A Simple Scheme for Constructing Fault-Tolerant Passwords from Biometric Data

We present a simple combinatorial construction for the mapping of the biometric vectors to short strings, called the passwords. A verifier has to decide whether a given vector can be considered as a corrupted version of the original biometric vector whose password is known or not. The evaluations of the compression factor, the false rejection/acceptance rates, are derived, and an illustration of a possible implementation of the verification algorithm for the DNA data is presented.


Introduction
Let us consider the data transmission scheme in Figure 1. The source generates a vector b ∈ {0, 1} N containing the outcomes of the measurements of some biometric parameters of a user. This vector is encoded as the vector pw(b) ∈ {0, 1} K , called the password of the user, which is stored in the database under the user's name. The password is read from the database upon request and given to the verifier together with the vector b ∈ {0, 1} N generated by some source. The verifier has to check whether the vector b can be considered as a corrupted version of the vector b (accept) or not (reject). The decision can be expressed as the value of a Boolean function ϕ(pw(b), b ) ∈ {Acc, Rej}, and the formal specification of the procedure is an assignment of the functions pw: (1) The scheme in Figure 1 shows a conventional biometric authentication system [1]. We apply our coding theory approaches [2][3][4] to find solutions for the following setup.
(1) The length of the binary representation of the password pw(b) is much less than the length of the vector b, that is, K N.
(2) The probability distribution over the vectors b is not given, and the performance is analyzed for the worst assignment of the input data.
(3) The function pw is a deterministic function. Therefore, the distribution of common randomness between the encoder and the verifier, which is a feature of randomized hashing schemes, is not relevant in our case. The probabilities of the incorrect verifier's decisions are computed over the noise ensemble. Notice that many authors addressed the problem of constructing fault-tolerant passwords, and the list [5][6][7][8][9] is far from being complete. The main difference of the setup analyzed in our correspondence is the point that the scheme does not require randomization. As a result, our approach can essentially simplify an implementation and simultaneously cause some security problems, which are discussed below.
As pw is a deterministic function and the compression factor N/K is large; an attacker, who knows pw(b) and wants to pass through the verification stage with the acceptance decision, can easily succeed by generating a vector b such that pw(b ) = pw(b). Therefore, the scheme is not secure in the same sense as the system, which uses the PIN codes of the users: if the PIN code is stolen and the attacker can enter it into the system, then he succeeds. Thus, one needs to encrypt passwords, and our construction can serve as a preliminary step for conventional schemes. Another kind of security is the possibility of guessing the biometric vector on the basis of its password. If the password is the weight of the vector (which is a special case of our construction), then the probability of the correct guess is very small for most of the vectors. However, the weights 0 and n uniquely determine the vector. Thus, meaning the points above, the secrecy of the scheme can be not sufficient for its separate use in practical biometric systems. However, a very large compression factor, very small probabilities of the incorrect verifier's decisions, and very small complexity of the implementation of our scheme that can be attained simultaneously make such a scheme attractive. In particular, we can recommend it for information transmission systems where the verifier has to make only the rejection decision for the vectors b that definitely cannot be considered as corrupted versions of the original biometrical vector. The final decision for the vectors that passed through this test is made by some other tools in this case.

