Embed Size (px)
Citation preview
University of Colorado at Colorado Springs
Remote authentication using
Vaulted Fingerprint Verification
Hamdan A. Alzahrani
A dissertation proposal submitted
in partial fulfillment of the requirement for the degree
Doctor of Philosophy
1
Remote authentication using
Vaulted Fingerprint Verification
May 2014
Advisor
Professor Terrance Boult, Chair
Dissertation Committee Members:
1. Professor C. Edward Chow2. Professor Albert Glock3. Professor Walter J. Scheirer4. Professor Mohammad Mahoor
2
Table of contents
Abstract.......................................................................................................................................................................... 5
Chapter 1: Introduction.......................................................................................................................................... 6
Chapter 2: Related Work..................................................................................................................................... 10
2.1. General Biometric Techniques............................................................................................................10
2.1.1. Representations.................................................................................................................................10
2.1.2. Quantization........................................................................................................................................13
2.1.3. Error Correcting Codes...................................................................................................................14
2.2. General Protective Techniques...........................................................................................................15
2.2.1. Cryptographic Functions...............................................................................................................15
2.2.2. Other Protections..............................................................................................................................17
2.3. Additional Functionality.........................................................................................................................17
2.4. Template Protection Systems..............................................................................................................17
2.4.1. Fuzzy Vault.......................................................................................................................................... 18
2.4.2. Fuzzy Commitment.......................................................................................................................... 20
2.4.3. Fuzzy Extractor..................................................................................................................................22
2.4.4. Other Template Protection Systems.........................................................................................24
2.4.5. Analysis................................................................................................................................................. 28
2.5. Vaulted Verification..................................................................................................................................29
2.5.1. Enrollment Process..........................................................................................................................30
2.5.2. Verification Process.........................................................................................................................30
Chapter 3: Preliminary Work............................................................................................................................ 31
3.1. Vaulted Fingerprint Verification.........................................................................................................31
3.1.1. Enrollment Process..........................................................................................................................32
3
3.1.2. Verification Process.........................................................................................................................33
3.1.3. Evaluation............................................................................................................................................ 37
3.1.4. Security.................................................................................................................................................. 39
Chapter 4: Proposed Work................................................................................................................................. 40
4.1. VFV................................................................................................................................................................... 41
4.2. VFV-PMCC..................................................................................................................................................... 41
4.3. Biotope Triangles...................................................................................................................................... 43
4.4. Biotope/Fuzzy Extractor Theory........................................................................................................44
4.5. Time line........................................................................................................................................................ 45
4.6. List of publication......................................................................................................................................45
5. References............................................................................................................................................................. 46
4
Abstract
Fingerprint biometrics are increasingly used for identity verification. However, these
require a careful balance of accuracy and privacy that is missing in many implementations.
In this proposal, I review techniques and systems for protected biometric templates,
identify several weaknesses in existing systems, and develop a research plan to improve
the quality of biometric template systems.
My research develops the Vaulted Verification (VV) system into Vaulted Fingerprint
Verification (VFV) by implementing VV on a fingerprint minutia triangle representation.
This allows for key exchange using the protected biometric template. I propose adding the
PMCC minutia neighborhood descriptor to VFV to improve accuracy.
My research will also implement Biotope on a minutia triangle representation. Currently,
Biotope uses a minutia pair representation. The minutia pair representation lacks
distinguishability, which leads to complicated matching operations. The minutia triangle
representation should improve accuracy while simplifying matching.
A formal description of Biotope as a Fuzzy Extractor will be provided if the accuracy of the
above systems is insufficient to compete with the state of the art.
5
Chapter 1: Introduction
With the rise of the Internet, remote verification of identity is an increasingly
important part of modern life. From online banking systems to personal data storage to
software as a service, most aspects of modern life require identity verification.
Current identity systems rely on passwords, encryption keys, or tokens. Passwords
are the most common identification system in current use due to ease of implementation
and administration, and user familiarity. However, passwords are vulnerable if used with
common words or patterns. Yet passwords can be easy to crack if they are poorly chosen,
and such poorly chosen passwords are common (Adams and Sasse 1999). Another method
to securing an identity is the use of cryptographic keys. These are similar to passwords, but
longer and more difficult to memorize. They are used for identity purposes when digital
storage is available, often combined with smart cards. Tokens, such as smart cards, allow a
more physical approach to identity assurance. They require physical possession of an item
to prove identity.
Each of these methods has their own strengths and weaknesses. Passwords tend to
be short and easily broken, but are also easy to replace. Encryption keys are difficult or
impossible to memorize, but provide very strong security. Tokens do not require the
memorization or outside storage of a string, but can be stolen and copied. However, all of
these methods have a similar weakness. All of them are independent of the user, and so do
not provide strong evidence for the presence of the user.
6
A solution to this problem is biometrics. By measuring and comparing a feature of
the user, we can increase the assurance that the user is present during authentication.
Automated biometric matching has been achieved with face(Andrew B J Teoh, Goh,
and Ngo 2006), iris(Wilber, Scheirer, and Boult 2012), fingerprint(Watson, Garris, and
Tabassi 2007), and other biometrics. While these systems significantly enhance identity
assurance, they have their own difficulties. Biometric features are inherently static. A
change to a biometric often requires a long time or a significant injury. Large databases of
biometric features are vulnerable to the “Birthday Problem”(Wagner 2002), sometimes
referred to as the doppelganger threat (T. Boult 2007).
The static nature of biometrics has advantages and weaknesses. It is what allows it
to be used as an identification mechanism. Most features are constant enough to be used
for years or decades without update. However, the unchanging nature also puts biometric
templates at high risk of compromise. Once a biometric is compromised to an attacker, the
feature may not uniquely identify the user. An attacker with access to an unprotected
biometric template can create a physical copy, such as a gummy finger (Matsumoto et al.
2002). Alternatively the attacker can directly use the template identify as legitimate user,
especially in remote applications.
With the rise of large databases of biometric features, the doppelganger threat
becomes significant. As with the Birthday Problem, the probability of there being a match
between any two users in a large system can be high. When this problem is applied to
biometrics, it is referred to as the doppelganger threat. Once an attacker finds a match
among a large set of users, they can masquerade as that person.
7
These two threats guide the design of a well-protected biometric identification
system. The system must protect the biometric against being revealed, since the biometric
is permanently compromised if an attacker ever gains it. This system must also allow for
revocation and reissue of unique templates.
Template protection should have the following requirements (A. K. Jain, Nandakumar, and
Nagar 2008):
A. Diversity: The secure template must not allow cross-matching across databases,
thereby ensuring the user’s privacy.
B. Revocability: It should be straightforward to revoke a compromised template and
reissue a new one based on the same biometric data.
C. Security: It must be computationally hard to obtain the original biometric template
from the secure template. This property prevents an adversary from creating a
physical spoof of the biometric trait from a stolen template.
D. Performance: The biometric template protection scheme should not degrade the
recognition performance (FAR and FRR) of the biometric system.
The field of protected biometric templates is rapidly progressing. While systems
need both security and accuracy, security aspects are difficult to compare. Examples of
state of the art in terms of accuracy can be found at FVC Ongoing (Dorizzi et al. 2009).
Currently, protected biometric systems lack several desirable features. First,
existing systems lack accuracy at necessary security levels. Second, there are few effective
biometric systems that allow key exchange. Finally, most existing biometric template
8
protection systems lack strong theoretical foundations. My thesis will make progress in
closing these critical gaps. I will develop: a system for biometric remote authentication and
key exchange, extend this system to compare with the state of the art, extend Biotope to a
minutia triangle representation, and, as necessary, give a formal description of Biotope as a
Fuzzy Extractor.
To understand the benefits and difficulties of this thesis, I first examine common
techniques in the creation and protection of biometric templates in section 2.1. General
Biometric Techniques. In section 2.4. Template Protection Systems, I examine select papers
from the literature to show how these techniques are used. In section 2.5. Vaulted
Verification, I outline a detailed method of sending messages using a biometric called
Vaulted Verification. In section 3.1. Vaulted Fingerprint Verification, I discuss my recent
work on integrating Vaulted Verification with fingerprint biometrics. Finally, in section
Chapter 4: Proposed Work, I discuss my plans to improve system accuracy, protect the
biometric, and prove the protections used.
9
Chapter 2: Related Work
Biometric data needs to be protected in such a way that allows authentication while
preserving privacy. Effective biometric protections work best on clear representations of
the data, which form an important basis for protected templates. These representations can
then be protected by a variety of methods. Additional functionality is commonly included in
the protected template to allow key binding, key generation, and remote authentication.
2.1. General Biometric Techniques
Inter-user variability needs to be addressed. This variability could be resulted from
fingerprint displacement, fingerprint pressure, non-liner distortions, etc. To alleviate this
problem, it is important to have a representation that provides high discriminatory
information for the fingerprint.
