Document not found! Please try again

Proposal of a Transformation Method for Iris Codes ... - Semantic Scholar

3 downloads 0 Views 306KB Size Report
The authors are with KDDI R&D Laboratories, Inc.,. Kamifukuoka-shi, 356-8502 Japan. a) E-mail: [email protected] the enrolled biometric data and the verified ...
IEICE TRANS. FUNDAMENTALS, VOL.E88–A, NO.1 JANUARY 2005

287

PAPER

Special Section on Cryptography and Information Security

Proposal of a Transformation Method for Iris Codes in Iris Scanning Verification Haruki OTA†a) , Shinsaku KIYOMOTO† , and Toshiaki TANAKA† , Members

SUMMARY In this paper, we propose a transformation function for a user’s raw iris data, an “iris code” in iris scanning verification on the server, since the iris code requires to be hidden from even a server administrator. We then show that the user can be properly authenticated on the server, even though the iris code is transformed by the proposed function. The reason is that the function has a characteristic, “The (normalized) Hamming distances between the enrolled iris codes and the verified iris codes are conserved before and after the computation of the function,” that is, the normalized Hamming distance in this scheme is equal to that in the existing scheme. We also show that the transformed iris code is sufficiently secure to hide the original iris code, even if a stronger attack model is supposed than the previously described model. That can be explained from the following two reasons. One reason is that nonlinear function, which consists of the three-dimensional rotation about the x-axis and the y-axis with the iris code lengthened bit by bit, and the cyclic shift, does not enable an attacker to conjecture the iris code. The other reason is that the success probabilities for the exhaustive search attack concerning the iris code in the supposed attack models are lower than those of the previously proposed methods and are negligible. key words: iris scanning verification, iris code, transformation function, hiding, exhaustive search attack

1.

Introduction

Biometric authentication is one of the personal identification scheme based on individual physical or behavioral characteristics, while the others are based on one’s knowledge or one’s possession. Biometrics, such as fingerprint, face, iris, and so on, used in biometric authentication cannot be changed. Hence, biometric data extracted from biometrics should be kept securely to prevent theft. Up to now, two types of biometric authentication models are proposed: local authentication model and remote authentication model. In the former model, biometric data is verified on the user side. Hence, biometric data is usually kept and properly verified in tamper-resistant module, such as an IC card [1]–[3]. In the latter model, biometric data is verified on the server side. Hence, biometric data requires to be securely sent to the server. Even if the biometric data are encrypted on the network, their ciphertexts should be decrypted on the server in the verification process. That means that a server administrator could easily obtain the biometric data of users and use them inappropriately. If the verified biometric data are always identical to the enrolled biometric data, they could be verified in the encrypted form on the server. However, Manuscript received March 23, 2004. Manuscript revised July 9, 2004. Final manuscript received August 30, 2004. † The authors are with KDDI R&D Laboratories, Inc., Kamifukuoka-shi, 356-8502 Japan. a) E-mail: [email protected]

the enrolled biometric data and the verified biometric data are not exactly the same in biometric authentication, even if they are captured from the same person. If the matching score between both the data is equal to or greater than the stated threshold, the person with the verified data is regarded as the person with the enrolled data. Some methods solving this problem were proposed for fingerprint authentication [4]–[6], which are imperfect on propriety or impractical. On the other hand, we previously proposed different methods from the above for iris scanning verification [7]. In this paper, we propose a transformation method for the user’s raw iris data, an “iris code” in iris scanning verification on the server. We first consider the method to transform it into another code. It is essential for this method to conserve the normalized Hamming distance between the enrolled iris code and the verified iris code. We then show that the user can be properly authenticated on the server, even though his/her iris code is transformed by the proposed method. We also show that the transformed iris code is sufficiently secure to hide the original iris code, even if a stronger attack model is supposed than in the literature [7]. The rest of this paper is organized as follows: we propose the transformation method for the iris code to solve the problem concerning the existing iris scanning verification scheme and explain an iris scanning verification scheme using this method in Sect. 2, we show that the method described in Sect. 2 is valid on propriety in Sect. 3 and on security in Sect. 4 respectively, we offer our conclusion in Sect. 5, and we show simple simulation results concerning processing time in Appendix. 2.

