


Design and Analysis of Fuzzy Extractors for Faces

Yagiz Sutcu a , Qiming Li b and Nasir Memon c

a Department of Electrical and Computer Engineering, Polytechnic Institute of NYU, 6 MetroTech Center, Brooklyn, NY, 11201, USA;

b Cryptography and Security Department, Institute for Infocomm Research, A-Star, 1 Fusionopolis Way, 138632, Singapore;

c Department of Computer Science and Engineering, Polytechnic Institute of NYU, 6 MetroTech Center, Brooklyn, NY, 11201, USA

ABSTRACT

It is both crucial and challenging to protect biometric data used for biometric identification and authentication systems, while keeping the systems user friendly. We study the design and analysis of biometric data protection schemes based on fuzzy extractors. Previous fuzzy extractors have limitations that make it difficult to handle continuous feature spaces, entropy estimation, and feature selection. We propose a scheme based on PCA features and a recently proposed fuzzy extractor for continuous domains. We conduct experiments using the ORL face database, and carefully analyze the entropies and the resulting security of the system. We explore and compare different ways to select and combine features, and show that randomization plays an important role in security, performance, and cancelability. Furthermore, the proposed feature selection yields a better estimation of the final key strength.

Keywords: Biometrics, security, template protection, entropy analysis

1. INTRODUCTION

Since biometric features of individuals are tightly bound with their identities and cannot be easily forgotten or lost, they offer significant potential in applications where both security and user convenience are highly desirable. However, achieving the desired level of security and usability is not trivial. The key challenge, from a security perspective, is the difficulty of protecting biometric templates while still allowing easy matching.

Let us take a look at a typical biometric authentication system based on facial features. During enrollment, a user (say, Alice) takes a number of photos at a trusted server (one or multiple photos may be needed, depending on the scheme). After that, a signal processing tool is applied to the images to obtain a template, which is then stored on a trusted storage server. During authentication, Alice takes another photo, and the same feature extraction tool is applied to obtain a new feature sample that may be slightly different from those in the template. This new sample is then compared with the template, and Alice is authenticated if the new sample matches the template according to some matching algorithm.

Besides authentication, it is also desirable to extract a cryptographic key from the biometric data, or to use the biometric data to encode a key, such that the key can only be obtained by presenting another similar sample of the biometrics. This cryptographic key can then be used, for example, to access certain computing resources, encrypt personal data, generate digital signatures, or serve as a credential for authentication or identification.

From a security perspective, there are a number of challenging issues, which include: (1) the false acceptance rate (FAR) should be low; (2) the template should not reveal too much information about the original biometric data; (3) the key strength should be high (if a key is extracted); and (4) the template should be privacy preserving. At the same time, any cryptographic tools employed to achieve these desirable properties should also consider the underlying signal processing techniques and performance measures, such that the overall performance from a signal processing perspective is not degraded too much. In particular, the false rejection rate should be low so that the system remains user-friendly.

Further author information: (Send correspondence to Yagiz Sutcu)
Yagiz Sutcu: E-mail: yagiz@isis.poly.edu
Qiming Li: E-mail: [email protected]
Nasir Memon: E-mail: memon@poly.edu

One method to protect biometric templates and allow robust key extraction at the same time is to use recently proposed secure sketch schemes (e.g., [1]). In such a scheme, a sketch is computed from the original template, and when another sample of the same biometrics is obtained, the original template can be recovered with the help of the sketch, provided the newly captured biometric is similar to the template according to some similarity measure. After the template is recovered, a key can be extracted using extractors such as pair-wise independent hash functions. The sketch is secure if it contains little information about the original biometric template of the user. A general method is given in [1] to bound such entropy loss from above for any distribution of the biometric data, which is useful since the distributions of many biometrics are not known.

The idea of a fuzzy extractor for biometric data has been further explored in a number of previous works. A scheme based on singular value decomposition (SVD) for face images is proposed and analyzed in [2]. The performance and security are evaluated using the Essex 94 database [3], and reasonable performance in terms of false acceptance and false rejection rates is shown to be achievable.

Although their method is sound, there are still a number of limitations. First, the Essex 94 database is considered an "easy" database for pattern recognition research, since it is of relatively high quality in the sense that there is very little variation among different images of the same person. Furthermore, there are many analysis techniques that are generally considered more favorable than SVD. Hence, it is not clear whether reasonable performance can still be achieved using a more challenging database and other signal processing techniques for facial feature extraction.

Secondly, any PCA-like analysis on the biometric data (SVD in [2]) typically results in a large number of components. In previous work, usually the most significant components are taken, based on the common view that these components contain most of the information about the data. However, from a more rigorous point of view, such a heuristic may need to be examined further. Ideally, the strategy for selecting components as features should maximize security (e.g., by maximizing the min-entropy and minimizing the entropy loss).

Finally, the estimation of min-entropy and the calculation of entropy loss depend heavily on the choice of parameters. In particular, as the parameters (such as the quantization step) change, both the min-entropy and the entropy loss change. Furthermore, the randomization process introduces correlations into the components, which makes the analysis difficult. In fact, to avoid this problem, it is proposed in [2] that the min-entropy should be measured before randomization. Moreover, the analysis in [2] follows the guideline presented in [4] to choose the parameters. Nevertheless, the theoretical results in [4] mainly consider the case where the distribution of the data is unknown. Since we already have a database at hand, it is interesting to investigate whether we can do better with some knowledge of the distribution.

In this paper, we conduct experiments on the ORL face database, which contains considerably more variation in poses and facial expressions. Also, we employ eigenface features instead of SVD components. In particular, we analyze the effect of randomization, and carefully examine its implications for performance and entropy estimation.

We further investigate the problem of entropy estimation and feature selection. We propose to choose feature components and/or determine the importance of components by estimating their min-entropy, which in turn contributes to the final key strength. This is in contrast to many previous methods, which pick only the most significant components, or those with the highest energy, or use criteria that do not address the key strength directly.

2. RELATED WORK

In recent years, many different ideas have been proposed to overcome the template security problem associated with biometric systems. A comprehensive coverage of many proposed solutions can be found in [5, 6].

The first group of techniques is associated with the notion of cancelable biometrics, which was first introduced by Ratha et al. [7] The underlying idea is to apply a similarity-preserving, noninvertible (or hard-to-invert) transformation to biometric templates before they are stored. New biometric samples are transformed in the same way before they are matched with the templates. In the literature, one can find a significant number of applications and variants of this idea; some examples can be found in [8–14].

Besides transformation-based cancelable techniques, another class of approaches, which makes information-theoretic security analysis possible, is based on the use of some helper data. In this group of techniques, the main idea is to create or extract some user-specific auxiliary information from the original biometric data in a way that does not reveal much information about the biometric data. Later, this auxiliary information is used to recover or estimate the original biometric data from a noisy instance of itself. This information can be in the form of helper data [15, 16], a syndrome [17, 18], or a secure sketch [1, 4, 19]. Furthermore, the fuzzy commitment [20] and fuzzy vault [21] schemes may be considered earlier implementations of the secure sketch scheme.

In this recently proposed cryptographic primitive called a secure sketch, some public information, which does not reveal too much information about the original biometric data, is extracted and later used to recover the original biometric data given a noisy sample of the same biometric data that is sufficiently similar to the original one.

There are a few reasons why this framework not only allows more rigorous security analysis compared with many other approaches, but also generalizes much of the prior helper-data based work. First of all, a sketch allows exact recovery of the biometric template. Therefore, a strong extractor (such as a pair-wise independent hash function) can be further applied on the template to obtain a key that is robust, in the sense that it can be consistently reproduced given any noisy measurement that is similar to the template. This key can then be used in the same way as a password. Furthermore, in this framework, it is possible to demonstrate some general results that do not depend on any particular notion of closeness between two measurements of the same biometric data, as long as this closeness is defined in a metric space. This is very important since different biometric modalities have different representations and error patterns.
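As a rough illustration of this key extraction step, the following Python sketch applies a toy pairwise-independent hash to an exactly-recovered template, represented as an integer. All parameter choices here (the prime, the output length, the integer encoding of the template) are our own illustrative assumptions, not the paper's construction:

```python
import secrets

# Toy strong extractor: a pairwise-independent hash h(x) = (a*x + b) mod p,
# truncated to `bits` output bits. The seed (a, b) can be made public;
# the exactly-recovered template x is the high-entropy input.
P = (1 << 127) - 1  # a Mersenne prime larger than any template value here

def make_seed():
    # a is nonzero so the hash family is pairwise independent
    return secrets.randbelow(P - 1) + 1, secrets.randbelow(P)

def extract_key(x, seed, bits=64):
    a, b = seed
    return ((a * x + b) % P) & ((1 << bits) - 1)

seed = make_seed()
template = 0xDEADBEEFCAFE          # stands in for the recovered template
k1 = extract_key(template, seed)
k2 = extract_key(template, seed)   # same template, same seed -> same key
```

Because the sketch allows exact recovery of the template, the extractor sees the identical input every time and reproduces the same key, which is what lets the key be used like a password.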

Constructions and rigorous analysis of secure sketches are given in [1] for three metrics: Hamming distance, set difference, and edit distance. The secure sketch schemes for point sets in [19] are motivated by the typical similarity measure (which does not define a metric space) used for minutiae-based fingerprint templates. Linnartz and Tuyls [22] consider a similar problem for biometric authentication applications. Under a Gaussian assumption, they use mutual information as the measure of security against dishonest verifiers. Tuyls and Goseling [23] consider a similar notion of security, and develop some general results for the case where the distribution of the original data is known and the verifier can be trusted. Some practical results along this line also appeared in [15].

However, there are a few difficulties in extending these techniques to biometric templates in practice. Most importantly, many biometric templates are not discrete, but are instead points in a continuous domain, where it is hard to define what the min-entropy of the original biometric template should be. Furthermore, extracting a discrete key from such a template requires some form of quantization. In this case, since the entropy of the original data can be very large, and the length of the extracted key is typically quite limited, the "entropy loss" as defined in [1] can be arbitrarily high, which can be misleading. Moreover, besides the subtleties in the entropy loss due to quantization, a very important aspect of any biometric authentication system is its false accept rate (FAR) and false reject rate (FRR), which are often overlooked in previous theoretical work on secure sketches. (For further details on the problem of designing secure sketches for continuous data, see [2, 4, 24]; for the reusability issue of sketches, see [25–27].)

3. QUANTIZATION-BASED SECURE SKETCH

In a recent work [4], we considered the problem of designing and analyzing secure sketches for biometric templates in a continuous domain, and studied how to design and analyze different quantization algorithms. In this section, we briefly summarize the basic concepts and definitions related to the quantization-based secure sketch scheme, and then describe our two-step scheme to compute sketches from face images that allows us to extract consistent keys.


3.1 Preliminaries

In the case where X is discrete, we follow the definitions of Dodis et al. [1] They consider a variant of the average min-entropy of X given P, which is essentially the minimum strength of the key that can be consistently extracted from X when P is made public. In particular, the min-entropy H∞(A) of a discrete random variable A is defined as

H∞(A) = −log(max_a Pr[A = a])    (1)

Similarly, for two discrete random variables A and B, the average min-entropy of A given B is defined as

H̃∞(A | B) = −log( E_{b←B} [ 2^{−H∞(A | B = b)} ] )    (2)

For discrete X, the entropy loss of the sketch P is defined as L = H∞(X) − H̃∞(X | P). This definition is useful in the analysis, since for any ℓ-bit string B, we have H̃∞(A | B) ≥ H∞(A) − ℓ. For any secure sketch scheme for discrete X, let R be the randomness invested in constructing the sketch; it is not difficult to show that when R can be computed from X and P, we have

L = H∞(X) − H̃∞(X | P) ≤ |P| − H∞(R).    (3)

In other words, the entropy loss can be bounded from above by the difference between the size of P and the amount of randomness we invested in computing P. This allows us to conveniently find an upper bound on L for any distribution of X, since the bound is independent of X.
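To make these definitions concrete, here is a small Python sketch (a toy example of our own, not from the paper) that computes the min-entropy, the average min-entropy, and the entropy loss for a uniform 2-bit variable A whose public "sketch" is its low bit:

```python
import math
from collections import defaultdict

def min_entropy(dist):
    """H_inf(A) = -log2(max_a Pr[A = a]); `dist` maps value -> probability."""
    return -math.log2(max(dist.values()))

def avg_min_entropy(joint):
    """H~_inf(A | B) for a joint distribution {(a, b): Pr[A=a, B=b]}.

    Uses E_b[2^(-H_inf(A | B=b))] = sum_b Pr[b] * max_a Pr[a|b]
                                  = sum_b max_a Pr[a, b]."""
    best = defaultdict(float)
    for (a, b), p in joint.items():
        best[b] = max(best[b], p)
    return -math.log2(sum(best.values()))

# A is uniform on {0, 1, 2, 3}; the public sketch is B = A mod 2 (one bit).
joint = {(a, a % 2): 0.25 for a in range(4)}
H_A = min_entropy({a: 0.25 for a in range(4)})  # 2.0 bits
H_AB = avg_min_entropy(joint)                   # 1.0 bit left over
loss = H_A - H_AB                               # 1.0 bit, matching |P| = 1
```

Here the entropy loss exactly meets the bound of Equation (3): publishing one bit of P costs one bit of min-entropy.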

Here we repeat the definitions of secure sketch and entropy loss in the discrete domain given by Dodis et al. [1]

Let M be a finite set of points with a similarity relation S ⊆ M × M. When (X, Y) ∈ S, we say that Y is similar to X, or that the pair (X, Y) is similar.

Definition 1: A sketch scheme in the discrete domain is a tuple (M, S, ENC, DEC), where ENC: M → {0, 1}* is an encoder and DEC: M × {0, 1}* → M is a decoder such that for all X, Y ∈ M, DEC(Y, ENC(X)) = X if (X, Y) ∈ S. The string P = ENC(X) is the sketch, and is to be made public. We say that the scheme is L-secure if for all random variables X over M, the entropy loss of the sketch P is at most L. That is, H∞(X) − H̃∞(X | ENC(X)) ≤ L.

We call H̃∞(X | P) the left-over entropy, which in essence measures the "strength" of the key that can be extracted from X given that P is made public. Note that in most cases, the ultimate goal is to maximize the left-over entropy for some particular distribution of X. However, in the discrete case, the min-entropy of X is fixed but can be difficult to analyze. Hence, entropy loss becomes an equivalent measure that is easier to quantify.

To handle points in some continuous domain U, we follow [4] and use a two-step approach. In particular, we quantize (discretize) the points so that they become points in a discrete domain M. After that, we apply a known sketch scheme in the discrete domain M to construct the sketch. When a fresh measurement of the same biometrics is given, it is quantized using the same quantizer, and the corresponding reconstruction algorithm in the discrete domain is used to recover the quantized version of the original data points.

More formally, let U be a set that may be uncountable, and let S be a similarity relation on U, i.e., S ⊆ U × U. Let M be a finite set of points, and let Q: U → M be a function that maps points in U to points in M. We will refer to such a function Q as a quantizer.


Figure 1. Sketch Generation and Reconstruction in Continuous Domain.

Definition 2: A quantization-based sketch scheme (as defined in [4]) is a tuple (U, S, Q, M, ENC, DEC), where ENC: M → {0, 1}* is an encoder and DEC: M × {0, 1}* → M is a decoder such that for all X, Y ∈ U, DEC(Q(Y), ENC(Q(X))) = Q(X) if (X, Y) ∈ S. The string P = ENC(Q(X)) is the sketch. We say that the scheme is L-secure in the quantized domain if for all random variables X over U, the entropy loss of P is at most L, i.e., H∞(Q(X)) − H̃∞(Q(X) | ENC(Q(X))) ≤ L.

It is worth noting that, according to this definition, we only require the quantized original to be reconstructed. This, in some sense, avoids the problem of possibly high entropy loss due to quantization. It is shown in [4] that when the quantization step (assuming scalar quantization) is close to the error that we want to tolerate, the resulting scheme is not too different, in terms of left-over entropy, from one using the "optimal" quantization step, which may be difficult to find. Therefore, in this paper we follow this principle, with some necessary deviation due to the nature of real-world biometrics.

3.2 Implementation

Our quantization-based secure sketch implementation is as follows. First, for a given image, we extract a feature vector V of size n (Section 3.2.1). Second, we discretize (quantize) the feature vector (Section 3.2.3), and finally, we apply a known sketch scheme to generate a sketch and to reconstruct the quantized feature vector (Section 3.2.4).

3.2.1 Template Representation

We assume that we can extract a feature vector of size n from each biometric sample. Therefore,

B_i = [b_i1 b_i2 ... b_in]^T    (4)

represents the n-dimensional feature vector of the i-th user of the system, where each coefficient b_ij ∈ R is a real number.

In addition, we also assume that the value of each coefficient b_ij can vary within a certain range, which is determined through experiments on the data set. In other words, we consider the j-th coefficient of the i-th user to always be associated with a range, defined by a mid-point b_ij and a range size ρ_ij. Here, the mid-point b_ij for the j-th component of the i-th user is determined as the mid-point value of the j-th component of the feature vector observed in the training data set of user i. Similarly, the range size ρ_ij for the j-th component of the i-th user is determined as ρ_ij = (mx_ij − mn_ij)/2, where mn_ij (resp. mx_ij) is the minimum (resp. maximum) value of the j-th component of the feature vector observed in the training data set of user i.

Therefore, the template for the i-th user consists of two vectors: the list of n mid-points b_i1, ..., b_in, and the list of range sizes for each coefficient, ρ_i1, ..., ρ_in.


In the simplest case, for the i-th user in the system, we can consider a sample B̄_i = [b̄_i1 b̄_i2 ... b̄_in]^T as authentic if

b_ij − ρ_ij ≤ b̄_ij ≤ b_ij + ρ_ij    (5)

for all j = 1, ..., n.
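The range-based template and matching rule above can be sketched in a few lines of Python (a toy with synthetic feature vectors; the dimensions and data are our own illustrative choices):

```python
import numpy as np

rng = np.random.default_rng(0)

def build_template(samples):
    """Estimate per-component mid-points b_ij and range sizes rho_ij
    from the rows of `samples` (the user's training feature vectors)."""
    mx, mn = samples.max(axis=0), samples.min(axis=0)
    mid = (mx + mn) / 2.0   # b_ij = mid-point of observed values
    rho = (mx - mn) / 2.0   # rho_ij = half the observed spread
    return mid, rho

def is_authentic(sample, mid, rho):
    """Accept iff every component falls inside its estimated range (Eq. 5)."""
    return bool(np.all(np.abs(sample - mid) <= rho))

train = rng.normal(0.0, 1.0, size=(7, 20))  # 7 enrollment vectors, n = 20
mid, rho = build_template(train)
```

By construction, every training sample satisfies Equation (5); a fresh sample is accepted only if all n components stay inside their user-specific ranges.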

3.2.2 Randomization

Before generating a sketch from the coefficients extracted from raw samples of biometric data, we can further apply a user-specific random mapping to these feature vectors. In particular, we generate k-by-n matrices whose elements are uniformly distributed random numbers between −θ and θ, where θ is a parameter. We call such matrices randomization matrices. Through experiments, we found that the overall performance is not sensitive to the value of θ, so we fix the value of θ to be 1.

Let R_i be the randomization matrix for user i. By multiplying the feature vector with this random matrix, an n-dimensional feature vector is mapped to a k-dimensional feature vector. That is, for user i and a raw sample B_i = [b_i1 ... b_in]^T, we compute V_i = R_i B_i = [v_i1 v_i2 ... v_ik]^T.

Similar to the simple case in Section 3.2.1, the mid-points v_ij and range sizes δ_ij are recalculated, and for any V̄_i = R_i B̄_i = [v̄_i1 v̄_i2 ... v̄_ik]^T, we consider it authentic if

v_ij − δ_ij ≤ v̄_ij ≤ v_ij + δ_ij    (6)

for all j = 1 ,...,k .
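The randomization step can be sketched as follows (a minimal Python illustration with hypothetical dimensions; here k = n, matching the square matrices used later in this study):

```python
import numpy as np

rng = np.random.default_rng(42)
n = 20
theta = 1.0  # performance was found insensitive to theta, so it is fixed to 1

# User-specific randomization matrix: entries uniform in [-theta, theta]
R_i = rng.uniform(-theta, theta, size=(n, n))

B_i = rng.normal(size=n)  # stands in for a raw PCA feature vector
V_i = R_i @ B_i           # randomized feature vector, V_i = R_i B_i

# Cancelability: on compromise, draw a fresh matrix and re-enroll the same face
R_i_new = rng.uniform(-theta, theta, size=(n, n))
V_i_new = R_i_new @ B_i
```

The two randomized templates V_i and V_i_new come from the same raw features but are not close to each other, which is what makes revocation and cross-database unlinkability possible.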

There are a few reasons for using such a randomization in our scheme. First of all, randomization provides better noise tolerance. In particular, the noise on the original components tends to be smoothed out by the random mapping, which makes the scheme more robust for the same FAR. Secondly, randomization provides cancelability and diversity simultaneously. More specifically, users will be able to use the same biometric data (i.e., their face in our case) with a newly generated random mapping in case of any data compromise. Furthermore, cross-matching across different databases will not be feasible, since different applications will use different random mappings.

It is also worth mentioning that our purpose in using such a randomization is neither dimension reduction (as in [28, 29]) nor to increase security by introducing non-invertibility (as in [30, 31]). Therefore, in this study, we only consider square (n-by-n) randomization matrices and analyze the effect of such a mapping on the performance and security of the quantization-based secure sketch scheme.

3.2.3 Quantization and Codebook

To generate a sketch for the biometric template, the first step is to discretize every component of the feature vector so that we can apply a sketch scheme for discrete domains. Therefore, we employ a straightforward method, which uses a scalar quantizer for each coefficient to map it to a discrete domain.

First, we determine the global range of each component of the feature vectors from the training data set obtained during the enrollment phase. Let these values be MN_j = min_i(v_ij) and MX_j = max_i(v_ij). Next, the discrete domain C_j for the j-th component is computed by quantizing the overall user range with quantization step δ_j. That is,

C_j = {MN_j − r_j, MN_j − r_j + δ_j, MN_j − r_j + 2δ_j, ..., MN_j − r_j + L_j δ_j}    (7)

where L_j is an appropriately chosen integer satisfying MN_j − r_j + L_j δ_j ≥ MX_j, and r_j is a positive random number.

In this way, for the j-th component of the i-th user, a range with mid-point v_ij and size δ_ij can be translated to a discrete range, where the discrete mid-point is the quantization of v_ij in C_j, and the discrete range size d_ij is given by

d_ij = δ_ij / δ_j    (8)

Finally, the codebook C_ij for the j-th component of the i-th user is a subset of C_j, and can be determined by choosing one point out of every 2d_ij + 1 consecutive points in C_j.


In this setup, the δ_j are simply determined as a function of the minimum range size of each component of the feature vector observed over the whole user space. That is,

δ_j = α min_i(δ_ij)    (9)

where α is a parameter that can take different values.

It is worth noting that, in the above formulation, the quantization step δ_j can be determined in many different ways. However, it is reasonable to assume that δ_j should be related to some statistics of the ranges of the feature components, namely the δ_ij.
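Putting Equations (7)-(9) together, a minimal Python sketch of the codebook construction for one component might look like this. All numeric values are hypothetical, and we round Eq. (8) to an integer here so that the codebook stride 2·d_ij + 1 is well defined:

```python
import numpy as np

def build_global_grid(MN_j, MX_j, delta_j, r_j):
    """Discrete domain C_j of Eq. (7): a grid with step delta_j, offset by a
    random r_j, whose last point is at or beyond MX_j."""
    L_j = int(np.ceil((MX_j - (MN_j - r_j)) / delta_j))
    return (MN_j - r_j) + delta_j * np.arange(L_j + 1)

def user_codebook(C_j, d_ij):
    """C_ij: keep one point out of every 2*d_ij + 1 consecutive points of C_j."""
    return C_j[::2 * d_ij + 1]

# Hypothetical numbers for a single component j of user i
MN_j, MX_j = -3.0, 3.0
delta_ij = 0.5                          # user i's range size for component j
alpha = 0.5
delta_j = alpha * delta_ij              # Eq. (9), assuming this is the minimum
d_ij = int(round(delta_ij / delta_j))   # Eq. (8), rounded -> 2
C_j = build_global_grid(MN_j, MX_j, delta_j, r_j=0.1)
C_ij = user_codebook(C_j, d_ij)
```

The resulting codewords in C_ij are spaced 2·d_ij + 1 grid steps apart, i.e. wider than the user's tolerated range, so distinct codewords cannot be confused by in-range noise.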

3.2.4 Sketch Generation and Template Reconstruction

During enrollment, the biometric data of each user are acquired and feature vectors are extracted several times as part of the training process. Then the variation (i.e., the mid-point and range size) of each feature vector component is estimated by analyzing the training data set. Next, we construct a codebook for each component of each user as in Section 3.2.3.

Therefore, the sketch P_i for user i is a vector P_i = [p_i1 p_i2 ... p_ik]^T, where p_ij = Q_ij(v_ij) − v_ij and Q_ij(v_ij) is the codeword in C_ij that is closest to v_ij.

During authentication, the biometric data of the i-th user is taken and the corresponding feature vector is computed. Let us denote this noisy feature vector as V̄_i = [v̄_i1 v̄_i2 ... v̄_in]^T. The decoder then takes V̄_i and P_i and calculates Q_ij(v̄_ij) − p_ij for j = 1, ..., n. Reconstruction of the original biometric will be successful if

−d_ij ≤ Q_ij(v̄_ij) − Q_ij(v_ij) < d_ij    (10)

where d_ij is the user-specific error tolerance bound for the j-th component. It is not difficult to see that Q_ij(v̄_ij) − p_ij = Q_ij(v̄_ij) − Q_ij(v_ij) + v_ij, and errors up to some preset threshold value will be corrected successfully.
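Sketch generation and reconstruction for a single component can be illustrated as follows (a toy Python example with a hypothetical codebook; when the noisy value maps to the same codeword as the original, subtracting the public sketch returns the original value exactly):

```python
import numpy as np

def nearest(codebook, v):
    """Q_ij(v): the codeword in the user's codebook C_ij closest to v."""
    return codebook[np.argmin(np.abs(codebook - v))]

def gen_sketch(codebook, v):
    """Public sketch value p_ij = Q_ij(v_ij) - v_ij."""
    return nearest(codebook, v) - v

def reconstruct(codebook, v_noisy, p):
    """Q_ij(noisy) - p_ij, which equals v_ij when both values quantize
    to the same codeword."""
    return nearest(codebook, v_noisy) - p

C_ij = np.arange(-3.0, 3.01, 1.25)  # hypothetical user codebook for one component
v = 0.9                             # enrolled (randomized) feature value
p = gen_sketch(C_ij, v)             # stored publicly
v_noisy = v + 0.2                   # a fresh, slightly noisy measurement
v_rec = reconstruct(C_ij, v_noisy, p)
```

Since the codewords are spaced wider than the tolerated noise, the noisy measurement snaps to the same codeword as the original, and v_rec equals v exactly, ready for key extraction.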

4. EXPERIMENTS, RESULTS AND ANALYSIS

4.1 Dataset and Experimental Setup

Face images are among the most widely used biometrics for authentication. In our experiments, we used the Olivetti Face Database (ORL database [32]). The ORL face database consists of 10 different images of each of 40 distinct subjects, and the size of each image is 92×112 pixels, with 8-bit grey levels. In our simulation, we randomly divide the 10 samples of each subject in the ORL database into two parts, namely a training (i.e., enrollment) set and a test (i.e., authentication) set, where the training set is assigned 7 of the images and the test set has the remaining 3 sample face images. In our setup, the 3 test samples of every user are used to generate 40×3 = 120 genuine authentication attempts and 39×40×3 = 4680 impostor authentication attempts (3 attempts by each of the 39 remaining users, for every user in the system). Sample images from this database are given in Figure 2.
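The split and the attempt counts described above can be sketched as follows (indices only, no image data; the random seed is our own choice):

```python
import numpy as np

rng = np.random.default_rng(1)
users, samples_per_user = 40, 10
train_k, test_k = 7, 3

# Randomly split each user's 10 images into 7 enrollment + 3 test samples
splits = {u: rng.permutation(samples_per_user) for u in range(users)}
train = {u: idx[:train_k] for u, idx in splits.items()}
test = {u: idx[train_k:] for u, idx in splits.items()}

genuine = users * test_k                  # 40 * 3  = 120 genuine attempts
impostor = (users - 1) * users * test_k   # 39 * 40 * 3 = 4680 impostor attempts
```

Each user's 3 test samples are matched once against their own template (genuine) and once against every other user's template (impostor), giving the 120 and 4680 totals used in the evaluation.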

In the literature, many different feature extraction and selection algorithms have been proposed for face recognition, and one of the most popular is the Eigenface method [33], an application of principal component analysis (PCA) that combines dimension reduction with feature selection [34]. To test our proposed scheme, we also used the Eigenface method. However, it should be noted that the essence of the technique is not specific to face image data and can be applied to any type of ordered biometric features.

4.2 Performance and Security Analysis

As already mentioned, it is often sufficient (as well as faster, and more economical for storage) to consider the first n principal components for PCA-based dimension reduction. Therefore, in our experiments, we first tested our range-based authentication scheme (explained in Section 3.2.1) by increasing the number of selected principal components of PCA (and hence the dimensionality of the feature vectors B_i), without implementing the secure sketch scheme. The dimensionality of the feature vectors and the corresponding equal error rate (EER*) values are shown in Figure 2.

Figure 2. Variation of the equal error rate (EER) values with increasing dimensionality after PCA (left) and some examples from the ORL face database (right).

As can be seen in Figure 2, selecting more than 20 principal components results in increasing EER values, and hence worse performance. The main reason for this behavior is that, in contrast to a Euclidean distance-based similarity measure, our range-based measure is more sensitive to feature variation, since it requires each feature to lie within a pre-estimated range. Therefore, including less significant principal components, which have less distinguishing power, deteriorates the authentication performance.

The main result we observed from Figure 2 is the significant effect of randomization on performance. As noted previously, randomization provides some additional tolerance to minor out-of-range variations of the feature vector components by introducing some level of correlation. After observing this trend in EER, we set the dimensionality of the feature vectors (after PCA) to n = 20 in order to further investigate the effects of quantization and feature selection.
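The exact randomization is not restated at this point in the text; one common realization, which we assume here purely for illustration, is a user-specific random projection that mixes the feature components (hence the correlation mentioned above) and can be re-issued with a fresh seed for cancelability:

```python
import numpy as np

def randomize(features, seed):
    """Mix an n-dim feature vector with a user-specific random matrix.

    Illustrative only: the seed stands in for per-user key material, and a
    dense Gaussian matrix stands in for whatever mixing the scheme uses.
    """
    rng = np.random.default_rng(seed)
    r = rng.normal(size=(features.size, features.size))
    return r @ features

v = np.ones(20)
t1 = randomize(v, seed=7)   # template for one enrollment
t2 = randomize(v, seed=8)   # re-enrolling with a new seed cancels the old one
```

The same seed reproduces the same template, while a new seed yields an unrelated one, which is the cancelability property discussed in the conclusions.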

As mentioned earlier, the quantization step δ_j can be determined in many different ways, depending on operational constraints (such as the noise level that needs to be tolerated) and on the data set considered. Here, we take a straightforward approach and set the quantization step to be a fraction of the minimum range observed over the whole data set (i.e., δ_j = α min_i(δ_ij)).
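This choice of quantization step is a one-line computation; the sketch below uses a small array of made-up ranges δ_ij (rows index users i, columns index components j):

```python
import numpy as np

def quantization_steps(delta, alpha):
    """delta_j = alpha * min_i(delta_ij): a fraction of the smallest
    per-user range observed for each component over the whole data set."""
    return alpha * delta.min(axis=0)

# Illustrative delta_ij values; real ones come from enrollment data.
delta = np.array([[0.4, 1.0],
                  [0.8, 0.5]])
steps = quantization_steps(delta, alpha=0.5)  # [0.2, 0.25]
```

Larger α coarsens the quantization for every component at once, which is the single knob varied in Figure 3.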

Figure 3 shows the effect of quantization on the performance of the scheme for various values of α, for both the non-randomized and randomized implementations with n = 20. As can be seen from Figure 3, while small values of α seem to improve the performance of the scheme, increasing α above 0.75 significantly decreases the performance. Furthermore, randomization generally improves the performance of the scheme, especially for small values of α.

As mentioned earlier, H̃_∞(X | P) is called the left-over entropy, which measures the "strength" of the key that can be extracted from X given that P is made public; in most cases, the ultimate goal is to maximize the left-over entropy for the particular distribution of the biometric data considered. However, in the discrete case, the min-entropy is fixed but can be difficult to analyze, and the entropy loss becomes an equivalent measure that is easier to quantify.

∗EER is the rate at which the false accept and false reject rates are equal.


Figure 3. ROC curves of the non-randomized and randomized secure sketch implementations for α = 0.25 (left); EER values of the non-randomized and randomized secure sketch implementations for different values of α (right).

For this construction, in order to estimate the left-over entropy, we first estimated the min-entropy of V, H_∞(V), assuming that the components of the feature vector are independent. The min-entropy of each component is therefore estimated independently, and the total min-entropy of the feature vector V is calculated as the sum of the individual component min-entropies. That is,

H_∞(V) = Σ_{i=1}^{n} H_∞(v_i)   (11)
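The per-component terms in this sum were estimated from histograms over the user population, as described next; a hedged sketch of such an estimator (the function name and toy data are ours) is:

```python
import numpy as np

def minentropy_bits(values, step):
    """Histogram-based estimate of H_inf for one feature component: bin the
    values with width `step` (the component's quantization step) and take
    -log2 of the most likely bin's empirical probability."""
    bins = np.floor(np.asarray(values) / step).astype(int)
    _, counts = np.unique(bins, return_counts=True)
    return -np.log2(counts.max() / len(bins))

rng = np.random.default_rng(2)
component = rng.normal(size=400)   # one component over all users (toy data)
h_i = minentropy_bits(component, step=0.5)
# H_inf(V) is then the sum of h_i over the n components, per Eq. (11).
```

A constant component lands entirely in one bin and correctly scores 0 bits, while a spread-out component approaches the log of the number of occupied bins.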

To estimate H_∞(v_i), we simply considered the distribution of the feature vector component v_i over the whole user space and analyzed the histogram of that distribution, setting the bin size to the quantization step size δ_i of that component (i.e., α = 1). The number of elements in the most likely bin gives a rough estimate of the min-entropy of feature vector component i. Under this setting, the min-entropy of the feature vectors is estimated to be about 59.91 bits when n = 20.

The (component-wise) entropy loss in the quantized domain can simply be bounded by

L(P) ≤ Σ_{i=1}^{n} L(p_i)   (12)

where L(p_i) is the entropy loss of the sketch for component i of the feature vector representation of the biometric data. This can be conveniently bounded by the size of the sketch. That is,

L(p_i) ≤ |p_i| = log(2δ_ij/δ_j + 1).   (13)

The entropy loss of the scheme can thus be calculated from the size of the sketch. However, it is worth noting that, since the errors to be tolerated are quite different for different users, even for the same component, the resulting entropy loss is much larger than the theoretically achievable n log 3.

From the experiments, we calculated the average size of the sketch as 40.35 bits when n = 20, which guarantees 19.56 bits of left-over entropy. On the other hand, if we select the 20 features with the highest estimated min-entropy, the min-entropy of the feature vectors is estimated to be about 61.95 bits. In this case, the average size of the sketch is about 43.46 bits, which guarantees 18.49 bits of left-over entropy, not significantly different from the former case.
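The bookkeeping behind these numbers combines Eq. (13) with the estimated min-entropy: sum the per-component sketch sizes for each user, average over users, and subtract from H_∞(V). A sketch (the ranges below are synthetic stand-ins for real enrollment data):

```python
import numpy as np

def leftover_entropy(h_min, delta, steps):
    """Guaranteed key strength: H_inf(V) minus the average sketch size.

    delta: (users, n) per-user tolerated ranges delta_ij; steps: (n,)
    quantization steps delta_j. Component j of user i's sketch costs
    log2(2 * delta_ij / delta_j + 1) bits, as in Eq. (13); the loss is
    averaged over users as in the experiments.
    """
    sketch_bits = np.log2(2.0 * delta / steps + 1.0).sum(axis=1)
    return h_min - sketch_bits.mean()

rng = np.random.default_rng(3)
delta = np.abs(rng.normal(size=(40, 20))) + 0.1  # 40 users, n = 20 (toy)
steps = 0.5 * delta.min(axis=0)                  # alpha = 0.5
key_bits = leftover_entropy(59.91, delta, steps) # 59.91: estimated H_inf(V)
```

Users whose tolerated ranges δ_ij are far above the minimum pay the most sketch bits, which is why the loss exceeds the ideal n log 3.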


Figure 4. Percentage of the variance explained by each principal component of PCA (left); estimated entropy and min-entropy of the PCA features (right).

When n increases, the size of the sketch (and hence the entropy loss) increases proportionally. For example, if we repeat the experiment for n = 50, the min-entropy of the feature vectors is estimated to be about 132.52 bits; the average size of the sketch is about 98.88 bits, which guarantees 33.64 bits of left-over entropy. If we select the 50 features with the highest estimated min-entropy, the min-entropy of the feature vectors is estimated to be about 139.95 bits. In this case, the average size of the sketch is about 106.55 bits, which guarantees 33.40 bits of left-over entropy, again almost the same as the former case.

However, despite the increase in the average sketch size (averaged over 40 users) under min-entropy-based feature selection (40.35 bits when the first n = 20 principal components are selected, versus 43.46 bits when the 20 features with the highest estimated min-entropy are selected), the variance of this estimate is much lower for the proposed feature selection technique. In particular, these variances are 11.50 and 9.19, respectively, for n = 20, and 46.41 and 26.71, respectively, for n = 50.

5. CONCLUSIONS AND DISCUSSIONS

In this paper we studied the problem of secure storage of biometric templates and examined a recently proposed cryptographic primitive called the secure sketch. We carefully investigated the effect of randomization on the security and performance of the proposed quantization-based secure sketch implementation. We showed that randomization not only improves the authentication performance of the scheme significantly, but also provides cancelability and diversity. However, it is worth mentioning that the security analysis can (and should) be performed separately; more specifically, the min-entropy should be estimated before randomization.

Furthermore, we investigated the problem of feature selection. In particular, we proposed to select feature components according to their estimated min-entropy. Experimental results showed that the proposed feature selection provides a better estimate of the average sketch size without compromising the final key strength.

We note that the "entropy loss" is a worst-case bound: it states that there exists an input distribution that would give that amount of information leakage, but not necessarily the distribution of the particular biometric data at hand. In other words, the entropy loss is an upper bound on the information leakage, and the estimate of the entropy loss may not be accurate in practice.

Furthermore, another important problem is measuring the amount of information in biometrics. The main difficulty here is related not only to the selected feature representation of the biometric data, but also to the matching algorithm employed. This question becomes more relevant when evaluating secure sketch based biometric template protection methods, and we consider it an open question to bound the "exact information leakage" without exact knowledge of the amount of information in a given biometric modality.

ACKNOWLEDGMENTS

This material is based upon work partially supported by the National Science Foundation under Grant No. 0716490.

REFERENCES

[1] Dodis, Y., Reyzin, L., and Smith, A., "Fuzzy extractors: How to generate strong keys from biometrics and other noisy data," in [Eurocrypt '04], LNCS 3027, 523–540, Springer-Verlag (2004).

[2] Sutcu, Y., Li, Q., and Memon, N., "Protecting biometric templates with sketch: Theory and practice," IEEE Transactions on Information Forensics and Security 2, 503–512 (September 2007).

[3] "The Essex Faces94 database." http://cswww.essex.ac.uk/mv/allfaces/index.html.

[4] Li, Q., Sutcu, Y., and Memon, N., "Secure sketch for biometric templates," in [Asiacrypt '06], LNCS 4284, Springer-Verlag, Shanghai, China (December 2006).

[5] Vetro, A. and Memon, N., "Biometric system security." Tutorial presented at IEEE International Conference on Acoustics, Speech and Signal Processing, Las Vegas, Nevada, USA, April 2008.

[6] Jain, A. K., Nandakumar, K., and Nagar, A., "Biometric template security," EURASIP Journal on Advances in Signal Processing, Special Issue on Pattern Recognition Methods for Biometrics (2008).

[7] Ratha, N., Connell, J., and Bolle, R., "Enhancing security and privacy in biometrics-based authentication systems," IBM Systems Journal 40(3), 614–634 (2001).

[8] Soutar, C., Roberge, D., Stojanov, S., Gilroy, R., and Kumar, B. V., "Biometric encryption using image processing," in [SPIE, Optical Security and Counterfeit Deterrence Techniques II], 3314 (1998).

[9] Ang, R., Safavi-Naini, R., and McAven, L., "Cancelable key-based fingerprint templates," in [ACISP], LNCS 3574, 242–252 (2005).

[10] Teoh, A., Goh, A., and Ngo, D., "Random multispace quantization as an analytic mechanism for biohashing of biometric and random identity inputs," IEEE Transactions on Pattern Analysis and Machine Intelligence 28(12), 1892–1901 (2006).

[11] Savvides, M., Kumar, B. V., and Khosla, P., "Cancelable biometric filters for face recognition," Proceedings of the 17th International Conference on Pattern Recognition (ICPR 2004) 3, 922–925 (2004).

[12] Ratha, N. K., Chikkerur, S., Connell, J. H., and Bolle, R. M., "Generating cancelable fingerprint templates," IEEE Transactions on Pattern Analysis and Machine Intelligence 29(4), 561–572 (2007).

[13] Maiorana, E., Campisi, P., Ortega-Garcia, J., and Neri, A., "Cancelable biometrics for HMM-based signature recognition," in [Proceedings of the IEEE Second International Conference on Biometrics: Theory, Applications and Systems (BTAS 2008)], (October 2008).

[14] Boult, T., Scheirer, W., and Woodworth, R., "Revocable fingerprint biotokens: Accuracy and security analysis," in [IEEE Conf. Computer Vision and Pattern Recognition (CVPR)], (2007).

[15] Tuyls, P., Akkermans, A., Kevenaar, T., Schrijen, G., Bazen, A., and Veldhuis, R., "Practical biometric authentication with template protection," in [AVBPA], 436–446 (2005).

[16] Kevenaar, T., Schrijen, G., van der Veen, M., Akkermans, A., and Zuo, F., "Face recognition with renewable and privacy preserving binary templates," Fourth IEEE Workshop on Automatic Identification Advanced Technologies, 21–26 (2005).

[17] Draper, S., Khisti, A., Martinian, E., Vetro, A., and Yedidia, J., "Using distributed source coding to secure fingerprint biometrics," in [IEEE Conf. on Acoustics, Speech and Signal Processing (ICASSP)], (2007).

[18] Sutcu, Y., Rane, S., Yedidia, J., Draper, S., and Vetro, A., "Feature extraction for a Slepian-Wolf biometric system using LDPC codes," in [2008 IEEE International Symposium on Information Theory, 6–11 July 2008, Toronto, Ontario, Canada].

[19] Chang, E.-C. and Li, Q., "Hiding secret points amidst chaff," in [Eurocrypt], (2006).

[20] Juels, A. and Wattenberg, M., "A fuzzy commitment scheme," in [Proc. ACM Conf. on Computer and Communications Security], 28–36 (1999).
