Generating protected fingerprint template utilizing coprime mapping transformation

by   Rudresh Dwivedi, et al.

The identity of a user is permanently lost if biometric data gets compromised since the biometric information is irreplaceable and irrevocable. To revoke and reissue a new template in place of the compromised biometric template, the idea of cancelable biometrics has been introduced. The concept behind cancelable biometric is to irreversibly transform the original biometric template and perform the comparison in the protected domain. In this paper, a coprime transformation scheme has been proposed to derive a protected fingerprint template. The method divides the fingerprint region into a number of sectors with respect to each minutiae point and identifies the nearest-neighbor minutiae in each sector. Then, ridge features for all neighboring minutiae points are computed and mapped onto co-prime positions of a random matrix to generate the cancelable template. The proposed approach achieves an EER of 1.82, 1.39, 4.02 and 5.77 on DB1, DB2, DB3 and DB4 datasets of the FVC2002 and an EER of 8.70, 7.95, 5.23 and 4.87 on DB1, DB2, DB3 and DB4 datasets of FVC2004 databases, respectively. Experimental evaluations indicate that the method outperforms in comparison to the current state-of-the-art. Moreover, it has been confirmed from the security analysis that the proposed method fulfills the desired characteristics of diversity, revocability, and non-invertibility with a minor performance degradation caused by the transformation.



There are no comments yet.


page 1

page 2

page 3

page 4


A non-invertible cancelable fingerprint template generation based on ridge feature transformation

In a biometric verification system, leakage of biometric data leads to p...

Fingerprint Orientation Estimation: Challenges and Opportunities

There is an exponential increase in portable electronic devices with bio...

Fingerprint template protection using minutia-pair spectral representations

Storage of biometric data requires some form of template protection in o...

Using k-nearest neighbors to construct cancelable minutiae templates

Fingerprint is widely used in a variety of applications. Security measur...

A Generalized Approach for Cancellable Template and Its Realization for Minutia Cylinder-Code

Hashing technology gains much attention in protecting the biometric temp...

A novel hybrid score level and decision level fusion scheme for cancelable multi-biometric verification

In spite of the benefits of biometric-based authentication systems, ther...

The Fuzzy Vault for fingerprints is Vulnerable to Brute Force Attack

The fuzzy vault approach is one of the best studied and well accepted id...
This week in AI

Get the week's most popular data science and artificial intelligence research sent straight to your inbox every Saturday.

1 Introduction

1.1 Background

Compromise of original biometric information causes permanent identity theft as it is intrinsically linked to the user. In thee literature, there are various security concerns associated with the usage of biometric information across different applications ratha ; anneal . Ratha et al. ratha first proposed three cancelable transformations namely cartesian, polar and functional transformations. Shin et al. etri applied dictionary attack onto these transformations to derive a pre-image and found that the transformation is vulnerable to attacks. Therefore, biometric template protection is the utmost need in recent years. There are two well-known mechanisms to provide template protection i.e. Biometric cryptosystem and Cancelable biometrics. The biometric cryptosystem reforms the original template and generates poor matching rate. Hence, many researchers utilized cancelable biometric-based transformations to provide template protection. It states that a transformed template is required to be stored instead of the original biometric template. The transformation depends upon an irreversible or non-invertible function such that it is infeasible to invent the original biometric template even if the attacker gets access to the protected template and transformation key. In case of compromise, a new template can be derived by modifying the transformation key used for protected template generation. The cancelable transformation must follow the four desired characteristics:

  1. Non-invertibility: It should be computationally hard enough to construct the original template from the transformed template. This prevents the recovery of original biometric information by an imposter.

  2. Diversity: Identical cancelable template should not be used in the different applications to avoid cross-matching of the stored template.

  3. Revocability: The transformation should be able to derive numerous protected templates from the same biometric input and there should be immediate revocation in case of compromise.

  4. Performance: The transformation should not exhibit significant performance degradation.

1.2 Existing approaches

In literature, authors have proposed several methods for cancelable template generation in recent years. Ratha et al. ratha have introduced cartesian, polar, and functional transformation for fingerprint template protection. Das et al. das evaluated nearest neighbor distance from minutiae points to the core point. Next, they constructed a graph structure which can be revoked using a PIN. However, the approaches introduced by Ratha ratha and Das das et al. require pre-alignment of different fingerprints based on singular/core point and detection of the core point is not always feasible.

