A survey on biometric cryptosystems and cancelable biometrics

A. Performance measurement

When measuring the performance of biometric systems widely used factors include False Rejection Rate (FRR), False Acceptance Rate (FAR), and Equal Error Rate (EER) [1, 27] (defined in ISO/IEC FDIS 19795-1). As score distributions overlap, FRR and FAR intersect at a certain point, defining the EER of the system (in general, decreasing the FRR increases the FAR and vice versa).

These performance metrics are directly transferred to key-release schemes. In the context of BCSs the meaning of these metrics change since threshold-based "fuzzy comparison" is eliminated. Within BCSs acceptance requires the generation or retrieval of hundred percent correct keys, while conventional biometric systems response with "Yes" or "No". The fundamental difference between performance measurement in biometric systems and BCSs is illustrated in Figure 3. The FRR of a BCS defines the rate of incorrect keys untruly generated by the system, that is, the percentage of incorrect keys returned to genuine users (correct keys are user-specific and associated with according helper data). By analogy, the FAR defines the rate of correct keys untruly generated by the system, that is, the percentage of correct keys returned to non-genuine users. A false accept corresponds to the an untrue generation or retrieval of keys associated with distinct helper data at enrollment.

Compared to biometric systems, BCSs generally reveal a noticeable decrease in recognition performance [8]. This is because within BCS in most cases the enrolled template is not seen and, therefore, cannot be aligned properly at comparison. In addition, the majority of BCSs introduce a higher degree of quantization at feature extraction, compared to conventional biometric systems, which are capable of setting more precise thresholds to adjust recognition rates.

B. Approaches to biometric key-binding

1) Mytec1 and Mytec2 (Biometric Encryption™)

The first sophisticated approach to biometric key-binding based on fingerprints was proposed by Soutar et al. [28–30]. The presented system was called Mytec2, a successor of Mytec1 [20], which was the first BCS but turned out to be impractical in terms of accuracy and security. Mytec1 and Mytec2 were originally called Biometric Encryption™, the trademark was abandoned in 2005. The basis of the Mytec2 (and Mytec1) algorithm is the mechanism of correlation.

Operation mode (see Figure 4): at enrollment a filter function, H(u), is derived from f₀(x), which is a two-dimensional image array (0 indicates the first measurement). Subsequently, a correlation function c(x) between f₀(x) and any other biometric input f₁(x) obtained during verification is defined by $c\left(x\right)=F{T}^{-1}\left\{F_1\left(u\right)F_0^{*}\left(u\right)\right\}$, which is the inverse Fourier transform of the product of the Fourier transform of a biometric input, denoted by F₁(u), and $F_0^{*}\left(u\right)$, where $F_0^{*}\left(u\right)$ is represented by H(u). The output c(x) is an array of scalar values describing the degree of similarity. To provide distortion tolerance, the filter function is calculated using a set of T training images $\left\{f_0^1\left(x\right),f_0^2\left(x\right),\dots ,f_0^T\left(x\right)\right\}$. The output pattern of $f_0^t\left(x\right)$ is denoted by $c_0^t\left(x\right)$ with its Fourier transform $F_0^t\left(u\right)H\left(u\right)$. The complex conjugate of the phase component of H(u), e ^iϕ (H(u)), is multiplied with a random phase-only array of the same size to create a secure filter, H _stored (u), which is stored as part of the template while the magnitude of H(u) is discarded. The output pattern c₀(x) is then linked with an N-bit cryptographic key k₀ using a linking algorithm: if the n-th bit of k₀ is 0 then L locations of the selected part of c₀(x) which are 0 are chosen and the indices of the locations are written into the n-th column of a look-up table which is stored as part of the template, termed BioScrypt. During linking, redundancy is added by applying a repetitive code. Standard hashing algorithms are used to compute a hash of k₀, termed id₀ which is stored as part of the template, too. During authentication a set of biometric images is combined with H _stored (u) to produce an output pattern c₁(x). With the use of the look-up table an appropriate retrieval algorithm calculates an N-bit key k₁ extracting the constituent bits of the binarized output pattern. Finally, a hash id₁ is calculated and tested against id₀ to check the validity of k₁.

The algorithm was summarized in a patent [31], which includes explanations of how to apply the algorithm to other biometric characteristics such as iris. In all the publications, performance measurements are omitted.

2) Fuzzy commitment scheme

In 1999 Juels and Wattenberg [15] combined techniques from the area of error correcting codes and cryptography to achieve a type of cryptographic primitive referred to as fuzzy commitment scheme.

Operation mode (see Figure 5): A fuzzy commitment scheme consists of a function F, used to commit a codeword c ∈ C and a witness x ∈ {0, 1} ⁿ . The set C is a set of error correcting codewords c of length n and x represents a bitstream of length n, termed witness (biometric data). The difference vector of c and x, δ ∈ {0, 1} ⁿ , where x = c + δ, and a hash value h(c) are stored as the commitment termed F(c, x) (helper data). Each x', which is sufficiently "close" to x, according to an appropriate metric, should be able to reconstruct c using the difference vector δ to translate x' in the direction of x. A hash of the result is tested against h(c). With respect to biometric key-binding the system acquires a witness x at enrollment, selects a codeword c ∈ C, calculates and stores the commitment F(c, x) (δ and h(c)). At the time of authentication, a witness x' is acquired and the system checks whether x' yields a successful decommitment.

Proposed schemes (see Table 1): The fuzzy commitment scheme was applied to iris-codes by Hao et al. [32]. In their scheme, 2048-bit iris-codes are applied to bind and retrieve 140-bit cryptographic keys prepared with Hadamard and Reed-Solomon error correction codes. Hadamard codes are applied to eliminate bit errors originating from the natural biometric variance and Reed-Solomon codes are applied to correct burst errors resulting from distortions. The system was tested with 700 iris images of 70 probands obtaining rather impressive results which were not achieved until then. In order to provide an error correction decoding in an iris-based fuzzy commitment scheme, which gets close to a theoretical bound, two-dimensional iterative min-sum decoding is introduced by Bringer et al. [33, 34]. Within this approach a matrix is created where lines as well as columns are formed by two different binary Reed-Muller codes. Thereby a more efficient decoding is available. The proposed scheme was adapted to the standard iris recognition algorithm of Daugman to bind and retrieve 40-bit keys. Due to the fact that this scheme was tested on non-ideal iris images a more significant performance evaluation is provided. Rathgeb and Uhl [35] provide a systematic approach to the construction of iris-based fuzzy commitment schemes. After analyzing error distributions between iris-codes of different iris recognition algorithms, Reed-Solomon and Hardamard codes are applied (similar to [32]). In other further work [36] the authors apply context-based reliable component selection in order to extract keys from iris-codes which are then bound to Hadamard codewords. Different techniques to improve the performance of iris-based fuzzy commitment schemes have been proposed [37–39]. Binary iris-codes are suitable to be applied in a fuzzy commitment scheme, in addition, template alignment is still feasible since it only involves a one-dimensional circular shift of a given iris-code. Besides iris, the fuzzy commitment scheme has been applied to other biometrics as well, which always requires a binarization of extracted feature vectors.

