Abstract—In this paper a parameterized geometric alignmentmethod is proposed for minutiae-based fingerprint templateprotection by transforming an original minutia vicinity into ageometrically-aligned and protected minutia vicinity byrandomly generated parameters. Template diversification canbe achieved by setting different parameters for differentminutiae vicinities. Comparison result of two protectedtemplates is summarized from comparison results of protectedminutiae vicinities from both templates. Experimental resultson the public FVC2002DB2_A database show satisfactorybiometric performance (with average Equal Error Rate 0.0404)of the proposed algorithm. Performance and security analysisare also given for the proposed approach.

I. INTRODUCTION

ingerprint templates need careful protection becausefingerprint characteristics cannot be updated like usual

passwords or PIN codes. Standard encryption (DES, AES,etc) is insufficient to protect a biometric template becausethe encrypted template needs decryption to invert to itsplain-text for comparison. This is insecure as full access tosamples or unprotected biometric features is given to thepotentially untrusted entity that conducts the comparison. Itis preferable to run the comparison process in an encrypteddomain. However standard encryption algorithms tolerate nofuzzy distortions inherent with fingerprint samples, neitherdo cryptographic hash functions such as SHA-1, MD5,…,etc., by purpose. Therefore, biometric template protectionalgorithms [1-21] were proposed, among which fingerprinttemplate protection algorithms were intensively investigated[2,4-6,8-9,13-16,19-20]. Fingerprint template protectionalgorithms can use different biometric features: luminancefeatures with image processing techniques [4-5]; minutiaefeatures complemented with additional biometric features(such as ridge surroundings) [6,16]; and the only minutiaefeatures based algorithms which protects already-generatedminutiae templates conforming to ANSI or ISO standards.However, the key-inversion attack [12] was found towardsthe fuzzy vault approach [2]. Fuzzy extractor [13] andsecure sketch [14] don't suffer from the key-inversion attack,but they sacrifice comparison accuracy. Biotokens [15]exhibits good performance by exploiting enlarged feature

Manuscript received June 7, 2009. This work was supported by fundingunder the Seventh Research Framework Programme of the European Union,Project TURBINE (ICT-2007-216339).

Bian Yang is with the Norwegian Information Security Laboratory atGjøvik University College, Gjøvik, N-2821, Norway. (phone: +47-61135256;fax: +47-61135170; e-mail: bian.yang@hig.no).

Christoph Busch is with the Norwegian Information Security Laboratoryat Gjøvik University College, Gjøvik, N-2821, Norway. (phone: +47-61135194; fax: +47-61135170; e-mail: christoph.busch@hig.no).

space, but with large template size which in turn makes thisalgorithm less attractive to storage-limited applications suchas Reference-on-Card systems or On-Card-Comparisonsystems [22]; in addition, the unprotected information(“control” and “residual” bytes) in [15] might be weak toprivacy threats such as linking across different protectedtemplates diversified from the same fingerprint.

The method of cancelable fingerprint templates [9] wasproposed to distort minutiae data in a non-invertible way. Asthis mechanism is non-invertible, there is no way to launchthe key-inversion attack [12]. All minutiae are assumed tobe pre-aligned in [9], but in practical cases a failure-to-alignrate of approximately 10% is likely to occur [23]. The pre-alignment accuracy will impact the end-to-end biometricperformance. The work [19-20] was also constrained by thesame pre-condition of accurate core point detection, whichis difficult to achieve in practical applications.

We propose a geometric alignment method for eachminutia vicinity, which is formed by the minutia itself andits M closest neighboring minutiae. To diversify the originalminutia vicinity into various protected vicinities, thegeometric alignment is achieved with randomly generatedparameters. The geometrically-aligned vicinity can becompared individually and comparisons of allgeometrically-aligned vicinities will contribute to a scoreindicating the similarity of two protected minutiae templates.

The proposed parameterized geometric alignment basedtemplate protection algorithm is designed to achieve thefollowing goals:

• reliable geometric alignment without need ofinherent homologous points such as core or delta inthe original minutia template;

• satisfactory biometric performance; • non-invertibility from a protected template to its

original unprotected minutiae template; • unlinkability among diversified protected templates

from one fingerprint. The reminder of the paper is structured as follows:

Section II presents the proposed method, Section IIIdemonstrates the experimental results, Section IV gives asecurity analysis, and Section V concludes this paper.