2.1.1. Representations
The system that is used to represent minutia strongly influences how the biometric
data is protected. For example, protecting bitstring is different from protecting vectors. The
biometric data for minutia-based systems is often initially represented in a coordinate
system derived from the image (Watson, Garris, and Tabassi 2007). These coordinates are
generally unsuitable for protected templates due to biometric sampling errors. The
primary methods for managing these errors are global alignment, local alignment, and
invariant representations.
10
2.1.1.1. Global Alignment Representations
Global matchers attempt to match minutia within a common coordinate system.
This requires finding a transformation (translation and rotation) between the gallery and
probe coordinates, which maximizes the number of overlapping minutia. The advantage of
this method is conceptual simplicity; minutiae are identified if their location and additional
data match. The disadvantage is that the coordinate system alignment requires common
information (commonly core, delta, or singular point(s)) that must be available. Failure to
recover or identify the data in probe, results in false rejections.
Global alignment representations are uncommon in current work. (Ahmad 2012)
examines global coordinate system transformations to protect templates. (Arakala, Jeffers,
and Horadam 2007) uses a core-point aligned coordinate system. (Nagar, Nandakumar, and
Jain 2009) uses high curvature points to align the coordinate system. (Kaizhi and Aiqun
2013) uses the core point aligned FingerCode (A. Jain et al. 1999) as a base representation.
2.1.1.2. Local Alignment Representations
Local alignment representations attempt to find a transformation between
coordinate systems on (small) regions of the images. On fingerprints, this is usually done
with respect to a minutia at the center of the region. The position and orientation of the
minutia are used as a coordinate system for the region. Since the common information
needed is trivial (ex. every minutia is a center of a coordinate system), these are often
referred to as “alignment-free” representations. Local alignment is robust against non-
linear distortions. (Ahmad 2011; Arakala, Jeffers, and Horadam 2007; Cappelli, Ferrara, and
11
Maltoni 2010; Ferrara, Maltoni, and Cappelli 2012) use local alignment to identify
neighboring minutia. (Jin et al. 2012; D. Moon et al. 2007) identify all minutiae with respect
to each minutia.
2.1.1.3. Invariant Representation
Invariant structure representations attempt to avoid issues of alignment by
constructing invariant representations from each image. These invariant representations
are then used to match the images. An example of an invariant structure is the distance
between two points; distance is independent of rigid changes to the coordinate system
used to describe the points. However, individual invariant representations are not
sufficiently distinguishable. To overcome this, they are often grouped into larger
structures.
These representations generally produce a feature vector containing some relations
derived from the structure. For minutia pairs, this can be the distance between the points
(d) and the relative orientations (o1, o2) forming a vector [d, o1, o2]. A triangle feature vector
may contain 3 pair distances, 3 internal angles, and 3 relative orientations. Larger
structures have similar vectors with more elements, and other relationships may be
included.
(T. Boult 2007; Das, Karthik, and Chandra Garai 2012; Jin 2010) uses a pair
representation. (X. Chen et al. 2006; Zheng, Gao, and Zhang 2009; Jin et al. 2009; Jin et al.
2013; S. Wang and Hu 2014; P. Li et al. 2012; Parziale and Niel 2004) use generic triangles.
12
(Chau and Soto 2011; Júnior 2010; W Yang et al. 2013; Wencheng Yang, Hu, and Wang
2012) use Delaunay triangles, which restrict the triangles to a limited neighborhood.
2.1.2. Quantization
Quantization is the procedure of constraining values from a large (eg. continuous)
domain to a smaller discrete domain in a once to many map (Gray and Neuhoff 1998).
Thus, it is impossible to determine the value of a quantized number. Quantization trades
distinguishability for stability. The primary benefit of quantization is to mitigate the
distortion problem. The disadvantage of quantization is the loss of discriminability.
Examples include truncation (ex. 1.6 to 1), and rounding (ex 1.6 to 2).
(Wencheng Yang et al. 2014; Jin et al. 2012; P. Li et al. 2012; Andrew Beng Jin Teoh
and Kim 2007; B. Yang et al. 2010; R. Wang et al. 2010; Kaizhi and Aiqun 2013;
Mirmohamadsadeghi and Drygajlo 2013) quantize bitstrings derived from representations.
(Hartloff et al. 2013; T. Boult 2007; Júnior 2010; Arakala, Jeffers, and Horadam 2007;
Nandakumar 2007; S. Wang and Hu 2014; Jin 2010; Jin et al. 2009; D. Moon et al. 2007;
Nagar, Nandakumar, and Jain 2009)quantize features.(Ahmad 2012; Jin et al. 2012; Zhang
et al. 2013; A. Jain et al. 1999)quantize based on coordinate grids.(Wencheng Yang et al.
2014; Jin et al. 2012; P. Li et al. 2012; Andrew Beng Jin Teoh and Kim 2007; B. Yang et al.
2010; R. Wang et al. 2010; Kaizhi and Aiqun 2013; Mirmohamadsadeghi and Drygajlo
2013) quantize bitstrings derived from representations. (Hartloff et al. 2013; T. Boult 2007;
Júnior 2010; Arakala, Jeffers, and Horadam 2007; Nandakumar 2007; S. Wang and Hu
2014; Jin 2010; Jin et al. 2009; D. Moon et al. 2007; Nagar, Nandakumar, and Jain
13
2009)quantize feature vectors.(Ahmad 2012; Jin et al. 2012; Zhang et al. 2013; A. Jain et al.
1999)quantize based on coordinate grids.
2.1.3. Error Correcting Codes
Another method of managing errors is error correction codes. These are more
specialized than quantization in that they require bitstring representations. However,
unlike quantization, error correction codes do not reduce distinguishability. Error
correction codes trade message length for stability. Error correction codes are the basis for
Fuzzy Commitment and are closely related to Fuzzy Extractors, both of which are discussed
in more detail below.
Error correction codes utilize redundant bits to find and correct errors in a bitstring,
up to an error correction capacity. In forward error correction, these redundant bits are
added to the message, increasing its length. When used in biometrics, the redundant bits
can be sent separately to the matcher as helper data. Error correction codes can be made
with a variety of message length and error correction capacities.
(P. Li et al. 2012; Wencheng Yang et al. 2014; Wencheng Yang, Hu, and Wang 2012;
Fan and Lin 2009; Nagar, Nandakumar, and Jain 2009; Jin et al. 2012; Kaizhi and Aiqun
2013; Arakala, Jeffers, and Horadam 2007; Andrew Beng Jin Teoh and Kim 2007) use error
correction codes on the biometric. (Johnson, Scheirer, and Boult 2013; W Scheirer and
Boult 2009; Nandakumar 2007; Bringer, Chabanne, and Favre 2012) use error correction
codes to correct a message as part the authentication process.
14
2.2. General Protective Techniques
2.2.1. Cryptographic Functions
It is very difficult to make standard cryptography work with biometrics despite its
power to protect secrets. The noisy nature of biometrics conflicts with cryptographic
functionality (e.g. Avalanche effect). Additionally, the privacy risks associated with
biometrics make cryptographic hashes a better fit. Despite these difficulties, there are some
approaches that protect the temp late by applying standard cryptography.
2.2.1.1. Symmetric Encryption
Symmetric key cryptography methods use the same key for encryption and
decryption. The simplest method of symmetric encryption is through combining the
message with a random string (key) by XOR operation. If the key is random, this is the one-
time pad and provides provable security. This method is vulnerable to key reuse; using the
key to encrypt two messages makes recovering the key and the messages trivial.
Exclusive OR (XOR) operation is used as a protection method in (Fan and Lin 2009;
Nagar, Nandakumar, and Jain 2009; Zhang et al. 2013; Kaizhi and Aiqun 2013; Arakala,
Jeffers, and Horadam 2007). XOR operation is used in (Fan and Lin 2009), (Kaizhi and
Aiqun 2013) to combine the template and challenge.
Another approach to symmetric key cryptography is algorithmic. These systems can
allow keys to be used with multiple messages. Algorithmic methods are often quite
complicated, see (Stallings 2011) for more details. Algorithmic symmetric key encryption is
15
used by (T. Boult 2007) to encrypt the quantized value so that preform matching is in the
encrypted domain.
2.2.1.2. Public Key Encryption
Public key cryptography, or asymmetric cryptography, uses separate keys for
encryption and decryption. This allows communication across unsecured channels without
the need of an initial shared secret. The disadvantages of public key cryptography are the
large key sizes. More information on public key cryptography can be found in (Stallings
2011). Public key cryptography is used in (T. Boult 2007), (Fan and Lin 2009), (Johnson,
Scheirer, and Boult 2013), (H. Li et al. 2013), (W. Scheirer, Bishop, and Boult 2010), (W
Scheirer and Boult 2009).
2.2.1.3. Cryptographic Hashes
Cryptographic hashes take a string of arbitrary length to a fixed length string in such
a way that it is non-invertible and collision resistant. It should also produce hash values
which are evenly distributed and apparently random(Stallings 2011). Cryptographic
hashes are also deterministic. The non-invertibility of cryptographic hashes is particularly
useful for template security due to biometric privacy concerns. The deterministic nature of
hashes can be avoided by including a random string (called a salt) in the input. This
random string can provide some security if it is kept secret.