Authors	Char.	FRR/FAR	Remarks
Hao et al. [32]		0.47/0	Ideal images
Bringer et al. [34]	Iris	5.62/0	Short key
Rathgeb and Uhl [39]		4.64/0	-
Teoh and Kim [40]		0.9/0	User-specific tokens
Tong et al. [44]	Fingerprint	78/0.1	-
Nandakumar [45]		12.6/0	-
Van der Veen et al. [46]		3.5/0	>1 enroll. sam.
Ao and Li [43]	Face	7.99/0.11	-
Lu et al. [47]		~30/0	Short key
Maiorana and Ercole [48]	Online Sig.	13.07/4	>1 enroll. sam.

Teoh and Kim [40] applied a randomized dynamic quantization transformation to binarize fingerprint features extracted from a multichannel Gabor filter. Feature vectors of 375 bits are extracted and Reed-Solomon codes are applied to construct the fuzzy commitment scheme. The transformation comprises a non-invertible projection based on a random matrix derived from a user-specific token. It is required that this token is stored on a secure device. Similar schemes based on the feature extraction of BioHashing [41] (discussed later) have been presented in [42, 43]. Tong et al. [44] proposed a fuzzy extractor scheme based on a stable and order invariant representation of biometric data called Fingercode reporting inapplicable performance rates. Nandakumar [45] applies a binary fixed-length minutiae representation obtained by quantizing the Fourier phase spectrum of a minutia set in a fuzzy commitment scheme, where alignment is achieved through focal point of high curvature regions. In [46] a fuzzy commitment scheme based on face biometrics is presented in which real-valued face features are binarized by simple thresholding followed by a reliable bit selection to detect most discriminative features. Lu et al. [47] binarized principal component analysis (PCA) based face features which they apply in a fuzzy commitment scheme.

A method based on user adaptive error correction codes was proposed by Maiorana et al. [48] where the error correction information is adaptively selected based on the intra-variability of a user's biometric data. Applying online signatures this seems to be the first approach of using behavioral biometrics in a fuzzy commitment scheme. In [49] another fuzzy commitment scheme based on online signatures is presented.

While in classic fuzzy commitment schemes [15, 32] biometric variance is eliminated applying error correction codes, Zheng et al. [50] employ error tolerant lattice functions. In experiments a FRR of ~ 3.3% and a FAR of ~ 0.6% are reported. Besides the formalism of fuzzy extractors and secure sketches, Dodis et al. [13] introduce the so-called syndrome construction. Here an error correction code syndrome is stored as part of the template and applied during authentication in order to reconstruct the original biometric input.

3) Shielding functions

Tuyls et al. [51] introduced a concept which is referred to as shielding functions.

Operation mode (see Figure 6): It is assumed that at enrollment a noise-free real-valued biometric feature vector X of fixed length is available. This feature vector is used together with a secret S (the key) to generate the helper data W applying an inverse δ-contracting function G ^{- 1}, such that G(W, X) = S. Like in the fuzzy commitment scheme [15], additionally, a hash F(S) = V of the secret S is stored. The core of the scheme is the δ-contracting function G which calculates a residual for each feature, which is the distance to the center of the nearest even-odd or odd-even interval, depending on whether the corresponding bit of S is 0 or 1. W can be seen as correction vector which comprises all residuals. At authentication another biometric feature vector Y is obtained and G(W, Y) is calculated. In case ||X - Y|| ≤ δ, G(W, Y) = S' = S = G(W, X). In other words, noisy features are added to the stored residuals and the resulting vector is decoded. An additional application of error correction is optional. Finally, the hash value F(S') of the reconstructed secret S' is tested against the previously stored one (V) yielding successful authentication or rejection. In further work [52] the authors extract reliable components from fingerprints reporting a FRR of 0.054% and a FAR of 0.032%.

Buhan et al. [53] extend the ideas of the shielding functions approach by introducing a feature mapping based on hexagonal zones instead of square zones. No results in terms of FRR and FAR are given. Li et al. [54] suggest to apply fingerprint in a key-binding scheme based on shielding functions.

4) Fuzzy vault

One of the most popular BCSs called fuzzy vault was introduced by Juels and Sudan [16] in 2002.

Operation mode (see Figure 7): The key idea of the fuzzy vault scheme is to use an unordered set A to lock a secret key k, yielding a vault, denoted by V _A . If another set B overlaps largely with A, k is reconstructed, i.e., the vault V _A is unlocked. The vault is created applying polynomial encoding and error correction. During the enrollment phase a polynom p is selected which encodes the key k in some way (e.g., the coefficients of p are formed by k), denoted by p ← k. Subsequently, the elements of A are projected onto the polynom p, i.e., p(A) is calculated. Additionally, chaff points are added in order to obscure genuine points of the polynom. The set of all points, R, forms the template. To achieve successful authentication another set B needs to overlap with A to a certain extent in order to locate a sufficient amount of points in R that lie on p. Applying error correction codes, p can be reconstructed and, thus, k. The security of the whole scheme lies within the infeasibility of the polynomial reconstruction and the number of applied chaff points. The main advantage of this concept is the feature of order invariance, i.e., fuzzy vaults are able to cope with unordered feature set which is the case for several biometric characteristics (e.g., fingerprints [27]).

Proposed schemes (see Table 2): Clancy et al. [55] proposed the first practical and most apparent implementation of the fuzzy vault scheme by locking minutiae points in a "fingerprint vault". A set of minutiae points, A, are mapped onto a polynom p and chaff points are randomly added to construct the vault. During authentication, Reed-Solomon codes are applied to reconstruct the polynom p out of which a 128-bit key is recreated. An pre-alignment of fingerprints is assumed which is rarely the case in practice (feature alignment represents a fundamental step in conventional fingerprint recognition systems). To overcome the assumption of pre-alignment, Nandakumar et al. [56] suggest to utilize high curvature points derived from the orientation field of a fingerprint as helper data to assist the process of alignment. In their fingerprint fuzzy vault, 128-bit keys are bound and retrieved. Uludag et al. [8, 57, 58] propose a line-based minutiae representation which the authors evaluate on a test set of 450 fingerprint pairs. Several other approaches have been proposed to improve the alignment within fingerprint-based fuzzy vaults [59–61]. Rotation and translation invariant minutiae representations have been suggested in [62].

