Negative Databases for Biometric Data
aa r X i v : . [ c s . CR ] M a y Negative Databases for Biometric Data
Julien Bringer and Herv´e Chabanne , Sagem S´ecurit´e, France. T´el´ecom ParisTech, France.November 11, 2018
Abstract
Negative databases – negative representations of a set of data – havebeen introduced in 2004 to protect the data they contain. Today, nosolution is known to constitute biometric negative databases. This issurprising as biometric applications are very demanding of such protectionfor privacy reasons. The main difficulty comes from the fact that biometriccaptures of the same trait give different results and comparisons of thestored reference with the fresh captured biometric data has to take intoaccount this variability. In this paper, we give a first answer to thisproblem by exhibiting a way to create and exploit biometric negativedatabases.
Keywords. Biometric data, Negative database, Privacy.
Biometric data must be protected in order to prevent someone to be able totrack back the users of a biometric system. Recently, they have been a lot ofresearches on their storage in a way which is renewable and which does notleak information. Typically, biometric data are quantized and encrypted. Thisencryption must still permit the matching of the underlying biometric datawithout decrypting them. On one hand, some very simple techniques of encryp-tion, known as secure sketches have been suggested [10, 19] but their resistanceseems doubtful in practice [2, 20]. On the other hand, secure sketches can becombined with homomorphic encryption but in this case, the performances ofthe computations are penalized [1, 5, 21].In this paper, we have a different approach following the one of the negativedatabases [12]. In a negative database, instead of having the elements of adatabase DB , we consider the complementary DB of these elements. This meansthat instead of checking whether b ∈ DB , we have to equivalently verify that b / ∈ DB . The representation of negative databases is made possible thanks toa wild-card symbol ∗ which stands for all the values; for instance, as we arehere going to work with binary vectors, a ∗ for a bit means either the value 01r 1. Negative databases got very interesting properties. Firstly, for a givendatabase DB , different negative databases DB can be established. Moreover,starting from DB , it is hard to retrieve DB . Finally, relational algebra alsoexists for negative databases. It should be noted that our approach is differentfrom the previous one which treats biometric data individually while we arehere considering a database as a whole.The difficulty we encounter is that each capture of the same biometric datagives a different value. We here consider binarized biometric data, i.e. b standsfor a binary vector representing a biometric trait. A new capture of this bio-metric trait will give a binary vector with numerous coordinates differing fromthe ones of b . Our approach follows the one described in for identifying peoplethanks to their iris [16]. We here how show to handle this problem.We begin in Section 2 by recalling some works on the binarization of biomet-ric data. We state the properties these binarized data have to fulfill for the restof our work. In Section 3, we give a short introduction to negative databases.Section 4 constitutes the core of our proposal and explains how to create anduse biometric negative databases. We give an example to gauge the efficiency ofour solution when applied to a real-life case. And finally, Section 6 concludes.We conclude this introduction by recalling some basic facts about biometricdata. A reader, familiar with this topic, can skip it to go directly to Section 2. Biometric recognition techniques can lead to quite different applications thanthose which are possible when you are dealing with, for instance, passwords.A major difference comes from the fact that your biometric data enable toidentify yourself among a large set of people during your whole lifetime. Thischaracteristic is reinforced by the fact that biometric data are non-transferableto someone else. On one hand, a positive aspect is that this can been seen asa very natural and easy-to-deploy way of identifying populations (think at thecensus of the citizens of a country). On the other hand, biometric data mustbe protected to respect their privacy. Today, AFIS (Automated FingerprintIdentification System) are present in many countries worldwide for police or civilapplications. These AFIS can gather together the biometric data of millions ofusers. Usually, for measuring their performances, we evaluate their accuracy interms of FAR (False Acceptance Rate: the probability that the system rejectsa genuine user) and FRR (False Reject Rate: the probability that the systemaccepts an impostor). These 2 rates FAR and FRR cannot be reduced bothat the same time and some compromise must be found according your wish tofavour security or comfort. In this paper, we are looking at biometric systemsof smaller scale. Typically, we are considering biometric readers mainly usedfor restricting the access control to a building or a room. The need for storageof biometric data is then limited to less than one hundred records.2
