오류정정부호의 응용 편집위원 : 송홍엽(연세대)

Error Correction Codes for Biometric Cryptosystem:

An Overview
Andrew Beng Jin Teoh, Jaihie Kim
Yonsei University

Abstract messages so that two or more persons can communicate

in a way that guarantees to meet the desired subset of

In cryptographic applications, the key protection is the following four goals - confidentiality, data integrity,

either knowledge-based (passwords) or possession-based authentication and non-repudiation [1]. However, there
are some practical problems associated with the use of
(tamper-proof device). Unfortunately, both approaches
cryptosystem since the current methods authenticate
are easily forgotten or stolen, thus introducing various
the key instead of the user. The need for a proper and
key management issues. By incorporating biometrics
reliable key management mechanism is required in
technologies which utilize the uniqueness of personal
order to confirm that the listed keys actually belong
characteristics, the security of cryptosystems could
to the given entities. Currently, a manual method of
be strengthened as authentication now requires the
authentication using identification card, company number
presence of the user. Biometric Cryptosystem (BC)
or license, is required for enrolment of public keys. In
encompasses the design of cryptographic keys protection
addition, the security depends on the large size of a
methods by incorporating biometrics. BC involves
cryptographic secret key generated, and it is not feasible
either key-biometrics binding or direct key generation
to require user to remember such a long key. Thus a
from biometrics. However, the wide acceptance and
simple password is still required for key encryption which
deployment of BC solutions are constrained by the
in turn leads to continuing potential hacker attack on the
fuzziness related with biometric data. Hence, error
password to retrieve the cryptographic keys.
correction codes (ECCs) should be adopted to ensure
Biometrics is the science of using unique human
that fuzziness of biometric data can be alleviated. In
characteristics for personal authentication based on a
this overview paper, we present such ECC solutions
person’s biological and behavioral characteristics[2].
used in various BCs. We also delineate on the important
Biological biometrics includes fingerprint, retina, face and
facts to be considered when choosing appropriate ECCs
iris features and the behavioral biometrics such as typing
for a particular biometric based solution from accuracy
dynamic, signature and voice etc. Traditionally, biometrics
performance and security perspectives.
based authentication for access into systems has always been
yes/no decision-based depending on how “close” the test
biometrics is to a stored template as shown in <Figure 1>.
I. Introduction The template is usually obtained from the user during
enrolment and is usually stored in a local or server-side
With widespread information exchange and access storage. For local storage, normally a password is required
to resources over public network, cryptography has for release of the template while for some challenge-
become an important and necessary mechanism for response protocol needs to be in place to enable secure
secure channel access and authentication. The aim exchange of the biometric template. The decision of how
of cryptography is to provide secure transmission of “close” the test biometrics is to the template is determined

JUNE·2015 | 39
 주제 | Error Correction Codes for Biometric Cryptosystem: An Overview

an individual can vary during each capture due to

acquisition noise and environmental condition. While
providing evidence to the fact that biometric data cannot
be encrypted simply as in cryptography. It is necessary
to incorporate error tolerant mechanisms such as Error
Correction Code (ECC) when dealing with biometric data
to address the effect of noisy biometric inputs [6].
Figure 1. Conventional Biometric Authentication ECCs are commonly used to correct the errors in
messages that are sent over noisy communication
empirically and entails tuning of a threshold.
channels. ECCs can be defined as a set of codewords C,
Biometrics and cryptography have two very different
where each codeword c∈C represents an n-bit sequence
objectives. The former is continuous and stochastics in
in which the k bit messages m∈M (n>k) are mapped to
nature, and its acceptance and rejection are governed
before transmission. The (n−k) bits are dubbed as parity
by some empirically trained threshold. In contrast to
bits which used to restore the transmitted codeword
biometrics, cryptography is discrete, and authentications from a corrupted received codeword. Denote size of error
are based on what is personally known like password correcting capability as t, this implies that c can correct
and keys held in possession. Biometrics takes into up to t errors, subject to the minimum distance of any
consideration the physical presence of the user but two codewords in C is at least 2t+1. An analogy can be
however, suffers from permanently loss if compromised. established between the noisy communication channels
On the other hand, cryptography has been used widely and the fuzzy biometric system whereby biometric data
for securing transactions and access into systems without can be perceived as corrupted codewords [6]. Several
authenticating the physical presence of the user, and widely deployed ECCs in BC systems are Reed Solomon
the keys used are replaceable. Both biometrics and (RS) Codes [7], Hadamard Codes [8], Binary Bose-
cryptography are highly complementary, hence the Chaudhuri-Hocquenghem (BCH) Codes [9], Low-Density
motivation for their integrated application: Biometric Parity-Check (LDPC) Codes [10], Turbo Codes [11] or
Cryptosystems (BC) [3]. their combinations [8]. The choice of an ECC is one of the
The notion of BC was first put forward in the mid- most crucial elements of BC scheme. The ECC must be
90s by Tomko et al [4] and also dubbed as “Biometric able to remove the noise of biometric data, yet secure, i.e.
Encryption” [5]. BC either securely bind a digital key to a not leaking information to an adversary.
biometrics, or generate a digital key from the biometrics , In this paper, we outlined such ECC solution used in
so that no biometric data is stored. What is stored is a BC while explaining how they are deployed in several
piece of data coined as helper data. In general, helper instances of BC. We will discuss the vital role of ECC
data should be computationally difficult to retrieve either plays in BC from accuracy performance and security
the key or the biometrics. That is, helper data should perspectives.
leak no or minimal information about key or biometrics.
The key is recreated only if the correct biometric data is
presented on verification. In literature, several dominant II. Various ECCs Enabled Biometric
instances of BC are fuzzy vault, fuzzy commitment, Cryptosystems
secure sketch, fuzzy extractor etc.
However, the popularity of BC solutions are somewhat
limited by the stochastics nature that associated with
1. Fuzzy Commitment
biometric data. For example, biometric data from The fuzzy commitment scheme of Juels and Wattenberg

