A non-invertible transformation based technique to protect a ﬁngerprint template

A ﬁngerprint-based authentication system provides security to the applications of numerous ﬁelds and usually stores minutiae information in the database as a template. It has been observed from the literature that the reconstruction of an original ﬁngerprint is possible from minutiae points information; hence the security of the stored template becomes extremely crucial. Cancellable biometric techniques based on non-invertible transformation protect the stored template. These techniques prevent the reconstruction of original ﬁngerprint data from the compromised template and avoid unauthorized access to the system. In this paper, a technique based on the non-invertible transformation to protect a ﬁngerprint template is proposed. In the technique, minutiae locations in a ﬁngerprint are transformed by using the minutiae’s original locations and orientation information, and a user keyset. A principal component analysis based approach to align the probe and gallery templates of ﬁngerprint images while matching is also proposed. The evaluation of the proposed technique is carried out on seven different ﬁngerprint databases taken from FVC2000, FVC2002, and FVC2004 databases, and its performance is compared with other existing state-of-the-art techniques in the literature. The comparative performance shows that the proposed technique is highly robust and performs exceptionally well compared to other existing techniques.


INTRODUCTION
Biometric authentication system refers to the automated recognition of a person based on physiological and behavioural traits. Fingerprint, iris, face etc., come under the physiological characteristics, whereas behavioural traits include gait, signature, voice. Biometric systems provide extra comfort and security for authentication to a user as compared to the traditional ways of authentication, such as based on passwords and keys. However, there are some serious challenges such as identity theft and privacy of biometric data that the biometric system carries [1,2]. It has been shown in [3] that there are several kinds of attacks possible in different stages of a biometric authentication system. Of these, the database is one of the stages which is prone to attack, and as biometric information of a person is immutable, the security of the stored biometric template in the database is a great concern in biometrics.
This is an open access article under the terms of the Creative Commons Attribution License, which permits use, distribution and reproduction in any medium, provided the original work is properly cited. Among various physiological biometric traits, the fingerprint is extensively used as it is convenient to capture, easy to process, and is found to be persistent. Fingerprint-based authentication systems [4,5] mainly rely on the information of minutiae points and singular points. In a fingerprint image, points of ridge bifurcation and ridge ending are the widely used minutiae points. Further, the core point and the delta point in a fingerprint are used as singular points where the core point is defined as a point where the curvature of the ridges is the most, and the delta point is defined as the point where ridges form a delta shape. An example of a fingerprint image with minutiae points and singular points marked on it is shown in Figure 1. In a fingerprint-based authentication system, usually, information of minutiae points (i.e. location of minutiae point and orientation of ridge at minutiae point) is stored in the database to recognize a person. If any attack happens on the database and stored information is compromised, then it is possible to reconstruct the original fingerprint image by using the information of minutiae points [1,6]. Moreover, in [7], a method describes that even an original fingerprint can be formed by using the minutiae template of ISO standard. As we know, the fingerprint is a permanent biometric feature associated with a person, and it is not possible to change it if it is compromised in the event of an attack. To protect the information of fingerprint template, many template protection techniques have been proposed, which are mainly classified under two categories: biometric cryptosystem [8] and cancellable biometrics [3]. The technique proposed here falls under the latter category, which suggests that a biometric template obtained by transforming the original template should be stored in the database instead of the original template to protect it. This transformation should exhibit some essential characteristics, which are given below.
• Renewability: Renewability requires that it must be possible to generate an entirely new template using the same biometric data if the stored template is compromised. This completely new template is further stored in the database to replace the compromised one. • Unlinkability: It states that the templates which are generated by utilizing the different parameters of the transformation function should be unlinkable with each other. Due to the unlinkability of a user template, a stored template can easily be replaced by another one in the event of an attack on the database. • Security: If a template which is constructed after performing a transformation on an original template is compromised, then intruder should not be able to reconstruct the original biometric image by utilizing it. This ensures that the transformation technique is strong enough to protect the privacy of users and prevent unauthorized access in the biometric system.
• Recognition rate: Recognition rate or matching performance of a biometric system should not be degraded due to the transformation used to protect the original biometric template.
A new technique to protect fingerprint templates is presented. The proposed technique satisfies all the characteristics listed above and is shown to be robust to attacks. The significant contributions of this research work are mentioned below.
• The proposed technique generates a non-invertible 3D user template which ensures the security of fingerprint data of a user stored in the database. • As alignment is a crucial step in a fingerprint-based system, an alignment technique utilizing the principal component analysis (PCA) is proposed, which does not store any auxiliary information into the database for alignment during verification. • A large number of distinct user templates can be constructed from the same biometric data using different values of keysets. This makes the templates fully unlinkable and renewable. • The transformed user templates are highly secure as it is infeasible to restore the original fingerprint data from the transformed template even if an adversary gets the information of keyset. • The proposed technique has shown good performance even in the case of challenging databases such as FVC2002 DB3, FVC2004 DB1, and FVC2004 DB2.
The rest of the paper is organized as follows. In Section 2, a review of existing techniques in the area of biometric template security has been presented. The proposed template protection technique has been given in Section 3. This section discusses the transformation, alignment, and matching procedures used in the proposed technique. Section 4 presents the experimental validation of the proposed technique with respect to the aforementioned characteristics. In the end, the paper has been concluded in Section 5.

