Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.

Multibiometric cryptosystems based on feature level fusion.bak


Published on

Published in: Technology, Business
  • Be the first to comment

Multibiometric cryptosystems based on feature level fusion.bak

  1. 1. IEEE TRANSACTIONS ON INFORMATION FORENSICS AND SECURITY, VOL. 7, NO. 1, FEBRUARY 2012 255 Multibiometric Cryptosystems Based on Feature-Level Fusion Abhishek Nagar, Student Member, IEEE, Karthik Nandakumar, Member, IEEE, and Anil K. Jain, Fellow, IEEE Abstract—Multibiometric systems are being increasingly de- systems, including the FBI’s IAFIS, the Department of Home-ployed in many large-scale biometric applications (e.g., FBI-IAFIS, land Security’s US-VISIT, and the Government of India’s UID.UIDAI system in India) because they have several advantages such A number of software and hardware multibiometric productsas lower error rates and larger population coverage compared tounibiometric systems. However, multibiometric systems require have also been introduced by biometric vendors [2], [3].storage of multiple biometric templates (e.g., fingerprint, iris, and While multibiometric systems have improved the accuracyface) for each user, which results in increased risk to user privacy and reliability of biometric systems, sufficient attention has notand system security. One method to protect individual templates been paid to security of multibiometric templates. Though ais to store only the secure sketch generated from the corresponding biometric system can be compromised in a number of ways,template using a biometric cryptosystem. This requires storageof multiple sketches. In this paper, we propose a feature-level leakage of biometric template information to unauthorized in-fusion framework to simultaneously protect multiple templates dividuals constitutes a serious security and privacy threat dueof a user as a single secure sketch. Our main contributions in- to the following two reasons:clude: 1) practical implementation of the proposed feature-level 1) Intrusion attack: If an attacker can hack into a biometricfusion framework using two well-known biometric cryptosystems, database, he can easily obtain the stored biometric infor-namely, fuzzy vault and fuzzy commitment, and 2) detailed analysisof the trade-off between matching accuracy and security in the mation of a user. This information can be used to gainproposed multibiometric cryptosystems based on two different unauthorized access to the system by either reverse engi-databases (one real and one virtual multimodal database), each neering the template to create a physical spoof or replayingcontaining the three most popular biometric modalities, namely, the stolen template.fingerprint, iris, and face. Experimental results show that both 2) Function creep: An adversary can exploit the bio-the multibiometric cryptosystems proposed here have higher se-curity and matching performance compared to their unibiometric metric template information for unintended purposescounterparts. a user across different applications (e.g., covertly track by cross-matching the templates from the associated Index Terms—Biometric cryptosystem, fusion, fuzzy commit-ment, fuzzy vault, multibiometrics, template security. databases) leading to violation of user privacy. Security of multibiometric templates is especially crucial as they contain information regarding multiple traits of the same I. INTRODUCTION user. Hence, multibiometric template protection is the main focus of this work. The fundamental challenge in designing aM ULTIBIOMETRIC systems accumulate evidence from biometric template protection scheme is to overcome the large more than one biometric trait (e.g., face, fingerprint, and intrauser variability among multiple acquisitions of the sameiris) in order to recognize a person [1]. Compared to unibio- biometric trait. A number of techniques have been proposedmetric systems that rely on a single biometric trait, multibio- to secure biometric templates (see [4] for a detailed review).metric systems can provide higher recognition accuracy and These techniques can be categorized into two main classes:larger population coverage. Consequently, multibiometric sys- 1) Biometric cryptosystems: In a biometric cryptosystem,tems are being widely adopted in many large-scale identification secure sketch is derived from the enrolled biometric template1 and stored in the system database instead of the original template. In the absence of the genuine user’s Manuscript received March 17, 2011; revised June 27, 2011; accepted August16, 2011. Date of publication October 03, 2011; date of current version January biometric data, it must be computationally hard to recon-13, 2012. The work of A. Jain was supported in part by the World Class Uni- struct the template from the sketch. On the other hand,versity (WCU) program through the National Research Foundation of Korea given an authentication query that is sufficiently closefunded by the Ministry of Education, Science and Technology (R31-2008-000-10008-0). The associate editor coordinating the review of this manuscript and to the enrolled template , it should be easy to decodeapproving it for publication was Dr. Fabio Scotti. the sketch and recover the template. Typically, the sketch is A. Nagar is with the Department of Computer Science and Engineering, obtained by binding the template with a codeword from anMichigan State University, East Lansing, MI 48824 USA. K. Nandakumar is with the Institute for Infocomm Research, A*STAR, Fu- error correcting code, where the codeword itself is definedsionopolis, Singapore, 138632, Singapore. by a key . Therefore, the sketch can be written A. K. Jain is with the Department of Computer Science and Engineering,Michigan State University, East Lansing, MI 48824 USA, and also with the 1In this paper, we use the notation to denote a generic biometric featureDepartment of Brain and Cognitive Engineering, Korea University, Seoul 136- vector and to denote a collection of biometric templates corresponding to713, Republic of Korea (e-mail: the same user. The notations and denote features that are represented as Color versions of one or more of the figures in this paper are available online a binary string and point-set, respectively. Superscripts and are used toat distinguish between the features extracted during enrollment and authentication, Digital Object Identifier 10.1109/TIFS.2011.2166545 respectively. 1556-6013/$26.00 © 2011 IEEE
  2. 2. 256 IEEE TRANSACTIONS ON INFORMATION FORENSICS AND SECURITY, VOL. 7, NO. 1, FEBRUARY 2012 as , where is the sketch generation function. This diversity of biometric representations naturally requires The error correction mechanism facilitates the recovery of a separate template protection scheme for each trait, and a fusion the original template and hence, the associated key. Exam- of the decisions made by each trait [16]. This is analogous to a ples of biometric cryptosystems include fuzzy vault [5], security system that requires multiple low strength (fewer bits) fuzzy commitment [6], PinSketch [7], and secret-sharing passwords, where each password can be attacked individually. approaches [8]. Such a system is less secure than one which uses a single pass- 2) Template transformation: Template transformation tech- word with a larger number of bits. This motivates the proposed niques modify the biometric template with a user spe- approach to protect the multiple biometric templates using a cific key such that it is difficult to recover the original single secure sketch. template from the transformed template . During au- While the concept of securing multiple templates simultane- thentication, the same transformation is applied to the bio- ously as a single entity using a biometric cryptosystem has been metric query and the matching is performed in the reported in the literature, published approaches usually assume transformed domain to avoid exposure of the original bio- that different templates follow the same representation scheme. metric template. Since the key needs to be stored in the This enables simple concatenation of the individual templates system along with , the template security is guaranteed to obtain the fused template [17]. The objective of this work is only if the transformation function is noninvertible even to examine the feasibility of creating a single multibiometric se- when is known to the attacker. Some well-known exam- cure sketch when the traits that are being fused have different ples of template transformation include Bio-Hashing [9] feature representations. This paper makes the following contri- and cancelable biometrics [10]. butions: Ideally, the secure template should satisfy the following two • We propose a feature-level fusion framework to simultane-properties: (i) Noninvertibility—given a secure template, it ously secure multiple templates of a user using biometricmust be computationally difficult to find a biometric feature cryptosystems. To demonstrate the viability of this frame-set that will match with the given template, and (ii) Revoca- work, we propose simple algorithms for the following threebility—given two secure templates generated from the same tasks:biometric data, it must be computationally hard to identify that 1) Converting different biometric representations into a common representation space using various em-they are derived from the same data or obtain the original bio- bedding algorithms: (a) binary strings to point-sets,metric data. While biometric cryptosystems generally tend to (b) point-sets to binary strings, and (c) fixed-lengthhave stronger noninvertibility, template