Authors	Char.	FRR/FAR	Remarks
Clancy et al. [55]		20-30/0	Pre-alignment
Nandakumar et al. [56]		4/0.04	-
Uludag et al. [57]	Fingerprint	27/0	-
Li et al. [61]		~7/0	Alignment-free
Nagar et al. [17]		5/0.01	Hybrid BCS
Lee et al. [67]		0.775/0	-
Wu et al. [68]	Iris	5.55/0	-
Reddy and Babu et al. [72]		9.8/0	Hardend vault
Wu et al. [70]		0.93/0	-
	Palmprint
Kumar and Kumar [73]		~1/0.3	-
Wu et al. [71]	Face	8.5/0	-
Kholmatov and Yanikoglu [75]	Online Sig.	8.33/2.5	10 subjects

Numerous enhancements to the original concept of the fuzzy vault have been introduced. Moon et al. [63] suggest to use an adaptive degree of the polynomial. Nagar and Chaudhury [64] arrange encoded keys and biometric data of fingerprints in the same order into separate grids, which form the vault. Chaff values are inserted into these grids in appropriate range to hide information.

In other work, Nagar et al. [17, 65] introduce the idea of enhancing the security and accuracy of a fingerprint-based fuzzy vault by exploiting orientation information of minutiae points. Dodis et al. [13] suggest to use a high-degree polynomial instead of chaff points in order to create an improved fuzzy vault. Additionally, the authors propose another syndrome-based key-generating scheme which they refer to as PinSketch. This scheme is based on polynomial interpolation like the fuzzy vault but requires less storage space. Arakala [66] provides an implementation of the PinSketch scheme based on fingerprints.

Apart from fingerprints, other biometric characteristics have been applied in fuzzy vault schemes. Lee et al. [67] proposed a fuzzy vault for iris biometrics. Since iris features are usually aligned, an unordered set of features is obtained through independent component analysis. Wu et al. [68, 69] proposed a fuzzy vault based on iris as well. After image acquisition and preprocessing, iris texture is divided into 64 blocks where for each block the mean gray scale value is calculated resulting in 256 features which are normalized to integers to reduce noise. At the same time, a Reed-Solomon code is generated and, subsequently, the feature vector is translated to a cipher key using a hash function. In further work, Wu et al. [70] propose a system based on palmprints in which 362 bit cryptographic keys are bound and retrieved. A similar approach based on face biometrics is presented in [71]. PCA features are quantized to obtain a 128-bit feature vector from which 64 distinguishable bits are indexed in a look-up table while variance is overcome by Reed-Solomon codes. Reddy and Babu [72] enhance the security of a classic fuzzy vault scheme based on iris by adding a password with which the vault as well as the secret key is hardened. In case passwords are compromised the systems security decreases to that of a standard one, thus, according results were achieved under unrealistic preconditions. Kumar and Kumar [73, 74] present a fuzzy vault based on palmprints by employing real-valued DCT coefficients of palmprint images binding and retrieving 307 bit keys. Kholmatov and Yanikoglu [75] propose a fuzzy vault for online signatures.

C. Approaches to biometric key-generation

The prior idea of generating keys directly out of biometric templates was presented in a patent by Bodo [76]. An implementation of this scheme does not exist and it is expected that most biometric characteristics do not provide enough information to reliably extract a sufficiently long and updatable key without the use of any helper data.

1) Private template scheme

The private template scheme, based on iris, was proposed by Davida et al. [77, 78] in which the biometric template itself (or a hash value of it) serves as a secret key. The storage of helper data which are error correction check bits are required to correct faulty bits of given iris-codes.

Operation mode (see Figure 8): In the enrollment process M, 2048-bit iris-codes are generated which are put through a majority decoder to reduce the Hamming distance between them. The majority decoder computes the vector V ec(V) = (V₁, V₂, ..., V _n ) for a n-bit code vector, denoted by V ec(v _i ) = (v _{i ,1,}v _{i ,2}, ..., v _i ,_n), where V _j = majority(v_{1, j}, v_{2, j}, ..., v _M ,_j) is the majority of 0's and 1's at each bit position j of M vectors. A majority decoded iris-code T, denoted by V ec(T), is concatenated with check digits V ec(C), to generate V ec(T)||V ec(C). The check digits V ec(C) are part of an error correction code. Subsequently, a hash value Hash (Name, Attr, V ec(T)||V ec(C)) is generated, where Name is the user's name, Attr are public attributes of the user and Hash(·) is a hash function. Finally, an authorization officer signs this hash resulting in Sig(Hash(Name, Attr, V ec(T)||V ec(C))). During authentication, several iris-codes are captured and majority decoded resulting in V ec(T'). With the according helper data, V ec(C), the corrected template V ec(T") is reconstructed. Hash(Name, Attr, V ec(T")||V ec(C)) is calculated and compared against Sig(Hash(Name, Attr, V ec(T")||V ec(C))). Experimental results are omitted and it is commonly expected that the proposed system reveals poor performance due to the fact that the authors restrict to the assumption that only 10% of bits of an iris-code change among different iris images of a single subject. In general, average intra-class distances of iris-codes lie within 20-30%. Implementations of the proposed majority decoding technique (e.g., in [79]) were not found to decrease intra-class distances to that extent.

2) Quantization schemes

Within this group of schemes, helper data are constructed in a way that is assists in a quantization of biometric features in order to obtain stable keys.

Operation mode (see Figure 9): In general quantization schemes, which have been applied to physiological as well as behavioral biometric characteristics, process feature vectors out of several enrollment samples and derive appropriate intervals for each feature element (real-valued feature vectors are required). These intervals are encoded and stored as helper data. At the time of authentication, again, biometric characteristics of a subject are measured and mapped into the previously defined intervals, generating a hash or key. In order to provide updateable keys or hashes, most schemes provide a parameterized encoding of intervals. Quantization schemes are highly related to shielding functions [51] since both techniques perform quantization of biometric features by constructing appropriate feature intervals. In contrast to the shielding functions, generic quantization schemes define intervals for each single biometric feature based on its variance. This yields an improved adjustment of the stored helper data to the nature of the applied biometrics.

