point of view, the authors recommend taking a large
number of chaff points. Yet, the authors do not re-
quire to always cover the entire remaining universe
U − x with chaff. Indeed, this is probably infeasi-
ble when dealing with larger universes. However, to
avoid the multiple-use attack as described here, the
entire remaining universe or ﬁxed part of it must be
covered by chaff. That is, R
(i)
x
=
U
′
for all i where
U
′
is a subset of
U (likely U
′
=
U ) that provides a large
number of polynomials that agree on t points and also
a computationally infeasible search space.
In (Boyen, 2004), Boyen considered the issues of
multiple uses of the same fuzzy secret in a general
fuzzy extractor scheme. Boyen pointed out that in the
security model of fuzzy extractors such issue must be
addressed and related security risks accounted for.
Dodis et al. in (Dodis et al., 2004; Dodis et al.,
2006) proposed a scheme that allows for securing bio-
metric feature vectors of type II. This scheme, called
PinSketch, relies on t-error correcting (BCH) code C.
In order to simplify description, let us assume H to be
a parity check matrix of the code C over some ﬁnite
ﬁeld
F . For a given feature vector x which belongs to
F
n
, the scheme computes output syn(x) = Hx, which
is referred to as the syndrome of vector x.
In the reconstruction phase, syn(y) is computed
for a given vector y. Let δ = syn(x) − syn(y). It is
easy to see that there exists at most one vector v such
that syn(v) = δ and weight(v) ≤ t. One of the nice fea-
tures of binary BCH codes is possibility of computing
supp(v) given syn(v) and vice versa, where supp(v)
represents the listing of positions where v has nonzero
coordinate. Computing of supp(v) for a given syn(v)
is the key step in the reconstruction phase. If a dis-
tance metric d(x, y) ≤ t then supp(v) = x△y, and in
that case the original set could be reconstructed by
x = y△supp(x). PinSketch is a secure sketch scheme
that supports biometrics feature vectors of type II.
2.3 Applicability Critique of Error
Correcting-based Schemes for Type
II Templates
From the mathematical point view, the most suitable
method for measuring similarity between two sets is
by their symmetric set difference. However, this quite
reasonable mathematical choice is often a limitation
for practical use. Let us try to illustrate this problem
in the case where it is needed to measure closeness
between two sets A and B that represent biometric
(ﬁngerprint) personal data, of not necessarily differ-
ent persons. This is an inevitable step in the process
of veriﬁcation or identiﬁcation. Reconstruction of A,
using similar set B will be successful if and only if
|A△B| ≤ t, where t is a given parameter that controls
the closeness between sets. It seems that error cor-
recting codes are a suitable choice for reconstructing
A from a noisy input B. Here, t is the error correcting
bound of the chosen code.
We argue that the use of error correcting codes and
consequently the Hamming distance as a measure of
similarity between type II feature vectors is not an ad-
equate choice. For instance, in the PinSketch scheme
(Dodis et al., 2006), templates are represented as char-
acteristic vectors with respect to universe
U . There-
fore, the symmetric difference is simply related to the
Hamming distance between characteristic vectors. In
a typical application of PinSketch, such as ﬁngerprint
identiﬁcation, the scheme has a substantial applica-
bility issue. The number of minutiae, according to
many statistical analyses of ﬁngerprints lies with high
probability in the interval between 20 and 80 (Amen-
gual et al., 1997). Thus, choice of the error correcting
bound t that is used in this scheme seems to be its
main shortcoming.
Considering that size of the universe is not large,
t must be chosen in a way not to compromise secu-
rity. For instance, if a template set is of size 15, then
setting t > 12 would not be an adequate choice, since
an adversary could test all elements or 2-subsets of
the universe (which is feasible for a universe of ﬁn-
gerprint minutiae) and use error correction to obtain
the template set. On the other hand t must be set to
provide proper authentication. Due to imperfections
in the template extraction it is common to have spuri-
ous minutiae and some real minutiae that are not rec-
ognized. Thus, symmetric difference between newly
presented and stored template could became relatively
large, yet the intersection could still be large enough
for authentication of B as A with high conﬁdence. For
example, suppose |A| = 20 and |
U | ≈ 10
6
with pos-
sibly nonuniform distribution. Therefore, t could be
at most 17. If we accept twelve point matching rule
as valid, and if |B| = 22 and |A∩ B| = 12 then B will
not be authenticated as A although intersection is large
enough to conﬁrm the identity. Even if do not accept
twelve point matching rule, it is possible to construct
many examples where symmetric difference does not
appear as an adequate choice for similarity measure.
In most minutia-based authentication systems similar-
ity is measured using the number of points that agree
in the best possible alignment of two sets of minu-
tiae using translation, rotation and potentially scaling.
Therefore, the set intersection is a more appropriate
similarity measure in practice.
The authors of fuzzy vault (Juels and Sudan, 2002;
Juels and Sudan, 2006) indicated that the scheme is
applicable to feature vectors with ﬁxed size and vari-
SECRYPT 2007 - International Conference on Security and Cryptography
28