ሺ‫ܧ‬ǡ ݀ሻ be a metric

space, ܷ be a set ‫ݎ‬ଵ ǡ ‫ݎ‬ଶ ‫ א‬Թ with ‫ݎ‬ଵ ൏ ‫ݎ‬ଶ ǡ ‫݌‬ଵ ǡ ‫݌‬ଶ ‫ א‬ሾͲǡͳሿ with ‫݌‬ଵ ൐ ‫݌‬ଶ . Let
࣢ ൌ ൛݄ଵ ǡ ǥ ǡ ݄ఓ ൟ be a family of functions ݄௜ ǣ ‫ ܧ‬՜ ܷ .
The family ࣢ is ሺ‫ݎ‬ଵ ǡ ‫ݎ‬ଶ ǡ ‫݌‬ଵ ǡ ‫݌‬ଶ ሻ െ if
ܲ‫ݎ‬ሾ݄௜ ሺ‫ݔ‬ሻ ൌ ݄௜ ሺ‫ ݔ‬ᇱ ሻȁ ݀ሺ‫ݔ‬ǡ ‫ ݔ‬ᇱ ሻ ൏ ‫ݎ‬ଵ ሿ ൐ ‫݌‬ଵ

‫݄׊‬௜ ‫࣢ א‬ǡ ‫ݔ‬ǡ ‫ ݔ‬ᇱ ‫ ܧ א‬൜
ܲ‫ݎ‬ሾ݄௜ ሺ‫ݔ‬ሻ ൌ ݄௜ ሺ‫ ݔ‬ᇱ ሻȁ ݀ሺ‫ݔ‬ǡ ‫ ݔ‬ᇱ ሻ ൐ ‫ݎ‬ଶ ሿ ൏ ‫݌‬ଶ
In practice, is a space with a smaller dimensionality than or a set of

quite small size. For instance, if is the -dimensional Hamming space,
then can be the -dimensional Hamming space, with ‫ ا‬.
A good example for constructing a LSH family, when is a vector
space, is to take random projections on small subspaces of [34, 33, 30,
2]. For instance, in [27], a LSH family of functions is described, mapping
binary vectors of ሼͲǡͳሽଶ଴ସ଼ to well-chosen 10-bit projections (see Section
2.4).
As seen in Definition 3, LSH functions are described as families of
hash functions and not single functions. Indeed, it is very difficult in
practice to find a single function satisfying the conditions of Definition 3

with a probability ‫݌‬ଵ close to 1, and a probability ‫݌‬ଶ close to 0. The idea is
to obtain families of sufficiently “independent” LSH functions, such that
the nearest neighbors of a point x are the points in ࣪ sharing the most
important number of common hash values with x, through a given family
of LSH functions.
With a LSH family ࣢ ൌ ሼ݄ଵ ǡ ǥ ǡ ݄ఓ ሽ, a generic algorithm to solve the
ANN or NN problems can be constructed as in Figure 1. The ANN
solution follows the ideas of previous paragraph; the point that shares the
highest number of hash values with is with good probability an
approximate neighbor of . The NN solution is a two-step algorithm; the
first step consists in selecting a set of potential nearest neighbors using
LSH functions while the second step consists in evaluating all the
distances between these candidates and x. Selecting the candidates is done
by fixing a threshold on the number of LSH values collisions. This
threshold should be set up according to a tradeoff between accuracy (the
lower the threshold the more chances to select the nearest neighbor among
the candidates) and efficiency (the higher the threshold the less distances
need to be computed).
Remark 1. In implementations, in order to reduce storage cost, we often

store a set of identifiers in the look-up tables where each identifier is
related to a point of ࣪.
2.3 Biometric Identification using LSH functions

Biometric data are captured by biometric sensors. We write ܾ ĸ ȕ to
indicate that when we are capturing the biometric trait ȕ of an user, we
obtain the value ܾ. As these captures are sensitive to variations, when a
second capture of the same biometric trait ȕ is made, we obtain a different
value ܾԢ ĸȕ, ܾԢ b.
In the following, for a given biometric trait ȕ, we consider two
particular captures ref , ܾsearch ĸ ȕ made at two different times. ref is the
biometric data which is captured during the enrollment of a given user in the
biometric system. This biometric data ref is stored to be used later as the
data to be compared with. ܾsearch corresponds to the “fresh” data that has to
be matched against the references in the system in order to identify users.
There are many matching algorithms in the literature depending on the
type of biometric data we are working with. The underlying performance
of the recognition inside the biometric system is directly related to these
algorithms.
318 Chapter Ten
Remark 2. In a biometric system, we would like to minimize at the same

time the False Acceptance Rate (FAR) and the False Rejection Rate (FRR)
that measure, respectively, the probability that an impostor is wrongly
identified and the probability that a genuine user is rejected [31, 35].
In this chapter, we make the hypothesis that the biometric data b are
represented as vectors in an n-dimensional metric vector space ሺ‫ܧ‬ǡ ݀ሻ, in
such a way that the following conditions hold:
Condition 1. Two different captures ܾ, ܾԢ from the same user ࣯ are, with
high probability, at a distance ݀ሺܾǡ ܾԢሻ ൑ ߣ௠௜௡ .
Condition 2. Captures ܾ1, ܾ2 of different users ࣯1, ࣯2 are, with high

probability, at a distance ݀ሺܾଵ ǡ ܾଶ ሻ ൐ ߣ௠௔௫ .
If ‫ ܧ‬is the ݊-dimensional Hamming space, ݀ሺǤ ǡ Ǥ ሻ counts the coordinates in

which two vectors differ. Conditions above say that there are good chances
that ܾǡ ܾԢ ĸ ȕ are represented by binary vectors that are close, i.e. with
many coordinates sharing the same value. On the other side, captures of
different users should not have particularly many in common, i.e. their
Hamming distance should be around ݊Ȁʹ.
Inputs: A metric space ሺ‫ܧ‬ǡ ݀ሻ, a set of points ࣪ ‫ܧ ؿ‬, a point ‫ܧ א ݔ‬, a
family of LSH functions ࣢ = {݄ଵ ǡ ǥ ǡ ݄ఓ } : E ĺ U , a threshold Ĳ ‫{ א‬1, . . .
, μ}.
Preprocessing
Let ܶଵ ǡ Ǥ Ǥ Ǥ ǡ ܶஜ be empty look-up tables with ܷ as input domain.
• For all ‫࣪ א ݌‬, do ܶ௜ ሾ݄௜ ሺ‫݌‬ሻሿ ՚ ሼ‫݌‬ሽ ‫ܶ ׫‬௜ ሾ݄௜ ሺ‫݌‬ሻሿ, for ͳ ൑ ݅ ൑ Ɋ.
Algorithm for solving the ANN problem
1. Compute ݄ଵ ሺ‫ݔ‬ሻǡ Ǥ Ǥ Ǥ ǡ ݄ஜ ሺ‫ݔ‬ሻ.

2. Retrieve sets of points ܶଵ ሾ݄ଵ ሺ‫ݔ‬ሻሿǡ Ǥ Ǥ Ǥ ǡ ܶஜ ሾ݄ஜ ሺ‫ݔ‬ሻሿ.
3. Let ݊௫ ሺ‫݌‬ሻ ൌ ͓ሼ݅ ‫ א‬ሼͳǡ Ǥ Ǥ Ǥ ǡ Ɋሽȁ‫ܶ א ݌‬௜ ሾ݄௜ ሺ‫ݔ‬ሻሿሽ, for all ‫࣪ א ݌‬.
4. Output ‫݌‬௫ such that ݊௫ ሺ‫݌‬௫ ሻ ൌ ݉ܽ‫ݔ‬௣‫א‬௉ ݊௫ ሺ‫݌‬ሻ.
Algorithm for solving the NN problem
1. Compute ݄ଵ ሺ‫ݔ‬ሻǡ Ǥ Ǥ Ǥ ǡ ݄ஜ ሺ‫ݔ‬ሻ.

2. Retrieve sets of points ܶଵ ሾ݄ଵ ሺ‫ݔ‬ሻሿǡ Ǥ Ǥ Ǥ ǡ ܶஜ ሾ݄ஜ ሺ‫ݔ‬ሻሿ.
3. Let ݊௫ ሺ‫݌‬ሻ ൌ ͓ሼ݅ ‫ א‬ሼͳǡ Ǥ Ǥ Ǥ ǡ Ɋሽȁ‫ܶ א ݌‬௜ ሾ݄௜ ሺ‫ݔ‬ሻሿሽ, for all ‫࣪ א ݌‬.
4. Compute ܵ௫ ൌ ሼ‫࣪ א ݌‬ȁ݊௫ ሺ‫݌‬ሻ ൒ ߬ሽ.
5. For all ‫ܵ א ݌‬௫ , compute ݀ሺ‫ݔ‬ǡ ‫݌‬ሻ.
6. Output ‫݌‬௫ such that ݀ሺ‫ݔ‬ǡ ‫݌‬௫ ሻ ൌ ݉݅݊௣‫א‬ௌೣ ݀ሺ‫ݔ‬ǡ ‫݌‬ሻ.
Figure 1. Generic algorithms for solving the ANN and NN problems using LSH
functions
We focus on an 1-vs-N identification problem in this setting that can be

summed as follows. Let us assume that a server ࣭ holds a database of
biometric templatesܾଵ ǡ ǥ ǡ ܾே and that a client holds a fresh biometric
acquisitionܾ௦௘௔௥௖௛ . The problem is to find ݅ ‫ א‬ሼͳǡ Ǥ Ǥ Ǥ ǡ ܰሽ such that
݀ሺܾ௦௘௔௥௖௛ ǡ ܾ௜ ሻ ൏ ߣ௠௜௡ , if such an element exists. The 1-vs-N identification
functionality is described in Figure 2.
Inputs
Common: vector space ሺ‫ܧ‬ǡ ݀ሻ for biometric data.
Server ࣭: ܾଵ ǡ ǥ ǡ ܾே ‫ܧ א‬.

Client ‫ܥ‬: ܾ௦௘௔௥௖௛ ‫ܧ א‬.
Output
݅Ǥ ݀ሺܾ௦௘௔௥௖௛ ǡ ܾ௜ ሻ ൏ ߣ௠௜௡ Ǣ
൜
‫׎‬
Figure 2. 1-vs-N Identification
Now let us assume that the vector space ‫ ܧ‬can be equipped with a LSH
family ࣢ ൌ ሺ݄ଵ ǡ ǥ ǡ ݄ఓ ሻ ‫ ܧ ׷‬՜ ܷ. The NN protocol described in Figure
1. can then be adapted to accelerate biometric identification. Indeed,
computing a few hash function evaluations and doing some look-ups can
be much more efficient than computing the distances between ܾ௦௘௔௥௖௛ and
all the ܾ௜ ‫ݏ‬. The enrollment procedure includes a preprocessing part and the
identification procedure is a direct application of the algorithm of Figure 1.
The thus obtained protocol is described in Figure 3. This generic protocol
is used in all secure solutions presented in Section 4.
320 Chapter Ten
Remark 3. The last step of the identification algorithm described in Figure

3. can be modified to use any possible identification protocol among the
candidates in set Sx. What is important is to use LSH functions in a
filtering process to select these candidates, and this is the part that is
adapted to a secure setting in Section 4.
Figure 3: A generic protocol for solving biometric enrollment and identification

using LSH functions
2.4 The case of IrisCodes

In this chapter, we use as an example the case of iris recognition using
IrisCodes [15]. Biometric templates can be represented as binary vectors.
A 256-byte (2048 bits) iris template, together with a 256-byte mask, is
computed from an iris image using the algorithm reported in [15]. The
mask filters out the unreliable bits, i.e. stores the erasure positions of the
iris template. The resulting template is called IrisCode.
Given an image of the eye, the first step of the encoding algorithm is to
find the part of the image that corresponds to the iris area between the
pupil-iris and the iris-sclera boundaries. Upon isolating the iris, its texture
is normalized using a rubber sheet model in which the iris image is
remapped from a Cartesian coordinate system to a polar coordinate system
regardless the iris size and the pupil dilation. After normalization, a set of
Gabor filters is applied on every direction and location of the normalized
and rectangular shaped iris image. Each computed Gabor phase value is
then coded into 2 bits, depending on its position on the trigonometric
circle.
The classical way to compare two IrisCodes relies on a weighted
Hamming distance (HD) computation between binary vectors: given
ܺ ൌ ሺ‫ݔ‬ଵ ǡ ǥ ǡ ‫ݔ‬ଶ଴ସ଼ ሻ, ܻ ൌ ሺ‫ݕ‬ଵ ǡ ǥ ǡ ‫ݕ‬ଶ଴ସ଼ ሻ, two 2048-bit representations of
irises and the associated Mask ‫ܯ‬ሺܺሻ ൌ ሺ݉ଵ ǡ ǥ ǡ ݉ଶ଴ସ଼ ሻ and ‫ܯ‬ሺܻሻ ൌ
ሺ݉ଵᇱ ǡ ǥ ǡ ݉ଶ଴ସ଼
ᇱ
ሻ, compute
ԡሺܺ۩ܻሻ‫ܯځ‬ሺܺሻ‫ܯځ‬ሺܻሻԡ
‫ܦܪ‬ሺܺǡ ܻሻ ൌ
ԡ‫ܯ‬ሺܺሻ‫ܯځ‬ሺܻሻԡ
(1)
σଶ଴ସ଼ ᇱ
௜ୀଵ ሺ‫ݔ‬௜ ْ ‫ݕ‬௜ ሻ ‫݉ ڄ‬௜ ‫݉ ڄ‬௜
ൌ
σଶ଴ସ଼
௜ୀଵ ݉௜ ‫݉ ڄ‬௜
ᇱ
for some rotations of the second template – to deal with the iris
orientation’s variation – and to keep the lowest distance.
For the LSH functions considered in our protocol, we use the beacon
guided search (BGS) algorithm introduced in [27]. The range of this LSH
family is the m = 10-dimensional Hamming space, and μ = 128 hash
functions are considered. Hashing simply consists in taking 10
uncorrelated bits of the IrisCodes. More details on the choice of these bits
can be found in [27].
Take IrisCodes with ݊ ൌ ʹͲͶͺ, μ = 128 and ݉ ൌ ͳͲ. Let
ߣ௠௜௡ =0.25·2048 = 512, ߣ௠௔௫ = 0.35·2048 = 716.8 be the values of
Conditions 1 and 2. If we consider that biometric acquisitions are
sufficiently independent and uniformly distributed, we can get estimations
322 Chapter Ten
on the characteristics of the LSH family.

The probability ‫݌‬ଵ to get the same hash value (10-bit projection) on
ఒ
two IrisCodes coming from the same user would be: ‫݌‬ଵ ൌ ሺͳ െ ೘೔೙ ሻଵ଴ ؄
ଶ଴ସ଼
ͲǤͲͷ͸. The probability ‫݌‬ଶ to obtain the same hash value on two IrisCodes
ఒ
coming from different users can be estimated as ‫݌‬ଶ ൌ ሺͳ െ ೘ೌೣሻଵ଴ ؄
ଶ଴ସ଼
ͲǤͲͳ͵.
Now consider the identification protocol of Figure 3. using IrisCodes
and LSH functions exposed in [27]. With a threshold ɒ ൌ Ͷ, the
probability to output ‫ ׎‬for a legitimate user registered in ࣞࣜ is
ఛ
ߤെͳ ௜
෍ቀ ቁ ‫݌‬ଵ ሺͳ െ ‫݌‬ଵ ሻఓିଵ ؄ ͲǤͲ͸͸
݅
௜ୀ଴
and the probability to output a non-empty answer for an impostor (i.e. a

person not enrolled in ࣞࣜ) is
ఛ
ߤെͳ ௜
෍ቀ ቁ ‫݌‬ଶ ሺͳ െ ‫݌‬ଶ ሻఓିଵ ؄ ͲǤͲͻͷ
݅
௜ୀ଴
Biometric Accuracy. These numbers are theoretical. The practical values

vary with the databases. For concrete numbers, we sum the biometric
performances of Beacon Guided Search given in [27].
The experiments of [27] were made on the UAE database containing
N=632, and 500 records. If an exhaustive search is used for identification
on this database, the number of matchings is about 300,000 and the False
Rejection Rate (FRR) is 0.32 %. If a Beacon Guided Search is used, with
one type of camera, and a threshold Ĳ = 3 (resp. Ĳ = 2 and Ĳ = 4), the
number of matchings to perform is l = 41 (resp. 1087 and 2), and FRR is
0.64 % (resp. 0.48 % and 0.96 %), while False Acceptance Rate (FAR) is
still 0. Using two types of camera and a threshold Ĳ = 3, in a noisier
setting, a Beacon Guided Search only requires l = 440 matchings for a
FRR equal to 0.55 % (with 3 references per user in the database), while an
exhaustive search gives an FRR of 1.32% (with one reference per user),
still with more than 300,000 matchings.
These numbers confirm that the biometric protocol that underlies our
secure constructions is relevant in terms of biometric accuracy, and leads
to very few candidates in the last step of the identification protocol, which
improves efficiency.
3 Identification over Outsourced Biometric Data

In this section, we exhibit the model for identification over outsourced
biometric data. In particular, we give a series of security requirements that
we expect from such constructions. We then describe a generic
construction, following the principles of the enrollment/identification
protocols of Figure 3, that will be instantiated using three different
cryptographic tools in Section 4.
3.1 Model and Security Requirements

Let us describe our model for identification over outsourced biometric
data. Three entities are involved; a sender Snd who wants to store
biometric and identity data, a server ܵ that stores the database ࣞࣜ sent by
the sender, and a receiver Rcv who may retrieve identification results or
biometric/identity data from the server. Depending on the setting, the
sender and the receiver could be distinct or the same person. The setting
where they are the same person is called the symmetric setting, and we
denote by ‫ ܥ‬the client playing both roles of Snd and Rcv. The setting
where Snd and Rcv are distinct is called the asymmetric setting.
Notice that sender/receiver and server do not exactly correspond to the
classical client and server of identification protocols. Here, the sender and
the receiver can be seen as service providers owning a biometric database,

while the server manages an outsourced storage/computation service (e.g.
S is a cloud provider). The people from which biometric data are acquired
are called users, and denoted by ࣯ or ࣯௜ .
Two main functionalities are dealt with by the constructions presented
in this chapter:
x Snd can run Enrollment (ܾ௜ ) to enrol a new person ࣯௜ into the
database. The Enrollment protocol is run in interaction with the
server.
x Rcv can run Identification (ܾ௦௘௔௥௖௛ ) to obtain an identification result
on ܾ௦௘௔௥௖௛ against the biometric data enrolled in the database. The
Identification protocol is run in interaction with the server.
Let us discuss security requirements of such a system. Protection against

external attacks is a classical issue. The system needs a secure
implementation and infrastructure to mitigate external threat like
eavesdropping, injection of malicious software, etc. For instance,
establishing a secure channel ensuring confidentiality and authenticity
324 Chapter Ten
during the communications between two distant components is important

but already well-known. Consequently, we here focus on the internal
threats, i.e., on what could be exploited by the server ܵ during an
Enrollment or an Identification protocol execution.
The system should return an accurate result for the identification
functionality. This leads to the two following requirements:
Requirement 1 (Completeness). If receiver Rcv runs an Identification

(ܾ௦௘௔௥௖௛ ), where ܾ௦௘௔௥௖௛ is acquired from an enrolled user ࣯௜ (say a
legitimate user), then the Rcv should output, except for a small probability,
an index referring either to the enrolled template of ࣯௜ or to his identifier
within the system.
Requirement 2 (Soundness). If receiver Rcv runs an Identification

(ܾ௦௘௔௥௖௛ ), where ܾ௦௘௔௥௖௛ is acquired from a non-enrolled user (say an
impostor), then the Rcv should output, except for a small probability, an
empty result.
For privacy issues, we want to ensure that the identification system is not
misused and that function creep (i.e. use for another purpose) is prevented.
This means in particular that a component should not be able to learn more
information than what is really needed for a correct result. For instance,
reference data, on the server’s side, should be handled in a protected form,

an enrollment query or an identification query should not reveal private
information to the server, and the receiver should not retrieve (too much)
information about the other data which are not related to the identification
query. This is summarized in the requirements below.
The next requirement thwarts the situation when an adversary has
recovered the content of the database and tries to gain some information.
Requirement 3 (Database Confidentiality). The data which are stored by

a server ܵ should reveal information neither on the identities of the
enrolled users nor on their biometric traits.
The next requirement corresponds to the case where an adversary, on the

server’s side, tries to detect whether a known biometric trait of a user is
being registered, or to find a link between the identities or the traits.
Requirement 4 (Enrollment Privacy). When executing enrollment queries,

a server ܵ should not be able to distinguish them.
The next requirement is the transposition of the previous one to the

identification phase as we do not want such an adversary to be able to
know which biometric data are looked for and which candidates are
retrieved. In particular, this prevents tracking a user through several
identifications.
Requirement 5 (Identification Privacy). When executing identification

queries, a server ܵ should not be able to learn information about the
content of the queries.
The last requirement applies to the receiver’s side. We do not want to let
an adversary learn more information from the result of an identification
query than needed. This is not mandatory for all applications, but seems to
be a nice objective for non-criminal implementations of biometric
identification systems:
Requirement 6 (Identification Proportionality (optional)). The data

retrieved by a receiver Rcv after executing an Identification (ܾ௦௘௔௥௖௛ )
query should not give information about the elements of the database that
are not close to ܾ௦௘௔௥௖௛ .
3.2 Generic Construction

In this section, we assume that we have a cryptographic tool that enables

doing write and read queries on a database, with some privacy properties.
Three possible instantiations of this tool are described in Section 4:
Searchable encryption, Private information retrieval/storage, and
Oblivious RAM. We assume that databases can be represented as tables
containing data blocks. The queries can be described as follows:
x The Receiver Rcv can run readDB(u) to obtain the content of a block
at address u in the database ࣞࣜ;
x The Sender Snd can run writeDB(u, b) to place data block b at
address u in the database ࣞࣜ.
We assume that we are in the setting of Figure 3., i.e., that biometric data
lie in an appropriate space E where a LSH family ࣢ ൌ ሼ݄ଵ ǡ ǥ ǡ ݄ఓ ሽ ‫ ׷‬՜
can be used in an identification protocol. For the sake of simplicity, we
assume that is the m-dimensional Hamming space, for some integer m.
We also assume that at most users can be enrolled in the database.
A server database is split into two parts. Biometric data of enrolled
326 Chapter Ten
users are stored in a database ࣞࣜ1. More precisely, user ࣯୧ ’s biometric

reference is stored at address i in ࣞࣜ1, together with identity information.
A database ࣞࣜ2 is used for preprocessing identification requests. The
range of the indices of the data blocks in ࣞࣜ2 should be ሼͳǡ Ǥ Ǥ Ǥ ǡɊሽ ൈ
ሼͲǡ ͳሽ୫ . Data blocks can be seen as the look-up tables of the algorithm
described in Figure 3.
We summarize generic Enrollment and Identification protocols in
Figure 4.
Figure 4: Generic constructions for Enrollment and Identification.
4 Secure Protocols for Identification over Outsourced

Encrypted Biometric Data
In this section, we describe three secure protocols following the heuristic of
Figure 4. based on searchable encryption [1], private information retrieval and
private information storage [7, 8], and oblivious RAM [9]. They all satisfy
security requirements defined in Section 3.1, but not in the same way. Thus,
they lead to different constructions that bring different levels of privacy and of
efficiency. Depending on the underlying cryptographic tools, they are more
dedicated either to the symmetric or the asymmetric setting.
4.1 Using Searchable Encryption

4.1.1 Introduction on Searchable Encryption
We here describe cryptographic primitives that provide a solution for

dealing with secure and exact searches. These primitives are Searchable
Encryption [13] and Public- Key Encryption with Keyword Search [5].
The main goal of these techniques is to store messages into an encrypted
database while still enabling a search for messages related to some
keywords. For instance, this could correspond to a remote mailing service
where the user wants to retrieve messages which contain a given keyword,
without letting the mail provider learn information on the content of the
user’s mails.
Three entities are involved; a sender Snd who wants to store data, a
server ܵ that stores the data sent by the server, and a receiver Rcv who may
retrieve part of the data detained by the server. Depending on the setting,
the sender and the receiver could be distinct persons or the same person
(client ‫)ܥ‬. In the latter case, the construction usually relies on symmetric
cryptography, whereas asymmetric cryptography is used in the first case.
The main functionalities are Send and Receive:
x Send(m, {Į1,…, Įl }, K) is a query run by Snd to store the message

m in an encrypted form on the server’s side. {Į1,…,Įl } correspond
to keywords associated to the message by the sender. The algorithm
Send also takes as input a key K that is used to derive, from m and
the keywords, the data that will actually be sent to the server.
x Receive(Į, K’) is a query run by Rcv, with inputs a keyword Į and a
key K’(possibly equal to K in the symmetric setting). The algorithm
interrogates the server to retrieve the messages for which Į is an
associated keyword.
328 Chapter Ten
The two main security properties that are associated with searchable
encryption schemes are sender privacy and receiver privacy. Namely,
sender privacy models the fact that the server should not learn information
about what is stored on the server’s side (this always includes
confidentiality of the messages, of the keywords and may encompass
indistinguishability of the queries as well, using asymmetric
cryptography). Receiver privacy corresponds to confidentiality of the
receiver’s queries: The server should not learn which data are retrieved
and, possibly, should also not distinguish queries. Depending on the level
of security, the scheme can prevent non-adaptive or adaptive attack
strategies. The scheme of Boneh et al. [6] achieves the highest known
level of security (indistinguishability against adaptive adversaries) owing
to the use of Private Information Retrieval (PIR) [18] techniques. A PIR
protocol enables the retrieval of a specific block from a database, without
allowing the database to learn anything about the query (see Section
4.2.3).
The general principle, in particular in [6, 13], to construct these
primitives, is to consider each sent keyword as a virtual address where the
receiver can recover a link toward the associated messages. To do so
without increasing too much memory cost, several works [6, 23, 3] rely on
Bloom filters (see Section 4.2.1 for more details on Bloom filters).
4.1.2 The Protocol for SSE-based Biometric Identification
In [1], a protocol is described, combining LSH and Symmetric Searchable

Encryption (SSE) (in particular the scheme of [13]) for biometric
identification. When looking at Figure 4., the scheme of Adjedj et al. [1]
focuses on the interactions with ࣞࣜ2 (i.e. Step 2 of Enrollment and Steps 1
to 4 of Identification). The generic construction described in Figure 4. is
described in using PIR/ORAM-like instructions. Let us sum up the
instantiation with SSE using a more dedicated description:
Initialization. Client ‫ ܥ‬and Server ܵ set up a SSE architecture, where

client ‫ ܥ‬holds the secret key K, server ܵ stores the encrypted data,
the set of keywords is [1, μ] × {0, 1}m.
Enrollment (ܾ௜ ). Let IDi,1,…, IDi,μ be identifiers for user ࣯i. Client runs
Send(IDi,j, {j||hj(bi)}, K), for j = 1,…,μ. Thus, the identifiers of user
࣯i are stored with the LSH values of its biometric data ܾ௜ as
keywords.
Identification ሺܾ௦௘௔௥௖௛ ). For j = 1,…, μ, client ‫ ܥ‬runs Tj =
Receive(j||hj(ሺܾ௦௘௔௥௖௛ ), K). Let nx(u) = #{j 䳲 {1,…,μ}|IDu,j 䳲 Tj},
for all bu䳲ࣞࣜ. Compute Sx = {u 䳲ࣞࣜ|nx(u) Ĳ }.
We do not mention interactions with ࣞࣜ1. This database does not need to
be equipped with a SSE functionality. Depending on the level of privacy
that one wants to obtain, ࣞࣜ1 can be simple (encrypted) database or can be
associated to a Private Information Retrieval protocol (see Section 4.2).
For some functionalities, outputting Sx can also be sufficient. The protocol
using SSE is summed up in Figures 5. and 6.
The benefit of symmetric searchable encryption compared to
asymmetric schemes concerns complexity; computation cost at the
database’s side is much lower.
When data are organized as look-up tables, a search can be made in
constant time and only μ searches (one per keyword j||hj ሺܾ௦௘௔௥௖௛ ).) are
needed for an identification query.
Figure 5. Enrollment(bi) using Symmetric Searchable Encryption
330 Chapter Ten
Figure 6. Identification(b) using Symmetric Searchable Encryption
4.1.3 Complexity
Complexity of the protocol based on SSE is directly linked to the

underlying SSE scheme. The proposal of [1] is instantiated using the [13]
SSE scheme. The computational work on the server’s side consists mainly
of look-ups and is negligible. Regarding the work on the client’s side,
during an Enrollment execution, ‫ ܥ‬has to perform μ (symmetric)
encryptions. During an Identification execution, ‫ ܥ‬has to perform μ ¨
(symmetric) decryptions, where ¨ is the maximum number of biometric
data sharing the same hash value, over the whole database and all hash
values. Communication complexity is approximately equal to μā¨ālog2(N)
bits.
4.1.4 Adaptation to the Asymmetric Setting
We described the protocol using symmetric searchable encryption.

However, there exists an asymmetric version of searchable encryption,
called public-key encryption with keyword search [5]. In this asymmetric

setting, Bob can send an encrypted message to Alice, with keyword search
facilities, using the public key of Alice, while it requires the secret key of
Alice to run these keyword search queries.
In our biometric identification setting, this means that the sender Snd
(the entity in charge for enrollment) and the receiver Rcv (the entity in
charge for identification) can be separated entities. This separation of roles
can help cover more functionalities. The protocol described above can
easily be adapted to this asymmetric setting. If K is the public key of Rcv
(used by Snd to encrypt) and Ԣis the secret key of Rcv (used by Rcv to
decrypt), it suffices to replace with Ԣ in the Identification description.
4.2 Using Bloom Filters and Private Information Retrieval

4.2.1 Bloom Filters
Bloom filter [4] is a notion used in membership checking applications to

reduce the memory cost of the data storage. As LSH functions, Bloom
filters are based on a family of (non-cryptographic) hash functions.
Additionally, an array is used to check set membership. Bloom filters are
formally defined as follows:
Definition 4 (Bloom Filter, [4]). Let ࣪ be a finite subset of a set E, ࣢Ԣ be

a family of Ȟ (independent and random) hash functions ࣢Ԣ ൌ ሼ݄ଵᇱ ǡ ǥ ǡ ݄୴ᇱ ሽ
with ᇱ୨ : E ĺ {1, . . . ,M}. A (Ȟ, M)-Bloom filter representing ࣪ is ࣢Ԣ,
together with an array T = (t1, . . . , tM )䳲{0,1}M, defined as:
ͳ‫ א ׌‬ሼͳǡ ǥ ǡ ሽǡ ‫࣪ א‬Ǥ ᇱ୧ ሺሻ ൌ Ƚ

஑ ൌ ൜
Ͳ‫݁ݏ݅ݓݎ݄݁ݐ݋‬
A Bloom filter enables compression of the representation of a dataset by

introducing the possibility for some false positive to happen. When a point
is added to ࣪, the array is updated by setting to 1 all position
ሺ‫ݐ‬௛ᇲ ሺ௫ሻ ሻ௝ୀଵǡǥǡ௩ . Testing if an element ‫ ݔ‬in ࣪ is made by verifying that
ೕ
‫ݐ‬௛ᇲ ሺ௫ሻ ൌ ͳ for all ݆ ൌ ͳǡ ǥ ‫ݒ‬Ǥ So, there is no false negative and the
ೕ
௩
௩ ȁ࣪ȁ
probability for a false positive to happen is ൬ͳ െ ቀͳ െ ቁ ൰ , if hash
୑
functions and points in ࣪ are independently randomly chosen.
An extension of this notion called Bloom filters with storage (BFS) [6]
332 Chapter Ten
enables the storage of an identifier of the related elements in each array:
Definition 5 (Bloom Filter with Storage, [6]). Let ࣪ be a finite subset of a

set E, ࣢Ԣbe a family of Ȟ hash functions ࣢ ᇱ ൌ ሼଵᇱ ǡ ǥ ǡ ᇱ୴ ሽǣ ՜
ሼͳǡ ǥ ǡ ሽǡ be a set of tags associated to P with a tagging function ȥ: ࣪
ĺ V . A (ɋ, M)-Bloom Filter with Storage is ࣢Ԣ, together with an array
(T1,…, TM ) of subsets of V , called buckets, iteratively defined as:
1. 䳪䳲 {1,…, M}, Ti ĸ ‫׎‬,

2. 䳪䳲 ࣪, 䳪䳲 {1, . . . , Ȟ}, update the bucket TĮ with TĮ ĸ TĮ䴔ȥ(y),
where Į = ݄௝ᇱ (y).
In other words, the bucket structure is empty at first, and, for each element
‫ ࣪ א ݕ‬to be indexed, we add to the bucket TĮ the tag associated to ‫ݕ‬. This
construction enables the retrieval of a tag ȥ(y) associated to an element
‫ ࣪ א ݕ‬by computing ‫ځ‬௩௝ୀଵ ܶ௛ᇲ ሺ௬ሻ .This intersection may capture
ೕ
inappropriate tags, but the choice of relevant hash functions and increasing
their number enables the reduction of the probability of that event. These
properties are summed up in the following lemma.
Lemma 1 ([4]). Let ሺ࣢Ԣǡ ܶଵ ǡ Ǥ Ǥ Ǥ ǡ ܶெ ሻ be a ሺߥǡ ‫ܯ‬ሻ-Bloom filter with

storage indexing a set ࣪ with tags from a tag set . Then, for ‫࣪ א ݕ‬, the
following properties hold:

௩
x ߰ሺ‫ݕ‬ሻ ‫ܶ א‬ሺ‫ݕ‬ሻ ൌ ‫ځ‬௝ୀଵ ܶ௛ᇲ ሺ௬ሻ , i.e the tags of ‫ ݕ‬are retrieved.
ೕ
The probability for a false positive ‫ ܸ א ݐ‬is ሾ‫ܶ א ݐ‬ሺ‫ݕ‬ሻܽ݊݀‫് ݐ‬
௩
௩ ȁ࣪ȁ
߰ሺ‫ݕ‬ሻሿ ൬ͳ െ ቀͳ െ ቁ ൰ .
୑
4.2.2 Combining BFS and LSH
We want to apply Bloom filters to data that are very likely to vary, like
biometric data. The following section shows how to apply LSH families as
inputs to Bloom filters.
We choose Ɋ hash functions from an adequate LSH family ࣢ ൌ
ሺ݄ଵ ǡ Ǥ Ǥ Ǥ ǡ ݄ஜ ሻ:
‫ ܧ‬՜ ሼͲǡͳሽ௠ . And hash functions dedicated to a Bloom filter with
Storage ࣢ ᇱ ൌ ൫݄௝ᇱ ǡ ǥ ǡ ݄௩ᇱ ൯ǣ ሼͳǡ ǥ ǡ ߤሽ ൈ ሼͲǡͳሽ௠ ՜ ሼͳǡ ǥ ǡ ‫ܯ‬ሽ. To obtain a
BFS with locality-sensitive functionality, we use a ρ ൈ composite hash
function by combining both families.
௖
We denote by ݄ሺ௝ǡ௜ሻ ‫ ܧ ׷‬՜ ሼͳǡ ǥ ǡ ‫ܯ‬ሽ the corresponding composite
௖
functions (ܿ stands for composite) with ݄ሺ௝ǡ௜ሻ ሺ‫ݕ‬ሻ ൌ ݄௝ᇱ ሺ݅ǡ ݄௜ ሺ‫ݕ‬ሻሻ. Let
ୡ ௖
࣢ ൌ ሼ݄ሺ௜ǡ௝ሻ ǡ ሺ݆ǡ ݅ሻ ‫ א‬ሼͳǡ ǥ ǡ ‫ݒ‬ሽ ൈ ሼͳǡ ǥ ǡ ߤሽሽ be the set of all these
functions.
To sum up, we modify the update of the buckets in Definition 5 by
setting Ƚ ൌ ݄௝ᇱ ሺ݄௜ ሺ‫ݕ‬ሻǡ ݅ሻ. Later on, to recover the tag related to an
approximate query ‫ݔ‬Ԣ ‫ܤ א‬, all we have to consider is
ఓ
ܾ݅݃ܿܽ‫݌‬௝ୀଵ ‫ځ‬௩௝ୀଵ ܶ௛ᇲ ሺ௛೔ ൫௫ᇲ ൯ǡ௜ሻ (or, at least, the items appearing in more than
ೕ
ɒ tables ܶ௛ᇲ ሺ௛೔ ൫௫ᇲ ൯ǡ௜ሻ , where ɒ is a fixed threshold). Indeed, if ‫ ݔ‬and ‫ݔ‬Ԣ are
ೕ
close enough, then the LSD function outputs the same result on ‫ ݔ‬and ‫ݔ‬Ԣ;
we thus build a Bloom filter with storage that has the LSH property. This
property is numerically estimated in the following lemma:
Lemma 2 ([8]). Let ࣢ ൌ ሺଵ ǡ Ǥ Ǥ Ǥ ǡ ஜ ሻ be a (Ȝmin, Ȝmax, ߳ଵ ǡ ߳ଶ )-LSH family

from ‫ ܤ‬to ሼͲǡͳሽ௠ . Let ࣢ ᇱ ൌ ሺ݄ଵᇱ ǡ ǥ ǡ ݄௩ᇱ ሻ be a family of pseudo-random
hash function from ሾͲǡͳሽ௠ ൈ ሼͳǡ ǥ ǡ ߤሽ to ሼͳǡ ǥ ǡ ‫ܯ‬ሽ. Let ࣢ ௖ be the family
௖
of composite function ሼ݄ሺ௝ǡ௜ሻ ǣ ‫ ܧ‬՜ ሼͳǡ ǥ ǡ ‫ܯ‬ሽǡ ሺ݆ǡ ݅ሻ ‫ א‬ሼͳǡ ǥ ǡ ‫ݒ‬ሽ ൈ ሼͳǡ ǥ ǡ ߤሽሽ.
The following properties stand:
1. If two points ‫ ݔ‬and ‫ݔ‬Ԣ are far enough apart, then except with a small
probability, ߰ሺ‫ݔ‬Ԣሻ does not intersect all the buckets that index ‫ݔ‬, i.e.
‫ܧ א ݔ׊‬ǡ ܲ‫ ݎ‬൥߰ሺ‫ ݔ‬ᇱ ሻ ‫א‬ ‫ܶ ת‬௛೎ ሺ௫ሻ ‫݀ٿ‬ሺ‫ݔ‬ǡ ‫ ݔ‬ᇱ ሻ ൒ ߣ௠௔௫ ൩

ᇱ
‫ܧא ݔ‬ ݄ ‫࣢ א‬ౙ௖
௖
ͳ ȁ࣢ ȁ
൑ ൬߳ଶ ൅ ሺͳ െ ߳ଶ ሻ ൰
‫ܯ‬
2. If two points x and ‫ݔ‬Ԣ are close enough, then except with a small
probability,
߰ሺ‫ݔ‬Ԣሻ is in all the buckets that index ‫ݔ‬, i.e.
‫ܧ א ݔ׊‬ǡ ܲ‫ ݎ‬൥߰ሺ‫ ݔ‬ᇱ ሻ ‫א‬ ‫ܶ ת‬௛೎ ሺ௫ሻ ‫݀ٿ‬ሺ‫ݔ‬ǡ ‫ ݔ‬ᇱ ሻ ൒ ߣ௠௜௡ ൩

ᇱ
‫ܧא ݔ‬ ݄ ‫א‬ౙ ࣢ ௖
௖
ȁ࣢ ȁ
൑ ൫ͳ െ ሺͳ െ Ԗଶ ሻ൯
4.2.3 Private Information Retrieval and Private Information Storage
Private Information Retrieval. Private Information Retrieval (PIR, [12])

is a primitive that enables privacy-preserving queries in databases. Its goal
is to retrieve specific information from a remote server ࣭ in such a way
334 Chapter Ten
that ࣭ does not know which data was read. This is done through a method
ࣞࣜ ሺ‫ݑ‬ሻ, that allows the client ‫ ܥ‬to recover the element stored at index
‫ ݑ‬in ࣞࣜ by running a PIR protocol.
Suppose a database ࣞࣜ is constituted with M blocks ܺ ൌ ‫ݔ‬ଵ ǡ Ǥ Ǥ Ǥ ǡ ‫ݔ‬ெ .
To be secure, the protocol should satisfy the following properties [22]:
• Soundness: When the user and the database follow the protocol, the
result of the request is exactly the requested block.
• User Privacy: For all ൌ ‫ݔ‬ଵ ǡ Ǥ Ǥ Ǥ ǡ ‫ݔ‬ெ , for ͳ ൑ ݅ǡ ݆ ൑ ‫ ܯ‬, for any
algorithm used by the database, it cannot distinguish, with a non-
negligible probability, between a read request on index ݅ and a read
request on index ݆.
Among known constructions of computationally-secure PIR, block-based

PIR – i.e. working on block of bits – allows the efficient reduction of the
cost. The best performances are from Gentry and Ramzan [21] and Lipmaa
[36] with a communication complexity polynomial in the logarithm of M.
Surveys on the subject are available in [18, 40].
Some PIR protocols are called Symmetric Private Information
Retrieval (or oblivious transfer), when they comply with the Data Privacy
requirement [22]. This condition states that client cannot learn more
information about ࣞࣜ than the blocks that queried.
Private Information Storage (PIS) Protocols. PIR protocols enable the

retrieval of information from a database. A Private Information Storage
(PIS) (or PIR-writing) protocol [40] is a protocol that enables the writing
of information in a database with properties that are similar to those of
PIR. The goal is to prevent the database from knowing the content of the
information that is being stored and the index where it is stored; for a
detailed description of such protocols, see [6, 39].
A PIS protocol provides a method writeሺǡ ሻ, that takes as input an
element b and a database index u, and puts the value b into the database
entry ‫ݑ‬. To be secure, the protocol must also satisfy the Soundness and
User Privacy properties, meaning that
1. the writeሺ‫ݑ‬ǡ ܾሻ algorithm does update the database with the

appropriate value at appropriate index ;
2. no algorithm run by ࣭can distinguish between write(ui, bi) and
write(uj ,bj), for any values bi, bj and indices ui, uj.
4.2.4 The Protocol for PIR-based Biometric Identification
The protocol described in [7, 8] is an adaptation of the generic protocol

described in Figure 4., replacing the LSH family ࣢ with the composite
hash family ࣢ ୡ and using compatible PIR and PIS protocols for read and
write queries. This protocol can be deployed in both symmetric and
asymmetric settings. PIS protocols can be, for instance, constructed based
on homomorphic encryption techniques [37]. In this case, Snd is given the
public encryption key, while Rcv is given the secret decryption key. The
protocol using PIR/PIS and Bloom filters is summed up in Figures 7. and
8.
This protocol is introduced in [7] as an error-tolerant searchable
encryption scheme, i.e., an encryption scheme that enables a user to search
messages with keywords that might contain small errors.
In [7], the cost of an identification query is estimated. The main effort
resides on the database side to answer to the PIR queries; Indeed, the
computation cost of the database for answering to a PIR query is linear in
the size of the database. For one identification query, Ɋ ൈ ɋ PIR queries
are executed (Ȟ per keyword i||hi(ሺܾ௦௘௔௥௖௛ ),).
Notice that it is possible to instantiate this protocol using LSH
functions only (without Bloom filters) as in the generic construction
described in Figure 4.
4.2.5 Security Properties
All the identifiers are stored encrypted, ensuring Database Confidentiality.

