CA2286749C - Method for secure key management using a biometric - Google Patents
Method for secure key management using a biometric Download PDFInfo
- Publication number
- CA2286749C CA2286749C CA002286749A CA2286749A CA2286749C CA 2286749 C CA2286749 C CA 2286749C CA 002286749 A CA002286749 A CA 002286749A CA 2286749 A CA2286749 A CA 2286749A CA 2286749 C CA2286749 C CA 2286749C
- Authority
- CA
- Canada
- Prior art keywords
- key
- information
- filter
- phase
- function
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Expired - Lifetime
Links
Landscapes
- Collating Specific Patterns (AREA)
Abstract
This invention describes a secure method for consistently reproducing a digital key using a biometric, such as a fingerprint. The digital key is linked to the biometric only through a secure block of data, known as the protected filter. The key cannot be released from the protected filter other than via the interaction with the correct biometric image. Once generated, the digital key may be used in a system as an encryption/decryption key, or as a personal identification number (PIN).
Description
Method for secure key management using a biometric Background of the invention While many forms of encryption/decryption algorithms (cipher systems) exist today, a weak link of all systems is the secure management of the encryption/decryption key.
There are basically two types of cipher systems: those based on a single symmetric key, and those based on two distinct public/private keys. A symmetric key algorithm uses a single key to both encrypt and decrypt the data. These algorithms are usually fast and their security lies entirely in maintaining secrecy of the symmetric key. Two problems with these systems are the transportation of the key from the sender to the intended recipient, and the secure storage of the symmetric key. A
public/private key system uses a two key method. The public key is used for encryption and can be distributed over open channels. Because the public key can be sent over open channels, the inconvenience and security risk associated with key transportation is minimized. However, the private key is still used to decrypt the information, and thus must be kept secret.
In the age of electronic transactions, PIN's have become the dominant method by wWch these encryption keys are secured. The encryption keys are then only as secure as the length of the PIN, as the PIN recalls or decrypts the encryption key.
The length of a PIN which can easily be remembered is limited; thus the security of the system is also limited. PIN's are now, of course, prevalent in many other areas of life, such as banking, access control, and as an identification means for social programs. As the number of PIN's that one needs to remember/store escalates, the potential for a security breach arises. This invention overcomes the need to carry, store, or remember private keys for encryption/decryption, or PIN's for any other application by deriving a digital key from a biometric, during a live verification process.
Summary of the invention In the present invention, the digital key is linked to the biometric only through a secure block of data known as the protected filter. The correct key will only be SUBSTITUTE SHEET (RULE 26) derived via the interaction of this protected filter with the correct user biometric. For a biometric to be used conveniently and securely in a method to recover a digital key from a protected filter, the method should possess the following four features:
1) Preferably, the method should be capable of producing an arbitrary M-bit digital key in conjunction with the biometric.
There are basically two types of cipher systems: those based on a single symmetric key, and those based on two distinct public/private keys. A symmetric key algorithm uses a single key to both encrypt and decrypt the data. These algorithms are usually fast and their security lies entirely in maintaining secrecy of the symmetric key. Two problems with these systems are the transportation of the key from the sender to the intended recipient, and the secure storage of the symmetric key. A
public/private key system uses a two key method. The public key is used for encryption and can be distributed over open channels. Because the public key can be sent over open channels, the inconvenience and security risk associated with key transportation is minimized. However, the private key is still used to decrypt the information, and thus must be kept secret.
In the age of electronic transactions, PIN's have become the dominant method by wWch these encryption keys are secured. The encryption keys are then only as secure as the length of the PIN, as the PIN recalls or decrypts the encryption key.
The length of a PIN which can easily be remembered is limited; thus the security of the system is also limited. PIN's are now, of course, prevalent in many other areas of life, such as banking, access control, and as an identification means for social programs. As the number of PIN's that one needs to remember/store escalates, the potential for a security breach arises. This invention overcomes the need to carry, store, or remember private keys for encryption/decryption, or PIN's for any other application by deriving a digital key from a biometric, during a live verification process.
Summary of the invention In the present invention, the digital key is linked to the biometric only through a secure block of data known as the protected filter. The correct key will only be SUBSTITUTE SHEET (RULE 26) derived via the interaction of this protected filter with the correct user biometric. For a biometric to be used conveniently and securely in a method to recover a digital key from a protected filter, the method should possess the following four features:
1) Preferably, the method should be capable of producing an arbitrary M-bit digital key in conjunction with the biometric.
2) The same M-bit digital key should be released each time the system is used by the authorized holder of the protected filter.
3) Preferably, no key should be released when an unauthorized user of the protected filter attempts to use the system.
4) The protected filter, as an independent data block, has to be resilient to "attack".
In German patent DE 42 43 908 A 1 to Bodo, a method was proposed for extracting a digital key directly from a biometric. While the invention of Bodo thus provides a method for producing a digital key from a biometric, the security of such a system is irrevocably lost if the digital key is ever compromised. For this reason, feature I
above is preferred; i.e. for a system to remain secure, there should be the ability to change the digital key. The invention described herein proposes a method for linking a key to the biometric, rather than directly deriving the key from the biometric; thus the key can be changed at any time simply by re-enrolling the user and recreating the protected filter.
Methods have been described to re-generate signals using a biometric, based on the use of conventional matched filters in correlators. It is well known by those skilled in the art that a matched filter does not allow a trade-off between distortion tolerance and discrimination. Thus, in a system using a matched filter, it is impossible to optimally comply with both features 2 and 3 above. Also, it is known that the extraneous terms produced at the output of a system using a matched filter eliminate the possibility of exactly reproducing a block of pre-determined data. Thus, known methods using matched filters do not easily accommodate feature 1 above.
Furthermore, the impulse response of a matched filter will usually reveal enough information about the biometric for an "attacker" to recreate the biometric, and thus the signals. Therefore, a matched filter approach does not possess feature 4.
SUBSTITUTE SHEET (RULE 26) In International Application no. WO 9608093 by Tomko et al., a method was proposed for biometic controlled key generation. A filter is generated as a function both of the Fourier transform of a biometric and of a function derived from a unique number. In order to address features 2 and 3, the filter has to be of the inverse type. However, it can be shown that the inverse-type filter, like a matched one, contains information about the Fourier transform magnitude and, thus, can be successfully "attacked". Therefore, it is impossible to comply with feature 4.
Phase-only filters are known for use with optical correlators to improve signal-to-noise ratio.
US 5,214,534 to Kallman describes such a system.
According to the present invention, there is provided a method for securely recovering a digital key, comprising the steps of: capturing at least one biometric image;
obtaining transformed image information comprising transforming said at least one biometric image to a transform domain; retrieving a protected filter from storage; applying said transformed image information to said protected filter to obtain verification information; and obtaining a digital key from said verification information, characterised by: said protected filter comprising a phase-only filter and linking information, said phase-only filter generated from a random phase-only function and other phase information to obtain cryptographic secrecy, that is, given the phase-only filter, neither the random phase-only function nor the other phase information can be reconstructed other than by a brute force search, said linking information generated, at least in part, from said phase-only function and from said digital key; said obtaining a digital key comprising applying said linking information to a function of said verification information.
According to another aspect of the invention there is provided a method of storing a digital key, comprising the steps of: capturing at least one biometric image;
obtaining transformed image information comprising transforming said at least one biometric image to a transform domain; generating a random function; utilizing said random function and said transformed image information in generating a protected filter; and storing said protected filter;
characterised by: said random function being a random phase-only function such that said protected filter comprises a phase-only filter, having cryptographic secrecy, that is, given the phase-only filter, neither the transformed image information nor the random phase-only function can be reconstructed other than by a brute force search; applying said random phase-only function to said transformed image information to obtain a complex-valued output function; utilizing said output function and a chosen digital key to obtain linking information to said key; and wherein said protected filter also comprises said linking information.
Brief description of the drawings In the figures which illustrate a preferred embodiment of this invention:
Figure 1 presents a diagram of the enrollment process for producing a protected filter.
Figure 2 presents a diagram of a method to link an output plane with a digital key on enrollment.
Figure 3 presents a diagram of the verification process for secure key extraction.
Figure 4 presents a diagram of a method to extract the key on verification.
Description of the preferred embodiments This invention describes a method which firstly, reliably produces a two-dimensional array, c(x), using biometric images in conjunction with a protected filter, and secondly, describes a method for linking elements from c(x) to an M-bit digital key, k. The key, k, is only extracted correctly when the correct biometric is combined with the correct protected filter. The key, k, may be used directly as an encryption/decryption key or as a PIN in security or communication systems.
In the preferred embodiment, the two-dimensional array, c(x) will be fonmed via the interaction of a fingerprint with a filter function, stored within the protected filter.
In the first embodiment, the filter function is designed for a Fourier transform processor.
Neither the filter function nor the fingerprint alone is capable of producing c(x). From the c(x) array, the digital key, k, is extracted. Once k has been extracted, it is used in conjunction with both an encryption algorithm and a hashing algorithm in order to produce an identification code id. The ID-code id will then be compared with a previously stored value ido to determine the validity of the key, before it is released into the encryption system, or other application. The process for obtaining the identification code is as follows. Based on the required input block size of the chosen encryption algorithm, S bits from the protected filter will be encrypted using the generated key k. The resulting ciphertext block will then become the input to a one-way hash function which produces the identification code id. Since the hash algorithm is one-way, the id value cannot be transformed back into the key k.
Examples proposed for the aforementioned encryption algorithm and hash algorithm are the International Data Encryption Algorithm (IDEA) and the Secure Hash Algorithm (SHA), respectively. Note that using both an encryption algorithm and a hash algorithm provides more security than simply storing the hash value of the generated key alone. This is because the S bits that are chosen from the protected filter and encrypted using k will be unique for each user. Thus, an attacker who sought to obtain a "universal" look-up table of the relationship between k and id (so that he could extract ido from the protected filter, and thus determine ko for a particular user), would have to compute all possible permutations of encrypting S-bit messages with M-bit keys. The computational and memory resources required to generate such a look-up table makes such an attack infeasible.
1) Design of the filter function 1.1) Filter function strategy The filter function is designed to be tolerant to distortions of the fingerprint, so that it accommodates the natural variations that are apparent in biometric images over any significant period of time. Therefore, the filter function will be constructed using a set of T training images. It is assumed that the set of training images is sufficient to encompass all of the expected distortions of the fingerprint. The filter function will be calculated during an enrollment session using a series of training images.
The filter function is to be used during a verification session using a series of non-training images. The filter function is designed for a legitimate user, and should be inappropriate for use with a non-legitimate user, or "attacker".
SUBSTITUTE SHEET (RULE 26) The following typeface convention is used:
y(x) - two-dimensional array in image domain Y(u) - two-dimensional array in Fourier domain Y - one-dimensional vector containing float or integer (non-binarized) data y - one-dimensional vector containing binarized data Y - scalar Denote the T images of the biometric by { fo~(x), fo2(x), ..., foT(x)}, where the subscript 0 denotes a training set image.
The filter function that will be constructed using these images is denoted by H(u).
Note that we may refer to complex-valued functions such as H(u) independently by their magnitude and/or phase components, denoted by JH(u)j and e4H(u), respectively, where i = .
The system output in response to fa`(x) is given by cot(x) The Fourier transform of co`(x) is given by Co`(u) = Fo`(u)-H(u), where Fo`(u) is the Fourier transform of the training image, fo`(x).
The desired output pattern that we require from the system is denoted by go(x).
1.2) Filter function criteria We define two criteria, which will be used to optimize the filter function. We will use error terms that relate to two requirements for the filter function: that it consistently produces the same output pattern for a legitimate user, and that it is tolerant to distortions presented in the input images.
For 1<_ t<_ T, we require that co`(x) ;z go(x), i.e. the output pattern should be as close to go(x) as possible for each image, fo`(x), in the training set.
SUBSTITUTE SHEET (RULE 26) We can define an error term, Esimilariry+ such that:
T
Esimilarity = I~ Jcot(x)_go(x dx (1) t=1 The term ESimiia,;ty is thus defined using an arbitrary function, go(x), rather than a delta function, as is normally done in the process of correlation. Also, we wish to minimize the error due to distortion in the input images, i.e.:
If fO`(x)= f05(x)+E1ePa1 ts(x), ~ For s,tE~l,...,T},andt # s (2) then co` (x) =cos (x)+Eoupu,''S (x) ))) Assuming that Einpõt`S(x) do not correlate with fos(x) and with each other, it can be shown that the variance of the error term due to the additive distortion or changes in . fo`(x) is given by:
E noise = JH(u21'(u )du (3) where;
P(u) = average over t and s of IFT{Einput t's W} 2 , where s # t (4) i.e. P(u) represents the power spectrum of the change between the fingerprints in the training set.
In general P(u) is readily approximated by a function which characterizes the type of object for which the filter is designed. P(u) may take the form of a Gaussian function. For fingerprint images, we find that P(u) may also take the form of a simple array whose elements all have unity value. In general, the form of P(u) will be fixed for all users of the system, although it could also be user-specific.
Note that by Parseval's theorem, Esimilarity = I JCo t (u) - Go (u~ du (5) t=1 The term Esimiia,.;ty characterizes the similarity of system output in response to each of the training set images, and the term Enoise characterizes the effect of image-to-image variation. Thus, Esimila,;ry determines how selective (or discriminating) the filter function is, and Enoise determines how tolerant it is to the expected distortions in the SUBSTITUTE SHEET (RULE 26) biometric images.
1.3) Filter definition We wish to derive a filter that minimizes the total error, Etotal=
Etotal = aEnoise + 1- a 2 Esimilarity, 0<- a< 1 (6) By allowing a to vary between 0 and 1, we can minimize E101Se (for a=1) to maximize the distortion tolerance of the filter; or minimize Esimiia,;ry (for a=0) to maximize the discrimination capability; or optimize for some combination of the two (for 0<(X<1).