Proposed Method

This section proposes the method to transform the iris code by considering the problem concerning the existing iris scanning verification scheme, and explains the iris scanning verification scheme using this method. 2.1 Problem of Existing Scheme This subsection explains the problem of the existing iris scanning verification scheme. The normalized Hamming distance between the enrolled iris code and the verified iris code of the user is computed on the server administrator side. The user is regarded as either “himself/herself” or one of “others,” which depends on the relation of the computed value and a threshold.

c 2005 The Institute of Electronics, Information and Communication Engineers Copyright 

IEICE TRANS. FUNDAMENTALS, VOL.E88–A, NO.1 JANUARY 2005

288

This threshold is stated by the server administrator, considering false rejection rate (FRR) and false acceptance rate (FAR). The FRR denotes the rate of that “himself/herself” is regarded as one of “others” with error, and the FAR denotes the rate of that one of “others” is regarded as “himself/herself” with error. For the general iris scanning verification scheme, see the literature [8], [9]. The iris code can be hidden by the conventional encryption function or the existing hash function on the network, when it is sent to the server. The encrypted iris code or the hash digest of the iris code, however, does not enable the user to be properly authenticated on the server, since the (normalized) Hamming distances between the enrolled iris codes and the verified iris codes are not conserved before and after the computation of the encryption function or the hash function. Hence, the iris code requires to be used in the verification process, without transforming it by the encryption function or the hash function. Then, the server administrator could easily obtain the iris codes of users and impersonate them, in case that the same iris scanning verification scheme is made use of on other servers. The iris codes require to be properly hidden in the verification process. We previously proposed two methods to transform the iris code: the exclusive-or function and the permutation function [7]. We propose the secure transformation function of the iris code, even if the stronger attack model is supposed than in the literature [7], in Sect. 2.2. 2.2 Proposal of Transformation Method This subsection explains the method to transform the iris code. The transformation function for the iris code meets the following two requirements. Requirement 1: The (normalized) Hamming distances between the enrolled iris codes and the verified iris codes are conserved before and after the computation of the function.  Requirement 2: The iris code cannot be simply conjectured from the transformed iris code. 

Fig. 1

Block diagram of one processing in the transformation function.

R j = (u j u j z j θ j ϕ j e j d j ),

(1)

u j, u j, e j ∈ X

(2)

θ j, ϕ j ∈ X , z j , d j ∈ X, 2

log2 n

,

(3) (4)

using the assured random number generating algorithm. We assume that the generated random sequences, which play a role in keys for the transformation, are kept securely from others and are distinct for respective servers in which the iris codes are enrolled. The length of the random sequence is decided by respective steps of the procedure and n repetitions of these steps, as described later. 2. Set j = 1. Let j = j + 1 in the following steps 4 – 7, and repeat these steps while j ≤ n. 3. Transform the n-bit iris code X into an (n + j − 1)dimensional vector W n+ j−1 = (W1 , · · · , Wn+ j−1 ) (∈ Rn+ j−1 ) and a temporary (n + j)-dimensional vector  n+ j ) respectively, W  n+ j = (W1 , · · · , Wn+ j−1 , 0) (∈ R such that  1    for Xi = 1 √  Wi   3  = 1 Wi     for Xi = 0 −√ 3 (i = 1, · · · , n + j − 1), (5)

The iris code X = (X1 · · · Xn ) (∈ Xn ) is transformed according to the following procedure, where X = {0, 1}. The length n of the iris code is usually 2048 bits [10], [11] or 4096 bits [12], but the 4096-bit iris code consists of the 2048-bit iris code and its mask code of 2048 bits [12], and the following method cannot be simply applied to the 4096bit iris code. Then, we suppose only the 2048-bit iris code in this paper. See Fig. 1.

where R denotes the set of real numbers. 4. Extract two elements W[u j ]10 +1 , W[u j ]10 +1 from the (n+ j− 1)-dimensional vector W n+ j−1 respectively, transform a random bit z j into Wn+ j , such that  1    for z j = 1 √    3 (6) Wn+ j =   1    for z j = 0  −√ 3

1. Generate (3 log2 n + 6)n-bit random sequence R = (R1 · · · R j · · · Rn ) (R j ∈ X(3 log2 n+6) , j = 1, · · · , n), where

and compose a three-dimensional vector (W[u j ]10 +1, W[u j ]10 +1 , Wn+ j ), where [a]10 denotes the decimal number of a.