40 | 정보와 통신
 주제 | Error Correction Codes for Biometric Cryptosystem: An Overview

[13] is inspired from extension of a cryptographic bit fingerprint [12] etc. An early practical work of
commitment [14] but it allows some variability in the applying fuzzy commitment scheme on iris biometrics
committed value via ECCs notion. In a bit commitment is demonstrated by Hao et al [8]. The authors used a
scheme, a sender commits an encrypted version of x combination of two ECCs, namely Hadamard and Reed-
bit, denote enc(x), an encrypted version of x, in such a Solomon. The 2048-bit iris template is segmented into
way that the receiver unable to determine the true value 32 blocks of 64 bits each. The blocks are the codewords
from the encrypted commitment. Bit restoration is only of the (64, 7) Hadamard ECC which outputs a 7-bit word
possible if sender can validate that enc(x) is an encrypted and can correct at least 15 random bit errors. The second
version of x. On the other hand, the commitment cannot ECC, Reed-Solomon code, removes the remaining block
be de-commited by anyone else since the transformation level (burst) errors. It works with the 7-bit words, so
of x to enc(x) is only recognized to the sender. that 32 words decode 20 output words, thus producing a
In biometric cryptosystem context, Juels and 140-bit key. The (32, 20) Reed-Solomon ECC can correct
Wattenberg proposed a way of committing a bit string up to 6 erroneous 7-bit words. Despite Hao et al work

c which is an encoded version of digital key by using depicts very promising results with low variability of iris

ECCs. Denote a set of n bit codewords C with a minimum data. However, when it was evaluated to the challenging

distance among them of at least 2t+1 and a same size ICE database, the key recovery rate is devastatingly

biometric witness b. Then the fuzzy commitment, (d, deteriorated [15]. Subsequently, Bringer et al [15]
proposed an ECC which is a product of two Reed-Muller
h(c)) where, d = cXORb, cC, and h(c) is a one-way
ECCs, (64, 7) and (32, 6), and iterative soft decoding.
hashed version of c. Ideally, the commitment does not
This ECC significantly improved the accuracy of the fuzzy
reveal information on the biometric data, since h(c) is
commitment scheme. Other works follows the same line
a secure one-way function. In order to de-commit (d,
of idea can be found in [16]-[18].
h(c)), it is necessary to produce a biometric trait b’ which
Fuzzy commitment is also particularly suitable for
is sufficiently close to b such as the hamming distance
face biometrics as facial feature is typically presented in
between b’ and b, Hm(b’, b)≤t. In key production
ordered feature vector form that can be easily binarized
stage, we perform c’ = dXORb and if h(c) = h(c’), c
[19]-[21]. BCH codes, which are used for bit level error
will be decoded and a digital key k will be released else
correction, are usually opted due to its simplicity.
the process is terminated. The progression of fuzzy
BCH codes have been used also by Tuyls P. et al.
commitment can be found in <Figure 2>.
[22] in developing a fuzzy commitment scheme which
Fuzzy commitment scheme is commonly applied to
concatenates two fingerprint texture vectors namely
biometric data that is represented in binary ordered
squared directional field and a finger-code obtained
vector form such as iris [8], face [9], texture based
through Gabor filtering.

2. Fuzzy Vault
Fuzzy vault is introduced by Juels A. et al. [23] which
was inspired from the Shamir’s secret sharing scheme.
Fuzzy vault admits non-exactly ordered biometric
representation such as minutiae-based fingerprint thus
complement fuzzy commitment that incapable to handle
this type of biometric data. The security of fuzzy vault
relies completely upon the polynomial reconstruction
Figure 2. Fuzzy Commitment Scheme problem.