Substituting the filter constraints defined above yields T Etotal aJH(u2P(u)du+ l-a2 Jcot(u)_Go(u2du (7) t=1 where, as aforenoted Cot(u) = Fo`(u)=H(u) (8) We wish to minimize Eto,ai with respect to H(u). To solve this variational problem, we have to obtain a partial derivative of the expressions inside the integrals over H(u) and set this derivative to zero. Thus:
1-a2 TE[F*pt(u)H*(u)-Gp*(u)Fpt(u)+aH*(u)P(u)=0 (9) t=1 Solving equation (9) for H(u) yields;
~F*Ot(u) GO(u) H(u)= 1 T
-a2 t=1 (10) {u+12 1 jFot(u1 T t=1 Note that P(u) - P*(u), where * denotes complex conjugate.
This defines the filter function that is optimized with respect to the two error terms that were defined in the filter function criteria section. It is convenient to define the following terms:
SUBSTITUTE SHEET (RULE 26) T
AO(u)= T >,FOt(u) (11) t=1 T
Do(u) = T Z'Fot(u~2 (12) t=1 Thus, H(u)a AO*(u)GO(u) (13) aP(u)+ 1- a2 D0 (u) Further, we re-write equation (13) as:
H(u) = Hp(u)GO (u) (14) where the constant scalar 1-a2 1/2 has been ignored. ( ) The expression HF(u) contains all of the terms of the filter relating to the training set of fingerprint images, and Go(u) is the Fourier transform of go(x). Note that equation (14) defines a filter H(u) that is optimized for any function for Go(u). We seek to choose a Gfl(u) that provides maximum security of H(u).
The term a in H(u) provides a trade-off between the discrimination capability and distortion tolerance of the filter. Thus, a can be used to produce a tighter or more forgiving system, depending on the requirements. The value of a is generally determined by testing the performance of filters using a large database of images.
The parameter (x may be universal, in which case it is stored in the system, or it may be user-dependent, in which case it will be stored as part of the protected filter.
1.4) Security of protected filter One of the main requirements of the system is that the protected filter must be immune to attack, i.e. neither the biometric image, f(x), nor the system output, go(x), should be recoverable from the protected filter. Note that at this point the form of the protected filter has not yet been defined. Thus, we have the freedom to choose the form of Go(u) to maximize the security of the protected filter. Security is found to be maximized when Go(u) is a random, uniformly distributed phase function, and only the of HFu denoted e`~HF (u) phase ( ), , is stored. The protected filter thus comprises the product of e4HF (u) and a random phase-only function. The following text SUBSTITUTE SHEET (RULE 26) demonstrates the "perfect secrecy" of the protected filter. Perfect secrecy in this sense implies that given the protected filter, neither of the two elements comprising this filter can be reconstructed.
Theorem 1: (see D. Stinson. Cryptogra hy: Theory and Practice, CRC Press, New York, 1995) Suppose a cipher system has been defined such that the size of the keyspace (K), the plaintext space (P), and the ciphertext space (C), are all equal. Then this cipher system provides perfect secrecy if and only if:
1. every key is used with probability equal to IIIKI, where IKI denotes the size of the keyspace, and 2. for every element x E P, and every element y E C, there exists a unique key k E K such that the encryption of x with k produces the ciphertext y (i.e.
eAW =y).
The above theorem will apply to a cipher system based on the operation of addition modulo 27r if it is assumed that each key k in the keyspace K is equiprobable.
In other words, any key k E K has an equal probability of being chosen as the key. In reality what this implies is that the random number generator being used to produce k is devised in such a way that it does not impose an unequal probability distribution on the keyspace, which would inevitably compromise security. This implies that the random number generator used to provide keys for the following encryption system must choose a random key k in the keyspace K based on an equiprobable distribution.
Note: [0,2n)" used in the following lemma implies an r element string where each element can take on the values j such that 0<_ j< 27t .
Lemma 1: The cipher system defined such that P=C=K=[0,2n)'* and based on the operation of addition modulo 2n with randomly generated keys has perfect secrecy.
Proof: The elements of P, C, and K are defined as a string (or array) of r floating SUBSTITUTE SHEET (RULE 26) point elements where each element falls within the range of 0 to 27t . For simplicity consider (3 as the number of possibilities in the space [0,27r) when taking into account the floating-point precision level. Then we have IKI = ICI = IPI = p r.
Enforcing the above assumption we have that every key has a probability of 1IIKI of being chosen.
We are left to prove that for every x E P and every y E C, there is a unique key k such that e,. (x) = y. Since y = ek (x) = (x + k)mod 27c, if we fix x and y we can solve for k uniquely using the equation: k=(y - x)mod 2n.
Thus we have that a cipher system based on addition mod 27c has perfect secrecy.
What is important in the above discussion to the concept of secure key management using a biometric is the fact that the product of two phase-only arrays is equivalent to an addition mod 2n. Because of this equivalence relationship the above Lemma also applies to a cipher system based on the product of two phase-only arrays.
Thus we have the following:
Lemma 2: The cipher system defined such that P=C=K={e`R}r, where {e`R}' is an r element string and p=[0,27r), based on the operation of multiplication with randomly generated keys, has perfect secrecy.
While it was shown above that saving only the phase of HF(u) allows excellent security of the protected filter to be obtained when combined with a random phase array, the optimal filter defined by equation (14) requires that the magnitude term, IHF(u)l, is used during generation of the output pattern, c(x), for optimal consistency of c(x). The method proposed in the following section addresses both of these requirements:
1.5) Protected filter format In this section, we describe a method for simultaneously satisfying the need for magnitude information in the filter function and maintaining security of the protected filter.
SUBSTITUTE SHEET (RULE 26) Consider generating an array, Go(u), whose elements have unity magnitude, i.e., Go(u) is a phase-only function and whose phase values,j, are random and uniformly distributed such that 0<_ j<2rr, i.e.:
Go (u) = e4o (u) = ei2nU[0,1) (15) where U[0, 1) represents an array of elements whose value, j, is randomly and uniformly distributed such that 0<- j < 1. Note that in the discussion which follows, we will use e4OO(") to essentially represent the random phase only function defined above. Thus using this expression to represent Go(u) and using the set of training images,fo'(x), calculate H(u) using equation (14).
H(u) = AO*(u) e40o(u) (16) aP(u)+ 1- a2 D0 (u) H(u), was optimized to produce a consistent co (x) (and as close to go(x) as is possible) when a member of the training image fo`(x) is presented to the system. The resulting output, co(x) is given by;
ye-`~AO~") c9 (x) = FT-1 F.0 (u) JAO(u~I eiCo (u) (17) aP(u) + 1- aZ DO (u) The expected output, cl(x), from the system when a non-training image (i.e.
during verification) is present is given by:
i~,~ (u) cl (x) = FT-1 F1 (u) JAO (u)e cl,co (u) (18) aP(u)+ 1- a2 DO(u) where the subscript I represents a set of images used in verification.
Clearly, we desire that cl(x) is as close to co(x) as possible, for the legitimate user.
Of course, ci(x) -> co(x) if the testing image, f(x), is identical to the training image, fo(x). We find that as the number of fingerprints, T, in the training set increases, Ao(u) converges to a fixed function (at about T = 6). Because the training set of enrollment images are captured in the same way as the subsequent verification images, at T= 6, 0 i(u)I =[Ao(u)l and Dj(u) - D(,(u), i.e. the average of the set of verification images tends to the average of the set of enrollment images. Therefore, in equations (17) and SUBSTITUTE SHEET (RULE 26) (18), we use Ao(u) to represent Fo(u), and A i(u) to represent F, (u), i.e. we use the average of the fingerprint transforms to represent the individual fingerprints. To ensure that we never have to store any magnitude information in the filter (for optimal security, we wish to store only phase terms), we also approximate IAo(u)l by JA I (u)l and Do(u) by Di(u) in equation (18) to yield:
c0(x)=FT-1 IAO(u/I e4GO(u) (19) aP(u)+ 1- a 2 DO (u) and cl(x)=FT-1 JA1(u)2 4a1 (u)e-4ao(u)e4GO(u) (20) aP(u)+ 1-a2D1(u) It can be seen from equations (19) and (20) that this procedure could be used to satisfy both the constraints that phase-only functions are saved, and that magnitude terms are used to preserve the consistency of the output c(x) patterns. For example, if we re-write the equations as:
c0 (x) = FT-1 JAO (ueiO~ (u) JAO (u) e-iO~ (u)el~GO (u) ~I aP(u)+ l - a2 DO(u) (19) and cl (x) = FT-1 IAl (ullye4A1 (U) JAI (u) e-4no (u)e1~GO (u) aP(u)+ 1- a2 D1(u) (20) Thus, if we store only the product of the phase of the complex conjugate of the training set images, e-`~AO~ ) and the phase-only function, e`OGO( ) i.e.
Hstored (u) = e -4Ap(u) e 4Gp(u) ' (21) and we recreate the magnitude terms of the filter "on-the-fly" during either enrollment SUBSTITUTE SHEET (RULE 26) or verification, then the security and consistency aspects are simultaneously obtained.
Thus, during the processes of enrollment and verification we create transitory filters, JAo (u) ~A1 ~u~l f Hstored (u), and Hstored (u) ~
aP(u) + 1- a2 Dp (u) aP(u)+ a2 Dl (u) respectively, which contain both magnitude and phase information and which are used to calculate c (x) and cI (x), respectively, although only the phase information is ever stored. The method of generating the filter magnitude terms will be described completely in Section 2.2. The preferred method for securely linking a requested key to the array c(x) is presented in the next section. Note that the security of the system may be further enhanced by saving and utilizing only the top (or bottom) portions of the arrays Hstored(U), A(u) and D(u) above to produce the c(x) output functions. This will eliminate any potential problems associated with the symmetry properties of A(u) and D(u).
Secure key generation.
2.1) Enrollment The secure generation of the digital key is described with reference to figures 1-4.
The biometric images comprising the training set are 128x 128 dimensioned float or byte arrays.
With reference to figure 1, we specify, or use a random number generator, 80, to generate, an M-bit key, ko, 90, as is required by the encryption or other system. One example of such a random number generator is the Blum-Blum-Shub (BBS) generator.
Using a random number generator, 40 (possibly distinct from 80), generate a 128x 128 dimensioned array e'~~0 ~"~ , 52, as defined above in equation (15).
Use the training set of data, {f0~(x), f 2(x), ..., f T(x) 10, to produce the expressions of boxes 30 and 51. Combine the expressions of boxes 30 and 51 with e'OG0 (") , 52, SUBSTITUTE SHEET (RULE 26) to derive co(x), 60, using equation (19).
Store the product of the phase-only function e`OGo ("), 52, and e-`~A~ ~ ~ 51, as Hstored (u), 53, as defined by equation (21).
Determine a set of S bits, 103, from Hstored (u), 53, which will be unique for each individual. Using the supplied key ka, 90, as an encryption key, encrypt this set of S
bits, 103, using an encryption algorithm, 94, e.g. IDEA. The output from this algorithm is then used as the input to a one-way hash algorithm, 91, e.g. SHA.
The output of the hash algorithm is used as an identification code, ido, 92.
The output co(x), 60, is a 128x128 complex-valued array.
Referencing figure 2, a link algorithm, 64, used to link elements from co(x), 60, with ko, 90, is defined by the following steps:
First, extract the central 64x64 portion of co(x) to produce an array, 110.
Next, concatenate the real and imaginary parts of array, 110, to form an enrollment template, 111, of dimension 128x64, i.e. an array with 128 columns and 64 rows. For example, if at position x, y of the 64x64 portion of co(x) the element a+bi appears, then, in the enrollment template I 11, element a will appear at position x, y and element b will appear at position (x+64), y.
The elements of the enrollment template, 111, are then sent into the decision box, 113, which sorts the elements by sign. Note that the negative elements from 1 I 1 will eventually represent '0 valued' elements of the key, ko, while positive elements from 111 will be used to represent ' 1 valued' elements of ka.
The negative elements are then ranked in descending order according to their magnitude and the indices of the ranked elements (i.e. the row and column of each SUBSTITUTE SHEET (RULE 26) ranked element in the enrollment template) are stored in the vector Location_zeroes, 130. The same procedure is then executed for the positive elements of 111 in which the indices of the ranked elements are stored in the vector Location ones, 131.
Notice that the names of these vectors have been chosen due to their eventual relation with the bits of the key as noted above.
The value M represents the length of the requested key, ko, 90. Let Mo represent the number of 0's in ko, 90, and let M 1 represent the number of 1's. Retain then the first MoxL elements of Location_zeroes, 130, and the first MixL elements of Location ones, 131.
For each of the M-bits in the requested key, ko, 90, sequentially or randomly extract L
elements from either the first MoxL elements of Location_zeroes, 130, or the first MixL elements of Location_ones, 131, depending on whether the requested bit was a zero or a one, respectively. The L elements extracted for key bit in, form the mtn column of a Link Index array, Ll, 62, with M columns and L rows. The elements of LI, 62, thus form the link index "lookup-table" for the elements of the enrollment template, 111, that have been chosen to represent the key, ko, 90. Note that it has been observed that the probability of an error in each key bit is inversely proportional to the rank of the constituent bits. The rank was determined based on the distance of the point of the enrollment template from either the real or imaginary axes, i.e. the distance of the point from zero, depending on whether that point comes from the real or the imaginary part, respectively. Therefore, we may choose the L elements in an interleaving manner as presented in figure 2, such that the probability of error in each of the M key bits is homogenized. However, the elements may also be chosen randomly so as to minimize the information given to the attacker. Note also that for an M-bit key, the maximum value of L should be limited, so that all valid combinations of the key are supported by the available elements of the enrollment template (the requested key permutation has to be supported by the available number of zeroes and ones in the enrollment template).
Store the protected filter, which comprises Hstored(U), 53, the Link Index array, LI, 62, SUBSTITUTE SHEET (RULE 26) and the ID-code, ido, 92. The protected filter may also contain the value of a and/or the function of P(u), unless they are universal to the system.
2.2) Verification With reference to figure 3, Hs,o,.eju), 53, LI, 62, ido, 92, and, where necessary, a and/or P(u) are read in from the protected filter.
Using the non-training, or verification, set of inputs, {f I1(x), f Z(x), ..., f T(x)}, 11, along with the values of a and P(u), calculate the term in the expression of box 31.
