 Research
 Open Access
 Published:
Unlinkable improved multibiometric iris fuzzy vault
EURASIP Journal on Information Securityvolume 2016, Article number: 26 (2016)
Abstract
Iris recognition technologies are deployed in numerous largescale nationwide projects in order to provide robust and reliable biometric recognition of individuals. Moreover, the iris has been found to be rather stable over time, i.e. iris biometric reference data provides a strong and permanent link between individuals and their biometric traits. Hence, unprotected storage of (iris) biometric data provokes serious privacy threats, e.g. identity theft, limited renewability, or crossmatching. Biometric cryptosystems grant a significant improvement in data privacy and increase the likelihood that individuals will effectively consent in the biometric system usage. However, the vast majority of proposed biometric cryptosystems do not guarantee desired properties of irreversibility, unlinkability, and renewability without significantly degrading the biometric performance.
In this work, we propose an unlinkable multiinstance iris biometric cryptosystem based on the improved fuzzy vault scheme. The proposed system locks biometric feature sets extracted from binary iris biometric reference data, i.e. iriscodes, of the left and right irises in a single fuzzy vault. In order to retain the size of the protected template and authentication speed, the proposed fusion step combines the most discriminative parts of two iriscodes at feature level. It is shown that the proposed keybinding process enables the generation of irreversible protected templates which prevents from previously proposed crossmatching attacks. Further, we investigate the optimal choice among potential decoding strategies with respect to biometric performance and time of key retrieval. The fully reproducible system is integrated to two different publicly available iris recognition systems and evaluated on the CASIAv3Interval and the IITDv1 iris databases. Compared to the corresponding unprotected recognition schemes, genuine match rates of approximately 95 and 97 % at which no false accepts are observed and maintained in a single and multiinstance scenario, respectively. Moreover, the multiiris system is shown to significantly improve privacy protection achieving security levels of approximately 70 bits at practical biometric performance.
Introduction
Biometrics refers to the automated recognition of individuals based on their behavioral and biological characteristics, e.g. fingerprint or face [1, 2]. It is generally conceded that a substitute to biometrics for positive identification in integrated security applications is nonexistent. In past decades, iris recognition [3, 4] emerged as a rapidly growing field of research. Due to its intricate structure, the iris constitutes one of the most powerful biometric characteristics. Existing approaches to iris recognition achieve auspicious biometric performance and deployments in diverse application scenarios, such as border control, underline its tremendous impact [5]. On nationalsized biometric systems, the use of multiple biometric characteristics has been found to significantly improve the accuracy and reliability especially in challenging identification scenarios [6], while recognition systems based on a single biometric indicator often have to contend with unacceptable error rates [7]. However, improvement in biometric performance as a result of biometric fusion should be weighed against the associated overhead involved, such as additional sensing cost, i.e. it is preferred to combine biometric characteristics that can be acquired in a single presentation [8]. For instance, in the Unique IDentification Authority of India (UIDAI) [9], which aims at registering all 1.2 billion Indian citizens, both irises and all fingers of a subject are acquired at enrollment. Similar national projects are also under way in Indonesia and in several smaller countries [10].
Generic iris recognition systems, see Fig. 1 a, consist of four major modules: (1) image acquisition; (2) preprocessing; (3) feature extraction; and (4) comparison. At image acquisition, goodquality NIR images are required to provide a robust recognition, where most current deployments require subjects to fully cooperate with the system. At preprocessing, the pupil and the outer boundary of the iris are detected. Subsequently, general iris recognition algorithms transform the iris ring to a normalized rectangular texture on which image enhancement methods, e.g. histogram stretching, are applied. To complete the preprocessing, the parts of the iris texture which are occluded by eyelids, eyelashes, or reflections are detected and stored in an according noise mask. The vast majority of feature extraction algorithms follow the approach of Daugman [3], in which a binary feature vector, i.e. iriscode, is extracted by applying adequate filters to the iris texture in a rowwise manner. The data representation based on an iriscode offers compact storage and rapid Hamming distancebased (H D) comparison.
Recently, different researchers have shown that, in case an attacker has full knowledge of the employed feature extraction, iriscodes can be utilized in order to reconstruct images of subjects’ iris textures [11, 12]. Such images can be presented to an iris recognition system in order to successfully launch presentation attacks [13]. In order to safeguard individuals’ privacy, protection of biometric templates is of utmost importance, since unprotected storage of biometric templates poses serious privacy threats. Technologies of biometric template protection [14, 15], which are commonly categorized as biometric cryptosystems [16] and cancelable biometrics [17], offer solutions to privacy preserving biometric authentication. Biometric cryptosystems are designed to securely bind a digital key to a biometric or generate a digital key from a biometric signal [16] in order to meet the two major requirements of biometric template protection defined in the ISO/IEC IS 24745 [18]: (1) irreversibility, i.e. knowledge of a protected template can not be exploited to reconstruct a biometric sample which is equal or close (within a small margin of error) to an original captured sample of the same source; (2) unlinkability, i.e. different versions of protected biometric templates can be generated based on the same biometric data (renewability), while protected templates should not allow crossmatching.
Apart from fulfilling the above properties, an ideal biometric cryptosystem shall not cause a decrease in biometric performance with respect to the corresponding unprotected system [19]. The vast majority of existing techniques do not satisfy desired template protection requirements in practice, mostly resulting in a tradeoff between privacy protection and biometric performance [20]. The incorporation of multiple biometric characteristics to biometric cryptosystems has been found to improve biometric performance [7], while the protection of multibiometric templates is especially crucial as they contain information regarding multiple characteristics of the same subject [21]. In contrast to conventional biometric systems, where fusion may take place at score or decision level [7], with respect to template protection schemes, featurelevel fusion has been identified as most suitable. A separate storage of two or more protected biometric templates would enable parallelized attacks. In contrast, a single protected template, which has been obtained by means of featurelevel fusion, is expected to improve privacy protection, since the fused template comprises more biometric information [21]. This is analogous to an access control system which requires multiple low strength (few bits) keys, where each key can be attacked individually. Such a system is less secure than one which uses a single key with a larger number of bits. Obviously, the development of multibiometric cryptosystems is accompanied by further issues such as common data representation, storage requirement, or feature alignment [22].
Contribution of work
In this work, we present an unlinkable multibiometric iriscryptosystem based on the fuzzy vault scheme [23]. As shown in Fig. 1 b, one property of the proposed scheme is that it can be seamlessly integrated to an existing iris recognition system. Since it is designed to protect iriscodes, a reenrolment of already registered subjects is not required, in contrast to proposed irisbased fuzzy vault schemes (see Section 2), which build upon specific feature extractors. The presented scheme is extended to a multiiris template protection scheme where biometric fusion takes place at feature level, in order to maximize privacy protection. In order to minimize processing time as well as storage requirement, the fusion process is designed to retain the size of a single protected template. To maximize the entropy, and hence discriminativity, of the fused template, the most reliable feature parts of two iriscodes are combined, and based on a detailed investigation of decoding strategies, we choose an ideal tradeoff between computational and biometric performance. Thereby, authentication times, which are of equal magnitude for single and multiiris fuzzy vaults, are kept low while accuracy is significantly improved.
The proposed system, which is evaluated on two publicly available iris databases for different iris biometric feature extractors, maintains biometric performance of corresponding unprotected baseline systems. In addition, security analysis show that the system is resistant to existing crossmatching attacks and provides cryptographically acceptable security levels confirming the soundness of the presented approach.
