Attacks via record multiplicity on cancelable biometrics templates

CONCURRENCY AND COMPUTATION: PRACTICE AND EXPERIENCE Concurrency Computat.: Pract. Exper. (2013) Published online in Wiley Online Library (wileyonlinelibrary.com). DOI: 10.1002/cpe.3042

SPECIAL ISSUE PAPER

Cai Li and Jiankun Hu*,†

School of Engineering and Information Technology, University of New South Wales at the Australian Defence Force Academy, Canberra 2600, Australia

ABSTRACT

Various template protection techniques have been developed in the past few years, among which cancelable biometrics is a very popular and efficient one. It uses a noninvertible transformation to map an original template to a transformed domain, so that the original template cannot be recovered from a compromised transformed template. Generally, cross-template attacks on cancelable template schemes are evaluated through statistical independence metrics. In this paper, we investigate approaches to launch attacks through cryptanalysis. Four typical cancelable fingerprint template design algorithms are investigated by applying the attack via record multiplicity (ARM) to retrieve the original template. Concrete attack examples are also given to make the demonstration more intuitive and comprehensive. The results show that all of them are vulnerable if an attacker can obtain multiple transformed templates and their corresponding transformation parameters. Copyright © 2013 John Wiley & Sons, Ltd.

Received 14 January 2013; Revised 10 March 2013; Accepted 6 April 2013

KEY WORDS: biometric security; cancelable biometrics; ARM; vulnerable

*Correspondence to: Jiankun Hu, School of Engineering and Information Technology, University of New South Wales at the Australian Defence Force Academy, Canberra 2600, Australia.
† E-mail: [email protected]

1. INTRODUCTION

With the pervasive deployment of the Internet and mobile technology, more and more practical applications are deployed on top of networked environments, where information security and personal privacy have become a major concern [1–4]. While traditional authentication techniques such as token cards and passwords are very popular and easy to implement, both have several limitations [3,5]. Short passwords are easy to guess, whereas long and random passwords are hard to remember. Physical token cards can be stolen or lost. More importantly, authentication systems cannot distinguish a real user from an adversary who has stolen the tokens or decoded the passwords. The emergence of biometric-based authentication schemes effectively addresses these limitations because biometric features are unique, universal, and permanent. However, the use of biometric features gives rise to the following new security issues [3,6].

1. Biometrics is not secure. Fingerprints can be extracted by using special chemicals, whereas voice and face can be recorded or captured.
2. Unlike passwords, which can be set differently for different applications, a biometric template will normally be used repeatedly because of the scarcity of biometric features possessed by individuals. Therefore, if an attacker compromises a biometric template in one application, it is lost forever and all other applications using the same template are at risk as well. Also, biometric templates can hardly be replaced or re-issued if they are compromised, because of the limited biometric features.
3. Cross matching can be conducted by colluding and sharing among various applications.
4. Biometric features extracted from raw images are physically stored in databases. As illegal access to the databases is becoming prevalent, raw images can be easily recovered by using some specific techniques [7–10].

The security concerns of biometrics have led to the development of biometric template protection techniques. Protection methods based on conventional cryptography have some pitfalls when they are directly applied to biometrics. On one hand, if the authentication process is conducted after decryption, original biometric features will be exposed. On the other hand, intraclass variation [11] (i.e., variation of different samples from the same subject) is often observed in biometrics, and the difference between two samples will be enlarged during an encryption process. This creates a challenging operational environment for conventional cryptographic authentication mechanisms, where exactness is required [2].

In the past decade, new biometric protection solutions have been developed [3,12–17], among which cancelable biometrics is an effective and widely applied one [18–21]. The concept of cancelable biometrics was formally presented by Ratha et al. [22] in 2001. The scheme is carried out by using a noninvertible transformation to transform raw biometric data and then storing the transformed version in databases for authentication. Generally speaking, an effective cancelable biometric scheme must satisfy the following conditions: noninvertibility, revocability, diversity, and matching performance preservation. Apparently, the key point of cancelable biometrics is the design of the noninvertible transformation. Ratha et al. proposed three kinds of transformation methods based on fingerprint minutiae positions in [3]: Cartesian, polar, and surface folding, which are all one-way functions.
However, the matching performance of the first two transformations degrades sharply when minutiae cross section boundaries, whereas the third one is attackable [23] by the attack via record multiplicity (ARM) [24]. To overcome these defects, researchers have recently been developing new efficient one-way transformations and have made certain achievements. Lee et al. [4] utilized a pair of changing functions to move each raw minutia to a new position as well as to change its orientation. The changing functions take as input local minutiae information, which is extracted from a raw image. As the raw image is not stored in databases, it is impossible to obtain the local minutiae information other than by guessing. Further, the amount of movement and orientation variation cannot be calculated even if the transformation, the new position, and the orientation are all compromised. Yang et al. [25] projected a pair of minutiae to a circle along the direction that is perpendicular to the line connecting these two minutiae. The noninvertibility is guaranteed because multiple minutiae pairs can be mapped to the same pair of points. Ahmad et al. [2] proposed a pair-polar coordinate-based cancelable fingerprint template design by applying two noninvertible functions: section transformation and radial distance transformation. Wang et al. [1] presented a densely infinite-to-one mapping approach by using a set of linear transformations, the noninvertibility of which is guaranteed by the rank-deficient transformation matrix. Security and performance of the earlier schemes have been proved by conducting a large number of experiments.

In the design of cancelable templates, cross-template attacks are generally evaluated through statistical independence metrics. However, in this paper, we investigate how to launch attacks through cryptanalysis. As a result, we present and prove that the cancelable template schemes mentioned earlier are all vulnerable to the ARM attack.
The rest of the paper is organized as follows. Section 2 is devoted to describing the designs and the constructions of the four typical cancelable schemes. In Section 3, how to launch the ARM attack on each of these schemes is presented. The conclusion is given in Section 4.

2. FOUR SCHEMES OF CANCELABLE FINGERPRINT

2.1. Alignment-free cancelable fingerprint templates based on local minutiae information

Lee et al. [4] proposed a transformation that can preserve the geometric relationships among different fingerprint templates extracted from the same identity. It does not need to align input fingerprint images (registration) before the transformation. Therefore, it avoids the error arising from the alignment process and reduces the corresponding computational complexity as well. The transformation consists of coordinate movement and orientation variation, which depend on two changing functions $L_{PIN}(m)$ and $Y_{PIN}(m)$, respectively. Here, PIN is the key of a specific user, whereas m is a value that is invariant to rotation and translation. It is calculated from each minutia by using the orientations of the neighboring regions around it and a user-specific random vector. The transformation is performed as follows.

Let $M_i = [x_i, y_i, \theta_i]$ be a vector representation of an original minutia, where $x_i$, $y_i$, and $\theta_i$ are the Cartesian coordinates and the orientation of the minutia, respectively. The transformed minutia $M_i^T = [x_i^T, y_i^T, \theta_i^T]$ is calculated by Eqn (1).

$$
\begin{aligned}
x_i^T &= x_i + \Delta x_i \\
y_i^T &= y_i + \Delta y_i \\
\theta_i^T &= \theta_i + \Delta\theta_i
\end{aligned}
\tag{1}
$$

where

$$
\begin{aligned}
\Delta x_i &= L_{PIN}(m_i)\cos(\theta_i + Y_{PIN}(m_i)) \\
\Delta y_i &= L_{PIN}(m_i)\sin(\theta_i + Y_{PIN}(m_i)) \\
\Delta\theta_i &= Y_{PIN}(m_i)
\end{aligned}
\tag{2}
$$

In their method, $m_i$ is calculated as an inner product of two normalized vectors, and its value range is [−1, 1]. For convenience, $m_i$ is made nonnegative by adding 1. As the invariant value is image-based and input fingerprint images vary every time even when they are taken from the same identity, $m_i$ will vary accordingly, but within a small range or interval T, for example 0.1, which is determined through experiments [4]. To preserve the matching performance, the changing functions have to be relatively smooth in each interval. Lee et al. [4] provided the following two functions:

$$
\begin{aligned}
L_{PIN}(m_i) &= \frac{m_i - (k-1)T}{T}\bigl(L_{PIN}(kT) - L_{PIN}((k-1)T)\bigr) + L_{PIN}((k-1)T) \\
Y_{PIN}(m_i) &= \frac{m_i - (k-1)T}{T}\bigl(Y_{PIN}(kT) - Y_{PIN}((k-1)T)\bigr) + Y_{PIN}((k-1)T), \\
&\qquad (k-1)T < m_i < kT
\end{aligned}
\tag{3}
$$

where

$$
\begin{aligned}
L_{PIN}(kT) &= x_0 + x_T + \dots + x_{(k-1)T} + x_{kT} = \sum_{i=0}^{kT} x_i \\
Y_{PIN}(kT) &= y_0 + y_T + \dots + y_{(k-1)T} + y_{kT} = \sum_{i=0}^{kT} y_i .
\end{aligned}
\tag{4}
$$

Here, $x_0, x_T, \dots, x_{kT}$ and $y_0, y_T, \dots, y_{kT}$ are the corresponding outputs of the two random number generators X and Y, whose seeds are the user's PIN. As the same user has the same PIN and a relatively stable invariant value m, the changing functions and transformed templates will be relatively consistent as well. This ensures that legal users can always pass the authentication. When a transformed template is compromised, it can be canceled and re-issued by changing the user's PIN to generate a new template. Noninvertibility of the transformation is guaranteed because the invariant value m is unknown without raw fingerprint images available.


2.2. Noninvertible transformation based on perpendicularly projection

Yang et al. [25] designed a noninvertible transformation by projecting each pair of minutiae to a circle along the direction that is perpendicular to the line connecting the two minutiae. Then, the information of the transformed minutiae is stored in databases for authentication. The process is illustrated in Figure 1. The central point O of the circle is the singular point of a fingerprint image. To include all the minutiae in the circle, the radius r is required to satisfy

$$ r \ge \max_{i \in \{1, \dots, n\}} \sqrt{(x_i - x_0)^2 + (y_i - y_0)^2}. $$

Here, n is the total number of the minutiae in the fingerprint image, whereas $(x_0, y_0)$ and $(x_i, y_i)$ are the coordinates of the circle center and the coordinates of the ith minutia, respectively. In their method, the actual radius rd of the circle is calculated as rd = r + m(1 + K1), where m is a small constant and K ∈ {−1, 1} is the secret key of a user. The noninvertibility is guaranteed because multiple minutiae pairs can be mapped to the same pair of points on the circle.

2.3. Pair-polar coordinates-based cancelable fingerprint templates

Ahmad et al. [2] designed a variation of the polar transformation in which a coordinate system is divided into multiple sectors, and each sector is mapped to another one by a random vector. Different from Ratha's method, more transformation factors are introduced to further increase the diversity between original templates and transformed ones. To avoid inaccurate registration involving error-prone rotation and shift processes, they utilized the relative relationship of minutiae as the matching criterion.

Suppose a fingerprint image consists of n minutiae. k minutiae are selected such that the distance between any pair of the minutiae is greater than a predefined threshold. The set of these minutiae is denoted as $M = \{m_i\}_{i=1}^{k}$. To guarantee the matching performance, k must be greater than a specific number l. A fingerprint image that fails to generate at least l well-separated minutiae is regarded as an ineligible template or query. The transformed template is generated as follows.

Firstly, a polar coordinate system is constructed by taking one of the minutiae as the center and using its orientation as the 0° axis. As shown in Figure 2, $r_{ij} = \sqrt{x_j^2 + y_j^2}$ is the distance between the central minutia $m_i(0, 0)$ and the jth minutia $m_j(x_j, y_j)$, $a_{ij} = \arctan(y_j / x_j)$ is the angle between the 0° axis and the edge $r_{ij}$ in the counterclockwise direction, and $b_{ij} = \arctan(y'_j / x'_j)$ is the angle between the orientation of the jth minutia and the edge $r_{ij}$ in the counterclockwise direction. The relationships between the center and all other minutiae are represented as a set of vectors $R_i = \{v_{ij}\}_{j=1, j \ne i}^{k}$, in which i is the index of the central minutia and $v_{ij} = (r_{ij}, a_{ij}, b_{ij})$. Because the central point can be any minutia from M, there are k different vector sets in total. The set of them is denoted as $OT = \{R_i\}_{i=1}^{k}$.

Figure 1. Perpendicular projection of minutiae to a circle.

Figure 2. Polar coordinate system and parameters definition.

Secondly, a transformation is applied on each vector set R to generate the transformed template $TT = \{R_i^T\}_{i=1}^{k}$. The transformation consists of two steps: section transformation and radial distance transformation. Similar to [3], the polar coordinate system is divided into several sectors, and each sector is mapped to a different position according to the mapping transformation $Sector_N = \mathrm{abs}(Sector_O + v_w) \bmod (n)$. Here, $Sector_O$ and $Sector_N$ are the vectors of the original sector numbers and the new sector numbers, respectively, $v_w$ is a random vector, and n is the total number of sectors. The process is noninvertible because the sector mapping is many-to-one. To further increase the diversity between original templates and transformed ones and make the recovery more difficult, they introduce a radial distance transformation. The original radial distance between the jth minutia and the center is enlarged or reduced by the transformation $r_{ij}^T = \bigl((r_{ij} \cdot r_w) \bmod (m)\bigr) / r_w$, where $r_w$ is a transformed-radial factor and $r_{ij}^T$ is the new radial distance. The radial distance transformation is also noninvertible because both the modulo operator and floor division are many-to-one. The random vector $v_w$, the transformed-radial factor $r_w$, and the modulo m form a transformation key k, which is stored in databases.

2.4. A densely infinite-to-one mapping approach

Different from the three many-to-one transformations mentioned earlier, Wang et al. [1] proposed a densely infinite-to-one mapping approach based on a linear parametric transformation. Similar to Ahmad's method, a set of minutiae is selected such that the distance between any pair of minutiae is not less than a predefined threshold. The set of selected minutiae is denoted by $M = \{m(x_i, y_i, \theta_i)\}_{i=1}^{k}$, where k is the number of the selected minutiae, and $x_i$, $y_i$, and $\theta_i$ are the x and y coordinates and the orientation of the ith minutia, respectively. A transformed template is generated as follows.

Firstly, by pairing any two minutiae $m_i(x_i, y_i, \theta_i)$ and $m_j(x_j, y_j, \theta_j)$ in the set M, a pair-minutiae vector $V_{ij} = (d_{ij}, a_i, b_j)$ can be constructed, in which $d_{ij}$ is the distance between $m_i(x_i, y_i, \theta_i)$ and $m_j(x_j, y_j, \theta_j)$, $a_i$ is the angle between $\overline{m_i m_j}$ and the orientation of $m_i(x_i, y_i, \theta_i)$ in the counterclockwise direction, and $b_j$ is the angle between $\overline{m_i m_j}$ and the orientation of $m_j(x_j, y_j, \theta_j)$ in the counterclockwise direction. As the number of minutiae in M is k, there are k(k + 1)/2 pair-minutiae vectors. The set of them is denoted as $V = \{V_{ij} : 1 \le i, j \le k, i \ne j\}$. Apparently, the set V includes original fingerprint data. Therefore, Wang et al. applied quantization on each vector $V_{ij}$ to protect the original information. First, each element in $V_{ij}$ is quantized on the basis of a quantization step size, followed by a binary conversion. Then, by concatenating the binary representations of $d_{ij}$, $a_i$, and $b_j$, an n-bit binary representation $V_{ij}^{b}$ is generated, and the set of these is denoted as $V^{(b)} = \{V_{ij}^{b} : 1 \le i, j \le k, i \ne j\}$. As n bits can represent $2^n$ binary values from n zeros to n ones, successive bins indexed from 0 to $2^n - 1$ can be constructed. A bin is assigned the value 1 if there is one and only one $V_{ij}^{b}$ in $V^{(b)}$ whose value equals the binary representation of the bin's index value. Other bins are assigned 0. Finally, the sequence of the bins' values forms a $2^n$-bit binary string $V_{final}$. Because $V_{final}$ is a binary string consisting of only 0 and 1, a transformation directly performed on it would result in equations with limited binary solutions, which would greatly reduce the difficulty of reversing the transformation. Therefore, the discrete Fourier transform is adopted to convert $V_{final}$ to a complex vector H in the frequency domain, whose size is $2^n$.

Secondly, the proposed transformation is performed by premultiplying H by a parametric matrix $A_{p \times q}$, where $q = 2^n$, $p < q$, and rank(A) = r. The transformed template $T_{p \times 1} = A_{p \times q} H_{q \times 1}$, instead of H, is stored in databases for authentication. Noninvertibility is guaranteed because there are infinite solutions to T = AX when rank(A) = rank([A ⋮ T]) < q, according to the properties of linear equations in algebra.

3. ATTACK VIA RECORD MULTIPLICITY ON THE FOUR CANCELABLE FINGERPRINT SCHEMES

Attack via record multiplicity was first proposed by Scheirer et al. [24] in 2007 as one of the general attacks against privacy-enhancing technologies. In cancelable biometrics design, a raw biometric template can be used repeatedly to generate distinct transformed templates by applying different transformation parameters. ARM refers to an attacker retrieving the original raw template by correlating multiple different transformed templates. ARM assumes that the information stored in databases, including the transformation method, parameters, and transformed templates, is available. This assumption is reasonable, as a mobile template device can be lost or stolen, and the content stored in the device can be retrieved by a hardware power attack. Next, we design concrete attack methods against the earlier four cancelable fingerprint schemes.

3.1. Attack via record multiplicity on alignment-free cancelable fingerprint templates based on local minutiae information

In this scheme [4], the invariant value m is extracted from an input image and has a range W. Because the input image is not stored in databases, it is infeasible for an attacker to obtain m and further calculate the actual coordinate movement Δx, Δy and orientation variation Δθ. Even if the transformed template is revealed, the attacker still cannot retrieve the original template. It seems that a brute force attack is the only way to obtain the value of m if it is uniformly distributed. It is commonly known that intraclass variation exists in biometrics. Strictly speaking, m is not invariant but varies in a small range T, for example 0.1, which is determined through experiments [4]. Therefore, the proposed scheme divided the whole range W into several equal intervals of size T.
The designed changing functions slope slightly in each interval to ensure that minutiae whose invariant values fall within the same interval are transformed into minutiae that will be considered a match in the transformed domain. The security analysis under the brute force attack by randomly guessing the invariant value was also given in [4]. It is observed that the probability of a randomly generated invariant value matching the real invariant value is T/W. Because the proposed scheme needs at least five matched minutiae in the authentication system, the probability of success for a brute force attack will be very small. Next, we show that it is much easier to break the system and retrieve the original template by the ARM attack.

Suppose we obtain several transformed minutiae $M_i^{T_1}, M_i^{T_2}, \dots, M_i^{T_j}$, the changing functions L and Y, the interval size T, and all users' PINs, where $M_i^{T_1}, M_i^{T_2}, \dots, M_i^{T_j}$ are transformed minutiae from an original minutia by applying different users' PINs as transformation parameters. Then, we have

$$
\begin{aligned}
x_i^{T_1} &= x_i + L_{PIN_1}(m_i)\cos(\theta_i + Y_{PIN_1}(m_i)) \\
x_i^{T_2} &= x_i + L_{PIN_2}(m_i)\cos(\theta_i + Y_{PIN_2}(m_i)) \\
&\;\;\vdots \\
x_i^{T_j} &= x_i + L_{PIN_j}(m_i)\cos(\theta_i + Y_{PIN_j}(m_i)) \\[4pt]
y_i^{T_1} &= y_i + L_{PIN_1}(m_i)\sin(\theta_i + Y_{PIN_1}(m_i)) \\
y_i^{T_2} &= y_i + L_{PIN_2}(m_i)\sin(\theta_i + Y_{PIN_2}(m_i)) \\
&\;\;\vdots \\
y_i^{T_j} &= y_i + L_{PIN_j}(m_i)\sin(\theta_i + Y_{PIN_j}(m_i)) \\[4pt]
\theta_i^{T_1} &= \theta_i + Y_{PIN_1}(m_i) \\
\theta_i^{T_2} &= \theta_i + Y_{PIN_2}(m_i) \\
&\;\;\vdots \\
\theta_i^{T_j} &= \theta_i + Y_{PIN_j}(m_i)
\end{aligned}
\tag{5}
$$

Expanding the orientation transformations in Eqn (5), we obtain

$$
\begin{aligned}
\theta_i^{T_1} &= \theta_i + \frac{m_i - (k-1)T}{T}\bigl(Y_{PIN_1}(kT) - Y_{PIN_1}((k-1)T)\bigr) + Y_{PIN_1}((k-1)T) \\
\theta_i^{T_2} &= \theta_i + \frac{m_i - (k-1)T}{T}\bigl(Y_{PIN_2}(kT) - Y_{PIN_2}((k-1)T)\bigr) + Y_{PIN_2}((k-1)T) \\
&\;\;\vdots \\
\theta_i^{T_j} &= \theta_i + \frac{m_i - (k-1)T}{T}\bigl(Y_{PIN_j}(kT) - Y_{PIN_j}((k-1)T)\bigr) + Y_{PIN_j}((k-1)T).
\end{aligned}
\tag{6}
$$

Using subtraction elimination, the equations above are further transformed to

$$
\begin{aligned}
\theta_i^{T_2} - \theta_i^{T_1} &= \frac{m_i - (k-1)T}{T}\bigl(Y_{PIN_2}(kT) - Y_{PIN_1}(kT)\bigr) + \frac{kT - m_i}{T}\bigl(Y_{PIN_2}((k-1)T) - Y_{PIN_1}((k-1)T)\bigr) \\
\theta_i^{T_3} - \theta_i^{T_2} &= \frac{m_i - (k-1)T}{T}\bigl(Y_{PIN_3}(kT) - Y_{PIN_2}(kT)\bigr) + \frac{kT - m_i}{T}\bigl(Y_{PIN_3}((k-1)T) - Y_{PIN_2}((k-1)T)\bigr) \\
&\;\;\vdots \\
\theta_i^{T_j} - \theta_i^{T_{j-1}} &= \frac{m_i - (k-1)T}{T}\bigl(Y_{PIN_j}(kT) - Y_{PIN_{j-1}}(kT)\bigr) + \frac{kT - m_i}{T}\bigl(Y_{PIN_j}((k-1)T) - Y_{PIN_{j-1}}((k-1)T)\bigr)
\end{aligned}
\tag{7}
$$

Now, we demonstrate how to retrieve the invariant value $m_i$. Obviously, the equations in Eqn (7) are nonlinear because of the existence of a random number. This means that Gaussian elimination does not work here. However, as the other parameters are all known and the range of k is very small (integral values between [1, 10] in the proposed design), we can apply a brute force method to traverse all possible values of k and figure out the corresponding values of $m_i$. Note that for a fixed value of k, a value of $m_i$ can be figured out from each equation, so we may obtain at most j − 1 different values of $m_i$. When all the j − 1 equations have the same solution for $m_i$ and the solution, denoted as p, satisfies (k − 1)T < p < kT, p is considered a candidate value of $m_i$. After this process, a much narrowed-down list of candidate values is established. If an attacker can obtain enough transformed templates, the list will be very short, which can eventually lead to only a few or even one qualified value. Once $m_i$ is obtained, the transformation can be inverted, putting the original template at risk.

3.2. Attack via record multiplicity on noninvertible transformation based on perpendicularly projection

In this scheme, each pair of minutiae is projected to a circle along the direction that is perpendicular to the line connecting the two minutiae. The center of the circle is the singular point of a fingerprint image, whereas the radius of the circle is determined by a user-specific key. The transformation is noninvertible because multiple pairs of minutiae can be mapped to the same pair of points on the circle. However, by correlating multiple transformed templates, we can recover the original template. For simplicity, we demonstrate our attack method with two revealed transformed templates.

Suppose we have two sets of transformed minutiae, $M^{T_1} = \{M_{11}^{T_1}, M_{12}^{T_1}, M_{21}^{T_1}, M_{22}^{T_1}, M_{31}^{T_1}, M_{32}^{T_1}, M_{41}^{T_1}, M_{42}^{T_1}, M_{51}^{T_1}, M_{52}^{T_1}\}$ by transformation T1 with radius parameter r1 and $M^{T_2} = \{M_{11}^{T_2}, M_{12}^{T_2}, M_{21}^{T_2}, M_{22}^{T_2}, M_{31}^{T_2}, M_{32}^{T_2}, M_{41}^{T_2}, M_{42}^{T_2}, M_{51}^{T_2}, M_{52}^{T_2}\}$ by transformation T2 with radius parameter r2. Because they are transformed from the same set of raw minutiae M = {M1, M2, M3, M4, M5}, we can generate two circles with the same center. For each minutia on circle 2, we choose a corresponding minutia on circle 1 using the method described in the next paragraph and draw a line passing through these two minutiae. Eventually, a group of lines is produced, and the crossover points are the candidate original minutiae. The whole process is shown in Figure 3.

Visually, there are numerous minutiae on each circle, and it is not easy to find the pairs of corresponding minutiae coming from different transformed templates that are generated from the same original minutiae. It is observed that the radius of any circle constructed is greater than the distance between any original minutia and the center. As a result, a minutia $M_i^{T_2}$ on circle 2 and its corresponding minutia $M_i^{T_1}$ on circle 1 must be on the same side relative to their original minutia. In this case, we draw the two tangents of circle 1 through the minutia $M_i^{T_2}$. Any minutia falling on the curve segment between the tangent points of circle 1 is selected as a potential corresponding minutia. Therefore, a number of non-corresponding minutia pairs are eliminated through this process, which reduces the search space significantly. However, as multiple potential corresponding minutiae may exist for a chosen minutia, a few groups of lines linking possible pairs of corresponding minutiae will be generated. We denote the set of these groups as PG = {G1, G2, ..., GK}. To choose the correct group of lines that intersect at the original minutiae, a filter is designed to filter out unqualified ones.

Figure 3. Original minutiae recovery process through two transformed templates.

Under the transformation, $(M_i^{T_1}, M_i^{T_2})$ and $(M_j^{T_1}, M_j^{T_2})$ compose a pair of parallel lines that are perpendicular to the line connecting minutiae $M_i$ and $M_j$. So the group of lines generated must consist of m pairs of parallel lines, where m is the number of the original minutiae (m = 5 in our case). Any group of lines not satisfying this condition is marked 'unqualified'. Finally, to further verify whether a group of lines intersects at the original minutiae or not, we apply the same transformations T1 and T2 on the crossover points, denoted as CP. If the two sets of transformed points $CP^{T_1}$ and $CP^{T_2}$ are equal to $M^{T_1}$ and $M^{T_2}$, respectively, then we consider these crossover points to be the original minutiae. The filter is illustrated in Figure 4.

3.3. Attack via record multiplicity on pair-polar coordinates-based cancelable fingerprint templates

The pair-polar coordinates-based cancelable fingerprint templates are implemented by a many-to-one sector mapping. Therefore, it is infeasible to find the features in the original sector. Moreover, the original radial distances between the central point and other minutiae are irreversibly transformed on the basis of a radial factor $r_w$ and a modulo m. The noninvertible transformation is shown in Figure 5.

However, if an attacker can obtain multiple transformed templates and all the transformation parameters, it is still possible to recover the original template. Next, we use three transformed templates and their corresponding parameters to demonstrate the recovery process of the original template. The recovery consists of two steps, sector reverse and distance reverse. Suppose we have another two revealed transformed templates, shown in Figure 6.

First, let us consider the sector reversion. The mappings between old sectors and new sectors depend on the random vectors of the transformations, which are assumed to be [2,1,1,5,4,7,6,5], [3,2,7,6,6,5,6,1], and [3,1,9,7,5,4,2,1], respectively. Then, the new sectors are determined by

$$
\begin{aligned}
Sector_N^{T_1} &= \mathrm{abs}([1,2,3,4,5,6,7,8] + [2,1,1,5,4,7,6,5]) \bmod (8) = [3,3,4,1,1,5,5,5] \\
Sector_N^{T_2} &= \mathrm{abs}([1,2,3,4,5,6,7,8] + [3,2,7,6,6,5,6,1]) \bmod (8) = [4,4,2,2,3,3,5,1] \\
Sector_N^{T_3} &= \mathrm{abs}([1,2,3,4,5,6,7,8] + [3,1,9,7,5,4,2,1]) \bmod (8) = [4,3,4,3,2,2,1,1].
\end{aligned}
\tag{8}
$$

Figure 4. Double layer filter.

Figure 5. Noninvertible transformation in polar coordinate system. (a) Original template and (b) transformed template under transformation T1.

Figure 6. Two additional transformed templates. (a) Transformed template under transformation T2 and (b) transformed template under transformation T3.

The sector reversion is infeasible if we use any one of these transformed templates alone, as the sector mapping is many-to-one. Nevertheless, we can reverse the sectors uniquely by combining all the mapping relationships. For instance, under transformation T1, minutiae in both sectors 1 and 2 are transformed to new sector 3, whereas minutiae in sectors 1 and 2 are moved to new sectors 4 and 3, respectively, by transformation T3. It is well known that the angles θ between a sector boundary and $\overline{m_0 m_i}$ are preserved after the transformations, where $\overline{m_0 m_i}$ is the line connecting the central point $m_0$ and a minutia $m_i$ in the sector [2]. Consequently, minutiae coming from old sector 1 can be determined by comparing the angles θ of minutiae in sector 3 under T1 with those in sector 4 under T3. Minutiae in other sectors can be retrieved in the same manner.

Secondly, we combine the distance-related parameters and the new radial distances to recover the original radial distance between the central point and each minutia. The three distance transformations are listed as follows.

$$
\begin{aligned}
r_{ij}^{T_1} &= \bigl((r_{ij} \cdot r_w^{T_1}) \bmod m^{T_1}\bigr) / r_w^{T_1} \\
r_{ij}^{T_2} &= \bigl((r_{ij} \cdot r_w^{T_2}) \bmod m^{T_2}\bigr) / r_w^{T_2} \\
r_{ij}^{T_3} &= \bigl((r_{ij} \cdot r_w^{T_3}) \bmod m^{T_3}\bigr) / r_w^{T_3},
\end{aligned}
\tag{9}
$$

where $r_{ij}^{T_1}, r_{ij}^{T_2}, r_{ij}^{T_3}, r_w^{T_1}, r_w^{T_2}, r_w^{T_3}, m^{T_1}, m^{T_2}, m^{T_3}$ are all known. From Eqn (9), we can calculate three sets of candidate original radial distances,

$$
\begin{aligned}
OD^{T_1} &= \{\, r_{ij}^{T_1} + m^{T_1} i / r_w^{T_1},\; i \in N \,\} \\
OD^{T_2} &= \{\, r_{ij}^{T_2} + m^{T_2} i / r_w^{T_2},\; i \in N \,\} \\
OD^{T_3} &= \{\, r_{ij}^{T_3} + m^{T_3} i / r_w^{T_3},\; i \in N \,\}
\end{aligned}
\tag{10}
$$

Actually, as $i = r_{ij} \cdot rw/m$ and the range of the original radial distance $r_{ij}$ is limited by the size of a fingerprint image, the actual values of i are finite integer values from $[rw/u,\ r_{max} \cdot rw/m]$ instead of an infinite integer set. $r_{max}$ here is the maximum distance between different minutiae in a fingerprint image. Intersecting $OD^{T_1}$, $OD^{T_2}$, and $OD^{T_3}$, we can obtain the original radial distance. For instance, if rw and m are assigned 50 and 6000, respectively, and we have $r_{max} = 572$ that is equivalent to the length of the diagonal line of a typical 512 × 256 pixel fingerprint image, then the actual values of i are integer values within [0,4]. It indicates that the size of OD is only 5, which will greatly reduce the effort for an exhaustive search attack. Finally, with original sector number, direction, and length of $\overline{m_0 m_i}$, the position of each minutia relative to the central point can be uniquely determined. Then, the original template will be recovered.

3.4. Attack via record multiplicity on densely infinite-to-one mapping approach

Unlike the previous many-to-one transformations, Wang et al. [1] applied an infinite-to-one linear transformation on preprocessed templates. Intuitively, this kind of transformation is much more secure because of the infinite number of possible mappings. However, the actual recovery of the original template can be quite easy and fast if we can obtain enough transformed templates. Suppose a few transformed templates $T_1, T_2, \ldots, T_k$ and their corresponding transformation matrixes $A_1, A_2, \ldots, A_k$ are revealed, then we can construct a series of linear equations in the following format.

$$A_1 X = T_1,\quad A_2 X = T_2,\quad \ldots,\quad A_k X = T_k, \qquad (11)$$

where X is the matrix representation of the original raw template. Apparently, we cannot calculate X with any pair of A and T alone. This is because when we have $\mathrm{rank}(A_i) = \mathrm{rank}([A_i \,\vdots\, T_i]) = r < q$, $i = 1, 2, \ldots, k$, there will be infinite solutions for X. However, when q linearly independent equations can be extracted from the combined equations in Eqn (11), X can be uniquely determined. To prove our analysis and also to make it more intuitive, a simple example is given. Let

$$X = [\,x_1\ x_2\ x_3\ x_4\,]^T = [\,1\ 2\ 3\ 4\,]^T,\quad
A_1 = \begin{bmatrix} 1 & 2 & 3 & 4 \\ 2 & 1 & 1 & 3 \\ 3 & 2 & 1 & 1 \end{bmatrix},\quad
T_1 = [\,30\ 19\ 14\,]^T,$$

$$A_2 = \begin{bmatrix} 3 & 3 & 4 & 5 \\ 2 & 2 & 1 & 2 \\ 1 & 3 & 2 & 4 \end{bmatrix},\quad \text{and}\quad
T_2 = [\,41\ 17\ 29\,]^T.$$

Combining generated linear equations, we will obtain


$$\begin{aligned}
x_1 + 2x_2 + 3x_3 + 4x_4 &= 30\\
2x_1 + x_2 + x_3 + 3x_4 &= 19\\
3x_1 + 2x_2 + x_3 + x_4 &= 14\\
3x_1 + 3x_2 + 4x_3 + 5x_4 &= 41\\
2x_1 + 2x_2 + x_3 + 2x_4 &= 17\\
x_1 + 3x_2 + 2x_3 + 5x_4 &= 33
\end{aligned} \qquad (12)$$

Picking out the first four equations in Eqn (12), we can calculate the unique value of vector X, which is equal to $[\,1\ 2\ 3\ 4\,]^T$. Matrixes of large dimension can be computed in the same way. Hence, Wang et al.’s approach [4] is also vulnerable to ARM.
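The rank argument of this section can be checked mechanically: stack the leaked pairs one at a time and watch the rank of the combined system approach q. This is an added example, not code from the paper; it uses the A1, T1, A2, T2 values stated in the worked example, and the function names are assumptions of this sketch.

```python
from fractions import Fraction

def rref(rows):
    """Reduced row echelon form of an augmented matrix [A | T], exact rationals.
    Returns (matrix, pivot_columns); the last column is the right-hand side."""
    m = [[Fraction(v) for v in row] for row in rows]
    pivots, r = [], 0
    for c in range(len(m[0]) - 1):
        p = next((i for i in range(r, len(m)) if m[i][c] != 0), None)
        if p is None:
            continue                      # no pivot: this unknown stays free
        m[r], m[p] = m[p], m[r]
        piv = m[r][c]
        m[r] = [v / piv for v in m[r]]
        for i in range(len(m)):
            if i != r and m[i][c] != 0:
                f = m[i][c]
                m[i] = [a - f * b for a, b in zip(m[i], m[r])]
        pivots.append(c)
        r += 1
    return m, pivots

def exposure(records, q):
    """Stack leaked (A_i, T_i) pairs one at a time.
    Returns (ranks, x): rank of the stacked system after each record, and the
    template X once the rank reaches q (None while X is still undetermined)."""
    stacked, ranks, x = [], [], None
    for a, t in records:
        stacked += [list(row) + [rhs] for row, rhs in zip(a, t)]
        m, pivots = rref(stacked)
        if any(not any(row[:-1]) and row[-1] != 0 for row in m):
            raise ValueError("inconsistent records: not from one template")
        ranks.append(len(pivots))
        if x is None and len(pivots) == q:
            x = [m[i][-1] for i in range(q)]
    return ranks, x

# Values of the worked example in the text (q = 4 unknowns).
A1 = [[1, 2, 3, 4], [2, 1, 1, 3], [3, 2, 1, 1]]
T1 = [30, 19, 14]
A2 = [[3, 3, 4, 5], [2, 2, 1, 2], [1, 3, 2, 4]]
T2 = [41, 17, 29]

if __name__ == "__main__":
    ranks, x = exposure([(A1, T1), (A2, T2)], q=4)
    print("rank after each record:", ranks)
    print("recovered X:", [int(v) for v in x])
```

With one record the rank is 3 and X stays undetermined; the second record brings the rank to q = 4, which is the point at which the transformation parameters stop protecting the template.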

4. CONCLUSION

Cancelable biometrics has been proved to be an effective biometric template protection technique. The critical component of cancelable biometrics is the noninvertible transformation. Conventionally, the assessment metric against the cross-template attack is concerned with the statistical independence of multiple transformed templates that are generated by random transformation parameters. In this paper, we launched attacks on four typical cancelable fingerprint template schemes from the perspective of cryptanalysis. It is revealed that the existing statistical independence metric is insufficient in assessing the security of cancelable biometrics templates, as the ARM attack can break such systems if an attacker can obtain multiple transformed templates. To address this issue, new security performance metrics and design principles are needed for designing stronger cancelable biometrics templates.

REFERENCES

1. Wang S, Hu JK. Alignment-free cancelable fingerprint template design: a densely infinite-to-one mapping (DITOM) approach. Pattern Recognition 2012; 45(12): 4129–4137.
2. Ahmad T, Hu JK, Wang S. Pair-polar coordinate based cancelable fingerprint templates. Pattern Recognition 2011; 40(10–11): 2555–2564.
3. Ratha NK, Chikkerur S, Connell JH, Bolle RM. Generating cancelable fingerprint templates. IEEE Transactions on Pattern Analysis and Machine Intelligence 2007; 29(4): 561–572.
4. Lee C, Choi JY, Toh KA, Lee S, Kim J. Alignment-free cancelable fingerprint templates based on local minutiae information. IEEE Transactions on Systems, Man, and Cybernetics - Part B: Cybernetics 2007; 37(4): 980–992.
5. Huang XY, Xiang Y, Chonka A, Zhou JY, Deng RH. A generic framework for three-factor authentication: preserving security and privacy in distributed systems. IEEE Transaction on Parallel and Distributed Systems 2011; 22(8): 1390–1397.
6. Matsumoto T, Matsumoto H, Yamada K, Hoshino S. Impact of artificial gummy fingers on fingerprint systems. Proceeding of SPIE, Optical Security and Counterfeit Deterrence Techniques IV 2002; 275–289.
7. Ross A, Shah J, Jain AK. From template to image: reconstructing fingerprints from minutiae points. IEEE Transactions on Pattern Analysis and Machine Intelligence 2007; 29(4): 544–560.
8. Feng JJ, Jain AK. Fingerprint reconstruction: from minutiae to phase. IEEE Transactions on Pattern Analysis and Machine Intelligence 2011; 33(2): 209–223.
9. Cappelli R, Lumini A, Maio D, Maltoni D. Fingerprint image reconstruction from standard templates. IEEE Transactions on Pattern Analysis and Machine Intelligence 2007; 29(9): 1489–1503.
10. Wang Y, Hu JK. Global ridge orientation modeling for partial fingerprint identification. IEEE Transactions on Pattern Analysis and Machine Intelligence 2011; 33(1): 72–87.
11. Ross A, Jain AK. Multimodal biometrics: an overview. Proceeding of 12th European Signal Processing Conference, 2004; 1221–1224.
12. Juels A, Wattenberg M. A fuzzy commitment scheme. Proceedings of sixth ACM conference on computer and communications security, ACM Press, 1999; 28–36.
13. Juels A, Sudan M. A fuzzy vault scheme. Designs, Codes and Cryptography 2006; 38(2): 237–257.
14. Dodis Y, Ostrovsky R, Reyzin L, Smith A. Fuzzy extractor: how to generate strong keys from biometrics and other noisy data. SIAM Journal on Scientific Computing 2008; 38(1): 97–139.


15. Li C. Double layer secure sketch. Proceedings of AIP Conference, International Conference of Numerical Analysis and Applied Mathematics, 2012; 1500–1505.
16. Xi K, Hu JK. Biometric mobile template protection: a composite feature based fingerprint fuzzy vault. Proceedings of the International Conference of Communication, 2009; 1–5.
17. Hu JK. Mobile fingerprint template protection: progress and open issues. Proceedings of 3rd IEEE Conference on Industrial Electronics and Applications, 2008; 2133–2138.
18. Lee C, Kim J. Cancelable fingerprint templates using minutiae-based bit-strings. Journal of Network and Computer Applications 2010; 33(3): 236–246.
19. Chikkerur S, Ratha NK, Connell JH, Bolle RM. Generating registration-free cancelable fingerprint templates. Proceedings of 2nd IEEE International Conference on Biometrics: Theory, Applications and Systems, 2008; 1–6.
20. Maiorana E, Campisi P, Fierrez J, Ortega-Garcia J, Neri A. Cancelable templates for sequence-based biometrics with application to on-line signature recognition. IEEE Transactions on Systems, Man, and Cybernetics - Part A: Systems and Humans 2010; 40(3): 525–538.
21. Ouda O, Tsumura N, Nakaguchi T. Tokenless cancelable biometrics scheme for protecting iris codes. Proceedings of International Conference on Pattern Recognition, 2010; 882–885.
22. Ratha NK, Connell JH, Bolle RM. Enhancing security and privacy in biometrics-based authentication system. IBM Systems Journal 2001; 40(3): 614–634.
23. Feng Q, Su F, Cai A, Zhao FF. Cracking cancelable fingerprint template of Ratha. Proceedings of International Symposium. Computer Science and Computational. Technology, 2008; 572–575.
24. Scheirer WJ, Boult TE. Cracking fuzzy vaults and biometric encryption. Proceedings of Biometrics Symposium, 2007; 1–6.
25. Yang HJ, Jiang XD, Kot AC. Generating secure cancelable fingerprint templates using local and global features. Proceedings of 2nd IEEE International Conference on Computer Science and Information Technology, 2009; 645–649.
