Secure biometric image sensor and authentication scheme based on compressed sensing

Hiroyuki Suzuki,1,* Masamichi Suzuki,1 Takuya Urabe,1 Takashi Obi,1 Masahiro Yamaguchi,2 and Nagaaki Ohyama1

1 Imaging Science and Engineering Laboratory, Tokyo Institute of Technology, 4259 Nagatsutacho, Midori, Yokohama, Kanagawa 226-8503, Japan

2 Global Scientific Information and Computing Center, Tokyo Institute of Technology, 2-12-1-I7-6 O-okayama, Meguro-ku, Tokyo 152-8550, Japan

*Corresponding author: [email protected]

Received 20 August 2013; accepted 8 October 2013; posted 24 October 2013 (Doc. ID 196076); published 20 November 2013

It is important to ensure the security of biometric authentication information, because its leakage causes serious risks, such as replay attacks using the stolen biometric data, and also because it is almost impossible to replace raw biometric information. In this paper, we propose a secure biometric authentication scheme that protects such information by employing an optical data ciphering technique based on compressed sensing. The proposed scheme is based on two-factor authentication, the biometric information being supplemented by secret information that is used as a random seed for a cipher key. In this scheme, a biometric image is optically encrypted at the time of image capture, and a pair of restored biometric images for enrollment and verification are verified in the authentication server. If any of the biometric information is exposed to risk, it can be reenrolled by changing the secret information. Through numerical experiments, we confirm that finger vein images can be restored from the compressed sensing measurement data. We also present results that verify the accuracy of the scheme. © 2013 Optical Society of America OCIS codes: (100.0100) Image processing; (100.4998) Pattern recognition, optical security and encryption; (200.0200) Optics in computing; (200.4560) Optical data processing. http://dx.doi.org/10.1364/AO.52.008161

1. Introduction

It is widely believed that biometric information could provide convenient and reliable user authentication. There is no possibility of forgetting secret information such as a password, and no equipment is needed to identify oneself. In addition, it is difficult to masquerade or forge biometric data. However, there is a critical problem in that the enrolled biometric data (known as a biometric template) is impossible to change following its leakage. To solve this problem, new technologies such as biometric template protection [1–6] have been attracting extensive attention.

Typical examples include cancelable biometrics [1,2], which enable the biometric template to be changed repeatedly by transforming it with some “helper data,” and biometric cryptosystems [3–5], which can generate a cryptographic key from a biometric feature. The above studies have only proposed algorithms for protecting the biometric information; that is, they do not consider threats that may occur while the raw biometric information acquired by a biometric sensor is being transformed into the hidden data. It is important to enhance resistance against these threats, because they are becoming increasingly frequent, and cracking techniques are becoming ever more sophisticated.

20 November 2013 / Vol. 52, No. 33 / APPLIED OPTICS 8161

Meanwhile, a novel signal processing technique known as compressed sensing (CS) [7] has recently been studied. In CS, the original signal, which is assumed to be sparse or transformable into a sparse signal, can be reconstructed from small amounts of measurement data by employing an L1 norm minimization. Based on the principle of CS, a compressive imaging (CI) system, consisting of a digital micromirror device (DMD) for generating random intensity patterns and a photodetector instead of an image sensor, has been proposed [8]. Its ability to restore a good quality object image from small amounts of measurement data has also been demonstrated.

CS is applicable to data ciphering, in which the observation matrix is used as a cipher key [9]. In the CI system, the observation matrix indicates the series of random intensity patterns generated by a DMD. In the case where a biometric feature is captured by the CI system, the biometric data can be obtained as hidden information for people who do not know the observation matrix, and these data can be altered by changing the observation matrix of the CI system. This means that the CI system can capture cancelable biometric data. Furthermore, the CI system makes it possible to optically transform the biometric feature into cancelable biometric data without capturing the raw biometric features. If a raw biometric image is not used as electronic information, but exists only as optical information, the biometric feature can be preserved more securely. This is because there is little risk of optical information being read, whereas digital data in electronic devices are inevitably exposed to a number of security risks. Therefore, the direct optical capture of cancelable biometric data could contribute to more secure biometric authentication. In this paper, we investigate the feasibility of a CI system targeting finger vein images and propose a cancelable vein authentication scheme based on CS.

2. Finger Vein Image Restoration Using Compressed Sensing

Suppose that an object represented by an N-dimensional signal $x = (x_1, \ldots, x_N)^T$ is observed by the CI system shown in Fig. 1. A DMD generates M kinds of random binary patterns, and an M-dimensional vector $y = (y_1, \ldots, y_M)^T$, which indicates the series of intensity values of the light reflected by the DMD and detected by a photodetector, is obtained as measurement data.

Fig. 1. CI system for capturing finger vein patterns.

Then, y is expressed as follows:

$$y = \Phi x, \tag{1}$$

where Φ denotes the observation matrix of the CI system. This matrix consists of an M × N binary random number sequence. Each row denotes the random pattern exhibited in the DMD. In order to restore the objective signal x from the measurement data y, M ≥ N is required in general. However, with a signal reconstruction technique based on CS, even the case M < N can be solved with a high probability if the objective signal can be transformed into a sparse one using a linear transform, as follows:

$$s = \Psi x, \tag{2}$$

where Ψ denotes the linear transform operator. Using Eq. (1) and Eq. (2), we derive

$$y = \Phi \Psi^{-1} s, \tag{3}$$

where $\Psi^{-1}$ is the inverse linear transform operator. The estimated solution of the sparse vector s can then be obtained by means of minimizing its L1 norm, that is,

$$\text{minimize } \|\hat{s}\|_1 \quad \text{subject to } y = \Phi \Psi^{-1} \hat{s}, \tag{4}$$

where $\hat{s}$ denotes the estimated vector of s. It is well known that L1 norm minimization can be solved by employing linear programming methods. Thus, the estimated objective signal $\hat{x}$ can be obtained as follows:

$$\hat{x} = \Psi^{-1} \hat{s}. \tag{5}$$

Considering the possibility of transforming a finger vein image into a sparse signal, the spatial frequency components of finger vein images tend to be concentrated in low-frequency regions, because the majority of finger vein patterns are not as complicated as fingerprints or facial images. Therefore, it is anticipated that a finger vein image can be transformed into a sparse signal by employing an orthogonal transformation, such as a cosine or wavelet transform. In addition, as almost all finger vein images have a similar spatial frequency distribution, the coefficients of the principal component analysis (PCA) or the Karhunen–Loève (KL) transform dominate over the very-low-order bases. Eigenfaces [10] are a well-known example of a biometric image being expressed with very few PCA coefficients. Therefore, we employ a two-dimensional discrete cosine transform (2D-DCT), two-dimensional discrete wavelet transform (2D-DWT), and the KL transform (KLT) as linear transforms for reconstructing vein images in the CI system.
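An added example, not code from the paper: Eqs. (1)–(5) carried through for a constructed one-dimensional signal, with the seed-derived binary Φ acting as the key, so that restoration with the enrolled seed can be compared against restoration with a different seed. The sizes, the seeds, the orthonormal DCT used as Ψ, and all function names are assumptions chosen for illustration; it relies on NumPy and SciPy.

```python
import numpy as np
from scipy.fft import idct
from scipy.optimize import linprog

N, M = 128, 64  # constructed sizes: signal length N, measurements M < N


def observation_matrix(seed, m=M, n=N):
    """Phi: m x n binary random patterns (one DMD pattern per row), derived from the secret seed."""
    return np.random.default_rng(seed).integers(0, 2, size=(m, n)).astype(float)


def inverse_basis(n=N):
    """Psi^{-1} for an orthonormal DCT; column k is the k-th cosine basis vector."""
    return idct(np.eye(n), axis=0, norm="ortho")


def restore(y, seed):
    """Eq. (4) as a linear program, then Eq. (5): x_hat = Psi^{-1} s_hat."""
    psi_inv = inverse_basis()
    a = observation_matrix(seed, m=len(y)) @ psi_inv  # Phi Psi^{-1}
    n = a.shape[1]
    # Split s = u - v with u, v >= 0, so ||s||_1 = sum(u) + sum(v) at the optimum.
    res = linprog(c=np.ones(2 * n), A_eq=np.hstack([a, -a]), b_eq=y,
                  bounds=(0, None), method="highs")
    if res.status != 0:
        raise RuntimeError(f"L1 minimization failed: {res.message}")
    s_hat = res.x[:n] - res.x[n:]
    return psi_inv @ s_hat


def ncc(f, g):
    """Zero-shift normalized cross correlation between two signals."""
    f, g = f - f.mean(), g - g.mean()
    return float(f @ g / np.sqrt((f @ f) * (g @ g)))


def demo(enrolled_seed=2013, wrong_seed=4242):
    # Constructed stand-in for a vein profile: energy in six low-frequency DCT coefficients.
    rng = np.random.default_rng(0)
    s = np.zeros(N)
    s[:6] = rng.uniform(1.0, 3.0, size=6) * rng.choice([-1.0, 1.0], size=6)
    x = inverse_basis() @ s
    y = observation_matrix(enrolled_seed) @ x  # Eq. (1): what leaves the sensor
    return ncc(x, restore(y, enrolled_seed)), ncc(x, restore(y, wrong_seed))


if __name__ == "__main__":
    good, bad = demo()
    print(f"NCC with enrolled seed: {good:.4f}")
    print(f"NCC with wrong seed:    {bad:.4f}")
```

With the enrolled seed the signal is recovered from half as many measurements as samples; with any other seed the linear program is still feasible but its solution is unrelated to the original signal.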

Fig. 2. Diagram of the proposed vein authentication system.

3. Vein Authentication Scheme

Figure 2 shows a diagram of the proposed system for finger vein authentication. In this system, we assume that the authentication server is sufficiently reliable to store data securely and conduct its operations as intended. That is, the leaking of data or execution of a malicious code cannot happen in the authentication server.

In the enrollment procedure, a finger vein image is captured with the CI system. The CS measurement data are stored in the biometric template repository, which is installed in the authentication server. In this case, the random patterns exhibited on the DMD are generated according to a random seed, which is treated as secret information that only authorized persons can access. It can be supposed that the random seed is memorized by the user or stored in some media such as an IC card.

In the verification procedure, the CS measurement data of the user’s finger vein image are obtained, and her/his secret information is used to generate random patterns on the DMD. The CS measurement data and the secret information are then sent to the authentication server. In order to verify whether the user is an authorized person, the finger vein image taken for verification and that used for enrollment are restored from the corresponding CS measurement data with her/his secret information. Subsequently, the restored finger vein images are verified by calculating their similarity. If both the finger vein image and the secret information are provided correctly, the same vein images are restored and the user is authorized.

The proposed system is effective for biometric template protection, because the measurement data are encrypted when they are captured as electronic information and the raw vein image can only be restored in the authentication server. Moreover, if the biometric template is leaked, it can be altered by changing the secret information. Meanwhile, if the CS measurement data and the secret information are simultaneously obtained by an unauthorized person, then there is a chance that the finger vein image will be revealed. To prevent this, the CS measurement data and the secret information must be sent through different channels from the sensor device to the authentication server.

4. Numerical Experiments

A. Linear Transform of a Finger Vein Image into a Sparse Signal

It is known that CS can reconstruct an objective signal in the ill-conditioned case if the objective signal can be made sparse via a linear transform. As described in Section 2, we employ three linear transforms (2D-DCT, 2D-DWT, and KLT) for the CS reconstruction. For 2D-DWT, the Haar wavelet is employed, and for the KLT basis vectors, we use 218 finger vein images captured from 10 fingers. Figure 3 shows the cumulative contribution ratio of KLT, and Figs. 4(a)–4(c) show the first- to third-order KLT basis vectors. These results show that the contribution ratio of KLT is not concentrated in the very-low-order (first to third) bases. Here, we investigate whether each linear transform is able to transform a finger vein image into a sparse signal. Figures 5(b)–5(d) show the coefficients obtained by transforming the vein image shown in Fig. 5(a). These graphs indicate that a finger vein image can indeed be transformed into a sparse signal and the signal estimation described in Eq. (4) can be employed.

Fig. 3. Cumulative contribution ratio of the KLT generated from 218 vein images.

Fig. 4. Basis images and contribution ratios for KLT (CR, contribution ratio). (a) First order, CR = 32.1%, (b) second order, CR = 22.7%, and (c) third order, CR = 11.1%.

Fig. 5. Coefficients of linear transforms. (a) Original finger vein image, (b) 2D-DCT (upper left is low frequency), (c) 2D-DWT (upper left is low frequency), and (d) KLT (x axis is order of KLT basis).

B. Vein Image Restoration from CS Measurement Data

We can conduct numerical experiments to restore finger vein images from CS measurement data by employing the signal reconstruction technique described in Section 2. In addition, the relation between the restoration accuracy of the finger vein image and the number of CS measurement data can be investigated. In this experiment, we use pseudo-measurement data that are generated numerically using finger vein images acquired with a commercial finger vein sensor (FDV-570, provided by Fit Design System Co., Ltd). The image size is 64 × 256 [pixels]. Figure 6 shows the restored vein images with a correct observation matrix Φ for 200, 400, 800, and 1600 CS measurement data. 2D-DCT, 2D-DWT, and KLT are employed as the linear transform Ψ in Eq. (2). By way of comparison, restored vein images with L2 norm minimization are also shown. In the case of L1 norm minimization, we can see that the finger vein pattern can be restored with fewer measurement data than the original image size, whereas L2 norm minimization cannot restore the finger vein pattern at all with a similar number of measurement data. Figure 7 illustrates the restoration accuracy calculated as a maximum value of the normalized cross correlation (NCC) between the original and restored vein images depending on the number of CS measurement data. The NCC is expressed as follows [11]:

$$\mathrm{NCC}(p,q) = \frac{\sum_{j=0}^{L_y}\sum_{i=0}^{L_x} \{\hat{f}(i-p,\, j-q) - \mu_{\hat{f}}\}\{f(i,j) - \mu_f\}}{\sqrt{\sum_{j=0}^{L_y}\sum_{i=0}^{L_x} \{\hat{f}(i,j) - \mu_{\hat{f}}\}^2}\;\sqrt{\sum_{j=0}^{L_y}\sum_{i=0}^{L_x} \{f(i,j) - \mu_f\}^2}}, \tag{6}$$

where $\hat{f}(i,j)$ and $f(i,j)$ denote a restored finger vein image and an original finger vein image, $\mu_{\hat{f}}$ and $\mu_f$ are the average values of $\hat{f}(i,j)$ and $f(i,j)$, respectively, and $L_x$ and $L_y$ are the horizontal and vertical image sizes.

The results can be summarized as follows. In the region where the number of CS measurement data is less than about 2500, KLT restores the image with higher quality than 2D-DCT and 2D-DWT. This phenomenon is most apparent below 1000 pieces of data, where the finger vein pattern is barely recognizable in the images restored using 2D-DCT and 2D-DWT. Once 1600 or more pieces of CS data are used, a finger vein pattern is recognizable with any linear transform. However, in the case of using an incorrect observation matrix, a random pattern similar to stationary white noise is obtained, as shown in Fig. 8.

Fig. 6. Restored finger vein images with the correct measurement matrix.

Fig. 7. Accuracy of restored vein images depending on the number of CS measurement data. Each point denotes the average of the NCC maximum values, and each bar denotes the range of values.

C. Verification

In order to evaluate the verification accuracy of the proposed system, we carry out two experiments. The first deals with the case where an impostor knows the correct observation matrix Φ for genuine verification, and the second corresponds to the case where an impostor does not know the observation matrix, instead using their own Φ for verification. In our study, evaluation of the former case is named “biometric performance testing” (BPT) and the latter is called “total performance testing” (TPT). TPT indicates an evaluation for the proposed two-factor authentication system (finger vein image and secret information Φ), whereas BPT only evaluates the identification performance using the finger vein image.

Finger vein images are captured with the same sensor, and at the same resolution, as described in Section 4.B. Ten people provided five finger vein images of each of their fingers, giving a total of 500 finger vein images in the experiments. In the genuine verification, one finger vein image is used for enrollment and the other four images are used for verification, making a total of 100 attempts. In the impostor verification, a total of 2250 attempts are conducted using other people’s finger vein images. As the criterion for verification, we employ the NCC between the restored vein images and calculate the false rejection rate (FRR) of the genuine verification attempts and the false acceptance rate (FAR) of the impostor verification attempts. In order to increase the verification accuracy, the Fourier transforms of the finger vein images are clipped around the low-frequency region, giving 4 × 16 [pixel] images that are used for verification. In addition, we can draw receiver operating characteristic (ROC) curves, in which each point is plotted according to its FRR (x axis) and FAR (y axis) with a given threshold value. Equal error rates (EERs), where an FRR corresponds to an FAR, are obtained from the ROC curves.

Figure 9 and Fig. 11 show ROC curves for BPT and TPT, respectively, and Fig. 10 and Fig. 12 show the EER depending on the number of CS measurement data in BPT and TPT, respectively. In the BPT, when the number of CS measurement data is less than about 400, KLT obviously exhibits a better performance than the other transforms. From around M = 400, however, the relative performance of KLT is almost the same as that of 2D-DCT, even though KLT is able to restore a finger vein image with better quality than 2D-DCT, as shown in Fig. 6. This result indicates that even if an impostor tries to restore her/his finger vein image from her/his CS measurement data using KLT, the restored finger vein image becomes more similar to the genuine finger vein image than that using 2D-DCT. This is because a finger vein image restored with KLT using a similar number of CS measurement data is comprised of a few basis components common to all kinds of finger vein images. In the case of more than about 1600 pieces of CS data, the EER converges to around 6%–7% for each of the linear transforms. Such verification accuracy is not as good as that of the potential finger vein pattern, so there is still room for improvement in the method of finger vein verification. Under TPT, except when fewer than 800 data are used, EER is approximately zero for each of the linear transforms. This result indicates that the proposed system has sufficiently good performance in terms of its two-factor authentication.

Fig. 8. Restored finger vein images with an incorrect measurement matrix, calculated from 2400 pieces of CS measurement data. In this case, random patterns like stationary white noise are obtained. (a) 2D-DCT, (b) 2D-DWT, and (c) KLT.

[ROC plot panels: FRR [%] on the x axis, FAR [%] on the y axis, curves for 2D-DCT, 2D-DWT, and KLT]

Fig. 9. ROC curves from BPT. (a) M = 50, (b) M = 100, (c) M = 200, (d) M = 400, (e) M = 800, (f) M = 1600.

Fig. 10. EER depending on the number of CS measurement data in BPT.

Fig. 11. ROC curves from TPT. (a) M = 50, (b) M = 100, (c) M = 200, (d) M = 400, (e) M = 800, (f) M = 1600.

Fig. 12. EER depending on the number of CS measurement data in TPT.

5. Conclusion

We have proposed a CS-based cancelable biometric authentication scheme. In this method, a finger vein image is optically encrypted using a CI system at the time of image capture, and the raw finger vein image can only be restored in the authentication server. For such optical encryption, double random phase encoding (DRPE) [12] and ghost imaging (GI) [13] are well-known approaches. Compared with these techniques, the CI system is superior in that it allows us to use incoherent light, whereas DRPE and GI must use coherent light and its interference. In a series of numerical experiments, we investigated the verification performance of the proposed scheme and showed that it had reasonable verification accuracy.

However, there are some problems that must be solved prior to the scheme’s practical application. One major problem is that a finger vein image needs to be restored in the authentication server. That is to say, if the administrator of the authentication server were acting maliciously, or did not manage the authentication operation appropriately, there would be a risk of the vein image being leaked. Breebaart et al. also reported that cancelable biometric authentication schemes should have some degree of “irreversibility,” that is, biometric feature data for cancelable biometric authentication should be transformed into irreversible information by employing encryption or a one-way function [14]. In future work, we will improve the proposed scheme to enable the verification of biometric features without restoring raw biometric images. Moreover, the security of the proposed method has not been sufficiently analyzed. We should thus conduct a security analysis under a practical use case.

References

1. N. K. Ratha, J. H. Connell, and R. M. Bolle, “Enhancing security and privacy in biometrics-based authentication systems,” IBM Syst. J. 40, 614–634 (2001).
2. S. Hirata and K. Takahashi, “Cancelable biometrics with perfect secrecy for correlation-based matching,” ICB ’09 Proceedings of the Third International Conference on Advances in Biometrics, LNCS 5558 (2009), pp. 868–878.
3. A. Juels and M. Wattenberg, “A fuzzy commitment scheme,” in Proceedings of the ACM Conference on Computer and Communications Security (1999), pp. 28–36.
4. A. Juels and M. Sudan, “A fuzzy vault scheme,” in IEEE International Symposium on Information Theory (2002).
5. H. Suzuki, M. Yamaguchi, M. Yachida, N. Ohyama, H. Tashima, and T. Obi, “Experimental evaluation of fingerprint verification system based on double random phase encoding,” Opt. Express 14, 1755–1766 (2006).
6. J. K. Pillai, V. Patel, R. Chellappa, and N. Ratha, “Secure and robust iris recognition using random projections and sparse representations,” IEEE Trans. Pattern Anal. Mach. Intell. 33, 1877–1893 (2011).
7. E. J. Candès and M. B. Wakin, “Introduction to compressive sampling,” IEEE Signal Process. Mag. 25(2), 21–30 (2008).
8. M. B. Wakin, J. N. Laska, M. F. Duarte, D. Baron, S. Sarvotham, D. Takhar, K. F. Kelly, and R. G. Baraniuk, “An architecture for compressive imaging,” Proceedings of the International Conference on Image Processing (ICIP) (2006).
9. Y. Rachlin and D. Baron, “The secrecy of compressed sensing measurements,” in IEEE 46th Annual Allerton Conference on Communication, Control, and Computing (2008), pp. 813–817.
10. L. Sirovich and M. Kirby, “Low-dimensional procedure for the characterization of human faces,” J. Opt. Soc. Am. A 4, 519–524 (1987).
11. R. C. Gonzalez and R. E. Woods, Digital Image Processing, 3rd ed. (Addison-Wesley, 1992).
12. P. Refregier and B. Javidi, “Optical image encryption based on input plane and Fourier plane random encoding,” Opt. Lett. 20, 767–769 (1995).
13. P. Clemente, V. Durán, V. Torres-Company, E. Tajahuerce, and J. Lancis, “Optical encryption based on computational ghost imaging,” Opt. Lett. 35, 2391–2393 (2010).
14. J. Breebaart, B. Yang, I. Buhan-Dulman, and C. Busch, “Biometric template protection: the need for open standards,” Datenschutz Datensicherheit 33, 299–304 (2009).
