Preimage Attack on BioHashing

Patrick Lacharme, Estelle Cherrier, Christophe Rosenberger


Biometric recognition is increasingly employed for authentication and access control in various applications. Biometric data are strongly linked to the user and, without suitable post-processing, allow neither revocability nor diversity. Cancelable biometrics, including the very popular BioHashing algorithm, is used to cope with the underlying privacy and security issues. The principle is to transform a biometric template into a BioCode in order to enhance user privacy and application security. These schemes are used for template protection of several biometric modalities, such as fingerprints or face, and their robustness is generally related to how hard it is for an impostor to recover the original biometric template. In this paper, we propose to use genetic algorithms to approximate the original biometric feature and spoof the authentication system. We show through experimental results on fingerprints the efficiency of the proposed attack on the BioHashing algorithm, by approximating the original FingerCode, given the seed and the corresponding BioCode.



Paper Citation

in Harvard Style

Lacharme P., Cherrier E. and Rosenberger C. (2013). Preimage Attack on BioHashing. In Proceedings of the 10th International Conference on Security and Cryptography - Volume 1: SECRYPT, (ICETE 2013) ISBN 978-989-8565-73-0, pages 363-370. DOI: 10.5220/0004524103630370