transformation schemes real-valued vectors to binary strings.typically have better revocability. To simultaneously exploit 2) Fusing different features into a single multibiometrictheir relative strengths, different combinations of the above template that can be secured using an appropriatetwo basic approaches, called hybrid biometric cryptosystems, biometric cryptosystem such as fuzzy vault and fuzzyhave also been proposed [11], [12]. In this paper, we focus on commitment; efficient decoding strategies for thesethe biometric cryptosystem approach for multibiometric tem- biometric cryptosystems are also proposed.plate protection due to two reasons: (i) well-known biometric 3) Incorporating a minimum matching constraint for eachcryptosystems such as fuzzy vault and fuzzy commitment are trait, in order to counter the possibility of an attackeravailable for securing different types of biometric features, and gaining illegitimate access to the secure system by(ii) it is relatively easy to analyze the security (noninvertibility) simply guessing/knowing only a subset of the bio-of a secure sketch by leveraging on the characteristics of error metric traits.correcting codes. • We analyze the GAR-security trade-off in the pro- Biometric cryptosystems have been designed only for spe- posed multibiometric cryptosystems using two differentcific biometric feature representations. For example, the fuzzy databases each containing three biometric modalities,commitment scheme assumes a binary string representation, namely, fingerprint, iris, and face.where the dissimilarity between template and query is mea- The rest of the paper is organized as follows. Section II pro-sured in terms of the Hamming distance. The fuzzy vault and vides a background on fuzzy vault and fuzzy commitment tech-PinSketch techniques assume point-set based representations niques and compares the various multibiometric template secu-and use set difference as the dissimilarity metric. However, rity schemes proposed in the literature. The feature-level fusionmultiple templates of a user may not follow the same feature framework for multibiometric cryptosystems and the associatedrepresentation. Point-set based features are used when the algorithms are introduced in Section III. Section IV presents theimage has a set of salient points (e.g., fingerprint minutiae). If security analysis methodology. Implementation details and per-different samples of a biometric trait exhibit limited relative formance evaluation of the proposed multibiometric cryptosys-geometric transformation and limited occlusion, real-valued tems are discussed in Section V. Our conclusions are summa-feature vectors obtained through PCA [13] and Linear Dis- rized in Section VI.criminant Analysis (LDA) [14] can be used. Binary strings aretypically obtained through quantization of a real-valued feature II. BACKGROUNDvector, which reduces the storage space and matching com-plexity. For example, the bits in an iriscode [15] are obtained A. Fuzzy Commitment and Fuzzy Vaultthrough quantization of the phase response of a Gabor filter Fuzzy commitment [6] is a biometric cryptosystem that canapplied to the iris image. be used to secure biometric traits represented in the form of
  3. 3. NAGAR et al.: MULTIBIOMETRIC CRYPTOSYSTEMS BASED ON FEATURE-LEVEL FUSION 257binary vectors (e.g., iriscodes). Suppose that the enrolled bio- TABLE Imetric template is an -bit binary string. In fuzzy commit- COMPARISON OF FUZZY COMMITMENT AND FUZZY VAULTment, a uniformly random key of length bitsis generated and used to uniquely index an -bit codewordof an appropriate error correcting code. The sketch is then ex-tracted from the template as , where indicatesthe modulo-2 addition. The sketch is stored in the databasealong with , where is a cryptographic hash function.During authentication, the codeword is obtained from the querybiometric and the sketch as follows: . This codeword , which is generally a cor-rupted version of the original codeword , can be decoded to getthe key . The authentication is deemed successful if isthe same as . If the Hamming distance between and is not greater than the error correcting capacity of the code, would be the same as and the matching will be successful. Fuzzy vault [5] is useful for securing point-set-basedbiometric features such as fingerprint minutiae. Let cryptographic key associated to it (secret key leakage). In both denote a biometric template consisting of a fuzzy vault and fuzzy commitment, the privacy leakage rateset of points from a finite field . In order to secure , a is related to the secret-key leakage rate because it is trivial touniformly random cryptographic key of length bits is recover (i) the biometric template given the key and the securegenerated and this key is transformed into a polynomial of sketch and (ii) the key given the template and the secure over . All the elements in are then evalu- Some researchers have argued that since a false accept errorated on this polynomial to obtain the set . The set of also leads to unauthorized exposure of the original biometricpoints is then secured by hiding them among template, the security of a biometric cryptosystem is boundeda large set of randomly generated chaff points by FAR bits [28].that do not lie on the polynomial (i.e., and Due to intrauser variability in biometric traits, there is usually , ). The set of genuine points along a trade-off between the GAR and the security (both FAR and http://ieeexploreprojects.blogspot.comwith their polynomial evaluations together with the chaff points leakage rate) in biometric cryptosystems. Schemes with higherconstitute the sketch or vault . During authentication, if the security tend to have lower GAR and vice versa. This trade-offquery biometric set is sufficiently close to , many genuine is determined by the error correcting capacity of the code used.points in can be correctly identified and the polynomialcan be successfully reconstructed using decoding algorithms C. Multibiometric Cryptosystemsused in Reed–Solomon error correcting codes. Table I summa- A number of attempts have been made to extend the securerizes the comparative characteristics of fuzzy vault and fuzzy biometric recognition framework to incorporate multiple bio-commitment. metric traits [16], [17], [29], [30]. Sutcu et al. [29] combined face and fingerprint templates that are both transformed into bi-B. Evaluation of Fuzzy Commitment and Fuzzy Vault Schemes nary strings. These binary strings are concatenated and used as The effectiveness of a biometric cryptosystem depends on the the input to a fuzzy commitment scheme.matching performance and the template security. Matching per- Nandakumar and Jain [30] proposed a multibiometric cryp-formance of a biometric system is usually quantified by the false tosystem in which biometric templates based on binary stringsaccept rate (FAR) and the genuine accept rate (GAR). In bio- and point-sets are combined. The binary string is divided intometric cryptosystems, matching is typically carried out using a a number of segments and each segment is separately securedpolynomial-time error correction decoding algorithm (compu- using a fuzzy commitment scheme. The keys associated withtational complexity of the decoder is bounded by a polynomial these segment-wise fuzzy commitment schemes are then usedexpression in the length of the codeword). Therefore, GAR (re- as additional points in the fuzzy vault constructed using thespectively, FAR) can be defined as the proportion of genuine (re- point-set-based features.spectively, impostor) attempts that lead to successful decoding Kelkboom et al. [17] provided results for feature-level,in polynomial time. score-level, and decision-level fusion of templates represented It is well-known that both fuzzy vault and fuzzy commit- as fixed-length real-valued vectors. Since the match scores arement do not generate revocable templates, i.e., the secure not explicitly available in a biometric cryptosystem, Kelkboomsketches generated by them are susceptible to linkage attacks et al. used the number of errors corrected by an error correcting[27]. Hence, only the noninvertibility property is considered code in a biometric cryptosystem as a measure of the score.during security analysis of these two schemes. Security is often Such scores are, however, meaningful only if the crypto-bio-measured in terms of the information leakage rate or entropy metric match is successful and the key can be successfullyloss [7], [8]. Leakage rate is defined as the mutual informa- recovered. Moreover, multiple scores can be obtained only iftion between (i) the secure sketch and the original biometric the different templates are secured individually, which leadstemplate (known as privacy leakage) or (ii) sketch and the to suboptimal security. This is also true for decision-level