Organisation of article
The remainder of this article is organized as follows: Section 2 briefly summarizes related works regarding iris biometric cryptosystems and the fuzzy vault scheme. Section 3 provides a detailed description of key components of the proposed unlinkable improved (multi)biometric iris fuzzy vault. Experiments are presented in Section 4. Finally, conclusions are drawn in Section 5.
Related work
Iris biometric cryptosystems
Among conceptual proposals [24, 25], the first implementation of an iris biometric cryptosystem, in which the fuzzy commitment scheme is employed [26], was presented in [27]. The fuzzy commitment scheme by Juels and Wattenberg [26] represents a cryptographic primitive, which combines techniques from the area of error correcting codes and cryptography. At keybinding, a prechosen key is prepared with error correcting codes and bound to a binary biometric feature vector of the same length by XORing both resulting in a difference vector. In addition, a hash of the key is stored together with the difference vector forming the commitment. During key retrieval, another binary feature vector is XORed with the stored difference vector and error correction decoding is applied. In case the presented feature vector is sufficiently “close” to the stored one, the correct key is returned, which can be tested using the stored hash. In [27], 2048bit iriscodes are applied to bind and retrieve 140bit keys prepared with Hadamard and ReedSolomon error correction codes. On an inhouse dataset comprising 700 iris images of 70 subjects, a FNMR of 0.47 % at a zero FMR is reported. To provide a more efficient error correction decoding in an irisbased fuzzy commitment scheme, twodimensional iterative minsum decoding was introduced in [28] achieving a FNMR of 5.62 % at a zero FMR on the ICE 2005 iris database [29], where bound keys consist of 40 bits. A contextbased reliable component selection used to extract keys from iriscodes which are then bound to Hadamard codewords is presented in [30]. Further, diverse techniques to improve the performance and security of (iris) fuzzy commitment schemes have been proposed, e.g. [31–34]. In [35, 36], different attacks have been suggested, which utilize the fact that error correction codes underlie distinct structures. Statistical attacks based on socalled error correction code histograms have been successfully conducted against irisbased fuzzy commitment schemes in [37]. In [38], it was found that fuzzy commitment schemes leak information in bound keys and nonuniform templates. Suggestions to prevent from information leakage in fuzzy commitment schemes have been proposed in [39]. In addition, attacks via record multiplicity could be applied to decode stored commitments [40, 41]. In [33], a bitpermutation process was introduced to prevent from crossmatching attacks. It is, however, important to note that even if one uses recordspecific bitpermutation processes, crossmatching may still be possible for records protecting very similar feature vectors and then even enables reversibility attacks from record multiplicity [42]. Considering proposed attacks, the security provided by irisbased fuzzy commitment is rather doubtable.
Focusing on iris, the first implementation of a fuzzy vault scheme (see Section 2.2) was presented in [43, 44] in which salient feature points are extracted from iris textures. Based on several enrolment samples, independent component analysis and kmeans clustering is employed to extract 16 coefficients from most stable parts of the iris textures. On the BERC [45] and the CASIAv3Interval iris database [46], a GMR of approximately 99 and 80 %, respectively, was achieved at a zero FMR employing 128 bit keys. In order to prevent from attacks via record multiplicity, an iris fuzzy vault which is hardened with an additional password is presented in [47, 48]. Image enhancement techniques are applied to extract iris fibres from which minutiaelike coordinates are extracted. Experiments are reported for the CASIAv1 [49] and the MMU iris database [50] achieving a GMR of at most 90 % at a zero FMR. In [51], a multibiometric fuzzy vault based on fingerprint and iris is proposed. Secret keys, which are used to generate an irisbased fuzzy commitment, are directly encoded, fused with fingerprint data at feature level, and locked in the fuzzy vault scheme, achieving a GMR of approximately 98 % at a FMR of 0.01 % on the inhouse MSUDBI fingerprint [52] and the CASIAv1 iris database [49] for a key size of 208 bit. However, the scheme requires an additional storage of corresponding difference vectors which allows for previously mentioned attacks. Further proposal of iris fuzzy vaults, e.g. [53–55], omit a detailed description of employed iris feature encoding or experimental protocols.
The majority of proposed approaches to iris biometric cryptosystems lack a thorough security analysis. It is important to note that the length of employed keys in biometric cryptosystems represents only an upper bound for the provided security. For instance, the scheme in [27], which is designed to bind and retrieve 140 bit keys, provides a security of approximately 40 bits [51]. This reduction is mainly caused by dependencies among neighbouring iriscode bits resulting in a large entropy loss.
Apart from iris biometric cryptosystems, different approaches to cancelable iris biometrics have been proposed, e.g. [56–60]. For further details on cancelable iris biometrics, the reader is referred to [15, 61].
Fuzzy vault scheme
By design, the fuzzy vault scheme [23, 62] enables protection and errortolerant verification with feature sets. It is due to this property that led researchers to consider the fuzzy vault scheme as a promising tool for protecting fingerprint minutiae sets [63]. This preliminary analysis was followed by a series of working implementations for fingerprints most of which are minutiaebased [64, 65]. However, the fuzzy vault scheme as proposed by Juels and Sudan is vulnerable to a certain kind of linkage attacks, the correlation attack [66, 67], that very clearly conflicts with the unlinkability requirement and (even worst) with the irreversibility requirement of effective biometric template protection. Moreover, the use of public unprotected auxiliary alignment data can ease an attacker in performing linkage attacks. As a countermeasure, an implementation for absolutely prealigned minutiae that avoids any correlation between related records of the fuzzy vault scheme has been proposed [68]. Another advantage from the construction in [68] is that the improved fuzzy vault scheme by Dodis et al. [69] can be used for template protection which results in significantly more compact record sizes. Compared to earlier works [63, 64], security levels have been revealed to be approximately 40 bits for singlefinger fuzzy vaults. It is important to note that other linkage attacks can be applied to the improved fuzzy vault scheme but they can, however, be effectively avoided [70].
It is a widely accepted hypothesis that the fingerprint modality does not contain a sufficient amount of effective entropy to resist attacks exploiting the distribution of fingerprint features, specifically falseaccept attacks. From this perspective, we should increase the amount of entropy by considering implementations for fused templates extracted from more than one finger of a person [71] or, as a promising alternative, consider other biometric modalities such as a person’s iris(es).
When designing a fuzzy vaultbased cryptosystem, a practical decoding strategy is needed. Though, in the original fuzzy vault [23, 62], a ReedSolomon decoder [72] has been proposed, its resulting errorcorrecting capabilities are not sufficient to achieve a practical implementation for single finger. As a consequence, the use of a Lagrangebased decoder has been proposed [64] and adopted for other singlefinger implementations [65, 68]. A multifinger implementation has been proposed in [71]. If a Lagrangebased decoder was chosen for the implementation, then the decoding complexity would become infeasible. A reasonable tradeoff between decoding time and verification performance can be achieved using a GuruswamiSudanbased decoder [71, 73] of which a ReedSolomon decoder can be viewed as a special case. In this paper, these strategies are considered for key retrieval in Section 3.4.