II.PROPOSED PARAMETERIZED GEOMETRIC ALIGNMENT BASED

FINGERPRINT MINUTIAE TEMPLATE PROTECTION

A. General Framework Fig.1 illustrates a general framework for the proposed

parameterized geometric alignment based fingerprint

Parameterized Geometric Alignment for Minutiae-BasedFingerprint Template Protection

Bian Yang and Christoph Busch

F

978-1-4244-5020-6/09/$25.00 ©2009 IEEE

minutiae template protection algorithm. For an arbitraryminutia mi (i=1,2,...,N), the minutia vicinity Vi is defined asmi itself together with its M closest neighboring minutiae(called companions ci1,ci2,...,ciM in this paper), i.e. Vi = {mi,ci1, ci2, ..., ciM}. The main idea of the proposed algorithm is toachieve self alignment of each minutia vicinity instead ofreferencing the core point, and infuse randomness to eachgeometric alignment step for diversification. Fig.1(a)presents the process of generating a protected template PTfrom its unprotected version T. Supposing there are totally Nminutiae detected in a template, each minutia vicinityVi(i=1,2,...,N) is processed individually into a protected oneVai . The protected template containing all Vai (i=1,2,...,N) canbe stored in a database or a token for comparison. Note thatN might differ for two different fingerprint samples, but thiscan be handled by the vicinity based comparison strategy.

The parameterized geometric alignment for each Vi isillustrated in Fig.1(b), which is described in details in thefollowing sub-sections.

B. Self-Alignment of a Minutia VicinityTo realize reliable geometric alignment without

referencing the core point, we propose a self alignmentmethod for each minutia vicinity in the unprotectedtemplate. The idea of self alignment is similar to the pointfeature model in [24] but limited to translation and rotationalignment in our case. First, an orientation for rotationalignment needs to be defined by pairing two minutiae in Vi

to form a vector, e.g., 1iicm , with its orientation as the newx-axis, and its geometric middle point as the origin in thealigned coordinate system. In this way, there are totally

⎟⎟⎠

⎞⎜⎜⎝

⎛ +2

1M pairs that can be formed and ⎟⎟⎠

⎞⎜⎜⎝

⎛ +2

12

M orientations can

be defined. To constrain the template size, only L < ⎟⎟⎠

⎞⎜⎜⎝

⎛ +2

12

M

orientations {O1,O2, …, OL} are selected for alignment. Foreach orientation Ol (l=1,2,...,L), the (M-1) minutiae

(excluding the two defining the new x-axis) in Vi are rotatedand translated and the aligned set is denoted as lth group ofaligned minutiae Gl. Mathematically, supposing the vector

qpJJ for the orientation Ol is formed by two points Jp and Jq

(1≤p,q≤M+1, p≠q), the remaining (M-1) minutiae Jj

(1≤j≤M+1, j≠p, j≠q) will be aligned:

⎥⎥⎦

⎤

⎢⎢⎣

⎡−−

⎥⎦

⎤⎢⎣

⎡−

=⎥⎥⎦

⎤

⎢⎢⎣

⎡)()()()(

.)cos()sin()sin()cos(

)(')('

yMDPyJxMDPxJ

yJxJ

lj

lj

ll

ll

j

j

θθθθ

(1)

where MDPl is the geometric middle point of Jp and Jq:

⎪⎩

⎪⎨⎧

+=+=

2/))()(()(2/))()(()(

yJyJyMDPxJxJxMDP

qpl

qpl (2)

and θl is the angle formed by the vector qpJJ 's orientationOl and the old x-axis calculated as:

))()()()(

(tan 1xMDPxJyMDPyJ

lq

lql −

−= −θ (3)

If we do the above alignment along all the L orientations andsuperimpose the results, we can obtain a self-aligned minutiavicinity for the original minutia vicinity. However, this selfalignment is not enough for template protection because theoriginal topological relationship still exists among minutiaepoints after the alignment; and additionally, the wholealignment process is a surjection without any diversificationeffect. To destroy the topological relationship left among thealigned minutiae and also to achieve some diversificationeffect, we integrate an offsetting operation with the aboveself alignment process as follows.

