1 Introduction

Biometric authentication systems are gaining high popularity and public acceptance due to a wide variety of uses. It includes identification, authentication, forensics, and access control. With the increase in usage, the number of threats and attacks like spoofing attacks, template thefts, etc. are also increasing. Thus, securing the biometric system itself is a challenge as biometric data for an individual is irreplaceable. If it is compromised, then it cannot be changed or replaced making its protection a very crucial task.

To overcome problems such as spoof attacks, poor input data quality, non-universality, etc. multimodal biometric systems came into existence [1]. Here, information from complementary and fairly independent modalities was fused to reach a final decision [2]. This fusion process may take place at the feature level, score level, decision level, sensor level, and rank level. In feature level fusion, extracted features from various biometric modalities are fused to generate a more discriminative feature. On the other hand, matching score values from multiple classifiers is combined in score level fusion [3]. At decision level fusion, results from different classifiers are combined together using methods like majority voting [2, 4]. Fusion at feature level generally provides better results as compared to other fusion techniques since the information available about biometric data is very high at this level [4, 5]. But to achieve fusion at feature level is strenuous as in many cases the features are not compatible. Generally, multimodal systems are very helpful in dealing with above-stated issues but no protection is available for biometric data itself in case of template hacking or database stealing. The security of biometric data should be of top priority as biometric information cannot be replaced easily. If biometric templates are stolen, the user’s identity is compromised for multiple applications and subject to cross-application attacks as well. Overall, it not only threatens the security, but it may also incur a significant financial or social loss. To resolve these issues, cancelable biometrics is widely used.

Cancelable biometric systems use a pseudo-biometric template instead of the original template for matching and verification purposes. These pseudo-templates are generated from original templates using various transformation mechanisms. For instance, in non-invertible geometric transformations, a feature domain transformation is applied using transformation techniques such as Cartesian, polar and functional transformation [6]. Random projection is also used as a non-invertible transformation [7, 8] wherein an extracted feature \(x \in F_n \) is projected to a random subspace \(Y \in F_n \times N\) with \(n<N\) and all element of y are independently realized from a random variable as \(z = Yx\) where z is random projection vector. A random convolution method was proposed in [9] to produce cancelable templates wherein a user-specific kernel is used to encrypt the biometric data. Bio-convolving is also a convolution-based approach for generating cancelable templates [10]. In this, biometric template was segmented into various sequences and a transformed sequence is generated using linear convolution. An extension of random projection is bio-hashing [11] wherein a bio-hash template was generated using a user-specific random number. Random permutation of features is also been used by many researchers for generating cancelable templates [12]. There are also various salting methods where a random pattern or noise is mixed with the original template. The techniques used for the cancelable biometric template must exhibit properties, viz. revocability, security, diversity, and accuracy. Recently, researchers are also working at hybrid methods where more than one technique is used to generate cancelable templates.

In the proposed work, a multimodal biometric system is introduced using two complementary biometric traits, viz. fingerprint and iris where complementary information is fused using feature-level fusion. The proposed system is highly secure as well as tolerant of template hacking by means of cancelable templates. Cancelable templates are generated using a novel transformation technique where the feature vectors from two modalities are used to generate abscissa and ordinate of a feature point. These feature points are orthogonally projected on a random plane generated using a user-specific key. The projected point is then transformed into a cylindrical coordinate system to receive \(\theta , \rho , z\) values. In the next step, \(\theta \) values for every feature point are combined together to generate a transformed template which is irreversible in nature. The proposed method is faster, cheaper and provides high performance. Also, the cancelable templates generated are non-invertible, revocable and diverse in nature. The proposed method is evaluated on multimodal chimeric datasets obtained from benchmarked images. A brief summary of the proposed work is discussed as follows:

  • A novel multimodal biometric system using two complementary features, namely fingerprint and iris is proposed. A cancelable biometric template feature is generated by combining the information from these traits.