Enrollment uses Private Information Storage (PIS) protocols. Owing to
PIS User Privacy properties, the protocol achieves Enrollment Privacy.
Moreover, the identification query is based on a PIR query to retrieve the
information, which leads to Identification Privacy. Finally, PIS and PIR
security properties hold against an adaptive adversary, as does the
identification protocol. We summarize the security results given in [8],
showing that this construction faithfully achieves the security requirements
we defined in Section 3.1.
336 Chapter Ten
Figure 7: Enrollment(bi) using PIR and Bloom filters

Figure 8: Identification(b) using PIR and Bloom filters
Proposition 1 (Completeness). Provided that ࣢ is a (Ȝmin, Ȝmax, ߳ଵ , ߳ଶ )-

LSH family, for a negligible ߳ଵ , this scheme is complete.
Proposition 2 (ࣕ-Soundness). Provided that ࣢ is a (Ȝmin, Ȝmax, ߳ଵ , ߳ଶ )-

LSH family from E to {0, 1}m, and provided that the Bloom filter functions
࣢Ԣ behave like psuedo-random function from
ሼͳǡ ǥ ǡ ‫ݑ‬ሽ ൈ ሼͲǡͳሽ௠ ‫݋ݐ‬ሼͳǡ ǥ ǡ Ǥ ‫ܯ‬ሽ then the scheme is ߳-sound, with:
೎ȁ
ͳ ȁ࣢
߳ ൌ ൬߳ଶ ൅ ሺͳ െ ߳ଶ ሻ ൰
݉
Propositions 1 and 2 are direct consequences of Lemma 2.
Remark 4. Proposition 2 assumes that the Bloom filter hash functions are
pseudo-random; this hypothesis is quite standard for a Bloom filter
analysis. It can be achieved by using cryptographic hash functions with a
random oracle-like behaviour.
Proposition 3 (Enrollment Privacy). Assume that the PIS protocol

achieves User Privacy, then the scheme ensures Enrollment Privacy.
Proposition 4 (Identification Privacy). Assume that the PIR protocol

ensures User Privacy, then the scheme ensures Identification Privacy.
The proofs appear in [7, 8].
4.2.6 Asymmetric Identification Protocol with Identification

Proportionality
In [8], the scheme above has been extended to achieve Identification

Proportionality. The issue with the previous scheme is that, among the
results of the μ × Ȟ PIR queries – which are intersected and analyzed to
select the candidates, each result taken independently reveals more
information than what is necessary to construct the list of candidates.
For instance, it can give information on the similarity between users, even
if they are not sufficiently close to be identified as a same user. To reach the
Identification Proportionality requirement, the scheme from [7] is modified to
enable the identification service to obtain information only when an identifier
appears more times than a fixed threshold in the different queries. This is
made possible owing to specific secret sharing techniques where the basic
goal is to split a secret s into n re-randomisable parts [45, 28].
338 Chapter Ten
4.3 Using Oblivious RAM

An alternative to Private Information Retrieval, to retrieve data from a
database while preserving query privacy, is Oblivious RAM. This
primitive, based on symmetric cryptography and relying on database
organisation techniques, can be more efficiently implemented than PIR,
and relies on public-key cryptography.
4.3.1 Oblivious RAM
Oblivious RAM (ORAM) was introduced by Goldreich and Ostrovsky

[24, 38, 25], originally as a way to prevent from learning about a program
from its execution. With recent trends of outsourced storage and
computation, use of ORAM has been suggested for applications in
privacy-preserving remote storage access. ORAM has received a lot of
attention (e.g. [42, 52]), but a proposal for a “practical” ORAM has only
recently been proposed by Stefanov et al. [48].
The Model. We consider a client ࣝ who stores data on a remote untrusted

server ܵ. The data of client ࣝ consist of N blocks of size B bytes (N is
called the ORAM capacity). The blocks are encrypted in order to preserve
their confidentiality, and are organized in a specific way so to preserve
client privacy.
Client ࣝ can make two kinds of requests:
x a read request on a specified block u;
x a write request of a B bytes data on a specified block u.
These requests are compiled by the ORAM construction into instructions

for construction into instructions for ܵ on ࣝԢ‫ ݏ‬real storage that preserves
privacy of the original requests.
Contrary to Private Information Retrieval/Storage, ORAM
constructions do not ask for computation on the server’s side. Here, a
server ܵis only a storage provider and executes read and write queries. To
preserve privacy, a database is slightly reorganized (i.e. some data blocks
are moved at the request of ࣝ) after each read or write query, so that
querying the same data twice does not result in reading the same blocks.
An easy-to-understand ORAM construction is Path-ORAM [49],
where the database is seen as a binary tree. Each data block is assigned a
leaf of the tree and is located somewhere on the path from the root to this
leaf. When ࣝ wants to read a block, ࣝqueries the whole path to the
corresponding leaf, retrieves the block and assigns a new leaf to this block.
The path to the first leaf is then fully re-written, while placing the data
block somewhere in the intersection with the path to the second leaf.
To preserve confidentiality, all data are encrypted by client ࣝ using a
symmetric encryption scheme (e.g. AES). The computational cost for ࣝ to
encrypt/decrypt/re-encrypt data blocks thus remains very low, compared to
the use of public-key cryptography.
Security Definition. The security definition of ORAM ensures data

confidentiality and privacy of data accesses. In particular, the protocol
should not reveal which data is accessed, how old it is, whether the same
data has been accessed in two requests or whether the access is a read or a
write. Let us give a more formal definition.
Let (op, u, data) denote an ORAM request, that is either read(u) or
write(u, data), where op = read or write, u denotes the block that is being
read or written and data is the data being written. If y = ((op1, u1,
data1),…,(opM, uM, dataM)) denotes a sequence of ORAM requests, let
A(y) denote the sequence of real accesses to the remote server generated
from y by the ORAM construction.
Definition 6 (Security of Oblivious RAM). An ORAM construction is said

to be secure if, for any two sequences of ORAM requests y and z of the
same length, their access patterns A(y) and A(z) are computationally
indistinguishable by anyone but client ࣝ.
Notice that this definition is close to Requirement 4 and Requirement 5,

which state that enrollment and identification queries should not reveal
their actual content to the server.
Also notice that, contrary to Searchable Encryption or PIR/PIS, server
࣭ is not able to distinguish if client ࣝ is running a read or a write request.
The Oblivious RAM of Stefanov et al. In their proposal [48], Stefanov et

al. introduce a new ORAM protocol that is intended to be used in practice.
In particular, they aim at efficiency in bandwidth consumption. They
assume that the client has relatively small storage capacities (max. a few
gigabytes) and that the server can store terabytes of data.
To improve performance, the server storage is divided into
ξܰORAM’s. For each of these ORAM’s, the client keeps a small amount
of data. Furthermore, the client stores information about the positions of
all blocks in the server storage. This is practical as long as the block size is
bigger than log(N). More details can be found in [48].
For practical parametrisations (an ORAM capacity between 64 GB and
340 Chapter Ten
1024TB), the server stores less than 4N blocks, and the client has to store
less than 0.3% of the ORAM capacity (this proportion decreases when the
ORAM capacity increases). The practical performance, measured as the
ratio between the bandwidth consumptions of an ORAM request and of a
request on a remote database without privacy, is between 20 and 35.
Moreover, Stefanov et al. prove that their construction leads to a secure
ORAM, following the model of Definition 6.
4.3.2 The Protocol for ORAM-based identification
The protocol of [9] also follows the generic construction of Figure 4. in the
symmetric setting. Both databases ࣞ‫ܤ‬ଵ and ࣞ‫ܤ‬ଶ are equipped with ORAM
functionalities. As in the previous construction, elements in ࣞ‫ܤ‬ଵ
(biometric and identity data) are indexed by user identifiers, while
elements in ࣞ‫ܤ‬ଶ (identification pre-processing) are indexed by hash
values. The protocol using ORAM is summed up in Figures 9. and 10.
Figure 9: Enrollment(bi) using Oblivious RAM
Privacy. According to Definition 6, server ࣭ is unable to distinguish

between two access sequences (to the same ORAM) if these sequences
have the same length. Consequently, server ࣭ can distinguish between an
Enrollment and an Identification query.
However, every Enrollment query leads to one write query to ࣞ‫ܤ‬ଵ and
μ read and μ write queries to ࣞ‫ܤ‬ଶ . Consequently, the number of queries
during an Enrollment query is constant and ࣭ cannot distinguish between
two Enrollment queries and the protocol using ORAM satisfies
Requirement 4.
To satisfy Requirement 5, the number l of candidates during the
identification process has to be constant. To enforce this condition, it
becomes sufficient to find a (heuristic) maximal boundary lmax and making,
at every identification, the l read requests described above, then lmax í l
read requests on random items of the database. At the price of a small loss
of accuracy, the constant number of read calls can be a smaller Ȝ < lmax to
gain in efficiency. In this case, if l > Ȝ, ࣝ only executes read requests on
the l items that have the most appearances in the blockj ’s computed at step
1 of the identification protocol.
Such an approach was considered in [10] where a secure identification
protocol is proposed with a filtering process where the number of
candidates has to be constant so to preserve privacy. Their filtering
process, adapted to the iris case, but slightly different from the Beacon
Guided Search of [27], does not degrade much identification results [10,
Section 5.2].
If the value of l is not considered to be sensitive, it becomes sufficient
to follow the protocol described in Figure 4., and without modifications.
342 Chapter Ten
Figure 10: Identification(b) using Oblivious RAM
4.3.3 Complexity
Complexity of the protocol based on ORAM is quite similar to the

complexity of the protocol based on SSE. The computational work on the
server’s side is negligible. Let PN be the practical performance of the
underlying ORAM for N data blocks (i.e. the ratio between bandwidth
consumption of an ORAM query and of a non-private query, 20 PN 35
for the [48] scheme). On the client’s side, during an Enrollment execution ࣝ
has to perform ߤ ȉ ܲఓ௫ଶ೘ symmetric operations (encryptions/decryptions).
During an Identification execution, ࣝ has to perform ߤ ȉ ܲఓ௫ଶ೘ ൅ ݈ ȉ ܲே
symmetric operations, where l is the number of candidates.
Communication complexity for identification is approximately equal to
ߤ ȉ ο ȉ ݈‫݃݋‬ଶ ሺܰሻ ȉ ܲఓ௫ଶ೘ ൅ ݈ ȉ ܲே ȉ ‫ ܤ‬bits, where ¨ is the maximum number
of biometric data sharing the same hash value, over the whole database
and all hash values and B is the size of a biometric data.
4.3.4 Experimental Results
We summarize the implementation results given by Bringer et al. [9]. For

the implementation of the ORAMs, they used the C# Oblivious RAM
library [46] that implements the ORAM of [48].
The parameters chosen for their implementation were the ones of
IrisCodes and the LSH functions are the beacon indices introduced in [27]
(see Section 2.4). The range of the LSH family is the m = 10-dimensional
Hamming space, and μ = 128 hash functions are considered.
Accesses to ࣞ‫ܤ‬ଵ . ࣞ‫ܤ‬ଵ contains the (encrypted) biometric data. With the
notations of Section 3.2, N blocks of 512 bytes (IrisCodes with masks) are
stored in ࣞ‫ܤ‬ଵ . (Notice that identity information could also be added.) The
performances of the first ORAM consequently only depend on N. Server ࣭
needs to store about 4 times the size of the actual database (i.e. 4N blocks
of 512 bytes), while the storage required by client ‫ ܥ‬decreases with N,
reaching about 1% of the actual database size for a few thousand enrolled
users. Reading or writing in the ࣞ‫ܤ‬ଵ database requires less than 1 ms of
computational time.
Accesses to ࣞ‫ܤ‬ଶ . Regarding ࣞ‫ܤ‬ଶ , the number of blocks is constant.

Indeed, the blocks are indexed by the 2m = 210 possible outcomes of the μ
= 128 = 27 LSH functions. Consequently the ORAM capacity (i.e. the
number of actual blocks that are outsourced by ‫ܥ‬, while server’s database
contains additional fake blocks) is set to 217 and only the block size varies
with N. The ratio between server storage and ORAM capacity does not
change much with N and is approximately equal to 4.22. For N § 250, 000
users, client storage is approximately 2 MB, while 314ms are required for
μ = 128 accessed to ࣞ‫ܤ‬ଶ . Recall that Enrollment requires 256 accesses to
ࣞ‫ܤ‬ଶ while Identification requires 128 ones.
Combining Everything Together. Bringer et al. consider a database of N

= 218 = 262, 144 IrisCode records, which is close to the size of the UAE
database used in [27]. Without outsourcing, client ‫ ܥ‬would have to store
128 MB of data. With the protocol of [9], he needs to store about 1.3 MB
for ࣞ‫ܤ‬ଵ and 2.3 MB for ࣞ‫ܤ‬ଶ . Thus, the total storage of the client is around
3.6 MB, less than 3 % of the storage required without outsourcing. The
server storage is around 509 MB for ࣞ‫ܤ‬ଵ and 1.06 GB for ࣞ‫ܤ‬ଶ .
With the same parameters, the computational time for one write or
read request to ORAM1 is 0.84 ms, and 314 ms are needed for 128
344 Chapter Ten
accesses to ORAM2. The time required by an enrollment is thus about 630

ms. For an identification, assuming that 41 candidates are selected after
Step 1 (see Section 2.4 and [27]), the total computational time for
Identification is 314 + 41ȉ0.84 = 348 ms. The time required to compute 41
IrisCode comparisons is negligible compared to the ORAM accesses.
Based on the estimations on performances of [48], the total data exchange
between ܵ and ‫ ܥ‬for an identification should be around 5 MB.
5 Concluding Remarks
To conclude this chapter, we suggest some elements of comparison
between the different protocols that were described and expose some open
issues.
5.1 Complexity and Efficiency

Computational Efficiency. As often when using cryptographic primitives,
using public-key (asymmetric) cryptography is more computationally
demanding than symmetric cryptography. Concerning the protocols
presented here, it means that use of Symmetric Searchable Encryption or
oblivious RAM is more efficient than Public-key Encryption with
Keyword Search or Private Information Retrieval/Storage. Furthermore,
use of PIR/PIS implies a work for the server that is linear in the size of the
databases, while ܵ only has to do look-ups for SSE and data
storage/retrieval for ORAM. On the client’s side, it depends on the
parameters, and requires a sublinear number of encryptions/decryptions
that are either public-key operations (PIR/PIS) or symmetric operations
(SSE, ORAM).
The ORAM construction is the only construction for which
implementation performances were published, and the performances given
in [9] and summed up above show its computational efficiency for quite
large databases (see Section 4.3).
Communication Complexity. SSE enables a ࣩ(1) communication

complexity, while this cost for ORAM and PIR is sublinear but non-
constant. With efficient ORAM or PIR implementations, it can be
ࣩ(log(N)). The constant hidden in the “big-O” is important.
Indeed, let us for instance consider the ORAM construction. If the number
of candidates found that using LSH functions is about 1% of the size of the
database, then client ‫ ܥ‬has to call N/100 read queries to ࣞ‫ܤ‬ଵ . And if every
query requires, say 25 times the communication cost of a non-secure
query, then about 1/4 of the whole ࣞ‫ܤ‬ଵ size is exchanged and the
advantage of using outsourcing and privacy-preserving primitives instead
of downloading the whole database is limited.
To make outsourcing valuable, one should choose a primitive with low
communication complexity, adapt the LSH family (see Section 5.3),
and/or find an appropriate use case (see below).
Size of biometric databases and use cases. To value the use of

outsourcing, databases should be of a large size. Indeed, even on personal
computers or smartphones, it is possible to store a biometric database of
reasonable size, since biometric references are usually relatively small.
However, biometric filtering using LSH functions can be used, for
instance, to efficiently search among large databases of images and/or
videos, where full downloading would be impossible. The impact of
outsourcing is thus more important and privacy-preserving techniques
might also be of great interest in such a setting.
5.2 Multi-server/Multi-client Systems

The protocols have been described for a single server and single client (or
a single sender and a single receiver). But, in some use cases, several
clients might want to access the same databases, for instance several
agents of the same governmental agency. This raises several issues.
Stateful vs Stateless and Concurrency. The first two protocols (SSE and
PIR/ PIS) are stateless, meaning that the client does not need to store data.
Moreover, accessing data on the remote server does not change the
database, thus using these protocols can easily be done in a concurrent
setting. However, use of ORAM often requires some synchronization
between the client ‫ ܥ‬and the server ܵ, and might ask ‫ ܥ‬for storing up-to-
date information (e.g. [48, 49]). Concurrency is thus more difficult to
achieve and use of stateless ORAMs ([26]) could be valuable, if one wants
to let several clients access the identification system. This could be the
case, for instance, if the database is a central database of the police and
police officers on the field have devices that they use to exchange
information with the remote database, so to identify citizens who are under
surveillance.
Multi-server. One could also outsource the biometric database to several

cloud providers. Using multiple servers can lead to better
computational/communication performances, while still maintaining
346 Chapter Ten
privacy, as long as servers do not collude. Multi-server solutions exist for

PIR [11] and for ORAM [47].
5.3 Biometric data and LSH functions

The efficiency of the schemes presented in this chapter relies highly on the
choice of LSH functions. The dimensionality m of the LSH functions
range should be small so that the locality-sensitive property is preserved,
but not too small, otherwise too many data would collide and the filtering
capacity of the protocols would be insufficient. Since complexity is also
directly linked to the number of LSH functions, their number μ should not
be too large. However, if μ is too small, then accuracy may decrease, since
filtering might miss the researched item. Thus, all parameters should be
carefully chosen in the trade-off between accuracy and efficiency. For the
actual construction of such functions, the example of Hao et al. [27] is
promising, but seems difficult to apply to other biometrics, since it relies
on the binary nature of IrisCodes. Applying this technique to other
biometric traits and encodings might require traversing first through
binarizing feature vectors and then finding reliable and independent small
projections.
Acknowledgements
This work has been partially funded by the European FP7 FIDELITY
project (SEC-2011-284862). The opinions expressed in this document are
only those of the authors. They reflect neither the view of the European
Commission nor the view of the employer of the authors.
References
[1] M. Adjedj, J. Bringer, H. Chabanne, and B. Kindarji. Biometric
identification over encrypted data made feasible. In A. Prakash and I.
Gupta, editors, ICISS, volume 5905 of Lecture Notes in Computer
Science, pages 86–100. Springer, 2009.
[2] A. Andoni and P. Indyk. Near-optimal hashing algorithms for
approximate nearest neighbor in high dimensions. Commun. ACM,
51(1):117–122, 2008.
[3] J. Bethencourt, D. X. Song, and B. Waters. New constructions and
practical applications for private stream searching (extended abstract).
In IEEE Sym- posium on Security and Privacy, pages 132–139. IEEE
Computer Society, 2006.
[4] B. H. Bloom. Space/time trade-offs in hash coding with allowable

errors. Commun. ACM, 13(7):422–426, 1970.
[5] D. Boneh, G. D. Crescenzo, R. Ostrovsky, and G. Persiano. Public key
encryption with keyword search. In C. Cachin and J. Camenisch,
editors, EUROCRYPT, volume 3027 of Lecture Notes in Computer
[6] D. Boneh, E. Kushilevitz, R. Ostrovsky, and W. E. S. III. Public key
encryption that allows PIR queries. In A. Menezes, editor, CRYPTO,
volume 4622 of Lecture Notes in Computer Science, pages 50–67.
Springer, 2007.
[7] J. Bringer, H. Chabanne, and B. Kindarji. Error-tolerant searchable
encryption. In ICC, pages 1–6. IEEE, 2009.
[8] J. Bringer, H. Chabanne, and B. Kindarji. Identification with encrypted
biometric data. Security and Communication Networks, 4(5):548–
562, 2011.
[9] J. Bringer, H. Chabanne, and A. Patey. Practical identification with en-
crypted biometric data using oblivious RAM. In IAPR International
Conference on Biometrics (ICB), 2013.
computation for biometric identification using filtering. In A. K. Jain,
A. Ross, S. Prab- hakar, and J. Kim, editors, ICB, pages 257–264.
IEEE, 2012.
[11] B. Chor, O. Goldreich, E. Kushilevitz, and M. Sudan. Private

information retrieval. In FOCS, pages 41–50. IEEE Computer Society,
1995.
[12] B. Chor, E. Kushilevitz, O. Goldreich, and M. Sudan. Private
information retrieval. J. ACM, 45(6):965–981, 1998.
[13] R. Curtmola, J. A. Garay, S. Kamara, and R. Ostrovsky. Searchable
symmetric encryption: improved definitions and efficient
constructions. In A. Juels, R. N. Wright, and S. D. C. di Vimercati,
editors, ACM Conference on Com- puter and Communications
Security, pages 79–88. ACM, 2006.
[14] I. DamgaÛrd, M. Geisler, and M. Krøigaard. Efficient and secure
comparison for on-line auctions. In J. Pieprzyk, H. Ghodosi, and E.
Dawson, editors, ACISP, volume 4586 of Lecture Notes in Computer
[15] J. Daugman. How iris recognition works. IEEE Trans. Circuits Syst.
Video Techn., 14(1):21–30, 2004.
[16] D. Dolev, C. Dwork, and M. Naor. Nonmalleable cryptography.
SIAM J. Comput., 30(2):391–437, 2000.
[17] T. E. Gamal. A public key cryptosystem and a signature scheme
348 Chapter Ten
based on discrete logarithms. In G. R. Blakley and D. Chaum, editors,

CRYPTO, volume 196 of Lecture Notes in Computer Science, pages
10–18. Springer, 1984.
[18] W. I. Gasarch. A survey on private information retrieval (column:
Computational complexity). Bulletin of the EATCS, 82:72–107, 2004.
[19] C. Gentry. Fully homomorphic encryption using ideal lattices. In M.
Mitzen- macher, editor, STOC, pages 169–178. ACM, 2009.
[20] C. Gentry, S. Halevi, and N. P. Smart. Homomorphic evaluation of
the AES circuit. In R. Safavi-Naini and R. Canetti, editors, CRYPTO,
Springer, 2012.
[21] C. Gentry and Z. Ramzan. Single-database private information
retrieval with constant communication rate. In L. Caires, G. F. Italiano,
L. Mon- teiro, C. Palamidessi, and M. Yung, editors, ICALP, volume
3580 of Lecture Notes in Computer Science, pages 803–815. Springer,
2005.
[22] Y. Gertner, Y. Ishai, E. Kushilevitz, and T. Malkin. Protecting data
privacy in private information retrieval schemes. In Vitter [51], pages
151–160.
[23] E.-J. Goh. Secure indexes. IACR Cryptology ePrint Archive,
2003:216, 2003.
[24] O. Goldreich. Towards a theory of software protection and simulation
by oblivious RAMs. In A. V. Aho, editor, STOC, pages 182–194.

ACM, 1987.
[25] O. Goldreich and R. Ostrovsky. Software protection and simulation
on oblivious RAMs. J. ACM, 43(3):431–473, 1996.
[26] M. T. Goodrich, M. Mitzenmacher, O. Ohrimenko, and R. Tamassia.
Privacy-preserving group data access via stateless oblivious RAM
simulation. In Y. Rabani, editor, SODA, pages 157–167. SIAM, 2012.
[27] F. Hao, J. Daugman, and P. Zielinski. A fast search algorithm for a
large fuzzy database. IEEE Transactions on Information Forensics and
Security, 3(2):203–212, 2008.
[28] A. Herzberg, S. Jarecki, H. Krawczyk, and M. Yung. Proactive secret
sharing or: How to cope with perpetual leakage. In D. Coppersmith,
editor, CRYPTO, volume 963 of Lecture Notes in Computer Science,
pages 339–352. Springer, 1995.
[29] P. Indyk. Nearest neighbors in high-dimensional spaces. In J. E.
Goodman and J. O’Rourke, editors, Handbook of Discrete and
Computational Geom- etry, chapter 39. CRC Press, 2004. 2rd edition.
[30] P. Indyk and R. Motwani. Approximate nearest neighbors: Towards
removing the curse of dimensionality. In Vitter [51], pages 604–613.
[31] A. K. Jain, P. Flynn, and A. A. Ross. Handbook of Biometrics.

Springer- Verlag New York, Inc., Secaucus, NJ, USA, 2007.
[32] W. Jansen and T. Grance. Guidelines on security and privacy in
public cloud computing. Special Publication 800-144, NIST,
December 2011.
[33] A. Kirsch and M. Mitzenmacher. Distance-sensitive Bloom filters. In
R. Ra- man and M. F. Stallmann, editors, ALENEX, pages 41–50.
SIAM, 2006.
[34] E. Kushilevitz, R. Ostrovsky, and Y. Rabani. Efficient search for
approximate nearest neighbor in high dimensional spaces. In Vitter
[51], pages 614–623.
[35] S. Z. Li and A. K. Jain, editors. Encyclopedia of Biometrics. Springer
US, 2009.
[36] H. Lipmaa. An oblivious transfer protocol with log-squared
communication. In J. Zhou, J. Lopez, R. H. Deng, and F. Bao, editors,
ISC, volume 3650 of Lecture Notes in Computer Science, pages 314–
[37] H. Lipmaa and B. Zhang. Two new efficient PIR-writing protocols. In
J. Zhou and M. Yung, editors, ACNS, volume 6123 of Lecture Notes in
Com- puter Science, pages 438–455, 2010.
[38] R. Ostrovsky. Efficient computation on oblivious RAMs. In H. Ortiz,
editor, STOC, pages 514–523. ACM, 1990.
[39] R. Ostrovsky and W. E. S. III. Algebraic lower bounds for computing

on encrypted data. Electronic Colloquium on Computational
Complexity (ECCC), 14(022), 2007.
[40] R. Ostrovsky and V. Shoup. Private information storage (extended
abstract). In F. T. Leighton and P. W. Shor, editors, STOC, pages 294–
303. ACM, 1997.
residuosity classes. In J. Stern, editor, EUROCRYPT, volume 1592 of
Lecture Notes in Computer Science, pages 223–238. Springer, 1999.
[42] B. Pinkas and T. Reinman. Oblivious RAM revisited. In T. Rabin,
editor, CRYPTO, volume 6223 of Lecture Notes in Computer Science,
[43] R. L. Rivest, L. Adleman, and M. L. Dertouzos. On data banks and
privacy homomorphisms. In R. A. DeMillo, D. P. Dobkin, A. K. Jones,
and R. J. Lip- ton, editors, Foundations of Secure Computation, pages
165–179. Academic Press, 1978.
[44] A.-R. Sadeghi, V. D. Gligor, and M. Yung, editors. 2013 ACM
SIGSAC Conference on Computer and Communications Security,
CCS’13, Berlin, Germany, November 4-8, 2013. ACM, 2013.
350 Chapter Ten
[45] A. Shamir. How to share a secret. Commun. ACM, 22(11):612–613,

1979.
[46] E. Stefanov. Oblivious RAM library.
http://www.emilstefanov.net/Research/ObliviousRam/.
[47] E. Stefanov and E. Shi. Multi-cloud oblivious storage. In Sadeghi et
al. [44], pages 247–258.
[48] E. Stefanov, E. Shi, and D. X. Song. Towards practical oblivious
RAM. In NDSS. The Internet Society, 2012.
[49] E. Stefanov, M. van Dijk, E. Shi, C. W. Fletcher, L. Ren, X. Yu, and
S. De- vadas. Path ORAM: an extremely simple oblivious RAM
protocol. In Sadeghi et al. [44], pages 299–310.
[50] H. Takabi, J. B. D. Joshi, and G.-J. Ahn. Security and privacy
challenges in cloud computing environments. IEEE Security &
Privacy, 8(6):24–31, 2010.
[51] J. S. Vitter, editor. Proceedings of the Thirtieth Annual ACM
Symposium on the Theory of Computing, Dallas, Texas, USA, May 23-
26, 1998. ACM, 1998.
[52] P. Williams and R. Sion. Single round access privacy on outsourced
storage. In T. Yu, G. Danezis, and V. D. Gligor, editors, ACM
Conference on Computer and Communications Security, pages 293–
304. ACM, 2012.
CHAPTER ELEVEN
A COLLABORATIVE FRAMEWORK DESIGN

FOR DISTRIBUTED BIOMETRICS-BASED
AUTHENTICATION IN THE CLOUD
KOK-SENG WONG AND MYUNG HO KIM

SCHOOL OF COMPUTER SCIENCE AND ENGINEERING,
SOONGSIL UNIVERSITY
Abstract
Over the past several years, many companies have benefited from the
implementation of cloud solutions within their own organisations. Due to
advantages such as flexibility, mobility, and cost savings, we expect

numbers of cloud users to grow rapidly. Consequently, organizations need
a secure way to authenticate their users, in order to ensure the functionality
and safety of their services. In this chapter, we design a collaborative
framework to support biometrics-based authentication for cloud users
under a distributed setting. In our design, we divide the biometric system
into four distinct entities: the client, the service provider, the
transformation agent, and the matching agent), so to prevent one party
from controlling all the information and components during the
authentication process. In particular, we want to prevent an adversary from
bypassing the authentication system and from reconstructing the original
biometric sample of the users during the verification process. We utilize a
homomorphic cryptosystem in our biometric matching that allows
operations in an encrypted form. We analyse security for our framework
by considering attacks from each semi-honest entity and possible joint
attacks from two or more semi-honest entities controlled by adversaries.
Index Terms— Biometrics-based Authentication System, Collaborative
Framework Design, Cloud Authentication, Privacy Protection.
352 Chapter Eleven
1 Introduction
Cloud computing is an emerging technology which allows users to request
services and resources from their service providers in an on-demand
environment. It is a complex yet resource-saving infrastructure for today’s
modern business needs, providing the means through which services are
delivered to the end users via Internet access. In the cloud environment,
users can access services based on their needs, without knowing how the
services are delivered or where the service is hosted.
The US National Institute of Standards and Technology (NIST) has
defined cloud computing as follows [1]: Cloud computing is a model for
enabling ubiquitous, convenient, on-demand network access to a shared
pool of configurable computing resources (e.g., networks, servers, storage,
applications, and services) that can be rapidly provisioned and released
with minimal management effort or service provider interaction. Hardware
devices, software, storage and network infrastructure are available to cloud
users through Internet access. Rather than purchasing expensive but
powerful resources, users lease these resources from the service providers.
With cloud computing, users can access the services via the Internet
regardless of time or location. In addition, they do not have to install
software on their local machine but are still able to enjoy a high level of
availability of services. Furthermore, high efficiency and fast deployment
benefits are also attractions for companies and individuals who move to
cloud services. Due to advantages such as flexibility, mobility, and cost
saving, the number of cloud users has increased tremendously. Industry
analysts have made projections that the entire computing industry will be
transformed into a cloud environment [2].
1.1 Issues and Problem Statement

Cloud computing is an emerging technology in many organizations,
especially those which require extra resources (i.e., processing power and
storage) at a lower cost. Recently, the adoption of cloud services within an
organization has raised a significant security concern among data owners
when the data stored in the cloud are sensitive to the public or shared
environment. For example, customer details are sensitive data to the
company and the data owner. The leakage of this sensitive information
will compromise individual privacy, and allows competitors to gain
competitive advantages. Therefore, user authentication for cloud
computing is important and needs to be addressed when considering
sensitive data.
Distributed Biometrics-based Authentication in the Cloud 353
In this cloud-driven era, user authentication is often the key issue in the
cloud environment. It is important for the service provider to verify who
can access their services and to identify each user. Some commonly-used
authentication services include Kerberos [3] and OpenID [4]. The service
provider authenticates its users based on the credentials submitted such as
a password, token or digital certificate. Unfortunately, these credentials
can be stolen, accidentally revealed or difficult to remember.
A biometric system is a pattern recognition system that uses biometric
features extracted from physiological (e.g., fingerprint or face) or
behavioural characteristics (e.g., voice or handwriting) of the user. It is
commonly used to recognize an individual, based on characteristics such
as iris patterns, facial features, fingerprints, palm prints, or voice patterns.
Biometric authentication is an emerging approach to authenticate cloud
users. Recently, the German company BioID proposed the world’s first
biometric authentication service for cloud computing [5]. In their solution,
biometric authentication as a service (BaaS) was proposed to provide
single sign-on for user authentication. With large-scale biometrics
deployment, the amount of biometric data collected has grown
tremendously. For example, India launched a biometric data project to
collect biometric data for its 1.3 billion residents [6].
The attempt to use cloud computing to quantify the scope of the
biometric database size explosion was first proposed by associates at Booz
Allen Hamilton in 2010 [7]. Their idea was to utilize the processing power
of the cloud to facilitate the big data biometrics-matching problem.
Recently, Intel’s McAfee started offering a biometric authentication
service to allow its users to securely store their files online [8].
The primary concern in any biometric-based system is the protection of
the biometric templates. This is of particular concern because biometric
characteristics for humans are limited (they cannot be changed or
reissued). Biometric templates uniquely represent the strong identity
information of their owner. Although they provide a higher degree of
security, compared with passwords or security tokens, they can still be
stolen or exchanged. Hence, the leakage of biometric templates will
compromise the user’s privacy forever. For example, if users enrol in
different systems using the same biometric features, the leakage in one
system will compromise their privacy in other systems at the same time.
1.2 Our Goals

In view of the issues and problems discussed in the previous section, we
aim to design a secure collaborative framework to authenticate cloud users
354 Chapter Eleven
and to protect their biometric samples stored in a system. We summarize

our goals in this chapter as follows:
1. To design a collaborative framework to support biometrics-based

user authentication for cloud computing. In particular, we want to
prevent one party from controlling all the information and
components used during the authentication process. We will
separate the biometric system into different entities: the client, the
service provider, the transformation agent, and the matching agent.
2. At the same time, there is a need to allow users to use the same
biometric features in different enrolments. We introduce the usage
of the verification code to transform the original biometric sample
of the users into different templates. The verification code should
not affect the comparison result in the system.
3. Our solution needs to ensure that no semi-honest entity can bypass
the authentication process in a biometric system. We require a
verification code and user’s biometric sample for each
authentication request. Both verification code and biometric sample
must be transformed and shuffled correctly during the verification
process.
4. Due to the uniqueness of the biometric sample, we must ensure that
no adversary is able to reconstruct the sample from the template
stored in the system.

5. The biometric template generates by our system cannot be used for
cross-matching attack. In particular, a stolen or compromised
biometric template cannot be used to gain access into another
system.
6. The biometric comparison should be performed in an encrypted
form to prevent the leakage of a user’s biometric sample. We will
utilize a homomorphic cryptosystem in our protocol, which
supports an additive operation between two ciphertexts without
requiring decryption.
1.3 Organization
The rest of this chapter is organized as follows: The background and
related work for this research are presented in Section 2. We describe the
system settings and model of our framework in Section 3. We present our
solution in Section 4, followed by the analysis and discussions in Section
5. Our conclusion is in Section 6.
2 Background and Related Work

2.1 User Authentication
In a generic sense, security is the prevention of an unauthorized party from
gaining access to confidential information and system resources. A secure
authentication system needs to ensure that only authorized users can
access the system. When performing authentication over the Internet,
credentials will be submitted by the principal (the user, machine, or
service requesting access) [9]. If the credentials match, the user is allowed
to access the services subscribed to the service provider. In this chapter,
we only consider a user as the principal who submits their credentials for
authentication over the Internet.
There are several types of credential that the cloud users can submit as
proof of their identity. A shared-key is typically a password used in
protocols such as Password Authentication Protocol (PAP) [10] and
Challenge Handshake Authentication Protocol (CHAP) [11]. A digital
certificate is a second type of credential which can provide strong
authentication in the cloud environment. It is an electronic document that
uses a trusted Certificate Authority (CA) so to bind the encryption key to
an identity [12]. A decryption key is the only way to validate the signed
certificate.
Another type of credential is the commonly used one-time-password

(OTP) [13, 14]. The end-user obtains the OTP from a token (hardware or
software) during login. The token can generate in real time a randomized
password string based on a complex algorithm. Since the password
generated is unique and can only be used once, it is possible to use OTP in
the cloud environment. For example, Amazon Web Services (AMW) has
already started to use OTP tokens for use with individual AWS accounts
[15].
2.2 Biometric-based Authentication

Biometric characteristics such as iris patterns, facial features, fingerprints,
palm prints or voice patterns will be submitted by the user as a credential
for authentication over the Internet. Biometric-based authentication
systems provide a higher degree of security as compared with
conventional authentication systems. Furthermore, it allows the system to
keep track of the user’s activities because individual biometric
characteristics cannot be shared with others.
356 Chapter Eleven
Figure 1. A general design for biometric-based authentication systems
Generally, biometric authentication systems consist of five modules,

namely, the biometric sensor, feature extractor, template storage, matching
module, and the decision module. Figure 1 illustrates the general design
for most biometric-based authentication systems.
During the enrolment process, the biometric sensor scans the biometric
traits of the user, while the feature extractor extracts the feature vector
from the scanned biometric data. The feature vector is then stored in the
template in the template storage.