Model for the Noise of Observations
We will assume that where T, n are positive integers and n is even. Represent the vectors b and b as concatenations of T blocks of length n and write where b t , b t ∈ {0, 1} n for all t = 1, . . . , T. The blocks will be processed in parallel, and we describe the model for the probabilistic transformation of an input block b to the received block b having the weights If the received block is generated independently of the input block, we assume that w is the value of a random variable having the binomial probability distribution where If the received block is a corrupted version of the input block, we assume that w is the value of a random variable having the given conditional probability distribution Examples.
(1) Binary symmetric channel. Suppose that the vector b is the outcome of a binary symmetric channel having the crossover probability p ∈ (0, 1/2) when the vector b was sent. Then, (2) The insertion/deletion channel. Let ε ∈ (0, 1/2). For all k ∈ {0, . . . , n}, let be the probability that n − k components of the vector b are noiselessly transmitted, while the remaining k positions are filled with an arbitrary vector generated with the probability n k 2 −n . Then, Ω(w | w) is expressed by (8) with ε/2 substituted for p.
Discussion over the Model. As the input vector b is fixed, the vector w is also fixed. Given an acceptance set, the probability that the verifier makes an incorrect rejection decision can be computed after the conditional probabilities Ω(0 | w), . . . , Ω(n | w) are specified. However, one cannot compute the probability that the verifier makes an incorrect acceptance decision for the best strategy of an attacker, unless the probability distribution over the input vectors (which determines the probability distribution over passwords) is given. We can only compute this probability for a blind attacker, who generates the vector b by flipping a fair coin, which results in the binomial probability distribution over passwords w . Then, computations become equivalent to the estimation of the ratios of the cardinalities of the sets of input vectors with coinciding passwords and 2 −Tn . Notice that this estimation is a typical problem when universal hashing schemes are studied [10]. Since our scheme is oriented to the preprocessing of the pairs of received vectors, the performance of the scheme for a blind attacker is also of interest for practical biometric applications.

Description of the Verification Scheme
Given the vectors b = (b 1 , . . . , b T ) and b = (b 1 , . . . , b T ), let pw(b) = w and pw(b ) = w , where components of the vectors w and w are defined as w t = wt(b t ) and w t = wt(b t ) for all t = 1, . . . , T. Thus, For all vectors w ∈ {0, . . . , n} T , let D (T) (w) ⊆ {0, . . . , n} T be a subset of vectors of the length T whose components belong to the alphabet {0, . . . , n}, which is called the acceptance set and associated with the following decoding rule: The verification scheme is illustrated in Figure 2.
Notice that the compression factor, defined as the ratio of the length of the biometric vector and the length of the corresponding password, is equal to and it does not depend on T.
The possible verification errors are the false rejection of the identical biometric entity and the false acceptance of the different biometric entity. The probabilities of these events, called the false rejection and the false acceptance rates, can be expressed as where The false rejection event corresponds to the case when the blocks of the input biometric vector are transmitted over a channel in such a way that weights of these blocks are transformed to the weights of the received blocks by a memoryless channel specified by the conditional probabilities Ω(0 | w), . . . , Ω(n | w). The false acceptance event corresponds to the case when the blocks of the received vector are generated by a Bernoulli source having the probabilities of zeroes and ones equal to 1/2.
The goals of the designer of the system can be different. In particular, the acceptance set D (T) (w) can be assigned according to the maximum likelihood decision rule. Another assignment is oriented to the minimization of the absolute value of the difference of FRR(w, D (T) (w)) and FAR(w, D (T) (w)). Furthermore, this set can be assigned in such a way that the false rejection/acceptance rate is fixed and the false acceptance/rejection rate is minimized. We will present the assignments of the decision sets that provide us with small decoding error probabilities of both types, which makes efficient solutions to the above problems possible.
Our main claim can be summarized as follows.
Theorem 1. The decision sets D (T) (w), w ∈ {0, . . . , n} T , can be assigned in such a way that the scheme has the following features: (a) the compression factor β is expressed by (12), and it tends to 0 as an almost linear function of n independently of T, and (b) the false acceptance and the false rejection rates tend to 0 as exponential functions of T in such a way that and E FRR , E FAR tend to constants depending only on p, as n increases.
The (a) part of the claim directly follows from the description of the scheme. The (b) part of the claim follows from the analysis presented in Section 5. Notice that the fact that the probabilities of error exponentially vanish with T when the expected values of the corresponding random variables differ is a classical result of detection and estimation theory [11]. We will meet the situation of coinciding expected values, and such a behavior is attained due to the difference of the variances of these variables.
Let us first discuss possible approaches to constructing verification schemes for the noiseless case (p = 0) when the biometric vectors are mapped to passwords by a deterministic function. In this case, the verifier constructs the password for the vector b and makes the acceptance decision if and only if it coincides with the password associated with the claimed user. As a result, the false rejection rate is equal to 0: if b = b, then the passwords are identical.
Suppose that the password is defined as a binary vector of length T where the tth bit is the parity of the tth block of the vector b (the tth bit of the password is equal to 1 if and only if the weight of the vector b t is odd), t = 1, . . . , T. Then, the compression factor is equal to Tn/T = n and the false acceptance rate is equal to 2 −T , that is, the scheme has a similar features as our scheme. However, to attain a large 4 EURASIP Journal on Information Security compression factor for p > 0, one needs a very large T to obtain low false rejection and false acceptance rates. Another approach to the verification for the noiseless case is based on the specification of the password as a vector consisting of weights of the blocks. Then, the compression factor is equal to β while the false acceptance rate is equal to It decreases with T as an exponential function and decreases with n as a polynomial function. We claim that a similar conclusion is also valid for p ∈ (0, 1/2).

