Accepted Manuscript

Fingerprint Shell: Secure Representation of Fingerprint Template

Chouaib Moujahdi, George Bebis, Sanaa Ghouzali, Mohammed Rziza

PII: S0167-8655(14)00118-4DOI: http://dx.doi.org/10.1016/j.patrec.2014.04.001Reference: PATREC 5989

To appear in: Pattern Recognition Letters

Please cite this article as: Moujahdi, C., Bebis, G., Ghouzali, S., Rziza, M., Fingerprint Shell: Secure Representationof Fingerprint Template, Pattern Recognition Letters (2014), doi: http://dx.doi.org/10.1016/j.patrec.2014.04.001

This is a PDF file of an unedited manuscript that has been accepted for publication. As a service to our customerswe are providing this early version of the manuscript. The manuscript will undergo copyediting, typesetting, andreview of the resulting proof before it is published in its final form. Please note that during the production processerrors may be discovered which could affect the content, and all legal disclaimers that apply to the journal pertain.

Fingerprint Shell: Secure Representation of Fingerprint

Template

Chouaib Moujahdia,∗, George Bebisb, Sanaa Ghouzalic, Mohammed Rzizaa

aLRIT, associated unit to CNRST (URAC 29), Mohammed V-Agdal University, Rabat,Morocco

bDepartment of Computer Science and Engineering, University of Nevada, Reno, NV89577, USA

cInformation Technology Department, CCIS, King Saud University, Riyadh, SaudiArabia

Abstract

Fingerprint is a popular biometric modality which is used extensively in sev-

eral applications for person authentication, providing high uniqueness and

acceptable performance. Most fingerprint systems use minutiae-based repre-

sentations. However, several studies have proven that the original fingerprint

impression can be reconstructed from minutia information, which makes the

problem of ensuring the security of fingerprint data very critical. In this

paper, we present a new approach for fingerprint template protection. Our

objective is to build a non-invertible transformation that meets the require-

ments of revocability, diversity, security and performance. In this context,

we exploit the information provided by the extracted minutiae to construct

a new representation based on special spiral curves, which can be used for

the recognition task instead of the traditional minutiae-based representation.

∗Corresponding author. Unit 517, 590 Lake Street, Reno, NV 89501. +1 775 771 4653Email addresses: chouaib.moujahdi@fulbrightmail.org (Chouaib Moujahdi),

bebis@cse.unr.edu (George Bebis), sghouzali@ksu.edu.sa (Sanaa Ghouzali),rziza@fsr.ac.ma (Mohammed Rziza)

Preprint submitted to Pattern Recognition Letters April 10, 2014

The proposed approach has been evaluated using the original FVC protocol

and compared with existing protection approaches which use the same pro-

tocol. Our experimental results illustrate the ability of the proposed repre-

sentation to preserve the performance of protected systems. Moreover, we

demonstrate that the security of our approach is sufficiently robust to the

zero effort and brute force attacks.

Keywords: Fingerprint, minutiae, template protection, revocability,

diversity, security.

1. Introduction1

Biometric systems, day after day, propagate more to human life instead2

traditional systems which use passwords and ID cards. They are widely3

used to identify / authenticate users reliably in many applications. However,4

biometric systems have given rise to new problems and challenges related5

to the security and the protection of personal data, issues of less concern in6

traditional systems. In practice, while biometrics ensure uniqueness, they7

do not provide secrecy. Each person has his/her own biometric traits but8

the person cannot keep them away from theft incidents to be used illegally.9

For example, a person might leave his/her fingerprints on everyday touched10

surfaces. Thus, many attacks can be launched against biometric systems,11

which reduce the credibility of these systems.12

We can identify eight levels of attack in a biometric system (Ratha et al.,13

2001); however, since the principle of some attacks is repeated, Jain et al14

(Jain et al., 2008) have grouped them into four categories. First, attacks on15

the user interface (i.e., sensor), mainly due to the presentation of falsified16

2

biometric data. Second, attacks on the interface between modules where an17

adversary can either destroy or interfere communication interfaces between18

modules. Third, attacks on the software module where the executable pro-19

gram of a module can be modified so that it always returns the desired values20

of an opponent. This is known as Trojan-horse attack.21

Finally, attacks against the biometric templates stored in the database22

module which are considered among the most damaging attacks on a bio-23

metric system. For example, a biometric template can be replaced by an24

impostor’s template to obtain unauthorized access to the system. In addi-25

tion, a physic parody (spoof) can be created from a stolen template to obtain26

unauthorized access to the system. The irrevocability of biometric templates27

makes this kind of attack very dangerous; because, unlike a stolen credit card28

or password, it is not possible for a legitimate user to revoke his/her biomet-29

