On the Unlinkability of Fingerprint Shell

To prevent the leakage of original biometric information of a user, it may be transformed into a cancelable form. A cancelable biometric transformation should satisfy four requirements: unlinkability, revocability, noninvertibility, and performance. In 2014, Moujahdi et al. proposed a new cancelable fingerprint transformation called fingerprint shell, which was also later discussed by Ali et al. In this paper, we show that all of the shell fingerprint schemes presented by Moujahdi et al. and Ali et al. do not satisfy the condition of unlinkability.


Introduction
e development of sensor technology has made it easier to use biometric recognition systems, and as a result, the demand for biometric authentication has increased sharply in devices such as smart phones and tablets. Biometric authentication is simpler and more convenient than other authentication methods using the secret user information.
However, biometric information cannot be replaced if it is compromised or exposed, meaning that it must be protected [1,2]. In feature transformation schemes, biometric information is transformed into a protected biometric template using the transformation function stored on a server. During the verification process, queried biometric information is also transformed using the same function and a matching score is calculated between the stored transformed template on the server and the queried transformed template to determine the validity of the information.
According to the property of transformation functions, feature transformation can be classified two ways: noninvertible transformation [3,4] and salting [5,6]. e noninvertible transformation applies a one-way function such as a hash function to the original biometric information. It should be computationally difficult to reconstruct the original biometric information from the transformed template even if the parameters of the functions are revealed. Salting is an invertible transformation that uses a userspecific key. at is, if an adversary obtained both the user key and the transformed template, they could recover the original biometric information. e noninvertible feature transformation methods must meet the following properties [7]: (i) Revocability: it should be possible to revoke and replace the transformed template. is is necessary because if the transformed biometric template were to become compromised, it should be revoked and replaced with a new one based on the biometric information of the same user. (ii) Unlinkability: it should be impossible to link transformed templates derived from the same user. is is necessary because if the user were to make a new transformed template after the user's old transformed template is revoked, it is desirable for the two transformed templates to look independent. (iii) Noninvertibility: it must be computationally difficult to discern the original template from the transformed template. Consequently, template matching must be done between the transformed templates.
(iv) Performance: the performance of biometric recognition using template transformation should be plausibly efficient compared to the performance of biometric recognition without transformation.
e unlinkability is often called diversity [8,9]. Diversity means that it is necessary to be able to generate diverse templates in one fingerprint, and there should be no relation between them. In addition, cross-matching should not be possible between templates in different applications. In other words, it is called unlinkability. We use unlinkability, which is more intuitive than diversity.
Recently, as various biometric traits such as ECG (electrocardiogram) and speech are widely used, concern about security has increased. Chee et al. proposed the speech template protection technique using the cancelable transform, called Random Binary Orthogonal Matrices Projection (RBOMP) hashing [10]. Wu et al. generated cancelable ECG templates with a subspace-based approach, MUSIC algorithm [11]. Some attacks have also been studied for cancelable biometric templates such as zero effort attack, inversion attack, ARM (attacks via record multiplicity), and similarity-based attack [8,12]. Dong et al. proposed a similarity-based attack framework that can be applied to any cancelable biometric templates [13].
In 2014, Moujahdi et al. proposed a new noninvertible feature transformation scheme for minutiae-based fingerprint recognition called fingerprint shell [9]. Ali and Prakash proposed new fingerprint shell schemes [14,15]. We propose a method to extract the original distance that should be protected from the fingerprint shell and use the framework to quantify how unsafe the shells are in this method. As a result, we show that the shells do not satisfy the condition of unlinkability.

Review of Fingerprint Shell
e basic idea of the fingerprint shell is to make a spiral curve using the information extracted from minutiae and singular points of a user. e process of making a fingerprint shell is as follows: (1) Minutiae and singular points are extracted from the fingerprint of a user. (2) For each singular point, the distance between each minutiae and singular point is calculated. We note that the distances are not changed by shifting or rotating a fingerprint image. We also note that the number of curves will be equal to the number of singular points.  (Figures 1 and 2). It should be noted that user key d 0 is added to all extracted distances d i before triangle construction. h i represents the length of the height of the triangle, which is calculated with the Pythagorean theorem. e hypotenuse of the previous triangle becomes the base of the proceeding triangle. As a result, except the initial triangle, all subsequent triangles rotate by the accumulated angle. (5) Finally, the fingerprint shell template consists of the top vertices of the triangles, which are stored as transformed templates.
For example, suppose that a fingerprint has two minutiae with (3, 2) and (5, 7) and singular point with (5, 5) coordinates. e sorted distances, d 1 and d 2 , between the minutiae and the singular point are 2 and �� 13 √ . Suppose also that a fingerprint shell is made using user key d 0 � 1.5. en, ), and (0, 1.1279), respectively. erefore, each point of the fingerprint shell to be stored is (1.5, �� 10 √ ) and (− 1.8585, 4.7533). In the verification, the fingerprint shell template is created from a query fingerprint and it is compared with the enrolled fingerprint shell using the Hausdorff distance. e Hausdorff distance between two sets A and B is defined as