RELATED WORK
The work available in the literature related to the area of fingerprint template protection can be broadly classified into two categories: biometric cryptosystem and cancellable biometrics. Biometric cryptosystem [8][9][10] secures biometric information by utilizing the cryptography techniques. Key-binding and key-generation schemes come under the biometric cryptosystem, as explained in [11]. Cancellable biometrics is divided into two types, namely, biometric salting [12] and non-invertible transformation [13]. Biometric salting refers to the generation of a user template based on an invertible transformation where the transformation is performed using a user-defined key. The key can be changed to get a new template if the existing one is compromised. However, the security of the user-defined key is the most important, as if the key is compromised, then by using it, an intruder can easily reconstruct the original biometric information.
This makes the biometric salting technique similar to a password-based authentication system [13]. In non-invertible transformation-based template protection techniques, even if parameters (keys) which are used to transform the biometric data are compromised, it is impossible or practically infeasible to reconstruct the original biometric information from the transformed one. The review of the template protection technique under the two umbrella terms mentioned above is given below.

Biometric cryptosystem
As mentioned above the categories of biometric cryptosystems, in key-binding scheme, a secure key is attached with the biometric data of the template to generate helper information, and this helper data is used to generate the key utilizing genuine query biometric data for successful authentication. A key is generated directly from the biometric data in a key generation scheme, for instance, in a quantization scheme [14]. Fuzzy commitment scheme [15] and fuzzy vault scheme [16] are two mainly used key binding schemes in the area of biometric cryptosystem. Fuzzy commitment scheme [8,17,18] utilizes the error correction codes to secure the biometric data in the binary format. Whereas in fuzzy vault scheme [19][20][21][22], polynomial encoding and error correction codes are utilized to secure the biometric data in the form of a vault such that the vault can be unlocked using genuine biometric data at the time of verification.