  • Cancelable biometric templates are generated from the feature vectors of the modalities using a user-specific random key set. Here, the feature points from the corresponding feature vectors used as abscissa and ordinate are projected on a random plane that is generated using a user-specific random key set.

  • The point of projection on a random plane is transformed into a cylindrical coordinate system to generate \(r, \theta , z\) values. A different plane is generated for each feature point to generate unique points of projection. From every point, \(\theta \) values are combined together to generate cancelable template.

  • The proposed method is evaluated over three multimodal chimeric datasets created using benchmarked images. The results reveals high performance, high privacy, high security and low error rate compared to state-of-the-art techniques.

The rest of the manuscript is arranged in the following manner: In Sect. 2, various state-of-the-art methods for generating cancelable templates and feature-fusion techniques are discussed and compared. In Sect. 3, details of the proposed biometric system are discussed at length. Section 4 contains the experimental validation, database design and performance analysis of the proposed method. Finally, Sect. 5 contains the conclusion and future scope of the work done.

2 Related work

Cancelable biometrics is used to protect templates by performing the matching and storage in a different domain [13]. Generally, in the case of template stealing, the stolen template is revoked and an entirely different template is created by altering the key. Thus, it fulfills the necessary requirements for template protections, namely revocability, non-invertibility, diversity and accuracy [13, 14]. Transformation performed on biometric data can be mainly classified as non-invertible transforms and biometric salting. Biometric salting can be additionally classified as projection-based transformations, noise-based transformation, and convolution-based transformation.

Transformations based on random projection projects biometric data to a random sub-space using various transformation techniques. The most popular technique in this category is bio-hashing [11] which projects the features into the orthonormal sub-space. It provides good discrimination capability and high performance. However, this method suffers from the problem of irreversibility if both template and transformation matrix are compromised. In [15], authors proposed an extension of the bio-hash technique to address the issue of stolen-token scenarios. In this, the authors used a novel multi-state discretization technique instead of a simple threshold scheme. Pillai et al. proposed a new variant of random projection, namely Sectored random projection [7] technique where the biometric feature is segmented into various sectors, then on each sector, the random projection is applied and concatenation was performed to generate the cancelable template. This method not only caters to the issue of useful iris area reduction, but it is also robust to common iris outliers. To improve non-invertibility, Teoh et al. [16] introduced a novel technique, random multi-space quantization (RMQ), wherein the biometric feature vector was mapped with a sequence of random sub-spaces using a pseudo-random sequence. In the second step, quantization was performed based on a threshold value. Teoh et al. also proposed a multi-space random projections technique [17] which is a two-factor cancelable formulation and feature vector obtained from biometric modalities is projected to multiple random subspaces based on a user-specific pseudo-random number. Wang et al. proposed a random projection with vector translation method [18] for cancelable biometrics wherein biometric data was projected using a Gaussian random variable. Also, Paul et al. [19] proposed a random cross-folding method using random projection and selection to create cancelable templates. In order to make it a user-dependent dynamic process, Yang et al. proposed a nonlinear projection process in which the projection vector was dynamically decided by feature vector itself [20]. In general, most of the projection techniques discussed are vulnerable to attacks such as inverse operations if both templates and transformation matrix are stolen [21]. Accordingly, researchers have proposed other methods like random convolution transformations for generating cancelable templates.

In random convolution (RC) based transformations, cancelable templates are generated by convolving the biometric feature using a random kernel. Savvides et al. [9] used minimum average correlation energy (MACE) filters as a convolution method to generate cancelable templates. In [22], authors used the concept of locality sensitive hashing to generate secure, cancelable iris features. Maiorana et al. proposed a bio-convolving technique where a set of non-invertible transformations were performed on sequence-based biometric representation [10]. But if kernel used for transformation is known, it can be vulnerable to inverse attacks. To overcome this issue, an algorithm using curtailed circular convolution was proposed [23]. The algorithm convolved input binary features in a circular manner using random binary strings imparting non-invertibility. In [24], the authors used the quality of fingerprint features to determine the presence of live fingerprint. Similarly, Ali et al. [25] used a user key set to modify minutiae information from fingerprint to produce cancelable templates. Further, Trivedi et al. [26] used a binary user key on fingerprint modality to generate cancelable templates. On the other hand, Wu et al. [27] presented ECG as a biometric and generated revocable templates using signal subspace collapsing. The cancelable biometrics is also widely used with multimodal biometric systems to remove various limitations imposed by unimodal systems.