Hash function is applied in (C.-T. Li and Hwang 2010; X. Li et al. 2011; C. Chen, Lee,
and Hsu 2012) to biometric features to release embedded secret. Hash function is used in
16
(Kaizhi and Aiqun 2013) for authentication purpose. (Kumar, Tulyakov, and Govindaraju
2010) performs matching on hashed space.
2.2.2. Other Protections
Due to the difficulty of producing stable, fixed length bitstrings that are needed for
standard encryption, protected biometric templates sometimes use alternate security
methods.
One example of a non-standard protection is biometric salting. In this method, a
secret string is used to define a transformation operation. The most notable use of this
method is in Biohashing (Andrew B J Teoh, Goh, and Ngo 2006) where the secret string
defines a projection operator.
2.3. Additional Functionality
Protected biometric templates are often imbedded within other functions that
increase their functionality. These are commonly key binding or key generating functions.
Key binding functions allow an arbitrary message to be included in a template. Examples
include Fuzzy Commitment, Fuzzy Vault, and Vaulted Verification. Key generating functions
allow a key to be produced from the biometric data; an example of this is Fuzzy Extractor.
Some systems that implement these concepts are described in more detail below.
2.4. Template Protection Systems
Understanding how techniques are used to protect biometric templates is as
important as knowing which techniques are used. Therefore, I now describe how a few
17
protected biometric template systems integrate these transformations. Two examples of
the common methods Fuzzy Vault, Fuzzy Commitment, and Fuzzy Extractor are discussed,
with one example of the Biotope system, PMCC, and a cancelable template transformation.
2.4.1. Fuzzy Vault
Fuzzy Vault binds a key to a template through the use of polynomial interpolation.
The key is used to create a polynomial. The biometric is divided into a (unordered) set of
values, which are used to evaluate the polynomial forming a point. These points are
combined with a large number of chaff points to form a vault. A probe template attempts to
identify enough correct points to reconstruct the polynomial, recovering the key. Fuzzy
Vault suffers from a large number of security flaws in its naïve application . However, many
researchers have modified the protocol to address them.
Fuzzy Vault was initially described in (Juels and Sudan 2006). Its weaknesses are
well described in (WJ Scheirer and Boult 2007). It is implemented in (Xi and Hu 2009; K. Y.
Moon and Moon 2012; Nandakumar 2007; Bringer, Chabanne, and Favre 2012; D. Moon et
al. 2007; Nagar and Chaudhury 2006; Nagar, Nandakumar, and Jain 2009; Hartloff et al.
2013). Two systems which implement Fuzzy Vault are described below.
2.4.1.1. Toward Fingerprints as Strings: Secure Indexing for Fingerprint Matching
(Hartloff et al. 2013) proposed a Fuzzy Vault-based protected template. The primary
objects are a minimum distance graph minutia descriptor and an arbitrary key. The
minimum distance graph is a graph that connects a point to its nearest neighbor. This
graph is extended until it has 5 nodes. The distance, relative angles, and minutia
18
orientations are used to create a vector used to describe the initial minutia. The vector
elements are quantized to provide error tolerance. The key is used to create a polynomial
for the Fuzzy Vault. The minimum distance graph minutia descriptors are used to
determine the vault points.
The biometric representation is protected by ambiguity (chaff) in the Fuzzy Vault.
This system was tested on FVC2002 DB1 and DB2. It achieved a 13.2% EER, or 1.5% FAR
with a 23.9% FRR. The system uses all available biometric data to produce a single match
score.
The lack of protection on the biometric representation can be overcome in Fuzzy
Vaults, as given by our next example.
2.4.1.2. A Hybrid Biometric Cryptosystem for Securing Fingerprint Minutiae Templates
(Nagar, Nandakumar, and Jain 2009) proposed a Fuzzy Vault-based protected
template using Fuzzy Commitment as additional protection. The primary objects in this
system are minutia locations and orientations, a minutia neighborhood ridge descriptor,
and an arbitrary key. A minutia ridge descriptor is a binary string derived from the ridge
pattern around a minutia. The key combined with an error detection code. The key with
error detection code is used to construct a polynomial for the Fuzzy Vault.
They use global alignment by high curvature points to align the coordinate system.
Minutia locations are used to determine the vault points. The polynomial evaluations are
protected by Fuzzy Commitment with the minutia ridge descriptors.
19
The biometric representation is protected by Fuzzy Commitment and ambiguity
(chaff) in the Fuzzy Vault. When evaluated on FVC2002 BD2, this system achieved 5% FRR
with a .01% FAR. The system uses all available biometric data to produce a single match
score.
While Fuzzy Commitment is used in this paper to protect minutia points
individually, it can also be used as the primary binding method.
2.4.2. Fuzzy Commitment
Fuzzy Commitment binds a key to a template through the use of error correction
codes. A template is treated as a translation of an arbitrary code word. A (translated) probe
template is treated as a corruption of that code word, which can be corrected to recover the
key. Fuzzy Commitment requires the storage of the translation (non-secret) helper data.
The template must also be ordered and have a fixed length.
Fuzzy Commitment was initially described in (Juels and Wattenberg 1999) and is
implemented in (Nagar, Nandakumar, and Jain 2009), (P. Li et al. 2012), (Kaizhi and Aiqun
2013). Two systems are described below which use Fuzzy Commitment.
2.4.2.1. An Enhancing Fingerprint Template Protection Method
(Kaizhi and Aiqun 2013) proposed a Fuzzy Commitment-based protected template
system. The primary features are a FingerCode (A. Jain et al. 1999) representation,
Biohashing (Andrew B J Teoh, Goh, and Ngo 2006), and BCH-based Fuzzy Commitment.
20
FingerCode is a fingerprint descriptor based around a central minutia point. It uses average
grayscale color of the image to produce a feature vector.
The authors first align the fingerprint based on fingerprint minutia. A FingerCode
feature vector is extracted from the aligned image. The feature vector is Biohashed to
produce a fixed length bitstring. This bitstring is used to bind an arbitrary code word using
Fuzzy Commitment.
This system is evaluated on FVC2002 DB2. When the Biohashing matrix is
confidential, this system achieves a 0% EER. When the matrix is public, the EER is 4.27%.
The system uses all available biometric data to produce a single match score.
While this system achieves remarkable accuracy when the Biohash projection
matrix is secret, it requires leaving fingerprint minutia unprotected for alignment
purposes.
2.4.2.2. An Effective Biometric Cryptosystem Combining Fingerprints With Error
Correction Codes
(P. Li et al. 2012) proposed a Fuzzy Commitment-based template protection system.
The primary features of this system are a minutia triangle initial representation, a set
difference binarization, an LDA dimension reduction, and a BCH-based Fuzzy Commitment.
The minutia triangles create feature vectors. The set difference binarization splits the set of
feature vectors into two subsets based on a random question. It then takes the difference of
the number of feature vectors in each subset. This produces a more stable feature vector.
21
LDA is used to reduce the length of this vector and remove correlations. The vector is then
binarized. The binary vector is used to bind an arbitrary codeword by Fuzzy Commitment.
They evaluate the system on several databases, including FVC2002 db1 and db2. For
DB1, they achieved an EER of 1.08%. For DB2, they achieved an EER of .54%. The system
uses all available biometric data to produce a single match score.
The biometric representation is protected by cryptographic hashing, as part of the
Fuzzy Commitment. However, the authors do not examine the privacy and security effects
of the LDA dimension reduction matrix.
2.4.3. Fuzzy Extractor
Fuzzy Extractor uses error correction codes and hash functions to generate a key
from a biometric template. The parity bits of an error correction code applied to the
template are stored as helper data. The template is hashed to generate a key. To regenerate
the key from a new biometric template, the parity bits are used to error correct the
template, which will then hash to the key value. Fuzzy Extractor is described in (Dodis,
Reyzin, and Smith 2004) and implemented in(Wencheng Yang, Hu, and Wang 2012;
Arakala, Jeffers, and Horadam 2007; Wencheng Yang et al. 2014).
In addition to its practical application as a biometric key generating function, (Dodis,
Reyzin, and Smith 2004) provide a solid abstract definition of Fuzzy Extractor. This
abstract definition provides a general framework for understanding many biometric
template protection systems. The abstract Fuzzy Extractor provides a powerful method of
analyzing information loss.
22
2.4.3.1 Fuzzy Extractors for Minutiae-based Fingerprint Authentication
(Arakala, Jeffers, and Horadam 2007) propose a Fuzzy Extractor-based system. The
primary features are a dual globally and locally aligned representation, polar coordinate
quantization, and a random seed. The location of each minutia is based on its relative
position to a core point, giving distance and angle with respect to the core point’s
orientation. For additional distinguishability, a minutia is also associated with its 5 nearest
neighbors, which are given by polar coordinates centered at the minutia. Both the global
and local coordinates are quantized based on a polar grid. This results in a set of binary
vectors associated to each minutia. A layered Fuzzy Extractor is used to generate a key.
