Multibiometric cryptosystems based on feature level fusion.bak

IEEE TRANSACTIONS ON INFORMATION FORENSICS AND SECURITY, VOL. 7, NO. 1, FEBRUARY 2012 255

Multibiometric Cryptosystems Based onFeature-Level Fusion

Abhishek Nagar, Student Member, IEEE, Karthik Nandakumar, Member, IEEE, and Anil K. Jain, Fellow, IEEE

Abstract—Multibiometric systems are being increasingly de-ployed inmany large-scale biometric applications (e.g., FBI-IAFIS,UIDAI system in India) because they have several advantages suchas lower error rates and larger population coverage compared tounibiometric systems. However, multibiometric systems requirestorage of multiple biometric templates (e.g., fingerprint, iris, andface) for each user, which results in increased risk to user privacyand system security. One method to protect individual templatesis to store only the secure sketch generated from the correspondingtemplate using a biometric cryptosystem. This requires storageof multiple sketches. In this paper, we propose a feature-levelfusion framework to simultaneously protect multiple templatesof a user as a single secure sketch. Our main contributions in-clude: 1) practical implementation of the proposed feature-levelfusion framework using two well-known biometric cryptosystems,namely, fuzzy vault and fuzzy commitment, and 2) detailed analysisof the trade-off between matching accuracy and security in theproposed multibiometric cryptosystems based on two differentdatabases (one real and one virtual multimodal database), eachcontaining the three most popular biometric modalities, namely,fingerprint, iris, and face. Experimental results show that boththe multibiometric cryptosystems proposed here have higher se-curity and matching performance compared to their unibiometriccounterparts.

Index Terms—Biometric cryptosystem, fusion, fuzzy commit-ment, fuzzy vault, multibiometrics, template security.

I. INTRODUCTION

M ULTIBIOMETRIC systems accumulate evidence frommore than one biometric trait (e.g., face, fingerprint, and

iris) in order to recognize a person [1]. Compared to unibio-metric systems that rely on a single biometric trait, multibio-metric systems can provide higher recognition accuracy andlarger population coverage. Consequently, multibiometric sys-tems are being widely adopted inmany large-scale identification

Manuscript receivedMarch 17, 2011; revised June 27, 2011; accepted August16, 2011. Date of publication October 03, 2011; date of current version January13, 2012. The work of A. Jain was supported in part by the World Class Uni-versity (WCU) program through the National Research Foundation of Koreafunded by the Ministry of Education, Science and Technology (R31-2008-000-10008-0). The associate editor coordinating the review of this manuscript andapproving it for publication was Dr. Fabio Scotti.A. Nagar is with the Department of Computer Science and Engineering,

Michigan State University, East Lansing, MI 48824 USA.K. Nandakumar is with the Institute for Infocomm Research, A*STAR, Fu-

sionopolis, Singapore, 138632, Singapore.A. K. Jain is with the Department of Computer Science and Engineering,

Michigan State University, East Lansing, MI 48824 USA, and also with theDepartment of Brain and Cognitive Engineering, Korea University, Seoul 136-713, Republic of Korea (e-mail: [email protected]).Color versions of one or more of the figures in this paper are available online

at http://ieeexplore.ieee.org.Digital Object Identifier 10.1109/TIFS.2011.2166545

systems, including the FBI’s IAFIS, the Department of Home-land Security’s US-VISIT, and the Government of India’s UID.A number of software and hardware multibiometric productshave also been introduced by biometric vendors [2], [3].While multibiometric systems have improved the accuracy

and reliability of biometric systems, sufficient attention has notbeen paid to security of multibiometric templates. Though abiometric system can be compromised in a number of ways,leakage of biometric template information to unauthorized in-dividuals constitutes a serious security and privacy threat dueto the following two reasons:1) Intrusion attack: If an attacker can hack into a biometricdatabase, he can easily obtain the stored biometric infor-mation of a user. This information can be used to gainunauthorized access to the system by either reverse engi-neering the template to create a physical spoof or replayingthe stolen template.

2) Function creep: An adversary can exploit the bio-metric template information for unintended purposes(e.g., covertly track a user across different applicationsby cross-matching the templates from the associateddatabases) leading to violation of user privacy.

Security of multibiometric templates is especially crucial asthey contain information regarding multiple traits of the sameuser. Hence, multibiometric template protection is the mainfocus of this work. The fundamental challenge in designing abiometric template protection scheme is to overcome the largeintrauser variability among multiple acquisitions of the samebiometric trait. A number of techniques have been proposedto secure biometric templates (see [4] for a detailed review).These techniques can be categorized into two main classes:1) Biometric cryptosystems: In a biometric cryptosystem,secure sketch is derived from the enrolled biometrictemplate1 and stored in the system database instead ofthe original template. In the absence of the genuine user’sbiometric data, it must be computationally hard to recon-struct the template from the sketch. On the other hand,given an authentication query that is sufficiently closeto the enrolled template , it should be easy to decodethe sketch and recover the template. Typically, the sketch isobtained by binding the template with a codeword from anerror correcting code, where the codeword itself is definedby a key . Therefore, the sketch can be written

1In this paper, we use the notation to denote a generic biometric featurevector and to denote a collection of biometric templates corresponding tothe same user. The notations and denote features that are represented asa binary string and point-set, respectively. Superscripts and are used todistinguish between the features extracted during enrollment and authentication,respectively.

1556-6013/$26.00 © 2011 IEEE

http://ieeexploreprojects.blogspot.com

256 IEEE TRANSACTIONS ON INFORMATION FORENSICS AND SECURITY, VOL. 7, NO. 1, FEBRUARY 2012

as , where is the sketch generation function.The error correction mechanism facilitates the recovery ofthe original template and hence, the associated key. Exam-ples of biometric cryptosystems include fuzzy vault [5],fuzzy commitment [6], PinSketch [7], and secret-sharingapproaches [8].

2) Template transformation: Template transformation tech-niques modify the biometric template with a user spe-cific key such that it is difficult to recover the originaltemplate from the transformed template . During au-thentication, the same transformation is applied to the bio-metric query and the matching is performed in thetransformed domain to avoid exposure of the original bio-metric template. Since the key needs to be stored in thesystem along with , the template security is guaranteedonly if the transformation function is noninvertible evenwhen is known to the attacker. Some well-known exam-ples of template transformation include Bio-Hashing [9]and cancelable biometrics [10].

Ideally, the secure template should satisfy the following twoproperties: (i) Noninvertibility—given a secure template, itmust be computationally difficult to find a biometric featureset that will match with the given template, and (ii) Revoca-bility—given two secure templates generated from the samebiometric data, it must be computationally hard to identify thatthey are derived from the same data or obtain the original bio-metric data. While biometric cryptosystems generally tend tohave stronger noninvertibility, template transformation schemestypically have better revocability. To simultaneously exploittheir relative strengths, different combinations of the abovetwo basic approaches, called hybrid biometric cryptosystems,have also been proposed [11], [12]. In this paper, we focus onthe biometric cryptosystem approach for multibiometric tem-plate protection due to two reasons: (i) well-known biometriccryptosystems such as fuzzy vault and fuzzy commitment areavailable for securing different types of biometric features, and(ii) it is relatively easy to analyze the security (noninvertibility)of a secure sketch by leveraging on the characteristics of errorcorrecting codes.Biometric cryptosystems have been designed only for spe-

cific biometric feature representations. For example, the fuzzycommitment scheme assumes a binary string representation,where the dissimilarity between template and query is mea-sured in terms of the Hamming distance. The fuzzy vault andPinSketch techniques assume point-set based representationsand use set difference as the dissimilarity metric. However,multiple templates of a user may not follow the same featurerepresentation. Point-set based features are used when theimage has a set of salient points (e.g., fingerprint minutiae). Ifdifferent samples of a biometric trait exhibit limited relativegeometric transformation and limited occlusion, real-valuedfeature vectors obtained through PCA [13] and Linear Dis-criminant Analysis (LDA) [14] can be used. Binary strings aretypically obtained through quantization of a real-valued featurevector, which reduces the storage space and matching com-plexity. For example, the bits in an iriscode [15] are obtainedthrough quantization of the phase response of a Gabor filterapplied to the iris image.