C. Parameterized Minutiae Coordinates offsetting As shown in Fig.1(b), offsets will be added to each

aligned minutiae group Gl to generate G'l. To destroy thelocal topological relationship among minutiae, the offsets∆xl and ∆yl are added to the self-aligned coordinates J'j(x)and J'j(y) in polar direction and the correspondingperpendicular direction, respectively as:

⎩⎨⎧

+⋅+⋅+=+⋅+⋅+=

)2/sin(∆y)sin(∆x)(')()2/cos(∆y)cos(∆x)(')(

πϕϕπϕϕ

lljaj

lljaj

yJyJxJxJ

(4)

(1≤j≤M+1, j≠p, j≠q). The polar direction φ in Eq.(4) isdefined by the aligned minutiae coordinates:

))(')('

(tan 1xJyJ

j

j−=ϕ (5)

The offsets ∆xl and ∆yl in Eq.(4) are calculated from dxl anddyl that can be looked up by the index l (l=1,2,...,L) from therandom offset table depicted in Fig.1(b):

⎩⎨⎧

⋅+⋅=⋅+⋅=

)dy(signdy∆y)dx(signdx∆x

max

max

llll

llll

DDDD

(6)

where Dmax in Eq.(5) is calculated as:},...,2,1,max{ max LlDD l == (7)

where Dl is calculated as22 ))()(())()(( yJyJxJxJD qpqpl −+−= (8)

where the index l corresponds to p and q in the same way as

(a) General framework for minutiae template protection

(b) Parameterized minutia vicinity geometric alignmentFig. 1. General framework for parameterized geometric alignment based fingerprint minutiae template protection algorithm

in Eq.(1)-(3). The random offset table contains L rowscorresponding to the L orientations that have been selectedfor an alignment. The purpose of introduction of Dmax and Dl

in Eq.(6) is to make the actual offsets adaptive to Vi'sminutiae distribution density. In this way, diversification canbe achieved by setting different parameters S to constructthe random offset table. For example, S can be a unique IDfor the current template in the database, and a pseudo-random number generator (PRNG) takes S as the initiativevector or the key to output a sequence from which the tablecan be constructed by assigning randomly generated realvalues to dxl and dyl within the value range (-1,1).

D. Superimposition of Minutiae after offsettingNote that for different l, different offsets (dxl,dyl) are used

in Eq.(4). Subsequent to the alignment of minutiae andadding offsets to the coordinates, we superimpose all thealigned minutiae groups G'l (l=1,2,...,L) and form the finalprotected vicinity Vai as shown in Fig.1(b). This will increasethe complexity to invert from an offset point Jaj to itsoriginal only-aligned version J'j because an attacker willhave no clue which out of the L orientations was used togenerate this aligned and offset minutia Jaj.

E. An Illustrative ExampleWe give an example in Fig.2 to better understand the

minutia vicinity geometric alignment (Section II. B) andcoordinates offsetting process (Section II. C). Taking anarbitrary minutia mi in the fingerprint image in Fig.2(a) as anexample, we set the number of closest neighboring minutiaeincluded within Vi as M=3. Thus there are totally 12orientations (mi→ci1, mi→ci2, mi→ci3, ci1→ci3, ci2→ci3,ci1→ci2, ci1→mi, ci2→mi, ci3→mi, ci3→ci1, ci3→ci2, ci2→ci1)that can be used for alignment. Without loss of generality,let L = 5 and for eaxample we select the first 5 orientationsfor alignment, as shown in Fig.2(b). Then along theseorientations, alignment and offsetting can be performed.Fig.2(c) gives an example to do offsetting on the orientationO1-aligned minutiae group G1 = {c'i2 ,c'i3} with the offsetsvalue (∆x1,∆y1), generating two protected minutiae Ja1 andJa2. The xo orientation is the old x-axis orientation, and φ =∠x-MDP-xo. The offset ∆x1 and ∆y1 are added in the polardirection and its perpendicular direction respectively.