Use the term of box 31 with Hstored(u), 53, to calculate cl(x), 63, using equation (20), i.e.;
cl(x)= FT1 IA1(u) 2 e 10A, (u) Hstored~u) (22) aP(u)+ 1 - a2 D, (u) With reference to figure 4, extract the central 64x64 portion of ci(x), 63, to produce an array, 140.
Concatenate the real and imaginary parts of 140 to form a verification template, 141, of dimension 128x64.
Binarize each element of the verification template, 141, independently by thresholding relative to zero, to produce a binarized verification template, 142, of dimension 128x64.
Define kt, 93, as an M-element vector, and use the following steps to extract the elements of k, from the binarized verification template, 142, and the Link Index, 62.
For the m`h element of ki, 93, sum all of the bits of the binarized verification template whose indices are specified by the mth column of LI, 62. The value of the mth element of ki, 93, is set to one if the sum of the bits is greater than or equal to L/2, and set to zero otherwise.
SUBSTITUTE SHEET (RULE 26) Obtain the same set of S bits, 103, from Hstored (u) as was used in the enrollment process, and, using kt, 93, as an encryption key, encrypt these bits with ki using an encryption algorithm, 94. The output of this algorithm is used as the input to the one-way hash algorithm, 91. The output of this hash algorithm is the ID-code idi, 95.
This code idi, is then compared, 96, with the ido, 92, obtained from the protected filter. If there is a match, then release key, ki, 93.
If idl, 95, does not match ida, 92, then extract the portion of ci(x), 63, that is offset from the centre by one pixel, and repeat the above process to obtain a new idl, 95.
Continue this process with all portions of ci(x) that are one pixel offset from centre, comparing idl with ido for each iteration (eight combinations, including diagonals).
If at any point id, - ido then cease the algorithm and release k, (= ko). If, for all locations, id, # ido, then repeat the above process for extractions that are offset from centre by two pixels, and so on up to approximately sixteen pixel offsets. If idt # ido for all locations, then send a message to the system that verification has failed and thus no key has been released.
It will be clear to those skilled in the art that the above procedure is used as a "brute force" search to accommodate the relative translation of the fingerprint images between enrollment and verification. In general, it is observed that less than +/- 16 pixels of translation in a 128x128 image can be achieved using a suitable jig to position the finger, and thus the range of translation accommodated by the above algorithm is sufficient.
It will be clear that the ID-code, ido, may also be stored at a secure location outside the protected filter. In this case, during verification, a new ID-code, idi, is sent to that location and compared with ido. This will improve the system security in that an attacker trying to retrieve the key, ko, from the protected filter will not have access to ido, and thus can only know whether his/her efforts were successful via messages sent from the secure location and controlled by the system administrator. Hence, the system administrator may limit the number of consecutive failed comparisons SUBSTITUTE SHEET (RULE 26) between id, and ido so that an attacker cannot assemble a large database of fingerprints and use them to attempt to produce the correct key, ko.
While it is not stated in the preferred embodiment, it will be clear to those skilled in the art that &orea(u) may be stored as an array of quantized elements, where each element is one of a limited number, such as sixteen, of phase-levels.
It will be obvious to those skilled in the art that the above algorithm could also be used to accomplish verification of a system user, without release of a key.
This can be achieved, for example, by storing the function, co(x), in the verification system.
Then, when the user verifies the system produces ci(x), which is then compared with co(x) by, for example, summing the Euclidean distance between each of the elements of the two arrays to obtain a single scalar value which describes the similarity between cl(x) and co(x). Alternatively, correlation could be used to judge the similarity between cI (x) with co(x), and the ratio of correlation peak height divided by the total correlation plane energy could be used as the scalar value. This scalar value is then compared with a pre-determined system threshold and the user is either accepted or rejected by the system. If co(x) can remain secure then it would be very difficult for an attacker to defeat such a system by generating an artificial ci(x) and obtaining a positive verification signal.
While the preferred embodiment describes a "brute-force" method of aligning the ci(x) pattern relative to the co(x) by extracting different sections of ci(x), it will be obvious to those skilled in the art that other methods for aligning ci(x) relative to co(x) may be used. For example several minutia points from the biometric could be stored in the protected filter and used to pre-align cI (x) relative to co(x), prior to the extraction of the constituent bits. Another method would reserve some of the bits of the enrollment template to be linked with a system-specified synchronization signal.
During verification, the binarized verification template is searched for the specified synchronization signal, and once located, is used to align cl(x) relative to co(x).
Although the above embodiment sums the constituent bits from the binarized SUBSTITUTE SHEET (RULE 26) verification template with uniform weights, it will be obvious to those skilled in the art that various weighting functions could be used to further enhance performance of the system. As an example, the constituent bits could be weighted according to the inverse rank of each bit and summed. The constituent bits could also be weighted inversely proportional to the expected standard deviation of each bit before being added. Furthermore, the magnitude vectors could be added together using complex weights, comprising an amplitude term such as the standard deviation, and a phase term, which is added to the phase of each element and which is defined by the conjugate of the phase of that element in the enrollment template. For a legitimate user, this phase "correction" will provide a magnitude vector summation along the real axis. The summation will thus be far from the origin. For an attacker, the phase of the verification template will be random with respect to the legitimate user enrollment template. Because of this, the complex weights will not cancel the phase terms and the summation of the magnitude vectors should collapse to zero. The idea here is to force the legitimate user's summation to be far from the binarization threshold (i.e., zero on the real axis), while the attacker's summation is random about the binarization threshold.
It will be obvious to those skilled in the art that error-correcting codes, such as Hamming codes and Reed-Solomon codes, may be used to reduce the number of errors in the digital key, k. This would be achieved, for example, by using the constituent bits of the binarized verification template to derive N bits of data (where N
> M), and then using error-correcting codes to transform the N encoding bits to the M
key-bits.
It will be obvious to those skilled in the art that the preferred embodiment allows for periodic updating of the protected filter. For example, consider that the set of training images for a particular user, f' (x), f 2(x), ..., f T(x), is stored in a secure location, and is available to a system administrator (perhaps, as a privacy/security measure, only after the legitimate user has verified). When this user presents a subsequent set of images, f'(x), f 2(x), ..., f S(x), to the system, the system administrator may combine this new set of images with the previous set to form a new SUBSTITUTE SHEET (RULE 26) set of T+S images which may now be considered as an updated set of training images.
Using this inclusive set of T+S images, Hto,,d(u) and co(x) can be regenerated (using a new version of Go(u)), and a new linking index array, LI, determined. The new versions of Hstord(u) and LI should be stored in the protected filter. This process may be considered as "adaptive filtering", as the contents of the protected filter are adapted over time to encompass more of the natural variations of the biometric image than could be encompassed in a single enrollment session.
It is also obvious that any time a new set of images is acquired, the key, ko, may be modified, if necessary. In this case ido should be modified in the protected filter.
Updating the key has several benefits. For example, if it is known that ko has been compromised, then a new key should be introduced into the system. Also, if it is known that an attacker can establish the value of a key within a certain period of time, for example by using a brute-force computational search, then the value of the key should be updated within this period of time. Updating the value of the key periodically is a standard procedure used in cryptographic and other security systems, and it is evident that this is easily achieved using the methods described herein.
3) Other embodiments of the invention A second embodiment of the invention deals with minutiae-based fingerprint verification techniques.
It has been known for more than 100 years that the minutiae are unique and reasonably robust characteristics of a fingerprint. Classical minutiae are defined as fingerprint ridge endings (type 1 minutiae) and fingerprint ridge bifurcations (type 2 minutiae). It is obvious that the type 1 minutiae may be also defined as fingerprint groove bifurcations and the type 2 minutiae - as groove endings. There are also some other fingerprint characteristics which are sometimes referred to minutiae, such as rods, pores, bridges, islands, line breaks, etc., but they are usually unstable and irreproducible in subsequent attempts. These characteristics often produce false minutiae, or fingerprint noise, because they may be deemed real minutiae during fingerprint verification.
For the past 20 years, many algorithms for automatic minutiae extraction have been SUBSTITUTE SHEET (RULE 26) developed. The strength of these methods is in a fingerprint identification, or so-called "one-to-many" systems, because they allow a fast comparison of a fingerprint to be identified against a huge database with a relatively low false acceptance. However, one of the major drawbacks of the minutiae methods is that they require fingerprints of a high quality and without large scars. This explains the fact that most minutiae methods have a minimum false rejection rate of at least a few per cent in a real-life test.
For the key management in this embodiment, we use one of the known minutiae extraction algorithms (see, for example, U.S. Patent No. 4,752,966 to Schiller). The algorithm scans a fingerprint image and finds a horizontal and vertical, x and y, positions of the minutiae, their orientation angles, 0, and identifies them as types, 1 or 2. To improve the consistency of the minutiae extraction, we may use a few fingerprints both in enrollment and in verification. In one method, the minutiae are tested for their stability: if the same minutia is found, for example, in at least 4 attempts from 5 in total, this minutia will be retained, otherwise, it is considered unstable and dropped. In another method, all minutiae found in 5 --6 attempts are retained for further processing. There might be also an intermediate method, which allows us to tune the system tolerance. At the end of the minutiae extraction process there are usually from 5 -- 7 to 30 -- 50 minutiae found in the fingerprint, depending on the method of the extraction and properties of a particular fingerprint.
At the next step a feature array, f(x,y,8), is formed in a 3D feature space which includes x, y minutiae coordinates and their angles. In a preferred embodiment, x and y are sampled by 64 pixels each and 0 is sampled by 161evels from (-7r) to 7c, thus the total number of pixels is 64x64x16 = 65536. If a minutia occupies a particular cell (xo,yo,0o) in the feature space, then the function f(xo,yo, 00) = 1 if the minutia is of type 1 and f(xo,yo, Oo) = -1 for the type 2 minutiae. Finally, f(xo,yo, 6o) = 0 if there is no minutia in this cell.
After the function f(x,y, 0) is determined, a 3D Fourier transform is performed to obtain a 3D
complex function F(u,v,0). We prefer the Fourier transform to any other transform because it provides translation-invariant verification. Moreover, because we use the minutiae angle as a third coordinate, this embodiment is also rotationally invariant. In other words, if during verification a finger is placed into a different position and at a different angle, this will not significantly affect the performance of the method.
The next steps are very similar to those in the first embodiment. In enrollment, a 3D
function, G (u,v, O), having unity magnitude and a random and uniform phase, is generated. Then we obtain an amplitude, I Fo and the phase, ~ F (u, v, o) , of the Fourier transform of the enrolled feature function, fo(x,y,A). The following two functions are calculated:
-4 p (u,v,E)) Hs,ored (u, v, 0) = Go (u, v, 0)e (23) co(x,Y,e ) = FT-' 0(Fo(u,v,0)J)Go(u,v,0) (24) It is known that a Fourier transform of a real object possesses a symmetry property, i.e.
, F(u,v,0) = F(-u,-v,-O) , which may give some additional information to an attacker having an access to Hstored . To improve the security of the method, only a half of the 64x64x 16 array, Hsto,,d , may be extracted and stored, that is, its dimensions will be, for example, 64x32x16.
A
The operator Q in equation (24) processes the amplitude I Fo I in order to improve the system tolerance. It may contain, for example, a saturation denominator like in the first embodiment (equation (19)).
The function co(x,y,O) is used to encode an M-bit digital key, ko . This is done via a link code and in the same manner as in the first embodiment. More particular, a central portion of co(x,y,O) is extracted; for example, its size may be 32x32x10 or 32x16x10, if the noted half of Hs,old was stored. The real and imaginary parts of the extracted arrays are concatenated and binarized, thus the resulting array contains 20480 bits (or 10240, if the noted half was stored). The link code links each of the M
bits in the key ko to L bits picked from the array of 20480 or 10240 elements.
There may be some more sophisticated methods, including various error correcting codes.
SUBSTITUTE SHEET (RULE 26) The stored protected filter comprises the phase-only function, Hstorea(u,v,0), the data defining the link code, and the ID-code, ido.
In verification, a feature function, fl(x,y,0), and its Fourier transform, Fl(u,v,0), are obtained in the same way as it was done in enrollment. The function Hsrored(u,v,0) is read from the storage means, and a function cl(x,y,0) is calculated as c,(c>1',0 )= FT-' (~(jF,(u,v,0)j)e~~~~u'v'O~ Hsrored(u,v,0) (25) I
~
Here 0F, (u,v,0) is a phase of the Fourier transform F1. Then a centra132x32x10 portion (or 32x16x10, if the noted half of Hstored was extracted during enrollment) of cl is extracted and sequentially scanned across cl until a correct key is retrieved or verification fails. Normally, the size of the box being scanned is 32x32x4 (32x16x4 for the half). However, if the minutiae extraction algorithm also determines a natural center of the fingerprint (usually this is a point of a maximum line curvature), this size can be made much smaller, for example, 4x4x4. This will significantly speed up the verification process. Using the link code, which is also read from the storage means, a decrypted key, kl, is determined from the extracted portion of cl.
Then the hash value, idl, is calculated from kl and compared with the stored value ido. If they match, the correct key is released.
In a third embodiment of the invention, yet another method for obtaining a biometric information signal is used.
In enrollment, the information contained in a 2D fingerprint image, fo(x,y), is sorted into two parts: the most distinctive, fom(x,y), and the least distinctive, foi(x,y).
The most distinctive information contains the areas (we call them "tiles") including minutiae, scars, places with a high line curvature, etc., in other words, the areas which do not have a parallel or quasi-parallel line structure. One of the methods for finding these areas is disclosed in U.S. Patent No.
In German patent DE 42 43 908 A 1 to Bodo, a method was proposed for extracting a digital key directly from a biometric. While the invention of Bodo thus provides a method for producing a digital key from a biometric, the security of such a system is irrevocably lost if the digital key is ever compromised. For this reason, feature I
above is preferred; i.e. for a system to remain secure, there should be the ability to change the digital key. The invention described herein proposes a method for linking a key to the biometric, rather than directly deriving the key from the biometric; thus the key can be changed at any time simply by re-enrolling the user and recreating the protected filter.