Proposed system
From iriscodes to feature sets
As aforementioned, conventional iris recognition schemes extract twodimensional binary feature vectors, i.e. iriscodes, from iris images [3, 4], cf. Fig. 5. Since the fuzzy vault scheme operates on feature sets, the first processing step of the proposed system represents a feature type transformation [74], in particular a binarytointeger orderedtounordered transformation. In our scheme, an extracted iriscode is vertically divided into B blocks of size w×h bits, where each block, and hence each column, is associated with a block index b=0,…,B−1. Subsequently, transform f is applied to each column c _{ i }∈{0,1}^{h},i=0,…,w−1, of a block with index b,f(c _{ i },b)= int(c _{ i })· log2B+b, where int denotes the conversion of a binary vector to its integer representation. Each block yields a vector V _{ b } of feature values, V _{ b }=(v _{0},…,v _{ w−1}), with v _{ i }=f(c _{ i },b). For each vector, V _{ b },P _{ b } denotes the sets of unique vector elements, P _{ b }={v _{0},…,v _{ l }}_{≠},l≤w. The setbased representation conceals the ordering of columns within each block; in addition, multiple entries are discarded. Since iriscode bits are not mutually independent [3], correlation between (neighbouring) columns is expected. Hence, a certain amount of columns within each processed block will be identical, as will be shown in experiments; see Section 4. Let P _{ b }=l be the number of unique feature values of a transformed iriscode block. For a potential attacker, the reconstruction of the original iriscode block involves an arranging of l codewords to w positions. The degree of irreversibility provided by transform f could be quantified by the number of possible blocks resulting in the same set of features which is estimated as,
which follows from a simple application of the inclusionexclusion principle. Large values of ℓ prevent an attacker from reconstructing (guessing) corresponding original iriscode blocks, which further improves privacy protection. It is important to note that, in contrast to fingerprints, where approximations of original fingerprints can be reconstructed from minutiae coordinates [75], this estimation only applies to the use of iriscodes. The final set of feature values P is estimated as the union of all sets of unique vector elements of all blocks, \(\mathbf {P}= \bigcup _{b=0}^{B1} \mathbf {P}_{b}\), where \(\mathbf {P} = \sum _{b=0}^{B1} \mathbf {P}_{b}\), since each block index b is unique. The entire procedure of generating P from an iriscode is illustrated in Fig. 2.
In the comparison stage, generic iris recognition systems apply circular bit shifts and estimate H D scores at different shifting positions, i.e. relative tilt angles, in order to compensate for head tilts. The minimal obtained H D, which corresponds to an optimal alignment, represents the final score. It is important to note that the number of shifting positions employed to determine an appropriate alignment between pair of iriscodes may vary depending on the application scenario. The proposed setbased representation is alignmentfree to a certain extent, since equal columns within certain blocks are mapped to identical feature values. Hence, selfpropagating errors caused by an inappropriate alignment of iriscodes are eliminated (radial neighbourhoods persist). The rotationcompensating property of the proposed system comes at the cost of location information of iriscode columns. In case iriscodes are strongly misaligned, columns will end up in different blocks yielding different feature sets. However, as will be shown in experiments, in case of iris images captured under favourable conditions, the proposed representation maintains distinctiveness if w and h are chosen appropriately.
Multiinstance singlealgorithm fusion
An overview of the multiinstance singlealgorithm fusion, which is designed to fuse biometric information extracted from the left and right iris of a subject, is depicted in Fig. 3. The proposed fusion technique is motivated by two facts:

1.
Average decoding times generally increase with the size of a fuzzy vault. Hence, a fusion of the most discriminative parts of two iriscodes to one of the size of a single iriscode is preferable, in order to maintain reasonable decoding times.

2.
Upper and lower iris parts are frequently occluded by eyelids or eyelashes, cf. Fig. 4 (even under active participation of captured subjects). It has been found that the use of a general noise mask reveals performance gains comparable to that obtained by subjectspecific masks [76].
In order to extract discriminative and stable feature sets of reasonable size, iriscode parts which originate from upper and lower iris parts (marked grey in Fig. 3) are discarded. Discarding iriscode blocks originating from those parts represents a static way of extracting half of the bits expected to be rather stable, which does not require the storage of any auxiliary data. Note that additional subjectspecific data pointing at most reliable iriscode parts might enable linkage attacks. The resulting iriscode parts of the left and right iris of width w×K/2 are concatenated, resulting in a single iriscode of dimension equal to that of an iriscode extracted from a single image (without deleting upper and lower iriscode parts). The stability of selected iriscode parts will be empirically analysed in experiments; see Section 4. Finally, the previously described method is employed to extract a single feature set. The presented featurelevel fusion does not affect the size of the vault compared to singleinstance scenario and, at the same time, retains biometric information expected to be most discriminative [4].
The proposed multiinstance fusion technique requires irises to be aligned properly. However, nowadays, iris sensors are capable of acquiring the left and right irises of a subject simultaneously (using two sensors), which results in an implicit alignment of both irises. Moreover, it is generally conceded that favorable acquisition conditions are considered a fundamental premise for biometric template protection [14]. Hence, the suggested trivial concatenation of iriscode parts is expected to preserve the alignmentfree representation of subsequently processed iriscode blocks. Other fusion techniques, e.g. a random shuffling or interleaving of iriscode columns, would obscure neighbourhoods of columns within iriscode blocks and, thus, are expected to decrease the biometric performance of the system.
Key binding
In the first step of the binding process, a secret polynomial κ∈F[X] of degree smaller than k is chosen, and the hash SHA(κ) is stored. Given a feature set P, extracted from both or a single iris image(s) of a subject, SHA(κ) is used as seed for a recordspecific but public bijection σ:F→F, which is applied to remap the elements of \(\mathbf {P}, \hat {\mathbf {P}}=\sigma (\mathbf {P})=\{\sigma (v)v\in \mathbf {P}\}\). This step is performed in order to prevent from the attack proposed in [70], which is based on the extended Euclidean algorithm. Let V(X) and W(X) be two related vault records protecting the feature sets P and P ^{′}, respectively; unlinkability can be attacked efficiently and effectively, provided that
In [70], it is also shown that the probability of Eq. 2 can be destroyed by applying the abovementioned remapping of feature elements. Note that the employment of these public maps does not affect the operational performance of the system. Moreover, as σ is generated based on SHA(κ), no additional data storage is required. Due to the assumed randomness of two maps σ and σ ^{′}, the corresponding sets σ(P) and σ ^{′}(P ^{′}) are random and, based on the definition of the hypergeometric distribution, the probability that with these sets Eq. 2 is fulfilled is equal to
where \(\omega _{0}=\lceil (\mathbf {P}+k)/2\rceil, \rho =2^{h+\log _{2} B}\), and w.l.o.g. P≥P ^{′}. In experiments, it will be shown that the probability of Eq. 3 is sufficiently low in a cryptographic sense; see Section 4.
The next step is performed based on the improved fuzzy vault scheme [69], which improves the original construction by means that it generates significantly more compact records. In the improved fuzzy vault, scheme genuine and chaff feature elements are encoded by a monic polynomial of degree \(t=\hat {\mathbf {P}}\). The features in \(\hat {\mathbf {P}}\), interpreted as elements of a finite field F where F=ρ, are bound to the secret polynomial κ by computing \(V(X)=\kappa (X)+\prod _{v\in \hat {\mathbf {P}}}(Xv)\), such that the pair (V(X),SHA(κ)) builds our final record.