First, a PinSketch is applied to the global position vector. Second, a PinSketch is applied to
the local position vectors. The resulting code word is then hashed with a random seed.
The system is protected by the Fuzzy Extractor system. The only unprotected data
are the parity bits of the error correction codes, which reveal a limited amount of
information. The system is evaluated on FVC2000. They achieved an EER of about 15%.
This poor result shows that it is possible to use Fuzzy Extractors with fingerprints in
principle, but a better representation needs to be found. The system uses all available
biometric data to produce a single match score.
2.4.3.2. An Alignment-free Fingerprint Bio-cryptosystem Based on Modified Voronoi
Neighbor Structures
(Wencheng Yang et al. 2014) propose a Fuzzy Extractor-based system. The primary
features are a minutia neighborhood representation, grid quantization, and a PinSketch-
23
based Fuzzy Extractor, and key-based polynomial. The authors create a local structure
based on the neighboring minutia points. This structure is quantized based on a local
coordinate grid, creating binary vectors. A PinSketch-based Fuzzy Extractor is used to
stabilize and protect the vectors, resulting in a hashed vector. The hashed vectors are used
to evaluate the key polynomial.
This system is evaluated on several databases, including FVC2002. They achieved an
EER of 11.84% on DB1, and 10.38% on DB2. This EER is significantly reduced when used
on only high quality images. The system uses all available biometric data to produce a
single match score. Since each element is matched independently, this system could allow
multiple permutations to send a message. However, this implementation is focused on
regenerating a fixed message.
2.4.4. Other Template Protection Systems
2.4.4.1. Biotope
Biotope is a system for creating cryptographically secure biotokens (T. Boult 2007).
In the Biotope system, a process of quantization and encryption secures the biometric.
First, each feature is quantized with the remainder saved. The integer (stable) portion is
then encrypted by any standard encryption method. The residual is saved to improve
matching accuracy with a minimal loss of private information. During matching, the
(encrypted) integer portion is binary-matched, with the residual portions distance-
matched to provide a more accurate score.
24
The primary features are a pair minutia representation, encryption, and a modified
Bozorth matcher. The pair minutia representation is generated from a list of minutia,
capturing their distance and orientations. This is quantized, with the residual retained. The
integer portion is encrypted, and both are used in the Bozorth matcher to identify similar
fingerprints.
This system is evaluated on several datasets, including FVC2000, FVC2002, and
FVC2004. On FVC2002 DB1 it has a 2.1% EER. On FVC2002 DB2 it has a 1.2% EER. All
available biometric data is used to create a single match value and token.
2.4.4.2. Bipartite Biotokens
The Biotope system described above has been extended to a key binding system in
Bipartite Biotokens (W Scheirer and Boult 2009). Similar to Biotope, this system uses a
minutia pair representation, quantization of the feature vector, and encryption. The feature
vector derived from the minutia pair representation is quantized, with remainder retained.
The integer portion is encrypted. In order to bind a key to the biotoken, the minutia pairs
are hashed and evaluated on a Reed-Solomon (RS) Polynomial that encodes the key. The RS
values are stored with the pair feature vector. To match, the user first finds possible pair
feature vector matches, and then applies a Bozorth-like matcher to reduce the set of
matched pairs. The RS evaluation points are obtained by hashing the pair data and the RS
values from the template. These are used to decode the RS polynomial and obtain the key.
Bipartite Biotokens are evaluated on FVC 2002 DB1 and DB2 in the original paper.
FRR is dependent on the size of the key encoded, and ranges from 7% for 128 bit keys to
25
37% for 1024 bit keys with 0% FAR. An improved version of Bipartite Biotoken is
evaluated in (L. Jain, Wilber, and Boult 2013) with FVC 2002 DB1a, DB2a, and DB3a and
FVC 2004 DB1a, DB2a,DB3a. On FVC 2002 DB1a, they achieved about 4% FRR at .1% FAR.
On FVC 2002 DB2a, they achieved about 7% FRR at .1% FAR.
2.4.4.3. PMCC
Minutia Cylinder Code (Cappelli, Ferrara, and Maltoni 2010) is a method for
constructing a local descriptor for a minutia. It locally aligns the coordinate system for each
minutia (central minutia) based on that minutia’s position and orientation. The vector
describes all neighboring minutia based on its relative position and orientation.
While MCC creates an effective minutia neighborhood descriptor, it reveals
information about the biometric. In (Ferrara, Maltoni, and Cappelli 2012), the authors
modify MCC by projecting most of the information about the neighboring minutia and
binarizing the result. This results in a minutia neighborhood feature in a convenient, non-
invertible bitstring form. PMCC achieves more accurate results than other biometric
protection systems at the cost of reduced security, lack of revocability
(Mirmohamadsadeghi and Drygajlo 2013), and no key binding/generation.
PMCC has lower security than other biometric cryptographic systems. Between 25%
and 30% of minutia can be recovered from the PMCC descriptor by inversion, depending
on the size of the PMCC bitstring. Comparatively, the cryptographic hashes used by Fuzzy
Commitment and Fuzzy Extractor reveal no minutia locations without a successful match.
26
PMCC does not support revocability. It cannot utilize a password or random string to
differentiate templates. Similarly, it cannot generate or release a key on a successful match.
PMCC was evaluated on FVC2002 and FVC2006. For comparison purposes, 32 bit
PMCC achieved a 6.6% EER, 14.8% FRR at .1% FAR, 19.5% FRR at 0% FAR on FVC2002
DB1, and 4.3% EER, 11.5% FRR at .1% FAR, 16.4% FRR at 0% FAR on FVC2002 DB2.
2.4.4.4. Cancelable Fingerprint Templates With Delaunay Triangle-Based Local
Structures
Yang, W., Hu, J., Wang, S., & Yang, J (W Yang et al. 2013) propose a cancelable
template using Delaunay triangle. The main features are a Delaunay triangle representation
and a non-invertable polar transformation. The Delaunay triangle representation produces
a feature vector. The feature vector is element-wise quantized. Each triangle then
undergoes a non-invertible polar transformation.
Formally non-invertible transformations, such as the one used in this example, are
not very good at protecting templates. Other key-scrambled transformation techniques are
non-invertible on a few percent of the data (T. Boult 2007). The authors of this system do
not present a security analysis.
This system was evaluated on FVC2002 DB1 and DB2. On DB1 it has a 5.9% EER. On
DB2 it has a 4% EER. All available biometric data is used to generate a single match score.
27
2.4.5. Analysis
From the techniques available to the field and these examples, we can now draw
some conclusions.
There is a strong tradeoff between system accuracy and privacy. For example,
(Kaizhi and Aiqun 2013) proposed a cancellable template system based on fuzzy
commitment. They were able to achieve an effectively 0% FAR at 0% FRR (FVC2004 DB2),
but only by having a private key and public minutia data. (P. Li et al. 2012) implement
Fuzzy Commitment. They achieved an effectively 0% FAR at 4.6% FRR (FVC2002 DB2), but
at the expense of having helper data that depended heavily on user data, leaving an
unknown amount of private biometric information public. On the other hand, systems that
accurately account for lost privacy have unusable error rates. (Wencheng Yang et al. 2014)
use Fuzzy Extractors, which reveal a bounded amount of private information, but has a FRR
of not less than 25% at near 0% FAR1. Therefore, the tradeoff between accuracy and
privacy has not been optimally solved in existing work.
Moreover, most systems use all available biometric data to create a single match
result. Any message released from the template was fixed at the time of template creation.
This problem is most severe for Fuzzy Commitment, Fuzzy Vault, and Fuzzy Extractor. For
these systems, the message must be created at registration.
Bipartite Biotokens avoid this problem by the creation of nested templates. For each
new message, a new template can be created with public key cryptography.
1 Based on ROC curve, exact numbers not provided.
28
Bipartite Biotokens are complicated by their fingerprint biometric representation,
which requires multiple layers of matching. The minutia pair representation has low
distinguishability and requires multiple methods of complicated matching algorithms.
Since the message elements are paired directly with the minutia pair elements, Bipartite
Biotokens cannot use redundancy at the representation level.
This analysis gives direction to my research. Protected biometric systems require a
better accuracy / security trade off. Since most protected biometric systems have template
dependent messages, new methods of biometric key exchange are necessary. The best
existing system for biometric key exchange, Bipartite Biotokens based on Biotope, may
benefit from an improved representation.
2.5. Vaulted Verification
Vaulted Verification (VV) (Wilber and Boult 2012) is a privacy preserving, remote
key exchange system. Unlike the key binding and key generation functions discussed above,
VV allows key binding at an arbitrary time by a remote server. The template is divided into
a number of blocks. These blocks are paired with chaff blocks and stored. The permutation
of these paired blocks stores the key. A user recovers the key by identifying the real blocks
from the chaff blocks, recovering the permutation. Protection in this system is provided by
public key encryption, which allows the template to be transmitted to a remote server. The
server can then use the protocol to verify the user. Vaulted Verification is described in
(Wilber and Boult 2012) and implemented in (Johnson, Scheirer, and Boult 2013), (Wilber,
Scheirer, and Boult 2012). The enrollment and verification process are as follows.
