Key Incorporation Scheme for Cancelable Biometrics

Biometrics is becoming an important method for human identification. However, once a biometric pattern is stolen, the user will quickly run out of alternatives and all the applications where the associated biometric pattern is used become insecure. Cancelable biometrics is a solution. However, traditional cancelable biometric methods treat the transformation process and feature extraction process independently. As a result, this kind of cancelable biometric approach would reduce the recognition accuracy. In this paper, we first analyze the limitations of traditional cancelable biometric methods and propose the Key Incorporation Scheme for Cancelable Biometrics, an approach that can increase the recognition accuracy while achieving "cancelability". Then we design the Gabor Descriptor based Cancelable Iris Recognition method, a practical implementation of the proposed Key Incorporation Scheme. The experimental results demonstrate that our proposed method can significantly improve the iris recognition accuracy while achieving "cancelability".


Introduction
Biometrics uses unique and measurable physical, biological, or behavioral characteristics for human identification [1]. Some commonly used modalities are fingerprint, iris, face, voice, etc. Compared to traditional identification and verification methods, such as plastic identification cards, biometrics is more convenient for users, reduces fraud, and is more secure.
However, once a biometric is compromised or stolen, it is much harder to revoke and reissue than a password or a plastic ID card [2]. The biometric user quickly runs out of alternatives. In addition, all of his/her information related to the biometric ID is also compromised. Moreover, user privacy may be compromised. Therefore, methods to protect the true patterns and templates are required in practical biometric applications. Attack against the biometric templates stored in a database or during the matching process is considered to be one of the greatest potential threats to the traditional biometric system. Therefore most of the cancelable approaches were proposed to protect template security and privacy. Some researchers proposed applying cryptographic methods to biometrics [3][4][5][6][7][8][9][10][11]. These methods require extracting non-changing patterns from biometric data, which is often challenging. Among them, one popular method is biometric hardening or bioHashing [3,5,10,11]. The feature template is combined with user-specific random information in order to be projected to a new representation. An error-tolerant discretization method is then used to quantize the feature description to reduce uncertainty. The projection acts like a linear transformation of the biometric pattern. It can protect the true template and ensure high security since the user-specific random information can be generated using different keys, which ensures the revocability of the templates. Moreover, the introduction of the user key can further increase the discriminability of the templates. However, the external randomness needs to be stored in a smart card or a token, making it inconvenient in large-scale applications. If the key is compromised, the scheme is insecure since the projection process is usually invertible. It is also noticeable that intra-user variation may reduce the stability of this scheme. Key-binding [12][13][14][15] is another popular scheme in cryptosystems to protect the security of both the biometric template and the cryptographic key. This method depends on storing helper data obtained by binding a key (which is independent of the biometric template) with the biometric template [2]. Notice that the helper data should not reveal too much information about the key or biometric template. This scheme is considered to be non-invertible since it is computationally infeasible to decode the key or biometric template without knowing the biometric data. One typical design of a key-binding system is the "fuzzy vault" proposed by Juels et al. [13]. The "fuzzy vault" incorporates error correction code with local biometric features to tolerate the within-class variance. The method is proved to be effective in tolerating biometric data variations. Note that this error correction based fuzzy scheme was first designed for a cryptosystem, but it is particularly suited for biometric data and biometric template protection. Therefore, it is often used in conjunction with other template protection methods, such as biometric hardening, to achieve "cancelability". However, Simoens et al. [16] show that an attack on the fuzzy template protection scheme is possible. In particular, it is possible for an attacker to determine whether two documents are encrypted using the same biometric data. Although this does not mean that the biometric templates are compromised, it is still a potential threat to user privacy.
Another type of similar scheme is categorized as "key-generation" [17][18][19]. In contrast with the key-binding method, the helper data of a key-generation scheme is derived only from the biometric traits, and the cryptographic key is directly generated from the helper data. The ideas of "secure sketch" and "fuzzy extractor" introduced by Dodis et al. [17] are an example design of a "key-generation" cryptosystem. The "secure sketch" is the helper data extracted from the original biometric patterns, which leaks limited information about the biometric data, while the "fuzzy extractor" can generate a cryptographic key from the biometric features. This scheme also suffers from the same privacy issues as the fuzzy methods mentioned in [16]. In addition, the stability and diversity of the generated key cannot be easily achieved simultaneously [2].
The idea of "cancelable biometrics" [20] was proposed by Ratha et al. This type of system implements "cancelability" by designing methods to transform the true signal and create alternatives for matching. Cancelable methods of this type can be divided into two categories: one tries to mask the original patterns by mixing in artificial texture or noise [21][22][23]. The other uses non-invertible transformations to distort the original biometric patterns [24][25][26]. All these transformation functions are considered to be non-invertible since they rely on one-way functions which are easy to compute but hard to invert in polynomial time even if the attackers steal the transformed template and/or transformation key. The transformation parameters are determined by externally added randomness, such as a user pin or token. The transformed patterns can be changed (or revoked/reissued) by changing the user pin or token. As a result, this method achieves "cancelability". Compared to other template protection methods, cancelable biometrics can preserve the biometric representation. Traditional cancelable biometrics approaches often reduce recognition accuracy.
In this paper, we first analyze the limitation of traditional cancelable biometrics methods, and propose a new cancelable scheme which can not only achieve "cancelability" but also achieve higher recognition accuracy. We then design an example cancelable biometrics system based on the proposed scheme using iris recognition. The proposed cancelable iris method can potentially increase the recognition accuracy while achieving "cancelability". The rest of this paper is organized as follows: Section II analyzes the limitation of the traditional cancelable biometrics methods from the point of view of information theory and introduces our key incorporation scheme for cancelable biometrics. Section III shows an example cancelable iris recognition system based on the proposed scheme. Section IV provides the experimental results of the proposed system prior to conclusions in Section V.

Key Incorporation Scheme for Cancelable Biometrics
In this section, we will first analyze the limitation of current cancelable biometrics approaches using information theory. Then, we will introduce the proposed Key Incorporation Scheme that can not only achieve "cancelability" but also increase recognition accuracy.

Analysis of Current Cancelable Biometrics Approaches
The recognition accuracy of a biometrics system can be represented as the recognition capacity [27]. A typical biometric system diagram is shown in Figure 1. By analogy to channel capacity, we can use mutual information to calculate the recognition capacity: (2-1) where I(X;Y) is the mutual information which can be expressed as: Here H(X) is the entropy of X: ( )log log ( ) Figure 2 shows the diagrams of traditional cancelable biometrics approaches. Since the feature transformation is independent of feature extraction steps, the recognition capacity of these two approaches are equal: . (2)(3)(4)(5) In this approach, the key is independent of pattern, from Figure 2(a) and Figure 1, we have a Markov Chain : .
2 is a Markov Chain. Obviously, it is not a Markov chain, therefore, 2 1

C
. As a result, the existing cancelable biometrics (Figure 2) will reduce the recognition accuracy.

The Proposed Key Incorporation Scheme for Cancelable Biometrics
To increase the recognition capacity, we should design a cancelable biometric system that can use partial key information to increase channel capacity. We call this scheme "Key Incorporation Scheme" (Figure 3).
If we can redesign the feature extraction process to provide additional information O, which can be used to incorporate the key information to the later step, we will be able to increase the recognition capacity of the system. Using information theory, we get: Here because O is also extracted from 4 , and O is not independent of K . This shows that, in theory, it is possible to increase the recognition accuracy while achieving cancelability.
Note: In this design, in order to achieve the security of the cancelable approach, it is important to ensure that the Key information could not be fully recovered from K .

An Example Design of the Proposed Scheme: The Key Incorporation Cancelable Iris Recognition Method
To show that the proposed scheme is practical, in this section, we introduce the partial-key information incorporation based cancelable iris recognition method. Among biometric authentication techniques, iris recognition has been tested to be one of the most accurate and reliable methods of positive identification [28]. In recent years, several methods for iris recognition have been developed [29,30]. Among them, Daugman's approach [31][32][33][34][35] has been most widely adopted in commercialized iris recognition systems.
In recent years, several methods of cancelable iris recognition have been presented. Zuo et al. [36] presented registration-free transform and salting approaches to apply both at the unwrapped iris image level and the binary template level to produce masked templates. Pillai et al. [37] used sectored random projection to generate cancelable iris templates. The Gabor features are extracted from the segmented iris images to form a feature vector, and a random matrix is then multiplied with the feature vector to project it onto an n-dimensional random subspace. Hammerle-Uhl et al. [38] applied two classical transformations, block re-mapping and texture warping, to iris textures in the image domain prior to feature extraction to protect the true iris pattern. All the methods above used Daugman's 2D Gabor wavelet (or similar) method for feature extraction. The templates are binary codes. The non-invertible transformation may affect the global Gabor features. As a result, the recognition accuracy is reduced [37]. There is a need to design a suitable iris recognition algorithm for cancelable systems.

Brief Review of the Gabor Descriptor-Based Iris Recognition Method
In [55], we proposed the Gabor Descriptor-based iris recognition, which does not require polar transformation, and can work with low resolution and off-angle iris images. In this method, the iris features are extracted using a Gabor descriptor. The feature extraction and comparison are scale-, shift-, rotation- and contrast-invariant. The Gabor wavelet is incorporated with scale-invariant feature transformation (SIFT) [39] to better extract the iris features. Both the phase and magnitude of the Gabor wavelet outputs were used in a novel way for local feature point description.
Figure 4 shows the system architecture. It is a non-invertible transformation. During enrollment, a set of enrollment images is collected and preprocessed. The Gabor Descriptor feature selection and description algorithms are applied to each preprocessed iris pattern. A unique non-invertible transform method controlled by a random kernel is then carried out on each user's Gabor Descriptor templates. Here we give a simple implementation of this random kernel: the user provides a key as a seed to a pseudo-random number generator which is used to create the random kernel. Thus, templates from the same user will have the same unique transformation. Finally, the transformed cancelable templates are stored in a database.
Preprocessing: In the preprocessing step, the iris area is segmented from the image. We used the direct least square fitting of ellipse method to mathematically model the iris boundary. Then a window gradient-based method is applied to remove noise in the iris region [29].
Feature Point Selection: The Difference of Gaussian (DoG) approach [39] is used to find the potential feature points which are invariant to scale, shift, rotation and contrast. The whole iris region is divided into 720 sub-regions. For each sub-region, at most one extremum point is kept as the feature point. Lowe's 3-D quadratic method [40] and the Hessian matrix [41,42] are used to test if a feature point is a stable point or not.
During authentication (Figure 3), the user is asked to provide the user key to the system. The same feature selection and description algorithm is then applied to the preprocessed testing images. The user key produces the same seed to the pseudo-random number generator to realize a unique non-invertible transformation. Finally, two Gabor Descriptor templates are compared in a transformed domain to make a decision. Therefore if the transformed templates are compromised, the key can be reissued and the compromise would not affect the original templates.
Feature Point Description: Each stable feature point is then described using a vector with 64 elements, which is called a "Gabor Descriptor". To create the descriptor for the feature point, a small window centered on this feature point is used for feature extraction. A bank of 2-D Gabor filters is then used to extract the iris features. The magnitude of the filtered area is Gaussian-weighted based on the spatial distance between each point and the feature point. The phase is divided into 4 areas. Finally, the weight is summed to form one of the 64 bins based on its spatial location referred to the feature (4 x bins and 4 y bins) and phase quadratic (4 phase orientation bins). The 64 length Gabor Descriptor vector for each feature point is finally created by normalizing the cumulative weight to a unit vector. The resulting 64 bin feature point descriptor is then normalized to a unit vector by dividing by the 2-norm of the descriptor.
Feature Matching: To match two feature point maps, the average of the distance scores between all overlapping feature points is calculated and used as the matching score between two feature point maps. To make the proposed method tolerant of segmentation error and eye rotation, each feature point in a feature point map from image X is compared to each feature point in the fifteen surrounding bins (two bins on either side and one bin above and below) in a feature point map from image Y, and the minimum average distance score is stored for the two feature point maps compared.

Incorporating the Key Information to the Templates
It is not trivial to incorporate key information into the biometric templates. In this section, we will show an example of incorporating the key into the iris templates generated from the Gabor Descriptor method. We used the fact that the ring information r can reflect key information and it is non-reversible. With this new feature information, the feature descriptor becomes a 65-length vector (64 bins plus the ring information) (an example is shown in Figure 5). The r information is actually the radial position in the sub-region map of each feature point. In order to enhance the template security and create a cancelable template, a re-arrangement of the sub-regions is needed. Before re-arrangement, the radial position of each feature point in the sub-region map is recorded in the r field added to the Gabor Descriptor. The re-arrangement is uniquely determined by a user key, which means that providing the correct key should maintain the same re-arrangement. No matter how the transformation goes, features that overlap in the original sub-region map should still overlap after re-arrangement. Thus, the recorded radial position of the overlapping feature point in both transformed templates should have the same r value. By checking the correspondence of the r values of each overlapping feature point in both test and enrolled templates, we can quickly get rid of the wrong user key situations. The key information is incorporated with the iris pattern and we do not directly compare the user key, so there is less room for the attacker to get the key information. Moreover, the added r information will not leak the true template information because one cannot reverse the transform process with only the radial position in the sub-region map provided. Also, the key could not be fully recovered from the extracted key information, as we stated in Section II.

Non-Invertible Transformation
The transformation process is a non-invertible spatial transformation consisting of a random re-mapping of the 720 bins to shuffle the original location. Therefore theoretically 720! (over 10^4200) different transformations can be obtained. To be tolerant of segmentation error and provide redundancy, feature points located within a 3 × 5 neighborhood region are considered to be overlapping during matching. In our research, in order to make the re-mapping non-invertible, we only use part of the bins (N < 720) from the original templates which contains all the feature points so that the information for recognition will not be reduced. Therefore the true arrangement number is much less than the theoretical one. (For example, 100 valid feature points can get N!/(N − 100)! different permutations.) Even so, the number of possible arrangements is still enough to ensure a potential attacker has a negligible probability of guessing the arrangement of the original template using a brute-force attack.
In order to transform the original mapping arrangement, the user provides a random seed for a pseudo-random number generator. This seed may be generated by a physical hardware token that the user keeps in her possession. In this way, it provides a complex random seed in a secure manner. The results of the pseudo-random number generator are applied to a transformation process that re-maps each of the sub-regions from the original mapping arrangement into the newly transformed mapping. The transformation process re-maps the arrangement of the sub-regions, while leaving the contents of the 64-length descriptor in each sub-region unchanged from the original mapping. To make the 720-bin random permutation non-invertible, a 128-bit sequence is generated from each user's pin or token as an input seed, as well as a set of encryption keys for the pseudo-random number generator. A one way hash encryption function or method can be used to map the input seed into 720 128-bit strings using the ANSI X9.17 pseudo-random number generator algorithm [43].
The 720 bit string sequence constitutes a unique random permutation applied to the original Gabor Descriptor templates. The transformation process is considered a non-invertible or "one way" process because there is no deterministic process for reversing the transformation to return to the original template without previously knowing the user key and the function used in the pseudo-random number generator. The pseudo-random number generator will produce the same numeric sequence when used with the same seed during a future transformation process. This allows for subsequently generated iris mappings to undergo the same transformation, producing a consistently transformed mapping arrangement for matching. Even if the attacker gets the original template arrangement, that is just a part of the iris; the system can regenerate a new pin. The corresponding templates in the enrollment database should be deleted and the user should be re-enrolled in the database to achieve "cancelability".

Perform Iris Recognition Using the Key Incorporated Templates
To match two feature point maps, the average of the distance scores between all overlapping feature points is calculated and used as the matching score between two feature point maps. To make the proposed method tolerant of segmentation error and eye rotation, each feature point in a feature point map from image X is compared to each feature point in the fifteen surrounding bins (two bins on either side and one bin above and below) in a feature point map from image Y, and the minimum average distance score is stored for the two feature point maps compared.
In addition, we modified the Euclidean distance based matching algorithm by taking the transformation into consideration. For both enrolled and test images from the same user with the same key, the unique transformed mapping should be the same. During matching, any overlapping blocks of the transformed templates should also be overlapped in the original templates. Thus, we add a field which only records the ring number of the bin to provide location information of this feature point. Before calculating the Euclidean distance, we check the feature point location information. If several blocks are found to be too far away, we view the two templates as being from different users and move on to the next comparison. The similarity (from 0 to 1) of two images X, Y is calculated as: where X.r_m and Y.r_m are the ring location numbers of the mth overlapping block in both X and Y. An attacker cannot recover the original permutation with only the radius location information. Thus, with the added ring number, we can shorten our matching time and reduce the false acceptance rate greatly without compromising the security of the original templates.
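The following Python sketch is an added example, not the authors' code, covering the keyed bin re-mapping, the recorded ring number r, and the ring check performed before distance matching. Assumptions: a 10 × 72 ring/sector layout for the 720 bins, HMAC-SHA256 in place of the ANSI X9.17 generator, exact-bin overlap instead of the 3 × 5 neighbourhood, a similarity of 1 − (mean distance)/2 with constructed thresholds, and constructed sample descriptors and keys.

```python
from __future__ import annotations

import hashlib
import hmac
import math
import random

RINGS, SECTORS = 10, 72        # assumed layout: 10 rings x 72 sectors = 720 bins
BINS = RINGS * SECTORS
MAX_RING_MISMATCH = 3          # assumed tolerance for "several blocks" being off
ACCEPT = 0.8                   # assumed similarity threshold


def keyed_permutation(user_key: bytes) -> list[int]:
    """Original bin -> transformed bin. One keyed bit string per bin, and the
    order of those strings defines the permutation (HMAC-SHA256 is a stand-in
    for the generator named on the page)."""
    tags = [hmac.new(user_key, b.to_bytes(2, "big"), hashlib.sha256).digest()
            for b in range(BINS)]
    order = sorted(range(BINS), key=tags.__getitem__)
    perm = [0] * BINS
    for new_pos, old_bin in enumerate(order):
        perm[old_bin] = new_pos
    return perm


def protect(features: dict[int, list[float]], user_key: bytes) -> dict:
    """Cancelable template: record the ring r of each occupied bin, then
    re-map the bin. Descriptor contents are left unchanged."""
    perm = keyed_permutation(user_key)
    return {perm[b]: (desc, b // SECTORS) for b, desc in features.items()}


def match(enrolled: dict, probe: dict) -> tuple[bool, float, str]:
    """Ring check first, Euclidean distance only if the rings agree."""
    shared = enrolled.keys() & probe.keys()
    if not shared:
        return False, 0.0, "no-overlap"
    mismatches = sum(enrolled[t][1] != probe[t][1] for t in shared)
    if mismatches > MAX_RING_MISMATCH:
        return False, 0.0, "ring-mismatch"      # wrong key: skip distance work
    mean_dist = sum(math.dist(enrolled[t][0], probe[t][0])
                    for t in shared) / len(shared)
    similarity = 1.0 - mean_dist / 2.0          # unit vectors: distance <= 2
    return similarity >= ACCEPT, similarity, "distance"


def unit(v: list[float]) -> list[float]:
    n = math.sqrt(sum(x * x for x in v))
    return [x / n for x in v]


def sample_iris(seed: int, n_points: int = 300) -> dict[int, list[float]]:
    """Constructed stand-in for a Gabor Descriptor template (N < 720 bins)."""
    rng = random.Random(seed)
    return {b: unit([rng.gauss(0, 1) for _ in range(64)])
            for b in rng.sample(range(BINS), n_points)}


def recapture(features: dict, seed: int, sigma: float = 0.02) -> dict:
    """Constructed second capture of the same eye: small descriptor noise."""
    rng = random.Random(seed)
    return {b: unit([x + rng.gauss(0, sigma) for x in d])
            for b, d in features.items()}


def run_scenarios() -> dict[str, tuple[bool, float, str]]:
    alice, bob = sample_iris(1), sample_iris(2)
    key_a, key_b = b"constructed-key-A", b"constructed-key-B"
    enrolled = protect(alice, key_a)
    again = recapture(alice, 9)
    return {
        "same user, same key": match(enrolled, protect(again, key_a)),
        "same user, different key": match(enrolled, protect(again, key_b)),
        "different user, same key": match(enrolled, protect(bob, key_a)),
        "different user, different key": match(enrolled, protect(bob, key_b)),
    }


if __name__ == "__main__":
    for name, (accepted, score, stage) in run_scenarios().items():
        print(f"{name:32s} accepted={accepted!s:5s} score={score:.3f} via {stage}")
```

A different user presenting the same key passes the ring check and is rejected on descriptor distance, so r filters key mismatches and re-issued keys without replacing the biometric comparison.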

Database
Three databases are used in our experiments: IUPUI noncooperative remote database [39] and ICE 2005 Database [44].
The IUPUI Remote Iris Image Database was acquired at 10.3 feet from the camera to the subject using a Micro Vista NIR camera with Fujinon zoom lens. The database includes 3690 remote iris images of 31 users in 6 directions (look left, look center, look right, look up-left, look up, look up-right) (Figure 6).
The ICE 2005 Database [44] from the National Institute of Standards and Technology (NIST) consists mostly of frontal look eyes (Figure 7). It includes two sub-databases: a left iris image database with 1527 images from 120 subjects, and a right iris image database with 1426 images from 124 subjects. In this experiment, we used the more challenging left eyes.

Experimental Results and Analysis
For the IUPUI database (experiment 1), we used the ICE 2005 matching protocol in this experiment: each image is matched against all other images in the database. Therefore, all 3690 images were used in our experiment, comprising 6.8 million comparisons in the matching stage.
Our own non-cooperative segmentation algorithm was used to automatically obtain the iris region. In order to show the performance of our method in a general case, we randomly assign a unique key to each user and apply random transformations controlled by the user key to the iris templates of each user. We run the random transformation 10 times, which means we revoke the old key and re-issue a new key 10 times. We first apply the traditional method without key information incorporated to the 10 transformed datasets. We then use the proposed cancelable approach to test the 10 trials. Figure 8 shows the comparison of the 10 EERs (Equal Error Rates): our Gabor Descriptor result for the IUPUI database is 5.24% while the average EER of our 10 experiments using the proposed method is 0.3965%. This shows that the proposed method does not change the genuine matching results, but greatly increases the matching distance of imposters. Table 1 compares the results of using the two traditional cooperative iris recognition algorithms, 2-D Gabor wavelet matching and 1-D Log-Gabor matching, with our Gabor Descriptor and the proposed cancelable method on the centered eyes from our IUPUI remote database. The proposed method result is the average result of the 10 experiments. To make the comparison reasonable, we only use the 610 frontal-look images (cooperative situation) and use the same segmentation outputs. Our Gabor Descriptor method results are comparable to the results achieved using traditional matching algorithms. The EERs of the 10 trials using our proposed key incorporated cancelable method are 0.22%, 0.25%, 0.33%, 0.23%, 0.18%, 0.22%, 0.22%, 0.24%, 0.23% and 0.21%, which shows that the proposed method can effectively reduce FAR and improve the accuracy.
In the matching process, there could be four possible scenarios. The two templates for matching could be from:
Same user and same key: The two templates should be matched.
Same user and different keys: The template matching distance would be high because the transformations are different and the two templates should not be matched.
Different users and same key: The template matching distance would be high because iris patterns are different (i.e. Gabor Descriptors would be different so the distance will be high).
Different users and different keys: The template matching distance would be high because both the iris patterns and the transformations are different.
Under such a scenario, the false acceptance rate will be reduced dramatically.
In experiment 2, we use the 1527 left eyes of the ICE Database, which provides 1.1 million comparisons. Similar to experiment 1, we assign a randomly generated key to each subject 10 times. The EER comparisons of the 10 random experiments are listed in Figure 9. The EERs of the 10 trials are 0.11%, 0.10%, 0.10%, 0.09%, 0.09%, 0.10%, 0.10%, 0.10%, 0.10%, 0.10%. We can see that the recognition accuracy has been dramatically improved.
Table 2 compares using 2-D Gabor wavelet matching, 1-D Log-Gabor matching, our Gabor Descriptor and the proposed cancelable method results on annular iris images of the ICE database. To be comparable, all the methods use the same segmentation method and frontal-look images. It is shown that our original Gabor Descriptor method can achieve accuracy close to the traditional 2-D Gabor wavelet method and 1-D Log-Gabor method. Our proposed cancelable method can effectively reduce the FAR to achieve 0.001 EER. Moreover, our methods can work well in non-cooperative situations (off-angle eyes). Most of the eyes from different classes are directly rejected during the stored ring number checking process; therefore high accuracy is reasonable.

The proposed cancelable approach (trial 1)    0.11%    99.90%    99.71%
The proposed cancelable approach (trial 2)    0.10%    99.90%    99.68%
The proposed cancelable approach (trial 3)    0.10%    99.91%    99.69%
The proposed cancelable approach (trial 4)    0.09%    99.93%    99.69%
The proposed cancelable approach (trial 5)    0.09%    99.92%    99.70%
The proposed cancelable approach (trial 6)    0.10%    99.90%    99.69%
The proposed cancelable approach (trial 7)    0.10%    99.90%    99.70%
The proposed cancelable approach (trial 8)    0.10%    99.92%    99.67%
The proposed cancelable approach (trial 9)    0.10%    99.90%    99.72%
The proposed cancelable approach (trial 10)   0.10%    99.93%    99.71%

All the above experiments using our cancelable method achieve very promising results, which is reasonable because we pre-assigned totally random keys to different users. The key variation will result in totally different transformations which will be detected by our matching algorithm with ring information examination. Therefore, nearly all the false acceptance cases are excluded because they cannot pass the ring number check mechanism. One thing to point out here is that our scheme is not a direct and simple combination of key check and iris comparisons, but incorporates the key information into the biometric templates. We do not directly compare the user key but extract the key information from the iris templates and quickly exclude imposters. In such a way, we can better protect the user key and achieve high accuracy, as well as reducing the matching time.
From our experimental results, we can see that our method effectively obtains "cancelability" while reducing the FAR greatly and thus improving the recognition accuracy. Most of the false acceptances are rejected due to our transformation checking mechanism by comparing the stored ring number before matching. The unique cancelable transformation actually provides more information for identity verification. Moreover, the non-invertible transformation is carried out on descriptor templates without changing or ruining the original feature information. Thus, the added transformation greatly increases the recognition accuracy.

Conclusions
In this paper, we proposed the Key Incorporation Scheme that can help increase the recognition accuracy while achieving "cancelability". We designed a Gabor Descriptor-based cancelable iris recognition method using the proposed Key Incorporation Scheme. The experimental results demonstrate that our approach can achieve "cancelability" and also improve recognition accuracy. The proposed scheme can be applicable to cancelable face recognition, cancelable fingerprint recognition, or other kinds of cancelable biometrics.

Figure 1. Diagram of a typical biometric system.

Figure 2. Diagrams of two kinds of traditional cancelable biometrics schemes.

Figure 3. Diagram of the proposed cancelable biometrics schemes.