A noninvertible cancelable fingerprint template generation based on ridge feature transformation
Abstract
In a biometric verification system, leakage of biometric data leads to permanent identity loss since original biometric data is inherently linked to a user. Further, various types of attacks on a biometric system may reveal the original template and utility in other applications. To address these security and privacy concerns cancelable biometric has been introduced. Cancelable biometric constructs a protected template from the original biometric template using transformation functions and performs the comparison between templates in the transformed domain. Recent approaches towards cancelable fingerprint generation either rely on aligning minutiae points with respect to singular points (core/delta) or utilize the absolute coordinate positions of minutiae points. In this paper, we propose a novel noninvertible ridge feature transformation method to protect the original fingerprint template information. The proposed method partitions the fingerprint region into a number of sectors with reference to each minutia point employing a ridgebased coordinate system. The nearest neighbor minutiae in each sector are identified, and ridgebased features are computed. Further, a cancelable template is generated by applying the Cantor pairing function followed by random projection. We have evaluated our method with FVC2002, FVC2004 and FVC2006 databases. It is evident from the experimental results that the proposed method outperforms existing methods in the literature. Moreover, the security analysis demonstrates that the proposed method fulfills the necessary requirements of noninvertibility, revocability, and diversity with a minor performance degradation caused due to cancelable transformation.
Date of publication xxxx 00, 0000, date of current version xxxx 00, 0000. \doi10.1109/ACCESS.2017.DOI
The authors are thankful to SERB (ECR/2017/000027), Department of science & Technology, Govt. of India for providing financial support to carry out this research work.
Corresponding author: Rudresh Dwivedi (email: phd1301201006@ iiti.ac.in).
iometric, cancelable biometrics, fingerprint, minutiae, alignmentfree, feature extraction, privacy, security
=15pt
I Introduction
\PARstartThe compromise of stored biometric template causes permanent identity theft of a user as biometric data is irreplaceable and irrevocable. There are various types of attacks and privacy concerns linked with sharing of biometric information across multiple applications [1, 2]. Jain et al. [3] identified four levels of attacks in a biometric system. At the first level, the attacker presents a falsified biometric input to the sensor, and the sensor may not be able to differentiate between genuine and fake biometric inputs. Second, the attacker intercepts the communication link between the different modules to enter into the system. At the third level, the attacker intercepts the executable program of a module to get the desired output. Such attacks are called TrojanHorse attacks. Last, the attacker replaces/ derives a spoof of the stored template which causes the security breach. Therefore, biometric template protection is necessary to address such security challenges. To provide biometric template protection against the aforementioned attacks, an idea of cancelable biometrics has been presented. The cancelable biometric scheme applies a transformation to derive a protected template which is used for verification instead of the original template of a user. The transformation relies on a noninvertible function such that it is hard to retrieve the original template even if the attacker knows the transformed template and transformation function. In a compromise situation, a new protected template can be derived by altering the parameter values of the transformation function. The transformation should fulfill the following requirements described by Breebaart et al. [4]:

Noninvertibility: It should be computationally hard to construct the original template from the transformed template. This prevents the recovery of the original biometric information by an imposter.

Diversity: Identical cancelable template should not be used in different applications to avoid crossmatching of the stored template.

Revocability: The transformation should be able to derive numerous protected templates from the same biometric input and there should be immediate revocation in case of compromise.

Performance: The transformation should not exhibit significant performance degradation.
Bolle et al. [5] introduced four types of transformations for cancelable fingerprint template generation which utilize the core and delta points (singular points) of an input fingerprint. The biohashing based approaches proposed in [6, 7] combine a userspecific key onto the original biometric features to derive a protected template. BioHashing and its variants [6, 7], are proved to be impractical if the unique seed is compromised. Ahmad et al. [8] proposed a fingerprint template protection scheme that uses relative minutiae information in the polar coordinate system as described in [9]. The proposed scheme underperforms on the FVC2002 DB3 database where lowquality fingerprint images exist. The performances of the techniques presented in [9, 10, 11, 12] get degraded if the userspecific key or token is compromised. Further, the limitation of the methods proposed in [5, 13, 14] lies with the accurate detection of the singular point (core or reference point). However, it is not possible to identify the singular points from fingerprint images of all users. Moreover, accurate detection of core point from an arch type or a poor quality fingerprint image is a challenging task.
Farooq et al. [15] derived a binary representation of the different features computed from all possible triplets which require a large number of computations. Cappelli et al. [16] introduced a stateoftheart Minutiae Cylinder Code (MCC) based fingerprint representation which outperforms the most of the existing methods. However, the original MCC approach does not provide any protection mechanism for minutiae information. Later, Ferrara et al. [17] proposed the protected MCC (PMCC) approach to secure the minutiae information. Further investigations reveal the irrevocability issue of PMCC technique. In order to provide revocability, Ferrara et al. [18] proposed a twofactor protected Minutiae Cylinder Code (2PMCC) scheme which performs curtailed permutation onto cylinders in PMCC using a secret key.
Few approaches [14, 19] in literature utilize fixedradius transformation. These approaches may cause performance degradation if the minutiae points are at the edge of the radius. Owing to noise or local distortion these minutiae could be considered inside the radius for the first sample and outside the radius for the second sample for the same fingerprint. Further, Ahmad et al. [8] and Sutcu et al. [19] applied a transformation considering a threshold onto the number of minutiae point to derive the protected template. Certain methods [12, 11] directly use the position and direction information of minutiae points to derive a protected fingerprint template. However, selection of invariant features from the minutiae points results in significant performance improvement over the original minutiae information. Earlier, we have proposed a coprime mapping based transformation to protect the original ridge features. In the prior work [20], a very less number of bruteforce attempts are required yielding the approach invertible. Moreover, the method is susceptible to the Attackviarecordmultiplicity (ARM) attack. Also, the performance degrades in case of FVC2004 where the users are allowed to exaggerate deformations at the time of acquisition. In this work, we have proposed random projection based transformation to mitigate the limitations of our prior work.
In summary, to address the limitations of the existing approaches depicted above, we propose a novel cancelable fingerprint template generation method based on ridge feature transformation. Ridgebased features are computed for the nearest neighbor structure drawn for each reference minutiae point. Next, the Cantor pairing function is applied to encode the ridge features, and the logarithm function is used to uniformly distribute the paired features. Finally, the random projection is utilized to derive a noninvertible protected template. In a nutshell, we highlight the contributions of our work:

We have proposed a novel cancelable fingerprint template design methodology where transformation is applied over ridge features to cope with rotation, translation and scale deformations in the input fingerprint image.

The proposed transformation does not lean upon prior alignment with the singular point which is hard to discover in the poor quality or missing singular point fingerprint images.

The ridge feature transformation is applied around each minutia to derive a feature matrix instead of fixedradius transformation to overcome the boundary problems.

The Cantor pairing function followed by random projection is utilized to generate noninvertible cancelable fingerprint template.

The proposed scheme is analyzed with respect to the necessary criteria of cancelable template generation i.e. noninvertibility, revocability and diversity. Further, the method is also analyzed against different types of attacks such as Attack via Record Multiplicity (ARM), preimage attack, crossmatching attack, distinguishing attack and annealing attack. The security analysis demonstrates that the proposed approach fulfills the desired criteria and is robust enough to sustain such attacks.

