IEEE SIGNAL PROCESSING LETTERS, VOL. 17, NO. 3, MARCH 2010


Fuzzy Commitment for Function Based Signature Template Protection

Emanuele Maiorana, Member, IEEE, and Patrizio Campisi, Senior Member, IEEE

Abstract—In this paper we propose a biometric cryptosystem able to provide security and renewability to a function based on-line signature representation. A novel reliable signature traits selection procedure, along with a signature binarization algorithm, are introduced. Experimental results, evaluated on the public MCYT signature database, show that the proposed protected on-line signature recognition system guarantees recognition rates comparable with those of unprotected approaches, and outperforms already proposed protection schemes for signature biometrics.

Index Terms—Biometrics, cryptosystem, error control coding, on-line signature, template protection.

I. INTRODUCTION

Security and privacy probably represent the major concerns which have to be faced when implementing biometric based recognition systems. In fact, individuals’ biometrics are limited in number, and can be hardly replaced if stolen or copied. Biometric data can also contain relevant information regarding people personality and health, which can be used in an unauthorized manner for undesired intents. They can also be employed to perform an unauthorized tracking of the enrolled subjects across multiple databases [1]. Therefore, template protection is an issue of paramount importance which has to be addressed to protect users’ privacy and security. Several approaches have been recently proposed in order to secure biometric templates. Roughly speaking, these approaches can be classified as biometric cryptosystems and feature transformation approaches [2]. Biometric cryptosystems can be further classified as key binding approaches, where biometric templates are combined with binary keys, or key generation approaches, where cryptographic keys are directly generated from biometric data. Feature transformation methods can be classified as salting approaches, which apply invertible transforms to either the biometric data or to the extracted features, and non-invertible transform approaches, where one-way functions are applied either in the biometric domain or in the feature domain. The security of the former class of transformations relies on the secure storage of the transformation keys [3], whereas when non-invertible transforms are used it is computationally unfeasible to retrieve the original data, even knowing the transform’s defining parameters [1]. A detailed review on signature template protection has been presented in [4]. A key generation approach based on signature parametric features has been proposed in [5]. A salting approach has been presented in [3], while a user-adaptive version of the fuzzy commitment cryptographic protocol [6] has been applied to signature biometrics in [7]. A feature transformation approach for the protection of sequence based signature templates has been presented in [8], and its renewability capacity has been discussed in [9], [10]. In this contribution we present a key binding biometric cryptosystem based on Juels’ fuzzy commitment [6], which provides protection to function based on-line signature templates. The obtained recognition performances are far better than those achievable when using parametric feature based representations, as done in the majority of the already proposed signature template protection approaches, like for example [5] and [7].

Manuscript received September 21, 2009; revised November 25, 2009. First published December 28, 2009. Current version published December 31, 2009. The associate editor coordinating the review of this manuscript and approving it for publication was Dr. Z. Jane Wang. The authors are with the Department of Applied Electronics of the Università degli Studi “Roma Tre,” Rome 00146, Italy (e-mail: [email protected]; [email protected]). Digital Object Identifier 10.1109/LSP.2009.2038111

II. PROPOSED PROTECTION SCHEME

The adopted on-line signature representation consists of discrete finite sequences , with , while is the discrete temporal index. In order to handle the variability of each user’s signature temporal extension, a resampling process is performed to generate the functions , with , from the originally acquired signature sequences , with , for . is a system parameter representing the fixed length of the resampled signature sequences , , which are arranged as rows of a matrix . Sections II-A, II-B and II-C describe in detail each stage of the proposed cryptosystem: training, enrollment and authentication.

A. Training

In the training stage, signatures are collected from each of subjects. The available dataset is employed to evaluate some statistics about the functions used for the signature representation. These statistics are collected in the matrices , , and . Specifically, the rows , , of the matrix represent the average of the available signature functions:

(1)

being the -th sequence of the -th acquisition from user . The rows , , of the matrix , and the rows , , of the matrix are given by:

(2)


B. Enrollment

During the enrollment of a user , signatures are acquired, and a mean matrix is generated, assigning to its rows the mean vectors , . Each element , with and , is then binarized with bits, by performing a comparison with the stored data , , and . Specifically, the first bit is determined by the sign of the term . The remaining bits are given by the binarization of the term , performed by uniformly quantizing into bins the interval specified as follows:

if
if

(3)

The resulting binary template , with rows and columns, is then protected using error correcting codes. Specifically, a random binary message of bits is encoded using an BCH code, thus obtaining a codeword of length . The Error Correcting Capability (ECC) of the employed code takes into account the users’ intra-class variability, and therefore determines the verification performance of the system. A vector with length is then generated from , following the procedure detailed in Section II-B1. Eventually, is XOR-ed with the codeword , thus obtaining the fuzzy commitment . A hashed version of is then stored together with .