29
2.5.1. Enrollment Process
The user enrolls in the system by submitting the appropriate biometric modality to
the client. The client then constructs feature vectors and groups them into multiple blocks
called “real blocks.” Each real block is paired with a randomized chaff block. Each block is
independently encrypted by the user’s encryption key. The entire template is then
encrypted by the server’s encryption key.
The template becomes a group of encrypted real and chaff blocks. This allows the
server to swap blocks and create a challenge response, which is later used to authenticate a
potential user.
2.5.2. Verification Process
The user needs to prove his identity in order to access the server. The server creates
a random binary bitstring of length N, where N is the number of block pairs in the template.
The server permutes the blocks according to the bitstring created. If the bit is 1, then the
blocks are swapped. If the bit is 0, no swapping is conducted. The blocks are encrypted and
sent to the client. The client decrypts the received blocks and compares them against live
input to identify the real blocks and ultimately recover the correct bitstring.
30
Chapter 3: Preliminary Work
3.1. Vaulted Fingerprint Verification
This review of current research indicates that we can now create a communication
channel between remote sites while: providing strong evidence of a user’s identity though
biometrics, using the user-friendly fingerprint biometric, protecting the biometric data, and
having reasonable performance. To investigate this question, I build the Vaulted
Fingerprint Verification (VFV) system. VFV integrates fingerprint biometrics with VV to
send a message encoded in the biometric to a remote user. This message is used to verify
that user.
Our approach uses minutia triples as fuzzy feature representation (X. Chen et al.
2006). The minutia triangles are extracted to vectors that can be compared for a match. We
have modified the fuzzy feature representation approach by extending it into a voting
system that helps the client distinguish real blocks from chaff, which is necessary to
recover the VFV bitstring. An overview of the enrollment process is illustrated in Figure 1.
31
3.1.1. Enrollment Process
Figure 1. Enrollment process.
Fingerprint minutiae are the building blocks of VFV. We use Mindtct from the NIST
toolset (Kenneth), which outputs the x and y coordinates for the minutia, the minutia
orientation, and the quality value as illustrated in 1:
Mi ={x, y, θ, q} (1)
We eliminate low-quality minutiae and compute all possible combinations of three
minutia points to construct a set of triangles. We compute the distance, interior angle, and
invariant orientation of each triangle. The distances are ordered from largest to smallest.
Invariant orientation is the difference between the minutia orientation and the bisector of
the triangle through that point. However, not all of the triangles we construct are useful.
32
We only accept triangles whose distances are between two threshold values (10, 150).
Overly long triangles are likely to have distorted distances while short distances will distort
angles (X. Chen et al. 2006).
The accepted triangles are then permuted randomly to remove any ordering
relationship between minutia locations in the triangle set. These accepted, randomized
triangles are grouped into blocks, which give us more control over accuracy at the expense
of template size. As we will show in our experiment increasing block size increases
accuracy but consumes more triangles per bit.
Chaff triangles are constructed in the similar manner. The only difference is that the
chaff is drawn from a separate pool of subjects. Constructing chaff is critical part of the
system. We need to balance the overlap between the real and chaff triangles. This requires
us to make it difficult for an attacker to discriminate real triangles while allowing potential
users to identify themselves with high probability.
Each block is individually encrypted using user’s private key. Each real block is then
paired with a chaff block. Next, the entire template is encrypted with the server’s public
key. Then, the encrypted template is sent to the server for use in the verification process.
3.1.2. Verification Process
A user initiates the identity verification process by requesting authentication from
the server. The server decrypts the template using its key and creates a challenge bitstring
of length N, where N is the number of blocks in the saved template. The server then swaps
pairs according to the generated bitstring. If the bitstring is 1, the pair is swapped; if it is 0,
33
there is no change. The permuted template becomes encrypted with the user’s public key,
and it is sent to the client.
The client decrypts the template and matches it against a live input to recover the
bitstring. Our matching algorithm consists of four parts: score generation, vote summation,
group comparison, and key generation (bit string recovery).
A score function takes each triangle from the gallery set and probe set and outputs
a score. We use Equation 2 to compare a triangle from gallery Tg to a triangle of probe Tpr:
score={1−¿T g−T pr∨¿Threshold ,if ∨T g−T pr∨¿Threshold0 ,∧otherwise (2)
The score is summed along the probe set dimension, resulting in a triangle vote
vector. The triangle vote vector is summed along each block, which results in a Block Vote
Vector (BVV).
The BVV allows us to compare the two gallery sets. The gallery set with the larger
BVV is classified as a “real” block, and the other is classified as a “chaff” block. If the BVV is
equal for both sets, we classify the block as undetermined.
The BVV classifications for the entire set is combined with the error correction
parity bits. This allows us to recover the permutation bitstring. An overview of the
verification process is illustrated in Figure 2.
34
Figure 2. Verification process.
35
Verification process pseudo-codeThe gallery has two sets; These are referred to as Gallery (Sets)
Each Set has N blocks; These are referred to as Gallery (Set (Blocks))
Each Block has M Triangles; These are referred to as Gallery(Sets(Blocks(Triangles)))
Each Triangle has 9 elements- 3 distances, 3 interior angles, 3 orientations; These are referred to as Gallery (Sets (Blocks(Triangles(Elements))))
for each Gallery(Sets)for each Gallery(Sets(Blocks))
for each Gallery(Sets(Blocks(Triangles)))for each Gallery(Sets(Blocks(Triangles(Elements))))
for each Probe(Triangles(Elements))calculate Element Match Score as the entrywise score function between Gallery(Sets(Blocks(Triangles))) and Probe(Triangle)
calculate Pairwise Triangle Match Score as product of Element Match Scores
endendcalculate the Triangle Match Score as the sum of the Pairwise Triangle Match Scores
endcalculate Block Match Score as sum of Triangle Match Scores
endif Set1(Block Match Score) is greater than Set2(Block Match Score)
then Bitstring is 1else, if Set1(Block Match Score) is less than Set2(Block Match Score)
then Bitstring is 0else
then Bitstring is errorend if
endapply RS-ECC to Bitstring to create Corrected Bitstring
36
3.1.3. Evaluation
The proposed VFV protocol has been evaluated using data from the DB1-A of
Fingerprint Verification Competition 2002 (FVC2002) (Maio and Maltoni 2002), which
contains 8 images per person for 100 people. An implementation of VFV requires setting a
quality threshold, maximum and minimum distance thresholds, block size, and template
length, which are listed in Table 1.
Table 1. Triangle construction parameters.
Minutia quality
Min. distance Max. distance Block size Template length
25 10 150 8 255
The thresholds for the scoring function (2) were determined empirically. We
performed a grid search over a training set of the threshold space to locate the values that
maximized the distinguishability between the real and chaff triangles. The mean optimal
thresholds and standard deviation are shown in Table 2.
Table 2. Optimal threshold.
Mean Standard deviationSample
size
DistanceInterior
angleInvariant
orientationDistance
Interior angle
Invariant orientation
31.1 14.7 17.3 1.4 1.8 1.4 24
37
The accuracy of the VFV system is determined by all of the parameters listed in
tables 1 and 2. Blocking plays a critical role in accuracy. Larger block sizes improve
accuracy, which reduces the need for error correction but reduces template length. On the
other hand, a smaller block size reduces accuracy but increases template length allowing
larger keys. Larger block size increases uniqueness for block matching, suggesting
directions for future improvements.
The bitstring produced by the client is corrected by Reed-Solomon ECC with n= 255
and k=65. This allows us to correct 95 errors in any bitstring, leaving 65 bits of security.
With these parameters, VFV has an ERR of about 7.5% (Figure 3). While below the state-of-
the-art privacy-enhanced algorithms on this dataset; e.g., the 2.1%EER reported18 by Bolt et
al. in 2007, these initial experiments do suggest that VFV has potential in viable remote
authentication method. The section on future work discusses methods for improving the
system.
Figure 3: FAR and FRR curves
38
3.1.4. Security
The first layer of security is encryption. Blocks are encrypted using user’s personal
(symmetric) key. Personal encryption prevents server and attacker from reading the
contents of the template. Within the template, groups are randomly permuted by an
initialization vector so they cannot be identified. The encrypted template is digitally signed
by the user’s private key, which ensures the integrity of the template. The template is then
encrypted using the server’s encryption key. The additional layer of encryption maintains
the confidentiality of the transmitted template.
At the verification stage, the server digitally signs the permuted template with its
private key and encrypts the permuted template using the user’s public key. This ensures a
unique challenge to prevent replay attacks. The encrypted template is then sent to the user.
This ensures the integrity and confidentiality of the challenge.
We can consider different scenarios of attack upon the system. If an attacker gains
access to a server’s private key at the enrollment stage, the attacker still cannot modify the
template due to the signature.
If the user’s private key is compromised, the attacker can inject his template at the
enrollment stage. At verification, the attacker can authenticate himself as a legitimate user
while denying access to the legitimate user. Since the user can no longer authenticate, this
can be detected through verification after enrollment.