The performance of the proposed method is evaluated with two different protocols (FVC and 1VS1) for all datasets (i.e. DB1, DB2, DB3 and DB4) of FVC2002, FVC2004 and FVC2006 databases. The experimental results demonstrate that our approach outperforms existing approaches.
The rest of the paper is organized as follows. In Section II, we briefly summarize the existing methods related to the generation of cancelable fingerprint template. Section III describes the procedural steps of the proposed method. Section IV demonstrates experimental results as well as compares the proposed method with the existing cancelable template generation approaches. Section V provides the security analysis of our method. Conclusions and direction of future research are presented in Section VI.
Ii Related work
In recent years, several methods have been introduced to generate the cancelable template in the literature. Ratha et al. [21] first introduced the notion of cancelable biometric with three different types of transformations (Cartesian, polar and functional) to provide privacy and security to the original biometric information. The cartesian transformation method maps the fingerprint minutiae into cells of fixed size. The minutiae positions in the cells are permuted to derive the cancelable template. In polar transformation method, the minutiae positions are mapped onto a polar coordinate space. Further, the coordinate space is divided into sectors, and sector positions are shuffled based on a key to generate the cancelable template. Functional transformation method alters the minutiae positions and orientation based on a parametric Gaussian function. Quan et al. [1] proved that the functional transformation could be cracked if the parameters and transformed template are revealed. The rest two transformations cater with high Equal Error Rate (EER). Moreover, all these methods require corepoint for alignment before the transformation, and the determination of corepoint is not always feasible.
Boult et al. [22] proposed secure biotokens for fingerprint template protection. The method constructs a minutiae pair table which contains distance, relative orientation, and orientation of the line connecting two minutiae points. The features are then divided into quotient and modulus part. The quotient part is encrypted using RSA algorithm and modulus part is concatenated with the encrypted quotient to form a cluster. In verification stage, minutiae pair tables of the query and stored templates are traversed to construct clusters and to compute the comparison scores. Lee et al. [23] proposed an alignmentfree protected fingerprint template generation scheme using minutia orientation. They applied two different changing functions (i.e., positions and respective orientations) which are used to secure the minutiae information. The stored template can thus be regenerated and revoked by altering the input parameters of the changing functions in the situation of compromise. In BioHashing based approaches [6, 7], the protected template is derived after discretizing the inner product of the biometric features with the projection matrix. Yang et al. [24] proposed a nonlinear dynamic random projection scheme to increase the computational complexity against the inversion attack. Instead of conventional random projection utilized by BioHashing, the projection matrix is dynamically constructed based on an index vector which is constructed from the quantization of the biometric feature vector. Lee et al. [12] presented a method to derive cancelable fingerprint template based on 3D array mapping. In this work, a minutia from the minutiae set is assigned as the reference, and remaining minutiae are aligned with respect to the reference minutiae. Then, the aligned minutiae points are mapped into a 3D array, based on the positions (xy coordinate) and orientations of the minutiae points. The cells in the 3D array are marked as 1, which include minutiae points. The array is sequentially traversed to derive a bitstring. The derived bitstring is exploited to random permutation utilizing a userspecific PIN and minutiae type. Wang et al. [25] proposed a template protection mechanism where manytoone mapping is applied onto the pairminutiae based bitstring evaluated using the method proposed by Lee et al. [12]. Then, the userspecific PIN is applied to the complex vector derived by discrete Fourier transform on bitstring. Wang et al. [10] proposed another method for cancelable fingerprint template design using circular convolution. The procedure adopted till bitstring generation is identical to it’s earlier method [25]. Then, a random sequence is derived by utilizing a userspecific PIN. Bitstring and random sequence are exploited to discrete Fourier transform and product of both DFT’s are computed. The cancelable template is stored by applying inverseDFT and removing the first points from the output. Das et al. [13] constructed a graph structure based on the minimum possible distance from core/delta point to remaining minutiae points. Correspondence search algorithms [13] are used for verification of query template. Liu et al. [14] proposed a template protection scheme which derives a protected fixedlength template viz., random local region descriptor (RLRD). In this scheme, a random reference point is selected initially. Next, Tico’s sampling structure [14] is utilized to generate uniformly distributed sampling point structure around the random reference. The order of the sampling points is decided through a random seed. Finally, a protected template is derived as the angular width between the reference and sampling points. Further, graycode encoding of sine and cosine of angular width is performed to generate a bitstring. Wong et al. [26] proposed a multiline code (MLC) for minutiaebased fingerprint template protection which is an extension of Wong et al. [11] work. In this method, the minutia set is divided into angular partitions with respect to a straight line drawn at the reference minutiae. Next, few sample points with equal distance to each other are taken with uniform distribution on the straight line. Circles are constructed on each of the sample points, and minutiae points falling in each lower region (semicircle) are counted. A binary string is derived considering 1 if the count is greater than 0, and 0 otherwise. The result is stored as the cancelable template. In their extended work [26], the mean distance from minutiae to the line is computed in each semicircle along the lines. The quantization is performed over the mean distances. The binary string is derived and permuted with a userspecific PIN to generate the cancelable template. Ahmad et al. [8] proposed a cancelable fingerprint template design scheme using manytoone sector mapping for relative minutiae information in the polar coordinate system as described in [9].
Farooq et al. [15] proposed a triangular transformation which derives a binary representation of minutiae features. The method utilizes the minutiae triplet features: length of each side, the angle subtended between each side, each minutiae orientation in the triplet and the height of triplet. These features are quantized into 24 bits to derive a bit binary representation. Sutcu et al. [19] introduced a geometric design which represents minutiae information into a fixed length string. The method computes mean of minutiae x and y coordinate as centroid. Next, a circle is constructed centered at centroid and divided into an arc of equal angular width. Then, a straight line is drawn in between each minutiae pair and intersection with the circumference is marked. The number of intersection mark is collected sequentially for each arc to derive the transformed template. Wang et al. [27] proposed a scheme which utilizes DFT for pairminutiae bit string. Further, the complex sequence is fed to FiniteImpulseResponse (FIR) with a userspecific key to derive the protected template. The method performs optimally yet weak against attack via record multiplicity (ARM). In their future work, Wang et al. [28] proposed a partial Hadamard based transformation the to protect original pair minutiae bitstring.
Cappelli et al. [16] introduced a stateoftheart Minutiae Cylinder Code (MCC) algorithm which frames a 3D cylindrical structure around minutiae neighborhood considering each minutia as a reference. Each cylinder of height and radius is tessellated into a number of cells. Each cell stores the minutiae position and orientation in the neighborhood of each minutia taken as a reference at a time. A cylinder which contains less valid information is discarded. Two cylinders are verifiable if direction difference between two minutiae is less than a certain value. MCC is a fixed radius local minutiae construct which provides notable recognition performance. However, high computation cost of cell construction for each cylinder is the drawback associated with this method. Ferrara et al. [17] then proved that few genuine minutiae points (approximately 25.4%) could be correctly revealed by calculating likelihood between two cylinders. Later, a novel representation namely ProtectedMCC (PMCC) is proposed where a noninvertible transform has been applied onto MCC template incorporating binaryKL projection which provides a greater level of security and privacy.
Iii Proposed Methodology
This section describes our proposed method to derive the protected fingerprint template. The overall design flow for the proposed method is displayed in Fig. 1. The proposed method consists of three major tasks which are displayed in rectangles in the block diagram. First, the input fingerprint image is preprocessed to extract the minutiae points by utilizing the thinned fingerprint image. Next, we form a nearest neighbor structure around each minutiae point using the ridgebased coordinate system and compute the ridge features from the thinned image and minutiae information. Thereafter, we apply Cantor pairing function to encode the ridge features uniquely. Finally, the random projection is applied onto the paired output to derive the protected template. In the verification phase, the same mechanism is followed to generate the protected query template from the query fingerprint and comparison is performed between the protected enrolled and protected query templates in the transformed (cancelable) domain.
Iiia Preprocessing and minutiae extraction
Fingerprint images may have different levels of contrast throughout the image. Preprocessing is performed to enhance the quality of input fingerprint image subsequently reducing the noise. In literature, different methods have been proposed to reduce noise and detect minutiae points from input fingerprint image. In this work, the preprocessing and extraction of minutiae points are performed by following the method presented in [29]. The extracted minutiae points are denoted as follows:
(1) 
where, represents the set of untransformed (raw) minutia points detected from the input fingerprint and n is the total number of minutiae points in . The minutiae point is denoted by where and are the coordinate positions and orientation, respectively. Also, a thinned fingerprint image is obtained during preprocessing step which is further used for the invariant features extraction.
IiiB Nearest neighbor structure construction
We use minutiae information to create the nearest neighbor structure on the thinned fingerprint image. First, one of the minutiae point from is selected as a reference minutia. Next, the nearest neighbor structure is formed in the vicinity of reference minutiae point considering the ridgebased coordinate system as depicted in Fig. 2(a). In the ridgebased coordinate system, reference axis coincides with the orientation of the selected reference minutiae. Further, we divide the fingerprint region into ‘s’ sectors of equal angular width around the reference minutia in an anticlockwise direction. In each sector, the nearest neighbor minutiae point is identified by selecting the minimum distance from the reference minutiae point. This procedure is followed for all minutiae points in . It may be noted that if there is no minutia located in any of the sectors, we assign the nearest neighbor to be 0 in that sector. Further, we do not take into account the sectors with no minutiae point at the time of comparison. We consider eight sectors ( = 8) in our method as shown in Fig. 2(a). In Fig. 2(a), is the nearest neighbor of reference minutiae in sector 3.
IiiC Ridge feature computation
The accuracy of the fingerprintbased verification system could be affected by translation, rotation and scale deformations produced while acquisition. Hence, it is necessary to compute invariant features from the input fingerprint image. In this work, we consider ridge count and average ridge orientation between the nearest neighbor minutiae and the reference minutiae in each sector as invariant features. To compute these features, the reference minutiae and the nearest neighbor minutiae points are identified first. Then, we compute the number of ridges along the straight line between these two minutiae in the thinned image and denote the ridge count in sector as . Figure 2(a) shows a descriptive example where ridge count between nearest neighbor minutiae () and the reference minutiae () is 2. To compute ridge orientation, a tangent is drawn at the intersection point of the line and ridge. Next, we measure the angle subtended by the tangent and straight lines between two minutiae points for each ridge crossing the straight line. For example, the orientation () of the first ridge in the first sector as shown in Fig. 2(b) is evaluated as:
where , denotes the slope of the line connecting nearest neighbor minutiae to the reference minutiae in the first sector. is the angle subtended by the tangent line from the first ridge crossing and the reference axis. In a similar manner, we calculate the orientation of the second ridge in the first sector and compute the mean ridge orientation for the first sector. The mean ridge orientation for the sector, denoted as is calculated using Eq. (2).
(2) 
where, represents the total number of ridges between the reference and nearest minutiae in the sector. Similarly, we find ridge count and mean ridge orientation for all minutiae and store it as , where is the number of sectors and is the total number of minutiae.
IiiD Cantor pairing function
The Cantor pairing function [30, 31] is utilized to uniquely encode two natural numbers into a single natural number. Let = 0, 1, 2, 3,…. be the set of positive integers and be the set of all ordered pairs of nonnegative integers, a bijection from to is called the Cantor pairing function which is defined as in Eq. (3).
Consider a function:
such that:
(3) 
We apply this function to encode ridge features. For each minutiae point, we compute the paired output of ridge features ( and ) for each sector and stored in a 2D matrix as defined in Eq. (4).
(4)  
where, and represent the ridge features (i.e. ridge count and mean ridge orientation) between the nearest minutiae in the sector corresponding to reference minutiae. is paired output of ridge features of the sector with respect to the reference minutiae. Next, we apply pointwise logarithm operation onto the paired outputs to obtain uniform distribution. Log function is defined in Eq. (5) and the base () of log function is chosen empirically (for details see Section III()). For instance, if an input fingerprint image comprising minutiae points is divided into ‘’ sectors, the matrix would result into entries. After applying the log function, we obtain the log template (LT) of size .
(5) 
IiiE Random projection
In order to derive noninvertible and revocable cancelable template, we perform random projection onto log template (). A random projection matrix () of size is derived using a random seed, where . Moreover, each of the entries of is computed from a Gaussian independent and identical distribution (i.i.d.) with unit variance and mean is equal to zero. Now, each row of log template () is projected onto random projection matrix () to derive the cancelable template () of size as shown in Eq. (6).
(6) 
where, rank()=.
In linear algebra, a theorem of linear systems [32] claims a unique solution when ranks of the coefficient matrix as well as the augmented matrix are same. Further, if rank becomes lower than the unknowns present, the linear system leads to infinite solutions as confirmed in the following proposition. Hence, is one of those infinite solutions of Eq. (6).
Proposition 1: A linear nonhomogeneous system of equations such as including unknowns and n equations contain an infinite number of solutions.
Proof: Initially, we claim that is solvable. It is evident from Eq. (6) that is a linear combination of columns of , which states that lies in the column space of . Hence, rank()=rank([ ]). Due to same rank of coefficient matrix and augmented matrix, a solution exists for .
Next, since rank()= , there are infinitely many possible solutions to Eq. (6). The proposition illustrates that is concealed among infinitely many possible solutions which become infeasible to an attacker even if he/she unveils and . The attacker would not be able to achieve true biometric template as evaluation of pseudoinverse results obsolete as shown in the following example:
Example: Suppose, we have one row of log template and random projection matrix as follows:
Hence, rank()=2 and
is corresponding protected template.
Let represents the pseudoinverse . is computed as:
=[0.3579 0.0993 0.0240 0.1927],
where, denotes pseudoinverse of . Concurrently, we evaluate another solution manually,
=[0 0 0.3396 0.8692]. Hence, it is verified that and .
This random projection based transformation guarantees the privacy and security of the proposed method. An imposter has no clue about even if the protected template gets compromised. Further, if we consider the worst case of stolen and , it would be very hard to retrieve from infinitely many possible solutions. We illustrate this with a mathematical proof [33]:
Proposition 2: An underdetermined system of linear equations either contains an infinite number of solutions or become inconsistent.
Proof: Consider this linear and underdetermined system, (see Eq. (6)).
We assume that has infinitely many solutions. Let be the matrix,
We define . Further we evaluate,
subject to the constraint . For evaluation of , the must exist for all , this is nontrivial. Hence, achieved may look similar as , but it would not be identical.
The user’s original information cannot be compromised even if an adversary obtains the stored fingerprint template because of the randomness present in the . The steps for cancelable template generation are summarized in Algorithm 1.
IiiF Comparison
The comparison between enrolled and query templates is performed in the protected domain to maintain secrecy. We compute local and global similarity to evaluate overall comparison score. We use Dice coefficient to measure the local similarity between the enrolled and query templates as utilized in [26]. Finally, the likelihood of the enrolled and query template being the two fingerprint of the same subject is measured to compute global similarity score.
IiiF1 Local similarity score
Let us consider, the enrolled and query protected templates are denoted by and respectively where and represents the number of minutiae in the query and enrolled templates, respectively. To evaluate the local similarity score, each row of the CT is crossmatched with all rows in QT by computing the inner product of and where and . We obtain a similarity matrix after applying the Eq. (7).
(7) 
where and .
The row of and the row of are considered to be verifiable if and only if = max ([]) and = max ([]) are valid simultaneously. Therefore, each of the entries in similarity matrix is reevaluated to eliminate double comparison in the following manner:
Let,
(8a)  
and  
(8b)  
be the maximum scores acquired for all minutiae in and , respectively. Next, we construct a binary mask , which records the positions of the coinciding maxima;
(9) 
where returns 1 when the nested condition is true and 0, otherwise. Hence, the filtered similarity matrix is represented by:
(10) 
where, represents elementwise multiplication.
IiiF2 Global similarity score
To perform overall comparison score between and , the likelihood of and being two instances of the same fingerprint is measured. From the similarity matrix () obtained in Eq. (11), we calculate the comparison score () with the following equation:
(11) 
Algorithm 2 describes the overall comparison procedure.
Iv Experimental results and analysis
In this section, we present the details of experimental design and results to illustrate the performance of the proposed method. We also analyze the effect of the different parameters as well as comparison with the existing approaches.
Iva Database selection
We have conducted our experiment on publicly available fingerprint databases FVC2002, FVC2004, and FVC2006 and each database contain four sets namely, DB1, DB2, DB3, and DB4 since most of the authors of biometrics research community utilize FVC databases [34]. Each set of the first two databases comprise of 100 subjects with 8 images per subject. Each set of the FVC2006 database includes 140 subjects with 12 images per subject.
IvB Experimental design
In accordance with the ISO standard [35], we use the following four metrics to evaluate the performance of our method:

