Template Protection for HMM-based On-line Signature Authentication
E. Maiorana*, M. Martinez-Diaz**, P. Campisi*, J. Ortega-Garcia**, A. Neri*
*Dip. Elettronica Applicata
Universit
´
a degli Studi “Roma Tre”
Via Della Vasca Navale 84, I-00146 Roma, Italy
http://www.comlab.uniroma3.it/people.htm
**ATVS, Escuela Politecnica Superior,
Universidad Autonoma de Madrid,
C/ Francisco Tomas y Valente 11, 28049 Madrid, Spain
http://atvs.ii.uam.es/listpeople.do
Abstract
The security of biometric data is a very important issue
in the deployment of biometric-based recognition systems.
In this paper, we propose a signature-based biometric au-
thentication system, where signal processing techniques are
applied to the acquired on-line signature in order to gen-
erate protected templates, from which retrieving the orig-
inal data is computationally as hard as randomly guess-
ing them. A Hidden Markov Model (HMM)-based matching
strategy is employed to compare the transformed signatures.
The proposed protected authentication system generates a
score as the result of the matching process, thus allowing
to implement protected multibiometric recognition systems,
through the application of score-fusion techniques. The ex-
perimental results show that, at the cost of only a slight per-
formance reduction, the desired protection for the employed
biometric templates can be properly achieved.
1. Introduction
The most emerging technology for automatic people
recognition is biometrics. In contrast with traditional ap-
proaches, based on what a person knows (password) or what
a person has (ID card, tokens), biometric-based authentica-
tion relies on who a person is or what a person does. Un-
fortunately, the use of biometric data in an automatic recog-
nition system involves various risks, not affecting other tra-
ditional methods: if biometric data are somehow stolen or
copied, they can be hardly replaced. Moreover, biomet-
ric data can contain sensitive information (health, genetic
background, age), that can be used in an unauthorized man-
ner for malicious or undesired intents [1]. Users’ privacy
can also be compromised if a cross-matching between dif-
ferent biometric database is performed, in order to track the
enrolled subjects. Therefore, when designing a biometric-
based recognition system, the issues deriving from the ex-
posed security and privacy concerns have to be carefully
considered. The adopted measures should be able to en-
hance biometric data resilience against attacks, while allow-
ing the matching to be performed efficiently, thus guaran-
teeing acceptable recognition performance.
In this contribution, a non-invertible transform-based ap-
proach is proposed for the implementation of an on-line
signature-based biometric authentication system, where the
stored templates cannot reveal any information about the
originally acquired biometric characteristics.
2. Biometric Template Security
In a typical biometric-based authentication system, eight
possible vulnerable points can be individuated [2]. The
unauthorized acquisition of the employed biometric data,
which represents one of the possible consequences of the
attacks to a biometric recognition system, is probably the
most dangerous treat regarding the privacy and the secu-
rity of the users. Different solutions have been investigated,
in the recent past, to secure the biometric templates gener-
ated from the feature extractor module. Among them, the
most promising approaches consist in the implementation
of what have been called cancelable biometrics. The con-
cept of cancelable biometrics has been introduced in [2],
and can be roughly described as the application of an inten-
tional and repeatable modification to the original biometric
template. Through the application of these distortions to
the biometric data, the properties of renewability and non-
invertibility [2] should be guaranteed. Moreover, the recog-
nition performance achievable using cancelable templates,
in terms of False Rejection Rate (FRR) and False Accep-
tance Rate (FAR), should not degrade significantly, when
compared to an unprotected system.
