Secure Fuzzy Vault ased Fngerprnt Verfcaton System Shengln Yang UCL Dept of EE Los ngeles, C 90095 +1-310-267-4940 shenglny@ee.ucla.edu bstract--ths paper descrbes a secure fngerprnt verfcaton system based on the fuzzy vault scheme, where the senstve bometrc template s not stored, but a transformed verson. e propose an adaptve algnment technque to reach the most relable reference pont, and a methodology to construct a set of rotaton and shftng nvarant features, actng as the loc set for the fuzzy vault. e nvestgate the parameters of the fuzzy vault and the number of the templates needed to obtan a relable reference pont, such that a hgh unloc complexty for attacers wth an acceptable unloc rate for the legal users s acheved. I. INTRODUCTION The authentcaton system based on bometrc nformaton offers greater securty and convenence than the tradtonal methods of personal recognton. long wth the rapd growng of ths emergng technology, the system performance, such as accuracy and speed, s contnuously mproved. One of the most sgnfcant dsadvantages of all the bometrc recognton systems s that the bometrc ey cannot be easly recalled. Therefore storng the bometrc template securely s becomng extremely mportant. One possble approach s to encrypt the template usng a secret ey before storng t. s soon as the nput sgnal comes, the matcher decrypts the template and performs the comparson. However, some dedcated attacs can stll extract the secure ey, and n turn, the template by tracng the revealed nformaton from the physcal mplementaton, such as varatons n tme, power consumpton and electromagnetc radaton. These types of attacs are called Sde Channel ttacs (SC), among whch the dfferental power analyss (DP) s the most powerful one. It reles on statstcal analyss and error correcton to extract nformaton from the power consumpton that s correlated to secret data [1]. One soluton to ths problem s to store a nonnvertble transformed verson, for nstance a hash, of the template on the embedded devce, and the comparson s performed n the transformed space. One man property of a cryptographc random hash functon s that the output hush value wll not gve any nformaton about even part of the nput [2]. Therefore, the smlarty n the nput wll not reflect n the output hash value. However, for most bometrcs, the exactness for dfferent captures s usually not avalable, and the match algorthms are normally based on the smlarty. To Ths wor s sponsored by the NSF, account no CCR-0310527 and UC MICRO. Ingrd M. Verbauwhede UCL Dept of EE & K.U.Leuven Los ngeles, C 90095 +1-310-794-5209 ngrd@ee.ucla.edu address ths problem, we adopt the dea of fuzzy vault scheme [3] to conduct the fngerprnt authentcaton. Ths paper s organzed as followng: secton II brefly revews some related wor about the secure authentcaton methods as well as the fngerprnt matchng technques. Secton III presents the basc dea and the mplementaton of the fuzzy vault scheme. Secton IV dscusses the strategy used to algn the nput fngerprnt mages to mae the system automatc and adaptve. Secton V shows some expermental results. nd fnally Secton VI draws a concluson. II. RELTED ORK There have been many research efforts amng at the fngerprnt user dentfcaton. Recently, a novel cryptographc constructon called fuzzy commtment scheme has been proposed and employed n the feld of bometrc authentcaton.. Fngerprnt Fuzzy Vault The fuzzy commtment scheme s frst proposed n [4] to ntegrate well-nown error-control codng and cryptographc technques to construct a novel type of cryptographc system. Instead of an exact, unque decrypton ey, a reasonable close wtness can be accepted to decrypt the commtment. Ths characterstc maes t possble for protectng the bometrc data usng tradtonal cryptographc technques. However, snce the fuzzy vault used n ths scheme does not have the property of order nvarance, any elements mssng or addng wll result n the falure of matchng. To overcome ths problem, [3] proposed a new archtecture, whch possesses the advantage of order-nvarance. t the same tme, the authors suggested that one of the mportant applcatons of the fuzzy commtment s to secure bometrc systems. Followng ths drecton, [5] employed the fuzzy vault scheme on a secure smartcard system, where the fngerprnt authentcaton s used to protect the prvate ey. In the bometrc cryptosystem, the secret nformaton s hdden as coeffcents n a polynomal, whch acts as the frame of the fuzzy commtment. The fngerprnt vault constructon s based on the assumpton that the fngerprnt features are extracted and well algned n a blac box. Our wor wll address the algnment problem n a systematc way to mae the authentcaton system automatc and adaptve. 