Lee et al. lee introduced a technique which pre-aligns minutiae points and maps into a 3-D array based on the minutia’s orientation and positional difference. Next, the array is visited in sequential order to generate a bit string. The derived bit string is exploited to random permutation based on a user-specific key and minutiae type. An alignment-free protected template design method is proposed by Wang et al. ditom

where pair-minutiae vectors are quantized, indexed and converted to bit-string. Then, discrete Fourier transform (DFT) is applied to generate a complex vector which is further fused with a user-specific key. In their another work, Wang et al.

blind proposed a method to protect the bit-string derived using the method proposed in ditom . The bit-string is utilized as an input to FIR filter with a user-specific key. Moujahdi et al. shell presented a unique transformation i.e. fingerprint shell where they computed the distance from the singular point to all other minutiae. Next, a user-specific key is summed up to the computed distances and are sorted in ascending order to generate a spiral curve structure. Jin et al. hamem introduced a method where minutiae triplet features are computed, i.e. three sides, three internal angle and relative orientation. Further, a random sequence is projected onto features to derive the protected template. Jin et al. jintee proposed a protected fingerprint template generation scheme where minutiae information is first aligned and shifted to a new position. Next, the polar transform is utilized, and bit-string is derived by applying quantization. Further, the random permutation is exploited to generate the protected template. The approaches proposed in shell ; lee ; ditom ; blind ; jintee ; hamem results to performance degradation if the user-specific key gets compromised. Further, Wang et al. hadamard presented a method where a bit string is derived by utilizing partial Hadamard transform. In BioHashing based approaches biohash ; hash ; hash2 , a protected template is derived after discretizing the inner product of the biometric features with the projection matrix. BioHashing and its variants biohash ; hash ; hash2 , are proved to be impractical if the unique seed is compromised. Sandhya et al. sandhya proposed two different algorithms to design cancelable fingerprint template where Delaunay triangle based features are incorporated. However, the performance gets degraded in case of poor quality images. Abe et al. abe proposed a method on template generation where bloom filter is applied onto bit-string derived by minutiae relation code. The scheme is susceptible to inversion attack if parameters of bloom filter get compromised.

Cappelli et al. mcc proposed a state-of-the-art minutiae representation MCC (Minutiae cylinder Code) where a 3-D cylindrical structure is framed in the vicinity of each minutiae neighborhood. Thereafter, Ferrara et al. pmcc introduced a method namely protected-MCC (P-MCC) where they applied binary-KL projection for each MCC templates to alleviate privacy issues over non-invertibility in MCC mcc . However, it has been further investigated that the P-MCC approach is irrevocable to some extent. To provide revocability, Ferrara et al. 2pmcc presented two-factor protected Minutiae Cylinder-Code (2P-MCC) where partial permutation is performed using a secret key over the cylinders in P-MCC. Recently, Rathgeb et al. rathir

proposed a theoretical estimation of the irreversibility of the generic protected biometric templates. They evaluated the complexity of inverting the protected template by quantifying the security provided by the different approaches. Thereafter, a novel general framework for the evaluation of unlinkability among biometric templates is proposed by Gomez-Barrero et al.

unlink . Also, a protocol is defined to analyze the correlation between different templates of same and different subjects.

1.3 Contributions

To mitigate the different concerns raised by afore-stated approaches, we have proposed a novel protected template generation scheme for fingerprint biometric which is based on coprime mapping transformation. We highlight the contributions of this work as follows:

  1. In this work, coprime mapping transformation has been applied over ridge features which deal with rotation, scale and translation distortions in the input fingerprint image effectively.

  2. The applied transformation does not depend on prior alignment based on the singular/core points as it is not always possible to extract the singularities in poor quality images.

  3. The nearest neighbor transformation is applied in the vicinity of each minutia to compute a fixed length descriptor instead of fixed-radius transformation. This would prevent performance degradation caused due to the border minutiae points.

  4. We have evaluated our method against the desirable characteristics of template security schemes, i.e. non-invertibility, revocability, and diversity.

  5. The recognition performance of the proposed approach is tested on two different benchmark databases i.e. FVC2002 and FVC2004. The experimental evaluations indicate that our method outperforms in comparison to the current state-of-the-art.

