IEEE TRANSACTIONS ON INFORMATION FORENSICS AND SECURITY, VOL. 4, NO. 4, DECEMBER 2009
Multibiometric Cryptosystem: Model Structure and
Performance Analysis
Bo Fu, Simon X. Yang, Senior Member, IEEE, Jianping Li, and Dekun Hu
Abstract—Single biometric cryptosystems were developed to
obtain win-win scenarios for security and privacy. They are
seriously threatened by spoof attacks, in which a forged biometric
copy or artificially recreated biometric data of a legitimate user
may be used to spoof a system. Meanwhile, feature alignment
and quantization greatly degrade the accuracy of single biometric
cryptosystems. In this paper, by trying to bind multiple biometrics
to cryptography, a cryptosystem named multibiometric cryptosystem (MBC), is demonstrated from the theoretical point of
view. First, an MBC with two fusion levels: fusion at the biometric
level, and fusion at the cryptographic level, is formally defined.
Then four models, namely biometric fusion model, MN-split model,
nonsplit model, and package model, adopted at those two levels for
fusion are presented. Shannon entropy analysis shows that even if
the biometric ciphertexts and some biometric traits are disclosed,
the new constructions can still consistently achieve data security
and biometric privacy. In addition, the achievable accuracy is
analyzed in terms of false acceptance rate/false rejection rate at
each model. Finally, a comparison on the relative advantages and
disadvantages of the proposed models is discussed.
Index Terms—Biometric encryption, biometrics, cryptosystem,
multibiometrics, Shannon entropy.
I. INTRODUCTION
TRUSTABLE authentication plays an increasingly important role in secure communication systems. Traditionally,
passwords (knowledge-based security) and smartcards (token-based security) are used as the first step towards identity proof
in the system. However, security can be breached since dynamic
passwords are easily divulged and guessed by means of social
engineering or dictionary attacks. Token-based authentication
may in part compensate for the limitation of knowledge-based authentication; however, a token is not reliable and is easily stolen. If passwords and smartcards are shared or stolen, there is no way to
know who the actual user is. Thus, nonrepudiation cannot be
provided by these two means.
Manuscript received June 23, 2009; revised August 31, 2009. First published
September 29, 2009; current version published November 18, 2009. This work
was supported in part by the China Scholarship Council, High Technology
Research and Development (863) Project (Grant 2007AA01Z423), and by the
Advanced Robotics and Intelligent System Laboratory, University of Guelph,
Canada. The associate editor coordinating the review of this manuscript and
approving it for publication was Prof. Davide Maltoni.
B. Fu, J. Li, and D. Hu are with the School of Computer Science and
Engineering, University of Electronic Science and Technology of China,
Chengdu 610054, China.
S. X. Yang is with the Advanced Robotics and Intelligent Systems (ARIS)
Laboratory, School of Engineering, University of Guelph, Guelph, ON, N1G
2W1, Canada.
Color versions of one or more of the figures in this paper are available online
at http://ieeexplore.ieee.org.
Digital Object Identifier 10.1109/TIFS.2009.2033227
The emergence of biometrics, as a strong form of an individual
authentication based on the certain physiological or behavioral
traits associated with the individual, overcomes the disadvantages
of passwords and smartcards, but it is known that the sensed single
biometric data is always noisy and distorted. Noisy biometric data
results in insufficient accuracy, which largely limits biometric
technology to provide useful value in many practical applications.
On the other hand, biometrics may be vulnerable to common potential attacks, such as replay attacks, man-in-the-middle attacks
and Trojan horse attacks, and in particular, susceptible to spoof
attacks and template attacks [1], [2]. Spoof attacks are commonly
encountered in biometric systems. Several techniques [3]–[5] are
introduced, showing how an artificial biometric image can be reconstructed to spoof the acquisition sensor for enrollment. An
even more serious problem is that compromised biometrics will
be rendered unusable forever due to the difficulty of revoking the
compromised biometrics or reissuing a new one. One possible
technique is to encrypt the template using symmetric encryption.
Cancelable biometrics [6], [7] is another technique that attempts
to construct revocable biometric templates using various noninvertible transforms. With an increasing number of templates, the
speed of “a matcher” will be largely decreased when those templates are used for identification. Thus, to overcome the disadvantages of biometrics, there are a couple of novel directions: multibiometric recognition systems that integrate multiple biometrics
for identification or verification and biometric cryptosystems that
encrypt the secret with biometrics, as shown in Fig. 1 (SB is the
single biometrics and CG is the cryptography.)
A comparison of some single biometrics, including face, fingerprint, hand, iris, keystroke, and voice, is provided by Uludag
et al. [14] based on seven factors. From the authors’ point of
view, each biometric has its advantages and disadvantages. One
biometric usually compensates for the inherent limitations of
the other biometrics [15]. Therefore, the limitations imposed
by a single biometric model can be overcome by a multibiometric recognition system [8]–[11]. Multibiometrics offers
the following main advantages: 1) significantly improving
the accuracy of the biometric identification or verification;
2) providing a certain degree of flexibility for some unusable
biometric traits; and 3) resisting spoof attacks due to the
difficulty in spoofing multiple biometric sources. Hong et al.
[8] categorized multibiometric recognition systems into three
architectures based on biometric data fusion: 1) fusion at the
feature level (e.g., [16], [17]); 2) fusion at the score level (e.g.,
[18]); and 3) fusion at the decision level, (e.g., [19], [20]). Fusion at the decision level commonly consists of three strategies,
namely, out of fusion rule [31], OR rule and AND rule [8].
As a multibiometric recognition system is expected to improve the accuracy for identification or verification and defeat
spoof attacks, the biometric cryptosystem that binds biometrics
1556-6013/$26.00 © 2009 IEEE
Authorized licensed use limited to: ASTAR. Downloaded on January 29, 2010 at 03:34 from IEEE Xplore. Restrictions apply.
Fig. 1. Biometric system.
to cryptography aims to obtain a win-win scenario of security
and privacy. In a biometric cryptosystem, there are no biometric
images or templates stored in the central database, and the security is completely controlled by the user with his/her biometrics;
however, the biometric cryptosystem still encounters several
challenges. As mentioned earlier, unlike a password, the variability of the biometric data sampled in different environments
makes it hard to generate identical biometric key with perfect
accuracy. Over the past several years, there were a number
of research efforts done in the biometric cryptosystem field.
A biometric cryptosystem was firstly presented by Soutar
et al. [12] and defined by Cavoukian et al. [13]. Juels et al.
[21] proposed a fuzzy commitment scheme (FCS) algorithm,
which utilizes error-correcting code theory and cryptography
together to overcome the influence of the random noise to
achieve provable security, but since the FCS has the property of
order-invariance, strictly aligning the query biometric features
with the template is required. Thus, Juels and Sudan [22]
presented a fuzzy vault scheme (FVS). Uludag et al. discussed
the fuzzy vault scheme for fingerprint minutiae [23], and raised
some issues and challenges about a biometric cryptosystem.
Nandakumar [24] presented another implementation of the
fuzzy vault scheme based on fingerprint minutiae and helper
data that is used to align the template and query fingerprints
accurately. An efficient two-layer error-correction technique
that combines Hadamard and Reed–Solomon error correcting
codes to improve the iris encryption system performance is
shown by Hao et al. [25]. To make a rigorous proof, Dodis
et al. [26] and Boyen [27] introduced the concepts of fuzzy
extractors and secure sketches. They provided constructions of
fuzzy extractors and secure sketches for input data with three
various measures: Hamming distance (implemented in FCS),
edit distance, and set difference (implemented in FVS).
Since a multibiometric recognition system can improve accuracy and a biometric cryptosystem can improve security and
privacy, can we develop a new cryptosystem with optimal accuracy, security and privacy, compared to a traditional biometric
cryptosystem? As shown in the center of Fig. 1, this problem
inspires us to explore a new construction model. Intuitively,
since multiple biometrics is more difficult to be spoofed than
single biometrics, it is harder for an attacker to derive the secret locked by biometrics from cryptographic templates. From
the perspective of accuracy, multibiometrics involves the use of
biometric fusion for automated recognition with a higher degree of accuracy than single biometrics. Thus, it should obtain
higher accuracy than a single biometric cryptosystem. Some related methods have already been raised and studied. Sutcu et al.
[32] proposed a technique of integrating face features and fingerprint minutiae at the feature level to obtain a secure template
based on known secure sketch schemes. Nandakumar and Jain
[33] derived a multibiometric vault by integrating the fingerprint
minutiae template and the iriscode template at the feature level.
After combining fingerprint and voice data at the template level,
Camlikaya et al. [34] demonstrated a privacy protection technique by hiding the fingerprint minutiae points amongst the features extracted from the voice. Yanikoglu and Kholmatov [35]
combined two fingerprint features extracted from different fingers to get a combined biometric ID. In the above references,
while authors gave particular cases using face, fingerprint or iris
to improve the security and privacy, they did not clearly point out
or analyze a multiple biometrics system for encryption from a
theoretical point of view.
In this paper, by trying to bind multiple biometrics to cryptography, a cryptosystem, namely the multibiometric cryptosystem
(MBC), is demonstrated. Abandoning the specific integration
techniques of different biometrics, the impacts of fusion at biometric and cryptographic levels on the biometric security, privacy and accuracy are studied. Different constructions of MBC
models are developed and analyzed by means of Shannon entropy analysis and probability analysis. The focus of this paper
is as follows:
1) Formulate the formal definition of MBC based on the definition of the traditional biometric cryptosystem, and define
two fusion levels: biometric level and cryptographic level.
2) Define security and privacy of MBC in terms of Shannon
entropy; and define accuracy using two types of error measurement: false acceptance rate (FAR) and false rejection
rate (FRR), which are related to the FAR and FRR in biometric recognition systems.
3) Propose a general construction model of MBC at the biometric level where different sets of biometric features are
integrated to a vector or set for encryption, and discuss its
security, privacy and accuracy.
4) Present the MBC at the cryptographic level, which
consists of three submodels, namely, the MN-split model, nonsplit model, and package model; then analyze their performance.
5) Discuss a comparison of the proposed models.
In a multibiometric recognition system, there are four
common distinct subcategories: multimodal (e.g., fingerprint
and iris), multiinstance (e.g., left iris and right iris), multisensorial (e.g., optical fingerprint image and electrostatic
fingerprint images), and multialgorithmic (e.g., fingerprint
minutiae extraction algorithm and filter bank-based fingerprint
feature extraction). In MBC, however, we only consider the
biometric features and ignore the sources which those features
are extracted from. Therefore, we are mainly concerned with
the architectures at the biometric level regarding the fusion of
biometric features, and at the cryptographic level regarding the
fusion of the secret.
FU et al.: MBC: MODEL STRUCTURE AND PERFORMANCE ANALYSIS
TABLE I
NOTATIONS
Fig. 2. Unibiometric encryption.
The rest of this paper is organized as follows: some traditional biometric cryptosystems are presented in Section II.
In Section III, the formal definitions of MBC with its performance index are proposed. The MBC model at the biometric
level is discussed in Section IV and three MBC models at the
cryptographic level are proposed in Section V. In Section VI,
a comparison on the relative advantages and disadvantages of
the proposed models is discussed. Conclusions are given in
Section VII.
Some related notations are presented in Table I.
II. TRADITIONAL BIOMETRIC CRYPTOSYSTEM
Because the traditional biometric cryptosystem adopts single
biometrics, as mentioned earlier (see for instance Fig. 2), we
call it a Uni-Biometric Cryptosystem (UBC) in this paper. In
this section, we will introduce three methods: Biometric Encryption Algorithm (BEA), Fuzzy Commitment Scheme (FCS)
and Fuzzy Vault Scheme (FVS) for UBC first. BEA [12] used a
Fourier transform to process the entire fingerprint image to bind
a random key. FCS [21] and FVS [22], which have been broadly
applied to iris, fingerprint, and face, rely on unique biometric
traits that are used as inputs for various measures of closeness,
such as Hamming distance and set distance.
BEA defines a correlation function, , to be the basis for
the algorithm. For two images, and , with their corresponding
Fourier transform, and , respectively, the correlation function
between them is formally defined as , where denotes the complex
conjugate. The output of can be computed as the inverse
Fourier transform (FT^{-1}), . Then, a filter function , which
provides a tradeoff between distortion tolerance and discrimination,
can be defined and calculated using a set of training images .
For a training image , the output pattern produced in response to
is given by and its Fourier transform is given by . A similarity
term, , is defined as a measure of the similarity of the output
correlation patterns and the random output function . A noise term,
using , is defined as a measure of the effect of image-to-image
variation. To minimize the error, Soutar et al. [12] proposed an
optimal filter design for the filter function that processes a
perfect cryptographic secret.
FCS utilizes error-correcting techniques. In order to authenticate and reveal the key, biometric features that are sufficiently close to the biometric template must be presented. Let
be a hash function, such as SHA-1. Then,
define a map:
as
, where is a codeword in a set
. First, randomly select a codeword as a secret.
When encrypting the secret using biometric vector , compute
, and store
as the ciphertext
in a server. When decrypting the ciphertext, another biometric
vector is inputted for authentication. Then,
can be obtained, where is a decode function. If is close to
, we can determine is the secret if
.
In FCS, the biometric features must be aligned before running
the FCS algorithm. On the other hand, the property of order-invariance is desirable. To overcome the disadvantage of
FCS, the FVS algorithm is developed without a fixed order because biometric features are considered as elements of a biometric set.
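The fuzzy commitment flow described above, written out as an added example (it is not code from the paper). It assumes a 5-fold repetition code as the error-correcting code and SHA-256 as the hash; the secret, template and function names are constructed for illustration.

```python
import hashlib

REP = 5  # assumed code: 5-fold repetition, corrects up to 2 bit errors per block


def encode(bits):
    """Map secret bits to a codeword by repeating each bit REP times."""
    return [b for b in bits for _ in range(REP)]


def decode(word):
    """Majority-vote each REP-bit block back to one secret bit."""
    return [int(sum(word[i:i + REP]) > REP // 2) for i in range(0, len(word), REP)]


def xor(a, b):
    return [x ^ y for x, y in zip(a, b)]


def digest(bits):
    return hashlib.sha256(bytes(bits)).hexdigest()


def commit(secret_bits, template):
    """Bind the secret to the template; only (hash, offset) is stored on the server."""
    codeword = encode(secret_bits)
    if len(template) != len(codeword):
        raise ValueError("template length must equal codeword length")
    return digest(codeword), xor(template, codeword)


def decommit(stored, query):
    """Return the secret bits if the query is close enough to the template, else None."""
    check, offset = stored
    secret_bits = decode(xor(query, offset))
    return secret_bits if digest(encode(secret_bits)) == check else None


def flip(bits, positions):
    return [b ^ 1 if i in positions else b for i, b in enumerate(bits)]


# Constructed sample data (not real biometric features).
SECRET = [1, 0, 1, 1, 0, 0, 1, 0]
TEMPLATE = [int(c) for c in "0101011100101100011011100101000011101011"]


def run_demo():
    stored = commit(SECRET, TEMPLATE)
    return {
        # 6 bit errors, at most 2 per block: within the code's correction capacity
        "noisy_genuine": decommit(stored, flip(TEMPLATE, {0, 3, 7, 12, 13, 38})),
        # 3 bit errors inside one block: the majority vote flips, the hash check fails
        "too_noisy": decommit(stored, flip(TEMPLATE, {20, 21, 22})),
        # same features shifted by one position: FCS needs aligned, ordered input
        "misaligned": decommit(stored, TEMPLATE[1:] + TEMPLATE[:1]),
    }


if __name__ == "__main__":
    for name, result in run_demo().items():
        print(name, result)
```

The misaligned case fails even though it carries exactly the enrolled bits, which is the alignment requirement FVS is meant to remove.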
FVS utilizes set difference to examine the similarity of
biometric features. This technique consists of two algorithms:
a locking algorithm and an unlocking algorithm. The locking algorithm
locks a secret with an unordered set . First, a
polynomial is selected to encode the secret . Then we can
compute evaluations of the polynomial using all elements of
. The results can be denoted as
In order to hide the secret, a number of random chaff points are
chosen as random noise to mix with the genuine points. Those
chaff points do not lie on the polynomial , denoted as
The entire collection of points
constitutes a vault
. The unlocking algorithm retrieves secret from vault by
providing another similarly unordered set
. If
Fig. 3. Multibiometric encryption.
is big enough, many genuine points in can be identified. Then the secret is revealed by using an error correction
scheme and a polynomial reconstruction algorithm.
The security of FVS relies on the number of chaff points, but
FVS is vulnerable to some attacks, such as Attacks via Record
Multiplicity or Correlation Attacks, Surreptitious Key-inversion
Attack, and Blended Substitution Attacks [28], [29], even if a
large number of chaff points are added in. On the other hand,
chaff points cannot be selected too close to genuine points. Otherwise, they will cause a genuine point to be quantized to a chaff
point. That will hardly improve the attack complexity required
if biometric feature detection and extraction are limited.
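The locking and unlocking algorithms, with the chaff-spacing caveat enforced, as an added example (it is not code from the paper). It assumes a prime field of size 65537, integer-quantized feature values, and a stored SHA-256 check of the polynomial in place of the error correction scheme; all values and names are constructed for illustration.

```python
import hashlib
import random
from itertools import combinations

P = 65537      # prime field size (assumed)
TOL = 3        # max feature noise tolerated when matching a query value
MIN_GAP = 8    # chaff must stay this far from genuine x values (> 2 * TOL)


def poly_eval(coeffs, x):
    """Evaluate the polynomial (lowest-degree coefficient first) at x mod P."""
    y = 0
    for c in reversed(coeffs):
        y = (y * x + c) % P
    return y


def interpolate(points):
    """Lagrange interpolation over GF(P); returns coefficients, lowest degree first."""
    coeffs = [0] * len(points)
    for i, (xi, yi) in enumerate(points):
        basis, denom = [1], 1
        for j, (xj, _) in enumerate(points):
            if j != i:
                # multiply the basis polynomial by (x - xj)
                basis = [(a - xj * b) % P for a, b in zip([0] + basis, basis + [0])]
                denom = denom * (xi - xj) % P
        scale = yi * pow(denom, -1, P) % P
        coeffs = [(c + scale * b) % P for c, b in zip(coeffs, basis)]
    return coeffs


def digest(coeffs):
    return hashlib.sha256(",".join(map(str, coeffs)).encode()).hexdigest()


def lock(secret, genuine, n_chaff, rng):
    """Hide the genuine points (x, p(x)) among chaff points that are off the polynomial."""
    vault = [(x, poly_eval(secret, x)) for x in genuine]
    used = set(genuine)
    while len(vault) < len(genuine) + n_chaff:
        x, y = rng.randrange(P), rng.randrange(P)
        too_close = any(abs(x - g) < MIN_GAP for g in genuine)
        if x in used or too_close or y == poly_eval(secret, x):
            continue
        used.add(x)
        vault.append((x, y))
    rng.shuffle(vault)
    return vault, digest(secret)


def unlock(vault, check, query, degree):
    """Try to rebuild the secret polynomial from vault points matched by the query set."""
    matched = {}
    for q in query:
        x, y = min(vault, key=lambda pt: abs(pt[0] - q))
        if abs(x - q) <= TOL:
            matched[x] = y
    for combo in combinations(sorted(matched.items()), degree + 1):
        coeffs = interpolate(list(combo))
        if digest(coeffs) == check:
            return coeffs
    return None


# Constructed sample data: quantized feature values, not real minutiae.
SECRET = [4242, 17, 60001, 321]  # coefficients of a degree-3 polynomial
GENUINE = [1200, 5310, 9875, 14020, 21777, 30500, 41230, 58001]


def run_demo():
    vault, check = lock(SECRET, GENUINE, n_chaff=200, rng=random.Random(2009))
    noisy = [1201, 5308, 9875, 14023, 21776, 30499, 47000, 52000]    # 6 of 8 overlap
    partial = [1200, 5310, 9875, 25000, 35000, 45000, 50000, 60000]  # only 3 overlap
    impostor = [100, 2000, 7000, 12000, 20000, 33333, 44444, 55555]  # no overlap
    return [unlock(vault, check, q, degree=3) for q in (noisy, partial, impostor)]


if __name__ == "__main__":
    print(run_demo())
```

Because MIN_GAP exceeds twice TOL, a noisy genuine value can never be quantized to a chaff point; the same spacing also limits how densely chaff can be packed, which is the tradeoff the paragraph above points out.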
BEA, FCS, and FVS have their advantages and disadvantages
for different applications. When they are applied in an MBC,
we will only consider them as possible algorithms for encryption
without caring about the algorithms themselves.
III. BASIC THEORIES OF MBC
The basic architecture of the MBC is shown in Fig. 3. To effectively understand the MBC, we will analyze and define three
performance characterizations, namely, security, privacy and accuracy. As considered in the multibiometric recognition system,
it will be assumed that the cost and the speed of the system do
not play any significant role in its performance assessment [8].
A. Formal Definitions
Definition 3.1: Let
be a randomized encryption function computable in probabilistic polynomial
time. Let
be a decryption function
computable in probabilistic polynomial time.
denotes the ciphertext of biometric encryption where
and
, and
denotes the
result of biometric decryption, where
.
In a biometric cryptosystem, when inputting a biometric
vector or set
and a secret , function
binds
and
and maps to a new space. We denote the random output of
the function by
that presents the ciphertext of the
secret encrypted by . If we wish to make the randomness
explicit, the denotation
is used, where is a random
number. Also, the function
reconstructs the secret after
inputting another biometric vector or set B and the ciphertext.
If a genuine user offers legitimate inputs, and should run
in probabilistic polynomial time.
In order to define an MBC, first, we must define a unibiometric cryptosystem that is used to encrypt the secret using
the single biometrics.
Definition 3.2: A unibiometric cryptosystem
is an encryption/decryption pair
with the following property: for every pair of biometric features
, if
for a positive real , then
with overwhelming probability.
This definition of uni-biometric cryptosystem allows one to
encrypt a secret with a biometric vector or set , and then successfully retrieve in the expected polynomial time with any
vector or set that is close to . Here, the distance
is the number of different digit positions for the Hamming metric
and half of the size of the two sets’ symmetric difference for the set difference metric [26]. This definition can be extended to define MBC,
which contains multiple biometrics for encryption/decryption.
Definition 3.3: An MBC
is an encryption/decryption pair
with the following property: for some pairs of biometric
feature vectors or sets
extracted from m different biometric sources, if
for a positive real , then
with overwhelming probability, where
.
In other words, an MBC
can decrypt a ciphertext
, which is the result of a secret encrypted
with biometric vectors or sets
, if the input
is
close to
. The similarity assessment of
and
is obtained based on a measure function
.
How to integrate different biometrics is not considered in
this definition, so we will give the following two definitions
regarding fusion at the biometric level and fusion at the cryptographic level.
Definition 3.4: In system
, fusion at the biometric
level is a map
,
which satisfies the following multibiometric encryption/decryption process: for some pairs of biometric vectors or
sets
extracted from different biometric sources, where
, if
for a positive real , where
and
, then
with
overwhelming probability.
Definition 3.5: In system
, fusion at the cryptographic
level is a pair
, where
is a map
and
is another map
, which
satisfies the following multibiometric encryption/decryption
process: for some pairs of biometric vectors or sets
extracted from different biometric sources, where
, if
for a positive real ,
then
with
overwhelming probability.
From Definition 3.4, we can see that the MBC model at the
biometric level is the same as the fusion at the feature level in a
multibiometric recognition system. The only difference is that
the integrated vector or set is used for either biometric encryption or identity recognition. Similarly, according to Definition
3.5, fusion at the cryptographic level is the same as the decision level fusion. While there is a fusion level (score level fusion) in the multibiometric recognition system, it is not defined
in the MBC because a cryptographic algorithm needs an accurate and determined cryptographic key rather than a nonidentified score judgment. Also, in Section V, we will find that at the
cryptographic level, the MN-split model, nonsplit model, and
package model all have parallels with fusions in the multibiometric recognition system, corresponding to the out of fusion rule, OR rule, and AND rule, respectively.
B. Security and Privacy
The privacy of a biometric and the security of a secret can
be put into precise mathematical terms based on the definition
of entropy. The entropy measure for biometric protection was
first proposed in [26], which is called min entropy. But in
[30], the authors proposed the Shannon entropy instead of the min
entropy due to the disadvantage of the min entropy in the multiple-key scenario. We also adopt the Shannon entropy to analyze the privacy and security in the multiple-biometrics scenario.
The Shannon entropy of a random variable is defined in
terms of its probability distribution. The conditional uncertainty
of the random variable
given
such that
is given by
for each
. Furthermore, given the random variable
, the conditional uncertainty of the random variable
is
given by
, which is
the expected value of
over .
can
be regarded as the entropy of
after disclosing . Then, the
entropy loss of the random variable
by disclosed
is the
entropy difference
. Based on these theories,
to analyze the privacy and security of an MBC, three attack
hypotheses are given as follows.
1) For an individual, some biometric traits are vulnerable and
were compromised by an impostor. For example, his/her
fingerprints or voice are faked or recorded by means of
social engineering. However, other biometric traits are still
unknown.
2) The ciphertext of the secret encrypted with biometrics is
disclosed. In some systems, it is easier to break the server
than to attack biometrics.
3) Fusion algorithms and encryption/decryption algorithms in
the MBC are known by the impostor.
Now we can have the following descriptions: Set
and let
be a triple of random
variables corresponding to a randomized construction of the
MBC.
is a random biometric vector or set over a universe
corresponding to the
biometrics, where
.
and
are independent for all
. is a random secret
uniformly chosen from
and independent of
.
is a ciphertext, which is the result of a function of and , namely
when integration is done at biometric
level and
when integration is done
at cryptographic level, respectively. In terms of the Shannon
entropy, we have
for
and
for
Since
, then
. Let
be a set of
the uncompromised biometrics, where
, and
is a set of the compromised biometrics. Without a loss
of generality, we assume
and
.
is the entropy measure of the uncertainty about
when the ciphertext and the biometrics in the set are disclosed. The security and privacy of the MBC depends on the
entropy of the unbroken biometrics in the set . The main objective then is to determine
.
Lemma 3.1: In an MBC over a universe , for the secret
and the set of biometrics
, if is partitioned into
two complementary subsets and , and
,
we have the following equations:
,
.
Proof: The mutual information
can be equivalently expressed as
and
. Because and are independent,
then the mutual information
. Thus, we have
. In the same way,
because and are also independent,
. We have
.
Theorem 3.1: In an MBC over a universe , given
and , for the conditional entropy
, we have
.
Proof: By Lemma 3.1, we know
. If set
, we get
Therefore,
.
As a result, we can examine the mutual information of each
biometric and the ciphertext to determine the entropy of unbroken biometrics, which maintains its privacy from the disclosed
information and , and protects the security of the
secret. In order to determine the privacy or security of
or
, we only need to determine the mutual information as described in Lemma 3.1 and Theorem 3.1. To compare the security of a unibiometric cryptosystem with an MBC, we assume
that given a random biometric , a random secret , and the
unibiometric algorithm , we can determine the entropy. In the
MBC, we will not consider the security of the unibiometric algorithm and assume it is secure for secret protection. According
to this assumption, we will analyze the privacy and security of
the MBC.
C. Accuracy
In a biometric system, the problem of personal identification
can be formulated as a hypothesis testing problem [8], [19].
Thus, two types of error measure, FAR and FRR, can be presented using conditional probability. In an MBC, the accuracy
problem in unibiometric cryptosystems can be formulated as a
hypothesis testing problem also. As presented in [19], FAR and
TABLE II
EXAMPLES OF ACCURACY
FRR are used to measure that an impostor successfully generates the secret by providing the illegitimate biometrics and that
a genuine user unsuccessfully generates the secret by providing
the legitimate biometrics, respectively. Therefore, we can obtain
the following description: two categories of people,
and , seek to obtain the secret
that is encrypted by biometrics
. Here, is a genuine user and
is an impostor. After
providing another biometric , the cryptosystem outputs
if successfully decrypting the ciphertext encrypted by
, or
if unsuccessfully decrypting the ciphertext, where
is a special character. That is to say, if obtaining , then the
user belongs to . On the other hand, if obtaining , the user
belongs to .
Based on the above description, we can determine the accuracy of the uni-biometric cryptosystem. The FAR is the conditional probability that an impostor successfully obtains
by
inputting
to the cryptosystem , denoted as
. The
FRR is the conditional probability that a genuine user obtains
by inputting
to the cryptosystem , denoted as
.
Next, we will consider the accuracy of the MBC based on that
found in the unibiometric cryptosystem. In a multibiometrics
scenario, if multiple biometrics
are inputted for encryption and
are
inputted for decryption, then the error rate can be defined as
To examine the accuracy, we set the values of
as
the FAR and FRR when using a uni-biometric algorithm
to decrypt , which is the ciphertext of the secret
encrypted by biometrics
using algorithm
. We use
the following four examples of
in Table II to test the
accuracy, where
, 2, 3, 4.
In a biometric recognition system, there is a tradeoff between
FAR and FRR. But for a cryptographic system, security is more
important. Therefore, we set the FRR as much bigger than the
FAR for single biometrics. For instance, the accuracy of pair
algorithms (
) is
with values of (0.05, 0.2)
when a biometric encryption algorithm is applied to biometrics
. In the following models, accuracy is examined by using
these examples.
IV. MBC MODEL AT BIOMETRIC LEVEL
Fusion at the biometric level integrates different biometric
features that are extracted from multiple biometric sources to a
vector or set for encryption. This fusion may be done in the same
manner as fusion at the feature level in multibiometric recognition systems, as shown in Fig. 4. In this section, we will discuss
performance problems without considering how to integrate the
biometric features. Some fusion methods were widely used in
Fig. 4. Fusion at biometric level.
the multibiometric recognition system. We refer the reader to
the corresponding literature [16], [17].
The MBC model at the biometric level is a formal construction, which presents basic relations among the fusion of biometric features and biometric encryption. In this model, the variable
set of biometrics
includes two components and ,
where is the set of broken biometrics and is the biometrics
still unknown by the impostor. Variables , and can be denoted as
,
,
, where
and
. Without a loss of generality, we assume
and
. The fusion of the variable set of biometrics
can be used to encrypt the secret
to satisfy the following formulas:
and
Then the fusion,
, can be considered as a special biometric integrated from
for single biometric encryption/decryption.
Here, for the same algorithm
, each biometric
also satisfies the following formulas:
and
We now show the lower bound of biometrics in the construction of a cryptosystem at the biometric level when
is
disclosed and biometric is compromised. We consider the entropy loss of biometrics that can be determined from the fusion algorithm and the uni-biometric cryptosystem.
Theorem 4.1: In a general construction of MBC at biometric
level over a universe , if the entropy loss of
is for fusion,
where
,
is the encryption template, then given
and , for the random variable , we have
.
See Appendix A.1 for the proof of Theorem 4.1.
By Theorem 4.1, if there are no spoofed biometrics, namely
, then
. On
the other hand, for the biometric trait
in , we have
. Set
and
, then
by Theorem 4.1. As a consequence, given
and , we can
determine the minimum entropy for each unbroken biometric
in the set is
.
We now state and prove Theorem 4.2 which gives the relationship of and when and are both disclosed at biometric
level.
Theorem 4.2: In a general construction of MBC at the
biometric level over a universe , for the random variable
, we have
. If
is uniquely determined by
, we have
See Appendix A.2 for the proof of Theorem 4.2.
Without considering the parameter , Theorems 4.1 and 4.2
give the relationship of the security/privacy between the MBC
model at biometric level and the UBC model when some biometrics in are disclosed. However, based on Definition 3.4,
only when the pair
meets the condition
,
the fusion biometric vector or set can decrypt the template.
Therefore, the parameter plays an important role in determining the accuracy of the cryptosystem. On the other hand, the
security of the cryptosystem also depends on and the entropy of the disclosed biometric set . The following theorem shows the
relationship between the security of the secret and the accuracy using the parameter and the set .
Theorem 4.3: In a general construction of MBC at the
biometric level, for some pairs of biometric vectors or
, where
, if the
sets
and
fusion biometric traits
in probabilistic polynomial time
, where
, and
to make
, then we have
,
;
(1) If
,
(2) If
where denotes the considerable computational complexity.
See Appendix A.3 for the proof of Theorem 4.3.
If there is no entropy loss when combining the biometric traits in , the entropy of
can be considered as the considerable computational complexity . Therefore,
can be determined by .
It is known that integrating multiple biometrics using an effective fusion scheme can significantly improve the overall accuracy of the biometric system. An MBC that utilizes the highly
efficient methods also can achieve better accuracy compared to
a unibiometric cryptosystem. For example, the multibiometric
vault [33] achieves a GAR of 98.2% at FAR of about 0.01%,
while the corresponding GAR values of the iris and fingerprint
vaults are 88% and 78.8%. In a general construction of MBC
models at the biometric level, if a fusion algorithm can improve the accuracy for identification/verification, we can apply
the same fusion algorithm to improve the accuracy of the MBC.
In general, the alignment and quantization of biometric features
are mainly affected by the features. We can find some proper
fusion algorithm to achieve the lower FAR and FRR. Therefore,
a good fusion algorithm at biometric level can improve the accuracy also.
V. MBC MODELS AT CRYPTOGRAPHIC LEVEL
MBC models at the cryptographic level, as shown in
Figs. 5–7, consist of three submodels: MN-split model, nonsplit model, and package model.
Cryptographic level fusion stems from the decision level fusion. Thus, there are some
similarities and relationships between them. Similarly, the MN-split
model, nonsplit model, and package model correspond to the
out of fusion rule, OR rule, and AND rule, respectively. In
the MN-split model, the secret is split into pieces. Each
biometric protects one piece using a relative encryption/decryption algorithm.
The secret can be reconstructed only if any pieces are recovered from the
corresponding biometric ciphertexts. This model can eliminate the effect of some
low-quality biometric images or some unusable biometrics.
In nonsplit models, the secret is not split into pieces. Each
biometric encrypts the secret, which can be recovered when any
one of the biometric ciphertexts is decrypted successfully. Since
any broken biometric can compromise the secret, the security
of is vulnerable. In the third model, the secret is packed layer
by layer. The secret is encrypted to the biometric ciphertext by
the first layer biometrics, then the ciphertext is considered as
the secret and encrypted by the second layer biometrics. At last,
the final ciphertext is obtained after being encrypted by the outside
biometrics. Those models will be investigated in the following
section.
Fig. 5. MN-split model.
A. MN-Split Model
In the MN-split model, the secret is split into pieces, denoted as . Any pieces
can be used to restore . Assume protects , protects , , and protects , as shown in Fig. 5.
There is a determined coefficient, denoted by combination , existing
between the encryption using biometrics and the encryption using a subset ,
where is the set of biometrics that is randomly selected from the to encrypt/decrypt
. Therefore, in this model we only consider the multiple
biometric encryption using and analyze its security.
If is the set of broken biometrics in the set and is
the set of other biometrics in , then , and can be denoted as , , , where and .
Just the same as the assumption at the biometric level, without a loss of generality, we assume
and . For each biometric , can be
encrypted as follows:
Because
.
, then
is independent with
if
Fig. 6. Nonsplit model.
are both disclosed. In the following
the biometrics when
theorem, we can examine biometrics to determine the security
of the secret.
Theorem 5.2: In a general construction of the MN-split model
over a universe , given and , for the random variable ,
we have
.
If biometric
is uniquely determined by
, we have
.
See Appendix B.2 for the proof of Theorem 5.2.
Theorem 5.3: In a general construction of the MN-split
model, for some pairs of biometric vectors or sets
, where
, if there is a biometric set
, in probabilistic polynomial time to make
, where
,
and is a positive real, then we have
,
;
(1) If
(2) If
,
,
is the entropy of the
combination, which is generated
by selecting
elements from the set
, denoted
. Here,
,
as
,
, and denotes the considerable computational complexity.
See Appendix B.3 for the proof of Theorem 5.3.
The accuracy of restoring the secret can be computed by Theorem 5.4.
Theorem 5.4: In a general construction of the MN-split model
over a universe , for biometrics , if at least
biometrics can be used to successfully decrypt corresponding
ciphertexts, then we have
Fig. 7. Package model.
The previous description gives the basic ideas of the general
MN-split model. The following theorem shows that the lower
bound of the entropy of
is mainly affected by the entropy
in , which is used in the uni-biometric
of each biometric
cryptosystem, given corresponding to .
Theorem 5.1:
In a general construction of
the MN-split model over a universe
, given
and
, for the random variable
, we have
,
.
See Appendix B.1 for the proof of Theorem 5.1.
By this theorem, we can see if , then . We can get
and
. For a biometrics
in
when given
and , because
, it is clear that
. On the other hand, we have then
. Thus, let
entropy
and
, we can get
by Theorem 5.1.
Hamming metric construction over a field is a technique
in which the secret is a random codeword chosen uniformly at
random and independently of each biometric . In this construction,
is a function of and , namely , and
is uniquely determined by , namely .
Theorem 5.2 shows that if
can be uniquely determined by
, the entropy of the secret
is equal to the entropy of
,
is the FAR of
and
is the FRR of
, and
where
is a randomly selected biometric for encryption.
See Appendix B.4 for the proof of Theorem 5.4.
Proposition 5.1: In the MN-split model, given biometrics
as input, if a biometric trait
is involved in
decrypting the corresponding subkey, then we have
,
, where
( ) is the FAR (FRR) of the biometric ,
and
( ) is the FAR (FRR) of the cryptosystem
.
Proof: By Theorem 5.4, when
is chosen for decryption,
then
where
is the FAR and
is the FRR of cryptosystem
.
Therefore, Since
,
and
, then
,
.
To more clearly understand the accuracy computation of
MN-split model, we provide the following example.
Example 1: As an example, consider the following choice of
parameters. Let , , and . Because , , then based on Table II,
has the
TABLE III
EXAMPLES OF ERROR RATE AT THE MN-SPLIT MODEL
following four possible values:
Since
,
has the following six possible values:
Therefore, by comparing Tables II and III, we can see
that both FAR and FRR have decreased greatly.
B. Nonsplit Model
Distinct from the construction of the MN-split model, the secret
is not split into pieces, as shown in Fig. 6. Any
biometric protects the same secret . is the set to
encrypt/decrypt . is the set of broken biometrics in the set
and is the set of un-broken biometrics in . , and
can be denoted as , , , where and .
Without a loss of generality, we assume and . Here, any biometric
can be used to encrypt as follows:
In this model, because
, then
is independent with
if
. Also, for a determined
, is
independent with
if
. So we can get the following theorem.
Theorem 5.5: In a general construction of the nonsplit model
over a universe , given and , for the random variable ,
we have
.
See Appendix B.5 for the proof of Theorem 5.5.
From the above theorem, for any un-compromised biometrics
in ,
. Obviously, if is nil,
.
For any biometric
, when
are disclosed,
is also disclosed since
. Thus, knowing
and , an impostor can restore the secret by using the decryption algorithm
. We then have the following
theorem for the security of the secret.
Theorem 5.6: In a general construction of the nonsplit model
over a universe , given and , for the random variable ,
we have
.
See Appendix B.6 for the proof of Theorem 5.6.
Theorem 5.7: In a general construction of the nonsplit model, for some pairs of biometric vectors or sets
, if
, where
,
and is a positive real, then
we have
,
;
(1) If
(2) If
,
;
where
,
, and denotes the considerable
computational complexity.
See Appendix B.7 for the proof of Theorem 5.7.
Theorem 5.8: In a general construction of the nonsplit model
over a universe , for biometrics , then we have
, , where is the FAR of and is the FRR of .
See Appendix B.8 for the proof of Theorem 5.8.
Proposition 5.2: In the nonsplit model, given
biometrics
as input, we have
,
, where
( ) is the FAR (FRR) of a biometric trait , and
( ) is the FAR (FRR) of the cryptosystem .
Proof: By Theorem 5.8, we can obtain
Since
, we can get
, then
. And since
, we can obtain
Therefore, we have
,
.
Example 2: Again, we pick
and
. Then based on Table II, we can compute
, and
. Therefore, with a higher FAR, this model largely decreases
FRR.
C. Package Model
Package model provides a layer-by-layer protection for the
secret using biometrics. The bottom layer is the secret that is
encrypted by the next layer’s biometrics to the ciphertext, which
becomes the following layer’s secret. The top layer is the last
result of the whole encryption process. To obtain the secret, an
impostor has to rake up the ciphertext layer by layer, as shown
in Fig. 7. We can create the following model.
is the set of broken biometrics in the set
the set .
and is the set of un-broken biometrics in . , and can
,
, where
be denoted as ,
and
. Without a loss of generality, assume
and
. The process of encryption is denoted as follows.
From the above formulas, we can see
and are independent. The following three theorems show the privacy, security
and accuracy of this model.
Theorem 5.9: In a general construction of the package model
over a universe , given and , for the random variable ,
we have
.
See Appendix B.9 for the proof of Theorem 5.9.
If there are no spoofed biometrics, namely
and
, then
.
On the other hand, if has only an un-compromised biometrics, such as ,
because , is determined by , then . Since both and are
independent with , and , then we have . The following theorem
gives the minimum entropy of the secret .
Theorem 5.10: In a general construction of the package
model over a universe , given and , for the random variable , we have
.
See Appendix B.10 for the proof of Theorem 5.10.
Theorem 5.11: In a general construction of the package
model, for some pairs of biometric vectors or sets
, if
and
, where
,
and is a positive real, then
we have
(1) If
,
;
(2) If
,
;
where
,
, and denotes the considerable computational complexity.
See Appendix B.11 for the proof of Theorem 5.11.
Theorem 5.12: In a general construction of the package
model over a universe , for biometrics
, then
we have
,
, where
is the FAR of
and
is the FRR of
.
See Appendix B.12 for the proof of Theorem 5.12.
Proposition 5.3: In the package model, given biometrics
as input by an impostor or a genuine user, we
have
,
, where
( ) is the FAR (FRR)
(
) is the FAR (FRR) of the cryptosystem
.
Proof: By Theorem 5.12, we can obtain
be
Same as the nonsplit model, let
, and
of a biometric
Since
, we can obtain
. And
Since
, we can get
we have
,
Example 3: Let
, then
.
and
. Therefore,
. Then based on
Table II, we can compute
and
,
. Therefore, this model
largely decreases FAR (near zero), but FRR is increased.
VI. COMPARISON OF VARIOUS MBC MODELS
In this section, a brief comparison of MBC models will be
provided based on the security, privacy and accuracy. We mainly
consider the following scenarios: 1) the entropy of the determined
biometric set in which the biometric trait is uncompromised
when the ciphertext and some biometrics in are disclosed
(corresponding to , , , , respectively); 2) the
entropy of the secret when the ciphertext and some biometrics are disclosed;
and 3) the accuracy of the models. The
first and second scenarios are relative to the privacy of the biometrics and the security of the secret.
In an MBC, without biometrics directly stored in the template
database, the user need not reveal his biometrics to an impostor
just as dealt in the unibiometric cryptosystem. But the privacy
issues tied to MBCs are significantly affected by different model
architectures and parameters. It is known that the compromised
biometrics cannot be revoked. Thus, in the unibiometric cryptosystem, if a biometric is compromised, we have to discard
it and switch to another biometric cryptosystem based on another biometric identifier. In an MBC, in order to consider the
system’s performance to overcome this problem, we have assumed the set consisting of compromised biometrics.
For the security of the secret, when the ciphertext and
biometrics in are disclosed, the entropy of the secret is
. Therefore, if and are compromised by the
impostor, the security of the secret is only protected by the
biometrics in . We consider the following scenarios: 1) ;
2) , is the parameter of MN-split model; 3)
; 4) all biometrics are compromised, .
When
,
. Then, by
comparing the entropy using the parameters ,
and
,
where is the threshold in the biometric fusion model,
is the distance of
biometric trait and
is the size of
TABLE IV
SECURITY COMPARISON OF VARIOUS MBC MODELS (|Z| = 0)
TABLE V
SECURITY COMPARISON OF VARIOUS MBC MODELS (1 ≤ |Z| < n)
the set
, we can obtain the security level of each model
. Based on Theorem 4.3, 5.3,
5.7, and 5.11, we can get the entropy
as shown in
Table IV. Similarly, we can get the Tables V and VI when
and
. When
, it is
clear that
since all biometrics are broken.
In Table IV, the security level of each model is given when
and . These two scenarios are considered under the condition of . In
Section V, with the same condition, Theorem 5.4, 5.8, and 5.12
demonstrate how to compute the accuracy (FAR and FRR).
Since the accuracy of the biometric fusion model is related to
, the FAR and FRR of the four models under the same two
scenarios can be compared. These comparisons are presented
in Table VII.
In the biometric fusion model, for a determined biometric trait
, when the ciphertext
and biometrics
are disclosed, by Theorem 4.1, we can get
.
If there is no entropy loss of the biometric
when combining all the biometrics to form an encryption vector,
. By Theorem 5.1,
since
, we can
get
in the MN-split model. By Theorem 5.5,
we know
. By Theorem
5.9, we can get
. Thus,
while there is a low level of privacy in the MN-split model,
the biometric fusion model and package model have a higher
level of privacy than that in the nonsplit model, as shown in
the second column of Table VIII. Also, by Theorem 5.4, 5.8,
5.12, and Proposition 5.1, 5.2, 5.3, we can obtain the accuracy
comparing single biometrics. Both the biometric fusion model
and the MN-split model can increase the encryption/decryption
accuracy. But while the FRR is decreased, the FAR is largely
increased in the nonsplit model. That is the same as in the
package model, in which the FRR is increased with a decreased
FAR. The accuracy comparison between the multi and unibiometric cryptosystem is shown in the third and fourth columns of
Table VIII.
We also provide a comparison of the models based on flexibility including three factors: scalability (the ability of an MBC
to add or remove biometrics), feature consistency (the different
biometric vectors or sets that should be converted into an identical feature space), and convenience (whether the model is convenient for application), as shown in Table VIII.
On the whole, when the threshold is big enough, the biometric level fusion may provide higher security than the fusion models at the cryptographic level. However, different biometric sources such as fingerprint and iris may have incompatible features and different feature spaces. That makes it difficult
to concatenate different features. Meanwhile, it is hard to extend
the biometric system, such as adding or canceling a biometric
source. Those disadvantages make it inconvenient for application deployment. Although the MN-split model has the lowest
level of the privacy of the four models, it can achieve optimal
performance with flexibility. Moreover, the MN-split model can
easily combine different biometric algorithms that utilize various measures, such as hamming distance and edit distance, for
biometric encryption. We can enhance or improve the security,
privacy and accuracy using mere parameter selection without
redesigning the whole system. In the nonsplit model, because
any one of the input biometrics may restore the secret, the nonsplit
model makes the security of the system lower than other methods.
But it has the best flexibility for practice. If a system does not
TABLE VI
SECURITY COMPARISON OF VARIOUS MBC MODELS (n ≤ |Z| < m)
TABLE VII
ACCURACY COMPARISON OF VARIOUS MBC MODELS
TABLE VIII
COMPARISON OF VARIOUS MBC MODELS
require high security, a lower FRR with high FAR may be more
useful in some cases. For example, this model can be applied to
sharing a secret in a group using each individual’s biometrics.
The package model has the same characteristics as the biometric
fusion model except for the FAR and the feature consistency.
This model leads to a higher FRR than the single biometrics.
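An added example, not taken from the paper, that puts numbers on this comparison of the three cryptographic-level models. It assumes statistically independent traits, no entropy loss, and constructed FAR/FRR and entropy values (not the paper's Table II); the function `attacker_work_bits` follows the attack strategy described in the appendix proofs of Theorems 5.3, 5.7 and 5.11, which is this example's reading and not the theorems' exact bounds.

```python
"""Added example (not from the paper): the three cryptographic-level MBC models.

Assumptions: traits are statistically independent, fusion loses no entropy,
and all FAR/FRR/entropy figures below are constructed sample values.
"""


def at_least_k(probs, k):
    """P(at least k of the independent events in `probs` occur)."""
    dist = [1.0]  # dist[j] = P(exactly j events occurred so far)
    for p in probs:
        nxt = [0.0] * (len(dist) + 1)
        for j, pj in enumerate(dist):
            nxt[j] += pj * (1.0 - p)
            nxt[j + 1] += pj * p
        dist = nxt
    return sum(dist[k:])


def mn_split_rates(far, frr, n):
    """(FAR, FRR) when any n of the m protected pieces rebuild the secret."""
    system_far = at_least_k(far, n)  # impostor opens at least n pieces
    system_frr = 1.0 - at_least_k([1.0 - r for r in frr], n)  # genuine opens < n
    return system_far, system_frr


def nonsplit_rates(far, frr):
    """OR rule: one successful decryption releases the secret (n = 1)."""
    return mn_split_rates(far, frr, 1)


def package_rates(far, frr):
    """AND rule: every layer has to decrypt (n = m)."""
    return mn_split_rates(far, frr, len(far))


def attacker_work_bits(model, entropy_bits, compromised, secret_bits, n=None):
    """Bits left to guess once the ciphertexts and `compromised` traits leak.

    Reading of the appendix proofs (an assumption of this example): the
    impostor guesses the cheapest traits still needed, i.e. one trait for
    nonsplit, n - |Z| for MN-split, every unbroken trait for package.
    Guessing the secret directly caps the result at `secret_bits`.
    """
    m = len(entropy_bits)
    need = {"nonsplit": 1, "mn_split": n, "package": m}[model]
    unbroken = sorted(h for i, h in enumerate(entropy_bits) if i not in compromised)
    missing = max(0, need - len(compromised))
    return min(secret_bits, sum(unbroken[:missing]))


# Constructed sample traits (fingerprint, iris, face); not measured data.
FAR = [0.001, 0.0001, 0.01]
FRR = [0.02, 0.05, 0.10]
ENTROPY_BITS = [40, 60, 20]
SECRET_BITS = 128


def compare(n=2):
    """Accuracy and remaining attacker work for |Z| = 0..m, per model."""
    rows = {}
    for model, rates in (("mn_split", mn_split_rates(FAR, FRR, n)),
                         ("nonsplit", nonsplit_rates(FAR, FRR)),
                         ("package", package_rates(FAR, FRR))):
        work = [attacker_work_bits(model, ENTROPY_BITS, set(range(z)), SECRET_BITS, n)
                for z in range(len(FAR) + 1)]
        rows[model] = {"far": rates[0], "frr": rates[1], "work_bits": work}
    return rows


if __name__ == "__main__":
    for model, row in compare().items():
        print(f"{model:9s} FAR={row['far']:.3e} FRR={row['frr']:.3e} "
              f"work bits for |Z|=0..3: {row['work_bits']}")
```

With these sample values the 2-of-3 split lowers both error rates below the best single trait, the nonsplit model trades a higher FAR for a lower FRR, and the package model does the reverse, which matches the qualitative conclusions of Examples 1 to 3.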
VII. CONCLUSION
Unibiometric cryptosystems combine cryptography and biometrics to benefit from high security levels provided by cryptography and nonrepudiation brought by biometrics. Without
storing sensitive data by means of plaintexts, a biometric cryptosystem provides a secure method for secret protection and enhances the privacy of individual biometrics. However, feature
alignment, quantization and other factors degrade the accuracy
of biometric cryptosystems. Spoof attacks that commonly exist
in biometric systems also seriously threaten the security and privacy. This paper proposed a cryptosystem, namely the MBC,
which is superior to the use of the unibiometric cryptosystem in
different applications, due to integration of multiple biometrics
for encryption.
In this paper, the MBC is formally defined to integrate multiple biometric traits to protect a secret with two fusion levels,
the biometric level and the cryptographic level. There are four
model structures or methods presented to meet requirements of
different applications at those two levels. By comparing with
the entropy of single biometrics, the lower bound of biometrics
and secret is given and proved using Shannon conditional entropy. The accuracy is rigorously analyzed using FAR/FRR and
demonstrated by examples. Finally, a comparison of the relative advantages and disadvantages of the proposed models is
discussed. From the comparison, we can see that each MBC
model, either modeled at the biometric level or at the cryptographic level, has its strengths and weaknesses. No single model
is expected to be optimal to meet all the requirements of factors,
such as privacy, security, accuracy, and flexibility. In practice,
performance improvements can be achieved only if the right architecture is selected.
to break the cryptosystem. Therefore, when and are disclosed , if
, the entropy of is determined
by .
B) Proofs for MBC at Cryptographic Level:
B.1) Proof of Theorem 5.1:
Proof: According to Theorem 3.1, given
and some broken biometrics
,
we can obtain the equation
. In the construction of
the MN-split model over a universe
, since
,
then
APPENDIX
A) Proofs for MBC at Biometric Level:
A.1) Proof of Theorem 4.1:
Proof: By theorem 3.1, we know
. Set
and
are independent, and
. Since
, then we have
with the equality iff
and
given
. Set
Therefore,
The equality holds iff
and
are conditionally independent given
. Thus,
. Therefore, we obtain
. When
is disclosed, we can consider the secret is encrypted by biometric
that is the only random variable for an impostor, and
is only determined by
. Then the mutual
and
is relative to
information between
the mutual information between
and . There is
entropy loss of
when
is integrated with
to
.
Thus, given
the mutual information between
and
is less than or equal to
. Then we have
.
A.2) Proof of Theorem 4.2:
Proof: We know that given
, the secret can be ob,
tained using the decryption algorithm. Therefore, given
. Then
. On the other hand, since the mu.
tual entropy
. For a
We then get
biometric encryption/decryption algorithm, given
, we can
uniquely determine , then
.
On the other hand, if
is uniquely determined by
and ,
. It is quite obvious that
then
. Therefore,
. As a
consequence, if
can determine , the entropy is equal
disclosed.
to under the condition of
A.3) Proof of Theorem 4.3:
Proof: Since
, if
, then an imusing
to
postor can decrypt
,
get . Therefore, if
.
If
, the loss entropy from
is
. That is to say, to attack , an impostor guesses only
bits
we
are conditionally independent
, then
have
.
On
the
because
then
a
consequence,
we
have
the
other
hand,
,
, thus
. As
entropy
and
.
B.2) Proof of Theorem 5.2:
Proof: Since
, then
, and
. For the
biometric en,
using
cryption/decryption
algorithm,
given
the decryption algorithm, we can determine
,
,
then
. Meanor
while, if given
, we can determine
, then
,
. Therefore,
or
.
B.3) Proof of Theorem 5.3:
Proof: Since
, if
, then an impostor can
decrypt using
to get
. Therefore, if
,
.
If
, to attack , an impostor guesses only
biometric traits to break the cryptosystem. Therefore, when
and
are disclosed , he can select
biometrics from
, in which the sum of the biometric entropy is
minimal. Without a loss of generality, let the combination be
. To attack , the minimum entropy
.
is
B.4) Proof of Theorem 5.4:
Proof: If an impostor wishes to get the secret, he/she must
successfully decrypt at least ciphertexts that are encrypted
by corresponding biometrics. Then let random event
occur
such that the decryption algorithm outputs . We suppose
that an impostor successfully decrypts the key using arbitrary
biometrics
, which correspond to events
. Therefore, we can obtain following equations:
Since a legitimate user is rejected when biometrics
are inputted, there is at most
biometrics that can be used successfully for decryption. That
is to say, at least decryption algorithms output
. Therefore, let random event be that the decryption
algorithm outputs . We can suppose that a legitimate user
unsuccessfully decrypts the key using arbitrary
biometrics corresponding to events . Then we can get
As a consequence,
,
, where
is the FAR of
and
is the FRR of
, and
is
a randomly selected biometric.
B.5) Proof of Theorem 5.5:
Proof: By theorem 3.1, we know the entropy
. In the
construction of the nonsplit model over a universe , since
, then we get the equation shown at the bottom
of the page. When
When
When
,
Therefore, we can obtain
.
B.6) Proof of Theorem 5.6:
Proof: In this model, because , then
. Therefore, when any biometric
is compromised, the secret
can be broken if is disclosed. Then
we have .
B.7) Proof of Theorem 5.7:
Proof: If , then an impostor can decrypt using
to get , where . Therefore, if , .
If , to attack , an impostor guesses only one of the
biometric traits to break the cryptosystem. When and are
disclosed, he can select the biometric whose entropy is minimal to attack . Therefore,
is determined by .
B.8) Proof of Theorem 5.8:
Proof: If a genuine user obtains an error output, all biometrics
cannot make the corresponding decryption algorithm output the correct secret. But if an impostor wishes
to get the secret, he/she need only successfully decrypt one
ciphertext that is encrypted by corresponding biometrics. Then
let random event be that the decryption algorithm outputs
and random event
is that the decryption algorithm outputs
. Therefore, we can obtain following equations.
bits.
Therefore,
is
determined
by
.
B.12) Proof of Theorem 5.12:
Proof: A genuine user obtains an error output if any one
of biometrics outputs an incorrect secret, and if
an impostor wishes to get the secret, he/she must successfully
decrypt all ciphertexts that are encrypted by corresponding biometrics.
Let random event be that the decryption algorithm
outputs and random event is that the decryption algorithm
outputs . Therefore, we can obtain following equations:
and
and
Then,
,
, where
is
and
is the FRR of
.
the FAR of
B.9) Proof of Theorem 5.9:
Proof: By theorem 3.1, we know
. From the model, we have
. Then
can be uniquely determined by
. Therefore
As a consequence, we have
, where
With equality iff
uniquely determines
, then
the FRR of
,
is the FAR of
and
is
.
ACKNOWLEDGMENT
Therefore,
.
B.10) Proof of Theorem 5.10:
Proof: We know
. Since
is uniquely determined by
REFERENCES
,
then
Since
entropy
The authors would like to thank the anonymous reviewers for
their valuable comments.
is uniquely determined from
and , then
. As a result, we have
.
B.11) Proof of Theorem 5.11:
Proof: If
, then an impostor gets to know all biometrics and can decrypt
to get . Therefore, if
,
.
If
, to attack
, an impostor must guess
the rest
biometric traits to break the cryptosystem. Then, when
and
are disclosed, he
must guess at least
[1] D. Gafurov and E. Snekkenes, “Spoof attacks on gait authentication
system,” IEEE Trans. Inf. Forensics Security, vol. 2, no. 3, pp. 491–502,
Sep. 2007.
[2] Q. Xiao, “Security issues in biometric authentication,” in Proc. IEEE
Workshop Inf. Assurance Security, New York, Jun. 2005, pp. 8–13.
[3] R. Cappelli, A. Lumini, D. Maio, and D. Maltoni, “Finger image reconstruction from standard templates,” IEEE Trans. Pattern Anal. Mach.
Intell., vol. 29, no. 9, pp. 1489–1503, Sep. 2007.
[4] A. Ross, J. Shah, and A. K. Jain, “From template to image: Reconstructing fingerprints from minutiae points,” IEEE Trans. Pattern Anal.
Mach. Intell., vol. 29, no. 4, pp. 544–560, Apr. 2007.
[5] A. Adler, “Can images be regenerated from biometric templates,” in
Proc. Biometr. Consortium Conf., Washington, D.C., Sep. 2003.
[6] R. M. Bolle, J. H. Connell, and N. K. Ratha, “Biometric perils and
patches,” Pattern Recogn., vol. 35, no. 12, pp. 2727–2738, Dec. 2002.
[7] N. K. Ratha, J. Connell, R. M. Bolle, and S. Chikkerur, “Cancelable
biometrics: A case study in fingerprints,” in Proc. 18th Int. Conf. Pattern Recogn., Hong Kong, China, Aug. 2006, pp. 370–373.
[8] L. Hong, A. K. Jain, and S. Pankanti, “Can multibiometrics improve
performance,” in Proc. AutoID, NJ, Oct. 1999, pp. 59–64.
[9] A. K. Jain, A. Ross, and S. Pankanti, “Biometrics: A tool for information security,” IEEE Trans. Inf. Forensics Security, vol. 1, no. 2, pp.
125–143, Jun. 2006.
[10] A. Ross and A. K. Jain, “Information fusion in biometrics,” Pattern
Recogn. Lett., vol. 24, no. 13, pp. 2115–2125, Sep. 2003.
[11] A. Rattani, D. R. Kisku, M. Bicego, and M. Tistarelli, “Feature level fusion of face and fingerprint biometrics,” in IEEE Int. Conf. Biometrics:
Theory, Appl., Syst. (BTAS), Washington, DC, Sep. 2007, pp. 27–29.
[12] C. Soutar, D. Roberge, A. Stoianov, R. Gilroy, and B. V. K. V.
Kumar, “Biometric encryption,” in ICSA Guide to Cryptography, R.
K. Nichols, Ed. New York: McGraw-Hill, 1999, ch. 22.
[13] A. Cavoukian and A. Stoianov, “Biometric encryption: A positive-sum
technology that achieves strong authentication, security and privacy”,
Tech. Rep. Information and Privacy Commissioner, Ontario, Canada,
2007 [Online]. Available: www.ipc.on.ca
[14] U. Uludag, S. Pankanti, S. Prabhakar, and A. K. Jain, “Biometric cryptosystems: Issues and challenges,” Proc. IEEE, vol. 92, no. 6, Jun.
2004.
[15] K. Nandakumar, “Multibiometric systems: Fusion strategies and template security,” Ph.D. thesis, Dept. Computer Science and Engineering,
Michigan State Univ., East Lansing, MI, 2008.
[16] C. C. Chibelushi, J. S. D. Mason, and F. Deravi, “Feature-level data
fusion for bimodal person recognition,” in Proc. 6th Int. Conf. Image
Process. Appl., Dublin, Ireland, Jul. 1997, vol. 1, pp. 399–403.
[17] B. Son and Y. Lee, “Biometric authentication system using reduced
joint feature vector of iris and face,” in Proc. 5th Int. Conf. Audio and
Video-Based Biometric Person Authent., Rye Brook, NY, Jul. 2005, pp.
513–522.
[18] S. C. Dass, K. Nandakumar, and A. K. Jain, “A principled approach to
score level fusion in multimodal biometric systems,” in Proc. 5th Int.
Conf. Audio and Video-Based Biometric Person Authent., Rye Brook,
NY, Jul. 2005, pp. 1049–1058.
[19] K. Veeramachaneni, L. A. Osadciw, and P. K. Varshney, “An adaptive
multimodal biometric management algorithm,” IEEE Trans. Syst., Man
Cybern. C, Appl. Rev., vol. 35, no. 3, pp. 344–356, Aug. 2005.
[20] K. A. Toh and W. Y. Yau, “Combination of hyperbolic functions for
multimodal biometrics data fusion,” IEEE Trans. Syst., Man Cybern.
B, Cybern., vol. 34, no. 2, pp. 1196–1209, Apr. 2004.
[21] A. Juels and M. Wattenberg, “A fuzzy commitment scheme,” in Proc.
6th ACM Conf. Comput. Commun. Security, Singapore, 1999, pp.
28–36.
[22] A. Juels and M. Sudan, “A fuzzy vault scheme,” Designs, Codes Cryptogr., vol. 38, no. 2, pp. 237–257, Feb. 2006.
[23] U. Uludag, S. Pankanti, and A. K. Jain, “Fuzzy vault for fingerprints,”
in AVBPA2005: Audio- and Video-Based Biometric Person Authentication. New York: Springer, 2005, vol. 3546, pp. 310–319.
[24] K. Nandakumar, A. K. Jain, and S. Pankanti, “Fingerprint-based fuzzy
vault: Implementation and performance,” IEEE Trans. Inf. Forensics
Security, vol. 2, no. 4, pp. 744–757, Dec. 2007.
[25] F. Hao, R. Anderson, and J. Daugman, “Combining crypto with
biometrics effectively,” IEEE Trans. Comput., vol. 55, no. 9, pp.
1081–1088, Sep. 2006.
[26] Y. Dodis, R. Ostrovsky, L. Reyzin, and A. Smith, “Fuzzy extractors:
How to generate strong keys from biometrics and other noisy data,” in
Proc. Eurocrypt, 2004, pp. 523–540.
[27] X. Boyen, “Reusable cryptographic fuzzy extractor,” in Proc. ACM
Conf. Computer and Communications Security, Washington, DC, Oct.
2004, pp. 82–91.
[28] W. J. Scheirer and T. E. Boult, “Cracking fuzzy vaults and biometric
encryption,” in Proc. IEEE Biometr. Symp., Baltimore, MD, Sep. 2007,
pp. 1–6.
[29] A. Kholmatov and B. Yanikoglu, “Realization of correlation attack
against the fuzzy vault scheme,” in Proc. SPIE, 2008, vol. 6819, pp.
68190O–68190O-7.
[30] J. D. Golic and M. Baltatu, “Entropy analysis and new constructions of
biometric key generation systems,” IEEE Trans. Inf. Theory, vol. 54,
no. 5, pp. 2026–2040, May 2008.
[31] U. Dieckmann, P. Plankensteiner, R. Schamburger, B. Froba, and S.
Meller, “SESAM: A biometric person identification system using
sensor fusion,” in Proc. 1st Int. Conf. Audio- and Video-Based Biometric Person Authentication, 1997, vol. 1206, LNCS, pp. 301–310.
[32] Y. Sutcu, Q. Li, and N. Memon, “Secure biometric templates from fingerprint-face features,” in Proc. CVPR Workshop on Biometr., Minneapolis, MN, Jun. 2007, pp. 1–6.
[33] K. Nandakumar and A. K. Jain, “Multibiometric template security
using fuzzy vault,” in Proc. IEEE Int. Conf. Biometrics: Theory,
Applications and Systems, Arlington, VA, Sep. 2008, pp. 1–6.
[34] E. Camlikaya, A. Kholmatov, and B. Yanikoglu, “Multimodal biometric templates for verification using fingerprint and voice,” in SPIE
Defense Security: Biometr. Technol. Human Identif. V, Orlando, FL,
Mar. 2008.
[35] B. Yanikoglu and A. Kholmatov, “Combining multiple biometrics to protect privacy,” in Proc. ICPR-BCTP Workshop, Cambridge, England,
Aug. 2004.
Bo Fu received the M.S. degree in computer science
and engineering in 2005 from the University of Electronic Science and Technology of China.
He is currently pursuing the Ph.D. degree in
information security with the University of Electronic
Science and Technology of China. He joined
the Advanced Robotics and Intelligent Systems
(ARIS) Lab, University of Guelph, Canada, during
2007–2008 as a visiting scholar. His research interests include cryptography, biometric recognition,
and wavelet analysis.
Simon X. Yang (S’97–M’99–SM’08) received the
B.Sc. degree in engineering physics from Beijing
University, China, in 1987, the first of two M.Sc.
degrees in biophysics from Chinese Academy of
Sciences, Beijing, in 1990, the second M.Sc. degree
in electrical engineering from the University of
Houston, TX, in 1996, and the Ph.D. degree in electrical and computer engineering from the University
of Alberta, Edmonton, Canada, in 1999.
He joined the School of Engineering, University of
Guelph, Canada, in 1999. Currently, he is a Professor
and the Head of the Advanced Robotics and Intelligent Systems (ARIS) Laboratory, University of Guelph. His research interests include intelligent systems,
robotics, sensors and multisensor fusion, wireless sensor networks, control systems, soft computing, and computational neuroscience.
Prof. Yang serves as an Associate Editor of the IEEE TRANSACTIONS
OF NEURAL NETWORKS, IEEE TRANSACTIONS ON SYSTEMS, MAN, AND
CYBERNETICS, PART B, International Journal of Robotics and Automation, and
serves as an Associate Editor or Editorial Member of several other journals. He
has been involved in the organization of many conferences. He is the General Chair
of the 2006 International Conference on Sensing, Computing, and Automation.
Jianping Li received the M.S. degree in computing
mathematics and the M.E. degree in soft engineering
from Xi’An Jiaotong University in 1989, and the
Ph.D. degree in computer science from Chongqing
University in 1998.
As a visiting scholar, he visited some famous
universities around the world during 1999–2006. He
is the author and/or coauthor of 18 books on subjects
ranging from wavelet analysis and its applications
to computer science, and has published more than
200 technical papers. His current interests include
wavelet theory and applications, fractal, image processing, pattern recognition,
electronic commerce, and information security.
Dr. Li is the General Chairman of the First Conference on Wavelets Analysis
and Its Applications to Signal Processing of China (2000), the Associate
Chairman of the Second International Conference on Wavelet Analysis and
Its Applications in Hong Kong (Hong Kong Baptist University, 2001), the
Chairman of the International Computer Congress 2004 (ICC04), Chairman of
the Second International Conference on Active Media Technology (ICAMT04),
Chairman of the International Conference 2007 on Information Computing and
Automation (ICICA07), and the Chairman of ICACIA08.
Dekun Hu received the M.S. degree from the University of Electronic Science and Technology of China,
Sichuan, in 2005.
He is currently pursuing the Ph.D. degree in signal
processing with the School of Computer Science and
Engineering. He spent one year (2007–2008) with the
Advanced Robotics and Intelligent Systems (ARIS)
Lab, University of Guelph, Canada, working on object recognition algorithms. His research interests include object recognition and Internet content audit.