A classification of the already proposed solutions for the
generation of secure and renewable biometric templates has
been presented in [3], consisting of two macro-categories
referred to as biometric cryptosystem and feature transfor-
mation approaches. Biometric cryptosystems typically em-
ploy binary keys in order to secure the biometric templates,
and during the process some public information, usually re-
ferred to as helper data, is used. This category can be fur-
thered divided in key binding systems, where the helper data
are obtained by binding a key with the biometric template,
as it happens for the fuzzy commitment [4] and the fuzzy
vault [5], and key generation systems, where both the helper
data and the cryptographic key are directly generated from
1
978-1-4244-2340-8/08/$25.00 ©2008 IEEE
Repositorio Institucional de la Universidad Autónoma de Madrid
https://repositorio.uam.es
Esta es la versión de autor de la comunicación de congreso publicada en:
This is an author produced version of a paper published in:
IEEE Computer Society Conference on Computer Vision and Pattern
Recognition Workshops (CVPRW). IEEE, 2008. 1-6
DOI: http://dx.doi.org/ 10.1109/CVPRW.2008.4563114
Copyright: © 2008 IEEE
El acceso a la versión del editor puede requerir la suscripción del recurso
Access to the published version may require subscription
the biometric template, as in [6].
In a feature transformation approach, a transformation
function (typically dependent on some random parameters
which are employed as transformation keys) is applied to
the biometric templates, and the desired cancelable bio-
metrics are given by the transformed versions of the orig-
inal data. It is possible to distinguish between salting ap-
proaches, where the employed transformation functions are
invertible, and where therefore the security of the templates
relies in the secure storage of the function parameters [7],
and non-invertible transform approaches, where a one-way
function is applied to the considered biometrics, producing
templates from which it is computationally hard to retrieve
the original data, even if the transformation’s defining pa-
rameters are known. Implementing recognition system ac-
cording to this last category, the transformed templates can
remain in the same (feature) space of the original ones, be-
ing then possible to employ, during the authentication, the
matchers originally designed for the considered biometric
templates, and thus allowing to guarantee performances that
are similar to those of an unprotected approach. Moreover,
having the possibility of employing dedicated matchers, a
score can be obtained as the output of a recognition pro-
cess, even if it has been performed in a transformed and se-
cure domain: secure multibiometric systems can therefore
be implemented through score-level fusion techniques [8].
The method presented in this paper falls in the cate-
gory of the non-invertible transform approaches, being then
possible to use it to protect the considered biometric data,
while performing user authentication with performances
very similar to those of an unprotected system, and giving
the opportunity of designing multibiometric system. The
first practical non-invertible transform-based approach for
the protection of biometric data was presented in [9], where
the minutiae pattern extracted from a fingerprint undergoes
a key-dependent geometric transform. Generalizing this ap-
proach, three different non-invertible transforms, namely a
cartesian, a polar and a functional transform, were proposed
in [10] for generating cancelable fingerprint templates.
As far as signature template protection is concerned, it
was first considered in [11] with a key generation approach.
In [12] an adaptation of the fuzzy vault to signature protec-
tion is proposed, while also the fuzzy commitment (more
specifically, its practical translation known as Helper Data
System [13]) has been employed to provide security to the
features extracted from an on-line signature, as proposed in
[14]. A comprehensive survey on signature template protec-
tion can be found in [15]. Each of the referenced approaches
relies on the extraction of some parametric features from the
considered on-line signatures. On the other hand, the ap-
proach proposed in this paper directly works with the signa-
ture time sequences acquired by touch screens or digitizing
tablets, trying to modify them in such a way that is com-
putationally hard to recover the original information. Deal-
ing with time sequences instead of parametric features will
allow to manage a greater amount of information, thus en-
abling us to obtain significant authentication performances,
as outlined in Section 5.
3. Proposed Approach for Cancelable On-line
Signature Biometrics
As already pointed out, in this paper a non-invertible
transform approach is proposed for the protection of on-
line signature templates. Specifically, the template that has
to be protected consists of a set of signature discrete time
sequences (e.g., position trajectories, pressure, etc.). The
desired protection is accomplished by properly modifying
the considered time sequences, in such a way that it is not
possible to retrieve the original data from the transformed
one. A function-based authentication approach is then im-
plemented in order to perform the matching, directly apply-
ing Hidden Markov Models (HMMs) for the modelization
of the transformed templates. In Section 3.1, the employed
feature extraction process, together with the implemented
matching strategy, is presented.