0-7803-8622-1/04/$20.00 2004 IEEE 577
. Fngerprnt Matchng lgorthm For modern embedded fngerprnt recognton systems, the matchng algorthm s usually based on the mnutae feature. The reason s, on the one hand, the mnutae of the fngerprnt are wdely beleved the most dscrmnatng and relable feature, and on the other hand, the template sze of the mnutae s much smaller and the processng speed s hgher than that of graph-based matchng. These characterstcs are very mportant for savng memory and energy on the embedded devces. Reference [6] uses the local structure of the mnutae to descrbe the characterstcs of the mnutae set. Ths approach has hgher processng speed, and s robust to rotaton and partal prnts. However, the local structure usually has less dstnct features because t only represents parts of the whole mnutae set. lgnment-based matchng algorthms tae use of the shape of the rdge connected to the mnutae [7]. Ths mght mprove the system accuracy, but results n a larger template sze. Some other researches combne the local and global structures [8]. The local structure s used to fnd the correspondence of two mnutae sets and ncrease the relablty of the global matchng, whle the global structure relably determnes the unqueness of a fngerprnt. In our wor, the local-global nformaton ntegraton s employed to perform the fngerprnt mnutae algnment before the features are ported nto the fuzzy vault. To address the problem of SC, [9] dvdes the fngerprnt match engne nto two parts. Only the relatvely small secure part contanng the senstve bometrc nformaton s executed on a specalzed DP-proof logc bloc, whch does not reveal the power consumpton varatons durng operatons. In spte of the careful dvson, the secure part stll consumes large numbers of area and energy due to the specal desgn of the DP-proof logc as well as the frequent data exchange between the embedded processor and the DP-proof bloc. In ths wor we replace the bometrc template stored n the DP-proof bloc wth a randomly generated bt stream and only a one-tme comparson s needed for each attempt of the verfcaton algorthm. III. FUZZY VULT SCHEME. The basc dea of fuzzy vault Fuzzy vault scheme s a smple and novel cryptographc constructon. Suppose we have a secret, whch we want to share wth some specfc persons, but do not want to post t ndscrmnately on some untrusted places, such as a publc webste. One approach s to comple a set of elements wth the secret and publsh t n an encrypted form. To extract the secret nformaton, one needs to have an unloc set, whch s close to, to unloc the vault. Ths vault s a form of error-tolerant cryptographc algorthm and proved very useful n many crcumstances, such as fuzzy human factor based authentcaton systems, where exactness of the unloc ey s usually unavalable. Several examples are presented n [3] ncludng the bometrc applcatons, whch we plan to nvestgate n ths paper. Follow the dea n [5], the fuzzy encrypt ey conssts of a set of elements loc, 1,2,..., n, where n s the sze of loc set. The fuzzy vault contans all pars ( p loc ), where p x s a nown polynomal. esdes these true pars whch represent the characterstcs of the loc set, large number of mpostor pars ( mpostorj, p mpostor j ), where j 1,2,...,r and p x px, are also added to the fuzzy vault. p x s a random functon. For a legal user, a set of elements unloc, whch s reasonably close to loc, s avalable. lso we assume that the numbers of loc set and unloc set are larger than the degree of the