1) Reliable Signature Traits Selection: The binary template to protect consists of bits. It is worth noting that the length of the resampled signature sequences should be large enough to not discard any useful signature information, while the number of employed sequences should be large enough to guarantee an efficient signature representation. On the other hand, the length of and should be kept as low as possible, due to the fact that the computational complexity of a BCH encoder increases with the value of . A procedure which determines, for each user, the traits of his signatures which guarantee the best possible authentication rates, is therefore needed and here proposed. Using such a procedure, it is possible to select only the most reliable bits of to generate the binary word . Specifically, each signature is divided into parts with equal sample length . segments are then selected out of the available ones to generate . The desired segments are identified using two different reliability measures.

The first metric , , assigns a greater reliability to the segments whose binarization produces outputs which are, most of the time, equal to . Specifically, the binarization of each of the enrolled signature representations , , is compared with , and the traits whose binary versions have the lower Hamming distance from receive a greater reliability measure, normalized between 0 and 1. In principle, the use of the so selected segments allows obtaining a lower False Recognition Rate (FRR) than the use of generic segments.

The second metric , , assigns a greater reliability to the segments which are more difficult to forge. As is well known in the forensic field, it is assumed that the most distinctive traits of a signature are those realized in the most spontaneous way. Therefore, we assign a greater reliability to those traits where a high velocity, a high pressure, and a low curvature radius are encountered. In principle, the use of the segments selected according to is able to guarantee a lower False Acceptance Rate (FAR) than the use of generic segments. The proposed reliability measures are combined into a single measure . The traits with the greatest values of are selected and registered in the vector . The vector is generated by concatenating the rows of , taking for each row only the binary values related to the most reliable signature traits. The parameters and can be set according to which metrics the designer wants to play a predominant role. Alternatively, their values can be determined during the training phase, as we did for our experimental tests described in Section IV.

C. Authentication

The authentication phase follows the same steps of the enrollment. A subject claims the identity of a user by providing a signature. A matrix is generated from the signature, and quantized using the inter-class matrices , and , thus obtaining . A binary vector is then produced using the stored information , related to the most reliable signature traits for the user . A binary vector , representing a possibly corrupted BCH codeword, is then obtained as . A BCH decoder, selected according to the encoder used in enrollment, generates from . Finally, the hashed version is compared to : if the values are identical, the subject is recognized as the claimed identity.

III. SYSTEM SECURITY

In this section, we analyze the security of the proposed cryptosystem. Specifically, we consider both the feasibility of reconstructing the signature binary representation from the stored data , and , and the privacy protection capability of the proposed framework, in terms of the potential information leakage about the identity of the enrolled users from and .
It is worth pointing out that the knowledge of does not allow to reconstruct either the original signature or its binary representation, since no information on , or can be obtained from . In fact, contains only the indices of the signature most reliable traits for the user , selected according to the criterion given in Section II-B1. On the other hand, the security of a fuzzy commitment based cryptosystem employed to safely store mainly relies on the hash function , as discussed in [6]. In fact, if the random message can be retrieved, it can be used to reconstruct given . However, an attacker can attempt a brute force attack to determine by analyzing all the possible binary strings with length . Therefore the parameter represents the key strength of a fuzzy commitment protection scheme [11]. The value of is connected with the length of the binary templates , and with the ECC employed to manage the intra-class variability: keeping fixed the ECC/ ratio, related to the reliability of the employed features, the message length increases with the BCH codeword length . When a set of parametric features is employed as signature representation [7], the usable codeword length can be hardly higher than 127, due to difficulties in defining reliable parametric signature features. On the contrary, when the binary signature representation is generated using a set of signature time sequences, the length of the employed BCH codewords can be easily set to 1024 or 2048 bits, thus obtaining a significantly greater robustness to brute force attacks.

The analysis of the privacy protection capability of the proposed approach is made in terms of entropy loss, as discussed in [12]. Specifically, the entropy loss due to the availability of the fuzzy commitment can be expressed as , for binary representations with uniform distribution, and therefore increases with the ECC employed in the system, when keeping fixed the parameter . It is worth reporting that, when applying the procedure illustrated in Section II-B1 to generate , an entropy approximately equal to 0.9 has been observed for the signature binary representation, thus only slightly affecting the observed entropy loss.

