^{1, 2}

^{1, 2}

^{1}

^{1, 2}

^{1}

^{2}

Biometric template protection is indispensable to protect personal privacy in large-scale deployment of biometric systems. Accuracy, changeability, and security are three critical requirements for template protection algorithms. However, existing template protection algorithms cannot satisfy all these requirements well. In this paper, we propose a hybrid approach that combines random projection and fuzzy vault to improve the performances at these three points. Heterogeneous space is designed for combining random projection and fuzzy vault properly in the hybrid scheme. New chaff point generation method is also proposed to enhance the security of the heterogeneous vault. Theoretical analyses of proposed hybrid approach in terms of accuracy, changeability, and security are given in this paper. Palmprint database based experimental results well support the theoretical analyses and demonstrate the effectiveness of proposed hybrid approach.

Biometric based authentication is more convenient and reliable than password or token based authentication. However, biometric technology needs large-scale capture and storage of biometric data which leads to serious concern about privacy leakage and identity theft. Unlike passwords or tokens, biometric characteristics are inherent to a person; once they are compromised, they would never be reissued or refreshed. Therefore, biometric template protection techniques [

Broadly, biometric template protection techniques can be categorized into two classes, cancelable biometrics and biometric cryptosystems. For a typical biometric template protection scheme, three critical requirements are suggested to satisfy [

However, for cancelable biometrics and biometric cryptosystems, they cannot satisfy all these requirements quite well. And different approach has its advantages and disadvantages [

The cancelable biometrics often uses transform-based approach to generate new templates. This approach has good cancelability, but the security level is often lower than biometric cryptosystems, and in general no independent cryptographic key can be bound for cryptographic applications.

Biometric cryptosystems (BC) [

Considering the limitations of available approaches, hybrid approach [

In this paper, a novel hybrid approach is proposed to compensate the shortcomings of a single approach and meanwhile maintain the advantages of individual approach in the hybrid scheme.

The proposed hybrid scheme combines fuzzy vault scheme (FVS) [

Fuzzy vault scheme is one of the most popular biometric cryptosystems [

To combine random projection with fuzzy vault effectively, first, a heterogeneous space is defined; raw biometric features are projected into the heterogeneous space by random projection and long enough cryptographic key can be bound together with projected features in the heterogeneous space. A new chaff point generation method is also proposed to ensure the security even when the projection matrices are lost, and then three requirements of proposed hybrid are theoretically analyzed. Promising experimental results based on palmprint database show the validity of proposed hybrid approach.

The rest of this paper is organized as follows. The proposed hybrid approach is described in Section

The flow chart of proposed hybrid approach is shown in Figure

Flow chart of the proposed hybrid algorithm.

Assuming the fixed-length feature vector is

In order to generate multiple genuine points using single feature vector, one feature vector

The heterogeneous vault is a set of points in

The high dimensional palmprint feature vector

In genuine vector generation,

The key

In this step, the key

Given genuine vector

The chaff points are generated to protect genuine points against attacks such as clustering attack and compromised projection matrices attack.

The chaff points

The idea of chaff vector generation is shown in Figure

Illustration of chaff point generation idea.

The chaff vectors

Although the distances between one genuine vector and its chaff vectors are concentrated around its mean

A 2D vault with genuine vectors and chaff vectors.

After adding chaff points, all points in heterogeneous space are sorted according to the value of the first elements in real-valued vectors; after that, the vault can be stored in smartcard or central database.

Firstly, the query feature vector

Totally, there are

In this section, the accuracy, changeability, and security of proposed hybrid approach are analyzed theoretically.

If the projection matrices are nonorthogonal, the random projection can preserve the pairwise distances at a certain degree; this property is addressed by means of the Johnson-Lindenstrauss (JL) Lemma [

According to the J-L Lemma, an original set with

This property states that we can change the form of real-valued biometric feature vectors, but the discriminability of feature vectors are still preserved. So, this property can be used to generate multiple genuine vectors in vault generation.

In this case, the projection matrix

Suppose that

The above equation demonstrates that the pairwise Euclidean distances of feature vectors can be precisely preserved after orthogonal random projection.