polynomal, d. Therefore, the user can unloc ths fuzzy vault by tryng to reconstruct the polynomal usng the unloc set. If the overlap between the loc set and the unloc set satsfes the polynomal reconstructon condton, the verfcaton process successes. From an attacer s pont of vew, deally, the unloc set s a unformly dstrbuted random set. To successfully attac the fuzzy vault wthout any nowledge about the loc set, the attacer has to frst separate the true pars from the mpostor pars by brute force trals. Snce the number of the mpostor pars s far larger than that of the true pars, the separaton operaton s formdably dffcult.. Fngerprnt Fuzzy Vault s we mentoned before the securty requrement of the bometrc template storage s very strct snce the bometrc data are usually rreplaceable and the lost of these precous nformaton mght lead to serous securty problems. To address ths ssue, nstead of storng the bometrc template, we store a machne-generated bt stream as the secret. The way we present the secret s to hde t as the coeffcents for a polynomal, p x, whch s used as the frame to construct the fuzzy vault. Fngerprnt verfcaton s usually based on the pattern matchng of the feature extracted from the fngerprnt mages. Here we descrbe the mnutae feature of a fngerprnt mage as, 1,2,..., n, where n s the total number of the feature ponts. Thus the pars (, p ) form the loc set of the fngerprnt fuzzy vault. For the mpostor pars, we randomly choose and j, j 1,2,..., r, where j j p j. Note that the dstance between any and any must be greater than a mnmum dstance d mn. The value of d mn depends on the characterstc of the feature ponts as well as the performance requrement. e wll dscuss ths n secton V. There exts a X, to the set one-to-one projecton between the set j Y p, loc, j. Durng the unlocng procedure, the user s fngerprnt s captured and processed to get the mnutae feature set { }. Snce two bometrc readngs are rarely exactly the same, even though they are lely to be close, { } and { } are usually not dentcal. To perform the unlocng, for each, we search n the whole fuzzy vault to reach the closest element and t s correspondng,, 1,2,..., m, s the unloc set. Thus, the set 578
generated as the ey to the fuzzy vault, where m s the number of features extracted from the user s nput fngerprnt. Now the verfcaton s equvalent to the problem below: Gven m pars of ponts, F F, there exsts a polynomal p of degree at most d such that for all but values of,,, where d m p 2. ccordng to the erleamp-elch error correctng code theory, ths problem can be solved by fndng the soluton for a lnear constrant system N, 1,2,..., m, where deg and deg K d. fter all the unnowns are calculated out, p N / s the result polynomal [10]. In order to act as the loc set, the features extracted from the fngerprnt mages need to satsfy two condtons: (1) dstngushable from each other so that no more than one feature results n a same par n the loc set; (2) the dfference between several scans of prnt from a same fnger s acceptable small. In the followng sectons, we wll dscuss the selecton of the feature as well as the automatc feature algnment, whch wll be proven very mportant for automatc authentcaton systems. IV. FETURE SELECTION Fngerprnt mnutae are defned as the endngs of one rdge and the crossngs of two rdges. The most straghtforward way to construct the loc set s to use the x, y coordnates of each mnuta [5]. However, Fg. 1 shows that the effect of the fngerprnt shftng and rotaton on the poston of the mnutae features s not gnorable and wll result n dffculty of matchng. Therefore, ths feature depends on the poston and angle of the nput fngerprnts. In order to address ths problem, we propose a new feature r,, where r s the dstance between one mnuta and a specfc reference pont, and s the assocated drecton as shown n Fg. 2. oth r and are represented by 8 bts, and the concatenaton of, s an element of the fnte feld. If the specfc reference pont s correctly chosen, the these two values, r 8 16 GF 2 proposed feature wll be ndependent of the shftng and rotaton of the nput mages. Fg. 