Cancellable biometrics
Cancellable template protection techniques are completely based on the transformation performed on the biometric features. In cancellable biometrics, templates are generated by modifying the features of biometric data, which makes it computationally infeasible for an intruder to reconstruct the original biometric data from the user template. Ratha et al. in [3] have discussed about the different attacks possible in a biometric system and introduced the concept of cancellable biometrics. Cancellable biometrics are mainly categorized into biometric salting and non-invertible transformation, where non-invertible transformation has great advantages over biometric salting. First, we review the techniques which are based on biometric salting and then discuss the other techniques which are based on non-invertible transforms. In [12], authors have proposed a salting method to construct a revocable template. The technique calculates the hash, called as palm-hash, of biometric data by utilizing a pseudo-random key that can be stored in a portable device such as a smart card and chip. In [23], a new encoding scheme has been proposed called as S-Iris encoding, which is a repetitive product of a random number and biometric features. Teoh et al. have proposed a technique in [24] which generates a non-invertible template by using biometric features and a token. They have called this representation of biometric features as biophasor.
Cappelli et al. in [25] have proposed a technique called Minutia Cylinder-Code (MCC) to generate the cancellable biometric template for fingerprint. In this technique, original locations and orientations of minutiae points can be traced back, which makes it an insecure technique. Ferrara et al. in [26] have proposed an extended version of MCC [25]. This technique produces completely secure and non-invertible templates. Although the technique has shown good performance, templates are not revocable in it. In [27], Ahmed et al. have proposed a technique based on the local structure (pair-polar structure) of minutiae points. The template is non-invertible in this technique and is computed using many-to-one mapping of pair-polar coordinates of minutiae points. A similar alignmentfree template protection technique is being proposed by Wang and Hu in [28]. This technique makes use of infinite-to-one mapping. In [29], Jin et al. have used three-tuple quantization to compute a bit string from minutiae sets. In the technique, minutiae sets have been obtained by dividing the complete fingerprint impression into a polar grid. In [30], Jin et al. have incorporated Hamming Embedding, which is based on graphs and is random in nature, to compute a secure fingerprint template. A densely infinite-to-one mapping (DITOM) has been introduced in [28] to construct the secure user template. Sandhya and Prasad in [31] have proposed a technique to compute the cancellable template by utilizing the k-nearest neighbourhood structure of minutiae points. By using these structures, they have computed a binary string, which is further used as a cancellable template. In [32], to construct the fingerprint template, instead of using the location of minutiae points, Delaunay triangles formed by minutiae points have been used. In [33], a blind system identification approach has been developed to construct the cancellable fingerprint template, and the quantized pair-minutia vector has been used to design the blind system. Sandhya et al. [34] have introduced a technique to compute a non-invertible fingerprint template which is based on the Delaunay triangulation, and these features are quantized into a 3D array to compute a binary string, which is further used as a template after performing a non-invertible transformation. Sandhya and Prasad in [35] have utilized a bit-string to construct the cancellable template, which is a fusion of bit-strings computed from the local and distant features of minutiae points. In [36], a translation/rotation independent non-invertible transformation-based technique has been proposed, which has been further improved in [37].
In [38], Moujahdi et al. have proposed a technique, called as Fingerprint Shell, in which a spiral curve is constructed by using the distances between minutiae points and singular point to form a secured fingerprint template. However, these distances are not secured and can easily be acquired by an intruder. To eliminate this shortcoming of fingerprint shell, Ali and Prakash have proposed an enhanced form of fingerprint shell in [39,40], which is further improved in [41,42]. In [43], Ali et al. have proposed a framework based on polynomial curves, which is known as Polynomial Vault. Though it is highly secure, it shows poor performance with respect to the same key attack scenario.
In the proposed technique, a non-invertible transformation is used to construct fingerprint templates. The technique satisfies all important criteria, namely, renewability, unlinkability, security, and consistent recognition rate required for any template protection technique.

PROPOSED TECHNIQUE
Minutiae points in a fingerprint image hold rich details of ridge patterns, which makes them very useful to differentiate between two fingerprint images of different users. We leverage this property of minutiae points to construct a secured user template. We propose a technique to produce a secure fingerprint-based biometric template with the help of a non-invertible transformation. The technique considers an original biometric template computed from a fingerprint image and transforms it with the help of a keyset {d , } to produce a secured version of the original template. The original fingerprint-based template is defined with the help of locations of the minutiae points along with their orientation information. To enroll a user with the recognition system, a secured template is computed from the original template and is stored in the database. An example of a fingerprint image with minutiae points marked on it is shown in Figure 1 In a fingerprint recognition system, the alignment of fingerprint templates is an important concern while performing matching. This is true irrespective of whether we are matching the original fingerprint templates or secured templates obtained from the original templates. To handle this in the proposed technique, we make use of PCA-based approach where we propose to align a secured fingerprint template by orienting it to a unique axis, and the angle of the rotation is calculated by using a fingerprint image. Since in the proposed technique, transformed locations of minutiae points have been used to construct the secured template and transformation being used is non-invertible, it is infeasible for an attacker to reconstruct the actual fingerprint image (or obtain the original minutiae attributes) by stealing the stored template. The overview of the proposed technique is shown in Figure 2. The detailed description of various steps followed to create a secure fingerprint template is given below.

Construction of secured user template
To construct the secured user template, first, features which are basically the location of minutiae points and their orientation information, are extracted from the fingerprint image. These features define the original user template for the fingerprint image. A transformation is applied to the features of the original template, and a new set of features is obtained in 3D space using our proposed technique. This new set of features define the secured user template. Let a set of minutiae points be represented as   Figure 4. The value of d ′ can be formally calculated using Equation (2). The transformed locations of all the minutiae points collectively define the secured user template with respect to original user template obtained from the original minutiae locations.
After computing the secured template, it is centred at the singular point as given in Equation (4). The centring of the template at a singular point makes the secured template translation invariant, whereas rotation helps in aligning the template to a unique direction, which in turn makes the matching of the two secured templates rotation invariant. In addition, sometimes, a fingerprint may contain more than one singular point. In order to address it, the number of the computed secured templates during enrollment are made equal to the number of singular points present in the fingerprint by computing a template with respect to each singular point. At the time of verification, the secured template is calculated with respect to the singular point, which is nearest to the centre of the probe fingerprint. Further, the template is rotated by an angle, which is computed using PCA as explained in the next section. (1)