ric templates and replace them with another set of identifiers. Therefore,30

promoting the use of biometric technologies in future applications requires31

increased security of biometric data.32

Due to these security challenges, there are currently many research ef-33

forts underway to protect biometric systems against possible attacks. Sev-34

eral approaches have been proposed in the literature for biometric template35

protection. The main objective of these proposed schemes is to make bio-36

metrics revocable. Revocability means that we can revoke a compromised37

template and replace it with another one, in the same way that a stolen pass-38

word can be replaced with a new one. The main idea of these approaches,39

which aim to protect the stored biometric templates, is that instead of stor-40

ing the templates themselves, a function is stored for each template which is41

3

used directly in the task of authentication. This work is primarily concerned42

with these solutions for template protection. An ideal approach of biometric43

template protection must meet four requirements (Jain et al., 2008):44

• Revocability : it should be possible to revoke a compromised template45

and replace it with a new one based on the same biometric data.46

• Diversity : if a revoked template is replaced by a new model, it should47

not correspond with the former. This property ensures the privacy.48

• Security : it must be difficult, computationally, to obtain the original49

template from the protected template. This requirement has another50

naming, for example it is called non-reversibility in (Maltoni et al.,51

2009) and irreversibility in (Breebaart et al., 2009). It should be noted52

that the security requirement of a biometric template protection differs53

from the concept of the overall security of a biometric system which is54

the result of including all possible protection techniques in a biometric55

system (i.e., encryption of data in canals, timestamp, etc) to avoid all56

possible threats in all levels of attack.57

• Performance: The protection approach should not degrade the recog-58

nition performance of the system.59

Jain et al. (2008) have classified template protection approaches into three60

main categories: feature transformation, biometric cryptosystem, and hybrid.61

Each of these approaches has its own advantages and limitations (Rathgeb62

and Uhl, 2011). Overall, they do not meet, contemporaneously, the four re-63

quirements of an ideal protection scheme. We are concerned in this work with64

4

feature transformation approaches. The basic idea of feature transformation65

approaches is to apply a transformation function F to the original biometric66

template T using a key K; the transformed template F(T,K) is then stored67

in the database. The function F is also used to transform the test tem-68

plate Q, and we can directly compare the transformed templates F(T,K) and69

F(Q,K) in the transformation domain to determine whether the user is ac-70

cepted or not. Depending on the type of template representation, feature71

transformation schemes can be divided into two main classes: Vector-based72

approaches (e.g., Moujahdi et al. (2012)) and Interest-point-based approaches73

(e.g., Ratha et al. (2007)) (mostly designed for minutiae-based systems).74

In this paper, we propose a new non-invertible transformation approach75

for minutiae-based templates of fingerprint-based systems (i.e., interest-point-76

based approach), that allows diversity, revocability, security and perfor-77

mance. In addition, unlike several fingerprint template protection schemes,78

the performance of our approach is less sensitive to translation / orientation79

transformations of fingerprint impressions.80

The rest of the paper is organized as follows. In Section 2, we review fin-81

gerprint template protection approaches. We present the proposed approach82

in Section 3. Our experimental results and comparisons are presented in83

Section 4. Our conclusions and perspectives are provided in Section 5.84

2. Literature review85

Fingerprint recognition of minutiae-based systems involves the following86

three main steps. First, fingerprint image pre-processing (i.e., segmentation,87

orientation estimation, binarization, thinning, etc.). Second, feature extrac-88

5

tion (ridge endings and bifurcations). Finally, fingerprint matching (i.e.,89

alignment, matching score). This kind of systems requires storing minutiae90

information (coordinates and orientations) in the database. However, several91

works (Ross et al., 2005; Cappelli et al., 2007) have proven that the finger-92

print impression can be reconstructed from minutia information. Thus, the93

design of new protection solutions and new secure fingerprint representations94

become increasingly important.

M4

(60, 283, 20)

M1

(216,162, 45)

M2

(261, 229, 82)

M3

(131, 306, 353)

M1

(260, 111, 17)

M4

(158, 274, 352)

M2

(330, 154, 62)

M3

(235, 270, 333)

Figure 1: Examples of translation / rotation of two impressions from the same

finger. Location and orientation of minutiae (x, y, θ) are changed drastically.

Distances between singular point (red square) and minutiae (blue squares)

are relatively invariant.