OTA et al.: PROPOSAL OF A TRANSFORMATION METHOD FOR IRIS CODES IN IRIS SCANNING VERIFICATION

289

5. Rotate the three-dimensional vector (W[u j ]10 +1 , W[u j ]10 +1 , Wn+ j ) by the angle 90 · [θ j ]10 (in short, θ j [deg]) about the x-axis and by the angle 90·[ϕ j ]10 (in short, ϕ j [deg]) about the y-axis respectively, and obtain a transformed   , W[u j ]10 +1 , Wn+ three-dimensional vector (W[u j ). j ]10 +1 That is,       W[u j ]10 +1   W[u j ]10 +1   W    = HG  W (7)  [u j ]10 +1   [u j ]10 +1  ,  W Wn+ n+ j j where the rotation matrices G about the x-axis and H about the y-axis are   0 0   1 (8) G =  0 cos θ j − sin θ j  0 sin θ j cos θ j and   cos ϕ j 0 H =  − sin ϕ j

0 sin ϕ j 1 0 0 cos ϕ j

   , 

as MD5 (Message Digest 5) [13], SHA-1 (Secure Hash Algorithm 1) [14] and SHA-2 (SHA-256, SHA-384 and SHA512) [15]. These existing hash functions have a characteristic that even if the difference between two sequences is only 1 bit, the difference between the k-bit hash digests of these sequences approximately becomes (k/2) bits. Hence, the Hamming distances between both the iris codes are not conserved before and after the computation of the hash function at all. On the other hand, the proposed transformation function has the characteristic that the difference between two sequences is equal to that between the transformed sequences. Thereby, the Hamming distances between the enrolled iris codes and the verified iris codes are completely conserved before and after the computation of the transformation function. We explain the iris scanning verification scheme using the above function, in Sect. 2.3. 2.3 Iris Scanning Verification Scheme

(9)

This subsection explains the iris scanning verification scheme employing the function defined in Definition 1.

respectively. 6. Return the transformed three-dimensional vector   , W[u j ]10 +1 , Wn+ (W[u j ) to the temporary (n + j)j ]10 +1  dimensional vector W n+ j such as corresponding with the indices. 7. Cyclically shift the temporary (n + j)-dimensional vector W  n+ j by ([e j ]10 + 1) bits such that leftward for d j = 1 , (10) rightward for d j = 0

We explain the scheme using the transformation function in Definition 1 under the following two procedures: the enrollment procedure and the verification procedure. See Fig. 2. In addition, another function can be defined as follows.

and obtain the (n + j)-dimensional vector W n+ j . 8. Transform the 2n-dimensional vector W 2n obtained by repeating the steps 4 – 7 into a new iris code X =  ) (∈ X2n ) such that (X1 · · · X2n  1    1 for Wi = √     3 Xi =   1     0 for Wi = − √ 3 (i = 1, · · · , 2n).

(11)

X obtained by the above procedure is the transformed iris code. This transformation can be defined as the following function. Definition 1: For the n-bit iris code and the (3 log2 n + 6)nbit random sequence, the function f that outputs the 2n-bit transformed iris code is defined as f :X ×X n

(3 log2 n+6)n

→X . 2n

Definition 2: Let k be the server’s public key. For the 2nbit transformed iris code and a 2n-bit challenge code, the public key encryption function Ek that outputs a 2n-bit sequence is defined as Ek : X2n × X2n → X2n .

(13) 

The enrollment procedure in this scheme is shown as follows. The method that gives the iris code is based on that described in the literature [10], [11], but discussion regarding its security is beyond the scope of this paper. (1) When a user sends an enrollment request to the server, he/she receives the 2n-bit challenge code c = (c1 · · · c2n ) (∈ X2n ) the server has generated. (2) His/her iris code is given using the method described in the literature [10], [11]. It is then confirmed that his/her eyes are the vital human ones. (3) For the n-bit iris code A = (A1 · · · An )(∈ Xn ), the (3 log2 n+6)n-bit random sequence R is generated, and the transformed iris code A = (A1 · · · A2n ) (∈ X2n ) is computed as A = (A1 · · · A2n ) = f ( A, R).

(14)

(12) 

Many hash algorithms have been proposed so far, such

(4) The transformed iris code A is encrypted into Ek ( A , c), and the ciphertext is sent to the server, together with an ID prepared by him/her. The iris code A,

IEICE TRANS. FUNDAMENTALS, VOL.E88–A, NO.1 JANUARY 2005

290

Fig. 2

The enrollment procedure and the verification procedure in this scheme.

the transformed iris code A , the ciphertext Ek ( A , c) of the transformed iris code and the challenge code c are then all deleted on the user side. The generated random sequence R is kept securely. (5) The ciphertext Ek ( A , c) of the transformed iris code and the ID sent by him/her are enrolled within a template in the database of the server. The verification procedure in this scheme is shown as follows. (1) When the user sends a verification request to the server, he/she receives the 2n-bit challenge code c = (c1 · · · c2n ) (∈ X2n ) the server has generated. (2) His/her iris code is given by the method such as the step (2) of the enrollment procedure. (3) For the n-bit iris code B = (B1 · · · Bn )(∈ Xn ), the transformed iris code B = (B1 · · · B2n )(∈ X2n ) is computed as B = (B1 · · · B2n ) = f (B, R),