Methods have been described to re-generate signals using a biometric, based on the use of conventional matched filters in correlators. It is well known by those skilled in the art that a matched filter does not allow a trade-off between distortion tolerance and discrimination. Thus, in a system using a matched filter, it is impossible to optimally comply with both features 2 and 3 above. Also, it is known that the extraneous terms produced at the output of a system using a matched filter eliminate the possibility of exactly reproducing a block of pre-determined data. Thus, known methods using matched filters do not easily accommodate feature 1 above.
Furthermore, the impulse response of a matched filter will usually reveal enough information about the biometric for an "attacker" to recreate the biometric, and thus the signals. Therefore, a matched filter approach does not possess feature 4.
SUBSTITUTE SHEET (RULE 26) In International Application no. WO 9608093 by Tomko et al., a method was proposed for biometic controlled key generation. A filter is generated as a function both of the Fourier transform of a biometric and of a function derived from a unique number. In order to address features 2 and 3, the filter has to be of the inverse type. However, it can be shown that the inverse-type filter, like a matched one, contains information about the Fourier transform magnitude and, thus, can be successfully "attacked". Therefore, it is impossible to comply with feature 4.
Phase-only filters are known for use with optical correlators to improve signal-to-noise ratio.
US 5,214,534 to Kallman describes such a system.
According to the present invention, there is provided a method for securely recovering a digital key, comprising the steps of: capturing at least one biometric image;
obtaining transformed image information comprising transforming said at least one biometric image to a transform domain; retrieving a protected filter from storage; applying said transformed image information to said protected filter to obtain verification information; and obtaining a digital key from said verification information, characterised by: said protected filter comprising a phase-only filter and linking information, said phase-only filter generated from a random phase-only function and other phase information to obtain cryptographic secrecy, that is, given the phase-only filter, neither the random phase-only function nor the other phase information can be reconstructed other than by a brute force search, said linking information generated, at least in part, from said phase-only function and from said digital key; said obtaining a digital key comprising applying said linking information to a function of said verification information.
According to another aspect of the invention there is provided a method of storing a digital key, comprising the steps of: capturing at least one biometric image;
obtaining transformed image information comprising transforming said at least one biometric image to a transform domain; generating a random function; utilizing said random function and said transformed image information in generating a protected filter; and storing said protected filter;
characterised by: said random function being a random phase-only function such that said protected filter comprises a phase-only filter, having cryptographic secrecy, that is, given the phase-only filter, neither the transformed image information nor the random phase-only function can be reconstructed other than by a brute force search; applying said random phase-only function to said transformed image information to obtain a complex-valued output function; utilizing said output function and a chosen digital key to obtain linking information to said key; and wherein said protected filter also comprises said linking information.
Brief description of the drawings In the figures which illustrate a preferred embodiment of this invention:
Figure 1 presents a diagram of the enrollment process for producing a protected filter.
Figure 2 presents a diagram of a method to link an output plane with a digital key on enrollment.
Figure 3 presents a diagram of the verification process for secure key extraction.
Figure 4 presents a diagram of a method to extract the key on verification.
Description of the preferred embodiments This invention describes a method which firstly, reliably produces a two-dimensional array, c(x), using biometric images in conjunction with a protected filter, and secondly, describes a method for linking elements from c(x) to an M-bit digital key, k. The key, k, is only extracted correctly when the correct biometric is combined with the correct protected filter. The key, k, may be used directly as an encryption/decryption key or as a PIN in security or communication systems.
In the preferred embodiment, the two-dimensional array, c(x) will be fonmed via the interaction of a fingerprint with a filter function, stored within the protected filter.
In the first embodiment, the filter function is designed for a Fourier transform processor.
Neither the filter function nor the fingerprint alone is capable of producing c(x). From the c(x) array, the digital key, k, is extracted. Once k has been extracted, it is used in conjunction with both an encryption algorithm and a hashing algorithm in order to produce an identification code id. The ID-code id will then be compared with a previously stored value ido to determine the validity of the key, before it is released into the encryption system, or other application. The process for obtaining the identification code is as follows. Based on the required input block size of the chosen encryption algorithm, S bits from the protected filter will be encrypted using the generated key k. The resulting ciphertext block will then become the input to a one-way hash function which produces the identification code id. Since the hash algorithm is one-way, the id value cannot be transformed back into the key k.
Examples proposed for the aforementioned encryption algorithm and hash algorithm are the International Data Encryption Algorithm (IDEA) and the Secure Hash Algorithm (SHA), respectively. Note that using both an encryption algorithm and a hash algorithm provides more security than simply storing the hash value of the generated key alone. This is because the S bits that are chosen from the protected filter and encrypted using k will be unique for each user. Thus, an attacker who sought to obtain a "universal" look-up table of the relationship between k and id (so that he could extract ido from the protected filter, and thus determine ko for a particular user), would have to compute all possible permutations of encrypting S-bit messages with M-bit keys. The computational and memory resources required to generate such a look-up table makes such an attack infeasible.
1) Design of the filter function 1.1) Filter function strategy The filter function is designed to be tolerant to distortions of the fingerprint, so that it accommodates the natural variations that are apparent in biometric images over any significant period of time. Therefore, the filter function will be constructed using a set of T training images. It is assumed that the set of training images is sufficient to encompass all of the expected distortions of the fingerprint. The filter function will be calculated during an enrollment session using a series of training images.
The filter function is to be used during a verification session using a series of non-training images. The filter function is designed for a legitimate user, and should be inappropriate for use with a non-legitimate user, or "attacker".
SUBSTITUTE SHEET (RULE 26) The following typeface convention is used:
y(x) - two-dimensional array in image domain Y(u) - two-dimensional array in Fourier domain Y - one-dimensional vector containing float or integer (non-binarized) data y - one-dimensional vector containing binarized data Y - scalar Denote the T images of the biometric by { fo~(x), fo2(x), ..., foT(x)}, where the subscript 0 denotes a training set image.
The filter function that will be constructed using these images is denoted by H(u).
Note that we may refer to complex-valued functions such as H(u) independently by their magnitude and/or phase components, denoted by JH(u)j and e4H(u), respectively, where i = .
The system output in response to fa`(x) is given by cot(x) The Fourier transform of co`(x) is given by Co`(u) = Fo`(u)-H(u), where Fo`(u) is the Fourier transform of the training image, fo`(x).
The desired output pattern that we require from the system is denoted by go(x).
1.2) Filter function criteria We define two criteria, which will be used to optimize the filter function. We will use error terms that relate to two requirements for the filter function: that it consistently produces the same output pattern for a legitimate user, and that it is tolerant to distortions presented in the input images.
For 1<_ t<_ T, we require that co`(x) ;z go(x), i.e. the output pattern should be as close to go(x) as possible for each image, fo`(x), in the training set.
SUBSTITUTE SHEET (RULE 26) We can define an error term, Esimilariry+ such that:
T
Esimilarity = I~ Jcot(x)_go(x dx (1) t=1 The term ESimiia,;ty is thus defined using an arbitrary function, go(x), rather than a delta function, as is normally done in the process of correlation. Also, we wish to minimize the error due to distortion in the input images, i.e.:
If fO`(x)= f05(x)+E1ePa1 ts(x), ~ For s,tE~l,...,T},andt # s (2) then co` (x) =cos (x)+Eoupu,''S (x) ))) Assuming that Einpõt`S(x) do not correlate with fos(x) and with each other, it can be shown that the variance of the error term due to the additive distortion or changes in . fo`(x) is given by:
E noise = JH(u21'(u )du (3) where;
P(u) = average over t and s of IFT{Einput t's W} 2 , where s # t (4) i.e. P(u) represents the power spectrum of the change between the fingerprints in the training set.
In general P(u) is readily approximated by a function which characterizes the type of object for which the filter is designed. P(u) may take the form of a Gaussian function. For fingerprint images, we find that P(u) may also take the form of a simple array whose elements all have unity value. In general, the form of P(u) will be fixed for all users of the system, although it could also be user-specific.
Note that by Parseval's theorem, Esimilarity = I JCo t (u) - Go (u~ du (5) t=1 The term Esimiia,.;ty characterizes the similarity of system output in response to each of the training set images, and the term Enoise characterizes the effect of image-to-image variation. Thus, Esimila,;ry determines how selective (or discriminating) the filter function is, and Enoise determines how tolerant it is to the expected distortions in the SUBSTITUTE SHEET (RULE 26) biometric images.
1.3) Filter definition We wish to derive a filter that minimizes the total error, Etotal=
Etotal = aEnoise + 1- a 2 Esimilarity, 0<- a< 1 (6) By allowing a to vary between 0 and 1, we can minimize E101Se (for a=1) to maximize the distortion tolerance of the filter; or minimize Esimiia,;ry (for a=0) to maximize the discrimination capability; or optimize for some combination of the two (for 0<(X<1).
Substituting the filter constraints defined above yields T Etotal aJH(u2P(u)du+ l-a2 Jcot(u)_Go(u2du (7) t=1 where, as aforenoted Cot(u) = Fo`(u)=H(u) (8) We wish to minimize Eto,ai with respect to H(u). To solve this variational problem, we have to obtain a partial derivative of the expressions inside the integrals over H(u) and set this derivative to zero. Thus:
1-a2 TE[F*pt(u)H*(u)-Gp*(u)Fpt(u)+aH*(u)P(u)=0 (9) t=1 Solving equation (9) for H(u) yields;
~F*Ot(u) GO(u) H(u)= 1 T
-a2 t=1 (10) {u+12 1 jFot(u1 T t=1 Note that P(u) - P*(u), where * denotes complex conjugate.
This defines the filter function that is optimized with respect to the two error terms that were defined in the filter function criteria section. It is convenient to define the following terms:
SUBSTITUTE SHEET (RULE 26) T
AO(u)= T >,FOt(u) (11) t=1 T
Do(u) = T Z'Fot(u~2 (12) t=1 Thus, H(u)a AO*(u)GO(u) (13) aP(u)+ 1- a2 D0 (u) Further, we re-write equation (13) as:
H(u) = Hp(u)GO (u) (14) where the constant scalar 1-a2 1/2 has been ignored. ( ) The expression HF(u) contains all of the terms of the filter relating to the training set of fingerprint images, and Go(u) is the Fourier transform of go(x). Note that equation (14) defines a filter H(u) that is optimized for any function for Go(u). We seek to choose a Gfl(u) that provides maximum security of H(u).
The term a in H(u) provides a trade-off between the discrimination capability and distortion tolerance of the filter. Thus, a can be used to produce a tighter or more forgiving system, depending on the requirements. The value of a is generally determined by testing the performance of filters using a large database of images.
The parameter (x may be universal, in which case it is stored in the system, or it may be user-dependent, in which case it will be stored as part of the protected filter.
1.4) Security of protected filter One of the main requirements of the system is that the protected filter must be immune to attack, i.e. neither the biometric image, f(x), nor the system output, go(x), should be recoverable from the protected filter. Note that at this point the form of the protected filter has not yet been defined. Thus, we have the freedom to choose the form of Go(u) to maximize the security of the protected filter. Security is found to be maximized when Go(u) is a random, uniformly distributed phase function, and only the of HFu denoted e`~HF (u) phase ( ), , is stored. The protected filter thus comprises the product of e4HF (u) and a random phase-only function. The following text SUBSTITUTE SHEET (RULE 26) demonstrates the "perfect secrecy" of the protected filter. Perfect secrecy in this sense implies that given the protected filter, neither of the two elements comprising this filter can be reconstructed.
Theorem 1: (see D. Stinson. Cryptogra hy: Theory and Practice, CRC Press, New York, 1995) Suppose a cipher system has been defined such that the size of the keyspace (K), the plaintext space (P), and the ciphertext space (C), are all equal. Then this cipher system provides perfect secrecy if and only if:
1. every key is used with probability equal to IIIKI, where IKI denotes the size of the keyspace, and 2. for every element x E P, and every element y E C, there exists a unique key k E K such that the encryption of x with k produces the ciphertext y (i.e.
eAW =y).
The above theorem will apply to a cipher system based on the operation of addition modulo 27r if it is assumed that each key k in the keyspace K is equiprobable.
In other words, any key k E K has an equal probability of being chosen as the key. In reality what this implies is that the random number generator being used to produce k is devised in such a way that it does not impose an unequal probability distribution on the keyspace, which would inevitably compromise security. This implies that the random number generator used to provide keys for the following encryption system must choose a random key k in the keyspace K based on an equiprobable distribution.
Note: [0,2n)" used in the following lemma implies an r element string where each element can take on the values j such that 0<_ j< 27t .
Lemma 1: The cipher system defined such that P=C=K=[0,2n)'* and based on the operation of addition modulo 2n with randomly generated keys has perfect secrecy.
Proof: The elements of P, C, and K are defined as a string (or array) of r floating SUBSTITUTE SHEET (RULE 26) point elements where each element falls within the range of 0 to 27t . For simplicity consider (3 as the number of possibilities in the space [0,27r) when taking into account the floating-point precision level. Then we have IKI = ICI = IPI = p r.
Enforcing the above assumption we have that every key has a probability of 1IIKI of being chosen.
We are left to prove that for every x E P and every y E C, there is a unique key k such that e,. (x) = y. Since y = ek (x) = (x + k)mod 27c, if we fix x and y we can solve for k uniquely using the equation: k=(y - x)mod 2n.
Thus we have that a cipher system based on addition mod 27c has perfect secrecy.
What is important in the above discussion to the concept of secure key management using a biometric is the fact that the product of two phase-only arrays is equivalent to an addition mod 2n. Because of this equivalence relationship the above Lemma also applies to a cipher system based on the product of two phase-only arrays.
Thus we have the following:
Lemma 2: The cipher system defined such that P=C=K={e`R}r, where {e`R}' is an r element string and p=[0,27r), based on the operation of multiplication with randomly generated keys, has perfect secrecy.
While it was shown above that saving only the phase of HF(u) allows excellent security of the protected filter to be obtained when combined with a random phase array, the optimal filter defined by equation (14) requires that the magnitude term, IHF(u)l, is used during generation of the output pattern, c(x), for optimal consistency of c(x). The method proposed in the following section addresses both of these requirements:
1.5) Protected filter format In this section, we describe a method for simultaneously satisfying the need for magnitude information in the filter function and maintaining security of the protected filter.