Rathgeb and Busch used adaptive bloom filters to transform iris feature for both eyes of a single subject and fused them at feature level [28]. This method provided improved performance but vulnerable to template linking. A random permutation principal component analysis (RP-PCA) method was introduced by Kumar et al. [29] to generate cancelable biometric using face, iris, and ear modality. The accuracy of the system was unaffected, and the robustness of the system was improved. Also, Dwivedi and Dey [30] created a hybrid scheme for a cancelable multi-biometric system combining mean-closure weighting (MCW) with Dempster-Shafer (DS) theory. This scheme showed robustness against score variability and considerable performance improvement over uni-modal counterparts. Similarly, Walia et al. [31] proposed a cancelable biometric system by performing cross-diffusion of graphs. Later, PCR-6 was used to fuse belief masses from individual classifiers. Experimental results demonstrated better performance than many existing techniques. Kaur and Khanna [32] proposed a novel random distance technique for transformation in a multi-biometric scenario using face, palmprint, and finger-vein as input modalities. Similarly, walia et al. [33] used key images to generate cancelable features and dimension reduction. A multifold random projection was introduced by Paul and Gavrilova [34] for a multimodal biometric system with improved recognition performance. Chin et al. [35] proposed a template protection scheme wherein original fingerprint and palmprint templates were arranged in random rectangles using user-specific keys. Later, statistical features were extracted and fused at the feature level to generate cancelable templates. Similarly, Gomez-Barrero et al. [36] used bloom filters on face-finger vein and face-iris to generate protected templates and a weighted feature level fusion was performed to generate the multimodal cancelable template. With increasing attacks on biometric systems, detection of fake biometric is equally important as the protection of biometric data.

Recently, deep learning methods are widely used for feature representation. For instance, Essam et al. [37] identified various regions in face image using multiple CNNs. Later, bio-convolving encryption was used to generate cancelable templates. Also, Das et al. [38] proposed a finger-vein identification method based on deep learning. Similarly, in [39], a novel architecture ScoreNet was introduced for unconstrained ear recognition wherein deep learning and hand-crafted methods were used together. Further, Liu et al. [40] presented a detailed discussion about various deep learning methods for feature representation.

Based on the above discussion, it is evident that securing biometric systems from various attacks should be of top priority. Accordingly, a multimodal biometric system with cancelable templates and liveness detection is proposed in this manuscript which complements the advantages of various techniques and improves the overall performance of the biometric system. A detailed explanation of the proposed methodology is provided in the next section.

3 Proposed multimodal cancelable biometric system

Figure 1 represents the architecture of the proposed system. In this, a cancelable template is generated for Iris(i) and Fingerprint(p) features using the proposed technique with user-specific keys.

Fig. 1
figure 1

Overview of the proposed cancelable template generation scheme. Extracted features from the input query image are projected onto a plane obtained using a user-specific key. The points of projection are transformed into cylindrical coordinates to generate cancelable templates. These are compared with stored templates to evaluate similarity score to reach a final decision

Full size image

The proposed cancelable biometric system takes two biometric modalities, viz. iris and fingerprint and feature vectors are extracted. For extracting features from iris modality, image pre-processing combined with local binary pattern (LBP) [41] is performed [42]. LBP not only provides low computation but also immune to changes in image grey levels. For fingerprint modality, the input query image is preprocessed by performing binarization and thinning operations. Next, feature extraction is performed to generate minutiae-based features from the input image.

