Hand-Based Multimodal Identification System with Secure Biometric Template Storage

This paper proposes a biometric system for personal recognition (identification) based on three biometric characteristics from a single body part: the hand. Features are extracted from the palmprint, finger surface and hand geometry, in order to create a single template. A protection scheme is applied to guarantee the template's revocability, security and diversity amongst different biometric systems. An error-correcting code (ECC), a cryptographic hash function (CHF) and a binarization module are the core of the template protection scheme. Since the ECC and CHF operate on binary data, an additional feature binarization step is required. This paper proposes: (1) a novel identification architecture that uses hand geometry as a soft biometric to accelerate the identification process and ensure the system's scalability; and (2) a new feature binarization technique

that guarantees that the Hamming distance between transformed binary features is proportional to the difference between their real values.
The proposed system achieves promising recognition performance and speed on two publicly available hand image databases.

Introduction
Biometrics are an attractive and convenient solution for private data protection, time and attendance control, controlling the access to restricted areas, online banking or identity authentication. Traditionally, this is solved using something a person knows (e.g., password) or possesses (e.g., identifying document, smart card). However, these methods present some serious disadvantages, becoming less reliable in a world where security threats are escalating (e.g., identity theft).
The idea behind biometric systems is to recognize individuals, using pattern recognition algorithms on one or more biometric traits, being the latter called multimodal biometrics. Such systems can operate in verification or identification modes. In verification mode, the person presents the biometric to a sensor and claims an identity (via, e.g., a password); a one-to-one comparison with the stored template is performed to decide if the person is who she claims to be. In identification mode, the biometric presented to the sensor is tested by comparing the acquired template with all registered templates and the person is authenticated if a match is found.
Identification can be extremely time-consuming as many comparisons may be required, unless some criteria are used to reduce the search space. The first steps in biometric sample classification were given by Ratha et al. [1], who 3 proposed a method to reduce the search space when performing fingerprint identification, by assigning a fingerprint sample to a specific class according to its texture. A probe biometric sample is then categorized into the corresponding class and only the templates in the same class are used for matching. A similar classification technique has been applied to iris and palmprint identification [2,3] using, in the latter, the number of principal lines as a classification criterion.
An alternative to the above classification schemes is database indexing, where an index value is assigned to every biometric template in the database.
In indexing systems, the identities whose indices are similar to the index value of the probe sample are retrieved. The probe sample is only matched against the retrieved identities, reducing the identification time and, potentially, the identification error rate. An iris database indexing method has been proposed in [4], where a hash is generated from a specific region of the template and used as an index value.
The above mentioned techniques either extract values from the biometric template for database indexing or use implicit features in the biometric sample to divide the database into categories. This paper proposes the usage of the hand's geometry as a soft biometric to sort the list of identification candidates according to the similarity scores and use this sorted list to index the template database. The hand's geometry is not known to be very distinctive between individuals [5] and the issue of its uniqueness is still somewhat controversial [6]. Recent research studies [7,8,9] have shown high recognition rates, but the datasets used in these studies were acquired in highly controlled environments. Thus, even if the hand's geometry is unique amongst a large population, it might not be feasible to extract accurate features in a rather unconstrained environment [6].
Nevertheless, it is suitable to perform a coarse first approach to the main problem faced by a biometric identification system -"who can this person be?" -and let the most likely candidates in the database be compared to in the first place.
Although FS recognition systems are not commonly found in the literature, this biometric trait is usually associated with PP in multimodal systems [14,19,22].
Besides the risk of authenticating an impostor, biometric systems present other potential vulnerabilities. The need to store a biometric template on a database is considered to be the main vulnerability amongst biometric systems because, unlike other authentication methods, a person cannot change a biometric if it is compromised due to a security breach in the recognition system. Jain et al. [26] mentioned that one of the most potentially damaging attacks on a biometric system is against the template database. A 5 secure template storage scheme should be employed in order to protect users' identities and guarantee their privacy. This scheme must, however, deal with the acquisition noise, also called intra-user sample variability [27], which may be caused by: environmental variability (e.g., non-uniform illumination), sample presentation variability (e.g., placing the hand at a different angle), intrinsic biological variability (e.g., elastic skin deformation) or acquisition losses/errors introduced by the sensor.
Several schemes that provide secure template storage and deal with sample variability have been proposed, typically using ECC to handle the intra-user variations. Juels and Wattenberg [28] proposed the fuzzy commitment scheme, where a hash function is used to ensure the privacy of the biometric data together with an ECC to deal with intra-user variability. Juels and Sudan [29], proposed the fuzzy vault scheme, which consists in securing a secret  In this work, the adopted secure template storage technique is similar to the one proposed in [30], but with a different approach concerning the ECC, a different architecture (identification instead of verification) and a novel binarization technique to convert real-valued features into binary strings.
Despite resulting in a more complex and challenging architecture, identification is chosen over the verification mode because one of the main advantages of biometrics is to allow personal recognition without any additional information that can be forgotten or lost.
The remainder of the paper is organized as follows: Section 2 provides an overview of the system's architecture and details of the pre-processing

System Overview
The proposed system architecture is illustrated in Figure 1 and Figure 2, for the enrolment and identification stages, respectively. In both cases, the acquired sample undergoes the same processing until the template binarization module.  Although score-level fusion is the most commonly used fusion technique [31], the proposed system combines PP and FS at feature-level. This is because score-level fusion cannot be applied to the proposed architecture, where only an encrypted (and non-invertible) version of the template is stored in the database, for which it is meaningless to compute matching scores.