This article is an extension of our earlier work mymike . In the previous work, we proposed a technique for generation of cancelable fingerprint template. However, the previous work does not include a rigorous experimental analysis concerning accuracy and attack analysis. Furthermore, the earlier method was tested with only FVC2002 database fvc . In this work, experiments have been performed onto all four datasets i.e.DB1, DB2, DB3 and DB4 of FVC2004 database. Further, experimental results are also compared with existing methods to determine the robustness of the proposed method. Additionally, we have performed a rigorous security analysis against different possible attacks such as brute-force, pre-image and annealing attack in this work. Finally, we have enhanced our literature review by adding few relevant existing approaches describing current advancement in the area.

The remainder of the paper is organized as follows. Section 2 presents the proposed protected template generation method in detail. Experiments and comparisons are demonstrated in Section 3. Section 4 analyzes the security and privacy of the transformation. Section 5 concludes the paper.

2 Proposed scheme

The proposed method comprises of three major steps which include the preprocessing and minutiae extraction, feature extraction, and cancelable template generation. The overall workflow of the proposed method is depicted in Fig. 1.

Figure 1: Block diagram of the proposed method

2.1 Pre-processing and minutiae extraction

In our method, pre-processing and minutiae point extraction is carried out using the scheme described in joshua . Here, the minutiae points are denoted as:


where, represents the set of raw minutiae points extracted from an input fingerprint, minutiae point is denoted by out of total n minutiae points. and denotes the coordinate position and orientation for the minutiae point. We also obtain a thinned fingerprint image which is further used for invaqriant feature extraction.

2.2 Feature extraction

Invariant feature computation from a fingerprint image is an utmost need since performance may degrade due to rotation, translation and scale uncertainties caused at the time of acquisition. In this work, we calculate ridge features to deal with these deformations present in the input fingerprint image. In this work, feature extraction is carried out using two steps: nearest-neighbor structure construction and ridge feature computation.

2.2.1 Nearest-neighbor structure construction:

Following the preprocessing and minutiae extraction, we achieve a thinned output image and minutiae information. Afterward, we consider one of the minutiae from the minutiae set as a reference minutia. Next, a nearest-neighbor structure is formed around the reference minutia based on the ridge coordinate system as shown in Fig. 2(a). The ridge coordinate system assigns the reference axis such that it coincides with the orientation of the reference minutiae. Further, the fingerprint region is divided into ‘s’ sectors of equal angular width utilizing ridge coordinate system as illustrated in Fig. 2(a).

(a) Nearest-neighbor structure for = 8
(b) Ridge-based feature computation
Figure 2: Feature extraction

2.2.2 Ridge feature computation:

We consider ridge count and average ridge orientation as an invariant feature in this work. The ridge features are calculated between reference minutiae and nearest minutiae in each sector considering each minutia as the reference. Ridge count is evaluated by counting the ridges between reference minutiae and nearest neighbor minutia. For example, ridge count between two minutiae points ( say and ) is 2 as shown in Fig. 2(b). To compute ridge orientation, the angle subtended by the tangent line and the straight line connecting two minutiae points is measured for each ridge crossing. For example, the orientation of the first ridge in the first sector as shown in Fig. 2(b), can be evaluated as:

where is the slope of the straight line starting from reference minutiae to neighboring minutia in the first sector. , is the angle spanned by a tangent line from the intersection point of first ridge and reference axis. Similarly, we compute the orientation of the second ridge, and evaluate the mean ridge orientation for example shown in Fig. 2(b). The mean ridge orientation for each sector can be expressed as defined in Eq. (2).


where denotes the total number of ridges between the nearest minutiae and the reference minutiae in the sector. The ridge features are stored in a 2-D matrix (). For example, if a fingerprint contains number of minutiae points, the feature matrix will contain entries containing ridge count and average ridge orientation if the fingerprint image is divided into number of sectors. A value zero is assigned to the ridge features if no minutia point is located in that sector. At the time of matching, we do not consider the sectors with no minutiae point.

2.3 Cancelable template generation

The generation of cancelable fingerprint template involves two steps: matrix generation and co-prime mapping.

2.3.1 Matrix generation:

The feature matrix is mapped into a high-dimensional matrix to generate the protected template. For this purpose, a random matrix of size is generated using a seed (). The value of is equal to where and are the total number of minutiae points in the input fingerprint image and the number of sectors around a reference minutiae, respectively.