39
If both the server and user private keys are compromised, the communication
channel is no longer secure. However, the template is still protected by the user’s personal
key and by the chaff.
If the user’s personal key is compromised at the enrollment stage, the template is
protected through the server’s public key. At the verification stage, the template is
protected through the user’s private key.
If the user’s personal and private keys are compromised, the template is still
protected at the enrollment stage through the server’s public key. However, the attacker
can recover the template at the verification stage.
If all keys are compromised, the attacker has the full control over the system and
can recover the template at any stage, leaving the chaff as the final layer of protection.
Without the biometric, if the chaff is good, the attacker still has a random chance to recover
the actual key. If the attacker has also broken into the server, they don’t need the random
string to impersonate the user, but with both templates and the all keys, the attacker can
recover the triangles. We currently know of no algorithm to recover minutiae from the
triangle data, but cannot rule out that is it might be possible.
Chapter 4: Proposed Work
My proposal has 4 parts: proof of concept for VFV, improved accuracy VFV with
PMCC, Biotope applied to triangle representation, and, as necessary, a formal description of
Biotope as Fuzzy Extractor. The proof of concept section consists of my existing work on
40
VFV. Accuracy will be improved by integrating PMCC with VFV. Extending Biotope to
triangles will demonstrate proficiency with biometric protection systems. If these systems
do not work as intended, I will also give a formal description of Biotope as a Fuzzy
Extractor.
4.1. VFV
Our implementation model is discussed 3.1. Vaulted Fingerprint Verification. In that
section, we prove that it is possible to transmit a message from a server to a remote user
encoded in a template. This message is chosen after template creation. However, VFV
requires additional accuracy to compete with the state of the art. Currently, the feature
vectors are insufficiently distinguishable, and may match each other accidentally. This is
the first contribution of my thesis.
Minutia1
Minutia2
Minutia3[d2,3 a1 o1
d1,3 a2 o2
d1,2 a3 o3]
Current Feature Vector
4.2. VFV-PMCC
While VFV proves that it is possible to construct a biometric message with
fingerprints, the accuracy of the triangle representation is limited. Therefore, I propose
including PMCC descriptors (Ferrara, Maltoni, and Cappelli 2012) to the minutia. PMCC
provides a bitstring description of the minutia neighborhood, and are discussed in more
41
detail in 2.4.4.3. PMCC. These should enhance triangle distinguishability, improving
accuracy.
Minutia1
Minutia2
Minutia3[d2,3 a1 o1 PMCC1
d1,3 a2 o2 PMCC2
d1,2 a3 o3 PMCC3]
PMCC Feature Vector
Figure 4 VFV-PMCC: Triangle A compared with triangles B and C. It matches triangle B only because they have the same PMCC. Triangle C has a different PMCC, thus it will not match despite having similar distances, angles, and orientation.
42
This modification will have no conceptual changes to the VFV system. Key exchange,
bitstring error correction, and block matching are all conceptually unchanged. However, it
will significantly impact the triangle matcher function as the original elements (d, a, o) are
numbers, while the PMCC elements are bitstrings. The original elements are approximately
matched by a Euclidean distance function, but the PMCC elements will require a Hamming
distance function. Additionally, there is no obvious best method of combining these scores,
so this project will require determining the weights of PMCC and the existing elements
within the matching function. VFV with PMCC will be compared against other state of the
art systems with respect to accuracy, and security for the second contribution of my thesis.
4.3. Biotope Triangles
An effective and accurate protected biometric system has been built by Boult (T.
Boult 2007), discussed in 2.4.4.1. Biotope. The current implementation on a minutia pair
representation compares favorably with other State of the Art systems. However, the pair
representation has several limitations and may not be an optimal for Biotope.
The pair representation has limited information content (1 distance, and 2
orientation values). This provides limited distinguishability for the matcher. Additionally,
the small size makes it difficult to protect the stable values with large encryption keys, as
the protected object must be the same size as the key.
A triangle representation overcomes the weaknesses of the pair representation. The
triangle representation contains more information (3 distances, 3, angles, and 3 orientation
43
values). This will provide more distinguishability to the matcher and allow protection by
larger encryption keys.
I will construct an implementation of the Biotope system on a minutia triangle
representation. It will be compared against the existing pair-representation Biotope system
as the third contribution of my thesis.
4.4. Biotope/Fuzzy Extractor Theory
Biotope is a general concept. It has been applied to face (T. E. Boult 2006) and
fingerprint (T. Boult 2007) biometrics, and is the basis of a key binding system (W Scheirer
and Boult 2009). It functions by using a robust matcher that uses the remainder of a
quantization procedure as helper data.
Fuzzy Extractor provides a framework for understanding the amount of information
revealed by helper data. There are several useful theorems associated with Fuzzy Extractor
that allow for bounds on the information revealed by helper data.
A formal description of the relationship between Biotope and Fuzzy Extractor will
provide benefits to both systems. For Biotope, it will provide an abstract description to
ensure the groundwork for future generalizations. For Fuzzy Extractor, it will extend the
known methods of utilizing helper data.
If VFV-PMCC and Biotope Triangles are unable to compete with the State of the Art,
then the formal description of the relationship between Biotope and Fuzzy Extractor will
be the final contribution of my thesis.
44
4.5. Time line
Task Estimated timeImplement VFV-PMCC May - JuneImplement Biotope triangles July - AugustReserved for formal description of Biotope as Fuzzy Extractor. September - OctoberWriting and preparation for Thesis Defense November - December
4.6. List of publication
1. Albahdal, Abdullah A., Hamdan Alzahrani, Lalit Prithviraj Jain, and Terrance E. Boult. "Trusted BWI: Privacy and trust enhanced biometric web identities." Biometrics: Theory, Applications and Systems (BTAS), 2013 IEEE Sixth International Conference on, pp. 1-8. IEEE, 2013.
2. Alzahrani, Hamdan, and Terrance E. Boult. “Remote authentication using vaulted fingerprint verification.” To appear in Biometric and Surveillance Technology for Human and Activity Identification XI, May 2014.
45
5. ReferencesAdams, Anne, and Martina Angela Sasse. 1999. “Users Are Not the Enemy.” Communications of the ACM 42 (12) (December 1):
40–46. doi:10.1145/322796.322806. http://portal.acm.org/citation.cfm?doid=322796.322806.
Ahmad, Tohari. 2011. “Cartesian and Polar Transformation-Based Cancelable Fingerprint Template.” IECON 2011 - 37th Annual Conference of the IEEE Industrial Electronics Society (November): 373–378. doi:10.1109/IECON.2011.6119339. http://ieeexplore.ieee.org/lpdocs/epic03/wrapper.htm?arnumber=6119339.
———. 2012. “Global and Local Feature-Based Transformations for Fingerprint Data Protection” (January). http://researchbank.rmit.edu.au/view/rmit:160073.
Arakala, Arathi, Jason Jeffers, and KJ Horadam. 2007. “Fuzzy Extractors for Minutiae-Based Fingerprint Authentication.” Advances in Biometrics: 760–769. http://link.springer.com/chapter/10.1007/978-3-540-74549-5_80.
Boult, TE. 2007. “Revocable Fingerprint Biotokens: Accuracy and Security Analysis.” IEEE Conference on Computer Vision and Pattern Recognition. http://ieeexplore.ieee.org/xpls/abs_all.jsp?arnumber=4270135.
Boult, Terrance E. 2006. “Robust Distance Measures for Face-Recognition Supporting Revocable Biometric Tokens.” In Automatic Face and Gesture Recognition.
Bringer, Julien, H Chabanne, and M Favre. 2012. “Fuzzy Vault for Multiple Users.” In Progress in Cryptology, AFRICACRYPT 2012, 67–81. http://link.springer.com/chapter/10.1007/978-3-642-31410-0_5.
Cappelli, Raffaele, Matteo Ferrara, and Davide Maltoni. 2010. “Minutia Cylinder-Code: A New Representation and Matching Technique for Fingerprint Recognition.” IEEE Transactions on Pattern Analysis and Machine Intelligence 32 (12) (December): 2128–41. doi:10.1109/TPAMI.2010.52. http://www.ncbi.nlm.nih.gov/pubmed/20975113.
Chau, AC, and CP Soto. 2011. “Hybrid Algorithm for Fingerprint Matching Using Delaunay Triangulation and Local Binary Patterns.” Progress in Pattern Recognition, Image Analysis, Computer Vision, and Applications: 692–700. http://link.springer.com/chapter/10.1007/978-3-642-25085-9_82.
Chen, Chin-ling, Cheng-chi Lee, and Chao-yung Hsu. 2012. “Mobile Device Integration of a Fingerprint Biometric Remote Authentication Scheme” (April 2011). doi:10.1002/dac.
Chen, Xinjian, Jie Tian, Xin Yang, and Yangyang Zhang. 2006. “An Algorithm for Distorted Fingerprint Matching Based on Local Triangle Feature Set.” IEEE Transactions on Information Forensics and Security 1 (2): 169–177. http://ieeexplore.ieee.org/xpls/abs_all.jsp?arnumber=1634359.