F. Comparison and Computing a General ScoreDifferent fingers and fingerprint images from the same

source finger may vary in the number of detected minutiae.Consequently the generated protected templates may containa different number of protected minutiae vicinities. Theprotected templates can only be compared in a vicinity-wiseway. This can be interpreted as the challenge to find aprotected vicinity Vaip generated from the probe that canmatch a protected vicinity Vair in the protected referencetemplate. A threshold T is set to decide if the two protectedvicinities can match in Hausdorff distance [25-26]: if

H(Vaip,Vair) < T, (9)

the two protected vicinities match; otherwise they aredeemed as from two different unprotected minutiaevicinities. Here the Hausdorff distance is defined as

H(A,B) = max(h(A,B),h(B,A)) (10)

where

h(A,B) = ||||minmax baBbAa

−∈∈ (11)

(a) Minutia vicinity delimitation

(b) Example of L = 5 orientations definition: O1~O5 on Vi={mi,ci1,ci2,ci3}

(c) Example of orientation O1 (mi→ci1) based alignment and offsetting

Fig. 2. Example of minutia vicinity formation, orientation definition, geometric alignment and offsetting: neighboring minutiae number M = 3, selected orientations' number L=5 and the first 5 orientations selected, without loss of generality.

and ||.|| is a distance metric such as Euclidean distancebetween points a and b. The direct Hausdorff distance h inEq.(11) is an asymmetric distance measure between the twosets A and B, and therefore the final Hausdorff distance H iscalculated as the maximum out of h(A,B) and h(B,A).

Once Vaip finds a match Vair in the protected referencetemplate, the general score, which is initiated as zero beforethe first searching, increases by one; and then the algorithmabandons the further searching operations targeted atanother possible match for Vaip but begins the next searchingtask for another Vaip from the probe. After comparison of allprotected vicinities Vaip generated from the probe with allprotected vicinities Vair in the protected reference template,we can obtain the general comparison score - the totalnumber of the matched cases as a reference for verification.

III. EXPERIMENTAL RESULTS

We tested our proposed algorithm on the publicfingerprint database FVC2002_DB2_A with 560×296 sizedgray-scale images collected from 100 different fingers and 8samples for each finger. VeriFinger 6.0 fromNeurotechnology [27] was used to detect all minutiae fromevery fingerprint image. In order to benchmark the proposedalgorithm's biometric performance with different fingerprinttemplate protection algorithm reviewed in [21], we also usedthe first two out of the 8 samples for experiments as in [21].The 100 first samples were used for enrollment and the 100second samples as probes. False-match-rate (FMR) andfalse-none-match-rate (FNMR) were employed to evaluatethe biometric performance defined as follows:

attemptsimposterofnumbertotalattemptsimposteracceptedofnumberFMR = (12)

attemptsgenuineofnumbertotalattemptsgenuinerejectedofnumberFNMR = (13)

where “accepted” and “rejected” are decided by thresholdsequally set within the value range [0,1] into which all thegeneral comparison scores obtained by the method describedin section II.F were normalized - dividing them by the totalnumber N of minutiae in their corresponding probes.

In the experiments, we compare each of the protectedtemplates from the 100 probes to all the 100 protectedreference templates. The parameters we used forexperiments are: minutiae number in one vicinity M = 3;number of orientations selected for alignment L = 5, whichcorresponds to the same 5 orientations set in the example insection II.E and Fig.2(b); also 100 different random offsettables containing L = 5 rows were generated for all the 100reference templates; for each pair of minutia vicinities forcomparison, the Hausdorff distance threshold in Eq.(9) wasset to be T = 16. In the above parameters, we set M = 3 andL = 5 because in this setting an acceptable trade-off can beachieved between the security and the protected templatesize (around 10 times the size of the original template'sminutiae coordinates data volume).