95

In practice, intra-subject variations make fingerprint recognition an ex-96

tremely difficult task; this is because multiple acquisitions of the same finger97

are very unlikely to lead to an identical set of minutiae. The main factors re-98

sponsible for intra-subject variations are due to the non-linear distortion (due99

to the skin elasticity), translation and rotation of fingerprint impressions. A100

6

finger may be placed and/or rotated on the sensor differently during several101

authentications which changes drastically the location / orientation informa-102

tion of minutiae points and requires applying an alignment between test and103

training templates before matching (e.g., according to (Maltoni et al., 2009),104

displacement of 2 mm corresponds to 40 pixels translation and ±20◦ of ro-105

tation can be noticed). Therefore, fingerprint recognition is very sensitive to106

orientation and translation of impressions (Figure 1) which makes fingerprint107

template protection more complicated too.108

Several vector-based approaches (e.g., Teoh et al. (2007); Moujahdi et al.109

(2012)) have been applied for fingerprint template protection. The main110

idea of these schemes is to build feature vectors using the global texture111

of fingerprint impressions. However, fingerprint images are mostly treated112

using an interest point representation (i.e., minutiae representation) which113

requires appropriate protection techniques. We can divide interest-point-114

based approaches into three categories.115

First, techniques that convert the minutiae representation to a vector rep-116

resentation. For example in (Farooq et al., 2007), the information provided by117

several extracted minutiae triplets are used to generate a binarized histogram.118

A user’s key is used after that to randomize the histogram and obtain the119

protected binary vector to be stored in the database. This technique provides120

good performance. However, it is still vulnerable against some attacks like121

dictionary based attacks. In (Tulyakov et al., 2007), several symmetric poly-122

nomial functions are used to construct the hashes of the extracted minutiae123

triplets during enrolment and verification stage; the matching takes place in124

the hash space. This technique provides good balance between security and125

7

performance. However, in practice, the hash values, of several impressions126

from the same finger, change drastically due to the presence of the intra-127

subject variations which can decrease considerably the performance. (Boult128

et al., 2007) propose a hybrid approach which combines feature transforma-129

tion with encryption to generate a secure template called Biotop biotoken.130

This method provides a good balance between security and performance.131

(Ahn et al., 2008) propose an interesting alignment-free feature transforma-132

tion approach. The purpose of this technique is to extract some special133

geometrical information from minutiae triplets to construct the secure tem-134

plate. This technique provides low accuracy compared to the state-of-the-art.135

(Kumar et al., 2010) propose an extension of (Tulyakov et al., 2007) using136

a combination of symmetric hash functions on several extracted minutia k-137

plets. This technique provides high security in terms of resistance against138

brute force attacks. However, the performance is decreased.139

Second, techniques that disorder the minutiae representation to generate140

a new secure set of minutiae (Ratha et al., 2007; Ahmad et al., 2011). (Ratha141

et al., 2007) have proposed an interesting solution which belongs to this cat-142

egory. The main idea is to apply geometric transformations to the minutiae143

representation. Three transformation types were tested: cartesian, radial144

and functional. This solution provides high security because it is difficult to145

recover the original minutiae representation from the transformed template.146

However, the intra-subject variation increases in the secure representation147

which decreases the performance considerably.148

Finally, techniques that generate a new secure representation from the149

minutiae representation. For example in (Ferrara et al., 2012), they have150

8

proposed a protected version of Minutia Cylinder-Code (MCC) (Cappelli151

et al., 2010) which is a new fingerprint template representation. MCC uses,152

for each minutia, a cylinder (i.e., local descriptor) to encode, spatial (loca-153

tion) and directional (orientation) information between the minutia and its154

neighborhood, and create the fingerprint template. A non-invertible transfor-155

mation based on the Kullback-Leibler projection (Goutis and Robert, 1998)156

followed by a binarization step is applied on the MCC. This scheme has157

demonstrated very good efficiency although it has to trade performance /158

accuracy for security / privacy. Our work is primarily concerned with this159

kind of solutions.160

3. Proposed approach161

The main idea of fingerprint shell is to construct special spiral curves162

using information from the extracted minutiae. These curves will be stored163

in the database system to be used for recognition. This new representation of164

fingerprint images provides: revocability, diversity, security and performance.165

The main steps of fingerprint shell are the following:166

During enrollment, for each fingerprint image we perform the following:167

• Extract minutiae and singular points1 (Core and delta).168

• Calculate the distance between each minutiae and every singular point169

(i.e., for every fingerprint template, the number of curves will be equal170

1Singular points are special regions in a fingerprint impression where the ridges are of

high curvature. These regions may be classified into two categories: core and delta. The

number of singular points in a fingerprint template is usually between one and four points.

