IEEE TRANSACTIONS ON SYSTEMS, MAN, AND CYBERNETICS—PART A: SYSTEMS AND HUMANS, VOL. 40, NO. 3, MAY 2010 525 Cancelable Templates for Sequence-Based Biometrics with Application to On-line Signature Recognition Emanuele Maiorana, Member, IEEE, Patrizio Campisi, Senior Member, IEEE, Julian Fierrez, Javier Ortega-Garcia, Senior Member, IEEE, and Alessandro Neri, Member, IEEE Abstract—Recent years have seen the rapid spread of biometric technologies for automatic people recognition. However, security and privacy issues still represent the main obstacles for the deploy- ment of biometric-based authentication systems. In this paper, we propose an approach, which we refer to as BioConvolving, that is able to guarantee security and renewability to biometric tem- plates. Specifically, we introduce a set of noninvertible transfor- mations, which can be applied to any biometrics whose template can be represented by a set of sequences, in order to generate multiple transformed versions of the template. Once the trans- formation is performed, retrieving the original data from the transformed template is computationally as hard as random guess- ing. As a proof of concept, the proposed approach is applied to an on-line signature recognition system, where a hidden Markov model-based matching strategy is employed. The performance of a protected on-line signature recognition system employing the proposed BioConvolving approach is evaluated, both in terms of authentication rates and renewability capacity, using the MCYT signature database. The reported extensive set of experiments shows that protected and renewable biometric templates can be properly generated and used for recognition, at the expense of a slight degradation in authentication performance. Index Terms—Biometrics, cancelable biometrics, hidden Markov model (HMM), security, signature verification, template protection. I. I NTRODUCTION B IOMETRIC person recognition refers to the use of phys- iological or behavioral characteristics of people in an automated way to identify them or verify who they claim to be [1]. Biometric recognition systems are typically able to provide improved comfort and security to their users, when compared to traditional authentication methods, typically based on something that you have (e.g., a token) or something that you know (e.g., a password). Unfortunately, biometrics-based people authentication poses new challenges related to personal data protection, not existing in traditional authentication methods. In fact, if biometric data Manuscript received November 28, 2008. First published March 22, 2010; current version published April 14, 2010. This paper was recommended by Guest Editor K. W. Bowyer. E. Maiorana, P. Campisi, and A. Neri are with the Dipartimento di Elettron- ica Applicata, Università degli Studi Roma Tre, 00146 Roma, Italy (e-mail: maiorana@uniroma3.it; campisi@uniroma3.it; neri@uniroma3.it). J. Fierrez and J. Ortega-Garcia are with the Biometric Recognition Group—ATVS, Escuela Politecnica Superior, Universidad Autonoma de Madrid, 28049 Madrid, Spain (e-mail: javier.ortega@uam.es; julian.fierrez@ uam.es). Digital Object Identifier 10.1109/TSMCA.2010.2041653 are stolen by an attacker, this can lead to identity theft. More- over, users’ biometrics cannot be changed, and they may reveal sensitive information about personality and health, which can be processed and distributed without the users’ authorization [2]. An unauthorized tracking of the enrolled subjects can also be done when a cross-matching among different biometric databases is performed, since personal biometric traits are per- manently associated with the users. This would lead to users’ privacy loss. Because of these security and privacy issues, there are cur- rently many research efforts toward protecting biometric systems against possible attacks which can be perpetrated at their vulne- rable points (see [3]). In essence, the adopted security measures should be able to enhance biometric systems’ resilience against attacks while allowing the matching to be performed efficiently, thus guaranteeing acceptable recognition performance. In this paper, we introduce a novel noninvertible transform- based approach, namely, BioConvolving, which provides both protection and renewability for any biometric template which can be expressed in terms of a set of discrete sequences related to the temporal, spatial, or spectral behavior of the considered biometrics. The proposed approach can be therefore applied to a variety of biometric modalities, for example, speech biometrics [4], where spectral or temporal analysis of the voice signal pro- duces discrete sequences, or to signature [5] and handwriting [4] recognition, where the extracted sequences are related to the pen’s position, applied pressure, and inclination. Moreover, when performing gait recognition [6], temporal sequences de- scribing the trajectories of the ankle, knee, and hip of walking people can be considered as templates. A set of discrete finite sequences representing the potentials of brain electrical activity, generated as a response to visual stimuli, can also be employed as a template, when performing brain-activity-based identifica- tion [7]. This is also the case when performing iris recognition, since the normalized template can be decomposed into 1-D intensity signals, which retain the local variations of the iris [8]. It is worth pointing out that some methods for the protection of templates extracted from the aforementioned biometrics act on sets of parametric features derived from the originally acquired data, thus limiting the kind of matching which can be performed [9]. Since our BioConvolving approach deals with discrete sequences instead of parametric features, it allows using sophisticated matching schemes such as dynamic time warping (DTW) or hidden Markov models (HMMs). 1083-4427/$26.00 © 2010 IEEE Authorized licensed use limited to: Univ Autonoma de Madrid. Downloaded on May 06,2010 at 15:31:46 UTC from IEEE Xplore. Restrictions apply.