2.3.2 Co-prime mapping:

We map the feature matrix into such that there will be no overlapping. To perform this, we map the ridge features onto coprime positions at places of . Rest of the entries of the matrix are filled with some random data. The following four keys are utilized for mapping:

  1. : initial row position

  2. : initial column position

  3. : number of row jump from initial position

  4. : number of column jump from initial position

The start position is selected on the basis of the user-specific key. We start at position in matrix . The next position () is evaluated based on the row and column jump from the initial position using the following relation described in Eq. (3) and (4):


The coprime mapping avoids overlapping in the matrix. Further, we select the value of and such that both should be co-prime with as defined in Eq. (5).


For example, if the key values for start position are =2 and =2, respectively and the key values for row and column jump are =3, =5, then the co-prime based mapping is depicted in Fig. 3.

Figure 3: Example of co-prime based mapping procedure

2.4 Matching

Fingerprint matching involves the comparison between an enrolled fingerprint template (say ) and a query fingerprint template (say ) to output a match score. In our method, two-step matching is performed to compute match score: Local matching and global matching.

2.4.1 Local matching:

In local matching, ridge feature set corresponding to a minutiae point from is compared with ridge feature set for a minutiae point of to return local match score. Mapped ridge feature set in the and are accessed using user-specific keys , , and . We compute the Euclidean distance between the mapped non-zero entries of the query and enrolled template. Next, we compute the mean of the minimum distances corresponding to each non-zero entries of the two ridge features sets of and as described in Eq. (6).


2.4.2 Global matching:

In global matching, we compute the number of matched minutiae points between and utilizing the local match scores by comparing each ridge-feature set from with each ridge-feature set from . Next, overall matching score is evaluated by the number of matched minutiae points divided by the number of minutiae points in as described in Eq. (7).


3 Experimental Results and Analysis

In our experiment, we use four datasets DB1, DB2, DB3 and DB4 of FVC2002 and FVC2004 databases fvc since the most of the existing approaches utilized these datasets. Each datasets DB1, DB2, DB3 and DB4 of FVC2002 and FVC2004 contain a total of 800 images of 100 subjects with eight samples each. The performance of the method is evaluated with four parameters: False Acceptance Rate (FAR), False Rejection Rate (FRR), Equal Error Rate (EER) which is defined as the error rate when the FRR and FAR holds equality, and GAR is computed as 1-FRR.

3.1 Validation of parameter: Number of sectors ()

The proposed method divides the input fingerprint image into the number of sectors with equal angular width after preprocessing. To validate the parameter , we have performed a number of experiments considering different values of . We have computed the EER with angular width of , , …and corresponding to = 24,12,…and 4, respectively. The performance for the different values of is reported in Table 1. From the reported results in Table 1, we observe that =8 corresponds to the best performance on each of the datasets of FVC2002. Also, it has also been observed that EER increases due to more number of sectors without minutiae points for high values of . Therefore, we have considered = 8 for all other experiments for each dataset of FVC2002 and FVC2004 databases.

Number of sectors (s)
EER (in %)
FVC2002 DB1
FVC2002 DB2
FVC2002 DB3
FVC2002 DB4
4 3.93 3.79 5.86 6.83
8 1.82 1.39 4.02 5.77
16 5.04 4.93 8.83 12.7
32 9.63 5.19 11.24 19.3
Table 1: EER obtained for databases FVC 2002 DB1, DB2, DB3 and DB4 in same key scenario

3.2 Performance

We have utilized FVC protocol to evaluate the performance of our method. In this protocol, each subject is compared against the first sample of the remaining subjects to calculate impostor scores. Further, the genuine score is computed by comparing each sample against the remaining samples of the same subject. Hence, it requires 4950 and 2800 impostor and genuine comparisons for all four datasets of FVC2002 and FVC2004 databases respectively if all samples are enrolled. Further, we have conducted the experiments under two scenarios: Same key scenario and different key scenario.

3.2.1 Same key scenario:

This scenario represents the performance under the assumption that all the users hold the same key. In this situation, an adversary utilizes the key being a genuine user to gain unauthorized access to the system. To evaluate the performance, we utilize same keys for all users (i.e. , , and ) for enrollment. Next, we apply the proposed method to DB1, DB2, DB3 and the DB4 dataset of database FVC2002 and FVC2004. Figure 4 and Figure 5 represent the ROC curves for each dataset of FVC2002 and FVC2004 databases for the optimal value of parameter (i.e., =8), respectively.