JUNE·2015 | 41
 주제 | Error Correction Codes for Biometric Cryptosystem: An Overview

Let consider a digital key k, and during vault query fingerprint image, quantized and coded to create
construction it is encoded into coefficients of a polynomial a set of 16 bit string {r’ i|i=1,…,n’} which are to be
P of degree d. Then, the vault V is constructed by used in polynomial reconstruction. Then, the subset of
projecting a user specific n element biometric set into points that lie in both r’i and sj which is the abscissa
the polynomial while including c element chaff set which of V is determined. Assuming q number of such points
does not lie on P. Furthermore, the k is restored through have been found {(ri, si)|i = 1, 2, ..., q}; they are then
polynomial reconstruction after identifying possible d+ divided into all possible (d +1) combinations, since (d+1)
1 out of n original points by presenting the biometric set unique projection are required to decode a polynomial of
during key production stage. degree d. Thereafter, for each such (d+1) pair Lagrange
At enrolment, the secret message (or digital key in our interpolation polynomial is retrieved as well as from
context), k is encoded into coefficients of a secret sharing the coefficients the possible kc’. Then, the polynomial
polynomial P(x) of degree d. The genuine shares are corresponding to kc’ is divided by h(x) to evaluate the
represented as point (x, y=P(x)) with x being element CRC checksum and if the remainder is zero, no errors in
in biometric set, and are collectively known as genuine kc’ to be assumed. Finally, the k can be recovered from
set G and |G|=n. Then, another set of chaff points, (a, kc’ by removing the bits corresponding to the checksum.
b)∊C, which does not lie on P(x) is generated randomly. Thus, the digital key can only be recovered if and only
The union set of G and C forms a vault V. During key if (d+1) points of query minutiae set match with the
production stage, the k can restored through polynomial enrolled minutiae set.
reconstruction after identifying possible d+ 1 out of n Fuzzy vault security relies on the difficulty of
genuine points by presenting the biometric set. separating genuine points on the vault which lie on the
A practical fuzzy vault based on fingerprint minutiae secretly embedded polynomial. If genuine points can
set realized by [24] adopts Cyclic Redundancy Check be estimated, the digital key can be largely recovered
(CRC), an error detecting coding scheme. During from Lagrange interpolation. However, if the ordinate
enrollment, let k of 128 bits be the digital key to be values of the vault is encrypted, it would forbid the
bounded with fingerprint data. The CRC checksum of k vault decryption even having the correct set of points.
is then computed by means of 16-bit primitive generator This observation was exploited in [25] to improve the
16 15 2
polynomial h(x) = x +x +x +1. The resulting checksum CRC based fuzzy fault by incorporating it with a BCH.
is concatenated with k to generate a new key code, kc Specifically, they quantized and coded fingerprint
of 144 bits and encoded in 9 coefficients in Galois Field minutiae as afore described and then XORed with a set
GF(2 ) of a polynomial P of degree d = 8. Each minutiae
16
of BCH codewords, generated from the ordinate values of
position (x, y) of n fingerprint minutiae is then quantized the vault to compute the fuzzy commitment. Therefore,
and coded into a 16 bit value r, in which the first 8 bits key production is a two-step process of unwrapping the
represents the x coordinate while y represents the rest. fuzzy commitment and thereafter the vault [6].
Thereafter, each r is projected into P and the genuine set
3. Secure Sketch and Fuzzy Extractor
G = {(ri, P(ri))| i=1,…n} is generated. Subsequently, a
set of Chaff points C = {(aj, bj)| j=1,…,m} is produced in Unlike key binding schemes such as fuzzy vault
such a way that aj ≠ rj and bj do not lie on P. Finally, the and fuzzy commitment, Dodis et al. [26] put forward
randomized list of points in G∪C, {(rj, sj)| j=1,…,m+n} a generic model of keys extraction from biometrics
and the degree of polynomial d are kept in vault V. The and other stochastic data. The model consists of two
randomization is to conceal the information that vital for primitives, namely secure sketch and fuzzy extractor .
separating chaff and genuine points. The former addresses the problem of compensating noise
For key production, the minutiae is extracted from in biometrics, by producing a public helper data called

42 | 정보와 통신
 주제 | Error Correction Codes for Biometric Cryptosystem: An Overview

sketch SS(w) about the biometrics. Sketch is to be used a primary instance for applying of BCH codes in secure
to recover the original template w, from noisy input sketch [26]. Pin Sketch adopts (n, k, d) binary BCH code
biometrics, w’, provided both w and w’ are sufficiently where n is the number of bits in the codeword, k is the
close. The latter addresses both the problem of noise number of bits in the message while d denotes the min-
compensation, along with the problem of non-uniformity imum distance of the codewords for error correction. If
of the resulting keys. w is the n bit biometric string to be protected, the secure
The strength in the Dodis’s model is that the authors sketch SS(w) is constructed by taking the syndrome of w,
have defined the model in information-theoretic sense SS(w)=syn(w). When recovering w from a noisy biomet-
complete with the lower bound on the entropy for optimal rics w’, syn(w’) is computed and thus difference set, δ=
security. Dodis et al also elucidated the fuzzy commitment syn(w’) - syn(w) can be obtained. Then BCH decoding is
and fuzzy vault using the fuzzy extractor model for used to identify vector v such that syn(v)=δ. If Hm(w’,
Hamming metric (binary vector form) and set difference w)≤(d−1)/2, w can be recovered by calculating w’+v.
(unordered point set), respectively, and could verify the where Hm( , ) is Hamming distance [6].
security ie. entropy lost via information theory. The model
Lastly, Reed-Solomon (RS) codes have also been de-
would not be directly applied to continuous metric though
ployed in secure sketch that admits fuzzy vault. Let
as with the model in Tuyls and Goseling [28], instead, a
w= {wi|i=1,…,n} be n minutia of fingerprint. Then, w is
quantization process is required to convert a continuous
projected into a polynomial P of degree at most (s-t-1)
feature vector into a discrete/binary vector form.
to compute s pairs V={(wi, P(wi))|i=1,…,s}. Finally the
In general, four variants of secure sketch construction
secure sketch SS(w) is generated by adding (r-s) chaff
are discussed in [26]. For code-offset secure sketch
points to V that do not lie on the polynomial. In order to
implementation, we consider a set of n bit codewords
reconstruct the w from SS(w) and w’, first the points xi
C with a minimum distance at least 2t+1 and a binary
w1 that also lie in SS(w) must be identified. Then, RS de-
biometric vector w of the same size. They have defined
coding can be performed to restore the P and hence the w.
the shift needed to get the codeword c from w as a secure
As aforementioned, fuzzy extractor belongs to one of
sketch of w, SS(w) = cXORw. It is possible to recover
the primitives in Dodis’s key extraction model [26]. The
w from w’ if the dis(w, w’) ≤ t where t is a threshold
fuzzy extractor consists of a secure sketch and a strong
value. The recovery process requires the computation
extractor. During enrollment, output of the strong ex-
of c’ = SS(w)XORw’ and decode c’ to get c to generate
tractor with a biometric input w generates the uniformly
w through SS(w)XORc eventually. A realization in face
biometrics can be found in [29]. random string R while the output of the sketch is stored

