1 Security Considerations in Minutiae-based Fuzzy Vaults Benjamin Tams, Preda Mih˘ ailescu and Axel Munk Abstract—The fuzzy vault scheme is a cryptographic primitive that can be used to protect human fingerprint templates where stored. Analyses for most implementations account for brute- force security only. There are, however, other risks that have to be taken into account such as false-accept attacks, record multiplicity attacks, and information leakage from auxiliary data, such as alignment parameters. In fact, existing work lacks analyses of these weaknesses and are even susceptible to a variety of them. In view of these vulnerabilities, we redesign a minutiae- based fuzzy vault implementation preventing an adversary from running attacks via record multiplicity. Furthermore, we propose a mechanism for robust absolute fingerprint pre-alignment. In combination, we obtain a fingerprint-based fuzzy vault that resists known record multiplicity attacks and that does not leak information about the protected fingerprints from auxiliary alignment data. By experiments, we evaluate the performance of our security-improved implementation which, even though it has slight usability merits as compared to other minutiae-based implementations, provides improved security. However, despite heavy efforts spent in improving security, our implementation is, like all other implementations based on a single finger, subjected to a fundamental security limitation related to the false acceptance rate, i.e., false-accept attack. Consequently, this paper supports the notion that a single finger is not sufficient to provide acceptable security. Instead, implementations for multiple finger or even multiple modalities should be deployed the security of which may be improved by the technical contributions of this paper. Index Terms—fingerprint, minutiae, fuzzy vault scheme, im- plementation, security, cryptanalyses I. I NTRODUCTION We start with a preview of the main purposes of the paper. This paper is concerned with two important aspects of the se- curity of biometry. We use the long time investigated example of fingerprint recognition for presenting the details about this security issues. The first aspect, although apparently simple and qualitatively known, has not been taken into account with sufficient consistency so far. It concerns the limitations of fingerprint security. This is due to two major factors: A. Unlike passwords, biometry is irreplaceable. If it has been once cracked on any system, it is insecure for any further applications. The biometric community faces com- parably more difficult problems than the cryptographic one, B. Tams and A. Munk are with the Institute for Mathematical Stochastics, University of Goettingen, Goldschmidtstr. 7, 37077, Goettingen, Germany. Emails: { btams , munk }@math.uni-goettingen.de. B. Tams and A. Munk gratefully acknowledge support of the DFG Graduiertenkolleg 1023, the Felix Bernstein Institute for Mathematical Statistics in the Biosciences and the Volkswagen Foundation. P. Mih˘ ailescu is with the Mathematical Institute, University of Goet- tingen, Bunsenstr. 3-5, 37073, Goettingen, Germany. Email: preda@uni- math.gwdg.de. which has developed during a period of more than one to two decades of intensive academic work a set of reliable and well defined attack scenarios. These are a common base both for cryptologic research and for security assessments and standardisation work. In cryptography, the identification process is based on deterministic primitive, which consistently yield the same output when presented the same input. In biometry however, identification is based on images and visual data which are prone to slight fluctuations, and thus statistical in nature. Therefore, presenting the same input, meaning the biometry of one and the same person, will not necessarily result with the extraction of the same identification data: this data is influenced by many, mostly external, physical factors. As a consequence, except for few marginal scenarios, one of which we mention below, we have hardly any investigated attack definitions for biometric security. In particular, the consequences of the compromise of an individual trait for the security of the respective individual is very poorly treated. Since the probability for such a compromise is quite high, it is a challenge, that structured attack scenarios should be defined and investigated in the near future in this community. B. Primitives like fuzzy vaults or fuzzy sketches rely on an abstract notion of entropy, which was expected by the computer scientists who initially designed this general purpose primitives, to be high, or at least sufficient. However, in the context of fingerprints, the statistical character of matching implies that entropy cannot be considered to be more than a metaphor that describes intuitively the amount of specific information which can actually be used in repeated matching attempts for the purpose of authentication or identification. This amount is usually quite low for a fingerprint. We argue that the security — and thus the “de facto entropy” — is strictly correlated to the false accept error probability FAR. It is in fact essentially equal to its inverse S =1/FAR. Using an open database we also provide empirical evidence for the feasibility of false-accept attacks that require the expected amount of S attempts. In particular, this realistic measure is severely lower than figures one encounters in the literature. These are mostly derived by theoretical estimates drawn from models about the security of fuzzy vaults based on fingerprints and scenarios that overlook the possibility of direct false- accept attacks. We therefore urgently recommend that secure applications of fingerprint recognition should migrate to (at least) five finger recognition. This is not a technological chal- lenge, since scanners for simultaneous scanning of five fingers are already on the market — but the academic community is called to insist on their relevance for security. The first