The changeability of proposed scheme is provided by the random projection module. By refreshing the projection matrices, the projected feature vector can be updated. In this subsection, the statistical properties [

Let

According to (

If projection matrices are different; that is,

According to (

Assuming that an attacker has obtained the vault and all parameters of the vault, that is, the number of genuine points

In this condition, what an attacker can do is to employ brute force attack to decode the vault. Min-entropy [

In this case, the attacker will use randomly generated random matrices

Assuming projection matrices used in enrollment are

Since each entry in

These two equalities imply that original feature vectors are first projected by the same matrix

According to geometric-based analysis in [

From the above two cases, the total false accept probability can be expressed as

The total false accept probability depends on dimension

When the attacker only has projection matrices

Suppose Euclidean distance is used to measure the distance between two vectors; the probability can be written as follows:

Assuming that entries in

Since uniformly distribution in a given value range

Substituting (

This case is the user-independent scenario; all users use the same projection matrices. The attacker may take

From the fuzzification phase in vault generation, we know there are

In the above four different scenarios, the last one is the most severe scenario since the attacker has gotten most information. In (

In this section, the proposed hybrid scheme is evaluated based on palmprint database. Concrete experimental results in terms of accuracy, changeability, and security are presented to support the proposed hybrid approach.

The Handmetric Authentication Beijing Jiao Tong University database (HA-BJTU) [

The classic principle component analysis (PCA) and linear discriminant analysis (LDA) are used to extract the features from palmprints. In feature extraction (PCA and LDA), five palmprint images of each person are used for training and the rest 1483 palmprint images are used for test.

In experiments, the number of genuine points is set to be 31; for each genuine point, 20 chaff points are generated for fuzzification using proposed chaff point generating algorithm. And one symbol error is set to be corrected by ECC.

Similar to biometric verification system, receiver operating characteristic (ROC) curve (which includes two kinds of error rates, that is, the false accept rate (FAR) and the false reject rate (FRR)) and equal error rate (EER) (when FAR = FRR) are used to evaluate the accuracy of proposed hybrid system. ROC curves are obtained by varying the controlling distance between chaff vectors and genuine vectors. EER curves are obtained under different dimensionality of projected feature vectors.

In the random projection module of proposed hybrid system, random matrices and biometric templates are needed for feature transformations, so it is a two-factor scheme. Three different scenarios, that is, stolen-key, stolen biometrics, and both legitimate cases, should be considered.

For the stolen-key case, the impostor will use genuine projection matrices and impostor biometrics for vault unlocking. This is equal to user-independent (UI) scenario; that is, different users use the same projection matrices for vault unlocking, which characterizes the system accuracy when user-independent transformations are used. For the stolen-biometrics scenario, random generated projection matrices and genuine biometrics are used for vault unlocking. In both legitimate cases, different user uses different projection matrices for vault locking and unlocking. This is a user-dependent (UD) scenario.

Let

Figure

ROC curves in user-independent scenario.

EER curves in Figure

EER curves.

The changeability of proposed hybrid scheme is provided by the random projection module, where different enrolling features can be generated for different applications by applying random projection with different projection matrices.

Let

In experiments, each test palmprint feature vector is paired with five groups of randomly generated matrices to unlock the corresponding vault. There are 1483 test palmprints; 7415 times experiments are performed totally.

The experimental results are shown in Figure

Changeability.

According to the theoretical analysis of security in Section

In our experiments, the number of genuine points

Figures

Security by varying the number of genuine points.

Security by varying the number of chaff points around each genuine point.

Security by varying the number of error symbols that can be corrected by ECC.

To better satisfy accuracy, changeability, and security requirements for biometric template protection, in this paper, a hybrid approach for protecting real-valued palmprint feature vectors has been proposed. The proposed hybrid approach includes two modules: random projection and fuzzy vault scheme. A heterogeneous space was proposed for fuzzy vault to enhance the intraclass variant tolerating ability and the cryptographic key can be bound as long as needed. To improve the security of fuzzy vault in heterogeneous space, a chaff point generation method was also proposed.

Theoretical analyses from accuracy, changeability, and security perspectives were presented. For accuracy analysis, orthogonal projection and nonorthogonal projection were considered. For changeability analysis, statistical properties of projected feature vector were obtained using same projection matrices and different projection matrices have shown that higher dimension of projected feature vectors provides stronger cancelability. For security analysis, we considered four different scenarios that the attacker knows different information.

Experiments based on HA-BJTU palmprint database have given concrete data to support the proposed hybrid approach well in the view of accuracy, changeability, and security.

The authors declare that there is no conflict of interests regarding the publication of this paper.

This work is supported by NSFCs (nos. 61201158 and 61201203), PCSIRT (no. IRT201206), and the Key Laboratory of Advanced Information Science and Network Technology of Beijing.