This diversity of biometric representations naturally requiresa separate template protection scheme for each trait, and a fusionof the decisions made by each trait [16]. This is analogous to asecurity system that requires multiple low strength (fewer bits)passwords, where each password can be attacked individually.Such a system is less secure than one which uses a single pass-word with a larger number of bits. This motivates the proposedapproach to protect the multiple biometric templates using asingle secure sketch.While the concept of securing multiple templates simultane-

ously as a single entity using a biometric cryptosystem has beenreported in the literature, published approaches usually assumethat different templates follow the same representation scheme.This enables simple concatenation of the individual templatesto obtain the fused template [17]. The objective of this work isto examine the feasibility of creating a single multibiometric se-cure sketch when the traits that are being fused have differentfeature representations. This paper makes the following contri-butions:• We propose a feature-level fusion framework to simultane-ously secure multiple templates of a user using biometriccryptosystems. To demonstrate the viability of this frame-work, we propose simple algorithms for the following threetasks:1) Converting different biometric representations intoa common representation space using various em-bedding algorithms: (a) binary strings to point-sets,(b) point-sets to binary strings, and (c) fixed-lengthreal-valued vectors to binary strings.

2) Fusing different features into a single multibiometrictemplate that can be secured using an appropriatebiometric cryptosystem such as fuzzy vault and fuzzycommitment; efficient decoding strategies for thesebiometric cryptosystems are also proposed.

3) Incorporating a minimummatching constraint for eachtrait, in order to counter the possibility of an attackergaining illegitimate access to the secure system bysimply guessing/knowing only a subset of the bio-metric traits.

• We analyze the GAR-security trade-off in the pro-posed multibiometric cryptosystems using two differentdatabases each containing three biometric modalities,namely, fingerprint, iris, and face.

The rest of the paper is organized as follows. Section II pro-vides a background on fuzzy vault and fuzzy commitment tech-niques and compares the various multibiometric template secu-rity schemes proposed in the literature. The feature-level fusionframework for multibiometric cryptosystems and the associatedalgorithms are introduced in Section III. Section IV presents thesecurity analysis methodology. Implementation details and per-formance evaluation of the proposed multibiometric cryptosys-tems are discussed in Section V. Our conclusions are summa-rized in Section VI.

II. BACKGROUND

A. Fuzzy Commitment and Fuzzy Vault

Fuzzy commitment [6] is a biometric cryptosystem that canbe used to secure biometric traits represented in the form of


NAGAR et al.: MULTIBIOMETRIC CRYPTOSYSTEMS BASED ON FEATURE-LEVEL FUSION 257

binary vectors (e.g., iriscodes). Suppose that the enrolled bio-metric template is an -bit binary string. In fuzzy commit-ment, a uniformly random key of length bitsis generated and used to uniquely index an -bit codewordof an appropriate error correcting code. The sketch is then ex-tracted from the template as , where indicatesthe modulo-2 addition. The sketch is stored in the databasealong with , where is a cryptographic hash function.During authentication, the codeword is obtained from the querybiometric and the sketch as follows:

. This codeword , which is generally a cor-rupted version of the original codeword , can be decoded to getthe key . The authentication is deemed successful if isthe same as . If the Hamming distance between and

is not greater than the error correcting capacity of the code,would be the same as and the matching will be successful.Fuzzy vault [5] is useful for securing point-set-based

biometric features such as fingerprint minutiae. Letdenote a biometric template consisting of a

set of points from a finite field . In order to secure , auniformly random cryptographic key of length bits isgenerated and this key is transformed into a polynomial ofdegree over . All the elements in are then evalu-ated on this polynomial to obtain the set . The set ofpoints is then secured by hiding them amonga large set of randomly generated chaff pointsthat do not lie on the polynomial (i.e., and

, ). The set of genuine points alongwith their polynomial evaluations together with the chaff pointsconstitute the sketch or vault . During authentication, if thequery biometric set is sufficiently close to , many genuinepoints in can be correctly identified and the polynomialcan be successfully reconstructed using decoding algorithmsused in Reed–Solomon error correcting codes. Table I summa-rizes the comparative characteristics of fuzzy vault and fuzzycommitment.

B. Evaluation of Fuzzy Commitment and Fuzzy Vault Schemes

The effectiveness of a biometric cryptosystem depends on thematching performance and the template security. Matching per-formance of a biometric system is usually quantified by the falseaccept rate (FAR) and the genuine accept rate (GAR). In bio-metric cryptosystems, matching is typically carried out using apolynomial-time error correction decoding algorithm (compu-tational complexity of the decoder is bounded by a polynomialexpression in the length of the codeword). Therefore, GAR (re-spectively, FAR) can be defined as the proportion of genuine (re-spectively, impostor) attempts that lead to successful decodingin polynomial time.It is well-known that both fuzzy vault and fuzzy commit-

ment do not generate revocable templates, i.e., the securesketches generated by them are susceptible to linkage attacks[27]. Hence, only the noninvertibility property is consideredduring security analysis of these two schemes. Security is oftenmeasured in terms of the information leakage rate or entropyloss [7], [8]. Leakage rate is defined as the mutual informa-tion between (i) the secure sketch and the original biometrictemplate (known as privacy leakage) or (ii) sketch and the

TABLE ICOMPARISON OF FUZZY COMMITMENT AND FUZZY VAULT

cryptographic key associated to it (secret key leakage). In bothfuzzy vault and fuzzy commitment, the privacy leakage rateis related to the secret-key leakage rate because it is trivial torecover (i) the biometric template given the key and the securesketch and (ii) the key given the template and the secure sketch.Some researchers have argued that since a false accept erroralso leads to unauthorized exposure of the original biometrictemplate, the security of a biometric cryptosystem is boundedby FAR bits [28].Due to intrauser variability in biometric traits, there is usually

a trade-off between the GAR and the security (both FAR andleakage rate) in biometric cryptosystems. Schemes with highersecurity tend to have lower GAR and vice versa. This trade-offis determined by the error correcting capacity of the code used.

C. Multibiometric Cryptosystems

A number of attempts have been made to extend the securebiometric recognition framework to incorporate multiple bio-metric traits [16], [17], [29], [30]. Sutcu et al. [29] combinedface and fingerprint templates that are both transformed into bi-nary strings. These binary strings are concatenated and used asthe input to a fuzzy commitment scheme.Nandakumar and Jain [30] proposed a multibiometric cryp-

tosystem in which biometric templates based on binary stringsand point-sets are combined. The binary string is divided intoa number of segments and each segment is separately securedusing a fuzzy commitment scheme. The keys associated withthese segment-wise fuzzy commitment schemes are then usedas additional points in the fuzzy vault constructed using thepoint-set-based features.Kelkboom et al. [17] provided results for feature-level,

score-level, and decision-level fusion of templates representedas fixed-length real-valued vectors. Since the match scores arenot explicitly available in a biometric cryptosystem, Kelkboomet al. used the number of errors corrected by an error correctingcode in a biometric cryptosystem as a measure of the score.Such scores are, however, meaningful only if the crypto-bio-metric match is successful and the key can be successfullyrecovered. Moreover, multiple scores can be obtained only ifthe different templates are secured individually, which leadsto suboptimal security. This is also true for decision-level



Fig. 1. Schematic diagram of a multibiometric cryptosystem based on the proposed feature-level fusion framework during the enrollment phase.

fusion. The feature-level fusion scheme in [17] involves simpleconcatenation of two real-valued vectors and binarization ofthe combined vector using quantization thresholds.Fu et al. [16] theoretically analyzed the template security

and recognition accuracy imparted by a multibiometric cryp-tosystem, which can be operated in four different ways: no-split,MN-split, package, and biometric model. The first three modelscorrespond to decision-level fusion, where the biometric tem-plates are secured individually. The biometric model is basedon feature-level fusion of homogeneous templates. However, nosystem implementation was reported.Cimato et al. [31] follow a modular approach to design multi-

biometric cryptosystems. Suppose that and are two bio-metric templates. A secure sketch is extracted from alongwith a hash of the , which is further used as a key to secure thesecond template. This approach is similar to the package modelproposed in [16], which in turn is based on the AND decision fu-sion rule. Fang et al. [32] consider a more general version of theabove modular approach, where multiple secrets (could be bio-metric templates or passwords) are mixed in a cascaded fashionwithin the secure sketch framework. One advantage of such amodular approach is that additional biometric traits can be easilyintroduced in the multibiometric cryptosystem. Another benefitis that it allows the use of heterogeneous templates. For ex-ample, in [31], a secure sketch is used to protect the iriscodetemplate, and the hash value of the iriscode based on the secretkey is used to encrypt a fingerprint minutiae template. A limi-tation of this approach is that its overall security is bounded bythe security of the sketch in the outermost layer.In this paper, we propose a generic framework for the design

of a multibiometric cryptosystem with heterogeneous templatesand consider practical implementation issues in the case of bothbinary string and point-set-based representations.