In addition, code-offset secure sketch can be extended as a helper data (similar to SS(w)) that publicly avail-

to a syndrome based secure sketch in which SS(w) is re- able. During authentication, the helper data along with

defined as the syndrome of w, syn(w) = Gw, where G a close enough noisy input w’ could recover the R. The
is the parity check matrix. The sketch can be restored vital characteristic of such fuzzy extractor is that the R
by w’ and SS(w) by solving the unique error vector will not be stored; instead they are generated on-the-fly
e with hamming weight ≤ t, such that syn(e) = syn- when required via w’ which is sufficiently close to w.
(w’)XORSS(w) and hence w = w’XORe. A practical Similar to secure sketch, fuzzy extractor admits both
implementation dubbed fuzzy syndrome hashing is ordered binary feature vector and unordered point set bio-
demonstrated in [10] whereby syndromes of Low- metrics such as iris, face, handwritten signature finger-
Density Parity-Check (LDPC) codes are adopted for error print etc. A handful realizations of fuzzy extractor include
correction on iris features. [31]-[34] in which they mostly applied on fingerprint mi-
Another variant of secure sketch, coined Pin Sketch is nutia, iris and combination of multiple biometrics.

JUNE·2015 | 43
 주제 | Error Correction Codes for Biometric Cryptosystem: An Overview

4. Others codes indeed provide a powerful mechanism to cope

with variations in biometric data. Quantitatively, the
Vetro et al. [35] proposed a secure sketch alike
performance of biometric cryptosystems is commonly
biometric cryptosystem based on distributed source
quantified via indicators such as False Acceptance rate
coding. A Slepian-Wolf framework is used to store a
(FAR) and False Rejection Rate (FRR). The FAR is the
secured biometric template during enrollment stage
probability that the biometric system will incorrectly
and recover the template at authentication stage. They
accept an unauthorized user. Likewise, the FRR is the
demonstrated to use LDPC codes in combination with a
probability that an authorized user is rejected. FAR/FRR
hash function to provide secure iris template storage.
is a trade-off and largely rely on the error correction
Santos et al. [36] follow same line of design as in [35]
capability with respect to bit error rate (BER) of the
and put forward a universal mask which selects only the
underlying ECCs used in the system. The error correcting
5142 most reliable bit positions of the 9600 bits in the iris
capability must be sufficiently good to distinguish
templates to enhance the security of the system.
between intra-class and inter-class variability. Thus,
On the other hand, Nagar et al. [37] and Sutcu et al. [38]
before deciding on an ECC scheme it is vital to examine
developed secure fingerprint systems by using syndromes
the genuine and imposter distance distribution, which
of LDPC codes. In their systems, fingerprint minutiae
respectively reflect intra-class and inter-class variability
maps are transformed into binary vectors which are
of the considered biometric information[40].
suitable for LDPC coding. Syndromes obtained via LDPC
Linear codes such as BCH, Hadamard, RS, LDPC
coding of these binary vectors serve as secure biometrics.
and their combinations were largely explored in the
On top of providing very low false accept rates and low
literature [7]-[12],[16]-[22],[25],[29],[31]-[34],[36],[38].
false reject rates, the design ensures that distributed
Unfortunately, these linear codes are inflexible[30].
biometric coding is information-theoretically secure.
Firstly, the application of linear block codes requires
A turbo code enabled keys extraction scheme that
binary biometric vector having the same size of
inspired by the code-offset sketches, along with
the employed codewords, thus some bits have to be
constellation modulation is proposed recently[39]. The
discarded, or a bits-padding has to be performed. A loss
scheme allows to set the template size without constraint
in discriminability may occur in the former case, while
and to manage data characterized by a high intraclass
in the latter case a severe leakage of information about
variability of biometric data without exploiting specific
codewords can result from the observation of the code-
characteristics of the biometrics of interest. These tasks
offset[48]. It is vital to adopt codewords whose length can
are accomplished by utilizing turbo codes which allows to
be adjusted to the length of binary biometric vector, and
achieve high ECCs, while constellation modulations are
not vice versa. A promising solution is by using Turbo
used to let the codes operating in soft-decoding modality,
code as reported in [39].
thus further enhancing their correction capabilities and
Secondly, linear block codes often incapable offer
providing a highly flexible framework with different
high satisfactory error correction capability to cope
operating conditions. A real implementation of this scheme
biometric data with significant intra-class variability,
has been demonstrated through handwritten signature.
thus resulting in poor FRRs. Ideally the error correcting
capability must be 100 % even for highest possible
distance (or BER) while exhibiting 0% for inter-class BER
III. Impact of ECCs to Biometric [6]. This procedure would help in identifying the most
Cryptosystems Performance suitable ECC for a BC in the early stage. Nevertheless,
these ideal situations are highly unlikely be satisfied
As evident from the literature, error-correcting practically, hence fine tuning is necessary for the selected