  4. 4. 258 IEEE TRANSACTIONS ON INFORMATION FORENSICS AND SECURITY, VOL. 7, NO. 1, FEBRUARY 2012 Fig. 1. Schematic diagram of a multibiometric cryptosystem based on the proposed feature-level fusion framework during the enrollment phase.fusion. The feature-level fusion scheme in [17] involves simple , where represents the featuresconcatenation of two real-valued vectors and binarization of corresponding to the th biometric modality of a user, andthe combined vector using quantization thresholds. represents the number of modalities, . The Fu et al. [16] theoretically analyzed the template security functionalities of the three modules are as follows:and recognition accuracy imparted by a multibiometric cryp- 1) Embedding algorithm : The embedding algorithmtosystem, which can be operated in four different ways: no-split, transforms a biometric feature representation into aMN-split, package, and biometric model. The first three models new feature representation , where , forcorrespond to decision-level fusion, where the biometric tem- all . The input representation can be aplates are secured individually. The biometric model is based real-valued feature vector, a binary string, or a point-set.on feature-level fusion of homogeneous templates. However, no The output representation could be a binary string or asystem implementation was reported. point-set that could be secured using fuzzy commitment Cimato et al. [31] follow a modular approach to design multi- or fuzzy vault, respectively. http://ieeexploreprojects.blogspot.combiometric cryptosystems. Suppose that and are two bio- 2) Fusion module : The fusion module combines a set ofmetric templates. A secure sketch is extracted from along homogeneous biometric featureswith a hash of the , which is further used as a key to secure the to generate a fused multibiometric feature representationsecond template. This approach is similar to the package model . For point-set-based representations, one can useproposed in [16], which in turn is based on the AND decision fu- . In the case of binary strings, the fusedsion rule. Fang et al. [32] consider a more general version of the feature vector can be obtained by simply concatenating theabove modular approach, where multiple secrets (could be bio- individual strings, i.e., .metric templates or passwords) are mixed in a cascaded fashion Note that it is also possible to define more complex fusionwithin the secure sketch framework. One advantage of such a schemes, where features could be selected based on criteriamodular approach is that additional biometric traits can be easily such as reliability and discriminability.introduced in the multibiometric cryptosystem. Another benefit 3) Biometric cryptosystem : During enrollment, the bio-is that it allows the use of heterogeneous templates. For ex- metric cryptosystem generates a secure sketch usingample, in [31], a secure sketch is used to protect the iriscode the fused feature vector (obtained from the set of bio-template, and the hash value of the iriscode based on the secret metric templates ) and a key ,key is used to encrypt a fingerprint minutiae template. A limi- i.e., . During authentication, the biometrictation of this approach is that its overall security is bounded by cryptosystem recovers from and (obtained fromthe security of the sketch in the outermost layer. the set of biometric queries ). In this paper, we propose a generic framework for the design Fuzzy commitment is used if is a binary string, whereasof a multibiometric cryptosystem with heterogeneous templates a fuzzy vault is used if is a point-set.and consider practical implementation issues in the case of both Each of the above three modules play a critical role inbinary string and point-set-based representations. determining the matching performance and security of the multibiometric cryptosystem. The embedding algorithm should III. PROPOSED FRAMEWORK FOR MULTIBIOMETRIC generate a compact representation that preserves the discrim- CRYPTOSYSTEMS inability of the original biometric features. The fusion module We propose a feature-level fusion framework for multibio- should find the optimal trade-off between the discriminabilitymetric cryptosystems that consists of three basic modules: and variability in the individual feature representations. The(i) embedding algorithm , (ii) fusion module , and biometric cryptosystem should minimize the information(iii) biometric cryptosystem . The generic framework of leakage about the original biometric templates. Thus, op-the proposed multibiometric cryptosystem is shown in Fig. 1. timizing each module is a challenging task in itself and isSuppose that we have a set of biometric feature representations beyond the scope of this work. Since our primary objective
  5. 5. NAGAR et al.: MULTIBIOMETRIC CRYPTOSYSTEMS BASED ON FEATURE-LEVEL FUSION 259 TABLE II SIMPLIFIED ILLUSTRATION OF THE PROPOSED EMBEDDING ALGORITHMSis to demonstrate the viability of the proposed feature-level points along each of the dimensions. The statistics from dif-fusion framework, we propose fairly simple algorithms for ferent hyper-rectangles are concatenated to generate a featureimplementing the above three modules and do not focus on vector. LDA is applied to the resultant feature vector to reduceoptimizing them. the dimensionality. Finally, the real-valued LDA features are bi- narized using the algorithm presented in Section III-A1. 3) Binary String to Point-Set: Conversion of binary stringA. Embedding Algorithms to point-set is required when the final biometric cryptosystem is We shall now discuss three types of embedding algorithms based on point-set features. In order to obtain a point-set from athat can perform the following feature transformations: (i) real- binary string, we simply divide the binary string into the desiredvalued vector into a binary string, (ii) point-set into a binary number of segments. Each segment can be considered as a pointstring, and (iii) binary string into a point-set (see Table II). in the point-set representation. The only parameter in this tech- 1) Real-Valued Vector to Binary String: A number of nique is the number of segments. A similar technique was alsoschemes have been proposed in the literature for binarization used in [30], where instead of directly using the segments of theof real-valued biometric features. Examples include Binary binary strings as points, a key is associated with each segmentMultidimensional Scaling techniques [33], Locality Sensitive through fuzzy commitment and the keys are used as additionalHashing [34], Detection Rate Optimized Bit Allocation [35], points in the vault.and quantization of element pairs in the polar domain [36]. B. Biometric Cryptosystem Implementation Since no single feature binarization technique is provablybetter than all others, we propose the following simple algo- Both fuzzy vault and fuzzy commitment schemes typicallyrithm for transforming a real-valued vector into a binary string. use linear error correcting codes. Consider a linear error cor-First, we quantize each element of the real-valued vector into recting code of length (number of symbols in the codeword) fixed size quanta. The quantized values are then rep- and rank (number of symbols in the secret key). A linear errorresented using -bit unary2 representation in order to obtain a correcting code can correct any combination of erasures andbinary string of length , where is the dimensionality of the errors as long as , where is the min-original vector. In the second stage, we select a desired number imum distance between the codewords of the code [41]. Whenof most discriminable bits . The discriminability of each bit such a code is employed in a biometric cryptosystem, the se-is computed as , where and are the genuine cure sketch can be decoded as long as symbolsand impostor bit-error probabilities, respectively. in the biometric feature vector can be guessed correctly and the 2) Point-Sets to Binary String: A number of techniques remaining symbols are treated as erasures. If the se-have been proposed for converting point-sets into binary fea- lected error correcting code is maximum distance separable (i.e.,ture vectors. These techniques include local point aggregates it satisfies the Singleton bound), then .[37], spectral minutiae [38], geometric transformation [29], For example, the Reed–Solomon code used in fuzzy vault istriplet histogram [39], and the bag-of-words approach [40]. In maximum distance separable with and .this paper, we implement the simple local aggregates-based Hence, the polynomial in a fuzzy vault can be successfullytechnique, which works as follows. Let us assume that each reconstructed if genuine points can be identified frompoint can be represented as an -tuple. The available point-set the aligned such that the bounding box of the points is centered As pointed out in Section II-B, the error correction decoder inat the origin. Then, a set of axis-aligned hyper-rectangles with a biometric cryptosystem is generally constrained to run in poly-randomly selected position and size are generated. Among nomial-time. This approach has two limitations. First, it restrictsthese hyper-rectangles, a fraction of hyper-rectangles with the number of errors that can be corrected to ,large overlap with other hyper-rectangles is discarded. thereby leading to more false rejects for genuine users. Given Statistics for each hyper-rectangle based on the points falling the large intrauser variations in biometric features, it is ofteninside it are computed. These statistics include the number of difficult to find codes with sufficient error correction capabilitypoints in the hyper-rectangle, and the mean and variance of the that can provide high GAR. Second, the above approach re- quires analysis of two separate attack strategies: (i) a false ac- 2A unary encoding works as follows. Suppose that a real-value needs to cept attack, where the attacker attempts to decode a given se-be encoded using bits. The range of , say , is quantized into bins. If falls into the th bin, it is represented as ones cure sketch by invoking the polynomial-time decoder multiplefollowed by zeros, where . times with different nonmatching queries from a database, and
