Over the years, a number of biometric template protection schemes, often based on the notion of “cancelable biometrics”, have been proposed. An ideal cancelable biometric algorithm complies with four criteria: irreversibility, revocability, unlinkability, and performance preservation. Cancelable biometrics employs an irreversible but distance-preserving transformation to convert the original biometric templates into protected templates. Matching in the transform domain can be accomplished due to the property of distance preservation. However, distance preservation also entails security issues, a point often overlooked in existing research. In this paper, we have conducted a comprehensive security analysis of distance preservation in cancelable biometrics for the first time. The analysis is based on a pre-image attack, which is launched to break the security of cancelable biometrics under Kerckhoffs’s assumption. Furthermore, we propose a general security analysis framework under the single and cross-transformation attacks, which also employs an information leakage estimation strategy based on mutual information as a complement. Experiments performed on real face, iris, and fingerprint data demonstrate that the risks originating from the matching scores computed from the distance/similarity of two cancelable templates greatly compromise the security of cancelable biometric schemes, including the classic Biohashing, Index-of-max hashing, Non-linear multi-dimensional spectral hashing, Indexing-First-One hashing, Bloom Filter and Two-factor Protected Minutia Cylinder-Code. The security versus accuracy trade-off is discussed and recommendations for designing a biometric system secure against pre-image attacks are also proposed. The source code is available at github.com/biometricsecurity/CBrisks.
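To make the distance-preservation point concrete, the following added example (not code from the paper or from the CBrisks repository) measures how closely a matching score between two protected templates tracks the angle between the unprotected feature vectors. It assumes a simplified BioHashing variant (token-seeded Gaussian projection thresholded at zero, without the orthonormalization step); the feature vectors, token values and function names are constructed for illustration.

```python
import math
import random

def biohash(features, token_seed, n_bits=256):
    """Simplified BioHashing (assumption): token-seeded Gaussian projection, sign bit."""
    rng = random.Random(token_seed)  # the user token determines the projection
    code = []
    for _ in range(n_bits):
        row = [rng.gauss(0.0, 1.0) for _ in features]
        code.append(1 if sum(r * f for r, f in zip(row, features)) >= 0 else 0)
    return code

def hamming_fraction(a, b):
    """Matching score: fraction of differing bits between two protected templates."""
    return sum(x != y for x, y in zip(a, b)) / len(a)

def angle(u, v):
    """Angle in radians between two unprotected feature vectors."""
    dot = sum(a * b for a, b in zip(u, v))
    norm = math.sqrt(sum(a * a for a in u)) * math.sqrt(sum(b * b for b in v))
    return math.acos(max(-1.0, min(1.0, dot / norm)))

def angle_from_score(score):
    """For sign random projections E[Hamming fraction] = angle / pi,
    so the score alone yields an estimate of the original-domain angle."""
    return score * math.pi

def leakage_report(seed=7, dim=64, token=12345):
    """Return {probe: (true angle, angle estimated from the score)} on constructed data."""
    rng = random.Random(seed)
    enrolled = [rng.gauss(0, 1) for _ in range(dim)]      # constructed template
    genuine = [x + rng.gauss(0, 0.1) for x in enrolled]   # same subject, small noise
    impostor = [rng.gauss(0, 1) for _ in range(dim)]      # unrelated subject
    reference = biohash(enrolled, token)
    report = {}
    for name, probe in (("genuine", genuine), ("impostor", impostor)):
        score = hamming_fraction(reference, biohash(probe, token))
        report[name] = (angle(enrolled, probe), angle_from_score(score))
    return report

if __name__ == "__main__":
    for name, (true_angle, estimate) in leakage_report().items():
        print(f"{name}: true angle {true_angle:.3f} rad, from score {estimate:.3f} rad")
```

The same property that lets genuine and impostor probes be separated in the transform domain means every returned score is a measurement of the enrolled template's geometry, which is why score exposure has to be considered when assessing irreversibility.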