3.1. HMM-based Signature Modeling
The proposed authentication system with protected tem-
plates is based on the on-line signature verification sys-
tem presented in [16], where a function-based approach is
employed to perform signature-based authentication, using
HMMs to represent and match the signature discrete time
sequences. Specifically, in the proposed approach three
time sequences, the horizontal x[n] and vertical y[n] po-
sition trajectories, together with the pressure signal p[n]
(where n =1,...,N is the discrete time index, and N
is the time duration of the signature in sampling units), are
acquired from each on-line signature through a digitizing
tablet. A geometric normalization, consisting of positions
normalization followed by rotation alignment, is applied to
the considered pen-position functions. Then, other four dis-
crete time sequences are derived from the basic set, and
used as an additional extended set of functions, namely
the path-tangent angle θ[n], the path velocity magnitude
v[n], the log curvature radius ρ[n] and the total acceler-
ation magnitude a[n], with n =1,...,N. The consid-
ered original signature representation is then derived using
both the basic and extended sets, and consists of a matrix
U =[u[1],...,u[N]] whose columns u[n] are obtained
as u[n]=[x[n],y[n],p[n],θ[n],v[n
],ρ[n],a[n]]
T
,n =
1,...,N. Each row of matrix U is therefore given from
one of the F =7considered signature time sequences.
Instead of training a HMM with the original signature
template U, we represent each signature using a trans-
formed version of U, indicated as T =[t[1],...,t[K]].
Each column t[n], n =1,...,K represents a vector of
Figure 1. Example of a signature function transformation, where W =3.
length F , whose elements t[n]=[f
(1)
[n],...,f
(F )
[n]]
T
,
n =1,...,K, are derived from the elements of the original
template in such a way that it is not possible to recover U
from the knowledge of T.
HMMs are employed to model the obtained transformed
signature representations T. Specifically, the employed
models are defined by the number of hidden states H, and
by the number M of Gaussian densities which are used to
describe the probability p
h
(t) of the emission of symbol t
from the state h, h =1,...,H.
During enrollment, E signatures are acquired from each
user, and a client model λ (composed by an initial distri-
bution π, a state transition matrix A and an observation
density functions B [16]) is estimated from the transformed
signature representations
T
(1)
,...,T
(E)
, by following
the iterative strategy presented in [16]. When the user
claims his identity providing a new signature, its represen-
tation T is evaluated, and a similarity score is calculated as
(1/K)logP (T|λ) using the Viterbi algorithm [17].
3.2. Time Sequences Transformation
In the proposed approach, the number of transformed
discrete functions f
(i)
[n], i =1,...,F and n =1,...,K,
which define the transformed template T, equals the num-
ber F of the original functions. The transformed functions
are generated through linear combinations of the time se-
quences belonging to the original signature template U.
Specifically, in the proposed approach each trans-
formed function f
(i)
[n] is derived from a single cor-
responding original function r
(i)
[n], which represents a
generic original discrete time sequence selected among
the F rows of U (i.e. among the signature functions
x[n],y[n],p[n],θ[n],v[n],ρ[n], and a[n]). A number (W −
1) of values d
j
, are randomly selected between 1 and 99
in an ordered fashion, in such a way that d
j
>d
j−1
, j =
1,...,W, and arranged in a vector d =[d
0
,...,d
W
],hav-
ing kept d
0
=0and d
W
= 100. The vector d represents the
key of the employed transformation. Then, the values d
j
are
converted according to the relations b
j
= round(
d
j
100
· N),
j =0,...,W, where round(·)represents the nearest inte-
ger, and the original sequence r
(i)
[n] is divided into W seg-
ments r
(i)j,N
j
[n] of length N
j
= b
j
− b
j−1
, each defined
as
r
(i)j,N
j
[n]=r
(i)
[n + b
j−1
], (1)
for n =1,...,N
j
and j =1,...,W. Basically, the func-
tion r
(i)
[n] is split into W separated parts according to the
randomly generated vector d, as illustrated in Figure 1 for
the case with W =3. A transformed function f
(i)
[n],
n =1,...,K, is then obtained through the linear convo-
lution of the functions r
(i)j,N
j
[n], that is,
f
(i)
[n]=r
(i)1,N
1
[n] ∗ ...∗ r
(i)W,N
W
[n]. (2)
Each transformed function f
(i)
[n] is therefore obtained
through the linear convolutions of parts of the correspond-
ing original functions r
(i)
[n], i =1,...,F. Moreover, each
original function undergoes the same decomposition before
applying the convolutions. As it can be seen, due to the
convolution operation in (2), the length of the transformed
functions is equal to K = N − W +1, being therefore al-
most the same of the original functions one. A final signal
normalization, oriented to obtain zero mean and unit stan-
dard deviation transformed functions, is then applied. Dif-
ferent realizations can be obtained from the same original
functions, simply varying the size or the values of the pa-
rameter key d. The security analysis of the proposed on-
line signature template protection scheme is conducted in
Section 4.