Binarization of Biometric Data
Let β designate the biometric trait of an user. Let b ← β indicate that the value b has been captured by a sensor.We here make the hypothesis that the biometric b are quantized and can bepresented as binary vectors of length n , b ∈ { , } n in such a way that: Condition 1
1. Two different captures b, b ′ from the same user U are withhigh probability at a Hamming distance d ( b, b ′ ) ≤ λ min .2. Captures b , b of different users U , U are at a Hamming distance d ( b , b ) >λ max . The origin of Condition 1 comes from iris recognition technology [8] wherethe concept of iriscodes has been introduced. Iriscodes are binary vectors oflength n = 2048 where the features of iris are represented. They are comparedby their Hamming distance. Following this, various attempts have been madefor applying this kind of representations to fingerprints [3, 18] or faces as in [6].Condition 1 has been exploited in [16] for an efficient search algorithm over alarge database. With a high probability the vectors we are comparing will havemany small portions of their coordinates equal whenever they come from thesame user as they are close for the Hamming distance. Let DB = { b , . . . , b N } .[16] uses h , . . . , h , projections of binary vectors (here iriscodes) over a partof their coordinates. They consider that a freshly captured iris b can match anelement stored in DB whenever: h j ( b ) = h j ( b k ) , h j ( b ) = h j ( b k ) , h j ( b ) = h j ( b k ) (1)for 1 ≤ j < j < j ≤
128 and 1 ≤ k ≤ n .We here skip the details. This way of proceeding will serve us as the basis ofour work on biometric negative databases which is described in Section 4. Werecall a definition that formalizes this notion and which has been introduced forapproximate nearest neighbor search: Definition 1 (Locality-Sensitive Hashing, [17])
Let ( E, d ) be the Hammingspace, F be a set, r , r ∈ R with r < r , p , p ∈ [0 , with p > p . Let H = { h , . . . , h L } be a family of functions h i : E → F .The family H is ( r , r , p , p ) -LSH, if ∀ x, x ′ ∈ E (cid:26) P r h ∈H [ h ( x ) = h ( x ′ ) | d ( x, x ′ ) < r ] > p P r h ∈H [ h ( x ) = h ( x ′ ) | d ( x, x ′ ) > r ] < p In the sequel we will assume that the inequalities above are equalities, i.e.the first (resp. second) probability is equal to p (resp. p ). This holds for thehash constructions used by [16].In practice, we apply Condition 1 to a family of Locality-Sensitive Hashingfunctions that are combined to obtain the following result:3 roposition 1 Let the family H = { h , . . . , h L } be a ( λ min , λ max , p , p ) -LSHfamily. Let m be the number of hash functions that we consider simultaneously,following the principle of Equation (1).The probability not to output ‘matching’ for a genuine user – called FalseReject Rate (FRR) – is approximately P fr = m − X i =0 (cid:18) Li (cid:19) p i (1 − p ) L − i and the probability to output ‘matching’ for an impostor – called False AcceptRate (FAR) – is approximately P fa = L X i = m (cid:18) Li (cid:19) p i (1 − p ) L − i . The variable m is called order of the hash equalities in the sequel. Proof.
Let b , b be two different biometric captures (possibly coming fromthe same user). They are considered as a matching pair as soon there is at least m functions h i , . . . , h i m from H such that h i ( b ) = h i ( b ) , . . . , h i m ( b ) = h i m ( b ) . As H is ( λ min , λ max , p , p )-LSH, from Condition 1, we know that with ahigh probability P r h ∈H [ h ( b ) = h ( b )] = p if b , b come from the same userand P r h ∈H [ h ( b ) = h ( b )] = p if they come from different users. ✷ A negative database consists of the representation of the negative image of agiven database. The goal is to represent all the elements not in the originaldatabase instead of storing explicitly the data itself. The main issue is to find away to represent concisely the negative database without letting the possibilityto retrieve easily the original records. Note that there exists an extended notionof negative database where almost all elements not in the original database arerepresented. In this section, we refer only to the first notion for which thedefinition – inspired by by Esponda et al. [12] and subsequent works – follows.