Feature points at ith position of the iris feature vector is considered as abscissa and fingerprint feature as ordinate. Combining them together, a point \((\chi _i,\psi _i)\) is defined in a cartesian coordinate system. Each point thus obtained is projected onto a plane corresponding to each feature point obtained using a user-specific key. The points of projection thus obtained are transformed into a cylindrical space to obtain corresponding feature points. The azimuth values are considered for generating cancelable templates so as to achieve non-invertibility. A similarity score is calculated by matching the generated feature with the stored templates in the database. Finally, the match score is compared with an optimal threshold value to reach a final decision. The proposed system is non-invertible in nature as only the azimuth values are considered for generating the cancelable templates. The in-depth details of the proposed system are presented in the next subsection.

3.1 Multimodal feature extraction

Biometric modalities, viz. iris and fingerprint are processed using feature extraction techniques to determine individual feature vectors. For fingerprint features are extracted using a minutiae-based technique which is widely used by researchers [43, 44] as it provides low complexity with high performance. For this, first of all, binarization and thinning operations are performed as a pre-processing step on input query fingerprint image \(I^{f}\). Binarization operation helps in increasing the contrast between ridges and valleys as shown in Eq. 1

$$\begin{aligned} B\left( x,y\right) =\left\{ \begin{array}{c} 1,\ \ \\ 0, \end{array} \ \ \ \ \ \ \ \ \ \ \begin{array}{c} \mathrm{if}\ I\left( x,y\right) \ge \ h \\ \mathrm{otherwise} \end{array} \right\} \ \ \end{aligned}$$
(1)

where \(I\left( x,y\right) \) shows intensity value at pixel position \(\left( m,n\right) \) and h represents the value of threshold. Also, a thinning operation is used to reduce ridges to the unit-pixel thickness and is carried out using in-built morphological functions in the MATLAB platform on binary images. Rutovitz crossing number (CN) is computed by locating the minutiae over the thinned image using a sliding window of size \(3\times 3\) in an anti-clockwise manner [44]. The CN defines the minutia type and is calculated using Eq. 2

$$\begin{aligned} \mathrm{CN}=\ \frac{1}{2}\sum ^8_{k=1}{|p_k-p_{k-1}|} \end{aligned}$$
(2)

where \(p_k\) is the pixel values of immediate neighbors for pixel k. The value of CN is used to classify ridge pixel as isolated, continuing, ending, crossing point and bifurcation. Further, minutia is represented as a vector \(m=[x,y,\mathrm{CN},\theta ]\) having \(\left( x,y\right) \) as the pixel coordinates and \(\theta \) as angle of orientation. For input fingerprint query image \(I^{f}\), an extracted feature vector, \({\ \eta }^{f}\) is created by combining n minutiae using Eq. 3

$$\begin{aligned} {\eta }^{f}=[m_1,m_2,\dots m_n] \end{aligned}$$
(3)

For iris feature extraction, input iris image \(I_i\) is pre-processed involving localization and normalization processes. In the first step, an integro-differential operator is used for localizing iris and pupillary boundaries. In the second step, Daugman’s rubber sheet model [45] is used to normalize the localized iris into a fixed-sized rectangular block. Further, the processed image is quantified using the histogram of LBP. From LBP histogram values \(l_1, l_2 \dots l_n \) , feature vector for iris \(\eta ^i\) is generated using Eq. 4

$$\begin{aligned} \eta ^i = { (l_1, l_2 \dots \dots l_n)} \end{aligned}$$
(4)

This creates a unique pattern, generating iris feature \({\eta }^{i}\). The extracted feature vectors \({\eta }^{i}\) and \({\eta }^{f}\) are fused together using the proposed method to generate a cancelable feature which is discussed in the next subsection.