4. Security Analysis
Having defined the function transformation as in eq. (2),
if an attacker gains access to the stored information, he has
to resolve a blind deconvolution problem [18] to retrieve
any information regarding the signature biometrics. Typi-
cally, the goal of blind deconvolution is to recover a source
signal given only the output of an unknown filter, or to sep-
arate different source signals from their convolutive mix-
tures. However, some statistical properties of the filter, or
of the considered sources, have to be assumed. Otherwise,
some further constraints have to be established, in order to
perform the process. In our case, the transformed template
T contains only convolutions between segments extracted
from the original functions, about which no a priori in-
formation can be assumed. Then, employing the proposed
transformation, recovering in a deterministic way the orig-
inal data from the transformed ones, employed to train the
HMMs, is as much hard as randomly guessing the segments
extracted from the signature functions.
Moreover, also considering different transformed tem-
plates employed in different systems (record multiplicity
attack), it is not possible to retrieve the original signature
sequences. In order to properly illustrate this, some as-
sumptions have to be stated. First, it is supposed that the
different transformed versions are derived from exactly the
same original data (although this is almost impossible, be-
ing on-line signatures characterized by a significant intra-
user variability). Moreover, it is worth pointing out that,
in the proposed approach, for each user the HMM λ,es-
timated from the signature representations T, is the stored
template. Then, if someone wants to retrieve the original
signature time sequences, he has to generate realizations
from the available HMMs. In order to analyze the security
of the proposed approach in the worst considerable case, it
is assumed that, from a stored HMM λ, it is possible to syn-
thesize exactly the same functions from which the model
has been estimated. Under these assumptions, which define
a very restrictive scenario, we then consider a case where an
attacker has acquired, from two different systems, two dif-
ferent transformed signature representations T
(1)
and T
(2)
,
generated from the same original template U. Considering
the simplest case with W =2, it is supposed that an attacker
possess two transformed instances f
(1)
[n] and f
(2)
[n], n =
1,...,K = N − 1, of the same original time sequence
r[n], n =1,...,N, obtained using respectively the trans-
formation parameters d
(1)
1
and d
(2)
1
. In order to retrieve the
function r[n], the attacker should be able to obtain the seg-
ments r
(1)
1,N
(1)
1
[n] and r
(1)
2,N
(1)
2
[n], where N
(1)
1
= b
(1)
1
and
N
(1)
2
= N − b
(1)
1
, or the segments r
(2)
1,N
(2)
1
[n] and r
(2)
2,N
(2)
2
[n],
withN
(2)
1
= b
(2)
1
and N
(2)
2
= N − b
(2)
1
, from the avail-
able transformed functions f