To test the influence of randomness introduced by therandom offset table on the biometric performance, we did 20

experiments with different 100 random offset tablesgenerated for each experiment. Thus we simulatediversification and situation that a data subject is enrolled in20 disjunct applications, which should not store linkablereferences for the subject. From these 20 experiments, 20Equal Error Rates (EER) were obtained as in the Table 1.We note from Table 1 that randomness did have noticeableinfluence on the biometric performance. In this experiments,the diversified vicinities apprears quite different from eachother and roughly have a uniform distribution of protectedminutiae points. The average EER is 0.0404, which issatisfactory compared to the algorithm [9]'s performance(EER around 0.10) reported in [21]. This result is evencomparable to the results by some unprotected fingerprintverification algorithms participated in FVC2002 [28]. Onthe other hand, we assume this satisfactory result alsobenefited from the accuracy of Neurotechnology's minutiaeextractor. In our experiments, the EER calculated from thesame unprotected templates by VeriFinger 6.0's Matcher isclose to zero. Although the proposed algorithm cannotcompete with biometric performance reported in theBiotokens algorithm [15], its protected template's size isrelatively compact. Assuming one coordinate value isrepresented with 14 bits by the ISO biometric datainterchange formats [29], an unprotected template with 10-80 minutiae can be converted into a protected template withstorage size 0.34 - 2.73 KB in the case of M = 3 and L = 5,with roughly average size of 1.37 KB for a 40-minutiaetemplate. The size can be further deduced if we set smallervalues for M and L. This storage requirement is not so largeas in [15] which is in average 13KB. Furthermore and mostimportant, the proposed algorithm has no obvious

Table 1. EER values of 20 experiments with different random offset tables

Fig. 3. Experimental biometric performance results: highest EER = 0.0531 (Exp.15) and the lowest EER = 0.0265 (Exp.17) out of 20 experiments with different random parameters (dxl,dyl) for each experiment.

invertibility and linkability concerns regarding the protectedtemplates, which undermine [9] and [15] respectively.

Fig.3 presents two FNMR-FMR performance curvesExp.15 and Exp.17, to show the two experimental resultswith highest and lowest EER, respectively, out of the 20experiments we did in different parameter settings.

IV. SECURITY ANALYSIS

The proposed algorithm is based on vicinity-wisecomparison, which boils down the security of the protectedtemplate to the security of each protected vicinity. Weconsider several threats relevant to biometric templateprotection: the brute-force attack to restore the originaltemplate, the brute-force attack to match the protectedtemplate, the inversion attack to restore a original vicinity,and the linking attack among different protected vicinities.

(1)The brute-force attack to restore the original template

This scenario is actually independent of the templateprotection and the complexity is mainly decided by thefingerprint images themselves. In our experiments, theoriginal images' width W=296, height H=560, and thefingerprints' ridge width WR = 10. For the brute-force attackaiming at correctly guessing the original minutia vicinity,there are totally ⎟⎟

⎠

⎞⎜⎜⎝

⎛ ××10

)/()( RR WWHW = ⎟⎟⎠

⎞⎜⎜⎝

⎛ ××10

)1010/()560296( ≈ 285

possibilities to correctly locate 10 original minutiae, if weassume that (a) an original minutiae template can beregarded as compromised when at least 10 minutiae arecorrectly guessed, and (b) two different minutiae have atleast a distance of a ridge width between each other.

(2) The brute-force attack to match the protected template

In this scenario, we assume the attacker has the protectedtemplates, template protection algorithm, the randomparameters, and the protected template comparator at hand.Since a protected template is constituted by protectedvicinities, the brute-force attack actually works towards eachprotected vicinity. Assuming the original vicinities'coordinates dynamic range Ro and the protected vicinities'coordinates dynamic range Rp can be roughly within [-200,200] and [-350, 350], respectively, the brute-force attackcomplexity to match a protected vicinity by guessing M=3neighboring original minutiae in an original vicinity can

roughly be ⎣ ⎦⎟⎟⎠

⎞⎜⎜⎝

⎛ ×M

WR Ro22 /π = ⎣ ⎦

⎟⎟⎠

⎞⎜⎜⎝

⎛ ×3

10/200 22π ≈ 228, if the template

protection process will not noticeably decrease the ability todistinguish protected templates. In our experiments, theprotected templates' distinguishability is related to T in Eq.(9). If we assume the generated protected coordinates areuniformly distributed with random parameter settings, wecan roughly estimate the distinguishability of a protected