44 | 정보와 통신
 주제 | Error Correction Codes for Biometric Cryptosystem: An Overview

ECC to ensure it can adequately differentiate between the applications, such as data storage or communication
two classes. As a remedy it could be possible to utilize system, but this is not the case for BC. For instance, ECC
known statistics about the existing differences of the that is insecure for BC purposes is a trivial repetition
considered biometrics to design a specific code adapted code, when each key bit is encoded with an odd number
to the biometrics properties. This property has been of bits of the same parity [48]. As shown by [49], an
exploited in [8], where Hadamard and Reed-Solomon adversary can generate a matching score and crack the
codes are jointly employed to manage respectively the BC helper data using a “hill climbing” attack despite BC
background and the burst differences deriving from the is not supposed to have a score.
comparison of two iris templates. However, as observed If we assume that the codeword c is chosen from an
in [15], the performance deteriorates when a more (n, k, t) ECC then k bits of biometric binary vector, b
challenging iris dataset is examined. are protected by the k random bits in c due to the k bits
In general, the impact of ECC on biometric of randomness in c. From information theoretic point
cryptosystem performance relies on the type of the of view, the helper data of BC, such as d = cXORb in
chosen ECCs as well as how to fine tune the selected fuzzy commitment or SS(w) in secure sketch will leak
ECC. The latter could be attained by altering the code n-k bits of information about b. It can be shown that if
rate (increasing or decreasing the amount of parity bits) robustness against a certain number of bit errors in b is
included in the ECC. The effect on the error correcting required, some leakage cannot be avoided [26]. Hence,
capability with the code rate is known as the granular in principle the adversary can set up a linear system of
effect of an ECC. The finer it is possible to tune the ECC’s n-k equations in n unknowns leaving him with k degrees
correction capability, the more precisely it will be possible of freedom. However, this theoretical leakage does not

to adjust the FAR and FRR trade-off. reveal to an adversary how this information can be

Furthermore, an ideal ECC should have a steep roll off exploited to learn specific information on b that was used

characteristic with BER to allow a very high (close to to generate helper data.

100%) error correction in a particular range and almost A number of practical threats were reported in [46],

0% in the other [6]. Hence, apart from the granularity [48] and [50] exploiting the use of linear ECCs and the
fact that many practical ECCs are not perfect codes. In
property, the steepness property is also another important
[46], the authors demonstrates that if two helper data
factor to be accounted. Interested readers on empirical
d1=c1XORb and d2=c2XORb’ of fuzzy commitment
study of granular effect and steepness properties of ECCs
are retrieved, the adversary can compute d1XORd2=
on biometric system are referred to [40].
c1XORc2XOR(bXORb’)=c3XOR(bXORb’) due to the
ECC property that the sum of two codewords is again
a codeword. If this can be decoded, it is highly possible
IV. Impact of ECC to Biometric that b≃b’, attributed to the non-perfectness of the ECC
Cryptosystem Security and the distribution of b. This observation thus implies
bs are linkable across diverse applications or databases,
Despite biometric cryptosystems is provable secure in which is one of the major concerns in privacy leakage.
information theoretic sense, it is indeed vulnerable to Stoianov [48] illustrated zero insertion mechanism that
several dreadful security and privacy attacks in practice. proposed by Kanade et al [18] to improve the accuracy of
We refer curious readers on complete vulnerabilities of IrisCode based fuzzy commitment [8] is indeed insecure.
BC to [41]-[47]. Here we only describe a few attacks that By learning the locations of only 7 zeros for each 32-
have been attributed to ECCs. bit block, an attacker can recover the full 198-bit key
Note ECCs security does not appear in most other ECC within a fraction of a second. Even if the scheme were

JUNE·2015 | 45
 주제 | Error Correction Codes for Biometric Cryptosystem: An Overview

modified such that 12 zeros appended the IrisCode in Acknowledgement

each 32-bit block, for each block, the attacker would still
be able to recover 5 out of 6 key bits. The remaining one This research was supported by Basic Science Research
bit ambiguity could be resolved in a matter of minutes Program through the National Research Foundation of
by random trials and running a Reed-Solomon decoder.
Korea (NRF) funded by the Ministry of Science, ICT and
By and far, for an arbitrary linear ECC, the problem
Future Planning (2013006574)
of cracking the zero insertion scheme is equivalent to
solving a set of linear equations by using a syndrome
decoding.
Despite a combination of codes could be useful for
References
accuracy performance gain, eg. mix of Hadamard and
[1]. B. Schneier. Applied Cryptography: Protocols Algo-
RS codes in [8], it may also leave the system vulnerable
to statistical attacks by exploiting the histograms of rithms and Source Code in C. John Wiley and Sons,

the computed offsets as revealed in [50]. The statistical Inc. 1996.