Proposed schemes (see Table 3): Feng and Wah [21] proposed a quantization scheme applied to online signatures in order to generate 40-bit hashes. To match signatures, dynamic time warping is applied to x and y-coordinates and shapes of x, y waveforms of a test sample are aligned with the enrollment sample to extract correlation coefficients where low ones indicate a rejection. Subsequently, feature boundaries are defined and encoded with integers. If a biometric sample passed the shape-matching stage, extracted features are fitted into boundaries and a hash is returned out of which a public and a private key are generated. Vielhauer et al. [22, 24] process online signatures to generate signature hashes, too. In their approach an interval matrix is generated for each subject such that hashes are generated by mapping every single feature against the interval matrix. In [80] the authors adopt the proposed feature extraction to an online signature hash generation based on a secure sketch. Authors report a decrease of the FRR but not of the EER. An evaluation of quantization-based key-generation schemes is given in [81]. Sutcu et al. [82] proposed a quantization scheme in which hash values are created out of face biometrics. Li et al. [83] study how to build secure sketches for asymmetric representations based on fingerprint biometrics. Furthermore, the authors propose a theoretical approach to a secure sketch applying two-level quantization to overcome potential pre-image attacks [84]. In [85] the proposed technique is applied to face biometrics. Rathgeb and Uhl [86] extended the scheme of [82] to iris biometrics generating 128-bit keys. In [87] the authors apply a context-based reliable component selection and construct intervals for the most reliable features of each subject.

Authors	Char.	FRR/FAR	Remarks
Feng and Wah [21]		28/1.2
	Online Sig.
Vielhauer et al. [22]		7.05/0
Li et al. [83]	Fingerprint	20/1	>1 enroll. sam.
Sutcu et al. [85]	Face	5.5/0
Rathgeb and Uhl [87]	Iris	4.91/0

D. Further investigations on BCSs

Besides the so far described key concepts of BCSs, other approaches have been proposed. While some represent combinations of basic concepts, others serve different purposes. In addition, multi-BCSs have been suggested.

1) Password hardening

Monrose et al. [19] proposed a technique to improve the security of password-based applications by incorporating biometric information into the password (an existing password is "salted" with biometric data).

Operation mode (see Figure 10): The keystroke dynamics of a user a are combined with a password pwd _a resulting in a hardened password hpwd _a which can be tested for login purposes or used as cryptographic key. ϕ(a, l) denotes a single biometric feature ϕ acquired during the l-th login attempt of user a. To initialize an account, hpwd _a is chosen at random and 2m shares of hpwd _a , denoted by $\left\{S_t^0,S_t^1\right\}$, 1 ≤ t ≤ m, are created by applying Shamir's secret-sharing scheme. For each $b\in {\left\{0,\mathsf{\text{1}}\right\}}^{\frac{a}{m}}$ the shares $\left\{S_t^{b\left(t\right)}\right\}$, 1 ≤ t ≤ m, can be used to reconstruct hpwd _a , where b(i) is the i-th bit of b. These shares are arranged in an instruction table of dimension 2 × m where each element is encrypted with pwd _a . During the l-th login, pwd'_a, a given password to access account a, is used to decrypt these elements (the correctness of pwd' _a is necessary but not sufficient). For each feature ϕ _i , comparing the value of ϕ _i (a, l) to a threshold t _i ∈ ℝ indicates which of the two values should be chosen to reconstruct hpwd _a . Central to this scheme is the notion of distinguishable features: let μ _ai be the mean deviation and σ _ai be the standard deviation of the measurement ϕ _i (a, j₁) . . . ϕ _i (a, j _h ) where j₁, ..., j _h are the last h successful logins of user a. Then, ϕ _i is a distinguishable feature if |μ _ai - t _i | > kσ _ai where k ∈ ℝ⁺. Furthermore, the feature descriptor b _a is defined as b _a (i) = 0 if t _i > μ _ai + kσ _ai , and 1 if t _i < μ _ai - kσ _ai . For other features, b _a is undefined. As distinguishing features ϕ _i develop over time, the login program perturbs the value in the second column of row i if μ _ai < t _i , and vice versa. The reconstruction of hpwd _a succeeds only if distinguishable features remain consistent. Additionally, if a subject's typing patterns change slightly over time, the system will adapt by conducting a constant-size history file, encrypted with hpwd _a , as part of the biometric template. In contrast to most BCSs the initial feature descriptor is created without the use of any helper data.

Proposed schemes: In several publications, Monrose et al. [18, 23, 88] apply their password-hardening scheme to voice biometrics where the representation of the utterance of a data subject is utilized to identify suitable features. A FRR of approximately 6% and a FAR below 20% was reported. In further work [25, 26] the authors analyze and mathematically formalize major requirements of biometric key generators, and a method to generate randomized biometric templates is proposed [89]. Stable features are located during a single registration procedure in which several biometric inputs are measured. Chen and Chandran [90] proposed a key-generation scheme for face biometrics (for 128-bit keys), which operates like a password-hardening scheme [19], using Radon transform and an interactive chaotic bispectral one-way transform. Here, Reed-Solomon codes are used instead of shares. A FRR of 28% and a FAR of 1.22% are reported.

2) BioHashing

A technique applied to face biometrics called "BioHashing" was introduced by Teoh et al. [41, 91–93]. Basically, the BioHashing approach operates as key-binding scheme, however, to generate biometric hashes secret user-specific tokens (unlike public helper data) have to be presented at authentication. Prior to the key-binding step, secret tokens are blended with biometric data to derive a distorted biometric template, thus, BioHashing can be seen as an instance of "Biometric Salting" (see Section 3).