  6. 6. 260 IEEE TRANSACTIONS ON INFORMATION FORENSICS AND SECURITY, VOL. 7, NO. 1, FEBRUARY 2012(ii) a brute-force attack, where the attacker directly tries to guess symbols in the original biometric feature vector. Algorithm 1 Fuzzy vault decoding based onIt is not clear which strategy is more efficient from the attacker’s Berlekamp–Massey algorithm [42].perspective. In this paper, we relax the constraint that the decoder needs torun in polynomial-time. During each iteration of our decodingalgorithm, we consider only a subset of most reliable symbols Input:from the codeword and attempt to decode the sketch by consid- (Ordered vault points); (Degree of polynomial)ering the remaining symbols as erasures. If the sketch cannot be forall5 to dodecoded in a particular iteration, we attempt to decode it using asmaller subset of symbols with minimum size . for to doThus, the sketch will be eventually decoded for every authen- forall , dotication query. However, the decoding complexity will be dif-ferent for the genuine and impostor cases. In practice, one canset a threshold on the decoding complexity for genuine users if is the required polynomial thenand measure GAR as the fraction of genuine authentication at- Returntempts where the decoding complexity is less than the selected end ifthreshold. The security is measured as the minimum compu- end foralltational complexity faced by the attacker for a successful de- end forcoding among the various impostor match attempts. Thus, the end forallproposed security metric takes into account both the false ac- Returncept (number of impostor attempts needed) and brute-force at- { performs a Berlekamp–Masseytack (minimum complexity of an impostor attempt) strategies. decoding of the set of points for a polynomial of degree } 1) Fuzzy Vault Encoding: Let be the biometrictemplate represented as a set of points, which is to be securedusing a vault. Let be the universe of all possible biometric Algorithm 1 is based on the following principle. Given a setpoints. In practice, the points in may not necessarily be ele- of points from the vault, the B-M decoding allows recoveryments of the field . To construct a vault, each point in is as- of the polynomial if there are at least genuinesigned 3 to a point from . Let be the element in associated points in the given set. Since the points in the vault are orderedwith the point in , and let . according to their likelihood of being genuine, we consider sub-A set of chaff points are randomly selected from (“ ” sets of most likely points in parallel. If adenotes the set difference operator). Let be the selected subset of length cannot decode the vault, some pointsset of chaff points and let be the corresponding in the subset are randomly removed to obtain smaller subsets ofset of points obtained by mapping elements in to elements minimum size . Since all points in the vault are usedin . Given a key of length bits, we encode it as a poly- in decoding, the vault will always be eventually decoded, butnomial of degree . Finally, the vault is obtained as a set of the decoding complexity will be different for each query. Since3-tuples as follows: , where , the points in the vault are ordered based on their distance to the , is the corresponding element in , points in the query biometric set, one would expect the decodingand is given by complexity for a genuine user to be significantly less than the decoding complexity for an impostor. if 3) Fuzzy Commitment Implementation: In the fuzzy com- if . mitment technique, the biometric template of length is bound to a codeword of the same length to generate the secure sketch as follows: . The codeword 2) Fuzzy Vault Decoding: Let be the set is obtained from a key of length by addingof points in the authentication query. For each point error correcting bits to it. Algorithm 2 provides the fuzzy com- in the vault, its distance to the closest query mitment decoding procedure. If the error (crossover) probabil-point is computed and the list of vault points is sorted based ities of each bit in the biometric feature vector is known, it ison this distance. The ordered set of points in the vault is possible to consider some of the least reliable bits as erasuresgiven by ,where if , and during decoding. As in the case of fuzzy vault, we consider the . Finally, the Berlekamp–Massey4 (B-M) most reliable bits in parallelalgorithm [42] is applied on subsets of different lengths derived and treat the remaining bits as erasures. If the decoding is stillfrom to decode the vault and thereby recover the associated not successful, a subset of reliable bits of size are flipped. Ifpolynomial and the key (see Algorithm 1). the number of errors among the flipped bits is more than , then the number of errors will be less after flipping, thereby in- 3This mapping can be stored as a lookup table or defined by a hash function. creasing the possibility of successful decoding. 4The Berlekamp–Massey (B-M) algorithm is one of the well-known decodingalgorithms used for Reed–Solomon codes. 5forall is the parallel for-loop; all instances of the loop run in parallel.
  7. 7. NAGAR et al.: MULTIBIOMETRIC CRYPTOSYSTEMS BASED ON FEATURE-LEVEL FUSION 261 but enforces a matching constraint on individual modalities.Algorithm 2 A fuzzy commitment decoding algorithm that Our approach is conceptually similar to the modular multibio-allows for erasures in the codeword based on the crossover metric cryptosystem proposed in [31]. The proposed approachprobabilities. assumes that two different representations called the primary and secondary representations are available for the constrained Input: (corrupted codeword); (bit biometric modalities. These two representations satisfy the fol- reliability vector where indicates the reliability lowing property: it should be hard to obtain the primary repre- (1-crossover probability) of , ); . sentation from the secondary representation. A simple way to forall to do satisfy this requirement is to consider the given biometric fea- ture vector (e.g., minutiae set) as a primary representation and for to do derive the secondary representation by applying a noninvert- forall , do ible transformation (e.g., minutiae aggregates [37]) to the given feature vector. Thus, even if the secondary representation is re- vealed, it is difficult to obtain the primary representation. if is the required key then For each of the constrained traits, its secondary representa- Return tion is secured using the multibiometric cryptosystem using the end if feature-level fusion framework whereas its primary representa- tion is secured using a unibiometric cryptosystem (see Fig. 2). end forall The unibiometric cryptosystems corresponding to the various end for constrained traits will use unique keys that are different from end forall the one used in the multibiometric cryptosystem. Finally, the Return unibiometric secure sketches are encrypted with a symmetric { is an error correction decoder that cryptographic algorithm such as AES, where the encryption key corrects the errors in the corrupted codeword to is the same as the key associated with the multibiometric cryp- obtain a key of length , while considering all bits whose tosystem. The authentication involves two stages. In the first indices are not indicated in as erasures. The function stage, the key associated with the multibiometric cryptosystem returns the indices of the most reliable is recovered. This key is used to decrypt the unibiometric bits. returns the codeword , in which the secure sketches. In the second stage, the unibiometric secure bits in corresponding to points in the keys associated with the unibio- are flipped.} sketches are decoded. All metric sketches must be correctly recovered for successful authentication.C. Constrained Multibiometric Cryptosystem Unlike the simple multibiometric cryptosystem shown in Fig. 1, the constrained multibiometric cryptosystem re- One of the limitations of a multibiometric system is that it quires storage of both multibiometric and unibiometric secureis possible for an adversary to get successfully authenticated sketches. But the proposed approach has two advantages. First,by spoofing only a subset of the involved biometric traits [43]. the overall security of the templates is not affected becauseThis issue is also a concern for a multibiometric cryptosystem. unibiometric sketches are encrypted using the key that is boundIdeally, a multibiometric system should ensure the presence of a to the multibiometric sketch; unless the attacker decodes theminimum amount of discriminatory information from a subset multibiometric sketch he cannot compromise the unibiometricor all the biometric traits of the user, especially those that are sketches. Second, the primary representation that is requireddifficult to spoof. We refer to a cryptosystem that enforces such to decode a unibiometric sketch cannot be obtained froma requirement as a constrained multibiometric cryptosystem and the secondary representation. But successful authenticationthe traits for which a minimum matching constraint is applied requires decoding of the multibiometric sketch as well as allas constrained traits. the unibiometric sketches. This ensures that the user has a There are many ways to impose a minimum matching con- minimum amount of information about each of the constrainedstraint for a biometric modality within a multibiometric cryp- biometric traits. The limitation of the proposed approach is thattosystem. For example, when only two modalities are involved, it leads to a degradation in the GAR because it is possible thatit is possible to set the error correction capacity in such a way an authentication attempt fails despite correct decoding of thethat even a perfect match in one modality is not sufficient to multibiometric sketch, because one or more of the unibiometricdecode the secure sketch and some minimum level of simi- sketches may not be decoded correctly.larity is also required for the second modality. Such an approachwill have high template security, but will reduce the GAR sig-nificantly. Alternatively, one can store separate unibiometric IV. METHODOLOGY FOR SECURITY ANALYSISsketches for each modality and allow them to be decoded in-dividually. This approach will lower the security, but will result While information-theoretic measures such as entropy lossin higher GAR compared to the first approach. or leakage rates are typically used to characterize the security We propose a constrained multibiometric cryptosystem that of biometric cryptosystems, such measures are difficult to es-does not affect the security of a multibiometric secure sketch, timate when the precise distribution of biometric features is