III. PROPOSED FRAMEWORK FOR MULTIBIOMETRICCRYPTOSYSTEMS

We propose a feature-level fusion framework for multibio-metric cryptosystems that consists of three basic modules:(i) embedding algorithm , (ii) fusion module , and(iii) biometric cryptosystem . The generic framework ofthe proposed multibiometric cryptosystem is shown in Fig. 1.Suppose that we have a set of biometric feature representations

, where represents the featurescorresponding to the th biometric modality of a user, andrepresents the number of modalities, . Thefunctionalities of the three modules are as follows:1) Embedding algorithm : The embedding algorithmtransforms a biometric feature representation into anew feature representation , where , forall . The input representation can be areal-valued feature vector, a binary string, or a point-set.The output representation could be a binary string or apoint-set that could be secured using fuzzy commitmentor fuzzy vault, respectively.

2) Fusion module : The fusion module combines a set ofhomogeneous biometric featuresto generate a fused multibiometric feature representation. For point-set-based representations, one can use

. In the case of binary strings, the fusedfeature vector can be obtained by simply concatenating theindividual strings, i.e., .Note that it is also possible to define more complex fusionschemes, where features could be selected based on criteriasuch as reliability and discriminability.

3) Biometric cryptosystem : During enrollment, the bio-metric cryptosystem generates a secure sketch usingthe fused feature vector (obtained from the set of bio-metric templates ) and a key ,i.e., . During authentication, the biometriccryptosystem recovers from and (obtained fromthe set of biometric queries ).Fuzzy commitment is used if is a binary string, whereasa fuzzy vault is used if is a point-set.

Each of the above three modules play a critical role indetermining the matching performance and security of themultibiometric cryptosystem. The embedding algorithm shouldgenerate a compact representation that preserves the discrim-inability of the original biometric features. The fusion moduleshould find the optimal trade-off between the discriminabilityand variability in the individual feature representations. Thebiometric cryptosystem should minimize the informationleakage about the original biometric templates. Thus, op-timizing each module is a challenging task in itself and isbeyond the scope of this work. Since our primary objective



TABLE IISIMPLIFIED ILLUSTRATION OF THE PROPOSED EMBEDDING ALGORITHMS

is to demonstrate the viability of the proposed feature-levelfusion framework, we propose fairly simple algorithms forimplementing the above three modules and do not focus onoptimizing them.

A. Embedding Algorithms

We shall now discuss three types of embedding algorithmsthat can perform the following feature transformations: (i) real-valued vector into a binary string, (ii) point-set into a binarystring, and (iii) binary string into a point-set (see Table II).1) Real-Valued Vector to Binary String: A number of

schemes have been proposed in the literature for binarizationof real-valued biometric features. Examples include BinaryMultidimensional Scaling techniques [33], Locality SensitiveHashing [34], Detection Rate Optimized Bit Allocation [35],and quantization of element pairs in the polar domain [36].Since no single feature binarization technique is provably

better than all others, we propose the following simple algo-rithm for transforming a real-valued vector into a binary string.First, we quantize each element of the real-valued vector into

fixed size quanta. The quantized values are then rep-resented using -bit unary2 representation in order to obtain abinary string of length , where is the dimensionality of theoriginal vector. In the second stage, we select a desired numberof most discriminable bits . The discriminability of each bitis computed as , where and are the genuineand impostor bit-error probabilities, respectively.2) Point-Sets to Binary String: A number of techniques

have been proposed for converting point-sets into binary fea-ture vectors. These techniques include local point aggregates[37], spectral minutiae [38], geometric transformation [29],triplet histogram [39], and the bag-of-words approach [40]. Inthis paper, we implement the simple local aggregates-basedtechnique, which works as follows. Let us assume that eachpoint can be represented as an -tuple. The available point-setis aligned such that the bounding box of the points is centeredat the origin. Then, a set of axis-aligned hyper-rectangles withrandomly selected position and size are generated. Amongthese hyper-rectangles, a fraction of hyper-rectangles withlarge overlap with other hyper-rectangles is discarded.Statistics for each hyper-rectangle based on the points falling

inside it are computed. These statistics include the number ofpoints in the hyper-rectangle, and the mean and variance of the

2A unary encoding works as follows. Suppose that a real-value needs tobe encoded using bits. The range of , say , is quantized into

bins. If falls into the th bin, it is represented as onesfollowed by zeros, where .

points along each of the dimensions. The statistics from dif-ferent hyper-rectangles are concatenated to generate a featurevector. LDA is applied to the resultant feature vector to reducethe dimensionality. Finally, the real-valued LDA features are bi-narized using the algorithm presented in Section III-A1.3) Binary String to Point-Set: Conversion of binary string

to point-set is required when the final biometric cryptosystem isbased on point-set features. In order to obtain a point-set from abinary string, we simply divide the binary string into the desirednumber of segments. Each segment can be considered as a pointin the point-set representation. The only parameter in this tech-nique is the number of segments. A similar technique was alsoused in [30], where instead of directly using the segments of thebinary strings as points, a key is associated with each segmentthrough fuzzy commitment and the keys are used as additionalpoints in the vault.

B. Biometric Cryptosystem Implementation

Both fuzzy vault and fuzzy commitment schemes typicallyuse linear error correcting codes. Consider a linear error cor-recting code of length (number of symbols in the codeword)and rank (number of symbols in the secret key). A linear errorcorrecting code can correct any combination of erasures anderrors as long as , where is the min-imum distance between the codewords of the code [41]. Whensuch a code is employed in a biometric cryptosystem, the se-cure sketch can be decoded as long as symbolsin the biometric feature vector can be guessed correctly and theremaining symbols are treated as erasures. If the se-lected error correcting code is maximum distance separable (i.e.,it satisfies the Singleton bound), then .For example, the Reed–Solomon code used in fuzzy vault ismaximum distance separable with and .Hence, the polynomial in a fuzzy vault can be successfullyreconstructed if genuine points can be identified fromthe vault.As pointed out in Section II-B, the error correction decoder in

a biometric cryptosystem is generally constrained to run in poly-nomial-time. This approach has two limitations. First, it restrictsthe number of errors that can be corrected to ,thereby leading to more false rejects for genuine users. Giventhe large intrauser variations in biometric features, it is oftendifficult to find codes with sufficient error correction capabilitythat can provide high GAR. Second, the above approach re-quires analysis of two separate attack strategies: (i) a false ac-cept attack, where the attacker attempts to decode a given se-cure sketch by invoking the polynomial-time decoder multipletimes with different nonmatching queries from a database, and



(ii) a brute-force attack, where the attacker directly tries to guesssymbols in the original biometric feature vector.

It is not clear which strategy is more efficient from the attacker’sperspective.In this paper, we relax the constraint that the decoder needs to

run in polynomial-time. During each iteration of our decodingalgorithm, we consider only a subset of most reliable symbolsfrom the codeword and attempt to decode the sketch by consid-ering the remaining symbols as erasures. If the sketch cannot bedecoded in a particular iteration, we attempt to decode it using asmaller subset of symbols with minimum size .Thus, the sketch will be eventually decoded for every authen-tication query. However, the decoding complexity will be dif-ferent for the genuine and impostor cases. In practice, one canset a threshold on the decoding complexity for genuine usersand measure GAR as the fraction of genuine authentication at-tempts where the decoding complexity is less than the selectedthreshold. The security is measured as the minimum compu-tational complexity faced by the attacker for a successful de-coding among the various impostor match attempts. Thus, theproposed security metric takes into account both the false ac-cept (number of impostor attempts needed) and brute-force at-tack (minimum complexity of an impostor attempt) strategies.1) Fuzzy Vault Encoding: Let be the biometric

template represented as a set of points, which is to be securedusing a vault. Let be the universe of all possible biometricpoints. In practice, the points in may not necessarily be ele-ments of the field . To construct a vault, each point in is as-signed3 to a point from . Let be the element in associatedwith the point in , and let .A set of chaff points are randomly selected from (“ ”denotes the set difference operator). Let be the

set of chaff points and let be the corresponding

set of points obtained by mapping elements in to elementsin . Given a key of length bits, we encode it as a poly-nomial of degree . Finally, the vault is obtained as a set of3-tuples as follows: , where ,

, is the corresponding element in ,and is given by

ifif .