3 shows four algned sets of mnutae from a same fnger. In order to fnd the reference pont, we adopt the methodology proposed n [11]. smplfed rotaton and translaton nvarant local feature s constructed as: M d, 1 d2, 1, 2, 1, Fg. 2 ndcates the detals of ths local feature. ssume M j are the local feature vectors of the th M and th mnuta of the fngerprnt and the j mnuta of the fngerprnt, respectvely, the smlarty level of these two mnutae can be defned as: M sl, j 1 M j, f M 0, otherwse 2 M j r 1 1 r 2 1 2 2 (a) (b) Fg. 2. Concept of the proposed feature (c) Fg. 1. The effect of shftng and rotaton on the feature poston. (a) and (b) are two prnts from a same fnger; (c) s the postons of the features. Fg. 3. Overlap of four mnutae feature sets algned based on the wellselected reference pont. 579
1,2...p j 1,2... q where p and q are the total numbers of mnutae n fngerprnt and, respectvely. M M j s the weghed dstance between two local feature vectors. s a fxed threshold, whch s related to the weght vector. In ths paper, we set 1,1,8,8,8,8 and 55. y thoroughly searchng sl, j, mnutae pars M, M j can be ordered accordng to the assocated smlarty level. Intutvely, the par wth largest smlarty value can be taen as the reference par. To fnd the relable reference par, we use three fngerprnts (,, C ) from one fnger as the templates and the smlarty metrc we use s sl(, j) slc ( j, ). The largest value ndcates the most relable mnuta n three of these prnts. Fg. 4 presents the dstrbuton of the smlarty levels for all possble combnatons of the mnutae n three fngerprnts. fter fndng out the most relable reference pont, we algn the rest of the mnutae n polar system and also store the local structure of the reference mnuta. Then the next step s to fgure out the refer pont n the nput fngerprnt based on the stored local structure and convert the rest of the mnutae n a polar system. The polar coordnates of the nput fngerprnt mnutae s what we use as the unloc set n our fngerprnt fuzzy vault. V. RESULT e get ten prnts for each fnger, among whch three are randomly chosen to be the templates for reachng the relable reference mnuta. However, there are cases that from three templates, the relable par cannot be successfully acheved. In an automatc system, ths falure needs to be detected by ntroducng a threshold to lmt the mnmum smlarty for beng the reference feature pont. If the sum-up smlarty level sl(, j) slc ( j, ) s less than the threshold, t shows that the reference pont s not relable. In ths case, more templates are needed to perform the selecton. Fg. 5 shows the number of templates needed expermentally. From the result we fnd that four templates durng enrollment phase ((12,10), 9, 111778) can guarantee to acheve the relable reference pont wth a possblty hgher than 99%. The selecton of the fuzzy vault parameters s very mportant for the verfcaton performance. Frst we nvestgate the effect of the degree of the polynomal, d. ccordng to the erleamp-elch error correctng code theory, the condton nequaton s 2 d m. In other words, to successfully decode the fuzzy vault, the number of the mpostor ponts must satsfy: m d / 2, where m s the total number of the nput mnutae ponts. Intutvely, the maxmum acceptable mpostor pont number should depend on the total unloc set sze m. For fngerprnts wth larger number of mnutae, the degree of the underlyng polynomal needs to be larger, so that the maxmum value of ncreases accordngly. y ntroducng ths self-adaptve scheme, the fuzzy vault wll sut for fngerprnts wth dfferent sze of feature sets. Fg. 6 shows the relatonshp between the unlocng complextes of the fuzzy vault and the degree of the polynomal, where m 30 for a typcal case. From ths fgure, we can fnd that hgher degree polynomal provdes hgher complexty, n turn, hgher level of securty. However, from another pont of vew, for hgher degree polynomal, the maxmum acceptable mpostor pont sze becomes smaller, whch wll ncrease the False Reject Rate (FRR) for the verfcaton system. Therefore a sutable polynomal degree s needed to acheve the desrable tread-off between the securty and the matchng accuracy. Experments show that for m / d 3, the successful unlocng rate s about 83%, whch s acceptable n most of the realstc mplementatons. In ths d M / 3. paper, we choose Possblty of fndng relable reference Smlarty Level Number of templates Fg. 5. Relatonshp between the possblty of fndng relable reference and the number of templates (,j) Fg. 4. Dstrbuton of the smlarty for three fngerprnts. 580