(15)

using the same R as the enrollment procedure. (4) The transformed iris code B is encrypted into Ek (B , c ), and the ciphertext is sent to the server, together with the ID prepared in the step (4) of the enrollment procedure. The iris code B, the transformed iris code B , the ciphertext Ek (B , c ) of the transformed iris code and the challenge code c are then all deleted on the user side. (5) The ciphertext Ek ( A , c) of the enrolled transformed iris code is obtained from the database of the server using the ID as search key, and is decrypted into the

enrolled transformed iris code A . The ciphertext Ek (B , c ) of the verified transformed iris code sent by him/her is decrypted into the verified transformed iris code B . The normalized Hamming distance HDpro between both the transformed iris codes is computed on the server, such that 1  = (A ⊕ Bj ), n j=1 j 2n

HDpro

(16)

where ⊕ denotes the exclusive-or operation. The enrolled transformed iris code A , the verified transformed iris code B and the ciphertext Ek (B , c ) of the verified transformed iris code are then all deleted on the server side. (6) If the normalized Hamming distance HDpro is equal to or less than the stated threshold, the user is regarded as “himself/herself”; otherwise, one of “others.” The iris code of the user is not known to others, since it is transformed by the function f , when it is sent to the server and verified on the server. Furthermore, the challengeresponse method is introduced between the server and the user to prevent the replay attack in case that the transformed iris code is illegally captured on the network. It is confirmed that his/her eyes are the vital human ones, when the iris code is given using the method described in the literature [10], [11]. The vital reaction is detected according to uncontrolled oscillations in pupillary dilation [10]. We assume that the detected information cannot be misused by the server administrator. We show that the transformation function is valid in

OTA et al.: PROPOSAL OF A TRANSFORMATION METHOD FOR IRIS CODES IN IRIS SCANNING VERIFICATION

291

terms of propriety and security in Sect. 3 and in Sect. 4 respectively. We also show the processing time for the existing scheme and the proposed scheme on simulation basis in Appendix. 3.

Propriety of Transformation Function

This section shows that the user can be properly authenticated on the server, even if his/her iris code is transformed by the function f . 3.1 Propriety of Three-Dimensional Rotation This subsection explains two points in the three-dimensional rotation. We now consider the transformation function f concerning propriety. The remarkable point is Requirement 1 of the transformation function, that is, “The (normalized) Hamming distances between the enrolled iris codes and the verified iris codes are conserved before and after the computation of the function.” The n three-dimensional rotations about the x-axis and the y-axis are used to transform the nbit iris code into the 2n-bit transformed iris code. Propriety of the three-dimensional rotation can be shown from the following two points for the enrolled iris code and the verified iris code. Point 1: The relation of 3-bit value and eight equal areas into which a sphere is divided, where the 3-bit value is composed from the 2-bit iris code and a random bit.  Point 2: The setting of the angles in the three-dimensional rotation.  Point 1 is explained as follows. First, there are eight kinds of the three-dimensional vectors, which correspond to the 2bit iris codes and the random bits, namely the 3-bit values in total, on the three-dimensional sphere of radius 1√with center √ at the√origin. That is, these vectors denote (±1/ 3, ±1/ 3, ±1/ 3) for all combinations of plus and minus signs. The three-dimensional sphere is divided into the eight equal areas concerning positive and negative of the x-coordinate, the y-coordinate and the z-coordinate. These divided eight areas and the eight kinds of the vectors are one-to-one correspondence, since the respective areas include the respective distinct vectors. Next, consider arbitrary two kinds of the three-dimensional vectors, which correspond to the enrolled iris code and the verified iris code respectively. The location of the two areas that include the two kinds of the vectors is any of the same area, adjacent areas, alternate areas, and otherwise. Also, the respective locations relate to the numbers of different elements for the two kinds of the vectors, which are equal to the Hamming distances between the two kinds of the original 3-bit values. Hence, the Hamming distances between the two kinds of the 3-bit values relate to the locations of two areas, such that 0 ⇔ the same area, 2 ⇔ alternate areas,

1 ⇔ adjacent areas, 3 ⇔ otherwise.