attack based on ECCs is further examined in [52] in [2] A.K. Jain, L. Hong, S. Pankanti. Biometrics Identifi-

great detail whereby the authors reveal that binary cation. Commun. ACM 43 (2) 91–98, 2000.
biometric vectors, which exhibit sufficient entropy, [3] U. Uludag, S. Pankanti, S. Prabhakar, and A. K.
bind cryptographic keys in a secure commitment is Jain, “Biometric cryptosystems: issues and chal-
questionable. The study shows that fuzzy commitment lenges,” Proceedings of the IEEE, vol. 92, no. 6, pp.
can still be cracked. The structure of stored commitment 948–960, Jun. 2004.
is essential to the security of bound keys and biometric [4] Tomko GJ, Soutar C, Schmidt GJ (1996) Fingerprint
templates. controlled pub Invalid source specified.lic key cryp-
tographic sys-tem. US Patent 5541994, 30 July 1996
(Filing date: 7 Sept 1994).
[5] A. Cavoukian, M. Chibba, and A. Stoianov, “Advances
V. Summary
in Biometric Encryption: Taking Privacy by Design

Error correction codes are an integrated part in from Academic Research to Deployment,” Review

most of the biometric cryptosystems to eliminate the of Policy Research, vol. 29, no. 1, pp. 37–61, Jan.

fuzziness associated with biometric data. This overview 2012.

paper delineates how ECCs are setup to achieve the [6] Harsha S. Gardiyawasam Pussewalage, Jiankun Hu,
accuracy performance requirements of various biometric and Josef Pieprzyk, “A Survey: Error Control Meth-
cryptosystems. Depending upon the type of biometric ods Used in Bio-Cryptography,” presented at the
data to be used and their associated error patterns, 2014 10th International Conference on Natural Com-
the ECCs must be selected attentively, considering the putation (ICNC 2014), 2014.
possible security and privacy breach of the underlying [7] T. C. Clancy, N. Kiyavash, and D. J. Lin, “Secure
biometric cryptosystem. Moreover, error correcting smartcardbased fingerprint authentication,” in Pro-
capability characteristics and granularity of ECCs ceedings of the 2003 ACM SIGMM workshop on Bio-
should also be considered when choosing the optimal metrics methods and applications, 2003, pp. 45–52.
coding scheme to achieve a desirable tradeoff between [8] F. Hao, R. Anderson, and J. Daugman, “Combining
performance indicators FAR and FRR. Crypto with Biometrics Effectively,” IEEE Transac-
tions on Computers, vol. 55, no. 9, pp. 1081–1088,
Sep. 2006.