SUBSTITUTE SHEET (RULE 26) Consider generating an array, Go(u), whose elements have unity magnitude, i.e., Go(u) is a phase-only function and whose phase values,j, are random and uniformly distributed such that 0<_ j<2rr, i.e.:
Go (u) = e4o (u) = ei2nU[0,1) (15) where U[0, 1) represents an array of elements whose value, j, is randomly and uniformly distributed such that 0<- j < 1. Note that in the discussion which follows, we will use e4OO(") to essentially represent the random phase only function defined above. Thus using this expression to represent Go(u) and using the set of training images,fo'(x), calculate H(u) using equation (14).
H(u) = AO*(u) e40o(u) (16) aP(u)+ 1- a2 D0 (u) H(u), was optimized to produce a consistent co (x) (and as close to go(x) as is possible) when a member of the training image fo`(x) is presented to the system. The resulting output, co(x) is given by;
ye-`~AO~") c9 (x) = FT-1 F.0 (u) JAO(u~I eiCo (u) (17) aP(u) + 1- aZ DO (u) The expected output, cl(x), from the system when a non-training image (i.e.
during verification) is present is given by:
i~,~ (u) cl (x) = FT-1 F1 (u) JAO (u)e cl,co (u) (18) aP(u)+ 1- a2 DO(u) where the subscript I represents a set of images used in verification.
Clearly, we desire that cl(x) is as close to co(x) as possible, for the legitimate user.
Of course, ci(x) -> co(x) if the testing image, f(x), is identical to the training image, fo(x). We find that as the number of fingerprints, T, in the training set increases, Ao(u) converges to a fixed function (at about T = 6). Because the training set of enrollment images are captured in the same way as the subsequent verification images, at T= 6, 0 i(u)I =[Ao(u)l and Dj(u) - D(,(u), i.e. the average of the set of verification images tends to the average of the set of enrollment images. Therefore, in equations (17) and SUBSTITUTE SHEET (RULE 26) (18), we use Ao(u) to represent Fo(u), and A i(u) to represent F, (u), i.e. we use the average of the fingerprint transforms to represent the individual fingerprints. To ensure that we never have to store any magnitude information in the filter (for optimal security, we wish to store only phase terms), we also approximate IAo(u)l by JA I (u)l and Do(u) by Di(u) in equation (18) to yield:
c0(x)=FT-1 IAO(u/I e4GO(u) (19) aP(u)+ 1- a 2 DO (u) and cl(x)=FT-1 JA1(u)2 4a1 (u)e-4ao(u)e4GO(u) (20) aP(u)+ 1-a2D1(u) It can be seen from equations (19) and (20) that this procedure could be used to satisfy both the constraints that phase-only functions are saved, and that magnitude terms are used to preserve the consistency of the output c(x) patterns. For example, if we re-write the equations as:
c0 (x) = FT-1 JAO (ueiO~ (u) JAO (u) e-iO~ (u)el~GO (u) ~I aP(u)+ l - a2 DO(u) (19) and cl (x) = FT-1 IAl (ullye4A1 (U) JAI (u) e-4no (u)e1~GO (u) aP(u)+ 1- a2 D1(u) (20) Thus, if we store only the product of the phase of the complex conjugate of the training set images, e-`~AO~ ) and the phase-only function, e`OGO( ) i.e.
Hstored (u) = e -4Ap(u) e 4Gp(u) ' (21) and we recreate the magnitude terms of the filter "on-the-fly" during either enrollment SUBSTITUTE SHEET (RULE 26) or verification, then the security and consistency aspects are simultaneously obtained.
Thus, during the processes of enrollment and verification we create transitory filters, JAo (u) ~A1 ~u~l f Hstored (u), and Hstored (u) ~
aP(u) + 1- a2 Dp (u) aP(u)+ a2 Dl (u) respectively, which contain both magnitude and phase information and which are used to calculate c (x) and cI (x), respectively, although only the phase information is ever stored. The method of generating the filter magnitude terms will be described completely in Section 2.2. The preferred method for securely linking a requested key to the array c(x) is presented in the next section. Note that the security of the system may be further enhanced by saving and utilizing only the top (or bottom) portions of the arrays Hstored(U), A(u) and D(u) above to produce the c(x) output functions. This will eliminate any potential problems associated with the symmetry properties of A(u) and D(u).
Secure key generation.
2.1) Enrollment The secure generation of the digital key is described with reference to figures 1-4.
The biometric images comprising the training set are 128x 128 dimensioned float or byte arrays.
With reference to figure 1, we specify, or use a random number generator, 80, to generate, an M-bit key, ko, 90, as is required by the encryption or other system. One example of such a random number generator is the Blum-Blum-Shub (BBS) generator.
Using a random number generator, 40 (possibly distinct from 80), generate a 128x 128 dimensioned array e'~~0 ~"~ , 52, as defined above in equation (15).
Use the training set of data, {f0~(x), f 2(x), ..., f T(x) 10, to produce the expressions of boxes 30 and 51. Combine the expressions of boxes 30 and 51 with e'OG0 (") , 52, SUBSTITUTE SHEET (RULE 26) to derive co(x), 60, using equation (19).
Store the product of the phase-only function e`OGo ("), 52, and e-`~A~ ~ ~ 51, as Hstored (u), 53, as defined by equation (21).
Determine a set of S bits, 103, from Hstored (u), 53, which will be unique for each individual. Using the supplied key ka, 90, as an encryption key, encrypt this set of S
bits, 103, using an encryption algorithm, 94, e.g. IDEA. The output from this algorithm is then used as the input to a one-way hash algorithm, 91, e.g. SHA.
The output of the hash algorithm is used as an identification code, ido, 92.
The output co(x), 60, is a 128x128 complex-valued array.
Referencing figure 2, a link algorithm, 64, used to link elements from co(x), 60, with ko, 90, is defined by the following steps:
First, extract the central 64x64 portion of co(x) to produce an array, 110.
Next, concatenate the real and imaginary parts of array, 110, to form an enrollment template, 111, of dimension 128x64, i.e. an array with 128 columns and 64 rows. For example, if at position x, y of the 64x64 portion of co(x) the element a+bi appears, then, in the enrollment template I 11, element a will appear at position x, y and element b will appear at position (x+64), y.
The elements of the enrollment template, 111, are then sent into the decision box, 113, which sorts the elements by sign. Note that the negative elements from 1 I 1 will eventually represent '0 valued' elements of the key, ko, while positive elements from 111 will be used to represent ' 1 valued' elements of ka.
The negative elements are then ranked in descending order according to their magnitude and the indices of the ranked elements (i.e. the row and column of each SUBSTITUTE SHEET (RULE 26) ranked element in the enrollment template) are stored in the vector Location_zeroes, 130. The same procedure is then executed for the positive elements of 111 in which the indices of the ranked elements are stored in the vector Location ones, 131.
Notice that the names of these vectors have been chosen due to their eventual relation with the bits of the key as noted above.
The value M represents the length of the requested key, ko, 90. Let Mo represent the number of 0's in ko, 90, and let M 1 represent the number of 1's. Retain then the first MoxL elements of Location_zeroes, 130, and the first MixL elements of Location ones, 131.
For each of the M-bits in the requested key, ko, 90, sequentially or randomly extract L
elements from either the first MoxL elements of Location_zeroes, 130, or the first MixL elements of Location_ones, 131, depending on whether the requested bit was a zero or a one, respectively. The L elements extracted for key bit in, form the mtn column of a Link Index array, Ll, 62, with M columns and L rows. The elements of LI, 62, thus form the link index "lookup-table" for the elements of the enrollment template, 111, that have been chosen to represent the key, ko, 90. Note that it has been observed that the probability of an error in each key bit is inversely proportional to the rank of the constituent bits. The rank was determined based on the distance of the point of the enrollment template from either the real or imaginary axes, i.e. the distance of the point from zero, depending on whether that point comes from the real or the imaginary part, respectively. Therefore, we may choose the L elements in an interleaving manner as presented in figure 2, such that the probability of error in each of the M key bits is homogenized. However, the elements may also be chosen randomly so as to minimize the information given to the attacker. Note also that for an M-bit key, the maximum value of L should be limited, so that all valid combinations of the key are supported by the available elements of the enrollment template (the requested key permutation has to be supported by the available number of zeroes and ones in the enrollment template).
Store the protected filter, which comprises Hstored(U), 53, the Link Index array, LI, 62, SUBSTITUTE SHEET (RULE 26) and the ID-code, ido, 92. The protected filter may also contain the value of a and/or the function of P(u), unless they are universal to the system.
2.2) Verification With reference to figure 3, Hs,o,.eju), 53, LI, 62, ido, 92, and, where necessary, a and/or P(u) are read in from the protected filter.
Using the non-training, or verification, set of inputs, {f I1(x), f Z(x), ..., f T(x)}, 11, along with the values of a and P(u), calculate the term in the expression of box 31.
Use the term of box 31 with Hstored(u), 53, to calculate cl(x), 63, using equation (20), i.e.;
cl(x)= FT1 IA1(u) 2 e 10A, (u) Hstored~u) (22) aP(u)+ 1 - a2 D, (u) With reference to figure 4, extract the central 64x64 portion of ci(x), 63, to produce an array, 140.
Concatenate the real and imaginary parts of 140 to form a verification template, 141, of dimension 128x64.
Binarize each element of the verification template, 141, independently by thresholding relative to zero, to produce a binarized verification template, 142, of dimension 128x64.
Define kt, 93, as an M-element vector, and use the following steps to extract the elements of k, from the binarized verification template, 142, and the Link Index, 62.
For the m`h element of ki, 93, sum all of the bits of the binarized verification template whose indices are specified by the mth column of LI, 62. The value of the mth element of ki, 93, is set to one if the sum of the bits is greater than or equal to L/2, and set to zero otherwise.
SUBSTITUTE SHEET (RULE 26) Obtain the same set of S bits, 103, from Hstored (u) as was used in the enrollment process, and, using kt, 93, as an encryption key, encrypt these bits with ki using an encryption algorithm, 94. The output of this algorithm is used as the input to the one-way hash algorithm, 91. The output of this hash algorithm is the ID-code idi, 95.
This code idi, is then compared, 96, with the ido, 92, obtained from the protected filter. If there is a match, then release key, ki, 93.
If idl, 95, does not match ida, 92, then extract the portion of ci(x), 63, that is offset from the centre by one pixel, and repeat the above process to obtain a new idl, 95.
Continue this process with all portions of ci(x) that are one pixel offset from centre, comparing idl with ido for each iteration (eight combinations, including diagonals).
If at any point id, - ido then cease the algorithm and release k, (= ko). If, for all locations, id, # ido, then repeat the above process for extractions that are offset from centre by two pixels, and so on up to approximately sixteen pixel offsets. If idt # ido for all locations, then send a message to the system that verification has failed and thus no key has been released.
It will be clear to those skilled in the art that the above procedure is used as a "brute force" search to accommodate the relative translation of the fingerprint images between enrollment and verification. In general, it is observed that less than +/- 16 pixels of translation in a 128x128 image can be achieved using a suitable jig to position the finger, and thus the range of translation accommodated by the above algorithm is sufficient.
It will be clear that the ID-code, ido, may also be stored at a secure location outside the protected filter. In this case, during verification, a new ID-code, idi, is sent to that location and compared with ido. This will improve the system security in that an attacker trying to retrieve the key, ko, from the protected filter will not have access to ido, and thus can only know whether his/her efforts were successful via messages sent from the secure location and controlled by the system administrator. Hence, the system administrator may limit the number of consecutive failed comparisons SUBSTITUTE SHEET (RULE 26) between id, and ido so that an attacker cannot assemble a large database of fingerprints and use them to attempt to produce the correct key, ko.
While it is not stated in the preferred embodiment, it will be clear to those skilled in the art that &orea(u) may be stored as an array of quantized elements, where each element is one of a limited number, such as sixteen, of phase-levels.
It will be obvious to those skilled in the art that the above algorithm could also be used to accomplish verification of a system user, without release of a key.
This can be achieved, for example, by storing the function, co(x), in the verification system.
Then, when the user verifies the system produces ci(x), which is then compared with co(x) by, for example, summing the Euclidean distance between each of the elements of the two arrays to obtain a single scalar value which describes the similarity between cl(x) and co(x). Alternatively, correlation could be used to judge the similarity between cI (x) with co(x), and the ratio of correlation peak height divided by the total correlation plane energy could be used as the scalar value. This scalar value is then compared with a pre-determined system threshold and the user is either accepted or rejected by the system. If co(x) can remain secure then it would be very difficult for an attacker to defeat such a system by generating an artificial ci(x) and obtaining a positive verification signal.
While the preferred embodiment describes a "brute-force" method of aligning the ci(x) pattern relative to the co(x) by extracting different sections of ci(x), it will be obvious to those skilled in the art that other methods for aligning ci(x) relative to co(x) may be used. For example several minutia points from the biometric could be stored in the protected filter and used to pre-align cI (x) relative to co(x), prior to the extraction of the constituent bits. Another method would reserve some of the bits of the enrollment template to be linked with a system-specified synchronization signal.
During verification, the binarized verification template is searched for the specified synchronization signal, and once located, is used to align cl(x) relative to co(x).
Although the above embodiment sums the constituent bits from the binarized SUBSTITUTE SHEET (RULE 26) verification template with uniform weights, it will be obvious to those skilled in the art that various weighting functions could be used to further enhance performance of the system. As an example, the constituent bits could be weighted according to the inverse rank of each bit and summed. The constituent bits could also be weighted inversely proportional to the expected standard deviation of each bit before being added. Furthermore, the magnitude vectors could be added together using complex weights, comprising an amplitude term such as the standard deviation, and a phase term, which is added to the phase of each element and which is defined by the conjugate of the phase of that element in the enrollment template. For a legitimate user, this phase "correction" will provide a magnitude vector summation along the real axis. The summation will thus be far from the origin. For an attacker, the phase of the verification template will be random with respect to the legitimate user enrollment template. Because of this, the complex weights will not cancel the phase terms and the summation of the magnitude vectors should collapse to zero. The idea here is to force the legitimate user's summation to be far from the binarization threshold (i.e., zero on the real axis), while the attacker's summation is random about the binarization threshold.