  8. 8. 262 IEEE TRANSACTIONS ON INFORMATION FORENSICS AND SECURITY, VOL. 7, NO. 1, FEBRUARY 2012Fig. 2. Enrollment phase of a constrained multibiometric cryptosystem. The templates corresponding to each constrained trait (traits 1 and in this example)have two representations (the primary representation and the secondary representation for modality ). The secondary representation is securedusing a multibiometric secure sketch, while the primary representation is secured using a unibiometric sketch that is further encrypted using the key associatedwith the multibiometric cryptosystem.not known. In practice, unrealistic assumptions about the bio- 1) If , the B-M algorithm will return themetric features (e.g., uniform distribution) are used to estimate correct polynomial in a single attempt.the leakage rates, which provide only loose upper bounds on the 2) If , one needs to find thesecurity [44], [45]. To account for this factor, we assume that the minimum value of such that when chaff points areattacker has access to a large biometric database (analogous to removed from , becomes greater thana dictionary attack in password-based systems). We then em- . Hence, and thepirically estimate the security based on the minimum decoding corresponding complexity is approximately .complexity among all impostor matches tried by the attacker to 3) If , the vault cannot be decoded using . Indecode a given secure sketch. While estimating the computa- this case, the corresponding value of complexity is consid-tional complexity, we assume that the complexity of the error ered to be .correction decoder (e.g., B-M algorithm) is unity, and consider Based on the above analysis, the security of the vault can beonly the number of times this decoder needs to be invoked. The expressed asproposed security measure is a “product” of the number of im-postor matching attempts (related to false accept attacks) andthe minimum decoding complexity of an impostor matching at-tempt (related to brute force attacks). Thus, we combine the twoattack strategies traditionally used to estimate system security.Furthermore, during authentication, the symbols in the code- (1)word are ordered based on the query prior to decoding. There-fore, the proposed security measure indirectly takes into accountthe distribution of biometric features and provides a more reli- where . The first term in (1) measuresable estimate of the difficulty in breaking a secure sketch, which the complexity of a brute-force attack by an impostor and isis usually greater than FAR bits. minimized over all impostor samples. Therefore, adding more impostors is likely to lower this term. However, adding moreA. Fuzzy Vault Security impostors (false accept attack) will also increase the number of Suppose that the attacker has access to impostor samples computations needed, which is reflected by the term. An in-to decode a vault . Let denote a set containing the first crease in the polynomial degree will increase and conse- points from the ordered set of vault points . Here, the quently result in higher security.ordering is based on the distance of the vault points to the points In the case of multibiometric fuzzy vault, it is possible thatin the query biometric set from impostor . Let be the number a poor quality sample from one of the modalities can lead to aof genuine points in , i.e., , where is the higher decoding complexity if the relative quality of the samplesenrolled template secured using . For , is not taken into account when generating the multibiometricwhere is the total number of points in the vault, three different template. In order to address this issue, we also check if anyscenarios are possible. subset of biometric modalities can decode the vault. The final
  9. 9. NAGAR et al.: MULTIBIOMETRIC CRYPTOSYSTEMS BASED ON FEATURE-LEVEL FUSION 263value of security is the minimum among the security based on erasures. Hence, the corresponding value of complexity isthe multibiometric query and that based on different subsets of considered to be .the query biometric traits. Based on the above analysis, the security of the fuzzy com- Since the decoding algorithm is common to both the genuine mitment scheme can be expressed asuser and the impostor, we can also estimate the decoding com-plexity for a genuine match. Let denote a set containing thefirst points from the ordered set of vault points , wherethe ordering is based on the distance of the vault points to thepoints in the query from the genuine user. Let be the numberof genuine points in , i.e., . The decoding com- (3)plexity for the genuine user can be expressed as where . The above expression, however, (2) assumes that the bits in are independent and uniformly random. Suppose that the entropy of is only bits. Inwhere . this case, the effective Hamming distance between and is and the corresponding value of is .B. Fuzzy Commitment Security Thus, the security is given by To decode a fuzzy commitment sketch, one needs to guess thebits in the binary template . Though the length of the template (4) is bits, the entropy6 of the template is typically muchless than bits. This is because some bits may not be uniformlydistributed (0 and 1 values are not equally likely), while there Suppose is a genuine authentication query and is themay also be correlation between the bits. effective Hamming distance between and , where and Suppose that the attacker has access to impostor samples are the substrings of and , respectively, containingand a sketch . For each impostor , a corrupted codeword only the most reliable bits. The decoding complexity for ais obtained as , where is the binary feature vector genuine match can be expressed asfrom impostor . Let denote a set containing the indices ofthe most reliable bits in the biometric template.7 Let , , (5)and be substrings of , , and , respectively, containingonly those bits whose indices are in . The Hamming distancebetween and is denoted as . where . Let be the error correction decoder thatcorrects the errors in the corrupted codeword to obtain a keyof length while considering all bits whose indices are not in V. EXPERIMENTAL RESULTS as erasures. When the attacker invokes the above error cor-rection decoder for values of in the range , A. Databaseswhere is the minimum distance of the code, three different We have evaluated the recognition performance and securityscenarios are possible. of the proposed multibiometric cryptosystems on two different 1) The values of and are such that multimodal databases, each containing face, fingerprint, and iris , where is the number of erasures and modalities. The first database is a virtual multimodal database is the number of errors. In this case, the decoder will obtained by randomly linking subjects from FVC2002-DB-2 return the correct key in a single attempt. (fingerprint), CASIA Iris database Ver-1, and XM2VTS (face) 2) If , the attacker can try to find databases. The virtual multimodal database consists of the full fingerprint database (100 subjects), first 100 subjects from the such that, when errors are corrected from , face database, and first 100 subjects from the iris database. We becomes less than or equal to . also use the WVU multimodal database, which is a real mul- If such an exists, then its minimum value is given by timodal database containing fingerprint, iris, and face images and the from 138 different users. In our experiments, we consider one corresponding complexity is approximately . genuine authentication attempt per user and impostor attempts 3) If no such can be found, the secure sketch cannot be are simulated by using one impression of each user’s biometric decoded by considering the least reliable bits as to authenticate as every other user. Consequently, the number of 6We use a procedure similar to the one used in [46] to estimate the entropy. impostor attempts is 9900 (100 99) for the virtual multi-See [47, Appendix A] for details. modal database and 18 906 (138 137) for the real multimodal 7We assume that the attacker can somehow estimate the bit reliability vector database. Fig. 3 shows sample images from the different bio-(i.e., the crossover probability for each bit in the biometric template). metric databases used.