2) Fuzzy Vault Decoding: Let be the setof points in the authentication query. For each point

in the vault, its distance to the closest querypoint is computed and the list of vault points is sorted basedon this distance. The ordered set of points in the vault isgiven by ,where if , and

. Finally, the Berlekamp–Massey4 (B-M)algorithm [42] is applied on subsets of different lengths derivedfrom to decode the vault and thereby recover the associatedpolynomial and the key (see Algorithm 1).

3This mapping can be stored as a lookup table or defined by a hash function.4The Berlekamp–Massey (B-M) algorithm is one of the well-known decoding

algorithms used for Reed–Solomon codes.

Algorithm 1 Fuzzy vault decoding based onBerlekamp–Massey algorithm [42].

Input:(Ordered vault points); (Degree of polynomial)forall5 to do

for to doforall , do

if is the required polynomial thenReturn

end ifend forall

end forend forallReturn{ performs a Berlekamp–Masseydecoding of the set of points for a polynomial of degree }

Algorithm 1 is based on the following principle. Given a setof points from the vault, the B-M decoding allows recoveryof the polynomial if there are at least genuinepoints in the given set. Since the points in the vault are orderedaccording to their likelihood of being genuine, we consider sub-sets of most likely points in parallel. If aselected subset of length cannot decode the vault, some pointsin the subset are randomly removed to obtain smaller subsets ofminimum size . Since all points in the vault are usedin decoding, the vault will always be eventually decoded, butthe decoding complexity will be different for each query. Sincethe points in the vault are ordered based on their distance to thepoints in the query biometric set, one would expect the decodingcomplexity for a genuine user to be significantly less than thedecoding complexity for an impostor.3) Fuzzy Commitment Implementation: In the fuzzy com-

mitment technique, the biometric template of length isbound to a codeword of the same length to generatethe secure sketch as follows: . The codewordis obtained from a key of length by adding

error correcting bits to it. Algorithm 2 provides the fuzzy com-mitment decoding procedure. If the error (crossover) probabil-ities of each bit in the biometric feature vector is known, it ispossible to consider some of the least reliable bits as erasuresduring decoding. As in the case of fuzzy vault, we consider themost reliable bits in parallel

and treat the remaining bits as erasures. If the decoding is stillnot successful, a subset of reliable bits of size are flipped. Ifthe number of errors among the flipped bits is more than ,then the number of errors will be less after flipping, thereby in-creasing the possibility of successful decoding.

5forall is the parallel for-loop; all instances of the loop run in parallel.



Algorithm 2 A fuzzy commitment decoding algorithm thatallows for erasures in the codeword based on the crossoverprobabilities.

Input: (corrupted codeword); (bitreliability vector where indicates the reliability(1-crossover probability) of , ); .forall to do

for to doforall , do

if is the required key thenReturn

end ifend forall

end forend forallReturn{ is an error correction decoder thatcorrects the errors in the corrupted codeword toobtain a key of length , while considering all bits whoseindices are not indicated in as erasures. The function

returns the indices of the most reliablebits. returns the codeword , in which thebits in corresponding to points in are flipped.}

C. Constrained Multibiometric Cryptosystem

One of the limitations of a multibiometric system is that itis possible for an adversary to get successfully authenticatedby spoofing only a subset of the involved biometric traits [43].This issue is also a concern for a multibiometric cryptosystem.Ideally, a multibiometric system should ensure the presence of aminimum amount of discriminatory information from a subsetor all the biometric traits of the user, especially those that aredifficult to spoof. We refer to a cryptosystem that enforces sucha requirement as a constrained multibiometric cryptosystem andthe traits for which a minimum matching constraint is appliedas constrained traits.There are many ways to impose a minimum matching con-

straint for a biometric modality within a multibiometric cryp-tosystem. For example, when only two modalities are involved,it is possible to set the error correction capacity in such a waythat even a perfect match in one modality is not sufficient todecode the secure sketch and some minimum level of simi-larity is also required for the second modality. Such an approachwill have high template security, but will reduce the GAR sig-nificantly. Alternatively, one can store separate unibiometricsketches for each modality and allow them to be decoded in-dividually. This approach will lower the security, but will resultin higher GAR compared to the first approach.We propose a constrained multibiometric cryptosystem that

does not affect the security of a multibiometric secure sketch,

but enforces a matching constraint on individual modalities.Our approach is conceptually similar to the modular multibio-metric cryptosystem proposed in [31]. The proposed approachassumes that two different representations called the primaryand secondary representations are available for the constrainedbiometric modalities. These two representations satisfy the fol-lowing property: it should be hard to obtain the primary repre-sentation from the secondary representation. A simple way tosatisfy this requirement is to consider the given biometric fea-ture vector (e.g., minutiae set) as a primary representation andderive the secondary representation by applying a noninvert-ible transformation (e.g., minutiae aggregates [37]) to the givenfeature vector. Thus, even if the secondary representation is re-vealed, it is difficult to obtain the primary representation.For each of the constrained traits, its secondary representa-

tion is secured using the multibiometric cryptosystem using thefeature-level fusion framework whereas its primary representa-tion is secured using a unibiometric cryptosystem (see Fig. 2).The unibiometric cryptosystems corresponding to the variousconstrained traits will use unique keys that are different fromthe one used in the multibiometric cryptosystem. Finally, theunibiometric secure sketches are encrypted with a symmetriccryptographic algorithm such as AES, where the encryption keyis the same as the key associated with the multibiometric cryp-tosystem. The authentication involves two stages. In the firststage, the key associated with the multibiometric cryptosystemis recovered. This key is used to decrypt the unibiometricsecure sketches. In the second stage, the unibiometric securesketches are decoded. All the keys associated with the unibio-metric sketches must be correctly recovered for successfulauthentication.Unlike the simple multibiometric cryptosystem shown

in Fig. 1, the constrained multibiometric cryptosystem re-quires storage of both multibiometric and unibiometric securesketches. But the proposed approach has two advantages. First,the overall security of the templates is not affected becauseunibiometric sketches are encrypted using the key that is boundto the multibiometric sketch; unless the attacker decodes themultibiometric sketch he cannot compromise the unibiometricsketches. Second, the primary representation that is requiredto decode a unibiometric sketch cannot be obtained fromthe secondary representation. But successful authenticationrequires decoding of the multibiometric sketch as well as allthe unibiometric sketches. This ensures that the user has aminimum amount of information about each of the constrainedbiometric traits. The limitation of the proposed approach is thatit leads to a degradation in the GAR because it is possible thatan authentication attempt fails despite correct decoding of themultibiometric sketch, because one or more of the unibiometricsketches may not be decoded correctly.

IV. METHODOLOGY FOR SECURITY ANALYSIS

While information-theoretic measures such as entropy lossor leakage rates are typically used to characterize the securityof biometric cryptosystems, such measures are difficult to es-timate when the precise distribution of biometric features is



Fig. 2. Enrollment phase of a constrained multibiometric cryptosystem. The templates corresponding to each constrained trait (traits 1 and in this example)have two representations (the primary representation and the secondary representation for modality ). The secondary representation is securedusing a multibiometric secure sketch, while the primary representation is secured using a unibiometric sketch that is further encrypted using the key associatedwith the multibiometric cryptosystem.

not known. In practice, unrealistic assumptions about the bio-metric features (e.g., uniform distribution) are used to estimatethe leakage rates, which provide only loose upper bounds on thesecurity [44], [45]. To account for this factor, we assume that theattacker has access to a large biometric database (analogous toa dictionary attack in password-based systems). We then em-pirically estimate the security based on the minimum decodingcomplexity among all impostor matches tried by the attacker todecode a given secure sketch. While estimating the computa-tional complexity, we assume that the complexity of the errorcorrection decoder (e.g., B-M algorithm) is unity, and consideronly the number of times this decoder needs to be invoked. Theproposed security measure is a “product” of the number of im-postor matching attempts (related to false accept attacks) andthe minimum decoding complexity of an impostor matching at-tempt (related to brute force attacks). Thus, we combine the twoattack strategies traditionally used to estimate system security.Furthermore, during authentication, the symbols in the code-word are ordered based on the query prior to decoding. There-fore, the proposed security measure indirectly takes into accountthe distribution of biometric features and provides a more reli-able estimate of the difficulty in breaking a secure sketch, whichis usually greater than FAR bits.