All elements of \(\hat {\mathbf {P}}\) represent columns consisting of exactly h+ log2B bits. The size of the vault increases with t and is upper bounded by the width of processed iriscodes, i.e. V(X)≤512(h+ log2B) bits. In order to obscure the size of the vault, which might leak information about the protected iriscode, an additional zerobit is appended to each element in \(\hat {\mathbf {P}}\). Subsequently, random values, for which this additional bit is set to 1, are added to \(\hat {\mathbf {P}}\) until a desired maximum vault size is reached. The maximum vault size might be defined as 512(h+1+ log2B) bits or by a maximum observed vault size maxn∈N t _{ n }(h+1+ log2B), where N is the number of registered subjects.
It is important to note that the correlation attack [66, 67], which is a special linkage attack, cannot be applied due to the fact that the improved fuzzy vault scheme encodes a maximal number of chaff points. In such a way, no correlation can be exploited between feature sets protected by two (or more) related instances of the applied fuzzy vault records.
Polynomial reconstruction strategy and key retrieval
On authentication, an unlocking set U⊂F×F of size u is built containing ω pairs being interpolated by the polynomial κ; we call these pairs genuine. If ω≥k, then it is possible to reconstruct the polynomial κ from U if we assume that we can verify the correctness of κ, e.g. by using the hash value SHA(κ). It may, however, not be feasible to reconstruct κ from U in case ω≥k. For example, we found from our training (see Section 4.2) that we can expect the unlocking set to be of size u≈300; furthermore, if we want to achieve a practical genuine acceptance rate, we need to be able to successfully recover κ from U when it contains ω=100 genuine pairs. In the following, we discuss different recovery strategies for this representative example to find a reasonable decoder.
Iterated Lagrange strategy
One way to reconstruct κ from U is to select k pairs from U and compute the unique polynomial κ ^{∗} of degree smaller than k that interpolates them. If all k selected pairs are genuine, then κ∗=κ which can be verified with overwhelming reliability by observing SHA(κ ^{∗})=SHA(κ). If not all k selected pairs are genuine, then most likely SHA(κ ^{∗})≠SHA(κ) and we may repeat the procedure until SHA(κ ^{∗})=SHA(κ). This procedure is guaranteed to, eventually, reveal the secret polynomial κ if ω≥k while for a single step the probability of success is equal to
However, the procedure can become very impractical to be performed. For instance, if u=300,ω=100, and k=20, then we have to expect to run 2^{34} iterations before κ is recovered. This is too costly for a practical polynomial reconstruction strategy.
Iterated ReedSolomon strategy
Alternatively, we may apply a ReedSolomon decoder (e.g. see [72]). This class of algorithms is capable of recovering κ from U efficiently (by means of deterministic polynomial time) if ω≥(u+k)/2. On the other hand, these class of algorithms will fail to recover κ from U for ω<(u+k)/2. In order to establish a decoding mechanism reasonably dealing with these cases, it is conceivable to choose a csized subset U _{0}⊂U randomly where U≥c≥k, apply the ReedSolomon decoder to U _{0}, and if successfully revealing κ ^{∗} with SHA(κ ^{∗})=SHA(κ), output the recovered polynomial; otherwise, the procedure is repeated up to a predefined number of steps. This mechanism will succeed eventually if ω≥(c+k)/2 which improves upon the bound ω≥(u+k)/2 since c≥u. The success probability for a single step of the procedure is equal to
If in addition, the time z _{ RS }(c,k) for a single iteration is known, then the expected time for the iterated ReedSolomon strategy to successfully recover κ can be calculated as
In order to assess feasibility of the iterated ReedSolomon decoding strategy, we consider our case example where (u,ω,k)=(300,100,20). For each c=k,...,2ω−k computed with Eq. (5), we applied an experimentally supported analysis on the estimated effort for the iterated ReedSolomon decoding strategy to successfully decode the vault. For each c, we measured the time z _{ RS }(c,k) a ReedSolomon decoder applied to an unlocking set of size c would consume and estimated the expected time for a successful recovery using Eq. (6). We found that for c=36, the effort becomes minimal with z _{RS}(c,k) being very close to zero and p _{RS}(u,ω,k,c)≈2^{−27}. Yet, even though significantly improving upon the iterated Lagrange decoding strategy, an effort of 27 bits is still too costly for a practical implementation.
Iterated GuruswamiSudan strategy
The bound ω≥(u+k)/2 can be significantly improved by applying a GuruswamiSudan algorithm [73]. This class of algorithms can potentially recover κ from U provided that \(\omega >\sqrt {u\cdot (k1)}\). However, in practice, implementations of the GuruswamiSudan decoder may be too timeconsuming if one aims at recovering exactly up to \(u\sqrt {u\cdot (k1)}\) errors. The number of errors that one can tolerate depends on an additional parameter controlling input to a GuruswamiSudan algorithm called multiplicity. The higher the multiplicity, the more errors the algorithm can tolerate while also being more inefficient. The lower the multiplicity, the more efficient is the algorithm but being able to tolerate fewer errors, e.g. \(\approx u\sqrt {2\cdot u\cdot (k1)}\) for a single multiplicity. Yet, this can still be a significant improvement as compared to a ReedSolomon decoder.
In the same way as for the iterated ReedSolomon strategy, we could apply an iterated GuruswamiSudan strategy which, given u,ω,k, and c, will recover κ from U in a single step with probability
For (u,ω,k)=(300,100,20) we found that c=297 yields the best iterated GuruswamiSudan strategy (for a single multiplicity) where each step consumes z _{ GS }(c,k) time (a fraction of a second on a standard workstation, see Section 4.3) with success probability p _{ GS }(u,ω,k,c)≈0.96 %. It has furthermore been measured that a single step is approximately 2^{9} times harder to perform than a single Lagrange interpolation. This results in an overall difficulty to recover κ from U with more than 95 % probability of only 9 bits and clearly shows that this strategy outperforms the iterated Lagrange and ReedSolomon strategy.
Proposed strategy
The different decoding strategies that we discussed above have been tested for (u,ω,k)=(300,100,20) which is a typical property of an unlocking set being built on a genuine verification. Since a GuruswamiSudan strategy clearly is the best choice from the above experiments, we choose a GuruswamiSudan strategy. Furthermore, since c≈u has been found as the optimal choice, we will only apply a single step of the GuruswamiSudan algorithm to the entire unlocking set U and no subsets thereof. Moreover, we use a multiplicity of three which yields a decoder with a reasonable tradeoff of error tolerance and decoding time, i.e. less than a second [71].
Our discussion emphasizes that it is hard to choose an optimal polynomial recovery strategy, mainly due to the fact that one can either optimize the decoding time or the success probability but not both (unless a predefined tradeoff between the two criteria can be selected). From our discussion, we have chosen the final decoding strategy from experimental observations and a final educated guess. However, it must be stressed that a GuruswamiSudan strategy is not necessarily the best strategy. For example, whenever one wants to successfully decode even if ω=k, then the iterated Lagrange strategy is optimal, and if ω≥(u+k)/2, then the ReedSolomon decoding strategy yields to the best decoder. It seems therefore reasonable to develop a dynamic decoder switching between different strategies depending on the expected values for ω given u and k. This is an interesting topic; the analysis of which we leave open for future research. The reader should be aware of the fact that from an attacker’s point of view, other strategies can be much more efficient—e.g. strategies that employ the statistics of the protected features as, for example, a falseaccept attack.
Experimental evaluation
Database and experimental method
Experiments are carried out on the CASIAv3Interval [46] and the IITDv1 iris database [77], where all left eye images of the CASIAv3 database are used for training purposes (see Section 4.2) and all five images of left and right eyes of the IITDv1 dataset are used for performance evaluations. Both datasets comprise goodquality NIR iris images of size 320×240 pixel. Number of subjects, images, and resulting amounts of genuine and impostor authentication attempts are summarized in Table 1. Sample pairs of left and right iris images of the IITDv1 database are depicted in Fig. 4.