Analysis of Unlinkability of Fingerprint Shell
In this section, we show that the fingerprint shell does not satisfy unlinkability. We first show that we can extract a user's secret key from the fingerprint shell of the user, if the fingerprint shell is revealed. And we show that the fingerprint shell does not satisfy the condition of unlinkability either. Figure 1: Simple example of fingerprint shell construction.

Fingerprint Shell Construction
: sorted distances d 1 , d 2 , …, d n and user's key d 0 Figure 2: Fingerprint shell construction algorithm.

Extraction of User Key.
In [9], the authors proposed a new template representation for fingerprint feature protection. Due to design problems, however, the user private key used to create the fingerprint shell is easily exposed. e fingerprint shell used (d i + d 0 ) to protect d i , the features of user fingerprint. It is not difficult to reconstruct d i using an exposed user private key d 0 because it uses simple addition operations. It can be done without any additional information besides the fingerprint shell. e fingerprint shell is stored on the server without any additional cryptographic operations because of the cancelable template property.
us, if an attacker gets a fingerprint shell from the server, it causes key exposure and template linkable. e first point (x 1 , y 1 ) in Figure 3) in the fingerprint shell is the top vertex of the first triangle. In the first triangle, the length of the base is d 0 (as same as x 1 in Figure 3), the length of the hypotenuse is d 1 + d 0 , and the length of the height is 0 (as same as y 1 in Figure 3). erefore, the coordinates of the first point are (x 1 , y 1 ) � Figure 3). As a result, we can easily obtain the user key d 0 � x 1 from the first point of the fingerprint shell. Furthermore, since the distances between each point in the fingerprint shell and origin point are in the form of d 0 + d i , we can reconstruct d i from the given fingerprint shell by extracting d 0 as described above (Figure 4).

Linkability of the Fingerprint Shell.
Unlinkability is defined by ISO/IEC 24745 : 2011 as "a property of two or more biometric references that cannot be linked to each other or to the subject(s) from which they were derived" [16].
In [17], the authors proposed a framework to evaluate linkability.
is framework defines mated and nonmated samples as two types of score distributions. e mated sample distribution is a set of scores computed between two templates from the same user. e nonmated sample distribution is made using scores computed between two templates from two different users. As shown in Figure 5, the sample distributions can be used to distinguish three different levels of linkability: fully unlinkable, fully linkable, and semilinkable. Figure 5(a) shows that the mated sample distribution with different keys (cross-matching) is identical to the nonmated sample distribution. It means that similarity scores between templates from the same finger using different keys are indistinguishable from similarity scores between different fingers.
is is referred to as fully unlinkable. Under a fully linkable scenario, the mated sample and nonmated sample distributions are completely separable ( Figure 5(c)). us, given the two templates, we can distinguish templates whether they originated from the same finger or different fingers. Semilinkable means that they were linked only for a subset of the templates. In the overlapping part of the mate sample and nonmated sample distributions ( Figure 5(b)), it is impossible to differentiate which templates are from the same or different fingers.
We measured the unlinkability of the fingerprint shell using the framework in [17]. e experiments were executed on four FVC2002 databases (DB1, DB2, DB3, and DB4) [18]. Each database contains 100 fingers with 8 impressions each. A linkage score calculated for two fingerprint shells, FS 1 and FS 2 , is HD(D 1 ′ , D 2 ′ ), where HD(·) is the Hausdorff distance and D 1 ′ and D 2 ′ are the extracted distance sets from FS 1 and FS 2 using Figure 4, respectively. If the given fingerprint shell FS 1 and FS 2 are the mated samples, the Hausdorff distance is small. Otherwise, the Hausdorff distance is large.
For the linkability test, we generated 51 fingerprint shells from the first impression of each finger using different user keys.
en, one of them is selected as a reference and compared against the remaining fingerprint shells of the same finger (i.e., 5000 attempts). Figure 6 represents the sample distributions for each FVC2002 database. It can be seen that the mated and nonmated distributions are clearly separated in all of the databases. In other words, the fingerprint shell is fully linkable on these four FVC2002 databases.