Das, Priyanka, Kannan Karthik, and Boul Chandra Garai. 2012. “A Robust Alignment-Free Fingerprint Hashing Algorithm Based on Minimum Distance Graphs.” Pattern Recognition 45 (9) (September): 3373–3388. doi:10.1016/j.patcog.2012.02.022. http://linkinghub.elsevier.com/retrieve/pii/S0031320312001008.
Dodis, Yevgeniy, Leonid Reyzin, and Adam Smith. 2004. “Fuzzy Extractors: How to Generate Strong Keys from Biometrics and Other Noisy Data.” Advances in Cryptology-Eurocrypt 2004.
Dorizzi, B, M Cappelli, D Maio, D Maltoni, S Houmani, S Garcia-Salicetti, and A Mayoue. 2009. “Fingerprint and On-Line Signature Verification Competitions at ICB 2009.” In International Conference on Biometrics, 725 – 732.
Fan, Chun-i, and Yi-hui Lin. 2009. “Provably Secure Remote Truly Three-Factor Authentication Scheme With Privacy Protection on Biometrics.” IEEE Transactions on Information Forensics and Security 4 (4) (December): 933–945. doi:10.1109/TIFS.2009.2031942. http://ieeexplore.ieee.org/lpdocs/epic03/wrapper.htm?arnumber=5238635.
Ferrara, Matteo, Davide Maltoni, and Raffaele Cappelli. 2012. “Noninvertible Minutia Cylinder-Code Representation.” IEEE Transactions on Information Forensics and Security 7 (6) (December): 1727–1737. doi:10.1109/TIFS.2012.2215326. http://ieeexplore.ieee.org/lpdocs/epic03/wrapper.htm?arnumber=6307852.
46
Gray, R.M., and D.L. Neuhoff. 1998. “Quantization.” IEEE Transactions on Information Theory 44 (6): 2325–2383. doi:10.1109/18.720541. http://ieeexplore.ieee.org/lpdocs/epic03/wrapper.htm?arnumber=720541.
Hartloff, Jesse, Jimmy Dobler, Sergey Tulyakov, Atri Rudra, and Venu Govindaraju. 2013. “Towards Fingerprints as Strings: Secure Indexing for Fingerprint Matching.” 2013 International Conference on Biometrics (ICB) (June): 1–6. doi:10.1109/ICB.2013.6612973. http://ieeexplore.ieee.org/lpdocs/epic03/wrapper.htm?arnumber=6612973.
Jain, AK, Salil Prabhakar, Lin Hong, and Sharath Prankanti. 1999. “FingerCode: A Filterbank for Fingerprint Representation and Matching.” Computer Vision and Pattern Recognition 2 (11): 187–193. http://ieeexplore.ieee.org/xpls/abs_all.jsp?arnumber=784628.
Jain, Anil K, Karthik Nandakumar, and Abhishek Nagar. 2008. “Biometric Template Security.” EURASIP Journal on Advances in Signal Processing 2008 (1): 579416. doi:10.1155/2008/579416. http://asp.eurasipjournals.com/content/2008/1/579416.
Jain, Lalit, Michael J. Wilber, and Terrance E. Boult. 2013. “Issues in Rotational (Non-)invariance and Image Preprocessing.” 2013 IEEE Conference on Computer Vision and Pattern Recognition Workshops (June): 76–83. doi:10.1109/CVPRW.2013.19. http://ieeexplore.ieee.org/lpdocs/epic03/wrapper.htm?arnumber=6595857.
Jin, Zhe. 2010. “A Revocable Fingerprint Template for Security and Privacy Preserving.” KSII Transactions on Internet and Information Systems 4 (6) (December 23): 1327–1342. doi:10.3837/tiis.2010.12.020. http://www.itiis.org/tiis/download.jsp?filename=TIIS_Vol4No6P20December2010.pdf.
Jin, Zhe, Bok-Min Goi, Yong Haur Tay, and Andrew Beng Jin Teoh. 2013. “A Non-Invertible Graph-Based Hamming Embedding Transform for Fingerprint Minutiae Protection.” 2013 6th International Congress on Image and Signal Processing (CISP) (Cisp) (December): 1688–1693. doi:10.1109/CISP.2013.6743948. http://ieeexplore.ieee.org/lpdocs/epic03/wrapper.htm?arnumber=6743948.
Jin, Zhe, Andrew Beng Jin Teoh, Thian Song Ong, and Connie Tee. 2012. “Fingerprint Template Protection with Minutiae-Based Bit-String for Security and Privacy Preserving.” Expert Systems with Applications 39 (6) (May): 6157–6167. doi:10.1016/j.eswa.2011.11.091. http://linkinghub.elsevier.com/retrieve/pii/S095741741101637X.
Jin, Zhe, ABJ Teoh, TS Ong, and Connie Tee. 2009. “Secure Minutiae-Based Fingerprint Templates Using Random Triangle Hashing.” Visual Informatics: Bridging Research and Practice: 521–531. http://link.springer.com/chapter/10.1007/978-3-642-05036-7_49.
Johnson, R. C., Walter J. Scheirer, and Terrance E. Boult. 2013. “Secure Voice-Based Authentication for Mobile Devices: Vaulted Voice Verification.” Edited by Ioannis Kakadiaris, Walter J. Scheirer, Laurence G. Hassebrook, and Shishir Shah. SPIE Defense, Security, and Sensing 8712 (May 31): 87120P–87120P–13. doi:10.1117/12.2015649. http://proceedings.spiedigitallibrary.org/proceeding.aspx?doi=10.1117/12.2015649.
Juels, Ari, and Madhu Sudan. 2006. “A Fuzzy Vault Scheme.” In Designs Codes and Cryptography, 38:237–257. IEEE. doi:10.1007/s10623-005-6343-z. http://www.springerlink.com/index/10.1007/s10623-005-6343-z.
Juels, Ari, and Martin Wattenberg. 1999. “A Fuzzy Commitment Scheme.” Proceedings of the 6th ACM Conference on Computer and Communications Security CCS 99: 28–36. http://dl.acm.org/citation.cfm?id=319714.
Júnior, PRM. 2010. “A Complete System for Fingerprint Authentication Using Delaunay Triangulation.” http://www.decom.ufop.br/menotti/rp102/TrabalhoFinal-papers/02-Fingerprint.pdf.
Kaizhi, Chen, and Hu Aiqun. 2013. “An Enhancing Fingerprint Template Protection Method.” 2013 5th International Conference on Computational Intelligence and Communication Networks (September): 275–279. doi:10.1109/CICN.2013.65. http://ieeexplore.ieee.org/lpdocs/epic03/wrapper.htm?arnumber=6657999.
Kenneth, Ko. “User’s Guide to NIST Biometric Image Software (NBIS).”
Kumar, Gaurav, Sergey Tulyakov, and Venu Govindaraju. 2010. “Combination of Symmetric Hash Functions for Secure Fingerprint Matching.” 2010 20th International Conference on Pattern Recognition (August): 890–893. doi:10.1109/ICPR.2010.224. http://ieeexplore.ieee.org/lpdocs/epic03/wrapper.htm?arnumber=5596072.
Li, Chun-Ta, and Min-Shiang Hwang. 2010. “An Efficient Biometrics-Based Remote User Authentication Scheme Using Smart Cards.” Journal of Network and Computer Applications 33 (1) (January): 1–5. doi:10.1016/j.jnca.2009.08.001. http://linkinghub.elsevier.com/retrieve/pii/S1084804509001192.
47
Li, Huixian, Longfei Ju, Liaojun Pang, and Xuan Wang. 2013. “Remote Biometric Authentication Scheme with Privacy Protection” 2 (20096102120045): 455–462.
Li, Peng, Xin Yang, Hua Qiao, Kai Cao, Eryun Liu, and Jie Tian. 2012. “An Effective Biometric Cryptosystem Combining Fingerprints with Error Correction Codes.” Expert Systems with Applications 39 (7) (June): 6562–6574. doi:10.1016/j.eswa.2011.12.048. http://linkinghub.elsevier.com/retrieve/pii/S0957417411017192.
Li, Xiong, Jian-Wei Niu, Jian Ma, Wen-Dong Wang, and Cheng-Lian Liu. 2011. “Cryptanalysis and Improvement of a Biometrics-Based Remote User Authentication Scheme Using Smart Cards.” Journal of Network and Computer Applications 34 (1) (January): 73–79. doi:10.1016/j.jnca.2010.09.003. http://linkinghub.elsevier.com/retrieve/pii/S1084804510001657.
Maio, D, and D Maltoni. 2002. “FVC2002: Second Fingerprint Verification Competition.” Pattern Recognition, 2002. Proceedings. 16th International Conference On. (September): 0–3. http://ieeexplore.ieee.org/xpls/abs_all.jsp?arnumber=1048144.