46 | 정보와 통신
 주제 | Error Correction Codes for Biometric Cryptosystem: An Overview

[9] P. Tuyls, A. H. M. Akkermans, T. A. M. Kevenaar, Recognition, IEEE, pp. 120-127, Florida, USA, Jun.
G.-J. Schrijen, A. M. Bazen, and R. N. J. Veldhu- 2009.
is, “Practical biometric authentication with template [18] S. Kanade, D. Camara, E. Krichen, D. Petrovs-
protection,” in Proceedings of the 5th international ka-Delacretaz, and B.Dorizzi, “Three Factor Scheme
conference on Audio- and Video-Based Biometric for Biometric-based Cryptographic Key Regeneration
Person Authentication, Berlin, Heidelberg, 2005, pp. using Iris”, in Biometrics Symposium, IEEE, pp. 59-
436–446. 64, Florida, USA, Sep. 2008.
[10] M. Baldi, M. Bianchi, F. Chiaraluce, J. Rosenthal, [19] M. van der Veen, T. Kevenaar, G.-J. Schrijen, T. H.
and D. Schipani, “On fuzzy syndrome hashing with Akkermans, and F. Zuo, “Face biometrics with re-
LDPC coding,” in Proceedings of the 4th Interna- newable templates,” Proceedings of SPIE, vol. 6072,
tional Symposium on Applied Sciences in Biomedical no. 1, p. 60720J–60720J–12, Feb. 2006.
and Communication Technologies, New York, NY, [20] E. J. C. Kelkboom, B. Gökberk, T. A. M. Kevenaar,
USA, 2011, pp. 24:1–24:5. A. H. M. Akkermans, and M. Veen, “3D Face”: Bio-
[11] E. Maiorana, D. Blasi, and P. Campisi, “Biometric metric Template Protection for 3D Face Recognition,”
template protection using turbo codes and modu- in Advances in Biometrics, vol. 4642, 2007, pp.
lation constellations,” in 2012 IEEE International 566–573.
Workshop on Information Forensics and Security [21] B. Chen and V. Chandran, “Biometric Based Cryp-
(WIFS), 2012, pp. 25 –30. tographic Key Generation from Faces,” in 9th Bien-
[12] Y. Imamverdiyev, A. B. J. Teoh, and J. Kim, “Bio- nial Conference of the Australian Pattern Recogni-
metric cryptosystem based on discretized fingerprint tion Society on Digital Image Computing Techniques
texture descriptors,” Expert Systems with Applica- and Applications, 2007, pp. 394–401.
tions, vol. 40, no. 5, pp. 1888–1901, 2013. [22] P. Tuyls, A. Akkermans, T. Kevenaar, G. Schrijen,
[13] A. Juels and M. Wattenberg, “A fuzzy commitment and R. Veldhuis, “Practical Biometric Authentication
scheme,” in Proceedings of the 6th ACM conference with Template Protection”, in Proceedings of 5 th
on Computer and communications security, New International Conference on Audio-and Video-Based
York, NY, USA, 1999, pp. 28–36. Biometric Person Authentication, Springer, pp. 436-
[14] Giles Brassard, David Chaum, and Claude Crepeau, 446, New York, USA, Jul. 2005.
Minimum Disclosure Proofs of Knowledge Journal [23] A. Juels and M. Sudan, “A fuzzy vault scheme,” in
of Computer and System Sciences, vol. 37, pp. 156- IEEE International Symposium on Information The-
189, 1988 ory, 2002. Proceedings, 2002.
[15] J. Bringer, H. Chabanne, G. Cohen, B. Kindarji, and [24] U. Uludag, S. Pankanti, and A. K. Jain, “Fuzzy
G. Zemor, “Optimal iris fuzzy sketches”, in IEEE Vault for Fingerprints,” in Audio- and Video-Based
First International Conference on Biometrics: Theo- Biometric Person Authentication, 2005, pp. 310–319.
ry, Applications, and Systems, BTAS’07, 2007. [25] A. Nagar, K. Nandakumar, and A. K. Jain, “Secur-
[16] R. Álvarez Mariño, F. Hernández Álvarez, and L. ing Fingerprint Template: Fuzzy Vault with Minutiae
Hernández Encinas, “A crypto-biometric scheme Descriptors”, in Proceedings of 19th International
based on iris-templates with fuzzy extractors,” In- Conference on Pattern Recognition, IEEE, pp. 1-4,
formation Sciences, vol. 195, pp. 91–102, Jul. 2012. Florida, USA, Dec. 2008.
[17] S. Kanade, D. Petrovska-Delacretaz, and B. Dorizzi, [26] Y. Dodis, R. Ostrovsky, L. Reyzin, and A. Smith,
“Cancelable Iris Biometrics and using Error Correct- “Fuzzy Extractors: How to Generate Strong Keys
ing Codes to reduce Variability in Biometric Data”, from Biometrics and Other Noisy Data,” SIAM J.
in IEEE Conference on Computer Vision and Pattern Comput., vol. 38, no. 1, pp. 97–139, Mar. 2008.

JUNE·2015 | 47
 주제 | Error Correction Codes for Biometric Cryptosystem: An Overview