A. Fuzzy Vault Security

Suppose that the attacker has access to impostor samplesto decode a vault . Let denote a set containing the firstpoints from the ordered set of vault points . Here, the

ordering is based on the distance of the vault points to the pointsin the query biometric set from impostor . Let be the numberof genuine points in , i.e., , where is theenrolled template secured using . For ,where is the total number of points in the vault, three differentscenarios are possible.

1) If , the B-M algorithm will return thecorrect polynomial in a single attempt.

2) If , one needs to find theminimum value of such that when chaff points areremoved from , becomes greater than

. Hence, and the

corresponding complexity is approximately .

3) If , the vault cannot be decoded using . Inthis case, the corresponding value of complexity is consid-ered to be .

Based on the above analysis, the security of the vault can beexpressed as

(1)

where . The first term in (1) measuresthe complexity of a brute-force attack by an impostor and isminimized over all impostor samples. Therefore, adding moreimpostors is likely to lower this term. However, adding moreimpostors (false accept attack) will also increase the number ofcomputations needed, which is reflected by the term. An in-crease in the polynomial degree will increase and conse-quently result in higher security.In the case of multibiometric fuzzy vault, it is possible that

a poor quality sample from one of the modalities can lead to ahigher decoding complexity if the relative quality of the samplesis not taken into account when generating the multibiometrictemplate. In order to address this issue, we also check if anysubset of biometric modalities can decode the vault. The final



value of security is the minimum among the security based onthe multibiometric query and that based on different subsets ofthe query biometric traits.Since the decoding algorithm is common to both the genuine

user and the impostor, we can also estimate the decoding com-plexity for a genuine match. Let denote a set containing thefirst points from the ordered set of vault points , wherethe ordering is based on the distance of the vault points to thepoints in the query from the genuine user. Let be the numberof genuine points in , i.e., . The decoding com-plexity for the genuine user can be expressed as

(2)

where .

B. Fuzzy Commitment Security

To decode a fuzzy commitment sketch, one needs to guess thebits in the binary template . Though the length of the templateis bits, the entropy6 of the template is typically much

less than bits. This is because some bits may not be uniformlydistributed (0 and 1 values are not equally likely), while theremay also be correlation between the bits.Suppose that the attacker has access to impostor samples

and a sketch . For each impostor , a corrupted codewordis obtained as , where is the binary feature vectorfrom impostor . Let denote a set containing the indices ofthe most reliable bits in the biometric template.7 Let , ,and be substrings of , , and , respectively, containingonly those bits whose indices are in . The Hamming distancebetween and is denoted as .Let be the error correction decoder that

corrects the errors in the corrupted codeword to obtain a keyof length while considering all bits whose indices are not inas erasures. When the attacker invokes the above error cor-

rection decoder for values of in the range ,where is the minimum distance of the code, three differentscenarios are possible.1) The values of and are such that

, where is the number of erasures andis the number of errors. In this case, the decoder will

return the correct key in a single attempt.2) If , the attacker can try to find

such that, when errors are corrected from ,becomes less than or equal to .

If such an exists, then its minimum value is given byand the

corresponding complexity is approximately .

3) If no such can be found, the secure sketch cannot bedecoded by considering the least reliable bits as

6We use a procedure similar to the one used in [46] to estimate the entropy.See [47, Appendix A] for details.7We assume that the attacker can somehow estimate the bit reliability vector

(i.e., the crossover probability for each bit in the biometric template).

erasures. Hence, the corresponding value of complexity isconsidered to be .

Based on the above analysis, the security of the fuzzy com-mitment scheme can be expressed as

(3)

where . The above expression, however,assumes that the bits in are independent and uniformlyrandom. Suppose that the entropy of is only bits. Inthis case, the effective Hamming distance between and

is and the corresponding value ofis .Thus, the security is given by

(4)

Suppose is a genuine authentication query and is theeffective Hamming distance between and , where and

are the substrings of and , respectively, containingonly the most reliable bits. The decoding complexity for agenuine match can be expressed as

(5)

where .

V. EXPERIMENTAL RESULTS

A. Databases

We have evaluated the recognition performance and securityof the proposed multibiometric cryptosystems on two differentmultimodal databases, each containing face, fingerprint, and irismodalities. The first database is a virtual multimodal databaseobtained by randomly linking subjects from FVC2002-DB-2(fingerprint), CASIA Iris database Ver-1, and XM2VTS (face)databases. The virtual multimodal database consists of the fullfingerprint database (100 subjects), first 100 subjects from theface database, and first 100 subjects from the iris database. Wealso use the WVU multimodal database, which is a real mul-timodal database containing fingerprint, iris, and face imagesfrom 138 different users. In our experiments, we consider onegenuine authentication attempt per user and impostor attemptsare simulated by using one impression of each user’s biometricto authenticate as every other user. Consequently, the number ofimpostor attempts is 9900 (100 99) for the virtual multi-modal database and 18 906 (138 137) for the real multimodaldatabase. Fig. 3 shows sample images from the different bio-metric databases used.



Fig. 3. Sample iris, fingerprint, and face images from (a) CASIA Ver-1,FVC2002 DB-2, and XM2VTS databases, respectively, and (b) WVU multi-modal database. Note that the quality of iris images from WVU database ismuch lower than that from the CASIA database.

1) Fingerprint Features: Fingerprint minutiae are extractedusing the procedure detailed in [48]. To obtain the binary stringrepresentation from the minutiae set, we follow the approachoutlined in Section III-A2 with 500 hyper-rectangles (cuboidsin 3-D space) aligned along the horizontal location, vertical lo-cation, and orientation axis associated with minutiae. Differentfeatures such as sum of distances of minutiae from the six wallsof the cuboids and mean and standard deviations of minutiaealong each of the three axes, are extracted from each cuboid inorder to obtain a vector of length 3500. LDA is used to reducethe dimensionality of this vector to 80. Each LDA coefficient isconverted into a 40-bit unary representation and they are con-catenated to obtain a 3200 (40 80)-bit binary string. We selecta subset of the most discriminable bits using the proceduredescribed in Section III-A1. The first impression of the finger isused for enrollment, the second one is used as the authentica-tion sample, and the remaining impressions are used as trainingset in order to compute the LDA features. Since no training isrequired for extracting minutiae, only the first two impressionsare used in constructing the fuzzy vault.2) Iris Features: The binary IrisCode features are extracted

based on the algorithm described in [49]. In the case of theCASIA Ver-1 database, 48 different radii and 360 differentangles are used whereas in the case of the WVU Iris data-base, 20 different radii and 240 different angles are used. Thecomplete IrisCodes are thus 34 560 and 9600-bits long for theCASIA Ver-1 and WVU Iris databases, respectively.In order to reduce the dimensionality of the iriscode and re-

move the redundancy present in the code, LDA is applied to theiriscode features. Only the top 80 LDA coefficients are retained

and these real-valued features are then binarized usingthe technique proposed in Section III-A1 with . In orderto obtain the point-set representation, 800 bits selected from thebinarized LDA features are divided into 20 segments of 40 bitseach. As in the case of fingerprints, one iris sample is used forenrollment, one sample is used for authentication, and the re-maining samples are used as the training set in order to computethe LDA features.3) Face Features: Alignment of face images is essential

prior to feature extraction. For theWVU database, eye locationswere automatically extracted using Identix FaceIT software, aregion of size 120 100 was cropped such that interpupil dis-tance is 60 pixels. In the case of the XM2VTS database, we useFaceVACS software from Cognitec in order to extract the eyecoordinates to align all the face images. The interpupil distanceis set to 37.5 pixels. We then crop the aligned face image to a re-gion of size 120 100 pixels. Histogram equalization is used to

reduce the effect of illumination variations. Finally, we extract80 LDA coefficients that constitute the real-valuedfeature vector representing a face image. The same procedureapplied to the iris LDA coefficients is also applied to the faceLDA coefficients to generate a binary string and point-set rep-resentations for the face modality. Again, one face image eachis used for enrollment and authentication, while the remainingsamples are used as the training set.