3.2 Proposed multimodal feature fusion

The fusion process is very important in a multimodal biometric system for making a decision. Here, we have proposed a feature level fusion method with template protection. The proposed method generates a cancelable template which is revocable, non-invertible and robust to various types of attacks such that true biometric feature will not be revealed to the attacker. Every user is provided with a complex unique key (\(\kappa ^k\)), where \(k \in [1, N]\) used to create random 3-D planes as shown in Eq. 5.

$$\begin{aligned} \kappa ^k = \begin{bmatrix} \kappa _{\alpha 1}^k &{}\quad \kappa _{\beta 1}^k &{}\quad \kappa _{\gamma 1}^k &{}\quad \kappa _{\delta 1}^k \\ \kappa _{\alpha 2}^k &{}\quad \kappa _{\beta 2}^k &{}\quad \kappa _{\gamma 2}^k &{}\quad \kappa _{\delta 2}^k \\ . &{}\quad . &{}\quad .&{}\quad . \\ \kappa _{\alpha n}^k &{}\quad \kappa _{\beta n}^k &{}\quad \kappa _{\gamma n}^k &{}\quad \kappa _{\delta n}^k \\ \end{bmatrix} \end{aligned}$$
(5)

Here, k represents the kth user. The length of the key is equivalent to the length of feature vectors and consists of n rows containing 4 co-efficient values namely \(\kappa _{\alpha i}^k\), \(\kappa _{\beta i}^k\), \(\kappa _{\gamma i}^k\), and \(\kappa _{\delta i}^k\) where \(i \in [1,n]\) and having values randomly distributed in the range \([-1000, 1000]\). The user key is used to generate a random plane defined using Eq. 6 for each feature point as shown above in Fig. 1

$$\begin{aligned} \kappa _{\alpha i} x+\kappa _{\beta i} y+\kappa _{\gamma i} z=\kappa _{\delta i} \end{aligned}$$
(6)

where \(i \in [1,n]\). The random planes generated using user-specific keys are used in combining multiple features using the proposed approach. In this, feature vectors obtained during the feature extraction process are fused together by means of the proposed projection-based approach. Each feature point of the iris feature vector is considered as abscissa and each feature point of the fingerprint feature vector is considered as ordinate in a cartesian coordinate system. In case of different feature size, padding can be used so that every feature vector contain an equal number of feature points. Moreover, the abscissa and ordinates at the corresponding positions are combined to describe a point(Q) \((\chi ,\psi )\) such that any user can be defined as in Eq. 7.

$$\begin{aligned} \upsilon = \begin{bmatrix} (\chi _1,\psi _1) &{} (\chi _2,\psi _2) &{} (\chi _3,\psi _3) &{} . &{} . &{} (\chi _n,\psi _n) \\ \end{bmatrix} \end{aligned}$$
(7)

For simplicity, the above equation can also be represented as shown in Eq. 8

$$\begin{aligned} \upsilon = \begin{bmatrix} Q_1 &{} Q_2 &{} Q_3 &{} . &{} . &{} Q_n \\ \end{bmatrix} \end{aligned}$$
(8)

Also, as discussed above, each user is provided with a unique user-specific key (\(\kappa ^k\)) of dimension \(4 \times n\). The key is used to create a different random plane corresponding to each point Q. Further, an orthogonal projection is performed from each of these points(Q) on the corresponding plane and point of projection(P) is obtained as shown in Fig. 2

Fig. 2
figure 2

Projection of feature points on random planes

Full size image

For \(k^P\)th user, each orthogonal projection from point \(Q_i^k(\chi ,\psi )\) on the random planes obtained using key \(\kappa ^k\) generates a point \(P_i^k(\phi _x,\phi _y,\phi _z)\) as in Eq. 9.