It will be obvious to those skilled in the art that error-correcting codes, such as Hamming codes and Reed-Solomon codes, may be used to reduce the number of errors in the digital key, k. This would be achieved, for example, by using the constituent bits of the binarized verification template to derive N bits of data (where N
> M), and then using error-correcting codes to transform the N encoding bits to the M
key-bits.
It will be obvious to those skilled in the art that the preferred embodiment allows for periodic updating of the protected filter. For example, consider that the set of training images for a particular user, f' (x), f 2(x), ..., f T(x), is stored in a secure location, and is available to a system administrator (perhaps, as a privacy/security measure, only after the legitimate user has verified). When this user presents a subsequent set of images, f'(x), f 2(x), ..., f S(x), to the system, the system administrator may combine this new set of images with the previous set to form a new SUBSTITUTE SHEET (RULE 26) set of T+S images which may now be considered as an updated set of training images.
Using this inclusive set of T+S images, Hto,,d(u) and co(x) can be regenerated (using a new version of Go(u)), and a new linking index array, LI, determined. The new versions of Hstord(u) and LI should be stored in the protected filter. This process may be considered as "adaptive filtering", as the contents of the protected filter are adapted over time to encompass more of the natural variations of the biometric image than could be encompassed in a single enrollment session.
It is also obvious that any time a new set of images is acquired, the key, ko, may be modified, if necessary. In this case ido should be modified in the protected filter.
Updating the key has several benefits. For example, if it is known that ko has been compromised, then a new key should be introduced into the system. Also, if it is known that an attacker can establish the value of a key within a certain period of time, for example by using a brute-force computational search, then the value of the key should be updated within this period of time. Updating the value of the key periodically is a standard procedure used in cryptographic and other security systems, and it is evident that this is easily achieved using the methods described herein.
3) Other embodiments of the invention A second embodiment of the invention deals with minutiae-based fingerprint verification techniques.
It has been known for more than 100 years that the minutiae are unique and reasonably robust characteristics of a fingerprint. Classical minutiae are defined as fingerprint ridge endings (type 1 minutiae) and fingerprint ridge bifurcations (type 2 minutiae). It is obvious that the type 1 minutiae may be also defined as fingerprint groove bifurcations and the type 2 minutiae - as groove endings. There are also some other fingerprint characteristics which are sometimes referred to minutiae, such as rods, pores, bridges, islands, line breaks, etc., but they are usually unstable and irreproducible in subsequent attempts. These characteristics often produce false minutiae, or fingerprint noise, because they may be deemed real minutiae during fingerprint verification.
For the past 20 years, many algorithms for automatic minutiae extraction have been SUBSTITUTE SHEET (RULE 26) developed. The strength of these methods is in a fingerprint identification, or so-called "one-to-many" systems, because they allow a fast comparison of a fingerprint to be identified against a huge database with a relatively low false acceptance. However, one of the major drawbacks of the minutiae methods is that they require fingerprints of a high quality and without large scars. This explains the fact that most minutiae methods have a minimum false rejection rate of at least a few per cent in a real-life test.
For the key management in this embodiment, we use one of the known minutiae extraction algorithms (see, for example, U.S. Patent No. 4,752,966 to Schiller). The algorithm scans a fingerprint image and finds a horizontal and vertical, x and y, positions of the minutiae, their orientation angles, 0, and identifies them as types, 1 or 2. To improve the consistency of the minutiae extraction, we may use a few fingerprints both in enrollment and in verification. In one method, the minutiae are tested for their stability: if the same minutia is found, for example, in at least 4 attempts from 5 in total, this minutia will be retained, otherwise, it is considered unstable and dropped. In another method, all minutiae found in 5 --6 attempts are retained for further processing. There might be also an intermediate method, which allows us to tune the system tolerance. At the end of the minutiae extraction process there are usually from 5 -- 7 to 30 -- 50 minutiae found in the fingerprint, depending on the method of the extraction and properties of a particular fingerprint.
At the next step a feature array, f(x,y,8), is formed in a 3D feature space which includes x, y minutiae coordinates and their angles. In a preferred embodiment, x and y are sampled by 64 pixels each and 0 is sampled by 161evels from (-7r) to 7c, thus the total number of pixels is 64x64x16 = 65536. If a minutia occupies a particular cell (xo,yo,0o) in the feature space, then the function f(xo,yo, 00) = 1 if the minutia is of type 1 and f(xo,yo, Oo) = -1 for the type 2 minutiae. Finally, f(xo,yo, 6o) = 0 if there is no minutia in this cell.
After the function f(x,y, 0) is determined, a 3D Fourier transform is performed to obtain a 3D
complex function F(u,v,0). We prefer the Fourier transform to any other transform because it provides translation-invariant verification. Moreover, because we use the minutiae angle as a third coordinate, this embodiment is also rotationally invariant. In other words, if during verification a finger is placed into a different position and at a different angle, this will not significantly affect the performance of the method.
The next steps are very similar to those in the first embodiment. In enrollment, a 3D
function, G (u,v, O), having unity magnitude and a random and uniform phase, is generated. Then we obtain an amplitude, I Fo and the phase, ~ F (u, v, o) , of the Fourier transform of the enrolled feature function, fo(x,y,A). The following two functions are calculated:
-4 p (u,v,E)) Hs,ored (u, v, 0) = Go (u, v, 0)e (23) co(x,Y,e ) = FT-' 0(Fo(u,v,0)J)Go(u,v,0) (24) It is known that a Fourier transform of a real object possesses a symmetry property, i.e.
, F(u,v,0) = F(-u,-v,-O) , which may give some additional information to an attacker having an access to Hstored . To improve the security of the method, only a half of the 64x64x 16 array, Hsto,,d , may be extracted and stored, that is, its dimensions will be, for example, 64x32x16.
A
The operator Q in equation (24) processes the amplitude I Fo I in order to improve the system tolerance. It may contain, for example, a saturation denominator like in the first embodiment (equation (19)).
The function co(x,y,O) is used to encode an M-bit digital key, ko . This is done via a link code and in the same manner as in the first embodiment. More particular, a central portion of co(x,y,O) is extracted; for example, its size may be 32x32x10 or 32x16x10, if the noted half of Hs,old was stored. The real and imaginary parts of the extracted arrays are concatenated and binarized, thus the resulting array contains 20480 bits (or 10240, if the noted half was stored). The link code links each of the M
bits in the key ko to L bits picked from the array of 20480 or 10240 elements.
There may be some more sophisticated methods, including various error correcting codes.
SUBSTITUTE SHEET (RULE 26) The stored protected filter comprises the phase-only function, Hstorea(u,v,0), the data defining the link code, and the ID-code, ido.
In verification, a feature function, fl(x,y,0), and its Fourier transform, Fl(u,v,0), are obtained in the same way as it was done in enrollment. The function Hsrored(u,v,0) is read from the storage means, and a function cl(x,y,0) is calculated as c,(c>1',0 )= FT-' (~(jF,(u,v,0)j)e~~~~u'v'O~ Hsrored(u,v,0) (25) I
~
Here 0F, (u,v,0) is a phase of the Fourier transform F1. Then a centra132x32x10 portion (or 32x16x10, if the noted half of Hstored was extracted during enrollment) of cl is extracted and sequentially scanned across cl until a correct key is retrieved or verification fails. Normally, the size of the box being scanned is 32x32x4 (32x16x4 for the half). However, if the minutiae extraction algorithm also determines a natural center of the fingerprint (usually this is a point of a maximum line curvature), this size can be made much smaller, for example, 4x4x4. This will significantly speed up the verification process. Using the link code, which is also read from the storage means, a decrypted key, kl, is determined from the extracted portion of cl.
Then the hash value, idl, is calculated from kl and compared with the stored value ido. If they match, the correct key is released.
In a third embodiment of the invention, yet another method for obtaining a biometric information signal is used.
In enrollment, the information contained in a 2D fingerprint image, fo(x,y), is sorted into two parts: the most distinctive, fom(x,y), and the least distinctive, foi(x,y).
The most distinctive information contains the areas (we call them "tiles") including minutiae, scars, places with a high line curvature, etc., in other words, the areas which do not have a parallel or quasi-parallel line structure. One of the methods for finding these areas is disclosed in U.S. Patent No.
5,067,162 to Driscoll et al. Another method may include any minutiae extraction algorithm, that is, after all minutiae have been found, the "tiles" from the original image containing the minutiae as centers are extracted. The least distinctive areas may be found in the opposite manner, that is, the "tiles" are located at the places where the lines are almost parallel and do not contain minutiae. For a 128x 128 image, for example, the "tiles" could have dimensions of 16x 16. Alternatively, the function foi(x,y) may be taken as a straight strip at the bottom, at the top, at the right or the left side of the image, or as a combination of the above. In this case the information contained in foi(x,y) should not necessarily be called least distinctive but rather the information retained for co-alignment.
The functions fom(x,y) and foi(x,y) are 128x 128 images containing the "tiles"
with the most or the least distinctive information, the pixels outside the "tiles" are set equal to 0 or to other pre-determined values. These "tiles" are located at the same places as they were in the original image fo(x,y). The most distinctive information is used for the key linking and is not stored into a protected filter, whereas the least distinctive information is used only to co-align a fingerprint to be verified with the enrolled fingerprint. The least distinctive information is stored into a protected filter.
During both enrollment and verification, a few versions of the same fingerprint may be used to improve its consistency, as it was described in the first embodiment. After a function fom(x,y) is derived, a transformation, T, is performed to obtain a transform, Fom(u,v), of the most distinctive information:
Fom(u, v) = T Uom(x,y)) (26) In this embodiment, the transformation T is not necessarily a Fourier transform, it may be also a fractional Fourier transform, a Gabor transform, one of the wavelet transforms, etc. In other words, the transformation T should not necessarily yield a translation-invariant method, like the Fourier transform, because the images are co-aligned with the least distinctive information. In a preferred version of this embodiment, the remainder of the operations is almost the same as in the first embodiment. A random phase-only function, Go(u,v) is generated; the functions (u,v) Hstored (u, v) = Go (u, v)e 0m (27) and Co(x,y) = T-1 Q(F'o(u,v)j)Go(u,v) (28) SUBSTITUTE SHEET (RULE 26) are calculated, where T-~ is an inverse transformation, and an operator 0 processes the amplitude of Fon,(u,v); a requested key, ko , is linked to co(x,y) via a link code. In this embodiment, the entire co(x,y) array is used, not only a central part, which increases the amount of the available information and improves the performance.
A protected filter comprises Htoõ,d, the link code, the least distinctive information foi(x,y), the coordinates of the "tile" centers for the most distinctive information, and the ID code, ido.
In verification, a new fingerprint image, f(x,y), is obtained. The array fol(x,y) containing the least distinctive information from the enrolled fingerprint is read from the protected filter. The array foi(x,y) is used only to co-align the fingerprint images fo(x,y) and f(x,y). To do that, a correlation function of two arrays, foi(x,y) and f(x,y), is calculated, and x and y positions of the correlation peak, xcor and Ycor, are determined. If the images fo(x,y) and f(x,y) were not shifted relatively to each other, the correlation peak would be located exactly at the center, i.e. at (64,64) in case of 128x 128 images. The values (x,or - 64) and (ycor - 64) determine the relative shift of two images. Then the image f(x,y) is shifted by these values to obtain a shifted image, f'(x,y), so that the imagesfo(x,y) and f'(x,y) are supposed to be co-aligned. At the next stage of the co-alignment, the "tiles" are extracted from f'(x,y) at the same locations as the "tiles" containing the least distinctive information were extracted from fo(x,y) to obtain an image f i'(x,y) which is supposed to be the same as foi(x,y). Then a correlation function of fo(x,y) and fj'(x,y) is calculated. If the correlation peak is located at (64,64), this means that the co-alignment was done correctly, otherwise, the image f'(x,y) is shifted again to the new location of the correlation peak.
After the second stage of the co-alignment is completed, the coordinates of the "tile"
centers for the most distinctive information are read from the protected filter, and "tiles" are extracted at the same locations from f'(x,y) to obtain an array f,n'(x,y) which is supposed to coincide with the array fom(x,y) extracted during enrollment. To improve the accuracy of the method, a few versions of the fingerprint f, (x,y) may be obtained during verification, and a few versions of the arrays f i'(x,y) and f,n'(x,y) may be extracted. If some of the arrays f,n'(x,y) differ too much from the most of the SUBSTITUTE SHEET (RULE 26) arrays, these arrays will be rejected. Then a composite image, f m(x,y), may be formed by adding together the remaining f m'(x,y) arrays.
At the next step the transformation T of f m(x,y) is performed to obtain a transform, Fin,(u,v). A function cl(x,y) is obtained:
n 4p (u>v) cl(x,Y) - T-1 Q(Fm(u,v)J)e !nl 1Ystored(u,v) (29) At the next step a key, ki, is determined from ci(x,y) using the link code which was read from the protected filter. Then the hash value, id1 , is calculated from k, and compared with the stored value ido. If they match, the correct key is released.
In this embodiment, the array cl(x,y) is not scanned, unlike the first and the second embodiments, because the images f(x,y) andfo(x,y) are co-aligned. However, there may be an error of the co-alignment, usually in 1 or 2 pixels. In this case the co-aligned input image f'(x,y) may be shifted by 2 pixels in both x and y directions in order to obtain a few functions f m(x,y) and try them all for the verifications.
A fourth embodiment of the invention deals with another type of biometric information: the eye's iris. It has been shown (see, for example, the article by J.Daugman, IEEE Trans. on Pattern Analysis and Machine Intelligence, Vo1.15, No.1 1, p.p.1148-1161, 1993 incorporated herein by reference) that the iris scan is quite an accurate and reliable method for biometric verification and identification.
There are two important advantages of the iris scan to fingerprint-based biometrics.
First, the iris has a circular shape and, thus, a natural center, which solves the problem of the co-alignment of images. Second, the iris reading is free of mechanical contact, which allows to capture the iris image without irregular distortions. However, the image quality sometimes is poor, especially for dark irises.
In enrollment for the key management, the first step includes receiving a 2D
iris image, pre-processing, and transforming the image to dimensionless projected polar coordinate system (r, 0) to obtain a processed iris image, io(r, 0). During both enrollment and verification, a few versions of the same iris may be used, similar to all previous embodiments.