B. Parameter Selection

1) Unibiometric Fuzzy Vaults: We consider the Galois fieldas the finite field in all our experiments. In the

case of fingerprint fuzzy vault, a set of at most 24 good qualityand well separated minutiae is selected from the given finger-print image as the biometric points. The chaff points are ran-domly generated as in [19] to obtain a vault with 224 points( , , and ). In addition to genuine minu-tiae and chaff points, points on the fingerprint correspondingto high ridge curvature are also stored in the system. Thesepoints are not expected to reveal significant information aboutthe minutiae but can be effectively used to align the query fin-gerprint [19]. During authentication, the query minutiae set isfirst aligned with the vault using the high curvature points. Abounding box is then used to filter out points in the vault thatare not in close proximity [19] of the query minutiae. The queryis then further aligned with the remaining vault points using aminutiae matcher. These aligned points are then used to com-pute the closest distances of the vault points to the query pointsbased on which the vault points are ordered prior to decoding.The point-set representations for iris and face modalities can

be directly used to construct the iris and face vaults, respec-tively. To generate chaff points in the iris (face) vault, we poolthe iris (face) points extracted from all the iris (face) images inthe database (excluding the images of the user under consider-ation) and select the desired number (200) of chaff points fromthis pool. During authentication, Hamming distance is used toobtain the closest point in the query for each vault point.2) Multibiometric Fuzzy Vault: Multiple unibiometric vaults

can be easily converted into a single multibiometric vault byassociating the same key with them. Note that the keylength and hence, the polynomial degree of such amultibiometric vault is typically higher than the unibiometriccase. During decoding, multiple query biometrics are matchedwith the corresponding unibiometric vaults and an orderedsequence of points from each vault is obtained. These indi-vidual sequences of points are then merged such that the firstelements of the merged sequence contain approximately toppoints from the vault corresponding to the th biometric. In thecurrent implementation, we choose to be the same for all thebiometric traits. However, specific strategies can be designed toselect proper values of based on the quality of the individualbiometric traits and the number of genuine points from eachtrait.3) Fuzzy Commitment: We select 1023 most discriminable

bits from each of the three biometrics for the unibiometric fuzzycommitments . In order to create a multibiometriccryptosystem with different biometric traits, we extract



Fig. 4. G-S curves for fuzzy vault for iris, fingerprint, and face images fromCASIAVer-1, FVC 2002DB-2, and XM2VTS databases, respectively, the base-line multibiometric cryptosystem based on AND-fusion rule and the proposedmultibiometric crytposystem using all three modalities.

most discriminative bits from the pool of bits avail-able from all the constituent biometric traits. In our experiments,we assume different values of (the minimum distance ofthe error correcting code) in the range 0.02 to 0.6 times the totalnumber of bits .

C. Performance Evaluation

We evaluate the trade-off between recognition accuracy andsecurity of the proposed multibiometric cryptosystems usingthe GAR-Security (G-S) curves. The G-S curve is obtained byvarying the error correction capacity of the code (varying poly-nomial degree in the case of fuzzy vault and for fuzzycommitment) used in the biometric cryptosystem. Here, we as-sume that the system accepts a query if its decoding complexity(as computed using (2) in case of the fuzzy vault, and (5) in thecase of fuzzy commitment) is less than 15 bits.Figs. 4 and 5 show the performance of the multibiometric

fuzzy vault for the virtual and real multimodal databases, re-spectively. In general, it can be observed that incorporating ad-ditional biometric features does increase the performance of thesystem. In case of the virtual multimodal database, the securityof the iris fuzzy vault at a GAR of 90% is 45 bits; however, whenfingerprint and face are also incorporated in the fuzzy vault, thesecurity increases to around 90 bits at the same GAR. When thetemplates are secured individually and the AND fusion rule is ap-plied, i.e., the authentication is deemed successful only when allthe unibiometric cryptosystems are decoded, the security at 90%GAR is around 40 bits. However, in the case of the WVU data-base, there is only a marginal increase in performance comparedto the best modality (face). This can be attributed to the lowerquality8 of the iris and fingerprint images in the WVU databasecompared to the CASIA and FVC2002-DB2 databases, respec-tively. In fact, the GAR of the iris fuzzy vault for the WVUdatabase at zero-FAR is 0%, which is the reason why the G-Scurve corresponding to iris is not shown in Fig. 5.

8Please refer to the technical report [47] for more details.

Fig. 5. G-S curves for fuzzy vault for iris, fingerprint, and face images fromWVUMultimodal database, the baseline multibiometric cryptosystem based onAND-fusion rule and the proposed multibiometric crytposystem using all threemodalities.

Fig. 6. G-S curves for fuzzy commitment for iris, fingerprint, and face imagesfrom CASIA Ver-1, FVC 2002 DB-2, and XM2VTS databases, respectively,the baseline multibiometric cryptosystem based on AND-fusion rule and the pro-posed multibiometric crytposystem using all three modalities.

The results corresponding to fuzzy commitment are shown inFigs. 6 and 7 for the virtual and real multimodal databases, re-spectively. The G-S curves are obtained by varying of theerror correcting code. Similar to fuzzy vault, the performanceof the multibiometric fuzzy commitment is significantly betterthan the unibiometric systems.Table III summarizes the GAR of different biometric cryp-

tosystems at a security level of 53 bits, which is equivalent to theguessing entropy of an 8-character password randomly chosenfrom a 94-character alphabet [50]. We observe that the perfor-mances of the unibiometric cryptosystems are quite low, whichmay be due to three reasons. First, as mentioned earlier, thequality of iris and fingerprint samples in the WVU multimodaldatabase is substantially lower than the quality of samples inthe FVC2002-DB-2 and CASIA ver1 databases, respectively.



Fig. 7. G-S curves for fuzzy commitment for iris, fingerprint, and face imagesfrom WVU Multimodal database, the baseline multibiometric cryptosystembased on AND-fusion rule and the proposed multibiometric crytposystem usingall three modalities.

TABLE IIICOMPARISON OF GENUINE ACCEPT RATES OF THE DIFFERENT BIOMETRICCRYPTOSYSTEMS AT A SECURITY LEVEL OF 53 BITS, WHICH EQUALS THE

SECURITY IMPARTED BY A RANDOMLY CHOSEN EIGHT-CHARACTER PASSWORD[50]. HERE, BASELINE FUSION REFERS TO SECURING INDIVIDUAL TEMPLATESUSING UNIBIOMETRIC CRYPTOSYSTEMS AND COMBINING DECISIONS USINGAND-RULE FUSION, WHILE THE PROPOSED FUSION SCHEME USES A SINGLE

MULTIBIOMETRIC SECURE SKETCH

This explains the inferior performance of iris and fingerprint-based cryptosystems when evaluated on the WVU multimodaldatabase. Second, there is a loss of discriminatory informationduring the feature transformation (embedding) stage (more de-tails about this issue are discussed in the technical report [47]).This explains the better performance of the unibiometric cryp-tosystems when the native representation scheme is used. Forexample, in both the real and virtual multimodal databases, irisfuzzy commitment performs better than a iris fuzzy vault. Sim-ilarly, the performance of fingerprint fuzzy vault is generallybetter than a fingerprint fuzzy commitment. Finally, the secu-rity level of 53 bits used in Table III is higher when compared tothose typically reported in the literature [19], [25]. Furthermore,the proposed security measure takes into account the distribu-tion of biometric features and hence, provides a tighter boundon the security of the sketch.For the multibiometric fuzzy vault implementation reported

in [30], where iris and fingerprint templates from MSU-DBIdatabase and CASIA Ver-1 database, respectively, were secured

together, the genuine accept rate was 98.2% at a security of49 bits. Note that the security estimate in [30] assumes uniformdistribution of biometric features. In our implementation, thegenuine accept rate is 99% at a security of 49 bits [47] based onthe FVC2002-DB2 and the CASIA Ver-1 databases. In [31], se-curity of the system has not been explicitly reported. In [17], theproposed technique performs fusion of two different 3-D facerecognition algorithms and thus cannot be directly compared tothe techniques proposed here. In [16], no experimental resultswere reported.To validate the constrained multibiometric cryptosystem,

we implemented a system consisting of iris and fingerprintmodalities, where minimum matching constraints are imposedfor the fingerprint modality. We further assume that the adver-sary has knowledge about the iris biometric, i.e., he has accessto some iris image of the enrolled user. In this experiment, amultibiometric fuzzy commitment is implemented and a sec-ondary representation of fingerprints is obtained using minutiaeaggregates. Minutiae are employed as the primary fingerprintrepresentation, and hence a fuzzy vault is used in the secondstage. The degree of polynomial for the fuzzy vault is selectedsuch that the sum of security in bits and GAR in percentageof the resulting system is maximized. Using this constrainedmultibiometric cryptosystem, it is possible to achieve a securityof 35 bits even if the iris features of a genuine user are knownto the adversary. However, the GAR for this scenario is only15% compared to a GAR of 70%, when no constraints wereimposed on the fingerprint modality.