Operation mode (see Figure 11): The original concept of BioHashing is summarized in two stages while the first stage is subdivided in two substages: first the raw image is transformed to an image representation in log-polar frequency domain Γ ∈ ℜ ^M , where M specifies the log-polar spatial frequency dimension by applying a wavelet transform, which makes the output immune to changing facial expressions and small occlusions. Subsequently, a Fourier-Mellin transform is applied to achieve translation, rotation and scale invariance. The generated face feature Γ ∈ ℜ ^M is reduced to a set of single bits $b\in {\left\{0,\mathsf{\text{1}}\right\}}^{l_b}$ of length l _b via a set of uniform distributed secret random numbers r _i ∈ {- 1, 1} which are uniquely associated with a token. These tokenized random numbers, which are created out of a subject's seed, take on a central role in the BioHashing algorithm. First the user's seed is used for generating a set of random vectors {r _i ∈ ℜ ^M |i = 1, ..., l _b }. Then, the Gram-Schmidt process is applied to the set of random vectors resulting in a set of orthonormal vectors $\left\{r_{{\perp }_i}\in {\Re }^M|i=1,...,l_b\right\}$. The dot product of the feature vector and all orthonormal vectors $\left\{⟨\Gamma |r_{{\perp }_i}⟩\in {\Re }^M|i=1,...,l_b\right\}$ is calculated. Finally a l _b -bit FaceHash $b\in {\left\{0,\mathsf{\text{1}}\right\}}^{l_b}$ is calculated, where b _i , the i-th bit of b is 0 if $⟨\Gamma |r_{{\perp }_i}⟩\le \tau$ and 1 otherwise, where τ is a predefined threshold. In the second stage of BioHashing a key k _c is generated out of the BioHash b. This is done by applying Shamir's secret-sharing scheme.

Proposed schemes: Generating FaceHashes, a FRR of 0.93% and a zero FAR are reported. In other approaches the same group adopts BioHashing to several biometric characteristics including fingerprints [94, 95], iris biometrics [96, 97] as well as palmprints [98] and show how to apply generated hashes in generic key-binding schemes [99, 100]. The authors reported zero EERs for several schemes.

Kong et al. [101] presented an implementation of FaceHashing and gave an explanation for the zero EER, reported in the first works on BioHashing. Zero EER were achieved due to the tokenized random numbers, which were assumed to be unique across subjects. In a more recent publication, Teoh et al. [102] address the so-called "stolen-token" issue evaluating a variant of BioHashing, known as multistage random projection (MRP). By applying a multi-state discretization the feature element space is divided into 2 ^N segments by adjusting the user-dependent standard deviation. By using this method, elements of the extracted feature vector can render multiple bits instead of 1 bit in the original BioHash. As a result, the extracted bitstreams exhibit higher entropy and recognition performance is increased even if impostors are in possession of valid tokens. However, zero EERs were not achieved under the stolen-token scenario. Different improvements to the BioHashing algorithm have been suggested [103, 104].

E. Security of biometric cryptosystems

Most BCSs aim at binding or generating keys, long enough to be applied in a generic cryptographic system (e.g., 128-bit keys for AES). To prevent biometric keys from being guessed, these need to exhibit sufficient size and entropy. System performance of BCSs is mostly reported in terms of FRR and FAR, since both metrics and key entropy depend on the tolerance levels allowed at comparison, these three quantities are highly inter-related.

Buhan et al. [53, 125] have shown that there is a direct relation between the maximum length k of cryptographic keys and the error rates of the biometric system. The authors define this relation as k ≤ - log₂(FAR), which has established as one of the most common matrices used to estimate the entropy of biometric keys. This means that an ideal BCS would have to maintain an FAR ≤ 2 ^-k which appears to be a quite rigorous upper bound that may not be achievable in practice. Nevertheless, the authors pointed out the important fact that the recognition rates of a biometric system correlate with the amount of information which can be extracted, retaining maximum entropy. Based on their proposed quantization scheme, [22]. Vielhauer et al. [126] describe the issue of choosing significant features of online signatures and introduce three measures for feature evaluation: intrapersonal feature deviation, interpersonal entropy of hash value components and the correlation between both. By analyzing the discriminativity of chosen features the authors show that the applied feature vector can be reduced by 45% maintaining error rates [127]. This example underlines the fact that BCSs may generate arbitrary long keys while inter-class distances (= Hamming distance between keys) remain low. Ballard et al. [25, 26] propose a new measure to analyze the security of a BCS, termed guessing distance. The guessing distance defines the number of guesses a potential imposter has to perform in order to retrieve either the biometric data or the cryptographic key. Thus, the guessing distance directly relates to intra-class distances of biometric systems and, therefore, provides a more realistic measure of the entropy of biometric keys. Kelkboom et al. [128] analytically obtained a relationship between the maximum key size and a target system performance. A increase of maximum key size is achieved in various scenarios, e.g., when applying several biometric templates at enrollment and authentication or when increasing the desired false rejection rates. In theory-oriented work, Tuyls et al. [129, 130] estimate the capacity and entropy loss for fuzzy commitment schemes and shielding functions, respectively. Similar investigations have been done by Li et al. [131, 132] who provide a systematic approach of how to examine the relative entropy loss of any given scheme, which bounds the number of additional bits that could be extracted if optimal parameters were used. A method for arranging secret points and chaff points in fuzzy vaults such that entropy loss is minimized is presented in [133].

Obviously, key lengths have to be maximized in order to minimize the probability that secret keys are guessed [128]. A second factor which affects the security of biometric cryptosystems is privacy leakage, i.e., the information that the helper data contain (leak) about biometric data [134]. Ideally, privacy leakage should be minimized (for a given key length), to avoid identity fraud. The requirements on key size and privacy leakage define a fundamental trade-off within approaches to BCSs, which is rarely estimated. In [135] this trade-off is studied from in an information-theoretical prospective and achievable key length versus privacy leakage regions are determined. Additionally, stored helper data have to provide unlinkability.

A. The issue of performance evaluation

While in the majority of proposed approaches to CB template alignment is non-trivial and applied transforms are selected to be non-invertible, still some schemes (e.g., in [72, 102]), especially to biometric salting, report an increase in performance. In case user-specific transforms are applied at enrollment and authentication, by definition, two-factor authentication is yielded which may increase the security but does not effect the accuracy of biometric authentication.

A significant increase of recognition rates can be caused by unpractical assumptions during performance evaluations. If user-specific transforms are applied to achieve CB these transforms have to be considered compromised during inter-class comparisons. Otherwise, biometrics becomes meaningless as the system could rely on secret tokens parameters without any risk [101]. Secret tokens, be it transform parameters, random numbers or any kind of passwords are easily compromised and must not be considered secure [1]. Thus, performance evaluations of approaches to CB have to be performed under the so-called "stolen-token scenario" where each impostor is in possession of valid secret tokens (the same applies to BCSs in case secret tokens are applied). Figure 13 illustrates how inter-class distances may change with or without considering the stolen-token scenario. If different tokens are applied for each subject a clear separation of intra-class and inter-class distributions is achieved by adopting a new threshold. In contrast, if secret tokens are considered compromised accuracy decreases. Performance is untruly gained if this scenario is ignored during experiments causing even more vulnerable systems in case of compromise [139].

