Multibiometric Cryptosystem: Model Structure and ... - MSU CSE

IEEE TRANSACTIONS ON INFORMATION FORENSICS AND SECURITY, VOL. 4, NO. 4, DECEMBER 2009


Multibiometric Cryptosystem: Model Structure and Performance Analysis

Bo Fu, Simon X. Yang, Senior Member, IEEE, Jianping Li, and Dekun Hu

Abstract—Single biometric cryptosystems were developed to obtain win-win scenarios for security and privacy. They are seriously threatened by spoof attacks, in which a forged biometric copy or artificially recreated biometric data of a legitimate user may be used to spoof a system. Meanwhile, feature alignment and quantization greatly degrade the accuracy of single biometric cryptosystems. In this paper, by trying to bind multiple biometrics to cryptography, a cryptosystem named the multibiometric cryptosystem (MBC) is demonstrated from the theoretical point of view. First, an MBC with two fusion levels, fusion at the biometric level and fusion at the cryptographic level, is formally defined. Then four models adopted at those two levels for fusion, namely the biometric fusion model, MN-split model, nonsplit model, and package model, are presented. Shannon entropy analysis shows that even if the biometric ciphertexts and some biometric traits are disclosed, the new constructions can still consistently achieve data security and biometric privacy. In addition, the achievable accuracy is analyzed in terms of false acceptance rate/false rejection rate for each model. Finally, a comparison of the relative advantages and disadvantages of the proposed models is discussed.

Index Terms—Biometric encryption, biometrics, cryptosystem, multibiometrics, Shannon entropy.

I. INTRODUCTION

Trustable authentication plays an increasingly important role in secure communication systems. Traditionally, passwords (knowledge-based security) and smartcards (token-based security) are used as the first step towards identity proof in the system. However, security can be breached since dynamic passwords are easily divulged and guessed by means of social engineering or dictionary attacks. Token-based authentication may in part compensate for the limitation of knowledge-based authentication; however, it is not reliable and is easily stolen. If passwords and smartcards are shared or stolen, there is no way to know who the actual user is. Thus, nonrepudiation cannot be provided by these two means.

Manuscript received June 23, 2009; revised August 31, 2009. First published September 29, 2009; current version published November 18, 2009. This work was supported in part by the China Scholarship Council, High Technology Research and Development (863) Project (Grant 2007AA01Z423), and by the Advanced Robotics and Intelligent System Laboratory, University of Guelph, Canada. The associate editor coordinating the review of this manuscript and approving it for publication was Prof. Davide Maltoni. B. Fu, J. Li, and D. Hu are with the School of Computer Science and Engineering, University of Electronic Science and Technology of China, Chengdu 610054, China (e-mail: [email protected]; [email protected]; [email protected]). S. X. Yang is with the Advanced Robotics and Intelligent Systems (ARIS) Laboratory, School of Engineering, University of Guelph, Guelph, ON, N1G 2W1, Canada (e-mail: [email protected]). Color versions of one or more of the figures in this paper are available online at http://ieeexplore.ieee.org. Digital Object Identifier 10.1109/TIFS.2009.2033227

The emergence of biometrics, as a strong form of individual authentication based on certain physiological or behavioral traits associated with the individual, overcomes the disadvantages of passwords and smartcards, but it is known that the sensed single biometric data is always noisy and distorted. Noisy biometric data results in insufficient accuracy, which largely limits the ability of biometric technology to provide useful value in many practical applications. On the other hand, biometrics may be vulnerable to common potential attacks, such as replay attacks, man-in-the-middle attacks and Trojan horse attacks, and in particular, susceptible to spoof attacks and template attacks [1], [2]. Spoof attacks are commonly encountered in biometric systems. Several techniques [3]–[5] are introduced, showing how an artificial biometric image can be reconstructed to spoof the acquisition sensor for enrollment. An even more serious problem is that compromised biometrics will be rendered unusable forever due to the difficulty of revoking the compromised biometrics or reissuing a new one. One possible technique is to encrypt the template using symmetric encryption. Cancelable biometrics [6], [7] is another technique that attempts to construct revocable biometric templates using various noninvertible transforms. With an increasing number of templates, the speed of “a matcher” will be largely decreased when those templates are used for identification. Thus, to overcome the disadvantages of biometrics, there are a couple of novel directions: multibiometric recognition systems that integrate multiple biometrics for identification or verification and biometric cryptosystems that encrypt the secret with biometrics, as shown in Fig. 1 (SB is the single biometrics and CG is the cryptography). A comparison of some single biometrics, including face, fingerprint, hand, iris, keystroke, and voice, is provided by Uludag et al. [14] based on seven factors.
From the authors’ point of view, each biometric has its advantages and disadvantages. One biometric usually compensates for the inherent limitations of the other biometrics [15]. Therefore, the limitations imposed by a single biometric model can be overcome by multibiometric recognition system [8]–[11]. Multibiometrics offers the following main advantages: 1) significantly improving the accuracy of the biometric identification or verification; 2) providing a certain degree of flexibility for some unusable biometric traits; and 3) resisting spoof attacks due to the difficulty in spoofing multiple biometric sources. Hong et al. [8] categorized multibiometric recognition systems into three architectures based on biometric data fusion: 1) fusion at the feature level (e.g., [16], [17]); 2) fusion at the score level (e.g., [18]); and 3) fusion at the decision level, (e.g., [19], [20]). Fusion at the decision level commonly consists of three strategies, namely, out of fusion rule [31], OR rule and AND rule [8]. As a multibiometric recognition system is expected to improve the accuracy for identification or verification and defeat spoof attacks, the biometric cryptosystem that binds biometrics

1556-6013/$26.00 © 2009 IEEE Authorized licensed use limited to: ASTAR. Downloaded on January 29, 2010 at 03:34 from IEEE Xplore. Restrictions apply.


Fig. 1. Biometric system.

to cryptography aims to obtain a win-win scenario of security and privacy. In a biometric cryptosystem, there are no biometric images or templates stored in the central database, and the security is completely controlled by the user with his/her biometrics; however, the biometric cryptosystem still encounters several challenges. As mentioned earlier, unlike a password, the variability of the biometric data sampled in different environments makes it hard to generate an identical biometric key with perfect accuracy. Over the past several years, a number of research efforts have been made in the biometric cryptosystem field. A biometric cryptosystem was first presented by Soutar et al. [12] and defined by Cavoukian et al. [13]. Juels et al. [21] proposed a fuzzy commitment scheme (FCS) algorithm, which utilizes error-correcting code theory and cryptography together to overcome the influence of the random noise to achieve provable security, but since the FCS has the property of order-invariance, strictly aligning the query biometric features with the template is required. Thus, Juels and Sudan [22] presented a fuzzy vault scheme (FVS). Uludag et al. discussed the fuzzy vault scheme for fingerprint minutiae [23], and raised some issues and challenges about a biometric cryptosystem. Nandakumar [24] presented another implementation of the fuzzy vault scheme based on fingerprint minutiae and helper data that is used to align the template and query fingerprints accurately. An efficient two-layer error-correction technique that combines Hadamard and Reed–Solomon error correcting codes to improve the iris encryption system performance is shown by Hao et al. [25]. To make a rigorous proof, Dodis et al. [26] and Boyen [27] introduced the concepts of fuzzy extractors and secure sketches.
They provided constructions of fuzzy extractors and secure sketches for input data with three various measures: Hamming distance (implemented in FCS), edit distance, and set difference (implemented in FVS). Since a multibiometric recognition system can improve accuracy and a biometric cryptosystem can improve security and privacy, can we develop a new cryptosystem with optimal accuracy, security and privacy, compared to a traditional biometric cryptosystem? As shown in the center of Fig. 1, this problem inspires us to explore a new construction model. Intuitively, since multiple biometrics is more difficult to be spoofed than

single biometrics, it is harder for an attacker to derive the secret locked by biometrics from cryptographic templates. From the perspective of accuracy, multibiometrics involves the use of biometric fusion for automated recognition with a higher degree of accuracy than single biometrics. Thus, it should obtain higher accuracy than a single biometric cryptosystem. Some related methods have already been raised and studied. Sutcu et al. [32] proposed a technique of integrating face features and fingerprint minutiae at the feature level to obtain a secure template based on known secure sketch schemes. Nandakumar and Jain [33] derived a multibiometric vault by integrating the fingerprint minutiae template and the iriscode template at the feature level. After combining fingerprint and voice data at the template level, Camlikaya et al. [34] demonstrated a privacy protection technique by hiding the fingerprint minutiae points amongst the features extracted from the voice. Yanikoglu and Kholmatov [35] combined two fingerprint features extracted from different fingers to get a combined biometric ID. In the above references, while authors gave particular cases using face, fingerprint or iris to improve the security and privacy, they did not clearly point out or analyze a multiple biometrics system for encryption from a theoretical point of view. In this paper, by trying to bind multiple biometrics to cryptography, a cryptosystem, namely the multibiometric cryptosystem (MBC), is demonstrated. Abandoning the specific integration techniques of different biometrics, the impacts of fusion at biometric and cryptographic levels on the biometric security, privacy and accuracy are studied. Different constructions of MBC models are developed and analyzed by means of Shannon entropy analysis and probability analysis. 
The focus of this paper is as follows:
1) Formulate the formal definition of MBC based on the definition of the traditional biometric cryptosystem, and define two fusion levels: biometric level and cryptographic level.
2) Define security and privacy of MBC in terms of Shannon entropy; and define accuracy using two types of error measurement: false acceptance rate (FAR) and false rejection rate (FRR), which are related to the FAR and FRR in biometric recognition systems.
3) Propose a general construction model of MBC at the biometric level where different sets of biometric features are integrated to a vector or set for encryption, and discuss its security, privacy and accuracy.
4) Present three models of MBC at cryptographic level that consists of three submodels, namely, MN-split model, nonsplit model, and package model; then analyze their performance.
5) Discuss a comparison of the proposed models.

In a multibiometric recognition system, there are four common distinct subcategories: multimodal (e.g., fingerprint and iris), multiinstance (e.g., left iris and right iris), multisensorial (e.g., optical fingerprint image and electrostatic fingerprint images), and multialgorithmic (e.g., fingerprint minutiae extraction algorithm and filter bank-based fingerprint feature extraction). In MBC, however, we only consider the biometric features and ignore the sources which those features are extracted from. Therefore, we are mainly concerned with the architectures at the biometric level regarding the fusion of biometric features, and at the cryptographic level regarding the fusion of the secret.


FU et al.: MBC: MODEL STRUCTURE AND PERFORMANCE ANALYSIS


TABLE I NOTATIONS

Fig. 2. Unibiometric encryption.

The rest of this paper is organized as follows: some traditional biometric cryptosystems are presented in Section II. In Section III, the formal definitions of MBC with its performance index are proposed. The MBC model at the biometric level is discussed in Section IV and three MBC models at the cryptographic level are proposed in Section V. In Section VI, a comparison on the relative advantages and disadvantages of the proposed models is discussed. Conclusions are given in Section VII. Some related notations are presented in Table I.

II. TRADITIONAL BIOMETRIC CRYPTOSYSTEM

Because the traditional biometric cryptosystem adopts single biometrics, as mentioned earlier (see for instance Fig. 2), we call it a Uni-Biometric Cryptosystem (UBC) in this paper. In this section, we will introduce three methods: Biometric Encryption Algorithm (BEA), Fuzzy Commitment Scheme (FCS) and Fuzzy Vault Scheme (FVS) for UBC first. BEA [12] used a Fourier transform to process the entire fingerprint image to bind a random key. FCS [21] and FVS [22], which have been broadly applied to iris, fingerprint, and face, rely on unique biometric traits that are used as inputs for various measures of closeness, such as Hamming distance and set distance. BEA defines a correlation function, , to be the basis for the algorithm. For two images, and , with their corresponding Fourier transform, and , respectively, the correlation function between them is formally defined as , where denotes the complex can be computed as the inverse conjugate. The output of Fourier transform (FT-1), . Then, a filter function , which provides a tradeoff between distortion tolerance and discrimination, can be defined and calculated using a set of training images . For a training image , the output pattern produced in response to is given by and its Fourier transform is

. A similarity term, , is defined given by as a measure of the similarity of the output correlation patterns and the random output function . A noise term, using , is defined as a measure of the effect of image-to-image variation. To minimize the error, Soutar et al. [12] proposed an opthat processes a timal filter design for the filter function perfect cryptographic secret. FCS utilizes technique of error-correcting. In order to authenticate and reveal the key, biometric features that are sufficiently close to the biometric template must be presented. Let be a hash function, such as SHA-1. Then, define a map: as , where is a codeword in a set . First, randomly select a codeword as a secret. When encrypting the secret using biometric vector , compute , and store as the ciphertext in a server. When decrypting the ciphertext, another biometric vector is inputted for authentication. Then, can be obtained, where is a decode function. If is close to , we can determine is the secret if . In FCS, the biometric features must be aligned before running the FCS algorithm. On the other hand, the property of order-invariance is to be desirable. To overcome the disadvantage of FCS, the FVS algorithm is developed without a fixed order because biometric features are considered as elements of a biometric set. FVS utilizes set difference to examine the similarity of biometric features. This technique consists of two algorithms: locking algorithm and unlocking algorithm. Locking algorithm . First, a locks a secret with an unordered set polynomial is selected to encode the secret . Then we can compute evaluations of the polynomial using all elements of . The results can be denoted as

In order to hide the secret, a number of random chaff points are chosen as random noise to mix with the genuine points. Those chaff points do not lie on the polynomial , denoted as

The entire collection of points constitutes a vault . The unlocking algorithm retrieves secret from vault by providing another similarly unordered set . If


Fig. 3. Multibiometric encryption.

is big enough, many genuine points in can be identified. Then the secret is revealed by using an error correction scheme and a polynomial reconstruction algorithm. The security of FVS relies on the number of chaff points, but FVS is vulnerable to some attacks, such as Attacks via Record Multiplicity or Correlation Attacks, Surreptitious Key-inversion Attack, and Blended Substitution Attacks [28], [29], even if a large number of chaff points are added in. On the other hand, chaff points cannot be selected too close to genuine points. Otherwise, they will cause a genuine point to be quantized to a chaff point. That will hardly improve the attack complexity required if biometric feature detection and extraction are limited. BEA, FCS, and FVS have their advantages and disadvantages for different applications. When they are applied in an MBC, we will only consider them as possible algorithms for encryption without caring about the algorithms themselves.
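The FCS commit and decommit steps described above, as an added Python example that is not code from the paper: a 5-fold repetition code stands in for the error-correcting code, SHA-256 for the hash function, and the 40-bit template and 8-bit key are constructed sample data. It shows recovery under scattered noise, failure when one block carries more errors than the code corrects, and failure when the query is shifted by one position, because FCS compares features position by position.

```python
import hashlib
import hmac

REP = 5  # toy repetition code (assumption): corrects REP // 2 = 2 bit errors per block


def encode(key_bits):
    """Map key bits to a codeword c by repeating each bit REP times."""
    return [b for b in key_bits for _ in range(REP)]


def decode(code_bits):
    """Majority vote per block: nearest codeword, returned as key bits."""
    return [int(sum(code_bits[i:i + REP]) > REP // 2)
            for i in range(0, len(code_bits), REP)]


def xor(a, b):
    return [x ^ y for x, y in zip(a, b)]


def digest(bits):
    # SHA-256 is used here in place of the SHA-1 the text names as an example.
    return hashlib.sha256(bytes(bits)).hexdigest()


def commit(template, key_bits):
    """Enrollment: store only (hash of codeword, template XOR codeword)."""
    c = encode(key_bits)
    if len(template) != len(c):
        raise ValueError("template length must equal codeword length")
    return digest(c), xor(template, c)


def decommit(stored, query):
    """Verification: return the key bits if the query decodes to the
    committed codeword, otherwise None."""
    h, offset = stored
    if len(query) != len(offset):
        return None
    key = decode(xor(query, offset))      # query XOR offset = c XOR noise
    ok = hmac.compare_digest(digest(encode(key)), h)
    return key if ok else None


def flip(bits, positions):
    """Simulate sensor noise by inverting the bits at the given indices."""
    return [b ^ 1 if i in positions else b for i, b in enumerate(bits)]


# Constructed sample data (not real biometric features). In practice the
# key would be drawn at random, e.g. with the secrets module.
TEMPLATE = [1, 0, 1, 1, 0,  0, 1, 0, 0, 1,  1, 1, 0, 1, 0,  0, 0, 1, 0, 1,
            1, 0, 0, 1, 1,  0, 1, 1, 0, 0,  1, 0, 1, 0, 1,  0, 1, 0, 1, 0]
KEY = [1, 0, 1, 1, 0, 0, 1, 0]


def demo():
    stored = commit(TEMPLATE, KEY)
    # Seven flipped bits, at most two in any block: within the code's reach.
    spread = flip(TEMPLATE, {0, 3, 7, 12, 13, 21, 38})
    # Only three flipped bits, but all in the first block: decoding fails.
    burst = flip(TEMPLATE, {0, 1, 2})
    # Same features, shifted by one position: alignment is lost.
    shifted = TEMPLATE[1:] + TEMPLATE[:1]
    return {
        "spread_noise": decommit(stored, spread),
        "burst_noise": decommit(stored, burst),
        "misaligned": decommit(stored, shifted),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```
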

III. BASIC THEORIES OF MBC Basic architecture of the MBC is shown in Fig. 3. To effectively understand the MBC, we will analyze and define three performance characterizations, namely, security, privacy and accuracy. As considered in the multibiometric recognition system, it will be assumed that the cost and the speed of the system do not play any significant role in its performance assessment [8]. A. Formal Definitions Definition 3.1: Let be a randomized encryption function computable in probabilistic polynomial time. Let be a decryption function computable in probabilistic polynomial time. denotes the ciphertext of biometric encryption where and , and denotes the result of biometric decryption, where . In a biometric cryptosystem, when inputting a biometric vector or set and a secret , function binds and and maps to a new space. We denote the random output of the function by that presents the ciphertext of the secret encrypted by . If we wish to make the randomness explicit, the denotation is used, where is a random number. Also, the function reconstructs the secret after inputting another biometric vector or set B and the ciphertext.

If a genuine user offers legitimate inputs, and should run in probabilistic polynomial time. In order to define an MBC, first, we must define a unibiometric cryptosystem that is used to encrypt the secret using the single biometrics. Definition 3.2: A unibiometric cryptosystem is an encryption/decryption pair with the following property: , if for every pair of biometric features for a positive real , then with overwhelming probability. This definition of uni-biometric cryptosystem allows one to encrypt a secret with a biometric vector or set , and then successfully retrieve in the expected polynomial time with any that is close to . Here, the distance vector or set is the number of different digit positions for hamming metric and half of size of two sets’ symmetric difference for set difference metric[26]. This definition can be extended to define MBC, which contains multiple biometrics for encryption/decryption. is an encryption/decryption pair Definition 3.3: An MBC with the following property: for some pairs of bioextracted metric feature vectors or sets for a from m different biometric sources, if with positive real , then overwhelming probability, where . In other words, an MBC can decrypt a ciphertext , which is the result of a secret encrypted with biometric vectors or sets , if the input is close to . The similarity assessment of and is obtained based on a measure function . How to integrate different biometrics is not considered in this definition, so we will give the following two definitions regarding fusion at the biometric level and fusion at the cryptographic level. Definition 3.4: In system , fusion at the biometric level is a map , which satisfies the following multibiometric encryption/decryption process: for some pairs of biometric vectors or sets extracted from different bio, if metric sources, where for a positive real , where and , then with overwhelming probability. 
Definition 3.5: In system , fusion at the cryptographic level is a pair , where is a map and is another map , which satisfies the following multibiometric encryption/decryption process: for some pairs of biometric vectors or sets extracted from different biometric sources, where , if for a positive real , with then overwhelming probability. From Definition 3.4, we can see that the MBC model at the biometric level is the same as the fusion at the feature level in a multibiometric recognition system. The only difference is that the integrated vector or set is used for either biometric encryption or identity recognition. Similarly, according to Definition 3.5, fusion at the cryptographic level is the same as the decision level fusion. While there is a fusion level (score level fusion) in the multibiometric recognition system, it is not defined


in the MBC because a cryptographic algorithm needs an accurate and determined cryptographic key rather than a nonidentified score judgment. Also, in Section V, we will find that at the cryptographic level, the MN-split model, nonsplit model, and package model all have parallels with fusions in the multibiometric recognition system, corresponding to the out of fusion rule, OR rule, and AND rule, respectively. B. Security and Privacy The privacy of a biometrics and the security of a secret can be put into precise mathematical terms based on the definition of entropy. The entropy measure for biometric protection was firstly proposed in [26], which is called min entropy. But in [30], authors proposed the Shannon entropy instead of the min entropy due to the disadvantage of the min entropy in the multiple-key scenario. We also adopt the Shannon entropy to analyze the privacy and security in the multiple-biometrics scenario. The Shannon entropy of a random variable is defined in terms of its probability distribution. The conditional ungiven such certainty of the random variable that is given by for each . Furthermore, given the random variable , the conditional uncertainty of the random variable is given by , which is the expected value of over . can be regarded as the entropy of after disclosing . Then, the entropy loss of the random variable by disclosed is the . Based on these theories, entropy difference to analyze the privacy and security of an MBC, three attack hypotheses are given as follows. 1) For an individual, some biometric traits are vulnerable and were compromised by an impostor. For example, his/her fingerprints or voice are faked or recorded by means of social engineering. However, other biometric traits are still unknown. 2) The ciphertext of the secret encrypted with biometrics is disclosed. In some systems, it is easier to break the server than to attack biometrics. 
3) Fusion algorithms and encryption/decryption algorithms in the MBC are known by the impostor. Now we can have the following descriptions: Set and let be a triple of random variables corresponding to a randomized construction of the MBC. is a random biometric vector or set over a universe corresponding to the biometrics, where . and are independent for all . is a random secret uniformly chosen from and independent of . is a ciphertext, which is the result of a function of and , namely when integration is done at biometric level and when integration is done at cryptographic level, respectively. In terms of the Shannon entropy, we have for

and for

Since . Let the uncompromised biometrics, where

, then be a set of , and


is a set of the compromised biometrics. Without a loss and . of generality, we assume is the entropy measure of the uncertainty about when the ciphertext and the biometrics in the set are disclosed. The security and privacy of the MBC depends on the entropy of the unbroken biometrics in the set . The main ob. jective then is to determine Lemma 3.1: In an MBC over a universe , for the secret and the set of biometrics , if is partitioned into two complementary subsets and , and , we have the following equations: , . can be equivProof: The mutual information and alently expressed as . Because and are in. Thus, we dependent, then the mutual information . In the same way, have . We have because and are also independent, . Theorem 3.1: In an MBC over a universe , given and , for the conditional entropy , we have . Proof: By Lemma 3.1, we know . If set , we get

Therefore, . As a result, we can examine the mutual information of each biometric and the ciphertext to determine the entropy of unbroken biometrics, which maintains its privacy from the disand , and protects the security of the closed information or secret. In order to determine the privacy or security of , we only need to determine the mutual information as description in Lemma 3.1 and Theorem 3.1. To compare the security of a unibiometric cryptosystem with an MBC, we assume that given a random biometric , a random secret , and the unibiometric algorithm , we can determine the entropy. In the MBC, we will not consider the security of the unibiometric algorithm and assume it is secure for secret protection. According to this assumption, we will analyze the privacy and security of the MBC. C. Accuracy In a biometric system, the problem of personal identification can be formulated as a hypothesis testing problem [8], [19]. Thus, two types of error measure, FAR and FRR, can be presented using conditional probability. In an MBC, the accuracy problem in unibiometric cryptosystems can be formulated as a hypothesis testing problem also. As presented in [19], FAR and


TABLE II EXAMPLES OF ACCURACY

FRR are used to measure that an impostor successfully generates the secret by providing the illegitimate biometrics and that a genuine user unsuccessfully generates the secret by providing the legitimate biometrics, respectively. Therefore, we can obtain the following description: two categories of people, and , seek to obtain the secret that is encrypted by biometis an impostor. After rics . Here, is a genuine user and providing another biometric , the cryptosystem outputs if successfully decrypting the ciphertext encrypted by , or if un-successfully decrypting the ciphertext, where is a special character. That is to say, if obtaining , then the user belongs to . On the other hand, if obtaining , the user belongs to . Based on the above description, we can determine the accuracy of the uni-biometric cryptosystem. The FAR is the conditional probability that an impostor successfully obtains by inputting to the cryptosystem , denoted as . The FRR is the conditional probability that a genuine user obtains by inputting to the cryptosystem , denoted as . Next, we will consider the accuracy of the MBC based on that found in the unibiometric cryptosystem. In a multibiometrics scenario, if multiple biometrics are inputted for encryption and are inputted for decryption, then the error rate can be defined as

To examine the accuracy, we set the values of as the FAR and FRR when using a uni-biometric algorithm to decrypt , which is the ciphertext of the secret encrypted by biometrics using algorithm . We use the following four examples of in Table II to test the accuracy, where , 2, 3, 4. In a biometric recognition system, there is a tradeoff between FAR and FRR. But for a cryptographic system, security is more important. Therefore, we set the FRR as much bigger than the FAR for single biometrics. For instance, the accuracy of pair algorithms ( ) is with values of (0.05, 0.2) when a biometric encryption algorithm is applied to biometrics . In the following models, accuracy is examined by using these examples. IV. MBC MODEL AT BIOMETRIC LEVEL Fusion at the biometric level integrates different biometric features that are extracted from multiple biometric sources to a vector or set for encryption. This fusion may be done in the same manner as fusion at the feature level in multibiometric recognition systems, as shown in Fig. 4. In this section, we will discuss performance problems without considering how to integrate the biometric features. Some fusion methods were widely used in

Fig. 4. Fusion at biometric level.

the multibiometric recognition system. We refer the reader to the corresponding literature [16], [17]. The MBC model at the biometric level is a formal construction, which presents basic relations among the fusion of biometric features and biometric encryption. In this model, the variincludes two components and , able set of biometrics where is the set of broken biometrics and is the biometrics still unknown by the impostor. Variables , and can be de, , , where and noted as . Without a loss of generality, we assume and . The fusion of the variable set of biometcan be used to encrypt the secret to satisfy the folrics lowing formulas: and Then the fusion, , can be consider as a special biofor single biometric encryption/demetric integrated from , each biometric cryption. Here, for the same algorithm also satisfies the following formulas: and We now show the lower bound of biometrics in the construction of a cryptosystem at the biometric level when is disclosed and biometric is compromised. We consider the entropy loss of biometrics that can be determined from the fusion algorithm and the uni-biometric cryptosystem. Theorem 4.1: In a general construction of MBC at biometric level over a universe , if the entropy loss of is for fusion, where , is the encryption template, then given and , for the random variable , we have . See Appendix A.1 for the proof of Theorem 4.1. By Theorem 4.1, If there are no spoofed biometrics, namely , then . On in , we have the other hand, for the biometric trait . Set and , then by Theorem 4.1. As a consequence, given and , we can determine the minimum entropy for each un-broken biometrics in the set is . We now state and prove Theorem 4.2 which gives the relationship of and when and are both disclosed at biometric level.


Theorem 4.2: In a general construction of MBC at the biometric level over a universe , for the random variable , we have . If is uniquely determined by , we have

See Appendix A.2 for the proof of Theorem 4.2.

Without considering the parameter , Theorem 4.1 and 4.2 give the relationship of the security/privacy between the MBC model at biometric level and the UBC model when some biometrics in are disclosed. However, based on Definition 3.4, only when the pair meets the condition , the fusion biometric vector or set can decrypt the template. Therefore, the parameter plays an important role in determining the accuracy of the cryptosystem. On the other hand, the security of cryptosystem depends on and the entropy of the disclosed biometric set also. The following theorem shows the relationship between the security of the secret and the accuracy using the parameter and the set .

Theorem 4.3: In a general construction of MBC at the biometric level, for some pairs of biometric vectors or sets , where , if and fusion biometric traits in probabilistic polynomial time , where , and to make , then we have (1) If , ; (2) If , where denotes the considerable computational complexity.

See Appendix A.3 for the proof of Theorem 4.3.

If there is no entropy loss when combining the biometric traits in , the entropy of can be considered as the considerable computational complexity . Therefore, can be determined by . It is known that integrating multiple biometrics using an effective fusion scheme can significantly improve the overall accuracy of the biometric system. An MBC that utilizes the highly efficient methods also can achieve better accuracy compared to a unibiometric cryptosystem. For example, the multibiometric vault [33] achieves a GAR of 98.2% at FAR of about 0.01%, while the corresponding GAR values of the iris and fingerprint vaults are 88% and 78.8%.

In a general construction of MBC models at the biometric level, if a fusion algorithm can improve the accuracy for identification/verification, we can apply the same fusion algorithm to improve the accuracy of the MBC. In general, the alignment and quantization of biometric features are mainly affected by the features. We can find some proper fusion algorithm to achieve the lower FAR and FRR. Therefore, a good fusion algorithm at biometric level can improve the accuracy also.

V. MBC MODELS AT CRYPTOGRAPHIC LEVEL

MBC models at the cryptographic level, as shown in Figs. 5–7, consist of three submodels: MN-split model, nonsplit model, and package model. Cryptographic level fusion stems from the decision level fusion. Thus, there are some similarities and relationships between them. Similarly, the MN-split model, nonsplit model, and package model correspond to the

Fig. 5. MN-split model.

out of fusion rule, OR rule, and AND rule, respectively. In the MN-split model, the secret is split into pieces. Each biometric protects one piece using a relative encryption/decryption algorithm. The secret can be reconstructed only if any pieces are recovered from the corresponding biometric ciphertexts. This model can eliminate the effect of some low-quality biometric images or some unusable biometrics. In nonsplit models, the secret is not split into pieces. Each biometric encrypts the secret that can be recovered when any one of biometric ciphertexts is decrypted successfully. Since any broken biometrics can compromise the secret, the security of is vulnerable. In the third model, the secret is packed layer by layer. The secret is encrypted to the biometric ciphertext by the first layer biometrics, then the ciphertext is considered as the secret and encrypted by the second layer biometrics. At last, the final ciphertext is obtained after encrypted by the outside biometrics. Those models will be investigated in the following section.

A. MN-Split Model

In the MN-split model, the secret is split into pieces, denoted as . Any pieces can be used to restore . Assume protects , protects , , and protects , as shown in Fig. 5. There is a determined combination coefficient, denoted by , existing between the encryption using biometrics and the encryption using a subset , where is the set of biometrics that is randomly selected from the to encrypt/decrypt . Therefore, in this model we only consider the multiple biometric encryption using and analyze its security. If is the set of broken biometrics in the set and is the set of other biometrics in , then , and can be denoted as , , where and . Just the same as the assumption at the biometric level, without a loss of generality, we assume and . For each biometric , can be encrypted as follows:

Because , then is independent with if .

Fig. 6. Nonsplit model.

Fig. 7. Package model.

The previous description gives the basic ideas of the general MN-split model. The following theorem shows that the lower bound of the entropy of is mainly affected by the entropy of each biometric in , which is used in the uni-biometric cryptosystem, given corresponding to .

Theorem 5.1: In a general construction of the MN-split model over a universe , given and , for the random variable , we have , .

See Appendix B.1 for the proof of Theorem 5.1.

By this theorem, we can see if , then . We can get and . For a biometrics in when given and , because , it is clear that . On the other hand, we have then . Thus, let entropy and , we can get by Theorem 5.1.

Hamming metric construction over a field is a technique that the secret is a random codeword chosen uniformly at random and independently with each biometric . In this construction, is a function of and , namely , and is uniquely determined by , namely . Theorem 5.2 shows that if can be uniquely determined by , the entropy of the secret is equal to the entropy of the biometrics when are both disclosed. In the following theorem, we can examine biometrics to determine the security of the secret.

Theorem 5.2: In a general construction of the MN-split model over a universe , given and , for the random variable , we have . If biometric is uniquely determined by , we have .

See Appendix B.2 for the proof of Theorem 5.2.

Theorem 5.3: In a general construction of the MN-split model, for some pairs of biometric vectors or sets , where , if there is a biometric set , in probabilistic polynomial time to make , where , and is a positive real, then we have (1) If , ; (2) If , , is the entropy of the combination, which is generated by selecting elements from the set , denoted as . Here, , , and denotes the considerable computational complexity.

See Appendix B.3 for the proof of Theorem 5.3.

The accuracy of restoring the secret can be computed by Theorem 5.4.

Theorem 5.4: In a general construction of the MN-split model over a universe , for biometrics , if at least biometrics can be used to successfully decrypt corresponding ciphertexts, then we have , , where is the FAR of and is the FRR of , and is a randomly selected biometric for encryption.

See Appendix B.4 for the proof of Theorem 5.4.

Proposition 5.1: In the MN-split model, given biometrics as input, if a biometric trait is involved in decrypting the corresponding subkey, then we have , , where ( ) is the FAR (FRR) of the biometric , and ( ) is the FAR (FRR) of the cryptosystem .

Proof: By Theorem 5.4, when is chosen for decryption, then

where is the FAR and is the FRR of cryptosystem . Therefore, Since , and , then , .

To more clearly understand the accuracy computation of MN-split model, we provide the following example.

Example 1: As an example, consider the following choice of parameters. Let , , and . Because , then based on Table II, has the following four possible values:

Since , has the following six possible values:

TABLE III EXAMPLES OF ERROR RATE AT THE MN-SPLIT MODEL

Therefore, by comparing Tables II and III, we have achieved that both FAR and FRR have decreased greatly.

B. Nonsplit Model

Distinct from the construction of the MN-split model, the secret is not split into pieces, as shown in Fig. 6. Any biometric protects the same secret . is the set to encrypt/decrypt . is the set of broken biometrics in the set and is the set of un-broken biometrics in . , and can be denoted as , , , where and . Without a loss of generality, we assume and . Here, any biometric can be used to encrypt as follows:

In this model, because , then is independent with if . Also, for a determined , is independent with if . So we can get the following theorem. Theorem 5.5: In a general construction of the nonsplit model over a universe , given and , for the random variable , we have . See Appendix B.5 for the proof of Theorem 5.5. From above theorem, for any un-compromised biometrics in , . Obviously, if is nil, . For any biometric , when are disclosed, is also disclosed since . Thus, knowing and , an impostor can restore the secret by using the decryption algorithm . We then have the following theorem for the security of the secret. Theorem 5.6: In a general construction of the nonsplit model over a universe , given and , for the random variable , we have . See Appendix B.6 for the proof of Theorem 5.6.

Theorem 5.7: In a general construction of the nonsplit model, for some pairs of biometric vectors or sets , if , where , and is a positive real, then we have (1) If , ; (2) If , ; where , , and denotes the considerable computational complexity.

See Appendix B.7 for the proof of Theorem 5.7.

Theorem 5.8: In a general construction of the nonsplit model over a universe , for biometrics , then we have , , where is the FAR of and is the FRR of .

See Appendix B.8 for the proof of Theorem 5.8.

Proposition 5.2: In the nonsplit model, given biometrics as input, we have , , where ( ) is the FAR (FRR) of a biometric trait , and ( ) is the FAR (FRR) of the cryptosystem .

Proof: By Theorem 5.8, we can obtain

Since , we can get

, then . And since , we can obtain

Therefore, we have , .

Example 2: Again, we pick and . Then based on Table II, we can compute , and . Therefore, with a higher FAR, this model largely decreases FRR.

C. Package Model

Package model provides a layer-by-layer protection for the secret using biometrics. The bottom layer is the secret that is encrypted by the next layer’s biometrics to the ciphertext, which becomes the following layer’s secret. The top layer is the last result of the whole encryption process. To obtain the secret, an impostor has to rake up the ciphertext layer by layer, as shown in Fig. 7. We can create the following model.

the set . is the set of broken biometrics in the set and is the set of un-broken biometrics in . , and can be denoted as , , where , and . Without a loss of generality, assume and . The process of encryption is denoted as follows.

From the above formulas, we can see and are independent. The following three theorems show the privacy, security and accuracy of this model.

Theorem 5.9: In a general construction of the package model over a universe , given and , for the random variable , we have .

See Appendix B.9 for the proof of Theorem 5.9.

If there are no spoofed biometrics, namely and , then . On the other hand, if , because has only an un-compromised biometrics, such as , is determined by , then . Since both and are independent with , and , then we have . The following theorem gives the minimum entropy of the secret .

Theorem 5.10: In a general construction of the package model over a universe , given and , for the random variable , we have .

See Appendix B.10 for the proof of Theorem 5.10.

Theorem 5.11: In a general construction of the package model, for some pairs of biometric vectors or sets , if and , where , and is a positive real, then we have (1) If , ; (2) If , ; where , , and denotes the considerable computational complexity.

See Appendix B.11 for the proof of Theorem 5.11.

Theorem 5.12: In a general construction of the package model over a universe , for biometrics , then we have

, , where is the FAR of and is the FRR of .

See Appendix B.12 for the proof of Theorem 5.12.

Proposition 5.3: In the package model, given biometrics as input by an impostor or a genuine user, we have , , where ( ) is the FAR (FRR) of a biometric , and ( ) is the FAR (FRR) of the cryptosystem .

Proof: By Theorem 5.12, we can obtain

Same as the nonsplit model, let be , and . Since , we can obtain . And since , we can get , then . Therefore, we have , .

Example 3: Let and . Then based on Table II, we can compute , , and . Therefore, this model

largely decreases FAR (near zero), but FRR is increased.

VI. COMPARISON OF VARIOUS MBC MODELS

In this section, a brief comparison of MBC models will be provided based on the security, privacy and accuracy. We mainly consider following scenarios: 1) the entropy of the determined biometric set in which the biometric trait is uncompromised when the ciphertext and some biometrics in are disclosed (corresponding to , , , , respectively); 2) the entropy of the secret when the ciphertext and some biometrics are disclosed; and 3) the accuracy of the models. The first and second scenarios are relative to the privacy of the biometrics and the security of the secret. In an MBC, without biometrics directly stored in the template database, the user need not reveal his biometrics to an impostor just as dealt in the unibiometric cryptosystem. But the privacy issues tied to MBCs are significantly affected by different model architectures and parameters. It is known that the compromised biometrics cannot be revoked. Thus, in the unibiometric cryptosystem, if a biometric is compromised, we have to discard it and switch to another biometric cryptosystem based on another biometric identifier. In an MBC, in order to consider the system’s performance to overcome this problem, we have assumed the set consisting of compromised biometrics.

For the security of the secret, when the ciphertext and biometrics in are disclosed, the entropy of the secret is . Therefore, if and are compromised by the impostor, the security of the secret is only protected by the biometrics in . We consider following scenarios: 1) ; 2) , is the parameter of MN-split model; 3) ; 4) all biometrics are compromised, . When , . Then, by comparing the entropy using the parameters , and , where is the threshold in the biometric fusion model, is the distance of biometric trait and is the size of the set , we can obtain the security level of each model . Based on Theorem 4.3, 5.3, 5.7, and 5.11, we can get the entropy as shown in Table IV. Similarly, we can get the Tables V and VI when and . When , it is clear that since all biometrics are broken. In Table IV, the security level of each model is given when and . These two scenarios are considered under the condition of . In Section V, with the same condition, Theorem 5.4, 5.8, and 5.12 demonstrate how to compute the accuracy (FAR and FRR). Since the accuracy of the biometric fusion model is related to , the FAR and FRR of the four models under the same two scenarios can be compared. These comparisons are presented in Table VII.

TABLE IV SECURITY COMPARISON OF VARIOUS MBC MODELS ($|Z| = 0$)

TABLE V SECURITY COMPARISON OF VARIOUS MBC MODELS ($1 \le |Z| < n$)

In the biometric fusion model, for a determined biometric trait , when the ciphertext and biometrics are disclosed, by Theorem 4.1, we can get . If there is no entropy loss of the biometric when combining all the biometrics to form a encryption vector, . By Theorem 5.1, since , we can get in the MN-split model. By Theorem 5.5, we know . By Theorem 5.9, we can get . Thus, while there is a low level of privacy in the MN-split model, the biometric fusion model and package model have a higher level of privacy than that in the nonsplit model, as shown in the second column of Table VIII. Also, by Theorem 5.4, 5.8, 5.12, and Proposition 5.1, 5.2, 5.3, we can obtain the accuracy comparing single biometrics. Both the biometric fusion model

and the MN-split model can increase the encryption/decryption accuracy. But while the FRR is decreased, the FAR is largely increased in the nonsplit model. That is the same as in the package model, in which the FRR is increased with a decreased FAR. The accuracy comparison between the multi and unibiometric cryptosystem is shown in the third and fourth column of Table VIII. We also provide a comparison of the models based on flexibility including three factors: scalability (the ability of an MBC to add or remove biometrics), feature consistency (the different biometric vectors or sets that should be converted into an identical feature space), and convenience (whether the model is convenient for application), as shown in Table VIII.

On the whole, when the threshold is big enough, the biometric level fusion may provide higher security than the fusion models at the cryptographic level. However, different biometric sources such as fingerprint and iris may have incompatible features and different feature spaces. That makes it difficult to concatenate different features. Meanwhile, it is hard to extend the biometric system, such as adding or canceling a biometric source. Those disadvantages make it inconvenient for application deployment. Although the MN-split model has the lowest level of the privacy of the four models, it can achieve optimal performance with flexibility. Moreover, the MN-split model can easily combine different biometric algorithms that utilize various measures, such as hamming distance and edit distance, for biometric encryption. We can enhance or improve the security, privacy and accuracy using mere parameter selection without redesigning the whole system. In the nonsplit model, because any one of inputted biometrics may restore the secret, nonsplit model makes the security of system lower than other methods. But it has the best flexibility for practice. If a system does not require high security, a lower FRR with high FAR may be more useful in some cases. For example, this model can be applied to sharing a secret in a group using each individual’s biometrics. The package model has the same characteristics as the biometric fusion model except for the FAR and the feature consistency. This model leads to a higher FRR than the single biometrics.

TABLE VI SECURITY COMPARISON OF VARIOUS MBC MODELS ($n \le |Z| < m$)

TABLE VII ACCURACY COMPARISON OF VARIOUS MBC MODELS

TABLE VIII COMPARISON OF VARIOUS MBC MODELS

VII. CONCLUSION

Unibiometric cryptosystems combine cryptography and biometrics to benefit from high security levels provided by cryptography and nonrepudiation brought by biometrics. Without storing sensitive data by means of plaintexts, a biometric cryptosystem provides a secure method for secret protection and enhances the privacy of individual biometrics. However, feature

alignment, quantization and other factors degrade the accuracy of biometric cryptosystem. Spoof attacks that commonly existed in biometric systems also seriously threaten the security and privacy. This paper proposed a cryptosystem, namely the MBC, which is superior to the use of the unibiometric cryptosystem in different applications, due to integration of multiple biometrics for encryption. In this paper, the MBC is formally defined to integrate multiple biometric traits to protect a secret with two fusion levels, the biometric level and the cryptographic level. There are four model structures or methods presented to meet requirements of different applications at those two levels. By comparing with the entropy of single biometrics, the lower bound of biometrics and secret is given and proved using Shannon conditional entropy. The accuracy is rigorously analyzed using FAR/FRR and


demonstrated by examples. Finally, a comparison on the relative advantages and disadvantages of the proposed models is discussed. From the comparison, we can see that each MBC model, either modeled at the biometric level or at the cryptographic level, has its strengths and weaknesses. No single model is expected to be optimal to meet all the requirements of factors, such as privacy, security, accuracy, and flexibility. In practice, performance improvements can be achieved only if the right architecture is selected.
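The accuracy trade-offs stated for the three cryptographic-level models (Theorems 5.4, 5.8 and 5.12) can be checked numerically. The Python sketch below is an added example, not code from the paper: it assumes every biometric's decryption succeeds or fails independently and uses the standard n-out-of-m, OR and AND fusion formulas, which may differ in detail from the paper's own expressions. The per-biometric FAR/FRR values and all function names are constructed for illustration and are not taken from Table II.

```python
from math import prod


def prob_at_least(probs, k):
    """P(at least k of the independent events occur), by dynamic programming."""
    dist = [1.0]                       # dist[j] = P(exactly j events so far)
    for p in probs:
        nxt = [0.0] * (len(dist) + 1)
        for j, q in enumerate(dist):
            nxt[j] += q * (1.0 - p)    # this event does not occur
            nxt[j + 1] += q * p        # this event occurs
        dist = nxt
    return sum(dist[k:])


def mn_split(far, frr, n):
    """MN-split model: the secret is restored when at least n pieces decrypt."""
    if len(far) != len(frr) or not 1 <= n <= len(far):
        raise ValueError("need one FAR/FRR pair per biometric and 1 <= n <= m")
    # An impostor is accepted when at least n of the m decryptions succeed.
    system_far = prob_at_least(far, n)
    # A genuine user is rejected when fewer than n decryptions succeed.
    system_frr = 1.0 - prob_at_least([1.0 - r for r in frr], n)
    return system_far, system_frr


def nonsplit(far, frr):
    """Nonsplit model (OR rule): any single successful decryption suffices."""
    return 1.0 - prod(1.0 - a for a in far), prod(frr)


def package(far, frr):
    """Package model (AND rule): every layer must decrypt successfully."""
    return prod(far), 1.0 - prod(1.0 - r for r in frr)


def compare(far, frr):
    """Return {model name: (FAR, FRR)} for all three models and every n."""
    rows = {"nonsplit (OR)": nonsplit(far, frr),
            "package (AND)": package(far, frr)}
    for n in range(1, len(far) + 1):
        rows[f"MN-split n={n}"] = mn_split(far, frr, n)
    return rows


# Constructed sample error rates for three hypothetical biometrics.
SAMPLE_FAR = [0.01, 0.02, 0.05]
SAMPLE_FRR = [0.10, 0.05, 0.20]

if __name__ == "__main__":
    for name, (a, r) in compare(SAMPLE_FAR, SAMPLE_FRR).items():
        print(f"{name:16s} FAR={a:.5f} FRR={r:.5f}")
```

With these sample rates the 2-out-of-3 split lowers both error rates below those of the best single biometric, while the OR and AND rules each trade one error rate for the other, matching the qualitative conclusions of Examples 1 to 3.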

APPENDIX

A) Proofs for MBC at Biometric Level:

A.1) Proof of Theorem 4.1: Proof: By theorem 3.1, we know . Set and are independent, and

. Since , then we have with the equality iff and given . Set

Therefore, The equality holds iff and are conditionally independent given . Thus, . Therefore, we obtain . When is disclosed, we can consider the secret is encrypted by biometric that is the only random variable for an impostor, and is only determined by . Then the mutual information between and is relative to the mutual information between and . There is entropy loss of when is integrated with to . Thus, given the mutual information between and is less than or equal to . Then we have .

A.2) Proof of Theorem 4.2: Proof: We know that given , the secret can be obtained using the decryption algorithm. Therefore, given , . Then . On the other hand, since the mutual entropy . We then get . For a biometric encryption/decryption algorithm, given , we can uniquely determine , then . On the other hand, if is uniquely determined by and , then . It is quite obvious that . Therefore, . As a consequence, if can determine , the entropy is equal to under the condition of disclosed.

A.3) Proof of Theorem 4.3: Proof: Since , if , then an impostor can decrypt using to get . Therefore, If . If , the loss entropy from is . That is to say, to attack , an impostor guesses only bits to break the cryptosystem. Therefore, when and are disclosed , if , the entropy of is determined by .

B) Proofs for MBC at Cryptographic Level:

B.1) Proof of Theorem 5.1: Proof: According to Theorem 3.1, given and some broken biometrics , we can obtain the equation . In the construction of the MN-split model over a universe , since , then

are conditionally independent , then we have . On the other hand, because , then , , thus . As a consequence, we have the entropy and .

B.2) Proof of Theorem 5.2: Proof: Since , then , and . For the biometric encryption/decryption algorithm, given , using the decryption algorithm, we can determine , or , then . Meanwhile, if given , we can determine , then , . Therefore, or .

B.3) Proof of Theorem 5.3: Proof: Since , if , then an impostor can decrypt using to get . Therefore, If , . If , to attack , an impostor guesses only biometric traits to break the cryptosystem. Therefore, when and are disclosed , he can select biometrics from , in which the sum of the biometric entropy is minimal. Without a loss of generality, let the combination be . To attack , the minimum entropy is .

B.4) Proof of Theorem 5.4: Proof: If an impostor wishes to get the secret, he/she must successfully decrypt at least ciphertexts that are encrypted by corresponding biometrics. Then let random event occur such that the decryption algorithm outputs . We suppose that an impostor successfully decrypts the key using arbitrary biometrics , which correspond to events . Therefore, we can obtain following equations:

Since a legitimate user is rejected when biometrics are inputted, there is at most biometrics that can be used successfully for decryption. That is to say, at least decryption algorithms output . Therefore, let random event be that the decryption algorithm outputs . We can suppose that a legitimate user unsuccessfully decrypts the key using arbitrary biometrics corresponding to events . Then we can get

As a consequence, , , where is the FAR of and is the FRR of , and is a randomly selected biometric.

B.5) Proof of Theorem 5.5: Proof: By theorem 3.1, we know the entropy . In the construction of the nonsplit model over a universe , since , then we get the equation shown at the bottom of the page. When

When

When ,

Therefore, we can obtain .

B.6) Proof of Theorem 5.6: Proof: In this model, because , then . Therefore, when any biometric is compromised, the secret can be broken if is disclosed. Then we have .

B.7) Proof of Theorem 5.7: Proof: If , then an impostor can decrypt using to get , where . Therefore, if , . If , to attack , an impostor guesses only one of the biometric traits to break the cryptosystem. When and are disclosed , he can select the biometric that the entropy is minimal to attack . Therefore, is determined by .

B.8) Proof of Theorem 5.8: Proof: If a genuine user obtains an error output, all biometrics can not make the corresponding decryption algorithm output correct secret. But if an impostor wishes to get the secret, he/she only need to successfully decrypt one ciphertext that is encrypted by corresponding biometrics. Then let random event be that the decryption algorithm outputs

and random event is that the decryption algorithm outputs . Therefore, we can obtain following equations.

and

Then, , , where is the FAR of and is the FRR of .

B.9) Proof of Theorem 5.9: Proof: By theorem 3.1, we know . From the model, we have . Then can be uniquely determined by . Therefore

As a consequence, we have , where

With equality iff uniquely determines , then

Therefore, .

B.10) Proof of Theorem 5.10: Proof: We know . Since is uniquely determined by , then

Since entropy is uniquely determined from and , then . As a result, we have .

B.11) Proof of Theorem 5.11: Proof: If , then an impostor gets to know all biometrics and can decrypt to get . Therefore, if , . If , to attack , an impostor must guess the rest biometric traits to break the cryptosystem. Then, when and are disclosed, he must guess at least bits. Therefore, is determined by .

B.12) Proof of Theorem 5.12: Proof: A genuine user obtains an error output if any one of biometrics outputs an incorrect secret, and if an impostor wishes to get the secret, he/she must successfully decrypt all ciphertexts that are encrypted by corresponding biometrics. Let random event be that the decryption algorithm outputs and random event is that the decryption algorithm outputs . Therefore, we can obtain following equations:

and

, is the FAR of and is the FRR of .

ACKNOWLEDGMENT

The authors would like to thank the anonymous reviewers for their valuable comments.

REFERENCES

[1] D. Gafurov and E. Snekkenes, “Spoof attacks on gait authentication system,” IEEE Trans. Inf. Forensics Security, vol. 2, no. 3, pp. 491–502, Sep. 2007. [2] Q. Xiao, “Security issues in biometric authentication,” in Proc. IEEE Workshop Inf. Assurance Security, New York, Jun. 2005, pp. 8–13. [3] R. Cappelli, A. Lumini, D. Maio, and D. Maltoni, “Finger image reconstruction from standard templates,” IEEE Trans. Pattern Anal. Mach. Intell., vol. 29, no. 9, pp. 1489–1503, Sep. 2007. [4] A. Ross, J. Shah, and A. K. Jain, “From template to image: Reconstructing fingerprints from minutiae points,” IEEE Trans. Pattern Anal. Mach. Intell., vol. 29, no. 4, pp. 544–560, Apr. 2007. [5] A. Adler, “Can images be regenerated from biometric templates,” in Proc. Biometr. Consortium Conf., Washington, D.C., Sep. 2003. [6] R. M. Bolle, J. H. Connel, and N. K. Ratha, “Biometric perils and patches,” Pattern Recogn., vol. 35, no. 12, pp. 2727–2738, Dec. 2002. [7] N. K. Ratha, J. Connell, R. M. Bolle, and S. Chikkerur, “Cancelable biometrics: A case study in fingerprints,” in Proc. 18th Int. Conf. Pattern Recogn., Hong Kong, China, Aug. 2006, pp. 370–373. [8] L. Hong, A. K. Jain, and S. Pankanti, “Can multibiometrics improve performance,” in Proc. AutoID, NJ, Oct. 1999, pp. 59–64. [9] A. K. Jain, A. Ross, and S. Pankanti, “Biometrics: A tool for information security,” IEEE Trans. Inf. Forensics Security, vol. 1, no. 2, pp. 125–143, Jun. 2006. [10] A. Ross and A. K. Jain, “Information fusion in biometrics,” Pattern Recogn. Lett., vol. 24, no. 13, pp. 2115–2125, Sep. 2003. [11] A. Rattani, D. R. Kisku, M. Bicego, and M. Tistarelli, “Feature level fusion of face and fingerprint biometrics,” in IEEE Int. Conf. Biometrics: Theory, Appl., Syst. (BTAS), Washington, DC, Sep. 2007, pp. 27–29.


[12] C. Soutar, D. Roberge, A. Stoianov, R. Gilroy, and B. V. K. V. Kumar, “Biometric encryption,” in ICSA Guide to Cryptography, R. K. Nichols, Ed. New York: McGraw-Hill, 1999, ch. 22. [13] A. Cavoukian and A. Stoianov, “Biometric encryption: A positive-sum technology that achieves strong authentication, security and privacy”, Tech. Rep. Information and Privacy Commissioner, Ontario, Canada, 2007 [Online]. Available: www.ipc.on.ca [14] U. Uludag, S. Pankanti, S. Prabhakar, and A. K. Jain, “Biometric cryptosystems: Issues and challenges,” Proc. IEEE, vol. 92, no. 6, Jun. 2004. [15] K. Nandakumar, “Multibiometric systems: Fusion strategies and template security,” Ph.D. thesis, Dept. Computer Science and Engineering, Michigan State Univ., East Lansing, MI, 2008. [16] C. C. Chibelushi, J. S. D. Mason, and F. Deravi, “Feature-level data fusion for bimodal person recognition,” in Proc. 6th Int. Conf. Image Process. Appl., Dublin, Ireland, Jul. 1997, vol. 1, pp. 399–403. [17] B. Son and Y. Lee, “Biometric authentication system using reduced joint feature vector of iris and face,” in Proc. 5th Int. Conf. Audio and Video-Based Biometric Person Authent., Rye Brook, NY, Jul. 2005, pp. 513–522. [18] S. C. Dass, K. Nandakumar, and A. K. Jain, “A principled approach to score level fusion in multimodal biometric systems,” in Proc. 5th Int. Conf. Audio and Video-Based Biometric Person Authent., Rye Brook, NY, Jul. 2005, pp. 1049–1058. [19] K. Veeramachaneni, L. A. Osadciw, and P. K. Varshney, “An adaptive multimodal biometric management algorithm,” IEEE Trans. Syst., Man Cybern. C, Appl. Rev., vol. 35, no. 3, pp. 344–356, Aug. 2005. [20] K. A. Toh and W. Y. Yau, “Combination of hyperbolic functions for multimodal biometrics data fusion,” IEEE Trans. Syst., Man Cybern. B, Cybern., vol. 34, no. 2, pp. 1196–1209, Apr. 2004. [21] A. Juels and M. Wattenbeg, “A fuzzy commitment scheme,” in Proc. 6th ACM Conf. Comput. Commun. Security, Singapore, 1999, pp. 28–36. [22] A. Jules and M. 
Sudan, “A fuzzy vault scheme,” Designs, Codes Cryptogr., vol. 38, no. 2, pp. 237–257, Feb. 2006. [23] U. Uludag, S. Pankanti, and A. K. Jain, “Fuzzy vault for fingerprints,” in AVBPA2005: Audio- and Video-Based Biometric Person Authentication. New York: Springer, 2005, vol. 3546, pp. 310–319. [24] K. Nandakumar, A. K. Jain, and S. Pankanti, “Fingerprint-based fuzzy vault: Implementation and performance,” IEEE Trans. Inf. Forensics Security, vol. 2, no. 4, pp. 744–757, Dec. 2007. [25] F. Hao, R. Anderson, and J. Daugman, “Combining crypto with biometrics effectively,” IEEE Trans. Comput., vol. 55, no. 9, pp. 1081–1088, Sep. 2006. [26] Y. Dodis, R. Ostrovsky, L. Reyzin, and A. Smith, “Fuzzy extractors: How to generate strong keys from biometrics and other noisy data,” in Proc. Eurocrypt, 2004, pp. 523–540. [27] X. Boyen, “Resuable cryptographic fuzzy extractor,” in Proc. ACM Conf. Computer and Communications Security, Washington, DC, Oct. 2004, pp. 82–91. [28] W. J. Scheirer and T. E. Boult, “Cracking fuzzy vaults and biometric encryption,” in Proc. IEEE Biometr. Symp., Baltimore, MD, Sep. 2007, pp. 1–6. [29] A. Kholmatov and B. Yanikoglu, “Realization of correlation attack against the fuzzy vault scheme,” in Proc. SPIE, 2008, vol. 6819, pp. 68190O–68190O-7. [30] J. D. Golic and M. Baltatu, “Entropy analysis and new constructions of biometric key generation systems,” IEEE Trans. Inf. Theory, vol. 54, no. 5, pp. 2026–2040, May 2008. [31] U. Dieckmann, P. Plankensteiner, R. Schamburger, B. Froba, and S. Meller, “SESAM: A biometric person identification system using sensor fusion,” in Proc. 1st Int. Conf. Audio- and Video-Based Biometric Person Authentication, 1997, vol. 1206, LNCS, pp. 301–310. [32] Y. Sutcu, Q. Li, and N. Memon, “Secure biometric templates from fingerprint-face features,” in Proc. CVPR Workshop on Biometr., Minneapolis, MN, Jun. 2007, pp. 1–6. [33] K. Nandakumar and A. K. Jain, “Multibiometric template security using fuzzy vault,” in Proc. IEEE Int. 
Conf. Biometrics: Theory, Applications and Systems, Arlington, VA, Sep. 2008, pp. 1–6. [34] E. Camlikaya, A. Kholmatov, and B. Yanikoglu, “Multimodal biometric templates for verification using fingerprint and voice,” in SPIE Defense Security: Biometr. Technol. Human Identif. V, Orlando, FL, Mar. 2008. [35] B. Yanikoglu and Kholmatov, “Combining multiple biometrics to protect privacy,” in Proc. ICPR-BCTP Workshop, Cambridge, England, Aug. 2004.

Bo Fu received the M.S. degree in computer science and engineering in 2005 from the University Electronic Science and Technology of China. He is currently pursuing the Ph.D. degree in information security with the University Electronic Science and Technology of China. He joined the Advanced Robotics and Intelligent Systems (ARIS) Lab, University of Guelph, Canada, during 2007–2008 as a visiting scholar. His research interests include cryptography, biometric recognition, and wavelet analysis.

Simon X. Yang (S’97–M’99–SM’08) received the B.Sc. degree in engineering physics from Beijing University, China, in 1987, the first of two M.Sc. degrees in biophysics from Chinese Academy of Sciences, Beijing, in 1990, the second M.Sc. degree in electrical engineering from the University of Houston, TX, in 1996, and the Ph.D. degree in electrical and computer engineering from the University of Alberta, Edmonton, Canada, in 1999. He joined the School of Engineering, University of Guelph, Canada, in 1999. Currently, he is a Professor and the Head of the Advanced Robotics and Intelligent Systems (ARIS) Laboratory, University of Guelph. His research interests include intelligent systems, robotics, sensors and multisensor fusion, wireless sensor networks, control systems, soft computing, and computational neuroscience. Prof. Yang serves as an Associate Editor of the IEEE TRANSACTIONS OF NEURAL NETWORKS, IEEE TRANSACTIONS ON SYSTEMS, MAN, AND CYBERNETICS, PART B, International Journal of Robotics and Automation, and serves as an Associate Editor or Editorial Member of several other journals. He has been involved in the organization of many conferences. He is the General Chair of the 2006 International Conference on Sensing, Computing, and Automation.

Jianping Li received the M.S. degree in computing mathematics and the M.E. degree in soft engineering from Xi’An Jiaotong University in 1989, and the Ph.D. degree in computer science from Chongqing University in 1998. As a visiting scholar, he visited some famous universities around the world during 1999–2006. He is the author and/or coauthor of 18 books on subjects ranging from wavelet analysis and its applications to computer science, and has published more than 200 technical papers. His current interests include wavelet theory and applications, fractal, image processing, pattern recognition, electronic commerce, and information security. Dr. Li is the General Chairman of the First Conference on Wavelets Analysis and Its Applications to Signal Processing of China (2000), the Associate Chairman of the Second International Conference on Wavelet Analysis and Its Applications in Hong Kong (Hong Kong Baptist University, 2001), the Chairman of the International Computer Congress 2004 (ICC04), Chairman of the Second International Conference on Active Media Technology (ICAMT04), Chairman of the International Conference 2007 on Information Computing and Automation (ICICA07), and the Chairman of ICACIA08.

Dekun Hu received the M.S. degree from the University Electronic Science and Technology of China, Sichuan, in 2005. He is currently pursuing the Ph.D. degree in signal processing with the School of Computer Science and Engineering. He spent one year (2007–2008) with the Advanced Robotics and Intelligent Systems (ARIS) Lab, University of Guelph, Canada, working on object recognition algorithms. His research interests include object recognition and Internet content audit.