  10. 10. 264 IEEE TRANSACTIONS ON INFORMATION FORENSICS AND SECURITY, VOL. 7, NO. 1, FEBRUARY 2012 reduce the effect of illumination variations. Finally, we extract 80 LDA coefficients that constitute the real-valued feature vector representing a face image. The same procedure applied to the iris LDA coefficients is also applied to the face LDA coefficients to generate a binary string and point-set rep- resentations for the face modality. Again, one face image each is used for enrollment and authentication, while the remainingFig. 3. Sample iris, fingerprint, and face images from (a) CASIA Ver-1,FVC2002 DB-2, and XM2VTS databases, respectively, and (b) WVU multi- samples are used as the training set.modal database. Note that the quality of iris images from WVU database ismuch lower than that from the CASIA database. B. Parameter Selection 1) Fingerprint Features: Fingerprint minutiae are extracted 1) Unibiometric Fuzzy Vaults: We consider the Galois fieldusing the procedure detailed in [48]. To obtain the binary string as the finite field in all our experiments. In therepresentation from the minutiae set, we follow the approach case of fingerprint fuzzy vault, a set of at most 24 good qualityoutlined in Section III-A2 with 500 hyper-rectangles (cuboids and well separated minutiae is selected from the given finger-in 3-D space) aligned along the horizontal location, vertical lo- print image as the biometric points. The chaff points are ran-cation, and orientation axis associated with minutiae. Different domly generated as in [19] to obtain a vault with 224 pointsfeatures such as sum of distances of minutiae from the six walls ( , , and ). In addition to genuine minu-of the cuboids and mean and standard deviations of minutiae tiae and chaff points, points on the fingerprint correspondingalong each of the three axes, are extracted from each cuboid in to high ridge curvature are also stored in the system. Theseorder to obtain a vector of length 3500. LDA is used to reduce points are not expected to reveal significant information aboutthe dimensionality of this vector to 80. Each LDA coefficient is the minutiae but can be effectively used to align the query fin-converted into a 40-bit unary representation and they are con- gerprint [19]. During authentication, the query minutiae set iscatenated to obtain a 3200 (40 80)-bit binary string. We select first aligned with the vault using the high curvature points. Aa subset of the most discriminable bits using the procedure bounding box is then used to filter out points in the vault thatdescribed in Section III-A1. The first impression of the finger is are not in close proximity [19] of the query minutiae. The queryused for enrollment, the second one is used as the authentica- is then further aligned with the remaining vault points using ation sample, and the remaining impressions are used as training minutiae matcher. These aligned points are then used to com- http://ieeexploreprojects.blogspot.comset in order to compute the LDA features. Since no training is pute the closest distances of the vault points to the query pointsrequired for extracting minutiae, only the first two impressions based on which the vault points are ordered prior to decoding.are used in constructing the fuzzy vault. The point-set representations for iris and face modalities can 2) Iris Features: The binary IrisCode features are extracted be directly used to construct the iris and face vaults, respec-based on the algorithm described in [49]. In the case of the tively. To generate chaff points in the iris (face) vault, we poolCASIA Ver-1 database, 48 different radii and 360 different the iris (face) points extracted from all the iris (face) images inangles are used whereas in the case of the WVU Iris data- the database (excluding the images of the user under consider-base, 20 different radii and 240 different angles are used. The ation) and select the desired number (200) of chaff points fromcomplete IrisCodes are thus 34 560 and 9600-bits long for the this pool. During authentication, Hamming distance is used toCASIA Ver-1 and WVU Iris databases, respectively. obtain the closest point in the query for each vault point. In order to reduce the dimensionality of the iriscode and re- 2) Multibiometric Fuzzy Vault: Multiple unibiometric vaultsmove the redundancy present in the code, LDA is applied to the can be easily converted into a single multibiometric vault byiriscode features. Only the top 80 LDA coefficients are retained associating the same key with them. Note that the key and these real-valued features are then binarized using length and hence, the polynomial degree of such athe technique proposed in Section III-A1 with . In order multibiometric vault is typically higher than the unibiometricto obtain the point-set representation, 800 bits selected from the case. During decoding, multiple query biometrics are matchedbinarized LDA features are divided into 20 segments of 40 bits with the corresponding unibiometric vaults and an orderedeach. As in the case of fingerprints, one iris sample is used for sequence of points from each vault is obtained. These indi-enrollment, one sample is used for authentication, and the re- vidual sequences of points are then merged such that the firstmaining samples are used as the training set in order to compute elements of the merged sequence contain approximately topthe LDA features. points from the vault corresponding to the th biometric. In the 3) Face Features: Alignment of face images is essential current implementation, we choose to be the same for all theprior to feature extraction. For the WVU database, eye locations biometric traits. However, specific strategies can be designed towere automatically extracted using Identix FaceIT software, a select proper values of based on the quality of the individualregion of size 120 100 was cropped such that interpupil dis- biometric traits and the number of genuine points from eachtance is 60 pixels. In the case of the XM2VTS database, we use trait.FaceVACS software from Cognitec in order to extract the eye 3) Fuzzy Commitment: We select 1023 most discriminablecoordinates to align all the face images. The interpupil distance bits from each of the three biometrics for the unibiometric fuzzyis set to 37.5 pixels. We then crop the aligned face image to a re- commitments . In order to create a multibiometricgion of size 120 100 pixels. Histogram equalization is used to cryptosystem with different biometric traits, we extract
  11. 11. NAGAR et al.: MULTIBIOMETRIC CRYPTOSYSTEMS BASED ON FEATURE-LEVEL FUSION 265Fig. 4. G-S curves for fuzzy vault for iris, fingerprint, and face images from Fig. 5. G-S curves for fuzzy vault for iris, fingerprint, and face images fromCASIA Ver-1, FVC 2002 DB-2, and XM2VTS databases, respectively, the base- WVU Multimodal database, the baseline multibiometric cryptosystem based online multibiometric cryptosystem based on AND-fusion rule and the proposed AND-fusion rule and the proposed multibiometric crytposystem using all threemultibiometric crytposystem using all three modalities. modalities. most discriminative bits from the pool of bits avail-able from all the constituent biometric traits. In our experiments,we assume different values of (the minimum distance ofthe error correcting code) in the range 0.02 to 0.6 times the totalnumber of bits .C. Performance Evaluation We evaluate the trade-off between recognition accuracy andsecurity of the proposed multibiometric cryptosystems usingthe GAR-Security (G-S) curves. The G-S curve is obtained byvarying the error correction capacity of the code (varying poly-nomial degree in the case of fuzzy vault and for fuzzycommitment) used in the biometric cryptosystem. Here, we as-sume that the system accepts a query if its decoding complexity(as computed using (2) in case of the fuzzy vault, and (5) in thecase of fuzzy commitment) is less than 15 bits. Figs. 4 and 5 show the performance of the multibiometric Fig. 6. G-S curves for fuzzy commitment for iris, fingerprint, and face imagesfuzzy vault for the virtual and real multimodal databases, re- from CASIA Ver-1, FVC 2002 DB-2, and XM2VTS databases, respectively,spectively. In general, it can be observed that incorporating ad- the baseline multibiometric cryptosystem based on AND-fusion rule and the pro- posed multibiometric crytposystem using all three modalities.ditional biometric features does increase the performance of thesystem. In case of the virtual multimodal database, the securityof the iris fuzzy vault at a GAR of 90% is 45 bits; however, when The results corresponding to fuzzy commitment are shown infingerprint and face are also incorporated in the fuzzy vault, the Figs. 6 and 7 for the virtual and real multimodal databases, re-security increases to around 90 bits at the same GAR. When the spectively. The G-S curves are obtained by varying of thetemplates are secured individually and the AND fusion rule is ap- error correcting code. Similar to fuzzy vault, the performanceplied, i.e., the authentication is deemed successful only when all of the multibiometric fuzzy commitment is significantly betterthe unibiometric cryptosystems are decoded, the security at 90% than the unibiometric systems.GAR is around 40 bits. However, in the case of the WVU data- Table III summarizes the GAR of different biometric cryp-base, there is only a marginal increase in performance compared tosystems at a security level of 53 bits, which is equivalent to theto the best modality (face). This can be attributed to the lower guessing entropy of an 8-character password randomly chosenquality8 of the iris and fingerprint images in the WVU database from a 94-character alphabet [50]. We observe that the perfor-compared to the CASIA and FVC2002-DB2 databases, respec- mances of the unibiometric cryptosystems are quite low, whichtively. In fact, the GAR of the iris fuzzy vault for the WVU may be due to three reasons. First, as mentioned earlier, thedatabase at zero-FAR is 0%, which is the reason why the G-S quality of iris and fingerprint samples in the WVU multimodalcurve corresponding to iris is not shown in Fig. 5. database is substantially lower than the quality of samples in 8Please refer to the technical report [47] for more details. the FVC2002-DB-2 and CASIA ver1 databases, respectively.