vicinity as ⎣ ⎦⎟⎟⎠

⎞⎜⎜⎝

⎛

−××

)1(/ 22

MLTRpπ = ⎣ ⎦

⎟⎟⎠

⎞⎜⎜⎝

⎛

−××

)13(516/350 22π ≈ 284. In the above

analysis, if the attacker does not know the randomparameters dxl and dyl (l=1,2,...,L), which can be livegenerated from the PRNG and thus do not need storage, the

brute-force attack complexity to match a protected vicinity

can roughly be ⎣ ⎦ LRo DM

WR 2max

22)2(/ ×⎟

⎟⎠

⎞⎜⎜⎝

⎛ ×π = ⎣ ⎦ 1022

)4002(3

10/200 ××⎟⎟⎠

⎞⎜⎜⎝

⎛ ×π

≈ 2125. Here we assume the coordinates' range caused by dxl

and dyl in Eq.(6) is 2×Dmax and Dmax = 400.

(3) The inversion attack to restore an original vicinity

As mentioned above, by brute-force attack, the attackerneeds 228 attempts to invert from a protected vicinity to itsoriginal one when he/she knows the random parameters. Butit is still hard to restore the original fingerprint minutiaetemplate especially in the case that all minutiae in oneoriginal vicinity are far from other minutiae than themselvesand therefore form the same vicinity. Besides the brute-forceattack, the inversion attack can also be done by exploitingweakness among the protected vicinity. Considering thedifferent L=5 offset rows used for alignment in differentorientation Ol, the attacker needs to guess which two pointsin the protected vicinity came together from an arbitrary rowin the random offset table, and also Dl (l=1,2,...,L) in the Eq.

(6). This can be roughly estimated by LDL max!24

26

28

210

⋅⋅⎟⎟⎠

⎞⎜⎜⎝

⎛⋅⎟⎟⎠

⎞⎜⎜⎝

⎛⋅⎟⎟⎠

⎞⎜⎜⎝

⎛⋅⎟⎟⎠

⎞⎜⎜⎝

⎛

= 5400!524

26

28

210

⋅⋅⎟⎟⎠

⎞⎜⎜⎝

⎛⋅⎟⎟⎠

⎞⎜⎜⎝

⎛⋅⎟⎟⎠

⎞⎜⎜⎝

⎛⋅⎟⎟⎠

⎞⎜⎜⎝

⎛ ≈ 267 possibilities, which is even larger

than brute-force attack case. In the same condition (withknown parameters), the majority of non-overlapped areas inthe algorithm [9] have distinctly lower security level. If theattacker does not know the random parameters, the

complexity can even be around LDL 2max )2(!

24

26

28

210

⋅⋅⎟⎟⎠

⎞⎜⎜⎝

⎛⋅⎟⎟⎠

⎞⎜⎜⎝

⎛⋅⎟⎟⎠

⎞⎜⎜⎝

⎛⋅⎟⎟⎠

⎞⎜⎜⎝

⎛ =

5400!524

26

28

210

⋅⋅⎟⎟⎠

⎞⎜⎜⎝

⎛⋅⎟⎟⎠

⎞⎜⎜⎝

⎛⋅⎟⎟⎠

⎞⎜⎜⎝

⎛⋅⎟⎟⎠

⎞⎜⎜⎝

⎛ ≈ 2120.

(4) The linking attack among protected vicinities

Regarding the linking attack, there is no obviouslinkability that can be found across different protectedvicinities generated from the same source unprotectedvicinity in our proposed algorithm, thanks to the offsetoperations in the polar direction (and its perpendiculardirection) and also the different offset values set foralignments in different orientations. Furthermore, the offsets∆xl and ∆yl are dependent not only on dxl and dyl, but alsoon unknown factors – the inherent biometric features Dl

(l=1,2,...,L) in the Eq.(6), which results in a different ratio of∆xl compared to ∆yl for a different vicinity, even while thesame dxl and dyl are employed for all the vicinities in onetemplate. This further removes the topological correlationamong the protected minutiae, which might be exploited forlinking attacks. Although the number of vicinities does notchange after template protection, which could be exploitedfor linkability to some degree, this linkability is weakespecially in the case of large-scale database and the casethere is big minutiae number variance among probes. Notethat the algorithm [15] shares the same weakness as ourproposed algorithm, but furthermore the unprotectedinformation (“control” and “residual” bytes in [15]) makes itgreatly susceptible to the linking attack.

