String-based Cancelable Fingerprint Templates

Tohari Ahmad
School of Computer Science and Information Technology
RMIT University
Melbourne, Australia
tohari.ahmad@rmit.edu.au

Jiankun Hu
School of Engineering and Information Technology
UNSW@ADFA
Canberra, Australia
J.Hu@adfa.edu.au

Song Wang
School of Engineering and Mathematical Sciences
La Trobe University
Melbourne, Australia
song.wang@latrobe.edu.au

Abstract—Cancelable (revocable) fingerprint templates have been proposed to protect fingerprint data. However, many of them have incurred significant authentication performance degradation. In this paper, we propose a cancelable fingerprint template design mechanism to protect fingerprint data while maintaining a satisfactory authentication performance. The proposed scheme transforms fingerprint minutiae points into a vector string which serves as the cancelable fingerprint template. The results of the experiment carried out using a public database FVC2002DB2 show that it meets the requirements of revocability, diversity and security for cancelable fingerprint templates, in addition to the low error level.

I. INTRODUCTION

Biometric authentication has been widely applied in many applications, which is likely to replace the use of conventional authentication in the future. Some biometric modalities, such as fingerprint and iris, can be potential candidates for further improvement due to their characteristics [13], e.g. distinctiveness and universality.

However, security and privacy remain an issue as once biometrics are compromised they are lost forever. Some biometric attack models have been presented in [13], [20], [21], which, in general, show that attacks can take place at the scanner, feature extractor, matcher, system database, and the channels between those modules. Various attacks which can be launched against those targeted points have been described in [3], [18].
A common objective of these attacks is to obtain a user’s biometric template, because compromising it makes it easier to get the user’s identity, which leads to privacy attacks. Moreover, some attacks on the biometric template have made it possible to reconstruct the raw (original) template [22], [25].

To protect fingerprint biometric templates, many methods have been proposed. Generally they can be classified into the following categories [12]: (i) image encryption [9], [11]; (ii) biometric encryption [6], [15]; (iii) cancelable (revocable) biometrics [20], [5], [24], [27]. Image-based encryption approaches require storing a cryptographic key, which is problematic by itself [10]. Intrauser variability and interuser similarity, however, present a major challenge to the approaches in the other two categories. Furthermore, it is likely that the authentication performance of the transformed biometric template is poorer than that of the untransformed one.

This paper proposes a cancelable fingerprint template scheme by building upon our previous work [1] to improve the authentication performance and security. Through adding a new step, the proposed template transformation generates a vector string to represent secure fingerprint features. The transformation is parameterized by a set of keys. So, in the worst case where the template is compromised, a new template can be generated, which is different enough from the old one, by using a different set of parameters or keys. It is infeasible to reconstruct the original fingerprint data, given the transformed template or even with the key itself. Therefore, the proposed scheme offers revocability, diversity and security properties. The transformation function is tested in various scenarios using a public data set whose quality varies.

The rest of the paper is organized as follows. Section II describes the related works and existing research.
Section III presents the proposed scheme in detail while Section IV analyses the experimental results. Finally, the conclusion is drawn in Section V.

II. RELATED WORK

In general, there are some advantages of biometric encryption [4], which are also applicable to other biometric protection schemes, for instance:
∙ it can be used for multiple identifiers
∙ it does not need to retain the original biometric image/template
∙ it is appropriate for large-scale application
∙ it is more accepted by the public

The concept of cancelable biometric templates was introduced by Ratha et al. [20]: the biometric signal or feature is scrambled such that it is infeasible to recover it given the transformed biometrics. So, the transformation function should not only be able to distinguish the fingerprints between users (discriminability), but also make it hard to reverse the transformed template (noninvertibility). This is difficult to achieve as both properties are inversely proportional. Different from conventional cryptographic algorithms, apart from irreversibility, it is argued that the transformation function should be secret [4]. In addition to this concept, some more properties should be met to alleviate the threats [16], which include:
∙ the information stored should be minimal with respect to users’ identity and their biometrics. So, acquiring the information is not adequate to launch an impersonation attack

978-1-4244-8756-1/11/$26.00 © 2011 IEEE