EP2344979A1 - Biometric authentication method - Google Patents

Biometric authentication method

Info

Publication number
EP2344979A1
Authority
EP
European Patent Office
Prior art keywords
zone
enrolled
ongoing
zones
projected
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Withdrawn
Application number
EP09749134A
Other languages
German (de)
French (fr)
Inventor
David-Olivier Jaquet-Chiffelle
Bernhard Anrig
Emmanuel Benoist
Florent Wenger
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Haute Ecole Specialisee Bernoise Technique Et Informatique
Original Assignee
Haute Ecole Specialisee Bernoise Technique Et Informatique
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Haute Ecole Specialisee Bernoise Technique Et Informatique
Priority to EP09749134A
Publication of EP2344979A1
Legal status: Withdrawn

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06V IMAGE OR VIDEO RECOGNITION OR UNDERSTANDING
    • G06V40/00 Recognition of biometric, human-related or animal-related patterns in image or video data
    • G06V40/10 Human or animal bodies, e.g. vehicle occupants or pedestrians; Body parts, e.g. hands
    • G06V40/18 Eye characteristics, e.g. of the iris
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06V IMAGE OR VIDEO RECOGNITION OR UNDERSTANDING
    • G06V10/00 Arrangements for image or video recognition or understanding
    • G06V10/70 Arrangements for image or video recognition or understanding using pattern recognition or machine learning
    • G06V10/74 Image or video pattern matching; Proximity measures in feature spaces
    • G06V10/75 Organisation of the matching processes, e.g. simultaneous or sequential comparisons of image or video features; Coarse-fine approaches, e.g. multi-scale approaches; using context analysis; Selection of dictionaries
    • G06V10/751 Comparing pixel values or logical combinations thereof, or feature values having positional relevance, e.g. template matching

Definitions

  • the present invention relates generally to methods using biometric data to authenticate a physical person, e.g. when identifying this person or verifying an alleged identity.
  • In biometric authentication, biological features are measured from a human biological entity (such as a finger, face, iris, voice, palm, DNA...) to get biometric data that are used to authenticate an individual.
  • biometric raw data (for example the picture of a fingerprint or of an iris)
  • Processing usually comprises image processing (such as brightness and contrast enhancement, resizing, framing and so on), normalizing in order to unwrap the iris region to a normalized rectangular block with a fixed size, etc.
  • a biometric template is a synthesis of all the characteristics extracted from the source, in a suitable format so as to allow comparison between different templates extracted from a similar biological entity.
  • the authentication process may be either verification or identification:
  • Verification consists in checking that the biometric data of the user are close enough to the biometric data stored supposedly for this user.
  • Identification consists in determining, among a set of previously stored biometric data, if one of them is close enough to the user's biometric data.
  • Figure 1 depicts a known example of an enrolment algorithm for iris recognition.
  • an individual presents a class to be enrolled into the system.
  • a class is defined as a biological entity of one individual.
  • a class is defined as one eye of one individual.
  • a picture of the enrolled individual iris is acquired through a camera.
  • the picture is processed to compute an enrolled biometric iris template which, at step 30, is saved in an enrolment database or on a token.
  • the enrolled biometric template is stored for further reference. Sometimes, even the enrolment biometric raw image is stored instead of the template.
  • Figure 2 depicts a known authentication algorithm based on iris recognition.
  • a picture of the iris of the person to be authenticated is taken with a camera.
  • the system processes this image and creates an iris ongoing template.
  • This ongoing template is matched at steps 40 and 42 to all the reference templates stored in the enrolment database in case of identification, or to the template of the alleged user in case of verification.
  • the matching operates on whole templates and is based on a measure of similarity like the Hamming distance, that gives the proportion of data that are equal between the two templates to check for matching. Usually, the closest match, if it is close enough, identifies at steps 44 and 46 the corresponding user.
  • biometric template is transformed for each application by a secret reversible transformation such as permutation or XOR encryption. This technique avoids storing sensitive biometric data.
  • biometric templates are produced similarly to above, each template is then transformed using the secret reversible transformation, and the transformed template is stored in a database or on a token.
  • the ongoing template is produced similarly to the above. Transformed templates are reverted to biometric templates (by applying a reverse transformation), to be matched with the ongoing template as described above.
  • sensitive data (for example the biometric template)
  • a pseudonym identifies unambiguously an individual, without necessarily revealing his actual identity.
  • a single individual may have a plurality of pseudonyms, for example in various applications, but one pseudonym corresponds to a single individual or entity.
  • Pseudonyms can be revoked at any time, just by replacing the one-way function.
  • the comparison between the enrolled and the ongoing biometric data is performed on revocable pseudonyms instead of the original templates.
  • biometric template is not suitable for directly applying a cryptographic mathematical one-way transformation. Even a one-bit difference in the template will lead to very different transformed data, making further similarity check meaningless.
  • the intra-class variability refers to the variability between two different acquisitions of the same class.
  • the extra-class variability refers to the variability between the acquisitions of two different classes.
  • an effective authentication system requires the intra-class variability to be as low as possible (i.e., two acquisitions of the same class shall be as identical as possible), and the extra-class variability to be as high as possible (i.e., two acquisitions of two different classes shall be as different as possible).
  • the size of the effective region used during enrolment is maximized; smaller subregions are only used as a substitute when it is not possible to extract a single rectangular valid region with the prescribed minimal size from the normalized image. Determining the largest valid region, or set of subregions, which can be extracted from a given image is a task that unnecessarily requires processing power.
  • Another drawback of this method is that the surface and shape of the region or set of subregions depend on each enrolment image. As the confidence level of the authentication process depends on the size and unicity of the templates, this method produces an unpredictable confidence level that depends on each image.
  • the present invention proposes a method such that these drawbacks are avoided.
  • a set of enrolled zones of said enrolled biometric data is selected, each selected enrolled zone having more than one pixel, said set comprising preferably at least 16 zones, possibly 200 zones or more;
  • a matching counter is incremented depending on a match with a corresponding ongoing zone;
  • a match between the ongoing biometric data and the enrolled biometric data is determined when the value of the matching counter is higher than a predefined threshold.
  • the method thus replaces the global matching process used in the prior art by a zone-by-zone comparison.
  • the authentication is thus based on a two step process:
  • each of a plurality of enrolled zones is compared with a corresponding ongoing zone. If there is a match, the matching counter is incremented.
  • the value of the matching counter is compared with a threshold. If this value is in a predetermined relation with this threshold (for example, higher than the threshold), it is determined that the enrolled biometric template matches the ongoing biometric template.
  • An ongoing template thus matches an enrolled template when the number of matching zones is higher than the threshold.
  • all zones have an identical surface and, possibly, an identical shape. This makes the comparison between zones a very repetitive, efficient and fast process.
  • invalid ongoing and/or enrolled zones are ignored, i.e., not used during this matching process.
  • the validity of one zone may be determined during the preprocessing of the image, and depends for example on the number of valid pixels in the zone, and/or on other information provided during preprocessing. Examples of invalid zones or pixels include zones covered by eyelashes, eyelids, reflections and so on.
  • the validity of a zone or pixel depends on its brightness and/or contrast; a pixel may for example be considered invalid if its brightness is outside a predetermined range.
  • zones are iteratively selected during the enrolment, until a predetermined number of valid zones have been found (for example 16, or 200 valid zones)
  • each valid enrolled zone is compared with all the zones of the ongoing image with the same shape and dimensions, and with positions which do not differ by more than a given number greater than 0, preferably greater than 1.
  • an enrolled zone is compared not only with the zone of the ongoing template that is at the exact same position, but also with a limited number of zones that are in its immediate or close neighborhood. This is useful for taking into account possible shifts and deformation of the iris between two acquisitions.
  • an ongoing zone is determined to match an enrolled zone when the shapes and dimensions of the zones are equal, when the zones are at the same or at close neighbor positions, and when the zones are equal.
  • the comparison between enrolled and ongoing zones is preferably based on projection of the zones computed using error-correction codes.
  • An ongoing zone thus matches an enrolled zone if the projection (i.e., the error-corrected value) of the enrolled zone is equal to the projection of the ongoing zone, or preferably equal to the projection of the ongoing zone minus the later described difference vector. Since the zones have small surfaces, their variability is low, and a simple, fast error correction function is sufficient.
  • the comparison between enrolled and ongoing zones is preferably based on a transformation of the zones computed by using a one way function of the zones, or of the projected zones.
  • An ongoing zone thus matches an enrolled zone if the transformations of their projections are equal, i.e., if their pseudonyms computed with a one-way transformation of the error-corrected zone are equal.
  • the authentication process is thus a very fast and effective process of comparing a series of pseudonyms of the enrolled and corresponding ongoing zones.
  • the result of the matching process is a binary value and indicates whether an ongoing zone matches the corresponding enrolled zone or not. This makes the authentication very fast, and allows for easy use of one-way transformation.
  • the result of the matching process can take more than two different values and indicates the quality of the match between the zones, i.e., depends on the distance between the enrolled zone and the ongoing zone (or between their projections).
  • the value in the matching counter is a sum of the quality factors between each pair of matching zones. This allows for a more reliable authentication process, but requires more processing time, and limits the choice of suitable one-way functions.
  • the zones selected from the enrolled template are selected at random, possibly independently of the image.
  • different selected enrolled zones may overlap, thus allowing a fast selection of the enrolled zones.
  • different zones are not overlapping, i.e., each pixel belongs to one selected zone at most, thus increasing the uniqueness of the set of zones.
  • some heuristic is used for the selection of the enrolled zones.
  • zones are selected so as to reduce the number of invalid zones; for example, fewer or no zones are selected in regions of the image which are more likely to be covered by eyelids, eyelashes or subject to specular reflections.
  • the zones are selected so as to favor more discriminating regions of the iris.
  • each selected enrolled biometric zone is stored along with the biometric data of the zone, for example along with the template zone or transformed zone.
  • the invention also relates to a method for generating a biometric pseudonym based on a biometric template, comprising the following steps:
  • each selected template zone having a shape, some dimensions and a position
  • the present invention also relates to a method comprising the following steps:
  • acquiring a plurality of biometric raw data, each one being from a different class and called an enrolled biometric raw data
  • the invention further relates to a method for generating a biometric pseudonym based on a biometric template, comprising the following steps: selecting a set of valid zones of a biometric template, each selected template zone having a shape, some dimensions and a position, projecting each selected template zone on an error-correcting code, to produce a set of projected template zones, and applying on each projected template zone a mathematical one-way transformation, to produce a set of transformed zones to be used as the biometric pseudonym.
  • Figure 1 is a flow diagram of the enrolment portion of the iris recognition method as is well-known in the art
  • Figure 2 is a flow diagram of the identification portion of the iris recognition method as is well-known in the art
  • Figure 4 is an example of the definition of a zone within the template domain
  • Figure 5 is an example of a set of zones covering part of the valid features in a particular template
  • Figure 6 is a flow diagram of the enrolment portion of the iris recognition method according to the invention.
  • Figure 7 is a flow diagram of the identification portion of the iris recognition method according to the invention.
  • the pupil is detected and excluded. Zones covered by eyelids, eyelashes or subject to light reflection are also detected by known image processing techniques and are marked as invalid data.
  • the ring-shaped iris is then stretched into a rectangle, by basically transforming the polar coordinates into Cartesian coordinates.
  • a 2D wavelet transform is applied in order to extract the biometric features (for instance, a Gabor wavelet transform is suitable).
  • the result of this transformation is a complex vector for each original pixel. Since illumination and/or contrast may vary a lot between different images of the same iris, only phase information of each vector is kept. Additionally, a validity bit is computed for each pixel. A pixel is considered valid if all pixels used to compute the pixel's vector are valid, i.e., do not come from a region excluded by iris localization process.
  • An iris template can be viewed as a matrix of fixed dimensions. Each of its elements is a biometric feature extracted from an iris. As shown in figure 3, the ring-shaped iris region 100 is generally mapped to a rectangular template domain 110. The horizontal axis x in a template corresponds to the angle θ in the iris, the vertical axis y to the radial axis r.
  • FIG. 4 illustrates an example of the definition of a zone in the template domain 110.
  • the zones are defined as rectangles of constant surface but of varying position and varying dimensions: zone A has its top left corner at (x, y) and is of height h and width w. Rectangles of constant dimensions h, w may also be used.
  • When the ring-shaped iris is mapped into a rectangular matrix as described above, the zones can loop horizontally but not vertically as illustrated by zone B. Thanks to the use of zones, it is possible to process data that are exclusively or mostly valid, and a significant advantage will become more apparent below.
  • When referring to a valid zone, it means that the zone could contain a small amount of invalid pixels, but below a predetermined threshold, the case where the zone contains only valid data being of course included.
  • Figure 5 shows a sample iris template 150 with typical invalid areas due to the occlusion of the upper eyelid 120 and lower eyelid 122, and to a specular reflection 124.
  • Five zones 130 are drawn to illustrate how the valid features can be partially covered.
  • the zones 130b and 130d overlap, the zone 130e contains a small amount of invalid data, and the zone 130c contains a large amount of invalid data.
  • the zone 130e containing a small amount of invalid data could be considered as a valid zone, whereas the zone 130c, containing a large amount of invalid data, could be considered as invalid.
  • Figure 6 describes the enrolment algorithm according to the present invention.
  • the steps of image acquisition 10 and template production 20 remain unchanged compared to the algorithm described above. Invalid portions are detected as explained above. But instead of keeping the whole template, a fixed number N of zones are selected (and called selected enrolled template zones) at step 50, projected by using an error-correction code and transformed with a one-way function at step 52, thus producing a set of N transformed zones. Those transformed zones are stored at step 54 in an enrolment database.
  • the template's validity rate is too low.
  • Another template shall be enrolled again, based on a new acquisition of the user's iris, asking him to open his eyes wider or removing his glasses or contact lenses, if any.
  • less restricted algorithm is used for selecting zones, for example an algorithm authorizing overlapping of zones, and/or zone of different dimensions, and/or zones with more invalid pixels.
  • zones are chosen sequentially among all valid zones, from one corner of the entire template.
  • zones are randomly selected among all the valid zones, excluding overlapping zones.
  • zones are randomly selected among all the valid zones, including overlapping zones.
  • a heuristic may also be used during the zone selection process, in order for example to avoid regions of the template which are more likely to include invalid pixels, or less discriminating regions.
  • the optional transformation 52 aims at solving the intra-class variability issue and subsequently at solving privacy or security issues about biometric data. It consists at least in:
  • This parameter data can be user-dependent, such as a password or a PIN (Personal Identification Number) code. It is either asked to the user during enrolment, or it can be allocated to the user. This parameter data can also be application-dependent.
  • an application A can always combine the same data Da during enrolment, and another application B can always combine the same data Db during enrolment, preventing application A and application B from sharing their biometric data once transformed using the mathematical one-way transformation.
  • the parameter data can also be both user-dependent and application-dependent.
  • Error-correcting code can be viewed as a kind of geometric projection.
  • an error-correcting code is composed of a plurality of codewords (i.e., the words forming the code).
  • the data to be corrected are projected on the codewords, the projection being normally performed by selecting the codeword whose distance from the data to correct is minimal.
  • a Hamming distance is suitable for distance computation. It results in an error correction since a set of data that are close enough to a codeword will generally be projected onto the same codeword and the projected data (which is the codeword) is considered as the corrected data.
  • a low-pass filter may also be used to reduce variability caused by high-frequency noise in the images.
  • an error-correcting code is applied, during the enrolment process, to each selected template zone.
  • Each selected template zone is projected on a codeword of the error-correcting code, called the projected template zone.
  • the difference between the selected template zone and the projected template zone is computed and stored for each selected template zone, and will be used in the subsequent identification process described hereafter.
  • the difference can be viewed as a difference vector representing the "errors" of the selected template zone.
  • the selected template zones on which the error-correcting code is applied contains a number of invalid data under a given threshold.
  • the threshold is determined so that the number of invalid data per template zone is within the error correcting ability of the error-correcting code.
  • a one-way transformation is defined as a function that is easy to compute on every input, but hard to invert.
  • “easy” and “hard” are to be understood in the sense of computational complexity.
  • Such transformations can be cryptographic hash functions, such as for example SHA-256, which are easy to implement. Consequently, the set of transformed zones produced is non-sensitive since it cannot, in a practical sense, be reverted into biometric sensitive data.
  • one-way functions may be used, including homomorphic functions that may be used if one wants to compute the distance between the enrolled and ongoing transformed zone, rather than just verifying their equality.
  • the Reed-Muller RM(1,8) code may be used for error-correction. With this configuration, the code can correct up to 63 errors per 256-bit word.
  • all the selected template zones are stored in an enrolment database at step 54, still referring to figure 6.
  • at least the following data are preferably stored:
  • the transformed zone i.e. the projected template zone, possibly combined to a parameter data, and transformed by the one-way mathematical function
  • the whole set of data for the same template is what we call a biometric pseudonym, and reveals neither the actual identity of the individual hidden behind it, nor his/her biometric data.
  • Adding a parameter data is a very interesting feature since, for a given class, it is possible to produce a plurality of biometric pseudonyms, by changing the parameter data.
  • a biometric pseudonym can consequently be revoked (for instance when it is compromised), and replaced by another one, through a new enrolment with a new parameter data.
  • Figure 7 states a new identification algorithm. The process is iterative, being performed successively with each zone of each enrolled class stored during the enrolment procedure described hereunder.
  • all possible valid zones of the ongoing biometric template are determined at step 60 and tested during the identification. In another embodiment, only the ongoing zones that are at the same position or in the neighborhood of at least one of the enrolled zones of one class are determined.
  • An enrolled class is selected at step 62 (which enrolled class is selected being unimportant since all enrolled classes will be iteratively processed until a match is found) and will be called the current enrolled class.
  • a selected zone of the current enrolled class is selected at step 64 among the set of selected zones (which zone is selected is unimportant since all zones in the set of selected zones of the current enrolled class will be iteratively processed). This zone will be called the current enrolled zone.
  • at step 68, all ongoing valid zones determined at step 60 are processed according to the following steps:
  • each projected ongoing zone by using the same mathematical one-way transformation as used during enrolment, to produce a set of transformed ongoing zones.
  • Subtracting the difference vector of the current enrolled zone of the current enrolled class from each ongoing valid zone ensures that an ongoing valid zone is projected on the same codeword as its closest enrolled template zone. If this operation is omitted, the ongoing valid zone would be projected directly on its closest codeword. It could be possible, in that case, that an ongoing valid zone and a very close enrolled zone are not projected onto the same codeword, which is not what is desired.
  • the subtraction is performed only on the valid data, the invalid data being reported as is in the translated ongoing zone.
  • an additional step can be advantageously implemented, consisting in combining a parameter data to each projected ongoing zone, to produce a set of combined ongoing zone.
  • the parameter data can also be either user-dependent, application-dependent or both, and the combination algorithm shall be the same as for the enrolment procedure.
  • the combined ongoing zone is then transformed by a one-way transformation, to produce a set of transformed ongoing zones. It has to be mentioned that combining a parameter data during the identification makes sense if and only if a parameter data was combined during the enrolment procedure. Moreover, when a parameter data was combined during the enrolment, the same parameter data shall be combined during identification procedure.
  • Step 70 is a matching process and searches if one of the transformed ongoing zones matches the current enrolled zone.
  • an ongoing zone is considered to match the current enrolled zone when both zones have the same shape, the same dimensions (for example same height h and same width w for a rectangle shape, same diameter for a disc), the same position and the same transformed data.
  • an ongoing zone is considered to match the current enrolled zone when they have the same shape, the same dimensions, the same transformed data and a close position (the coordinate x of the ongoing zone and the coordinate x of the current enrolled zone do not differ by more than a given positive number, and the coordinate y of the ongoing zone and the coordinate y of the current enrolled zone do not differ by more than a given positive number).
  • This feature considers for example that the user can slightly tilt his head during iris image acquisition, which slightly shifts the mapping of the iris in the template between enrolment and identification.
  • For each enrolled class, a per-class matching counter is implemented. Each time an ongoing zone matches one of the current zones of the current enrolled class, the counter corresponding to the current enrolled class is incremented at step 72. The increment value may be one, if only equality is tested, or depend on the distance between each ongoing zone and the corresponding enrolled zone.
  • the steps 64, 68, 70 and 72 are repeated until all the zones of the current enrolled class are processed, or until the value of the matching counter reaches a threshold sufficient for determining a match with some probability.
  • the steps 62, 64, 68, 70 and 72 are repeated until all the enrolled classes are processed (i.e., until all reference templates in the enrolment database have been tested), or until a satisfying match has been found.
  • at step 78, it is verified whether the ongoing biometric data matches one enrolled biometric data based on the value of the matching counter. Alternatively, the closest matching class is found from the per-class matching counters whose value is the highest among all per-class matching counters.
  • the identification privilege is granted if the per-class matching counter whose value is the highest is above a threshold, which can be application dependent just as with traditional biometric systems.
  • the search for the closest matching class can be replaced by the search for the first per-class matching counter whose value is above a threshold; this avoids repeating the process for the remaining enrolled classes.
  • Tests have been performed to empirically determine parameters that give good results. These parameters are given hereafter as non-limiting examples.
  • a good trade-off between efficiency and practicability is obtained by selecting rectangular zones. Good results are obtained by using fixed-area rectangular zones, but whose dimensions can vary. A good trade-off is obtained with small zones having a 256-data area (256 pixels).
  • the number of per-user enrolled zones was set to 300.
  • a threshold for matching decision (which is the ratio between the closest user matching number and the number of zones of the closest user template) between 0.7 and 0.8 was used.
  • This threshold may be adapted, depending on the application, to get a good trade-off between convenience and security. Considering that zones can slightly shift between enrolment and identification, zones were checked for matching at positions differing by up to 2 for x and y.
  • the preceding description is based on iris biometrics. It will be evident to apply the present invention to other biometric techniques producing fixed-size templates or to other biometric techniques by transforming templates into fixed-sized templates. Moreover, the preceding description is based on an identification scenario involving one-to-many comparisons. It is of course applicable, with few modifications that can be easily performed by someone skilled in the art, to implement a verification scenario involving one-to-one comparison.
  • the identification algorithm is described as sequential operations.
  • One skilled in the art will encounter no particular difficulty to parallelize the operations in order to improve the processing time.
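
The enrolment and identification procedures described above (zone selection, projection on RM(1,8), difference vector, one-way transformation with parameter data, matching counter and threshold), as an added example that is not code from the patent or its authors. Assumptions: a 128 x 32 bit template with every pixel valid, 16 x 16 zones, 16 zones per class, SHA-256 as the one-way function, a byte-string parameter, and constructed random bit matrices standing in for iris templates; all function names are hypothetical.

```python
import hashlib
import random

# RM(1,8), 256-bit zones, shift 2 and a 0.7-0.8 ratio come from the text;
# the template size and zone count below are assumptions for this example.
N = 256                      # RM(1,8) codeword length; corrects up to 63 bit errors
W, H = 128, 32               # template width (angle axis) and height (radial axis)
ZW, ZH = 16, 16              # zone dimensions: 16 x 16 = 256 bits
N_ZONES, SHIFT, RATIO = 16, 2, 0.75


def rm1_project(bits):
    """Return the RM(1,8) codeword nearest (Hamming distance) to a 256-bit word."""
    f = [1 - 2 * b for b in bits]              # map 0/1 to +1/-1
    h = 1
    while h < N:                               # fast Walsh-Hadamard transform
        for i in range(0, N, 2 * h):
            for j in range(i, i + h):
                f[j], f[j + h] = f[j] + f[j + h], f[j] - f[j + h]
        h *= 2
    k = max(range(N), key=lambda i: abs(f[i]))  # best-correlated linear function
    const = 1 if f[k] < 0 else 0                # negative correlation: complement
    return [(bin(k & x).count("1") & 1) ^ const for x in range(N)]


def zone_bits(template, x, y):
    """Read one zone; zones wrap horizontally (angle) but not vertically."""
    return [template[y + r][(x + c) % W] for r in range(ZH) for c in range(ZW)]


def pseudonym(codeword, param):
    """One-way transformation of a projected zone combined with parameter data."""
    return hashlib.sha256(param + bytes(codeword)).hexdigest()


def enrol(template, param, rng):
    """Store only position, difference vector and transformed zone per zone."""
    record = []
    for _ in range(N_ZONES):
        x, y = rng.randrange(W), rng.randrange(H - ZH + 1)
        zone = zone_bits(template, x, y)
        projected = rm1_project(zone)
        diff = [a ^ b for a, b in zip(zone, projected)]   # the zone's "errors"
        record.append((x, y, diff, pseudonym(projected, param)))
    return record


def zone_matches(template, x, y, diff, enrolled_hash, param):
    """Test the enrolled position and its neighbours within +/- SHIFT."""
    for dy in range(-SHIFT, SHIFT + 1):
        if not 0 <= y + dy <= H - ZH:
            continue
        for dx in range(-SHIFT, SHIFT + 1):
            zone = zone_bits(template, x + dx, y + dy)
            # Subtracting the difference vector over bits is an XOR.
            translated = [a ^ b for a, b in zip(zone, diff)]
            if pseudonym(rm1_project(translated), param) == enrolled_hash:
                return True
    return False


def identify(template, record, param):
    """Return (decision, matching counter) for one enrolled class."""
    counter = sum(zone_matches(template, x, y, d, h, param)
                  for x, y, d, h in record)
    return counter >= RATIO * len(record), counter


def demo():
    rng = random.Random(2009)                  # constructed sample data
    enrolled = [[rng.getrandbits(1) for _ in range(W)] for _ in range(H)]
    # Same eye, rotated by 2 columns, with about 8% of the bits flipped.
    genuine = [[row[(c - 2) % W] ^ (rng.random() < 0.08) for c in range(W)]
               for row in enrolled]
    impostor = [[rng.getrandbits(1) for _ in range(W)] for _ in range(H)]
    record = enrol(enrolled, b"app-A|1234", rng)
    return {
        "genuine": identify(genuine, record, b"app-A|1234"),
        "impostor": identify(impostor, record, b"app-A|1234"),
        "new_parameter": identify(genuine, record, b"app-B|1234"),
    }


if __name__ == "__main__":
    for name, (decision, counter) in demo().items():
        print(f"{name}: match={decision} counter={counter}/{N_ZONES}")
```

RM(1,8) has only 512 codewords, so an unrelated zone can occasionally project onto the enrolled codeword; the decision therefore rests on the matching counter and its threshold, not on any single zone.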

Landscapes

  • Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • General Health & Medical Sciences (AREA)
  • Computer Vision & Pattern Recognition (AREA)
  • Health & Medical Sciences (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • Multimedia (AREA)
  • Human Computer Interaction (AREA)
  • Ophthalmology & Optometry (AREA)
  • Artificial Intelligence (AREA)
  • Computing Systems (AREA)
  • Databases & Information Systems (AREA)
  • Evolutionary Computation (AREA)
  • Medical Informatics (AREA)
  • Software Systems (AREA)
  • Collating Specific Patterns (AREA)

Abstract

A biometric authentication method for verifying a match between an ongoing biometric data and a previously enrolled biometric data, comprising the following steps: - selecting a set of enrolled zones (130) of said enrolled biometric data (50), each selected enrolled zone having more than one pixel, said set comprising at least 16 zones; - for each of a plurality of said selected enrolled zones, incrementing (72) a matching counter depending on a match between said selected enrolled zone and a corresponding ongoing zone of said ongoing biometric data; - verifying (76, 78) if the ongoing biometric data matches the enrolled biometric data based on the value of said matching counter.

Description

Biometric authentication method
Field of the invention
The present invention relates generally to methods using biometric data to authenticate a physical person, e.g. when identifying this person or verifying an alleged identity.
Background of the invention
In biometric authentication, biological features are measured from a human biological entity (such as a finger, face, iris, voice, palm, DNA...) to get biometric data that are used to authenticate an individual. For that purpose, biometric raw data (for example the picture of a fingerprint or of an iris) is processed to be transformed into a biometric template. Processing usually comprises image processing (such as brightness and contrast enhancement, resizing, framing and so on), normalizing in order to unwrap the iris region to a normalized rectangular block with a fixed size, etc.
A biometric template is a synthesis of all the characteristics extracted from the source, in a suitable format so as to allow comparison between different templates extracted from a similar biological entity.
Generally, such techniques require two steps:
- an enrolment process, during which biometric data from an individual are acquired, processed and stored,
- an authentication process, during which biometric data from an individual are acquired, processed and compared to biometric data previously stored during the enrolment process.
The authentication process may be either verification or identification:
- Verification consists in checking that the biometric data of the user are close enough to the biometric data stored supposedly for this user.
- Identification consists in determining, among a set of previously stored biometric data, if one of them is close enough to the user's biometric data.
Among all biometric techniques, iris recognition makes it possible to authenticate individuals with speed and reliability. A popular implementation is disclosed in the U.S. Pat. No. 5,291,560.
Figure 1 depicts a known example of enrolment algorithm for iris recognition. Traditionally, an individual presents a class to be enrolled into the system. A class is defined as a biological entity of one individual. In iris recognition systems, a class is defined as one eye of one individual.
At step 10, a picture of the enrolled individual iris is acquired through a camera. At step 20, the picture is processed to compute an enrolled biometric iris template which, at step 30, is saved in an enrolment database or on a token. In both cases, the enrolled biometric template is stored for further reference. Sometimes, even the enrolment biometric raw image is stored instead of the template.
Figure 2 depicts a known authentication algorithm based on iris recognition. Likewise, at step 10, a picture of the iris of the person to be authenticated is taken with a camera. At step 20, the system processes this image and creates an iris ongoing template. This ongoing template is matched at steps 40 and 42 to all the reference templates stored in the enrolment database in case of identification, or to the template of the alleged user in case of verification. The matching operates on whole templates and is based on a measure of similarity like the Hamming distance, that gives the proportion of data that are equal between the two templates to check for matching. Usually, the closest match, if it is close enough, identifies at steps 44 and 46 the corresponding user.
Otherwise, the authentication fails and the person is rejected, i.e., identification or verification privilege is not granted.
This technique offers very low error rates, i.e., it verifies or identifies individuals with a high confidence level. However, as biometric templates are directly processed, stored and compared, such an iris recognition method has several disadvantages with regard to personal security and privacy. First, if biometric data are compromised (for example if anyone can access the biometric template of a user), the owner has no choice but to revoke them - if ever possible - to avoid future fraudulent use. By doing so, he permanently loses all benefits linked to his biological entity - here, his iris - in terms of convenience and security. Second, if a person registers the same biometric for use in different applications, his corresponding partial identities can be easily linked through his compromised biometric data. Linkability of personal information constitutes a serious threat to his privacy.
In patent WO02/095657 entitled "Application-specific biometric templates", it is suggested that the biometric template is transformed for each application by a secret reversible transformation such as permutation or XOR encryption. This technique avoids storing sensitive biometric data. During the enrolment process, biometric templates are produced similarly to above, each template is then transformed using the secret reversible transformation, and the transformed template is stored in a database or on a token. During the identification process, the ongoing template is produced similarly to the above. Transformed templates are reverted to biometric templates (by applying a reverse transformation), to be matched with the ongoing template as described above. Linkability concerns are reduced since transformed templates from different applications are not directly compatible (i.e., a template transformed for one application cannot be directly used in another application having a different secret transformation). However, a transformed template for application A may be used by application B but it has first to be transformed by reversing transformation A and then applying transformation B. Moreover, applying a reversible transformation only makes biometric data harder to compromise since it simply relies on a secret key. A secret key may also be compromised, and if encryption is too weak, brute force means may even allow retrieving the original biometric template, implying the same privacy and/or security threats as above.
In order to avoid this risk, the use of mathematical one-way transformations, such as cryptographic hash functions, has been suggested in the prior art in order to maintain the confidentiality of the users' biometric templates and to achieve both security and privacy protection. One-way transformations prevent recovery of the original biometric data, even when the transformation applied is known.
In this case, sensitive data, for example the biometric template, is transformed into a pseudonym by applying the mathematical one-way transformation. A pseudonym identifies unambiguously an individual, without necessarily revealing his actual identity. A single individual may have a plurality of pseudonyms, for example in various applications, but one pseudonym corresponds to a single individual or entity. Pseudonyms can be revoked at any time, just by replacing the one-way function.
In this case, the comparison between the enrolled and the ongoing biometric data is performed on revocable pseudonyms instead of the original templates.
Examples of documents that suggest the use of one-way functions for computing revocable biometric signatures (pseudonyms) include:
Valerie Viet Triem Tong et al.: "Biometric Fuzzy Extractors Made Practical: A proposal based on fingercodes", Advances in Biometrics; [Lecture Notes in Computer Science], Springer, Berlin Heidelberg, Vol. 4642, 27 August 2007, pages 604-613;
Arati Arakala et al.: "Fuzzy Extractors for Minutiae-Based Fingerprint Authentication", Advances in Biometrics; [Lecture Notes in Computer Science], Springer, Berlin Heidelberg, Vol. 4642, 27 August 2007, pages 760-769;
Karthik Nandakumar et al.: "Multibiometric Template Security Using Fuzzy Vault", Biometrics: Theory, Applications and Systems, 2008, BTAS 2008, 2nd IEEE International Conference on, IEEE, Piscataway, NJ, USA, 29 September 2008, pages 1-6;
WO-A2-2006/044917;
Feng Hao: "On using fuzzy data in security mechanisms", April 2007, dissertation, Queens' College, Cambridge, Chapters 3 and 4
However, due to the natural intra-class variability of biometric data (i.e., for a single class, the template will slightly differ from one acquisition to another), a biometric template is not suitable for directly applying a cryptographic mathematical one-way transformation. Even a one-bit difference in the template will lead to very different transformed data, making further similarity check meaningless.
The intra-class variability refers to the variability between two different acquisitions of the same class. The extra-class variability refers to the variability between the acquisitions of two different classes. Generally, an effective authentication system requires the intra-class variability to be as low as possible (i.e., two acquisitions of the same class shall be as identical as possible), and the extra-class variability to be as high as possible (i.e., two acquisitions of two different classes shall be as different as possible).
In order to reduce the intra-class variability, it has already been suggested in the prior art to project the enrolled and the ongoing biometric templates into corresponding projected templates, using for example an error-correcting function. F. Hao et al., "Combining cryptography with biometrics effectively", Technical Report UCAMCL-TR-640, University of Cambridge, July 2005 relates to a biometric iris authentication method using a two layer error correction technique to generate a constant string from a variable biometric template. Intra-class variability is eliminated by correcting random errors and burst errors, since slightly different templates will result in an exactly same corrected string. However, the scheme works only if the proportion of invalid features in the biometric templates, due e.g. to occluding eyelids and eyelashes, is within the correcting capabilities of the code. Otherwise, non-valid template areas may introduce far more errors than what can practically be corrected with the error correction code. Therefore, if large parts of the biometric raw image are invalid due to eyelids, eyelashes or reflections for example, the error correction function does not output the expected projected biometric template, causing the verification to fail.
It is of course possible to use an error correction function with a higher error-correction capability. A very high error correction capability produces however a lot of redundancy, and reduces the extra-class variability of the projected templates, thus increasing the risk of false positives during authentication.
K. Miyazawa et al.: "An Effective Approach for Iris Recognition Using Phase-Based Image Matching" , IEEE Transactions on Pattern Analysis and Machine Intelligence, IEEE Service Center, Los Alamitos, Vol. 30, N°10, 1 October 2008, pages 1741-1756, suggests a method in which one region of a biometric template is extracted from a normalized iris image while eliminating irrelevant (invalid) regions such as masked eyelid and specular reflections. If most of the normalized iris image is covered by the eyelid, multiple effective subregions are extracted from each iris image, for example six subregions.
In this solution, the size of the effective region used during enrolment is maximized; smaller subregions are only used as a substitute when it is not possible to extract a single rectangular valid region with the prescribed minimal size from the normalized image. Determining the largest valid region, or set of subregions, which can be extracted from a given image is a task that unnecessarily requires processing power.
Another drawback of this method is that the surface and shape of the region or set of subregions depend on each enrolment image. As the confidence level of the authentication process depends on the size and unicity of the templates, this method produces an unpredictable confidence level that depends on each image.
In addition, it has been found that the use of large size regions or subregions is not optimal. In fact, due to inherent intra-class variability, it is unlikely that two different acquisitions of a large region will produce the same biometric template. Projecting a large region or set of subregions using an error-correcting code appears to be impractical. It would either require that the region contains only a small amount of errors to be within the correcting ability of an error-correcting code with many codewords, or to use an error-correcting code having the ability to correct a lot of errors. Ensuring a good picture quality may be difficult in practice, for example when the pictures are acquired outdoors. Correcting a large amount of errors would generally result in using a code having fewer codewords, and would therefore increase the probability that two templates from two different classes are projected onto the same codeword, thus producing a higher rate of false positives during the authentication process.
Brief summary of the invention
The present invention proposes a method such that these drawbacks are avoided.
It is another aim of the invention to propose a biometric authentication method which is more reliable, especially when the raw image contains many invalid regions or pixels.
It is another aim of the invention to propose a biometric authentication method which does not necessarily rely on powerful error correcting codes for reducing the intra-class variability of large regions.
In order to achieve those goals, a new method for verifying whether an ongoing biometric data matches a previously enrolled biometric data is suggested, in which:
- a set of enrolled zones of said enrolled biometric data is selected, each selected enrolled zone having more than one pixel, said set comprising preferably at least 16 zones, possibly 200 zones or more;
- for each of a plurality of selected enrolled zones, a matching counter is incremented depending on a match with a corresponding ongoing zone;
- a match between the ongoing biometric data and the enrolled biometric data is determined when the value of the matching counter is higher than a predefined threshold.
The method thus replaces the global matching process used in the prior art by a zone-by-zone comparison. The authentication is thus based on a two step process:
a) in a first step, each of a plurality of enrolled zones is compared with a corresponding ongoing zone. If there is a match, the matching counter is incremented.
b) when all the possible matches have been verified, the value of the matching counter is compared with a threshold. If this value is in a predetermined relation with this threshold (for example, higher than the threshold), it is determined that the enrolled biometric template matches the ongoing biometric template.
An ongoing template thus matches an enrolled template when the number of matching zones is higher than the threshold.
In one embodiment, all zones have an identical surface and, possibly, an identical shape. This makes the comparison between zones a very repetitive, efficient and fast process.
In one embodiment, invalid ongoing and/or enrolled zones are ignored, i.e., not used during this matching process. The validity of one zone may be determined during the preprocessing of the image, and depends for example on the number of valid pixels in the zone, and/or on other information provided during preprocessing. Examples of invalid zones or pixels include zones covered by eyelashes, eyelids, reflections and so on. In one example, the validity of a zone or pixel depends on its brightness and/or contrast; a pixel may for example be considered invalid if its brightness is outside a predetermined range.
In one embodiment, a fixed number of valid zones are used, this number being independent of the enrolled or ongoing template. Again, this makes the comparison between zones a very repetitive, efficient and fast process, while increasing the independence of the confidence level with regard to the image. In one embodiment, zones are iteratively selected during the enrolment, until a predetermined number of valid zones have been found (for example 16, or 200 valid zones).
In one embodiment, each valid enrolled zone is compared with all the zones of the ongoing image that have the same shape and dimensions and whose positions differ from its own by no more than a given number greater than 0, preferably greater than 1. Thus, an enrolled zone is compared not only with the zone of the ongoing template that is at the exact same position, but also with a limited number of zones that are in its immediate or close neighborhood. This is useful for taking into account possible shifts and deformation of the iris between two acquisitions.
In one embodiment, an ongoing zone is determined to match an enrolled zone when the shapes and dimensions of the zones are equal, when the zones are at the same or at close neighbor positions, and when the zones are equal.
In order to compensate for the intra-class variability within the zone, the comparison between enrolled and ongoing zones is preferably based on projection of the zones computed using error-correction codes. An ongoing zone thus matches an enrolled zone if the projection (i.e., the error-corrected value) of the enrolled zone is equal to the projection of the ongoing zone, or preferably equal to the projection of the ongoing zone minus the later described difference vector. Since the zones have small surfaces, their variability is low, and a simple, fast error correction function is sufficient.
In order to maintain the privacy of the biometric data, the comparison between enrolled and ongoing zones is preferably based on a transformation of the zones computed by using a one-way function of the zones, or of the projected zones. An ongoing zone thus matches an enrolled zone if the transformations of their projections are equal, i.e., if their pseudonyms computed with a one-way transformation of the error-corrected zone are equal.
The authentication process is thus a very fast and effective process of comparing a series of pseudonyms of the enrolled and corresponding ongoing zones.
In one embodiment, the result of the matching process is a binary value and indicates whether an ongoing zone matches the corresponding enrolled zone or not. This makes the authentication very fast, and allows for easy use of one-way transformation.
In another embodiment, the result of the matching process can take more than two different values and indicates the quality of the match between the zones, i.e., depends on the distance between the enrolled zone and the ongoing zone (or between their projections). In this case, the value in the matching counter is a sum of the quality factors between each pair of matching zones. This allows for a more reliable authentication process, but requires more processing time, and limits the choice of suitable one-way functions.
According to one aspect, the zones selected from the enrolled template are selected at random, possibly independently of the image. In one embodiment, different selected enrolled zones may overlap, thus allowing a fast selection of the enrolled zones. In another embodiment, different zones are not overlapping, i.e., each pixel belongs to one selected zone at most, thus increasing the uniqueness of the set of zones.
In another embodiment, some heuristic is used for the selection of the enrolled zones. In a first example, zones are selected so as to reduce the number of invalid zones; for example, less or no zones are selected in regions of the image which are more likely to be covered by eyelids, eyelashes or subject to specular reflections. In a second example, which may be combined with the first example, the zones are selected so as to favor more discriminating regions of the iris.
Not all the valid pixels need to be included in one zone; the selection of zones can be stopped when enough valid zones have been extracted. Some perfectly valid parts of the iris image thus remain unused, thus further improving the privacy of the whole iris.
The position of each selected enrolled biometric zone is stored along with the biometric data of the zone, for example along with the template zone or transformed zone.
In one aspect, the invention also relates to a method for generating a biometric pseudonym based on a biometric template, comprising the following steps:
selecting a set of zones of a biometric template, each selected template zone having a shape, some dimensions and a position,
projecting each selected template zone on an error correcting code, to produce a projected zone, and
applying on each projected zone a mathematical one-way transformation, to produce a set of transformed zones to be used as the biometric pseudonym.
Additionally, the present invention also relates to a method comprising the following steps:
acquiring a plurality of biometric raw data, each one being from a different class and called an enrolled biometric raw data,
producing an enrolled biometric template from each enrolled biometric raw data,
producing an enrolled biometric pseudonym from each enrolled biometric template,
storing, in a non-volatile memory, for a set of zones of each enrolled biometric template:
• a class identifier, unique for all zones of a given class,
• a difference vector between the selected template zone and the projected template zone,
• the transformed zone,
• the shape of the selected template zone,
• the dimensions of the selected template zone, and
• the position of the selected template zone.
The invention further relates to a method for generating a biometric pseudonym based on a biometric template, comprising the following steps: selecting a set of valid zones of a biometric template, each selected template zone having a shape, some dimensions and a position, projecting each selected template zone on an error-correcting code, to produce a set of projected template zones, and applying on each projected template zone a mathematical one-way transformation, to produce a set of transformed zones to be used as the biometric pseudonym.
Brief Description of the Drawings
The above and other objects, features, and advantages of the present invention will become further apparent from the following description referring to the accompanying drawings, in which:
-figure 1 is a flow diagram of the enrolment portion of the iris recognition method as is well-known in the art,
-figure 2 is a flow diagram of the identification portion of the iris recognition method as is well-known in the art,
-figure 3 shows the mapping of the iris region to the template domain,
-figure 4 is an example of the definition of a zone within the template domain,
-figure 5 is an example of a set of zones covering part of the valid features in a particular template,
-figure 6 is a flow diagram of the enrolment portion of the iris recognition method according to the invention,
-figure 7 is a flow diagram of the identification portion of the iris recognition method according to the invention.
Detailed Description
The computation of a biometric template from an iris raw image (taken by a camera) is well known in the art. The following steps may be implemented.
-Iris localization and stretching. Using image processing techniques, the pupil is detected and excluded. Zones covered by eyelids, eyelashes or subject to light reflection are also detected by known image processing techniques and are marked as invalid data. The ring-shaped iris is then stretched into a rectangle, by basically transforming the polar coordinates into Cartesian coordinates.
- Wavelets transform. A 2D wavelet transform is applied in order to extract the biometric features (for instance, a Gabor wavelet transform is suitable). The result of this transformation is a complex vector for each original pixel. Since illumination and/or contrast may vary a lot between different images of the same iris, only phase information of each vector is kept. Additionally, a validity bit is computed for each pixel. A pixel is considered valid if all pixels used to compute the pixel's vector are valid, i.e., do not come from a region excluded by iris localization process.
One can refer to U.S. Pat. No. 5,291,560 for a comprehensive description of the method.
An iris template can be viewed as a matrix of fixed dimensions. Each of its elements is a biometric feature extracted from an iris. As shown in figure 3, the ring-shaped iris region 100 is generally mapped to a rectangular template domain 110. The horizontal axis x in a template corresponds to the angle θ in the iris, the vertical axis y to the radial axis r.
An important and advantageous aspect of the invention is to work with portions of biometric data (subtemplates) instead of entire templates, referring to such portions or subtemplates as zones. Figure 4 illustrates an example of the definition of a zone in the template domain 110. In this example, the zones are defined as rectangles of constant surface but of varying position and varying dimensions: zone A has its top left corner at (x, y) and is of height h and width w. Rectangles of constant dimensions h, w may also be used. When the ring-shape iris is mapped into a rectangular matrix as described above, the zones can loop horizontally but not vertically as illustrated by zone B. Thanks to the use of zones, it is possible to process data that are exclusively or mostly valid, and a significant advantage will become more apparent below.
In the following description, when referring to a valid zone, it means that the zone could contain a small amount of invalid pixels, but below a predetermined threshold, the case where the zone contains only valid data being of course included.
Figure 5 shows a sample iris template 150 with typical invalid areas due to the occlusion of the upper eyelid 120 and lower eyelid 122, and to a specular reflection 124. Five zones 130 are drawn to illustrate how the valid features can be partially covered. The zones 130b and 130d overlap, the zone 130e contains a small amount of invalid data, and the zone 130c contains a large amount of invalid data. The zone 130e containing a small amount of invalid data could be considered as a valid zone, whereas the zone 130c, containing a large amount of invalid data, could be considered as invalid.
Figure 6 describes the enrolment algorithm according to the present invention. The steps of image acquisition 10 and template production 20 remain unchanged compared to the algorithm described above. Invalid portions are detected as explained above. But instead of keeping the whole template, a fixed number N of zones are selected (and called selected enrolled template zones) at step 50, projected by using an error-correction code and transformed with a one-way function at step 52, thus producing a set of N transformed zones. Those transformed zones are stored at step 54 in an enrolment database. In a preferred embodiment, the number N of zones is large, preferably larger than 16, possibly larger than 100, for example N=200 zones. When the number of selected template zones in an enrolled template is below the required number N of zones to be enrolled (meaning that the template contains too many invalid data), the template's validity rate is too low. Another template shall then be enrolled, based on a new acquisition of the user's iris, asking him to open his eyes wider or to remove his glasses or contact lenses, if any. In another embodiment, a less restrictive algorithm is used for selecting zones, for example an algorithm authorizing overlapping of zones, and/or zones of different dimensions, and/or zones with more invalid pixels.
In a first embodiment of the zone selection process 50, zones are chosen sequentially among all valid zones, from one corner of the entire template.
In a second embodiment of the zone selection process 50, zones are randomly selected among all the valid zones, excluding overlapping zones.
In a third embodiment of the zone selection process 50, zones are randomly selected among all the valid zones, including overlapping zones.
As already mentioned, a heuristic may also be used during the zone selection process, in order for example to avoid regions of the template which are more likely to include invalid pixels, or less discriminating regions.
The optional transformation 52 aims at solving the intra-class variability issue and subsequently at solving privacy or security issues about biometric data. It consists at least in:
-projecting each selected template zone on an error-correcting code, to produce a set of projected template zones, and
-applying on each projected template zone a one-way transformation, to produce a set of transformed zones.
During the transformation, an additional step can be advantageously implemented, consisting in combining a parameter data with each projected template zone, to produce a set of combined template zones. Each combined template zone is then transformed by a one-way transformation, to produce a set of transformed zones. The combination can be performed through a concatenation or any other known technique. This parameter data can be user-dependent, such as a password or a PIN (Personal Identification Number) code. It is either requested from the user during enrolment, or it can be allocated to the user. This parameter data can also be application-dependent. For example, an application A can always combine the same data Da during enrolment, and another application B can always combine the same data Db during enrolment, preventing application A and application B from sharing their biometric data once transformed using the mathematical one-way transformation. The parameter data can also be both user-dependent and application-dependent.
Error-correcting code can be viewed as a kind of geometric projection. Considering a general case, an error-correcting code is composed of a plurality of codewords (i.e., the words forming the code). The data to be corrected are projected on the codewords, the projection being normally performed by selecting the codeword whose distance from the data to correct is minimal. A Hamming distance is suitable for distance computation. It results in an error correction since a set of data that are close enough to a codeword will generally be projected onto the same codeword and the projected data (which is the codeword) is considered as the corrected data. Alternatively, a low-pass filter may also be used to reduce variability caused by high-frequency noise in the images.
In the present invention, an error-correcting code is applied, during the enrolment process, to each selected template zone. Each selected template zone is projected on a codeword of the error-correcting code, called the projected template zone. Additionally, when projecting a selected template zone, the difference between the selected template zone and the projected template zone is computed and stored for each selected template zone, and will be used in the subsequent identification process described hereafter. The difference can be viewed as a difference vector representing the "errors" of the selected template zone.
As mentioned above, the selected template zones on which the error-correcting code is applied contain a number of invalid data under a given threshold. Advantageously, the threshold is determined so that the number of invalid data per template zone is within the error correcting ability of the error-correcting code. Working with zones containing mostly valid data and projecting them on an error-correcting code drastically reduces the intra-class variability. It means that two template zones (located at the same place in the templates), computed from two different pictures of the same class will generally be (slightly) different, but will be projected more often on the same codeword than two template zones from two different classes. The subsequent matching process can then be replaced by an equality test, instead of a similarity test.
Solving the intra-class variability of each zone makes it possible to apply a mathematical one-way transformation to each projected (i.e., error-corrected) zone. A one-way transformation is defined as a function that is easy to compute on every input, but hard to invert. Here "easy" and "hard" are to be understood in the sense of computational complexity. Such transformations can be cryptographic hash functions, such as for example SHA-256, which are easy to implement. Consequently, the set of transformed zones produced is non-sensitive since it cannot, in a practical sense, be reverted into biometric sensitive data.
Other examples of one-way functions may be used, including homomorphic functions, which may be used if one wants to compute the distance between the enrolled and ongoing transformed zones, rather than just verifying their equality.
The Reed-Muller RM(1,8) code may be used for error-correction. With this configuration, the code can correct up to 63 errors per 256-bit word. One can refer to the book "Introduction to coding and information theory" Springer-Verlag, 1997, by S. Roman, pp 234-243 for a comprehensive description of the code and its implementation.
For each user to enroll, all the selected template zones are stored in an enrolment database at step 54, still referring to figure 6. For each zone, at least the following data are preferably stored:
- a class identifier, unique for all zones of a given enrolled class,
- the difference vector between the selected template zone and the projected template zone,
- the transformed zone (i.e. the projected template zone, possibly combined with a parameter data, and transformed by the one-way mathematical function),
- the shape of the selected template zone,
- the dimensions of the selected template zone, and
- the position of the selected template zone.
The whole set of data for the same template is what we call a biometric pseudonym, and reveals neither the actual identity of the individual hidden behind it, nor his/her biometric data.
Adding a parameter data is a very interesting feature since, for a given class, it is possible to produce a plurality of biometric pseudonyms by changing the parameter data. A biometric pseudonym can consequently be revoked (for instance when it is compromised) and replaced by another one, through a new enrolment with a new parameter data. When a pseudonym is compromised, the user can continue to benefit from the convenience of its biological entity for authentication purposes.
Figure 7 states a new identification algorithm. The process is iterative, being performed successively with each zone of each enrolled class stored during the enrolment procedure described hereunder.
While not necessarily all zones are stored during the enrolment, all possible valid zones of the ongoing biometric template are determined at step 60 and tested during the identification. In another embodiment, only the ongoing zones that are at the same position or in the neighborhood of at least one of the enrolled zones of one class are determined.
An enrolled class is selected at step 62 (which enrolled class is selected being unimportant since all enrolled classes will be iteratively processed until a match is found) and will be called the current enrolled class.
A zone of the current enrolled class is selected at step 64 among the set of selected zones (which zone is selected is unimportant since all zones in the set of selected zones of the current enrolled class will be iteratively processed). This zone will be called the current enrolled zone.
At step 68, all ongoing valid zones determined at step 60 are processed according to the following steps:
- subtracting the difference vector of the current enrolled zone of the current enrolled class from each ongoing valid zone, to produce a set of translated ongoing zones,
- projecting each translated ongoing zone on the same error-correcting code as used during enrolment, to produce a set of projected ongoing zones, and
- transforming each projected ongoing zone by using the same mathematical one-way transformation as used during enrolment, to produce a set of transformed ongoing zones.
Subtracting the difference vector of the current enrolled zone of the current enrolled class from each ongoing valid zone ensures that an ongoing valid zone is projected on the same codeword as its closest enrolled template zone. If this operation were omitted, the ongoing valid zone would be projected directly on its closest codeword. It would then be possible for an ongoing valid zone and a very close enrolled zone not to be projected onto the same codeword, which is not what is desired.
When the ongoing valid zone contains some invalid data (it is recalled that a valid zone can contain a small amount of invalid data), the subtraction is performed only on the valid data, the invalid data being reported as is in the translated ongoing zone.
As for the enrolment procedure, an additional step can advantageously be implemented, consisting in combining a parameter data with each projected ongoing zone, to produce a set of combined ongoing zones. The parameter data can also be either user-dependent, application-dependent or both, and the combination algorithm shall be the same as for the enrolment procedure. Each combined ongoing zone is then transformed by a one-way transformation, to produce a set of transformed ongoing zones. It has to be mentioned that combining a parameter data during the identification makes sense if and only if a parameter data was combined during the enrolment procedure. Moreover, when a parameter data was combined during the enrolment, the same parameter data shall be combined during the identification procedure.
Step 70 is a matching process and searches if one of the transformed ongoing zones matches the current enrolled zone.
In a first embodiment of the matching process 70, an ongoing zone is considered to match the current enrolled zone when both zones have the same shape, the same dimensions (for example same height h and same width w for a rectangle shape, same diameter for a disc), the same position and the same transformed data. In a second embodiment of the matching process 70, an ongoing zone is considered to match the current enrolled zone when they have the same shape, the same dimensions, the same transformed data and a close position (the coordinate x of the ongoing zone and the coordinate x of the current enrolled zone do not differ by more than a given positive number, and the coordinate y of the ongoing zone and the coordinate y of the current enrolled zone do not differ by more than a given positive number). This feature takes into account, for example, that the user can slightly tilt his head during iris image acquisition, which slightly shifts the mapping of the iris in the template between enrolment and identification.
It is mentioned that, when a parameter data is combined during enrolment and identification, two transformed zones can match, in a practical sense, only if the same parameter data was given during enrolment and identification. Otherwise, transformed zones have no reason to match, even for the same class.
For each enrolled class, a per-class matching counter is implemented. Each time an ongoing zone matches one of the zones of the current enrolled class, the counter corresponding to the current enrolled class is incremented at step 72. The increment value may be one, if only equality is tested, or depend on the distance between each ongoing zone and the corresponding enrolled zone.
The steps 64, 68, 70 and 72 are repeated until all the zones of the current enrolled class are processed, or until the value of the matching counter reaches a threshold sufficient for determining a match with some probability.
The steps 62, 64, 68, 70 and 72 are repeated until all the enrolled classes are processed (i.e., until all reference templates in the enrolment database have been tested), or until a satisfying match has been found.
At step 78, it is verified if the ongoing biometric data matches one enrolled biometric data based on the value of the matching counter. Alternatively, the closest matching class is found from the per-class matching counters whose value is the highest among all per-class matching counters. At step 80, the identification privilege is granted if the per-class matching counter whose value is the highest is above a threshold, which can be application dependent just as with traditional biometric systems.
In another embodiment, the search for the closest matching class can be replaced by the search for the first per-class matching counter whose value is above a threshold; this avoids repeating the process for the remaining enrolled classes.
Tests have been performed to empirically determine parameters that give good results. These parameters are given hereafter as non-limiting examples.
A good trade-off between efficiency and practicability is obtained by selecting rectangular zones. Good results are obtained by using fixed-area rectangular zones, but whose dimensions can vary. A good trade-off is obtained with small zones having a 256-data area (256 pixels).
- The number of per-user enrolled zones was set to 300.
- A threshold for matching decision (which is the ratio between the closest user matching number and the number of zones of the closest user template) between 0.7 and 0.8 was used. This threshold may be adapted, depending on the application, to get a good trade-off between convenience and security.
- Considering that zones can slightly shift between enrolment and identification, zones were checked for matching at positions differing by up to 2 in x and y.
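The enrolment and identification steps described above, for a small set of zones, as an added Python example that is not part of the patent text. It assumes that zones are 256-bit binary vectors, that the difference vector is a bitwise XOR, and that the parameter data is combined by prefixing it to the codeword before SHA-256; all function names are illustrative and the sample zones are constructed.

```python
import hashlib
import random

N = 256  # RM(1,8) codeword length in bits

def rm_encode(a0, a):
    """Codeword of RM(1,8): bit i = a0 XOR <a, i> over GF(2)."""
    return [a0 ^ (bin(a & i).count("1") & 1) for i in range(N)]

def rm_project(bits):
    """Project 256 bits on the nearest codeword (fast Walsh-Hadamard transform)."""
    f = [1 - 2 * b for b in bits]                # 0 -> +1, 1 -> -1
    h = 1
    while h < N:
        for i in range(0, N, 2 * h):
            for j in range(i, i + h):
                f[j], f[j + h] = f[j] + f[j + h], f[j] - f[j + h]
        h *= 2
    a = max(range(N), key=lambda k: abs(f[k]))   # strongest correlation
    return rm_encode(0 if f[a] > 0 else 1, a)

def xor(u, v):
    return [x ^ y for x, y in zip(u, v)]

def transform(codeword, param):
    """One-way transformation; 'param || codeword' is an assumed combination."""
    return hashlib.sha256(param + bytes(codeword)).hexdigest()

def enrol(zones, param):
    """zones: list of ((x, y), bits). Returns the stored records (the pseudonym)."""
    records = []
    for pos, bits in zones:
        projected = rm_project(bits)
        records.append({"pos": pos, "diff": xor(bits, projected),
                        "hash": transform(projected, param)})
    return records

def match_ratio(records, ongoing, param, tol=2):
    """Fraction of enrolled zones matched by some ongoing zone within tol."""
    counter = 0
    for rec in records:
        for (x, y), bits in ongoing:
            if abs(x - rec["pos"][0]) > tol or abs(y - rec["pos"][1]) > tol:
                continue
            translated = xor(bits, rec["diff"])  # subtract the difference vector
            if transform(rm_project(translated), param) == rec["hash"]:
                counter += 1
                break
    return counter / len(records)

def demo(seed=1):
    """Constructed data: 16 random zones, a noisy genuine capture, an impostor."""
    rng = random.Random(seed)
    zones = [((16 * k, 0), [rng.getrandbits(1) for _ in range(N)]) for k in range(16)]
    genuine = []
    for (x, y), bits in zones:
        noisy = bits[:]
        for i in rng.sample(range(N), 40):       # 40 bit errors, below the 63 limit
            noisy[i] ^= 1
        genuine.append(((x + 1, y), noisy))      # shifted by one position
    impostor = [(pos, [rng.getrandbits(1) for _ in range(N)]) for pos, _ in zones]
    pseudonym = enrol(zones, b"param-A")
    return (match_ratio(pseudonym, genuine, b"param-A"),    # same class
            match_ratio(pseudonym, impostor, b"param-A"),   # other class
            match_ratio(pseudonym, genuine, b"param-B"))    # revoked parameter
```

The first ratio is compared against the 0.7 to 0.8 decision threshold; the third shows that a pseudonym enrolled under one parameter data no longer matches once the parameter is changed.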
The preceding description is based on iris biometrics. It will be evident to apply the present invention to other biometric techniques producing fixed-size templates or to other biometric techniques by transforming templates into fixed-sized templates. Moreover, the preceding description is based on an identification scenario involving one-to-many comparisons. It is of course applicable, with few modifications that can be easily performed by someone skilled in the art, to implement a verification scenario involving one-to-one comparison.
Using a different error-correcting code or hashing function is also an option.
In the preceding description, the identification algorithm is described as sequential operations. One skilled in the art will encounter no particular difficulty to parallelize the operations in order to improve the processing time.

Claims

1. A biometric authentication method for verifying a match between an ongoing biometric data and an enrolled biometric data, comprising the following steps:
- selecting a set of enrolled zones (130) of said enrolled biometric data (50), each selected enrolled zone having more than one pixel, said set comprising at least 16 zones;
- for each of a plurality of said selected enrolled zone, incrementing (72) a matching counter depending on a match between said selected enrolled zone with a corresponding ongoing zone of said ongoing biometric data;
- verifying (76, 78) if the ongoing biometric data matches the enrolled biometric data based on the value of said matching counter.
2. The method of claim 1, further comprising the following steps:
- determining the validity of each said selected enrolled zone (130);
- ignoring enrolled zones (130c) which are not valid.
3. The method of one of the claims 1 or 2, further comprising the following steps:
- determining the validity of each said ongoing zone (130);
- ignoring ongoing zones (130c) which are not valid.
4. The method of one of the claims 2 or 3, wherein a zone (130a, 130b, 130d, 130e) is considered valid if the number of valid pixels in said zone is higher than a determined threshold.
5. The method of one of the claims 1 to 4, wherein an ongoing zone matches the current enrolled zone when:
- an ongoing zone and the current enrolled zone are equal,
- the shapes of the zones are equal,
- the dimensions of the zones are equal, and
- the positions of the zones are not different from more than a given number >1.
6. The method of one of the claims 1 to 5, wherein said enrolled zone is projected (68) into a projected enrolled zone using an error-correcting code; wherein said ongoing zone is projected into a projected ongoing zone using an error-correcting code or a homomorphic function; and wherein the incrementation of said matching counter depends on the match between said ongoing and enrolled projected zones.
7. The method of claim 6, wherein said projected enrolled zone is transformed (68) into a transformed enrolled zone using a one-way function; wherein said projected ongoing zone is transformed into a transformed ongoing zone using a one-way function; and wherein the incrementation of said matching counter depends on the match between said ongoing and enrolled transformed zones.
8. The method of claim 7, wherein a parameter data is combined with each projected enrolled and ongoing zone before the transformation of said zone with a one-way function.
9. The method of one of the claims 1 to 8, wherein the amount by which said matching counter is incremented can take more than two different values and depends on the similarity between said ongoing and enrolled zone.
10. The method of one of the claims 1 to 9, wherein the selected zones (130) in said set are selected randomly.
11. The method of one of the claims 1 to 9, wherein the selected zones in said set are selected so as to reduce the number of invalid zones.
12. The method of one of the claims 1 to 11, wherein the selected zones in said set are selected so as to favour more discriminating regions.
13. The method of one of the claims 1 to 12, wherein the dimensions of all selected zones are identical.
14. The method of one of the claims 1 to 13, further comprising the steps of storing, in a non-volatile memory, for each enrolled zone:
- the difference vector between the selected template zone and the projected template zone;
- the transformed zone; and
- the position of the selected template zone.
15. The method according to claim 14 comprising furthermore the following steps:
- subtracting the difference vector of the current enrolled zone to each ongoing valid zone, to produce a set of translated ongoing zones;
- projecting each translated ongoing zone on an error-correcting code, to produce a set of projected ongoing zones;
- transforming each projected ongoing zone by using a mathematical one-way transformation, to produce a set of transformed ongoing zones;
- implementing a searching process, to search if a transformed ongoing zone matches the current enrolled zone.
16. A carrier medium, comprising program instructions executable on a data processing system for performing the method of one of the claims 1 to 15.
EP09749134A 2008-11-13 2009-11-12 Biometric authentication method Withdrawn EP2344979A1 (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
EP09749134A EP2344979A1 (en) 2008-11-13 2009-11-12 Biometric authentication method

Applications Claiming Priority (3)

Application Number Priority Date Filing Date Title
EP08169061A EP2187338A1 (en) 2008-11-13 2008-11-13 Biometric pseudonyms of a fixed-sized template
PCT/EP2009/065071 WO2010055104A1 (en) 2008-11-13 2009-11-12 Biometric authentication method
EP09749134A EP2344979A1 (en) 2008-11-13 2009-11-12 Biometric authentication method

Publications (1)

Publication Number Publication Date
EP2344979A1 (en) 2011-07-20

Family

ID=40756549

Family Applications (2)

Application Number Title Priority Date Filing Date
EP08169061A Withdrawn EP2187338A1 (en) 2008-11-13 2008-11-13 Biometric pseudonyms of a fixed-sized template
EP09749134A Withdrawn EP2344979A1 (en) 2008-11-13 2009-11-12 Biometric authentication method

Family Applications Before (1)

Application Number Title Priority Date Filing Date
EP08169061A Withdrawn EP2187338A1 (en) 2008-11-13 2008-11-13 Biometric pseudonyms of a fixed-sized template

Country Status (2)

Country Link
EP (2) EP2187338A1 (en)
WO (1) WO2010055104A1 (en)

Families Citing this family (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US9165130B2 (en) 2012-11-21 2015-10-20 Ca, Inc. Mapping biometrics to a unique key
US11201745B2 (en) 2019-01-10 2021-12-14 International Business Machines Corporation Method and system for privacy preserving biometric authentication
CN113987309B (en) * 2021-12-29 2022-03-11 深圳红途科技有限公司 Personal privacy data identification method and device, computer equipment and storage medium

Family Cites Families (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US5291560A (en) 1991-07-15 1994-03-01 Iri Scan Incorporated Biometric personal identification system based on iris analysis
US20040193893A1 (en) 2001-05-18 2004-09-30 Michael Braithwaite Application-specific biometric templates
CA2584121C (en) * 2004-10-15 2014-08-19 The Regents Of The University Of Colorado, A Body Corporate Revocable biometrics with robust distance metrics
US7751598B2 (en) * 2005-08-25 2010-07-06 Sarnoff Corporation Methods and systems for biometric identification

Non-Patent Citations (3)

* Cited by examiner, † Cited by third party
Title
"D3.16: Biometrics: PET or PIT?", 20 August 2009 (2009-08-20), XP055052860, Retrieved from the Internet <URL:http://www.fidis.net/fileadmin/fidis/deliverables/new_deliverables2/fidis-WP3-del3.16-biometrics-PET-or-PIT.PDF> [retrieved on 20130208] *
FLORENT WENGER: "BioCrypt Project, light version", 1 August 2008 (2008-08-01), XP055053237, Retrieved from the Internet <URL:https://pdb.bfh.ch/pdbwebinterface/download.aspx?imgId=1eae31eb-3b59-466c-824c-69f5baab5955> [retrieved on 20130213] *
See also references of WO2010055104A1 *

Also Published As

Publication number Publication date
WO2010055104A1 (en) 2010-05-20
EP2187338A1 (en) 2010-05-19

Similar Documents

Publication Publication Date Title
Lai et al. Cancellable iris template generation based on indexing-first-one hashing
Tulyakov et al. Symmetric hash functions for secure fingerprint biometric systems
Rathgeb et al. A survey on biometric cryptosystems and cancelable biometrics
Uludag et al. Securing fingerprint template: Fuzzy vault with helper data
Dwivedi et al. A privacy-preserving cancelable iris template generation scheme using decimal encoding and look-up table mapping
Li et al. A new biocryptosystem-oriented security analysis framework and implementation of multibiometric cryptosystems based on decision level fusion
EP3918751B1 (en) System and method for producing a unique stable biometric code for a biometric hash
KR101527711B1 (en) Defining classification thresholds in template protection systems
Benhammadi et al. Password hardened fuzzy vault for fingerprint authentication system
US20230246839A1 (en) System and method for complex confirmation of biometric information without stored biometric data
Asaker et al. A novel cancellable Iris template generation based on salting approach
Wilber et al. Secure remote matching with privacy: Scrambled support vector vaulted verification (s 2 v 3)
Dash et al. Efficient private key generation from iris data for privacy and security applications
Cimato et al. A multi-biometric verification system for the privacy protection of iris templates
Ziauddin et al. Robust iris verification for key management
US8122260B2 (en) Shaping classification boundaries in template protection systems
EP2344979A1 (en) Biometric authentication method
Baghel et al. Adaptation of pair-polar structures to compute a secure and alignment-free fingerprint template
Kumar et al. Iris template protection using discrete logarithm
Xi et al. FE-SViT: A SViT-based fuzzy extractor framework
Champaneria et al. A cancelable biometric authentication scheme based on geometric transformation
Reddy et al. Authentication using fuzzy vault based on iris textures
Al-Assam et al. Multi-factor challenge/response approach for remote biometric authentication
Wickramaarachchi et al. An effective iris biometric privacy protection scheme with renewability
Jegede et al. Face recognition and template protection with shielding function

Legal Events

Date Code Title Description
PUAI Public reference made under article 153(3) epc to a published international application that has entered the european phase

Free format text: ORIGINAL CODE: 0009012

17P Request for examination filed

Effective date: 20110510

AK Designated contracting states

Kind code of ref document: A1

Designated state(s): AT BE BG CH CY CZ DE DK EE ES FI FR GB GR HR HU IE IS IT LI LT LU LV MC MK MT NL NO PL PT RO SE SI SK SM TR

AX Request for extension of the european patent

Extension state: AL BA RS

DAX Request for extension of the european patent (deleted)
17Q First examination report despatched

Effective date: 20130222

STAA Information on the status of an ep patent application or granted ep patent

Free format text: STATUS: THE APPLICATION IS DEEMED TO BE WITHDRAWN

18D Application deemed to be withdrawn

Effective date: 20130601