The information leakage due to the statistics contained in , that is, the amount of information about the identities revealed by the helper data, can be evaluated by taking into account two scenarios proposed in [11] for privacy attacks: 1) an attacker acquires all the stored helper data, and tries to determine which of them belongs to a given user; 2) an attacker acquires many users’ biometrics, and tries to identify which user a given helper data belongs to. The first scenario can be analyzed by applying the procedure described in Section II-B1 to the signatures taken from a given user, and by comparing the obtained most reliable traits with the ones stored in for each user in the database: the match with the highest similarity score can be then associated with the considered identity. A similar approach can be employed to analyze the second scenario, by performing comparisons between the reliable signature traits of each available user, and the given helper data. The resilience of the proposed cryptosystem to the exposed privacy attacks is discussed in Section IV.

IV. EXPERIMENTAL RESULTS

An extensive set of experimental results is performed using the public version of the MCYT on-line signature database [13], which includes 100 users, for each of which 25 genuine signatures and 25 skilled forgeries are available. The database is divided into a training set comprising the first users, employed to estimate the inter-class matrices , and as described in Section II-A, and an evaluation set composed by the remaining 70 users, used to analyze the verification performances of the proposed system. The generic signature is represented by using discrete-time sequences. Let us indicate with the generic feature sequence extracted from the signature. Specifically, we have employed the horizontal and vertical position trajectories, the applied pressure , the path-tangent angle , the path velocity magnitude , the log curvature radius and the total acceleration magnitude , to represent a signature. The system parameters are first set as follows: , and . The parameters and , introduced in Section II-B1, are experimentally determined on the training set. Specifically, and are varied within the interval , with the condition that . The pair ( , ) giving the lowest Equal Error Rate (EER) over the training set is then employed for all the subjects in the evaluation set to estimate the verification performances. In our experimentations,

the values and have been estimated for the considered system configuration. The Receiver Operating Characteristic (ROC) curves in Fig. 1(a), which show the FAR for skilled forgeries vs. FRR for different systems, are obtained using signatures in the enrollment stage. From the given experimental results, it is straightforward to observe the effectiveness of the reliable signature traits selection procedure proposed in Section II-B1. The combined use of both the reliability measures and allows to achieve performances equal or even better than those obtained with the entire binarized signature functions, even if considering less than a half of the available signature information. The resulting EER is 9.35%. In Fig. 1(b), the authentication performances of the proposed protected system are compared with those achieved by the protected approaches in [5], [7] and [8], as well as with the performances of an unprotected system employing Dynamic Time Warping (DTW) as classifier [14]. The proposed scheme performs better than the cryptosystems presented in [5] and [7], implemented using a signature representation based on the 100 parametric features given in [15]. A performance improvement is also observed with respect to the transformation based protection approach presented in [8], which relies on a function based signature representation. It is also worth pointing out that the renewability capacity of the approach here proposed is higher than that of the approaches in [5] and [7], due to the possibility of encoding messages with longer length . The proposed approach introduces an acceptable loss in performances with respect to an unprotected system using DTW, currently considered the approach giving the best possible authentication performances for signature recognition, while providing protection to the employed signature templates.

Fig. 1. Recognition performances of the proposed template protected system. System parameters: P = 200, N = 2 and E = 5. (a) Comparison between different reliable signature traits selection procedures. (b) Comparison between the proposed approach and other signature based recognition systems.
It is worth specifying that signature based recognition systems can hardly reach EERs as low as those obtained using fingerprint or iris, due to the behavioral nature of signature biometrics. Nevertheless, the obtained recognition rates are comparable with those achieved, with and the same database, by unprotected signature based recognition systems [15]. The dependence of verification performances on the system parameters is also analyzed by taking into account the configurations given in Table I. The reported parameters are selected in order to respect the conditions and . Fig. 2(a) shows the EERs vs , which represents the number of bits employed to binarize each signature element, parameterized with respect to , representing the length of the resampled sequence. The employed values of and have been estimated as previously described for each configuration. The best verification rates are achieved when employing and , which results in an EER equal to 9.13%. It can be inferred that the best recognition rates can be achieved by setting approximately equal to the mean length of the originally acquired signatures (289 samples for the employed database), while keeping low the number of bits assigned to each signature element.

A numerical evaluation of the proposed system’s security is also reported. Specifically, Fig. 2(b) shows the behavior of FRR with respect to the system key strength . The values , and are kept fixed. As can be seen, increasing the parameter while keeping fixed results in:
• improving the FAR while worsening the FRR (the employed ECC decreases);
• improving both key strength (which increases) and entropy loss (which decreases).