B. Approaches to non-invertible transforms

1) IBM approaches

Ratha et al. [12] were the first to introduce the concept of CB applying noninvertible transforms.

Operation mode (see Figure 14): Generally, at enrollment, non-invertible transforms are applied to biometric inputs choosing application-dependent parameters. During authentication, biometric inputs are transformed and a comparison of transformed templates is performed.

Several types of transforms for constructing multiple CB from pre-aligned fingerprints and face biometrics have been introduced in [12, 140, 141] including cartesian transform and functional transform. In further work [136], different techniques to create cancelable iris biometrics have been proposed. The authors suggest four different transforms applied in image and feature domain where only small performance drops are reported. Hammerle-Uhl et al. [138] applied classic transformations suggested in [12] to iris biometrics. Furthermore, in [142] it is shown that applying both transforms to rectangular iris images, prior to preprocessing, does not work. Similar to [136] Rathgeb and Uhl [143] suggest to apply row permutations to iris-codes. Maiorana et al. [144–146] apply non-invertible transforms to obtain cancelable templates from online signatures. In their approach, biometric templates, which represent a set of temporal sequences, are split into non-overlapping sequences of signature features according to a random vector which provides revocability. Subsequently, the transformed template is generated through linear convolution of sequences. The complexity of reconstructing the original data from the transformed template is computationally as hard as random guessing.

2) Revocable biotokens

Boult et al. [147, 148] proposed cryptographically secure biotokens which they applied to face and fingerprints. In order to enhance security in biometric systems, biotokens, which they refer to as Biotope™, are adopted to existing recognition schemes (e.g., PCA for face).

Operation mode (see Figure 15): Each measured biometric feature v is transformed via scaling and translation resulting in v' = (v - t) · s. The key idea is to split v' into a stable part g termed integer and an unstable part r. For face biometrics the authors suggest to simply split real feature values into an integer part and a fractional part (e.g., 15.4 is splitted into 15 and 0.4). Since g is considered stable, and a "perfect matching" is claimed to be feasible at authentication, comparisons can be performed in the encrypted domain. A one-way transform of g, denoted by w is stored as first part of the secure biometric template. As second part of the template the unencoded r which has been obscured via the transform, as well as s and t are stored. At authentication, features are transformed applying s and t onto a residual region defined by r. Then, the unencrypted r is used to compute the local distance within a "window", which is referred to as robust distance measure, to provide a perfect match of w. However, since a perfect match is required only for a number of features defined by the system threshold, biotokens are not matched exactly. Additionally, user-specific passcodes can be incorporated to create verification-only systems. Although the authors ideas seem promising, several questions with respect to the presented approaches are left open, for instance, the design of the helper function which separates biometric features into stable and unstable parts and the adoption of this scheme to other biometric characteristics (which is claimed to be feasible). In further work, bipartite biotokens [149, 150] are introduced and applied to fingerprints in order to provide secure communication via an untrusted channel, where cryptographic keys are released based on successful comparisons of biotokens.

C. Approaches to biometric salting

Savvides et al. [137] generate cancelable face biometrics by applying so-called minimum average correlation filters which provide non-invertibility. User-specific secret personal identification numbers (PINs) serve as seed for a random basis for the filters similar to [31]. As previously mentioned, BioHashing [41] without key-binding provides cancelable biometric templates, too. Early proposals of the BioHashing algorithm did not consider the stolen-token scenario. In more recent work [151] it is demonstrated that the EER for the extraction of cancelable 180-bit fingercodes increases from 0% to 5.31% in the stolen-token scenario. The authors address this issue by proposing a new method which they refer to as MRP [152, 153]. It is claimed that MRP (which is applied to face and speech) retains recognition performance in the stolen-token scenario. Furthermore, the authors proposed a method to generate cancelable keys out of dynamic hand signatures [154, 155] based on the random mixing step of BioPhasor and user-specific 2 ^N discretization. To provide CB, extracted features are randomly mixed with a token T using a BioPhasor mixing method. Kim et al. [156] apply user-specific random projections to PCA-based face features followed by an error minimizing template transform. However, the authors do not consider a stolen-token scenario. Another approach to biometric salting was presented by Wang et al. [157] in which face features are transformed based on a secret key. Non-invertibility is achieved by means of quantization. Ouda et al. [158, 159] propose a technique to obtain cancelable iris-codes. Out of several enrollment templates a vector of consistent bits (BioCode) and their positions are extracted. Revocability is provided by encoding the BioCode according to a selected random seed. Pillai et al. [160] achieve cancelable iris templates by applying sector random projection to iris images. Recognition performance is only maintained if user-specific random matrices are applied.

D. Further investigations on cancelable biometrics

Jeong et al. [161] combine two different feature extraction methods to achieve cancelable face biometrics. PCA and ICA (independent component analysis) coefficients are extracted and both feature vectors are randomly scrambled and added in order to create a transformed template. Tulyakov et al. [162, 163] propose a method for generating cancelable fingerprint hashes. Instead of aligning fingerprint minutiae, the authors apply order invariant hash functions, i.e., symmetric complex hash functions. Ang et al. [164] suggest to apply a key-dependent geometric transform to fingerprints. In the first step a core point is selected in the fingerprint image and a line is drawn through it where the secret key defines the angle of the line (0 ≤ key ≤ π). Secondly, all minutiae below the line are reflected above the line to achieve a transformed template. Yang et al. [165] apply random projections to minutiae quadruples to obtain cancelable fingerprint templates. In further work [166] the authors address the stolen-token scenario by selecting random projection matrices based on biometric features. Lee et al. [167] presented a method for generating alignment-free cancelable fingerprint templates. Similar to [59, 162, 163], orientation information is used for each minutiae point. Cancelability is provided by a user's PIN and the user-specific random vector is used to extract translation and rotation invariant values of minutiae points. Hirata and Takahashi [168] propose CB for finger-vain patterns where images are transformed applying a Fourier-like transform. The result is then multiplied with a random filter where the client stores the inverse filter on some token. At authentication the inverse filter is applied to regenerate the transformed enrollment data and correlation-based comparison is performed. A similar scheme is applied to fingerprints in [169]. Bringer et al. [170] presented an idea of generating time-dependent CB to achieve untraceability among different identities across time.