At the verification stage, the biometric sensor and the feature extractor
perform the same tasks as in the enrolment process. However, the
extracted feature vector (query feature ܳ) will not be stored in the storage.
Instead, it will be used by the matching module to compare with the
templates stored in the storage. The matching operation outputs a
similarity score, which will be used by the decision module in making the
decision (accept or reject). The matching result is then compared with a
threshold value determined by the system administrator.
Biometric matching is the key operation in biometric-based
authentication systems with which to verify the users. However, in
practice, the same biometric trait will not produce two identical feature
vectors, due to noise or variations in the user’s interaction with the
biometric sensor. Hence, biometric-based systems are not required to have
a perfect match as in password-based authentication systems. The distance
between two feature vectors originating from the same user is typically
greater than zero (zero distance means both feature vectors are identical).
2.3 Homomorphic Cryptosystem

In order to allow the system (i.e., the matching agent) to perform
comparison in an encrypted form, we will utilize a homomorphic
cryptosystem (i.e., Paillier [16]) in our protocol. Let ‫ܿ݊ܧ‬௣௞࣯ ሺ݉ଵ ሻ denote
the encryption of a message ݉ଵ with an encryption key ‫ ࣯݇݌‬. The Paillier
cryptosystem supports the following operations in an encrypted form:
- Addition: Given two ciphertexts ‫ܿ݊ܧ‬௣௞࣯ ሺ݉ଵ ሻ and ‫ܿ݊ܧ‬௣௞࣯ ሺ݉ଶ ሻ ,

there exists an efficient algorithm ൅௛ to compute ‫ܿ݊ܧ‬௣௞࣯ ሺ݉ଵ ൅
݉ଶ ሻ.
- Scalar multiplication: Given a constant ܿ and a ciphertext
‫ܿ݊ܧ‬௣௞࣯ ሺ݉ଵ ሻ , there exists an efficient algorithm ȉ௛ to compute
‫ܿ݊ܧ‬௣௞࣯ ሺܿ ȉ ݉ଵ ሻ.
Note that when a scheme supports the additive operation, it also supports
scalar multiplication, because ‫ܿ݊ܧ‬௣௞࣯ ሺܿ ȉ ݉ଵ ሻ can be achieved by
summing ୮୩౑ ሺଵ ሻ successively ܿ times. By using a homomorphic
cryptosystem, we can compute the additive operation directly on the
encrypted data without decryption. This is a useful feature because the
biometric template stored in the server does not require decryption during
the matching operation.
2.4 Notations Used

The notations used hereafter in this chapter are shown in Table 1.
Table 1. Common notations used.
Notation Description
ट individual who provides his or her biometric data for
ࢄ authenticate
biometric sample extracted from ࣯ during the enrolment
process
ࢅ biometric sample extracted from ࣯ during the verification
ࢄԢ process
transformed biometric sample during the enrolment process
ࢅԢ transformed biometric sample during the verification process
ࢄ̶ shuffled sample during the enrolment process
ࢅ̶ shuffled sample during the verification process
ࢀ biometric template
358 Chapter Eleven
ࡽ query feature
࣊ट shuffling protocol o ࣯
࢞ᇱ࢏ ݅-th element of ܺԢ
࢟ᇱ࢏ ݅-th element of ܻԢ
࢙ comparison score between ܺ and ܻ (based on squared
Euclidean distance)
࢔ length of the original feature vector
࢓ length of the verification code
࢑ length of the transformed vector where, ݇ ൌ ݊ ൅ ݉
ࢀࡵࡰ template identification number
ࢂࡵࡰ verification code identification number
࢖࢑ट encryption key from ࣯
࢖࢘ट decryption key from ࣯
ࡱ࢔ࢉ࢖࢑ट ሺȉሻ encryption operation by using ‫࣯݇݌‬
ࡰࢋࢉ࢖࢘ट ሺȉሻ decryption operation by using ‫࣯ݎ݌‬
࣓ random non-zero noise
2.5 Related Work

Performing matching between the query feature vector and the biometric
template is the main operation and the most critical task for any biometric-
based system. Generally, the matching operation can be performed at the

client side, or can be computed by the authentication server. The matching
computation at the client side is done with portable devices such as a smart
card reader. The biometric data of the user is stored on the smart card
which has the ability to store large amounts of data and has ability to
perform on-card functions such as encryption and matching operations.
This approach is also known as match-on-card (MOC) where the biometric
template of the user will never leave the smart card [17].
The matching computation done at the authentication server is
commonly used in the existing biometric-based authentication system. The
matching module of the server is responsible for performing a comparison
between the query feature vector and the template. Recently, a new
approach to outsourcing large scale biometric computations to an external
party has been proposed in literature [18, 19]. Outsourcing the matching
operation to one or more external servers is necessary when computing
power is the main consideration for the authentication system.
There are several solutions that have been proposed to compare the
query feature vector and the template during the matching operation (i.e.,
fuzzy commitment scheme[20], fuzzy vault [21], and error correcting
codes [22]). Cryptographic-based solutions are also widely used in
biometric matching. These solutions include secure multi-party

computation (SMC) [23], private information retrieval [24], and
homomorphic encryption schemes [25].
Recently, homomorphic encryption schemes such as Paillier [16] and
ElGamal [26] have received great attention in the biometric research area.
A number of papers deal with homomorphic encryption schemes in
biometric-based authentication systems. Schoenmakers and Tuyls employ
a secure multi-party computation method which utilizes homomorphic
properties in biometric authentication systems [27]. Bringer et al.
introduced several authentication protocols to protect the relationship
between the biometric templates and the relevant identity of the users
(identity privacy) in [23].
The work most related to our solution in this chapter is the distributed
framework proposed by Simoens et al. [28]. Their solution is motivated by
the separation-of-duties principle defined by Bringer et al. in [23]. The
idea of this principle is to separate the roles of each entity to prevent any
party from controlling all the processing operations and data storage. The
biometric system in [28] is separate into four distinct entities: (1) the
biometric sensor ࣭, (2) the authentication server ࣭ࣛ, (3) the database ࣞࣜ
and (4) the matcher ࣧ . Each entity plays a specific role during the
authentication process, aiming to provide higher privacy protection to
users.
During the authentication process (identification or verification), the

biometric sensor ࣭ extracts the biometric features ܳ of user ܷ௜ and sends it
as authentication request to ࣭ࣛ. Next, ࣭ࣛ retrives the biometric template
ܶ of ܷ௜ stored in ࣞࣜ. Note that the ࣞࣜ can provide a single template for
verification or a set of templates (or entire database) for identification
purposes. In addition, both ܳ and ܶ will be mapped into an encrypted
value, so to prevent the leakage of original biometric features. The
authentication server ࣭ࣛ then forwards ܳ and ܶ to ࣧ. The matcher ࣧ is
then responsible for computing a comparison score between ܳ and ܶ
(based on similarity or distance functions), and sends the result (the
comparison score or the authentication decision) back to ࣭ࣛ . The
overview of the system model proposed in [28] is shown in Figure 2.
As shown in Figure 2, there is no direct communication channel
between ࣞࣜ and ࣧ. It aims to prevent any possible collusion between the
two entities. However, this design requires a high level of trust on ࣭ࣛ
because it will learn all the sensitive information (e.g., ܳ , ܶ and
comparison score) of the system.
360 Chapter Eleven
Figure 2. A system model for framework proposed in [28]
The primary attack points considered in [28] are at ࣭, ࣭ࣛ, ࣞࣜ and ࣧ. A

comprehensive study for possible collusions between internal attackers
(e.g., malicious system administrator) was discussed. In particular, they
focus on the internal attackers who control one or more entities during the
authentication process and therefore, they do not consider the attack point
at the client side. Moreover, they do not consider the case where an
adversary tries to bypass the authentication. Instead, their focus is on
template security and privacy protection. We will consider this attack in
our protocol.
In this chapter, we design a collaborative framework that can improve
the model proposed in [28]. In particular, we aim to prevent any entity
from learning all the sensitive information. To do so, we include an
additional entity (e.g., a transformation agent), and introduce the usage of
a verification code and noise to protect the biometric samples.
Furthermore, we utilize a homomorphic cryptosystem in our framework
design so to allow the computation of a comparison score in an encrypted
form. This can prevent the matcher from knowing the actual score between
the two biometric samples. We will discuss the details of our framework
design in the following section.
3 Collaborative Framework Settings and Model

3.1 Framework Idea
In our solution, the authentication process requires two credentials from
the user ࣯: (1) the user’s biometric data and (2) the verification code.
Biometric data is a sample extracted from the user’s biometric traits
whereas the verification code is a feature used to transform the biometric

data into template ܶ or query feature ܳ . This transformation process
makes it difficult for the adversary to learn the biometric data from the
mixture (template or query feature). In addition, we use the verification
code to prevent the adversary from using a stolen template to gain access
into the system or launch a cross-matching attack. Each user ࣯ generates a
Paillier cryptosystem key pair ሺ‫ ࣯݇݌‬ǡ ‫ ࣯ݎ݌‬ሻ and provides his or her
encryption key ‫ ࣯݇݌‬to the service provider. We assumed that the
decryption key ‫ ࣯ݎ݌‬will not be revealed to any party. The decryption
module of the client will help ࣯ to perform the decryption operation.
Like other biometric-based authentication systems, our solutions
require matching between the query feature, ܳ and the biometric template,
ܶ. Based on the characteristics of the biometric feature, we can compare
both ܳ and ܶ by using some distance measurements. For example,
normalized Hamming distance is used for iris-based comparison while the
squared Euclidean distance has been used in face matching. We consider
the latter as our measurement metric in this chapter.
To authenticate an enrolled user, both the biometric sample and the
verification code must be combined and shuffled correctly. If one of these
credentials is incorrect (or absent), the verification process will fail. In
particular, the comparison result between ܳ and ܶ will not be able to pass
the system threshold. Note that this idea has been proposed in our previous
work [29, 30].
3.2 Framework Settings

Our framework design also follows the separation-of-duties principle
defined by Bringer et al. in [23]. We design four distinct entities in our
system: (1) the client ࣝ, (2) the service provider ࣪, (3) the transformation
agent ࣮, and (4) the matching agent ࣧ. In addition, there are two data
storages in our system. The first storage ሺ்ࣞࣜ ሻ is used to store the
biometric templates of the users while the second storage ሺࣞࣜ୚ ሻ is used to
store the verification codes.
Unlike the solution in [28], we do not detach the data storage as an
independent entity. Instead, we attach it with another entity, aiming to
reduce the data retrieving time. However, it is straightforward if we want
to detach both storages as an independent entity. We show the overview of
our system setting in Figure 3.
362 Chapter Eleven
Figure 3. An overview of the system setting in our proposed solution
3.3 Framework Communications

Communication among entities is important to the security of our
collaborative framework. We also assumed the communication channels
between the different entities to be secure. In our design, we need to
ensure that the protocol execution is secure while no extra information is
revealed. To show the communication direction between two entities, we

will use ሺ՜ሻ and ሺุሻ to denote one-way communication and two-way
communication, respectively.
As shown in Figure 3, we design one-way communication for ࣝ ՜ ࣮
and ࣮ ՜ ࣧ. The main reason to restrict one-way communication between
ࣝ and ࣮ (i.e., ࣝ ՜ ࣮) is to prevent the user from knowing the verification
code used to transform his or her biometric sample. After ࣮ retrieves the
verification code of ࣯, it must perform immediately the transformation
operation, and sends the transformation result to ࣧ . We restrict the
communication between ࣮ and ࣧ (i.e., ࣮ ՜ ࣧ) in order to prevent an
adversary who controls ࣧ and ࣪ from reconstructing the original
biometric sample from the verification code and the template. For the
same reason, we restrict any communication between ࣪ and ࣮.
Despite the two-way communication between an entity and the data
storage (i.e, ࣮ ุ ࣞࣜ௏ and ࣪ ุ ்ࣞࣜ ), we also require two-way
communication for ࣧ ุ ࣪ and ࣝ ุ ࣪ . The first communication
ሺࣧ ุ ࣪ሻ is to allow ࣪ to send the template of ࣯ to ࣧ, and to allow ࣧ
to return the computed comparison result back to ࣪ . In the second
communication ሺࣝ ุ ࣪ሻ, we allow ࣝ to send the authentication request
from ࣯ to ࣪ and allow ࣪ to notify ࣝ about the authentication result (to

accept or to reject).
3.4 Entities Design

We now formally describe the roles and components assigned for each
entity as follows:
x User ࣯, an individual who provides his or her biometric data to

authenticate himself to the service provider ࣪ . Each user has a
Paillier cryptosystem key pair ሺ‫ ࣯݇݌‬ǡ ‫ ࣯ݎ݌‬ሻ.
x Client ࣝ , a computer or workstation with network access (e.g.,
Internet). It is used to generate a biometric sample of ࣯ , and
performs the decryption operation by using ‫ ࣯ݎ݌‬. The client has the
following components:
- Biometric sensor: scans the biometric traits of the user
- Feature extractor: extracts the biometric sample from the scanned
biometric data
- Decryption module: performs a decryption operation by using the
decryption key ‫ ࣯ݎ݌‬from ࣯
x Transformation agent ࣮, a separate entity which helps to transform
the biometric sample into ܶ or ܳ. The transformation agent requires
the following components:

- Verification code generator: generates a unique verification code
for ࣯
- Transformation module: combines and shuffles the biometric
sample and the verification code
- Verification code storage ࣞࣜ୚ ǣ cloud-based data storage used to
store the verification codes
- Encryption module: performs encryption operation by using the
encryption key ‫ ࣯݇݌‬of ࣯ and shuffles the transformed sample by
using ߨ࣯
x Matching agent ࣧ , a separate entity which is responsible for
computing the comparison score between ܶ and ܳ. The matching
agent requires the following component:
- Matching module: computes squared Euclidean distance between ܶ
and ܳ. This computation is performed in an encrypted form
x Service provider ࣪, a company or an organization which provides
cloud services (SaaS, PaaS or IaaS) to ࣯. The service provider
requires the following components:
364 Chapter Eleven
- Noise module: injects noise into the comparison score computed

by ࣧ before it is sent to ࣝ for decryption. This noise is used to
prevent ࣝ from learning the actual value of ‫ ݏ‬after the decryption.
- Decision module: makes the final decision by comparing the
comparison score with a threshold ߬ determined by ࣪.
- Templates storage ்ࣞࣜ : cloud-based data storage used to store the
biometric templates
3.5 Adversary Model

Two different types of attacks can be identified in our system: (1) an
internal attack and (2) an external attack. An internal attack involves an
adversary such as employee or client who attempts to gain access into the
cloud. An external attack involves external parties (intruders or network
attackers) who watch the traffic on the network. They are interested in
learning something from or intercepting the data in the network. Since the
internal attackers have more knowledge about the protocol, we will only
consider the internal attack in our solution. Note that we can prevent
external attackers by utilizing a secure channel to serve as the
communication medium among entities.
As mentioned earlier, our goal is to support biometric matching
operations in a secure and privacy-preserved environment. In particular,
the protocol needs to ensure that there is no leakage of any sensitive

information during the protocol execution. Hereafter in this section, we
refer to sensitive information as the biometric data (i.e., biometric sample,
ܳ and ܶ), the verification code ܸ, the comparison score ‫ݏ‬, and the system
threshold ߬ . Also, we need to prevent any adverse party from
reconstructing the biometric features and impersonating an enrolled user
during the verification process. In our design, ࣝ is unable to learn the
actual comparison score for any two biometric samples. This design can
prevent an adversary who controls ࣝ to modify ‫ݏ‬, aiming to bypass the
authentication. This objective was not considered in [28] because its focus
is on the template security and user privacy .
We assume all entities in our system are semi-honest parties. In the
semi-honest model, each party follows the prescribed action in the
computation protocol. However, upon completion of the protocol, the
semi-honest party might attempt to discover additional information from
the intermediate or final computation result. For instance, a semi-honest
service provider is interested to learn the original biometric sample of a
target user from the template it stored, while the semi-honest client wants
to know the comparison score for each authentication request after it

performs the decryption operation.
In general, we can summarize the attack goals for semi-honest
adversaries (or attackers who monitor different entities) in our protocol as
follows:
1. To discover biometric template, ܶ: semi-honest adversary aims to

impersonate enrolled user in the verification process
2. To identify verification code, ܸ : semi-honest adversary aims to
determine genuine biometric sample ܺ (or ܻ ) from transformed
sample
3. To reconstruct original biometric sample ܺ (or ܻ ): semi-honest
adversary aims to use biometric data for cross-matching purposes
4. To learn the comparison score ‫ ݏ‬and the system threshold, ߬: semi-
honest adversary aims to modify comparison score to bypass
authentication (e.g., ‫ ݏ‬൏ ߬)
5. To trace user’s identity in different enrolments, ‫ܫ‬௜ : semi-honest
adversary aims to compromise identity privacy of user
Based on the attack goals discussed previously, we now set the

requirements to reveal the sensitive information to each entity during the
verification process. In particular, we want to prevent each entity from
learning extra-sensitive information. For instance, we allow ࣝ to learn the

original biometric samples of ࣯, since we attach the biometric sensor and
the feature extractor to ࣝ. Similarly, we allow ࣮ to learn ܺ and ܻ, since it
requires the biometric samples in the transformation process. Since ࣧ
needs to perform the biometric comparison, we must allow it to learn both
ܸ and ܶ . Note that the user’s decryption key is only accessible by ࣝ
because it needs to perform the decryption process. In Table 2, we
summarize that the sensitive information can be learned by each entity.
366 Chapter Eleven
Table 2. Restrictions on sensitive information that can be learned by

each entity.
Sensitive Information Entity

ࣝ ࣮ ࣧ ࣪
Biometric samples, ࢄ and ࢅ ξ ξ ൈ ൈ
Verification code, ࢂ ൈ ξ ξ ൈ
Template, ࢀ ൈ ൈ ξ ξ
Comparison score ࢙ ൈ ൈ ൈ ξ
System threshold, ࣎ ൈ ൈ ൈ ξ
Shuffling protocol, ࣊ट ൈ ξ ൈ ൈ
User’s decryption key,࢖࢘ट ξ ൈ ൈ ൈ
4 Our Solution
In this section, we explain the details of the enrolment and the verification
process.
4.1 Enrolment Process

The objective of the enrolment process is to register a user into the system.
Users can use the same biometric data to enrol into new or existing
systems that allow multiple enrolments. The enrolment process begins by
scanning biometric trait of the user. The biometric sensor scans the
biometric trait of ࣯ and then the feature extractor extracts a biometric
sample ܺ from the scanned data. Since ܺ is sensitive information, we will
not use it directly as the template of ࣯. Instead, we will use a verification
code ܸ to transform ܺ into a mixture for which it is difficult for the
adversary to identify a genuine ܺ . The transformed sample will be
encrypted by using the encryption key ‫ ࣯݇݌‬of ࣯, before it is shuffled and
stored as a template ܶ of ࣯ in ்ࣞࣜ . Note that the cryptosystem used in our
protocol is semantically secure such that the encryption of the same
message will produce different ciphertexts due to randomization in the
encryption process [31]. The shuffle protocol is used to permute the order
of elements in the transformed sample, and we will use the same shuffle
protocol for ࣯ during the verification process.
A user who successfully enrols into our system will obtain two
identifiers: (1) the template identifier, ܶ‫ ܦܫ‬and (2) the verification code
identifier, ܸ‫ ܦܫ‬. The first identifier is used to retrieve template ܶ from
்ࣞࣜ , while the second identifier is used to access the verification code ܸ
stored in ࣞࣜ௏ . The overview of the enrolment process is shown in Figure

4.
Figure 4. An overview of the enrolment process

The workflow for the enrolment process is summarized as follow:
1. The biometric sensor scans the biometric trait of ࣯.

2. The feature extractor processes the scanned biometric data to
extract a biometric sample ܺ ൌ ሼ‫ݔ‬ଵ ǡ ‫ݔ‬ଶ ǡ ǥ ǡ ‫ݔ‬௡ ሽ, ݊ ൐ Ͳ.
3. The feature extractor sends ܺ to the transformation module of ࣮.
4. The verification code generator generates a unique verification
code ܸ ൌ ሼ‫ݒ‬ଵ ǡ ‫ݒ‬ଶ ǡ ǥ ǡ ‫ݒ‬௠ ሽ, ݉ ൐ Ͳ for ࣯.
5. The verification code ܸ is sent to the verification codes storage
ࣞࣜ௏ .
6. The transformation module of ࣮ transforms ܺ into ܺ ᇱ ൌ
ሼ‫ݔ‬௜ᇱ ȁ݅ ൌ ͳǡʹǡ ǥ ǡ ݊ ൅ ݉ሽ such that ‫ݔ‬௜ᇱ ൌ െʹ‫ݔ‬௜ for ͳ ൑ ݅ ൑ ݊ and
ᇱ
‫ݔ‬௡ା௝ ൌ െʹ‫ݒ‬௝ for ͳ ൑ ݆ ൑ ݉ . Also, it computes σ௡௜ୀଵ ‫ݔ‬௜ଶ and
σ௠ ଶ
௝ୀଵ ‫ݒ‬௝ .
7. The encryption module of ࣮ encrypts ܺԢǡ σ௡௜ୀଵ ‫ݔ‬௜ଶ and σ௠ ଶ
௝ୀଵ ‫ݒ‬௝ by
using ‫ ࣯݇݌‬to produce ‫ܿ݊ܧ‬௣௞࣯ ሺ̶ܺሻǡ ‫ܿ݊ܧ‬௣௞࣯ ሺσ௡௜ୀଵ ‫ݔ‬௜ଶ ሻ and
‫ܿ݊ܧ‬௣௞࣯ ሺσ௠ ଶ
௝ୀଵ ‫ݒ‬௝ ሻ . Next, it shuffles elements in ‫ܿ݊ܧ‬௣௞࣯ ሺܺԢሻ by
using a shuffle protocol ߨ࣯ (i.e., ‫ܿ݊ܧ‬௣௞࣯ ሺ̶ܺሻ ൌ
368 Chapter Eleven
ߨ࣯ ሺ‫ܿ݊ܧ‬௣௞࣯ ሺܺԢሻሻ ). The encryption module sends

ܶ ൌ ൛‫ܿ݊ܧ‬௣௞࣯ ሺ̶ܺሻǡ ‫ܿ݊ܧ‬௣௞࣯ ሺσ௡௜ୀଵ ‫ݔ‬௜ଶ ሻǡ ‫ܿ݊ܧ‬௣௞࣯ ሺσ௠ ‫ݒ‬
௝ୀଵ ௝
ଶ
ሻൟ to ࣪ . The
service provider ࣪ stores ܶ as the template for user ࣯ in ்ࣞࣜ .
4.2 Verification Process

The purpose of the verification process is to verify that people are who
they claim to be. When a user ࣯ wants to access his or her data stored in
the cloud (or wants to use the cloud services), he or she must be verified
by the service provider ࣪. During the verification process, the biometric
sensor scans the biometric trait of ࣯ and then the feature extractor extracts
a biometric sample ܻ from the scanned data. Next, the transformation
module of ࣮ retrieves ܸ of ࣯ by using the ܸ‫ ܦܫ‬provided by ࣯ and
transforms ܻ into a query feature ܳ. The transformation process will use
the same shuffle protocol and encryption key as in the enrolment process.
A verification message that consists of ܳ and ܶ‫ ܦܫ‬will be sent to ࣧ.
Like most existing biometric-based authentication systems, our
solution requires matching between ܳ and ܶ . The matching agent ࣧ
requests ܶ from ࣪ by sending the ܶ‫ ܦܫ‬provided by ࣯ . The service
provider ࣪ helps ࣧ to retrieve ܶ from ்ࣞࣜ . Consequently, ࣧ needs to
compute a comparison score ‫ ݏ‬between ܳ and ܶ , by using a distance
measurement metric (e.g., squared Euclidean distance). Since both ܳ and
ܶ are encrypted datasets, ࣧ cannot directly use them to make the

comparison. In addition, ࣧ cannot decrypt ܳ or ܶ because it has no
knowledge about the decryption key ‫ ࣯ݎ݌‬. Therefore, we utilize a
homomorphic cryptosystem in our protocol design to make it possible for
ࣧ to compute ‫ ݏ‬in an encrypted form. The encrypted ‫ ݏ‬only can be
decrypted by ࣯ . However, the actual comparison score is viewed as
sensitive information which should not be revealed to ࣝ.
The client ࣝ will perform the decryption operation by using ‫ ࣯ݎ݌‬of ࣯.
To hide the value of ‫ݏ‬, we insert a noise into the encrypted value. After the
decryption, ࣪ removes the noise and makes the verification decision (to
accept or to reject) by comparing ‫ ݏ‬with a threshold value determined by
࣪. An overview of the verification process is shown in Figure 5.
Figure 5: An overview of the verification process
The workflow for the verification process is summarized as follows:

1. The biometric sensor scans the biometric trait of ࣯.

2. The feature extractor processes the scanned biometric data so to
extract a biometric sample ܻ ൌ ሼ‫ݕ‬ଵ ǡ ‫ݕ‬ଶ ǡ ǥ ǡ ‫ݕ‬௡ ሽ.
3. The feature extractor sends ܻ to the transformation module of ࣮.
4. The transformation module of ࣮ retrieves the verification code ܸ of
࣯ from ࣞࣜ௏ by using ܸ‫ ܦܫ‬. Next, it transforms ܻ into ܻ ᇱ ൌ
ሼ‫ݕ‬௜ᇱ ȁ݅ ൌ ͳǡʹǡ ǥ ǡ ݊ ൅ ݉ሽ such that ‫ݕ‬௜ᇱ ൌ ‫ݕ‬௜ for ͳ ൑ ݅ ൑ ݊ and
ᇱ
‫ݕ‬௡ା௝ ൌ ‫ݒ‬௝ for ͳ ൑ ݆ ൑ ݉. Also, it computes σ௡௜ୀଵ ‫ݕ‬௜ଶ and σ௠ ଶ
௝ୀଵ ‫ݒ‬௝ .
5. The encryption module of ࣮ encrypts σ௡௜ୀଵ ‫ݕ‬௜ଶ and σ௠ ଶ
௝ୀଵ ‫ݒ‬௝ by using
௠ ଶ
the encryption key ‫ ࣯݇݌‬. Note that ‫ܿ݊ܧ‬௣௞࣯ ൫σ௝ୀଵ ‫ݒ‬௝ ൯ can be pre-
computed at the enrolment process. Next, it shuffles ܻԢ by using the
shuffle protocol ߨ࣯ (i.e., ̶ܻ ൌ ߨ࣯ ሺܻԢሻ).
6. The encryption module sends
ܳ ൌ ൛̶ܻǡ ‫ܿ݊ܧ‬௣௞࣯ ሺσ௡௜ୀଵ ‫ݕ‬௜ଶ ሻǡ ‫ܿ݊ܧ‬௣௞࣯ ൫σ௠ ଶ
௝ୀଵ ‫ݒ‬௝ ൯ൟ to ࣧ.
7. Next, ࣪ retrieves ‫ܿ݊ܧ‬௣௞࣯ ሺ̶ܺሻ from ்ࣞࣜ by using ܶ‫ܦܫ‬, and sends
it to ࣧ.
370 Chapter Eleven
8. If the sizes for ܶ and ܳ are equal, the computation module

computes:
i. Scalar multiplication: ‫ܿ݊ܧ‬௣௞࣯ ሺܺ ȉ ܻሻ ൌ ̶ܻ ȉ௛ ‫ܿ݊ܧ‬௣௞࣯ ሺ̶ܺሻ
ii. Homomorphic additive operation:
‫ܿ݊ܧ‬௣௞࣯ ሺ‫ݏ‬ሻ
ൌ ‫ܿ݊ܧ‬௣௞࣯ ൫σ௡ା௠ ᇱᇱ ᇱᇱ ௡ ଶ ௡ ଶ ௠ ଶ
௜ୀଵ ሺ‫ݔ‬௜ ȉ ‫ݕ‬௜ ሻ ൅ σ௜ୀଵ ‫ݔ‬௜ ൅ σ௜ୀଵ ‫ݕ‬௜ ൅ ʹ σ௝ୀଵ ‫ݒ‬௝ ൯
The computation module sends ‫ܿ݊ܧ‬௣௞࣯ ሺ‫ݏ‬ሻ to the noise module of
࣪. Note that ‫ ݏ‬is the actual comparison score between ܺ and ܻ.
9. The noise module inserts a random non-zero number ɘ into
‫ܿ݊ܧ‬௣௞࣯ ሺ‫ݏ‬ሻ. Next, it sends ‫ܿ݊ܧ‬௣௞࣯ ሺ߱ ȉ ‫ݏ‬ሻ to the decryption module
of ࣝ.
10. The decryption module decrypts ‫ܿ݊ܧ‬௣௞࣯ ሺ߱ ȉ ‫ݏ‬ሻ and returns the
decryption result ሺɘ ȉ ሻ back to the noise module.
11. The noise module removes ɘ from the decryption result and
informs the decision module about the final comparison score ‫ݏ‬.
12. The decision module makes the decision as follows ( ߬ is the
threshold determined by ࣪):
‫ݐ݌݁ܿܿܣ‬ǡ ݂݅‫ ݏ‬൑ ߬
݀݁ܿ݅‫ ݊݋݅ݏ‬ൌ ൜
ܴ݆݁݁ܿ‫ݐ‬ǡ ݂݅‫ ݏ‬൐ ߬
5 Analysis and Discussion

In this section, we present the correctness and security analysis for our
proposed solution. We will consider all possible attacks from each semi-
honest entity. In addition, we will discuss joint attacks which occur when
two or more adversaries who control the semi-honest entity collude.
5.1 Correctness Analysis

This section will demonstrate the elimination of the verification code from
the final comparison result. In this analysis, we assume all entities follow
the protocol faithfully, and correctly computes the squared Euclidean
distance between ܺ and ܻ. In our protocol design, the biometric template
ܶ and the query feature ܳ are in the following forms:
ܶ ൌ ൛‫ܿ݊ܧ‬௣௞࣯ ሺ̶ܺሻǡ ‫ܿ݊ܧ‬௣௞࣯ ሺσ௡௜ୀଵ ‫ݔ‬௜ଶ ሻǡ ‫ܿ݊ܧ‬௣௞࣯ ൫σ௠ ଶ

௝ୀଵ ‫ݒ‬௝ ൯ൟ
ܳ ൌ ൛̶ܻǡ σ௡௜ୀଵ ‫ݕ‬௜ଶ ǡ σ௠ ଶ
௝ୀଵ ‫ݒ‬௝ ൟ
For ease of explanation, we do not consider the shuffling order of elements

in ܶ and ܳ. The computation module of ࣧ first computes ‫ܿ݊ܧ‬௣௞࣯ ሺ̶̶ܻܺሻ
by using scalar multiplication as follows:
‫ܿ݊ܧ‬௣௞࣯ ሺ̶̶ܻܺሻ
‫ܿ݊ܧ‬௣௞࣯ ሺെʹ‫ݔ‬ଵ ‫ݕ‬ଵ ሻǡ ‫ܿ݊ܧ‬௣௞࣯ ሺെʹ‫ݔ‬ଶ ‫ݕ‬ଶ ሻǡ ǥ ǡ ‫ܿ݊ܧ‬௣௞࣯ ሺെʹ‫ݔ‬௡ ‫ݕ‬௡ ሻǡ
ൌቊ ቋ
‫ܿ݊ܧ‬௣௞࣯ ሺെʹ‫ݒ‬ଵଶ ሻǡ ‫ܿ݊ܧ‬௣௞࣯ ሺെʹ‫ݒ‬ଶଶ ሻǡ ǥ ǡ ‫ܿ݊ܧ‬௣௞࣯ ሺെʹ‫ݒ‬௠
ଶሻ
Next, the computation module performs the following homomorphic

additive operations:
‫ܿ݊ܧ‬௣௞࣯ ሺ‫ݏ‬ሻ ൌ
‫ܿ݊ܧ‬௣௞࣯ ሺσ௡௜ୀଵ െʹ‫ݔ‬௜ ‫ݕ‬௜ ሻ൅௛ ‫ܿ݊ܧ‬௣௞࣯ ൫σ௠ ଶ ௡ ଶ
௜ୀଵ െʹ‫ݒ‬௝ ൯൅௛ ‫ܿ݊ܧ‬௣௞࣯ ሺσ௜ୀଵ ‫ݔ‬௜ ሻ
൅௛ ‫ܿ݊ܧ‬௣௞࣯ ൫σ௠ ଶ ௡ ଶ ௠ ଶ

௝ୀଵ ‫ݒ‬௝ ൯ ൅௛ ‫ܿ݊ܧ‬௣௞࣯ ሺσ௜ୀଵ ‫ݕ‬௜ ሻ൅௛ ‫ܿ݊ܧ‬௣௞࣯ ൫σ௝ୀଵ ‫ݒ‬௝ ൯
ൌ ‫ܿ݊ܧ‬௣௞࣯ ሺσ௡௜ୀଵ ‫ݔ‬௜ଶ ሻ൅௛ ‫ܿ݊ܧ‬௣௞࣯ ሺσ௡௜ୀଵ െʹ‫ݔ‬௜ ‫ݕ‬௜ ሻ൅௛ ‫ܿ݊ܧ‬௣௞࣯ ሺσ௡௜ୀଵ ‫ݕ‬௜ଶ ሻ
ൌ ‫ܿ݊ܧ‬௣௞࣯ ሺσ௡௜ୀଵ ‫ݔ‬௜ଶ െ ʹ‫ݔ‬௜ ‫ݕ‬௜ ൅ ‫ݕ‬௜ଶ ሻ
ൌ ‫ܿ݊ܧ‬௣௞࣯ ሺσ௡௜ୀଵሺ‫ݔ‬௜ െ ‫ݕ‬௜ ሻଶ ሻ (1)
As shown in Eq. (1), the computation result is an encrypted form of

squared Euclidean distance between ܺ and ܻ. Note that the verification

code used to transform the original biometric sample has been eliminated
from the result in Eq. (1). After the decryption operation, we can learn that
the actual comparison result ‫ ݏ‬ൌ σ௡௜ୀଵሺ‫ݔ‬௜ െ ‫ݕ‬௜ ሻଶ .
5.2 Security Analysis

In general, we can assume that the enrolment process is secure because it
is often carried out by a trusted system administrator. Therefore, we only
analyse the security of our framework during the verification process. An
attacker who wants to pose as an enrolled user must have knowledge of
the verification code, the original biometric sample, and the shuffle
protocol.
Let us denote ࣝԢ, ࣮Ԣ, ࣧԢ and ࣪Ԣ as the client, the transformation agent,
the matching agent and the service provider, respectively, monitored by
the adversary ࣛ. The adversary ࣛ can control one or more entities in
order to launch an attack for a target user ࣯ᇱ . Based on the attack goals
described in Section 4.5, we first analyse the security of our protocol,
372 Chapter Eleven
assuming that ࣛ only controls one semi-honest entity to achieve its attack
goal:
1. To discover the biometric template ܶ of ࣯ᇱ .

Since the biometric templates are stored in an encrypted form, ࣪Ԣ is
unable to learn the transformed sample of ࣯ᇱ without the
knowledge of the decryption key ‫࣯ݎ݌‬ᇲ . Gaining access to an
encrypted template is as difficult as attacking the encryption
algorithm. Brute-force attacks are also impossible since all the
templates are different (after the encryption operation).
2. To identify the verification code, ܸ, used to transform biometric
sample of ࣯ᇱ .
During the verification process, ࣮Ԣ retrieves ܸ of ࣯ᇱ from ࣞࣜ௏ .
With information from ܸ alone, ࣛ is not able to associate it with
the user’s template. In our system design, ܸ and ܶ are stored
separately.
3. To reconstruct the original biometric sample of ࣯ᇱ .
The adversary ࣛ cannot achieve this attack if it only has control
over ࣪Ԣ. This is because ࣪Ԣ cannot discover ܶ. In addition, it has no
knowledge of ܸ and ߨ࣯ . During the verification process, ࣧԢ can
learn ̶ܻ in plaintext from ܳ. Since ̶ܻ is a transformed and shuffled
dataset, we can ensure that ࣧԢ cannot identify the biometric
sample of ࣯ᇱ .
4. To learn the comparison score, and the system threshold, ߬.
The adversary ࣛ cannot achieve this attack if it only has control
over ࣝԢ. In our protocol design, the comparison score has been
distorted with a noise. After ࣝԢ performs the decryption operation,
it cannot learn the actual comparison score between ܺ and ܻ. Since
߬ is determined by the system administrator and this information is
never exchanged during the protocol execution, we can assume that
ࣛ cannot learn ߬ from ࣝԢ. Therefore, we can ensure that ࣛ cannot
modify the decrypted result from ࣝԢ so to bypass the authentication
system. If ࣝԢ performs a hill-climbing attack for the same attack
goal, we can foresee that this attack is unlikely to succeed. For each
authentication request, the noise module will generate random
noise to hide the actual comparison score. Therefore, any obvious
modification (e.g., obtaining a negative result after removing the
noise) detected by the noise module will lead to a failed
authentication.
5. To trace the identity of ࣯ᇱ in different enrolments.