Definition 2
Let DB be a database containing N vectors. Let l denote thelength of the binary vectors belonging to DB . A negative database DB of DB isa finite set of vectors such that • there is an algorithm IsMember DB enabling to check efficiently whether one l bits string is a member of DB ; • x ∈ { , } l is an element represented by DB if and only if x
6∈ DB , i.e.that DB represents { , } l − DB . l is large, then the number of elements represented by DB could be huge.To achieve a compact representation, [14] introduced the wild-card symbol ’ ∗ ’,with the classical role: a position set to ∗ in a string represents both 0 and 1values. This doing a negative database is composed of vectors of length l withthe alphabet { , , ∗} . The associated IsMember DB algorithm corresponds tothe string matching algorithm; a element x is a member if DB contains a vector y for which simultaneous binary valued positions of x and y should be equal: ∀ i ∈ { , . . . , l } , ( x i = y i OR x i = ∗ OR y i = ∗ ) . Several polynomial-time algorithms have been published for negative databasescomputation [7, 9, 13] with quite different techniques. We recall in Table 1 thealgorithm introduced in [12] to compute a negative representation of a databasethanks to the prefix method. w i will stand in the following to a prefix of length i and W i will represent the set of vectors of length i (a part of the w i ’s). i ← W i ← {} W ( i +1) ← set of vectors of length i + 1 with a prefix of length i in W i which is not a prefix of an element of DB
4. for all x in W i +1
5. output a vector y with x as a prefix and complete it with ∗ ’s up tolength l
6. add to DB i ← i + 18. W i ← set of prefixes of length i in DB
9. go back to step 3 while i < l
Table 1: Prefix algorithm for negative representationAs proved in [14], the prefix algorithm outputs a negative database in lN time (where N is the number of records of DB ) and the resulting negativedatabase will have at most lN entries (elements of { , , ∗} l ). This leads for DB to an overall size (2 × N × l ).The prefix algorithm shows the feasibility of negative representation. As forsecurity concerns, [14] demonstrated that the reconstruction of DB from sucha negative database with alphabet { , , ∗} is NP-hard, based on reduction to3-SAT problem. Concerning the way to construct hard instances which resistto SAT solvers, the known algorithms produce negative representations withdifferent level of security, depending for example on the number of ∗ ’s used.See [9, 13] for solutions on how to generate such hard instances. One anotherinteresting property is the capability to create several different randomized neg-ative representations from the same DB .To obtain randomized representation, [13] suggests a non deterministic ver-sion of the prefix algorithm based on: 5 the use of random permutation to include the wild-card symbol also atthe beginning or in the middle of a vector; • a random replacement of wild-card by both the values 0 and 1.The resulting algorithm is designed to run in time l N and produces negativedatabases of size 2 × N × l .From a given negative database, it is even possible to transform it into a newnegative representation which is the negative image of the same database, butfor which the two negative databases are different and it is difficult to determineif they are equivalent. In [11], this operation is denoted Morph.Together with the creation of a negative representation, specific operationson DB are translated in operations applied on DB . Inserting (resp. deleting)a string into (resp. from) DB corresponds to remove (resp. insert) the corre-sponding binary strings from (resp. into) DB . As for the creation algorithm,randomized operations are also available [12]. Then an alternative solution forcreating randomized representation is to start with a randomized negative rep-resentation of the empty set and to delete the data corresponding to DB .As remarked by [13], using these operations many times may have the effecton the size of DB to grow unreasonably. An algorithm, somehow to cleanregularly the representation, is designed to control this bad effect (cf. Clean-Upalgorithm [13]).Moreover, more complex operations are designed in [15] in the field of rela-tional algebra operators (equality, less-than, union, cartesian product, intersec-tion, . . . ). Each operator on DB has its transposition as an negative operatoron DB .Note that several other techniques are analyzed in the literature. For in-stance [7] introduced a negative representation with an higher overall growthfactor but for which the security relies on cryptographic hash properties. We explain now how to manage biometric data via negative representation inorder to protect the content of the enrollment database. The main motiva-tion is authorization scenario, nonetheless our construction can also be used forauthentication.
We recall that our database DB = { b , . . . , b N } . Let H = { h , . . . , h L } be( λ min , λ max , p , p )-LSH family of functions as defined in Definition 1 Section2. Let m be the order of the hash equalities, i.e. the number of these functionswe are using as in Prop. 1. We are now ready to define the biometric negativedatabase DB .For 1 ≤ k ≤ N , let DB b k be the database made of the elements j || . . . || j m || h j ( b k ) || . . . || h j m ( b k ) (2)6ith 1 ≤ j < . . . < j m ≤ L and where || stands for the concatenation. Definition 3 An ( H , m, DB ) -biometric negative database DB is a negative rep-resentation of the dataset U = S Nk =1 DB b k which is made of all order m hashchains obtained with respect to DB and the LSH family H (cf. Equation (2)). The algorithm to determine if one fresh capture b ′ is close to one enrolled tem-plate within the original dataset DB via one of its biometric negative database DB is explained by Table 2. Input: fresh biometric template b ′
1. result ← OK2. For all 1 ≤ j < . . . < j m ≤ L z ← j || . . . || j m || h j ( b ′ ) || . . . || h j m ( b ′ )4. If IsMember DB ( z ) = OK5. Then6. result ← NOK7. Break8. Else Continue9. End For10. Output result
Table 2: Authorization Check for Biometric Negative DatabaseThis construction enables us to achieve the following properties.