Processing the 1-Block Vectors
Suppose that T = 1, denote b = b, b = b , and use the notation (4). We also write D(w) = D (1) (w) and represent (11) as The maximum likelihood decision rule is implemented by using the acceptance set Then, the false rejection and the false acceptance rates are expressed as where δ 0 and δ 1 are the minimum integers satisfying the inequalities To check the (b) claim of the theorem, we use the Gaussian approximations where stands for the Gaussian probability density function with the mean m and the variance σ 2 . The convergence (21) is the standard Gaussian approximation for the binomial distribution. The convergence (20) follows from for all j ∈ {0, . . . , w }. Furthermore, the replacement of the sum over j at the right-hand side of (8) with the integral over j taken over the interval (−∞, +∞) results in (20).
In particular, Ω(n/2) and B are two Gaussian probability density functions having the same mean n/2 and different variances equal to np(1 − p) and n/4, respectively. The maximum likelihood decoding in this case is equivalent to the selection of one of two hypotheses about the variance of the Gaussian probability distributions having the same mean. It is well known (see, for example [  probabilities of the incorrect decisions are determined by the ratio of variances, which is equal to p(1 − p)/(1/4) and does not depend on n.
The simplest upper bound for the false acceptance and the false rejection rates can be expressed using the Bhattacharyya distance [13] between the probability density functions Ω(w |w) and B(w ). Namely, denote where Examples of the probability density functions Ω(w | n/2) and B(w ) are given in Figure 3 where we also show the false rejection and the acceptance rates for the maximum likelihood decision rule.
The values of F RR(w), F AR(w) can be bounded from above as The inequalities (26) follow from the observations The multiplications of the probabilities Ω(w | w) and B(w ) in (24) by the square roots above and extension of the integration over all possible values of w bring the desired bounds.
The value of the integral at the right-hand side of (26) can be easily computed using the statement below.

Proposition 1.
For all pairs (m 1 , σ 1 ) and (m 2 , σ 2 ) such that The proof is given in the Appendix. The use of (28) with (m 1 , σ 1 ) = ((n − w)p + w(1 − p), np(1 − p)) and (m 1 , σ 1 ) = (n/2, n/4) shows that the worst case corresponds to w = n/2 and where The bounds (29) are very simple, but they can be useless. For example, if p = 0.05, then δ = 0.856. If the acceptance set for the vector w consisting of T blocks is defined as the set of vectors w such that w t ∈ D(w t ) for at least T/2 indices t ∈ {1, . . . , T} and the estimate of the probability of incorrect decision for each block is greater than 1/2, then the estimate of probability of incorrect decision for T blocks is close to 1. Nevertheless, if the acceptance set is defined differently, considerations of this section are of interest.