(17)

This point corresponds to Eqs. (5), (6) and (11) of the steps 3, 4 and 8 respectively, in the procedure of the transformation function in Sect. 2.2. Point 2 is explained as follows. There are the eight kinds of the three-dimensional vectors, as described in Point 1. When the respective vectors are rotated about the x-axis and the y-axis respectively, both the rotational angles are set such that the obtained vector is also any of the eight kinds of the vectors. That is, these angles denote 0 [deg], 90 [deg], 180 [deg], and 270 [deg]. Then, consider that the two kinds of the vectors are rotated about the x-axis and the y-axis respectively. The respective vectors are rotated by the same angle about each axis. The location of the two areas that include the two kinds of the vectors remains the original location, which is any of the same area, adjacent areas, alternate areas, and otherwise, in the case of the rotation by the same angle about the same axis. This reason is because the rotation by the same angle about the same axis is equivalent to the rotation of the whole three-dimensional sphere with its form eternal. This point corresponds to “the angle 90 · [θ j ]10 ” and “the angle 90 · [ϕ j ]10 ” of the step 5 in the procedure of the transformation function in Sect. 2.2. We show that the (normalized) Hamming distances between both the iris codes are conserved before and after the computation of the transformation function, in Sect. 3.2. 3.2 Conservation of Normalized Hamming Distance This subsection shows that the normalized Hamming distance of the proposed scheme is equal to that of the existing scheme. The user can properly be authenticated on the server, since the normalized Hamming distance HDpro in this scheme is equal to the normalized Hamming distance HDorg in the existing scheme [10] as follows: HDpro =

1  (A ⊕ Bj ) n j=1 j

(18)

=

1 (A j ⊕ B j ) n j=1

(19)

2n

n

= HDorg ,

(20)

even if the enrolled iris code A and the verified iris code B are transformed into the enrolled transformed iris code A and the verified transformed iris code B by the function f , respectively. This reason is explained as follows. The transformation function consists of pre-processing (the step 3 of the transformation function), main processing and post processing (the step 8 of the transformation function). The Hamming distances between both the iris codes are conserved before and after the pre-processing and the post processing, since the same transformation rule is applied to these two processing. The main processing consists of every n three-dimensional rotations and cyclic shifts, respectively. In the three-dimensional rotation, the additional random bit

IEICE TRANS. FUNDAMENTALS, VOL.E88–A, NO.1 JANUARY 2005

292

is the same for both the enrolled iris code and the verified iris code, that is, the Hamming distance between the random sequences for both the iris codes is 0. The three-dimensional rotation has the characteristic of conserving the Hamming distances between both the iris codes, from Point 1 and Point 2 in Sect. 3.1. The cyclic shift also meets the requirements for conserving the Hamming distances between both the iris codes, because of cyclically shifting the vectors by the same bit numbers to the same direction. Consequently, the normalized Hamming distance of the proposed scheme is equal to that of the existing scheme, since the whole transformation function has the characteristic of conserving the Hamming distances between both the iris codes. The following simple example is shown. Consider the case of n = 4. Let 1010 and 1100 be the enrolled iris code and the verified iris code respectively, and 1001 be the additional random sequence. (The other random bits are omitted.) Then, the normalized Hamming distance between both the iris codes is 0.5. We assume that these iris codes are transformed according to the following values, which denote, in turn, respective positions of the two elements extracted from the iris codes, the rotational angle about the xaxis, the rotational angle about the y-axis, bit numbers and the direction of the cyclic shift. (1) (2) (3) (4)

1, 2, 90 [deg], 180 [deg], 2 bits, rightward. 2, 3, 270 [deg], 180 [deg], 3 bits, leftward. 3, 4, 180 [deg], 90 [deg], 1 bit, rightward. 1, 3, 90 [deg], 270 [deg], 4 bits, leftward.

In the case of (1), both the iris codes 1010 and 1100 are transformed as follows. First, 10 and 11 are extracted from the enrolled iris code and the verified iris code, and 101 and 111 are composed in addition to the random bit 1, respectively. (For simplicity, the pre-processing and the post processing are omitted, and these iris codes are transformed with bit.) Next, 101 and 111 are transformed into 001 and 000 by the 90-deg rotation about the x-axis and the 180-deg rotation about the y-axis, respectively. These two elements 00 and 00, which correspond to parts of the iris codes, are returned to the original positions, the remaining elements 1 and 0, which correspond to the random bit, are added to the last of the iris codes, and 00101 and 00000 are obtained, respectively. These are transformed into 01001 and 00000 according to cyclically shifting by 2 bits rightward. Then, the normalized Hamming distance between both the iris codes (in the middle of the transformation) is conserved with 0.5. Similarly, 01001 and 00000 are transformed into 010000 and 000010 respectively in the case of (2). Furthermore, 010000 and 000010 are transformed into 1011100 and 1001110 in the case of (3), and 1011100 and 1001110 are transformed into 10010001 and 11011001 in the case of (4), respectively. Thereby, the enrolled transformed iris code 10010001 and the verified iris code 11011001 are obtained respectively, and the normalized Hamming distance between both the transformed iris codes is conserved with 0.5.