The next step includes performing a transfonmation of io(r, 0) to obtain SUBSTITUTE SHEET (RULE 26) a transform, Io(R,O). In this embodiment, this is a Gabor transform, Io(R,O)= jJexpl-tw(O-0)-(R-r)/ aZ -(O-0bz1 io(r,8)rdrd6 (30) where the parameters (o, a, and b have been pre-determined. Unlike the Fourier transform, the magnitude of the Gabor transform is not translation-invariant, but this property of the transform is not needed for this embodiment because the images are co-aligned by their natural center.
Then the real and imaginary parts of IO(R,O) are concatenated and binarized (with respect to a threshold equal to 0) to obtain a binary function, BIO(R,O). At the next steps, a random binary function, BGo(R,O), is generated; the key ko is linked to BGo(R,O) via a link code, and a binary stored function is Hstored = BIp(R,O) XOR BGo(R,O) (31) A protected filter comprises Hs,ored , the link code, and the ID code, ido.
In verification, a new processed iris image, il(r, 0), is obtained. Then the Gabor transform is performed, and the real and imaginary parts of its result are concatenated and binarized to obtain a binary function, BI1 (R,O). The function Hstorea is retrieved from the protected filter, and a binary function, BGi (R, O), is obtained:
BGI (R,O) = BI1(R,O) XOR Hscorea (32) At the next step, a decrypted key, ki, is determined from BGi(R,O) using the link code which was read from the protected filter. Then the hash value, id, , is calculated from k, and compared with the stored value ido . If they match, the correct key is released.
One can note that the method for the key linking and retrieval of the fourth embodiment may be considered as a limiting and simplified case of the first embodiment. Because the irregular distortions for the iris images are much less significant than for the fingerprint images, we may neglect the noise term, Enoise, in equation (5) by putting a = 0. Then, if the enrolled imagesfot(x) are approximately identical, it follows from the equations (11) and (12) that Ao(u) = Fo`(u), Do(u) =
I Fo`(u) (`. The same is also true for the images in verification, f(x), that is, A I (u) =
SUBSTITUTE SHEET (RULE 26) Fi(u), D1 (u) - IFi(u) 12. Substituting these results into equations (19) and (20), we obtain:
I i~G (u) c (x)=FT' e i~A (u) -i~A (u) i~C (u) (33) c, (x) = FT -' e' e e This means that only the phase information has left, and the amplitudes I Ao(u) I , I A, (u) I of the transform of the composite images are not important anymore for the distortion-free images. Note that the function Hstored is still defined by the equation (21). As it was aforementioned, the translation invariance of the algorithm is not needed for the iris images, thus an inverse transform may be omitted in equations (33) and the key ko may be linked directly to G(u) in the transformed domain, u, rather than to co(x) in the image domain, x. Finally, if we quantize the phases in equations (33) by 4 levels, namely, 764, 3n/4, 5n/4, and 7n/4, all the complex exponents will have the real and imaginary parts equal to ~. Dropping the factor -52 and concatenating the real and imaginary parts, we obtain an array consisting of elements equal to 1. It is obvious that the product of such arrays is equivalent to the logical XOR operation applied to binary arrays containing zeros and ones only, where the values of -I and +1 are mapped to 1 and 0, respectively.
All these reasonings lead directly to the equations (31) and (32) of the fourth embodiment.
It is obvious that in the fourth embodiment the key management may be also done in a manner similar to the previous embodiments, that is, via a function co(r, 0) and an inverse Gabor (or any other) transform, like in equation (28). The function Hstoõed would not be a binary but a phase-only function.
It is also obvious that the third embodiment of the invention may be also done similarly to the fourth embodiment, that is, by binarizing the function Fom(u,v) and creating Hstomd via the XOR operation, like in equation (31). This would especially make sense if a fingerprint input device were able to produce distortion-free images.
In general, the fourth embodiment may be implemented for any distortion-free SUBSTITUTE SHEET (RULE 26) biometric with co-aligned images.
While the first three embodiments utilized fingerprint images, and the fourth utilized iris images, it is obvious that other biometric images could be also used with all embodiments.
It will be obvious to those skilled in the art that although the preferred embodiments are implemented in an entirely digital environment, it will be possible to implement components of the algorithm through other means, such as optical information processing.
Other modifications will be apparent to those skilled in the art and, therefore, the invention is defined in the claims.
SUBSTiTUTE SHEET (RULE 26)
The functions fom(x,y) and foi(x,y) are 128x 128 images containing the "tiles"
with the most or the least distinctive information, the pixels outside the "tiles" are set equal to 0 or to other pre-determined values. These "tiles" are located at the same places as they were in the original image fo(x,y). The most distinctive information is used for the key linking and is not stored into a protected filter, whereas the least distinctive information is used only to co-align a fingerprint to be verified with the enrolled fingerprint. The least distinctive information is stored into a protected filter.
During both enrollment and verification, a few versions of the same fingerprint may be used to improve its consistency, as it was described in the first embodiment. After a function fom(x,y) is derived, a transformation, T, is performed to obtain a transform, Fom(u,v), of the most distinctive information:
Fom(u, v) = T Uom(x,y)) (26) In this embodiment, the transformation T is not necessarily a Fourier transform, it may be also a fractional Fourier transform, a Gabor transform, one of the wavelet transforms, etc. In other words, the transformation T should not necessarily yield a translation-invariant method, like the Fourier transform, because the images are co-aligned with the least distinctive information. In a preferred version of this embodiment, the remainder of the operations is almost the same as in the first embodiment. A random phase-only function, Go(u,v) is generated; the functions (u,v) Hstored (u, v) = Go (u, v)e 0m (27) and Co(x,y) = T-1 Q(F'o(u,v)j)Go(u,v) (28) SUBSTITUTE SHEET (RULE 26) are calculated, where T-~ is an inverse transformation, and an operator 0 processes the amplitude of Fon,(u,v); a requested key, ko , is linked to co(x,y) via a link code. In this embodiment, the entire co(x,y) array is used, not only a central part, which increases the amount of the available information and improves the performance.
A protected filter comprises Htoõ,d, the link code, the least distinctive information foi(x,y), the coordinates of the "tile" centers for the most distinctive information, and the ID code, ido.
In verification, a new fingerprint image, f(x,y), is obtained. The array fol(x,y) containing the least distinctive information from the enrolled fingerprint is read from the protected filter. The array foi(x,y) is used only to co-align the fingerprint images fo(x,y) and f(x,y). To do that, a correlation function of two arrays, foi(x,y) and f(x,y), is calculated, and x and y positions of the correlation peak, xcor and Ycor, are determined. If the images fo(x,y) and f(x,y) were not shifted relatively to each other, the correlation peak would be located exactly at the center, i.e. at (64,64) in case of 128x 128 images. The values (x,or - 64) and (ycor - 64) determine the relative shift of two images. Then the image f(x,y) is shifted by these values to obtain a shifted image, f'(x,y), so that the imagesfo(x,y) and f'(x,y) are supposed to be co-aligned. At the next stage of the co-alignment, the "tiles" are extracted from f'(x,y) at the same locations as the "tiles" containing the least distinctive information were extracted from fo(x,y) to obtain an image f i'(x,y) which is supposed to be the same as foi(x,y). Then a correlation function of fo(x,y) and fj'(x,y) is calculated. If the correlation peak is located at (64,64), this means that the co-alignment was done correctly, otherwise, the image f'(x,y) is shifted again to the new location of the correlation peak.
After the second stage of the co-alignment is completed, the coordinates of the "tile"
centers for the most distinctive information are read from the protected filter, and "tiles" are extracted at the same locations from f'(x,y) to obtain an array f,n'(x,y) which is supposed to coincide with the array fom(x,y) extracted during enrollment. To improve the accuracy of the method, a few versions of the fingerprint f, (x,y) may be obtained during verification, and a few versions of the arrays f i'(x,y) and f,n'(x,y) may be extracted. If some of the arrays f,n'(x,y) differ too much from the most of the SUBSTITUTE SHEET (RULE 26) arrays, these arrays will be rejected. Then a composite image, f m(x,y), may be formed by adding together the remaining f m'(x,y) arrays.
At the next step the transformation T of f m(x,y) is performed to obtain a transform, Fin,(u,v). A function cl(x,y) is obtained:
n 4p (u>v) cl(x,Y) - T-1 Q(Fm(u,v)J)e !nl 1Ystored(u,v) (29) At the next step a key, ki, is determined from ci(x,y) using the link code which was read from the protected filter. Then the hash value, id1 , is calculated from k, and compared with the stored value ido. If they match, the correct key is released.
In this embodiment, the array cl(x,y) is not scanned, unlike the first and the second embodiments, because the images f(x,y) andfo(x,y) are co-aligned. However, there may be an error of the co-alignment, usually in 1 or 2 pixels. In this case the co-aligned input image f'(x,y) may be shifted by 2 pixels in both x and y directions in order to obtain a few functions f m(x,y) and try them all for the verifications.
A fourth embodiment of the invention deals with another type of biometric information: the eye's iris. It has been shown (see, for example, the article by J.Daugman, IEEE Trans. on Pattern Analysis and Machine Intelligence, Vo1.15, No.1 1, p.p.1148-1161, 1993 incorporated herein by reference) that the iris scan is quite an accurate and reliable method for biometric verification and identification.
There are two important advantages of the iris scan to fingerprint-based biometrics.
First, the iris has a circular shape and, thus, a natural center, which solves the problem of the co-alignment of images. Second, the iris reading is free of mechanical contact, which allows to capture the iris image without irregular distortions. However, the image quality sometimes is poor, especially for dark irises.
In enrollment for the key management, the first step includes receiving a 2D
iris image, pre-processing, and transforming the image to dimensionless projected polar coordinate system (r, 0) to obtain a processed iris image, io(r, 0). During both enrollment and verification, a few versions of the same iris may be used, similar to all previous embodiments.
The next step includes performing a transfonmation of io(r, 0) to obtain SUBSTITUTE SHEET (RULE 26) a transform, Io(R,O). In this embodiment, this is a Gabor transform, Io(R,O)= jJexpl-tw(O-0)-(R-r)/ aZ -(O-0bz1 io(r,8)rdrd6 (30) where the parameters (o, a, and b have been pre-determined. Unlike the Fourier transform, the magnitude of the Gabor transform is not translation-invariant, but this property of the transform is not needed for this embodiment because the images are co-aligned by their natural center.
Then the real and imaginary parts of IO(R,O) are concatenated and binarized (with respect to a threshold equal to 0) to obtain a binary function, BIO(R,O). At the next steps, a random binary function, BGo(R,O), is generated; the key ko is linked to BGo(R,O) via a link code, and a binary stored function is Hstored = BIp(R,O) XOR BGo(R,O) (31) A protected filter comprises Hs,ored , the link code, and the ID code, ido.
In verification, a new processed iris image, il(r, 0), is obtained. Then the Gabor transform is performed, and the real and imaginary parts of its result are concatenated and binarized to obtain a binary function, BI1 (R,O). The function Hstorea is retrieved from the protected filter, and a binary function, BGi (R, O), is obtained:
BGI (R,O) = BI1(R,O) XOR Hscorea (32) At the next step, a decrypted key, ki, is determined from BGi(R,O) using the link code which was read from the protected filter. Then the hash value, id, , is calculated from k, and compared with the stored value ido . If they match, the correct key is released.
One can note that the method for the key linking and retrieval of the fourth embodiment may be considered as a limiting and simplified case of the first embodiment. Because the irregular distortions for the iris images are much less significant than for the fingerprint images, we may neglect the noise term, Enoise, in equation (5) by putting a = 0. Then, if the enrolled imagesfot(x) are approximately identical, it follows from the equations (11) and (12) that Ao(u) = Fo`(u), Do(u) =
I Fo`(u) (`. The same is also true for the images in verification, f(x), that is, A I (u) =
SUBSTITUTE SHEET (RULE 26) Fi(u), D1 (u) - IFi(u) 12. Substituting these results into equations (19) and (20), we obtain:
I i~G (u) c (x)=FT' e i~A (u) -i~A (u) i~C (u) (33) c, (x) = FT -' e' e e This means that only the phase information has left, and the amplitudes I Ao(u) I , I A, (u) I of the transform of the composite images are not important anymore for the distortion-free images. Note that the function Hstored is still defined by the equation (21). As it was aforementioned, the translation invariance of the algorithm is not needed for the iris images, thus an inverse transform may be omitted in equations (33) and the key ko may be linked directly to G(u) in the transformed domain, u, rather than to co(x) in the image domain, x. Finally, if we quantize the phases in equations (33) by 4 levels, namely, 764, 3n/4, 5n/4, and 7n/4, all the complex exponents will have the real and imaginary parts equal to ~. Dropping the factor -52 and concatenating the real and imaginary parts, we obtain an array consisting of elements equal to 1. It is obvious that the product of such arrays is equivalent to the logical XOR operation applied to binary arrays containing zeros and ones only, where the values of -I and +1 are mapped to 1 and 0, respectively.
All these reasonings lead directly to the equations (31) and (32) of the fourth embodiment.
It is obvious that in the fourth embodiment the key management may be also done in a manner similar to the previous embodiments, that is, via a function co(r, 0) and an inverse Gabor (or any other) transform, like in equation (28). The function Hstoõed would not be a binary but a phase-only function.
It is also obvious that the third embodiment of the invention may be also done similarly to the fourth embodiment, that is, by binarizing the function Fom(u,v) and creating Hstomd via the XOR operation, like in equation (31). This would especially make sense if a fingerprint input device were able to produce distortion-free images.
In general, the fourth embodiment may be implemented for any distortion-free SUBSTITUTE SHEET (RULE 26) biometric with co-aligned images.
While the first three embodiments utilized fingerprint images, and the fourth utilized iris images, it is obvious that other biometric images could be also used with all embodiments.
It will be obvious to those skilled in the art that although the preferred embodiments are implemented in an entirely digital environment, it will be possible to implement components of the algorithm through other means, such as optical information processing.
Other modifications will be apparent to those skilled in the art and, therefore, the invention is defined in the claims.