Processing the T-Block Vectors
Let us first summarize our verification scheme, which can be also called a basic scheme. Enrollment. Represent the input vector b of length Tn as a result of concatenation of T blocks of length n. Compute the weights of the blocks w 1 , . . . , w n and store them in the database as the vector w.
Verification. Having received a binary vector b , construct the vector of weights of its blocks and denote this vector by w . Compute and make the acceptance decision if the obtained value is greater than a fixed threshold Λ that has to be chosen in advance depending on the requirements to the false acceptance and the false rejection rates, that is, We write 6 EURASIP Journal on Information Security when FRR(w), FAR(w) are defined by (13) with the set D (T) Λ (w) substituted for the set D (T) (w). Let us also denote where The probabilities introduced above can be easily estimated for Λ = 0, which corresponds to the maximum likelihood decision rule. Namely, where where δ is defined in (30). Hence, − ln δ n is a lower bound on the exponents E FRR , E FAR in (15). Let us denote Then, the inequalities (36) can be represented as the following statement: if T = kΔT n , then Similarly, the inequalities (38) can be represented as the following statement: if T = kΔT, then F RR 0 (w), F AR 0 (w) ≤ 10 −k .
Some values of ΔT n and ΔT are given in Table 1.
Suppose that the biometric vectors have length N = 4 Kbytes = 32568 bits. Let us partition this length in T = 128 blocks of length n = 256 bits (we will refer to the corresponding line in Table 1). In our scheme, each block is mapped to a binary vector of length log 257 = 9 bits, and the length of the password is equal to 9T = 1152 bits = 144 bytes. The compression factor is equal to β = 256/9 = 28.4. Suppose that p = 0.05. Then, the expected number of errors when the biometric vector is corrupted is equal to 32568 · 0.05 = 6514, which is 5.6 times greater than the length of the password. Nevertheless, we attain the false rejection and the false acceptance rates not greater than 10 −128/14.06 < 10 −9 . Furthermore, if T is increased twice and becomes equal to 256 (the length of the vectors is equal to 8 Kbytes), then the false rejection and the false acceptance rates are not greater than 10 −256/14.06 < (10 −9 ) 2 = 10 −18 . Similar conclusions can be drawn for any length in a way that the increase of the length by 14 blocks reduces the false rejection and the false acceptance rates 10 times. If p = 0.01 or p = 0.1, then we have to substitute 4.31 or 35.94 for 14.06 in these considerations. Notice also that these numbers are very close to the numbers that are asymptotically attained and have a simple formal expression.

A Variant of the Verification Scheme Based on Balancing
The vector c is called a balanced vector if it contains equal number of zeroes and ones. Thus, the weight of a balanced vector is equal to n/2. Given a vector b, let denote the set of indices i such that the transformation The transformation (44) is illustrated in Table 2.
It is well known [14] that Introduce the following algorithm.
Make the acceptance decision if and only if w ∈ D (T) Λ (w * ), where w * is the vector whose components are equal to n/2 and the acceptance set D (T) Λ (w * ) is defined in (32). For example, if n = 4, then the vector 0000 is mapped to the password "2", the vector 0101 is mapped to the passwords "0", "2", "4" with the probabilities 1/3, and the vector 0100 is mapped to the passwords "1", "3" with probability 1/2. Proposition 2. Let a given vector b be transmitted over a binary symmetric channel having the crossover probability p, that is, the conditional probability of receiving the vector b at the output of the channel is expressed as If i ∈ {0, . . . , n} is assigned in such a way that b ⊕ 1 i 0 n−i is the balanced vector and denote the probability of receiving a vector b with then The proof is given in the Appendix. An idea of the introduction of the balanced scheme is to reduce the performance of the verifier to the worst case performance for the basic scheme when all components of the vector w are equal to n/2. Another disadvantage of the scheme is the point that an attacker passes through the verification stage with the acceptance decision by presenting an alternating vector 0101 . . . 01. On the other hand, the balancing scheme allows us to hide any biometric vector of the user in his password, contrary to the basic scheme where the password consisting of all zeroes discovers the original vector. Furthermore, in most of the cases the same biometric vector can be mapped to many different passwords, since the mapping is stochastic when the cardinality of at least one of the sets I(b 1 ), . . . , I(b T ) is greater than 1.
The conclusion about the secrecy of the balanced scheme, meaning the possibility of the discovery of the block given its password, is based on the considerations below. Given an i ∈ {0, . . . , n}, let Then (see Table 2), where the first inequality follows from the observation that w = n/2 specifies one of terms of the sum for any i. Hence, the total number of biometric vectors that are mapped to the same password is bounded from below as and the exponent asymptotically coincides with Tn.