Proposition 2
Let DB be an ( H , m, DB ) -biometric negative database.1. DB is not a negative database of DB .2. DB enables to check whether a fresh capture b ′ is close to one element of DB by verifying whether all the derived hash chains following Eq. (2) arenot in DB . The error rates of this membership checking operation are: False ‘Not Member’ Decision P fr (1 − P fa ) N − False ‘Member’ Decision − (1 − P fa ) N . Proof.
7. The first statement comes from the fact that DB is a negative databaseof U = S Nk =1 DB b k , which is not equivalent to DB , thanks to Proposition1 (except in the case where p , p are negligible, which corresponds to thesituation where the hash functions are cryptographic ones with hard-to-find collisions; i.e. the case where almost only original data satisfy theorder m hash equalities).2. The second statement is induced together by Proposition 1 and Definition2. The algorithm IsMember DB gives a way to decide whether data are in U from the negative test of presence in DB . Moreover, Proposition 1 impliesthat for a genuine user, the probability not to find an order m hash chainfollowing Eq. (2) in U is approximately P fr (1 − P fa ) N − (i.e. that you find neither any genuine equalities nor any impostor equal-ities). Similarly, the probability for an impostor to find an order m hashchain following Eq. (2) in U is1 − (1 − P fa ) N . ✷ When using the prefix algorithm described in Table 1, or its randomizedvariant, the overall size of a biometric negative database is given by the followinglemma.
Lemma 1
The size of an ( H , m, DB ) -biometric negative database DB obtainedthrough the prefix algorithm is at most × N × (cid:18) Lm (cid:19) × l where l is the length of the binary representation of an order m hash chain asin Eq. (2). Via its randomized variant, the upper size becomes × N × (cid:18) Lm (cid:19) × l . Proof. DB is a negative database of U = S Nk =1 DB b k . Each DB b k contains allorder m hash chains obtained for the template b k , i.e. all the m choices of hashfunctions among the L from H . The remaining is deduced from the expansionwhen the algorithms for negative representation of Section 3 are applied. ✷ When the original database contains N templates of length n , in the deter-ministic case, the expansion factor is 2 × (cid:0) Lm (cid:1) × l /n and respectively 2 × (cid:0) Lm (cid:1) × l /n in the randomized case.Note that although we focus here on the expansion when applying the prefixalgorithms, our concept is compatible with any algorithm for negative represen-tation generation. 8 .2 Security Discussion Concerning the confidentiality of the original templates, the choice of an ade-quate negative database creation algorithm leads to:
Proposition 3
Let DB be an ( H , m, DB ) -biometric negative database generatedthrough an algorithm which outputs hard instance for the reconstruction problem(cf. Section 3).The knowledge of DB does not allow to retrieve the list of original templatesin DB . This is straightforward, as by the above assumption, reconstructing U ishard. Note that even without that reconstructing the original templates mightbe a difficult task: if one succeeds in retrieving part of the hash chains of U from DB , he still has no idea of which hash chains are related to the same orig-inal template. Nevertheless, one additional advantage on using hard instances,as already mentioned in Section 3, is the possibility to create several, and un-linkable, randomized representations. This means that it is possible to havedifferent biometric negative databases from the same authorization list. Forinstance this fits well to access control use cases where the local terminals canpossess the same authorization list, without – thanks to our technique – lettingthe possibility to make a direct correlation between them.Other advantages are implied by these negative representations and theirrandomization, it hides the number of data which are negatively representedand after insertion or deletion of data, applying randomization on a negativedatabase enables to hide the size variation of the original dataset. On biometric negative databases as defined in Definition 3, we can apply all theoperations available for classical negative databases – see Section 3 – such as therandomization, insertion, deletion, clean-up, relational algebra, . . . , operations.Nevertheless all operations on DB have not the same impact with respect to theoriginal database DB .In particular, we are interested in the two following operations.Enrollment of a new user, via a capture b N +1 , is straightforward using theinsertion functionality of the negative database for all the hash chains computedfrom b N +1 .Revocation of a user is less easy. Due to the property of the biometric neg-ative database structure, only authorization checks are possible and there is noway to link different hash chains together. So when using deletion functionalityof negative databases, with respect to a fresh capture b ′ which is prior deter-mined as authorized (i.e. close to a b k for some k ), you can only delete thehash chains found for b ′ (i.e. to add in DB the hash chains computed from b ′ ). Thus this will not suppress all the hash chains related to b k . Moreover,if the prior authorization corresponds to a False ‘Member’ Decision, then thisrevocation would affect other users. This last point is a common problem for9nonymous membership checks in biometric systems. Concerning the former is-sue, we suggest to mitigate it by avoiding deletion of database through DB butby adding a dedicated revocation database (blacklist), which can be representedin a negative form. The Definition 3 leads to the construction of a biometric negative databasefor authorization checks purpose. When authentication (1-to-1) is aimed, thevariant below is given.