4.

Security of Transformation Function

This section shows that the transformed iris code is sufficiently secure to hide the original iris code. 4.1 Definition of Attack Models This subsection supposes the attack models in this paper. An attacker (the server administrator) supposed in this paper aims at impersonating the user with his/her iris code. The attacker cannot obtain the random sequence generated by him/her, since we assume that it is kept securely. Hence, we suppose the following attack models. Attack-model 1: The attacker conjectures the iris code only using the transformed iris codes.  Attack-model 2: The attacker conjectures the iris code using the transformed iris codes into which arbitrary iris codes are transformed by the function.  Attack-model 1 and Attack-model 2 correspond to the conceptions of “ciphertext only attack” and “chosen plaintext attack” in the cryptanalysis, respectively. The transformation function proposed in this paper has the characteristic of conserving the Hamming distances between both the iris codes. Hence, to prevent the impersonation of the user by the attacker, we further consider the following conditions in addition to the proposed function. • The random sequence is generated using the assured random number generating algorithm. • The generated random sequences are kept securely from others and are distinct for respective servers in which the iris codes are enrolled. • The challenge-response method is introduced between the server and the user. • The remote authentication model is assumed. • The attacker cannot obtain private key of any other server. Thus, the attack models that we can actually assume to the server administrator are only Attack-model 1 and Attackmodel 2. 4.2 Characteristics of Transformation Function This subsection describes characteristics of the transformation function with respect to Attack-model 1 and Attackmodel 2 respectively. “Nonlinearity” is the characteristic of the transformation function, which relates to Attack-model 1. One processing in the transformation function is linear, since the three-dimensional vector composed from the 2-bit iris code and the random bit is rotated about the x-axis and the yaxis respectively. This linearity needs to conserve the (normalized) Hamming distances before and after the computation of the function. The total 2n elements are chosen, since

OTA et al.: PROPOSAL OF A TRANSFORMATION METHOD FOR IRIS CODES IN IRIS SCANNING VERIFICATION

293

two elements are arbitrarily extracted from the (n + j − 1)dimensional vector n times during the transformation. These repetitions mean that they can be always classified into two kinds of the elements: some elements are repeatedly chosen twice or more than twice and the other elements are chosen once or less than once. Also, the transformed value differs depending on each value of the iris code in the rotation processing, that is, the transformed values are not linear when respective elements of the different iris codes are rotated for the same random sequence. Consequently, the whole transformation function is nonlinear. The security of the transformation function mostly depends on the randomness of the generated random sequence, because of the above-mentioned consideration, and since the angles, bit numbers of the cyclic shift, and so on, are decided by the random sequence. All iris codes are almost uniformly transformed into the transformed iris codes, since we assume that the random number generating algorithm is assured. Thus, we conclude that it is difficult for the attacker to conjecture the iris code by analysis of the transformed iris codes. “The conservation of the (normalized) Hamming distance” is the characteristic of the transformation function, which relates to Attack-model 2. Let the n-bit verified iris code be all 0s, since the attacker can obtain the transformed iris codes for arbitrary iris codes. The Hamming distance between the enrolled transformed iris code and the verified transformed iris code corresponding to the all 0s’ verified iris code is then equal to the 1’s number of the enrolled iris code. That can be shown from the following two reasons. One reason is that the Hamming distance between the enrolled iris code and the all 0s’ verified iris code is equal to the 1’s number of the enrolled iris code. The other reason is that the Hamming distance between both the iris codes is also conserved after the computation of the function. Thus, the server administrator can know the 1’s number and the 0’s number of the enrolled iris code, when Attack-model 2 is supposed. The server administrator, however, cannot obtain the more useful information regarding the enrolled iris code. 4.3 Security for Exhaustive Search Attack This subsection shows that the success probabilities for the exhaustive search attack in each attack model are lower than those of the methods proposed in the literature [7] and are negligible. The attacker cannot conjecture the iris code, even though each attack model is supposed, as considered in Sec. 4.2. Accordingly, the attacker can make use of only the exhaustive search attack. We at first consider the success probabilities for the exhaustive search attack concerning the n-bit iris code in Attack-model 1. A mean of the normalized Hamming distance between 2048-bit iris codes extracted from the same iris is measured approximately 0.084, according to the lit-

erature [10]. That is, the error bit numbers between n-bit iris codes extracted from the same iris are approximately 0.084n bits, where a denotes the minimum integer equal to or greater than a. We limit the following probabilities with respect to the method proposed in this paper and the methods described in the literature [7], to the case permitting these error bit numbers. Let P1 (n, α) be the success probability for the exhaustive search attack concerning the n-bit iris code in Attack-model 1. Then, we have P1 (n, α) =