Alignment using PCA
We make use of PCA to align the secured fingerprint template to a standard axis by utilizing the angle of rotation calculated from a fingerprint image. As we observe, a fingerprint impression captured through a fingerprint sensor is usually of elliptical  [44] (oval) shape. Hence, if PCA is performed on the coordinates of the pixels of the fingerprint impression, the two principal components of the PCA produce the axes of the ellipse circumscribing the fingerprint impression where the first principal component of the PCA represents the direction of major axis of the ellipse and the second principal component represents the minor axis. To orient secured fingerprint template to a standard direction, it is rotated in such a way that the first principal component obtained from the fingerprint image aligns with Y-axis or the second principal component aligns with X-axis. In [44], PCA has been demonstrated to align different types of images such as magnetic resonance imaging (MRI) scans of the brain, images of modified national institute of standards and technology (MNIST) dataset [45], and fingerprint images. For performing alignment in this work, coordinates of all the pixels of fingerprint impression (included ridges and valleys) are used as an input to PCA. However, the use of coordinates of all the pixels makes the computation of principal components very slow in PCA. To overcome this, we propose the use of only coordinates of pixels of thinned ridges. This drastically reduces the computational cost of alignment without compromising the correctness of alignment. Figure 5 shows the comparison of alignment obtained by our technique with that of [44]. We observe that the principal component directions in both cases are very similar. This is to be noted that the PCA is carried out using the pixel coordinates of thinned fingerprint ridges, whereas the obtained principal components (mainly second principal component) are used to align the secured fingerprint template, which mainly encompasses the transformed minutiae locations of the fingerprint image. Alignment of secured fingerprint template by using the principal component, as discussed here, makes the secured template rotation invariant. The complete procedure followed in the alignment is described below.
In the proposed alignment process, a fingerprint image is first enhanced using [46,47] to enable accurate computation of ridges in the image. An example of fingerprint enhancement is shown in Figure 6. To obtain the thin (one pixel wide) ridges, the enhanced image is first thresholded and later thinned using a morphological operator.
Let A be a 2D matrix containing coordinates of p points representing the ridge pixels of the thinned fingerprint image.
Matrix A can be formally written as follows where the size of the matrix is p × 2, and each row defines the coordinates of a ridge point: To compute the principal components of the data represented by A, its covariance matrix C of size 2 × 2 is computed as follows after centring the ridge points around the mean (m a , m b ).
Principal components are computed by performing the singular value decomposition of the covariance matrix C using Equation (7). In the equation, U and V are two orthogonal matrices whereas S is a diagonal matrix. The matrix S contains eigenvalues in decreasing order, where the first diagonal element contains the largest value. In matrix U, each column contains an eigenvector corresponding to an eigenvalue in S. The eigenvector obtained with respect to the largest eigenvalue (i.e. the first column of U) corresponds to the first principal component in PCA.  .
(10) Since the covariance matrix C is of size 2 × 2, the size of the matrix U is also obtained as 2 × 2. This means it contains two eigenvectors (principal components) as shown in Equation (8), where the first column represents the eigenvector corresponding to the largest eigenvalue (first principal component) and so on. To align the fingerprint template to a standard direction, it is rotated in such a way that the second principal component (i.e. eigenvector corresponding to the smallest eigenvalue) obtained from the fingerprint aligns with X -axis. We calculate the angle made by the second principal component with the X -axis using Equation (9). Steps followed to align a fingerprint image to a standard direction using PCA Before performing the rotation (alignment) of the secured fingerprint template, it is centred to a singular point using Equation (4). This helps in making the secured user template computed for the fingerprint later translation invariant. In Equation (4), the coordinates of the singular point are considered as (x sing , y sing , z sing ), where the value of z sing is considered as zero. The final transformed location of the original fingerprint template points (minutiae points) after rotating the points of secured user template by angle is given by Equation (10). The complete procedure in the algorithmic form is given in Algorithm 1 to compute the secured user template ST. This algorithm summarizes the working of Sections 3.1 and 3.2, which takes the matrix M and A as inputs and computes the secured transformed template, which is both translation and rotation invariant. In order to do that, first, it computes the transformed 3D locations of minutiae points denoted as (x ′ i , y ′ i , z ′ i ) by using the user keyset values d , , and d ′ (combination of d and as mentioned in Equation 2). These transformed locations are completely secure; however, to make them translation invariant; further, the transformed locations are subtracted from the singular point location, which is basically making the singular point as origin. After these steps, the translation invariant secured fingerprint template is being rotated to align by means of the PCAbased alignment technique and a fingerprint image. In PCAbased alignment technique, principal components are calculated for the pixels locating the ridges of thinned fingerprint image as shown in Figure 6, which provides an estimate of rotation angle with respect to the standard axis (X or Y ). Further, by utilizing the information computed in the previous step, the final transformed fingerprint template is computed as given in Algorithm 1, which is both translation and rotation invariant. Further, the aligned secured fingerprint template for a user is stored in the database as a gallery template. The user keyset is also stored in the database so that a similar transformation can be applied to compute the secured template from the probe image before matching. The detailed steps are explained in Sections 3.1 and 3.2.
In addition to that, we also propose a technique to secure the user keyset by utilizing a user PIN (Personal Identification Number) to prevent the spoofing attack as given in the next section.