Figure 4: ROC curves for FVC 2002 DB1, DB2, DB3 and DB4 under same key scenario

FVC2002: For the database FVC2002, we obtain an EER of 1.82, 1.39, 4.02, and 5.77 for DB1, DB2, DB3, and DB4, respectively under FVC protocol. Out of all four datasets, the proposed scheme attains superior performance onto DB1 and DB2 as these datasets comprise plenty of good quality images in comparison to DB3 and DB4 datasets. Also, DB3 and DB4 datasets include poor quality images containing less number of minutiae points per image as compared to dataset DB1 and DB2. Consequently, we obtain high values of EER for the two datasets, i.e. DB3 and DB4.

FVC2004: We also apply the proposed method onto the FVC2004 database. As a result, we attain an EER of 8.70, 7.95, 5.23, and 4.87 for DB1, DB2, DB3, and DB4 datasets, respectively. We observe that the method achieves better on DB4, out of all FVC2004 datasets due to relatively better quality images. However, the performance gets degraded in case of DB2 since the first two images of the DB2 dataset are densely distorted. Furthermore, the small overlap area for the images of stored and query templates is another reason for getting less accuracy on FVC2004 DB2. We obtain high values of EER for all four datasets of FVC2004 in comparison to all datasets of the FVC2002 database since deliberate deformation are requested to each user at the time of acquisition fvc .

Figure 5: ROC curves for FVC 2004 DB1, DB2, DB3 and DB4 under same key scenario

3.2.2 Different key scenario:

We also evaluate our method in the scenario where different keys (i.e. , , and ) are utilized to enroll different users. We achieve an EER of 0 for DB1, DB2 and DB4 datasets and an EER of 0.09 for the dataset DB3 of FVC2002. For FVC2004 database, we obtain an EER of 3.08, 2.25, 1.82 and 1.13 for DB1, DB2, DB3 and DB4 datasets, respectively which is reasonable considering relative poor quality images. Hence, it is clear that our approach also outperforms in the different key scenario.

3.2.3 Time complexity:

To investigate the time complexity of our method, we calculate the template generation time and matching time on a machine with specification as, Intel CPU i5, 2400 (3.10 GHz) and 4 GB RAM. The time readings are reported in Table 2. Note that MATLAB 2016b is used without any code optimization. It has been observed from the tabulated results that protected template generation takes almost equal time with the matching time since the matcher has to retrieve the desired mapped positions in different templates for comparison. Overall, the average time elapsed in template generation and matching meets the expectations for an efficient real-time realization.

Average time (in sec.)
Average time (in sec.)
.0005 0.0007 0.0005 0.0006 0.0006 0.0007 0.0005 0.0006
Matching 0.0002 0.0003 0.0002 0.0002 0.0003 0.0002 0.0002 0.0003
Table 2: Average processed time for proposed method under protected template generation and matching

3.3 Comparison with existing approaches

The approaches proposed in das ; shell ; ditom ; blind ; hadamard ; pmcc ; 2pmcc ; hamem ; jintee ; abe ; sandhya utilized FVC2002 database to measure the performance for their method. Furthermore, few methods in current literature such as lee ; hamem ; jintee ; abe ; sandhya also evaluated their method onto FVC2004 databases. Hence, we have performed the experiments onto FVC2002 and FVC2004 databases and compared the performance of our method with the methods described in das ; shell ; ditom ; blind ; hadamard ; pmcc ; 2pmcc ; hamem ; jintee ; abe ; sandhya ; lee to test the efficacy of the proposed method. In Table 3, the proposed method has been compared with the existing in terms of EER. In case of the FVC2002 database, we observe that our method outperforms in comparison to the approaches proposed in shell ; das ; ditom ; blind ; 2pmcc ; hamem ; jintee ; abe ; sandhya . Although the performance of our method is slightly lower in case of DB1 for Wang et al. hadamard , DB2 for Ferrara et al. pmcc and DB4 for Abe et al. abe even comparable with existing approaches. For FVC2004 databases, we find that EER obtained by our method is superior to the existing literature as described in Table 3. Hence, it is obvious from Table 3 that our approach outperforms over the current state-of-the-art.