FMR: The probability of getting a positive comparison decision for an imposter

FNMR: The probability of getting a negative comparison decision for a genuine user

GMR: Can be calculated as 1FNMR

EER: The error rate where FMR and FNMR hold equality
The computation of these performance metrics involves the evaluation of genuine and imposter scores. Genuine score refers to the comparison of a fingerprint impression of a subject with the other impressions of the same subject, whereas imposter score is derived by comparing a fingerprint impression of each subject against the fingerprint impressions of all other subjects. Also, we have used standard FVC protocol and 1VS1 protocol to compute the performance of our method.
In the 1VS1 protocol, the first fingerprint image of each subject is compared with the second fingerprint image of the same subject to compute the FNMR. To measure the FMR, the first image of each subject is compared with the first image of other subjects. This results to measure 100 genuine and =4950 imposter scores for each set of the FVC2002 and FVC2004 databases. For each set of FVC2006 database, 140 genuine and =9730 imposter scores are computed.
In the FVC protocol, each fingerprint image of a subject is compared with the remaining fingerprint images of the same subject to compute the FNMR and to evaluate the FMR, the first fingerprint image of each subject is compared with the first fingerprint image of the different subjects. This results in providing =2800 genuine and =4950 imposter scores computation for each set of FVC2002 and FVC2004 databases. For each set of FVC2006, =9240 genuine and =9730 imposter scores are computed.
IvC Validation of parameters
The proposed method utilizes two parameters to derive the protected fingerprint template. These parameters are: number of sectors () in the nearest neighbor structure [see section III(B)] and logbase value (b) [see section III(D)]. In this section, we highlight the impact of these parameters on the performance of our approach. We have validated these parameters with respect to dataset DB1 of FVC2002, DB3 of FVC2004 and DB1 of FVC2006 using FVC protocol since they have good quality images.

Number of sectors (): After conducting preprocessing steps, we divide input fingerprint image into number of sectors with an equal angular width in the ridgebased coordinate system. To validate the parameter , we have performed exhaustive testing considering the different angular widths with interval. We have considered = 24, 12,…and 4 corresponding to angular width , , …and , respectively. To carry out this experiment, we have considered logbase value () as 1.2. The performance is measured with respect to EER and results are reported in Table 1. It has been observed that the method gives the best result for =8 on dataset DB1 of FVC2002, DB3 of FVC2004 and DB1 of FVC2006. The small value of degrades the performance of the method as the transformation becomes sensitive to noise. We also observe that EER increases for large values of as there are more sectors with 0 minutiae points. Hence, we have considered = 8 for all other experimental evaluations.
Angular width Number of sectors () EER (in %) FVC2002 DB1 FVC2004 DB3 FVC2006 DB1 15 24 5.03 7.89 11.32 30 12 3.91 6.75 8.03 45 8 1.75 3.97 5.14 60 6 2.17 4.64 6.38 90 4 3.81 5.44 7.19 TABLE I: Number of sectors in nearest neighbor structure 
Logbase value (): We apply the log function onto the paired output derived using Cantor pairing function to obtain the uniform features distribution. We have conducted a number of experiments by considering the different values of = 1.1, 1.2, 1.3,…, 2 and measured the performance in terms of EER for dataset DB1 of FVC2002, DB3 of FVC2004 and DB1 of FVC2006 as reported in Table 2. The experimental evaluation illustrates that the method performs the best on = 1.2. We observe that small value of amplifies the distribution of paired output reducing EER. Also, EER gets increases as the discrimination between features of the different subjects gets reduced for high values of . Therefore, we consider =1.2 to evaluate the performance of our method.

EER (in %)  