[27] X. Boyen, “Reusable cryptographic fuzzy extractors,” pean Signal Processing Conference (EUSIPCO), Aal-
in Proceedings of the 11th ACM conference on Com- borg, Denmark, August 2010.
puter and communications security, New York, NY, [37] A. Nagar, S. Rane, and A. Vetro, “Privacy and secu-
USA, 2004, pp. 82–91. rity of features extracted from minutiae aggregates,”
[28] P. Tuyls and J. Goseling, Capacity and Examples in Acoustics Speech and Signal Processing (ICASSP),
of Template Protecting. BioAW 2004, LNCS 3087, 2010 IEEE International Conference on, 2010, pp.
158–170, Prague, 2004. 1826 –1829.
[29] Yagiz Sutcu, Qiming Li, and N. Memon, “Protecting [38] Y. Sutcu, S. Rane, J. S. Yedidia, S. C. Draper, and
Biometric Templates With Sketch: Theory and Prac- A. Vetro, “Feature extraction for a Slepian-Wolf
tice,” IEEE Transactions on Information Forensics biometric system using LDPC codes,” in Information
and Security, vol. 2, no. 3, pp. 503–512, Sep. 2007. Theory, 2008. ISIT 2008. IEEE International Sympo-
[30] E. Maiorana, D. Blasi, and P. Campisi, “Biometric sium on, 2008, pp. 2297 –2301.
template protection using turbo codes and modu- [39] E. Maiorana, D. Blasi, and P. Campisi, “Biometric
lation constellations,” in 2012 IEEE International template protection using turbo codes and modu-
Workshop on Information Forensics and Security lation constellations,” in 2012 IEEE International
(WIFS), 2012, pp. 25 –30. Workshop on Information Forensics and Security
[31] A. Arakala, J. Jeffers, and K. J. Horadam, “Fuzzy (WIFS), 2012, pp. 25 –30.
Extractors for Minutiae-Based Fingerprint Authen- [40] S. Noto, P. L. Correia, and L. D. Soares, “Analysis
tication,” in Advances in Biometrics, vol. 4642, S.-W. of error correcting codes for the secure storage of
Lee and S. Z. Li, Eds. Berlin, Heidelberg: Springer biometric templates,” in EUROCON - International
Berlin Heidelberg, 2007, pp. 760–769. Conference on Computer as a Tool (EUROCON), 2011
[32] S. Cimato, M. Gamassi, V. Piuri, R. Sassi, and IEEE, 2011, pp. 1 –4.
F. Scotti, “Privacy-Aware Biometrics: Design [41] X. Zhou, A. Kuijper, R. Veldhuis, and C. Busch,
and Implementation of a Multimodal Verification “Quantifying privacy and security of biometric fuzzy
System,” in Computer Security Applications commitment,” in International Joint Conference on
Conference, 2008. ACSAC 2008. Annual, 2008, pp. Biometrics (IJCB), 2011, pp. 1–8.
130–139. [42] W. J. Scheirer and T. E. Boult, “Cracking Fuzzy
[33] W. Yang, J. Hu, and S. Wang, “A Delaunay Vaults and Biometric Encryption,” in Biometrics
Triangle-Based Fuzzy Extractor for Fingerprint Symposium, 2007, pp. 1–6.
Authentication,” in 2012 IEEE 11th International [43] A. Kholmatov and B. Yanikoglu, “Realization of cor-
Conference on Trust, Security and Privacy in relation attack against the fuzzy vault scheme,” in
Computing and Communications (TrustCom), 2012, Proc. SPIE 6819, Security, Forensics, Steganography,
pp. 66–70. and Watermarking of Multimedia Contents X, 2008,
[34] R. Álvarez Mariño, F. Hernández Álvarez, and L. pp. 68190O–68190O–7.
Hernández Encinas, “A crypto-biometric scheme [44] H. Poon and A. Miri, “A Collusion Attack on the
based on iris-templates with fuzzy extractors,” In- Fuzzy Vault Scheme,” ISeCure: The ISC Internation-
formation Sciences, vol. 195, pp. 91–102, Jul. 2012. al Journal of Information Security, vol. 1, no. 1, pp.
[35] Anthony Vetro, Stark Draper, Shantanu Rane, and 27–34, Jan. 2009.
Jonathan Yedidia, “Securing Biometric Data,” in [45] L. Ballard, S. Kamara, and M. K. Reiter, “The prac-
DISTRIBUTED SOURCE CODING, Elsevier, 2009. tical subtleties of biometric key generation,” in Pro-
[36] T. Santos, L.D. Soares, P.L. Correia, “Iris Verifica- ceedings of the 17th conference on Security sympo-
tion System with Secure Template Storage”, Euro- sium, Berkeley, CA, USA, 2008, pp. 61–74.

48 | 정보와 통신
 주제 | Error Correction Codes for Biometric Cryptosystem: An Overview

[46] K. Simoens, P. Tuyls, and B. Preneel, “Privacy

약 력
Weaknesses in Biometric Sketches,” in Proceedings
1999 National University of Malaysia
of the 2009 30th IEEE Symposium on Security and
2003 National University of Malaysia
Privacy, Washington, DC, USA, 2009, pp. 188–203. 2003~2008 Multimedia University Senior
[47] M. Blanton and M. Aliasgari, “Analysis of Reusabil- Lecturer
ity of Secure Sketches and Fuzzy Extractors,” IEEE 2008~2012 Yonsei Univesity Assistant
Professor
Transactions on Information Forensics and Security,
2012~Present Yonsei Univesity Associate
vol. 8, no. 9, pp. 1433–1455, 2013.
Andrew Beng Professor
[48] A. Stoianov, “Security of Error Correcting Code for Research Interest: Biometrics, Machine Learning,
Jin Teoh
biometric Encryption,” in 2010 Eighth Annual Inter- Information Security

national Conference on Privacy Security and Trust

(PST), 2010, pp. 231–235. 1979년 연세대학교 공과대학 전자공학과 학사
[49] A. Adler, “Vulnerabilities in Biometric Encryption 1984년 Case Western Reserve University,
Systems”, in Audio- and video-based Biometric Electrical Eng. 인공지능, 영상인식 박사
1984년~현재 연세대학교 전기전자공학부 교수
Person Authentication (AVBPA2005), Tarrytown,
2002년~현재 생체인식연구센터 소장
New York, USA. Lecture Notes in Computer Science:
관심분야: 생체인식, 패턴인식, 영상인식
Springer, v. 3546, 2005, pp. 1100–1109.
[50] A. Stoianov, T. Kevenaar, and M. V. der Veen, “Se- Jaihie Kim
curity issues of bio-metric encryption,” in IEEE TIC-
STH Symp. on Information Assurance, Biometric
Security and Business Continuity, Toronto, Canada,
2009.
[51] E. Maiorana, P. Campisi, and A. Neri, “User adaptive
fuzzy commitment for signature templates protection
and renewability,” SPIE Journal of Electronic Imag-
ing, vol. 17, no. 1, March 2008.
[52] C. Rathgeb and A. Uhl, “Statistical attack against
iris-biometric fuzzy commitment schemes,” in 2011
IEEE Computer Society Conference on Computer Vi-
sion and Pattern Recognition Workshops (CVPRW),
2011, pp. 23 –30.

JUNE·2015 | 49