Methods EER (in %)
Das et al.
2.27 3.79 - -
Moujahdhi et al.
4.28 1.45 - -
Wang et al.
3.5 5 7.5 -
Lee et al.
- - - - 10.3 9.5 6.8 -
Wang et al.
3 2 7 -
Wang et al.
1 2 5.2 -
Ferrara et al.
1.88 0.99 5.24 4.84
Ferrara et al.
3.3 1.8 7.8 6.6
Jin et al.
4.36 1.77 - - 17.89 17.11 - -
Jin et al.
5.19 5.65 - - 15.76 11.64 - -
Abe et al.
2.3 1.8 6.6 5.1 13.4 8.1 9.7 6.3
Sandhya et al.
3.96 2.98 6.89 - 12.17 13.29 17.73 -
Proposed method 1.82 1.39 4.02 5.77 8.70 7.95 5.23 4.87
  • indicates that the author(s) have not reported the results or results are reported for the partial dataset, in their work.

Table 3: EER obtained for databases FVC 2002 DB1, DB2, DB3 and DB4 in same key scenario

3.4 Baseline comparison

We perform two sets of experiments for baseline comparison. In the first experiment, we evaluate the EER using the original (untransformed) template involving ridge features. In the second experiment, we evaluate the performance after applying the proposed transformation using the keys (, , and ). In case of FVC2002, the performance is degraded by 0.19%, 0.41%, 0.05%, and 0.39% for DB1, DB2, DB3, and DB4 dataset of FVC2002 database, respectively. For FVC2004 database, the performance is degraded by 0.03%, 0.03%, 0.05% and 0.06% for DB1, DB2, DB3, and DB4 datasets, respectively with respect to original (untransformed) fingerprint template. From the reported results in Table 4, it is clear that the proposed cancelable transformation exhibits very low performance degradation.

Database EER (in %)
degradation (in %)
Without cancelable
With cancelable
FVC2002DB1 1.47 1.82 0.19
FVC2002DB2 0.89 1.39 0.41
FVC2002DB3 3.81 4.02 0.05
FVC2002DB4 3.49 5.77 0.39
FVC2004DB1 8.43 8.70 0.03
FVC2004DB2 7.69 7.95 0.03
FVC2004DB3 4.94 5.23 0.05
FVC2004DB4 4.58 4.87 0.06
Table 4: Baseline comparison for FVC2002 database

4 Security analysis

A template protection mechanism should fulfill the requirements of irreversibility, revocability, and diversity as depicted in Section 1. In the following subsections, we analyze our method concerning these criteria.

4.1 Irreversibility analysis

The requirement of irreversibility or non-invertibility states that it should be infeasible to obtain the original template from the protected template. To validate the claim of non-invertibility, we imagine that an adversary unveils the stored protected template . In this situation, the adversary cannot be able to access the original template () as he does not have any clue about the four different keys used for mapping. For instance, if an input fingerprint containing 50 minutiae points is divided into eight sectors, then the original template () and protected template would contain 800 cells and 640000 cells, respectively. Hence, It is not feasible to calculate initial positions (, ) and next positions (, ) to extract the entries corresponding to original template as an adversary would require =409 billion attempts.

Further, assume that the attacker reveals the keys (, , and ) utilized for mapping. In this situation, it would be extremely hard for an attacker to construct original template since all four keys , , and comprise of random coprime entries. From the random coprime entries, it is almost impossible to reveal any information about the original template.

4.2 Revocability analysis

The criteria of revocability refer to issue a new template in case stored template gets compromised. To validate the claim of revocability, we have generated 100 different protected templates by altering the parameters for the same fingerprint. Next, genuine, imposter and Pseudo-imposter distribution are computed for the two different datasets of each database i.e. DB2 dataset of FVC2002 and the DB1 dataset of FVC2004. In this experiment, we obtain 0% average FAR. Also, the mean and standard deviation (

) of genuine, imposter and pseudo-imposter are (0.576;0.02), (0.202;0.031), and (0.209;0.0373), respectively for DB2 of FVC2002. In a similar manner, we achieve (0.528;0.017), (0.196;0.029), (0.189;0.031) for genuine, imposter and pseudo-imposter distributions for DB1 dataset of FVC2004, respectively. From the evaluated distribution, it has been observed that there is a strong overlap between the pseudo-impostor and impostor distributions as shown in Fig. 6. This means that the derived templates from the same subject with different keys are different enough with each other. Hence, it is confirmed that the compromised template differs from the transformed template yet belong to the same fingerprint.

Figure 6: Genuine, imposter and pseudo-imposter distribution for FVC2002 DB2 (Left) and FVC2004 DB1 (Right)

4.3 Unlinkability analysis

This characteristic implies that there must be significant distinctiveness between the two protected templates derived from same or different subjects. To validate this requirement, we evaluate pseudo-genuine scores. Pseudo-genuine score is evaluated by comparing two different templates of same subject using different values of , , and .