Fg. 6. The unloc complexty vares accordng to the degree of polynomal for dfferent sze of mpostor pont. The experments also show that the mnmum dstance between any mpostor ponts and any loc set ponts s another mportant parameter, whch affects the performance. hen we randomly generate the mpostor ponts, we need to mae sure the mnmum dstance s satsfed. The mnmum dstance needs to be at least twce as large as the acceptable dstance of a mnuta poston between dfferent scans. Fg. 7 shows the relatonshp between the mnmum dstance and the matchng accuracy. esdes the mnmum dstance, the number of the mpostor ponts also needs to be taen nto consderaton durng the fuzzy vault constructng. If the number of the mpostor ponts s set too small, accordng to the unlocng algorthm, the nput features are more lely to be closer to the loc set ponts, whch wll result n hgher False ccept Rate (FR). Smlarly, f the sze of mpostor ponts s too bg, a feature pont s more lely to be classfed as an mpostor pont. Ths wll lead to hgher False Reject Rate (FRR). VI. CONCLUSION e construct our database by 10 prnts per fnger from 10 dfferent fngers, formng a total 100 fngerprnt mages. Employng the automatc fuzzy vault constructon and unlocng algorthms wth the followng parameters: mpostor ponts sze r 200, polynomal degree d M /3, and mnmum dstance d mn 13, the successful unlocng rate s about 83%. The error rate s acceptable, whle relatvely hgher compared to the tradtonal fngerprnt verfcaton algorthm [2]. Ths degradaton can be explaned by the characterstc of the underlyng error-correct codng scheme we adopted for the fuzzy vault unlocng snce the condton for the erleamp-elch error correctng code theory s more strct compared to the exstng mnutae-based fngerprnt verfcaton algorthm. REFERENCES [1] Kocher, P., Jaffe, J., and Jun,., Dfferental power analyss, Proceedng of dvances n Cryptology Crypto 99. 19 th nnual Internatonal Cryptology Conference. 1999, pp.388-97. erln, Germany. [2] nderson, R.J., Securty Engneerng, Gude to uldng Dependable Dstrbuted Systems, John ley & Sons, 2001. [3] Juels,. and Sudan, M., fuzzy vault scheme, Proceedngs 2002 IEEE Internatonal Symposum on Informaton Theory, 2002, pp.408. Pscataway, NJ. [4] Juels,. and attenberg, M., fuzzy commtment scheme. 6th CM Conference on Computer and Communcatons Securty, 1999, pp.28-36, New Yor, NY. [5] Clancy, T.C., Kyavash, N., and Ln, D.J., Secure smartcard-based fngerprnt authentcaton, CM orshop on ometrcs: Methods and pplcatons, Nov. 2003, pp. 45-52, ereley, C. [6] Hrecha, K and McHugh, J. utomated fngerprnt recognton usng structural matchng, Pattern Recognton, vol.23, no.8, 1990, pp.893-904. UK. [7] Jan,., Ln, H., and olle, R., On-lne fngerprnt verfcaton, IEEE Transactons on Pattern nalyss and Machne Intellgence, vol.19, no.4, prl 1997, pp.302-14. [8] Jang, X. and Yau,., Fngerprnt mnutae matchng based on the local and global structures, Proceedngs 15th Internatonal Conference on Pattern Recognton. 2000, pp.1038-41 vol.2. Los lamtos, C. [9] Yang, S. and Verbauwhede, I., secure fngerprnt matchng technque, CM orshop on ometrcs: Methods and pplcatons, Nov. 2003. pp. 89-94, ereley, C. [10] Gemmell, P. and Sudan, M., Hghly reslent correctors for polynomals, Informaton Processng Letters, vol.43, no.4, Sept. 1992, pp.169-74, Netherlands. [11] Yang, S., Sayama, K. and Verbauwhede, I., Secure and Effcent Fngerprnt Verfcaton System for Embedded Systems, 37 th slomar Conference on Sgnal, Systems, and Computers, Nov. 2003, pp. 2058-2062, Pacfc Grove, C. Fg. 7. The relatonshp between the possblty of successful matchng and the mnmum dstance of mpostor pont for dfferent mpostor sze. 581