
Design and Analysis of Fuzzy Extractors for Faces

Yagiz Sutcu (a), Qiming Li (b) and Nasir Memon (c)

(a) Department of Electrical and Computer Engineering, Polytechnic Institute of NYU, 6 MetroTech Center, Brooklyn, NY, 11201, USA;
(b) Cryptography and Security Department, Institute for Infocomm Research, A-Star, 1 Fusionopolis Way, 138632, Singapore;
(c) Department of Computer Science and Engineering, Polytechnic Institute of NYU, 6 MetroTech Center, Brooklyn, NY, 11201, USA
ABSTRACT

It is both crucial and challenging to protect biometric data used for biometric identification and authentication
systems, while keeping the systems user friendly. We study the design and analysis of biometric data protection
schemes based on fuzzy extractors. Previous fuzzy extractors have limitations that make them difficult to apply
to continuous feature spaces, entropy estimation, and feature selection. We propose a scheme based on
PCA features and a recently proposed fuzzy extractor for continuous domains. We conduct experiments using
the ORL face database, and analyze carefully the entropies and the resulting security of the system. We explore
and compare different ways to select and combine features, and show that randomization plays an important
role in security, performance and cancelability. Furthermore, the proposed feature selection yields a better
estimation of the final key strength.
Keywords: Biometrics, security, template protection, entropy analysis

1. INTRODUCTION
Since biometric features of individuals are tightly bound with their identities and cannot be easily forgotten
or lost, they provide significant potential in applications where both security and user convenience are highly
desirable. However, achieving the desired level of security and usability is not trivial. The key challenge,
from a security perspective, is the difficulty of protecting the biometric templates while allowing easy matching.
Let us take a look at a typical biometric authentication system based on facial features. During enrollment,
a user (say, Alice) takes a number of photos at a trusted server (one or multiple photos may be needed, depending
on the scheme). After that, a complicated signal processing tool is applied to the images to obtain a template,
which is then stored on a trusted storage server. During authentication, Alice takes another photo, and the
same feature extraction tool is applied to obtain a new feature sample that may be slightly different from those
in the template. This new sample is then compared with the template, and Alice is authenticated if the new
sample matches the template according to some matching algorithm.
Besides authentication, it is also desirable to extract a cryptographic key from the biometric data, or use the
biometric data to encode a key, such that this key can only be obtained by presenting another similar sample
of the biometrics. This cryptographic key can then be used, for example, to access certain computing resources,
encrypt personal data, generate digital signatures, or used for authentication or identication.
From a security perspective, there are a number of challenging issues, which include: (1) the false acceptance
rate (FAR) should be low; (2) the template should not reveal too much information about the original biometric
data; (3) the key strength should be high (if a key is extracted); and (4) the template should be privacy
preserving. At the same time, any cryptographic tools employed to achieve these desirable properties should also
consider the underlying signal processing techniques and performance measures, such that the overall performance
from a signal processing perspective is not degraded too much. In particular, the false-rejection rate
should be low so that the system is user-friendly.

Further author information: (Send correspondence to Yagiz Sutcu)
Yagiz Sutcu: E-mail: yagiz@isis.poly.edu
Qiming Li: E-mail: qiming.li@ieee.org
Nasir Memon: E-mail: memon@nyu.edu
One method to protect biometric templates and allow robust key extraction at the same time is to use recently
proposed secure sketch schemes (e.g., [1]). In such a scheme, a sketch is computed from the original template, and
when another sample of the same biometrics is obtained, the original template can be recovered with the help
of the sketch, if the recently captured biometric is similar to the template according to some similarity measure.
After the template is recovered, a key can then be extracted using extractors such as pair-wise independent hash
functions. The sketch is secure if it contains little information about the original biometric template of the user.
A general method is given in [1] to bound such entropy loss from above for any distribution of the biometric data,
which is useful since the distributions of many biometrics are not known.
The idea of a fuzzy extractor for biometric data is further explored in a number of previous works. A scheme
based on singular value decomposition (SVD) for face images is proposed and analyzed in [2]. The performance
and security are evaluated using the Essex 94 database [3], and reasonable performance in terms of false-acceptance
and false-rejection rates is shown to be achievable.
Although their method is sound, there are still a number of limitations. First, the Essex 94 database is
considered an easy database for pattern recognition research, since it is of relatively high quality
in the sense that there is very little variation among different images of the same person. Furthermore, there
are many analysis techniques that are generally considered more favorable than SVD. Hence, it
is not clear if reasonable performance can still be achieved using a more challenging database and other signal
processing techniques for facial feature extraction.
Secondly, any PCA-like analysis on the biometric data (SVD in [2]) would typically result in a large number of
components. In previous work usually the most significant components are taken, based on the common view
that these components contain most of the information about the data. However, from a more rigorous point of
view, such a heuristic may need to be examined further. Ideally, the strategy of selecting the components as
features should maximize the security (e.g., by maximizing the min-entropy and minimizing the entropy loss).
Finally, the estimation of min-entropy and the calculation of entropy loss depend heavily on the choice of
parameters. In particular, as the parameters (such as the quantization step) change, both the min-entropy and the
entropy loss would change. Furthermore, the randomization process introduces correlations into the components,
which makes the analysis difficult. In fact, to avoid the problem, it is proposed in [2] that the min-entropy should
be measured before randomization. Moreover, the analysis in [2] follows the guideline presented in [4] to choose the
parameters. Nevertheless, the theoretical results in [4] mainly consider the case where we do not know the
distribution of the data. Since we already have a database at hand, it is interesting to investigate if we can do
better with some knowledge about the distribution.
In this paper, we conduct experiments on the ORL face database, which contains considerably more variations
in poses and facial expressions. Also, we employ the eigenface features instead of SVD components. In particular,
we analyze the effect of randomization, and carefully examine its implications for the performance and the entropy
estimation.
We further investigate the problem of entropy estimation and feature selection. We also propose to choose
feature components and/or determine the importance of components by estimating their min-entropy, which in
turn would contribute to the final key strength. This is in contrast to many previous methods, which would pick
only the most significant components, or those with the highest energy, or use any criteria that do not address the
key strength directly.

2. RELATED WORK
In recent years, many different ideas have been proposed to overcome the template security problem associated
with biometric systems. A comprehensive coverage of many proposed solutions can be found in [5, 6].
The first group of techniques is associated with the notion of cancelable biometrics, which was first introduced
by Ratha et al. [7]. The underlying idea is to apply a similarity-preserving, noninvertible (or hard-to-invert)
transformation to biometric templates before they are stored. New biometric samples are transformed in the
same way before they are matched with the templates. In the literature, one can find a significant number of
applications/variants of this idea. Some examples can be found in [8–14].
Besides transformation-based cancelable techniques, another class of approaches, which makes information-theoretic security analysis possible, is based on the use of some helper data. In this group of techniques, the main idea is
to create/extract some user-specific auxiliary information from the original biometric data in a way that does not
reveal much information about the biometric data. Later, this auxiliary information is used to recover/estimate
the original biometric data from a noisy instance of itself. This information can be in the form of helper
data [15, 16], a syndrome [17, 18] or a secure sketch [1, 4, 19]. Furthermore, the fuzzy commitment [20] and fuzzy vault [21] schemes
may be considered as earlier implementations of the secure sketch scheme.
In this recently proposed cryptographic primitive called secure sketch, some public information, which does
not reveal too much information about the original biometric data, is extracted/created and used to recover the
original biometric data given a noisy sample of the same biometric data that is sufficiently similar to the original
one.
There are a few reasons why this framework not only allows more rigorous security analysis compared
to many other approaches, but also helps generalize much of the prior helper-data based work. First of
all, a sketch allows exact recovery of the biometric template. Therefore, a strong extractor (such as pair-wise
independent hash functions) can be further applied on the template to obtain a key that is robust, in the sense
that it can be consistently reproduced given any noisy measurement that is similar to the template. This key
can then be used in the same way as passwords. Furthermore, in this framework, it is possible to demonstrate
some general results that do not depend on any particular notion of closeness between two measurements of the
same biometric data, as long as this closeness is defined in a metric space. This is very important since different
biometric modalities have different representations and error patterns.
Constructions and rigorous analysis of secure sketch are given in [1] for three metrics: Hamming distance, set
difference and edit distance. Secure sketch schemes for point sets in [19] are motivated by the typical similarity
measure (that does not define a metric space) used for minutiae-based fingerprint templates. Linnartz and
Tuyls [22] consider a similar problem for biometric authentication applications. Under the Gaussian assumption,
they use mutual information as the measure of security against dishonest verifiers. Tuyls and Goseling [23] consider
a similar notion of security, and develop some general results when the distribution of the original is known and
the verifier can be trusted. Some practical results along this line also appeared in [15].
However, there are a few difficulties in extending these techniques to biometric templates in practice. Most
importantly, many biometric templates are not discrete, but are instead points in a continuous domain where it is
hard to define what the minimum entropy of the original biometric template should be. Furthermore, extracting
a discrete key from such a template would require some form of quantization. In this case, since the entropy of
the original data can be very large, and the length of the extracted key is typically quite limited, the entropy
loss as defined in [1] can be arbitrarily high, which can be misleading. Furthermore, besides the subtleties in
the entropy loss due to quantization, a very important aspect of any biometric authentication system is its false
accept rate (FAR) and false reject rate (FRR), which are often overlooked in previous theoretical work on secure
sketch. (For further details about the problem of designing secure sketch for continuous data see [2, 4, 24], and for
the reusability issue of sketches, see [25–27].)

3. QUANTIZATION-BASED SECURE SKETCH


In a recent work, we considered the problem of designing and analyzing secure sketch for biometric templates in
a continuous domain [4] and studied how to design and analyze different quantization algorithms. In this section, we
will briefly summarize the basic concepts and definitions related to the quantization-based secure sketch scheme,
and then we will describe our two-step scheme to compute sketches from face images that allow us to extract
consistent keys.

3.1 Preliminaries
In the case where X is discrete, we follow the definitions by Dodis et al. [1]. They consider a variant of the average
min-entropy of X given P, which is essentially the minimum strength of the key that can be consistently extracted
from X when P is made public. In particular, the min-entropy $H_\infty(A)$ of a discrete random variable A is defined
as

$$H_\infty(A) = -\log\left(\max_a \Pr[A = a]\right) \quad (1)$$

Similarly, for two discrete random variables A and B, the average min-entropy of A given B is defined as

$$\tilde{H}_\infty(A \mid B) = -\log\left(\mathbb{E}_{b \leftarrow B}\left[2^{-H_\infty(A \mid B = b)}\right]\right) \quad (2)$$

For discrete X, the entropy loss of the sketch P is defined as $L = H_\infty(X) - \tilde{H}_\infty(X \mid P)$. This definition is
useful in the analysis, since for any $\ell$-bit string B, we have $\tilde{H}_\infty(A \mid B) \ge H_\infty(A) - \ell$. For any secure sketch
scheme for discrete X, let R be the randomness invested in constructing the sketch; it is not difficult to show
that when R can be computed from X and P, we have

$$L = H_\infty(X) - \tilde{H}_\infty(X \mid P) \le |P| - H_\infty(R). \quad (3)$$

In other words, the entropy loss can be bounded from above by the difference between the size of P and the
amount of randomness we invested in computing P. This allows us to conveniently find an upper bound of L
for any distribution of X, since it is independent of X.
Here we repeat the definitions of secure sketch and entropy loss in the discrete domain given by Dodis et al. [1].
Let M be a finite set of points with a similarity relation $S \subseteq M \times M$. When $(X, Y) \in S$, we say that Y is similar
to X, or the pair (X, Y) is similar.
Definition 1: A sketch scheme in the discrete domain is a tuple (M, S, ENC, DEC), where $\mathrm{ENC} : M \to \{0, 1\}^*$
is an encoder and $\mathrm{DEC} : M \times \{0, 1\}^* \to M$ is a decoder such that for all $X, Y \in M$, $\mathrm{DEC}(Y, \mathrm{ENC}(X)) = X$
if $(X, Y) \in S$. The string $P = \mathrm{ENC}(X)$ is the sketch, and is to be made public. We say that the scheme
is L-secure if for all random variables X over M, the entropy loss of the sketch P is at most L. That is,
$H_\infty(X) - \tilde{H}_\infty(X \mid \mathrm{ENC}(X)) \le L$.
We call $\tilde{H}_\infty(X \mid P)$ the left-over entropy, which in essence measures the strength of the key that can be
extracted from X given that P is made public. Note that in most cases, the ultimate goal is to maximize the
left-over entropy for some particular distribution of X. However, in the discrete case, the min-entropy of X
is fixed but can be difficult to analyze. Hence, entropy loss becomes an equivalent measure which is easier to
quantify.
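As an added worked instance of definitions (1)–(3) (illustrative code written for this page, not code from the paper), the following Python computes the min-entropy of a secret A, the average min-entropy of A given a 1-bit public string B, and the resulting entropy loss, and checks the bound $\tilde{H}_\infty(A \mid B) \ge H_\infty(A) - \ell$ for $\ell = 1$. The joint distribution is constructed for the example.

```python
import math
from collections import defaultdict

# Constructed joint distribution Pr[A = a, B = b] (example values, not from the paper):
# A is the secret, B is a 1-bit public string that is correlated with it.
JOINT = {
    (0, 0): 0.30, (1, 0): 0.10, (2, 0): 0.10,
    (0, 1): 0.05, (1, 1): 0.25, (2, 1): 0.20,
}


def min_entropy(dist):
    """H_inf(A) = -log2(max_a Pr[A = a]), eq. (1); dist maps value -> probability."""
    return -math.log2(max(dist.values()))


def marginal(joint, position):
    """Marginal of the first (position 0) or second (position 1) coordinate."""
    out = defaultdict(float)
    for key, p in joint.items():
        out[key[position]] += p
    return dict(out)


def conditional_on_b(joint, b):
    """Pr[A = a | B = b] for every a."""
    rows = {a: p for (a, bb), p in joint.items() if bb == b}
    total = sum(rows.values())
    return {a: p / total for a, p in rows.items()}


def avg_min_entropy(joint):
    """tilde H_inf(A | B) = -log2( E_{b <- B} [ 2^{-H_inf(A | B = b)} ] ), eq. (2)."""
    p_b = marginal(joint, 1)
    expectation = sum(p_b[b] * 2 ** (-min_entropy(conditional_on_b(joint, b))) for b in p_b)
    return -math.log2(expectation)


def entropy_loss(joint):
    """L = H_inf(A) - tilde H_inf(A | B): the key strength that publishing B costs."""
    return min_entropy(marginal(joint, 0)) - avg_min_entropy(joint)


def bound_holds(joint):
    """tilde H_inf(A | B) >= H_inf(A) - l for an l-bit B, i.e. L <= l (l = log2 of B's support)."""
    l_bits = math.log2(len(marginal(joint, 1)))
    return entropy_loss(joint) <= l_bits + 1e-12


if __name__ == "__main__":
    print("H_inf(A)          =", min_entropy(marginal(JOINT, 0)))   # -log2(0.35)
    print("H~_inf(A|B)       =", avg_min_entropy(JOINT))            # -log2(0.55)
    print("entropy loss L    =", entropy_loss(JOINT))               # log2(0.55/0.35)
    print("L <= |B| bits     :", bound_holds(JOINT))
```

Because $2^{-H_\infty(A \mid B = b)} = \max_a \Pr[A = a \mid B = b]$, the expectation in eq. (2) collapses to $\sum_b \max_a \Pr[A = a, B = b]$; here that is 0.30 + 0.25 = 0.55, so publishing B costs $\log_2(0.55/0.35) \approx 0.65$ bits, less than the 1 bit the generic bound allows.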
To handle points in some continuous domain U, we follow [4] and use a two-step approach. In particular, we
quantize (discretize) the points such that they become points in a discrete domain M. After that we apply a
known sketch scheme in the discrete domain M to construct the sketch. When a fresh measurement of the same
biometrics is given, it is quantized using the same quantizer and the corresponding reconstruction algorithm in
the discrete domain is used to recover the quantized version of the original data points.
More formally, let U be a set that may be uncountable, and let S be a similarity relation on U, i.e., $S \subseteq U \times U$.
Let M be a set of finite points, and let $Q : U \to M$ be a function that maps points in U to points in M. We
will refer to such a function Q as a quantizer.

Figure 1. Sketch Generation and Reconstruction in Continuous Domain.

Definition 2: A quantization-based sketch scheme is (as defined in [4]) a tuple (U, S, Q, M, ENC, DEC), where
$\mathrm{ENC} : M \to \{0, 1\}^*$ is an encoder and $\mathrm{DEC} : M \times \{0, 1\}^* \to M$ is a decoder such that for all $X, Y \in U$,
$\mathrm{DEC}(Q(Y), \mathrm{ENC}(Q(X))) = Q(X)$ if $(X, Y) \in S$. The string $P = \mathrm{ENC}(Q(X))$ is the sketch. We say that the
scheme is L-secure in the quantized domain if for all random variables X over U, the entropy loss of P is at most
L, i.e., $H_\infty(Q(X)) - \tilde{H}_\infty(Q(X) \mid \mathrm{ENC}(Q(X))) \le L$.
It is worth noting that according to this definition, we only require the quantized original to be reconstructed.
This, in some sense, avoids the problem of possible high entropy loss due to quantization. It is shown in [4] that when
the quantization step (assuming scalar quantization) is close to the error that we want to tolerate, the resulting
scheme would not be too different in terms of left-over entropy from using the optimal quantization
step, which may be difficult to find. Therefore, in this paper we will follow this principle, with some necessary
deviation due to the nature of biometrics in the real world.

3.2 Implementation
Our quantization-based secure sketch implementation is as follows. Firstly, for a given image, we extract
a feature vector V of size n (Section 3.2.1). Secondly, we discretize (quantize) the feature vector (Section 3.2.3)
and finally, we apply a known sketch scheme to generate a sketch and to reconstruct the quantized feature vector
(Section 3.2.4).
3.2.1 Template Representation
We assume that we can extract a feature vector of size n from each biometric sample. Therefore,

$$B_i = [b_{i1}\; b_{i2}\; \ldots\; b_{in}]^T \quad (4)$$

represents the n-dimensional feature vector of the i-th user of the system, where each coefficient $b_{ij} \in \mathbb{R}$ is a real
number.
In addition, we also assume that the value of each coefficient $b_{ij}$ can vary within a certain range, which is
going to be determined through experiments on the data set. In other words, we consider the j-th coefficient for
the i-th user to be always associated with a range, which is defined by a mid-point $\bar{b}_{ij}$ and a range size $\delta_{ij}$. Here, the
mid-point $\bar{b}_{ij}$ for the j-th component of the i-th user is determined as the mid-point value of the j-th component
of the feature vector observed in the training data set of user i. Similarly, the range size $\delta_{ij}$ for the j-th component
of the i-th user is determined as $\delta_{ij} = (mx_{ij} - mn_{ij})/2$, where $mn_{ij}$ (resp. $mx_{ij}$) is the minimum (resp. the maximum)
value of the j-th component of the feature vector observed in the training data set of user i.
Therefore, the template for the i-th user consists of two vectors. The first is the list of n mid-points $\bar{b}_{i1}, \ldots, \bar{b}_{in}$,
and the other is the list of range sizes for each coefficient, $\delta_{i1}, \ldots, \delta_{in}$.

In the simplest case, for the i-th user in the system, we can consider a sample $\tilde{B}_i = [\tilde{b}_{i1}\; \tilde{b}_{i2}\; \ldots\; \tilde{b}_{in}]^T$ as
authentic if

$$\bar{b}_{ij} - \delta_{ij} \le \tilde{b}_{ij} \le \bar{b}_{ij} + \delta_{ij} \quad (5)$$

for all $j = 1, \ldots, n$.
3.2.2 Randomization
Before generating a sketch from the coefficients extracted from raw samples of biometric data, we can further
apply a user-specific random mapping on these feature vectors. In particular, we generate k-by-n matrices whose
elements are uniformly distributed random numbers between $-\alpha$ and $\alpha$, where $\alpha$ is a parameter. We call such
matrices randomization matrices. Through experiments, we found that the overall performance is not sensitive
to the value of $\alpha$, so we fix the value of $\alpha$ to be 1.
Let $R_i$ be the randomization matrix for user i. By multiplying the feature vector with this random matrix,
an n-dimensional feature vector can be mapped into another k-dimensional feature vector. That is, for user i
and a raw sample $B_i = [b_{i1}\; \ldots\; b_{in}]^T$, we compute $V_i = R_i B_i = [v_{i1}\; v_{i2}\; \ldots\; v_{ik}]^T$.
Similar to the simple case in Section 3.2.1, the mid-points $\bar{v}_{ij}$ and range sizes $\delta_{ij}$ are recalculated, and for any
$\tilde{V}_i = R_i \tilde{B}_i = [\tilde{v}_{i1}\; \tilde{v}_{i2}\; \ldots\; \tilde{v}_{ik}]^T$, we consider it as authentic if

$$\bar{v}_{ij} - \delta_{ij} \le \tilde{v}_{ij} \le \bar{v}_{ij} + \delta_{ij} \quad (6)$$

for all $j = 1, \ldots, k$.


There are a few reasons for using such a randomization in our scheme. First of all, randomization provides
better noise tolerance. In particular, the noise on the original components seems to be smoothed out by the
random mapping, which makes the scheme more robust for the same FAR. Secondly, randomization provides
cancelability and diversity simultaneously. More specifically, users will be able to use the same biometric data
(i.e., their face in our case) with a newly generated random mapping in case of any data compromise. Furthermore,
cross-matching across different databases will not be feasible since different applications will use different
random mappings.
It is also worth mentioning that our purpose in using such a randomization is neither dimension reduction
(as in [28, 29]) nor to increase security by introducing non-invertibility (as in [30, 31]). Therefore in this study, we only
considered square (n-by-n) randomization matrices and analyzed the effect of such a mapping on the performance
and security of the quantization-based secure sketch scheme.
3.2.3 Quantization and Codebook
In order to generate a sketch for the biometric template, the first step is to discretize every component of the feature
vector such that we can apply a sketch scheme for discrete domains. Therefore, we employ a straightforward
method, which uses a scalar quantizer for each of the coefficients to map it to a discrete domain.
First, we determine the global range of each and every component of the feature vectors from the training data
set obtained during the enrollment phase. Let these values be $MN_j = \min_i(v_{ij})$ and $MX_j = \max_i(v_{ij})$. Next, the
discrete domain $C_j$ for the j-th component is computed by quantizing the overall user range by the quantization
step $\Delta_j$. That is,

$$C_j = \{MN_j - r_j,\; MN_j - r_j + \Delta_j,\; MN_j - r_j + 2\Delta_j,\; \ldots,\; MN_j - r_j + L_j \Delta_j\} \quad (7)$$

where $L_j$ is an appropriately chosen integer which satisfies $MN_j - r_j + L_j \Delta_j \ge MX_j$ and $r_j$ is a positive random number.
In this way, for the j-th component of the i-th user, a range of midpoint $\bar{v}_{ij}$ and size $\delta_{ij}$ can be translated to
a discrete range where the discrete midpoint is the quantization of $\bar{v}_{ij}$ in $C_j$, and the discrete range size $d_{ij}$ is given
by

$$d_{ij} = \left\lceil \frac{\delta_{ij}}{\Delta_j} \right\rceil \quad (8)$$

Finally, the codebook $C_j^i$ for the j-th component of the i-th user is a subset of $C_j$, and can be determined by
choosing one point out of every $2d_{ij} + 1$ consecutive points in $C_j$.

In this setup, the $\Delta_j$ are simply determined as a function of the minimum range size of each component of the
feature vector observed over the whole user space. That is,

$$\Delta_j = \gamma \min_i(\delta_{ij}) \quad (9)$$

where $\gamma$ is a parameter which can take different values.

It is worth noting that, in the above formulation, the quantization step $\Delta_j$ can be determined in many different
ways. However, it is reasonable to assume that $\Delta_j$ should be related to some statistics of the range of the feature
components, namely the $\delta_{ij}$.
3.2.4 Sketch Generation and Template Reconstruction
During enrollment, the biometric data of each user are acquired and feature vectors are extracted several times
as part of the training process. Then the variation (i.e., the midpoint and range size) of each feature vector
component is estimated by analyzing the training data set. Next, we construct a codebook for each component
of each user as in Section 3.2.3.
Therefore, the sketch $P_i$ for user i is a vector $P_i = [p_{i1}\; p_{i2}\; \ldots\; p_{ik}]^T$ where $p_{ij} = Q_{ij}(\bar{v}_{ij}) - \bar{v}_{ij}$ and $Q_{ij}(\bar{v}_{ij})$ is
the codeword in $C_j^i$ that is closest to $\bar{v}_{ij}$.
During authentication, biometric data of the i-th user is taken and the corresponding feature vector is computed.
Let us denote this noisy feature vector as $\tilde{V}_i = [\tilde{v}_{i1}\; \tilde{v}_{i2}\; \ldots\; \tilde{v}_{in}]^T$. Then the decoder takes $\tilde{V}_i$ and $P_i$ and calculates
$Q_{ij}(\tilde{v}_{ij}) - p_{ij}$ for $j = 1, \ldots, n$. Reconstruction of the original biometric will be successful if

$$-d_{ij} \le Q_{ij}(\tilde{v}_{ij}) - Q_{ij}(\bar{v}_{ij}) < d_{ij} \quad (10)$$

where $d_{ij}$ is the user-specific error tolerance bound for the j-th component. It is not difficult to see that
$Q_{ij}(\tilde{v}_{ij}) - p_{ij} = Q_{ij}(\tilde{v}_{ij}) - Q_{ij}(\bar{v}_{ij}) + \bar{v}_{ij}$, and errors up to some preset threshold value will be corrected
successfully.
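The following Python puts Sections 3.2.1 to 3.2.4 together as one runnable toy: per-user midpoints and range sizes, the optional user-specific randomization matrix of Section 3.2.2, the global codebook $C_j$ with a random offset, the per-user codebook $C_j^i$ with spacing $2d_{ij} + 1$, sketch generation and the decoder. It is an added example written for this page, not the authors' implementation. The training values are constructed; the choice $\gamma = 0.5$, the per-user seeds standing in for the stored matrices $R_i$, the way $r_j$ is drawn and the alignment of $C_j^i$ with the quantized midpoint are all assumptions made here.

```python
import math
import random

# Constructed enrollment data (not features from the ORL database): two users,
# three training samples each, n = 2 feature components per sample.
TRAIN = {
    "alice": [[1.0, 10.0], [1.4, 10.6], [0.8, 9.8]],
    "bob":   [[5.0, 3.0], [5.6, 2.4], [4.6, 3.2]],
}
GAMMA = 0.5  # assumed value of gamma in Delta_j = gamma * min_i delta_ij (eq. 9)
SEEDS = {"alice": 11, "bob": 22}  # stand-ins for the stored user-specific matrices R_i


def randomization_matrix(n, seed, alpha=1.0):
    """n-by-n matrix with entries uniform in [-alpha, alpha] (Section 3.2.2)."""
    rng = random.Random(seed)
    return [[rng.uniform(-alpha, alpha) for _ in range(n)] for _ in range(n)]


def apply_map(matrix, vec):
    """V_i = R_i B_i."""
    return [sum(m * x for m, x in zip(row, vec)) for row in matrix]


def midpoints_and_ranges(samples):
    """Per component: midpoint vbar_ij and range size delta_ij = (mx - mn) / 2 (Section 3.2.1)."""
    cols = list(zip(*samples))
    return [(min(c) + max(c)) / 2 for c in cols], [(max(c) - min(c)) / 2 for c in cols]


class FineCodebook:
    """Global codebooks C_j = {MN_j - r_j + m * Delta_j : m = 0, ..., L_j} of eq. (7)."""

    def __init__(self, mapped_train, gamma, rng):
        all_samples = [s for samples in mapped_train.values() for s in samples]
        all_deltas = [midpoints_and_ranges(s)[1] for s in mapped_train.values()]
        cols = list(zip(*all_samples))
        self.step = [gamma * min(d[j] for d in all_deltas) for j in range(len(cols))]  # Delta_j
        # MN_j - r_j with r_j drawn from (0, Delta_j): an assumed way to pick the random offset
        self.origin = [min(c) - rng.uniform(0.0, st) for c, st in zip(cols, self.step)]
        self.size = [math.ceil((max(c) - o) / st) for c, o, st in zip(cols, self.origin, self.step)]

    def index(self, j, v):
        """Index m of the point of C_j closest to v (the grid is extended beyond L_j for simplicity)."""
        return round((v - self.origin[j]) / self.step[j])

    def value(self, j, m):
        return self.origin[j] + m * self.step[j]


def enroll(cb, mids, deltas):
    """Public data per component: d_ij (eq. 8), the phase that picks the user codebook C_j^i
    (every (2 d_ij + 1)-th point of C_j), and the sketch p_ij = Q_ij(vbar_ij) - vbar_ij."""
    public = []
    for j, (vbar, delta) in enumerate(zip(mids, deltas)):
        d = math.ceil(delta / cb.step[j])
        m = cb.index(j, vbar)
        phase = m % (2 * d + 1)  # assumption: C_j^i is aligned to contain the quantized midpoint
        public.append((d, phase, cb.value(j, m) - vbar))
    return public


def user_quantize(cb, j, v, d, phase):
    """Q_ij(v): index in C_j of the codeword of C_j^i closest to v."""
    spacing = 2 * d + 1
    return phase + round((cb.index(j, v) - phase) / spacing) * spacing


def reconstruct(cb, public, noisy):
    """Decoder of Section 3.2.4: Q_ij(vtilde_ij) - p_ij for every component j."""
    return [cb.value(j, user_quantize(cb, j, v, d, phase)) - p
            for j, (v, (d, phase, p)) in enumerate(zip(noisy, public))]


def run_demo(randomize):
    """Enrolls both users; returns (genuine attempt accepted, impostor attempt accepted) for alice."""
    n = 2

    def features(user, raw):  # the claimed user's matrix is applied to whatever is presented
        return apply_map(randomization_matrix(n, SEEDS[user]), raw) if randomize else raw

    mapped = {u: [features(u, s) for s in ss] for u, ss in TRAIN.items()}
    cb = FineCodebook(mapped, GAMMA, random.Random(0))
    templates = {u: midpoints_and_ranges(s) for u, s in mapped.items()}
    public = {u: enroll(cb, *templates[u]) for u in mapped}

    def attempt(claimed, raw):
        rec = reconstruct(cb, public[claimed], features(claimed, raw))
        # A deployment would hash the reconstructed vector and compare hashes; here the
        # midpoints are compared directly (isclose absorbs floating-point round-off).
        return all(math.isclose(a, b, abs_tol=1e-9) for a, b in zip(rec, templates[claimed][0]))

    fresh = [sum(col) / 3 for col in zip(*TRAIN["alice"])]  # fresh genuine sample: mean of alice's training data
    return attempt("alice", fresh), attempt("alice", TRAIN["bob"][0])


if __name__ == "__main__":
    for flag in (False, True):
        print("randomized" if flag else "non-randomized", run_demo(flag))
```

The decoder returns $\bar{v}_{ij}$ exactly (up to round-off) whenever the fresh value quantizes to a point within $d_{ij}$ fine steps of the quantized midpoint, since then $Q_{ij}(\tilde{v}_{ij}) = Q_{ij}(\bar{v}_{ij})$ and $Q_{ij}(\tilde{v}_{ij}) - p_{ij} = \bar{v}_{ij}$. The genuine sample is accepted in both runs because the mean of the training samples lies inside every per-component range both before and after a linear map; whether bob's sample lands outside alice's ranges under her randomization matrix depends on the drawn matrix, so only the non-randomized impostor outcome is fixed by the data.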

4. EXPERIMENTS, RESULTS AND ANALYSIS


4.1 Dataset and Experimental Setup
Face images are one of the most widely used biometrics for authentication. In our experiments, we used the Olivetti
Face Database (ORL database [32]). The ORL face database consists of 10 different images of 40 distinct subjects, and
the size of each image is 92x112 with 8-bit grey levels. In our simulation, we randomly divide the 10 samples of each
subject from the ORL database into two parts, namely training (i.e., enrollment) and test (i.e., authentication) sets,
where the training set is assigned 7 of the images and the test set has the remaining 3 sample face images. In our setup,
7 test data for every user is used to generate 40x3=120 genuine authentication attempts and 39x40x3=4680
impostor authentication attempts (3 attempts by the 39 remaining users for every user in the system). Sample
images from this database are given in Figure 2.
In the literature, many different feature extraction/selection algorithms have been proposed for face recognition, and
one of the most popular is the Eigenface method [33], which is an intricate application of principal component
analysis (PCA) that combines dimension reduction with feature selection [34]. To test our proposed
scheme, we also used the Eigenface method. However, it should be noted that the essence of the technique is
not specific to face image data and can be applied to any type of ordered biometric features.

4.2 Performance and Security Analysis


As already mentioned, it is often sufficient (as well as faster, and more economical for storage) to consider the
first n principal components for PCA-based dimension reduction. Therefore, in our experiments, we first tested
our range-based authentication scheme (explained in Section 3.2.1) by increasing the number of selected principal
components of PCA (hence the dimensionality of the feature vectors, $B_i$) without implementing the secure sketch
scheme. The dimensionality of the feature vectors and the corresponding equal error rate (EER) values are shown
in Figure 2.

Figure 2. Variation of the equal error rate (EER) values with increasing dimensionality after PCA (left) and
some examples from the ORL face database (right).

As can be seen in Figure 2, selecting more than 20 principal components results in increasing EER values;
hence the performance becomes worse. The main reason for this characteristic is that, in contrast to a
Euclidean distance-based similarity measure, our range-based measure is more sensitive to feature variation, since
it requires each feature to lie in a pre-estimated range. Therefore, including less significant principal components,
which have less distinguishing power, deteriorates the authentication performance.
The main result we observed from Figure 2 is the significant effect of randomization in terms of performance.
As noted previously, randomization actually provides some additional tolerance to minor out-of-range variations
of the feature vector components by introducing some level of correlation. After observing such a trend in
performance in terms of EER, we set the dimensionality of the feature vectors (after PCA) to n = 20 to further
investigate the effects of quantization and feature selection.
As already mentioned earlier, the quantization step $\Delta_j$ can be determined in many different ways depending
on operational constraints (such as the noise level which needs to be tolerated) and also depending on the data
set considered. Here, we considered a straightforward approach and set the quantization step to be a fraction of
the minimum range observed over the whole data set (i.e., $\Delta_j = \gamma \min_i(\delta_{ij})$).
Figure 3 shows the effect of quantization on the performance of the scheme for various values of $\gamma$, for both
non-randomized and randomized implementations with n = 20. As can be seen from Figure 3, while small
values of $\gamma$ seem to improve the performance of the scheme, increasing $\gamma$ above 0.75 significantly decreases the
performance. Furthermore, randomization generally improves the performance of the scheme, especially for
small values of $\gamma$.
As mentioned earlier, $\tilde{H}_\infty(X \mid P)$ is called the left-over entropy, which measures the strength of the key
that can be extracted from X given that P is made public, and in most cases the ultimate goal is to maximize
the left-over entropy for some particular distribution of the biometric data considered. However, in the discrete
case, the min-entropy is fixed but can be difficult to analyze, and entropy loss becomes an equivalent measure
which is easier to quantify.

EER is the rate at which both false accept and false reject rates are equal.

Figure 3. ROC of non-randomized and randomized secure sketch implementation for $\gamma = 0.25$ (left); EER values of
non-randomized and randomized secure sketch implementation for different values of $\gamma$ (right).

For this construction, in order to estimate the left-over entropy, we first tried to estimate the min-entropy
of V, $H_\infty(V)$, assuming that the components of the feature vector are independent. Therefore, the min-entropy
of each component is estimated independently and the total min-entropy of the feature vector V is calculated
as the summation of the individual min-entropies of the components. That is,

$$H_\infty(V) = \sum_{i=1}^{n} H_\infty(v_i) \quad (11)$$

To estimate $H_\infty(v_i)$, we simply considered the distribution of the feature vector component $v_i$ over the whole user
space and analyzed the histogram of that distribution while setting the bin size to the quantization step size
$\Delta_i$ of that component (i.e., $\gamma = 1$). The number of elements in the most likely bin gives a rough estimate of
the min-entropy of the feature vector component i. Under this setting, the min-entropy of the feature vectors is
estimated to be about 59.91 bits when n = 20.
The (component-wise) entropy loss in the quantized domain can simply be bounded by

$$L(P) \le \sum_{i=1}^{n} L(p_i) \quad (12)$$

where $L(p_i)$ is the entropy loss of the sketch for component i of the feature vector representation of the
biometric data. This can be conveniently bounded by the size of the sketch. That is,

$$L(p_i) \le |p_i| = \log\left(2\left\lceil \frac{\delta_{ij}}{\Delta_j} \right\rceil + 1\right). \quad (13)$$

The entropy loss of the scheme can thus be calculated from the size of the sketch. However, it is worth noting that,
since the errors to be tolerated are quite different for different users even for the same component, the resulting
entropy loss is much larger than the theoretically achievable $n \log 3$.
From the experiments, we calculated the average size of the sketch as 40.35 bits when n = 20, which gives a
guarantee of 19.56 bits in the left-over entropy. On the other hand, if we select the first 20 features which have
the highest estimated min-entropy, the min-entropy of the feature vectors is estimated to be about 61.95 bits. In
this case, the average size of the sketch is about 43.46 bits, which gives a guarantee of 18.49 bits in the left-over
entropy, which is not significantly different from the former case.
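As an added example of the estimation procedure of eqs. (11) to (13) and of the min-entropy based feature selection proposed above (illustrative code written for this page, not the authors' code), the following Python takes a small constructed enrollment set, estimates each component's min-entropy from a histogram with bin width $\Delta_j$ (with $\gamma = 1$), computes the average per-component sketch size $\log_2(2\lceil \delta_{ij}/\Delta_j \rceil + 1)$, derives the left-over entropy guarantee, and ranks components by estimated min-entropy. The training values are constructed and chosen so that every bin boundary is exact in binary floating point.

```python
import math

# Constructed enrollment data (not ORL features): 4 users x 3 training samples,
# 3 feature components per sample.
TRAIN = [
    [[0.00, 10.0, 20.0], [0.25, 10.0, 21.0], [0.50, 11.0, 22.0]],   # user 1
    [[1.00, 10.5, 20.0], [1.50, 11.0, 21.0], [2.00, 11.5, 22.0]],   # user 2
    [[2.00, 10.0, 20.0], [2.50, 10.5, 21.0], [3.00, 11.0, 22.0]],   # user 3
    [[4.00, 11.0, 20.0], [4.25, 11.0, 21.0], [4.50, 12.0, 22.0]],   # user 4
]


def n_features(train):
    return len(train[0][0])


def range_sizes(train):
    """delta_ij = (max - min) / 2 of component j over user i's training samples."""
    return [[(max(s[j] for s in user) - min(s[j] for s in user)) / 2
             for j in range(n_features(train))] for user in train]


def quantization_steps(train, gamma=1.0):
    """Delta_j = gamma * min_i delta_ij (eq. 9); gamma = 1 as used for the entropy estimate."""
    deltas = range_sizes(train)
    return [gamma * min(d[j] for d in deltas) for j in range(n_features(train))]


def estimate_min_entropy(train, steps):
    """Histogram estimate of H_inf(v_j): bins of width Delta_j over all users' samples,
    -log2(count of the fullest bin / total count)."""
    values = [s for user in train for s in user]
    result = []
    for j, step in enumerate(steps):
        col = [s[j] for s in values]
        lo = min(col)
        counts = {}
        for v in col:
            b = math.floor((v - lo) / step)
            counts[b] = counts.get(b, 0) + 1
        result.append(-math.log2(max(counts.values()) / len(col)))
    return result


def average_sketch_sizes(train, steps):
    """Average over users of |p_ij| = log2(2 * ceil(delta_ij / Delta_j) + 1) (eq. 13)."""
    deltas = range_sizes(train)
    return [sum(math.log2(2 * math.ceil(d[j] / step) + 1) for d in deltas) / len(deltas)
            for j, step in enumerate(steps)]


def leftover_guarantee(train, steps, selected=None):
    """sum_j H_inf(v_j) - sum_j avg|p_j| over the selected components (eqs. 11-13)."""
    h = estimate_min_entropy(train, steps)
    s = average_sketch_sizes(train, steps)
    idx = range(len(steps)) if selected is None else selected
    return sum(h[j] for j in idx) - sum(s[j] for j in idx)


def select_by_min_entropy(train, steps, m):
    """Indices of the m components with the highest estimated min-entropy."""
    h = estimate_min_entropy(train, steps)
    return sorted(range(len(h)), key=lambda j: -h[j])[:m]


if __name__ == "__main__":
    steps = quantization_steps(TRAIN)
    print("Delta_j       :", steps)
    print("H_inf(v_j)    :", estimate_min_entropy(TRAIN, steps))
    print("avg |p_j|     :", average_sketch_sizes(TRAIN, steps))
    print("guarantee, all:", leftover_guarantee(TRAIN, steps))
    best = select_by_min_entropy(TRAIN, steps, 2)
    print("top-2 by H_inf:", best, "guarantee:", leftover_guarantee(TRAIN, steps, best))
```

Component 2 in this data has the same values for every user, so its estimated min-entropy ($\log_2 3$) equals its sketch size and it contributes nothing to the guarantee, while component 0 contributes the most; ranking by estimated min-entropy therefore keeps components 0 and 2 ahead of component 1, whose guaranteed contribution is negative. This is the sense in which selecting by min-entropy rather than by energy targets the final key strength directly.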

Figure 4. Percentage of the variance explained for each principal component of PCA (left); estimated entropy and min-entropy of the PCA features (right).

When n increases, the size of the sketch (and hence the entropy loss) increases proportionally. For example, if we
repeat the experiment for n = 50, the min-entropy of the feature vectors is estimated to be about 132.52 bits;
the average size of the sketch is about 98.88 bits, which gives a guarantee of 33.64 bits in the left-over entropy.
If we select the first 50 features which have the highest estimated min-entropy, the min-entropy of the feature
vectors is estimated to be about 139.95 bits. In this case, the average size of the sketch is about 106.55 bits,
which gives a guarantee of 33.40 bits in the left-over entropy, which is again almost the same as in the former case.
However, despite the increase in the average size of the sketch (averaged over 40 users) when min-entropy
based feature selection is used (40.35 bits when the first n = 20 PCs are selected; 43.46 bits when the first
20 features with the highest estimated min-entropy are selected), the variance of this estimate is much
lower for the proposed feature selection technique. In particular, these variances are calculated as 11.50 and 9.19
respectively for n = 20, and 46.41 and 26.71 respectively for n = 50.
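The left-over entropy accounting of Eq. (13) and the min-entropy based feature selection described above, worked through on constructed toy data as an added example (this is not code from the paper). It assumes a per-component sketch size of log2(2δ + 1) for an integer tolerance δ; the quantized feature columns and per-user tolerance table are made up, and only the 61.95 / 43.46 bit figures are taken from the text.

```python
import math
from collections import Counter

def min_entropy_bits(values):
    """Estimated min-entropy of one quantized feature: -log2 of the most frequent value's share."""
    counts = Counter(values)
    return -math.log2(max(counts.values()) / len(values))

def component_sketch_bits(delta):
    """Sketch size of one component with integer tolerance delta: log2(2*delta + 1), as in Eq. (13)."""
    return math.log2(2 * delta + 1)

def user_sketch_bits(deltas):
    """Sketch size for one user: sum over the selected components of that user's tolerances."""
    return sum(component_sketch_bits(d) for d in deltas)

def leftover_entropy(min_entropy, sketch_bits):
    """Worst-case key-strength guarantee: estimated min-entropy minus the entropy-loss bound."""
    return min_entropy - sketch_bits

def select_by_min_entropy(feature_columns, n):
    """Indices of the n features with the highest estimated min-entropy, best first."""
    order = sorted(range(len(feature_columns)),
                   key=lambda i: min_entropy_bits(feature_columns[i]), reverse=True)
    return order[:n]

def sketch_size_stats(delta_table):
    """Mean and population variance of the per-user sketch size over all users."""
    sizes = [user_sketch_bits(row) for row in delta_table]
    mean = sum(sizes) / len(sizes)
    return mean, sum((s - mean) ** 2 for s in sizes) / len(sizes)

# Constructed toy data (not from the paper): four quantized components, eight samples each.
FEATURES = [
    [0, 0, 0, 0, 0, 0, 0, 0],  # constant component: 0 bits of min-entropy
    [0, 1, 0, 1, 0, 1, 0, 1],  # 1 bit
    [0, 1, 2, 3, 0, 1, 2, 3],  # 2 bits
    [0, 0, 0, 1, 1, 2, 3, 4],  # most frequent value 3/8: about 1.42 bits
]
# Constructed per-user tolerances (rows = users, columns = the n selected components).
DELTAS = [[1, 1, 1], [1, 2, 1], [3, 1, 2]]

if __name__ == "__main__":
    n = 3
    mean, var = sketch_size_stats(DELTAS)
    ideal = n * math.log2(3)  # n log 3: every component tolerates exactly one quantization step
    print("selected features:", select_by_min_entropy(FEATURES, n))
    print(f"ideal loss {ideal:.2f} bits, average sketch {mean:.2f} bits, variance {var:.2f}")
    # The paper's n = 20 case with min-entropy selection: 61.95 - 43.46 = 18.49 bits left over.
    print(f"left-over entropy: {leftover_entropy(61.95, 43.46):.2f} bits")
```

Because each user's tolerances differ, the average sketch size exceeds the n log 3 ideal and has a non-zero variance across users, which is the effect the text measures.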

5. CONCLUSIONS AND DISCUSSIONS


In this paper we study the problem of secure storage of biometric templates and examine a recently proposed
cryptographic primitive called secure sketch. We carefully investigated the effect of randomization on the security
and the performance of the proposed quantization-based secure sketch implementation. We showed that
randomization not only improves the authentication performance of the scheme significantly, but also provides
cancelability and diversity. However, it is worth noting that the security analysis can (and should)
be performed separately. More specifically, the min-entropy should be estimated before randomization.
Furthermore, we investigated the problem of feature selection. In particular, we proposed to choose feature
components by their estimated min-entropy. Experimental results showed that
the proposed feature selection provides a better estimate of the average sketch size without compromising the
final key strength.
We note that the entropy loss is a worst-case bound: it states that there exists an input distribution
that will give such an amount of information leakage, but not necessarily the distribution of the particular biometric
data. In other words, the entropy loss is an upper bound on the information leakage, and the estimated entropy
loss may not be accurate in practice.
Furthermore, another important problem is measuring the amount of information in biometrics. The main difficulty here is related not only to the selected feature representation of the biometric data, but also to
the matching algorithm employed. This becomes a more relevant question when evaluating secure sketch based
biometric template protection methods, and we consider it an open question to bound the exact information
leakage without exact knowledge of the amount of information in a given biometric modality.

ACKNOWLEDGMENTS
This material is based upon work partially supported by the National Science Foundation under Grant No:
0716490.