In this context, if the pseudo-genuine and pseudo-imposter distribution get overlapped, it implies that the protected templates derived from the same subject are adequately dissimilar and vice versa. The computational hardness in differentiating the protected templates aids to the unlinkability characteristics. Figure 7 shows the pseudo-genuine and pseudo-imposter distribution for the DB2 dataset of FVC2002 and the DB1 dataset of FVC2004 where the pseudo-imposter and pseudo-genuine distribution are substantially overlapped. This confirms the unlinkability for derived protected templates.

Figure 7: Pseudo-genuine, pseudo-imposter for DB2 of FVC2002 (left) and DB1 of FVC2004 (right)

4.4 Diversity analysis

The template generation scheme should be able to derive multiple templates different enough with each other so that it does not cross-match over different applications. Many different templates can be derived by changing the values of key (, , , ) and seed (). Further, the number of sectors (s) can also be varied to generate multiple templates.

4.5 Other attacks

We also analyze our method against different types of attacks namely brute-force, pre-image and annealing attacks to validate the robustness of the proposed work:

Brute-Force Attack: Brute-force attack determines the total number of attempts made by an imposter to retrieve the original template. This attack is also known as masquerade attack masq in literature. In our method, we have achieved the best accuracy at s=8. For best performance configuration, an adversary would require 409 billion brute-force attempts to guess the positions of the original ridge features corresponding to an input fingerprint containing 50 minutiae points as described in Section 4.1.

Pre-image attack: In pre-image attack, the adversary may use multiple instances of the protected template to derive a pre-image of the original template. Privacy invasion is attempted by utilizing feature order in the different protected template to create a fake template. In literature, Biohashing based methods biohash ; hash ; hash2 are vulnerable to this attack since they derive a binary string which can be easily exploited to unveil original minutiae information. On the contrary, our method is robust enough to sustain this attack since the coprime mapping is utilized to hide the original ridge features across many possible different non-overlapped coprime positions. Also, our method does not depend on the order of feature components while generating the original as well as the protected template. Further, any value could not be investigated from the two projected feature vectors in any position due to the different sized enrolled and query template. Hence, pre-image attack could not be utilized to derive the original template in our method.

Annealing attack: In this attack anneal , the protected template is divided into multiple regions, and some regions of a sample template are paired with some regions of the reference template to evaluate similarity score. If the similarity score exceeds the threshold, the vicinity corresponding to sample’s region is included in the gummy template. This step is repeated until it outputs a gummy template including all the matched vicinities. Our approach is robust against this type of attack due to the following reasons:

  1. Our approach evaluates the nearest-neighbor minutia for each minutiae point causing the different radii to the different minutiae points. Hence, it is very hard to map the gummy template with the original template which is derived from the multiple regions with the variable radius.

  2. Ridge-based features are utilized for the neighboring minutiae points in each sector instead of relative distances or the directional difference between minutiae pairs. Here, the measured ridge features are invariant to the inter-ridge distances and locations of minutiae points.

5 Conclusion

Pre-alignment and the privacy-invasion are two prime factor in fingerprint-based authentication. To address these issues, we have proposed a novel cancelable fingerprint template generation method which maps original ridge features to a coprime position in a non-overlapping manner. The approach does not depend on detection of singularities (core/delta). Due to the simplicity in implementation, the method is suitable for real-world applications such as mobiles and smart- cards. The experimental evaluations performed over two publicly available databases FVC2002, and FVC2004 databases show a significant performance improvement in comparison to the several existing works in fingerprint template protection. Further, the necessary criteria of non-invertibility, diversity, and revocability are either theoretically proved or verified by experiments. The proposed method is tested against different attacks and observed that the transformation ensures the optimal security and preserves the recognition accuracy. In the future, we would try to invent a method for the evaluation of ridge feature for low or poor quality fingerprint and partial fingerprint images.