V. CONCLUSIONS AND FUTURE WORK

We proposed a parameterized geometric alignmentmethod in this paper to infuse randomness into the minutiavicinity self alignment process to achieve diversification andcoordinates encryption effect. The parameterized geometricalignment based minutiae template protection algorithmdoes not need inherent homologous points such as core ordelta as a geometric reference for alignment, and exhibitssatisfactory biometric performance compared to existingminutiae template protection algorithms, while possessinghigh security against the brute-force attack, the templateinversion attack and the linking attack. We willmathematically analyze the diversification property of theproposed algorithm and try extracting robust binary stringsfrom the protected minutiae vicinities in order to reduce thetemplate size in our future work.

ACKNOWLEDGMENT

The authors would like to thank Julien Bringer from SagemSécurité and Koen Simoens Katholieke Universiteit Leuvenfor their valuable comments.

The work is supported by funding under the 7th FrameworkProgramme of the European Union, Project TURBINE(ICT-2007-216339). This document has been created in thevicinity of the TURBINE project. All information isprovided as is and no guarantee or warranty is given that theinformation is fit for any particular purpose. The user thereofuses the information at its sole risk and liability. TheEuropean Commission has no liability in respect of thisdocument, which is merely representing the authors’ view.

REFERENCES

[1] A. Juels and M. Wattenberg, “A fuzzy commitment scheme,” in Proc.of 6th ACM Conference on Computer and Communications Security,Singapore, November 1999, pp. 28–36.

[2] A. Juels and M. Sudan, “A fuzzy vault scheme,” in Proc. of IEEEInternational Symposium on Information Theory, Lausanne,Switzerland, 2002.

[3] M. Savvides and B. V. K. Vijaya Kumar, “Cancellable biometricfilters for face recognition,” in Proc. of IEEE InternationalConference Pattern Recognition, vol. 3, Cambridge, UK, August2004, pp. 922–925.

[4] P. Tuyls, A. H. M. Akkermans, T. A. M. Kevenaar, G.-J. Schrijen, A.M. Bazen, and R. N. J. Veldhuis, “Practical biometric authenticationwith template protection,” in Proc. of 5th International Conference onAudio- and Video-based Biometric Person Authentication, Rye Town,USA, July 2005, pp. 436–446.

[5] Y. Sutcu, H. T. Sencar, and N. Memon, “A secure biometricauthentication scheme based on robust hashing,” in Proc. of ACMMultimedia and Security Workshop, New York, USA, pp.111-116.,Aug.,2005.

[6] A. Nagar, K. Nandakumar, A. K. Jain, “Securing fingerprint template:fuzzy vault with minutiae descriptors,” in Proc. of InternationalConference on Pattern Recognition (ICPR), Tampa, Florida, USA,Dec 2008.

[7] A. B. J. Teoh, A. Goh, and D. C. L. Ngo, “Random multispacequantization as an analytic mechanism for BioHashing of biometricand random identity inputs,”IEEE Transactions on Pattern Analysisand Machine Intelligence, vol. 28, no. 12, pp.1892–1901, December2006.

[8] GenKey. “System, portable device and method for digitalauthenticating, crypting and signing by generating short-livedcryptokeys,” US Patent 2006/0198514A1.

[9] N. K. Ratha, S. Chikkerur, J. H. Connell, and R. M. Bolle,“Generating cancelable fingerprint templates,” IEEE Transactions onPattern Analysis and Machine Intelligence, vol. 29, no. 4, pp. 561–572, April 2007.

[10] E. J. C. Kelkboom, B. Gkberk, T. A. M. Kevenaar, A. H. M.Akkermans, and M. van der Veen, ““3D face”: biometric templateprotection for 3D face recognition,” in Proc. of 2nd InternationalConference on Biometrics, Seoul, South Korea, August 2007.

[11] Y. J. Lee, K. Bae, S. J. Lee, K. R. Park, and J. Kim, “Biometric keybinding: fuzzy vault based on iris images,” in Proc. of 2nd

International Conference on Biometrics, Seoul, South Korea, August2007, pp. 800–808.