Definition 4 An ( H , m, DB ) -biometric negative database for authentication DB auth is the union of negative representations DB b k of the datasets DB b k ( k = 1 . . . N ).More precisely, we defined DB auth as the database containing for all k , the ele-ments of DB b k with k appended: DB auth = N [ k =1 [ DB b k , k ] . Appending k enables to restrict the verification to one sole DB b k . Theassociated algorithm for authentication check, with a fresh capture b ′ and anidentity claim i , is described in Table 3. Note that this construction can beused as well for identification use cases where no identity claim is provided byrunning comparisons with all elements of DB auth : the list of possible identitieswould be the list of index k for which b ′ is not detected as member of DB b k . Input: fresh biometric template b ′ and identity claim i
1. result ← OK2. For all 1 ≤ j < . . . < j m ≤ L z ← j || . . . || j m || h j ( b ′ ) || . . . || h j m ( b ′ )4. If IsMember DB bi ( z ) = OK5. Then6. result ← NOK7. Break8. Else Continue9. End For10. Output result
Table 3: Authentication Check for Biometric Negative DatabaseSimilar to the results explained in Section 4.1, we have:
Lemma 2
Let DB auth be an ( H , m, DB ) -biometric negative database for au-thentication. The False Reject Rate of the authentication check (Table 3) is P fr . • The False Accept Rate of the authentication check (Table 3) is P fa . • When using the randomized variant of the prefix algorithm, the size of DB auth is × N × (cid:18) Lm (cid:19) × l . Note that here, we give only the size with respect to the randomized variantof the prefix algorithm. We cannot use the deterministic variant as there is nomixing of the different datasets DB k that would ensure unlinkability of the hashchains. Remark 1
This is interesting that the expansion factor in the authorizationscenario is lower or equal to the expansion factor in the authentication scenario.
We describe now the application of our concept to the example of functions usedin [16] for iris identification. The functions used by [16] are L = 128 differentrestrictions of the 2048 bits iris vectors to 10 bits.Let λ min = 0 . · λ max = 0 . · . λ min , λ max , p , p )-LSH family, with the probability p to obtain the same small proportion fortwo iriscodes coming from the same user p = (1 − λ min ) ≃ .
056 and theprobability to obtain the same value for two iriscodes coming from differentusers p = (1 − λ max ) ≃ . m equal to 4, then the binary length ofthe hash chains is l = (7 + 10) × P fr ≃ . P fa ≃ . . and about 2 . with therandomized prefix algorithm.As an even more practical example, if we take the order m equal to 3 –which is the threshold used in [16] for determination of candidates in an irisidentification scenario – and N = 100 enrolled iriscodes from different users,then it leads to an overall biometric negative database of about 20 Go. This paper introduces the notion of negative database for biometric data. Whilethe concept of negative database has been introduced in 2004, our proposal isthe first one, as far as we know on this very subject. Although the storage of11iometric data seems a natural field of application for this concept of negativedatabase, one should understand that what make our work possible are the priorresearches on the quantization of biometric. Indeed, our contribution exploitsthe simpler matching algorithm that this quantization permits. This is not thefirst time that this new matching algorithms raise results. For instance, beyondtheir own interest as an alternative to traditional matching algorithms, they arecurrently considered as a part of the solution for biometric identification in aencrypted way [4].We believe that our scheme can still be optimized. For example, we directlystore in the positive database DB the biometric data taken during the enrollmentphase. Whereas, we are interested in the whole Hamming ball of radius λ min .A clever representation of biometric data should lead to more compact positivedatabase and negative database. References [1] J. Bringer and H. Chabanne. An authentication protocol with encryptedbiometric data. In S. Vaudenay, editor,
AFRICACRYPT , volume 5023 of
Lecture Notes in Computer Science , pages 109–124. Springer, 2008.[2] J. Bringer, H. Chabanne, G. D. Cohen, B. Kindarji, and G. Z´emor. Theoret-ical and practical boundaries of binary secure sketches.
