Accepted Manuscript
Fingerprint Shell: Secure Representation of Fingerprint Template
Chouaib Moujahdi, George Bebis, Sanaa Ghouzali, Mohammed Rziza
PII: S0167-8655(14)00118-4
DOI: http://dx.doi.org/10.1016/j.patrec.2014.04.001
Reference: PATREC 5989
To appear in: Pattern Recognition Letters
Please cite this article as: Moujahdi, C., Bebis, G., Ghouzali, S., Rziza, M., Fingerprint Shell: Secure Representation of Fingerprint Template, Pattern Recognition Letters (2014), doi: http://dx.doi.org/10.1016/j.patrec.2014.04.001
This is a PDF file of an unedited manuscript that has been accepted for publication. As a service to our customers we are providing this early version of the manuscript. The manuscript will undergo copyediting, typesetting, and review of the resulting proof before it is published in its final form. Please note that during the production process errors may be discovered which could affect the content, and all legal disclaimers that apply to the journal pertain.
Chouaib Moujahdi (a,*), George Bebis (b), Sanaa Ghouzali (c), Mohammed Rziza (a)
(a) LRIT, associated unit to CNRST (URAC 29), Mohammed V-Agdal University, Rabat, Morocco
(b) Department of Computer Science and Engineering, University of Nevada, Reno, NV 89577, USA
(c) Information Technology Department, CCIS, King Saud University, Riyadh, Saudi Arabia
Abstract
Fingerprint is a popular biometric modality which is used extensively in several applications for person authentication, providing high uniqueness and acceptable performance. Most fingerprint systems use minutiae-based representations. However, several studies have proven that the original fingerprint impression can be reconstructed from minutia information, which makes the problem of ensuring the security of fingerprint data very critical. In this paper, we present a new approach for fingerprint template protection. Our objective is to build a non-invertible transformation that meets the requirements of revocability, diversity, security and performance. In this context, we exploit the information provided by the extracted minutiae to construct a new representation based on special spiral curves, which can be used for the recognition task instead of the traditional minutiae-based representation. The proposed approach has been evaluated using the original FVC protocol and compared with existing protection approaches which use the same protocol. Our experimental results illustrate the ability of the proposed representation to preserve the performance of protected systems. Moreover, we demonstrate that the security of our approach is sufficiently robust to the zero effort and brute force attacks.

Keywords: Fingerprint, minutiae, template protection, revocability, diversity, security.

* Corresponding author. Unit 517, 590 Lake Street, Reno, NV 89501. +1 775 771 4653
Email addresses: [email protected] (Chouaib Moujahdi), [email protected] (George Bebis), [email protected] (Sanaa Ghouzali), [email protected] (Mohammed Rziza)

Preprint submitted to Pattern Recognition Letters, April 10, 2014
1. Introduction

Biometric systems are steadily spreading into everyday life, replacing traditional systems which use passwords and ID cards. They are widely used to identify / authenticate users reliably in many applications. However, biometric systems have given rise to new problems and challenges related to the security and the protection of personal data, issues of less concern in traditional systems. In practice, while biometrics ensure uniqueness, they do not provide secrecy. Each person has his/her own biometric traits, but cannot prevent them from being stolen and used illegally. For example, a person might leave his/her fingerprints on surfaces touched every day. Thus, many attacks can be launched against biometric systems, which reduces the credibility of these systems.
We can identify eight levels of attack in a biometric system (Ratha et al., 2001); however, since the principle of some attacks is repeated, Jain et al. (2008) have grouped them into four categories. First, attacks on the user interface (i.e., sensor), mainly due to the presentation of falsified biometric data. Second, attacks on the interface between modules, where an adversary can either destroy or interfere with the communication interfaces between modules. Third, attacks on the software module, where the executable program of a module can be modified so that it always returns the values desired by the adversary. This is known as a Trojan-horse attack.
Finally, attacks against the biometric templates stored in the database module, which are considered among the most damaging attacks on a biometric system. For example, a biometric template can be replaced by an impostor's template to obtain unauthorized access to the system. In addition, a physical spoof can be created from a stolen template to obtain unauthorized access to the system. The irrevocability of biometric templates makes this kind of attack very dangerous because, unlike a stolen credit card or password, it is not possible for a legitimate user to revoke his/her biometric templates and replace them with another set of identifiers. Therefore, promoting the use of biometric technologies in future applications requires increased security of biometric data.
Due to these security challenges, there are currently many research efforts underway to protect biometric systems against possible attacks. Several approaches have been proposed in the literature for biometric template protection. The main objective of these proposed schemes is to make biometrics revocable. Revocability means that we can revoke a compromised template and replace it with another one, in the same way that a stolen password can be replaced with a new one. The main idea of these approaches, which aim to protect the stored biometric templates, is that instead of storing the templates themselves, a function of each template is stored and used directly for authentication. This work is primarily concerned with these solutions for template protection. An ideal approach to biometric template protection must meet four requirements (Jain et al., 2008):
• Revocability: it should be possible to revoke a compromised template and replace it with a new one based on the same biometric data.
• Diversity: if a revoked template is replaced by a new one, it should not match the former. This property ensures privacy.
• Security: it must be computationally difficult to obtain the original template from the protected template. This requirement goes by other names: it is called non-reversibility in (Maltoni et al., 2009) and irreversibility in (Breebaart et al., 2009). It should be noted that the security requirement of biometric template protection differs from the overall security of a biometric system, which is the result of including all possible protection techniques in a biometric system (i.e., encryption of data in channels, timestamps, etc.) to avoid all possible threats at all levels of attack.
• Performance: the protection approach should not degrade the recognition performance of the system.
Jain et al. (2008) have classified template protection approaches into three main categories: feature transformation, biometric cryptosystem, and hybrid. Each of these approaches has its own advantages and limitations (Rathgeb and Uhl, 2011). Overall, they do not meet all four requirements of an ideal protection scheme simultaneously. We are concerned in this work with feature transformation approaches. The basic idea of feature transformation approaches is to apply a transformation function F to the original biometric template T using a key K; the transformed template F(T,K) is then stored in the database. The function F is also used to transform the test template Q, and we can directly compare the transformed templates F(T,K) and F(Q,K) in the transformation domain to determine whether the user is accepted or not. Depending on the type of template representation, feature transformation schemes can be divided into two main classes: vector-based approaches (e.g., Moujahdi et al. (2012)) and interest-point-based approaches (e.g., Ratha et al. (2007)), which are mostly designed for minutiae-based systems.
In this paper, we propose a new non-invertible transformation approach for minutiae-based templates of fingerprint-based systems (i.e., an interest-point-based approach) that provides diversity, revocability, security and performance. In addition, unlike several fingerprint template protection schemes, the performance of our approach is less sensitive to translation / orientation transformations of fingerprint impressions.

The rest of the paper is organized as follows. In Section 2, we review fingerprint template protection approaches. We present the proposed approach in Section 3. Our experimental results and comparisons are presented in Section 4. Our conclusions and perspectives are provided in Section 5.
2. Literature review

Fingerprint recognition in minutiae-based systems involves the following three main steps. First, fingerprint image pre-processing (i.e., segmentation, orientation estimation, binarization, thinning, etc.). Second, feature extraction (ridge endings and bifurcations). Finally, fingerprint matching (i.e., alignment, matching score). This kind of system requires storing minutiae information (coordinates and orientations) in the database. However, several works (Ross et al., 2005; Cappelli et al., 2007) have proven that the fingerprint impression can be reconstructed from minutia information. Thus, the design of new protection solutions and new secure fingerprint representations becomes increasingly important.
Figure 1: Examples of translation / rotation of two impressions from the same finger. Location and orientation of minutiae (x, y, θ) are changed drastically. Distances between singular point (red square) and minutiae (blue squares) are relatively invariant.
[Minutiae labels in the figure, in extraction order: M4 (60, 283, 20), M1 (216, 162, 45), M2 (261, 229, 82), M3 (131, 306, 353); M1 (260, 111, 17), M4 (158, 274, 352), M2 (330, 154, 62), M3 (235, 270, 333).]
In practice, intra-subject variations make fingerprint recognition an extremely difficult task; this is because multiple acquisitions of the same finger are very unlikely to lead to an identical set of minutiae. The main factors responsible for intra-subject variations are non-linear distortion (due to skin elasticity), translation and rotation of fingerprint impressions. A finger may be placed and/or rotated differently on the sensor during several authentications, which drastically changes the location / orientation information of minutiae points and requires applying an alignment between test and training templates before matching (e.g., according to (Maltoni et al., 2009), displacement of 2 mm corresponds to 40 pixels translation and ±20° of rotation can be noticed). Therefore, fingerprint recognition is very sensitive to orientation and translation of impressions (Figure 1), which makes fingerprint template protection more complicated too.
Several vector-based approaches (e.g., Teoh et al. (2007); Moujahdi et al. (2012)) have been applied for fingerprint template protection. The main idea of these schemes is to build feature vectors using the global texture of fingerprint impressions. However, fingerprint images are mostly treated using an interest point representation (i.e., minutiae representation) which requires appropriate protection techniques. We can divide interest-point-based approaches into three categories.
First, techniques that convert the minutiae representation to a vector representation. For example, in (Farooq et al., 2007), the information provided by several extracted minutiae triplets is used to generate a binarized histogram. A user's key is then used to randomize the histogram and obtain the protected binary vector to be stored in the database. This technique provides good performance. However, it is still vulnerable to some attacks such as dictionary-based attacks. In (Tulyakov et al., 2007), several symmetric polynomial functions are used to construct the hashes of the extracted minutiae triplets during the enrolment and verification stages; the matching takes place in the hash space. This technique provides a good balance between security and performance. However, in practice, the hash values of several impressions from the same finger change drastically due to the presence of intra-subject variations, which can decrease the performance considerably. Boult et al. (2007) propose a hybrid approach which combines feature transformation with encryption to generate a secure template called Biotop biotoken. This method provides a good balance between security and performance. Ahn et al. (2008) propose an interesting alignment-free feature transformation approach. The purpose of this technique is to extract some special geometrical information from minutiae triplets to construct the secure template. This technique provides low accuracy compared to the state-of-the-art. Kumar et al. (2010) propose an extension of (Tulyakov et al., 2007) using a combination of symmetric hash functions on several extracted minutia k-plets. This technique provides high security in terms of resistance against brute force attacks. However, the performance is decreased.
Second, techniques that disorder the minutiae representation to generate a new secure set of minutiae (Ratha et al., 2007; Ahmad et al., 2011). Ratha et al. (2007) have proposed an interesting solution which belongs to this category. The main idea is to apply geometric transformations to the minutiae representation. Three transformation types were tested: cartesian, radial and functional. This solution provides high security because it is difficult to recover the original minutiae representation from the transformed template. However, the intra-subject variation increases in the secure representation, which decreases the performance considerably.
Finally, techniques that generate a new secure representation from the minutiae representation. For example, Ferrara et al. (2012) have proposed a protected version of Minutia Cylinder-Code (MCC) (Cappelli et al., 2010), which is a new fingerprint template representation. MCC uses, for each minutia, a cylinder (i.e., local descriptor) to encode spatial (location) and directional (orientation) information between the minutia and its neighborhood, and create the fingerprint template. A non-invertible transformation based on the Kullback-Leibler projection (Goutis and Robert, 1998) followed by a binarization step is applied to the MCC. This scheme has demonstrated very good efficiency although it has to trade performance / accuracy for security / privacy. Our work is primarily concerned with this kind of solution.
3. Proposed approach

The main idea of fingerprint shell is to construct special spiral curves using information from the extracted minutiae. These curves will be stored in the database system to be used for recognition. This new representation of fingerprint images provides revocability, diversity, security and performance. The main steps of fingerprint shell are the following.

During enrollment, for each fingerprint image we perform the following:
• Extract minutiae and singular points (core and delta; see footnote 1).
• Calculate the distance between each minutia and every singular point (i.e., for every fingerprint template, the number of curves will be equal to the number of singular points). The distances between minutiae and singular point are invariant under translation and/or rotation transformations (Figure 1).
• Fingerprint Shell / Curve construction: sort distances in ascending order. The sorted distances are used to construct several contiguous right angle triangles where the distances are the hypotenuses of these triangles (see Figure 2). We keep only the spiral curves for matching.

Footnote 1: Singular points are special regions in a fingerprint impression where the ridges are of high curvature. These regions may be classified into two categories: core and delta. The number of singular points in a fingerprint template is usually between one and four points.
Figure 2: Illustration of Fingerprint Shell construction. (a) Simple example of Fingerprint Shell/Curve construction. (b) Fingerprint Shell/Curve of a fingerprint impression.
[Panel (a) labels: distances d1, d2, d3 between singular point (red) and minutiae (blue); Fingerprint Shell construction with hypotenuses d0, d1+d0, d2+d0, d3+d0; Fingerprint Curve extraction.]
It should be noted that for the first triangle, we randomly choose an initial distance d0 (see Figure 2 (a) and Algorithm 1); for the other cathetus, the length of the leg is calculated using the Pythagorean theorem. Moreover, d0 is added to each extracted distance before the triangle construction process, so that the algorithm can run even in the scenario where d0 is greater than some extracted distances.

Algorithm 1 Fingerprint Curve construction
Input: Sorted distances d1, d2, ..., dn of a fingerprint impression
Parameters: User's key d0
Output: A fingerprint curve FC
Let DIS = [d0, d1 + d0, d2 + d0, ..., dn + d0] and θ_1 = 0
for i = 1 to n + 1 do
    if i == 1 then
        Leg_i = sqrt(DIS_{i+1}^2 − d0^2)        ▷ Leg distance of the first right angle triangle
        x = [0  DIS_i  DIS_i  0]                ▷ Points abscissae of the first triangle
        y = [0  0  Leg_i  0]                    ▷ Points ordinates of the first triangle
    end if
    if i > 1 then
        Leg_i = sqrt(DIS_{i+1}^2 − DIS_i^2)     ▷ Leg distance of the next right angle triangle
        θ_i = −atan(Leg_{i−1} / DIS_{i−1})
        θ_i = θ_i + θ_{i−1}                     ▷ Angle between d0 and the last constructed leg
        x = [0  DIS_i  DIS_i  0]
        y = [0  0  Leg_i  0]
        for j = 1 to 4 do
            ∆ = [x_j  y_j] × [cos(θ_i)  −sin(θ_i); sin(θ_i)  cos(θ_i)]    ▷ Change of basis
            x_j = ∆_1 and y_j = ∆_2             ▷ Coordinates in the vector space frame of the first triangle
        end for
    end if
    CurveX_i = x_3 and CurveY_i = y_3
end for
FC(1, :) = CurveX                               ▷ Points abscissae of the fingerprint curve
FC(2, :) = CurveY                               ▷ Points ordinates of the fingerprint curve
Each user will have his own d0, which can be considered as the user's key. In practice, performance increases considerably using this strategy due to the reduction of the False Match Rate (see Subsection 4.2).

During authentication, for each test image, we use the same process applied to the training fingerprint images except for the choice of the singular point. For test templates, the closest singular point to the center of the test image is chosen to calculate the distances. However, any other singular point can be used in this process since in the enrollment phase we have considered all extracted singular points.
To match the test and reference curves, we apply the Hausdorff Distance, which is widely used in computer vision and computer graphics. For two sets of points A and B, it can be defined as follows:

$$HD(A,B) = \max\left(h(A,B),\; h(B,A)\right) \tag{1}$$

where $h(A,B) = \max_{a \in A} \min_{b \in B} \| a - b \|$ and $\| \cdot \|$ is a distance metric (e.g., Euclidean distance).
The proposed technique meets the requirements of revocability, diversity and security. In practice, we can protect a compromised template by changing the distance d0 (revocability); the newly constructed curve will not match the compromised one, which provides diversity (see Figure 3).
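The construction of Algorithm 1 and the Hausdorff comparison of Eq. (1), as an added Python example that is not code from the paper. The minutiae, singular point, keys and helper names are constructed for illustration; the example builds one triangle per consecutive pair of entries in DIS and compares raw (unnormalized) Hausdorff distances.

```python
import math


def sorted_distances(minutiae, singular):
    """Ascending distances from each minutia (x, y) to the singular point."""
    sx, sy = singular
    return sorted(math.hypot(x - sx, y - sy) for x, y in minutiae)


def fingerprint_curve(distances, d0):
    """Chain right-angle triangles whose hypotenuses are d_i + d0.

    Returns the third vertex of every triangle in the frame of the first
    triangle. One triangle is built per consecutive pair of DIS entries.
    """
    if d0 <= 0:
        raise ValueError("user key d0 must be positive")
    dis = [d0] + [d + d0 for d in sorted(distances)]
    phi = 0.0  # accumulated rotation; the paper keeps its negative as theta_i
    curve = []
    for base, hyp in zip(dis, dis[1:]):
        leg = math.sqrt(hyp * hyp - base * base)  # Pythagorean theorem
        c, s = math.cos(phi), math.sin(phi)
        # Vertex 3 is (base, leg) in the triangle's own frame; rotate it so
        # the base lies on the hypotenuse of the previous triangle.
        curve.append((base * c - leg * s, base * s + leg * c))
        phi += math.atan2(leg, base)
    return curve


def hausdorff(a, b):
    """Eq. (1) with the Euclidean metric."""
    def h(p, q):
        return max(min(math.dist(u, v) for v in q) for u in p)
    return max(h(a, b), h(b, a))


def rigid_move(points, angle_deg, dx, dy):
    """Rotate about the origin, then translate (a re-placed finger)."""
    t = math.radians(angle_deg)
    c, s = math.cos(t), math.sin(t)
    return [(x * c - y * s + dx, x * s + y * c + dy) for x, y in points]


# Constructed sample data: six minutiae and one singular point (pixels).
MINUTIAE = [(230, 240), (200, 120), (296, 228), (80, 110), (365, 112), (56, 392)]
SINGULAR = (200, 200)


def demo():
    """Return (distance under the same key after a rigid move,
    distance after re-issuing the template with a new key)."""
    ref = fingerprint_curve(sorted_distances(MINUTIAE, SINGULAR), d0=1.25)
    moved_pts = rigid_move(MINUTIAE + [SINGULAR], 20, 40, -15)
    moved = fingerprint_curve(
        sorted_distances(moved_pts[:-1], moved_pts[-1]), d0=1.25)
    rekeyed = fingerprint_curve(sorted_distances(MINUTIAE, SINGULAR), d0=300.0)
    return hausdorff(ref, moved), hausdorff(ref, rekeyed)


if __name__ == "__main__":
    same_key, new_key = demo()
    print(f"same key, rotated/translated impression: {same_key:.3e}")
    print(f"same impression, revoked and re-keyed:   {new_key:.2f}")
```

Every curve point lies at radius d_i + d0 from the origin, so two curves built from the same distances with keys d0 and d0' are at Hausdorff distance of at least |d0 − d0'|.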
For security (i.e., non-reversibility), it is very difficult to recover the minutiae information (which could in turn be used to recover the fingerprint impression (Ross et al., 2005; Cappelli et al., 2007)) from a stolen fingerprint curve. Let us analyze the worst case scenario where the adversary has access to a fingerprint curve and he/she knows the process to recover the distances between the singular point and the extracted minutiae. In practice, the number of possibilities to put each minutia around the singular point using the recovered distances is infinite. However, even if we assume that, for each distance, there are only 360 possibilities, the number of possible combinations is 360^n (n is the number of minutiae). Moreover, there is no way to recover the minutiae orientation, which is necessary to reconstruct the fingerprint impression, from a stolen fingerprint curve.
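Figure 3: Illustration of revocability/diversity; example of two impressions of the same identity using two different d0.
[Figure labels: curves of Impression 1 and Impression 2 built with key1 and with key2; curves built with the same key are marked "Match", curves built with different keys are marked "Do not Match".]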
Based on the complexity of the brute force attack, we can conclude that even in the worst case scenario, the security of our system is sufficient to withstand this kind of attack. The performance, diversity and security of the proposed approach are analyzed further in the next section.
4. Experimental results

In this section, we evaluate the verification accuracy of the Fingerprint Shell approach using the original Fingerprint Verification Competition protocol (Maio et al., 2002) and the FVC2002 DB1 and DB2 fingerprint databases.

4.1. Data sets and experimental procedure

FVC2002 DB1 and DB2 contain 800 fingerprint impressions, of various quality, from 100 distinct fingers (i.e., each person is represented by 8 impressions). The trial version of the commercial software VeriFinger SDK 6.0 (footnote 2) has been used to extract minutiae and singular points.

For each database, the FVC protocol is used to report results of the Fingerprint Shell on FVC2002. In this protocol, the first impression of each finger is compared against the first impression of the remaining fingers to obtain the impostor score distribution (i.e., 4950 attempts in the case of the FVC2002 databases if all first impressions are enrolled successfully). To obtain the genuine score distribution, each impression is compared against the remaining impressions of the same finger (i.e., 2800 attempts in the case of the FVC2002 databases if all impressions are enrolled successfully). It should be noted that the calculated scores must be in the range [0, 1] and the symmetric comparisons are not launched to avoid repetition of scores (i.e., if T1 is matched with T2, T2 against T1 is not calculated).

Footnote 2: http://www.neurotechnology.com
The genuine / impostor score distribution can be graphically illustrated to show how well an algorithm separates impostors from genuine users. We will use two other factors to measure the separability of scores: first, the Kolmogorov-Smirnov test. The closer this test is to 1, the more the scores are separated, which means that diversity is high. Second, the separability measurement proposed by (Lee et al., 2007):

$$\text{Separability} = \frac{\left| \mu_G - \mu_I \right|}{\sqrt{\left(\sigma_G^2 + \sigma_I^2\right)/2}} \tag{2}$$

where $\mu_G$ and $\mu_I$ are the means of the genuine and impostor distributions, and $\sigma_G^2$ and $\sigma_I^2$ are the variances of the genuine and impostor distributions.
Following the FVC protocol, genuine matching scores (gms) and impostor matching scores (ims) are used to calculate the False Match Rate (FMR) and the corrected False Non Match Rate (FNMR). For a threshold t ranging from 0 to 1 (Maio et al., 2002):

$$\mathrm{FMR}(t) = \frac{\mathrm{cardinality}\,\{ims \mid ims \ge t\}}{\text{number of impostor recognition attempts}} \tag{3}$$

$$\mathrm{FNMR}(t) = \frac{\mathrm{cardinality}\,\{gms \mid gms < t\} + REJ}{\text{number of genuine recognition attempts}} \tag{4}$$

where REJ is the number of rejections. If an image cannot be enrolled successfully (e.g., no extracted singular point in the case of our approach), the matching will be 0 for every possible recognition attempt using any rejected template.
Additional performance indicators are used in our evaluation (Cappelli et al., 2006): first, FMR1000, which equals the FNMR value when FMR=0.001%. Second, ZeroFMR, which equals the lowest FNMR value for FMR=0%. These values are used to evaluate the verification accuracy of systems which operate far from the Equal Error Rate (EER) point (i.e., these systems aim at high security and they use a threshold which reduces FMR even if that yields a high FNMR).
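Equations (2) to (4) and the ZeroFMR indicator as an added Python example, not part of the paper. It assumes similarity scores in [0, 1] where a higher score means a better match, population variances in Eq. (2), and constructed score lists; `lowest_fnmr_at` is a hypothetical helper name.

```python
import math


def separability(gms, ims):
    """Eq. (2). Population variance is an assumption; the paper does not say."""
    def mean(v):
        return sum(v) / len(v)

    def var(v):
        m = mean(v)
        return sum((s - m) ** 2 for s in v) / len(v)

    return abs(mean(gms) - mean(ims)) / math.sqrt((var(gms) + var(ims)) / 2)


def fmr(ims, t):
    """Eq. (3): share of impostor attempts whose score reaches threshold t."""
    return sum(1 for s in ims if s >= t) / len(ims)


def fnmr(gms, t, rej=0):
    """Eq. (4): gms holds the scores of the genuine attempts that could be
    run; rej is the number of genuine attempts lost to failed enrollment."""
    return (sum(1 for s in gms if s < t) + rej) / (len(gms) + rej)


def lowest_fnmr_at(gms, ims, max_fmr, rej=0):
    """Lowest FNMR over thresholds in [0, 1] whose FMR is at most max_fmr.

    max_fmr = 0 gives ZeroFMR. Returns None if no threshold qualifies.
    """
    total = len(gms) + rej
    if max_fmr >= 1.0:
        return rej / total  # t = 0 accepts every attempt that could be run
    # FMR only changes when t crosses an impostor score, and FNMR never
    # decreases as t grows, so test a threshold just above each impostor
    # score in ascending order and stop at the first that satisfies max_fmr.
    for c in sorted(set(ims)):
        if c >= 1.0:
            break  # no threshold in [0, 1] lies above this score
        if sum(1 for s in ims if s > c) / len(ims) <= max_fmr:
            return (sum(1 for s in gms if s <= c) + rej) / total
    return None


# Constructed scores: six genuine and six impostor comparisons, plus two
# genuine attempts that were rejected because enrollment failed.
GMS = [0.95, 0.90, 0.85, 0.70, 0.55, 0.40]
IMS = [0.05, 0.10, 0.20, 0.30, 0.45, 0.60]
REJ = 2


def demo():
    return {
        "separability": separability(GMS, IMS),
        "fmr@0.5": fmr(IMS, 0.5),
        "fnmr@0.5": fnmr(GMS, 0.5, REJ),
        "zero_fmr": lowest_fnmr_at(GMS, IMS, 0.0, REJ),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value:.4f}")
```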
Fingerprint curves have been constructed as described in Section 3. However, to use the FVC verification protocol correctly and allow a fair comparison with the state-of-the-art, we only extracted the closest singular point to the image center to calculate distances. It should be noted that three images from DB1 and one image from DB2 do not contain singular points, which means that the number of possible recognition attempts using these rejected images, among the 2800 attempts of genuine scores, is 21 and 7 for DB1 and DB2 respectively. Therefore, in our evaluation, REJ_DB1 = 0.75% and REJ_DB2 = 0.25%.
4.2. Results and discussion

First, we evaluated the importance of using a specific d0 for each user. Separability, Kolmogorov-Smirnov test and genuine-impostor distribution of two systems, using the FVC2002 DB1 database, are reported to show how the use of keys influences discriminability. The first system enrolls people without a user's key (i.e., the same d0 is used for all fingers). In the second system, the user's key is required (the keys are randomly chosen in the range (0, 1.5555]). Figure 4 illustrates the results.

Figure 4(a) shows the genuine-impostor distribution of the first system (i.e., without keys). We can notice some overlap between the two distributions, which explains the medium values of K-S test (0.7812) and Separability (2.4703). These values are greatly increased (6.1636 and 0.9934 for Separability and K-S test respectively) using the user's keys in the second system (Figure 4(b)), which means that discriminability is enhanced as well. Therefore, we can conclude that the use of a specific d0 for each user increases discrimination, which reduces the False Match Rate and increases accuracy.
Figure 4: Histogram of two systems based on Fingerprint Shell using FVC2002 DB1. (a) Without a user's key (Separability = 2.4703, K-S Test = 0.7812). (b) With a user's key (Separability = 6.1636, K-S Test = 0.9934).
[x-axis: Normalized Hausdorff Distance; series: Genuine, Imposter.]
The purpose of our second evaluation is to assess the diversity of the fingerprint shell approach (i.e., resistance against cross-matching). It must be ensured that a fingerprint curve of a finger does not allow cross-matches among fingerprint curves of the same finger in other systems. For each database, we have considered three systems which enroll the same fingers in their databases. Systems 1, 2 and 3 use keys which are randomly chosen in the ranges (0, 1.5555], [100, 500] and [1000, 2000] respectively. For each finger in system 1, the same finger in systems 2 and 3 is used to obtain the pseudo-genuine distribution as follows: each curve from system 1 is compared against all curves of the same finger from system 2 and system 3 respectively (i.e., 6400 attempts for each system if all impressions are enrolled successfully; 6355 attempts for DB1 and 6385 attempts for DB2 in our experiments). The results are illustrated in Figure 5.
Figure 5 shows the genuine-impostor distribution of system 1 and the pseudo-genuine distributions in the same system using fingerprint curves from system 2 and system 3. It can be observed that both pseudo-genuine distributions are well separated from the genuine distribution of system 1. Moreover, they are closest to the impostor distribution, which means that system 1 considers, most of the time, fingerprint curves of systems 2 and 3 as impostors. Thus, we can conclude that both revocability and diversity are achieved by the proposed approach. We can also notice that the pseudo-genuine distribution of system 3 is more separated from the genuine distribution of system 1 than that of system 2, which means that the diversity of two systems based on the fingerprint shell approach increases if the key ranges are well separated.
Table 1 provides a comparison of verification accuracy of the fingerprint shell approach with existing protection approaches which use the same FVC protocol. It should be noted that the fingerprint shell and (Boult et al., 2007), unlike the other algorithms cited in Table 1, are two-factor techniques which combine the information provided by a fingerprint impression with a secret key (for fingerprint shell, the keys are randomly chosen in the range (0, 100]).
We can notice that the proposed approach shows good performance in comparison with the state-of-the-art, which can be explained by the increase of discrimination / performance (which is one of the advantages of two-factor approaches (Maltoni et al., 2009)) due to the use of a specific key for each user and also by the fact that all techniques of Table 1 (except Boult et al. (2007)) are single-factor approaches. In addition, the use of information invariant to translation / rotation of impression (i.e., distances between singular points and minutiae) helps to preserve performance.

Figure 5: Histogram of system 1 and pseudo-genuine distributions using systems 2 and 3. (a) FVC2002 DB1. (b) FVC2002 DB2.
[x-axis: Normalized Hausdorff Distance; series: Genuine (System 1), Pseudo-Genuine (System 2 curves), Pseudo-Genuine (System 3 curves), Imposter (System 1).]
To analyze the performance of Fingerprint Shell in the zero effort attack scenario (with stolen key) where the opponent knows d0 and tries to circumvent the system using his/her own fingerprint features, we modified the FVC evaluation protocol. To obtain the impostor score distribution, the first fingerprint curve of each finger is compared against the first curve of the remaining fingers which is constructed using the same d0 of the reference curve (i.e., 9900 attacks if all first impressions are enrolled successfully). For the genuine score distribution, each impression is compared against the remaining impressions of the same finger (i.e., 2800 attempts if all impressions are enrolled successfully). It should be noted that the keys are randomly chosen here in the range (0, 1000]. The ROC curves of fingerprint shell using the described scenario are illustrated in Figure 6.

Table 1: Verification accuracy based on FVC protocol (percentage values)

                          FVC2002 DB1                  FVC2002 DB2
Method                    EER    FMR1000  ZeroFMR      EER    FMR1000  ZeroFMR
Boult et al. (2007)       2.1    --       --           1.2    --       --
Tulyakov et al. (2007)    3      --       --           --     --       --
Ahn et al. (2008)         7.18   --       --           3.61   --       --
Kumar et al. (2010)       --     --       --           4.98   --       --
Ferrara et al. (2012)     1.88   3.14     5.07         0.99   1.43     2.54
Fingerprint Shell         2.03   4.18     6.36         1.01   1.39     2.21
We can notice that the proposed approach preserves, in general, the performance of the protected systems, which means that fingerprint shell resists zero effort attacks even in the case where the adversary knows the user’s key. However, we can observe from Table 2, which summarizes the EER, FMR1000 and ZeroFMR computed from Figure 6, that the performance is preserved only near the EER points (4.28% and 1.45% for DB1 and DB2 respectively). Fingerprint shell loses accuracy for thresholds far from the EER points (see FMR1000 and ZeroFMR in Table 2), which can be explained by the inability of the classifier used to return a score that exceeds the decision threshold at high-security working points.

[Figure 6: ROC curves in the zero effort attack scenario using FVC2002 DB1 and DB2. Axes: False Match Rate and False Non Match Rate. Curves: Fingerprint Shell (DB1), Fingerprint Shell (DB2). Reference lines: FMR1000, EER line.]
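Table 2: Verification accuracy of Fingerprint Shell in the zero effort attack scenario

| Method | FVC2002 DB1 EER | FVC2002 DB1 FMR1000 | FVC2002 DB1 ZeroFMR | FVC2002 DB2 EER | FVC2002 DB2 FMR1000 | FVC2002 DB2 ZeroFMR |
|---|---|---|---|---|---|---|
| Fingerprint Shell | 4.28 | 27.14 | 94.00 | 1.45 | 36.46 | 99.04 |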
Therefore, we can conclude that, in high security applications based on fingerprint shell, the systems should be operated only near the EER point to minimize the success of zero effort attacks.
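The stolen-key protocol and the three operating points reported in Tables 1 and 2 can be reproduced as follows. This is an added example, not code from the paper: `protocol_pairs` and `operating_points` are hypothetical names, the 100 x 8 database size is an assumption consistent with the 2800 and 9900 counts above, scores are assumed to be similarities (accept when score >= threshold), and FMR1000 and ZeroFMR follow the usual FVC definitions (lowest FNMR with FMR <= 0.1% and with FMR = 0%).

```python
import bisect
import random
from itertools import combinations, permutations

def protocol_pairs(n_fingers=100, n_impressions=8):
    """Comparisons of the modified FVC protocol (database size is an assumption)."""
    # Genuine: each impression against the remaining impressions of the same finger.
    genuine = [(f, a, f, b) for f in range(n_fingers)
               for a, b in combinations(range(n_impressions), 2)]
    # Stolen key: the attacker's first impression is rebuilt with the victim's d0,
    # so (victim, attacker) is an ordered pair and both directions are counted.
    impostor = [(v, 0, a, 0) for v, a in permutations(range(n_fingers), 2)]
    return genuine, impostor

def operating_points(genuine_scores, impostor_scores):
    """Return (EER, FMR1000, ZeroFMR) as fractions for similarity scores."""
    gen, imp = sorted(genuine_scores), sorted(impostor_scores)
    curve = []
    # One candidate threshold per observed score, plus "reject everything".
    for t in sorted(set(gen) | set(imp)) + [float("inf")]:
        fmr = (len(imp) - bisect.bisect_left(imp, t)) / len(imp)  # impostors accepted
        fnmr = bisect.bisect_left(gen, t) / len(gen)              # genuines rejected
        curve.append((fmr, fnmr))
    # EER: the point where both error rates are closest to each other.
    fmr, fnmr = min(curve, key=lambda p: abs(p[0] - p[1]))
    eer = (fmr + fnmr) / 2
    fmr1000 = min(n for f, n in curve if f <= 0.001)  # lowest FNMR with FMR <= 0.1%
    zero_fmr = min(n for f, n in curve if f == 0.0)   # lowest FNMR with FMR = 0%
    return eer, fmr1000, zero_fmr

if __name__ == "__main__":
    genuine, impostor = protocol_pairs()
    print(len(genuine), "genuine attempts,", len(impostor), "stolen-key attacks")
    # Constructed scores (not FVC2002 data), drawn from two overlapping Gaussians.
    rng = random.Random(0)
    gen_scores = [rng.gauss(0.70, 0.10) for _ in genuine]
    imp_scores = [rng.gauss(0.40, 0.10) for _ in impostor]
    eer, fmr1000, zero_fmr = operating_points(gen_scores, imp_scores)
    print(f"EER={eer:.2%}  FMR1000={fmr1000:.2%}  ZeroFMR={zero_fmr:.2%}")
```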
5. Conclusion

In this paper, we proposed a new approach for fingerprint template protection. The information provided by the minutiae is used to construct a new representation based on special spiral curves which are used for the recognition task instead of the traditional minutiae-based representation. Our approach meets revocability, diversity and security, which are required in an ideal method for template protection. In addition, our experimental results indicate that the proposed approach preserves recognition performance. The performance of fingerprint shell is related to two factors: first, the accuracy of minutiae extraction and second, the presence and accuracy of singular points detection. However, unlike several fingerprint template protection schemes, the performance of fingerprint shell is less sensitive to translation / rotation of fingerprint impressions.

In practice, the proposed technique is far from being efficient in all scenarios of impression acquisition: for example, if the majority of minutiae are missed or several spurious minutiae are added or simply the impression is cropped, the constructed curves will change drastically. In our future work, we will address these weak points. In addition, we plan to test the proposed approach using larger databases which are characterized by the presence of important intra-subject variations. Also we plan to improve fingerprint shell using more features provided by fingerprint impressions (e.g., texture measures) to construct the curves, and to test several versions of the Hausdorff distance family and new methodologies of this distance (e.g., Moreno et al. (2013)). Moreover, our future plans include the design of new protection schemes for multimodal systems.
Acknowledgment

This work is supported by the Fulbright Joint Supervision Program of the Moroccan-American Commission for Educational and Cultural Exchange.
References

Ahmad, T., Hu, J., Wang, S., 2011. Pair-polar coordinate-based cancelable fingerprint templates. Pattern Recognition 44, 2555–64.
Ahn, D., Kong, S., Chung, Y.S., Moon, K.Y., 2008. Matching with secure fingerprint templates using non-invertible transform, in: Image and Signal Processing, 2008. CISP ’08. Congress on, pp. 29–33.
Boult, T., Scheirer, W., Woodworth, R., 2007. Revocable fingerprint biotokens: accuracy and security analysis, in: IEEE Conference on Computer Vision and Pattern Recognition, 2007. CVPR ’07, pp. 1–8.
Breebaart, J., Yang, B., Dulman, I.B., Busch, C., 2009. Biometric template protection: The need for open standards. Privacy and Data Security journal 5, 299–304.
Cappelli, R., Ferrara, M., Maltoni, D., 2010. Minutia cylinder-code: A new representation and matching technique for fingerprint recognition. Pattern Analysis and Machine Intelligence, IEEE Transactions on 32, 2128–41.
Cappelli, R., Maio, D., Lumini, A., Maltoni, D., 2007. Fingerprint image reconstruction from standard templates. IEEE Transactions on Pattern Analysis and Machine Intelligence 29, 1489–503.
Cappelli, R., Maio, D., Maltoni, D., Wayman, J., Jain, A., 2006. Performance evaluation of fingerprint verification systems. Pattern Analysis and Machine Intelligence, IEEE Transactions on 28, 3–18.
Farooq, F., Bolle, R., Jea, T.Y., Ratha, N., 2007. Anonymous and revocable fingerprint recognition, in: Computer Vision and Pattern Recognition, 2007. CVPR ’07. IEEE Conference on, pp. 1–7.
Ferrara, M., Maltoni, D., Cappelli, R., 2012. Noninvertible minutia cylinder-code representation. IEEE Transactions on Information Forensics and Security 7, 1727–37.
Goutis, C., Robert, C.P., 1998. Model choice in generalised linear models: A bayesian approach via kullback-leibler projections. Biometrika 85, 29–37.
Jain, A.K., Nandakumar, K., Nagar, A., 2008. Biometric template security. EURASIP Journal on Advances in Signal Processing, 1–17.
Kumar, G., Tulyakov, S., Govindaraju, V., 2010. Combination of symmetric hash functions for secure fingerprint matching, in: Pattern Recognition (ICPR), 2010 20th International Conference on, pp. 890–3.
Lee, C., Choi, J.Y., Toh, K.A., Lee, S., 2007. Alignment-free cancelable fingerprint templates based on local minutiae information. Systems, Man, and Cybernetics, Part B: Cybernetics, IEEE Transactions on 37, 980–92.
Maio, D., Maltoni, D., Cappelli, R., Wayman, J., Jain, A., 2002. Fvc2000: fingerprint verification competition. Pattern Analysis and Machine Intelligence, IEEE Transactions on 24, 402–12.
Maltoni, D., Maio, D., Jain, A.K., Prabhakar, S., 2009. Handbook of Fingerprint Recognition. Springer Publishing Company, Incorporated. 2nd edition.
Moreno, R., Koppal, S., de Muinck, E., 2013. Robust estimation of distance between sets of points. Pattern Recognition Letters 34, 2192–8.
Moujahdi, C., Ghouzali, S., Mikram, M., Rziza, M., Bebis, G., 2012. Spiral cube for biometric template protection, in: Image and Signal Processing. Springer Berlin Heidelberg. volume 7340 of Lecture Notes in Computer Science, pp. 235–44.
Ratha, N., Chikkerur, S., Connell, J., Bolle, R., 2007. Generating cancelable fingerprint templates. Pattern Analysis and Machine Intelligence, IEEE Transactions on 29, 561–72.
Ratha, N., Connell, J., Bolle, R., 2001. An analysis of minutiae matching strength, in: Audio- and Video-Based Biometric Person Authentication. Springer Berlin Heidelberg. volume 2091 of Lecture Notes in Computer Science, pp. 223–8.
Rathgeb, C., Uhl, A., 2011. A survey on biometric cryptosystems and cancelable biometrics. EURASIP Journal on Information Security 2011, 1–25.
Ross, A.A., Shah, J., Jain, A.K., 2005. Toward reconstructing fingerprints from minutiae points. Proc. SPIE 5779, 68–80.
Teoh, A.B.J., Toh, K.A., Yip, W.K., 2007. 2n discretisation of biophasor in cancellable biometrics, in: Proceedings of the 2007 international conference on Advances in Biometrics, Springer-Verlag, Berlin, Heidelberg. pp. 435–44.
Tulyakov, S., Farooq, F., Mansukhani, P., Govindaraju, V., 2007. Symmetric hash functions for secure fingerprint biometric systems. Pattern Recognition Letters 28, 2427–36.
A new approach for fingerprint template protection is proposed.
A new representation is used instead of the traditional minutiae-based representation.
Requirements of revocability, diversity, security and performance are achieved.
The approach is sufficiently robust to the zero effort and brute force attacks.