9

to the number of singular points). The distances between minutiae and171

singular point are invariant under translation or/and rotation transfor-172

mations (Figure 1).173

• Fingerprint Shell / Curve construction: Sort distances in an ascending174

order. The sorted distances are used to construct several contiguous175

right angle triangles where the distances are the hypotenuses of these176

triangles (see Figure 2). We keep only the spiral curves for matching.177

d1

d3

d2

Distances between singular

point (red) and minutiae (blue)

Fingerprint Shell

Construction

d0

d1+d0

d2+d0

d3+d0

Fingerprint Curve

extraction

(a) Simple example of Fingerprint Shell/Curve construction

(b) Fingerprint Shell/Curve of a fingerprint impression

Figure 2: Illustration of Fingerprint Shell construction.

It should be noted that for the first triangle, we choose randomly an initial178

distance d0 (see Figure 2 (a) and Algorithm 1); for the other cathetus, the179

10

Algorithm 1 Fingerprint Curve construction

Input: Sorted distances d1 d2 ... dn of a fingerprint impression

Parameters: User’s key d0

Output: A fingerprint curve FC

Let DIS = [d0, d1 + d0, d2 + d0, ..., dn + d0] and θ1 = 0

for i = 1 to n + 1 do

if i == 1 then

Legi =√

DIS2i+1 − d2

0 . Leg distance of the first right angle triangle

x = [0 DISi DISi 0] . Points abscissae of the first triangle

y = [0 0 Legi 0] . Points ordinates of the first triangle

end if

if i > 1 then

Legi =√

DIS2i+1 − DIS2

i . Leg distance of the next right angle triangle

θi = −atan

(

Legi−1

DISi−1

)

θi = θi + θi−1 . Angle between d0 and the last constructed leg

x = [0 DISi DISi 0]

y = [0 0 Legi 0]

for j = 1 to 4 do

∆ = [xj yj] ×

cos (θi) −sin (θi)

sin (θi) cos (θi)

. Change of basis

xj = ∆1 and yj = ∆2 . Coordinates in the vector space frame of the first triangle

end for

end if

CurveXi = x3 and CurveYi = y3

end for

FC (1, :) = CurveX . Points abscissae of the fingerprint curve

FC (2, :) = CurveY . Points ordinates of the fingerprint curve11

distance of the leg is calculated using the Pythagorean theorem. Moreover, d0180

is added to each extracted distance, before the triangles construction process,181

to be able to launch our algorithm even in the scenario where d0 is greater182

than some extracted distances.183

Each user will have his own d0 which can be considered as the user’s key.184

In practice, performance increases considerably using this strategy due to the185

reduction of the False Match Rate (see Subsection 4.2).186

During authentication, for each test image, we use the same process ap-187

plied on the training fingerprint images except for the choice of the singular188

point. For test templates, the closest singular point to the center of the test189

image is chosen to calculate the distances. However, any other singular point190

can be used in this process since in the enrollment phase we have considered191

all extracted singular points.192

To match the test and reference curves, we apply the Hausdorff Distance

which is widely used in computer vision and computer graphics. For two sets

of points A and B, it can be defined as follow:

HD (A,B) = max (h (A,B) , h (B,A)) (1)

where h (A,B) = maxa∈A

minb∈B

‖ a − b ‖193

− ‖ . ‖ is a distance metric (e.g., Euclidean distance).194

The proposed technique meets the requirements of revocability, diversity195

and security. In practice, we can protect a compromised template by chang-196

ing the distance d0 (revocability); the new constructed curve will not match197

with the compromised one which provides diversity (see Figure 3).198

12

For security (i.e., non-reversibility), it is very difficult to recover the minu-199

tiae information (which will be used as well to recover the fingerprint impres-200

sion (Ross et al., 2005; Cappelli et al., 2007)) from a stolen fingerprint curve.201

Let us analyze the worst case scenario where the adversary has access to a202

fingerprint curve and he/she knows the process to recover the distances be-203

tween the singular point and the extracted minutiae. In practice, the number204

of possibilities to put each minutia around the singular point using the recov-205

ered distances is infinite. However, even if we assume that, for each distance,206

there are only 360 possibilities, the number of possible combinations is 360n207

(n is the number of minutiae). Moreover, there is no way to recover the208

minutiae orientation, from a stolen fingerprint curve, which is necessary to209

reconstruct the fingerprint impression.

Match

Match

Imp

ression

2

key1

Do not Match Do not Match

key1

key2 key2

Imp

ress

ion

1

Figure 3: Illustration of revocability/diversity; example of two impressions

of the same identity using two different d0.