During the verification process, ࣧԢ receives
ܳ ൌ ൛̶ܻǡ ‫ܿ݊ܧ‬௣௞࣯ ሺσ௡௜ୀଵ ‫ݕ‬௜ଶ ሻǡ ‫ܿ݊ܧ‬௣௞࣯ ൫σ௠ ଶ
௝ୀଵ ‫ݒ‬௝ ൯ൟ from ࣮ . Although
̶ܻ is in plaintext, ࣧԢ is not able to verify if two query feature
vectors are from the same user (i.e., ࣯ᇱ ). This is because the
encrypted data in each ܳ will be different due to the semantically
secure encryption. Moreover, some features in ̶ܻ will be different
because the biometric sample extracted from ࣯ᇱ at different times
will not be identical.
5.3 Security Analysis for Joint Attacks

Our analysis for joint attacks in this section was inspired by the security
analysis presented in [28]. The joint attack analysis in [28] is based on the
attack goal which considers that ࣛ wants to learn sensitive information
(biometric sample or trace user) in the system instead of bypassing the
authentication system. Unlike the analysis in [28], we will focus on two
major attack goals in this section: (1) to bypass the authentication process
and (2) to learn the biometric sample of ࣯ᇱ . We assume that two or more
semi-honest entities collude together (e.g., ࣛ collects all the information
learned by each semi-honest entity) to achieve the attack goal.
To bypass the authentication process. In this joint attack, ࣝԢ wants to
collude with any entities to bypass the authentication process. In order for
ࣝԢ to perform such an attack, it needs the computation result from ࣧԢ (i.e.,
‫ܿ݊ܧ‬௣௞࣯ ሺ‫ݏ‬ሻ). After the decryption, ࣝԢ can learn the value of ‫ݏ‬. Later, ࣝԢ can
deduce ɘ from the data it received from ࣪ (i.e., ‫ܿ݊ܧ‬௣௞࣯ ሺ߱ ȉ ‫ݏ‬ሻ). Hence, it
is possible for ࣝԢ to bypass the authentication process by sending a
relatively small fake comparison score back to ࣪. The adversary ࣛ who
controls ࣝԢ can achieve the same attack goal if it colludes with ࣪Ԣ during
the verification process. For instance, ࣪Ԣ reveals the value of ɘ to ࣝԢ, and
ࣝԢ carries the same operations as discussed previously. We summarize all
the possible joint attacks between ࣝԢ and other entities in Table 3. We use
an arrow symbol (฻)to denote the joint attack.
374 Chapter Eleven
Table 3. Possible joint attacks from ऍԢ to bypass an authentication

system
Joint Attack Attack goal: To bypass authentication system

ऍԢ ฻ ञԢ Not achievable
ऍԢ ฻ गԢ Achievable if ࣝԢ learns the comparison score ‫ݏ‬
computed by ࣧԢ and later, learns the noise ߱ inserted
by the noise module of ࣪
ऍԢ ฻ चԢ Achievable if ࣝԢ learns the noise ߱ inserted by the
noise module of ࣪
ऍԢ ฻ ञԢǡ चԢ Achievable (same as ࣝԢ ฻ ࣪Ԣ)
ऍԢ ฻ गԢǡ चԢ Achievable (same as ࣝԢ ฻ ࣧԢ or ࣝԢ ฻ ࣪Ԣ)
ऍԢ ฻ ञԢǡ गԢ Achievable if the client can deduce the noise ߱
inserted by the noise module of ࣪
ऍԢ ฻ ञԢǡ गԢǡ चԢ This is a powerful attack with a fully achievable goal.
As shown in Table 3., the most powerful joint attack occurs when ࣝԢ
obtains sensitive information from ࣮Ԣ, ࣧԢ, and ࣪Ԣ during the verification
process. However, in the real world, we assume that no attacker can attack
two or more entities at the same time. This assumption is realistic because
the background knowledge and skills required for each attack point are
different. Further, the attacker may not have sufficient resources and
computation power to perform multiple attacks during the verification

process.
To learn the biometric sample of टᇱ . In this joint attack, we consider
that ࣪Ԣ wants to collude with any entity to reconstruct the original
biometric sample (i.e., ܺ) of ࣯ᇱ from ܶ which is stored in ்ࣞࣜ . When ࣪Ԣ
is a colluding party, ࣛ will learn the ܶ of ࣯ᇱ . In our protocol design, all
templates are stored in an encrypted form. If ࣪Ԣ colludes with ࣝԢ, it can
decrypt ܶ to learn the plaintext used to form the template. However, ࣪Ԣ
cannot determine ܺ because the mixture consists of ܸ. Hence, the leakage
of ܶ does not guarantee that the attacker will be able to reconstruct ܺ from
ܶ. Let us assume that ࣮ ᇱ joins ࣪Ԣ and ࣝԢ in the attack. The transformation
agent ࣮ ᇱ can provide ܸ and ߨ࣯ to ࣪Ԣ. By knowing this information, ࣪Ԣ can
construct ܺ from the decryption result performed by ࣝԢ. When ࣪Ԣ colludes
with ࣝԢ and ࣮ ᇱ , it cannot achieve this attack goal, because ࣧԢ has no
knowledge about ܸ and ߨ࣯ . We summarize the possible joint attacks
involving ࣪Ԣ in Table 4.
Table 4. Possible joint attacks from चԢ to learn the biometric sample

of टᇱ
Joint Attack Attack goal: To reconstruct the original

biometric sample from ࢀ
चԢ ฻ ऍԢ Not achievable in the absence of ܸ and ߨ࣯
चԢ ฻ ञԢ Not achievable without the decryption key
चԢ ฻ गԢ Not achievable without the decryption key
चԢ ฻ ሺऍԢǡ ञԢሻ Achievable
चԢ ฻ ሺऍԢǡ गԢሻ Not achievable in the absence of ܸ and ߨ࣯
चԢ ฻ ሺञԢǡ गԢሻ Not achievable without the decryption key
चԢ ฻ ሺऍԢǡ ञԢǡ गԢሻ This is a powerful attack with a fully achievable
goal.
As shown in Table 4., ࣪Ԣ will learn the biometric sample of ࣯ᇱ when it

colludes with ࣝԢ and ࣧԢ. In order to prevent this joint attack, we design
our protocol such that each user must submit two identifiers (i.e., ܶ‫ ܦܫ‬and
ܸ‫ )ܦܫ‬during the verification process. To reduce the possibility for ࣝԢ to
learn the correct ܶ and ܸ of ࣯ᇱ , we can design a mechanism where the
identities submitted by the user will arrive at ࣪Ԣ and ࣮ ᇱ in two different
timestamps. In addition, we can use a different ߨ࣯ for each user, and store
them in a separate entity.
5.4 Discussion
Our notion of a verification code is somewhat similar to the secret token
for a biohash[32] or a cancellable biometric [33]. In fact, we can design an
additional entity to generate a cancellable biometric sample for the user,
and use it in our transformation process so to increase the security of our
system. The inclusion of ܸ during the transformation process is to make it
difficult for the attacker to determine the genuine biometric sample from
the mixture. Note that all elements of ܸ will be eliminated at the end of the
computation so to ensure that the comparison result is correct and it can be
used to authenticate the legitimate user.
In general, we can generate ܸ from a distribution that is identical or
approximately close to the original biometric sample. For each user, we
can generate ܸ with different lengths so to increase the difficulty level for
the attacker to attack the system. By using different verification codes, we
can transform a biometric sample into different templates. In order words,
our solution allows the users to use the same biometric sample to enrol
into various services. The leakage of a user template in one service will
376 Chapter Eleven
not affect templates used for other services. Hence, the adversary is not
able to use a compromised or stolen template to perform the cross-
matching attack.
The noise module of ࣪ is responsible for inserting and removing noise
߱ from the comparison score. For security purposes, it should generate a
new random noise for each authentication request. This is an important
way to prevent any adversary from launching a hill-climbing attack to
bypass the authentication system. With random noise, the decrypted result
at the client will be different. In our protocol design, we required a
shuffling protocol ߨ࣯ to permute the order of elements in the transformed
sample. To enhance the security of our system, ࣮ may use difference
shuffling protocols for each user. However, this enhancement requires
additional maintenance to store all shuffling protocols in ࣞࣜ௏ .
As discussed in [28], there are still some open problems that need to be
solved before a fully anonymous biometric authentication system can be
realized. For instance, their framework has the following open problems:
x The matcher ࣧ cannot verify whether ࣭ࣛ has correctly combined

the input from ࣭ and ࣞࣜ . Also, it cannot verify that inputs
originate from queries from ࣭ and to ࣞࣜ.
x It is not possible for ࣞࣜ to verify whether ࣭ࣛ is executing queries
that originate from a query made by ࣭.
By using our framework, we can avoid the first problem, since ࣧ will
receive ܶ and ܸ from ࣭ and ࣮ , respectively. Consequently, ࣧ does not
need to verify the inputs (ܶ and ܸ) because they are directly retrieved from
the data storages by using the ܶ‫ ܦܫ‬and ܸ‫ ܦܫ‬of the user. We can assume
that the second problem will not occur in our framework, because we
attached ࣞࣜ to ࣭.
6 Conclusion
Biometric-based authentication offers many advantages over other existing
authentication methods. However, processing time during the verification
process is a main concern in any biometric-based system. The integration
of biometric-based authentication in the cloud environment can benefit
from the advantages that cloud computing offers, such as extra resources
and processing power. In this chapter, we propose a collaborative
framework to support biometrics matching for cloud users.
In our solution, the leakage of a user biometric template will not
compromise the security of the system and the privacy of the user. In
particular, the template itself cannot be used to bypass the authentication

system since our design requires the biometric sample and the verification
code as inputs during the verification process. At the same time, we use
the verification code and a shuffle protocol to make it difficult for the
adversary to reconstruct the biometric sample of users. The usage of a
verification code allows the same biometric features to be used for
different enrolments. Our solution preserves the privacy of the sensitive
information, and securely performs the authentication process for cloud
users.
References
[1] P. Mell and T. Grance. (2009, The NIST Definition of Cloud
Computing. Available: http://www.csrc.nist.gov/groups/SNS/cloud-
computing/cloud-def-v15.doc
[2] R. Buyya, et al., "Cloud computing and emerging IT platforms: Vision,
hype, and reality for delivering computing as the 5th utility," Future
Gener. Comput. Syst., vol. 25, pp. 599-616, 2009.
[3] B. C. Neuman and T. Ts'o, "Kerberos: An Authentication Service for
Open Network Systems," IEEE Communications, vol. 32, pp. 33-38,
September 1994.
[4] D. Recordon and D. Reed, "OpenID 2.0: a platform for user-centric
identity management," presented at the Proceedings of the second

ACM workshop on Digital identity management, Alexandria, Virginia,
USA, 2006.
[5] Krowneva. (2011). BioID Announces World's First Biometric
Authentication as a Service (BaaS). Available:
http://silicontrust.wordpress.com/2011/03/04/bioid-announces-worlds-
first-biometric-authentication-as-a-service-baas/
[6] H. Schneider. (2013) India launches biometric data project to make
every citizen count in official eyes. theguardian. Available:
http://www.theguardian.com/world/2013/may/14/india-biometric-data-
identity-mapping
[7] B. A. Hamilton. (2011, Leveraging the Cloud for Big Data Biometrics.
Available: http://www.boozallen.com/insights/ideas/booz-allen-ideas-
festival/winning-ideas/ideas-cloud-biometrics
[8] A. Shah. (2013) Intel's McAfee brings biometrics authentication to
cloud storage. ComputerWorld. Available:
http://www.computerworld.com/s/article/9239170/Intel_39_s_McAfee
_brings_biometric_authentication_to_cloud_storage
378 Chapter Eleven
[9] S. Convery, "Network Authentication, Authorization, and Accounting

Part One: Concepts, Elements, and Approaches," The Internet Protocol
Journal, vol. 10, pp. 2-11, 2007.
[10] B. Lloyd and W. Simpson, "PPP Authentication Protocols," RFC
Editor, 1992.
[11] W. Simpson, "PPP Challenge Handshake Authentication Protocol
(CHAP)," RFC Editor, 1996.
[12] R. Canetti, "Universally Composable Signature, Certification, and
Authentication," presented at the Proceedings of the 17th IEEE
workshop on Computer Security Foundations, 2004.
[13] N. Haller, "The S/KEY One-Time Password System," presented at
the Internet Society Symposium on Network and Distributed Systems,
1994.
[14] A. D. Rubin, "Independent one-time passwords," presented at the
Proceedings of the 5th conference on USENIX UNIX Security
Symposium - Volume 5, Salt Lake City, Utah, 1995.
[15] C. Brooks. (2009) Amazon adds onetime password token to entice the
wary. SearchCloudComputing. Available:
http://searchcloudcomputing.techtarget.com/news/1367923/Amazon-
adds-onetime-password-token-to-entice-the-wary
[16] P. Paillier, "Public-key cryptosystems based on composite degree
residuosity classes," presented at the Proceedings of the 17th
international conference on Theory and application of cryptographic

techniques, Prague, Czech Republic, 1999.
[17] T. Clancy, et al., "Secure smartcard-based fingerprint authentication,"
Proc ACM SIGMM 2003 Multimedia, Biometrics Methods and
Applications Workshop, pp. 45 - 52, 2003.
[18] M. Blanton and M. Aliasgari, "Secure Outsourced Computation of
Iris Matching," Journal of Computer Security, vol. 20, pp. 259-305,
2012.
[19] M. Blanton, et al., "Secure and Verifiable Outsourcing of Large-Scale
Biometric Computations," in Privacy, security, risk and trust (passat),
2011 ieee third international conference on and 2011 ieee third
international conference on social computing (socialcom), 2011, pp.
1185-1191.
[20] P. Failla, et al., "esketch: a privacy-preserving fuzzy commitment
scheme for authentication using encrypted biometrics," Proc of the
12th ACM workshop on Multimedia and security MM&Sec '10, pp. 241
- 246, 2010.
[21] U. Uludag and A. Jain, "Fuzzy fingerprint vault," Proc Workshop:

Biometrics: Challenges Arising from Theory to Practice, pp. 13 - 16,
2004.
[22] S. Argyropoulos, et al., "Biometric template protection in multimodal
authentication systems based on error correcting codes," J. Comput.
Secur., vol. 18, pp. 161-185, 2010.
[23] J. Bringer, et al., "An application of the Goldwasser-Micali
cryptosystem to biometric authentication," presented at the
Proceedings of the 12th Australasian conference on Information
security and privacy, Townsville, Australia, 2007.
[24] J. Bringer, et al., "Extended private information retrieval and its
application in biometrics authentications," presented at the Proceedings
of the 6th international conference on Cryptology and network
security, Singapore, 2007.
[25] Y. Luo, et al., "Anonymous biometric access control based on
homomorphic encryption," ICME'09: Proc of the 2009 IEEE Int Conf
on Multimedia and Expo, pp. 1046 - 1049, 2009.
[26] T. Elgamal, "A public key cryptosystem and a signature scheme
based on discrete logarithms," presented at the Proceedings of
CRYPTO 84 on Advances in cryptology, Santa Barbara, California,
United States, 1984.
[27] S. Goldwasser and L. A. Levin, "Fair Computation of General
Functions in Presence of Immoral Majority," presented at the

Proceedings of the 10th Annual International Cryptology Conference
on Advances in Cryptology, 1991.
[28] Koen Simoens, et al., "A Framework for Analyzing Template
Security and Privacy in Biometric Authentication Systems," IEEE
Transaction on Information Forensics and Security, vol. 7, pp. 833-
841, 2012.
[29] W. Kok-Seng and K. Myung Ho, "Towards Biometric-based
Authentication for Cloud Computing," presented at the 2nd
International Conference on Cloud Computing and Services Science
(CLOSER2012), Porto, Portugal, 2012.
[30] W. Kok-Seng and K. Myung Ho, "Secure Biometric-Based
Authentication for Cloud Computing," in Cloud Computing and
Services Science. vol. 367, I. Ivanov, et al., Eds., ed: Springer
International Publishing, 2013, pp. 86-101.
[31] S. Goldwasser and S. Micali, "Probabilistic encryption & how to play
mental poker keeping secret all partial information," presented at the
Proceedings of the fourteenth annual ACM symposium on Theory of
computing, San Francisco, California, United States, 1982.
380 Chapter Eleven
[32] A. Teoh, et al., "Biohashing: two factor authentication featuring

fingerprint data and tokenised random number," Pattern Recogn, vol.
37, pp. 2245 - 2255, 2004.
[33] M. Savvides, et al., "Cancelable biometric filters for face
recognition," ICPR '04: Proc of the Pattern Recognition, 17th Int Conf
on (ICPR'04), vol. 3, pp. 922 - 925, 2004.
CHAPTER TWELVE
SECURE TWO-PARTY COMPUTATION

AND BIOMETRIC IDENTIFICATION
JULIEN BRINGER,1,3 HERVÉ CHABANNE1,2,3

AND ALAIN PATEY1,2,3
1
MORPHO (SAFRAN GROUP)
2
TE´ LE´ COM PARISTECH
3
IDENTITY AND SECURITY ALLIANCE (THE MORPHO
AND TE´ LE´ COM PARISTECH RESEARCH CENTER)
Abstract
This chapter aims at summarizing Secure Two-Party Computation

concepts and techniques that can be applied to privacy-preserving
biometric identification. After describing cryptographic techniques that
can be used in this identification setting, we review known
implementations in order to give clues about best practices and an idea of
the current efficiency of such schemes. While first implementations dealt
with databases of a few hundred elements in about 20 seconds, recent
protocols reach more than 50,000 matchings per second, while ensuring a
high level of privacy.
Keywords: Secure Two-Party Computation, Biometric Identification,

Privacy, Garbled Circuits, Homomorphic Encryption, Oblivious Transfer
1 Introduction
Biometric data play an increasingly important role in our society for
identifying individuals. The recent introduction of biometric authentication
by Apple in their smartphones [1] makes biometrics usable at home by
382 Chapter Twelve
millions of people around the world. Another example of massive

deployment is the Aadhaar project [3]: in September 2013, 400 million
Indian citizens were given a biometric identification number, and the
expectation for 2014 is to reach 600 million enrolments.
Biometric recognition offers good guarantees of efficiency and
accuracy for identifying people, but its use raises several privacy concerns
[63, 65]. In particular, it cannot be considered as secret data, it is almost
not revocable due to its permanent nature, whereas it is unique and can be
used to identify someone among a large set of individuals. If biometric
templates are stolen, they may be used for illegal activities such as identity
theft or tracking individuals. These are motivations to prevent someone
from learning the content of a remote database, or a service provider from
being able to eavesdrop the content of the received requests. The previous
techniques for preserving privacy of biometric data while maintaining
their usability in recognition systems, such as fuzzy vault [42], fuzzy
sketches [43], or cancelable biometrics [66], are based on encoding
techniques. They are designed for protection at the storage level only, but,
as such, they do not guarantee full privacy due to reversibility or
distinguishability issues. One very concrete vulnerability of protection
schemes that work at the storage level only is the capability to execute
authentication checks without any restriction based on chosen or random
fresh templates. This is called a False Accept attack. For fuzzy vault, given
two protected data (vaults), it is easy to check whether they are coming
from the same biometric sample by correlating the vaults. Those schemes
require as well some concessions in terms of accuracy. [42, 43] are based
on error correcting techniques and there is a tradeoff between security -
that depends on the size of the code - and performances - that depend on
the correcting capacity of the code. [66] relies on a public and somewhat
non-invertible geometric transformation so to protect the biometric data;
therefore the transformation has to decrease the entropy of the biometric
data so to be truly irreversible; this has a bad impact on the performances.
We here focus on techniques that guarantee full privacy of these data,
using encryption techniques and a multi-party model to distribute the data
and keys, rather than encoding techniques with a storage model.
In the context of Secure Multi-Party Computation [77] (SMC), a set of
parties engage in an interactive computation on their inputs in such a way
that no information leaks about the inputs that cannot be deduced from the
outputs. Secure Computation is a hot topic in the cryptographic
community. While having mostly been of theoretic interest during the 80s
and the 90s, it has recently become increasingly practical. Many generic or
specific protocols and implementations have been introduced during the
Secure Two-Party Computation and Biometric Identification 383
last decade, and some of these techniques can be applied to the security of
Cloud Computing applications. Such techniques are even already used in
real-life applications [10].
In particular, several proposals [26, 69, 6, 60, 8, 38, 16, 14, 15, 73]
consider the application of SMC to biometric identification protocols. In a
biometric identification process, a server S holds a database of biometric
templates, and a client ࣝ owns one biometric sample. They execute a
protocol to know if the biometric sample is similar, w.r.t. a given metric,
to one of the elements of the database.
The result of the computation can be, for instance, a Boolean indicating
if there is a match in the database, or the index of the closest element in
the database, or a list of indices of the closest elements, or a probabilistic
measure of similarity or dissimilarity between templates.
We thus focus on the Secure Two-party Computation (2PC) setting,
where the parties are server ࣭ and client ࣝ. These parties can interactively
compute biometric identification, while, in particular, not revealing to each
other the biometric data that are involved in the protocol, which is of great
interest given their sensitive nature regarding privacy issues. Many
applications could benefit from such security properties, such as
anonymous biometric access control or private biometric database
intersection (see Section 1.1).
Security and Privacy. Using a SMC protocol to compute a given

functionality guarantees
– Correctness: The output is the same as for a non-secure execution of

the functionality;
– Privacy: No information other than the output, and what can be
deduced from the output, is revealed by the execution of the
protocol.
In our context, this means that only an identification result is output and
that a client ࣝ never gives biometric acquisition in the clear to server ࣭
(and server ࣭ does not disclose own database to client ࣝ). The privacy
notion goes even further; if only a match/non-match answer is to be
output, no information about the actual score or the level of similarity of
biometric data is disclosed.
Security is guaranteed through a specific model of adversaries. We
here focus on the case of semi-honest (or passive) adversaries that follow
the protocol but try to learn more information than they should. This is
currently the only setting where SMC protocols can be efficiently
implemented.
384 Chapter Twelve
1.1 Use Cases

To motivate the use of secure two-party computation for biometric
identification, we give a non-exhaustive list of use cases to which this
setting, described in Section 3 and summed up in Figure 4, applies. In
some of the cases, the requirements for client’s privacy can be for instance
enforced by law, especially if it is not in the interest of the server.
Anonymous Biometric Access Control. Assume there is a biometric access

control, for instance, to a company building. The employer ࣭ wants to
ensure that the registered (and biometrically enrolled) employees are the
only ones to enter the building. Our setting is adapted to prevent the
employer from tracking his employees’ activities. We can choose the
output of the computation to be only a yes/no answer, informing ࣭ as to
whether ‫ ܥ‬is one of his employees or not, thus allowing/forbidding him
entrance to the building.
Biometric Anonymous Credentials. This example, like the previous one,

involves three parties: a client ‫ܥ‬, a service provider ࣭࣪, and a biometric
server holder࣭. ࣭ can, for instance, be a government or an agency
authorized to store biometric data, while ࣭࣪ is not allowed to do so. Let us
assume that ࣭ holds a database of people satisfying a given criterion (e.g.,
be over 21), that is a requirement for the services of ࣭࣪. To access the
services of ࣭࣪, C identifies himself against the database of ࣭. If ‫ ܥ‬matches
one in the database, ࣭ gives him a token to present ࣭࣪ so to prove that he
fulfils the requirements. Throughout the whole process, ‫ ܥ‬does not reveal
his identity to other parties.
Secure Biometric Database Intersection. Let us assume that two

security agencies want to identify the suspects they have in common, or
that the police want to identify which people registered in a given database
belong to a list of suspects. For security reasons or due to some privacy
policy, the parties involved might want to keep secret the data that are not
common to both of them. Our setting, described in Section 3., can be
adapted to this, by letting the client also input a list of biometric data.
Outline of the Paper
In Section 1, we introduce Secure Two-party computation, give

definitions, and explain privacy notions. We also describe generic
cryptographic tools that are used in most 2PC protocols, such as
homomorphic encryption, garbled circuits, and oblivious transfer. In

Section 3, we focus on the secure evaluation of functions used for
biometric identification, such as Hamming distance, Euclidean distance, or
comparison. In Section 4, we review known implementations for privacy -
preserving biometric identification using 2PC techniques, with application
to iris, face, and fingerprint recognition. Section 5 concludes this paper by
discussing open issues and leads for future research.
Notices to the reader. In this chapter, we try to remain as self-contained as

possible but basic knowledge on (public-key) cryptography can be useful.
Our goal is to give a short introduction to Secure Multi-Party Computation
that is complete enough, together with all given pointers, to assist the
reader to understand, evaluate, or design privacy-preserving biometric
identification protocols.
Notice that one should be careful with all implementation results given
in this chapter. Experiments were run on different machines, networks,
biometric traits, and using different programming languages. Also, some
timings might take only computation into account, while others include
communication. Results are given as clues for choosing appropriate tools
depending on the application, but should not be taken as an indisputable
truth.
Since SMC techniques do not modify the underlying functions that are
computed but only enforce privacy, we do not discuss biometric accuracy

of the described protocols here.
2 Secure Two-Party Computation

As discussed in Section 1, we focus on secure computation involving two
parties and do not describe Secure Multi-Party Computation with more
than two parties, which often uses different techniques such as secret
sharing (see [17] for more details). In this section, we summarize
definitions and results that are useful for secure biometric identification.
For more details about Secure Two-Party Computation, we refer the reader
to [34, 72].
2.1 Setting and Security Properties

Setting
In the setting of Secure Two-Party Computation (2PC) (also called secure

function evaluation (SFE)), two parties P1 and P2 want to compute a
386 Chapter Twelve
function f over their respective inputs x and y without revealing these

inputs to each other. Since we might prefer that both parties do not get the
same output, we divide f into two functions f1 and f2 corresponding,
respectively, to outputs of P1 and P2. In particular, 2PC covers the case
where an output is given to one party (say P1, w.l.o.g) and nothing to the
other party (say P2). In this case, f1 = f and f2(x, y) = ߳, for all x, y, where ߳
denotes the empty string. The 2PC setting is described in Figure 1. The
functionality offered by such a protocol is denoted by (x; y) ฽(f1(x, y);
f2(x, y)).
Figure 1. The Secure Two-Party Computation Setting
Adversarial Model
In order to define security notions, we first need to determine the power of

the potential adversaries against which a 2PC protocol should be secure
(the analysis presented in this section is also valid for SMC with more than
2 parties). There are several aspects that should be taken into account.
Corruption Strategy. In the 2PC setting, we deal with one adversary

corrupting at most one party.
x The adversary can be static if choosing in advance the party to

corrupt. Honest parties remain honest and corrupted parties remain
corrupted during the execution of the protocol.
x The other strategy is adaptive: the adversary can choose to corrupt
a party during the execution of the protocol. However, once a party
is corrupted, it remains corrupted.
Adversarial Behavior. Two main categories of adversaries have been

defined in the literature.
x In the case of semi-honest adversaries, corrupted parties follow the

protocol but try to infer more information than they should from
their view of the protocol, i.e., their inputs, outputs, and the
transcripts of all the messages they received during the execution of
the protocol. Such adversaries are also called passive or honest but
curious.
x The second main model considers malicious adversaries. In this
case, the adversary is allowed to follow any strategy of the
adversary chooses: the adversary can modify the messages, abort

the protocol at will and so on.
Notice that there also exists an intermediary model of covert adversaries

[5], where the adversary is caught with high probability if corrupted
parties do not follow the protocol.
Complexity. One can consider adversaries that are not limited in time and
computational power. In this case, protocols achieve information-theoretic
security. However, in this case, one cannot achieve secure computation for
every function if half of the parties or more are corrupted, for the semi-
honest setting, or one third or more, for the malicious setting. For instance,
in the 2PC setting, it is impossible to achieve information-theoretical
security in both models.
Consequently, one might construct protocols that are computationally
secure, i.e. that resist adversaries that run in a polynomial time.
In the following, we deal with static polynomial-time semi-honest

adversaries. This choice enables the construction of efficient protocols and
388 Chapter Twelve
can be motivated by several arguments. Computational security is the

maximum we can get for the 2PC setting, as noted above. Let us motivate
the use of the semi-honest model.
– The actual users using the secure protocol might not have access to
the code that is executed and to the data that are used; in this case
they can only inspect transcripts to gain information and thus
remain passive.
– Security against semi-honest adversaries is retroactive: even if a
malicious adversary corrupts one of the parties after the execution
of the protocol, the adversary will not be able to gain information
about the inputs of the protocol, since the adversary can no longer
change the computation.
– Sanctions against parties caught cheating might enforce parties to
behave honestly, but they can still try to learn information
passively, without getting caught.
Privacy in the Presence of Static Semi-honest adversaries
Privacy in the semi-honest model is proved by simulation, as, for instance,

for zero-knowledge [71]. Put simply, to prove security, we have to show
that it is possible to simulate the view of a party Pi, given the party’s input
and output only. Thus, the simulation does not depend on the input of the
other party P3íi, which proves that Pi does not learn more information
about P3íi’s input than what can be deduced from the output.
More formally, let f = (f1, f2) be a deterministic functionality and let ʌ
be a 2PC protocol for computing f. The view of party Pi during an
execution of ʌ on inputs (x, y) denoted by ୧஠ (x, y) is made of the input
of Pi, of the party’s internal random tape ‫ ݎ‬௜ and of the messages ݉ଵ௜ ǡ ǥ ǡ ݉௧௜
received by ܲ௜ during the execution of the protocol. Privacy is given by
describing a simulator for the view of each party
The protocol ʌ ensures privacy against a corrupted P1 if there exists a
probabilistic polynomial-time algorithm S1 such that:
{S1(x, f1(x, y))}x,y‫{א‬0,1}* Ł {ଵ஠ (x, y)}x,y‫{א‬0,1}*
where Ł means computational indistiguishability. Similarly, the protocol ʌ

ensures privacy against a corrupted P2 if there exists a probabilistic
polynomial-time algorithm S2 such that:
{S2(y, f2(x, y))}x,y‫{א‬0,1}* Ł {ଶ஠ (x, y)}x,y‫{א‬0,1}*
One should also check correctness, i.e., verify that a legitimate execution
of the protocol ʌ on inputs (x; y), and outputs (f1(x, y); f2(x, y)), except with
negligible probability.
2.2 Cryptographic Tools

2.2.1 Oblivious Transfer
A 1-out-of-N Oblivious transfer, denoted by ܱܶଵே , is an elementary,

Secure, Two-Party Computation protocol, enabling one party, the sender
࣭, to send one element out of N bit-strings (x0,…, xN í1) in possession to a
second party, the receiver ࣬. The receiver ࣬ chooses the index i‫[א‬0, N-1]
of the element that the receiver would like to obtain. At the end of the
protocol, ࣬ should get xi, but no information about (xj)ji, while ܵ should
get no information about i. We note the following:
ܱܶଵே ǣ ((x0, . . . , xNí1); i) հ (߳; xi).
In the following, we mostly focus on 1-out-of-2 oblivious transfer:
ܱܶଵଶ ǣ ((x0, x1); i) ‫ א‬ሺሼͲǡͳሽ‫ כ‬ሻଶ ൈ ሼͲǡͳሽ հ (߳; xi).

and parallel execution of n 1-out-of-2 oblivious transfers on Ȝ-bit strings,

that we denote by the following:
ఒ ଶ ଵ ଵ ௡ ௡ ଶ௡
௡ܱܶଵ ǣ ൫ሺ‫ݔ‬଴ ǡ ‫ݔ‬ଵ ሻǡ ǥ ǡ ሺ‫ݔ‬଴ ǡ ‫ݔ‬ଵ ሻ൯Ǣ ሺ݅ଵ ǡ ǥ ǡ ݅௡ ሻሻ ‫א‬ ൫ሼͲǡͳሽఒ ൯ ൈ ሼͲǡͳሽ௡
฽ ሺ߳Ǣ ሺ‫ݔ‬௜ଵభ ǡ ǥ ǡ ‫ݔ‬௜௡೙ ሻሻ
Oblivious transfer has been introduced, in a slightly different form, by

Rabin [64], while a protocol computing the actual ܱܶଵଶ functionality first
appeared in [27]. Much work has focused on possible instantiations of the
ܱܶଵଶ and ௡ఒܱܶଵଶ protocols, and on optimizations, so to make them efficient.
The Naor-Pinkas protocol [56], secure in the random oracle model, is
often used in implementations. It relies on the decisional Diffie-Hellman
assumption, and can be implemented either on sub-groups of prime order
of the unit group of a large prime field, or on elliptic curves. Most ௡ఒܱܶଵଶ
protocols, as [56], require the computation of one or several public-key
operations that are computationally extensive. Therefore, Ishai et al. [39]
proposed an extension that makes the number of public-key operations
independent of n, for large enough n. The cost is reduced to k “real”
390 Chapter Twelve
oblivious transfers on k-bit values (where k is a security parameter, equal,

e.g., to 80 or 128), while there are ࣩ(n) evaluations of cryptographic hash
functions, whose cost is substantially cheaper than the cost of public-key
operations. This optimization still requires a communication of 2n(Ȝ+k)
bits. Another extension, due to Beaver [7], enables the delegation of most
of the computational workload of oblivious transfers to a pre-computation
phase1. It roughly consists of running OTs on random inputs, and of using
the results as masks for the online phase. The online phase, then, mostly
consists of sending data (2n(Ȝ+1) bits) from a sender ࣭ to a receiver ࣬ for
a negligible computational cost (XOR evaluations) on both sides.
2.2.2 Garbled Circuits and Yao’s Protocol
In his seminal paper on Secure Multi-Party Computations [77], Yao

describes a protocol that enables the secure computation of (in the semi-
honest 2PC setting) any function that can be expressed as a binary circuit.
Yao’s protocol has been later more formalized and proven secure in [48,
49]. This protocol is based on oblivious transfer and garbled circuits. Let
us described the latter technique.
A garbled circuit (GC) is an encryption of a binary circuit Cf
representing the function f to be evaluated. We assume that all gates of the
binary circuit have two input wires and one output wire, which is non-
restrictive.
Garbled values: To each wire u of the circuit, we associate a pair of keys

ሺ݇௨଴ ǡ ݇௨ଵ ሻ ‫ א‬ሺሼͲǡͳሽ௞ ሻଶ . Each of the keys corresponds to a possible binary
value of the wire (0 or 1). Computation will be done on these keys, instead
of actual bits, and therefore, we have to redefine the binary gates of the
circuit.
Garbled Tables: Let G be a gate of Cf with input wires u, v and output

wire w. For example, let G be an AND gate. We see G as a truth table. We
first translate this truth table to a truth table with garbled values, replacing
bit values by associated keys, for example with an AND gate:
1
The preprocessing phase is sometimes called the offline phase in SMC papers.
However, this pre-computation phase requires communication between the parties
and is not off-line in a strict sense.
For Yao’s protocol, we need to go one step further. The output wire keys
are encrypted using the corresponding input keys, and then the rows are
permuted. In our example, a possible final garbled table is:
where ‫ܧ‬௞భǡ ௞మ ሺ݇ଷ ሻ is an encryption scheme taking as inputs 2 keys k1, k2, a
message k3 and an additional information s (that is a unique identifier for

gate G).
This way, one can decrypt a row of the garbled gate if one has one key
per input wire. Conversely, if one has one key only per input wire, one
gets one key only for the output wire. Furthermore, the permutation of the
rows prevents the garble gate evaluator to know the actual bits
corresponding to the keys that are manipulated.
A garbled circuit is then a set of garbled tables, one per binary gate of
the circuit, constructed using the same set of garbled values.
Yao’s Protocol: Yao’s Protocol implements the functionality (x; y) ฽

(f(x, y); f(x, y)) for any deterministic function f that can be described using
a binary circuit Cf. Party P1 acts as the creator of the garbled circuit and
party P2 as the evaluator. The protocol is run as follows.
1. Creating and sending the garbled circuit. Party P1 selects a set of
garbled values for all the wires of the circuit Cf, and then computes
garbled tables that are compatible with these garbled values, for all binary
gates of the circuit. The resulting set of garbled tables is a garbled circuit
392 Chapter Twelve
‫ܥ‬ሚ௙ . P1 sends Cf. to P2.

Furthermore, P1 needs to send output mapping tables for the output
wire keys that will enable P2 to know the actual bits of f(x, y) that are
associated with the output keys output at the end of the evaluation.
2. Sending garbled values. In order to allow party P2 to evaluate
garble Circuit ‫ܥ‬ሚ௙ , P1 needs to send P2 one key per input wire of the circuit.
These keys should be the keys corresponding to the actual bits of x and y.
We denote by (ui)i=1,...,n the wires corresponding to the bits of x and by
(vj)j=1,...,n the wires corresponding to the bits of y. Party P1 knows x and can
௫
thus directly send P2 the keys ݇௨೔೔ , for i = 1, . . . , n.
Sending the keys associated with P2’s inputs is trickier. In order to
preserve privacy, P2 cannot give his input y to P1. Conversely, P1 cannot
give both keys for each input wire, which would enable P2 to evaluate ‫ܥ‬ሚ௙
on several inputs, and thus learn more information about x than he should.
Consequently, P1 and P2 have to run oblivious transfers. More precisely, if
n is the bit-size of y and k is the security parameter for the protocol, then
P1 and P2 have to run a ௡௞ܱܶଵଶ protocol, where P1 inputs all key pairs for
wires vj and P2 inputs the bits yj of y.
3. Evaluating the garbled circuit. Now that P2 has the garbled
circuit, one key per input wire and the output mapping table, P2 is fully
able to evaluate ‫ܥ‬ሚ௙ . Party P2 thus obtains f(x, y) and sends it to P1 so that
both parties learn the result. (Recall that we are in the semi-honest model
and that parties are assumed to follow the protocol. In particular, it means
that P2 provides P1 with f(x, y) even if this result does not suit P1.
Yao’s protocol is summarized in Figure 2.
Remark 1. A garbled circuit can only be used once. Indeed, if one plays
Yao’s protocol on the same garbled circuit using different inputs, one
could decrypt more garbled table rows than expected, and learn
information about the other party’s input that should not have been
learned. Therefore, a new set of garbled values and, thus, a new set of
garbled tables, have to be used if P1 and P2 wish to securely evaluate f
again, on different inputs.
Figure 2. Yao’s Protocol
Optimizations. During the last decade, several optimizations have been

proposed to make Yao’s protocol practical. Moreover, the OT
optimizations described above can of course be applied to an
implementation of Yao’s protocol. For more details about these
optimizations, we refer the reader to [62, 37, 72].
An efficient encryption construction for the garbled table components
has been proposed in [52, 62], based on cryptographic hash functions.
Encryption can roughly be instantiated as follows:
‫ܧ‬௞భǡ ௞మ ሺ݇ଷ ሻ ൌ ݇ଷ ۩࣢ሺ݇ଵ ȁȁ݇ଶ ȁȁ‫ݏ‬ሻ
where s is a unique identifier for the gate, and ࣢ is a cryptographic hash

function. This construction is secure in the random oracle model.
394 Chapter Twelve
The Point-and-permute technique [57] enables the evaluator of the

garbled circuit to know which entry of the garbled table that has to be
decrypted, without impacting privacy, thus reducing the evaluator’s
workload to one hash function evaluation per garbled gate. To do so, each
garbled value includes one bit of permutation, in addition to the wire key.
The Free XOR optimization [45] enables to garble XOR gates “for
free”. Using this technique, the XOR gates of the original circuits are not
garbled, which means that the time spent on encrypting, sending, and
evaluating these gates can be avoided. This is accomplished by creating a
fixed difference between the two garbled values of each garbled wire, i.e.
for a given garbled circuit, we fix ᇞ‫ א‬ሼͲǡͳሽ௞ and enforce ݇௨ଵ ൌ ݇௨଴ ۩ ᇞ, for
each wire u (notice that ¨ should not be learned by the evaluator).
Moreover, the garbled values of the ouput wire w of a XOR gate whose
input wires are and are not randomly picked but computed this way:
଴
݇௪ ൌ ݇௨଴ ْ ݇௩଴ Ǣ ݇௪
ଵ ଴
ൌ ݇௪ ۩ ᇞǤ
One can then easily be convinced that, for any pair of bits (a, b) ‫{ א‬0, 1}2,
௔ْ௕
݇௪ ൌ ݇௨௔ ْ ݇௩௕ , which is precisely what the evaluator of the garbled
circuit will compute instead of evaluating a “real” garbled gate. This
optimization is very important and has an impact on the circuit
representation. When designing a circuit for integration in Yao’s protocol,
one should not optimize the total number of gates of the circuit, but the
number of non-XOR gates, even by adding more XOR gates, since their
impact on the overall execution time is negligible. We refer the reader to
[45, 44] for a description of circuits minimizing the number of non-XOR
gates for basic functionalities (addition, subtraction, comparison,
multiplexer, minimum, and multiplication). For example, addition,
comparison or subtraction on n-bit inputs requires n non-free XOR gates
only.
The Garbled Row Reduction technique [56, 62] enables the reduction
of the size of a garbled table to 3 elements2, instead of 4, by appropriately
picking the garbled values (see [62, Section 4] for more details). For
instance, for a security parameter equal to 80 (resp. 128), a garbled non-
XOR gate is 240-bit (resp. 384) long. This optimization substantially
reduces bandwidth consumption, which is often a bottleneck when
deploying 2PC protocols. However, the workload of the creator does not
change (4 encryptions).
2
This number can even be reduced to 2, if one does not want to use the free XOR
technique.
Finally, the Pipelined Circuit Execution technique [37] aims to reduce

the computation time during an execution of Yao’s protocol. When using
the pipelined execution, the creator does not wait for encrypting the whole
circuit before sending it. Reciprocally, the evaluator does not wait for
getting the whole garbled circuit before starting to evaluate it. This does
not save communication complexity, but it reduces overall computation
time, and can save memory space on both parties’ devices.
2.2.3 GMW Protocol
The Goldreich-Micali-Wigderson (GMW) protocol [32] has been

introduced shortly after Yao’s protocol. It is not specific to 2PC but can be
used with any number of parties. We here summarise the 2PC version.
This protocol also considers a function f expressed as a binary circuit.
Parties P1 and P2 share their input bits between both of them. For example,
if xi is an input bit of P1, then P1 picks a random bit ri, sends ri to P2, and
holds xi۩ri as the secret share of xi. Once all inputs are shared, the circuit
is evaluated on the shares. When evaluating a gate, each party owns a
share of both inputs and learns a share of the output. Let us respectively
denote by (u, v) and w the inputs and output of a gate G. Party P1 holds
shares u1 and v1 of u and v, party P2 holds shares u2, and v2 of u and v (i.e.
u = u1۩u2 and v = v1۩v2); they interactively obtain shares of w as follows:
x XOR gates. Each party Pi locally computes wi = ui۩vi.

x AND gates. Parties P1 and P2 run a ܱܶଵସ where, say, P1 is the sender
and P2 is the receiver. P1 picks a random bit w1 as his share of w =
u‫ר‬v. Party P1 pre-computes all possible shares of w, depending on
the values of u2 and v2. More precisely, the OT input at position (a,
b) ‫{ א‬0, 1}2 is w2 = w1 ْ ((u1 ْ a) ‫( ר‬v1 ْ b)). Thus, on input (u2,
v2), P2 obtains w2= w1ْ ((u1 ْ u2) ‫( ר‬v1 ْ v2)) = w1 ْ w2, which
ensures correctness.
At the end of the evaluation, P1 and P2 exchange their shares of the

output bits and thus obtain the output f(x, y).
Recently, the GMW protocol has been implemented with new
optimizations that make it more efficient (see [73, 4] for more details). The
performances in the case of secure evaluation of distances or of biometric
identification computation are given in Section 3 and Section 4.
396 Chapter Twelve
2.2.4 Homomorphic Encryption
Homomorphic cryptosystems [67] are cryptosystems that enable us to