Securing the user keyset
While enrolling a subject with the database using a secured user template, the user keyset {d , } used in the computation of a secured user template for a subject is also stored in the database. The storage of the user keyset in the database is required to enable us to use the keyset to convert the query user template to an equivalent secured user template. As the transformation used in obtaining a secured user template is non-invertible, even though both stored template as well as the keyset are stolen by an intruder, it is impossible for him/her to reconstruct the original biometric data back from the compromised information. Thus, the proposed technique ensures the security of the original fingerprint information, such as attributes of minutiae points, ridge patterns, in case of an attack on the database. However, an intruder can get access to the biometric system in the case of a spoofing attack. To prevent it, the proposed protective measure has been elaborated as follows.

Protection against spoof attack
We further propose a PIN-based technique to protect the template against the spoofing attack. In case of a spoofing attack, an attacker may get access to the fingerprint authentication system by spoofing biometric data. To handle this situation in the proposed technique, a PIN is assigned to each user. The output of the XOR operation between the binary equivalent of ALGORITHM : 10: /* Reducing translation due to intra-subject variance, from step 11 to 13 */ 11: :

30: end for
the keyset and the PIN is stored in the database instead of the direct user keyset. Thus, at the time of authentication, without a PIN, the keyset will not be unlocked even if the spoofed impression is much similar to the genuine one. Binary equivalent of integral parts of keys d and are concatenated and its bitwise XOR operation is computed with the binary equivalent of user PIN at the time of enrollment. The outcome of the bitwise XOR operation is further stored in the database with a secured user template. The reverse of this process is followed during the verification for extraction of keyset to compute the secure probe fingerprint template for matching The procedure that has been followed to match the secured gallery and probe fingerprint template is given in the next section.

Matching procedure
Let Q be the probe fingerprint image. To match it with the enrolled secured templates, first, its equivalent secured template is obtained by using the similar approach followed during enrollment as mentioned in Sections 3.1 and 3.2. Let the points in the secured probe template be q ∈ {q 1 , q 2 , …. q n } whereas the points in a secured user template stored in the database (secured gallery template) be t ∈ {t 1 , t 2 , …. t m }. A point q i in the probe template is matched to a point t i in the gallery template if point q i exists within a sphere of radius th centred at point t i and vice versa. The value of th works as a threshold used in the proposed technique to find out the matching between any two points belonging to probe and gallery templates, respectively. Let m qt be the number of points in the probe template which match to some points of gallery template and m tq be the number of points of the gallery template which match to some points of probe image. Then, the matching score for a probe and gallery pair can be given using Equation (11). ] .
Sometimes, due to the poor quality of fingerprint images or availability of only partial fingerprint impressions, PCA does not align the template properly. To overcome this, we match probe and gallery templates multiple times by rotating the probe template from −5 • to +5 • with an increment of 1 • in each iteration. The best score out of these 11 iterations is considered as the final match score.