At preprocessing, the iris of a given sample image is detected, unwrapped to an enhanced rectangular texture of 512×64 pixel, shown in Fig. 5 a–c applying the weighted adaptive Hough algorithm proposed in [78]. In the feature extraction stage, two different iris recognition algorithms are employed where normalized enhanced iris textures are divided into stripes to obtain 10 onedimensional signals, each one averaged from the pixels of 5 adjacent rows (the upper 512 × 50 rows are analysed). The first feature extraction method follows the Daugmanlike 1DLogGabor feature extraction algorithm of Masek [79] (LG) and the second follows the algorithm proposed by Ma et al. [80] (QSW) based on a quadratic spline wavelet. Both feature extraction techniques generate iriscodes of 512 × 20 = 10,240 bit. Sample iriscodes generated by both feature extraction methods are shown in Fig. 5 d, e. Custom implementations of employed segmentation and feature extractors are freely available in the University of Salzburg Iris Toolkit (USIT) [81]. For further details on the employed feature extraction algorithms, the reader is referred to [10].
In accordance with IS ISO/IEC 197951:2006 [82], biometric performance is evaluated in terms of genuine match rate (GMR), false nonmatch rate (FNMR), false match rate (FMR), and equal error rate (EER). In addition, for the proposed fuzzy vault schemes, we estimate average genuine decoding time (GDT) and average impostor decoding time (IDT) and provided bruteforce security (BFS) in bits. All experiments were performed on a single core of an Intel Core i73610QM CPU with 3.2 GHz on a standard workstation with sufficient RAM.
Its resistance to recovery attacks, i.e. the effort for an imposter given a vault record to recover the original feature sets or the secret polynomial, represents a fundamental aspect of a fuzzy vault implementation. Generally, the fuzzy vault can be attacked by a bruteforce attack, where the attacker repeatedly samples k points from the vault and tries to interpolate the secret polynomial from these. The expected number of attempts of this attack can be estimated by combinatorial means [83]. In contrast, the falseaccept attack exploits the specific distribution of the biometric features, by repeatedly simulating verifications employing features of randomly chosen (real) iriscodes. The success probability of the falseaccept attack is equal to the FMR provided by the employed parameter setting. In order to optimize the success rate, the attacker can deviate from the parameters used in actual operation; however, in the proposed scheme, the number of decoding iterations is the only parameter that is not already fixed at the time of enrolment. It has been proven in [68] that the expected number of decoding attempts of the falseaccept attack is minimized for using one iteration. Moreover, it has been shown that an attacker’s success probability is maximized by using simple polynomial interpolation as opposed to using a ReedSolomon decoder. Hence, we report the security in terms of falseaccept security (FA security) using this optimal strategy.
Estimating high security levels assumes sharp estimations of FMRs when they are close to zero. In biometric systems with deterministic verification algorithm, the FMR can only be estimated down to the magnitude of 1/I, where I is the number of impostor verifications performed in the evaluation. However, the verification of our implementation is probabilistic as soon as the unlocking set contains more than k points. This property allows us to give heuristic estimates of FMRs that are much smaller than 1/I: For each single impostor verification, we compute the success probability based on the size of the unlocking set and the number of correct points contained, and finally, we estimate the FMR as the mean over all verifications. For details, we refer to [68].
Training stage
In the training stage ω, the number of genuine elements in the unlocking set is employed as comparison score between genuine and impostor pairs of feature sets. Since biometric cryptosystems should be operated at reasonable low FMRs, configurations which achieve the highest GMRs at a zero FMR are preferred. Biometric performance in terms of GMR at a zero FMR for different values of h and w is shown in Table 2. Feature blocks are obtained from the uppermost h adjacent rows of iriscodes bits originating from inner bands of the iris, i.e. the number of blocks is estimated as K=512/w for all configurations. Two configurations are identified as optimal, h=10 and w=16 as well as h=10 and w=32. Note that the training step is performed on a disjoint dataset where a single instance, i.e. iris image, is used per subject to calculate ω between pairs feature sets.
Performance estimation
Sample pairs of left and right iris images of the evaluation dataset are shown in Fig. 4. In the baseline systems, H Dbased dissimilarity score are estimated, where ±8 circular bit shifts are performed to obtain a minimum H D. For both feature extraction methods, Fig. 7 visualizes the probability of mismatching bits between genuine iriscode comparisons. Similar typical twodome pattern of unstable bits are clearly visible for both feature extractors. Obtained biometric performance is summarized in Table 3 and Fig. 6. As expected, a sumrulebased scorelevel fusion of comparison scores between iriscode obtained from both iris images significantly improves biometric performance, yielding EERs below 0.5 %. Note that, in the context of scorelevel fusion, using the sumrule with proper normalization, which is implicitly provided due to the use of a single feature extraction per fusion, has been observed to result in competitive performance [8]. Table 4 shows obtained biometric performance after applying the proposed transform for different parameter settings. Again, a sumrulebased fusion of ω scores across all iriscode blocks is performed for using both iris images. On the one hand, we observe that the setbased representation does not affect (or might even improve) the biometric performance in case a single iris is used. On the other hand, if both irises are employed, a sumrulebased fusion of H Dbased scores reveals better biometric performance, compared to the proposed representation.
For the singleinstance scenario (using iris images of the left eye), the obtained GMRs and corresponding FMRs, provided security, GDTs, and IDTs for different polynomial degrees k are summarized in Tables 5 and 6 for the LG and QSW feature extraction, respectively. According relations between FNMR and FMR are plotted in Fig. 8. Note that scales for FNMR and FMR have been adjusted to improve visibility. As can be observed, the biometric performance of both unprotected baseline systems is either maintained or slightly improved. Moreover, for best performing configurations, with respect to the polynomial degree k, GDTs and IDTs are significantly smaller than 1 s.
Focusing on the proposed multibiometric fuzzy vault, the probabilities of mismatching bits shown in Fig. 7 confirm the soundness of the proposed selection of iriscode parts. Obtained performance for both feature extractors using different configurations is summarized in Tables 7 and 8, respectively. Compared to obtained performance rates for a sumrulebased fusion of ω scores across all iriscode blocks shown in Table 4, the presented fusion strategy clearly improves recognition accuracy. According FNMRs and FMRs are plotted in Fig. 9. As can be observed, biometric performance is significantly improved for multibiometric fuzzy vaults achieving better rates than according baseline systems, which confirms that the proposed fusion retains highly discriminative feature sets. In addition, decoding times increase only sightly due to the compact representation of fused feature sets. By comparing relations between FNMRs and FMRs of singleiris and multiiris fuzzy vaults, cf. Figures 8 and 9, it can be observed that, for reasonable values of k, both rates significantly decrease across all configurations.
For chosen parameters h=10 and w=16,32, the vault size is estimated as 512(h+1+ log2(512/w)). For single and multiiris vaults, this results in 512×16=8192 and 512×15=7680 bits for w=16 and w=32, respectively. Hence, compared to the original 512 × 20 bit iriscodes, resulting vault sizes are even smaller, since only the upper (more discriminative) half of the original iriscode is employed. As aforementioned, vault sizes may be further reduced based on an maximum observed number of feature elements in extracted point sets.