“compute over encrypted data”. More precisely, a cryptosystem E is
homomorphic of operation ٛ (on plaintexts) if there exists an efficiently
computable operation ٝ (on ciphertexts) such that one can compute an
encryption of ଵ ٛ ଶ from encryptions of m1 and m2 as
‫ܧ‬ሺ݉ଵ ٛ ݉ଶ ሻ ൌ ‫ܧ‬ሺ݉ଵ ሻ ٝ ‫ܧ‬ሺ݉ଶ ሻ
without the knowledge of the secret key. RSA [68] and ElGamal [28]
cryptosystems that are homomorphic for the multiplication operation on
plaintexts are called multiplicatively homomorphic. Constructing a
cryptosystem that is homomorphic for any operation on plaintexts (called
fully homomorphic) has been a challenge for a long time. It has only been
solved in 2009 by Gentry [30]. We discuss the use of fully homomorphic
encryption in Section 5.3.
If the homomorphic properties of the cryptosystem enable the
computation of Epk(f(x, y)) from Epk (x) and y, without knowing the secret
key, then one can design a simple 2PC protocol for securely evaluating f ,
as described in Figure 3.
In the following, we focus on additively homomorphic schemes, i.e.,
schemes that are homomorphic for addition on plaintexts. We denote,

respectively, by pk, sk, Epk, Dsk the public key, secret key, encryption
algorithm, and decryption algorithm, of such schemes. The homomorphic
operation on ciphertexts corresponding to additions is denoted
multiplicatively, i.e. Epk(m1 + m2) = Epk(m1) . Epk (m2), for any messages
m1, m2. Notice that, by induction, one can also obtain Epk(n·m), from
Epk(m) and n ‫ א‬Ժ, as Epk(n·m) = (Epk (m))n.
This means, if we see n as an input to the computation, then one can
compute multiplications with an additively homomorphic cryptosystem,
without interaction, as long as one of the operands is in the clear. This will
be useful for secure biometric matching.
Some variants might be applied to the generic protocol described in
Figure 3., in order to broaden the set of functions that can be securely
evaluated using additively homomorphic encryption.
Interactively computing multiplications. If at some point of the protocol,

party P2, owns two ciphertexts Epk(u) and Epk(v) (while P1 holds the
decryption key sk) and needs to compute Epk(u·v), then P1 and P2 can
proceed as follows:
1. P1 picks two random numbers r and ‫ݎ‬Ԣ, according to the uniform

distribution over the plaintext space, and computes c1=Epk(u+r) and
c2=Epk(‫ ݒ‬+ ‫ݎ‬Ԣ ) using homomorphic properties of E.
2. P2 sends c1 and c2 to P1.
3. P1 decrypts ‫ݑ‬Ԣ = Dsk(c1) and ‫ݒ‬Ԣ = Dsk (c2), then computes c3 = Epk
(‫ݑ‬Ԣā‫ݒ‬Ԣ).
4. P1 sends c3 to P2.
5. P2 computes c4 = (Epk(u))-r' = Epk(íu·r ), c5 = (Epk(v))ír = Epk(ír·v)
and c6 = Epk(-r·r').
6. P2 computes c7 = c3·c4·c5·c6, which is an encryption of u·v.
The last line is justified using homomorphic properties of E:

c3·c4·c5·c6= Epk((íu+r)·(v+r’)) ·Epk(íu·r’) Epk(ív·r) ·Epk(ír·r’)
= Epk((u+r)·(v + r’) í u·r’ív·rír·r’)
= Epk(u·v)
Figure 3. Secure Two-Party Computation using Homomorphic Encryption
398 Chapter Twelve
Packing. It can be useful to encrypt several messages in the same

ciphertext, in order to save bandwidth when ciphertexts are sent from one
party to the other. Indeed, the plaintext space is often very large, compared
to the actual size of data on which we would like to compute (see
description of Paillier encryption below). To deal with this problem,
several messages can be packed into one cipher text. Let m1,…, mk‫{א‬0, 1}
be such messages, such that k×l N, where N is the bit-size of plaintexts
of E. Then one can encrypt m1,…, mk in the same ciphertext by setting the
plaintext to ݉ ൌ σ௞௜ୀଵ ݉௜ ʹκሺ௜ିଵሻ , which is equivalent to encrypting mk
mk||…||m1, where || denotes concatenation. Packing enables the batch of
homomorphic additions. (Unfortunately, one cannot batch homomorphic
multiplication with several operands in the clear).
Re-randomizing ciphertexts. To preserve privacy, it can be useful to re-

randomize ciphertexts (notice that homomorphic schemes used for 2PC
have a randomized encryption algorithm, in order to satisfy ciphertext-
indistinguishability requirements (see Security below)). Given a ciphertext
c=Epk(m), it suffices to compute c’= c·Epk(0), which is also an encryption
of m, thanks to additively homomorphic properties of E.
Main schemes used in implementations. Two main additively

homomorphic schemes are usually employed in implementations of secure
biometric identification: Paillier cryptosystem [61] and DGK cryptosystem

[19, 20, 21]. We give some details about these schemes below. Notice that
lifted ElGamal [28] can also be used if the messages that are decrypted lie
in a small set, since decryption ends with a search for a discrete logarithm.
Paillier cryptosystem. Paillier cryptosystem [61] is an additively

homomorphic cryptosystem, whose security is based on the decisional
composite residuosity problem. The public key consists of a ț-bit RSA
number N = pq, where p and q are prime, and g‫ א‬চேమ of order of a
multiple of N in g‫ א‬চ‫כ‬ேమ , for instance, g = N + 1 [22]. The private key
consists of p and q. The plaintext space is চே , and the ciphertext space is
̈́
চேమ . To encrypt a message m‫ א‬চே , one selects a random number r ՚ চே ,
and computes a ciphertext c=Epk (m)=gm·rN‫ א‬চேమ .
As for RSA encryption, one should use ț= 1024-bit N moduli for k =
80-bit security and ț = 3072-bit moduli for 128-bit security. Notice that
the ciphertext space is চேమ , thus the ciphertexts have twice the size of the
plaintexts. In particular, even the encryption of 1 bit requires at least 2048
bits for a reasonable level of security, which motivates the use of another
scheme when manipulating small plaintexts.
DGK cryptosystem. DGK encryption [19, 20, 21] answers this problem.
The public key still includes a ț-bit RSA modulus N = pq, in addition to a
small integer u, and two elements g, h ‫ א‬চ‫כ‬ே (with restrictions about their
order, linked to u, p, and q). Plaintext space is now Ժu, while ciphertext
space is ԺN (instead of চேమ for Paillier encryption). Encryption of a
message m‫ א‬Ժu is performed by picking a random integer r, and
computing c = Epk(m)=gm·hr‫ א‬ԺN .
Security. Due to homomorphic properties, homomorphic cryptosystems

cannot achieve the strongest requirements for public-key cryptosystems of
non-malleability [24, 25] (but it is precisely because these schemes are
malleable that we are using them). We require homomorphic schemes
employed for 2PC to be ciphertext-indistinguishable under chosen
plaintext attack (IND-CPA), or, equivalently, to achieve semantic security.
The IND-CPA property roughly means that an adversary that does not
know the secret key cannot distinguish what plaintext is encrypted in a
ciphertext, even when knowing a potential small subset of plaintexts to
which the actual plaintext belongs.
Using this property, we can quickly justify why the protocols based on
homomorphic cryptosystems satisfy the privacy requirements of Secure
Two-Party Computation. We recall (see Section 2.1) that proving security
is done by describing an algorithm that simulates the view of each party Pi
during an execution of the protocol, using Pi’s input and output only. To
construct such a simulator for 2PC protocols based on homomorphic
encryption, it suffices to send ciphertexts encrypting random data instead
of real data for all communication rounds, except for the last one (the
ciphertext encrypting the output should be an actual encryption of the
output). If the corrupted party is P2 (that does not know pk), then, from the
indistinguishability property of E, the adversary cannot distinguish the real
execution from the simulation. If the corrupted party is P1, then the
adversary only receives either encryptions of masked data, which are
perfectly simulated by sending encryptions of random data, or the
encryption of the output, which is not simulated, and thus the adversary’s
view can also be simulated in this case. Thus, the scheme described in
Figure 3. achieves privacy. This analysis remains true if one runs
interactive multiplications or uses packing.
2.2.5 Comparison between the techniques
There is no absolute best solution for securely evaluating a given function

f. It can depend, for instance, on the computational capabilities of the
400 Chapter Twelve
parties, and the latency of the network. We can however give some
elements of comparison.
Yao’s protocol is more dedicated to functions that have an efficient
representation as a binary circuit. It enjoys many optimizations that reduce
its cost to few public-key operations and mostly symmetric operations.
Moreover, it is a1-round protocol, which can be useful when suffering
from low network latency. The drawbacks are that a garbled circuit can
only be used once, and that sending garbled circuit and garbled values
leads to significant communication costs.
GMW protocol is also more dedicated to binary functions and enjoys
optimizations on oblivious transfer. Moreover, compared to Yao’s
protocol, the cost for sending garbled circuit is removed. However, the
number of rounds depends on the depth (not taking XORs into
consideration) of the binary circuits.
The solution employing homomorphic encryption is more suited to
arithmetic functions on integer inputs. Homomorphic ciphertexts also have
the advantage that they can be used for several secure evaluations. The
communication cost depends on the size of the inputs and on the
multiplicative depth of the function. In particular, encrypting small values
with homomorphic ciphertexts can lead to large communication
overheads. The number of rounds also depends on the multiplicative
depth. The major drawback is that encryption, decryption, and
homomorphic operations are arithmetic operations (products,

exponentiations) on large moduli, which could lead to a significant
computational cost.
It is possible to design hybrid protocols that use several tools for
different parts of a secure computation. Notice that one should pay
attention to the way tools are sequentially combined. In particular,
intermediary results should not be made available in the clear. Often, a
masked output is obtained by one party, while the other party holds the
mask, which prevents either party from learning information about
intermediary outputs.
2.3 Generic Implementations

Several generic implementations of 2PC are publicly available, and can be
used to run 2PC protocols on any function of reasonable size.
Fairplay. Fairplay [54] is the first known generic implementation of Yao’s

protocol, written in Java. It does not include all optimizations presented
above. It comes with a description language called SFDL (Secure Function
Definition Language) for the function to be securely evaluated. The SFDL

description is then compiled to a SHDL (Secure Hardware Definition
Language) description, which defines the binary circuit on which to apply
the Yao’s protocol. Regarding performances, the total execution time for,
e.g., a comparison on 32-bit inputs on a local area network, is 1.25s.
According to [54], in the LAN setting, oblivious transfer takes the most
important part of execution time (from 54 to 91 %, depending on the
evaluated function).
TASTY. TASTY (Tool for Automating Secure Two-partY computations)

[35] is a tool that aims at automating secure function evaluation, using
either Yao’s protocol, (additively) homomorphic encryption, or a
combination of both techniques, depending on the function to be
evaluated. It includes all previously mentioned optimizations on garbled
circuits and oblivious transfer, except pipelining. As with Fairplay, it
comes with a description language for the function to be evaluated, here
called TASTYL (TASTY input Language). TASTY is written in Python.
Results on securely evaluating biometric identification using TASTY
appear in Section 4.2.
FastGC. FastGC [37] is a Java implementation of Yao’s protocol that

includes all optimizations on OTs and GCs described above, in particular
pipelining, which makes it the more efficient current tool for executing
Yao’s protocol, to our knowledge. An intermediate language and an
interpreter (GCParser) [2] have later been introduced, in order to facilitate
the use of FastGC with personalized circuits. Performances on FastGC
applied to biometric identification appear in Section 4.3.
Oblivious Transfer Implementations. It is possible to extract oblivious

transfer implementations from the 2PC Yao’s protocol implementations
presented above (Fairplay,TASTY, FastGC). Recently, new optimizations
on oblivious transfer have been introduced by [4], especially for use in
Yao’s and GMW protocols. The associated OTExtension library is written
in C++. It enables computation of 10 million ܱܶଵଶ s in less than 15 seconds,
on a local area network [4].
402 Chapter Twelve
3 Privacy-Preserving Biometric Identification

3.1 Setting
We here consider the case of biometric (1-vs-N) identification where
biometric data can be represented as fixed-length vectors in a metric space,
and where biometric matching is done by computing distances between
biometric data, and comparing these distances to a threshold. Our setting is
formalized in Figure 4. Server ࣭ inputs a list of biometric templates
x1,…,xN‫{א‬0, 1}n, while client ‫ ܥ‬inputs one fresh biometric acquisition
y‫{א‬0,1}n. All distances d(xj, y) are computed, for j = 1,…, N and are
compared to a threshold t (or to several thresholds t1,…, tN ). Several
options for the output are described in Figure 4. depending on the
functionality one wants to offer. For the examples given in Section 1.1,
one possible solution is the output option 5 of Figure 4., where only one
bit is output.
3.2 Secure Computation of Distances and Comparison

As in Figure 4., the operations that we would like to evaluate in a privacy-
preserving fashion are either distances or comparison operations. In this
section, we describe how to design 2PC protocols for computing them,
using the tools described in Section 2.2. The distances considered in this
section are metrics found in state-of-the-art of biometric matching:
(normalized) Hamming distance (Sections 3.2.1 and 3.2.3), Euclidean
distance and scalar product (Section 3.2.2). We also discuss secure
computation of comparison and minimum search operations (Section
3.2.4).
To compare the different techniques exposed in this section, we refer
the reader to the analysis made in Section 2.2.5, and to implementation
results given in Section 4.
Figure 4. The Privacy-Preserving Biometric Identification Setting
3.2.1 Hamming Distance
Hamming distance, between two n-bit binary strings x = (x1,…,xn)‫{א‬0,1}n

and y = (y1,…,yn)‫ א‬ሼͲǡͳሽ୬ , can be defined by
404 Chapter Twelve
ሼͲǡͳሽ௡ ൈ ሼͲǡͳሽ௡ ՜ ሾͲǡ ݊ሿ

௡
݀ு ǣ
ሺ‫ݔ‬ǡ ‫ݕ‬ሻ ฽ ෍ሺ‫ݔ‬௜ ْ ‫ݕ‬௜ ሻ
௜ୀଵ
where ْ is the XOR operation seen as a function with range {0, 1} (over
the integers). If one sees the coordinates of x and y as integers, instead of
bits, then xi ْ yi = xi + yi í 2xi·yi and thus
௡
݀ு ǣ ሺ‫ݔ‬ǡ ‫ݕ‬ሻ ฽ ෍ሺ‫ݔ‬௜ ൅ ‫ݕ‬௜ െ ʹ ȉ ‫ݔ‬௜ ȉ ‫ݕ‬௜ ሻ

௜ୀଵ
This description is particularly useful when using homomorphic

encryption. Secure computation of Hamming distance has been proposed
using different tools, as illustrated below.
Homomorphic Encryption. Hamming distance can be securely evaluated

using additively homomorphic encryption, following the heuristic
described in Section 2.2.4. The notations are the same as in Section 2.2.4,
i.e. Epk(x)·Epk(y) = Epk(x + y) and Dsk(Epk (m)) = m.
1. Encryption. Client ‫ ܥ‬picks a key pair (sk, pk) for E, and encrypts
each of his inputs bits, separately, using E, i.e., computes c1 = Epk
(y1),…, cn = Epk (yn). Client ‫ ܥ‬sends pk and (c1,…, cn) to server ܵ.
2. Computation over encrypted data. Server ܵ does the following for
௝ ௝
each‫ ݔ‬௝ ൌ ሺ‫ݔ‬ଵ ǡ ǥ ǡ ‫ݔ‬௡ ሻ in his database:
ೕ
௝ ଵିଶȉ௫೔ ௝
x Compute ݀௜ ൌ ܿ௜ ȉ ‫ܧ‬௣௞ ൫‫ݔ‬௜ ൯Ǥ(Thanks for homomorphic
௝ ௝
properties, ݀௜
ൌ ‫ܧ‬௣௞ ሺ‫ݔ‬௜ ْ ‫ݕ‬௜ ሻሻ
௡
௜
x Compute ܵ ൌ ς௜ୀଵ ݀௜ . (Thanks to homomorphic properties,
௝
ܵ௝ ൌ ‫ܧ‬௣௞ ሺσ௡௜ୀୀଵሺ‫ݔ‬௜ ۩‫ݕ‬௜ ሻሻ ൌ ‫ܧ‬௣௞ ሺ݀ு ሺ‫ ݔ‬௝ ǡ ‫ݕ‬ሻሻሻ
୨
x Send ࣝ.
3. Decryption. Client ࣝ computes ݀ு ሺ‫ ݔ‬௝ ǡ ‫ݕ‬ሻ ൌ ‫ܦ‬௦௞ ሺܵ௝ ሻ for ݆ ൌ
ͳǡ ǥ ǡ ܰ
Remark 2. As explained in Section 2.2.4, if one wants the server to get the
result or one wants to get the output of comparison operations only, one
should let server ܵ homomorphically add a mask toܵ௝ .
Yao’s Protocol. Yao’s protocol is described in Section 2.2.2. For its

application to a particular function, the main issue is to design a circuit
that minimizes the number of non-XOR gates.
The circuit proposed by Huang et al. [37] is intuitive: it uses a tree of
addition gates that forms the Counter sub-circuit, which is computed after
bit-wise XORs. If ݊ ൌ ʹ௩ , then the number of non-XOR gates is σ௩௜ୀଵ ݅ ȉ
ʹ௩ି௜ , which is approximately equal to ʹ݊.
Recently, it has been suggested [73, 36] to use a circuit designed by
Boyar and Peralta [11] that approximately reduces the number of non-
XOR gates by half.
GMW Protocol. As for Yao’s protocol, the circuit should be optimized for
reducing the number of AND gates, but also for reducing the depth of the
circuit. Schneider and Zohner [73] implemented the GMW protocol using
the Boyar and Peralta circuit [11] (see Section 4.3).
Using Oblivious Transfer only. Bringer et al. [15] proposed a new protocol
called SHADE (Secure HAmming DistancE) for computing Hamming
distance in the 2PC setting using OT only. In the 1-vs-N setting, it can be
described as follows.
௝ ̈́
1. ࣭picks ݊ ȉ ܰ random values ൫‫ݎ‬௜ ൯௜‫א‬ሾଵǡ௡ሿǡ௝‫א‬ሾଵǡேሿ ՚ ሺሾͲǡ ݊ሿሻ௡ൈே .
‫ڿ‬௟௢௚ሺ௡ାଵ‫ۀ‬
ଶ
2. ࣭ and ࣝ perform a ௡ܱܶଵ protocol where
x ࣭acts as the sender with inputs ሺሺ‫ݎ‬ଵଵ ൅ ‫ݔ‬ଵଵ ԡǥ ԡ‫ݎ‬ଵே ൅ ‫ݔ‬ଵே ǡ ‫ݎ‬ଵଵ ൅
ሺ‫ݔ‬ଵଵ ۩ ͳሻԡǥ ԡ‫ݎ‬ଵே ൅ ሺ‫ݔ‬ଵே ۩ ͳሻǡ ǥ ǡ ǥ ሺ‫ݎ‬௡ଵ ൅ ‫ݔ‬௡ଵ ԡǥ ԡ‫ݎ‬௡ே ൅
‫ݔ‬௡ே ǡ ‫ݎ‬௡ଵ ሺ‫ݔ‬௡ଵ ۩ ͳሻԡǥ ԡ‫ݎ‬௡ே ൅ ‫ݔ‬௡ே ൅ ሺ‫ݔ‬௡ே ۩ ͳሻሻ
x ࣝ acts as received with inputs ሺ‫ݕ‬ଵ ǡ ǥ ǡ ‫ݕ‬௡ ሻ
௝ ௝ ௝
x ࣝ thus obtains ቀ‫ݐ‬௜ ൌ ‫ݎ‬௜ ൅ ൫‫ݔ‬௜ ۩‫ݕ‬௜ ൯ቁ
௜‫א‬ሾଵǡ௡ሿǡ௝‫א‬ሾଵǡேሿ
௝
3. For j‫[ א‬1, N], client ࣝ computes ܶ௝ ൌ σ௡௜ୀଵ ‫ݐ‬௜ .
௝
4. For j‫[ א‬1, N], server ࣭computes ܴ ௝ ൌ σ௡௜ୀଵ ܴ௜
1 N
5. Client ࣝ sends (T ,…,T ) to server ࣭.
6. For j‫[ א‬1, N], server ࣭ computes Tj í Rj = dH(xj, y)
Remark 3 (Variants)
x The last two steps can be inverted (࣭ sends the Rjs and ‫ ܥ‬computes
the distances) if one wants the client to learn the output.
x The last two steps can be avoided and replaced by a comparison
protocol (see Section 3.2.4) if one does not want Hamming
406 Chapter Twelve
distances to be output but rather comparison results only.

x The SHADE protocol can be adapted to compute other functions,
such as Euclidean distance, or scalar product (see [15] for more
details).
3.2.2 Euclidean Distance
We here consider squared Euclidean distance, defined b

௡
݀ா ሺܺǡ ܻሻ ൌ ෍ሺ‫ݔ‬௜ െ ‫ݕ‬௜ ሻଶ

௜ୀଵ
where X = (x1,…, xn), Y = (y1, . . . , yn) ‫ א‬Ժ௟ for some integer κ.

Due to its arithmetic nature, computation of Euclidean distance is often
secured using homomorphic encryption [26, 69, 6, 38, 8]. However, [69]
also evokes the possibility of computing it using Yao’s protocol (see [69,
Extended version] for more details).
Homomorphic Encryption. Euclidean distance can be securely
evaluated using additively homomorphic encryption, following the
heuristic described in Section 2.2.4. We still use the notations of Section
2.2.4.
1. Encryption. Client ‫ ܥ‬picks a key pair (sk, pk) for E, and encrypts
each of his input’s coordinates, separately, using E, i.e. computes c1
= Epk (y1),…, cn = Epk(yn). In addition, client ࣝ computes ܿ௡ାଵ ൌ
σ௡௜ୀଵ ‫ݕ‬௜ଶ . Client ࣝ sends ‫ ݇݌‬and ሺܿଵ ǡ ǥ ǡ ܿ௡ ǡ ܿ௡ାଵ ሻto server ࣭.
2. Computation over encrypted data. Server ࣭ does the following for
௝ ௝
each ‫ ݔ‬௝ ൌ ሺ‫ݔ‬ଵ ǡ ǥ ǡ ‫ݔ‬௡ ሻ in his database.
ೕ
௝ ିଶȉ௫೔
x Compute ݀௜ ൌ ܿ௜ . (Owing to homomorphic properties,
௝ ௝
݀௜ ൌ ‫ܧ‬௣௞ ሺെʹ ȉ ‫ݔ‬௜ ȉ ‫ݕ‬௜ ሻሻ
௝ ଶ
x Compute ܵ௝ ൌ ‫ܧ‬௣௞ ቀσ௡௜ୀଵ൫‫ݔ‬௜ ൯ ቁ ȉ ܿ௡ାଵ ȉ ς௡௜ୀଵ ݀௜ (Owing to
௝ ଶ
homomorphic properties, ܵ௝ ൌ ‫ܧ‬௣௞ ቀσ௡௜ୀଵ൫‫ݔ‬௜ ൯ ൅ ሺ‫ݕ‬௜ ሻଶ െ ʹ ȉ
௝
‫ݔ‬௜ ‫ݕ‬௜ ቁ ൌ ‫ܧ‬௣௞ ቀ݀ா ሺ‫ ݔ‬௝ ǡ ‫ݕ‬ሻቁ
x Send ܵ௝ to ࣝ
3. Decryption. Client ࣝ computes ݀ா ሺ‫ ݔ‬௝ ǡ ‫ݕ‬ሻ ൌ ‫ܦ‬௦௞ ሺܵ௝ ሻ, for ݆ ൌ
ͳǡ ǥ ǡ ܰ
Remark 4. As explained in Section 2.2.4, if one wants the server to get the
result, or one wants to get the output of comparison operations only, one
should let server ࣭ homomorphically add a mask to ܵ௝ .
Remark 5 (Scalar Product). Secure evaluation of scalar product can be

done in a very similar way to Euclidean distance. One should just remove
the encryptions of the sums of squares of coordinates and the factor 2 for
the other elements. This will be useful for secure encoding in Eigenfaces
recognition, as we describe in Section 4.2.
3.2.3 Normalized Hamming Distance
We here consider normalized Hamming distance, as used for IrisCode

matching [23]. It can be defined as
σ௡௜ୀଵሺ‫ݔ‬௜ ۩‫ݕ‬௜ ሻ ‫݉ ڄ‬௜ ‫݉ ڄ‬௜ᇱ

݀ேு ൫ሺ‫ݔ‬ǡ ݉ሻǡ ሺ‫ݕ‬ǡ ݉ᇱ ሻ൯ ൌ
σ௡௜ୀଵ ݉௜ ‫݉ ڄ‬௜ᇱ
where ሺ‫ݔ‬ǡ ݉ǡ ‫ݕ‬Ǥ ݉ᇱ ሻ ‫ א‬ሺሼͲǡͳሽ௡ ሻସ

Divisions are difficult to securely evaluate in an efficient way. Since
normalized Hamming distances are usually computed in a biometric
identification setting, we do not describe protocols computing this distance
only, but rather comparison of this distance to a threshold. Instead of

ǫ
computing D/N t, where D and N are the numerator and denominator of
൏
ǫ
normalized Hamming distance, we suggest computing D t·N. Actually,
൏
the protocols described below consist, in computing (masked versions of),
of D and N, able to be used as inputs to a secure comparison protocol (see
Section 3.2.4).
Homomorphic Encryption. Blanton and Gasti [8] suggest using

homomorphic encryption to compute, on one side, the numerator of the
distance and, on the other side, the denominator. To do so, client ࣝ sends
server ܵ two cipher-texts ai1 = Epk(xi·mi) and ai2 = Epk ((1 í xi)·mi), for each
i = 1,…, n. Server ܵ can then homomorphically obtain ai3 = Epk(mi)=
ai1·ai2. Using these ciphertexts, ݉௜ᇱ , yi and homomorphic properties of E,
௠ᇲ
server ܵ obtains ‫ܧ‬௣௞ ሺ݉௜ ȉ ݉௜ᇱ ሻ ൌ ܽ௜ଷ೔ ൌ ܽ௜ସ and ‫ܧ‬௣௞ ሺሺ‫ݔ‬௜ ۩‫ݕ‬௜ ‫݉ ڄ‬௜ ‫݉ ڄ‬௜ᇱ ሻ ൌ
ሺଵି௬ ሻ‫ڄ‬௠ ௬ ‫ڄ‬௠
ܽ௜ଵ ೔ ೔ ‫ܽ ڄ‬௜ଶ೔ ೔ . By multiplication of all of these ciphertexts, server ࣭
obtains encryptions of the numerator and the denominator of the
normalized Hamming distance between ሺ‫ݔ‬ǡ ݉ሻ and ሺ‫ݕ‬ǡ ݉ᇱ ሻ. Secure
408 Chapter Twelve
protocols for comparison can then be launched.
Yao’s Protocol. Bringer et al. [16] suggest using Yao’s protocol instead of
homomorphic encryption. The same idea of separately computing
numerator and denominator before running a comparison protocol is used.
Details on the circuit design can be found in [16].
3.2.4 Comparison and Minimum
Our biometric identification functionality usually ends with comparison of

one (or several) distance d to a threshold t. We assume that both distance d
and threshold t are in Ժm, for some integer ݉. As we will see, for some
implementations, complexity is directly related to ݉. Thus, finding the
experimentally optimal maximal distance dmax is of interest. For instance,
in [60], where biometric vectors are at a theoretical maximum distance of
360, the experiments show that taking dmax =180 is sufficient. When
arriving at the comparison step, values are often masked, meaning that one
party holds d+R while another party holds R, where R is a random value in
Ժm. In this case, a secure addition (or subtraction) might have to be
performed before comparison. Depending on the case, either the threshold
is public or held by server ܵ. In the following, the options for outputs of
these comparison/minimum protocols are numbered according to Figure 4.
In particular, protocols implementing options 3 and 4 of Figure 4. include

research for a closest element, translated into a search for a minimum
among several distances.
Homomorphic Encryption. Damgard et al. [19, 20, 21] propose a secure

comparison protocol that can be run when using their homomorphic
encryption scheme. It is, for instance, used in [26] with some
modifications. Simply put, comparison bit is computed as the most
significant bit of ʹ‫ڿ‬௟௢௚ሺ௠ሻ‫ ۀ‬൅ ‫ ݐ‬െ ݀, equal to 1, if and only if d<t. Details
on how to obtain this bit while preserving privacy using homomorphic
inputs can be found in [26, 69]. Notice that it requires many interactions
between server ࣭ and client ࣝ (about ͸‫ڿ‬ሺܰሻ‫ ۀ‬rounds of interaction).
Yao’s Protocol. Comparison on integers in Ժm can be done using a binary

circuit made of ‫ڿ‬ሺ݉ሻ‫ ۀ‬non-free gates, as the one described in [44]. If
the minimum of N distances has to be found before comparison to a
threshold (as in output option 4), a minimum circuit with about
ʹ‫ڿ‬ሺ݉ሻ‫ ܰۀ‬non-free gates [57] can be run before comparing the best
match to a threshold, and can use a multiplexer to output its index if the
associated distance is below the threshold [69]. Another possibility is to

compute all comparisons then an OR of all values (Ní1 non-free gates) if
one wants to obtain output option 5. Dedicated protocols that extend Yao’s
protocol can also be used, as the Backtracking tree protocol of [38] to
obtain output option 4.
GMW Protocol. When evaluating comparisons using GMW protocol, one

can use the same circuits as for Yao’s protocol. However, Schneider and
Zohner [73] suggest using a different comparison circuit from the one of
[44]. Indeed, they employ the DC circuit of [29], that is about 3 times
larger than the one of [44], but its depth is logarithmic in the bit-size of the
inputs, while the depth of the [44] circuit is linear, which helps save
computation time, since GMW can be efficiently computed for small-
depth circuits [73].
Oblivious Transfer. Osadchy et al. [60] propose computing comparison to

1 using oblivious transfer. Assuming that party P holds d + R ‫א‬
a threshold 1
ǫ
Ժm, and party P2 holds R‫א‬Ժm and t‫א‬Ժm, they can obtain the bit d t by
൏
running a ܱܶଵ௠ where
x party P1 plays the role of receiver with input d+R;

ǫ
x party P2 plays the role of sender with inputs ((i í R)(mod m)
൏
t)i=0,...,mí1‫ א‬ሼͲǡ ͳሽ௠ .
Thus, P1 obtains 1 if d < t and 0 otherwise.
4 Application to Iris, Fingerprint and Face Recognition

In this section, we describe existing protocols for privacy-preserving
biometric identification, using 2PC techniques. They make use of the
techniques exposed in Section 3.2 using different combinations. We report
implementation results exposed in the associated publications.
Note that tables reporting these results contain several cells filled with
dashes. This does not (always) mean that values are zero, but it indicates
when the information is not explicitly available, or easy to deduct, in the
related publication.
410 Chapter Twelve
4.1 FingerCodes
The FingerCode representation of fingerprints was introduced by Jain et
al. in [40]. Although fingerprint representations are usually based on local
reference points called minutiae, this representation does not take them
into consideration in order to achieve a much simpler comparison
algorithm. Simply put, in order to encode the image, one first locates a
central reference point and, preferably, a direction in order to define a disk
of analysis. Each sector of the disk is filtered using a bank of Gabor filters.
For each sector, one computes the standard deviation of the Gabor phases
to obtain the FingerCode. The matching operation between two
FingerCodes is an Euclidean distance. In proposals described below,
experiments were conducted on FingerCodes made of vectors of 16
coordinates, each coordinate being a 7-bit integer (except for [38]).
Using Paillier and ElGamal cryptosystems. Barni et al. [6] describe a

scheme based on homomorphic encryption (Paillier [61] and additive
ElGamal [28] over elliptic curves). Euclidean distance comparison follows
the same methodology as in Section 3.2.2, and uses Paillier encryption.
Once server ܵ holds all encrypted distances between client ࣝ’s input and
every database element, it runs a comparison protocol based on
homomorphic encryption, adapting the DGK method [19, 20, 21]
described in Section 2.2 to the EC-ElGamal cryptosystem [28], in order to

save bandwidth.
Using DGK cryptosystem and Yao’s Protocol. Blanton and Gasti [8]
described a proposal that uses DGK encryption [19, 20, 21] for Euclidean
distance computation, and Yao’s protocol for comparison of the distances
to a threshold.
In another proposal, Huang et al. [38] also propose a hybrid protocol. It
uses Paillier encryption for Euclidean distance computation, with an
optimization using packing techniques. Yao’s protocol, and a specific
backtracking protocol are used for retrieving the index of the closest
match. Their implementation considers 640 ×8-bit vectors. It requires
about 17.7 second per record for online computation, and 7.5KB per
record online communication.
Table 1: Performances of privacy-preserving FingerCode identification

protocols
Comparison. The performances on the aforementioned protocols, on

16×7-bit vectors, are summarised in Table 1. Notice that the performances
of [38] are on 16×8-bit vectors.
4.2 Eigenfaces
In 1991, Turk and Pentland introduced a new approach to human face
recognition known as Eigenfaces [75]. Using this representation, face
images in a high-dimensional vector space are transformed into feature

vectors in a low-dimensional vector space whose basis is composed of
Eigenfaces. Such a basis is obtained through Principal Component
Analysis from a set of training images. We do not detail this process here
and only focus on the projection and matching algorithms.
We assume that face images are represented by vectors of length n, and
that a set of Eigenfaces u1,…,uK forming a basis for the low dimensional
space that has already been set up. Notice that K < n. We also need the
vector Ȍ representing the average of the training images used to compute
the ui’s.
Let X be a new face image. We obtain its feature vector representation
as follows:
1. Compute ĭ = X í Ȍ = (ĭ1, . . . , ĭn);

2. For each i = 1, . . . , K , compute Ȧi = ĭ1.(ui)1 + ā ā ā + ĭn.(ui)n;
3. The feature vector associated to X is = (Ȧ1, . . . , ȦK).
412 Chapter Twelve
The distance between two feature vectors and ’ can then be defined
(in the simplified version that we consider) as the squared Euclidean
distance D(, ’ ) = || í ’||2 = (Ȧ1 – Ȧ’1)2 + ā ā ā + (ȦK – Ȧ’K )2.
In the secure versions of this protocol, in addition to the feature vectors
in the database, the Eigenfaces u1,…, uK and the average vector Ȍ are also
assumed to be private inputs of ࣭. Implementations use 192 × 112-pixel
images as inputs, where pixels are 8-bit values, and K = 12 Eigenfaces.
The distances are 50-bit.
Using homomorphic encryption only. Erkin et al. [26] proposed to follow

the homomorphic encryption approach. Client ‫ ܥ‬sends a ciphertext per
coordinate of his input image. Then, projection can be homomorphically
computed by ࣭ without interactions. However, one round of interaction is
required for distance computation, since a squaring operation has to be
homomorphically performed (contrary to the case of Fingercodes where ‫ܥ‬
can directly send the sum of the squared coordinates of his input, as in
Section 3.2.2). Projection and distance use Paillier encryption, while
comparison is done using DGK encryption and the protocol presented in
Section 3.2.4.
Using hybrid solutions. Hanecka et al. [35] suggest to still use (Paillier)
homomorphic encryption for the projection and distance phases, but to use
Yao’s protocol for comparison/minimum phases. Their implementation

uses the generic TASTY tool [35] (see Section 2.3), and consequently
does not contain all possible optimizations.
Sadeghi et al. [69] propose a more dedicated and thus more efficient
implementation using the same hybrid approach.
Using GMW Protocol. Schneider and Zohner [73] implemented a GMW

version of the Eigenfaces recognition protocol, reaching very good timing
performances, especially for the online phase.
Comparison. We summarise, in Table 2., the performances of the

protocols exposed in [26, 69, 35, 73]. HE denotes homomorphic
encryption and GC denotes garbled circuits. Notice that some experiments
were run on a single computer, and others on two computers in a LAN
setting. We refer the reader to the associated publications for more details.
4.3 SCiFI (Face)

The SciFI project [41, 59, 60] is a project of the University of Haifa,
where a new face identification system is proposed. The main particularity
of this system is that the biometric identification algorithm has been
specifically designed for a more efficient usage in secure computation.
Table 2. Performances of privacy-preserving Eigenfaces identification

protocols
In their system, biometric templates are fixed-length vectors. In this

representation a face is represented by p patches. A vocabulary of M
words is processed for each patch. In the vectorial representation, there is

an appearance component and a spatial component. The spatial component
corresponds to the distance between each patch and the center of the face
image, and is represented by 2 out of 10 possible distances for each patch.
The appearance component is, for each patch, the set of m words, out of
the M available in the vocabulary, that are the closest to the real patch of
the face image.
The template is a p.(M + 10)-bit feature vector. For each patch, 10 bits
are used for the spatial component, and M for the appearance component.
Among the first ten bits, the two bits that correspond to the indices
representing the distance between the image and the center of the image
are set to 1, and the others are set to 0. Identically for the M other bits, the
m bits whose indices correspond to the appearance component are set to 1,
and the others are set to 0.
For instance, with m = 2 and M = 10, if the distance between a given
patch and the center of the image is between 6 and 7, and if the closest
words in the vocabulary are indexed by 2 and 9, the part of the feature
vector corresponding to this patch will be as in Table 3.
414 Chapter Twelve
Consequently, the feature vectors have a constant Hamming weight

equal to p.(2 + m). In the implementation of [60], p = 30, M = 20 and m =
4, this results in 900-bit vectors, in which 180 bits are set to 1. The
matching operation is an exclusive-OR between two feature vectors.
Experiments described in [60] show that angle of distances is [0, 180].
Using Homomorphic encryption. Osadchy et al. [60] propose an

implementation of the SCiFI identification protocol that employs
homomorphic encryption for distance computation and that uses oblivious
transfer for comparison evaluation.
Using Yao’s Protocol. Huang et al., in their paper [37] aiming at showing
the good performances of Yao’s protocol (especially by introducing
pipelining), describe an implementation of Hamming distance computation
using this protocol.
Spatial component Appearance component

Bit position 1 2 3 4 1 2 3 4
Feature 0 05 6
0 7
0 0 15 06 07
t 0 1 1 0 0 0
Table 3. Schematic SCiFI feature vector
Table 4. Performances of privacy-preserving SCiFI identification

protocols
Using SHADE. Bringer et al. [15] propose the SHADE protocol that is
dedicated to Hamming distance computation. The execution time is
approximately divided by 4, compared to Yao’s protocol using FastGC.
Using the GMW Protocol. Schneider and Zohner [73] show that using the
GMW protocol leads to a very efficient identification protocol that deals
with 50,000 elements in the database in less than 1 second.
Comparison. Comparisons of the aforementioned protocols are reported in

Table 4. All timings include communication time over a local area
network (LAN).
4.4 IrisCodes
In the case of iris recognition using IrisCodes [23], biometric templates
can be represented as binary vectors. A 256-byte (2048 bits) iris template,
together with a 256-byte mask, is computed from an iris image using the
algorithm reported in [23]; the mask filters out the unreliable bits, i.e.,
stores the erasures positions of the iris template. The resulting template is
called IrisCode.
Given an image of the eye, the first step of the encoding algorithm is to
find the part of the image that corresponds to the iris area between the
pupil-iris and the iris-sclera boundaries. Upon isolating the iris, its texture
is normalized using a rubber sheet model, in which the iris image is
remapped from a Cartesian coordinate system to a polar coordinate
system, regardless of the iris size and the pupil dilation. After
normalization, a set of Gabor filters is applied on every direction and
location of the normalized and rectangular shaped iris image. Each
computed Gabor phase value is then coded into 2 bits depending on its
position on the trigonometric circle.
Table 5. Performances of the secure IrisCode identification protocol of

[8]
The classical way to compare two IrisCodes relies on a normalized

Hamming distance (NH) computation between binary vectors: given X =
(x1, . . . , x2048), Y = (y1, . . . , y2048) two 2048-bit representations of irises
and the associated masks M(X) = (m1, . . . , m2048) and M(Y ) = (m1, . . . ,
m2048), compute for some rotations of the second template – to deal with
the iris orientation’s variation – and keep the lowest distance.
416 Chapter Twelve
ԡሺܺ۩ܻሻ‫ܯځ‬ሺܺሻ‫ܯځ‬ሺܻሻԡ
݀ேு ሺܺǡ ܻሻ ൌ
ԡ‫ܯ‬ሺܺሻ‫ܯځ‬ሺܻሻԡ
(1)
σଶ଴ସ଼ ᇱ
௜ୀଵ ሺ‫ݔ‬௜ ْ ‫ݕ‬௜ ሻ ‫݉ ڄ‬௜ ‫݉ ڄ‬௜
ൌ
σଶ଴ସ଼
௜ୀଵ ݉௜ ‫݉ ڄ‬௜
ᇱ
Using hybrid solutions. Blanton and Gasti [8] propose to follow the
homomorphic encryption approach for normalized Hamming distance
evaluation, as described in Section 3.2. Comparison operations are done
using Yao’s protocol. Performances are reported in the following table.
Using Yao’s Protocol. Bringer et al. [16] suggested using Yao’s protocol
instead of homomorphic encryption. The aim of Bringer et al. was more to
introduce a protocol that takes filtering into account (see Section 5.1) than
to introduce a faster protocol for secure iris identification. Indeed, they
report a performance of about 2.4 seconds per rotation per element in the
database. Concurrently, Luo et al. [53] also proposed a protocol using
Yao’s protocol with the same parameters, requiring 563 ms to compare
two Iriscodes.
5 New Directions
Several new directions for privacy-preserving biometric identification in

the 2PC setting have been suggested, slightly explored or more
investigated [8, 16, 74, 55]. We discuss four of them in this section. Some
are specific to biometric identification (filtering, minutiae), some are more
generic problems (fully homomorphic encryption, malicious adversaries).
We also discuss the use of Secure Multi-party Computation, so to
conclude this chapter.
5.1 Filtering
In all protocols that we have described so far, identification is roughly
done by computing the same distance operation between the client’s input
and all database elements, and doing some comparison operations that
depend on the input we want to obtain. In actual biometric identification
systems with large databases, using the same operation for all database
elements is not the way to proceed. Indeed, either the distance operation is
discriminative enough (i.e. it enables the separation of matching and non-
matching elements with low error rates), but too computationally
expensive to be computed on all elements of the database, or this operation
is lightweight but does not discriminate enough. This is why a filtering
process is often used in such setting. Such a process goes in several

phases. During first phases, lightweight distances are computed against the
whole database in order to select a smaller set of candidates for
identification. The last phase computes the more accurate operation
against these candidates only.
Bringer et al. [16] suggest applying 2PC techniques to this setting
(with 2 phases) in order to improve efficiency of secure biometric
identification protocols. They describe a protocol for iris that is actually
applicable to any biometric trait, as long as all underlying distances can be
efficiently expressed as binary circuits. Their protocol uses Yao’s protocol
with a few modifications. In particular, several ܱܶଵே have to be computed
between both phases, in order to select candidates without giving the list
of candidates to the server. The issue is that ܱܶଵே s have a cost that is linear
in N. Thus, this cost must be small compared to the cost of the final costly
distance operation in order to be more efficient than when not using
filtering. As an example, Bringer et al. suggest using smartcard-aided
oblivious transfers [33].
5.2 Minutiae-based Representation for Fingerprints

Minutiae representation is the most classical representation for fingerprints
[46]. Minutiae are local features of fingerprints (such as ridge endings,
ridge bifurcations. . . ) that are usually encoded as oriented points. A

fingerprint encoding is then a set of such oriented points and comparison
of fingerprints done by comparing these sets.
Minutiae are difficult to deal with using 2PC techniques. Indeed, the
number of minutiae used to encode a fingerprint is not fixed. As we
indicated in Figure 1., the size of the inputs has to be fixed, in order not to
leak information about the inputs. In the case of fingerprints, the size of
the set of minutiae gives, for instance, information about the quality of the
acquisition that one would not like to disclose.
Furthermore, the matching operation often consists of filling and
updating tables, first, to find the best geometric transformation that maps
one fingerprint to the other, and then, to compute the score. Dealing with
tables is difficult and costly using SMC techniques, since, in order to
preserve privacy and not to learn which items are more often updated, all
items have to be modified the same number of times.
However, there have been some proposals [8, Extended version][74],
that have attempted to apply secure computation techniques to fingerprint
matching using minutiae, with some relaxations in the model of minutiae
that reduce accuracy.
418 Chapter Twelve
5.3 Fully Homomorphic Encryption

Fully homomorphic encryption (FHE) (see Section 2.2.4) was one holy
grail in cryptography for a few decades, until Gentry [30] provided the
first proposal to be proven secure. However, this proposal was rather
inefficient. Despite improvements and new schemes [76, 13, 12],
efficiency of FHE is not yet acceptable for applications to biometric
identification. For instance, homomorphic evaluation of AES using the
BGV cryptosystem [12] was shown in 2012 to take about 36 hours, using
machines with large memory facilities [31]. We refer the reader to [55] for
an overview of the promises of fully homomorphic cryptography in the
field of signal processing.
5.4 Malicious Adversaries

As pointed out in Section 2, we focus in this chapter on semi-honest
adversaries only, but there is a higher level of security that can be reached
if one needs to be protected against malicious adversaries. Taking into
account malicious adversaries has not been much considered in proposals
for privacy-preserving biometric identification. Several obstacles can be
pointed out if one wants to augment the level of security of the proposals
presented in this chapter.
If one wants to use homomorphic cryptosystems, the main problem is

to guarantee that operations performed on the ciphertexts comply with the
protocol. Proofs of computation have to be added to ciphertexts sent by
both parties, such as the ones proposed in [18] for Paillier encryption.
Adding these proofs requires a computational/communication cost that is
too high to be used for practical applications.
If one wants to use garbled-circuit techniques, several generic
approaches can be used to consider the malicious setting. The cut-and-
choose technique [50, 51, 47] is one of the most promising approaches. It
roughly consists of sending many garbled circuits for the same
functionality. The creator opens some of them (i.e. reveals the keys) at the
request of the evaluator. If they are all correct, the evaluator evaluates the
other as usual and outputs the result that appears frequently. With the most
recent results [47], sending k garbled-circuits leads to a k-bit level of
security. Another approach [58], that somehow extends the GMW protocol
to the malicious setting using MAC values, and claims to be only 10 times
less efficient than generic protocols in the semi-honest setting.
Some work cited in this chapter also comes with a protocol for secure-
distance computation in the malicious setting, e.g. [41, 15]. However, the
interest of these proposals is often more theoretical than practical.