210

Based on the complexity of brute force attack, we can conclude that even211

13

in the worst case scenario, the security of our system is enough to be robust to212

this kind of attacks. The performance, diversity and security of the proposed213

approach will be analyzed more in the next section.214

4. Experimental results215

In this section, we evaluate the verification accuracy of the Fingerprint216

Shell approach using the original Fingerprint Verification Competition proto-217

col (Maio et al., 2002) and the FVC2002 DB1 and DB2 fingerprint databases.218

4.1. Data sets and experimental procedure219

FVC2002 DB1 and DB2 contain 800 fingerprint impressions, of various220

quality, from 100 distinct fingers (i.e., each person is represented by 8 im-221

pressions). The trial version of the commercial software VeriFinger SDK 6.02222

has been used to extract minutiae and singular points.223

For each database, the FVC protocol is used to report results of the224

Fingerprint Shell on FVC2002. In this protocol, the first impression of each225

finger is compared against the first impression of the remaining fingers to226

obtain the impostor score distribution (i.e., 4950 attempts in the case of227

the FVC2002 databases if all first impressions are enrolled successfully). To228

obtain the genuine score distribution, each impression is compared against229

the remaining impressions of the same finger (i.e., 2800 attempts in the case230

of the FVC2002 databases if all impressions are enrolled successfully). It231

should be noted that the calculated scores must be in the range [0, 1] and the232

2http://www.neurotechnology.com

14

symmetric comparisons are not launched to avoid repetition of scores (i.e., if233

T1 is matched with T2, T2 against T1 is not calculated).234

The genuine / impostor score distribution can be graphically illustrated

to show how an algorithm can separate imposter from genuine. We will use

two other factors to measure the separability of scores: first, the Kolmogorov-

Smirnov test. The closer this test is to 1, the more the scores are separated,

which means that diversity is high. Second, the separability measurement

proposed by (Lee et al., 2007):

Separability =| µG − µI |

√

(σ2G + σ2

I ) /2(2)

− µG and µI are the means of genuine and impostor distributions.235

− σ2G and σ2

I are the variances of genuine and impostor distributions.236

Following the FVC protocol, genuine matching scores (gms) and impostor

matching scores (ims) are used to calculate the False Match Rate (FMR) and

the corrected False Non Match Rate (FNMR). For a threshold t ranging from

0 to 1 (Maio et al., 2002):

FMR (t) =cardinality {ims|ims ≥ t}

number of impostor recognition attempts(3)

FNMR (t) =cardinality {gms|gms < t} + REJ

number of genuine recognition attempts(4)

− Where REJ is the number of rejections. If an image cannot be en-237

rolled successfully (e.g., no extracted singular point in the case of our238

approach), the matching will be 0 for every possible recognition attempt239

using any rejected template.240

15

Additional performance indicators are used in our evaluation (Cappelli241

et al., 2006): first, FMR1000 which equal the FNMR value when FMR=0.001%.242

Second, ZeroFMR which equal to the lowest FNMR value for FMR=0%.243

These values are used to evaluate the verification accuracy of systems which244

operate far from the Equal Error Rates (EER) point (i.e., these systems aim245

high security and they use a threshold which reduces FMR even if that yields246

a high FNMR).247

Fingerprint curves have been constructed as described in section 3. How-248

ever, to use correctly the FVC verification protocol and allow a fair compar-249

ison with the state-of-the-art, we only extracted the closest singular point to250

the image center to calculate distances. It should be noted that three images251

from DB1 and one image from DB2 do not contain singular points; which252

means that the number of possible recognition attempt using these rejected253

images, among the 2800 attempts of genuine scores, is 21 and 7 for DB1254

and DB2 respectively. Therefore, in our evaluation, REJDB1 = 0.75% and255

REJDB2 = 0.25%.256

4.2. Results and discussion257

First, we evaluated the importance of using a specific d0 for each user.258

Separability, Kolmogorov-Smirnov test and genuine-impostor distribution of259

two systems, using FVC2002 DB1 database, are reported to show how the use260

of keys influences discriminability. The first system enrolls people without a261

user’s key (i.e., the same d0 is used for all fingers). In the second system, the262

user’s key is required (the keys are randomly chosen in the range (0, 1.5555]).263

Figure 4 illustrates the results.264

Figure 4(a) shows the genuine-impostor distribution of the first system265

16

(i.e., without keys). We can notice some overlap between the two distribu-266

tions which explains the medium values of K-S test (0.7812) and Separability267

(2.4703). These values are greatly increased (6.1636 and 0.9934 for Separa-268

bility and K-S test respectively) using the user’s keys in the second system269

(Figure 4(b)) which means that discriminability is enhanced as well. There-270

fore, we can conclude that the use of a specific d0 for each user increases271

discrimination which reduces the False Match Rate and increases accuracy.