EXPERIMENTAL ANALYSIS
In this section, the proposed technique has been evaluated with respect to four main criteria, namely, renewability, unlinkability, security, and performance, used in the analysis of a template protection technique. We have used FVC2000 DB2, FVC2002 DB1, FVC2002 DB2, FVC2002 DB3, FVC2002 DB4, FVC2004 DB1, and FVC2004 DB2 fingerprint databases (where FVC represents Fingerprint Verification Competition [48] and DB represents Database) to carry out the experiments. The total number of fingerprint images in each database are 800, which includes 100 subjects having 8 samples each. To extract the minutiae information from fingerprint images, Verifinger SDK (Demo version) [49] has been used. Singular points are being extracted by utilizing the technique proposed in [50]. Since this approach is not able to compute the location of singular points in arch-type fingerprint images, the technique proposed in [51] has been used to detect singular points in arch-type fingerprint images. To compute a secured template for analysis, key values are chosen randomly in a range. The range of values used for d is (0,1000] whereas the values of are taken in the range (0, 360]. Integer values are considered for d , whereas the values of are both integer and fractional taken from the above-mentioned range. However, it would always be better to select the keys for different users by maintaining a difference of at least 1 between the two consecutive keys, especially in the case of fractional values. The standard metrics used to evaluate any biometric system are FRR (false rejection rate), FAR (false acceptance rate), GAR (genuine acceptance rate), and EER (Equal Error Rate). FRR is defined as the rate of rejection of genuine users, whereas FAR is defined as the rate of acceptance of non-genuine users. Further, GAR is defined as the acceptance rate of genuine users and can be calculated as: GAR = 1 − FRR. EER is defined as the rate of error at a point when the values of FAR and FRR are the same. The 1-versus-1 (1-vs.-1) matching protocol has been used to evaluate the proposed technique. FRR has been computed for each database by matching the first sample of each subject with the second sample of the same subject, whereas to compute the FAR, the first sample of each subject has been matched with the first sample of rest of the subjects. We have performed experimentation on a machine having Intel ® Xeon processor with 64 GB of RAM and MATLAB ® 2019a. Statistical techniques have also been used to analyse the experimental results for different databases. Kolmogorov-Smirnov test (KStest) and t-test have been used to carry out the statistical analysis. A detailed discussion on the analysis of the results based on the aforementioned aspects is presented below.

Renewability analysis
A template protection technique is said to possess the property of renewability if it is possible to replace the stored user template in the biometric database with a completely new template in the situation when the stored template gets compromised. In the proposed technique, it is possible to generate a completely new secured template for a user from his/her fingerprint data by changing the keyset. Since a stored template can be replaced by a new template, which is completely different from the stored one, an adversary cannot get access to the biometric system by using the compromised template. An example of secured templates constructed by the proposed technique using different keys and the same fingerprint image are shown in Figure 8. From the figure, we can see that the two templates are very different from each other though they have been obtained from the same fingerprint data. Further, to analyse the renewability of the proposed technique, a framework which is used in [52], has been utilized. According to this framework, the pseudo-genuine score is calculated for each subject, which is a matching score between the stored template and a template computed using different keyset and the same fingerprint data. The mean and variance of these scores along with the imposter and genuine score are also calculated for all the database as given in Table 1. It is clearly observed from Table 1 that the mean and variance values of pseudo-genuine and imposter score are nearly similar and very far from the mean and variance of the genuine scores. It clearly depicts that the renewed template is completely different from the stored one, and the overall technique can be considered as highly renewable.