Finding dedicated protocols for biometric identification in the
malicious settings is a very interesting lead for future research.
5.5 The Multi-Party Case

We have discussed in this chapter the applications of Secure Two-party
Computation to biometric identification. The multi-party case is slightly
different. With most usual protocols [17], the n > 2 parties involved in the
protocol share their private data between all parties using secret sharing
techniques. The computations are then done on the shares (with possible
interactions). Notice that it is assumed that less than n/2 parties collude to
ensure privacy. This setting has been applied to real-life applications, such
as auctions [10] or financial data analysis [9]. Application to biometrics
could be an interesting lead for future research. However, one of the
difficulties resides in the use case: one has to define who the parties are,
why we can ensure that they do not collude, and what is their interest in
using multi-party techniques.
Acknowledgements
This work has been partially funded by the European FP7 BEAT project
(SEC-2011-284989).
References
[1] Apple - iPhone 5s. http://www.apple.com/iphone-5s/.
[2] GCParser, an interpreter for garbled circuits intermediate language.
Code available at http://www.mightbeevil.com/gcparser/.
[3] UIDAI: Unique Identification Authority of India. http://uidai.gov.in.
[4] G. Asharov, Y. Lindell, T. Schneider, and M. Zohner. More efficient
oblivious transfer and extensions for faster secure computation. In A.-
R. Sadeghi, V. D. Gligor, and M. Yung, editors, ACM Conference on
Computer and Communications Security, pages 535–548. ACM, 2013.
[5] Y. Aumann and Y. Lindell. Security against covert adversaries:
Efficient protocols for realistic adversaries. In S. P. Vadhan, editor,
TCC, volume 4392 of Lecture Notes in Computer Science, pages 137–
[6] M. Barni, T. Bianchi, D. Catalano, M. Di Raimondo, R. Donida Labati,
P. Failla, D. Fiore, R. Lazzeretti, V. Piuri, F. Scotti, and A. Piva.
Privacy-preserving fingercode authentication. In ACM workshop on
420 Chapter Twelve
Multimedia and Security (MM & Sec), pages 231–240. ACM, 2010.
[7] D. Beaver. Precomputing oblivious transfer. In D. Coppersmith, editor,
97–109. Springer, 1995.
[8] M. Blanton and P. Gasti. Secure and efficient protocols for iris and
fingerprint identification. In V. Atluri and C. D´Õaz, editors, ESORICS,
Springer, 2011. Extended version available at http://eprint.
iacr.org/2010/627.
[9] D. Bogdanov, R. Talviste, and J. Willemson. Deploying secure multi-
party computation for financial data analysis - (short paper). In A. D.
Keromytis, editor, Financial Cryptography, volume 7397 of Lecture
Notes in Computer Science, pages 57–64. Springer, 2012.
[10] P. Bogetoft, D. L. Christensen, I. DamgaÛrd, M. Geisler, T. P.
Jakobsen, M. Krøigaard, J. D. Nielsen, J. B. Nielsen, K. Nielsen, J.
Pagter, M. I. Schwartzbach, and T. Toft. Secure multi- party
computation goes live. In R. Dingledine and P. Golle, editors,
Financial Cryptography, volume 5628 of Lecture Notes in Computer
[11] J. Boyar and R. Peralta. Concrete multiplicative complexity of
symmetric functions. In R. Kralovic and P. Urzyczyn, editors, MFCS,
Springer, 2006.
[12] Z. Brakerski, C. Gentry, and V. Vaikuntanathan. (Leveled) fully
homomorphic encryption without bootstrapping. In S. Goldwasser,
editor, ITCS, pages 309–325. ACM, 2012.
[13] Z. Brakerski and V. Vaikuntanathan. Efficient fully homomorphic
encryption from (standard) LWE. In R. Ostrovsky, editor, FOCS,
pages 97–106. IEEE, 2011.
[14] J. Bringer, H. Chabanne, and A. Patey. Privacy-preserving biometric
identification using secure multiparty computation: An overview and
recent trends. IEEE Signal Process. Mag., 30(2):42–52, 2013.
[15] J. Bringer, H. Chabanne, and A. Patey. SHADE: Secure Hamming
distance computation from oblivious transfer. In A. A. Adams, M.
Brenner, and M. Smith, editors, Financial Cryp- tography Workshops,
Springer, 2013. Extended version available at
http://eprint.iacr.org/2012/586.
computation for biometric identification using filtering. In A. K. Jain,
A. Ross, S. Prabhakar, and J. Kim, editors, ICB, pages 257–264. IEEE,
2012.
[17] R. Cramer, I. Damgard, and J. B. Nielsen. Secure multiparty
computation and secret sharing- an information theoretic appoach.
Book draft. Available at http://www.daimi.au. dk/˜ivan/MPCbook.pdf.
[18] R. Cramer, I. DamgaÛrd, and J. B. Nielsen. Multiparty computation
from threshold homomorphic encryption. In B. Pfitzmann, editor,
EUROCRYPT, volume 2045 of Lecture Notes in Computer Science,
[19] I. DamgaÛrd, M. Geisler, and M. Krøigaard. Efficient and secure
comparison for on-line auctions. In J. Pieprzyk, H. Ghodosi, and E.
Dawson, editors, ACISP, volume 4586 of Lecture Notes in Computer
[20] I. DamgaÛrd, M. Geisler, and M. Krøigaard. Homomorphic
encryption and secure comparison. IJACT, 1(1):22–31, 2008.
[21] I. DamgaÛrd, M. Geisler, and M. Krøigaard. A correction to ’efficient
and secure comparison for on-line auctions’. IJACT, 1(4):323–324,
2009.
[22] I. DamgaÛrd and M. Jurik. A generalisation, a simplification and some
applications of Pail- lier’s probabilistic public-key system. In K. Kim,
editor, Public Key Cryptography, volume 1992 of Lecture Notes in
Computer Science, pages 119–136. Springer, 2001.
[23] J. Daugman. How iris recognition works. IEEE Trans. Circuits Syst.
Video Techn., 14(1):21–30, 2004.

[24] D. Dolev, C. Dwork, and M. Naor. Non-malleable cryptography
(extended abstract). In C. Koutsougeras and J. S. Vitter, editors,
STOC, pages 542–552. ACM, 1991.
[25] D. Dolev, C. Dwork, and M. Naor. Nonmalleable cryptography.
SIAM J. Comput., 30(2):391–437, 2000.
[26] Z. Erkin, M. Franz, J. Guajardo, S. Katzenbeisser, I. Lagendijk, and
T. Toft. Privacy- preserving face recognition. In I. Goldberg and M. J.
Atallah, editors, Privacy Enhancing Technologies, volume 5672 of
[27] S. Even, O. Goldreich, and A. Lempel. A randomized protocol for
signing contracts. Com- mun. ACM, 28(6):637–647, 1985.
[28] T. E. Gamal. A public key cryptosystem and a signature scheme
based on discrete logarithms. In G. R. Blakley and D. Chaum, editors,
10–18. Springer, 1984.
[29] J. A. Garay, B. Schoenmakers, and J. Villegas. Practical and secure
solutions for integer comparison. In T. Okamoto and X. Wang, editors,
Public Key Cryptography, volume 4450 of Lecture Notes in Computer
422 Chapter Twelve

[30] C. Gentry. Fully homomorphic encryption using ideal lattices. In M.
Mitzenmacher, editor, STOC, pages 169–178. ACM, 2009.
[31] C. Gentry, S. Halevi, and N. P. Smart. Homomorphic evaluation of
the AES circuit. In Safavi-Naini and Canetti [70], pages 850–867.
[32] O. Goldreich, S. Micali, and A. Wigderson. How to play any mental
game or a completeness theorem for protocols with honest majority. In
A. V. Aho, editor, STOC, pages 218–229. ACM, 1987.
[33] C. Hazay and Y. Lindell. Constructions of truly practical secure
protocols using standard- smartcards. In P. Ning, P. F. Syverson, and
S. Jha, editors, ACM Conference on Computer and Communications
Security, pages 491–500. ACM, 2008.
[34] C. Hazay and Y. Lindell. Efficient Secure Two-Party Protocols -
Techniques and Constructions. Information Security and
Cryptography. Springer, 2010.
[35] W. Henecka, S. Ko¨ gl, A.-R. Sadeghi, T. Schneider, and I.
Wehrenberg. TASTY: tool for automating secure two-party
computations. In E. Al-Shaer, A. D. Keromytis, and V. Shmatikov,
editors, ACM Conference on Computer and Communications Security,
pages 451–462. ACM, 2010. Code available at
https://code.google.com/p/tastyproject/.
[36] W. Henecka and T. Schneider. Faster secure two-party computation
with less memory. In K. Chen, Q. Xie, W. Qiu, N. Li, and W.-G.

Tzeng, editors, ASIACCS, pages 437–446. ACM, 2013.
[37] Y. Huang, D. Evans, J. Katz, and L. Malka. Faster secure two-party
computation using garbled circuits. In USENIX Security Symposium.
USENIX Association, 2011. Code available at
http://www.mightbeevil.com/framework/download.html.
[38] Y. Huang, L. Malka, D. Evans, and J. Katz. Efficient privacy-
preserving biometric identification. In NDSS. The Internet Society,
2011.
[39] Y. Ishai, J. Kilian, K. Nissim, and E. Petrank. Extending oblivious
transfers efficiently. InD. Boneh, editor, CRYPTO, volume 2729 of
[40] A. K. Jain, S. Prabhakar, L. Hong, and S. Pankanti. FingerCode: A
filterbank for fingerprint representation and matching. In CVPR, pages
2187–. IEEE Computer Society, 1999.
[41] A. Jarrous and B. Pinkas. Secure Hamming distance based
computation and its applications. In M. Abdalla, D. Pointcheval, P.-A.
Fouque, and D. Vergnaud, editors, ACNS, volume 5536 of Lecture
Notes in Computer Science, pages 107–124, 2009.
[42] A. Juels and M. Sudan. A fuzzy vault scheme. Des. Codes

Cryptography, 38(2):237–257, 2006.
[43] A. Juels and M. Wattenberg. A fuzzy commitment scheme. In J.
Motiwalla and G. Tsudik, editors, ACM Conference on Computer and
Communications Security, pages 28–36. ACM, 1999.
[44] V. Kolesnikov, A.-R. Sadeghi, and T. Schneider. Improved garbled
circuit building blocks and applications to auctions and computing
minima. In J. A. Garay, A. Miyaji, and A. Otsuka, editors, CANS,
Springer, 2009.
[45] V. Kolesnikov and T. Schneider. Improved garbled circuit: Free XOR
gates and applications. In L. Aceto, I. DamgaÛrd, L. A. Goldberg, M.
M. Halldo´rsson, A. Ingo´lfsdo´ttir, and I. Walukiewicz, editors,
ICALP (2), volume 5126 of Lecture Notes in Computer Science, pages
486–498. Springer, 2008.
[46] S. Z. Li and A. K. Jain, editors. Encyclopedia of Biometrics. Springer
US, 2009.
[47] Y. Lindell. Fast cut-and-choose based protocols for malicious and
covert adversaries. In R. Canetti and J. A. Garay, editors, CRYPTO
(2), volume 8043 of Lecture Notes in Computer Science, pages 1–17.
Springer, 2013.
[48] Y. Lindell and B. Pinkas. A proof of Yao’s protocol for secure two-
party computation. Electronic Colloquium on Computational

Complexity (ECCC), (063), 2004.
[49] Y. Lindell and B. Pinkas. A proof of security of Yao’s protocol for
two-party computation. J. Cryptology, 22(2):161–188, 2009.
[50] Y. Lindell and B. Pinkas. Secure two-party computation via cut-and-
choose oblivious transfer. In Y. Ishai, editor, TCC, volume 6597 of
[51] Y. Lindell and B. Pinkas. Secure two-party computation via cut-and-
choose oblivious transfer. J. Cryptology, 25(4):680–722, 2012.
[52] Y. Lindell, B. Pinkas, and N. P. Smart. Implementing two-party
computation efficiently with security against malicious adversaries. In
R. Ostrovsky, R. D. Prisco, and I. Visconti, editors, SCN, volume 5229
of Lecture Notes in Computer Science, pages 2–20. Springer, 2008.
[53] Y. Luo, S. ching Samson Cheung, T. Pignata, R. Lazzeretti, and M.
Barni. An efficient protocol for private iris-code matching by means of
garbled circuits. In ICIP, pages 2653–2656. IEEE, 2012.
[54] D. Malkhi, N. Nisan, B. Pinkas, and Y. Sella. Fairplay - secure two-
party computation system. In USENIX Security Symposium, pages
287–302. USENIX, 2004. Code available at
424 Chapter Twelve
http://www.cs.huji.ac.il/project/Fairplay/Fairplay.html.
[55] C. A. Melchor, S. Fau, C. Fontaine, G. Gogniat, and R. Sirdey.
Recent advances in homomorphic encryption: A possible future for
signal processing in the encrypted domain. IEEE Signal Process. Mag.,
30(2):108–117, 2013.
[56] M. Naor and B. Pinkas. Efficient oblivious transfer protocols. In S.
R. Kosaraju, editor, SODA, pages 448–457. ACM/SIAM, 2001.
[57] M. Naor, B. Pinkas, and R. Sumner. Privacy preserving auctions and
mechanism design. In ACM Conference on Electronic Commerce,
pages 129–139, 1999.
[58] J. B. Nielsen, P. S. Nordholt, C. Orlandi, and S. S. Burra. A new
approach to practical active-secure two-party computation. In Safavi-
Naini and Canetti [70], pages 681–700.
[59] M. Osadchy and B. Moskovich. Illumination invariant representation
for privacy preserving face identification. In IEEE Computer Society
and IEEE Biometrics Council Workshop on Biometrics (CVPRW),
2010.
[60] M. Osadchy, B. Pinkas, A. Jarrous, and B. Moskovich. SCiFI - a
system for secure face identification. In IEEE Symposium on Security
and Privacy, pages 239–254. IEEE Computer Society, 2010.
residuosity classes. In J. Stern, editor, EUROCRYPT, volume 1592 of

[62] B. Pinkas, T. Schneider, N. P. Smart, and S. C. Williams. Secure two-
party computation is practical. In M. Matsui, editor, ASIACRYPT,
Springer, 2009.
[63] S. Prabhakar, S. Pankanti, and A. K. Jain. Biometric recognition:
Security and privacy concerns. IEEE Security & Privacy, 1(2):33–42,
2003.
[64] M. O. Rabin. How to exchange secrets with oblivious transfer.
Technical Report TR-81, Aiken Computation Lab, Harvard University,
1981.
[65] N. K. Ratha. Privacy protection in high security biometrics
applications. In A. Kumar and D. Zhang, editors, ICEB, volume 6005
of Lecture Notes in Computer Science, pages 62–69. Springer, 2010.
privacy in biometrics- based authentication systems. IBM Systems
Journal, 40(3):614–634, 2001.
[67] R. L. Rivest, L. Adleman, and M. L. Dertouzos. On data banks and
privacy homomorphisms. In R. A. DeMillo, D. P. Dobkin, A. K. Jones,
and R. J. Lipton, editors, Foundations of Secure Computation, pages

165–179. Academic Press, 1978.
[68] R. L. Rivest, A. Shamir, and L. M. Adleman. A method for obtaining
digital signatures and public-key cryptosystems. Commun. ACM,
21(2):120–126, 1978.
[69] A.-R. Sadeghi, T. Schneider, and I. Wehrenberg. Efficient privacy-
preserving face recognition. In D. Lee and S. Hong, editors, ICISC,
volume 5984 of Lecture Notes in Com- puter Science, pages 229–244.
Springer, 2009. Extended version available at
http://eprint.iacr.org/2009/507.
[70] R. Safavi-Naini and R. Canetti, editors. Advances in Cryptology -
CRYPTO 2012 - 32nd Annual Cryptology Conference, Santa Barbara,
CA, USA, August 19-23, 2012. Proceedings, volume 7417 of Lecture
Notes in Computer Science. Springer, 2012.
[71] A. D. Santis, S. Micali, and G. Persiano. Non-interactive zero-
knowledge proof systems. In C. Pomerance, editor, CRYPTO, volume
293 of Lecture Notes in Computer Science, pages 52–72. Springer,
1987.
[72] T. Schneider. Engineering Secure Two-Party Computation Protocols -
Design, Optimization, and Applications of Efficient Secure Function
Evaluation. Springer, 2012.
[73] T. Schneider and M. Zohner. GMW vs. Yao? Efficient secure two-
party computation with low depth circuits. In A.-R. Sadeghi, editor,

Financial Cryptography, volume 7859 of Lecture Notes in Computer
[74] S. F. Shahandashti, R. Safavi-Naini, and P. Ogunbona. Private
fingerprint matching. In W. Susilo, Y. Mu, and J. Seberry, editors,
ACISP, volume 7372 of Lecture Notes in Computer Science, pages
426–433. Springer, 2012.
[75] M. A. Turk and A. P. Pentland. Eigenfaces for recognition. Journal of
Cognitive Neuro- science, 3(1):71–86, Winter 1991.
[76] M. van Dijk, C. Gentry, S. Halevi, and V. Vaikuntanathan. Fully
homomorphic encryption over the integers. In H. Gilbert, editor,
EUROCRYPT, volume 6110 of Lecture Notes in Computer Science,
[77] A. C.-C. Yao. How to generate and exchange secrets (extended
abstract). In FOCS, pages 162–167. IEEE Computer Society, 1986.
PART 5.
OTHER BIOMETRIC SECURITY

TECHNOLOGIES
CHAPTER THIRTEEN
WATERMARKED BIOMETRICS
F. HAN, R. VAN SCHYNDEL

AND M. ALKHATHAMI
SCHOOL OF COMPUTER SCIENCE AND INFORMATION
TECHNOLOGY
RMIT UNIVERSITY, VIC 3000, AUSTRALIA
1. Introduction
The release of iPhone 5S, which integrates a fingerprint sensor into the
home button for opening the device, has triggered another round of debate
on the security protection by using biometrics. Apple device users love the
advanced feature of opening the phone by using their fingerprints rather
than by a password. However, only two days after the iPhone 5S went on
sale, it was reported that a "fake fingerprint" photographed from a glass
surface could unlock the phone [1]. Soon after, it was pointed out: to use
something that you cannot change (biometrics) and that you leave
everywhere, such as the fingerprint on the glass surface as a security
token, is ‘stupid’ [2].
Identity theft has incurred significant loss in the real world [3].
Biometrics describes features of the person that are permanent and ideally
unchangeable, which serves as a more effective authentication technique
compared to traditional methods such as tokens that can be lost or stolen,
or passwords that can be forgotten [4, 5]. However, biometrics is only the
representations of people; they are not secrets. The biometrics therefore
should not be used to secure anything. Consequently, to ensure that the
given biometric samples are genuine, watermarking techniques have been
introduced. A digital watermark refers to a secret code-dependent signal
typically inserted into a noise-tolerant sampled digital data (audio, video,
or image), which could later be decoded or extracted. Through digital
watermarking, information such as legal destination, origin, and rights to
Watermarked Biometrics 429
access, also can be embedded in multimedia content without introducing

any discernible distortions.
A considerable amount of research has been proposed in digital image
watermarking. In general, the major characteristics of watermarking
algorithms are imperceptibility and robustness against damage [6].
Robustness suggests an algorithm that should protect the embedded data
against various forms of attack, including image translation, scaling,
cropping, or rotation. Imperceptibility implies that the watermark’s
message should not be discernible to the human visual system. Finally, the
addition of a watermark must be done in a secure fashion, so that only
those authorized to do so may read or write the watermark.
In this chapter, we look at the use of watermarking as an aid to prevent
fraudulent tampering of biometric data.
2. Digital Watermarking
The digital watermark process is often linked to a data signalling ‘channel
model’ [7]. That is, the host data acts as a channel medium or carrier, and
the watermark is the data within the carrier.
The generic watermarking or ‘steganographics’ channel model
resembles the traditional communications channel model in most respects
[8]. The embedding and extraction processes are often symmetric, or at
least complementary to each other. The principal difference between the

traditional channel model and the steganographics channel model is the
visibility criterion. This can be roughly considered analogous to a power
limitation requirement, but the human visual system is a much more ‘fussy
animal’ when it comes to watermark detection. Fig. 2-1. shows the process
of watermark embedding and detecting.
Fig. 2-1(a). demonstrates watermark embedding and recovery. The
multimedia data, D, is often referred to as the host data, which is
transformed (‘XFM’) into some other invertible domain as C. Typically,
the transform is a Fourier, Discrete Cosine, or Wavelet Transform. The
message, M, is also transformed or encoded as part of the watermark
generator (‘GEN’) into some compatible form, W, and then embedded
within the transformed data to form Cw. We reverse the transform, and the
watermarked data results, and Dw, is deployed.
430 Chapter Thirteen
T
(a)
(b)
Figure 2-1. (aa) Watermark em

mbedding and recovery.
r (b) W
Watermark deteccting.
In the processs of normal handling

h durin
ng communicaation, the host data may
get damageed. We modeel this as an n attack, and apply variou us attack
modelling strategies to mitigate
m the atttacks. A simpple example would
w be
resizing the image, or savving it in a diffferent formatt. Typically, thhis would
damage the watermark, annd attack mod delling is then used to re-esttimate the
watermark ffrom the damaaged media.
The channnel noise waas modelled in n early versionns of the wateermarking
process as aadditive white Gaussian noise (AWGN), bbut recent effo forts use a
more generaal non-linear distortion
d or attack
a noise m
model. The mo odeling of
additive noisse has been onne of the activ ve areas of reseearch in waterrmarking,
but its mitiigation is veery dependen nt on the feaatures of a particular
p
watermarkinng algorithm and a individuall image statisttics. We exam mine some
mitigation sttrategies later in this chapter.
When detecting or extracting the watermark, the first step is to remove

the host data as much as possible (as it now acts as an interference) but
preserve the watermark. Typically this is not a perfect process, and we get
a watermarked data estimate, Dwe, which is returned to the transform
domain, Cwe, from which we extract the watermark using the method which
depends on how it was embedded. The result is an estimate of the original
embedded message, Me.
The embedding and extraction process can involve encryption using
keys K1 and K2, which may or may not be identical.
A final step, often called channel equalisation, involves a degree of pre-
distortion. In the model shown in Fig 2-1(b)., the watermark detector is
used to adjust the embedding parameters in order to maximise the detection
of the watermark for this particular host data, yet minimise its damage to
the data, or its visibility. This means that for different host data, the
parameters may be quite different, even if the embedded watermark was
identical.
We first model the kind of distortions that are likely to happen to the
host data, whether deliberate or otherwise, and ensure that the watermark
can still be recovered successfully. With further adjustment of the
parameters, we then ensure that the watermark remains invisible. Finally,
we need to be sure that the watermark is still recoverable with these new
settings. The host data, the watermark, and the detector are all available to
the embedder, so that an optimal equalisation process is possible when and

where the watermark is created.
As with any multi-objective optimisation algorithms, the resulting
watermark stability can be highly data-dependent, as well as algorithm-
dependent, making any process using such post-processing difficult to
compare with others. We follow here with a rough guide as to what to look
for among good watermarking algorithms.
In order to achieve maximum protection for intellectual property
through watermarking, the following principal properties must be
satisfied:
A. Security
The security requirement in a watermarking system can vary, depending
on its application. It must be difficult or virtually impossible to eliminate
the watermark, at least without tampering with the original image. It must
also survive any modifications carried out on the images, including colour
re-quantification, which are commonly achieved by picture editors, or the
lossy compression methods such as JPEG, popular with storage and
transmission. Watermarking as a security feature is the ability to ensure

the integrity and secrecy of the watermark information while defending
against malicious attacks [8].
B. Imperceptibility
Imperceptibility here refers to the watermark’s perpetual transparency.
Ideally, there should be no discernible difference between the original and
watermarked signals [9], [10]. In some watermarking applications, a
watermark should be readily perceptible to the appropriate authorities,
even when it is not observable to the ordinary eye. A simple way of
reducing distortion during watermarking is embedding it in the host
signal’s perpetually insignificant portion [10], though this makes it
relatively easy for an attacker also to alter the watermark information
without being noticed.
C. Robustness
Robustness refers to the ability of the watermark to survive manipulations
of the signal. It has to be difficult for an attacker attempting to counterfeit
the data to remove it. However, not every watermark application requires a
watermark to be so robust as to withstand all attacks and signal processing
applications. A watermark needs only to survive attacks and signal

processing operations that could occur when the watermark is within a
communication channel. In extreme cases, the robustness could be entirely
irrelevant in cases where fragility is desired. A watermark becomes fragile
if any significant manipulation of the host data is done, and can act as a
tamper-proofing measure to ensure data integrity.
D. Capacity
Channel Capacity in watermarking usually refers to the amount of data
that can be embedded within a host signal. The capacity requirement often
comes into conflict with the two other vital requirements: robustness and
imperceptibility. A higher capacity comes at the expense of
imperceptibility, robustness, or both.
In addition to the above four principal properties, there are other
properties such as implementation complexity, embedding speed, in-
channel detection, false-positive rate and additional parameters depending
on the specific implementation. We will return to these in detail, in the
next section.
3. Digital Watermark Techniques

In classifying watermarking algorithms, we can divide the
watermarking domain into four main classes, which illustrate their use.
x Human perception.
o Visible / perceivable / detectable
o Invisible / unperceivable / undetectable
Fragile – watermarks that ‘break’ when tampered with
Robust – watermarks that can resist any attempt to remove it
x Working domain.
o Spatial – 1:1 correspondence between the data and the watermark
elements
o Transform – 1:1 correspondence with a set of templates describing
the data
x Type of data.
o Designed for human consumption
o Designed for machine consumption
x Application.
o Source-based – one unique watermark with many copies of it
o Destination-based – many watermarks and each copy is unique
In the above categories, the human perception has two main image
subcategories that include the invisible and visible. The invisible can be
further divided into fragile and robust. A visible watermark could be a
company or channel logo superimposed over an image or video. It would
serve the social purpose of informing the user of its presence, which may
deter copying. For the more determined copier, who would visibly remove
such a watermark, there exist the invisible watermarks. Not only are these
harder to remove, but also are harder to confirm by the copier whether
they have been removed.
We can divide the subcategory of the working domain to include the
spatial domain and the transform domain. Typically, the transform domain
templates are a set of complex, cosine, or wavelet [13] basis functions,
such as Fourier, DCT and DWT transform domains, respectively [12]. We
describe these domains later in the chapter.
The type of data can be further divided into data meant for human
consumption, such as freeform text, images, audio, or video. These
suggest that it is human perception that determines whether a watermark is
noticeable or not. By being unnoticeable, the watermark can ‘silently’
move with the data wherever the data goes, without interfering with its
use.
If the data is instead usually consumed by a machine, or some
program, then the method of making the watermark undetectable depends
on the application, not just on human perceptibility. For example, a list of
coordinates are used to draw an agricultural field on a satellite map can be
watermarked by perturbing the coordinates in some controlled way. These
perturbations may be small according to a human observer looking at the
map, who still sees the field, but they could have a major impact on a
program measuring the total area of fields using these coordinates.
Finally, the algorithms can be classified by the target application as
well. Such watermarking techniques can be categorised into source-based
and the destination-based techniques. In the source-based case, the
watermark that identifies the sender is uniquely provided to all distributed
contents, whereas in the destination-based case, every distributed content
target receives a particular watermark that identifies the receiver uniquely.
Taking fingerprint images as an example, the watermark techniques of
a fingerprint image are mainly classified by two parameters, such as the
visibility of the watermark on multimedia content and the domain where
the watermark data will be embedded into the host images.
A. Visible and Invisible

A visible watermark often has a discernible message or company logo

defining the image’s owner. Its purpose is copyright notification.
Alternatively, the digital content watermarked invisibly is visually similar
to the original. An invisible watermark is inserted into the image as a mark
or a label, by coding image pixel values, which in turn reflects the label,
such that changes in the pixel value do not give rise to visible artefacts.
Later on, at the receiving end, an invisible watermark can be decoded or
detected through analysis of pixel values. Invisible watermarking,
therefore, refers to two processes, including the embedding of the labels
and the detection of the stamped label.
Invisible watermarks can be further classified into two types based on
both appearance and application, while defining the requirements of each
class, namely robust and fragile or semi-fragile. Generally, in the
copyright protection and verification of ownership, robust watermarks are
preferred [11-13], since they can withstand practically all types of image
processing operations. Comparatively, fragile or semi-fragile watermarks
[14, 15] are mostly deployed in the content authentication and verification
of integrity, since they are vulnerable to modifications.
B. Spatial Watermarking
Many novel techniques have been proposed to conceal watermarks in
digital images. These methods can be classified into different categories
depending on the domain type in which embedding takes place. Two
major domain types exist, spatial and transform, each with its own
advantages and disadvantages.
In the spatial domain [16], one can simply embed the watermark in a
host image by altering the gray-scale levels of some pixels. The earlier-
mentioned watermarking techniques are spatial in nature, and the simplest
are those that modify least significant bits (LSB) in an image’s pixel data
[17]. Variants and improvements to these methods were proposed in [18],
[19]. The same techniques have been demonstrated to be robust against
filtering, "lossy" image compression, and scanning.
As an example, consider the algorithm by PW Wong [20], as shown
in Fig. 3-1(a). below. In this case, the host image is subdivided into 8×16
blocks of 8-bit RGB pixel data. For each RGB channel, the leading 7 bits
are preserved. Thus we obtain MD5(8×16×7 bits || height || width). The
MD5 is 128 bits long, which is reshaped into an 8×16 block. This block is
XORed with a corresponding block of a binary company logo image, and
the result is encrypted using RSA with a private key. The lowest bit is then
replaced as shown, by the generated watermark.
The extraction process, shown in Fig.3-1(b). is almost identical to the

embedding method, except that instead of a company logo as input, we get
the extracted logo (at top right) as output.
Clearly such a method cannot tolerate a lossy compression method
such as JPEG, but there are ways of mitigating this. An example illustrated
in the experimental result in the next section, demonstrates a
tamperproofing watermark algorithm.
C. Transform-based Watermarking
In the transform domain [7], [8], [11], [21], [22], one can insert the
watermark in the coefficients of a transformed image. In the spatial
domain, ideally, the transform domain has the effect of apportioning
hidden information in varying ordered bits in a robust manner. There are
several transformations that can be applied to the digital images, but only
three are most notably used in watermarking. These include Discrete
Cosine Transform (DCT), Discrete Wavelet Transform (DWT), and
Discrete Fourier Transform (DFT). Transform-based methods can insert
T
much largerr numbers of bits as compaared to the sppatial domain methods,

without giviing rise to disccernible visuaal artefacts.
(a)
(b)
Figure 3-1 (aa). The Wong embedding meethod. (b) Extrraction process using the
Wong methodd.
In DFT method, the transform domain components correspond to complex

sinusoidal frequency domain values. In DCT and DWT methods, this
correspondence is less clear. One of the earliest papers using DFT for
watermarking by Ó’Ruanaidh and Pun [56] cites its main advantages as
making the watermark resultant invariant to the rotation, translation, and
scaling by combining the DFT with a log-polar transform. While this
transform was not further used by others (due to its instability and
inaccuracy), it did point the way to using a transformation space that can
confer such advantages to an image watermark.
In DCT, an image is split up into varying frequency bands, making it
much easier to embed watermarking information in an image’s middle
frequency bands. The middle frequency bands selected as the most
visually significant sections of the image (corresponding to low
frequencies) are to be avoided, so that they are not overexposed, and their
risk of removal is not increased through noise attacks (corresponding to
high frequencies). In the original Cox approach [12], a DCT of the whole
image was obtained, and the middle frequencies used, however this is not
the most optimal, as there is no spatial optimisation, which is a useful
property to have if we are going to modify the components. A
compromise is to tile an image into 8×8 blocks and perform a DCT and
watermark on these tiles. For fingerprint images, this reveals blocks that
host zero or fewer minutia points. The watermark data is then only
embedded in these blocks.

An alternative way to trade-off spatial locality and frequency global
properties is to use wavelets, where the blocking is part of the algorithm
design. Wavelet-based image watermarking is a very popular technique
[11]. The wavelet based image watermarking is a transformed domain
approach, and generally does not affect the spatial properties of an image.
Wang et al. presented a frequency domain based watermarking scheme
[13]. In this work, they first decomposed an image using wavelet
transform, and after decomposition, they modified the wavelet coefficients
using a Cox approach [12, 25]. The main disadvantage in this approach is
that for the extraction of watermarking, an original image is required as a
reference. Zhao and Koch [26] report one of the earlier transform-based
techniques adapted for JPEG "lossy" image compression. The additional
techniques include methods reported in [27], [28].
Discrete Cosine Transform correlates with DFT in the sense that it
achieves transformation of a time domain signal to its frequency
components. However, the DCT is strictly a DFT with the components
reorganised to yield real space components, as opposed to the DFT, where
the components remain complex. The DCT has a strong “energy
compaction” characteristic [29], which means that most of the signal data
is frequently concentrated in a few low-frequency DCT components.
The JPEG compression technique makes use of this property to
separate and remove high frequency components that are insignificant in
images. Srayazdi et al [30] proposes a grey-level watermarking method
through division of the cover image into 4×4 non-overlapping blocks,
aligned with the 8×8 blocks used for a DCT. This allows the use of their
blocks to derive 4 estimates of the first five 8×8 block DCT coefficients.
Thereafter, a grey-level value is embedded through perturbation of the
low-frequency DCT value in a block with the respective estimated
modified values. One fault of this scheme is that the attackers can do this
too, suggesting that it is only the secrecy of the algorithm that hides it.
Sverdlov et al [31] developed a novel hybrid robust non-blind
watermarking scheme that is discrete cosine transform (DCT) and Singular
Value Decomposition (SVD) based. In this method, following the
application of DCT in the host image, DCT coefficients are remapped,
forming four quadrants, representing frequency bands from the highest to
the lowest. Thereafter, the SVD is applied in each quadrant. The process is
repeated on the watermark. The technique subsequently modifies single
values found in each quadrant, so to achieve a set of adjusted DCT
coefficients. The process of decoding involves mapping the altered DCT
coefficients back to their original positions, while applying an inverse
equation to generate a watermarked cover image.

Relatively few papers have been published on watermarking
fingerprint images, using novel techniques specific to such images. Ratha
et al. in [32] propose a data concealing method, which can be applied to
WSQ wavelet compressed fingerprint images. The discrete wavelet
transform coefficients are altered during WSQ encoding, while
considering possible image deterioration. Pankanti and Yeung [33]
propose a fragile watermarking method for use in fingerprint verification.
One embeds a spatial watermark image in the fingerprint image’s spatial
domain through a verification key. The method proposed can localize any
region of an image that has been tampered with. Pankanti and Yeung
conclude further that their technique does not significantly decrease the
performance of fingerprint verification. Jain in [34] uses a semi-unique
key that is based on local block averages, so to detect any tampering with
host images, including faces and fingerprints.
4. Watermarked Biometrics
Biometrics recognition has been widely deployed for user identity
authentication when biometrics samples are obtained under monitoring.
However, for remote identity authentication, biometric authentication is
far from being a mature technology. Biometrics is not secret, where for
example, fingerprint or face biometrics could be acquired easily without
the consent or permission from the owner [36, 37]. The fake fingerprint
acquired from a glass surface in the iPhone 5S story is a typical example
used to indicate how sensors can be tricked [1, 2]. Encryption, in this
case, does not provide security. There is an urgent need to reconsider how
to use biometrics for identity authentication effectively. Watermarked
biometrics is one of the possible solutions for how future biometric
authentication applies to remote personal identification.
In remote biometric authentication systems, raw biometric samples
could be sampled by third parties at the user-end. To embed a watermark
to biometrics samples at the time of acquisition will help to confirm that
the biometric sample is genuine. Similar to the security features
incorporated in paper currencies, the embedded watermark proves
genuineness of the samples. The watermark can be detected and removed
only when a secret key is provided. A key is used for watermark
embedment. Compared with that of the original biometric data, the format
and size of the watermarked biometric data usually remains unchanged.