0 0.01 0.02 0.03 0.04 0.05 0.06 0.070

0.5

1

1.5

2

2.5

3

3.5

4

x 105

Normalized Hausdorff Distance

Genuine

Imposter

Separability = 2.4703

K−S Test = 0.7812

(a) Without a user’s key

0 0.01 0.02 0.03 0.04 0.05 0.06 0.07 0.080

0.5

1

1.5

2

2.5

3

3.5

4

x 105

Normalized Hausdorff Distance

Genuine

Imposter

Separability = 6.1636

K−S Test = 0.9934

(b) With a user’s key

Figure 4: Histogram of two systems based on Fingerprint Shell using

FVC2002 DB1.272

The purpose of our second evaluation is the diversity of fingerprint shell273

approach (i.e., resistance against cross-matching). It must be ensured that a274

fingerprint curve of a finger does not allow cross-matches among fingerprint275

curves of the same finger in other systems. For each database, we have276

considered three systems which enroll the same fingers in their databases.277

Systems 1, 2 and 3 use keys which are randomly chosen in the ranges (0,278

1.5555], [100, 500] and [1000, 2000] respectively. For each finger in system 1,279

17

the same finger in the systems 2 and 3 is used to obtain the pseudo-genuine280

distribution as follow: each curve from system 1 is compared against all281

curves of the same finger from systems 2 and system 3 respectively (i.e.,282

6400 attempts for each system if all impressions are enrolled successfully;283

6355 attempts for DB1 and 6385 attempts for DB2 in our experiments). The284

results are illustrated in Figure 5.285

Figure 5 shows the genuine-impostor distribution of system 1 and the286

pseudo-genuine distributions in the same system using fingerprint curves from287

system 2 and system 3. It can be observed that both pseudo-genuine distrib-288

utions are well separate from te genuine distribution of system 1. Moreover,289

they are closest to the impostor distribution which means that system 1290

considers, most of time, fingerprint curves of systems 2 and 3 as impostors.291

Thus, we can conclude that both revocability and diversity are achieved by292

the proposed approach. We can also notice that the pseudo distribution of293

system 3 is more separated from the genuine distribution of system 1 than294

that of system 2; which means that the diversity, of two systems based on295

fingerprint shell approach, increases if the keys ranges are well separated.296

Table 1 provides a comparison of verification accuracy of the fingerprint297

shell approach with existing protection approaches which use the same FVC298

protocol. It should be noted that the fingerprint shell and (Boult et al.,299

2007), unlike the other algorithms cited in Table 1, are two-factor techniques300

which combine the information provided by a fingerprint impression with a301

secret key (for fingerprint shell, the keys are randomly chosen in the range302

(0, 100]).303

We can notice that the proposed approach shows good performance in304

18

0 0.01 0.02 0.03 0.04 0.05 0.06 0.07

0

2

4

6

8

10

12

14x 10

5

Normalized Hausdorff Distance

Genuine (System 1)

Pseudo−Genuine (System 2 curves)

Pseudo−Genuine (System 3 curves)

Imposter (System 1)

(a) FVC2002 DB1

0 0.01 0.02 0.03 0.04 0.05 0.06 0.070

2

4

6

8

10

12

14x 10

5

Normalized Hausdorff Distance

Genuine (System 1)

Pseudo−Genuine (System 2 curves)

Pseudo−Genuine (System 3 curves)

Imposter (System 1)

(b) FVC2002 DB2

Figure 5: Histogram of system 1 and pseudo-genuine distributions using

systems 2 and 3.

comparison with the state-of-the-art, which can be explained by the increase305

of discrimination / performance (which is one of the advantages of two-factor306

approaches Maltoni et al. (2009)) due to the use of a specific key for each user307

and also by the fact that all techniques of Table 1 (except Boult et al. (2007))308

are single-factor approaches. In addition, the use of information invariant to309

translation / rotation of impression (i.e., distances between singular points310

and minutiae) helps to preserve performance.311

To analyze the performance of Fingerprint Shell in the zero effort attack312

scenario (with stolen key) where the opponent knows d0 and tries to cir-313

cumvent the system using his/her own fingerprint features, we modified the314

FVC evaluation protocol. To obtain the impostor score distribution, the first315

fingerprint curve of each finger is compared against the first curve of the re-316

maining fingers which is constructed using the same d0 of the reference curve317

(i.e., 9900 attacks if all first impressions are enrolled successfully). For the318

19

Table 1: Verification accuracy based on FVC protocol (percentage values)

