Fractional biometrics: safeguarding privacy in biometric applications


Int. J. Inf. Secur. (2010) 9:69–82
DOI 10.1007/s10207-009-0096-z

REGULAR CONTRIBUTION

Fractional biometrics: safeguarding privacy in biometric applications

Duncan Bayly · Maurice Castro · Arathi Arakala · Jason Jeffers · Kathy Horadam

Published online: 1 December 2009
© Springer-Verlag 2009

Abstract This paper presents a biometric system solution that “masks” a fraction of a person’s biometric image before submission, to reduce the possibility of forgery and collusion. A prototype system was constructed for the fingerprint biometric and tested in three security scenarios. It is shown that implementing the fractional biometric system does not significantly affect accuracy. We provide theoretical security analysis on the guessing entropy of a Fractional Template and the security against collusion. We demonstrate that by masking above 50% of the biometric features, we achieve a sufficient mix of security, robustness and accuracy to warrant further study. When 75% of the features are masked, we found that the theoretical guessing entropy is 42 bits, and we found that, on average, 5 authenticators had to collude before the system would be compromised.

Keywords Biometrics · Privacy · Relationship pseudonymity · Fingerprint

D. Bayly · M. Castro · A. Arakala · J. Jeffers · K. Horadam (B)
Mathematics, RMIT University, GPO BOX 2476, Melbourne, VIC 3001, Australia
e-mail: [email protected]


1 Introduction

Verification and identification are serious problems for governments, businesses and consumers. They can provide many benefits for users but raise the spectre of surveillance and mass control. Therefore, to incorporate more security in our systems, there is at times a legal obligation to demonstrate that there will not be an accompanying reduction in privacy.

One way to verify a person’s identity is to use measurements of his physiological or behavioural characteristics, i.e. biometrics. Biometric verification has been deployed in government and high security applications (passports, ID cards) and commercial applications (employee attendance tracking, door locks for homes, supermarket cards).

The biometric information captured from a user is often public. As an authentication token, its advantage arises from being tied to the presence of the user and being difficult to transfer between users. Fake biometrics like gummy fingerprints, face masks or pre-recorded voice could be presented by attackers at the sensors of a system. Such attacks can be thwarted by liveness detection mechanisms either in the sensor or template creation module of the biometric authentication system.

At the other end of the system where the submitted biometric is stored in digital form in a database or smartcard, it is vulnerable to attacks such as stealing or copying of the digital representation of the biometric and reverse engineering the digital representation to give an image of the original biometric. These have adverse implications on the privacy and security of the user.

Can a biometric system be constructed that provides a high level of convenience, but also protects our privacy and security? Can we create digital representations (templates) of the biometric that allow revocation and reissuing on compromise? This article explores an answer to these questions: Fractional Biometrics. Fractional Biometrics is a technique that can allow us to use biometric systems without the fear that large organisations may be colluding to track our actions and movements and can ensure that we can recover from fraudulent behaviour that may compromise a verification system. This article focuses on the protection of the privacy and security of an individual’s stored biometric template against attack by a malicious entity. The analysis can be extended to study the system’s robustness to a ‘wholesale’ attack of all the templates stored in a database.

1.1 Securing the biometric template using fractional biometrics

Significant research has gone into techniques that secure the biometric template during comparison as well as storage. One approach is to use error correcting codes to correct a certain number of errors in a biometric template within a given metric space, by making some information about the enroled template public. This public information (also called helper data, Vault or Sketch) must be insufficient for an attacker to compromise the system by guessing the biometric template. Examples of such constructs are the Fuzzy Commitment Scheme [15], Fuzzy Vault Scheme [14], Fuzzy Extractors [8] and Secret Extraction Codes [18,29]. These schemes have been generally termed Biometric Encryption [6]. The common feature of these schemes is that the biometric template derived from the user is securely stored and compared without the need for any other secret key or token. These encryption mechanisms allow the biometric to be used more conveniently than a password or a token.

Arakala et al. [1,2], Jeffers et al. [12,13] and Nandakumar et al. [21] have implemented and analysed the Fuzzy Extractors and Fuzzy Vault for secure comparison of minutiae-based fingerprint templates. However, in the implementations, the encrypted templates are susceptible to a brute force attack.

The one advantage the mentioned encryption schemes could not provide over passwords and tokens is revocability. If for some reason, the biometric is compromised, then very little can be done to recover from it. First, there are very few options to revoke the biometric and issue another one for the person. Secondly, the compromised biometric template could reveal significant information about the person’s identity and could be misused by malicious entities. For example, it has been shown for fingerprints that it is possible to reconstruct a likeness of the original enroled fingerprint from the digital template [26]. This implies that the compromised fingerprint template could potentially identify the person in institutional records such as police, without prior consent from the individual. This compromises an individual’s right to anonymity.

Therefore, there is a growing need to build revocable biometric templates akin to passwords that can be regularly reissued, with different tokens for different organisations and each token statistically independent of the others from the same biometric. Creating such tokens is one of the goals of the TURBINE project [28] which has recently outlined a reference architecture for a template-protected biometric system [16].

One method of creating revocable templates is to apply a one-way non-invertible transform on the biometric template. This idea, called “Cancelable Biometrics”, was first proposed by Ratha [23]. The transformed template is in the same feature space as the original template. The only drawback is that every biometric sample undergoes intra-sample variation, and the one-way functions could magnify slight differences between genuine templates. Every biometric undergoes a different type of variation between templates. Therefore, functions must be designed particular to the nature of the biometric modality being chosen. Subsequent work by Ratha et al. [24,25] provided implementations for face and fingerprint biometrics using “locally smooth and globally not smooth” functions. Their implementations did not significantly degrade match performance in the transformed domain. The advantage is that these functions need not be kept a secret, and it will be computationally infeasible to reconstruct the original biometric from the transformed version.

However, this scheme does not provide perfect secrecy as the attacker could use a brute force technique to try to determine the original template. The greater a one-way function’s strength against brute force attack, the more it distorts a biometric template’s local smoothness and hence degrades the performance. There will be a trade-off between the two goals.

A second method is to use a two-factor scheme where the biometric template is coupled with a random key. Teoh et al. [27] have implemented a construct called BioHash on the face, finger and palmprint biometrics. Such techniques use a random private key along with biometric features in a fixed length and ordered feature vector to create revocable templates. Teoh et al. used the failure of a test of statistical independence as a match criterion for a template pair.

Fractional Biometrics is another technique that also uses a two-factor scheme to achieve revocability in addition to security of the biometric template. This idea was developed independently of Ratha et al. [23–25] and Teoh et al. [27] and complements the work they have done on Cancelable Biometrics. Both Fractional and Cancelable biometric schemes use traditional matchers to perform matching, unlike Biometric Encryption schemes where the matching process needs to be redesigned to account for the public helper data. It should be possible to enhance the security of templates in the Fractional and Cancelable biometric schemes by using an appropriate Biometric Encryption scheme to compare the secured templates. In this article, we will only focus on the testing of the Fractional Biometric System.


The core idea of Fractional Biometrics is to disguise a biometric before submitting it for verification. By altering the disguise for different verifiers, we can thwart any attempts to share and cross reference this information about users. These disguises or “masks” are held on a device, such as a smart card or mobile phone, that will take the original biometric image, extract the features and then replace some with artificial features that are stored in a “mask”. Each user will have a distinct “mask” for every authenticating entity they interact with.

By identifying ourselves first to a trusted device, we confidently release a small amount of biometric information to an authenticating organisation, without fear that our identity will be compromised. If our identifying token is compromised by the authenticator or an attacker, then the repercussions will be limited to our business with that organisation. As it will not be possible to determine our identity from a compromised identifying token alone without the corresponding mask, our transactions with other organisations cannot be traced without the associated masks on the device.

Fractional biometrics addresses the problem of maintaining the privacy of users while still contributing significant security to authentication transactions. Maltoni et al. [19] have noted that the main difficulty with Cancelable Biometrics is the effect the transformation can have on matching the resulting images. The major point of difference between Fractional and Cancelable Biometrics is in the transform. The original features can be preserved under Cancelable Biometrics, but their relative positions will be altered. Under Fractional Biometrics, a proportion of the features are replaced with false or pregenerated features. This may involve shifting or replacing their position (as is tested here) or altering the feature type (for example, a ridge bifurcation may become a termination in fingerprints, and a corona may be recorded as a freckle in iris verification).

1.2 Scope and summary

First, fingerprints were the only biometric to be tested using Fractional Biometrics. This modality was chosen, because it is one of the most popular and accepted biometric types. Nonetheless, fingerprints follow a standard path for biometric verification, which means that generalisations can be drawn for other biometric types. Fractional Biometrics will be an option for any biometric technique as long as artificial features can be generated and added to the template after feature extraction.

Secondly, only the Fractional Biometric matcher was implemented. For a complete prototype, it would be necessary to incorporate a scanner and implement the algorithm on a smart card or mobile phone. This would model a complete Fractional Biometric system, from enrolment to image acquisition to verification, as well as testing the computational and memory capabilities of the devices. Although a full system would permit a more comprehensive comparison between traditional and Fractional Biometrics and a more thorough analysis of the system’s security, the matcher represents the most fundamental aspect of the Fractional Biometric process and acts as a satisfactory proof-of-concept.

We designed and ran experiments to test the accuracy and security of fingerprint Fractional Biometrics. The fractional biometric system and experiments are described in Sect. 2. The results and analysis are detailed in Sect. 3.

The extra masking step in a Fractional Biometric System introduces new error. However, this error was found generally to be slight.

The Fractional Biometric system was tested for attacks involving the acquisition of the biometric image or the template. These simulate attacks where an opponent forged a user’s biometric or stole another organisation’s version. In both of these cases, the more masking information that is used, the more protection and security that Fractional Biometrics can offer.

Another threat is that a user’s smart card, holding their masking information, could be obtained by an adversary. While it is possible that some fingerprint residue on the card might provide additional information to an attacker, we have not considered this. We found that as the proportion of masking information increases, the user becomes less protected against this type of attack, but even with 100% masking, some protection is retained.

Therefore, there exists a trade-off between a fractional biometric system’s robustness against image or template reuse and its robustness against smart card (and hence mask) theft. Theoretical security analysis for all three attacks is included. We also estimate the security against a collusion attack by authenticating identities.

This paper shows that Fractional Biometrics can provide security, robustness and relationship pseudonymity [22] within an environment that allows customisable setting of these features.

2 Method

2.1 Fingerprint data

Fingerprint data were collected independently from 37 volunteers, who each provided 5 rolled off-line inked prints of one thumb and 5 of one forefinger. The inking was assisted and supervised by researchers. Smudged or unclear prints were taken again. These prints were then scanned using a flatbed scanner set at 600 dpi. The resulting images measured between 540 by 461 pixels and 980 by 962 pixels.


Maltoni et al. [19] set out some of the pitfalls of testing a biometric system, which we have addressed. This system used separate data sets for training and testing. The first five subjects were placed in the training set used to evaluate possible parameter settings. The remaining 32 subjects were placed in the testing data set. While the data set is not large, the collected data measure 64 fingerprints by 5 impressions. In comparison, the FVC2000 database has 110 fingerprints by 8 impressions [19]. Our database had no smudged fingerprints. The tests are designed to measure the performance of the matching algorithms, not minutiae detection. While the ROC (receiver operating characteristics) curves developed from this database plot the accuracy of the matching modules only, this should not affect the applicability of the results for broadly comparing conventional and Fractional Biometric systems as the experiment assumes identical minutiae extraction techniques. Both the control and the Fractional Biometric systems were tested with exactly the same data sets.

Feature Vectors, consisting of the x and y coordinates of the core and surrounding minutiae, were extracted manually. At least 30 minutiae were identified for each image. This should be more than sufficient for identity verification as only 7 to 16 matching minutiae are needed for a legal identification (depending on the country or state).

2.2 Control system

Current AFMSs (Automatic Fingerprint Matching Systems) extract several features like minutiae location, type and orientation, ridge frequency, ridge orientation and pattern of the sweat pores from fingerprints to assist in matching [11]. We implemented a simple fingerprint matching system as a control, so that the accuracy of the Fractional Biometric system could be compared against it. A number of design decisions were made to simplify the matching. The core of the fingerprint was specifically marked during the minutia extraction, which allowed fast calculation of differences in translation and rotation. Minutiae locations were the only features extracted to create the templates. While including feature direction may have improved the accuracy, initial tests showed that a satisfactory level of precision was achieved without it. In any case, our prototype can be easily extended to include all the features used in a typical AFMS.

The general approach to match two fingerprints is to designate one the enroled image and the other the query image. The enroled image is the fingerprint that is stored in a database during enrolment. The query image is the image that is scanned in during verification and compared to the enroled image.

In order to eliminate bias in the selection of the enroled image, every fingerprint was used as an enroled, and every other image tested against it (see Sect. 2.3).

2.2.1 Translation and rotation

One of the more difficult problems in fingerprint matching is calculating the rotation and translation between the enroled images and the query images. This problem was solved in the control system by explicitly marking the core point manually. By comparing the location of the core points in both images, the horizontal and vertical translation can be found by calculating their difference in the Cartesian plane. The core also provides a centre that can be used as a pivot for finding the rotation difference. One image’s points can be rotated around its core until both images’ minutiae match.

This approach is generally avoided in other fingerprint matching systems, because core detection techniques can have trouble reliably and consistently identifying the core [19]. Because the matching relies on the core points being the same, a failure in core detection will invalidate any resulting match or non-match. However, as minutia extraction and core detection were performed manually, it was possible to use this technique to increase accuracy and reduce computation time.

In order to find the rotation difference, each enroled minutia is used in turn as a candidate until an orientation is found. The candidate feature’s distance from the core is found, and any minutiae in the query image that are a similar distance from the query core are recorded. The angular difference between the minutiae is calculated using the core as the origin, and a match is attempted at this rotation difference. If it succeeds, a fingerprint match is recorded, and the algorithm stops. Otherwise, the next candidate is tested, and a new angular difference is used.

2.2.2 Minutia matching

The matching technique used was a modification of that proposed by Mital and Teoh [20]. Under their scheme, a number of structural models are built. A structural model consists of a central feature and surrounding local features (see Fig. 1). In Mital and Teoh’s model, a boundary radius is specified, and the five features closest to the central feature that fall within the radius are noted. One of these structural models is constructed for each minutia in the print. Kovács-Vajna illustrated that even small local deformations can combine to create significant global distortion [17]. Stretching and twisting of the fingerprint during scanning can generate very different images of the same finger. By matching local features, the effect of stretching and distortion is reduced, as comparisons are only made locally.

Any query features that were matched to a feature in a local structure were forwarded to the second stage of matching. The central feature of the local structure that recorded the most matches was used as a new central feature for a local structure containing all matching features from the first stage. The number of features that matched from this large local structure was recorded, and if it exceeded some threshold, based on the legal requirement for a fingerprint match, then a match was declared.

Fig. 1 Local structure example. Features are marked by small circles. The core of the fingerprint is found in the top left hand corner. The central feature is the centre of the dotted circle that marks the boundary radius. The coordinates to the nearest five features are measured

In the control system (or “Matcher”) built for this project, Mital and Teoh’s system was modified. There was no boundary radius, and the number of adjacent features that were added to the model was defined by a parameter, fpLS (features per Local Structure). A threshold was set that specified the number of features that had to match within a local structure for it to qualify as a match (AMT; Adjacent Match Threshold), and a matching decision was made on the number of local structures that matched (LMT; Local Structure Match Threshold).

When a fingerprint is registered as an enroled image, the Local Structures are constructed for each minutia, which is termed the central feature of the Local Structure. The nearest fpLS features to each central feature are noted, along with the distance and angle from the central feature. The polar coordinates from the core to the central feature are also recorded.

In matching, once the rotation difference has been calculated (see Sect. 2.2.1), each Local Structure in the enroled image is loaded, and the query image is searched for minutiae that match the central feature and adjacent features of the Local Structure at that rotation offset. In order to allow some stretching and distortion, two parameters are used to control the amount of deformation permitted. Each local feature is described by its distance and orientation to the central feature. rLeniency and thetaLeniency specify the difference in polar coordinates that is tolerated between the polar coordinates from the central feature to the local feature and the polar coordinates from the central feature to a query minutia.

The first step is to match the central feature. The distance from each query minutia to where the enroled image specifies the central feature should be is calculated. If no feature is within rLeniency pixels, the Local Structure is not matched, and the next Local Structure is examined. Otherwise, the query features are searched for minutiae that are within rLeniency and thetaLeniency of the features adjacent to the core feature of the Local Structure. AMT is a parameter that dictates how many minutiae must match inside a Local Structure before the whole structure itself is classified as matched inside the query fingerprint. Obviously, AMT must be less than or equal to fpLS; that is, the algorithm will fail if more matches must be found in each Local Structure than there are minutiae to match. The final parameter, LMT, specifies how many Local Structures must be matched within a query image before a fingerprint match is stated.
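The rotation search of Sect. 2.2.1 and the Local Structure matching of Sect. 2.2.2 can be put together as below. This is an added sketch, not the authors' Matcher: the function names, the choice of the nearest query minutia as the matched central feature, and the sample coordinates are assumptions, and the data are constructed for the illustration.

```python
import math

def polar(origin, point):
    """Distance and angle of `point` as seen from `origin`."""
    dx, dy = point[0] - origin[0], point[1] - origin[1]
    return math.hypot(dx, dy), math.atan2(dy, dx)

def angle_diff(a, b):
    """Smallest absolute difference between two angles, in radians."""
    d = (a - b) % (2 * math.pi)
    return min(d, 2 * math.pi - d)

def build_local_structures(core, minutiae, fpLS):
    """Enrolment: one Local Structure per minutia (its central feature)."""
    structures = []
    for i, central in enumerate(minutiae):
        others = sorted((m for j, m in enumerate(minutiae) if j != i),
                        key=lambda m: math.dist(central, m))
        structures.append({
            "central": polar(core, central),                         # core -> central
            "adjacent": [polar(central, m) for m in others[:fpLS]],  # central -> neighbours
        })
    return structures

def count_matched(structures, q_core, q_min, rot, AMT, rLeniency, thetaLeniency):
    """Number of Local Structures found in the query at rotation offset `rot`."""
    matched = 0
    for s in structures:
        r, th = s["central"]
        expected = (q_core[0] + r * math.cos(th + rot),
                    q_core[1] + r * math.sin(th + rot))
        # Assumption: the nearest query minutia stands in for the central feature.
        centre = min(q_min, key=lambda m: math.dist(m, expected))
        if math.dist(centre, expected) > rLeniency:
            continue                      # central feature not found
        hits, used = 0, set()
        for ar, ath in s["adjacent"]:
            for k, m in enumerate(q_min):
                if k in used or m == centre:
                    continue
                qr, qth = polar(centre, m)
                if (abs(qr - ar) <= rLeniency
                        and angle_diff(qth, ath + rot) <= thetaLeniency):
                    hits += 1
                    used.add(k)
                    break
        if hits >= AMT:
            matched += 1
    return matched

def verify(structures, q_core, q_min, fpLS, AMT, LMT, rLeniency, thetaLeniency):
    """Rotation search (Sect. 2.2.1), then the LMT decision. Returns (match, rotation)."""
    if AMT > fpLS:
        raise ValueError("AMT must be less than or equal to fpLS")
    for s in structures:                  # each enroled minutia is a candidate
        r, th = s["central"]
        for m in q_min:
            qr, qth = polar(q_core, m)
            if abs(qr - r) > rLeniency:
                continue                  # not a similar distance from the core
            rot = math.remainder(qth - th, 2 * math.pi)
            if count_matched(structures, q_core, q_min, rot,
                             AMT, rLeniency, thetaLeniency) >= LMT:
                return True, rot
    return False, None

# Constructed sample data (not from the paper's data set).
CORE = (300.0, 300.0)
ENROLED = [(CORE[0] + (40 + 10 * i) * math.cos(2.4 * i),
            CORE[1] + (40 + 10 * i) * math.sin(2.4 * i)) for i in range(12)]

def second_impression(points, core, angle, shift):
    """Same finger again: 1-pixel jitter, rotated about the core and shifted."""
    jitter = [(0, 0), (1, 0), (0, -1), (-1, 1)]
    out = []
    for i, (x, y) in enumerate(points):
        dx = x + jitter[i % 4][0] - core[0]
        dy = y + jitter[i % 4][1] - core[1]
        out.append((core[0] + shift[0] + dx * math.cos(angle) - dy * math.sin(angle),
                    core[1] + shift[1] + dx * math.sin(angle) + dy * math.cos(angle)))
    return out

Q_CORE = (315.0, 292.0)
GENUINE = second_impression(ENROLED, CORE, 0.2, (15.0, -8.0))
# A different print that happens to share three minutiae with the enroled one.
OTHER = GENUINE[:3] + [(Q_CORE[0] + (45 + 10 * i) * math.cos(1.1 * i),
                        Q_CORE[1] + (45 + 10 * i) * math.sin(1.1 * i))
                       for i in range(3, 12)]
PARAMS = dict(fpLS=5, AMT=3, LMT=8, rLeniency=4, thetaLeniency=0.1)
STRUCTURES = build_local_structures(CORE, ENROLED, PARAMS["fpLS"])

if __name__ == "__main__":
    print("genuine:", verify(STRUCTURES, Q_CORE, GENUINE, **PARAMS))
    print("other:  ", verify(STRUCTURES, Q_CORE, OTHER, **PARAMS))
```

Because Local Structures are built only for the enroled print, swapping the roles of the two prints can change the outcome, which is why the testing procedure runs every comparison in both directions.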

2.3 Testing procedure

In order to find the best parameter values to use, the data were split into two sets; a training group and a testing group. The subjects were arbitrarily numbered from 1 to 37. The training group contained the fingerprints from the subjects 1 to 5 (two sets of 5 prints from each, therefore prints from ten different fingers and 50 images in total). The testing group contained the fingerprints from the 32 remaining subjects (two sets of 32 prints from each for a total of 64 prints from different fingers and 320 images in total).

Each fingerprint was loaded into the Matcher as an enroled image, and the local structures for the fingerprint were constructed. Once this was done, the enroled image was matched against all the other fingerprints in the group. If a match was recorded but the prints were not from the same finger, a False Match was recorded. If a non-match was recorded and the fingerprints were from the same finger, a False Non-Match was recorded. Counts of the types of comparisons were also kept to record a false match rate (FMR) or false non-match rate (FNMR) at the end of the test.

Once all the fingerprints were loaded and each tested as an enroled image, the error rates for the control matcher were recorded. The testing procedure was repeated for each parameter setting.

This procedure allowed each fingerprint to be tested as both an enroled image and a query image. It was necessary to run the tests in both directions, so that for each comparison, each fingerprint would take the role of the enroled image and of the query image. This was because the local structures were only constructed for the enroled images, and hence the result of the comparison could differ depending on which fingerprint was the enroled image.

2.4 Fractional biometric system

The diagram of the Verification Process of the Fractional Biometric System is shown in Fig. 2. The Fractional Biometric System has 3 components: the captured biometric image, the smartcard and the central database and matcher. The first two components will be held by a user, and the third component will be operated by an authenticator. The enrolment process is identical to the verification process with the exception that the matchers in the smartcard and identifier will be unused.

Fig. 2 Fractional biometric verification process (diagram blocks: Biometric Image, Feature Extractor, Original Feature Vector (OFV), Matcher, Masking Module, Original Template, Mask, Fractional Feature Vector (FFV), Fractional Template, Fractional Biometric Module)

A Fractional Biometric System alters the enroled and query features in order to prevent authenticators from matching the user with other entities that may hold the biometric image.

During enrolment, the following operations occur:

1. The user’s biometric image is processed, and the extracted features are stored in a register called the Original Feature Vector (OFV).

2. A file called the Mask is generated by a mask generation algorithm in the following manner: For every feature in the OFV, a random number R between 0.0 and 1.0 is generated. If R is less than the parameter fbProb, then a random noise θ value, between 0 and 2π, and a random noise r value are generated. The θ value will be R × 2π. The r value will be $(\max R - \min R + 10) \times R - \frac{\max R - \min R}{2}$, where min R and max R are the smallest and largest distances between the core and the minutiae in the enroled image. Both of these values are represented as double precision floating point numbers. When they are converted to a pixel position in the image, the position is rounded to the closest pixel. The points generated when R is less than fbProb are called Mask Points. When R is greater than fbProb, the r and θ values are set to 0 and called Clear Points. The Mask Points and Clear Points together form the Mask.

3. The content of the OFV is input to the Masking Module which uses the Mask to map features in the OFV to the features in the Fractional Feature Vector (FFV) register. The Masking Module adds every feature in the OFV with its corresponding feature (Mask Point or Clear Point) in the Mask. The resulting randomised features are stored in the FFV. Note that when a Clear Point is added to a feature from the OFV, that feature remains unaltered in the FFV. Only features to which Mask Points are added get altered in the FFV.

4. The content of the FFV is sent to the database as the Fractional Template for that user. The content of the OFV register obtained at enrolment is stored as the user’s Original Template along with the Mask in the user’s smart card or similar portable device. These two files along with the Matcher and the Masking Module form the Fractional Biometrics Module of the smartcard. The OFV register in the smart card and FFV register are now cleared of their contents.

During verification, the user’s query biometric image is sent to the smart card. The extracted features are stored in the cleared OFV register. The content of the OFV is then compared with the Original Template using the matcher in the Fractional Biometric Module. If the feature vectors do not match, the verification fails. If the feature vectors match, the rotation variation in the OFV with respect to the Original Template is corrected. Then, the features in the OFV register are modified by the values in the Mask in the following manner: For each feature entry in the Original Template, the nearest feature in the OFV is found. If this feature is within rLeniency pixels of the Original Template entry, then the corresponding point in the Mask is added to the feature in the OFV, and the resulting coordinates are written to the FFV register. All features in the OFV that are not matched to a feature in the Original Template are discarded. The resulting content of the FFV register is then sent to the control Matcher, which compares it to the Fractional Template created during enrolment. If these two vectors are matched, the Matcher confirms the verification.
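The enrolment steps and the verification-time masking described above, as an added sketch that is not the authors' implementation. It assumes that θ and r each use a fresh uniform draw, that a mask entry (r, θ) is applied as a Cartesian displacement added to the feature's (x, y), and that the query has already passed the on-card match and rotation correction; function names and sample coordinates are constructed for the illustration.

```python
import math
import random

def generate_mask(ofv, core, fbProb, rng):
    """Step 2: one (r, theta) entry per OFV feature; (0.0, 0.0) is a Clear Point."""
    dists = [math.dist(core, f) for f in ofv]
    span = max(dists) - min(dists)          # max R - min R in the paper's notation
    mask = []
    for _ in ofv:
        if rng.random() < fbProb:           # Mask Point
            # Assumption: theta and r each use a fresh uniform draw in [0, 1).
            theta = rng.random() * 2 * math.pi
            r = (span + 10) * rng.random() - span / 2
            mask.append((r, theta))
        else:                               # Clear Point
            mask.append((0.0, 0.0))
    return mask

def add_mask_point(feature, mask_point):
    """Assumption: the polar offset is added as a Cartesian displacement,
    then rounded to the closest pixel."""
    r, theta = mask_point
    return (round(feature[0] + r * math.cos(theta)),
            round(feature[1] + r * math.sin(theta)))

def enrol(ofv, core, fbProb, rng):
    """Steps 2-4: returns (Mask kept on the card, Fractional Template for the database)."""
    mask = generate_mask(ofv, core, fbProb, rng)
    return mask, [add_mask_point(f, m) for f, m in zip(ofv, mask)]

def mask_query(original_template, mask, query_ofv, rLeniency):
    """Verification on the card: mask the matched query features, discard the rest."""
    ffv = []
    for entry, mask_point in zip(original_template, mask):
        nearest = min(query_ofv, key=lambda q: math.dist(q, entry))
        if math.dist(nearest, entry) <= rLeniency:
            ffv.append(add_mask_point(nearest, mask_point))
    return ffv

def coinciding(template, features, tol):
    """How many template entries lie within tol pixels of some given feature."""
    return sum(1 for t in template
               if min(math.dist(t, f) for f in features) <= tol)

# Constructed sample data (not from the paper's data set).
CORE = (300, 300)
OFV = [(340, 300), (263, 334), (305, 240), (343, 356), (221, 286), (376, 251),
       (274, 397), (207, 207), (413, 341), (180, 350), (359, 173), (345, 443)]
# Second impression of the same finger: small shifts, one minutia missed by the
# extractor (index 3) and one spurious minutia added.
QUERY = [(x + dx, y + dy) for (x, y), (dx, dy) in
         zip(OFV, [(0, 1), (2, 0), (-1, -1), (1, 2)] * 3)]
QUERY = QUERY[:3] + QUERY[4:] + [(120, 480)]

if __name__ == "__main__":
    mask_a, tmpl_a = enrol(OFV, CORE, 0.75, random.Random(1))   # organisation A
    mask_b, tmpl_b = enrol(OFV, CORE, 0.75, random.Random(2))   # organisation B
    ffv = mask_query(OFV, mask_a, QUERY, rLeniency=6)
    print("FFV entries aligned with template A:", coinciding(ffv, tmpl_a, 3), "of", len(ffv))
    print("raw query features found in template A:", coinciding(tmpl_a, QUERY, 3))
    print("template A entries found in template B:", coinciding(tmpl_a, tmpl_b, 3))
```

The last two printed counts correspond to the image-reuse and template-reuse situations: only positions left as Clear Points carry over, so raising fbProb lowers both.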


2.5 Security testing

Three cases of partial compromise were tested using the Fractional Biometric system to determine the reduction in security.

The first situation is where an imposter acquires the fingerprint of a user, but not the Mask. Could the imposter use only the fingerprint information to authenticate himself as the user? To test this situation, the parameters were set to the values that gave the FMR/FNMR closest to the EER when fbProb is set to 0% (i.e. in the control system). At this point, the FMR was 3.57%, and the FNMR was 4.06%, giving a ratio of 1.14:1 rather than 1:1 at the EER. Every fingerprint was enroled using a randomly generated Mask, and the resulting Fractional Template was stored in the database. In order to test against image reuse, we compared the Fractional Template of each user with feature vectors of the images from the same finger. We modified the verification process to test this security vulnerability as follows: We loaded the OFV from the query image directly into the FFV module, without passing through the Fractional Biometric Module, so that the entire OFV could be compared with the Fractional Template by the control Matcher. As the enroled template is masked, it ideally should not match with any of the FFVs at verification. Hence the error rate recorded here is the FMR. The results appear in Sect. 3.2.1.

The second scenario involves a malicious system administrator taking a user’s Fractional Template and using that to fraudulently authenticate themself at another organisation where the user is enroled. For this experiment, the previous test’s parameter set was reused. A fingerprint from each user is enroled in the Fractional Biometric System, and the corresponding Fractional Template is created. To test against fractional template reuse, for each user, the Fractional Template is compared against FFVs from different images of the same finger to which a different Mask is applied. The verification process was carried out as follows: For every user, another image from the same finger was used to create the OFV, a Mask different to that used for enrolment was generated, and a corresponding FFV was created. The enroled Fractional Template was then compared with the FFV. In this case as well, as the masks are different, the templates must not match. The test was done for all users in the database, and the FMR was recorded. These results appear in Sect. 3.2.2.

The final scenario we test is where the imposter manages to steal the user’s smart card. We assume that the smart card can be used by an imposter but not read or altered. Would the imposter be able to use the smart card to pretend to be the user? Again, each user’s fingerprint is enroled using a random Mask, and the corresponding Fractional Template is stored in the database. To test against mask theft, we compare each user’s Fractional Template with FFVs created by masking OFVs of different fingerprints with the same Mask used for the enroled Fractional Template. The verification process is carried out as follows: Each fingerprint from other fingers is loaded into the OFVs, and the corresponding features from the Mask are added to it without calculating the rotation difference to generate the FFV. Although the masks are the same, the fingerprints are different and must not match. Therefore, we record the FMR of the experiment. The results can be seen in Sect. 3.2.3.

Fig. 3 Control ROC curve (x-axis: False Match Rate (%); y-axis: False Non Match Rate (%), logarithmic scale)

Table 1 Control error rates

Rate               Value (%)
EER                4.0
FMR100             6.9
FMR1000            9.8
Cumulative error   1.431

3 Results and analysis

3.1 Accuracy

The measures of accuracy used in this section are EER, FMR100^1, FMR1000^2 and cumulative error^3.

3.1.1 Control experiment

The control system was run as described in Sect. 2.2. The resulting ROC curve is displayed in Fig. 3, and the error rates are given in Table 1. The EERs of the top three entries to the Fingerprint Verification Competition 2002 (FVC2002) were all less than 0.5% [19]. While the accuracy here is not of commercial standard, the control system exhibits similar behaviour to standard biometric systems. Its EER, FMR100 and FMR1000 would have ranked it around 16 out of 31 competitors in FVC2002. However, it should be noted that those systems also performed feature extraction, and this system only conducts fingerprint matching. Because these results show that the base fingerprint matching algorithm exhibits expected behaviour, it is a suitable base for Fractional Biometrics to be built upon.

1 The FNMR when FMR is 1/100.

2 The FNMR when FMR is 1/1000.

3 Cumulative Error: Area under the ROC Curve.

3.1.2 Fractional biometrics

The Fractional Biometric system was run with five different proportions of random information inserted into each Mask. 0% random information can be treated as a control. However, the accuracy rates differ slightly. This is caused by the second round of orientation and matching that must be done under Fractional Biometrics, which introduces an additional opportunity for error.

Figure 4 plots the accuracy for each level of masking and shows that accuracy deteriorates as more random masking information is used. However, the greatest overall loss in cumulative accuracy is only 13% from 0.01403 (0% Masking Proportion) to 0.01614 (25% Masking Proportion). The EER deteriorates by around 0.3% for each 25% increase in masking information. This means that any benefit that Fractional Biometrics provides to biometric systems will be for only a minor decrease in accuracy. Error rates are given in Table 2.

By using the core as a pivot for the matching algorithms, Fractional Biometrics was able to display robustness despite shifts and rotations in the fingerprints. This highlights an advantage over transforming under Cancelable Biometrics; Fractional Biometrics is able to withstand positional movements in the image.

3.2 Security analysis

Fig. 4 Fractional biometric ROC curve (combined) (x-axis: False Match Rate (%); y-axis: False Non Match Rate (%); curves: 0%, 25%, 50%, 75%, 100%)

Table 2 Fractional biometric error rates

Masking proportion (%)   EER (%)   FMR100 (%)   FMR1000 (%)   Cumulative error rate
0                        4.0       6.9          10.7          0.01403
25                       4.3       6.4          11.1          0.01614
50                       4.6       7.1          12.5          0.01766
75                       5.0       8.5          13.2          0.01822
100                      5.4       8.3          13.4          0.01935

Accuracy can be used as an empirical measure of the security of the system against a masquerade attack. In a Fractional Biometric system, as the Fractional Template is in a public database, it would be useful to get a theoretical measure of the robustness of a Fractional Template to attempts by an attacker to use it to masquerade as the valid user. We assume that an attacker will masquerade as a valid user by trying to create a template which has enough features from the user’s fingerprint to be successfully matched to the user’s Original Template T stored in the smart card. Recall from Sect. 2.4 that the OFV from the query fingerprint, which we will call the Query Template Tq, must be matched to the Original Template T to confirm orientation, before Tq’s FFV can be created in the verification process. In this section, we set bounds on the Guessing Entropy of the Fractional Template of a valid user i.e. we estimate how hard it will be for an attacker to create a Tq that will fool the matcher in the smart card, if all he knows is the Masking Proportion and the matching threshold of the matcher in the smart card. Our main assumptions in the analysis are as follows:

1. The features from the OFV to be masked are chosen perfectly at random.

2. The Masked Features introduced are uniformly chosen from the set of possible features.

3. The smart card can be stolen, but its contents cannot be read by the attacker.

4. The optimum method for an attacker to create Tq from the Fractional Template T′ in the database is to identify which features in T′ are Masked Features and which features are not. The next step will be to replace the Masked Features with features that could possibly be part of the Original Template and test if the newly created template Tq fools the matcher in the smart card.

It is not possible to determine exactly how many choices an attacker has to replace a Masked Feature with his guess of the correct feature. However, an approximation to the exact number can be made. Recall that rLeniency and thetaLeniency are the acceptable variations in the radial and angular positions of a feature. Let Rmax be the maximum radial dimension, and 360° is the maximum angular dimension in the reference frame on which the features are located. A close estimate to the number of distinct features in the reference frame is:

$$N = \frac{R_{max} \times 360}{\mathrm{rLeniency} \times \mathrm{thetaLeniency}} \tag{1}$$

Let F be the number of features in a person’s Original Template T. When the Fractional Template T′ is created, let f be the number of features in it that are Unmasked. This section will estimate the probability that an attacker having access to a Fractional Template T′ can successfully guess enough features of the Original Template T, so that he can masquerade as the original user.

Let the matcher in the smart card be designed, so that M is the maximum set difference that can occur between a Query Template Tq and the Original Template T for Tq to be successfully matched to T and proceed with the fractioning process. The set difference metric is used in analysing the matching success, because the matcher compares local structures in T and Tq to make a match decision. If T and Tq vary by more than a certain limit, the corresponding local structure shapes will vary greatly, and the matcher will indicate a matching failure.

The size of the set difference between the set of features in T and T′ is 2 × (F − f). The number of features that an attacker must change in T′ to create a template Tq that will fool the matcher is:

$$d = \frac{2 \times (F - f) - M}{2} \tag{2}$$

As the attacker must choose d features to alter and each chosen feature must be replaced by one of the N possible features, there are $\binom{F}{d} \times N^d$ ways an attacker can attempt to create Tq. However, for him to succeed, he must pick d features out of the F − f Masked Features and replace them with the corresponding correct feature. Thus, the probability of the attacker creating a Tq that fools the matcher is:

$$P = \frac{\binom{F-f}{d}}{\binom{F}{d} \times N^d}$$

Consequently the Guessing Entropy, GE, is:

$$GE = -\log_2 \frac{\binom{F-f}{d}}{\binom{F}{d} \times N^d} \tag{3}$$

In order to determine the Guessing Entropy of a Fractional Template in the fractional biometric system, we substitute the actual parameters of the system into Eq. 3. The number of features on average in each template was F = 30, and the matching threshold of the matcher was set at a set difference of M = 36. The tolerance in feature position was set at rLeniency = 15 and thetaLeniency = 25, and the maximum radial dimensions of the coordinate frame was Rmax = 300.

When the Masking Proportion is 100%, the number of Unmasked Features in T′ is f = 0. Using Eqs. 1, 2 and 3 the guessing entropy to create a Tq that can fool the matcher at the above-matching threshold is roughly 98 bits. If an attacker had to correctly guess all the 30 minutiae in T to fool the matcher, the Guessing Entropy will be 245 bits. When masking is decreased to 75% i.e. f = 7, the Guessing Entropy is roughly 42 bits at the matching threshold and is 208 bits if all the features of T had to be guessed correctly.

At 50% masking and below, for the given matching threshold, the Fractional Template T′ itself has enough genuine features from T to fool the matcher. Thus, for less than 50% masking, the attacker is better off simply using T′ as the Tq to masquerade as the user in the system.
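The substitution into Eqs. 1, 2 and 3 carried through in code, as an added example that is not part of the original paper. The function names are chosen here for illustration; the parameter values are the ones quoted above, and the optional argument d covers the case where every masked feature has to be guessed.

```python
from math import ceil, comb, log2

# Parameters quoted in the analysis above.
F = 30               # average number of features in a template
M = 36               # maximum set difference accepted by the card's matcher
R_MAX = 300          # maximum radial dimension of the reference frame
R_LENIENCY = 15      # rLeniency
THETA_LENIENCY = 25  # thetaLeniency


def feature_space(r_max=R_MAX, r_len=R_LENIENCY, theta_len=THETA_LENIENCY):
    """Eq. 1: approximate number N of distinct features in the frame."""
    return (r_max * 360) / (r_len * theta_len)


def features_to_change(f, F=F, M=M):
    """Eq. 2: number d of features of T' the attacker must replace.

    A value of zero or less means T' already lies within the matcher's
    set-difference threshold of T.
    """
    return ceil((2 * (F - f) - M) / 2)


def guessing_entropy(f, d=None, F=F, M=M, N=None):
    """Eq. 3: Guessing Entropy in bits for f Unmasked Features.

    d defaults to Eq. 2; pass d = F - f to model an attacker who must
    recover every masked feature.
    """
    if N is None:
        N = feature_space()
    if d is None:
        d = features_to_change(f, F, M)
    if d <= 0:
        return 0.0  # nothing to guess: T' itself can be submitted as Tq
    if d > F - f:
        raise ValueError("d cannot exceed the number of Masked Features")
    # -log2( C(F-f, d) / (C(F, d) * N^d) ), expanded to avoid huge floats
    return d * log2(N) + log2(comb(F, d)) - log2(comb(F - f, d))


if __name__ == "__main__":
    print("N =", feature_space())
    # f = 7 for 75% masking follows the paper; f = 15 is 50% masking.
    for label, f in (("100%", 0), ("75%", 7), ("50%", 15)):
        d = features_to_change(f)
        at_threshold = guessing_entropy(f)
        all_features = guessing_entropy(f, d=F - f)
        print(f"{label:>4} masking: d = {d:>3}, "
              f"GE = {at_threshold:6.1f} bits at the threshold, "
              f"{all_features:6.1f} bits for all masked features")
```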

3.2.1 Security against original template reuse

The first potential security concern examined in Sect. 2.5 is when a user’s fingerprint image is captured, either as a latent print or as a feature vector from an existing biometric system. Using just this image, is it possible for an unregistered user to be recognised by a Fractional Biometric system?

The set-up for this experiment is described in Sect. 2.5, and the results are given in Table 3. From these results, it can be seen that as more masking information is introduced, protection against an imposter falsely using their features increases. The user is significantly protected for Masking Proportions that are greater than 50%.

Theoretically, the set difference between the original template T and the Fractional File T′ of a user is 2 × (F − f). If 2 × (F − f) ≤ M, the two templates will be considered as a match. With the parameters used previously, this happens when f ≥ 12 which corresponds to 60% masking and below. This estimate is validated by the results in Table 3 where 50% masking and below give very high match rates. Biometric image reuse in any system can be guarded against by incorporating biometric liveness detection at the scanner or feature extractor. Fractional Biometrics provides a second layer of security against such an attack.

Table 3 Biometric image reuse error rates

Masking proportion (%)   FMR (%)
0                        95.8
25                       89.4
50                       62.5
75                       12.5
100                      3.4

Table 4 Fractional template reuse error rates

Masking proportion (%)   FMR (%)
0                        96.0
25                       69.8
50                       13.0
75                       4.8
100                      4.2

3.2.2 Security against fractional template reuse

The second security concern is that a malicious system administrator could acquire a Fractional Template (containing the mix of both biometric and masking information) and use that to authenticate as the user in another Fractional Biometric system. This type of attack could occur if the imposter was able to bypass the Fractional Biometric stage and directly submit the Fractional Template to the matcher of the second system. This assumes no collaboration on the part of the second Fractional Biometric system.

The set-up for this experiment is described in Sect. 2.5, and the results can be seen in Table 4. These results indicate that the more masking information that is used, the smaller the chances of an imposter succeeding at using a Fractional Biometric template to impersonate a user. When more than 50% masking information is present, the chances of an imposter succeeding are critically reduced.

The experiment supports our theoretical expectation that as the amount of unmasked features in common between the two Fractional Templates increases (with decreased Masking Proportion), and hence the set difference decreases below the match threshold of the matcher, there is a high chance that two Fractional Templates from the same finger will match. If each of the Fractional Templates has f unmasked features, on an average $f^2/F$ features will be in common between them. The set difference between them will then be $2 \times \left(F - \frac{f^2}{F}\right)$. When the Masking Proportion is reduced to a level where $2 \times \left(F - \frac{f^2}{F}\right) \le M$, the two Fractional Templates will be deemed a match. This condition will be satisfied at 36% masking and below. This is verified by the results in Table 4 where the match rates are very high below 50% masking.

Table 5 Mask theft error rates

Masking proportion (%)   FMR (%)
0                        2.3
25                       6.6
50                       16.1
75                       27.8
100                      41.0

3.2.3 Security against mask theft

The final security concern is when an imposter takes a user’s smart card and can use the Mask stored in the smart card. Could an imposter use this information to mask his or her own fingerprint and successfully impersonate a user?

The set-up for this experiment is described in Sect. 2.5, and the results are given in Table 5. The results indicate that as the masking proportion increases, the probability of two different fingerprints with the same mask being declared as a match increases. However, even when 100% masking information is used, an imposter would only be successful 41% of the time. However, this threat is more manageable when the masking information is kept below 50%.

Instead of using his own fingerprint, if the attacker was to try to create a Query Template Tq without knowledge of T′, and then use this Tq to fool the smart card’s matcher, he would have to build Tq from scratch by choosing d features out of the N possibilities. This is equivalent to an attacker trying to create Tq when he has access to a T′ with 100% Masking Proportion. The security against such an attack can be estimated by putting f = 0 in Eq. 3 in the analysis preceding Sect. 3.2.1, giving a Guessing Entropy of d log2 N. A larger d will increase the security against such an attack.

3.3 Security against collusion

Another issue in the Fractional Biometric System is Collusion. Would it be possible for different organisations having different Fractional Templates of a user to collude and generate a template that could masquerade as that user, or even determine his identity? In this section, we will estimate the average number of Fractional Templates needed to collect enough genuine features of T, so that a fake template Tq comprising those features will successfully be matched to T by the matcher in the smart card.

Let M′ be the number of features that must match between T and a query template Tq for the matcher to claim that Tq and T were derived from the same finger. We assume that the features that will be Unmasked in the Fractional Template are chosen at random from T, and the Masked features are random features that do not exist in T.

We perform our analysis using two scenarios. One, with an oracle that can identify a true feature in a Fractional Template and the second without an oracle, where a true feature is identified if it occurs in at least two Fractional Templates. In the latter case, we do not consider the possibility that Masked Features could also repeat. Thus, both cases are overestimates of the skill we expect an attacker to possess.

Case 1: Attacker with an oracle. This case assumes that the attacker possesses an oracle which can identify a true feature if it is present in a Fractional Template. Thus, the Fractional Templates disclose some information about T to an attacker who has this oracle.

Let U(i) be the number of unique features disclosed collectively by i Fractional Templates. As f Unmasked features are present when a Fractional Template is created from T, when we have only 1 Fractional Template, U(1) = f.

When a second Fractional Template is also available, on average $\frac{U(1)}{F} \times f$ Unmasked Features in the second masked file will be repeated from the first masked file, and $\frac{F - U(1)}{F} \times f$ Unmasked Features will not be repeated. These non-repeated features are unique features revealed to the attacker by the second Fractional Template in addition to those revealed by the first Fractional Template. By induction, the number of unique features collectively revealed by i Fractional Templates is given by the expression:

$$U(i) = U(i-1) + \frac{F - U(i-1)}{F} \times f$$

On solving the recurrence relation, this simplifies to:

$$U(i) = f \left( \frac{1 - a^i}{1 - a} \right), \quad a = 1 - \frac{f}{F}. \tag{4}$$

Let n be the smallest number of Fractional Templates available such that the collective feature information revealed is U(n) ≥ M′. Thus, an attacker needs on an average n Fractional Templates to create a fake template Tq that will fool the matcher in the smart card.

If 100% masking is done, the oracle will not be able to reveal any feature of T from the Fractional Templates, as the Fractional Templates will have no features in common with T.

Using the parameters of the biometric system i.e. F = 30, M′ = 12 and for a Masking Proportion of 75% which gives f = 7.5, we find that n = 2 is the smallest number such that U(n) ≥ 12, i.e. an average of two Fractional Templates will collectively give away sufficient information to create a fake template Tq that can fool the matcher. If the attacker needs to recover 29 features out of the 30, he will need n = 12 Fractional Templates.

At 50% masking and below, one Fractional Template is enough to recover more than 12 genuine features from T with the help of the oracle. With 50% Masking Proportion in the Fractional Template, we find U(4) ≥ 29 and 25% masking gives U(3) ≥ 29 i.e. the number of Fractional Templates needed to recover almost all the minutiae in T is 4 with 50% Masking Proportion and 3 with 25% Masking Proportion.

Case 2: Attacker without an oracle. We make the assumption that the attacker can identify an Unmasked Feature only if it is present in at least two Fractional Templates. We also assume that Masked Features never repeat between Fractional Templates i.e. if a feature occurs in more than one Fractional Template, it is an Unmasked feature. With this new assumption, we estimate the number of Fractional Templates that would be needed to collude and generate Tq. In this case, it is easier to compute the number of features from T present in the Fractional Templates that are left hidden when i Fractional Templates are available. Let H(i) denote this number. U(i) denotes the number of unique minutiae present in i Fractional Templates as in Eq. 4.

When only 1 Fractional Template is present, the attacker cannot get any information. All the f genuine features in the first template are hidden. Thus H(1) = f and U(1) = f.

When 2 masked templates are available, on an average $\frac{F - U(1)}{F} f$ features are Unmasked Features from T which have not occurred in the first Fractional Template. These features cannot be detected as genuine by the attacker. Also, $aH(1)$ features have occurred in the first Fractional Template but have not repeated in the second. These cannot be detected by the oracle either. By induction,

$$H(i) = \frac{F - U(i-1)}{F} f + aH(i-1) \tag{5}$$

The number of minutiae that are revealed when i Fractional Templates are available is denoted by

$$R(i) = U(i) - H(i) \tag{6}$$

Figure 5 describes how R(i) varies with i for a Fractional Biometric System with F = 30 features (both Masked and Unmasked) in each Fractional Template.

From the figure, we see that at 75% Masking Proportion, corresponding to f = 7.5, on an average 5 templates would be needed to collude and create a template Tq that has a minimum of M = 12 features in common with T. In order to uncover all the features, an average of 23 Fractional Templates would be needed. With 50% masking corresponding to f = 15 in each Fractional Template, it would take only 3 Fractional Templates to reveal M = 12 features, but it would take 8 Fractional Templates to reveal all the features in T.
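The collusion recurrences of Sect. 3.3 (the expression for U(i), Eq. 4, Eq. 5 and Eq. 6) evaluated in code and cross-checked against a Monte Carlo simulation, as an added example that is not part of the original paper. Function names are chosen here; the simulation assumes, as the analysis does, that each Fractional Template exposes f genuine features chosen uniformly at random and that Masked Features never repeat.

```python
import random

F = 30  # features per template (parameter from the paper)


def unique_features(i, f, F=F):
    """U(i) from the recurrence U(i) = U(i-1) + (F - U(i-1))/F * f, U(1) = f."""
    u = float(f)
    for _ in range(i - 1):
        u += (F - u) / F * f
    return u


def unique_features_closed(i, f, F=F):
    """U(i) from the closed form of Eq. 4."""
    if f == 0:
        return 0.0
    a = 1 - f / F
    return f * (1 - a ** i) / (1 - a)


def hidden_features(i, f, F=F):
    """H(i) from Eq. 5 with H(1) = f: genuine features seen in only one
    template, which an attacker without an oracle cannot tell from masks."""
    a = 1 - f / F
    h = float(f)
    for k in range(2, i + 1):
        h = (F - unique_features(k - 1, f, F)) / F * f + a * h
    return h


def revealed_features(i, f, F=F):
    """R(i) = U(i) - H(i) from Eq. 6."""
    return unique_features(i, f, F) - hidden_features(i, f, F)


def templates_needed_with_oracle(target, f, F=F, limit=1000):
    """Smallest n with U(n) >= target (Case 1), or None if never reached."""
    for n in range(1, limit + 1):
        if unique_features(n, f, F) >= target:
            return n
    return None


def simulate(i, f, F=F, trials=20000, seed=1):
    """Average number of genuine features seen at least once and at least
    twice across i colluding templates (f must be an integer here)."""
    rng = random.Random(seed)
    total_unique = total_repeated = 0
    for _ in range(trials):
        seen = [0] * F
        for _ in range(i):
            for idx in rng.sample(range(F), f):
                seen[idx] += 1
        total_unique += sum(1 for c in seen if c >= 1)
        total_repeated += sum(1 for c in seen if c >= 2)
    return total_unique / trials, total_repeated / trials


if __name__ == "__main__":
    f = 15  # 50% Masking Proportion
    print(" i   U(i)   R(i)   simulated U, R")
    for i in range(1, 7):
        sim_u, sim_r = simulate(i, f, trials=5000)
        print(f"{i:2d} {unique_features(i, f):6.2f} {revealed_features(i, f):6.2f}"
              f"   {sim_u:6.2f} {sim_r:6.2f}")
```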

Fig. 5 Number of features revealed by i fractional templates (x-axis: i; y-axis: R(i); curves: 50% Mask, 75% Mask)

Comment. These results show that Fractional Biometrics delivers many of the security and robustness features that were hoped for. Fractional Biometrics provides increased protection against biometric image reuse or template theft by system administrators.

While there is an increased chance of impersonation if the biometric Masks are stolen, the chance of this attack succeeding is significantly lower than the increase in protection against biometric and template attacks. In addition, this attack can be recovered from by reissuing the Masks.

Users are protected from collusion by authenticating organisations, because Fractional Biometrics alters the template issued to each organisation. This deters them from matching templates. Masks can be reissued should a system breach occur and when a new Mask is created and re-enroled, the old Fractional Template will be unrecognised by the system. This means that distribution of the fingerprint will not undermine a Fractional Biometric System’s ability to reject imposters.

These features come at a slight accuracy cost. Depending on the threat model and the application, system designers can control the trade-off between the extra security that Fractional Biometrics affords and increased accuracy.

3.4 Alternative solutions

These experiments have shown that Fractional Biometrics can provide a secure and privacy protecting system when above 50% Masking Proportion is used. However, it is important to compare this system to similar techniques that may be used.

Assuming the infrastructure used here (biometric scanners and smart cards), two competing systems are proposed for comparison with Fractional Biometrics. Corcoran et al. [7] suggest a “lock-box” type system, where a number of cryptographically secure numbers (or keys) are stored within the smart card, one for each organisation. These can only be released when a matching fingerprint is presented. The biometric testing can be done locally, and a key can then be sent as a proof-of-identity. Therefore, the biometric information will not be leaked, and the keys cannot be used as an identification technique as there is nothing inherent about them to link them to the user. They are also easily changed in the case of compromise. We term this a Key Lockbox.

The second system would generate a false fingerprint for each organisation and would send that for verification. These false fingerprints can easily be generated with the aid of an artificial fingerprint generation program such as SFinGe [5]. It would operate in the same manner as the lockbox, except a biometric feature vector could be sent instead of a key. The organisation would then authenticate the user from this random biometric. We term this a Biometric Lockbox and it is similar to Fractional Biometrics with 100% masking information.

The primary difference between Fractional Biometrics and the Lockbox approach is that some real biometric information is retained. This provides direct evidence towards a positive identification to the organisation; the user had to be present. Verifying organisations cannot have this level of assurance with Lockboxes, because the communication lines may be insecure, or the keys (either as a biometric template or a number) may have been obtained and fraudulently presented by an imposter.

In addition, the Fractional Biometric accuracy experiment (see Fig. 4) demonstrates that there is an accuracy cost as Fractional Biometrics is introduced. The Biometric Lockbox is likely to have worse accuracy than a Fractional Biometric system, because error would be compounded over the first matching on the smart card of the true biometric and the second matching by the organisation of the artificially generated biometric image.

Fractional Biometrics also spreads the risk of interception of this key information. The fingerprint or the smart card alone is insufficient to impersonate a user as demonstrated by the results earlier in the section. Lockbox systems are more vulnerable to unauthorised access to the keys stored on the card.

While the Lockbox mechanisms make it impossible for organisations to collude and reconstruct the original biometric image, the template reuse experiment (see Table 4) shows that with sufficient masking information, this risk is greatly reduced in Fractional Biometrics.

The other advantage of the Lockboxes is that their information can be replaced without a great inconvenience to the user. Under Fractional Biometrics, it is possible to reissue a Mask, unlike traditional biometrics. However, it remains to be determined how many times a Fractional Biometric can be reissued until an organisation would have sufficient information to reliably reconstruct the user’s original biometric image.

Fractional Biometrics would be well suited to applications that require broad user acceptance and assurance that surveillance and identification will not be undertaken. It is an excellent way to prevent feature creep in projects for large organisations and governments. It allows a degree of positive identification and retains some of the benefits of shared secret and token-based verification. The slight loss in accuracy may mean that Fractional Biometrics is not suited to high security situations, but for widely deployed applications with large end-user populations, it will help reduce end-user resistance and ensure that the system can recover from compromise.

4 Conclusion

This paper has examined a novel technique for verifying people by their biometric features. It promises to provide us with the convenience and security of biometric authentication as well as the robustness and relationship pseudonymity associated with more traditional authentication techniques.

4.1 Key results and outcomes

We demonstrate that Fractional Biometrics helps to achieve the following privacy goals.

– Relationship Pseudonymity: By being able to assign a different mask for a user’s enrolment to different organisations, the user can maintain the privacy of his transactions with each individual organisation without fear of his activities being tracked across organisations.

– Unlinkability: As the enroled biometric features are different from a person’s original biometric, a malicious third party will find it difficult to link the template and the user.

– Identity Theft Prevention: The user’s original biometric template is never stored in an organisation. As a result, even if the template is stolen and used by a malicious attacker, the compromised template can be revoked, and a new one easily reissued. An attacker would be unable to masquerade as the genuine user for very long as a new template can be immediately reissued. In addition, experimental evidence showed that Fractional Biometrics reduces the chance of successful attacks using forged or stolen biometric images or templates. The more masking information that is introduced to the image, the more protection is provided.

– Protection of Sensitive information derived from biometrics: Certain biometrics reveal significant health and other information about an individual [3,9,10]. As the whole biometric template cannot be accessed by any organisation, such sensitive information can be protected.

The additional security obtained by masking does reduce the system’s accuracy. However, a decrease of only 0.6% in the EER was recorded (from 4 to 4.6%) for 50% masking. It also makes a target of the smart card that would hold the masking information, but acquisition of this information would not guarantee the ability to impersonate the user, even if 100% masking information was used. Nonetheless, the more masking information that is used, the more vulnerable a user will be to this attack.

Our tests have supported the expectations that Fractional Biometrics would provide additional security against biometric image or template compromise with a slight loss in accuracy. This allows Fractional Biometrics to balance security, robustness and anonymity.

4.2 Future work

A natural step to follow this work would be to implement the whole Fractional Biometric process, including smart card or mobile telephone code and to integrate this with a fingerprint scanner. The Matcher could also be made more robust, avoiding the need for manual core detection. Security could be enhanced by removing the need for the unmasked fingerprint data to be stored on the smart card. The effect of combining the Fractional Biometric scheme with a Biometric Encryption scheme warrants further study.

More work may also be required into the types of attack that may be launched against this system, with and without the additional Biometric Encryption. With so many different stakeholders (users, verifying organisations, smart card developers, etc.), there are many possibilities for fraudulent behaviour, and each participant must be reassured that collaboration on the part of others will not undermine their security or trust in the system.

Specifically, it will be necessary to investigate whether a user’s original biometric image could be extracted from a collection of their Fractional Templates without the assumptions mentioned in Sect. 3.3. If this is the case, we need to know how many of these files are required, and at what proportion of masking information, before a user would be in danger.

Acknowledgments Elements of this research were part of the MAppSc thesis [4] of the first author Duncan Bayly. Duncan was diagnosed with Motor Neurone Disease in 2007. The other authors would like to record their admiration of Duncan’s positive spirit and mental strength. Senior Sergeant Anthony Allen arranged Victoria Police’s contribution of fingerprinting ink and foils. This research was supported by the Virtual Research Institute, Research and Innovation, RMIT University and by the Department of Mathematics and Statistics, RMIT University. We are very grateful to the anonymous reviewers for their constructive comments.

References

1. Arakala, A., Horadam, K.J., Boztas, S.: Practical considerations for secure minutiae based templates. In: Proceedings of the Biometrics Consortium Conference, Biometrics Symposium 2008, pp. 53–58. IEEE Press, Tampa, FL, USA (2008)

2. Arakala, A., Jeffers, J., Horadam, K.J.: Fuzzy extractors for minutiae-based fingerprint authentication. In: Lee, S.W., Li, S. (eds.) Proceedings of the Second International Conference in Biometrics, pp. 760–769. Springer, Seoul, South Korea (2009)

3. Bates, B.: A Guide to Physical Examination and History Taking, 5th edn., pp. 181–215. Lippincott, Philadelphia (1991). Also in interview with F.P. Nasrallah and A.S. DiDo, Washington, D.C., April 4, 1994, as referenced in [30]

4. Bayly, D.: Fractional Biometrics. Master’s Thesis, RMIT University, Melbourne, Australia (2004)

5. Cappelli, R., Maio, D., Maltoni, D.: Synthetic fingerprint-database generation. In: Proceedings of the 16th International Conference on Pattern Recognition (ICPR2002), 3, pp. 744–747, Québec City, Canada (2002)

6. Cavoukian, A., Stoianov, A.: Biometric encryption. Biometric Technol. Today 15(3), 11 (2007)

7. Corcoran, D., Sims, D., Hillhouse, B.: Smart cards and biometrics: the cool way to make secure transactions. Linux J. 1999(59,7) (1999)

8. Dodis, Y., Ostrovsky, R., Reyzin, L., Smith, A.: Fuzzy extractors: How to generate strong keys from biometrics and other noisy data. Cryptology ePrint Archive, Report 2003/235. Available: http://eprint.iacr.org (2003)

9. Green, R., Young, R.: Fingerprint asymmetry in male and female transsexuals. Personality and Individual Differences 29, pp. 933–942. Elsevier, Oxford (2000)

10. Hall, J.A., Kimura, D.: Dermatoglyphic asymmetry and sexual orientation in men. Behavioral Neuroscience 108(6), pp. 1203–6. American Psychological Association, Washington, DC, USA (1994)

11. Jain, A.K., Flynn, P., Ross, A.A. (eds.): Handbook of Biometrics. Springer, New York (2008)

12. Jeffers, J., Arakala, A.: Fingerprint alignment for a minutiae-based fuzzy vault. In: Proceedings of the Biometrics Consortium Conference, Biometrics Symposium 2007, pp. 1–6. IEEE Press, Baltimore, Maryland, USA (2007)

13. Jeffers, J., Arakala, A.: Minutiae-based Structures for a Fuzzy Vault. In: Proceedings of the Biometrics Consortium Conference, Biometrics Symposium 2006, pp. 1–6. IEEE Press, Baltimore, Maryland, USA (2006)

14. Juels, A., Sudan, M.: A fuzzy vault scheme. In: Proceedings of IEEE ISIT, p. 408. IEEE Press, Lausanne, Switzerland (2002)

15. Juels, A., Wattenberg, M.: A fuzzy commitment scheme. In: Tsudik, G. (ed.) Proceedings of the Sixth ACM Conference on Computer and Communications Security, pp. 28–36. ACM Press, New York (1999)

16. Kindt, E., Breebaart, J., Busch, C., Grave, J.: A reference architecture for biometric template protection based on pseudo identities. In: Bromme, A.B. (ed.) Proceedings of the Special Interest Group on Biometrics and Electronic Signatures 2008, pp. 25–37. GI-LNI, Darmstadt, Germany, 11–12 September (2008)

17. Kovács-Vajna, Z.M.: A fingerprint verification system based on triangular matching and dynamic time warping. IEEE Trans. Pattern Anal. Mach. Intell. 22(11), 1266–1276 (2000)

18. Linnartz, J.P., Tuyls, P.: New shielding functions to enhance privacy and prevent misuse of biometric templates. In: Proceedings of AVBPA 2003, 2688, pp. 393–402. LNCS, Springer, Berlin (2003)

19. Maltoni, D., Maio, D., Jain, A., Prabhakar, S.: Handbook of Fingerprint Recognition. Springer, New York (2003)

20. Mital, D.P., Teoh, E.K.: An automated matching technique for fingerprint identification. In: Jain, L.C. (ed.) Proceedings of the First International Conference on Knowledge-Based Intelligent Electronic Systems, pp. 142–147. IEEE Computer Society, Adelaide, Australia (1997)

21. Nandakumar, K., Jain, A.K., Pankanti, S.: Fingerprint-based Fuzzy vault: implementation and performance. IEEE Trans. Inf. Forensics Secur. 2(4), 744–757 (2007)

22. Pfitzmann, A., Hansen, M.: Anonymity, Unlinkability, Undetectability, Unobservability, Pseudonymity, and Identity Management—A Consolidated Proposal for Terminology, Version 0.31. http://dud.inf.tu-dresden.de/Anon_Terminology.shtml, Last Accessed 4 March (2008)

23. Ratha, N.K.: Cancelable biometrics. In: Proceedings of the Biometric Consortium Conference 2000, pp. 501–526. Gaithersburg, Maryland, USA (2000)

24. Ratha, N.K., Connell, J.H., Bolle, R.M.: Enhancing security and privacy in biometrics based authentication systems. IBM Syst. J. 40(3), 614–634 (2001)

25. Ratha, N.K., Connell, J.H., Bolle, R.M.: Generating cancelable fingerprint templates. IEEE Trans. Pattern Anal. Mach. Intell. 29(4), 561–572 (2007)

26. Ross, A., Shah, J., Jain, A.K.: From template to image: reconstructing fingerprints from minutiae points. IEEE Trans. Pattern Anal. Mach. Intell. 29(4), 544–560 (2007)

27. Teoh, A.B.J., Kuan, Y.W., Lee, S.: Cancellable biometrics and annotations on BioHash. Pattern Recognit. 41(6), 2034–2044 (2008)

28. TrUsted Revocable Biometric IdeNtitiEs (TURBINE) http://www.turbine-project.org, Accessed on: 16 March (2009)

29. Tuyls, P., Goseling, J.: Capacity and examples of template-protecting biometric authentication systems. In: Proceedings of the 8th ECCV, 3087, pp. 158–170, LNCS, Springer, Prague, Czech Republic (2004)

30. Woodward, J.D.: Biometrics: privacy’s foe or privacy’s friend? Proc. IEEE 85(9), 1480–1492 (1997)