1.1  2.13  4.03  6.84  
1.2  1.75  3.97  5.14  
1.3  2.43  4.87  7.04  
1.4  4.07  5.13  8.93  
1.5  5.51  6.83  9.94  
1.6  6.91  8.03  11.53  
1.7  8.12  10.23  13.18  
1.8  10.03  11.89  14.91  
1.9  11.36  13.97  16.12  
2  12.89  14.64  17.9 
IvD Performance evaluation
To measure the performance of our method, we have conducted two sets of experiments. We evaluate the performance under the same key and different key scenario in the first and second set of experiments, respectively. Each experiment is conducted 10 times, and the average performance of 10 trials is reported in the paper.
IvD1 Same key scenario
This scenario represents the situation in practice when an imposter unveils the random projection matrix (). We have evaluated this scenario by assigning the same to each user present in the database. The ROC curves for FVC2002, FVC2004, and FVC2006 databases with FVC and 1VS1 protocols are shown in Fig. 3, Fig. 4 and Fig. 5, respectively.
FVC2002: For FVC2002 database, we achieve an EER of 1.75, 0.98, 4.02, and 3.74 for DB1, DB2, DB3, and DB4 datasets, respectively using FVC protocol. For 1VS1 protocol, we obtain an EER of 0, 0.13, 3.39, and 3.02 for DB1, DB2, DB3, and DB4, respectively. Out of all FVC2002 datasets, the method exhibit low EER on DB1 and DB2 for both protocols due to the presence of more number of good quality images as compared to other datasets of FVC2002. Further, \nth1 and \nth2 images of a subject in FVC2002 DB2 are acquired in the same session and have less variation and distortion than the other six images. However, images in DB3 and DB4 dataset of FVC2002 contain relatively poor quality images with less number of minutiae points as compared to dataset DB1 and DB2. As a result, we achieve high EER for DB3 and DB4 datasets under both protocols.
FVC2004: For FVC2004 database, we achieve an EER of 4.38, 6.59, 3.97, and 3.16 for DB1, DB2, DB3, and DB4 datasets, respectively using FVC protocol. In the 1VS1 protocol, we obtain an EER of 4.02, 5.77, 3.88, and 3.04 for DB1, DB2, DB3, and DB4, respectively. The method performs better on DB4, out of all FVC2004 datasets in both protocols. However, the method gives a high value of EER on DB2 for both protocols as the first two images of the DB2 dataset are heavily distorted. Moreover, the small overlap area corresponding to the images of stored and query templates is another reason for less accuracy on FVC2004 DB2. For example, if we consider the images of stored and query template, as 96_1.tif and 96_2.tif, the genuine verification attempt fails. This is because 96_1.tif contains the region below the core point, whereas 96_2.tif contains region above the core point. The absence of overlapping area causes very few or zero corresponding minutiae from the stored and query templates. Since the proposed system relies on minutiae neighborhood, the lack of corresponding minutiae pair from the stored and query template pair causes comparison trial to fail. We achieve high EER for all four datasets of the FVC2004 database since all the users were requested to put deliberate perturbations at the time of acquisition [34].
FVC2006: For FVC2006 dataset, we achieve an EER of 5.14, 0.14, 1.63, and 0.49 for DB1, DB2, DB3, and DB4, respectively using FVC protocol. For 1VS1 protocol, we obtain an EER of 3.8, 0.09, 2.02, and 1.03 for DB1, DB2, DB3, and DB4, respectively. All of the four datasets are selected among the heterogeneous populations (i.e., manual workers and elderly people) allowing most difficult fingerprints according to quality index with explicit distortions such as large amounts of rotation and displacement, wet/dry impressions, etc. The dataset DB1 contains small sized poor quality images with missing minutiae. Therefore, the method produces high EER on the DB1 dataset. The method performs optimally on the DB2 dataset for both protocols due to the presence of relatively good quality images. Dataset DB3 and DB4 consist of more number of poor quality images in comparison to dataset DB2. Therefore, it is observed that the performance of the method degrades for DB3 and DB4 of the FVC2006 dataset.
Further, we also observe that the proposed method performs better with 1VS1 protocol compared to standard FVC protocol. The reason lies in the number of genuine verification attempts. In case of 1VS1 protocol, the first two images of the same user are utilized, whereas all eight images from each user are utilized in the genuine verification for the standard FVC protocol. However, we achieve high EER for 1VS1 protocol as compared to FVC protocol for the DB3 and DB4 datasets of the FVC2006 database since the first two images are noisy and involve nonoverlapping regions.
IvD2 Different key scenario
In the second set of experiment, we assign the different projection matrices to the different users by altering the seed value and test our method for both the protocols. For FVC2002 dataset, our method performs ideal for all datasets (EER = 0) with both protocols. Moreover, we achieve an EER of 0 for DB1 and DB2 datasets of FVC2004. Datasets DB3 and DB4 consist of more number of poor quality images with very few or missing minutiae in comparison to datasets DB1 and DB2. For DB3 and DB4 dataset, the method gives EERs of 0.08 and 0.03, respectively. For FVC2006 dataset, we achieve an EER close to 0 for DB1, DB2, DB3, and DB4 using FVC and 1VS1 protocols. Therefore, it is evident that the performance of the method in the different key scenario is almost ideal for all datasets.
IvE Comparison of with and without transformation
To perform a fair comparison, the verification performance of the proposed cancelable biometric system is analyzed with respect to the baseline biometric system (i.e., original ridge features). Further, a comparison process relying on the original minutiae should be taken into account, since the employed ridgebased representation is already part of the process generating the proposed protected templates. Therefore, we compare the performance of the method under three scenarios i.e. original minutiae comparison, original ridge features and protected templates. In this experiment, first we compute the performance for original minutiae comparison based on adaptive image enhancement method proposed by Bartunek et al. [36]. The approach involves publicly available Bozorth3 minutiae matcher [37] from NIST to evaluate the performance. Next, we compute the performance using original ridge features of the query and stored templates. Further, we apply the proposed approach to derive cancelable template and compare the stored and query templates in the transformed domain. Table 3 reports the EERs obtained from the original minutiae comparison, original ridge features and the cancelable (protected) fingerprint template for the different datasets. It has been observed that the proposed ridgebased computation outperforms the original minutiae comparison since Bozorth3 does not perform well for poor quality fingerprint images with fewer minutiae points. Also, Bozorth3 is not robust against the alignment, and scale deformations present between the stored and query templates. Therefore, it is evident that the proposed method outperforms than the Bozorth3 matcher.
For FVC protocol, the reported results in Table 3 exhibit that there is a minor degradation of 0.19%, 0.15%, 0.05% and 0.07% in the performance for DB1, DB2, DB3, DB4 of FVC2002, 0.053%, 0.07%, 0.033%, 0.04% for DB1, DB2, DB3, DB4 of FVC2004 and 0.04%, 0.14%, 0.037%, 0.32% for DB1, DB2, DB3, DB4 of FVC2006, respectively with reference to original ridge features. For 1VS1 protocol, the reported results in Table 4 indicate that the performance is degraded by 0%, 0.85%, 0.08% and 0.09% for DB1, DB2, DB3, DB4 of FVC2002, 0.05%, 0.11%, 0.04%, 0.05% for DB1, DB2, DB3, DB4 of FVC2004 and 0.048%, 2.0%, 0.09%, 0.17% for DB1, DB2, DB3, DB4 of FVC2006, respectively with reference to original ridge features. Therefore, we can conclude that performance degradation produced by the transformation is very low.
Dataset  EER  





DB1  DB2  DB3  DB4  DB1  DB2  DB3  DB4  DB1  DB2  DB3  DB4  
FVC2002  2.8  2.3  6.5  3.9  1.47  0.89  3.81  3.49  1.75  0.98  4.02  3.74  
FVC2004  9.6  5.9  6.2  6.6  4.14  6.12  3.84  3.03  4.38  6.59  3.97  3.16  
FVC2006  5.2  1.39  2.91  1.27  4.93  0.12  1.57  0.37  5.14  0.14  1.63  0.49 
Dataset  EER  




DB1  DB2  DB3  DB4  DB1  DB2  DB3  DB4  DB1  DB2  DB3  DB4  
FVC2002  0.91  1.02  4.3  3.89  0  0.07  3.13  2.77  0  0.13  3.39  3.02  
FVC2004  4.65  6.30  4.72  3.95  3.81  5.19  3.69  2.89  4.02  5.77  3.88  3.04  
FVC2006  4.87  1.04  2.65  2.83  3.62  0.03  1.83  0.88  3.8  0.09  2.02  1.03 
IvF Comparison with the existing cancelable biometric approaches
The approaches in [8, 22, 23, 25, 24, 27, 28] used FVC 2002 database to evaluate the performance of their method using standard FVC protocol. Further, Wong et al. [11] also evaluated the performance on DB1 of FVC2004. In addition to each dataset of FVC2002, Ferrara et al. [17, 18] evaluated their methods on DB1 of FVC2004 and DB2 of FVC2006. The authors, Yang et al. [24] and Wang et al. [27] evaluated the performance on DB2 of FVC2002 with the 1VS1 protocol. Ferrara et al. [17, 18] also evaluated their methods on DB2 of FVC2006 and each datasets of FVC2002 database for 1VS1 protocol. Therefore, we compare our method with these current stateoftheart approaches [8, 22, 23, 25, 24, 11, 17, 18, 27, 28] in the literature. Table 5 and 6 summarizes the comparison in terms of EER on different FVC datasets for 1VS1 and FVC protocols, respectively. From Table 5, we observe that the best result reported in existing literature is EER = 0, 0.02, 3.43, 3.37 and 0.03 for FVC2002DB1, FVC2002DB2, FVC2002DB3, FVC2002DB4 and FVC2006DB2, respectively, whereas our approach yields EER of 0, 0.13, 3.39, 3.02 and 0.09 for FVC2002DB1, FVC2002DB2, FVC2002DB3, FVC2002DB4 and FVC2006DB2, respectively. From Table 6, we observe that the best result reported in existing literature is EER = 1, 0.99, 5.24, 4.84, 10.36 and 0.17 for FVC2002DB1, FVC2002DB2, FVC2002DB3, FVC2002DB4, FVC2004DB1 and FVC2006DB2, respectively, whereas our approach gives EER of 1.75, 0.98, 4.02, 3.74, 4.38 and 0.14 for FVC2002DB1, FVC2002DB2, FVC2002DB3, FVC2002DB4, FVC2004DB1 and FVC2006DB2, respectively. However, we can observe that the performance of the proposed method for the DB2 dataset of FVC2002 and FVC2006 is slightly lower than [17] in 1VS1 protocol and the EER of FVC2002DB1 is lower than that of Wang et al. [28], but it is comparable. Therefore, it is evident from the reported results that the performance of our proposed approach performs better over the existing template protection techniques.
Datasets  Methods  