  12. 12. 266 IEEE TRANSACTIONS ON INFORMATION FORENSICS AND SECURITY, VOL. 7, NO. 1, FEBRUARY 2012 together, the genuine accept rate was 98.2% at a security of 49 bits. Note that the security estimate in [30] assumes uniform distribution of biometric features. In our implementation, the genuine accept rate is 99% at a security of 49 bits [47] based on the FVC2002-DB2 and the CASIA Ver-1 databases. In [31], se- curity of the system has not been explicitly reported. In [17], the proposed technique performs fusion of two different 3-D face recognition algorithms and thus cannot be directly compared to the techniques proposed here. In [16], no experimental results were reported. To validate the constrained multibiometric cryptosystem, we implemented a system consisting of iris and fingerprint modalities, where minimum matching constraints are imposed for the fingerprint modality. We further assume that the adver- sary has knowledge about the iris biometric, i.e., he has access to some iris image of the enrolled user. In this experiment, a multibiometric fuzzy commitment is implemented and a sec-Fig. 7. G-S curves for fuzzy commitment for iris, fingerprint, and face images ondary representation of fingerprints is obtained using minutiaefrom WVU Multimodal database, the baseline multibiometric cryptosystem aggregates. Minutiae are employed as the primary fingerprintbased on AND-fusion rule and the proposed multibiometric crytposystem usingall three modalities. representation, and hence a fuzzy vault is used in the second stage. The degree of polynomial for the fuzzy vault is selected such that the sum of security in bits and GAR in percentage TABLE III of the resulting system is maximized. Using this constrained COMPARISON OF GENUINE ACCEPT RATES OF THE DIFFERENT BIOMETRIC multibiometric cryptosystem, it is possible to achieve a security CRYPTOSYSTEMS AT A SECURITY LEVEL OF 53 BITS, WHICH EQUALS THESECURITY IMPARTED BY A RANDOMLY CHOSEN EIGHT-CHARACTER PASSWORD of 35 bits even if the iris features of a genuine user are known [50]. HERE, BASELINE FUSION REFERS TO SECURING INDIVIDUAL TEMPLATES to the adversary. However, the GAR for this scenario is only USING UNIBIOMETRIC CRYPTOSYSTEMS AND COMBINING DECISIONS USING 15% compared to a GAR of 70%, when no constraints were AND-RULE FUSION, WHILE THE PROPOSED FUSION SCHEME USES A SINGLE imposed on the fingerprint modality. MULTIBIOMETRIC SECURE SKETCH VI. CONCLUSIONS AND FUTURE WORK We have proposed a feature-level fusion framework for the design of multibiometric cryptosystems that simultaneously protects the multiple templates of a user using a single secure sketch. The feasibility of such a framework has been demon- strated using both fuzzy vault and fuzzy commitment, which are two of the most well-known biometric cryptosystems. We have also proposed different embedding algorithms for trans-This explains the inferior performance of iris and fingerprint- forming biometric representations, efficient decoding strategiesbased cryptosystems when evaluated on the WVU multimodal for fuzzy vault and fuzzy commitment, and a mechanism todatabase. Second, there is a loss of discriminatory information impose constraints such as minimum matching requirementduring the feature transformation (embedding) stage (more de- for specific modalities in a multibiometric cryptosystem. Atails about this issue are discussed in the technical report [47]). realistic security analysis of the multibiometric cryptosys-This explains the better performance of the unibiometric cryp- tems has also been conducted. Experiments on two differenttosystems when the native representation scheme is used. For multibiometric databases containing fingerprint, face, and irisexample, in both the real and virtual multimodal databases, iris modalities demonstrate that it is indeed possible to improvefuzzy commitment performs better than a iris fuzzy vault. Sim- both the matching performance and template security using theilarly, the performance of fingerprint fuzzy vault is generally multibiometric cryptosystems.better than a fingerprint fuzzy commitment. Finally, the secu- There are four critical issues that need to be investigated fur-rity level of 53 bits used in Table III is higher when compared to ther: 1) Embedding schemes for transforming one biometricthose typically reported in the literature [19], [25]. Furthermore, representation into another, while preserving the discriminativethe proposed security measure takes into account the distribu- power of the original representation; 2) a better feature fusiontion of biometric features and hence, provides a tighter bound scheme to generate a compact multibiometric template that re-on the security of the sketch. tains most of the information content in the individual tem- For the multibiometric fuzzy vault implementation reported plates; 3) methods to improve the security analysis by accuratelyin [30], where iris and fingerprint templates from MSU-DBI modeling the biometric feature distributions; and 4) evaluationdatabase and CASIA Ver-1 database, respectively, were secured of the proposed cryptosystem on large multimodal databases.
  13. 13. NAGAR et al.: MULTIBIOMETRIC CRYPTOSYSTEMS BASED ON FEATURE-LEVEL FUSION 267 REFERENCES [25] F. Hao, R. Anderson, and J. Daugman, “Combining crypto with biometrics effectively,” IEEE Trans. Comput., vol. 55, no. 9, pp. 1081–1088, Sep. 2006. [1] A. Ross, K. Nandakumar, and A. K. Jain, Handbook of Multibiomet- [26] E. Maiorana and P. Campisi, “Fuzzy commitment for function based rics. New York: Springer, 2006. signature template protection,” IEEE Signal Process. Lett., vol. 17, no. [2] 3M Cogent, Fusion—Multi-Modal Biometric Handheld Device [On- 3, pp. 249–252, Mar. 2010. line]. Available: [27] W. J. Scheirer and T. E. Boult, “Cracking fuzzy vaults and biometric [3] MorphoTrak, MetaMatcher—A multi-biometric matching architecture encryption,” in Proc. Biometrics Symp., Baltimore, MD, Sep. 2007. [Online]. Available: [28] R. Plaga, “Biometric keys: Suitable use cases and achievable informa- phoTrak/mt_multi-biometrics.html tion content,” Int. J. Inf. Security, vol. 8, pp. 447–454, 2009. [4] A. Jain, K. Nandakumar, and A. Nagar, “Biometric template security,” [29] Y. Sutcu, Q. Li, and N. Memon, “Secure biometric templates from EURASIP J. Adv. Signal Process., vol. 2008, 2008. fingerprint-face features,” in Proc. CVPR Workshop Biometrics, Min- [5] A. Juels and M. Sudan, “A fuzzy vault scheme,” in Proc. IEEE Int. neapolis, MN, Jun. 2007. Symp. Information Theory, Lausanne, Switzerland, 2002, p. 408. [30] K. Nandakumar and A. K. Jain, “Multibiometric template security [6] A. Juels and M. Wattenberg, “A fuzzy commitment scheme,” in Proc. using fuzzy vault,” in Proc. IEEE 2nd Int. Conf. Biometrics: Theory, Sixth ACM Conf. Computer and Communications Security, Singapore, Applications, and Systems, Washington, DC, Sep. 2008. Nov. 1999, pp. 28–36. [31] S. Cimato, M. Gamassi, V. Piuri, R. Sassi, and F. Scotti, “Privacy- [7] Y. Dodis, R. Ostrovsky, L. Reyzin, and A. Smith, Fuzzy aware biometrics: Design and implementation of a multimodal verifi- Extractors: How to Generate Strong Keys From Biometrics cation system,” in Proc. IEEE Ann. Conf. Computer Security Applica- and Other Noisy Data Cryptology ePrint Archive, Tech. Rep. tions, Los Alamitos, CA, 2008. 235, Feb. 2006, A preliminary version of this work appeared [32] C. Fang, Q. Li, and E.-C. Chang, “Secure sketch for multiple secrets,” in EUROCRYPT 2004. in Proc. Int. Conf. Applied Cryptography and Network Security, Nejra, [8] T. Ignatenko and F. M. J. Willems, “Biometric systems: Privacy and Spain, 2010. secrecy aspects,” IEEE Trans. Inf. Forensics Security, vol. 4, no. 4, pp. [33] D. Rhodes, “Methods for binary multidimensional scaling,” Neural 956–973, Dec. 2009. Computation, vol. 14, pp. 1195–1232, 2002. [9] A. B. J. Teoh, K.