The information carried within a watermark is not usually vital to the
operation of the biometric, but is available for detection when needed. The
additional data (embedded watermark) can be detected and recovered by
using the right key. It is impossible for anyone who does not knowing the
key to remove the watermark.
In [24], a DCT-based algorithm embeds watermark messages in a
fingerprint image. The DCT divides the image into different frequency
bands, so that watermarks can be easily embedded. Two watermarks are
embedded into a fingerprint image. The host fingerprint image is
partitioned into an 8×8 block. The fingerprint minutiae locations have to
be examined first to avoid adding the watermark in those locations. Target
blocks are then selected for the first watermark embedment only where
there are fewer than two minutia points in these blocks. This ensures that
the watermarked image has a somewhat equal number of minutiae points
as compared with the original image. The second message is then added,
in the form of a grey-scale image. The DCT operation’s inverse is then
performed to extract the second watermark’s data while retaining the first.
Gunsel et al. [35] describes using two methods embedding watermarks

to fingerprint images without corrupting their features. Firstly, fingerprint
minutiae are extracted, then gradient orientation analysis is employed
while embedding the watermark. In this way, the watermark embedding
process does not modify any of the features extracted using gradient
information. The second method applies to watermark embedding before
feature extraction, which maintains the singular points within the
fingerprint image, such that the watermarked image’s classification is not
affected (e.g. into arch, left loop).
The locations of embedded watermark in host images are determined
by a secret key. Amplitude modulation method [38] has been used to
embed watermarks. To reduce the retrieval error, the high priority bits that
have more effect on the numerical information [39] are investigated.
Considering that human eyes are less sensitive to the blue channel as
compared with the red and green ones in the color images, a RGB color
image size m×n is denoted as I(m, n)={R(m, n), G(m, n), B(m, n)}. A bit
sequence of size k is described as: W=(s1, s2, …, sk). The sequence is then
embedded to the blue channel d times at different positions in the image
I(m, n) as a watermark. Then a watermarked image Iƍ(m, n)={Rƍ(m, n), Gƍ
(m, n), Bƍ(m, n)} is obtained. A pseudo-random position sequence p is used
in the encoding process to determine the positions of watermark
embedding, and the same key is regenerated in the process of decoding.
By checking the difference between the retrieved value and the original
value of the pixel, a confidence value for the watermark retrieval can be
estimated, based on a bit priority function. Phasemark is a semi-robust
Fourier domain authentication watermark to be embedded in the images
[40]. A signature extracted from the Fourier phase of the original image,
which has been decomposed in the Fourier transform frequency domain, is
encoded into the original image as a watermark [41]. The parity check
method has been proposed for embedding an invisible watermark to a
biometric template [42]. A seed produced from a pseudo random number
generator is used as a key to determine the pixel location to hide “0” or
“1”. By checking the odd parity and even parity at the selected pixel
location for watermark embedment, a match score is obtained by
comparing the sample with that of reference. A predefined threshold is
given, then the parity after insertion of watermark is calculated.
The main concern for these algorithms is that the watermark
embedding and extraction procedure does not alter the biometric features
required for recognition. Adding voice biometrics to face images of the
same individual has been investigated [43] using a 3-level Redundant
Discrete Wavelet Transform (RDWT) watermarking algorithm. When
designing how to embed a watermark, to ensure recognition accuracy, a

phase congruency model is used to compute the embedding locations so
that the facial features are preserved from being watermarked. To calculate
where the watermark is embedded, the RGB coloured face image is
decomposed into three channels, red, blue, and green, for the purpose of
increasing the embedding capacity. The embedding in the red and blue
channels makes the watermark imperceptible, while embedding in the
green channel makes the watermark visible as noise. The watermarking
algorithm involves computing appropriate locations for watermark
embedding. Locations are randomly selected in red and blue channels of
the RDWT decomposed image. These locations are stored as keys for the
red and blue channels, respectively. The keys are used for watermark
embedding and watermark extraction.
Watermarked biometrics is obtained by embedding a watermark to
biometrics. However, biometric signals and their representations of a
person vary dramatically, depending on the acquisition method,
acquisition environment, and a user’s interaction with the acquisition
devices [36]. For example, different impressions of the fingerprints are
obtained at each acquisition. Each impression may possibly depict a
different portion of the biometric, but not necessarily all of it, particularly
of the contactless biometrics acquired by the cameras. All of these render
the signal processing difficult. To investigate effective watermark
embedding schemes that do not affect the biometric features are critical
research topics.
5. Biometric-Kerberos Authentication
The story of a "fake fingerprint" photographed from a glass surface
unlocking the iphone 5S by a Germany’s Chaos Computer Club (CCC)
should raise awareness that biometrics is only a measurable distinctive
representation of a person, and that it should not be used by itself as a
security measure, since it is possible to obtain biometrical data without the
individual’s notice or permission.
Recent research efforts endeavouring to add watermark to biometrics
are the possible solution to the above problem. Kerberos is an
authentication protocol in which client and server can mutually
authenticate each other across an insecure network connection [44, 45].
However, Kerberos is not effective against password compromise, which
is one of the most frequent attacks in mobile computing services. For
example, if the user enters a password to a program that has already been
modified by an attacker (a Trojan horse), it is not difficult for attackers to
obtain sufficient information to impersonate the user. Biometrics

information can be used to authenticate that the genuine users rather than
the imposters who have the knowledge are interacting at the client end.
As we know that fake biometrics can work in remote authentication, a
process which is similar to password compromise. To address this
concern, Kerberos authentication has been proposed to be integrated into
biometrics [46]. Kerberos authentication service works based on the
existence of trusted third parties. When a principle requests access to a
remote resource, a trusted server authenticates the principle, and a ticket
for accessing the resource server is issued upon positive authentication.
There are three steps during Kerberos authentication: registration,
authentication, and ticket granting. A series of messages are exchanged
among the involved three parties. The encryption of Kerberos traffic uses
the data encryption standard (DES). The encryption and decryption
processes are described as:
Cipher: C = E{ki, (P)} (5-1)
where P is the plaintext, ki is encryption key.
Decipher: P = D{kj, (C)} (5-2)

where C is the ciphertext, kj is decryption key.

If ciphertext is decrypted with the same key used to encrypt it, i.e.: ki =
kj, the original plaintext appears. If different keys are used for encryption
and decryption, or if the ciphertext is modified, the result will be
unintelligible, and the checksum in the Kerberos message will not match
the data. The combination of encryption and the checksum provides
integrity and confidentiality for encrypted Kerberos messages. However,
[46] does not explain clearly the technical detail about how biometrics is
used.
A biometric Kerberos-based user identity authentication scheme targets
at mobile computing applications is presented in [47]. In the scheme,
smart phones having computing capability and an internal mobile camera
are the only device required at the user-end. The combination of the user
biometrics and the device information is used for identity authentication.
There are mainly three pairs of messages exchanged for users accessing an
application resource: authenticating the user identity, and returning a
session key; obtaining a resource ticket using that session key; and
accessing that resource using the ticket. Whenever a client requests access
to a resource, the Key Distribution Centre (KDC) generates a fresh

encryption session key and a ticket, which it encrypts and distributes to the
client and verifier securely. The diagram of Kerberos authentication using
biometric information is shown in Fig. 5-1.
Figure 5-1. The diagram of Kerberos authentication protocol.
x Message 1, client program sends a request to the authentication

server (AS).
x Message 2, AS creates a session key kS and timestamp Ts, encrypts
them, sends back to the client.
x Message 3, Alice decrypts M2 to obtain kS, then encrypts the service

request with network address AReq, sends to ticket grant server
(TGS).
x Message 4, TGS decrypts M3, then creates a resources session key
kSS, encrypts with kS, sends back to client.
x Message 5, Alice decrypts M4 to obtain kRS, and encrypts the
resource request, sends to resource server.
x Message 6, resource server decrypts the request, verifies ticket, and
then offers the service upon successful verification.
For biometric authentication, the user’s biometric reference is usually

stored in a registration server. A watermark generated from the computing
device, making use of the by-product in Kerberos authentication, is
embedded to user’s biometrics at the instance of the fingerprint images
acquisition. Such a watermark corrupts minutiae of the host fingerprint
images while offering forensic traceability in resource constraint mobile
computing services. The positive minutiae matching are then possible only
when the watermark is removed successfully. Until then, a ticket will be
issued for accessing the resource server.
The main advantage of the biometric Kerberos-based scheme

proposed in [47] is that the watermark links a device to its user. The
watermark is produced and embedded by using the internal functions of
smart phones entirely, and the watermark embedding key is the by-product
in Kerberos authentication. Only the trusted KDC has enough knowledge
to detect and remove the watermark. The ticket for the permission to
access an application resource will only be issued upon successful
biometric authentication. Only the valid biometrics acquired by the
registered device can pass the identity authentication. Each subsequent
session is treated as a fresh session, and new keys and tickets are issued
for this type of authentication process.
6. Chaotic Key Generation in Resource Constrained

Environments
Chaotic dynamics produces unpredictable behaviour with deterministic
equations [48]. The majority of the chaotic dynamics are produced by
nonlinear equations, like Lorenz equations [49], Chuaƍ circuits [50], and
Chen’s attractors [51]. Alternatively, those piecewise linear (PWL) based
chaotic systems, comprised of continuous-time linear systems with control
of piecewise linear functions, have attracted recent research efforts due to
their simple circuit implementations [52-55]. Among them, the chaos
generated from second-order linear systems with a hysteresis-based

switching is one of the simplest models. Intuitively, the responses of these
PWL systems are the solutions of their linear part on different subspaces.
In addition, the fact that the output of the hysteresis depends on both the
present and the past values of the input adds complexity, even though the
solutions look simple.
Continuous-time second-order linear systems with switching control of
hysteresis-series can be described as follows [55]:
x y
® (6-1)
¯ y x ay ui
¦
m
where x, y are the state variables, and ui i 0
hysi ( x) is a hysteresis-
series.
When a < 0 and a2 – 4 < 0, the trajectory of the linear part runs
unboundedly. With the switching of the hysteresis-series, the outgoing
trajectories of the linear part switches back when it hits the boundary of
hysteresis. This process repeats, and chaos may appear, shown in (6-1).
For the sake of simplicity, a hysteresis-series shown in Fig. 6-1(a). is
chosen. If a = í0.125, and a trajectory starts within the domain of the
chaos attraction, a three-scroll attractor is obtained as shown in Fig. 6-1(b).
The solution of the system (6-1) is:
°

x (t ) eG ( t t 0 ) cos( Z (t t )) GZ 1 sin( Z (t t )) x (t ) i
0 0 0
G
°° Z e 1 ( t t )
0 sin( Z (t t )) y (t ) i
0 0
®
° y ( t ) Z 1 G ( t t 0 )
e sin( Z ( t t 0 )) x ( t 0 i
)
°
°¯
eG ( t t 0 ) cos( Z (t t0 )) GZ 1 sin( Z (t t 0 )) y (t 0 )
(6-2)
where į = a/2 = 0.0625, Ȧ = ξͶ െ ܽଶ /2 = 0.998. x(t0), y(t0) are the initial

conditions, and i is the x values of the equilibrium points.
As shown in Fig. 6-1(b)., an unstable limit cycle, L, exists in systems
(6-1) which binding the basin of attraction. The switching lines from the
outputs of the hysteresis-series keep the outgoing trajectory within a
limited region. Even though the chaotic system (6-1) is deterministic, the
long term behavior is complicated and unpredictable.
(a)
(b)
Figure 6-1. (a) Hysteresis-series. (b) A three-scroll chaotic attractor. The solution
(6-2) is a simple closed formula which can be easily programmed in resource
constrained environment.
7. Watermarked Fingerprint Experiment Results

Take a fingerprint image as an example, this section shows how to add
watermark to fingerprint images.
A. Fingerprint Pre-processing
The captured fingerprint images often suffer deterioration due to an
irrelevant background and signal processing limitations. Consequently,
enhancement techniques are usually employed for fingerprint minutiae
extraction and matching. The following are the steps taken to extract valid
minutia points [24]:
x Binarisation and thinning operations on fingerprint image,

x Extraction of minutia points,
x Suppression of extreme minutia points,
x Removal of spurious minutia points.
As a pre-processing step, a grey-scale image is first converted to binary

using the following threshold operation:
I ( x, y) 255 if I ( x, y) ! T
I B x, y ®
¯I ( x, y) 0 otherwise
(7-1)
where IB represents the generated binary fingerprint image, I(x, y) is the

pixel intensity value of the grey-scale fingerprint image, and ș represents
the threshold which is empirically determined as shown in Fig. 7-1.
(a) (b) (c)
Figure 7-1. (a) Input fingerprint image, (b) Fingerprint image after binarization and
thining, (c) Fingerprint minutiae are highlighted.
The uniqueness of a fingerprint features is based on the local ridge

characteristics and the existing relationships. Minutia points represent the
local ridge features that appear either at a ridge’s bifurcation or a ridge’s
ending. To extract minutia points, a filter is applied on the fingerprint
image resulting from the binarisation and thinning operations. This filter
reveals the number of one-value of every 3×3 window as follows:
x A central pixel is a ridge ending if pixel value is 1 and only has 1

one-value neighbour.
x A central pixel is a bifurcation if pixel value is 1 and has 3 one-
value neighbours.
x A central pixel is normal pixel if pixel value is 1 and has 2 one-

value neighbours.
The results of the previous step may include false minutia points which
may occur due to the presence of broken ridges. Generally, the spurious
minutia points occur at the borders, since the image ends abruptly as
presented in Fig. 7-1(c). To address this problem, we remove these false
points using a masked fingerprint image. Region of Interest (ROI)
extraction is an important step for removing spurious extreme minutia
points. For this purpose, we first perform a morphological closing
operation and then apply erosion to the binary image. We consider only
those minutia points that are present inside the ROI region, as shown in
Fig. 7-2.
(a) (b)
Figure 7-2. (a) ROI extracted image, (b) Final minutia points.
B. Watermark Embedding
The minutiae on the fingerprint are extracted and used without necessary
reference to the watermark. The watermark can be generated from the
capturing device related information, such as the IEMI number, the camera
serial number, or the time stamp. In this case, user biometric images
belong to that capturing device with a serial number. This information is
encoded by using the hash function. It is not feasible to alter the message
without modifying the respective hash value. Moreover, it would not be
possible to obtain two varied messages for a single hash value.
P.W. Wong’s classic public watermark algorithm [20] is used for
watermark embedding. The hash is stored as an 8×16 bit array, and each
bit is then replicated 8 times to a 64×128 element array, so as to protect
against JPEG compression artifacts. This is then tiled over the image in
order to match its size. A corresponding binary logo image is also tiled as
needed to fit the image. These two are mutually XORed, resulting in a bit
image. A second bitplane image is generated which specifies the bitplane
in which to insert the watermark for each pixel. This bitplane is
dynamically determined using HVS [17] parameters. The image bitplanes
are then replaced with the combined logo/hash bit array, and the
watermarking process is complete. This is shown in Fig.7-3.
To extract the watermark, the same HVS parameters are determined
from the watermarked image, so to regenerate the bitplanes, and are
extracted into a binary array.
Without access to the hash, a simple symmetry operation will reveal
the general 8×8 replication of this bitplane, which is very unlikely to
happen by chance. The recovery is not perfect due to the compression
artifacts, but for JPG quality of around 30% or higher, the 8×8 symmetry
will be readily visible.
(a) (b)
(c) (d)
Figure 7-3. (a) The original fingerprint image, (b) The company logo, (c) The
extracted logo after the file was saved as JPEG with 20% quality, (d) The result of
using an invalid hash value.
The presence of the watermark is thus discernible, without revealing its

contents. The hash value can only be regenerated if all the component
information is present. This hash value can then be replicated into a binary
array, as for embedding, and XORed with the extracted bit array. If the
hash value matched with that on the embedding, then the company logo
will be revealed – subject to compression errors.
This is ultimately only a minor variation of Wong’s original work, but

served the purpose of testing the implementation. Fig.7-3(a). shows the
original fingerprint image, and the company logo is shown in Fig.7-3(b).
The different scales are automatically accounted for. Fig.7-3(c). shows that
the logo is extracted after the image was saved as a JPEG at 20% quality.
The extraction succeeded because the same hash value was calculated as
for embedding. Note that this information has to be obtained from other
sources – it cannot be discerned from the watermark. Fig.7-3(d). shows
that the image is revealed when an incorrect or no hash value is supplied.
Although there is no information, there is still an 8×8 block indicating
indirectly that the image was watermarked using this algorithm.
C. Watermarking in DCT Transform Space

The previous section described a spatial watermark which has the distinct
advantage of tying watermark components to local spatial regions (blocks
in this case). However, this comes at a price of reduced robustness. In this
section, we summarise recent work [24] on using a Discrete Cosine
Transform (DCT). Other approaches using DCT include [8, 12, 23, 30,
31].
Essentially, in a 8x8 block based DCT, the image is subdivided into
8x8 blocks, and each component in the block is then multiplied by the
corresponding block in the Basis Set, shown in Fig. 7-4. The scaled result
then corresponds to the DCT component.
If a block contains uniform values, for example, then the uppermost-
left block would yield the largest value. If, instead, a vertical edge occurs
in the 8×8 block, then the component immediately to the right of the
upper-left would resonate the most. A block with high frequency data in it
would most resemble a block to the lower-right.
At its core, a DCT is a form of block classification using DCT vectors
as the classifiers. The variations between papers relate mostly to the
details of this process.
In compression, the high frequency components are often filtered out,
so placing watermark data there would be vulnerable to compression loss.
In contrast, placing a watermark in the upper-left components would make
it visible as a wave-like texture superimposed over the image. It is for this
reason that DCT watermarks involve changing the components in the
second or third row or column.
Figure 7-4. 22D DCT Basic Vectors

V
D. Wateermarking in
n DTCWT S
Space
One of the pproblems withh the DCT ap pproach is thaat it assumes each 8×8
block is sepparated and unnconnected to o its neighborring blocks. In
I reality,
images are smoother thann that and thiis smoothnesss can scale. Hence
H we
need a transsform that smmoothly scaless over differennt levels in a way that
DCT does ppoorly. This iss one of the reeasons for usinng wavelet traansforms.
Another is tthat the DCT does not respond well to the translatio on of less
than one 8× ×8 block increement, and soo shift invariaance and croppping will
present probblems as the blocks
b are no
ow not synchrronized on thee original
block bounddaries, and so the DCT coeffficients can vvary significan
ntly.
A Dual Tree Compleex Wavelet trransform (DT TCWT) for watermark
w
embedding is applied [577], which is a variation onn the standard d wavelet
watermarkinng approach [88, 13, 25, 32],, and has beenn applied recenntly.
In a norrmal wavelet encoding of an image, thee image is su ubdivided
into four reggions. For thee most commmon Haar waveelet ‫ ܦ‬௞ , an immage I of
௡
size ܹǡ ‫ ʹ א ܪ‬for integger n., and lo ocation x,y ‫݊݁ݒ݁ א ݔ‬ǡ ‫݊݁ݒ݁ א ݕ‬, is
ௐ ு
mapped into the follow wing regions within D, eaach of size ǡ . For
ଶ ଶ
iteration ݇ ൌ ͳ as
T
ଵ
‫ܦ‬௫Ȁଶǡ௬Ȁଶ
ଶ ൌ ‫ܫ‬௫ǡ௬ ൅ ‫ܫ‬௫ାଵǡ௬ ൅ ‫ܫ‬௫ǡ௬ାଵ
௫ ൅ ‫ܫ‬௫ାଵǡ௬ାାଵ ሺ‫ܮܮ‬ሻ
ଵ
‫ܦ‬ሺ௫ାௐሻȀଶǡ௬
௬Ȁଶ ൌ ‫ܫ‬௫ǡ௬ െ ‫ܫ‬௫ାଵǡ௬ ൅ ‫ܫ‬௫ǡ௬ାଵ
௫ െ ‫ܫ‬௫ାଵǡ௬ାାଵ ሺ‫ܮܪ‬ሻ
ଵ
‫ܦ‬௫Ȁଶǡሺ௬ାுሻ
ሻȀଶ ൌ ‫ܫ‬௫ǡ௬ ൅ ‫ܫ‬௫ାଵǡ௬ െ ‫ܫ‬௫ǡ௬ାଵ
௫ െ ‫ܫ‬௫ାଵǡ௬ାାଵ ሺ‫ܪܮ‬ሻ
ଵ
‫ܦ‬ሺ௫ାௐሻȀଶǡሺ௬ା
ାுሻȀଶ ൌ ‫ܫ‬௫ǡ௬ െ ‫ܫ‬௫ାଵǡ௬ െ ‫ܫ‬௫ǡ௬ାଵ
௫ ൅ ‫ܫ‬௫ାଵǡ௬ାାଵ ሺ‫ܪܪ‬ሻ
(7-2)
These compprise regions laabeled LL, HL L LH, HH. Inn other wordss, the first
quadrant contains the sum m of 4 pixelss in a 2×2 grooup – a low-p pass filter
output, and the four quaadrant contain ns the differeence of each of the 4
pixels, resuulting in a hiigh-pass filterr output. Thhe two quad drants are
projections iin x and y resspectively. Wee then reiteratte this process only on
the first quadrant. Fig. 7--5. shows the result
r of threee iterations.
Figure 7-5. Thhree iterations of

o a Haar Waveelet encoding
In Fig. 7-5.,, the squares on

o the leadingg diagonal (LL
L3, HHn) reprresent the
low-pass (toop-left) and increasingly hig
gh-pass Haar wwavelet compponents in
x and y. Forr many of thee wavelet wateermarking pappers, the optimmal place
to perturb daata in embeddding the waterrmark are LH33 and HL3, where with
one projectiion being low w-pass allows some protectiion against atttack. The
inverse wavvelet transform m is readily apparent
a by innverting the effects
e of
equation (7--2).
A Dual Tree Compleex Wavelet traansform (DTC CWT) varies from the
above in thhat the compoonents in x, y are consideered complex x and are
combined in specific ways in order to achieve the even and odd symmetry
properties of a complex decomposition. Effectively, this allows the
DTCWT to ‘borrow’ some of the properties of the DFT, such as shift
invariance.
As demonstrated in [57], the shift invariance property of the DTCWT
allows the image to be made crop-resistant. In this way, the DTCWT
avoids the blocking limitations of the blocked DCT approach. Similar
components (LH4 and HL4) are used in a four level decomposition.
E. Chaotic Key Generation

Owing to the closed form solutions of these systems, they could be
programmed by any programming language with a size of several
kilobytes. In our experiment, they are programmed in telosb sensor, and
nesC is used for demonstration. As shown in Fig. 7-6., the chaotic scroll is
observed.
Figure 7-6. Chaos observed in sensor node.
8. Conclusion
This chapter discussed various image watermarking techniques as applied
to the domain of biometric template protection. We concentrated on
fingerprint biometrics, as they are usually presented as image scans to any

processing system.
Watermarked biometrics is expected to produce security strength
significantly greater than the biometric samples alone. Similar to security
features incorporated in paper currencies, the watermark embedded at the
instance of the image capturing end would validate the genuineness of the
biometric samples.
For readers to use the watermarked biometrics, selecting the best
domain is very important. Each of the schemes mentioned in previous
sections has its own merits and demerits, so in any evaluation, the
environment within which the measurement is to be made, and its
constraints may well dictate the ultimate choice.
References
1. C. Arthur, iPhone 5S fingerprint sensor hacked by Germany's Chaos
Computer Club.
http://www.theguardian.com/technology/2013/sep/22/apple-iphone-
fingerprint-scanner-hacked.
2. B. Reed, iPhone 5S seen spawning wave of fingerprint scanning
copycats,
http://www.telegraph.co.uk/technology/apple/iphone/10327635/iPhone
-5s-fingerprint-sensor-hacked-within-days-of-launch.html.
http://www.insurancenetworking.com/news/insurance_technology_mo
bile_payments_risk_fraud_credit-26090-1.html.
3. A. K. Jain, L. Hong, S. Pankanti, Biometric identification.
Communications of the ACM, 43(2), pp.90-98, 2000.
4. Federal Bureau of Investigation, The Science of Fingerprints:
Classification and Uses. Washington, D.C.: U.S. Government Printing
Office, 1984.
5. T. Y. Chung, M. S. Hong, Y. N. Oh, D. H. Shin, and S. H. Park,
Digital watermarking for copyright protection of mpeg2 compressed
video. Consumer Electronics, IEEE Transactions on, 44(3), pp.895–
901, 1998.
6. S. Stankovic, I. Orovic, and N. Zaric. An application of
multidimensional time-frequency analysis as a base for the unified
watermarking approach. Image Processing, IEEE Transactions on,
19(3), pp.736–745, 2010.
7. I. J. Cox, M. Miller, J. Bloom, J. Fridrich, T. Kalker, Digital
Watermarking and Steganography, ISBN 978-0123725851, Morgan
Kaufman, 2007
8. C. T. Li and F.M. Yang, One-dimensional Neighborhood Forming

Strategy for Fragile Watermarking. Journal of Electronic Imaging,
12(2), pp. 284-291, 2003.
9. C. Podilchuk, and W. Zeng. Image-adaptive Watermarking Using
Visual Models. In IEEE Journal Selected. Areas of Communications,
16, pp. 525-539, May 1998.
10. C. Podilchuk, and E. Delp. Digital Watermarking Algorithms and
Applications. In IEEE Signal Processing Magazine, 18(4), July 2001.
11. I. J. Cox, J. Kilian, F. T. Leighton, and T. Shamoon, Secure spread
spectrum watermarking for multimedia, IEEE Trans. Image Process.,
6(12), pp. 1673-1687, December 1997.
12. Y. Wang, J. F. Doherty, and R. E. Van Dyck, A wavelet-based
watermarking algorithm for ownership verification of digital images,
IEEE Trans. Image Process., 11(2), pp.77-88, February 2002.
13. Z. M. Lu, D. G. Xu, S. Sun, Multipurpose image watermarking
algorithm based on multistage vector quantization. Image Processing,
IEEE Transactions on, 14(6), pp.822-831, 2005.
14. M. U. Celik, G. Sharma, E. Saber, and A. M. Tekalp, Hierarchical
watermarking for secure image authentication with localization, IEEE
Trans. Image Process., 11(6), pp. 585-595, June 2002.
15. L. Jaejin and S. W. Chee, A watermarking sequence using parities of
error control coding for image authentication and correction, IEEE
Trans. Consum. Electron., 46(2), pp. 313-317, May 2000.

16. F. Y. Shih, and S. Y. T. Wu, Combinational image watermarking in the
spatial and frequency domains. Pattern Recognition, 36(4), pp. 969-
975, 2003.
17. S. Craver, N. Memon, B.L. Yeo, M. M. Yeung, Resolving rightful
ownerships with invisible watermarking techniques: Limitations,
attacks, and implications. IEEE Journal on Selected Areas in
Communications, 16(4), pp. 573-586, 1998.
18. N. Nikolaidis and I. Pitas, Copyright protection of images using robust
digital signatures, in Proc., IEEE Int. Conf. on Acoustics, Speech and
Signal Processing, 4, pp. 2168-2171, May 1996.
19. P.W. Wong, A public key watermark for image verification and
authentication, Proceedings of IEEE International Conference on
Image Processing, Chicago, USA, 47, pp. 425-429, October 1998.
20. F. Han, R. van Schyndel, M-identity and its authentication protocol for
secure mobile commerce applications, 4th International Symposium on
Cyberspace Safety and Security, LNCS7672, pp.1-10, Melbourne
Australia, December 2012.
21. J. Huang, Y. Q. Shi, Y. Shi, Embedding image watermarks in DC

components, IEEE Trans. CSVT 10 (6), pp.974-979, 2000.
22. S. D. Lin, C. F. Chen, A robust DCT-based watermarking for
copyright protection, IEEE Trans. Consumer Electron. 46 (3), pp.415-
421, 2000.
23. M. Alkhathami, F. Han, R. van Schyndel, Fingerprint image protection
using two watermarks without corrupting minutiae. In 8th IEEE
Conference on Industrial Electronics and Applications (ICIEA), pp.
1151-1155, June 2013.
24. I. Cox, J. Ingemar J., and L. Matt, The first 50 years of electronic
watermarking. EURASIP Journal on Applied Signal Processing. 1,
pp.126-132, 2002.
25. J. Zhao, E. Koch, Embedding Robust Labels into Images for Copyright
Protection. In KnowRight, pp. 242-251, August 1995.
26. M. Swanson, B. Zhu, and A. Tewfik, Transparent robust image
watermarking, in Proc. Int. Conf. on Image Processing 3, pp. 211-214,
September 1996.
27. F. M. Boland, J. J. K. O’Ruandaidh, and C. Dautzenberg,
Watermarking digital images for copyright protection, in Proc. IEE
Image Processing Applications Conf., pp. 326-330, 1995.
28. K. R. Rao and P. Yip.: Discrete Cosine Transform: Algorithms,
Advantages, Applications, Academic Press, Boston, 1990.
29. S. Saryazdi, M. Demehri, A Blind DCT Domain Digital

Watermarking, 3rd International Conference: Sciences of Electronic,
Technologies of Information and Telecommunications, 2005.
30. S. Sverdlov, Dexter, A. M. Eskicioglu, Robust DCT-SVD Domain
Image Watermarking for Copyright Protection: Embedding Data in all
Frequencies, International Multimedia Conference, Proceedings of the
workshop on Multimedia and security, pp.166-174, 2004.
31. N.K. Ratha, J.H. Connell, and R.M. Bolle, Secure Data Hiding in
Wavelet Compressed Fingerprint Images, Proc. ACM Multimedia, pp.
127-130, October 2000.
32. S. Pankanti and M.M. Yeung, Verification Watermarks on Fingerprint
Recognition and Retrieval, Proc. SPIE, 3657, pp. 66-78, 1999.
33. S. Jain, Digital Watermarking Techniques: A Case Study in
Fingerprints & Faces, Proc. Indian Conf. Computer Vision, Graphics,
and Image Processing, pp. 139-144, December 2000.
34. B. Gunsel, U. Uludag, and A. M. Tekalp, Robust Watermarking of
Fingerprint Images, Pattern Recognition, 35(12), pp. 2739-2747,
December 2002.
35. A. K. Jain, S. Prabhakar, L. Hong, A multichannel approach to

fingerprint classification, IEEE Trans. on Pattern Anal. Machine Intell.,
21, pp.348-359, 1999.
36. U. Uludag, S. Pankanti, S. Prabhakar, A.K. Jain, Biometric
cryptosystems: Issue and challenges, Proceedings of the IEEE, 92,
pp.948-960, 2004.
37. T. Amornraksa, K. Janthawongwilai, Enhanced images watermarking
based on amplitude modulation, Image and Vision Computing, 24(2),
pp.111-119, February 2006.
38. T. Hoang, D. Tran, D. Sharma, Bit priority-based biometrics
watermarking, 2nd International Conference on Communications and
Electronics, pp.191-196, June 2008.
39. F. Ahmed, I. S. Moskowitz, A correlation-based watermarking method
for image authentication application, Optical Engineering, 43(8),
pp.1833-1838, 2004.
40. F. Ahmed, I. S. Moskowitz, Composite Signature based watermarking
for fingerprint authentication, In Proceedings of the 7th workshop on
Multimedia and security, pp.137-142, New York 2005.
41. R. Yadav, R. Saini, R. Nandal, Biometric template security using
invisible watermarking with minimum degradation in quality of
template, International Journal on Computer Science and Engineering,
3(12), pp.3656-3668, 2011.
42. M. Vasta, R. Singh, A. Noore, Feature based RDWT watermarking for

multimodal biometrics systems, Image and Vision Computing, 27(3),
pp.293-304, 2009.
43. B. C. Neuman and T. Y. T'so. Kerberos: An authentication service for
computer networks, IEEE Communication Magazine, 32(9), pp.33-38,
1994.
44. J. T. Kohl, B. C. Neuman, and T. Y. T'so, The evolution of the
Kerberos authentication system. In Distributed Open Systems, IEEE
Computer Society Press, pp.78-94, 1994.
45. M. S. Shashidhar, D. Suresha. Implementation of secure biometric
authentication using Kerberos protocol. Inter. Journal of Advanced
Research in Computer Science and Software Engineering, 2(3),
pp.249-254. 2013.
46. F. Han, M. Alkhathami, R.van Schyndel, Biometric-Kerberos
Authentication Scheme for Mobile Computing Services, 6th
International Congress on Image and Signal Processing (CISP),
HangZhou China, December 2013.
47. G. Chen, and X. Dong, From Chaos to Order, Methodologies,
Perspectives and Applications, World Scientific, Singapore. 1998.
48. E. Ott, Chaos in dynamical systems, Cambridge University Press,

second edition, New York, USA, 2002.
49. R. N. Madan, (ed.), Chua’s circuit: A paradigm for chaos, World
Scientific, Singapore. 1998
50. G. Chen, T. Ueta, Yet Another chaotic attractor. Inter. J. of Bifur. and
Chaos, 9(7), pp.1465-1466, 1999.
51. M. E. YalçÕn, J. A. K. Suykens, J. Vandewalle, True random bit
generation from a double-scroll attractor, IEEE Trans. on Circuits and
Systems-I, 51(7), pp.1395-1404, 2004.
52. T. Satio, On a hysteresis chaos generator, In Proc. IEEE ISCAS,
Kyoto, Japan, pp.847-849, June 1985.
53. M. Storace, M. Parodi, D. Robatto, A hysteresis-based chaotic circuit:
dynamics and applications, Inter. J. Circuit. Theory appl., pp. 527-542,
l999.
54. F. Han, X. Yu, Y. Wang, Y. Feng, and G. Chen, N-scroll chaotic
oscillators by second-order systems and double-hysteresis blocks, IEE
Electronics Letters, 39, pp.1636-1637, 2003.
55. J. J. K. Ó Ruanaidh and T. Pun, Rotation, Scale and Translation
Invariant Spread Spectrum Digital Image Watermarking, IEEE Signal
Processing, 66(3), 1998.
56. M. Alkhathami, F. Han and R. van Schyndel, Fingerprint image
watermarking approach using DTCWT without corrupting minutiae,
6th International Conference on BioMedical Engineering and

Informatics (BMEI13), Hangzhou, China, December 2013.
CHAPTER FOURTEEN
3D FINGERPRINTS: A SURVEY
WEI ZHOU,1 JIANKUN HU,1,* SONG WANG,2

IAN PETERSEN1
AND MOHAMMED BENNAMOUN3
1
SCHOOL OF ENGINEERING AND INFORMATION
TECHNOLOGY, UNIVERSITY OF NEW SOUTH WALES,
CANBERRA, AUSTRALIA 2600
2
SCHOOL OF ENGINEERING AND MATHEMATICAL SCIENCES,
LATROBE UNIVERSITY, MELBOURNE, AUSTRALIA 3086
3
SCHOOL OF COMPUTER SCIENCE AND SOFTWARE
ENGINEERING, UNIVERSITY OF WESTERN AUSTRALIA,
PERTH, AUSTRALIA 6009
Abstract
Fingerprint has been one of the most successful biometrics applied in both
forensic law enforcement and security applications. Fingerprint
acquisition, for many years, has been accomplished by first pressing a
finger on a hard plane, and then converting the image into a digital form.
Recent developments in fingerprint acquisition technology have resulted in
touchless live scan devices that generate 3D representation of fingerprints.
By capturing the fingerprints in 3D using a non-contact based imaging
technique, much higher quality fingerprint images can be obtained and
higher matching performance can be achieved if a fingerprint's quality is
sufficiently good. Besides, 3D fingerprints are more difficult to duplicate
or counterfeit. All these result in more secure and robust fingerprint
recognition systems. In this chapter, we investigated the advantages of this
new technology, the acquisition of 3D fingerprint images, the compatibility
between 3D fingerprints and 2D fingerprints, the feature representation of
460 Chapter Fourteen
3D fingerprrints, and the possible reseearch on 3D ffingerprints in

n the near
future.
Keywords: S
Security, Biom
metrics, Fingeerprint, 3D.
1 Introd
duction
Fingerprint recognition has been thee most practtical and wid dely used
biometric teechnique sincce the 1980ss. Over the llast decade, computer
technology hhas facilitatedd both the acqquiring and prrocessing of fingerprint
f
data. Thereefore, automaated fingerprrint identificaation and veerification
systems are widely used in commerciaal and security ty applicationss, such as
access contrrol, denial opeerations, and criminal
c identiifications.
Fingerprrint acquisitioon, for several decades, hhas evolved from ink
(rolled or pplain) to cappacitive, ultraasonic, pyro--electric, therrmal, and
optoelectronnic approachhes (see Fig gure 1.). A Among thesee capture
approaches, contact-baseed methods detect the geometric difference d
between conntact and nonn-contact parts (e.g., ridgees and valley ys) of the
fingertips onn a device. The
T optical approach, on thhe other hand, captures
the texture innformation off the fingerprin
nt under exam
mination.
Recent developments in fingerp print acquisittion technolo ogy have
resulted in touchless 3D D (three-dimensional) live scan (see Figure 2.),

which uses oone digital cam
mera and severral mirrors, or more than onee camera,
Figure 1. Tradditional fingerpprint sensors
which surroound the fingeer for acquisition of a 3D fingerprint. Touchless

T
biometric rrecognition performed
p using 3D finngerprint mo odels has
advantages such as reduccing problemss related to thhe deformatioons of the
skin, dust onn the sensor, and
a spoofing of latent fingeerprints. Moreeover, the
3D Fingerprintts: A Survey 461
fingerprint aarea usable foor the recogniition is widerr than the onee captured
by traditionnal contact-baased acquisition techniquees. Therefore, the new
generation oof touchless livve scan devicees that generaate 3D represeentation of
fingerprints has been inntroduced to the market. A 3D singlee and ten
fingerprint ssystem that uses
u shape from shading aand stereovision-based
techniques to obtain 3D fingerprin nts in a nonn-contact fash hion was
developed bby TBS Nortth America [1]. [ Flashscann3D LLC [2]] and the
University oof Kentucky have
h developeed a non-contaact, 3D fingerr scanning
system, which can capturee the 3D ridgee-valley detaills of the fingertips.
To be ccompatible wiith existing 2D 2 fingerprinnting technolo ogy, there
have been many attem mpts that extend
e the ttraditional fingerprint
f
identificatioon methods too 3D fingerp print identificcation. Howeever, it is
necessary too unroll the 3D fingerprin nt images intto 2D equivaalent ones
before matcching. Availabble unrolling algorithms caan be divided d into two
categories--pparametric annd non-parameetric--accordinng to whetherr a model
is assumed for the fingerr surface or not.
n Parametriic unrolling algorithms
a
assume that the finger suurface can be represented aas a parametric surface,
e.g., cylindeer, tube or sphhere. Unlike parametric
p meethods, non-p parametric
methods do not assume any a models for f the finger surfaces, insttead, they
directly commpute the corrresponding pix xels in the 2D
D equivalent fingerprint
f
image from the points in thet 3D fingerp print model.
Figure 2. 3D fingerprint senssors
In this chappter, we inveestigate the 3D 3 fingerprinnting compreh hensively,

including thhe advantagees of this neew technology gy, various acquisition
techniques of 3D fingeerprint imagees, the comppatibility betw ween 3D
fingerprints,, and 2D fingeerprints, and th
he possible fuuture research..
The restt of this chaapter is orgaanized as folllows. Section n 2 is a
comparison between tradiitional 2D fing gerprinting annd newly deveeloped 3D
fingerprintinng. Section 3 elaborates on various acqquisition tech hniques of
3D fingerprints. The unrolling algorithms are investigated in Section 4.

Section 5 introduces feature detection and representation of 3D
fingerprints. Section 6 investigates quality analysis done on 3D
fingerprints. Section 7 discusses the future directions of 3D fingerprinting
and Section 8 concludes the whole work.
2 Comparison with 2D fingerprinting

2.1 Disadvantages of 2D fingerprinting
Traditional 2D fingerprinting technologies rely upon either applying ink
(or other substances) to the fingertip skin, and then pressing or rolling the
finger onto a paper surface or touching or rolling the finger onto a glass
(silicon, polymer, proprietary) surface (platen) of a special device. In both
cases, the finger is placed on a hard or semi-hard surface, resulting in some
disadvantages of the 2D fingerprint scanning [3]:
x obligatory maintenance of a clean sensor or prism surface;

x uncontrollability and non-uniformity of the finger pressure on the
device;
x permanent or semi-permanent change of the finger ridge structure
due to injuries or heavy manual labours;
x residues from the previous fingerprint capture;

x data distortion under different illumination, environmental, and
finger skin conditions;
x extra scanning time and motion artefacts incurred in technologies
that require finger rolling.
2.2 Advantages of 3D fingerprinting

3D touchless fingerprint acquisition is a remote sensing technology to
capture the ridge-valley pattern, which provides essential information for
recognition. Examples of a 3D fingerprint image and its corresponding 2D
fingerprint image are shown in Figure 3. Compared with conventional
fingerprinting, the advantages of 3D fingerprint scanning and processing
technology are as follows.
2.2.1 Automaticity
3D fingerprint devices can function independently of an operator, since the

finger is aligned with real-time visual feedback, which gives the user real-
time feedbaack for correct placement of o the finger. The operatorr does not
need to interract with the user
u unless there is a speciaal circumstancce such as
a physical ddeformity. Theerefore, quality of the print is no longer tied
t to the
skills of thhe operator manipulating
m the acquisitioon. Besides, enhanced
segmentatioon can be donee for multi-fin
ngers capture [[4].
2.2.2 Imagee quality
Better imagge quality is achieved

a becaause there is nno contact off the print
with the scaanner so to distort the imagge. Simultaneoous acquisitio
on of both
texture and ridge depth innformation [55] of fingers pproduces highher-quality
fingerprint images, whicch can result in improvedd fingerprint matching
accuracy.
2.2.3 Speed
d
3D fingerprrint scanners can achieve fast scanningg (less than 1 second).