E. Security of cancelable biometrics

While in the vast majority of approaches, security is put on a level with obtained recognition accuracy according to a reference system, analysis with respect to irreversibility and unlinkability is rarely done. According to irreversibility, i.e., the possibility of inverting applied transforms to obtain the original biometric template, applied feature transformations have to be analyzed in detail. For instance, if (invertible) block permutation of biometric data (e.g., fingerprints in [140] or iris in [138]) is utilized to generate cancelable templates the computational effort of reconstructing (parts of) the original biometric data has to be estimated. While for some approaches, analysis of irreversibility appear straight forward for others more sophisticated studies are required (e.g., in [145] irreversibility relies on the difficulty in solving a blind deconvolution problem).

In order to provide renewability of protected biometric templates, applied feature transformations are performed based on distinct parameters, i.e., employed parameters define a finite key space (which is rarely reported). In general, protected templates differ more as more distant the respective transformation parameters are [146]. To satisfy the property of unlinkability, different transformed templates, generated from a single biometric template applying different parameters, have to appear random to themselves (like templates of different subjects), i.e., the amount of applicable parameters (key space) is limited by the requirement of unlinkability.

F. Cancelable biometrics versus biometric cryptosystems

The demand for cancelable biometric keys results in a strong interrelation between the technologies of BCSs and CB [8]. Within common key-binding schemes in which chosen keys are bound to biometric templates, keys are updatable by definition. In most cases, revoking keys require re-enrollment (original biometric templates are discarded after enrollment). In case a key-binding system can be run in secure sketch mode (e.g., [15, 16]), original biometric templates can be reconstructed from another biometric input. With respect to key-generation schemes, revoking extracted keys require more effort. If keys are extracted directly from biometric features without the application of any helper data (e.g., as suggested in [76]), an update of the key is not feasible. Within helper data-based key-generation schemes stored helper data has to be modified in a way that extracted keys are different from previous ones (e.g., changing the encoding of intervals in quantization schemes). Alternatively, the key-generation process could comprise an additional stage in which biometric salting performed prior to the key-generation process [171, 172]. In [173] it is suggested to combine a secure sketch with cancelable fingerprint templates. While CB protect the representation of the biometric data, the biometric template is reconstructed from the stored helper data. Several other approaches to generating cancelable biometric keys have been proposed in [174–177].

A. Advantages and applications

1) Encryption/decryption with biometric keys

The most apparent application of BCSs is biometric-dependent key-release within conventional cryptosystems, replacing insecure password- or PIN-based key-release [8]. Eliminating this weak link within cryptosystems, biometric-dependent key-release results in substantial security benefits making cryptographic systems more suitable for high security applications.

Operation mode (see Figure 16): Any subject registered with the BCS is able to release cryptographic keys upon presenting biometric characteristics. Biometric-dependent keys are then transferred to the applied cryptographic algorithm to encrypt plain data. While several approaches to BCSs fulfill the requirement of generating sufficiently long cryptographic keys to be used in symmetric cryptosystems, most schemes fail in extracting an adequate amount of information to construct public key infrastructures (with few exceptions, e.g., [178]). Subsequently, encrypted data are transmitted via any untrusted channel. To decrypt the cipher text again, biometrics are presented to release decrypting keys. It is important to point out that by using biometric keys in generic cryptosystems the generated cipher text is not harder to decipher (in fact it will be even easier to decipher since biometric keys often suffer from low entropy).

2) Pseudonymous biometric databases

BCSs and CB meet the requirements of launching pseudonymous biometric databases [9] since both technologies provide biometric comparisons in encrypted domain while stored helper data or transformed templates do not reveal significant information about original biometric templates.

Operation mode (see Figure 17): At enrollment, biometric characteristics of a subject are employed as input for a BCS or CB (as suggested in [12] diverse obscured templates are generated for different databases). Depending on the type of application further encrypted records are linked to the template where decryption could be applied based on biometric-dependent keys. Since biometric templates are not exposed during comparisons [4], the authentication process is fully pseudonymous and, furthermore, the activities of any subject are untraceable.

Several other applications for the use of BCSs and CB have been suggested. In [10], biometric ticketing, consumer biometric payment systems and biometric boarding cards are suggested. VoIP packages are encrypted applying biometric keys in [179]. A remote biometric authentication scheme on mobile devices based on biometric keys is proposed in [180] and a framework for an alternative PIN service based on CB is presented in [181]. In [182], helper data-free key-generation is utilized for biometric database hashing. Privacy preserving video surveillance has been proposed in [183].

B. Potential attacks

Several attacks have been encountered to infiltrate conventional biometric systems [4, 184]. The technologies of BCS and CB prevent from different traditional attacks while they appear still vulnerable to some. The most common points of attacks to a biometric system are shown in Figure 18. In addition, numerous techniques have been especially designed to attack key approaches to BCSs and CB.

BCSs and CB do not prevent from classic spoofing attacks [184] (presenting fake physical biometrics). However, there are other possibilities to detect fake biometric inputs (e.g., liveness detection [185]) which can be integrated in both technologies, the same holds for replay attacks. Performing substitution attacks to BCSs is more difficult compared to conventional biometric systems since biometric templates are either bound to cryptographic keys or used to extract helper data (the original biometric template is discarded). Substitution attacks against BCSs require additional knowledge (e.g., of bound keys in case of key-binding schemes). In case of CB substitution, attacks are feasible if impostors are in possession of secret transform parameters or secret keys within approaches to biometric salting. Both technologies are more resilient to masquerade attacks [10, 186]. Since reconstruction of original biometric templates should not be feasible the synthetization of original biometric inputs is highly complicated (e.g., [187]). Performance rates of both technologies decrease compared to conventional biometric systems which makes BCSs and CB even more vulnerable to false acceptance attacks. In contrast to CB, overriding final yes/no responses in a tampering scenario is hardly feasible within BCSs as these return a key instead of binary decisions (intermediate score-based attacks could still be applied [188]).

C. Privacy aspects

Subjects can no longer be trusted based on credentials; however, credentials can be revoked and reissued. In order to abolish credential-based authentication, biometrics are increasingly applied for authentication purposes in a broad variety of commercial (e.g., fingerprint door locks) and institutional applications (e.g., border control). Therefore, biometric authentication requires more stringent techniques to identify registered subjects [208]. Besides the fact that subjects share biometric traits rather reluctantly, the common use of biometrics is often considered as a threat to privacy [209]. Most common concerns include abuse of biometric data (e.g., intrusion by creating physical spoofs) as well as permanent tracking and observation of activities (e.g., function creep by cross-matching).

BCSs and CB are expected to increase the confidence in biometric authentication systems (trusted identification). Both technologies permanently protect biometric templates against unauthorized access or disclosure by providing biometric comparisons in the encrypted domain, preserving the privacy of biometric characteristics [8, 27]. BCSs and CB keep biometric templates confidential meeting security requirements of irreversibility, and unlinkability.