FVC2002 DB1 FVC2002 DB2

EER FMR1000 ZeroFMR EER FMR1000 ZeroFMR

Boult et al. (2007) 2.1 —– —– 1.2 —– —–

Tulyakov et al. (2007) 3 —– —– —– —– —–

Ahn et al. (2008) 7.18 —– —– 3.61 —– —–

Kumar et al. (2010) —– —– —– 4.98 —– —–

Ferrara et al. (2012) 1.88 3.14 5.07 0.99 1.43 2.54

Fingerprint Shell 2.03 4.18 6.36 1.01 1.39 2.21

genuine score distribution, each impression is compared against the remain-319

ing impressions of the same finger (i.e., 2800 attempts if all impressions are320

enrolled successfully). It should be noted that the keys are randomly chosen321

here in the range (0, 1000]. The ROC curves of fingerprint shell using the322

described scenario are illustrated in Figure 6.323

We can notice that the proposed approach preserves, in general, the per-324

formance of the protected systems which means that fingerprint shell resists325

against the zero effort attacks even in the case where the adversary knows326

the user’s key. However, we can observe from Table 2, which summarizes the327

EER, FMR1000 and ZeroFMR computed from Figure 6, that the performance328

is preserved just near the EER points (4.28% and 1.45% for DB1 and DB2329

respectively). Fingerprint shell loses accuracy for thresholds far from the330

EER points (see FMR1000 and ZeroFMR in Table 2), which can be explained331

by the inability of the used classifier to return a score which exceeds the332

20

10−4

10−3

10−2

10−1

100

10−3

10−2

10−1

100

False Match Rate

Fa

lse

No

n M

atc

h R

ate

Fingerprint Shell (DB1)

Fingerprint Shell (DB2)

FMR1000

EER line

Figure 6: ROC curves in the zero effort attack scenario using FVC2002 DB1

and DB2.

threshold decision in high level security working points.

Table 2: Verification accuracy of Fingerprint Shell in the zero effort attack

scenario

FVC2002 DB1 FVC2002 DB2

EER FMR1000 ZeroFMR EER FMR1000 ZeroFMR

Fingerprint Shell 4.28 27.14 94.00 1.45 36.46 99.04

333

Therefore, we can conclude that, in high security applications based on334

fingerprint shell, the systems should be operated only near the EER point to335

minimize the success of zero effort attacks.336

21

5. Conclusion337

In this paper, we proposed a new approach for fingerprint template pro-338

tection. The information provided by the minutiae is used to construct a new339

representation based on special spiral curves which are used for the recog-340

nition task instead of the traditional minutiae-based representation. Our341

approach meets revocability, diversity and security, which are required in an342

ideal method for template protection. In addition, our experimental results343

indicate that the proposed approach preserves recognition performance. The344

performance of fingerprint shell is related to two factors: first, the accuracy of345

minutiae extraction and second, the presence and accuracy of singular points346

detection. However, unlike several fingerprint template protection schemes,347

the performance of fingerprint shell is less sensitive to translation / rotation348

of fingerprint impressions.349

In practice, the proposed technique is far from being efficient in all sce-350

narios of impression acquisition: for example, if the majority of minutiae are351