DB1    0  3  0  
DB2  0.72  0.02  2  0.13  
DB3    3.43  7  3.39  
DB4    3.37    3.02  

DB2    0.03    0.09 
Datasets  Methods  













DB1  9  3.5  3.4  4.69    2.1  1.88  3.3  4  1  1.75  
DB2  6  4    5.03  4.53  1.2  0.99  1.8  3  2  0.98  
DB3  27  7.5          5.24  7.8  8.5  5.2  4.02  
DB4              4.84  6.6      3.74  

DB1        10.36        6.3      4.38  

DB2              0.17  0.3      0.14 

indicates that the author(s) have not reported the results or results are reported for partial dataset, in their work.
V Security analysis
The security of the derived protected template is guaranteed when an adversary has no information about the transformation. If an adversary unveils any information about cancelable transformation, the security of the proposed system is guaranteed by three factors: noninvertibility, revocability, and diversity. In this section, we analyze our method with respect to these three contexts.
Va Noninvertibility
The term, noninvertibility refers that it should be computationally infeasible to derive the original fingerprint template from the protected template. Note that a randomized projection matrix () is utilized to generate a cancelable template from the log template (). To meet the noninvertibility requirement, we have adopted a reference architecture proposed by Breebaart et al. [4]. Figure 6 shows the reference architecture where the protected template (), random projection matrix (), and the parameters (, ) can be presumed as pseudoidentity, auxiliary data and supplementary data, respectively.
In the reference architecture, the protected template () is derived at the enrollment phase. The biometric sample, ridge features and the parameter (, ) are destroyed after the successful verification of stored protected and query protected templates. Due to privacy preservation, it may have been either issued for a limited period or may require revocation when compromised. Moreover, the biometric characteristics may get affected due to aging effects. Hence, it requires renewal after a validity period regulated through watch list. The protected template along with the and supplementary data () are stored in the database. During verification, a protected query template () is generated from the issued , biometric sample and the parameters (, ). Next, the stored protected template () and the query protected template () are forwarded to a comparator/matching server via the communication interface to verify the identity. In this section, we analyze the criterion of noninvertibility with three different architectural components i.e. database, matching server and communication interface for information exchange.
VA1 Compromised database
In this scenario, an attacker can reveal the database i.e. protected template () and the random projection matrix (). On the possession of this information, the attacker would not be able to retrieve the log template () since the size of is where and the entries of are independent and identically distributed (i.i.d.) Gaussian random variables. Evaluation of from results to find a solution for underdetermined system because it is hard to find unknowns from linearly independent equations where (see Proposition 12 in Section IIIE). Further, it has also been proved in Du et al. [38] that if the projection matrix follows the condition and entries in are i.i.d., it is very hard to find the from . Moreover, even if the attacker achieves supplementary information (), it would be infeasible to unveil the as analyzed in the third scenario i.e. compromised communication interface.
VA2 Compromised matching server
Let us assume that an attacker unveils matching server i.e. stored protected template () and query protected template (). Next, an attacker tries to evaluate by correlating the information contained in and . In this situation, an attacker would not be able to retrieve since he does not have any information about the .
VA3 Compromised communication interface
In this scenario, an attacker may have control over communication interface between the database and matching server. In this situation, the adversary would be able to estimate the stored protected template (), query protected template () and the random projection matrix (). On the possession of these information, the attacker may utilize and , or and to retrieve the log template (). This situation is identical to the first scenario i.e. compromised database. Further, the attacker may correlate and to evaluate . This situation is same as the second scenario i.e. compromised matching server.
Further, we assume that the attacker unveils the approximate by applying known key distinguishing attack. In this situation, the imposter tries to estimate or approximate using the value of parameter . However, it would not be possible to retrieve original ridge features since the inversion involves the computation of a square root which gives one to many correspondences as defined in Eq. 12(a)(d).
(12a)  
(12b)  
(12c)  
(12d) 
where, , and represent the ridge count, mean ridge orientation and transformed paired output, respectively. and are the intermediate values in the calculation and is the floor function. Hence, it would not be possible to invert to attain the original ridge features. Therefore, it can be stated that our method preserves the criterion of noninvertibility.
VB Revocability
The term revocability refers to the design of a new protected template if stored template gets leaked. The newly generated template should be adequately dissimilar to the compromised one. In this work, a new protected template can be issued just by altering . To ensure the potent revocability, the biometric templates that are derived by applying different s for the same user in different applications, should not be able to verify each other. Here, the random projection is motivated by the JohnsonLindenstrauss (JL) lemma described in [39]. The lemma states that:
For any and an integer , let be a positive integer such that (). For any set of points in , there exists a map such that: for all ,
(13) 
where, and are two randomly derived vectors in the dimensional Euclidean space, . For innerproduct based similarity, it states that:
This lemma provides a proof that the similarity between any two vectors can be preserved up to a factor of when these vectors are projected onto a random dimensional subspace. Such type of mapping can be performed by utilizing a matrix containing orthonormal columns as described in Lemma 5.2 [40]. The lemma states that:
Let be a matrix of size where . Each of the entries of are i.i.d. Gaussian random variable with zero mean and variance , , =1, , , =1,, .
Let and ; then,
(14) 
(15) 
where, and are elements of and , respectively.
The output here confirms that , where denotes an identity matrix. The elements of are centered around their mean with very small variance. This suggests that vectors with random directions are close to orthogonal (i.e. ). Further, it is obvious that if , then, , where denotes individual columns of . This mathematical proof ensures that columns in are saturated around one which signifies that the vectors in are nearly orthonormal. For revocable biometric template generation, we evaluate the probability of false match when the biometric data of the same user is exploited with the different random projection matrices, denoted as . Therefore, the revocability i.e. probability of a protected template being revocable can be defined as: . The higher value of corresponds to better revocability. In general, zero cannot be obtained if we apply random projection directly onto the biometric data (). Further, this probability can be reduced by adding an extra vector to the , , where denotes the threshold of verification system [41]. In similar manner, the biometric templates with 1 could be derived, if different random projection matrices are exploited on the original template of the same user nullifying the record multiplicity attack [1]. In this work, we achieve = 0.982 corresponding to a threshold, =0.65.
We also verify this security aspect empirically by generating 100 different protected templates using 100 different projection matrices from the same finger. Next, we perform a comparison of these 100 templates with the originally enrolled template to obtain the pseudoimposter scores. We achieve mean and variance of (0.7519; 0.018), (0.3982; 0.177) and (0.3563; 0.189) for genuine, imposter and pseudoimposter distributions, respectively. These values indicate that mean and variance for the pseudoimposter distribution are at a distant to genuine distribution and near towards the imposter distribution. Moreover, we obtain FMR = 0, which depicts that all queries are rejected. This signifies that the derived templates are dissimilar to the enrolled templates for the same finger. Although, the templates are generated from the same finger pattern, they are uncorrelated to each other. Therefore, the claim of revocability is preserved.
VC Diversity
The characteristics of diversity state that it should derive numerous templates and these derived templates should not provide positive biometric claim over other applications to avoid crossmatching. In our method, multiple fingerprint templates can be derived by choosing the different projection matrices () with the different seed values (). Also, the two parameters illustrated in Section IV(C); the number of sectors () and logbase value () can be utilized to derive numerous templates. The derived protected templates are sufficiently different from the raw fingerprint template which indicates that a user can enroll itself with different templates in different applications without any crossmatching. Hence, it has been confirmed that the method validates the property of diversity.
VD Other attacks
We also analyze the possibility of different types of attacks namely Attacks via Record Multiplicity, preimage, crossmatching, distinguishing and annealing attacks to validate the robustness of the proposed work:
Attack via Record Multiplicity (ARM): This is a scenario where the attacker employs multiple stolen protected templates with or without associated parameters to generate original template [42]. For our approach, it is infeasible to apply ARM since stored template’s dimensionality is uncorrelated to the original template’s feature space. Further, numerical values in protected template contain both positive and negative signs due to random projection based transformation. ARM attacks can be launched where the multiplication output contains either all positive or all negative entries. Therefore, the possibility of ARM attack for the proposed method gets nullified.
Preimage attack: In this attack, the attacker can utilize multiple protected instances to derive a preimage instance. Knowledge of Security can also be challenged using feature order with different projection matrices to create a fake template. Biohashing based methods [6, 43, 7, 44] derive binary string by projecting feature vectors with userspecific random numbers. In contrast, the bitstring could be easily exploited to disclose original minutiae information. Moreover, the projection matrix in Biohashing is not only a square matrix but also have orthonormal row vectors i.e. =I, where is the pseudoinverse of and I is the identity matrix. This makes the Biohashing methods vulnerable to preimage attack. However, the proposed random projection based transformation is different to the methods involving Biohashing. Here, the random projection is utilized to hide the log template among infinitely many possible solutions. Also, our method does not depend on the order of feature components while generating the original as well as the protected template. Further, any value could not be investigated from the two projected feature vectors in any position due to the different sized enrolled and query template. Hence, preimage attack could not be utilized to derive the original template in our method.
Crossmatching attack: The crossmatching attack refers to the scenario where an adversary is able to compromise the databases stored in different applications. The protected templates each from different applications are analyzed to restore the original template. However, the random projection transformation described in Eq. (6) avoids any possibility of crossmatching attack across different applications. The proof for the same has been stated in proposition 1 and 2 of Section IIIE.
Distinguishing attack: In distinguishing attack [45], an imposter tries to utilize the same protected template captured from the different applications to derive the original template by correlating the information. To prevent this, the different protected templates can be utilized in the different applications. However, the attacker can retrieve the different protected templates () along with the known random projection matrices () from the different applications in the knownkey distinguishing attack. In this situation, the attacker would be able to unveil log template (). Further, he may estimate the paired output () or approximate using the value of or approximately equal to . However, it is not possible to derive original ridge features since the Cantor pairing function is irreversible as defined in Eq. (12a)(12d) (for details, see Section VA).
Annealing attack: In this attack [2], the protected template is divided into multiple regions, and some regions of a sample template are paired with some regions of the reference template to evaluate similarity score. If the similarity score exceeds the threshold, the vicinity corresponding to sample’s region is included in the gummy template. This step is repeated until it outputs a gummy template including all matched vicinities. Our approach is robust against this type of attack due to the following reasons:

Our approach evaluates the nearest neighbor minutia for each minutiae point causing the different radii to the different minutiae points. Hence, it is very hard to map the gummy template with the original template which is derived from the multiple regions with the variable radius.

Ridgebased features are utilized for the neighboring minutiae in each sector instead of relative distances or the directional difference between minutiae pairs. Here, the measured ridge features are invariant to the interridge distances and locations of minutiae points.
Vi Conclusion and future work
In this paper, we have proposed prealignment free cancelable fingerprint template generation technique. The proposed technique does not rely on detection of singular points. We divide the input fingerprint image into a number of sectors of equal angular width considering each minutia as a reference and use the nearest neighbor minutiae in each sector to compute transformation invariant ridge count and mean ridge orientation features from each sector. Cantor pairing function is applied to encode these features uniquely. Further, the pointwise logarithm operation is exploited to yield uniformly distributed features. Finally, a random projection is adopted to derive a noninvertible and revocable cancelable template. Experimental evaluation performed over four datasets of FVC2002, FVC2004, and FVC2006 databases depict that the significant performance improvement is achieved as compared to the current stateoftheart techniques. Moreover, the security analysis of our work confirms that our approach fulfills the desired characteristics of template protection schemes preserving the recognition performance too. However, the proposed ridgebased feature computation for lowquality fingerprint and partial fingerprint images is still a demanding area. In our future work, we would try to address this limitation. The computational complexity of the proposed method is . Hence, future work along the direction to reduce/improve computational complexity is underway.
References
 [1] F. Quan, S. Fei, C. Anni, and Z. Feifei, “Cracking cancelable fingerprint template of ratha,” in 2008 International Symposium on Computer Science and Computational Technology, vol. 2, Dec 2008, pp. 572–575.
 [2] A. Pashalidis, “Simulated annealing attack on certain fingerprint authentication systems,” in International Conference of the BIOSIG Special Interest Group (BIOSIG), Sept 2013, pp. 1–11.
 [3] A. K. jain, K. Nandakumar, and A. Nagar, “Biometric template security,” EURASIP J. Adv. Signal Processing, pp. 113:1–113:17, jan 2008.
 [4] J. Breebaart, C. Busch, J. Grave, and E. Kindt, “A reference architecture for biometric template protection based on pseudo identities,” in BIOSIG, 2008.
 [5] R. Bolle, J. Connell, and N. Ratha, “System and method for distorting a biometric for transactions with enhanced security and privacy,” dec 2004, US Patent 6,836,554.
 [6] A. B. Teoh, Y. W. Kuan, and S. Lee, “Cancellable biometrics and annotations on biohash,” Pattern Recognition, vol. 41(6), pp. 2034 – 2044, 2008.
 [7] A. T. B. Jin, D. N. C. Ling, and A. Goh, “Biohashing: two factor authentication featuring fingerprint data and tokenised random number,” Pattern Recognition, vol. 37, no. 11, pp. 2245 – 2255, 2004.
 [8] T. Ahmad, J. Hu, and S. Wang, “Pairpolar coordinatebased cancelable fingerprint templates,” Pattern Recognition, vol. 44, no. 1011, pp. 2555 – 2564, 2011.
 [9] Z. Jin, T. S. Ong, C. Tee, and A. B. J. Teoh, “Generating revocable fingerprint template using polar grid based 3tuple quantization technique,” in IEEE 54th International Midwest Symposium on Circuits and Systems, Aug 2011, pp. 1–4.
 [10] S. Wang and J. Hu, “Design of alignmentfree cancelable fingerprint templates via curtailed circular convolution,” Pattern Recognition, vol. 47, no. 3, pp. 1321 – 1329, 2014.
 [11] W. jing Wong, M. ling Dennis Wong, and Y. hee Kho, “Multiline code: A low complexity revocable fingerprint template for cancelable biometrics,” Journal of Central South University, vol. 20, no. 5, pp. 1292–1297, 2013.
 [12] C. Lee and J. Kim, “Cancelable fingerprint templates using minutiaebased bitstrings,” Journal of Network and Computer Applications, vol. 33, no. 3, pp. 236 – 246, 2010.
 [13] P. Das, K. Karthik, and B. Chandra Garai, “A robust alignmentfree fingerprint hashing algorithm based on minimum distance graphs,” Pattern Recognition, vol. 45, no. 9, pp. 3373–3388, 2012.
 [14] E. Liu, H. Zhao, J. Liang, L. Pang, H. Chen, and J. Tian, “Random local region descriptor (RLRD): A new method for fixedlength feature representation of fingerprint image and its application to template protection,” Future Generation Computer Systems, vol. 28(1), pp. 236–243, 2012.
 [15] F. Farooq, R. Bolle, T.Y. Jea, and N. Ratha, “Anonymous and revocable fingerprint recognition,” in IEEE Conference on Computer Vision and Pattern Recognition, June 2007, pp. 1–7.
 [16] R. Cappelli, M. Ferrara, and D. Maltoni, “Minutia cylindercode: A new representation and matching technique for fingerprint recognition,” IEEE Transactions on Pattern Analysis and Machine Intelligence, vol. 32, no. 12, pp. 2128–2141, 2010.