-A. Toh, and W. K. Yip, “ discretisation of Bio- [34] A. Andoni and P. Indyk, “Near-optimal hashing algorithms for approx- Phasor in cancellable biometrics,” in Proc. Second Int. Conf. Biomet- imate nearest neighbor in high dimensions,” in IEEE Symp. Founda- rics, Seoul, South Korea, Aug. 2007, pp. 435–444. tions Computer Science, 2006, pp. 459–468. [10] N. K. Ratha, S. Chikkerur, J. H. Connell, and R. M. Bolle, “Generating [35] C. Chen, R. N. J. Veldhuis, T. A. M. Kevenaar, and A. H. M. Akker- cancelable fingerprint templates,” IEEE Trans. Pattern Anal. Mach. mans, “Biometric quantization through detection rate optimized bit al- Intell., vol. 29, no. 4, pp. 561–572, Apr. 2007. location,” EURASIP J. Adv. Signal Process., vol. 2009, 2009. [11] W. Scheirer and T. Boult, “Bio-cryptographic protocols with bipartite [36] C. Chen and R. Veldhuis, “Binary biometric representation through biotokens,” in Proc. Biometric Symp., Tampa, FL, 2008. pairwise polar quantization,” in Proc. Int. Conf. Biometrics, 2009, pp. [12] K. Nandakumar, A. Nagar, and A. K. Jain, “Hardening fingerprint 72–81. fuzzy vault using password,” in Proc. Second Int. Conf. Biometrics, [37] A. Nagar, S. Rane, and A. Vetro, “Privacy and security of Seoul, South Korea, Aug. 2007, pp. 927–937. features extracted from minutiae aggregates,” in Proc. IEEE Int. [13] M. Turk and A. Pentland, “Eigenfaces for recognition,” J. Cognitive NeuroSci., vol. 3, no. 1, pp. 71–86, 1991. and Signal Processing, Dallas, TX, Mar. Conf. Acoustics, Speech 2010, pp. 524–531. [14] P. N. Belhumeur, J. P. Hespanha, and D. J. Kriegman, “Eigenfaces [38] H. Xu, R. Veldhuis, T. Kevenaar, A. Akkermans, and A. Bazen, “Spec- versus Fisherfaces: Recognition using class specific linear projection,” tral minutiae: A fixed-length representation of a minutiae set,” in Proc. IEEE Trans. Pattern Anal. Mach. Intell., vol. 9, no. 7, pp. 711–720, Jul. IEEE Computer Vision and Pattern Recognition Workshop on Biomet- 1997. rics, Anchorage, AK, 2008. [15] J. Daugman, “Recognizing persons by their iris patterns,” in [39] F. Farooq, R. Bolle, T. Jea, and N. Ratha, “Anonymous and revocable Biometrics: Personal Identification in Networked Society, A. K. fingerprint recognition,” in Proc. IEEE Computer Vision and Pattern Jain, R. Bolle, and S. Pankanti, Eds. London, U.K.: Kluwer, Recognition, Minneapolis, MN, Jun. 2007. 1999, pp. 103–122. [40] L. Fei-Fei and P. Perona, “A Bayesian hierarchical model for learning [16] B. Fu, S. X. Yang, J. Li, and D. Hu, “Multibiometric cryptosystem: natural scene categories,” in Proc. IEEE Computer Vision and Pattern Model structure and performance analysis,” IEEE Trans. Inf. Forensics Recognition, 2005, pp. 524–531. Security, vol. 4, no. 4, pp. 867–882, Dec. 2009. [41] J. I. Hall, Notes on Coding Theory 2001 [Online]. Available: http:// [17] E. Kelkboom, X. Zhou, J. Breebaart, R. Veldhuis, and C. Busch, “Multi-algorithm fusion with template protection,” in Proc. IEEE 3rd [42] E. R. Berlekamp, Algebraic Coding Theory. New York: McGraw- Int. Conf. Biometrics: Theory, Applications, and Systems, Washington, Hill, 1968. DC, Sep. 2009. [43] R. N. Rodrigues, L. L. Ling, and V. Govindaraju, “Robustness of mul- [18] S. Yang and I. Verbauwhede, “Automatic secure fingerprint verification timodal biometric fusion methods against spoof attacks,” J. Vis. Lang. system based on fuzzy vault scheme,” in Proc. IEEE Int. Conf. Acous- Comput., vol. 20, no. 3, pp. 169–179, 2009. tics, Speech, and Signal Processing, Philadelphia, PA, Mar. 2005, vol. [44] A. Nagar and A. K. Jain, “On the security of non-invertible fingerprint 5, pp. 609–612. template transforms,” in Proc. IEEE Workshop Information Forensics [19] K. Nandakumar, A. K. Jain, and S. Pankanti, “Fingerprint-based fuzzy and Security, London, U.K., Dec. 2009. vault: Implementation and performance,” IEEE Trans. Inf. Forensics [45] E.-C. Chang, R. Shen, and F. W. Teo, “Finding the original point set Security, vol. 2, no. 4, pp. 744–757, Dec. 2007. hidden among chaff,” in Proc. 2006 ACM Symp. Information, Com- [20] Y. C. Feng and P. C. Yuen, “Protecting face biometric data on smart- puter and Communications Security, Taipei, Taiwan, Jun. 2006. card with Reed-Solomon code,” in Proc. CVPR Workshop on Biomet- [46] J. Daugman, “The importance of being random: Statistical principles rics, New York, Jun. 2006. of iris recognition,” Pattern Recognit., vol. 36, pp. 279–291, [21] Y. J. Lee, K. Bae, S. J. Lee, K. R. Park, and J. Kim, 2003. “Biometric key binding: Fuzzy vault based on iris images,” in [47] A. Nagar, K. Nandakumar, and A. K. Jain, Multibiometric Cryptosys- Proc. Second Int. Conf. Biometrics, Seoul, South Korea, Aug. tems Department of Computer Science and Engineering, Michigan 2007, pp. 800–808. State University, Tech. Rep. MSU-CSE-11-4, 2011. [22] M. Freire-Santos, J. Fierrez-Aguilar, and J. Ortega-Garcia, “Crypto- [48] A. K. Jain, L. Hong, and R. Bolle, “On-line fingerprint verification,” graphic key generation using handwritten signature,” in Proc. SPIE IEEE Trans. Pattern Anal. Mach. Intell., vol. 19, no. 4, pp. 302–314, Conf. Biometric Technologies for Human Identification, Orlando, FL, Apr. 1997. Apr. 2006, vol. 6202, pp. 225–231. [49] S. Shah, “Enhanced Iris Recognition: Algorithms for Segmentation, [23] J. Bringer, H. Chabanne, G. Cohen, B. Kindarji, and G. Zemor, “Theo- Matching and Synthesis,” Master’s Thesis, Department of Computer retical and practical boundaries of binary secure sketches,” IEEE Trans. Science and Electrical Engineering, West Virginia University, Morgan- Inf. Forensics Security, vol. 3, no. 4, pp. 673–683, Dec. 2008. town, WV, 2006. [24] T. A. M. Kevenaar, G. J. Schrijen, M. vanderVeen, A. H. M. Akker- [50] W. E. Burr, D. F. Dodson, and W. T. Polk, Information Security: Elec- mans, and F. Zuo, “Face recognition with renewable and privacy pre- tronic Authentication Guideline NIST, Tech. Rep. Special Rep. 800-63, serving binary templates,” in Proc. AutoID, 2005, pp. 21–26. Apr. 2006.
  14. 14. 268 IEEE TRANSACTIONS ON INFORMATION FORENSICS AND SECURITY, VOL. 7, NO. 1, FEBRUARY 2012 Abhishek Nagar (S’08) received the five-year Inte- Anil K. Jain (S’70–M’72–SM’86–F’91) is a uni- grated M.Tech. degree from Indian Institute of Tech- versity distinguished professor in the Department nology (IIT) Delhi, India, in 2006. He is working to- of Computer Science and Engineering at Michigan ward the Ph.D. degree at the Department of Computer State University, East Lansing. His research interests Science and Engineering, Michigan State University, include pattern recognition and biometric authen- East Lansing. tication. He served as the editor-in-chief of the His research interests include biometric template IEEE TRANSACTIONS ON PATTERN ANALYSIS AND security, pattern recognition, and image processing. MACHINE INTELLIGENCE (1991–1994). The holder Mr. Nagar received the Best Scientific Paper of six patents in the area of fingerprints, he is the Award (Biometrics Track) at ICPR 2008. author of a number of books, including Handbook of Fingerprint Recognition (2009), Handbook of Biometrics (2007), Handbook of Multibiometrics (2006), Handbook of Face Recognition (2005), BIOMETRICS: Personal Identification in Networked Society (1999), and Algorithms for Clustering Data (1988). He served as a Karthik Nandakumar (M’02) received the B.E. de- member of the Defense Science Board and The National Academies commit- gree from Anna University, Chennai, India in 2002, tees on Whither Biometrics and Improvised Explosive Devices. the M.S. degrees in computer science (2005) and Dr. Jain received the 1996 IEEE TRANSACTIONS ON NEURAL NETWORKS statistics (2007), and the Ph.D. degree in computer Outstanding Paper Award and the Pattern Recognition Society best paper science (2008) from Michigan State University, East awards in 1987, 1991, and 2005. He is a fellow of the AAAS, ACM, IAPR, and Lansing. SPIE. He has received Fulbright, Guggenheim, Alexander von Humboldt, IEEE He is a Scientist in the Department of Computer Computer Society Technical Achievement, IEEE Wallace McDowell, ICDM Vision and Image Understanding at the Institute Research Contributions, and IAPR King-Sun Fu awards. ISI has designated for Infocomm Research, A*STAR, Fusionopolis, him a highly cited researcher. According to Citeseer, his book Algorithms for Singapore. His research interests include statistical Clustering Data (Englewood Cliffs, NJ: Prentice-Hall, 1988) is ranked #93 in pattern recognition, biometric authentication, image most cited articles in computer science.processing, and computer vision. He has coauthored a book titled Handbook ofMultibiometrics (Springer, 2006). Dr. Nandakumar received the Best Paper award from the Pattern RecognitionJournal (2005), the Best Scientific Paper Award (Biometrics Track) at ICPR2008, and the 2010 IEEE Signal Processing Society Young Author Best PaperAward.