[12] W. J. Scheirer and T. E. Boult, “Cracking fuzzy vaults and biometricencryption,” in Proc. of Biometrics Symposium, September 2007.

[13] A. Arakala, J. Jeffers, and K. J. Horadam, “Fuzzy extractors forminutiae-based fingerprint authentication,” in Proc. of 2nd

International Conference on Biometrics, Seoul, South Korea, August2007.

[14] E. C. Chang and S. Roy, “Robust extraction of secret bits fromminutiae,” in Proc. of 2nd International Conference on Biometrics,Seoul, South Korea, August 2007.

[15] T. E. Boult, W. J. Scheirer, R. Woodworth, “Revocable fingerprintbiotokens: accuracy and security analysis,” in Proc. IEEE Inter. Conf.on Comput. Vis. & Patt. Recog, USA, 2007.

[16] C. Lee, J. Y. Choi, K. A. Toh, S. Lee, and J. Kim, “Alignment-freecancelable fingerprint templates based on local minutiaeinformation,”IEEE Trans. on Systems, Man, and Cybernetics – PartB: Cybernetics, Vol.37, No.4, pp.980-992., 2007.

[17] J. Breebaart, C. Busch, J. Grave, E. Kindt, “A reference architecturefor biometric template protection based on pseudo identities,”BIOSIG 2008. in Proc. of the Special Interest Group on Biometricsand Electronic Signatures. Editor: Brömme, A. Bonn: Gesellschaft fürInformatik, 2008, pp.25-37.

[18] N. Delvaux, H. Chabanne, J. Bringer, B. Kindarji, P. Lindeberg, J.Mdgren, J. Breebaart, T. Akkermans, M. Van der Veen, R. Vedhuis,E. Kindt, K. Simoens, C. Busch, P. Bours, D. Gafurov, B. Yang, J.Stern, C. Rust, B. Cucinelli, D. Skepastianos, “Pseudo identities basedon fingerprint characteristics,” in Proc. of IEEE Inter. Conf. onIntelligent Information Hiding and Multimedia Signal Processing,Harbin, China, 2008, pp.1063-1068.

[19] B. Yang, C. Busch, P. Bours, D. Gafurov, “Non-invertible geometricaltransformation for fingerprint minutiae template protection,” in Proc.of 1st International Workshop on Security and CommunicationNetworks, Trondheim, Norway, May 2009.

[20] B. Yang, C. Busch, M. Derawi, P. Bours, D. Gafurov, “Geometric-aligned cancelable fingerprint templates,” in Proc. of 15th

International Conference on Image Analysis and Processing, Salerno,Italy, September, 2009.

[21] A. K. Jain, K. Nandakumar, A. Nagar, “Biometric template security,”EURASIP Journal of Advances in Signal Processing. vol.2008,Article ID: 579416, 2008.

[22] Information Technology – Identification cards – On-Card biometriccomparison, ISO/IEC CD3 24787, December 2008.

[23] A. M. Bazen, R. N. J. Veldhuis, “Likelihood-ratio-based biometricverification,” IEEE Trans. on Circuits and Systems for VideoTechnology, vol.14, no.1, pp.86-94, 2004.

[24] H. J. Wolfson, I. Rigoutsos, “Geometric hashing: an overview,” IEEEComputational Science and Engineering Magazine, vol.4, no.4, pp.10-21, 1997.

[25] http://en.wikipedia.org/wiki/Hausdorff_distance[26] D. P. Huttenlocher, G. A. Klanderman, W. J. Rucklidge, “Comparing

images using the Hausdorff distance,” IEEE Trans. on PatternAnalysis and Machine Intelligence, vol.15, no.9, pp.850-863,September 1993.

[27] VeriFinger Software. http://www.neurotechnology.com [28] Fingerprint Verification Competition (FVC2002) Results on DB2.

http://bias.csr.unibo.it/fvc2002/results/res_db2_a.asp[29] ISO/IEC FDIS 19794-2. Information technology - Biometric data

interchange formats - Part 2: Finger minutiae data. 2005.