n C 0.084n

, 2n

(21)

where α denotes the 1’s number of the iris code. Now, we compare the method proposed in this paper with the methods described in the literature [7], namely the exclusiveor function and the permutation function. Let Pe1 (n, α) and Pp1 (n, α) be the success probabilities for the exhaustive search attack concerning the n-bit iris code on the exclusiveor function and the permutation function respectively in Attack-model 1. Then, we have P1 (n, α) = Pe1 (n, α) < Pp1 (n, α) =

n C 0.084n

n Cα

. (22)

We secondly consider the success probabilities for the exhaustive search attack concerning the n-bit iris code, where the 1’s number and the 0’s number of it are already known, in Attack-model 2. Let P2 (n, α) be the success probability for the exhaustive search attack concerning the n-bit iris code in Attack-model 2. Then, we have P2 (n, α) =

n C 0.084n

n Cα

.

(23)

Similarly, let Pe2 (n, α) and Pp2 (n, α) be the success probabilities for the exhaustive search attack concerning the n-bit iris code on the exclusive-or function and the permutation function respectively in Attack-model 2. Then, we have P2 (n, α) = Pp2 (n, α) < Pe2 (n, α) = 1.

(24)

Pe2 (n, α) = 1 implies that the exclusive-or value of the enrolled transformed iris code and the verified transformed iris code for the all 0s’ verified iris code just corresponds with the enrolled iris code. Thereby, we conclude that this method is superior to the methods described in the literature [7] in each attack model. Furthermore, Table 1 shows the approximate estimates of all probabilities with regard to this method in case of n = 2048. We assume that the probability of the 1’s number of the iris code is 0.4 in the worst case, considering the estimate in the literature [10]. For reference, we compare the Table 1

The approximate estimates of all probabilities in this method. n = 2048 α = 819

P1 (n, α)

P2 (n, α)

3.43 × 10−361

1.68 × 10−341

IEICE TRANS. FUNDAMENTALS, VOL.E88–A, NO.1 JANUARY 2005

294

proposed method with the 1024-bit RSA encryption, which is secure at present, concerning the success probabilities for the exhaustive search attack. Let PRSA be the success probability for the exhaustive search attack of the private key, which is less efficient than the factorization of the modulus. Then, we have PRSA = 2−1024 ≈ 5.56 × 10−309 .

(25)

Hence, we have P1 (n, α), P2 (n, α) < PRSA ,

(26)

for n = 2048. The success probabilities for the exhaustive search attack concerning the (3 log2 n + 6)n-bit random sequence and the 2n-bit transformed iris code are much lower than P1 (n, α) in this method. Consequently, we conclude that the success probabilities for the exhaustive search attack are negligible in each attack model. This method is not as secure as the general public key cryptosystem and common key cryptosystem, since the (normalized) Hamming distances between both the iris codes require to be conserved before and after the computation of the function. However, the transformed iris code is sufficiently secure in practice to hide the original iris code. 5.

Conclusion

In this paper, we proposed the transformation function for the user’s iris code in iris scanning verification on the server. The function consists of the three-dimensional rotation about the x-axis and the y-axis with the iris code lengthened bit by bit, and the cyclic shift, and the whole function has nonlinearity. We showed that the user could be properly authenticated on the server even though the iris code is transformed by this function, since the normalized Hamming distances between both the iris codes are conserved before and after the computation of the function. We also showed that the transformed iris code is sufficiently secure to hide the original iris code even if the stronger attack model is assumed than the previously described model, since the above nonlinearity does not enable the attacker to conjecture the iris code, and the success probabilities for the exhaustive search attack concerning the iris code in the supposed attack models are lower than those of the previously proposed methods and are negligible. As for the further studies, we will evaluate the FAR, the FRR and the processing time for the proposed scheme in the actual iris scanning verification system, and discuss the transformation function with respect to the attack models assumed in the case of distinct preconditions. References [1] Y. Seto, M. Mimura, and S. Ishida, “Development of personal authentication techniques using fingerprint matching embedded in smartcard,” 2000 Symposium on Cryptography and Information Security, SCIS2000-D01, Jan. 2000.