Example of Using the Verification Scheme for the DNA Data
There are data received on the basis of the DNA measurements [15]. We previously used them to illustrate coding schemes in [16,17]. The example, described in this section, is mainly introduced for the illustration, since the performance of the 8 EURASIP Journal on Information Security verifier probably does not allow one to recommend it for practical use. Nevertheless, transformations of the outcomes of the measurements seem to be typical. Notice also that the DNA data are universal in a sense that there are 24-28 deciphered alleles where the corresponding probability distributions of the outcomes of the measurements are recognized as stable distributions, while processing fingerprints, iris, and so forth requires the description of a number of technical details.

Structure of the DNA Data and the Mathematical Model.
The most common DNA variations are Short Tandem Repeats (STR), arrays of 5 to 50 copies (repeats) of the same pattern (the motif) of 2 to 6 pairs. As the number of repeats of the motif highly varies among individuals, it can be effectively used for identification of individuals. The human genome contains several 100,000 STR loci, that is, physical positions in the DNA sequence where an STR is present. An individual variant of an STR is called allele. Alleles are denoted by the number of repeats of the motif. The genotype of a locus comprises both the maternal and the paternal allele. However, without additional information, one cannot determine which allele resides on the paternal or the maternal chromosome. If the measured numbers are equal to each other, then the genotype is called homozygous. Otherwise, it is called heterozygous. The STR measurement errors are usually classified into three groups: (1) allelic dropin, when in a homozygous genotype, an additional allele is erroneously included, for example, genotype (10,10) is measured as (10,12); (2) allelic drop-out, when an allele of a heterozygous genotype is missing, for example, genotype (7,9) is measured as (7,7); (3) allelic shift, when an allele is measured with a wrong repeat number, for example, genotype (10,12) is measured as (10,13).
The points above can be formalized as follows [16]. Suppose that there are N * sources. Let the tth source generate a pair of integers according to the probability distribution Pr DNA A t,1 , A t,2 = a t,1 , a t,2 = π t a t,1 π t a t,2 , where a t,1 , a t,2 ∈ {c t , . . . , c t + k t − 1} and c t , k t are given positive integers. Thus, we assume that A t,1 and A t,2 are independent random variables that contain information about the number of repeats of the tth motif in the maternal and the paternal allele. We also assume that (A t,1 , A t,2 ),t = 1, . . . , N * , are mutually independent pairs of random variables, that is, where A = (A 1, , . . . , A n, ) and a = (a 1, , . . . , a n, ), = 1, 2. Let us fix a t ∈ {1, . . . , N * } and denote Then, the probability distribution of a pair of random variables which represents the outcome of the tth measurement, can be expressed as where γ t (i, j) Thus, the total number of outcomes having positive probability is equal to 7.2. Mapping of the DNA Data to Binary Vectors and Introducing the Passwords. The outcomes of the DNA measurements bring the following results [16]: the total number of alleles is 28, one can extract 128 bits from the measurements of a person, the entropy of the probability distribution over the outcomes is equal to 109, and the maximum probability of a vector consisting of 28 outcomes is equal to 2 −76 . In the following discussion, we will assume that N * = 27 (the DYS391 allele is excluded). Let us fix t ∈ {1, . . . , 27} and let S t denote the set of cardinality |S t | = K t consisting of the outcomes that can be received from the t-th allele with positive probability. Associate the outcomes with the integers 1, . . . , K t and let γ (i) t denote the probability of the outcome, which is mapped to the integer i. Let us run the procedure that maps i ∈ {1, . . . , K t } to the integer u ∈ {0, . . . , 7} : partition the set S t in 8 subsets S t0 , . . . , S t7 in such a way that and set The use of this procedure for t = 1, . . . , N * maps 27 outcomes to a vector (u 1 , . . . , u 27 ) ∈ {0, . . . , 7} 27 , which can be expressed by a binary vector b = (b 1 , . . . , b 81 ). Let us apply the verification scheme described in Section 3 for T = 3 and n = 27. Thus, the vector b is mapped to the password (w 1 , w 2 , w 3 ), where w 1 , w 2 , w 3 ∈ {0, . . . , 27}, and we need 15 bits to express a password in binary format. Furthermore, let us postulate the following model for the noise when the DNA data of the same user are measured for the second time: with probability 1 − ε , the outcome of the measurement at the tth allele is the same as before; with probability ε , it is equal to the integer i chosen from the set {1, . . . , K t } according to a uniform probability distribution. In the following formal considerations, we assume a simplified model where the approximate equality (62) is replaced with the equality for all u ∈ {0, . . . , 7} and t ∈ {1, . . . , 27}. One also assumes that the outcome of the measurement of the same user copies the previous value of u with probability 1 − ε and that it takes an arbitrary value belonging to the set {0, . . . , 7} with probability ε, where ε is less than ε . In a practical system, ε = 0.05 [15], we set ε = 0.02. Notice that our assumptions do not seem to be critical: after these assumptions are relaxed, the formal analysis below has to be updated with the correction factors without essential change of the conclusions.
For v = 0, . . . , 3, set and, for v, v = 0, . . . , 3 and v / = v, set Then, q v,v is equal to the probability of the event that "the weights of the tth DNA measurements" of a randomly chosen person are equal to v and v at the enrollment and the verification stages, respectively, v, v = 0, . . . , 3.
The data processing above illustrates several points that can be important for the practical implementation of the verification algorithm. In particular, notice that the conditional probability distributions Ω(w | w),w = 0, . . . , 27, were introduced using the input probability distributions, but they are almost independent on w and their approximation, Ω(w | w),w = 0, . . . , 27, can be assigned only as the function of ε, This value has to be multiplied by a factor having the order of magnitude of (0.15) 3 = 0.003 if one is interested in the average false acceptance rate. Notice also that the mapping (63) gives an additional resource that decreases the false acceptance rate: if we randomize over the mapping for t = 1, 2, 3, then the same factor of the false acceptance rate is obtained for a fixed input vector consisting of pairs of outcomes of the DNA measurements. Our example also indicates the point that the mapping of the available data to a binary string with the further computation of the weight of the vector looks as an artificial transformation, and "a more natural password" would be specified as the arithmetic average of 9 integers that form the block. However, the arithmetic average is a float, and we also meet a problem of the specification of the length of a binary string needed for its representation (it also determines the length of the password in bits). We plan to discuss this point in a future correspondence.