missed or several spurious minutiae are added or simply the impression is352

cropped, the constructed curves will change drastically. In our future work,353

we will address these weak points. In addition, we plan to test the proposed354

approach using larger databases which are characterized by the presence of355

important intra-subject variations. Also we plan to improve fingerprint shell356

using more features provided by fingerprint impressions (e.g., texture mea-357

sures) to construct the curves, and to test several versions of the Hausdorff358

distance family and new methodologies of this distance (e.g., Moreno et al.359

(2013)). Moreover, our future plans include the design of new protection360

schemes for multimodal systems.361

22

Acknowledgment362

This work is supported by the Fulbright Joint Supervision Program of the363

Moroccan-American Commission for Educational and Cultural Exchange.364

References365

Ahmad, T., Hu, J., Wang, S., 2011. Pair-polar coordinate-based cancelable366

fingerprint templates. Pattern Recognition 44, 2555–64.367

Ahn, D., Kong, S., Chung, Y.S., Moon, K.Y., 2008. Matching with secure368

fingerprint templates using non-invertible transform, in: Image and Signal369

Processing, 2008. CISP ’08. Congress on, pp. 29–33.370

Boult, T., Scheirer, W., Woodworth, R., 2007. Revocable fingerprint bioto-371

kens: accuracy and security analysis, in: IEEE Conference on Computer372

Vision and Pattern Recognition, 2007. CVPR ’07, pp. 1–8.373

Breebaart, J., Yang, B., Dulman, I.B., Busch, C., 2009. Biometric tem-374

plate protection: The need for open standards. Privacy and Data Security375

journal 5, 299–304.376

Cappelli, R., Ferrara, M., Maltoni, D., 2010. Minutia cylinder-code: A new377

representation and matching technique for fingerprint recognition. Pattern378

Analysis and Machine Intelligence, IEEE Transactions on 32, 2128–41.379

Cappelli, R., Maio, D., Lumini, A., Maltoni, D., 2007. Fingerprint image380

reconstruction from standard templates. IEEE Transactions on Pattern381

Analysis and Machine Intelligence 29, 1489–503.382

23

Cappelli, R., Maio, D., Maltoni, D., Wayman, J., Jain, A., 2006. Perfor-383

mance evaluation of fingerprint verification systems. Pattern Analysis and384

Machine Intelligence, IEEE Transactions on 28, 3–18.385

Farooq, F., Bolle, R., Jea, T.Y., Ratha, N., 2007. Anonymous and revoca-386

ble fingerprint recognition, in: Computer Vision and Pattern Recognition,387

2007. CVPR ’07. IEEE Conference on, pp. 1–7.388

Ferrara, M., Maltoni, D., Cappelli, R., 2012. Noninvertible minutia cylinder-389

code representation. IEEE Transactions on Information Forensics and Se-390

curity 7, 1727–37.391

Goutis, C., Robert, C.P., 1998. Model choice in generalised linear models: A392

bayesian approach via kullback-leibler projections. Biometrika 85, 29–37.393

Jain, A.k., Nandakumar, K., Nagar, A., 2008. Biometric template security.394

EURASIP Journal on Advances in Signal Processing , 1–17.395

Kumar, G., Tulyakov, S., Govindaraju, V., 2010. Combination of symmetric396

hash functions for secure fingerprint matching, in: Pattern Recognition397

(ICPR), 2010 20th International Conference on, pp. 890–3.398

Lee, C., Choi, J.Y., Toh, K.A., Lee, S., 2007. Alignment-free cancelable399

fingerprint templates based on local minutiae information. Systems, Man,400

and Cybernetics, Part B: Cybernetics, IEEE Transactions on 37, 980–92.401

Maio, D., Maltoni, D., Cappelli, R., Wayman, J., Jain, A., 2002. Fvc2000:402

fingerprint verification competition. Pattern Analysis and Machine Intel-403

ligence, IEEE Transactions on 24, 402–12.404

24

Maltoni, D., Maio, D., Jain, A.K., Prabhakar, S., 2009. Handbook of Fin-405

gerprint Recognition. Springer Publishing Company, Incorporated. 2nd406

edition.407

Moreno, R., Koppal, S., de Muinck, E., 2013. Robust estimation of distance408

between sets of points. Pattern Recognition Letters 34, 2192–8.409

Moujahdi, C., Ghouzali, S., Mikram, M., Rziza, M., Bebis, G., 2012. Spiral410

cube for biometric template protection, in: Image and Signal Processing.411

Springer Berlin Heidelberg. volume 7340 of Lecture Notes in Computer412

Science, pp. 235–44.413

Ratha, N., Chikkerur, S., Connell, J., Bolle, R., 2007. Generating cancelable414

fingerprint templates. Pattern Analysis and Machine Intelligence, IEEE415

Transactions on 29, 561–72.416

Ratha, N., Connell, J., Bolle, R., 2001. An analysis of minutiae matching417

strength, in: Audio- and Video-Based Biometric Person Authentication.418

Springer Berlin Heidelberg. volume 2091 of Lecture Notes in Computer419

Science, pp. 223–8.420

Rathgeb, C., Uhl, A., 2011. A survey on biometric cryptosystems and cance-421

lable biometrics. EURASIP Journal on Information Security 2011, 1–25.422

Ross, A.A., Shah, J., Jain, A.K., 2005. Toward reconstructing fingerprints423

from minutiae points. Proc. SPIE 5779, 68–80.424

Teoh, A.B.J., Toh, K.A., Yip, W.K., 2007. 2n discretisation of biophasor in425

cancellable biometrics, in: Proceedings of the 2007 international conference426

25

on Advances in Biometrics, Springer-Verlag, Berlin, Heidelberg. pp. 435–427

44.428

Tulyakov, S., Farooq, F., Mansukhani, P., Govindaraju, V., 2007. Sym-429

metric hash functions for secure fingerprint biometric systems. Pattern430

Recognition Letters 28, 2427–36.431

26

A new approach for fingerprint template protection is proposed.

A new representation is used instead of the traditional minutiae-based representation.

Requirements of revocability, diversity, security and performance are achieved.

The approach is sufficiently robust to the zero effort and brute force attacks.