Pre-processing
The pre-processing module computes the hand's contour and the regions of interest (ROI), which are the palm and the index, middle, ring and little finger regions. The thumb is discarded because its texture is typically not completely visible in the acquired images due to its sideways positioning. 9 The major pre-processing steps are illustrated in Figure 3. In the first place, the input image is converted to greyscale and resized to a lower dimension in order to reduce the computational burden in further processing. The resized image is binarized using Otsu's method [32] 3 , rp is computed in the same manner.
10 Finally, the ROIs are detected and segmented using the previously calculated points and are then resized to a standard size. The palm area is defined as a square region where two of the vertices, 1 v and 2 , v are computed as 32 11 12 ,. 22 The remaining vertices are derived from 1 v and 2 v by selecting the square that lies inside the contour. The fingers' areas are defined as the largest rectangles that lie inside the finger contours, which are the contour segments delimited by the fw and rp points, depending on the finger. Before feature extraction, the palm and finger ROIs are resized to 16x16 and 32x8 pixels, respectively.

Feature Extraction
Palmprint and finger surface features are extracted using LDA, which projects the ROI vectors into a subspace where the between-class variations are maximized and the within-class variations are minimized [23]. This property is very useful for the proposed binarization scheme (see Section 3.1) which, in turn, has good properties for the initialization procedure in the LDPC decoder Besides improving the recognition performance, limiting the number of features is also a way of assigning weights to each biometric characteristic, i.e., the more discriminative it is, the more features are used to represent it in the template.
Hand geometry features are measures, in pixels, computed from the hand contour, namely: twenty finger widths (four from each finger), five finger lengths, five finger perimeters and five intra-palm distances (see Figure 4).

Secure Template Storage
A CHF is an effective way to encrypt data for it is a non-invertible transform.
However, due to its dispersive nature, it has completely different outputs for similar inputs. This is a major disadvantage when dealing with biometric data, because two measurements of the same user are never exactly equal and so 13 will not be the encrypted data, transformed by the CHF. This is different from what happens in password-based systems. To deal with this issue, an LDPC code is used, which cancels the acquisition noise by correcting the errors in biometric templates. When a user attempts to be recognized, the errors (i.e., differences) in the newly acquired template will be corrected (up to a certain extent) to match the template that was acquired when the user was registered in the biometric system.
To use ECC and CHF, these secure template storage schemes require a fixed-length binary representation of the biometric sample, referred to as a binary feature vector [33] or binary template.

Template Binarization
The binarization module transforms the features in the real-valued template t into binary strings, which are then concatenated to form the binary template b.
Each real-valued feature has its own feature space, which is an interval   ,, cd where c and d are the minimum and maximum observed values of that feature in the training set (defined in Section 4). A quantizer is then applied to each feature space, dividing it into N equiprobable intervals to guarantee that the probability of a feature falling in any interval is the same and equal to 1/ . N According to Chen et al. [34], having the same probability mass in all intervals is beneficial for the users' privacy, as it yields independent output bits. Each interval is then associated with a binary string that is used to code a feature if its value is comprehended between the interval's boundaries. This process is illustrated in Figure 5, where a histogram containing the frequency of the 14 observed values for a given feature is represented, as well as a fitted Gaussian curve for a clearer perception of the equiprobable intervals.
where HD is the Hamming distance between the two binary strings. This condition maintains larger Hamming distances between binary strings used to encode further apart intervals, which guarantees that the distance between two real-valued features is reflected in the Hamming distance computed on the transformed binary features.
The above proposed template binarization scheme produces fixed-length binary templates with ( 1) features T num N    bits.

LDPC Decoder
The LDPC codes were first introduced by Gallager in 1962 [35], but remained unused for 30 years due to the high computational requirements. It was only with the appearance of turbo codes, in 1993, that the application of LDPC codes was made technologically possible and popularized [36].
The LDPC code is suitable for biometric systems due to its granularity and correcting power, i.e., by varying the number of parity bits used, the correcting capacity can be very finely adjusted while maintaining a steep slope curve.
This is of high importance because when used in a biometric system, the objective of an ECC is not to correct all bit errors (to avoid correcting impostor templates), but to correct binary strings with, at most, a determined bit error rate (BER). In this work, BER is defined as the bit error rate measured between two binary templates at the decoder's input side rather than the output side.
The LDPC decoding process is iterative and done by belief propagation [35].
In the proposed system, the number of iterations is limited to 20 because experiments revealed that a larger number of iterations degraded the recognition speed while not bringing significant improvements on the correcting capacity. The decoder's inputs are not the binary template and parity bits, but their associated LLR instead, which is given by: Interval   16 , bb and 7 b in Table 1. For this reason and because the probabilities are only an estimate, the value 1 is changed to 0.95 and the value 0 is changed to 0.05. As for the parity bits, they are not affected by the acquisition noise and are assumed to be uncorrupted, so the LLR is or +   if the parity bit is 1 or 0, respectively.