SUBSTiTUTE SHEET (RULE 26)
Claims (26)
1. A method for securely recovering a digital key, comprising the steps of:
capturing at least one biometric image;
obtaining transformed image information comprising transforming said at least one biometric image to a transform domain;
retrieving a protected filter from storage;
applying said transformed image information to said protected filter to obtain verification information; and obtaining a digital key from said verification information, characterised by:
said protected filter comprising a phase-only filter and linking information, said phase-only filter generated from a random phase-only function and other phase information to obtain cryptographic secrecy, that is, given the phase-only filter, neither the random phase-only function nor the other phase information can be reconstructed other than by a brute force search, said linking information generated, at least in part, from said phase-only function and from said digital key;
said obtaining a digital key comprising applying said linking information to a function of said verification information.
capturing at least one biometric image;
obtaining transformed image information comprising transforming said at least one biometric image to a transform domain;
retrieving a protected filter from storage;
applying said transformed image information to said protected filter to obtain verification information; and obtaining a digital key from said verification information, characterised by:
said protected filter comprising a phase-only filter and linking information, said phase-only filter generated from a random phase-only function and other phase information to obtain cryptographic secrecy, that is, given the phase-only filter, neither the random phase-only function nor the other phase information can be reconstructed other than by a brute force search, said linking information generated, at least in part, from said phase-only function and from said digital key;
said obtaining a digital key comprising applying said linking information to a function of said verification information.
2. The method of claim 1 wherein said step of obtaining verification information comprises the steps of:
obtaining magnitude information from said transformed image information;
applying at least said magnitude information to said phase-only filter to obtain a transitory filter with phase and magnitude information; and multiplying said transformed image information with said transitory filter.
obtaining magnitude information from said transformed image information;
applying at least said magnitude information to said phase-only filter to obtain a transitory filter with phase and magnitude information; and multiplying said transformed image information with said transitory filter.
3. The method of claim 1 wherein said verification information comprises a complex valued array and including the step of, to obtain a function of said verification information:
(i) obtaining a transform of said verification information;
(ii) taking an array which is at least a portion of said transform of the verification information;
(iii) concatenating real and imaginary parts of said taken array to form a verification template; and (iv) binarizing said verification template by thresholding relative to zero.
(i) obtaining a transform of said verification information;
(ii) taking an array which is at least a portion of said transform of the verification information;
(iii) concatenating real and imaginary parts of said taken array to form a verification template; and (iv) binarizing said verification template by thresholding relative to zero.
4. The method of claim 3 wherein said key has binary elements and said linking information is an array having a pre-determined number of rows and a column for each binary element of said key, and wherein the step of obtaining a key comprises:
obtaining an m th element of said key by summing all bits of said binarized verification template whose indices are specified by an m th column of said linking array a value of the m th element of said key being set to one if said sum is greater than or equal to one-half said number of rows of said linking array and, otherwise said m th key element being set to zero.
obtaining an m th element of said key by summing all bits of said binarized verification template whose indices are specified by an m th column of said linking array a value of the m th element of said key being set to one if said sum is greater than or equal to one-half said number of rows of said linking array and, otherwise said m th key element being set to zero.
5. The method of claim 4 including the steps of retrieving a set of bits, encrypting said bits with said key, passing said encrypted bits through a one-way hash algorithm to obtain a key identifier, comparing said obtained key identifier with a retrieved key identifier and, on a match, releasing said key.
6. The method of claim 5 wherein, if said obtained key identifier does not match said retrieved key identifier, taking an array which is a different portion of said verification information from the array of step (ii) of claim 4 and repeating from step (iii) of claim 4.
7. The method of claim 1 wherein said step of obtaining transformed image information comprises applying an optimization procedure dependent upon desired discrimination and distortion tolerance.
8. The method of claim 1 wherein said transform domain is a Fourier transform domain.
9. The method of claim 1 wherein said biometric image is a fingerprint image and wherein said obtaining transformed image information comprises the steps of:
scanning said fingerprint image to obtain a minutiae template, said minutiae template comprises vertical and horizontal minutiae coordinates, minutiae angles, and minutiae types;
obtaining multi-dimensional feature array from said minutiae template; and performing a transform of said feature array.
scanning said fingerprint image to obtain a minutiae template, said minutiae template comprises vertical and horizontal minutiae coordinates, minutiae angles, and minutiae types;
obtaining multi-dimensional feature array from said minutiae template; and performing a transform of said feature array.
10. The method of claim 1 wherein said protected filter includes alignment information, and wherein the step of obtaining transformed image information comprises the steps of:
retrieving said alignment information from said protected filter;
utilizing said alignment information to align said at least one biometric image to obtain at least one aligned biometric image;
retrieving key-related biometric information from said aligned biometric image; and performing a transform of a function of said key-related biometric information to obtain said transformed image information.
retrieving said alignment information from said protected filter;
utilizing said alignment information to align said at least one biometric image to obtain at least one aligned biometric image;
retrieving key-related biometric information from said aligned biometric image; and performing a transform of a function of said key-related biometric information to obtain said transformed image information.
11. The method of claim 1 wherein said phase-only filter is a binary filter and wherein said transformed image information comprises binary transformed image information;
and wherein said step of obtaining verification information comprises performing an XOR
operation between said binary filter and said binary transformed image information.
and wherein said step of obtaining verification information comprises performing an XOR
operation between said binary filter and said binary transformed image information.
12. The method of claim 1 wherein said phase-only filter has two components, neither of which may be reconstructed from the filter alone.
13. The method of claim 1 wherein said phase-only filter comprises a function of the phase component of said transformed image information.
14. The method of claim 1 wherein said phase-only filter comprises a product of a complex conjugate of the phase component of said transformed image information and a random phase-only function.
15. A method for securely storing a digital key, comprising the steps of:
capturing at least one biometric image;
obtaining transformed image information comprising transforming said at least one biometric image to a transform domain;
generating a random function;
utilising said random function and said transformed image information in generating a protected filter; and storing said protected filter;
characterised by:
said random function being a random phase-only function such that said protected filter comprises a phase-only filter, having cryptographic secrecy, that is, given the phase-only filter, neither the transformed image information nor the random phase-only function can be reconstructed other than by a brute force search;
applying said random phase-only function to said transformed image information to obtain a complex-valued output function;
utilizing said output function and a chosen digital key to obtain linking information to said key; and wherein said protected filter also comprises said linking information.
capturing at least one biometric image;
obtaining transformed image information comprising transforming said at least one biometric image to a transform domain;
generating a random function;
utilising said random function and said transformed image information in generating a protected filter; and storing said protected filter;
characterised by:
said random function being a random phase-only function such that said protected filter comprises a phase-only filter, having cryptographic secrecy, that is, given the phase-only filter, neither the transformed image information nor the random phase-only function can be reconstructed other than by a brute force search;
applying said random phase-only function to said transformed image information to obtain a complex-valued output function;
utilizing said output function and a chosen digital key to obtain linking information to said key; and wherein said protected filter also comprises said linking information.
16. The method of claim 15 wherein said key has M elements and wherein the step of obtaining linking information to said digital key comprises the steps of:
(i) obtaining a transform of said output function;
(ii) concatenating real and imaginary parts of at least a portion of said transform of said output function to form an enrollment template;
(iii) ranking positive elements and negative elements of said enrollment template by magnitude;
(iv) storing row and column indices of said ranked positive elements in a positive locations vector and row and column indices of said ranked negative elements in a negative locations vector; and (v) for each one of the M elements of said key, extracting L elements from said negative location vector if said one key bit is a zero and extracting L
elements from said positive location vector if said one bit is a one to generate a two-dimensional link array having L rows and M columns.
(i) obtaining a transform of said output function;
(ii) concatenating real and imaginary parts of at least a portion of said transform of said output function to form an enrollment template;
(iii) ranking positive elements and negative elements of said enrollment template by magnitude;
(iv) storing row and column indices of said ranked positive elements in a positive locations vector and row and column indices of said ranked negative elements in a negative locations vector; and (v) for each one of the M elements of said key, extracting L elements from said negative location vector if said one key bit is a zero and extracting L
elements from said positive location vector if said one bit is a one to generate a two-dimensional link array having L rows and M columns.
17. The method of claim 16 including the steps of retrieving a set of bits, encrypting said bits with said key, passing said encrypted bits through a one-way hash algorithm to obtain a key identifier, and storing a protected filter, said protected filter comprising said phase-only filter, said linking information, and said key identifier.
18. The method of claim 15 wherein said step of obtaining transformed image information comprises applying an optimization procedure dependent upon desired discrimination and distortion tolerance.
19. The method of claim 16 wherein the step of applying said random phase-only function to said transformed image information comprises applying magnitude information from said transformed image information to a product of the phase component of said transformed image information and said phase-only function.
20. The method of claim 15 wherein said transform domain is a Fourier transform domain.
21. The method of claim 15 wherein said biometric image is a fingerprint image and wherein the step of obtaining transformed image information comprises the steps of:
scanning said fingerprint image to obtain a minutiae template, said minutiae template comprises vertical and horizontal minutiae coordinates, minutiae angles, and minutiae types;
obtaining multi-dimensional feature array from said minutiae template; and performing a transform of said feature array.
scanning said fingerprint image to obtain a minutiae template, said minutiae template comprises vertical and horizontal minutiae coordinates, minutiae angles, and minutiae types;
obtaining multi-dimensional feature array from said minutiae template; and performing a transform of said feature array.
22. The method of claim 15 wherein the step of obtaining transformed image information comprises the steps of:
sorting information contained in said biometric image into key-related biometric information and alignment information;
performing a transform of a function of said key-related biometric information; and wherein said protected filter includes said alignment information.
sorting information contained in said biometric image into key-related biometric information and alignment information;
performing a transform of a function of said key-related biometric information; and wherein said protected filter includes said alignment information.
23. The method of claim 15 wherein said biometric image has a natural alignment feature and wherein the step of obtaining transformed image information comprises the steps of:
aligning said at least one biometric image utilizing said natural alignment feature to obtain at least one aligned image; and performing a transform of a function of said aligned image.
aligning said at least one biometric image utilizing said natural alignment feature to obtain at least one aligned image; and performing a transform of a function of said aligned image.
24. The method of claim 15 wherein said phase-only filter is quantized to at least two levels of phase.
25. The method of claim 15 wherein said transformed image information comprises a complex conjugate of the phase component of a transform resulting from said transforming of said at least one biometric image to said transform domain.
26. The method of claim 25 wherein said applying comprises multiplying said phase-only function with said complex conjugate to obtain said protected filter.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CA002286749A CA2286749C (en) | 1997-04-21 | 1998-04-20 | Method for secure key management using a biometric |
Applications Claiming Priority (8)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CA2,203,212 | 1997-04-21 | ||
| CA002203212A CA2203212A1 (en) | 1997-04-21 | 1997-04-21 | Methodology for biometric encryption |
| CA2,209,438 | 1997-06-30 | ||
| CA002209438A CA2209438A1 (en) | 1997-04-21 | 1997-06-30 | Biometric encryption |
| US08/947,224 | 1997-10-08 | ||
| US08/947,224 US6219794B1 (en) | 1997-04-21 | 1997-10-08 | Method for secure key management using a biometric |
| PCT/CA1998/000362 WO1998048538A2 (en) | 1997-04-21 | 1998-04-20 | Method for secure key management using a biometric |
| CA002286749A CA2286749C (en) | 1997-04-21 | 1998-04-20 | Method for secure key management using a biometric |
Publications (2)
| Publication Number | Publication Date |
|---|---|
| CA2286749A1 CA2286749A1 (en) | 1998-10-29 |
| CA2286749C true CA2286749C (en) | 2008-12-30 |
Family
ID=31721534
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CA002286749A Expired - Lifetime CA2286749C (en) | 1997-04-21 | 1998-04-20 | Method for secure key management using a biometric |
Country Status (1)
| Country | Link |
|---|---|
| CA (1) | CA2286749C (en) |
-
1998
- 1998-04-20 CA CA002286749A patent/CA2286749C/en not_active Expired - Lifetime
Also Published As
| Publication number | Publication date |
|---|---|
| CA2286749A1 (en) | 1998-10-29 |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| US6219794B1 (en) | Method for secure key management using a biometric | |
| WO1998048538A2 (en) | Method for secure key management using a biometric | |
| Lee et al. | Biometric key binding: Fuzzy vault based on iris images | |
| Hao et al. | Combining cryptography with biometrics effectively | |
| Chen et al. | Biometric based cryptographic key generation from faces | |
| Feng et al. | A hybrid approach for generating secure and discriminating face template | |
| Arakala et al. | Fuzzy extractors for minutiae-based fingerprint authentication | |
| Nagar et al. | Biometrics based asymmetric cryptosystem design using modified fuzzy vault scheme | |
| Yang et al. | A finger-vein based cancellable bio-cryptosystem | |
| Reddy et al. | Performance of iris based hard fuzzy vault | |
| Kim et al. | One-factor cancellable biometrics based on indexing-first-order hashing for fingerprint authentication | |
| Ziauddin et al. | Robust iris verification for key management | |
| Sandhya et al. | A bio-cryptosystem for fingerprints using Delaunay neighbor structures (dns) and fuzzy commitment scheme | |
| Ouda et al. | Security evaluation of negative iris recognition | |
| Nandini et al. | Efficient cryptographic key generation from fingerprint using symmetric hash functions | |
| CN114065169B (en) | Privacy protection biometric authentication method and device and electronic equipment | |
| CA2286749C (en) | Method for secure key management using a biometric | |
| Pussewalage et al. | A survey: Error control methods used in bio-cryptography | |
| Patel et al. | Hybrid feature level approach for multi-biometric cryptosystem | |
| Bokade et al. | Template security scheme for multimodal biometrics using data fusion technique | |
| Soltane et al. | A review regarding the biometrics cryptography challenging design and strategies | |
| Xi et al. | FE-SViT: A SViT-based fuzzy extractor framework | |
| Zhang et al. | Two encryption schemes of finger vein template | |
| Fatima | Securing the biometric template: a survey | |
| Venkatachalam et al. | Cryptography key generation using biometrics |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| EEER | Examination request | ||
| MKEX | Expiry |
Effective date: 20180420 |