Some devicees can scan teen prints simu
ultaneously annd allow for use in high
volume enviironments.
Figure 3. 3D vs. 2D fingerprrint image
2.2.4 Stabiliity
3D fingerpriint devices caan function co

onsistently reggardless of dryy, oily, or
damaged finngertip surfaces, therefore, the failure too acquire ratess are very
low.
2.2.5 Compatibility
3D fingerprints are flattened to produce 2D equivalent fingerprints, which

are consistent and compatible with existing databases and matching
programs.
2.2.6 Low cost
The use of off-the-shelf commodity cameras and projectors, whose

performance is market driven, can help build low-cost acquisition systems.
Besides, no cleaning is required, which can eliminate costs and downtime
associated with cleaning the platen of conventional contact based scanners
between users.
2.2.7 Security
3D fingerprinting is robust to clutter and fraud (e.g. latex overlays) because

of the difficulties in faking 3D fingerprints. Besides, it can reduce the risk
of transfer of microorganisms and communicable diseases.
2.3 Disadvantages of 3D fingerprinting

Despite the advantages, 3D fingerprinting is a new technology, and there

are some drawbacks of using it:
x the image resolution is not constant within the image, and decreases
from the centre to the image extremities;
x the contrast between the ridges and the valleys is low in fingerprint
images;
x defocus and motion blurriness are acquired sometimes.
3 3D Fingerprint Acquisition Technology

A 3D fingerprint acquisition system is a combination of projector(s),
camera(s) and/or mirrors with calibrated positions. According to the
number of cameras used in the system and the illumination pattern, we
classify the acquisition technology into several categories.
3D Fingerprints: A Survey 465
3.1 Single Digital Camera Based Capture System
3.1.1 Single Image
B.Y. Hiew et al. [6] proposed to use a digital camera to acquire the
fingerprint images with the size of 640*480 (see Figure 4). The captured
raw images will be normalized, segmented, enhanced and followed by the
core point detection. After the core point detection, the image is cropped
again into the size of 200*200 with the core point as the centre. The
normalized images will then be proposed by the Gabor filters to extract
features. Chulhan et al. [7] introduced a hardware approach that used a
camera and the wavelengths of light. Besides, they proposed a strong view
difference image rejection method using the distance between the core and
the centre axis of the finger, in order to overcome the 3D to 2D image
mapping problem.
Figure 4. Single image capture system used in [6]
Apart from the above 3D fingerprint image acquisition method using a

single image, Ruggero et al. [8] proposed to simulate contactless
fingerprint acquisitions performed in different light conditions, by using
different hardware setups and image processing techniques. The method
starts from a simulated fingerprint image or a real fingerprint image
captured using a contact-based sensor. Well-known algorithms designed
for fingerprint recognition systems are applied to the input image in order
to extract the distinctive pattern of the ridges. Then, realistic effects such
as noise, pores, and incipient ridges, are introduced. The next step is the
estimation of the 3D structure of the ridges, which is then superimposed on
a parametric model of the finger shape, computed considering
experimental measurements of the average finger curvature. In order to
improve the realism of the simulated data, the lens focus blur is simulated.
The model is then completed with the estimation of a realistic colour
pattern, obtained by applying a low-pass filter to a real contactless
fingerprint image, and by adding the properties of reflectance that match
the ones of the human skin. Finally, a virtual light source is used to
illuminate the scene and make the details of the ridges visible.
Disadvantages: Such acquisition methods cannot get the 3D model of
the fingerprint, some parts of the fingerprint region are in focus but some
parts are out of focus, and the effective region of the fingerprint is very
limited.
3.1.2 Multi-Images
Gil et al. [9] proposed to use a linescan camera and a mechanical motion
system to acquire the equivalent of a rolled fingerprint collected by contact
means. The system captures four high-resolution images at different
depths, using polarization rotation and birefringence at frame rate and with
no moving parts. Then the depth from focus is used to generate a coarse
3D data file. The captured images are registered and combined into a
single 500 PPI (points per inch) high-resolution image. Finally, the 3D data
is used to create the equivalent of a rolled fingerprint for comparison with
standard fingerprint databases.
Xufang et al. [10] used a photometric stereo 3D reconstruction system

to obtain 3D fingerprint data (see Figure 5.). The system comprises a
camera with a resolution of 659*493 pixels and seven LED lamps mounted
around it. By synchronizing the camera and lamps, seven fingerprint
images under various lighting conditions can be captured within 0.2
second. Using the calibrated lighting directions and image intensities in
seven images, the surface normal at each image point can be estimated by
solving a nonlinear equation. Finally, 3D models of fingerprints are
obtained through surface normal integration.
Ajay et al. [11] developed a low-cost 3D fingerprint acquisition system
using a single camera. Several finger images are acquired using contactless
imaging setup and the average/expected distance between the camera and
the finger is around 10cm. Seven illumination sequence and the image
acquisition are synchronized and controlled by a computer using a very
low-cost imaging interface. The position of LEDs on the acquired images
is calibrated. Each of these images is down sampled (after edge detection
and boundary scanning) to extract 500*350 pixels region of interest (ROI).
Once the ROI images are extracted, the 3D fingerprint surface is
reconstructed using the shape from shading technique.
Figure 5. Multi-images capture system used in [10]
Hee-seung et al. [26] also designed a touchless fingerprint sensing system

to acquire a complete extended fingerprint image by using a single camera,
two planar mirrors, several light - emitting diodes (LED)-based
illuminators and a lens. The two planar mirrors work as virtual cameras
and can reflect the left and right side view of a finger. To acquire the
expanded fingerprint image, a new mosaic method was proposed to
combine frontal-view and side-view images. They consider minutiae and
ridge points as the correspondences for initial alignment, and use the thin
plate spline (TPS) model and ridge mapping for finer alignment. In
particular, to reduce the ridge width variation caused by perspective
distortion and to preserve the ridge intervals of a mosaicked image as
consistently as possible, they select the regions to be mosaicked from three
views, by comparing the ridge width values in all images.
3.2 Two-Camera Based Capture System

Ruggero et al. [12] presented a novel methodology being able to obtain
a 3D reconstruction of the fingertip in less constrained conditions (see
Figure 6.). The method is based on a single two-view acquisition of the
fingertip with the aid of a fixed projected pattern. The finger is placed
according to the depth of focus of the cameras, and in the overlapping field
of views. The proposed methodology can be applied to a single acquisition
composed by two frames, captured using a synchronization trigger. The
projected pattern is used in order to extract a set of reference points in the
two images, which are rapidly matched by using the geometric information
related to the pattern itself. The finger model is then reconstructed by using
the information related to a previous calibration of the cameras. A novel

algorithm is then used in order to remove the light pattern from the
captured images, and one input image is wrapped on the resulting 3D
model, obtaining a 3D pattern with a limited distortion of the ridges.
Finally, an enhancement method is applied to the texture of the 3D model
in order to improve the visibility of the distinctive characteristics of the
fingertip.
Figure 6. Two-camera based capture system used in [12]
Yao et al. [13] presented a theoretical study to reconstruct a set of 3D

minutiae from two planar minutiae images captured by mobile devices. At
first, two fingerprint images were obtained by using two cameras with
known relative positions under the assumption that the images were
obtained by cameras via orthogonal projection and the minutiae did not
contain angle information. Then, two planar minutiae sets were extracted
from these two images to reconstruct 3D minutia points.
3.3 The Surround Imager

Geppy et al. [14] in TBS North America developed a 3D fingerprint
acquisition technology named the surround imager (SI, see Figure 7). The
device is a cluster of 3 or 5 cameras located on a semicircle and pointing to
its centre, where the finger has to be placed in a correct position so that it is
completely contained in the field-of-views of the cameras at the same time
during the acquisition. Moreover, the device contains a set of several green
LED arrays and the large size has also been chosen to dissipate the heat
generated by the light system.
Figure 7. Thee surround imagger and the phottos it captures
The Surrounnd Imager prrovides a neg gative polarityy representation of the

fingerprint, i.e., the ridgees appear to be brighter thaan the valleys. Besides,
the image obbtained by thee device also contains the sstructure of th he valleys.
The 3D rreconstructionn procedure is based on stereovission and
photogramm metry algorithhms. Thus, the exact posittion and orien ntation of
each cameraa (camera caliibration) with respect to a ggiven referencce system
are needed ffor further proocessing. The calibration iss done off-line, using a
3D target onn which, poinnts with known n positions arre marked. Too facilitate
the integratiion of the Surrround Imagerr into existingg systems, a 2D D version
of the reconnstructed finggerprint is also o provided affter the reconnstruction.
The compuuted 3D fingeer geometry can be usedd to virtually y roll the
fingerprint oonto a plane, obtaining
o a co
omplete rolledd-equivalent fingerprint
f
of the acquirred finger.
3.4 Structtured Light Illuminatioon (SLI)

The idea off SLI is to prooject a structu
ured pattern oof light onto the target
surface andd to extract thet depth by the amount of deviation n that the
reflected ligght pattern unndergoes (see Figure 8.). F
Flashscan3D LLC.
L and
the University of Kentuccky [4][5][15]][16] have deeveloped the following
non-contact 3D scanning systems that employ structtured light illu umination
(SLI).
3.4.1 SLI single Point Of View (POV)
In the SLI single POV approach, the scanner, which can simultaneously
acquire 3D scans of all the five fingers and the palm in high speed and
fidelity, consists of a commercial off-the-shelf projector to project the SLI
patterns and a high resolution camera to capture the shape deformed SLI
patterns reflected from the target being scanned.
The algorithm for fingerprint scanning is phase measuring profilometry
(PMP), which originates from classical optical interferometry techniques,
and can make a 3D scan of the human finger with sufficiently high
resolution so as to record 3D ridge depth information. Post processing of
these scans is performed later to virtually extract the finger and palm
surfaces, and create 2D flat equivalent images.
Figure 8. Structured light Illumination [5]
3.4.2 SLI Sub-windowing
In the SLI Sub-window technique, the scanner uses a custom LED line
source with a static SLI pattern and cameras operating in sub-window
mode rather than full-frame for increased frame rates.
The hardware [17] consists of a simple projection system with an LED-
based illumination module and a photographic slide with encoded sine
wave patterns. The projection system effectively projects a static image
pattern on a target surface. A small region of interest (ROI) of the pixel
resolution in the camera sensor is chosen. The ROI is called an image slice.
Additionally, the exposure time of the camera is set very low, which limits
the amount of light available per frame but helps in capturing the 2D image
slices at a very high frame rate. Using the sub-window based approach, the
2D image slices are captured at a much higher frame rate with the finger
moving across the projector and camera's fields of view in a swipe like
motion. The number of image slices captured N, is based on the camera's

frame rate and the speed at which the finger moves in the scan volume.
The image slices are stitched using an image registration algorithm so to
create an image mosaic of the full fingerprint.
Full-hand scanners using SLI Sub-windowing were also developed by
Flashscan 3D LLC. For this type of scanner, a total of four cameras capture
image slices for each camera. Multiple image-slices are captured by each
camera at a very high frame rate, so to span the length of a full hand (from
tip of the middle finger to the bottom portion of the palm). For a 3D full-
hand scan, a subject moves his/her hand in a vertical direction. The scanner
has a built-in proximity detector to turn on the LED line source and project
a static SLI pattern onto the target. Each camera only captures a portion of
the hand, and all the cameras are hardware synced to capture the image
slices at the same time. Multiple image-slices for each camera are stitched
to create a mosaic of texture image of the hand portion in addition to
generating the phase map for 3D depth computation using the projected
SLI pattern.
4 Compatibility with 2D fingerprints

There are two ways to develop an Automatic Fingerprint Identification
System (AFIS) using 3D fingerprints: (1) 3D image based and (2) 2D flat
equivalent image based. The former requires developing new feature

extraction and matching methods. The latter can make use of the existing
algorithms for 2D fingerprint processing after 3D fingerprint scans are
unravelled into 2D flat equivalent ones.
The flattening approaches can be roughly classified into parametric and
nonparametric methods. While parametric methods try to project the 3D
object onto a parametric model, e.g., a cylinder, and then flatten the model,
nonparametric methods apply the flattening directly to the 3D object (see
Figure 9.).
4.1 Parametric Methods

4.1.1 Cylindrical model
Yi Chen et al. [16][18] used a cylinder as the parametric model. Since a

cylindrical model is the closest model to the finger shape, it is a reasonable
choice for parametric unwrapping of 3D fingerprints. The transformation
in this method is often straightforward. The texture of the fingerprint is
projected onto the cylinder which surrounded the finger, and then the 2D
fingerprint iis obtained byy flattening thee cylinder. Eaach point ሺ‫ݔ‬ǡ ‫ݕ‬ǡ
‫ݖ ݕ‬ሻ in the
fingerprint iis transformedd to the cylin ndrical coordiinateሺߠǡ ‫ݖ‬ሻ, whereߠ
w ൌ
‫ି݊ܽݐ‬ଵ ሺ‫ ݔ‬Τ‫ݕ‬ሻሻ.
Shortcom mings: This method doess not preservee the relativee distance
between thee points on thhe original fin ngerprint surfface, so it intrroduces a
horizontal ddistortion to thhe flattened fin
ngerprint.
Figure 9. Three representativve unrolling alg

gorithms [23]
4.1.2 Tube m
model
Several algoorithms to unnravel 3D fing gerprints into 2D equivalen nt images

using a tube model [9][12][15][16] have h been devveloped. The finger is
similar to a ccylinder but teends to taper in
i radius towaard the fingerttip. So the
tubular fit algorithm fits a series of consecutivve circles to o the 3D
fingerprint ccross section along its leng gth. The finggerprint pointss are then
associated wwith a radius, angular value, and theirr original Y coordinate
c
based on eaach consecutivve circular cro oss section. K
Knowing the radius
r and
angle of eacch point allowws the print to be “rolled” inn a way mimiicking the
rolled print pprocess.
4.1.3 Fit sph

here model
Another alggorithm, the fiit-sphere algo

orithm [19], wwas proposed to reduce
the computaational cost. The fit spherre model reliies upon bestt fitting a
sphere to thhe fingerprintt scan, wheree the original 3D data in Cartesian
coordinates is convertedd to the sph herical coorddinate ሺߠǡ ‫׎‬ǡ ߩሻ.
ߩ Then,
fingerprint rridges will bee extracted frrom depth byy applying a band-pass
b
filter to the ߩdimension, where the loww-frequency, smooth conto ours of the
finger surface as well as high-frequency, noise fluctuations, will be

removed. That is, the 3D fingerprint surface was mapped onto a plane with
minimal distortion.
Shortcomings: The curvature is not an exact fit to a typical finger, so
there is some projection error. While the algorithm does mimic flat
fingerprint acquisition, the spherical fit algorithm does not mimic the
rolled print process.
4.2 Non-Parametric Methods

4.2.1 Spring Algorithm
The spring algorithm [20] first extracts the smooth surface of the 3D
fingerprint by smoothing the ridge and valleys by a weighted, non-linear,
least square algorithm. The weights are obtained by a Gaussian function.
Then the smoothed 3D surface is transformed to the 2D unrolled surface
using the spring algorithm [21]. The texture of the fingerprint (ridges and
valleys) is calculated by taking a difference between the original 3D
surface and the smoothed 3D surface. Therefore, the final, unrolled, 2D
fingerprint is obtained by putting the texture onto the unrolled surface
which is extracted by the spring algorithm.
Sara et al. [22] also adopted the spring algorithm to convert the 3D
fingerprint surface into a 2D unrolled surface, however, the texture (ridges

and valleys) of fingerprint is computed by curvature analysis, particularly,
the points lying on ridge lines on the surface are extracted by Gaussian and
mean curvature.
Shortcomings: There are several challenges to the spring algorithm,
such as the distortion effects of the finger tip that do not mimic rolled or
flattened prints. Besides, the spring algorithm is numerically intensive.
4.2.2 Direct Sampling
In this method [18], the unwrapping directly applies to the fingerprint

without projecting it to a special model. The approach locally unfolds the
finger surface. In fact, a 3D fingerprint is divided into thin horizontal
parallel sections and each section is unfolded separately. Linear
interpolation is used to obtain more slices between the main slices, which
results in a smoother fingerprint. Finally, points are regenerated using
linear interpolation for each horizontal slice, so to map the slice from 3D to
2D. The regenerating of the point for unwrapping starts from the centre
and goes to the nail side. The non-parametric method generates better
results than the parametric method, since it preserves the relative distance
between minutiae in the fingerprint.
Qijun et al. [23] took distortion into consideration when converting 3D
fingerprints into 2D equivalent fingerprints using direct sampling, and
proposed a distortion model. The distortion model aims to simulate non-
uniform sampling rates caused by the non-uniform pressure across a plain
fingerprint. For simplicity, two assumptions on plain fingerprint
acquisition are made: 1) The finger moves towards the fingerprint sensor
along the direction perpendicular to the acquisition plane of the sensor.
The point on the finger surface which touches the acquisition plane first is
defined as the centre of the obtained fingerprint. 2) No traction or torsion is
applied to the finger once it gets in contact with the acquisition plane.
Under these assumptions, the pressure reaches the maximum at the centre
and gradually decreases as we approach the boundary of the fingerprint.
Correspondingly, the sampling interval gradually increases from the centre
to the boundary.
4.2.3 Valley-ridge Line Extraction
Xufang et al. [10] developed an approach for directly extracting valley-

ridge lines from point-cloud-based 3D fingerprint models. First, the
moving least-squares (MLS) method was applied to fit a local paraboloid
surface and to represent the local point cloud area. On the basis of the
fitting surface, the 3D fingerprint surface’s curvature and curvature tensors
were calculated. By referring to the curvatures, potential valley-ridge
points were detected. Through statistical means, those points were
projected to the most likely valley-ridge lines. Then, by growing the
polylines that approximate the projected points and removing the
perturbations between the sampled points, the 3D valley-ridge lines were
obtained.
This approach can directly extract the features of valley-ridge lines
without employing the unwrapping that converts 3D models into 2D but
introduces distortions.
5 Feature Extraction of 3D Fingerprints

Different from 2D fingerprints, 3D fingerprint models introduce new
features, such as minutiae in 3D space. Therefore, feature detection and
representation are crucial issues in 3D fingerprint techniques.
5.1 Finger Surface Code

The shape index (SI) can be used to describe 3D surface using
curvature information. On a 3D fingerprint surface, the SI’s are
concentrated in numeric values representing the fingerprint valley (0.25)
and ridge (0.75) regions. The surface index is therefore likely to be largely
distributed in this zone. Therefore the encoding scheme splits the
fingerprint surface into five zones: cup, rut, saddle, ridge, and cap. The
direction of the dominant principle curvature is portioned into six
directions, and rut and ridge zones are further divided. The resulting
feature representation has 15 different values and therefore 4-bits can store
resulting binary code for each pixel. This binarised representation of a 3D
fingerprint surface is referred to as Finger Surface Code [11]. The
matching score between two Finger Surface Codes can be computed using
their normalized Hamming distance.
Figure 10. Representation of a 3D minutia
5.2 3D Minutiae
The 2D fingerprint templates ሺ‫ݔ‬ǡ ‫ݕ‬ǡ ߠሻ typically include the position of the
minutiae ሺ‫ݔ‬ǡ ‫ݕ‬ሻ and the angle ߠ representing the orientation of the minutiae
in 2D space. This representation can be extended to include new
(extended) features, which can more accurately localize such minutiae in
3D space. The 3D feature ‫ ݖ‬can represent the height of the vertex on the
reconstructed 3D fingerprint surface at position ሺ‫ݔ‬ǡ ‫ݕ‬ሻ, while the ߮can
represent the minutiae orientation in spherical coordinates with unit length
1. Such extended minutiae templates can more effectively localize the
minutiae in 3D space, and referred to as 3D minutiae ሺ‫ݔ‬ǡ ‫ݕ‬ǡ ‫ݖ‬ǡ ߠǡ ߮ሻ
[11][14], as is shown in Figure 10.
5.3 Ridge-valley Structure

Besides the coarse 3D representation of the fingerprint shape, the Surround
Imager [14] also provides a more fine 3D description of the ridge-valley
structure. The entire 3D ridge-valley structure captured with a specific
illumination can be well represented by the image grey-levels, mapping
each image pixel into a 3D space ሼ‫ݔ‬ǡ ‫ݕ‬ǡ ‫ܫ‬ሺ‫ݔ‬ǡ ‫ݕ‬ሻሽ, where ‫ܫ‬ሺ‫ݔ‬ǡ ‫ݕ‬ሻ represents
the value of the grey-level of the fingerprint image I at position ሺ‫ݔ‬ǡ ‫ݕ‬ሻ.
6 Quality Analyses
For the 3D fingerprint study, as large public databases have not been
available to test its matching performance, it is specifically important to
evaluate the performance of fingerprint scanner in terms of the fingerprint
image quality.
6.1 Tools
Software, developed by the National Institute of Standards and Technology
(NIST) for conventional 2D fingerprints, can be employed to evaluate the
performance of 3D fingerprints after unravelling them into 2D equivalent
images [3][15].
PCASYS: A pattern classification system designed to automatically

categorize a fingerprint image as an arch, left or right loop, scar, tented
arch, or whorl.
MINDTCT: A minutiae detection system, which takes a fingerprint
image and locates features in the ridges and furrows of the friction skin,
mainly minutiae.
NFIQ: A fingerprint image quality algorithm, which takes a fingerprint
image and analyses the overall quality of the image returning an image
quality number ranging from 1 for highest quality to 5 for lowest.
6.2 Analysed Features

Different sets of features [24] have been presented that can be used for the
quality estimation of the evaluated fingerprint images:
x Features related to the minutiae (FM): The number of minutiae

points, and the mean and standard deviation of their quality.
x Features related to the shape of the ROI (FS): The length and width
of the ROI, and the eccentricity of the ROI shape.
x Features related to Gabor filter (FG): Computed by applying a set

of Gabor filters with different orientations, and standard deviation
of Gabor features.
x Features related to Histogram of Oriented Gradients (HOG): The
first step is the computation of the gradient module image ‫ܯܩ‬ሺ‫ݔ‬ǡ ‫ݕ‬ሻ
and the gradient phase image ‫ܲܩ‬ሺ‫ݔ‬ǡ ‫ݕ‬ሻ of the image I. Then, these
two images are divided into ܿ‫ ݓ‬ൈ ݄ܿ local regions. At each cell, the
orientation ‫ܲܩ‬ሺ‫ݔ‬ǡ ‫ݕ‬ሻ is then quantized into ܾܿ orientation bins, and
weighted by its magnitude‫ܯܩ‬ሺ‫ݔ‬ǡ ‫ݕ‬ሻ. Finally, the histogram with
the ܾܿ orientations is computed for each cell.
6.3 Results of Quality Analyses

Several experiments have been conducted to test the quality of 3D
fingerprints [3][11][15][18]. The results show that the recognition accuracy
is enhanced with respect to the reference methods for almost all the ROC
curve plot. Compared to the 2D plain counterpart, the new non-contact 3D
approach provides superior performance in terms of the number of high
quality features.
7 Discussion and Future Works

7.1 Acquisition of a 3D Fingerprint Database

A common database of 3D fingerprints together with ground truth data,
which is representative of a broad range of the population, is required.
Although synthetic 3D fingerprints [27] could be used for evaluation of
fingerprint systems, to the best of our knowledge, there are no 3D full
fingerprint databases with their corresponding 2D prints publicly available.
We have established a fingerprint database of full 3D and their
corresponding 2D fingerprints, which can be used as ground truth for
extensive experimental testing in 3D fingerprint biometric.
The 3D fingerprints were collected using a 3D fingerprint scanner TBS
BioGuard Enroll, and the corresponding 2D fingerprints were captured by
a contact-based sensor CROSSMATCH Verifier 300 LC 2.0. For 3D
prints, all ten fingers of each subject were scanned twice and the output
images were unravelled 2D equivalent fingerprints. The unravelled 2D
equivalent fingerprint images were further processed with algorithms
‘TH6’ and ‘R414,’ provided by TBS 3D CaptureSuite. For 2D prints, all
ten fingers of each subject were captured four times.
7.2 Fingerprint Recognition of 2D to 3D Fingerprint Images

We have conducted some preliminary recognition experiments on a small
part of the fingerprint database, that is, fingerprints of 5 subjects were
chosen.
Figure 11. Recognition performance regarding different subjects
To investigate the performance of 2D to 3D fingerprint recognition, we

divided the database into several groups by subjects or by fingers, and
conducted a series of experiments. The recognition tool we used is the
Neurotechnology’s commercial software Verifinger [25], which can also
help extract and present the main features of fingerprints (singular points
and minutia points) in a graphical interface.
7.2.1 Testing by Subjects
In this test, there are 5 groups (5 subjects in total), where each group
contains 20 (10*2) 2D fingerprints, 20 unravelled 2D equivalent
fingerprint images, 20 post-processed images using algorithm ‘TH6’, and
20 post-processed images using algorithm ‘R414’. We use False Reject
Rate (FRR) to evaluate the recognition performance. The lower the FRR is,
the better the performance is. Figure 11. demonstrates the performance
regarding each subject in three scenarios: 2D to unravelled 2D equivalent

images, 2D to post-processed images using algorithm ‘TH6’, and 2D to
post-processed images using algorithm ‘R414’.
As is shown in Figure 11, the recognition performance of Subject 4 is
the best because the FRR are all 0 in three scenarios; the performance of
Subject 5 is the worst since the FRR are all very high in three testings, and
the FRR even reaches 90% when identifying 2D to post-processed images
using algorithm ‘TH6’. A possible reason for the large difference is that
there are too many creases in the fingerprint images of Subject 5 captured
by the 3D scanner, but the ridges and valleys are very smooth in the
fingerprint images of Subject 4.
Figure 12. Recognition performance regarding different finger names
The average FRR, which demonstrates the performance of the whole

database, is above 20% in all three scenarios, so the performance of 2D to
3D recognition is not good regarding the database we have collected.
Meanwhile, we can see from the average FRR that, using Algorithm
‘R414’ to process unravelled 2D equivalent images can improve the
performance of 2D to 3D recognition, since the FRR in this scenario is
lower than those in other two cases.
7.2.2 Testing by finger names
In this test, there are 10 groups: left thumb finger, left index finger, left
middle finger, left ring finger, left little finger, right thumb finger, right
index finger, right middle finger, right ring finger, and right little finger.
Each group contains 10 (5*1*2) 2D fingerprints, 10 unravelled 2D
equivalent fingerprint images, 10 post-processed images using algorithm
‘TH6’, and 10 post-processed images using algorithm ‘R414’. We also use
False Reject Rate (FRR) to evaluate the recognition performance. Figure
12. demonstrates the performance regarding different finger names in three
scenarios: 2D to unravelled 2D equivalent images, 2D to post-processed
images using algorithm ‘TH6’, and 2D to post-processed images using
algorithm ‘R414’.
As is shown in Figure 12., the recognition performance of ring fingers
is the worst since the FRR regarding both left ring and right ring fingers
are all very high in three scenarios, the FRR reaches 60% when identifying
2D to unravelled 2D equivalent images for the left ring fingers; the
recognition performance of little fingers is a little better than that of the
ring fingers, but still not good. Relatively speaking, the performance of
identifying the thumb fingers is the best, which may be due to the large
region and smooth surface of the thumb fingers.
7.2.3 Testing of 3D to 3D Fingerprint Recognition
We also tested the performance of 3D to 3D fingerprint recognition. In

particular, we try to verify two unravelled 2D equivalent images of the
same finger captured consecutively using the same 3D scanner. There are
in total 50 (5*10) pairs of fingerprints to be verified by VeriFinger. The
results show that not all pairs can be matched successfully. For example,
the two fingerprints in Figure 13. cannot be verified as the same
fingerprint, and their corresponding post-processed images in Figure 14.
cannot be matched too.
Figure 13. Two captures of the same finger using the same 3D scanner
The singular points and minutiae in Figure 13. are marked red by
VeriFinger. We can see that the area of the fingerprint in Figure 13(b). is
wider than that in Figure 13(a)., and the number of minutiae in Figure
13(b). is larger than that in Figure 13(a). Actually, there are too many
spurious minutiae in both images, especially near the brim of the
fingerprints. Certain minutiae near the singular area are missing, and the
extracted singular point in Figure 13(b). deviates obviously from the
ground truth. The same observations also apply to images in Figure 14. All
these may result from the difference between the finger poses of two
captures and the creases on the fingerprints.
Figure 14. Post-processed images in Figure 13. using Algorithm ‘R414’
Because of the different nature of the 3D finger image with respect to the
traditional approaches, in the near future, new methods for image quality
check, analysis, enhancement, and protection, can be implemented to
provide additional flexibility for specific applications. We tried to enhance
the contrast of the collected 3D fingerprint images and again conducted the
experiment. The results showed that the performance of 2D to 3D and 3D
to 3D fingerprint matching was improved greatly. Besides, new forensic
and pattern-based identification can also be developed and exploited to

surpass the existing fingerprint methods. Furthermore, due to this
flexibility, the provided finger images should be well compatible with the
Automated Fingerprint Identification System (AFIS) and other fingerprint
matching algorithms, including the ability to be matched against legacy 2D
fingerprint images.
7.3 Fingerprint Recognition in 3D Space

The 3D representation of fingerprints brings new challenges to field of
fingerprint recognition, and new algorithms to match fingerprints directly
in the 3D space. This has many advantages with respect to the 2D
matching. Since fingerprints acquired by 3D fingerprint scanners do not
present any skin deformation, the relative position of the minutia points is
always maintained during each acquisition. In this case, the minutiae
matching problem can be considered as a rigid 3D point-matching
problem. For example, once the minutiae have been localized on the
fingerprint skeleton, a 3D Delaunay triangulation can be applied to the
point clouds. From each triangle, many features are computed (length of
the triangle sides, internal angles, angles between the minutia orientation,
and the triangle side, and so on) and then used to match the triangles in the
other fingerprint.
8 Conclusion
Non-contact 3D fingerprint technology has the tendency of replacing
traditional fingerprint acquisition and recognition in many applications.
Recent research on 3D fingerprint biometrics focuses on the acquisition of
3D fingerprint models, unwrapping 3D fingerprints into 2D equivalent
ones, and using existing algorithms for 2D to 3D fingerprint recognition.
This chapter presents a comprehensive study of this new technology and
points out some future research in the 3D fingerprint domain, including
direct 3D to 3D recognition, accurate algorithms for feature extraction of
unravelled 2D equivalent fingerprint images, enhancement of the 3D
fingerprint images using image processing techniques, and novel methods
for 2D to 3D fingerprint recognition.
References
[1] Tbs biometrics. [Online]. Available: http://www.tbs-biometrics.com.
[2] Flashscan3d. [Online]. Available: http://www.flashscan3d.com.
[3] Y. Wang, Q. Hao, A. Fatehpuria, L. G. Hassebrook, and D. L. Lau.
“Quality and matching performance analysis of three-dimensional
unraveled fingerprints,” Optical Engineering, 49.7 (2010): 077 202–
077 202–10.
[4] V. Yalla, L. Hassebrook, R. Daley, C. Boles, and M. Troy. “Full-hand
3d non-contact scanner using sub-window-based structured light
illumination technique,” Proc. SPIE, 8371 (2012): 83 711O–83 711O–
15.
[5] M. Troy, L. Hassebrook, V. Yalla, and R. Daley. “Non-contact 3d
fingerprint scanner using structured light illumination,” Proc.SPIE,
7932 (2011): 79 320C–79 320C–13.
[6] B. Hiew, A. Teoh, and Y. Pang. “Touch-less fingerprint recognition
system,” Proceedings of the 2007 IEEE Workshop on Automatic
Identification Advanced Technologies, 2007. 24–29.
[7] C. Lee, S. Lee, and J. Kim. “A study of touchless fingerprint
recognition system,” in Structural, Syntactic, and Statistical Pattern
Recognition, ser. Lecture Notes in Computer Science, D.-Y. Yeung, J.
Kwok, A. Fred, F. Roli, and D. Ridder, Eds. Springer Berlin
Heidelberg, 4109 (2006): 358–365.

[8] R. D. Labati, A. Genovese, V. Piuri, and F. Scotti. “Virtual
environment for 3-d synthetic fingerprints,” Proceedings of the 2012
IEEE International Conference on Virtual Environments Human-
Computer Interfaces and Measurement Systems (VECIMS), 2012. 48–
53.
[9] G. Abramovich, K. Harding, S. Manickam, J. Czechowski, V.
Paruchuru, R. Tait, C. Nafis, and A. Vemury. “Mobile, contactless,
single-shot, fingerprint capture system,” Proc. SPIE, 7667 (2010): 766
708–766 708–12.
[10] X. Pang, Z. Song, and W. Xie. “Extracting valley-ridge lines from
point-cloud-based 3d fingerprint models,” IEEE Computer Graphics
and Applications, 33.4 (2013): 73–81.
[11] A. Kumar and C. Kwong. “Towards contactless, low-cost and
accurate 3d fingerprint identification,” Proceedings of the 2013 IEEE
Conference on Computer Vision and Pattern Recognition, Washington,
DC, USA: IEEE Computer Society, 2013. 3438–3443.
[12] R. Labati, A. Genovese, V. Piuri, and F. Scotti. “Fast 3-d fingertip
reconstruction using a single two-view structured light acquisition,”
Proceedings of the 2011 IEEE Workshop on Biometric Measurements

and Systems for Security and Medical Applications (BIOMS), 2011. 1–
8.
[13] Y. Chen, F. Han, H. Liu, and J. Lu. “3d reconstruction from planar
points: A candidate method for authentication of fingerprint images
captured by mobile devices,” Proceedings of the 2012 IEEE
International Symposium on Circuits and Systems (ISCAS), 2012.
153–156.
[14] G. Parziale, E. Diaz-Santana, and R. Hauke. “The surround imager: a
multi-camera touchless device to acquire 3d rolled-equivalent
fingerprints,” Proceedings of the 2006 international conference on
Advances in Biometrics, Berlin, Heidelberg: Springer-Verlag, 2006.
244–250.
[15] Y. Wang, Q. Hao, A. Fatehpuria, L. Hassebrook, and D. Lau. “Data
acquisition and quality analysis of 3-dimensional fingerprints,”
Proceedings of the 2009 International Conference on Biometrics,
Identity and Security (BIdS), 2009. 1–9.
[16] Y. Wang, L. Hassebrook, and D. Lau. “Data acquisition and
processing of 3-d fingerprints,” IEEE Transactions on Information
Forensics and Security, 5.4 (2010): 750–760.
[17] V. Yalla, R. Daley, C. Boles, L. Hassebrook, K. Fleming, and M.
Troy. “High-quality 3d fingerprint acquisition using a novel sub-
window-based structured light illumination approach,” Proc. SPIE,

7797 (2010): 77 970R–77 970R–11.
[18] Y. Chen, G. Parziale, E. Diaz-Santana, and A. Jain. “3d touchless
fingerprints: Compatibility with legacy rolled images,” Proceedings of
the 2006 Biometric Consortium Conference, Special Session on
Research at the Biometrics Symposium, 2006. 1–6.
[19] Y. Wang, D. L. Lau, and L. G. Hassebrook. “Fit-sphere unwrapping
and performance analysis of 3d fingerprints,” Appl. Opt., 49.4 (2010):
592–600.
[20] A. Fatehpuria, D. L. Lau, and L. G. Hassebrook. “Acquiring a 2d
rolled equivalent fingerprint image from a non-contact 3d finger scan,”
Proc. SPIE, 6202 (2006): 62 020C–62 020C–8.
[21] C. B. Atkins, J. P. Allebach, and C. A. Bouman. “Halftone
postprocessing for improved rendition of highlights and shadows,” J.
Elec. Imaging, 9 (2000): 200–215.
[22] S. Shafaei, T. Inanc, and L. Hassebrook. “A new approach to unwrap
a 3-d fingerprint to a 2-d rolled equivalent fingerprint,” Proceedings of
the IEEE 3rd International Conference on Biometrics: Theory,
Applications, and Systems, BTAS’09., 2009. 1–5.
[23] Q. Zhao, A. K. Jain, and G. Abramovich. “3d to 2d fingerprints:

Unrolling and distortion correction.” IEEE IJCB, A. K. Jain, A. Ross,
S. Prabhakar, and J. Kim, Eds., 2011. 1–8.
[24] R. Labati, A. Genovese, V. Piuri, and F. Scotti. “Quality measurement
of unwrapped three-dimensional fingerprints: A neural networks
approach,” Proceedings of the 2012 International Joint Conference on
Neural Networks (IJCNN), 2012. 1–8.
[25] VeriFinger. [Online]. Available:
http://www.neurotechnology.com/verifinger.html.
[26] Hee-seung Choi, Kyoungtaek Choi, Jaihie Kim. “Mosaicing touchless
and mirror-reflected fingerprint images,” IEEE Transactions on
Information Forensics and Security, 5.1 (2010): 52-61.
[27] Tom Oswald, Kim Ward, Anil Jain. “3-D fingerprint phantoms
improve fingerprint-matching technology”.
http://msutoday.msu.edu/news/2014/3-d-fingerprint-phantoms-
improve-fingerprint-matching-technology.

Biometric Security

Caricato da

Informazioni sul documento

Titolo originale

Copyright

Formati disponibili

Condividi questo documento

Condividi o incorpora il documento

Opzioni di condivisione

Hai trovato utile questo documento?

Questo contenuto è inappropriato?

Copyright:

Formati disponibili

Biometric Security

Caricato da

Copyright:

Formati disponibili

Biometric Security

Copyright © 2015. Cambridge Scholars Publisher. All rights reserved.

David Chek Ling Ngo,

This book first published 2015

Cambridge Scholars Publishing

Lady Stephenson Library, Newcastle upon Tyne, NE6 2PA, UK

British Library Cataloguing in Publication Data

ISBN (10): 1-4438-7183-4

Preface ....................................................................................................... vii

Part 1. Biometric Template Protection

Chapter One ................................................................................................. 2

Chapter Two .............................................................................................. 37

Chapter Three ............................................................................................ 92

Part 2. Biometric Key and Encryption

Chapter Four ............................................................................................ 134

Chapter Five ............................................................................................ 165

Part 3. Biometric System Analysis

Chapter Six .............................................................................................. 198

Chapter Seven.......................................................................................... 224

Chapter Eight ........................................................................................... 255

Part 4. Privacy-Enhanced Biometric Systems

Chapter Nine............................................................................................ 274

Chapter Ten ............................................................................................. 312

Chapter Eleven ........................................................................................ 351

Kok-Seng Wong and Myung Ho Kim

Chapter Twelve ....................................................................................... 381

Part 5. Other Biometric Security Technologies

Chapter Thirteen ...................................................................................... 428

Chapter Fourteen ..................................................................................... 459

Modern biometrics is defined as the science of using biological

perhaps storing them to the fullest extent possible, has emerged as a

presents the design, security analysis, and performance of privacy-

Publishing has also assisted the editors continuously from inception to

A B J Teoh, D C L Ngo and J Hu

BIOMETRIC TEMPLATE PROTECTION

CANCELABLE BIOMETRICS AND DATA

privacy-preserving biometric authentication scheme called cancellable

Keywords: biometrics, cancellable biometrics, template protection,

decrypted in the server, so to perform pattern matching at the time of

transformed domain, directly without restoring the original feature. The

with a cancellable template and a corresponding parameter, can obtain the

template is called authorised-leakage irreversibility in [26]. As pointed out

2 Biometric Template Protection and Cancelable

Figure 1: Arcchitecture for biiometric templaate protection [111]

separation iss considered only

A typicaal data separatiion model for cancellable bbiometrics and

Figure 2: Typpical system moodel of cancellaable biometrics

Let ܺǡ ܻ denote biometric features for enrollment and authentication

‫ܨ‬ா ǡ ‫ܨ‬஺ ǣ ࣲ ൈ ࣥ ՜ ࣮ǡ (1)

either can be revoked by generating a new parameter ‫ܭ‬Ԣ㻌and replacing T

2.2 Desirable Properties

irreversibility (ALI)1. The FLI refers to a diĜculty to determine the exact

3 Examples of Cancelable Biometrics

Ratha et al. proposed several feature transformation functions for minutiae

3.1.1 Cartesian Transformation

‫ ݔ‬ᇱ ൌ ‫ ݔ‬൅ ܲ௫ ሺܿ௜ᇱ ሻ െ ܲ௫ ሺܿ௜ ሻǡ

Figure 3: Carrtesian transform

The primaryy drawback off the Cartesiaan transformattion is, as desscribed in

3.1.2 Funcctional Transformation

To avoid thhe boundary problem,

‫ ݔ‬ᇱ ൌ ‫ ݔ‬൅ ݂ሺ‫ݔ‬ǡ ‫ݕ‬ሻǡ

where f ǡ ǡ  h are noonlinear perturrbation functioons. By designning f ǡ ǡ

Lee, et. al. [14] alsso proposed a locally sm mooth functio

where f ǡ ǡ h are noonlinear perturrbation functioons. By designning f ǡ ǡ

࢚ ൌ ሺ‫ ݔܭ‬െ ߬ ȉ ͳሻ (3)

࢚ ൌ ‫ܨ‬ா ሺ࢞ǡ ‫ܭ‬ሻ ൌ ሺ‫࢞ܭ‬ሻ

࢚ ൌ ‫ܨ‬ா ሺ࢞ǡ ‫ܭ‬ሻ ൌ ሺ‫࢞ܭ‬ሻ