Conclusion
We presented some variants of the verification schemes oriented to practical applications where the original biometric vectors are split into blocks and converted to short strings using block-by-block transformations. The key idea is the translation of the statistical dependence between the vectors of the same user into the statistical dependence between passwords assigned to the corresponding blocks. The scheme can be introduced without assumptions about a coordinate-wise dependence between the biometric vectors, which is important for many practical applications, like processing of the iris or fingerprints. In general case, "the weight of the block" is the function of the total amount of information extracted from a fixed number of outcomes of the measurements. In particular, it can be understood as the number of minutiae points belonging to a certain area while measuring the fingerprint. Different types of the observation errors, and like missing of some data, registration errors, synchronization errors, are also accumulated. To implement the verification algorithm, one is supposed to find a proper description of the conditional probability distribution Ω without specification of the errors that cause the corresponding transitions. This problem is oriented to a particular application, since we do not think that there exists a universal procedure for any biometric observations. The analysis presented in our correspondence can serve as a basis for the analysis of the verification performance depending on this probability distribution. Notice that the verification scheme can be also effectively used when the name of a person, which is used as a pointer to a particular password stored in the database, is not given. In this case, our approach serves as a filter to make a preselection of passwords of the users whose biometric vectors can be close to the presented biometric vector. As a result, we get a typical application of hashing when the rejection decision are made with the data that are stored in a random access memory.
Notice also that there are different variants of the basic procedure. One of them, called the balancing verification scheme, was described. Another variant appears with nonuniform partitioning of the biometric vectors in blocks. In this case, the blocks of lengths n 1 , . . . , n T are created in such a way that their weights are shifted from n 1 /2, . . . , n T /2 "as much as possible" to improve the performance. However, the positions of the boundaries of the blocks have to be stored, and one has to investigate the tradeoff between the performance and the required size of the memory. We did not consider this problem in the present correspondence assuming that the length of the original biometric vector and the length of the password are fixed. In this case, for the basic scheme, the values of Tn and T log(n + 1) are fixed, and the values of the parameters T and n are determined.