 [17] M. Ferrara, D. Maltoni, and R. Cappelli, “Noninvertible minutia cylindercode representation,” IEEE Transactions on Information Forensics and Security, vol. 7, no. 6, pp. 1727–1737, Dec 2012.
 [18] M. Ferrara, D. Maltoni, and R. Cappelli, “A twofactor protection scheme for mcc fingerprint templates,” in International Conference of the Biometrics Special Interest Group (BIOSIG), Sept 2014, pp. 1–8.
 [19] Y. Sutcu, H. T. Sencar, and N. Memon, “A geometric transformation to protect minutiaebased fingerprint templates,” in Defense and Security Symposium, 2007, pp. 65 390E–65 390E.
 [20] R. Dwivedi and S. Dey, “Coprime mapping transformation for protected and revocable fingerprint template generation,” in Mining Intelligence and Knowledge Exploration. Springer International Publishing, 2017, pp. 111–122.
 [21] N. K. Ratha, S. Chikkerur, J. H. Connell, and R. M. Bolle, “Generating cancelable fingerprint templates,” IEEE Transactions on Pattern Analysis and Machine Intelligence, vol. 29, no. 4, pp. 561–572, 2007.
 [22] T. E. Boult, W. J. Scheirer, and R. Woodworth, “Revocable fingerprint biotokens: accuracy and security analysis,” in IEEE Int. Conference on Computer Vision and Pattern Recognition, June 2007, pp. 1–8.
 [23] C. Lee, J.Y. Choi, K.A. Toh, and S. Lee, “Alignmentfree cancelable fingerprint templates based on local minutiae information,” IEEE Trans. on Systems, Man, and Cybernetics, vol. 37, pp. 980–992, 2007.
 [24] B. Yang, D. Hartung, K. Simoens, and C. Busch, “Dynamic random projection for biometric template protection,” in IEEE International Conference on Biometrics: Theory Applications and Systems (BTAS), Sept 2010, pp. 1–7.
 [25] S. Wang and J. Hu, “Alignmentfree cancelable fingerprint template design: A densely infinitetoone mapping approach,” Pattern Recognition, vol. 45, no. 12, pp. 4129 – 4137, 2012.
 [26] W. J. Wong, A. B. Teoh, M. D. Wong, and Y. H. Kho, “Enhanced multiline code for minutiaebased fingerprint template protection,” Pattern Recognition Letters, vol. 34, no. 11, pp. 1221 – 1229, 2013.
 [27] S. Wang and J. Hu, “A blind system identification approach to cancelable fingerprint templates,” Pattern Recognition, vol. 54, pp. 14 – 22, 2016.
 [28] S. Wang, G. Deng, and J. Hu, “A partial hadamard transform approach to the design of cancelable fingerprint templates containing binary biometric representations,” Pattern Recognition, vol. 61, pp. 447 – 458, 2017.
 [29] J. Abraham, J. Gao, and P. Kwan, Fingerprint matching using a hybrid shape and orientation descriptor. INTECH Open Access Pub., 2011.
 [30] M. Lisi, “Some remarks on the cantor pairing function,” Le Matematiche, vol. 62, no. 1, pp. 55–65, 2007.
 [31] G. Cantor, Contributions to the Founding of the Theory of Transﬁnite Numbers. New York: Dover, 1955.
 [32] E. Kreyszig, Advanced engineering mathematics. John Wiley & Sons, 2010.
 [33] W.H. Steeb and Y. Hardy, Problems and solutions in introductory and advanced matrix calculus. World Scientific Publishing Company, 2016.
 [34] “Fingerprint Verification Competition,” https://biolab.csr.unibo.it/FVCOnGoing/UI/Form/Home.aspxp.
 [35] “ISO/IEC 238237:2012 information technology – vocabulary – part 37: biometrics 2012,” 2012. [Online]. Available: https://www.iso.org/standard/55194.html
 [36] J. S. Bartunek, M. Nilsson, B. Sallberg, and I. Claesson, “Adaptive fingerprint image enhancement with emphasis on preprocessing of data,” IEEE transactions on image processing, vol. 22, no. 2, pp. 644–656, 2013.
 [37] C. I. Watson, M. D. Garris, E. Tabassi, C. L. Wilson, R. M. McCabe, and S. Janet, “User’s guide to nist fingerprint image software 2 (nfis2),” National Institute of Standards and Technology, 2004.
 [38] W. Du, Y. S. Han, and S. Chen, “Privacypreserving multivariate statistical analysis: Linear regression and classification,” in Proceedings of the SIAM Int. Conference on Data Mining, 2004, pp. 222–233.
 [39] W. B. Johnson, J. Lindenstrauss, and G. Schechtman, “Extensions of lipschitz maps into banach spaces,” Israel Journal of Mathematics, vol. 54, no. 2, pp. 129–138, 1986.
 [40] K. Liu, H. Kargupta, and J. Ryan, “Random projectionbased multiplicative data perturbation for privacy preserving distributed data mining,” IEEE Transactions on knowledge and Data Engineering, vol. 18, no. 1, pp. 92–106, 2006.
 [41] Y. Wang and K. N. Plataniotis, “An analysis of random projection for changeable and privacypreserving biometric verification,” IEEE Transactions on Systems, Man, and Cybernetics, Part B (Cybernetics), vol. 40, no. 5, pp. 1280–1293, Oct 2010.
 [42] W. J. Scheirer and T. E. Boult, “Cracking fuzzy vaults and biometric encryption,” in 2007 Biometrics Symposium, Sept 2007, pp. 1–6.
 [43] G. I. Davida, Y. Frankel, and B. Matt, “On enabling secure applications through offline biometric identification,” in IEEE Symposium on Security and Privacy, May 1998, pp. 148–157.
 [44] T. Connie, A. Teoh, M. Goh, and D. Ngo, “Palmhashing: a novel approach for cancelable biometrics,” Information Processing Letters, vol. 93, no. 1, pp. 1 – 5, 2005.
 [45] W. Yang, J. Hu, and S. Wang, “A delaunay quadranglebased fingerprint authentication system with template protection using topology code for local registration and security enhancement,” IEEE Transactions on Information Forensics and Security, vol. 9, no. 7, pp. 1179–1192, July 2014.