IEEE Transactionson Information Forensics and Security , 3(4):673–683, 2008.[3] J. Bringer, H. Chabanne, and B. Kindarji. The best of both worlds: Ap-plying secure sketches to cancelable biometrics.
Sci. Comput. Program. ,74(1-2):43–51, 2008.[4] J. Bringer, H. Chabanne, and B. Kindarji. Identification with encryptedbiometric data.
Security Comm. Networks , 2010. To appear.[5] J. Bringer, H. Chabanne, D. Pointcheval, and Q. Tang. Extended privateinformation retrieval and its application in biometrics authentications. InF. Bao, S. Ling, T. Okamoto, H. Wang, and C. Xing, editors,
CANS , volume4856 of
Lecture Notes in Computer Science , pages 175–193. Springer, 2007.[6] C. Chen and R. N. J. Veldhuis. Binary biometric representation throughpairwise polar quantization. In M. Tistarelli and M. S. Nixon, editors,
ICB ,volume 5558 of
Lecture Notes in Computer Science , pages 72–81. Springer,2009.[7] G. Danezis, C. D´ıaz, S. Faust, E. K¨asper, C. Troncoso, and B. Preneel.Efficient negative databases from cryptographic hash functions. In J. A.Garay, A. K. Lenstra, M. Mambo, and R. Peralta, editors,
ISC , volume4779 of
Lecture Notes in Computer Science , pages 423–436. Springer, 2007.128] J. Daugman. High confidence visual recognition of persons by a testof statistical independence.
IEEE Trans. Pattern Anal. Mach. Intell. ,15(11):1148–1161, 1993.[9] M. de Mare and R. N. Wright. Secure set membership using 3sat. InP. Ning, S. Qing, and N. Li, editors,
ICICS , volume 4307 of
Lecture Notesin Computer Science , pages 452–468. Springer, 2006.[10] Y. Dodis, L. Reyzin, and A. Smith. Fuzzy extractors: How to gener-ate strong keys from biometrics and other noisy data. In C. Cachin andJ. Camenisch, editors,
EUROCRYPT , volume 3027 of
Lecture Notes inComputer Science , pages 523–540. Springer, 2004.[11] F. Esponda. Everything that’s not important.
IEEE Computational Intel-ligence , 3(2):60–63, 2008.[12] F. Esponda, E. S. Ackley, S. Forrest, and P. Helman. Online negativedatabases. In G. Nicosia, V. Cutello, P. J. Bentley, and J. Timmis, editors,
ICARIS , volume 3239 of
Lecture Notes in Computer Science , pages 175–188. Springer, 2004.[13] F. Esponda, E. S. Ackley, P. Helman, H. Jia, and S. Forrest. Protectingdata privacy through hard-to-reverse negative databases.
Int. J. Inf. Sec. ,6(6):403–415, 2007.[14] F. Esponda, S. Forrest, and P. Helman. Enhancing privacy through neg-ative representations of data. UNM Computer Science Technical ReportTR-CS-2004-18, 2004.[15] F. Esponda, E. Trias, E. Ackley, and S. Forrest. A relational algebra fornegative databases. UNM Computer Science Technical Report TR-CS-2007-18, 2007.[16] F. Hao, J. Daugman, and P. Zielinski. A fast search algorithm for a largefuzzy database.
Information Forensics and Security, IEEE Transactionson , 3(2):203–212, June 2008.[17] P. Indyk and R. Motwani. Approximate nearest neighbors: Towards re-moving the curse of dimensionality. In
STOC , pages 604–613, 1998.[18] A. K. Jain, S. Prabhakar, L. Hong, and S. Pankanti. Fingercode: A filter-bank for fingerprint representation and matching. In
CVPR , pages 2187–.IEEE Computer Society, 1999.[19] A. Juels and M. Wattenberg. A fuzzy commitment scheme. In
ACM Con-ference on Computer and Communications Security , pages 28–36, 1999.[20] K. Simoens, P. Tuyls, and B. Preneel. Privacy weaknesses in biometricsketches. In
IEEE Symposium on Security and Privacy , pages 188–203.IEEE Computer Society, 2009. 1321] Q. Tang, J. Bringer, H. Chabanne, and D. Pointcheval. A formal study ofthe privacy concerns in biometric-based remote authentication schemes. InL. Chen, Y. Mu, and W. Susilo, editors,
ISPEC , volume 4991 of