Security analysis
For chosen parameter settings, the average number of unique feature elements per iriscode block, l, and the corresponding amount of different sequences of iriscode columns which result in a single set of feature values, ℓ, according to Eq. 1, is summarized in Table 4. The large values of ℓ indicate a certain degree of irreversibility, which will hamper a systematic reconstruction of iriscode blocks from the proposed setbased representation, even if an attacker succeeds in unlocking the vault. A more thorough analysis of potential reconstruction attacks is beyond the scope of this work.
For all employed parameter settings h=10,w=16,32,k=4,...,32, and 256≤P ^{′}≤P≤512, one can verify experimentally that the probability of Eq. 2 never becomes larger than 2^{−155}. This clearly shows that the crossmatching attack from [70] can be effectively prevented.
We estimate the security against recovery attacks by the expected number of decoding attempts that an attacker has to perform with a Lagrangebased decoder after having built the unlocking set using a query template [68]. In this way, our notion of security is a measure of resistance against a certain falseaccept attack by also accounting for a decoding complexity. However, it is important to note that there may be more efficient strategies for an attacker to perform. For example, the attacker may rely on a GuruswamiSudanbased decoder as in the verification protocol or on a completely different (currently unknown) strategy. However, we stress that the security achieved with a GuruswamiSudanbased decoder cannot be estimated beyond the bound of 2^{15} times the decoding complexity—even if the true security is significantly higher. The method from [68] allows to estimate a higher falseaccept security; but, the reader should be aware that the resulting security estimates are heuristic falseaccept security estimates. Yet, these estimates are still much more realistic and plausible than security estimates against bruteforce attacks. Figure 10 compares obtained GMRs versus the security levels, for different parameter settings of the proposed (multi)biometric fuzzy vault schemes for both employed feature extraction algorithms. Firstly, we observe that security levels provided by iris biometric fuzzy vaults using a single iris appear satisfactory. For GMRs above 90 %, security levels of approximately 50 bits are obtained. Secondly, the use of both irises is shown to be beneficial. On the one hand, it improves biometric performance: at a fixed security level, higher GMRs are obtained when using both eyes; on the other hand, privacy protection is increased: for a fixed GMR, higher security levels are achieved; Hence, depending on the chosen size of k, recognition accuracy and/or privacy protection is improved. At operation points which achieve reasonable GMRs of approximately 90 and 95 %, the security level is increased from 50 to almost 70 bits and 40 to 50 bits, respectively.
Another very important security aspect concerns the risk of correlation attacks on two or more vault records of the same user. Since we use the improved fuzzy vault scheme, which effectively uses all finite field elements as vault points [69], the correlation attack from [66] cannot be applied. On the other hand, there are specific correlation attacks against the improved fuzzy vault scheme based on solving systems of polynomial equations [84] or deploying the extended Euclidean algorithm [70]. However, these attacks only work if in both vault records the features are represented by the same finite field elements, and, hence, are prevented by our use of a recordspecific permutation σ of the field elements [68].
Conclusions
The link between individuals and their biometric (physiological) characteristics is considered strong and permanent, particularly for iris [3]. Therefore, iriscodes must be protected in order to safeguard individuals’ privacy and biometric systems’ security. Albeit this is rarely the case in operational systems, favourable capture conditions (resulting in low intraclass variance) are considered a fundamental premise for biometric cryptosystems. Consequentially, compared to conventional recognition systems, biometric cryptosystems suffer from a significant decrease in biometric performance. Multibiometric cryptosystems, which should be designed to combine multiple biometric characteristics at feature level [21], might bridge the gap between biometric performance and privacy protection [19].
The key advantages of the proposed (multi)iris fuzzy vault scheme can be summarized in three terms: (1) in contrast to the vast majority of biometric cryptosystems, the proposed system maintains biometric performance obtained by the corresponding unprotected iris recognition system in a single or multiinstance scenario; (2) the suggested fusion technique combines most discriminative information of two iriscodes to a single fuzzy vault and key retrieval is performed based on an analysis of suitable decoding strategies providing fast decoding times; (3) in contrast to existing proposals the presented (multi)iris fuzzy vault scheme is designed to protect iriscodes, i.e. the protection of an iris biometric database does not require reenrolment registered subjects.
Furthermore, it is shown that the proposed (multi)iris fuzzy vault schemes obtain unrivalled security levels in comparison to fuzzy vaults based on other biometric characteristics. Even minutiaebased multifinger fuzzy vaults using four fingers do not achieve higher security levels [71]. Like in the vast majority of biometric cryptosystems, obtained decoding times may limit the system to be operated in verification mode while protected biometric templates still enable a compact storage. A security analysis for the scenario where an adversary might be in possession of one iriscode prior to attacking a multiiris fuzzy vault might be subject to future research. Finally, we note that the presented work is based on opensource software and evaluated on public biometric databases, i.e. represents fully reproducible research [85].
References
 1
AK Jain, A Ross, S Prabhakar, An introduction to biometric recognition. IEEE Trans. Circ. Syst. Video Technol. 14:, 4–20 (2004).
 2
AK Jain, P Flynn, AA Ross, Handbook of Biometrics (Springer, New York, 2008).
 3
J Daugman, How iris recognition works. IEEE Trans. Circ. Syst. Video Technol. 14(1), 21–30 (2004).
 4
KW Bowyer, K Hollingsworth, PJ Flynn, Image understanding for iris biometrics: a survey. Elsevier Comput. Vis. Image Underst. 110(2), 281–307 (2007).
 5
A Ross, Iris recognition: the path forward. Computer. 43:, 30–35 (2010).
 6
A Ross, K Nandakumar, AK Jain, Handbook of Multibiometrics (Springer, Secaucus, NJ, USA, 2006).
 7
A Ross, AK Jain, Information fusion in biometrics. Pattern Recogn. Lett. 24:, 2115–2125 (2003).
 8
AK Jain, B Klare, AA Ross, in In Proc. of the 8th Int. Conf. on Biometrics 2015 (ICB’15). Guidelines for best practices in biometrics research (IEEE, 2015), pp. 1–5.
 9
Unique Identification Authority of India, Aadhaar: http://uidai.gov.in/. retrieved July, 2016. http://uidai.gov.in/.
 10
C Rathgeb, A Uhl, P Wild, Iris Recognition: From Segmentation to Template Security. Advances in Information Security, vol. 59 (Springer, New York, 2013).
 11
S Venugopalan, M Savvides, How to generate spoofed irises from an iris code template. IEEE Trans. Inf. Forensics Secur. 6:, 385–395 (2011).
 12
J Galbally, A Ross, M GomezBarrero, J Fiérrez, J OrtegaGarcia, Iris image reconstruction from binary templates: an efficient probabilistic approach based on genetic algorithms. Comp. Vision Image Underst. 117(10), 1512–1525 (2013).
 13
S Marcel, M Nixon, SZ Li, Handbook of Biometric AntiSpoofing (Spring, New York, 2014).
 14
AK Jain, K Nandakumar, A Nagar, Biometric template security. EURASIP J. Adv. Sig. Process. 2008:, 1–17 (2008).
 15
C Rathgeb, A Uhl, A survey on biometric cryptosystems and cancelable biometrics. EURASIP J. Inf. Secur. 2011(3) (2011).
 16
U Uludag, S Pankanti, S Prabhakar, AK Jain, Biometric cryptosystems: issues and challenges. Proc. IEEE. 92(6), 948–960 (2004).
