Secure Minutiae-Based Fingerprint Templates Using Random Triangle Hashing

Zhe Jin1, Andrew Beng Jin Teoh2, Thian Song Ong1, and Connie Tee1

1 Faculty of Information Science & Technology, Multimedia University, Jalan Ayer Keroh Lama, 75450 Malacca, Malaysia
{jin.zhe,tsong,tee.connie}@mmu.edu.my
2 School of Electrical and Electronic Engineering, Yonsei University, College of Engineering, 262 Seongsanno, Seodaemun-gu, Seoul 120-749, Korea
Abstract. Due to privacy concerns over the widespread use of biometric authentication systems, biometric template protection has recently gained great attention in biometric research. It is a challenging task to design a biometric template protection scheme that is anonymous, revocable and non-invertible while maintaining acceptable performance. Many methods have been proposed to resolve this problem, and cancelable biometrics is one of them. In this paper, we propose a scheme, coined Random Triangle Hashing, which follows the concept of cancelable biometrics in the fingerprint domain. In this method, realignment of fingerprints is not required, as all the minutiae are translated into a pre-defined two-dimensional space based on a reference minutia. After that, the proposed Random Triangle Hashing method is used to enforce the one-way property (non-invertibility) of the biometric template. The proposed method is resistant to minor translation error and rotation distortion. Finally, the hash vectors are converted into bit-strings to be stored in the database. The proposed method is evaluated using the public database FVC2004 DB1. An EER of less than 1% is achieved by using the proposed method.

Keywords: cancelable biometrics, fingerprint minutiae, template protection, random triangle hashing.
1 Introduction

Biometrics has become an attractive alternative to traditional password-based authentication due to its ability to discriminate users based on biological or behavioral traits. However, biometric authentication systems carry many inherent risks, which can lead to security breaches and privacy threats when they are underestimated. One of the main concerns for biometric security is the possible disclosure of the user's private information due to the strong binding between the biometric template and the user's identity. Another concern is associated with the security of the template, which cannot be reproduced or replaced when compromised.

H. Badioze Zaman et al. (Eds.): IVIC 2009, LNCS 5857, pp. 521–531, 2009. © Springer-Verlag Berlin Heidelberg 2009
In the literature, cancelable biometrics [1] and biometric cryptosystems [2] are the two major approaches to template protection. Cancelable biometrics applies an irreversible transform to the biometric template to ensure the security and privacy of the actual biometric template. Hence, the actual biometric data is never stored in the user database, only its irreversible representation. A biometric cryptosystem, on the other hand, incorporates biometric authentication into cryptographic bounds, thus enabling the use of biometrics to derive an encrypted template for more stringent template security. Theoretically, a template protection scheme must fulfill the following requirements:

1) Revocability. A new template can be reissued provided that the generation of the new template does not affect the performance of the existing system.
2) Non-invertibility. It must be impossible or computationally hard to obtain the original biometric template from the transformed or encrypted template and helper data.
3) Performance. The recognition performance, in terms of False Rejection Rate (FRR) or False Acceptance Rate (FAR), should not be poorer than the performance of using the original biometric data.

This paper presents a key-specific transformation technique for fingerprints without pre-alignment on the registration point of the fingerprint image. Our scheme involves minutiae translation, Random Triangle Hashing and bit-string conversion. The proposed technique makes it computationally hard to invert the transformed template without presenting the unique personal key. Besides, in the case that the transformed template is compromised, a new one can be regenerated by simply assigning a different key to the biometric template.

1.1 Related Work

Current biometrics researchers divide their work into two categories: biometric cryptosystems and cancelable biometrics.
Biometric cryptosystems are based on a cryptographic primitive by means of associating the biometric data with cryptographic keys [2]. Clancy et al. [3] and Uludag et al. [4] proposed their methods based on the fuzzy vault scheme. In their methods, the minutiae positions were used to encode and decode the secret (S). However, there is an assumption that the fingerprints used for locking and unlocking the vault are pre-aligned. Yang et al. [5] proposed a way of determining a reliable reference point based on the similarity indices of minutiae pairs by using several enrolled fingerprints. Based on this reference point, each minutia was represented by a polar coordinate and then used in the locking and unlocking sets of the fuzzy vault scheme. Recently, Chung et al. [6] proposed an automatic fingerprint alignment approach that used geometric hash tables.

For cancelable biometrics, the main idea is to store an irreversibly transformed version of the biometric template, which provides a high privacy level by allowing multiple templates to be associated with the same biometric data [7]. Ratha et al. [1] described three transformation methods: Cartesian, polar and functional transformation. The Cartesian and polar transformation methods divided a fingerprint into sub-blocks and then scrambled those sub-blocks. In the functional transformation,
the transformation was based on a Gaussian function. However, all three methods required alignment before transformation. Teoh et al. [8] use an external confidential token to protect biometric templates; however, this is vulnerable since the external token can easily be lost, stolen or compromised. Farooq et al. [9] generated a bit-string from a fingerprint minutiae representation based on minutiae triplets. The invariant features (the lengths of the three sides, the three angles between the sides and the minutiae orientations, and the height of the triangles) are extracted, then quantized and hashed into a bit-string ($2^{24}$ bits). But this method requires calculating all the possible triplet invariant features, which results in additional computation costs. Shi et al. [10] proposed a template protection scheme called Biomapping that integrates feature extraction, non-invertible transform and anonymous query as a whole. But the latency for recognition and the size of the secure template are concerns in practice.
Fig. 1. Overall transformation of proposed scheme
2 Proposed Scheme

In this section, we describe a transformation scheme which can generate revocable bit-strings from a set of minutiae points. Fig. 1 shows the overall process flow of the proposed method. Most of the fingerprint research reported in the literature relies on a reliable registration point (core), but locating this registration point is not always feasible in practice [1] [8] [11] [12]. Hence, in our proposed method, a reference minutia is chosen from the minutiae set, and the remaining minutiae are translated based on the selected reference minutia. The application of this transformation technique is based on the fact that rotation and translation invariance can be achieved
by using the same reference minutia. After that, we calculate the number of minutiae that are confined in the random regions (triangles) to produce short hash vectors. A categorization based on the minutiae orientation is conducted in order to obtain more information for authentication. Finally, a binary histogram (bit-string) is generated from the short hash vectors. This bit-string is the final representation of the fingerprint template.

2.1 Rotation and Translation of Minutiae

Suppose that $M_i = [x_i, y_i, \theta_i]$ depicts the i-th minutia, where $x_i$, $y_i$ and $\theta_i$ ($[0, 2\pi]$) represent the Cartesian coordinates and the orientation of the minutia. One of the minutiae is selected as the reference minutia $M_r = [x_r, y_r, \theta_r]$. The rest of the minutiae are rotated and translated based on this reference minutia. The transformed minutiae $M_i^t = [x_i^t, y_i^t, \theta_i^t]$ can be obtained as follows:

$$\begin{bmatrix} x_i^t \\ y_i^t \\ \theta_i^t \end{bmatrix} = \begin{bmatrix} \cos\theta_r & -\sin\theta_r & 0 \\ \sin\theta_r & \cos\theta_r & 0 \\ 0 & 0 & 1 \end{bmatrix} \times \begin{bmatrix} x_i - x_r \\ -(y_i - y_r) \\ \theta_i - \theta_r \end{bmatrix} + \begin{bmatrix} W \\ H \\ 0 \end{bmatrix} \qquad (1)$$
where W and H represent the width and height of the pre-defined 2D space. In this paper, W and H are set to be double the size of the input fingerprint image. This is to ensure that the reference minutia is located in the center region of the pre-defined 2D space. Fig. 2 demonstrates the 2D space schematically.
Fig. 2. Pre-defined 2D space
2.2 Random Triangle Hashing

The principle of Random Triangle Hashing is to construct a hash string by counting the number of minutiae contained in random regions. In this research, a triangle is used as the region shape due to its simplicity of implementation, as it contains
fewer vertices than other polygonal shapes. After that, the minutiae contained in each triangle are used to generate the template for verification.

a) Secret Key. Each subject is assigned a unique secret key. This secret key is the source of randomness used for determining the random triangles [13]. In other words, the secret key is a set of random numbers that indicates the locations of the three vertices that form each random triangle. Therefore, each subject has a unique template based on the different secret key assigned to him/her. In the case when the template is compromised, a new key can be assigned to the subject to replace the old one.

b) Hashing. Random Triangle Hashing counts the number of minutiae contained in the random region. It can be described as a transformation function which maps the minutiae representation into a decimal vector, as follows:
$$f : X \rightarrow Z^n \qquad (2)$$

where $X = \{X, Y, \theta\}$ and $X_i$, $Y_i$ and $\theta_i$ represent the position and the orientation of a minutia, and $Z^n$ is an n-dimensional integer vector in which each element denotes the number of minutiae that can be found in a random triangle. Fig. 3 illustrates the conversion from minutiae representation into an integer vector. The number of random triangles formed, n, is determined experimentally. Random Triangle Hashing is based on the rationale that the configuration of the minutiae on a human finger is unique and can be used to distinguish one finger from another. Besides, the key-based hashing methodology with randomized triangles produces short hash strings that cannot be used to reconstruct the original fingerprint without knowledge of the secret key [13].
Fig. 3. Conversion from minutiae representation into integer vector
We apply an orientation-based blocking mechanism that uses the minutiae orientation information. We divide the minutiae orientation into fixed-size ranges, and count the number of minutiae points falling in each range. For example, suppose there are five minutiae contained in the random triangle shown in Fig. 4. We take the orientation of each minutia and count the number of
minutiae falling in the pre-defined orientation range. From the figure, we find that among the five minutiae, one of them falls in the range [0,60), one in [120,180), two in [240,300), and one in [300,360). These numbers form the building block for bit string generation in the next procedure. Note that the orientation range without any corresponding minutiae count is set to zero. We repeat the same process for the remaining triangles. The fixed-length (6 digits) vectors generated from each triangle are concatenated to form the hash vector used to construct the final feature representation in bit-string format.
Fig. 4. Blocking of minutiae orientation detail
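Eq. (1) and the key-driven counting of Section 2.2, as an added example that is not the authors' implementation. The image size, the vertex sampling window, Python's `random.Random` as the key-seeded generator, the exclusion of the reference minutia from the counts and the sample minutiae are all assumptions.

```python
import math
import random

IMG_W, IMG_H = 640, 480            # assumed input image size
W, H = 2 * IMG_W, 2 * IMG_H        # pre-defined 2D space: double the image size (Sec. 2.1)
N_TRIANGLES, BINS = 20, 6          # 20 triangles (Sec. 3.1), six 60-degree ranges (Fig. 4)

# Constructed sample minutiae (x, y, theta in radians); not taken from FVC2004.
SAMPLE = [(320, 240, 0.3), (300, 200, 1.2), (350, 260, 2.5), (280, 300, 4.0),
          (400, 220, 5.5), (330, 180, 3.1), (260, 250, 0.9), (370, 310, 4.7),
          (310, 330, 2.0), (420, 280, 1.6), (240, 190, 5.9), (360, 150, 3.6)]

def transform(minutiae, ref):
    """Eq. (1): express every minutia relative to the reference minutia."""
    xr, yr, tr = ref
    c, s = math.cos(tr), math.sin(tr)
    out = []
    for x, y, t in minutiae:
        dx, dy = x - xr, -(y - yr)
        # Orientation is wrapped into [0, 2*pi) so it can be binned (assumption).
        out.append((c * dx - s * dy + W, s * dx + c * dy + H, (t - tr) % (2 * math.pi)))
    return out

def key_triangles(key, n=N_TRIANGLES):
    """Derive n triangles from the secret key. random.Random stands in for a
    keyed generator; vertices fall in a W x H window centred on (W, H) (assumption)."""
    rng = random.Random(key)
    def vertex():
        return (rng.uniform(W / 2, 3 * W / 2), rng.uniform(H / 2, 3 * H / 2))
    return [(vertex(), vertex(), vertex()) for _ in range(n)]

def _side(p, a, b):
    return (p[0] - b[0]) * (a[1] - b[1]) - (a[0] - b[0]) * (p[1] - b[1])

def inside(p, tri):
    """Sign test: p is inside when it is not on opposite sides of two edges."""
    a, b, c = tri
    d = (_side(p, a, b), _side(p, b, c), _side(p, c, a))
    return not (any(v < 0 for v in d) and any(v > 0 for v in d))

def triangle_hash(minutiae, ref_index, key):
    """Integer hash vector: per triangle, minutiae counts per orientation range."""
    others = [m for i, m in enumerate(minutiae) if i != ref_index]  # assumption
    pts = transform(others, minutiae[ref_index])
    vec = []
    for tri in key_triangles(key):
        counts = [0] * BINS
        for x, y, t in pts:
            if inside((x, y), tri):
                counts[min(int(t / (2 * math.pi / BINS)), BINS - 1)] += 1
        vec.extend(counts)
    return vec

if __name__ == "__main__":
    print(triangle_hash(SAMPLE, 0, key=1234))
```

Because only differences to the reference minutia enter Eq. (1), shifting the whole print leaves the vector unchanged, while a new key yields new triangles and therefore a different vector.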
2.3 Bit String Generation

In the previous section, we generated a hash (integer) vector through Random Triangle Hashing. However, using an integer representation for the template is not secure, and it occupies more memory space in the database. Our solution is to convert the integers into a binary representation. To do this, a fixed binary block is first initialized to zeros. Bits in this binary block are then set to ones according to the integer in the hash vector. For example, if the integer in a hash block is 5, its binary counterpart will be 1111100000. By repeating this process for the remaining hash blocks, all the integers in the hash vector are converted into binary representation. We call this process Bit-Block Coding. The length of the resultant binary block is d × n × m, where d refers to the number of hash blocks for each triangle, n denotes the total number of triangles formed, and m is the number of bits used to represent the binary counterpart of each hash block.

2.4 Calculating the Dissimilarity Score

In a perfect environment, the two one-dimensional bit-strings generated based on the same reference minutia will be the same. However, we have no information to locate the corresponding minutiae used for alignment in the enrolled template and query template. Therefore, we need to compare all the one-dimensional bit-strings between the
enrolled and query sets to determine the closest pair. The dissimilarity score between the enrolled bit-strings ( B ) and query bit-strings ( B ) are calculated as follows:
$$Score(i, j) = \frac{\sum_{k=1}^{d} \left( B_{j,k} \oplus B_{i,k} \right)}{L} \qquad (3)$$

where $\oplus$ represents the XOR operation, $B_{j,k}$ and $B_{i,k}$ denote the k-th bit in $B_j$ and $B_i$, and $L$ represents the length of $B_j$ and $B_i$. Fig. 5 shows the comparisons between the query and enrolled bit-strings. A matrix $Score(i, j)$ is used to store the dissimilarity scores. Next we calculate the mean of the minimum distance for each column in $Score(i, j)$ and denote it as MeanCol, and compute the mean of the minimum distance of each row in $Score(i, j)$ and denote it as MeanRow. We choose the minimum of MeanCol and MeanRow as the final score.
Fig. 5. Comparison between the query and the enrolled template
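Bit-Block Coding (Section 2.3) and the matching rule of Section 2.4, as an added example that is not the authors' code. It assumes Eq. (3) is the XOR count over all L bit positions divided by L and that counts larger than m are clipped; the hash vectors are constructed for illustration.

```python
M_BITS = 10   # bits per hash block, matching the paper's 5 -> 1111100000 example

def bit_block(vec, m=M_BITS):
    """Bit-Block Coding: integer c becomes c ones followed by m - c zeros.
    Counts above m are clipped to m (assumption; the page does not say)."""
    return [1 if j < min(c, m) else 0 for c in vec for j in range(m)]

def score(bi, bj):
    """Eq. (3): XOR two equal-length bit-strings and normalise by the length L."""
    if len(bi) != len(bj):
        raise ValueError("bit-strings must have the same length")
    return sum(a ^ b for a, b in zip(bi, bj)) / len(bi)

def final_score(enrolled, query):
    """Compare every enrolled bit-string (one per reference minutia) with every
    query bit-string, then return min(MeanCol, MeanRow) as in Section 2.4."""
    matrix = [[score(e, q) for q in query] for e in enrolled]
    mean_row = sum(min(row) for row in matrix) / len(matrix)
    mean_col = sum(min(col) for col in zip(*matrix)) / len(matrix[0])
    return min(mean_col, mean_row)

# Constructed hash vectors for one triangle (six orientation ranges each).
# Each inner list corresponds to a different choice of reference minutia.
ENROLLED = [bit_block(v) for v in ([1, 0, 1, 0, 2, 1], [0, 2, 0, 1, 0, 0])]
GENUINE = [bit_block(v) for v in ([1, 0, 1, 0, 2, 1], [0, 2, 1, 1, 0, 0],
                                  [3, 0, 0, 2, 0, 1])]
IMPOSTOR = [bit_block(v) for v in ([3, 0, 0, 2, 0, 1], [0, 0, 4, 0, 0, 3])]

if __name__ == "__main__":
    print("genuine :", final_score(ENROLLED, GENUINE))
    print("impostor:", final_score(ENROLLED, IMPOSTOR))
```

With this unary coding, the XOR count between two blocks equals the absolute difference of the two minutiae counts, so small counting errors move the score only slightly.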
3 Experimental Analysis

The database FVC2004 DB1 [14], which is available in the public domain, is used for our test. It consists of 100 different users and each user has 8 fingerprint images. The minutiae features (X, Y coordinates and orientation) are obtained by using the trial version of VeriFinger Standard SDK [15]. We performed two sets of experiments, namely a genuine test and an impostor test. For the genuine test, we compared the enrolled fingerprint and the query fingerprint of the same user. For the impostor test, the impostor scores are generated by comparing the enrolled fingerprint and the query fingerprint from different users. We used false acceptance rate (FAR), false reject rate (FRR) and equal error rate (EER) to evaluate the proposed algorithm, while the genuine and impostor distributions in Section 3.3 illustrate the performance of the proposed algorithm graphically.
3.1 Number of Random Triangles Determination

Theoretically, we will achieve better results when more random triangles are used. But in practice, we have to strike a balance between accuracy and computational requirements. Table 1 lists the performance obtained using different numbers of random triangles.

Table 1. Equal Error Rate (EER) of different number of random triangles

Number of Random Triangles    EER
10 Random Triangles           2.81%
15 Random Triangles           0.32%
20 Random Triangles           0.20%
We observe from Table 1 that the EER drops as the number of random triangles increases. The reason for this is that when more random triangles are used, more information can be extracted, so the feature becomes more discriminative. But in a real-time scenario, computational performance should also be considered. In this case, we select 20 random triangles as the parameter for our subsequent experiments.

3.2 Revocability

In the case of a lost secret key, where the key or the transformed template is compromised, we should be able to cancel the template and key and assign the individual a new key and hence a new template. In order to test this statement, we generated n different keys for each individual, and used these keys to generate n binary templates. These binary templates are different from each other, even though they represent the same individual. In this experiment, we achieve an EER of less than 1%. This not only vindicates the claim of revocability, it also solves the problem of cross-matching in databases [9]. Fig. 6 shows the sample results obtained using different keys.
Fig. 6. Sample results (EER) obtained using different keys
3.3 Verification

In this experiment, we assume that the secret keys are never lost, and each individual is assigned a unique key that is stored in the database. Based on the secret keys, the enrolled binary template and test binary vector are generated and the scores for verification are calculated using Formula 3. Using these scores, we plot the genuine and impostor distributions as shown in Fig. 7. An EER (equal error rate) of less than 1% was achieved on the public database FVC2004 DB1 [14].
Fig. 7. Genuine and imposter distribution for FVC2004 DB1
3.4 Security of Proposed Method

When we assume that a template is revealed, the adversary has to further reconstruct the corresponding hash vector. However, the revealed template is only a randomized version of the original data. Assuming the number of random triangles is 20 and the bit block is 240 bits, the total length of the template will be 4800 bits. This makes it computationally difficult to recover the original hash vector. Even if the hash vector has been reconstructed, the adversary will have no clue to determine the exact location of each minutia, since we only count the number of minutiae contained in each random triangle.
4 Conclusion

We have presented a new scheme for one-way biometric transformation that uses randomized triangles to compute fingerprint hashes. In the template protection domain, our method fulfills three requirements, namely performance in terms of False Rejection Rate (FRR) and False Acceptance Rate (FAR), non-invertibility and revocability. Another advantage of our method is that pre-alignment of the fingerprint is not required. Our further work will focus on the scenario in which the secret key is used by an adversary to gain access to the system, known as the stolen-token scenario. In the current work, an EER of more than 10% is reported for the stolen-token case. We will look into this issue in our future work.
Acknowledgments. The authors would like to thank Chulhan Lee for contributing the data set used in this paper.
References

1. Ratha, N.K., Chikkerur, S., Connell, J.H., Bolle, R.M.: Generating Cancelable Fingerprint Templates. IEEE Transactions on Pattern Analysis and Machine Intelligence, Special Issue on Biometrics 29(4), 561–572 (2007)
2. Uludag, U., Pankanti, S., Prabhakar, S., Anil, K.J.: Biometric Cryptosystems: Issues and Challenges. Proceedings of the IEEE 92(6), 948–960 (2004)
3. Clancy, T.C., Kiyavash, N., Lin, D.J.: Secure Smartcard-based Fingerprint Authentication. In: Proc. SCM SIGMM 2993 Multimedia, Biometrics Methods and Applications Workshop, pp. 45–52 (2003)
4. Uludag, U., Pankanti, S., Jain, A.: Fuzzy Vault for Fingerprints. In: Proc. of Audio- and Video-based Biometric Person Authentication (AVBPA), Rye Brook, NY, pp. 310–319 (July 2005)
5. Yang, S., Verbauwhede, I.: Automatic Secure Fingerprint Verification System Based on Fuzzy Vault Scheme. In: IEEE International Conference on Acoustics, Speech, and Signal Processing (ICASSP 2005), pp. 609–612 (March 2005)
6. Chung, Y., Moon, D., Lee, S., Jung, S., Kim, T., Ahn, D.: Automatic Alignment of Fingerprint Features for Fuzzy Fingerprint Vault, Information Security and Cryptology. In: Feng, D., Lin, D., Yung, M. (eds.) CISC 2005, vol. 3822, pp. 358–369. Springer, Heidelberg (2005)
7. Ratha, N., Connell, J., Bolle, R.: Enhancing security and privacy in biometrics-based authentication systems. IBM Systems Journal 40(3), 614–634 (2001)
8. Teoh, A.B.J., Goh, A., Ngo, D.C.L.: Random Multispace Quantization as an Analytic Mechanism for BioHashing of Biometric and Random Identity Inputs. IEEE Transactions on PAMI 28(12), 1892–1901 (2006)
9. Farooq, F., Bolle, R., Ruud, M., Jea, T., Ratha, N.: Anonymous and Revocable Fingerprint Recognition. In: Computer Vision and Pattern Recognition, CVPR 2007, June 17-22, pp. 1–7 (2007)
10. Shi, J.Y., You, Z.Y., Gu, M., Lam, K.Y.: Biomapping Privacy Trustworthy Biometrics Using Noninvertible and Discriminable Constructions. In: IEEE International Conference on Pattern Recognition, ICPR 2008 (2008)
11. Teoh, A., Ngo, D., Goh, A.: Biohashing: two factor authentication featuring fingerprint data and tokenised random number. Pattern Recognition 37(11), 2245–2255 (2004)
12. Ratha, N., Connell, J., Bolle, R., Chikkerur, S.: Cancelable Biometrics: A Case Study in Fingerprints. In: Proc. ICPR 2006, vol. 4, pp. 370–373 (2006)
13. Jakubowski, M.H., Venkatesan, R.: Randomized Radon Transforms for Biometric Authentication via Fingerprint Hashing. In: Proceedings of the 2007 ACM workshop on Digital Rights Management (2007)
14. Third International Fingerprint Verification Competition (2004), http://bias.csr.unibo.it/fvc2004/
15. Neurotechnologija, Inc. VeriFinger (2006), http://www.neurotechnology.com/verifinger.html