Enrolment
In the enrolment stage (see Figure 1), the binary template, , b is processed by the LDPC encoder, which computes a set of parity bits, , p that are stored in the template database; b is also processed by a XOR module, which computes the bitwise exclusive disjunction between b and a randomly generated binary string, w, to output a result x . This is done for two reasons: i) to guarantee that two templates from the same person are different in distinct biometric systems and ii) to ensure that if a template is compromised, a new one can be issued just by changing w.
Since w is stored in the database, it would be trivial to recover b from x and w, so x is transformed by a CHF to guarantee its privacy. The result, ( ), Hx is also stored in the database. The user's template is stored as the triplet   ,, p w H and is associated with an ID, which is an automatically generated number. The same ID is associated with the template , HG t which is stored in the hand geometry database.

Identification
The goal is to determine whether a probe binary template, , b belongs to a registered user or not (see Figure 2). First, the probe template HG t is compared to all registered templates in the hand geometry database and the similarity scores are computed using the Euclidean distance and then sorted. respective stored data and the process is repeated. If no more IDs are available, the user is not authenticated.

Experimental Results
The proposed system operates in a semi-constrained environment. The distance between the acquisition device and the user's hand must be approximately constant. Also, the background must be of a colour that contrasts with the skin. However, the user can place his hand freely within the sensor's field of view.
Recognition performance tests were carried out on two publicly available hand image databases that satisfy the abovementioned requirements: the UST [37] and GPDS [38] hand image databases. Although [37] and [38]        In Figure 7 (c), a hand geometry cumulative rank curve is presented. As expected, the smaller population in the GPDS allows better recognition results and the images also produce more reliable hand geometry features because they were acquired using a desk scanner, so the hand is placed on a stable, fixed surface. As a result, the genuine user is sorted out in the first place 85.95% of the times, against the 71.51% in the UST database. Using the hand's geometry as a soft biometric in the proposed system proves to be advantageous because it reduces the number of LDPC decoding attempts, which is a costly process. A comparison is presented in Table 3.   Figure 2).

Pre-process and
The probability estimation scheme, presented in Section 3.2, allows an LDPC decoder to achieve greater correction capability with the same amount of parity bits. In other words, an LDPC decoder requires a smaller amount of parity bits to achieve the same correction capacity as an LDPC decoder with no knowledge about the probabilities (see Figure 8).
25 is the parity-check matrix and b is the binary template. If b has length T and p length k, there are k equations and T unknowns, . Tk  Operating on a binary field, there are 2 Tk  possible solutions [42]. According to [30], the security metric in an ECC-based secure biometric system is the number of security bits, given by . Tk  Summarizing, the proposed LLR initialization method provides the system with more security, measured with the metric described above.

Conclusions and Future Work
This paper proposes a fast multimodal identification system that achieves good recognition accuracy while securing the stored data.
Feature-level fusion is used because, as mentioned in Section 2, score-level fusion is not feasible. Another commonly used fusion strategy, at the decision level, was not used in the proposed system because the recognition based on each finger is not very accurate, as shown in Figure 6. Using decision-level fusion on PP and FSF would also not be very wise, since there would be an even number of decisions. Other levels of fusion (e.g., rank-or sensor-level) are also not applicable to the proposed system [31].
The proposed database indexing technique presents some advantages over previously proposed classification and indexing methods. Unlike classification techniques, no errors are introduced in the system due to misclassification of the input image and unlike the previous indexing techniques, no candidates are excluded. If only a given number of top candidates were considered, the hand's geometry would limit the recognition accuracy. Thus, the proposed system is able to perform faster without affecting the FAR and FRR. Also, the usage of hand geometry as a soft biometric makes the system scalable because the computation of similarity scores is a fast process and, since the similarity scores are sorted, the average number of decoding attempts can be considered independent of the number of registered users.
The downside of storing hand geometry templates in the clear for fast comparisons is that it exposes some information about the user. This does not affect the proposed system because the final decision does not rely on hand geometry; however, it may compromise other biometric systems where this trait is used. In the future, this problem will be addressed.
The proposed binarization technique is a high-level and general method that can be applied to other biometric traits (e.g., face). The interval coding was specifically designed to provide a good estimate of the initial LLR value, which improves the system's security by reducing the number of parity bits that need to be stored along with the hashed version of the template.