Unlinkability analysis
It is observed that in the proposed technique, there is no link found between the user templates, which are constructed using the same fingerprint data and different keysets. This makes the templates generated by the proposed technique diverse in nature. Further, the existence of diversity in the templates can also prevent the cross-matching attack as the templates that are stored in different biometric systems for the same biometric data of a subject would be unlinkable from each other. To further analyse and show the unlinkability of user templates computed by the proposed technique, we have utilized the process mentioned in [53]. Accordingly, we have calculated the matching score of two templates, which have been selected based on the following four cases.
• Same impression: In this case, templates are constructed using the same fingerprint impression of a subject by utilizing different keysets. After computing the templates, the matching score between them is computed. The same procedure is repeated for all the subjects present in the database to compute the matching scores. • Same subject: In this case, templates are constructed using the different fingerprint impressions of the same subject by utilizing different keysets and the matching scores are calculated for all the subjects of the database.
• Different subjects: In this case, templates are constructed using the fingerprint impressions of two different subjects by utilizing different keysets and the matching scores are calculated for all the subjects of the database. • Genuine score: In this case, templates are constructed using two different samples of the same subject by utilizing the same keys for both the templates.
In each case, two templates are constructed for each subject present in the database. Thus, the total number of matching scores for each database used in the experimentation would be 100 as each of them contains 100 subjects. The scores of the first three cases are compared with the genuine score obtained in the fourth case. Figure 9 shows these comparisons for all the databases. It can be clearly seen from Figure 9 that the distribution of pseudo-genuine scores calculated based on the first FIGURE 10 Representing the security (non-invertible nature of secured fingerprint template) provided by the proposed technique three cases is completely different from the distribution of the genuine matching scores computed in the fourth case for all the databases. This shows that the templates constructed in the proposed technique using different keysets are unlinkable to each other. Moreover, according to a generalized framework mentioned in [54], the distribution of the same impression (mated samples) and different subjects (non-mated samples) is overlapped with each other as shown in Figure 9 which shows that the templates are fully unlinkable. So in the event of an attack in a database, if compromised templates are replaced by completely new templates, it will make it impossible for an intruder to get access to the system by using the compromised user template due to the unlinkability of the old and new user templates.

Security analysis
A template protection technique is called secured if it is computationally infeasible to reconstruct the original fingerprint data from the stored user template. Since a non-invertible transformation has been used in the proposed technique to compute the secured user template from an original minutiae pointbased user template, it is difficult to invert the secured template and get the original fingerprint data from it even when keyset is available. Moreover, since there is no information stored in the database regarding the orientation of the minutiae points, it makes it even more difficult to construct the ridge patterns of the original fingerprint image. The security of the template in the proposed technique has been analysed by considering the following events of the attack.

Non-invertibility analysis
To analyse the non-invertibility of the template in the proposed technique, let us assume that an adversary has stolen the secured template and keyset values from the database. As demonstrated in Figure 10, in that case, by utilizing the values of d and , the location q ′ i in XY -plane can be computed. Further, for finding the original location of a minutia point m i corresponding to the transformed location m ′ i , the location of point q i is needed. However, there are infinite possibilities for the location of q i around the point q ′ i on the circumference of the circle of radius d . For instance, if we just assume that there are 360 possibilities on the circle, the total number of possibilities to find out all the original location of minutiae points would be 360 n , where n represents the total number of minutiae points in a fingerprint image. Thus, it is clearly infeasible for an adversary to compute the original location of minutiae points from the compromised template even when the user keyset is available.

4.3.2
Attack via record multiplicity (ARM) In the event of an ARM attack, an adversary uses multiple templates that have been computed using the same fingerprint image and different keysets to get the original template and fingerprint image information by attempting to relate them. However, it is infeasible to reconstruct the original template and further the fingerprint image in the proposed approach. In order to show that, lets assume an adversary has gotten three transformed template ST 1 , ST 2 , and ST 3 which are obtained using the same fingerprint image and three different keysets {d 1 , 1 }, {d 2 ,

Brute force attack
In the brute force attack scenario, an adversary tries all possibilities to get back the original template from the transformed template stored in the database. In the proposed technique, keysets are stored in the database after performing the bitwise XOR operation between the keyset and user defined PIN (32-bit) as shown in Figure 7. Let us consider the assigned PIN comes under the range of a minimum decimal number of four digits to a maximum decimal number of nine digits. Hence, first, to unlock the keyset, there are 9 × 10 3 (10 0 + 10 1 + ⋯ + 10 5 ) ≈ 9.9 × 10 8 possibilities of PIN (32-bit) out of that only a combination can unlock the keyset; thus, the probability of guessing the value of PIN correctly is 1 9.9×10 8 ≈ 1.01 × 10 −9 . In addition to that, there are approximately 360 n (n number of original minutiae) possibilities for trying to guess the original minutiae locations from a transformed template out of which n are the correct guesses; thus, the probability of guessing the minutiae points is given as 24 9.9×10 8 ×360 24 ≈ 1.08 × 10 −69 , if n = 24. It clearly shows that the probability of guessing the Note "-" denotes non-availability of data.
original minutiae locations is negligible, and hence the proposed technique is highly robust against the brute force attack.