(1)
[n]=r
(1)
1,N
(1)
1
[n] ∗ r
(1)
2,N
(1)
2
[n]
and f
(2)
[n]=r
(2)
1,N
(2)
1
[n] ∗ r
(2)
2,N
(2)
2
[n]. Deconvolution prob-
lems are typically coped with in the frequency domain, be-
ing the convolutions transformed into simple multiplica-
tions. In order to properly define the Discrete Fourier Trans-
forms (DFTs) of the considered sub-functions of r[n],the
extended versions ˆr
(j)
i,K
[n], i, j =1, 2, are generated ap-
plying a zero padding to the respective original functions,
until reaching the length K = N − 1 (that is the length
of the convolutions f
(1)
[n] and f
(2)
[n]). Then, a sequence
Δ[n], n =1,...,K, is defined as the difference between
ˆr
(1)
1,K
[n] and ˆr
(2)
1,K
[n], which share a common part that is ex-
actly r
(2)
1,K
[n], having assumed that b
(1)
1
>b
(2)
1
:
Δ[n]=ˆr
(1)
1,K
[n] − ˆr
(2)
1,K
[n],n=1,...,K. (3)
It can then be demonstrated that the following relations can
be derived for the considered finite sequences:
ˆr
(1)
1,K
[n]=ˆr
(2)
1,K
[n]+Δ[n]
ˆr
(1)
2,K
[n − b
(1)
1
]=ˆr
(2)
2,K
[n − b
(2)
1
] − Δ[n]
(4)
where all the considered shifts are circular shifts. Then, ap-
plying the DFT to the a priori known functions f
(1)
[n] and
f
(2)
[n], and considering the relations between the DFT and
the linear convolution of two discrete sequences, it results:
⎧
⎪
⎨
⎪
⎩
DFT{f
(1)
[n]} = DF T{ˆr
(1)
1,K
[n]}·DFT{ˆr
(1)
2,K
[n]} =
DFT{ˆr
(1)
1,K
[n]}·DFT{ˆr
(2)
1,K
[n − b
(1)
1
]}·e
j2π(k/K)b
(1)
1
DFT{f
(2)
[n]} = DF T{ˆr
(2)
1,K
[n]}·DFT{ˆr
(2)
2,K
[n]}
(5)
and using the relations in (4), the first equation of (5) can be
written as:
DFT{f
(1)
[n]} =
DFT{ˆr
(2)
1,K
[n]} + DFT{Δ[n]}
· (6)
DFT{ˆr
(2)
2,K
[n − b
(2)
1
]}−DFT{Δ[n]}
·
e
j2π(k/K)b
(1)
1
and therefore:
⎧
⎪
⎪
⎪
⎪
⎪
⎪
⎪
⎨
⎪
⎪
⎪
⎪
⎪
⎪
⎪
⎩
DFT{f
(1)
[n]} = e
j2π(k/K)b
(1)
1
·
DFT{ˆr
(2)
1,K
[n]}·DFT{ˆr
(2)
2,K
[n]}·e
−j2π(k/K)b
(2)
1
−
DFT{Δ[n]}·DFT {ˆr
(2)
1,K
[n]} + DFT{Δ[n]}·
DFT{ˆr
(2)
2,K
[n]}·e
−j2π(k/K)b
(2)
1
− DF T
2
{Δ[n]}
DFT{f
(2)
[n]} = DF T{ˆr
(2)
1,K
[n]}·DFT{ˆr
(2)
2,K
[n]}
(7)
As it can be seen, the obtained system cannot be re-
solved, due to the fact that the term DFT {Δ[n]} repre-
sents an additional unknown variable, added to the unknown
functions ˆr
(2)
1,K
[n] and ˆr
(2)
2,K
[n]. Then, also if an attacker is
able to acquire more than two distinct transformed versions
of the original signature functions, it is however impossible
to recover the original information using the data coming
from different sources.
5. Experimental Results
An extensive set of experimental results has been per-
formed using the MCYT on-line signature corpus [19]. This
database contains 330 users, for each of which 25 genuine
signatures and 25 skilled forgeries have been captured dur-
ing five different sessions.
In order to properly analyze the proposed non invertible
transform-based signature template protection, the follow-
ing aspects have been investigated:
• which is the variability of the matching performances
when the transformation parameters are changed?