 17
NK Ratha, JH Connell, RM Bolle, Enhancing security and privacy in biometricsbased authentication systems. IBM Syst. J. 40(3), 614–634 (2001).
 18
ISO/IEC JTC1 SC27 Security Techniques:ISO/IEC 24745:2011. Information Technology  Security Techniques  Biometric Information Protection International Organization for Standardization (ISO, 2011). International Organization for Standardization.
 19
K Nandakumar, AK Jain, Biometric template protection: bridging the performance gap between theory and practice. IEEE Sig. Process. Mag.  Spec. Issue Biom. Secur. Priv. 32(5), 1–12 (2015).
 20
Y Wang, S Rane, SC Draper, P Ishwar, A theoretical analysis of authentication, privacy, and reusability across secure biometric systems. Trans. Inf. Forensics Secur. 7(6), 1825–1840 (2012).
 21
A Nagar, K Nandakumar, AK Jain, Multibiometric cryptosystems based on featurelevel fusion. Trans. Inf. Forensics Secur. 7(1), 255–268 (2012).
 22
C Rathgeb, C Busch, in New Trends and Developments in Biometrics. Multibiometric template protection: issues and challenges (InTechRijeka, 2012), pp. 173–190.
 23
A Juels, M Sudan, in Proc. IEEE Int’l Symp. on Information Theory. A fuzzy vault scheme (IEEE, 2002), p. 408.
 24
G Davida, Y Frankel, B Matt, On enabling secure applications through offline biometric identification. Proc. IEEE, Symp. Secur. Priv, 148–157 (1998).
 25
G Davida, Y Frankel, B Matt, On the relation of error correction and cryptography to an off line biometric based identication scheme. Proc. of WCC99, Work. Coding Cryptogr, 129–138 (1999).
 26
A Juels, M Wattenberg, in Proc. 6th ACM Conf. on Computer and Communications Security. A fuzzy commitment scheme (ACM, 1999), pp. 28–36.
 27
F Hao, R Anderson, J Daugman, Combining cryptography with biometrics effectively. IEEE Trans. Comput. 55(9), 1081–1088 (2006).
 28
J Bringer, H Chabanne, G Cohen, B Kindarji, G Zemor, Theoretical and practical boundaries of binary secure sketches. IEEE Trans. Inf. Forensics. Secur. 3:, 673–683 (2008).
 29
National Institute of Standards and Technology (NIST): Iris Challenge Evaluation (ICE) 2005. http://www.nist.gov/itl/iad/ig/ice.cfm. (2005). Accessed Oct 2016.
 30
C Rathgeb, A Uhl, Contextbased biometric keygeneration for iris. IET Computer Vision (Spec. Issue Futur. Trends Biom. Process.), IET. 5(6) (2012).
 31
ABJ Teoh, J Kim, Secure biometric template protection in fuzzy commitment scheme. IEICE Electron. Express. 4(23), 724–730 (2007).
 32
L Zhang, Z Sun, T Tan, S Hu, in In Proc. of the 3rd Int. Conf. on Biometrics 2009 (ICB’09) LNCS: 5558. Robust biometric key extraction based on iris cryptosystem (Springer, 2009), pp. 1060–1070.
 33
ERC Kelkboom, J Breebaart, TAM Kevenaar, I Buhan, RNJ Veldhuis, Preventing the decodability attack based crossmatching in a fuzzy commitment scheme. Trans. Inf Forensics Secur. 6(1), 107–121 (2011).
 34
E Maiorana, P Campisi, A Neri, in Int. Conf. on Acoustics, Speech and Signal Processing (ICASSP’14). Iris template protection using a digital modulation paradigm (IEEE, 2014), pp. 3759–3763.
 35
A Cavoukian, A Stoianov, in Biometrics: Fundamentals, Theory, and Systems. Biometric encryption: the new breed of untraceable biometrics (WileyNew York, 2009).
 36
A Stoianov, T Kevenaar, M van der Veen, in 2009 IEEE Toronto International Conference on Science and Technology for Humanity (TICSTH). Security issues of biometric encryption (IEEE, 2009), pp. 34–39.
 37
C Rathgeb, A Uhl, Statistical attack against fuzzy commitment scheme. IET Biom. 1(2), 94–104 (2012).
 38
T Ignatenko, FMJ Willems, Information leakage in fuzzy commitment schemes. IEEE Trans. Inf. Forensics Secur. 5(2), 337–348 (2010).
 39
P Failla, Y Sutcu, M Barni, in Proc. of the 12th ACM Workshop on Multimedia and Security. MM&Sec ’10. esketch: a privacypreserving fuzzy commitment scheme for authentication using encrypted biometrics (ACM, 2010), pp. 241–246.
 40
K Simoens, P Tuyls, B Preneel, in Proc. of the 30th IEEE Symposium on Security and Privacy. Privacy weaknesses in biometric sketches (IEEE, 2009), pp. 188–203.
 41
I BuhanDulman, JG Merchan, E Kelkboom, in Proc. of IEEE Workshop on Information Forensics and Security (WIFS). Efficient strategies for playing the indistinguishability game for fuzzy sketches (IEEE, 2010).
 42
B Tams, Decodability attack against the fuzzy commitment scheme with public feature transforms. CoRR. abs/1406.1154: (2014).
 43
YJ Lee, K Bae, SJ Lee, KR Park, J Kim, in Proc. of Second Int. Conf. on Biometrics. Biometric key binding: fuzzy vault based on iris images (Springer, 2007), pp. 800–808.
 44
YJ Lee, KR Park, SJ Lee, K Bae, J Kim, A new method for generating an invariant iris private key based on the fuzzy vault system. Trans. Syst. Man, Cybern. Part B: Cybern. 38(5), 1302–1313 (2008).
 45
Biometrics Engineering Research Center (BERC): Iris database (version 1) (2008).
 46
Chinese Academy of Sciences’ Institute of Automation: CASIA Iris Image Database V3.0 — Interval. http://biometrics.idealtest.org (2002). Accessed Oct 2016.
 47
ES Reddy, I Ramesh Babu, in 8th Int. Conf. on Computer and Information Technology Workshops, 2008. Performance of iris based hard fuzzy vault (IEEE, 2008), pp. 248–253.
 48
ES Reddy, I Ramesh Babu, in Second Asia Int. Conf. on Modeling Simulation AICMS’08. Authentication using fuzzy vault based on iris textures (IEEE, 2008), pp. 361–368.
 49
Chinese Academy of Sciences’ Institute of Automation: CASIA Iris Image Database V1.0. http://biometrics.idealtest.org (2002). Accessed Oct 2016.
 50
Multimedia University: MMU Iris Image Database. http://pesona.mmu.edu.my/ccteo (2004). Accessed Oct 2016.
 51
K Nandakumar, AK Jain, in 2nd Int. Conf. on Biometrics: Theory, Applications and Systems (BTAS’08). Multibiometric template security using fuzzy vault (IEEE, 2008), pp. 1–6.
 52
AK Jain, S Prabhakar, A Ross, Fingerprint matching: data acquisition and performance evaluation. Michigan State Univ., Tech. Rep., TR9914 (1999).
 53
M Fouad, A El Saddik, J Zhao, E Petriu, in Int. Systems Conf. (SysCon’11). A fuzzy vault implementation for securing revocable iris templates (IEEE, 2011), pp. 491–494.