Analysis of recognition performance
In this section, the recognition performance of the proposed technique is being analysed on seven different databases, namely, FVC2000 DB2, FVC2002 DB1, FVC2002 DB2, FVC2002 DB3, FVC2002 DB4, FVC2004 DB1, and FVC2004 DB2. The performance has also been compared with the existing techniques. The evaluation has been carried out using different metrics such as FAR, FRR, GAR, and EER in the samekey scenario where the same user keyset is used by all the subjects of a database. The comparison of results with the existing techniques has been performed based on the EER values. The values of EER obtained for different databases in the proposed technique, and their comparison with that of existing techniques are given in Table 2. It can be observed from the table that the performance of the proposed technique is superior to that of existing techniques except for the technique proposed by Ferrara et al. in [26]. However, the technique in [26] does not possess the revocability property, whereas the template produced in the proposed technique is completely revocable. Also, the secured templates produced by the proposed technique using different keysets are found to be unlinkable with each other, which makes them diverse as well. Although the quality of fingerprint images is not good in FVC2002 DB3 and FVC2002 DB4 databases, the proposed technique has outperformed most of the techniques in the case of FVC2002 DB3,  Figure 11. ROC curves for all the databases are shown in Figure 11 for the same key scenario, which shows the robustness of the proposed technique. The distribution of genuine and imposter scores is given in Figure 12 for all the databases under the same key scenario. As it is clearly shown in Figure 12 that the distribution of genuine and imposter scores are significantly different from each other. In addition, a statistical analysis is performed as described in the following section to show the significant difference between genuine and imposter scores.

Statistical analysis
We have also performed statistical analysis to show the segregation of genuine and imposter scores in the proposed technique.
We have used KS test [59] and student's t-test [60] for this purpose.
• KS test: It is a non-parametric and distribution free statistical test to find out the difference between two sets of samples. The value of KS-test varies in the range [0, 1], where a lower value shows that the two sets are completely similar to each other, whereas a higher value shows that the two sets are significantly different from each other. The results of KS-test performed on the genuine and imposter scores computed using the proposed technique for different databases are given in Table 3. It can be clearly seen in the table that the values of KS-test obtained for the proposed technique are close to 1 and are much higher as compared to the same obtained for other existing techniques. This shows that the genuine and imposter scores computed in the proposed technique are well-separated and are significantly different from each other. • Student's t-test: It is a statistical hypothesis test used to show the significant difference between two sets of observations. We have performed two-sample unpaired t-test at the significance level of 5%. The results of t-test obtained for all the databases for genuine and imposter scores obtained using the proposed technique are shown in Table 4. In the t-test, if the value of |t − stat | is greater than the value of t − critical , then the null hypothesis is rejected, and it represents that the input samples are significantly different from each other. It is clearly seen from Table 4 that for all the database, obtained value of |t − stat | is greater than the value of t − critical . This substantiates that the genuine and imposter distributions are well separated.

CONCLUSIONS
In a fingerprint-based biometric system, the security of a user template stored in the database is essential; otherwise, it can cause a privacy breach and provide unauthorized access to a biometric system. This paper has proposed a technique based on a non-invertible transformation to protect fingerprint templates. The transformation has been performed on the locations of the minutiae points in a fingerprint image by utilizing the values of a user keyset. The obtained transformed locations are stored in the database after performing a PCA-based alignment. The transformed locations of minutiae points are computed in such a way that it is computationally infeasible to compute the original location of minutiae points from the stored template even-though an intruder may have the user keyset values. The information of orientation at each minutia point is also not stored in the database, which makes it difficult to identify the ridge patterns. At the time of verification, the probe template has been computed using the same procedure followed during the enrollment. Thus, in the technique, matching is performed between the transformed template of minutiae points instead of the original minutiae locations. We have used FVC2000 DB2, FVC2002 DB1, FVC2002 DB2, FVC2002 DB3, FVC2002 DB4, FVC2004 DB1, and FVC2004 DB2 fingerprint databases to evaluate the performance of the proposed technique. We have used EER as a metric to evaluate the performance of the technique. Low EER value obtained for proposed technique as compared to other existing techniques shows the superiority of the technique. The results have been analysed considering four main aspects, namely, renewability, unlinkability, security, and performance. Statistical analysis of genuine and imposter score distributions has also been performed to show the well-separation of genuine and imposter scores. The overall analysis of the results shows the effectiveness of the proposed technique. In the future, the proposed technique can be extended to a multi-modal biometric authentication system. Further, it can be combined with a biometric cryptosystem to construct a hybrid system. The proposed technique utilizes 2D fingerprint images to compute the secured template. It can be further extended to contactless 3D fingerprint images.