VI. CONCLUSIONS AND FUTURE WORK

We have proposed a feature-level fusion framework for thedesign of multibiometric cryptosystems that simultaneouslyprotects the multiple templates of a user using a single securesketch. The feasibility of such a framework has been demon-strated using both fuzzy vault and fuzzy commitment, whichare two of the most well-known biometric cryptosystems. Wehave also proposed different embedding algorithms for trans-forming biometric representations, efficient decoding strategiesfor fuzzy vault and fuzzy commitment, and a mechanism toimpose constraints such as minimum matching requirementfor specific modalities in a multibiometric cryptosystem. Arealistic security analysis of the multibiometric cryptosys-tems has also been conducted. Experiments on two differentmultibiometric databases containing fingerprint, face, and irismodalities demonstrate that it is indeed possible to improveboth the matching performance and template security using themultibiometric cryptosystems.There are four critical issues that need to be investigated fur-

ther: 1) Embedding schemes for transforming one biometricrepresentation into another, while preserving the discriminativepower of the original representation; 2) a better feature fusionscheme to generate a compact multibiometric template that re-tains most of the information content in the individual tem-plates; 3) methods to improve the security analysis by accuratelymodeling the biometric feature distributions; and 4) evaluationof the proposed cryptosystem on large multimodal databases.



REFERENCES

[1] A. Ross, K. Nandakumar, and A. K. Jain, Handbook of Multibiomet-rics. New York: Springer, 2006.

[2] 3M Cogent, Fusion—Multi-Modal Biometric Handheld Device [On-line]. Available: http://www.cogentsystems.com/fusion_d3.asp

[3] MorphoTrak, MetaMatcher—Amulti-biometric matching architecture[Online]. Available: http://www.morphotrak.com/MorphoTrak/Mor-phoTrak/mt_multi-biometrics.html

[4] A. Jain, K. Nandakumar, and A. Nagar, “Biometric template security,”EURASIP J. Adv. Signal Process., vol. 2008, 2008.

[5] A. Juels and M. Sudan, “A fuzzy vault scheme,” in Proc. IEEE Int.Symp. Information Theory, Lausanne, Switzerland, 2002, p. 408.

[6] A. Juels and M. Wattenberg, “A fuzzy commitment scheme,” in Proc.Sixth ACM Conf. Computer and Communications Security, Singapore,Nov. 1999, pp. 28–36.

[7] Y. Dodis, R. Ostrovsky, L. Reyzin, and A. Smith, FuzzyExtractors: How to Generate Strong Keys From Biometricsand Other Noisy Data Cryptology ePrint Archive, Tech. Rep.235, Feb. 2006, A preliminary version of this work appearedin EUROCRYPT 2004.

[8] T. Ignatenko and F. M. J. Willems, “Biometric systems: Privacy andsecrecy aspects,” IEEE Trans. Inf. Forensics Security, vol. 4, no. 4, pp.956–973, Dec. 2009.

[9] A. B. J. Teoh, K.-A. Toh, and W. K. Yip, “ discretisation of Bio-Phasor in cancellable biometrics,” in Proc. Second Int. Conf. Biomet-rics, Seoul, South Korea, Aug. 2007, pp. 435–444.

[10] N. K. Ratha, S. Chikkerur, J. H. Connell, and R. M. Bolle, “Generatingcancelable fingerprint templates,” IEEE Trans. Pattern Anal. Mach.Intell., vol. 29, no. 4, pp. 561–572, Apr. 2007.

[11] W. Scheirer and T. Boult, “Bio-cryptographic protocols with bipartitebiotokens,” in Proc. Biometric Symp., Tampa, FL, 2008.

[12] K. Nandakumar, A. Nagar, and A. K. Jain, “Hardening fingerprintfuzzy vault using password,” in Proc. Second Int. Conf. Biometrics,Seoul, South Korea, Aug. 2007, pp. 927–937.

[13] M. Turk and A. Pentland, “Eigenfaces for recognition,” J. CognitiveNeuroSci., vol. 3, no. 1, pp. 71–86, 1991.

[14] P. N. Belhumeur, J. P. Hespanha, and D. J. Kriegman, “Eigenfacesversus Fisherfaces: Recognition using class specific linear projection,”IEEE Trans. Pattern Anal. Mach. Intell., vol. 9, no. 7, pp. 711–720, Jul.1997.

[15] J. Daugman, “Recognizing persons by their iris patterns,” inBiometrics: Personal Identification in Networked Society, A. K.Jain, R. Bolle, and S. Pankanti, Eds. London, U.K.: Kluwer,1999, pp. 103–122.

[16] B. Fu, S. X. Yang, J. Li, and D. Hu, “Multibiometric cryptosystem:Model structure and performance analysis,” IEEE Trans. Inf. ForensicsSecurity, vol. 4, no. 4, pp. 867–882, Dec. 2009.

[17] E. Kelkboom, X. Zhou, J. Breebaart, R. Veldhuis, and C. Busch,“Multi-algorithm fusion with template protection,” in Proc. IEEE 3rdInt. Conf. Biometrics: Theory, Applications, and Systems, Washington,DC, Sep. 2009.

[18] S. Yang and I. Verbauwhede, “Automatic secure fingerprint verificationsystem based on fuzzy vault scheme,” in Proc. IEEE Int. Conf. Acous-tics, Speech, and Signal Processing, Philadelphia, PA, Mar. 2005, vol.5, pp. 609–612.

[19] K. Nandakumar, A. K. Jain, and S. Pankanti, “Fingerprint-based fuzzyvault: Implementation and performance,” IEEE Trans. Inf. ForensicsSecurity, vol. 2, no. 4, pp. 744–757, Dec. 2007.

[20] Y. C. Feng and P. C. Yuen, “Protecting face biometric data on smart-card with Reed-Solomon code,” in Proc. CVPR Workshop on Biomet-rics, New York, Jun. 2006.

[21] Y. J. Lee, K. Bae, S. J. Lee, K. R. Park, and J. Kim,“Biometric key binding: Fuzzy vault based on iris images,” inProc. Second Int. Conf. Biometrics, Seoul, South Korea, Aug.2007, pp. 800–808.

[22] M. Freire-Santos, J. Fierrez-Aguilar, and J. Ortega-Garcia, “Crypto-graphic key generation using handwritten signature,” in Proc. SPIEConf. Biometric Technologies for Human Identification, Orlando, FL,Apr. 2006, vol. 6202, pp. 225–231.

[23] J. Bringer, H. Chabanne, G. Cohen, B. Kindarji, and G. Zemor, “Theo-retical and practical boundaries of binary secure sketches,” IEEE Trans.Inf. Forensics Security, vol. 3, no. 4, pp. 673–683, Dec. 2008.

[24] T. A. M. Kevenaar, G. J. Schrijen, M. vanderVeen, A. H. M. Akker-mans, and F. Zuo, “Face recognition with renewable and privacy pre-serving binary templates,” in Proc. AutoID, 2005, pp. 21–26.

[25] F. Hao, R. Anderson, and J. Daugman, “Combining crypto withbiometrics effectively,” IEEE Trans. Comput., vol. 55, no. 9, pp.1081–1088, Sep. 2006.