Matsumoto, Tsutomu, Hiroyuki Matsumoto, Koji Yamada, and Satoshi Hoshino. 2002. “Impact of Artificial ‘Gummy’ Fingers on Fingerprint Sytems.” In Optical Security and Counterfeit Deterrence Techniques 4, edited by Rudolf L. van Renesse, 4677:275–289. doi:10.1117/12.462719. http://proceedings.spiedigitallibrary.org/proceeding.aspx?articleid=878135.
Mirmohamadsadeghi, Leila, and Andrzej Drygajlo. 2013. “A Template Privacy Protection Scheme for Fingerprint Minutiae Descriptors.” In Biometrics Special Interest Group (BIOSIG), 2013 International Conference of the. IEEE. http://ieeexplore.ieee.org/xpls/abs_all.jsp?arnumber=6617156.
Moon, Daesung, Sungju Lee, Seunghwan Jung, and Yongwha Chung. 2007. “Fingerprint Template Protection Using Fuzzy Vault.” Computational Science and Its Applications–ICCSA: 1141–1151. http://link.springer.com/chapter/10.1007/978-3-540-74484-9_100.
Moon, Ki Young, and Daesung Moon. 2012. “Biometrics Information Protection Using Fuzzy Vault Scheme.” 2012 Eighth International Conference on Signal Image Technology and Internet Based Systems (November): 124–128. doi:10.1109/SITIS.2012.28. http://ieeexplore.ieee.org/lpdocs/epic03/wrapper.htm?arnumber=6395084.
Nagar, Abhishek, and S Chaudhury. 2006. “Biometrics Based Asymmetric Cryptosystem Design Using Modified Fuzzy Vault Scheme.” Pattern Recognition 2006, 18th International Conference on 4: 2–5. http://ieeexplore.ieee.org/xpls/abs_all.jsp?arnumber=1699897.
Nagar, Abhishek, Karthik Nandakumar, and Anil K. Jain. 2009. “A Hybrid Biometric Cryptosystem for Securing Fingerprint Minutiae Templates.” Pattern Recognition Letters 31 (8) (June): 733–741. doi:10.1016/j.patrec.2009.07.003. http://linkinghub.elsevier.com/retrieve/pii/S0167865509001652.
Nandakumar, Karthik. 2007. “Fingerprint-Based Fuzzy Vault: Implementation and Performance.” Information Forensics and Security, IEEE Transactions on 2 (4): 744–757. http://ieeexplore.ieee.org/xpls/abs_all.jsp?arnumber=4378259.
Parziale, Giuseppe, and Albert Niel. 2004. “A Fingerprint Matching Using Minutiae Triangulation.” Biometric Authentication: 241–248. http://link.springer.com/chapter/10.1007/978-3-540-25948-0_34.
Scheirer, W, and T Boult. 2009. “Bipartite Biotokens: Definition, Implementation, and Analysis.” Advances in Biometrics: 775–785. http://www.springerlink.com/index/Y6854128XJ40W511.pdf.
Scheirer, W., B. Bishop, and T. Boult. 2010. “Beyond PKI: The Biocryptographic Key Infrastructure.” 2010 IEEE International Workshop on Information Forensics and Security (December): 1–6. doi:10.1109/WIFS.2010.5711435. http://ieeexplore.ieee.org/lpdocs/epic03/wrapper.htm?arnumber=5711435.
Scheirer, WJ, and TE Boult. 2007. “Cracking Fuzzy Vaults and Biometric Encryption.” Biometrics Symposium, 2007 29 (4) (April): 544–60. doi:10.1109/TPAMI.2007.1018.
Stallings, William. 2011. Cryptography and Network Security: Principles and Practice. 5th ed. Practice Hall.
Teoh, Andrew B J, Alwyn Goh, and David C L Ngo. 2006. “Random Multispace Quantization as an Analytic Mechanism for BioHashing of Biometric and Random Identity Inputs.” IEEE Transactions on Pattern Analysis and Machine Intelligence 28 (12) (December): 1892–901. doi:10.1109/TPAMI.2006.250. http://www.ncbi.nlm.nih.gov/pubmed/17108365.
48
Teoh, Andrew Beng Jin, and Jaihie Kim. 2007. “Secure Biometric Template Protection in Fuzzy Commitment Scheme.” IEICE Electronics Express 4 (23): 724–730. doi:10.1587/elex.4.724. http://joi.jlc.jst.go.jp/JST.JSTAGE/elex/4.724?from=CrossRef.
Wagner, David. 2002. “A Generalized Birthday Problem.” In Advances in Cryptography CRYPTO 2002, 288–304.
Wang, Ruifang, Xin Yang, Xia Liu, Sujing Zhou, Peng Li, Kai Cao, and Jie Tian. 2010. “A Novel Fingerprint Template Protection Scheme Based on Distance Projection Coding.” 2010 20th International Conference on Pattern Recognition (August): 886–889. doi:10.1109/ICPR.2010.223. http://ieeexplore.ieee.org/lpdocs/epic03/wrapper.htm?arnumber=5596071.
Wang, Song, and Jiankun Hu. 2014. “Design of Alignment-Free Cancelable Fingerprint Templates via Curtailed Circular Convolution.” Pattern Recognition 47 (3) (March): 1321–1329. doi:10.1016/j.patcog.2013.10.003. http://linkinghub.elsevier.com/retrieve/pii/S0031320313004093.
Watson, CI, MD Garris, and E Tabassi. 2007. “User’s Guide to Nist Biometric Image Software (nbis).” http://citeseerx.ist.psu.edu/viewdoc/summary?doi=10.1.1.152.7698.
Wilber, Michael J., and Terrance E. Boult. 2012. “Secure Remote Matching with Privacy: Scrambled Support Vector Vaulted Verification.” 2012 IEEE Workshop on the Applications of Computer Vision (WACV) (January): 169–176. doi:10.1109/WACV.2012.6163018. http://ieeexplore.ieee.org/lpdocs/epic03/wrapper.htm?arnumber=6163018.
Wilber, Michael J., Walter J. Scheirer, and Terrance E. Boult. 2012. “PRIVV: Private Remote Iris-Authentication with Vaulted Verification.” 2012 IEEE Computer Society Conference on Computer Vision and Pattern Recognition Workshops (June): 97–104. doi:10.1109/CVPRW.2012.6239222. http://ieeexplore.ieee.org/lpdocs/epic03/wrapper.htm?arnumber=6239222.
Xi, K., and J. Hu. 2009. “Biometric Mobile Template Protection: A Composite Feature Based Fingerprint Fuzzy Vault.” 2009 IEEE International Conference on Communications (June): 1–5. doi:10.1109/ICC.2009.5198785. http://ieeexplore.ieee.org/lpdocs/epic03/wrapper.htm?arnumber=5198785.
Yang, Bian, Christoph Busch, Patrick Bours, and Davrondzhon Gafurov. 2010. “Robust Minutiae Hash for Fingerprint Template Protection.” Edited by Nasir D. Memon, Jana Dittmann, Adnan M. Alattar, and Edward J. Delp III 7541 (February 4): 75410R–75410R–9. doi:10.1117/12.838998. http://proceedings.spiedigitallibrary.org/proceeding.aspx?articleid=777191.
Yang, W, Jiankun Hu, Song Wang, and Jucheng Yang. 2013. “Cancelable Fingerprint Templates with Delaunay Triangle-Based Local Structures.” Cyberspace Safety and Security: 81–91. http://link.springer.com/chapter/10.1007/978-3-319-03584-0_7.
Yang, Wencheng, Jiankun Hu, and Song Wang. 2012. “A Delaunay Triangle-Based Fuzzy Extractor for Fingerprint Authentication.” 2012 IEEE 11th International Conference on Trust, Security and Privacy in Computing and Communications (June): 66–70. doi:10.1109/TrustCom.2012.23. http://ieeexplore.ieee.org/lpdocs/epic03/wrapper.htm?arnumber=6295959.
Yang, Wencheng, Jiankun Hu, Song Wang, and Milos Stojmenovic. 2014. “An Alignment-Free Fingerprint Bio-Cryptosystem Based on Modified Voronoi Neighbor Structures.” Pattern Recognition 47: 1309–1320. http://www.sciencedirect.com/science/article/pii/S003132031300407X.
Zhang, Ning, Xin Yang, Yali Zang, Xiaofei Jia, and Jie Tian. 2013. “Generating Registration-Free Cancelable Fingerprint Templates Based on Minutia Cylinder-Code Representation.” 2013 IEEE Sixth International Conference on Biometrics: Theory, Applications and Systems (BTAS) (September): 1–6. doi:10.1109/BTAS.2013.6712731. http://ieeexplore.ieee.org/lpdocs/epic03/wrapper.htm?arnumber=6712731.
Zheng, Jian-De, Yuan Gao, and Ming-Zhi Zhang. 2009. “Fingerprint Matching Algorithm Based on Similar Vector Triangle.” 2009 2nd International Congress on Image and Signal Processing (October): 1–6. doi:10.1109/CISP.2009.5304556. http://ieeexplore.ieee.org/lpdocs/epic03/wrapper.htm?arnumber=5304556.
49