D. The state-of-the-art

The state-of-the-art of BCSs and CB is estimated according to several magnitudes, i.e., reported performance rates, biometric modalities, applied test sets, etc., and the best performing and evaluated approaches are compared and summarized.

In early approaches to BCSs [31, 77], performance rates were omitted. Moreover, most of these schemes have been found to suffer from serious security vulnerabilities [8, 190]. Representing one of the simplest key-binding approaches the fuzzy commitment scheme [15] has been successfully applied to iris [32] (and other biometrics). Iris-codes appear to exhibit sufficient information to bind and retrieve long cryptographic keys. Shielding functions [51] and quantization scheme [22, 82] have been applied to several physiological and behavioral biometrics, while focusing on reported performance rates, these schemes require further studies. The fuzzy vault scheme [16] which represents one of the most popular BCS has frequently been applied to fingerprints. Early approaches [55], which required a pre-alignment of biometric templates, have demonstrated the potential of this concept. Recently, several techniques [56, 57] to overcome the shortcoming of pre-alignment have been proposed. In addition, the feature of order-invariance offers solutions to implement applications such as biometric-based secret sharing in a secure manner [122]. Within the BioHashing approach [41], biometric features are projected onto secret domains applying user-specific tokens prior to a key-binding process. Variants of the BioHashing approach have been exposed to reveal unpractical performance rates under the non-stolen-token scenario [101]. While generic BCSs are designed to extract or bind keys from or to a biometric the password-hardening scheme [19] aims at "salting" an existing password with biometric features.

BioHashing [41] (without key-binding) represents the most popular instance of biometric salting which represents a two-factor authentication scheme [139]. Since additional tokens have to be kept secret [137, 157] result reporting turns out to be problematic. Perfect recognition rates have been reported (e.g., in [91]) while the opposite is true [101].

E. Deployments of BCSs and CB

Though BCSs and CB are still in statu nascendi, first deployments are already available.

priv-ID^a, an independent company that was once part of Philips specializes in biometric encryption. By applying a one-way function, which is referred to as BioHASH^®, to biometric data pseudonymous codes are obtained. PerSay^b, a company that provides voice biometric speaker verification collaborates with priv-ID to integrate priv-ID engine to voice biometrics. Genkey^c, a Norway company (which has a large deployment in New Delhi), offers solutions to fingerprint-based key-generation. The company utilized a concept, which is referred to as FlexKey, where several enrollment samples are applied to select only the most discriminating features in order to extract longer keys. Precise Biometrics^TMd is a Swedish company which offers solutions to secure match-on-card fingerprint verification. Securics: The science of security^TMe, founded by T. Boult, provide revocable biometric tokens based on the BioToken approach [147].

The EU project TURBINE [210] which aims to transform a description of fingerprints through cryptobiometrics techniques received a EU funding of over $9 million.

F. Open issues and challenges

With respect to the design goals, BCSs and CB offer significant advantages to enhance the privacy and security of biometric systems, providing reliable biometric authentication at an high security level. Techniques which provide provable security/privacy, while achieving practical recognition rates, have remained elusive (even on small datasets). Additionally, several new issues and challenges arise deploying these technologies [10]. One fundamental challenge, regarding both technologies, represents the issue of alignment, which significantly effects recognition performance. Biometric templates are obscured within both technologies, i.e., alignment of obscured templates without leakage is highly non-trivial. While for some biometric characteristics (e.g., iris) alignment is still feasible, for others (e.g., fingerprints) additional information, which must not lead to template reconstruction, has to be stored. Within conventional biometric systems, align-invariant approaches have been proposed for several biometric characteristics. So far, hardly any suggestions have been made to construct align-invariant BCSs or CB. Feature adaptation schemes that preserve accuracy have to be utilized in order to obtain common representations of arbitrary biometric characteristics (several approaches to extract binary fingerprint templates have been proposed, e.g., [211, 212]) allowing biometric fusion in a form suitable for distinct template protection schemes. In addition, several suggestions for protocols providing provable secure biometric authentication based on template protection schemes have been made [150, 192, 213, 214].

Focusing on BCSs it is not actually clear which biometric characteristics to apply in which type of application. In fact it has been shown that iris or fingerprints exhibit enough reliable information to bind or extract sufficiently long keys providing acceptable trade-offs between accuracy and security, where the best performing schemes are based on fuzzy commitment and fuzzy vault. However, practical error correction codes are designed for communication and data storage purposes such that a perfect error correction code for a desired code length has remained evasive (optimal codes exist only theoretically under certain assumptions [215]). In addition, a technique to generate chaff points that are indistinguishable from genuine points has not yet been proposed. The fact that false rejection rates are lower bounded by error correction capacities [216] emerges a great challenge since unbounded use of error correction (if applicable) makes the system even more vulnerable [188]. Other characteristics such as voice or keystroke dynamics (especially behavioral characteristics) were found to reveal only a small amount of stable information [18, 19], but can still be applied to improve the security of an existing secret. In addition, several characteristics can be combined to construct multi-BCSs [107], which have received only little consideration so far. Thereby security is enhanced and feature vectors can be merged to extract enough reliable data. While for some characteristics, extracting of a sufficient amount of reliable features seems to be feasible it still remains questionable if these features exhibit enough entropy. In case extracted features do not meet requirements of discriminativity, systems become vulnerable to several attacks (e.g., false acceptance attacks). In addition, stability of biometric features is required to limit information leakage of stored helper data. Besides, several specific attacks to BCSs have been proposed. While key approaches have already been exposed to fail high security demands, more sophisticated security studies for all approaches are required since claimed security of these technologies remains unclear due to a lack formal security proofs and rigorous security formulations [135]. Due to the sensitivity of BCSs, more user-cooperation (compared to conventional biometric systems) or multiple enrollment samples [216] are demanded in order to decrease intra-class variation, while sensoring and preprocessing require improvement as well.

Cancelable biometrics require further investigations as well. Transformations and alignment of transformed templates have to be optimized in order to maintain the recognition performance of biometric systems. Additionally, result reporting remains an issue since unrealistic preconditions distort performance rates.

As plenty different approaches to BCSs and CB have been proposed a large number of pseudonyms and acronyms have been dispersed across literature such that attempts to represented biometric template protection schemes in unified architectures have been made [217]. In addition, a standardization on biometric template protection is currently under work in ISO/IEC FCD 24745.