[26] E. Maiorana and P. Campisi, “Fuzzy commitment for function basedsignature template protection,” IEEE Signal Process. Lett., vol. 17, no.3, pp. 249–252, Mar. 2010.

[27] W. J. Scheirer and T. E. Boult, “Cracking fuzzy vaults and biometricencryption,” in Proc. Biometrics Symp., Baltimore, MD, Sep. 2007.

[28] R. Plaga, “Biometric keys: Suitable use cases and achievable informa-tion content,” Int. J. Inf. Security, vol. 8, pp. 447–454, 2009.

[29] Y. Sutcu, Q. Li, and N. Memon, “Secure biometric templates fromfingerprint-face features,” in Proc. CVPR Workshop Biometrics, Min-neapolis, MN, Jun. 2007.

[30] K. Nandakumar and A. K. Jain, “Multibiometric template securityusing fuzzy vault,” in Proc. IEEE 2nd Int. Conf. Biometrics: Theory,Applications, and Systems, Washington, DC, Sep. 2008.

[31] S. Cimato, M. Gamassi, V. Piuri, R. Sassi, and F. Scotti, “Privacy-aware biometrics: Design and implementation of a multimodal verifi-cation system,” in Proc. IEEE Ann. Conf. Computer Security Applica-tions, Los Alamitos, CA, 2008.

[32] C. Fang, Q. Li, and E.-C. Chang, “Secure sketch for multiple secrets,”in Proc. Int. Conf. Applied Cryptography and Network Security, Nejra,Spain, 2010.

[33] D. Rhodes, “Methods for binary multidimensional scaling,” NeuralComputation, vol. 14, pp. 1195–1232, 2002.

[34] A. Andoni and P. Indyk, “Near-optimal hashing algorithms for approx-imate nearest neighbor in high dimensions,” in IEEE Symp. Founda-tions Computer Science, 2006, pp. 459–468.

[35] C. Chen, R. N. J. Veldhuis, T. A. M. Kevenaar, and A. H. M. Akker-mans, “Biometric quantization through detection rate optimized bit al-location,” EURASIP J. Adv. Signal Process., vol. 2009, 2009.

[36] C. Chen and R. Veldhuis, “Binary biometric representation throughpairwise polar quantization,” in Proc. Int. Conf. Biometrics, 2009, pp.72–81.

[37] A. Nagar, S. Rane, and A. Vetro, “Privacy and security offeatures extracted from minutiae aggregates,” in Proc. IEEE Int.Conf. Acoustics, Speech and Signal Processing, Dallas, TX, Mar.2010, pp. 524–531.

[38] H. Xu, R. Veldhuis, T. Kevenaar, A. Akkermans, and A. Bazen, “Spec-tral minutiae: A fixed-length representation of a minutiae set,” in Proc.IEEE Computer Vision and Pattern Recognition Workshop on Biomet-rics, Anchorage, AK, 2008.

[39] F. Farooq, R. Bolle, T. Jea, and N. Ratha, “Anonymous and revocablefingerprint recognition,” in Proc. IEEE Computer Vision and PatternRecognition, Minneapolis, MN, Jun. 2007.

[40] L. Fei-Fei and P. Perona, “A Bayesian hierarchical model for learningnatural scene categories,” in Proc. IEEE Computer Vision and PatternRecognition, 2005, pp. 524–531.

[41] J. I. Hall, Notes on Coding Theory 2001 [Online]. Available: http://www.mth.msu.edu/~jhall/classes/codenotes/GRS.pdf

[42] E. R. Berlekamp, Algebraic Coding Theory. New York: McGraw-Hill, 1968.

[43] R. N. Rodrigues, L. L. Ling, and V. Govindaraju, “Robustness of mul-timodal biometric fusion methods against spoof attacks,” J. Vis. Lang.Comput., vol. 20, no. 3, pp. 169–179, 2009.

[44] A. Nagar and A. K. Jain, “On the security of non-invertible fingerprinttemplate transforms,” in Proc. IEEE Workshop Information Forensicsand Security, London, U.K., Dec. 2009.

[45] E.-C. Chang, R. Shen, and F. W. Teo, “Finding the original point sethidden among chaff,” in Proc. 2006 ACM Symp. Information, Com-puter and Communications Security, Taipei, Taiwan, Jun. 2006.

[46] J. Daugman, “The importance of being random: Statistical principlesof iris recognition,” Pattern Recognit., vol. 36, pp. 279–291,2003.

[47] A. Nagar, K. Nandakumar, and A. K. Jain, Multibiometric Cryptosys-tems Department of Computer Science and Engineering, MichiganState University, Tech. Rep. MSU-CSE-11-4, 2011.

[48] A. K. Jain, L. Hong, and R. Bolle, “On-line fingerprint verification,”IEEE Trans. Pattern Anal. Mach. Intell., vol. 19, no. 4, pp. 302–314,Apr. 1997.

[49] S. Shah, “Enhanced Iris Recognition: Algorithms for Segmentation,Matching and Synthesis,” Master’s Thesis, Department of ComputerScience and Electrical Engineering, West Virginia University, Morgan-town, WV, 2006.

[50] W. E. Burr, D. F. Dodson, and W. T. Polk, Information Security: Elec-tronic Authentication Guideline NIST, Tech. Rep. Special Rep. 800-63,Apr. 2006.



Abhishek Nagar (S’08) received the five-year Inte-grated M.Tech. degree from Indian Institute of Tech-nology (IIT) Delhi, India, in 2006. He is working to-ward the Ph.D. degree at the Department of ComputerScience and Engineering, Michigan State University,East Lansing.His research interests include biometric template

security, pattern recognition, and image processing.Mr. Nagar received the Best Scientific Paper

Award (Biometrics Track) at ICPR 2008.

Karthik Nandakumar (M’02) received the B.E. de-gree from Anna University, Chennai, India in 2002,the M.S. degrees in computer science (2005) andstatistics (2007), and the Ph.D. degree in computerscience (2008) from Michigan State University, EastLansing.He is a Scientist in the Department of Computer

Vision and Image Understanding at the Institutefor Infocomm Research, A*STAR, Fusionopolis,Singapore. His research interests include statisticalpattern recognition, biometric authentication, image

processing, and computer vision. He has coauthored a book titled Handbook ofMultibiometrics (Springer, 2006).Dr. Nandakumar received the Best Paper award from the Pattern Recognition

Journal (2005), the Best Scientific Paper Award (Biometrics Track) at ICPR2008, and the 2010 IEEE Signal Processing Society Young Author Best PaperAward.

Anil K. Jain (S’70–M’72–SM’86–F’91) is a uni-versity distinguished professor in the Departmentof Computer Science and Engineering at MichiganState University, East Lansing. His research interestsinclude pattern recognition and biometric authen-tication. He served as the editor-in-chief of theIEEE TRANSACTIONS ON PATTERN ANALYSIS ANDMACHINE INTELLIGENCE (1991–1994). The holderof six patents in the area of fingerprints, he is theauthor of a number of books, including Handbookof Fingerprint Recognition (2009), Handbook of

Biometrics (2007), Handbook of Multibiometrics (2006), Handbook of FaceRecognition (2005), BIOMETRICS: Personal Identification in NetworkedSociety (1999), and Algorithms for Clustering Data (1988). He served as amember of the Defense Science Board and The National Academies commit-tees on Whither Biometrics and Improvised Explosive Devices.Dr. Jain received the 1996 IEEE TRANSACTIONS ON NEURAL NETWORKS

Outstanding Paper Award and the Pattern Recognition Society best paperawards in 1987, 1991, and 2005. He is a fellow of the AAAS, ACM, IAPR, andSPIE. He has received Fulbright, Guggenheim, Alexander von Humboldt, IEEEComputer Society Technical Achievement, IEEE Wallace McDowell, ICDMResearch Contributions, and IAPR King-Sun Fu awards. ISI has designatedhim a highly cited researcher. According to Citeseer, his book Algorithms forClustering Data (Englewood Cliffs, NJ: Prentice-Hall, 1988) is ranked #93 inmost cited articles in computer science.


Date post:	22-Nov-2014
Category:	Technology
Upload:	ieeexploreprojects
View:	11,371 times
Download:	1 times