Finally, the information leakage related to the disclosure of the helper data is evaluated by implementing the privacy attacks described in Section III. Specifically, Table I reports the accuracy with which an attacker can correctly link a given sample to the corresponding helper data (Scenario 1), and the accuracy with which he can correctly associate a given helper data with its owner (Scenario 2), for each considered configuration and having considered 70 subjects. It is worth noticing that such accuracies depend on the system parameters, and are related to the distinctiveness of the helper data . When selecting and , which is the system configuration giving the best verification performances, the identity leakage is therefore at least bits, which implies that the helper data can reveal information which facilitates an attacker to link the stored data with the enrolled identities. It is worth specifying that the obtained results provide an upper bound, related to the considered attacks, on the security of the proposed framework.

TABLE I
SYSTEM PARAMETERS EMPLOYED FOR THE PERFORMED TESTS, AND CORRESPONDING ACCURACIES OF PRIVACY ATTACKS

Fig. 2. Recognition performances of the proposed protected system, with E = 5. (a) EERs for skilled forgeries when varying P and N. (b) FRR and FAR for different key strengths.

V. CONCLUSIONS

A biometric cryptosystem able to provide security and renewability to a function based on-line signature representation is presented. A method for selecting the most reliable signature traits is also introduced. The proposed protected system guarantees performances comparable with those of unprotected systems, and far better than those offered by protection methods relying on parametric signature features. Further improvements can be accomplished by defining other metrics for the selection of the most reliable signature traits, less affecting the entropy of the employed binary representation and providing higher resilience to privacy attacks, as well as by using different functions to represent the acquired on-line signatures.

REFERENCES

[1] N. Ratha, S. Chikkerur, J. H. Connell, and R. M. Bolle, “Generating cancelable fingerprint templates,” IEEE Trans. Pattern Anal. Mach. Intell., vol. 29, no. 4, pp. 561–572, 2007.
[2] A. K. Jain, K. Nandakumar, and A. Nagar, “Biometric template security,” EURASIP J. Appl. Signal Process., Special Issue on Biometrics, 2008.
[3] W. K. Yip, A. Goh, D. C. L. Ngo, and A. B. J. Teoh, “Generation of replaceable cryptographic keys from dynamic handwritten signatures,” in ICB, 2006.
[4] P. Campisi, E. Maiorana, and A. Neri, “On-line signature based authentication: Template security issues and countermeasures,” in Biometrics: Theory, Methods, and Applications, N. V. Boulgouris, K. Plataniotis, and E. Micheli-Tzanakou, Eds. Hoboken, NJ: Wiley-IEEE Press, 2009.
[5] H. Feng and C. W. Chan, “Private key generation from on-line handwritten signatures,” Inform. Manag. Comput. Security, 2002.
[6] A. Juels and M. Wattenberg, “A fuzzy commitment scheme,” in 6th ACM Conf. Computer and Communication Security, Singapore, 1999.
[7] E. Maiorana, P. Campisi, and A. Neri, “User adaptive fuzzy commitment for signature templates protection and renewability,” SPIE J. Electron. Imag., vol. 17, no. 1, pp. 1–12, Jan.–Mar. 2008.
[8] E. Maiorana, M. Martinez-Diaz, P. Campisi, J. Ortega-Garcia, and A. Neri, “Template protection for HMM-based on-line signature authentication,” IEEE CVPR, Jun. 2008.
[9] E. Maiorana, P. Campisi, J. Ortega-Garcia, and A. Neri, “Cancelable biometrics for HMM-based signature recognition,” IEEE BTAS, Oct. 2008.
[10] E. Maiorana, P. Campisi, J. Fierrez, J. Ortega-Garcia, and A. Neri, “Cancelable templates for sequence based biometrics with application to on-line signature recognition,” IEEE Syst., Man, Cybern. A, to be published.
[11] Q. Li, M. Guo, and E.-C. Chang, “Fuzzy extractors for asymmetric biometric representation,” IEEE CVPR, Jun. 2008.
[12] Y. Dodis, L. Reyzin, and A. Smith, “Fuzzy extractors: How to generate strong keys from biometrics and other noisy data,” in EUROCRYPT, 2004.
[13] J. Ortega-Garcia et al., “MCYT baseline corpus: A bimodal biometric database,” Proc. Inst. Elect. Eng. Vis., Image Signal Process., vol. 150, no. 6, 2003.
[14] A. Kholmatov and B. Yanikoglu, “Identity authentication using improved online signature verification method,” Pattern Recognit. Lett., vol. 26, no. 15, 2005.
[15] J. Fierrez-Aguilar, L. Nanni, J. Lopez-Peñalba, J. Ortega-Garcia, and D. Maltoni, “An on-line signature verification system based on fusion of local and global information,” AVBPA, pp. 523–532, 2005.