Linkability of Enhanced Fingerprint Shell.
Ali and Prakash proposed the enhanced fingerprint shell scheme in [14].
eir method is a two-step process of fingerprint shell construction and shell translation that uses two keys. e first step uses one of the key pairs to create a fingerprint shell that essentially replicates the original fingerprint shell construction. e next step is to add (k 0 × sin k 0 , k 0 × cos k 0 ), which is generated by the second key k 0 of the key pair, to all points in the created fingerprint shell.
For example, suppose that a fingerprint shell which is created in Section 2 is used to construct an enhanced fingerprint shell and a second user key k 0 used to shift the fingerprint shell is 1.2. For translation (k 0 × sin k 0 , k 0 × cos k 0 ) � (1.1184, 0.4348) is added to all points of the fingerprint shell. en, each point of the enhanced fingerprint shell to be stored is (1.5 + 1.1184, �� 10 √ + 0.4348) � (2.6184, 3.5971) and (− 1.8585 + 1.1184, 3.7533 + 0.4348) � (− 0.7401, 4.1881). ey wanted to enhance the security of the original fingerprint shell scheme with the additional key. However, it is not difficult to reconstruct the original fingerprint shell from a shell of the Ali and Prakash scheme [14]. e shell of Ali and Prakash's scheme consists of right angle triangles [14]. erefore, we can calculate the origin of the shell by finding intersection of perpendicular lines to connecting lines of neighboring shell points (Figure 7). e lines can be expressed as follows: e l i in (1) is an equation connecting P i and P i+1 , and the l ⊥ i in (2) is an equation perpendicular to l i passing through P i (Figure 7). e shifted origin is an intersection of the perpendicular lines l ⊥ i . Even if we do not know the second key of the key pair, we can recover the original fingerprint shell with only one key if the origin of the shell from Ali and Prakash's scheme is moved to the coordinate origin [14]. e translated shell is exactly the same as the original fingerprint shell [9]. erefore, Ali and Prakash's scheme in [14] also shows that it does not provide unlinkability in the same method as the previous section.

Linkability of 3D Secured Fingerprint Shell. Ali and
Prakash also proposed a new 3D fingerprint shell scheme based on the fingerprint shell [15]. ey used an angle in addition to the distance between singular and minutia. It is used to generate a new secured distance, l i . e set of l i and user key l 0 are used to generate a new one. e generated shell is rotated in the xy plane and xz plane using the user key s 0 and l 0 , respectively, and translated using the user key k 0 (see Figure 8). However, this algorithm is also vulnerable.
Translate the transformed 3D curve so that the first point of the curve is the origin and project each point on the curve to the xy plane such that the distance to the origin is maintained. en, using the origin calculation of the previous chapter, we can get the shell before the translation, as shown in Figure 9(b). As mentioned earlier, we can easily recover the l i from the shell. e l i is as follows: Suppose that the attacker has three different databases, from the same d i and θ i , then two equations can be obtained as follows: We know the s 0,A , s 0,B , and s 0,C through the inverse operation of the rotation in calculating l i from the new 3D shell. Equation (4) can be transformed as follows: e left side of equation (5) consists of the known values. So, the values obtained from the template of each database are calculated by using the left side of equation (5) and compared to determine whether the user is the same user.

Conclusions
Moujahdi et al. proposed a new noninvertible fingerprint transformation method called the fingerprint shell in [9] and Ali and Prakash proposed an enhanced fingerprint shell scheme in [14] and a new 3D fingerprint shell scheme in [15]. All the schemes present low computational cost and high levels of accuracy and are less sensitive to rotating fingerprint images.
However, the accuracy of these three schemes depends on a technique of singular point extraction. e singular point extraction is challenged with low quality images [19]. Table 1 shows the number of images used for experiments in [15]. For FVC2002 DB3 and FVC2004 DB2, only about 750 of 800 were used. e authors in [15] observed that the singular point extraction had filed for about 50 images due to the low image quality and excluded those low-quality images in the experiments. erefore, the fingerprint shell schemes might not be adequate for the low-quality images. Besides, we showed that all the fingerprint shell schemes of [9,14,15] do not provide unlinkability. at is, we have shown that we can construct a distinguisher which can tell whether the two  fingerprint shells are from the same user or different users with a high degree of success. ese problems come from using invertible operations such as translation, addition, and linear geometric transformation in making cancelable templates. To make secure and unlinkable templates, the cancelable template generation algorithms must use the nonlinear and noninvertible operations such as the many-to-one mapping and functional transformation in [20].
As a future work, it would be interesting to construct a new fingerprint shell scheme providing unlinkability.

Data Availability
e data used to support the findings of this study are included within the article.

Conflicts of Interest
e authors declare that there are no conflicts of interest regarding the publication of this paper.