 54
R Álvarez Mariño, FH Álvarez, LH Encinas, A cryptobiometric scheme based on iristemplates with fuzzy extractors. Inf. Sci. 195:, 91–102 (2012).
 55
S Sowkarthika, N Radha, in 7th Int. Conf. on Intelligent Systems and Control (ISCO’13). Securing iris and fingerprint templates using fuzzy vault and symmetric algorithm (IEEE, 2013), pp. 189–193.
 56
J Zuo, NK Ratha, JH Connel, in Proc. of the 19th Int. Conf. on Pattern Recognition 2008 (ICPR’08). Cancelable iris biometric (IEEE, 2008), pp. 1–4.
 57
S Kanade, D PetrovskaDelacretaz, B Dorizzi, in Proc. of the IEEE Computer Society Conf. on Computer Vision and Pattern Recognition, CVPR ’09. Cancelable iris biometrics and using error correcting codes to reduce variability in biometric data (IEEE, 2009), pp. 120–127.
 58
J HämmerleUhl, E Pschernig, A Uhl, in Proc. of the 12th Int. Information Security Conf. (ISC’09). LNCS, 5735, ed. by P Samarati, M Yung, F Martinelli, and CA Ardagna. Cancelable iris biometrics using block remapping and image warping (SpringerNew York, 2009), pp. 135–142.
 59
JK Pillai, VM Patel, R Chellappa, NK Ratha, Secure and robust iris recognition using random projections and sparse representations. Trans. Pattern Anal. Mach. Intell. 33(9), 1877–1893 (2011).
 60
C Rathgeb, C Busch, Cancelable multibiometrics: mixing iriscodes based on adaptive bloom filters. Comput. Secur. 42:, 1–12 (2014).
 61
C Rathgeb, A Uhl, P Wild, in Iris Biometrics. Advances in Information Security, 59. Cancelable iris biometrics (SpringerNew York, 2013), pp. 223–231.
 62
A Juels, M Sudan, A fuzzy vault scheme. Des. Codes Cryptogr. 38(2), 237–257 (2006).
 63
TC Clancy, N Kiyavash, DJ Lin, in Proc. ACM SIGMM Workshop on Biometrics Methods and Applications. WBMA ’03. Secure smartcardbased fingerprint authentication (ACMNew York, NY, USA, 2003), pp. 45–52.
 64
K Nandakumar, AK Jain, S Pankanti, Fingerprintbased fuzzy vault: implementation and performance. IEEE Trans. Inf. Forensics Secur. 2(4), 744–757 (2007).
 65
A Nagar, K Nandakumar, AK Jain, A hybrid biometric cryptosystem for securing fingerprint minutiae templates. Pattern Recogn. Lett. 31:, 733–741 (2010).
 66
WJ Scheirer, TE Boult, in Proc. of Biometrics Symp. Cracking fuzzy vaults and biometric encryption (IEEE, 2007), pp. 1–6.
 67
A Kholmatov, B Yanikoglu, in Proc. SPIE, 6819. Realization of correlation attack against the fuzzy vault scheme (SPIE, 2008).
 68
B Tams, P Mihăilescu, A Munk, Security considerations in minutiaebased fuzzy vaults. IEEE Trans. Inf. Forensics Secur. 10(5), 985–998 (2015).
 69
Y Dodis, R Ostrovsky, L Reyzin, A Smith, Fuzzy extractors: how to generate strong keys from biometrics and other noisy data. SIAM J. Comput. 38(1), 97–139 (2008).
 70
J Merkle, B Tams, Security of the improved fuzzy vault scheme in the presence of record multiplicity (full version). CoRR (2013). https://arxiv.org/abs/1312.5225. Accessed Oct 2016.
 71
B Tams, Unlinkable minutiaebased fuzzy vault for multiple fingerprints. IET Biom. 5(3), 170–180 (2016). IET Digital Library.
 72
S Gao, in Communications, Information and Network Security, V.Bhargava, H.V.Poor, V.Tarokh, and S.Yoon. A new algorithm for decoding reedsolomon codes (Dordrecht, 2002), pp. 55–68.
 73
V Guruswami, M Sudan, Improved decoding of reedsolomon and algebraicgeometric codes. IEEE Trans. Inf. Theory. 45:, 1757–1767 (1998).
 74
MH Lim, ABJ Teoh, J Kim, Biometric featuretype transformation: making templates compatible for template protection. IEEE Sig. Process. Mag. 32(5), 77–87 (2015).
 75
R Cappelli, A Lumini, D Maio, D Maltoni, Fingerprint image reconstruction from standard templates. IEEE Trans. Pattern Anal. Mach. Intell. 29(9), 1489–1503 (2007).
 76
W Dong, Z Sun, T Tan, Iris matching based on personalized weight map. IEEE Trans. Pattern Anal. Mach. Intell. 33(9), 1744–1757 (2011).
 77
Indian Institute of Technology Delhi (IITD): IITD Iris Database version 1.0 (2007). http://www4.comp.polyu.edu.hk/~csajaykr/IITD/Database_Iris.htm. Accessed Oct 2016.
 78
A Uhl, P Wild, in Proc. 5th Int’l Conf. on Biometrics. Weighted adaptive hough and ellipsopolar transforms for realtime iris segmentation, (2012), pp. 1–8.
 79
L Masek, Recognition of human iris patterns for biometric identification. Master’s thesis (University of Western Australia, 2003).
 80
L Ma, T Tan, Y Wang, D Zhang, Efficient iris recognition by characterizing key local variations. IEEE Trans. Image Process. 13(6), 739–750 (2004).
 81
USIT – University of Salzburg Iris Toolkit. http://www.wavelab.at/sources/Rathgeb12e. version 1.0.x. Accessed Oct 2016.
 82
ISO/IEC TC JTC1 SC37 Biometrics: ISO/IEC 197951:2006, Information Technology – Biometric Performance Testing and Reporting – Part 1: Principles and Framework. International Organization for Standardization and International Electrotechnical Committee (2006). International Organization for Standardization and International Electrotechnical Committee.
 83
P Mihăilescu, A Munk, B Tams, in Proc. of BIOSIG. The fuzzy vault for fingerprints is vulnerable to brute force attack (IEEE, 2009), pp. 43–54.
 84
M Blanton, M Aliasgari, Analysis of reusability of secure sketches and fuzzy extractors. IEEE Trans. Inf. Forensics Secur. 8(9), 1433–1445 (2013).
 85
P Vandewalle, J Kovacevic, M Vetterli, Reproducible research in signal processing  What, why, and how. IEEE Sig. Process. Mag. 26(3), 37–47 (2009).
 86
AJ Mansfield, JL Wayman, Best practices in testing and reporting performance of biometric devices. Technical report. U.K. Goverment Biometrics Working Group (August 2002).
Acknowledgements
This work has been partially supported by the German Federal Ministry of Education and Research (BMBF) within the Center for Research in Security and Privacy (CRISP).
Competing interests
The authors declare that they have no competing interests.
Author information
Rights and permissions
Open Access This article is distributed under the terms of the Creative Commons Attribution 4.0 International License (http://creativecommons.org/licenses/by/4.0/), which permits unrestricted use, distribution, and reproduction in any medium, provided you give appropriate credit to the original author(s) and the source, provide a link to the Creative Commons license, and indicate if changes were made.
About this article
Received
Accepted
Published
DOI
Keywords
 Biometrics
 Iris recognition
 Template protection
 Multibiometrics
 Biometric cryptosystem
 Fuzzy vault scheme