NIST Activities at the Intersection of Biometrics Standardization and Testing
NIST Support for Match-on-Card
Patrick Grother
CTST 2009
May 5, 2009
The Minutiae Matching Problem
Standardized Templates
» INCITS 378:2004
  » Fingerprint minutiae
  » A set of (x, y, theta, type, quality) points
  » Each point in six bytes
  » Median 38 points per finger
» ISO/IEC 19794-2 compact card
  » (x, y, theta, type)
  » Each point in 3 bytes
    • Lower spatial and angular resolution
  » Placement differences
[Figure labels: Ridge bifurcation; Ridge ending; theta; (x, y)]
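The size difference between the two templates comes from how each minutia is packed. The following is an added example, not part of the original slides: it decodes a 6-byte INCITS 378 minutia and re-encodes it as a 3-byte compact card minutia, which makes the lower spatial and angular resolution visible. It assumes the commonly documented field layouts (14-bit pixel coordinates, angle in 2 degree units and a quality byte for INCITS 378; one-byte coordinates in 0.1 mm units and a 6-bit angle in 360/64 degree steps for the compact card format), a constructed resolution of 197 pixels/cm and a constructed sample record; check the field widths against the standards' text before relying on them.

```python
import struct

PIXELS_PER_CM = 197  # assumed sensor resolution (about 500 dpi); constructed value

def unpack_incits378(rec: bytes) -> dict:
    """Decode one 6-byte minutia: type(2)|x(14), reserved(2)|y(14), angle, quality."""
    tx, ry, angle, quality = struct.unpack(">HHBB", rec)
    return {"type": tx >> 14, "x_px": tx & 0x3FFF, "y_px": ry & 0x3FFF,
            "theta_deg": angle * 2.0, "quality": quality}

def pack_compact(m: dict, pixels_per_cm: int = PIXELS_PER_CM) -> bytes:
    """Encode as 3 bytes: x, y in units of 0.1 mm, then type(2)|angle(6)."""
    x = round(m["x_px"] * 100 / pixels_per_cm)      # pixels -> 0.1 mm units
    y = round(m["y_px"] * 100 / pixels_per_cm)
    if not (0 <= x <= 255 and 0 <= y <= 255):
        raise ValueError("minutia lies outside the 25.5 mm range of one byte")
    angle = round(m["theta_deg"] * 64 / 360) % 64   # 5.625 degree steps, wraps at 360
    return bytes([x, y, (m["type"] << 6) | angle])  # quality is dropped

def unpack_compact(rec: bytes) -> dict:
    """Decode a 3-byte compact card minutia back to physical units."""
    x, y, ta = rec
    return {"type": ta >> 6, "x_mm": x / 10, "y_mm": y / 10,
            "theta_deg": (ta & 0x3F) * 360 / 64}

# Constructed sample: ridge ending (type 1) at pixel (250, 333), 122 degrees, quality 80.
SAMPLE = struct.pack(">HHBB", (1 << 14) | 250, 333, 61, 80)

if __name__ == "__main__":
    full = unpack_incits378(SAMPLE)
    small = pack_compact(full)
    back = unpack_compact(small)
    print(len(SAMPLE), "bytes ->", len(small), "bytes:", small.hex())
    print("angle", full["theta_deg"], "->", back["theta_deg"])
    print("x", round(full["x_px"] * 10 / PIXELS_PER_CM, 2), "mm ->", back["x_mm"], "mm")
```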
Template Matching
Minutiae from enrollment image
Minutiae from verification image
Biometric Interoperability

Cross-vendor Interoperability
» Enrolment sample (e.g. visa or passport issuance), produced by Product A: STANDARD DATA
» Verification sample (e.g. at border crossing), produced by Product B: STANDARD DATA
» Matching by Product C
» Decision to admit based on verification decision

Cross-vendor interoperability
» Enrolment Template, produced by CrossMatch
» Authentication Template, produced by Cogent
» Sagem Matcher
Measurements of interoperability
» Most biometric testing is done by developers
  » Traditional single-vendor, proprietary technology testing
» Interoperability testing
  » Uniquely done by independent test labs
Biometric Interoperability is “Different”
• The Internet: Routers from different companies are interoperable because
  – A standard, IPv4, regulates the packet format
  – Competitive marketplace
• But also the receiving router doesn’t care about content
  – Modulo policies on network non-neutrality
• Biometrics: For example, fingerprint minutiae encoders and matchers from different companies follow
  – A standard, INCITS 378:2004, regulating the format
• The receiving matcher is sensitive to the content
  – Algorithmic dependency has accuracy implications
Interoperability of Minutia Templates
False Non-Match Rate at False Match Rate of 0.01
Rows: Supplier of Enrollment Template. Columns: Supplier of Verification Template + Template Matcher.

              NEC
  NEC         0.0129

Red values refer to NATIVE performance: One vendor generates and matches all templates.
Figures from MINEX 04: http://fingerprint.nist.gov/minex04
Interoperability of Minutia Templates
False Non-Match Rate at False Match Rate of 0.01
Rows: Supplier of Enrollment Template. Columns: Supplier of Verification Template + Template Matcher.

              NEC       Sagem
  NEC         0.0129    0.0205
  Sagem       0.0316    0.0140

Red values refer to NATIVE performance: One vendor generates and matches all templates.
Interoperability of Minutia Templates
False Non-Match Rate at False Match Rate of 0.01
Rows: Supplier of Enrollment Template. Columns: Supplier of Verification Template + Template Matcher.

              NEC       Sagem     Cogent
  NEC         0.0129    0.0205    0.0300
  Sagem       0.0316    0.0140    0.0207
  Cogent      0.0417    0.0225    0.0136

Red values refer to NATIVE performance: One vendor generates both templates and matches them.
MINEX - Definitions
» MINEX
  » A NIST-industry collaboration to support the INCITS 378 and ISO/IEC 19794-2 standards through evaluation-driven research, development and standardization
  » A family of tests aimed at supporting standardized fingerprint minutia templates as the de facto leading biometric element for identity management
  » Ongoing assessment of the core algorithmic accuracy and interoperability of minutia matching algorithms
  » Calibration services
[Figure labels: Interested parties; MINEX]
About NIST Testing
[Diagram: NIST Tests and Related Image Group. Labels: FRVT (face); ICE (iris); 1:N Fingerprint; MBGC; US Gov. Systems; Quality; PFT; Slap; End Stage; Segmentation; ELFT I (Lights out); ELFT Latent; ELFT II (CDEFFS); Support Standardization; MINEX (minutiae); MINEX I (2004); MINEX II (Cards); Ongoing; MOC; IREX (iris); IREX 08 (19794-6); Test Lab Accreditation; Test Standards; Conform; XML; Interop.; 19795-4; 19795-8; 29109; 29120 (PIV)]
MINEX II – The NIST Context
NIST Support for Compact Biometric Elements e.g. for Identity Credentials
[Diagram labels: MINEX; IREX; sBMOC; Standards SC37 WG3; MINEX I 2004 Initial evaluation; Ongoing MINEX PIV; MINEX II Match-on-Card; MINEX III Minutia quality calibration]
NIST’s Offline Testing
» Massive archival image databases support
  » Scientific Method
    • Reproducible results
    • Fair comparative evaluations
  » Statistical significance e.g. in low FMR measurements
  » Can test FMR ≤ 10^-4
» But
  » Forces algorithms to deal with standard images: decouples sensor from the recognition algorithm
    • Is this realistic?
  » Offline image sets don’t usually capture the transactional nature
    • But MOC matching is expensive
System-on-card
» Sensor is on the card
» Testing by human attempts only
» Expensive to verify that FMR ≤ 10^-4
[Image labels: id-smart; Biometric Associates Fidelica; Scanecotech; Fidelica on Divacard]
Testing MXC vs. MOC vs. SOC

Match-off-card
» On PC, on wall reader, on network server
» GOOD: Algorithm could be certified in lab process
  » Augmented MINEX I
» BAD: But fielded installation cannot be tested for FMR compliance
  » Is algorithm the same?
  » Is threshold the same?

Match-on-card
» On card
» GOOD: Algorithm could be certified in lab process
  » Augmented MINEX II
» GOOD: Production card stock can be sampled and
  » Testing for compliance with certified product
  » Need PI

System-on-card
» No external reader
» BAD: Algorithm can only be certified in a scenario test
  » Many attempts with a large human population = expense
  » O(10^5) people to check FMR = 10^-4
  » Or market forces
  » An operational test?
MINEX II
MINEX II – Why MOC?
» Match-on-Card – Why
  » Cards are ubiquitous
  » ISO/IEC 7816 cards
    • Cryptographically hardened token
    • FIPS 140-2 certified
  » Privacy Enhancing Technology (PET)
    • No central database
    • Biometric reference never leaves the card
» Match-on-Card – Why not?
  » Verification template must be made off card
  » And passed to the card
  » A matcher on every credential
  » Computational resources …
MINEX II – Why?
» Hypothesis:
  » Match-on-Card implementations have same accuracy as Match-off-Card
» Why might that be?
  » MOC is not new.
  » Many of the same companies involved
» Why not?
  » Limited computational resources
    • Stack space, registers
    • Integer arithmetic
    • Smaller instruction sets
  » Smaller templates
    • MOC typically uses fewer minutiae
    • Reduced angular resolution in ISO-CC format
  » Asymmetric Algorithms
MINEX II is a definitive, public, independent, simultaneous measurement of the algorithmic accuracy and speed of MOC implementations
Not in MINEX II Scope
Also needed / And there are alternatives
» Card reliability, robustness
» Proprietary templates
» Card vulnerability
» System-on-card
» Security evaluation
» Business model, economics
» Image match-on-card?
» Conformance to 7816-x
» Contact vs. contactless
MINEX II – Design objectives
» Make it: independent, statistically robust, repeatable
  » Massive offline archival data
  » Uniform, standards-based, interface
» Measure error rate tradeoffs
  » Consider FNMR(t) vs. FMR(t) ⇒ Need matcher scores from card
» Demonstrate at industry “norm” of FMR of 10^-4
» Measure time
  » Inspect the slow-but-accurate vs. fast-but-inaccurate spectrum
» Allow teams
  » Allow card suppliers to team with fingerprint matcher suppliers
» Use the industry-preferred template
  » ISO/IEC 19794-2 compact card – three bytes per minutia
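As an added illustration of the error-rate objective above (not code from NIST or from the original slides): given similarity scores returned by a matcher, the sketch picks the threshold t for a target FMR, reports FNMR(t), and refuses a target that the impostor set is too small to resolve. The integer scores are constructed, and treating a comparison as a match when score >= t is an assumption.

```python
def fmr(impostor, t):
    """False match rate: fraction of impostor scores at or above threshold t."""
    return sum(s >= t for s in impostor) / len(impostor)

def fnmr(genuine, t):
    """False non-match rate: fraction of genuine scores below threshold t."""
    return sum(s < t for s in genuine) / len(genuine)

def threshold_for_fmr(impostor, target):
    """Lowest integer threshold whose measured FMR does not exceed target."""
    n = len(impostor)
    allowed = int(target * n + 1e-9)   # false matches the target permits
    if allowed < 1:
        # With n comparisons the smallest non-zero measurable FMR is 1/n.
        raise ValueError(f"need at least {round(1 / target)} impostor comparisons")
    ranked = sorted(impostor, reverse=True)
    if allowed >= n:
        return ranked[-1]              # every impostor score may be accepted
    return ranked[allowed] + 1         # just above the first score that must be rejected

# Constructed integer similarity scores (not MINEX data).
IMPOSTOR = [5] * 150 + [10] * 40 + [20] * 8 + [35, 40]   # 200 comparisons
GENUINE = [15] * 2 + [20] * 3 + [30] * 20 + [50] * 75     # 100 comparisons

def operating_point(genuine, impostor, target):
    """Return (t, FMR(t), FNMR(t)) at the threshold chosen for the target FMR."""
    t = threshold_for_fmr(impostor, target)
    return t, fmr(impostor, t), fnmr(genuine, t)

if __name__ == "__main__":
    print(operating_point(GENUINE, IMPOSTOR, 0.01))
    try:
        operating_point(GENUINE, IMPOSTOR, 1e-4)
    except ValueError as err:
        print("FMR = 1e-4 not measurable here:", err)
```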
MINEX II – Card APDUs
» Reference Template: sent via PUT DATA
» Verification Template: sent via VERIFY
» Similarity Score: via GET DATA
[Figure labels: FNMR; FMR]
MINEX II - Evaluation Principle
» 1. In vitro: Measure accuracy by executing N template comparisons on a general purpose computer
  » N = O(10^6)
» 2. In vivo: Confirm by repeating n << N comparisons on the card, check output is identical
  » n = O(10^3)
MINEX II - Status
Participant = Team of { Card vendor + Fingerprint matcher vendor }

Phase I
» July-Oct, 07
» Precise Biometrics + TecSec
» Neurotechnology + Internet Risk Mgmt
» Sagem Orga
» Oberthur + id3
» Non-public

Phase II
» Nov 07 – Feb 08
» Giesecke & Devrient
» Sagem Orga
» Oberthur + id3
» Public Report NIST Interagency Report 7477

Phase III
» Nov 08 – May 09
» Gemalto + MicroPacks
» Gemalto + Cogent
» Gemalto + Innovatrics
» Oberthur + id3
» Public Report May 2009 as NISTIR 7477 (Rev)

ISO Standard
» August 08
» ISO/IEC CD 19795-7 Performance Testing of 7816-based Algorithms
  • Not fingerprint specific
  • Not standard template specific
[Chart: VERIFY times (seconds), genuine and impostor comparisons. Implementations shown: G+D; SAGEM Orga; Oberthur / id3 (listed twice); Gemalto / Innovatrics; Gemalto / Cogent; Gemalto / MicroPacks]
MINEX II – PIV Compliance?
» PIV Compliance requires matchers to compare templates from other producers with low recognition error rates.
» Row denotes enroller, column denotes matcher.
» Green indicates accuracy is better than PIV requirement.
[Matrix figure labels: SAGEM; Gem / Inno; Ober / id3; Ober / id3; Gem / Cog]
MINEX II Results
» Protocol
  » Vendor acceptance
    • Eight teams
    • 19 implementations
  » Open source support
    • For ISO-STD prep
  » It works
    • One interface problem
» Implementations
  » ISO-CC templates can be matched with accuracy approaching INCITS 378
  » Some MOC implementations attain accuracy approaching that of better MINEX 04 matchers
  » Two implementations attain PIV compliance
    • Four others are close
  » Median VERIFY execution time