[2] S. Ishida, M. Mimura, and Y. Seto, “Development of personal authentication system embedded in smartcard,” IPSJ SIG Notes, vol.2000, no.68, pp.145–152, July 2000. [3] ISO/IEC 7816-11:2004, Identification cards—Integrated circuit cards—Part 11: Personal verification through biometric methods. [4] N.K. Ratha, J.H. Connell, and R.M. Bolle, “Enhancing security and privacy in biometrics-based authentication systems,” IBM Syst. J., vol.40, no.3, pp.614–634, 2001. [5] K. Wakayama, Y. Decchi, J. Leng, and A. Iwata, “A remote user authentication method using fingerprint matching,” J. IPSJ, vol.44, no.2, pp.401–404, Feb. 2003. [6] T. Nakamura, N. Yoshiura, and Y. Onozato, “Experiment of biometric recognition by hash function,” IPSJ SIG Notes, vol.2003, no.18, pp.245–250, Feb. 2003. [7] H. Ota, Y. Sasano, and F. Sugaya, “Proposal of an iris identification scheme protecting privacy,” Computer Security Symposium 2003, vol.2003, no.15, pp.163–168, Oct. 2003. [8] D.D. Zhang, Automated biometrics: technologies and systems, Kluwer Academic Publishers, Massachusetts, 2000. [9] M. Tsukada, “Personal identification by iris analysis,” IPSJ Mag., vol.40, no.11, pp.1084–1087, Nov. 1999. [10] J.G. Daugman, “High confidence visual recognition of persons by a test of statistical independence,” IEEE Trans. Pattern Anal. Mach. Intel., vol.15, no.11, pp.1148–1161, Nov. 1993. [11] J.G. Daugman, “Recognizing persons by their iris patterns,” in Biometrics: personal identification in networked society, ed. A. Jain, R. Bolle, and S. Pankanti, pp.103–121, Kluwer Academic Publishers, Massachusetts, 2002. [12] J.G. Daugman, “The importance of being random: Statistical principles of iris recognition,” Pattern Recognit., vol.36, no.2, pp.279– 291, Feb. 2003. [13] R.L. Rivest, “The MD5 message-digest algorithm,” Request for Comments (RFC) 1321, Internet Activities Board, Internet Privacy Task Force, April 1992. [14] FIPS 180-1, “Secure hash standard,” Federal Information Processing Standard (FIPS), Publication 180-1, National Institute of Standards and Technology, US Department of Commerce, April 1995. [15] FIPS 180-2, “Secure hash standard,” Federal Information Processing Standard (FIPS), Publication 180-2, National Institute of Standards and Technology, US Department of Commerce, Aug. 2002.

Appendix:

Simulation Results

This appendix shows the simulation results in the proposed scheme and the existing scheme, concerning the processing time. The following processing time is measured in the proposed scheme and the existing scheme, since the other processing is almost the same in both the schemes. • In the proposed scheme: – The transformation processing time in the enrollment procedure. – The transformation processing time in the verification procedure. – The verification processing time in the verification procedure. • In the existing scheme: – The verification processing time in the verification procedure.

OTA et al.: PROPOSAL OF A TRANSFORMATION METHOD FOR IRIS CODES IN IRIS SCANNING VERIFICATION

295 Table A· 1

The average processing time in both the schemes [ms]. Proposed scheme 246

Existing scheme 0.186

We use a PC with Intel Pentium-4 2.4-GHz processor and 512-Mbyte RAM for the simulation. Then, Table A· 1 shows the average processing time in both the schemes. From Table A· 1, the additional processing time, which denotes the two transformation processing time, is within 1 [s] in the proposed scheme, although the processing in the proposed scheme takes much more time than that in the existing scheme. Thus, the transformation function proposed in this paper is practically valid in iris scanning verification.

Haruki Ota received the B.E. Department of Computer Science, and M.E. Department of Communications and Integrated Systems, from Tokyo Institute of Technology, Japan, in 2000 and 2002 respectively. He joined KDDI and has been engaged in research on information security technology. He is currently a research engineer of Security Lab. in KDDI R&D Laboratories Inc. He is a member of IPSJ.

Shinsaku Kiyomoto received the B.E. College of Engineering Sciences, and M.E. Institute of Materials Science, from Tsukuba University, Japan, in 1998 and 2000 respectively. He joined KDD (now KDDI) and has been engaged in research on network security, cryptographic protocol, and mobile security. He is currently a research engineer of Security Lab. in KDDI R&D Laboratories Inc. He is a member of JPS and IPSJ.

Toshiaki Tanaka received the B.E. and M.E. degrees of Communication Engineering from Osaka University, Japan, in 1984 and 1986 respectively. He joined KDD (now KDDI) and has been engaged in research on network security, cryptographic protocol, mobile security, digital rights management, and intrusion detection techniques. He is currently the leader of Security Lab. in KDDI R&D Laboratories Inc. He is a member of IPSJ.