  • (1) N.K. Ratha, S. Chikkerur, J.H. Connell, R.M. Bolle, Generating cancelable fingerprint templates, IEEE Trans. on Pattern Analysis and Machine Intelligence 29(4), 561 (2007)
  • (2) A. Pashalidis, in International Conference of the BIOSIG Special Interest Group (BIOSIG) (2013), pp. 1–11
  • (3) S.W. Shin, M. Lee, D. Moon, K. Moon, Dictionary attack on functional transform‐based cancelable fingerprint templates, ETRI Journal 31(5), 628
  • (4)

    P. Das, K. Karthik, B. Chandra Garai, A robust alignment-free fingerprint hashing algorithm based on minimum distance graphs, Pattern Recognition

    45(9), 3373 (2012)
  • (5) C. Lee, J. Kim, Cancelable fingerprint templates using minutiae-based bit-strings, Journal of Network and Computer Applications 33(3), 236 (2010)
  • (6) S. Wang, J. Hu, Alignment-free cancelable fingerprint template design: A densely infinite-to-one mapping approach, Pattern Recognition 45(12), 4129 (2012)
  • (7) S. Wang, J. Hu, A blind system identification approach to cancelable fingerprint templates, Pattern Recognition 54, 14 (2016). DOI URL
  • (8) C. Moujahdi, G. Bebis, S. Ghouzali, M. Rziza, Fingerprint shell: Secure representation of fingerprint template, Pattern Recognition Letters 45, 189 (2014)
  • (9) Z. Jin, M.H. Lim, A.B.J. Teoh, B.M. Goi, A non-invertible randomized graph-based hamming embedding for generating cancelable fingerprint template, Pattern Recognition Letters 42, 137 (2014)
  • (10) Z. Jin, A.B.J. Teoh, T.S. Ong, C. Tee, Fingerprint template protection with minutiae-based bit-string for security and privacy preserving, Expert Systems with Applications 39(6), 6157 (2012)
  • (11) S. Wang, G. Deng, J. Hu, A partial hadamard transform approach to the design of cancelable fingerprint templates containing binary biometric representations, Pattern Recognition 61, 447 (2017). DOI URL
  • (12) A.B. Teoh, Y.W. Kuan, S. Lee, Cancellable biometrics and annotations on biohash, Pattern Recognition 41(6), 2034 (2008)
  • (13) G.I. Davida, Y. Frankel, B. Matt, in IEEE Symposium on Security and Privacy (IEEE, 1998), pp. 148–157
  • (14) A.T.B. Jin, T. Connie, Remarks on biohashing based cancelable biometrics in verification system, Neurocomputing 69(16–18), 2461 (2006)
  • (15) M. Sandhya, M.V.N.K. Prasad, R.R. Chillarige, Generating cancellable fingerprint templates based on delaunay triangle feature set construction, IET Biometrics 5(2), 131 (2016)
  • (16) N. Abe, S. Yamada, T. Shinzaki, in IEEE 7th International Conference on Biometrics Theory, Applications and Systems (BTAS) (2015), pp. 1–7
  • (17) R. Cappelli, M. Ferrara, D. Maltoni, Minutia cylinder-code: A new representation and matching technique for fingerprint recognition, IEEE Transactions on Pattern Analysis and Machine Intelligence 32(12), 2128 (2010)
  • (18) M. Ferrara, D. Maltoni, R. Cappelli, Noninvertible minutia cylinder-code representation, IEEE Transactions on Information Forensics and Security 7(6), 1727 (2012). DOI 10.1109/TIFS.2012.2215326
  • (19) M. Ferrara, D. Maltoni, R. Cappelli, in International Conference of the Biometrics Special Interest Group (2014), pp. 1–8
  • (20) C. Rathgeb, C. Busch, in Computer Analysis of Images and Patterns, ed. by R. Wilson, E. Hancock, A. Bors, W. Smith (Springer Berlin Heidelberg, Berlin, Heidelberg, 2013), pp. 177–184
  • (21) M. Gomez-Barrero, J. Galbally, C. Rathgeb, C. Busch, General framework to evaluate unlinkability in biometric template protection systems, IEEE Transactions on Information Forensics and Security 13(6), 1406 (2018)
  • (22) R. Dwivedi, S. Dey, in Mining Intelligence and Knowledge Exploration (Springer International Publishing, 2017), pp. 111–122
  • (23) Fingerprint Verification Competition. FVC2002 database,. Accessed from:
  • (24) J. Abraham, J. Gao, P. Kwan, Fingerprint matching using a hybrid shape and orientation descriptor (INTECH Open Access Publisher, 2011)
  • (25) K. Nandakumar, A.K. Jain, Biometric template protection: Bridging the performance gap between theory and practice, IEEE Signal Processing Magazine 32(5), 88 (2015)