$$\begin{aligned} \begin{bmatrix} P_1^k &{}\quad P_2^k &{}\quad . &{}\quad . &{}\quad P_n^k \\ \end{bmatrix} = \begin{bmatrix} (Q_1^k &{}\quad Q_2^k &{}\quad . &{}\quad . &{}\quad Q_n^k \\ \end{bmatrix} \begin{bmatrix} \kappa _{\alpha 1}^k &{}\quad \kappa _{\beta 1}^k &{}\quad \kappa _{\gamma 1}^k &{}\quad \kappa _{\delta 1}^k \\ \kappa _{\alpha 2}^k &{}\quad \kappa _{\beta 2}^k &{}\quad \kappa _{\gamma 2}^k &{}\quad \kappa _{\delta 2}^k \\ . &{}\quad . &{}\quad .&{}\quad . \\ \kappa _{\alpha n}^k &{}\quad \kappa _{\beta n}^k &{}\quad \kappa _{\gamma n}^k &{}\quad \kappa _{\delta n}^k \\ \end{bmatrix} \end{aligned}$$
(9)

In the next step, each point of projection \((P_i^k)\) is transformed into cylindrical co-ordinates using a function f defined as in Eq. 10

$$\begin{aligned} P_i^k(\theta , \rho , z) = f (P_i^k(\phi _x, \phi _y, \phi _z)) \end{aligned}$$
(10)

where \(\rho \) and \(\theta \) are determined using Eqs. 11 and  12, respectively.

$$\begin{aligned} \rho = \sqrt{{\phi _x}^2 +{\phi _y}^2} \end{aligned}$$
(11)
$$\begin{aligned} \theta = \tan ^{-1}\frac{\phi _y}{\phi _x} \end{aligned}$$
(12)

In the cylindrical coordinate system, point P is represented as \(\theta , \rho , z\). In the last step, the azimuth(\(\theta \)) values corresponding to each point of projection(\(P_i^k\)) for kth user, are concatenated together to generate a fused vector \(\zeta ^k\) that is cancelable and non-invertible in nature as shown in Eq. 13.

$$\begin{aligned} \zeta ^k = (\theta _1,\theta _2,\theta _3,\ldots \theta _n) \end{aligned}$$
(13)

The purpose of conversion to a 3D cylindrical coordinate system is to provide a higher dropout ratio as compared to the 2D coordinate system. Since only azimuth values are used to generate the cancelable template, a dropout ratio of 66.6% is achieved. On the other hand, a 2D point of projection would have led to a dropout ratio of 50% only. Further, in case of template theft, if azimuth (\(\theta \)) values are compromised, it will lead to ambiguous values of \(\phi _x\) and \(\phi _y\) as evident from equation 12 and original feature points will not be exposed. Thus, the generated template is highly non-invertible and robust against theft. Also, the feature vectors from both Iris and Fingerprint modality of dimension \(1 \times n\) are combined and converted into a single vector of dimension \(1 \times n\). The cancelable feature obtained is compared with the stored templates to generate a final match score (S). The final decision is performed based on an optimal threshold value (\(\tau \)), if the match score (S) is greater than \(\tau \), then it is considered as Genuine else imposter. The next section provides details of the experimental validation of the proposed method.

4 Experimental validation

The experimental validation of the proposed multimodal biometric system is performed over three multimodal chimeric databases. During privacy analysis, the proposed system is analyzed for unlinkability, non-invertibility, and revocability. Also, the system is analyzed for various attacks like record multiplicity, substitution, and brute force attacks to establish the robustness of the system. On the other hand, various performance metrics like equal error rate (EER), decidability index (DI), and recognition index (RI) are determined to estimate the system’s performance. Also, the proposed system’s performance is compared with other state-of-the-art methods.

4.1 Database and experimental design

The multimodal datasets are obtained using images from various benchmark datasets for experimental validation. Here, the Chimeric datasets are created by uniquely combining benchmark datasets, namely MCYT bimodal database [46], IITD PolyU iris database [47], Casia iris database (Casia-IrisV1, http://biometrics.idealtest.org/), FVC2006 DB1-A fingerprint database [48], and MMU2 iris database [49]. Sample images from the mentioned benchmarked datasets are shown in Fig. 3.

Fig. 3
figure 3

Sample multimodal database images from the benchmark datasets

Full size image

MCYT fingerprint database contains images captured using two different sensors, namely CMOS-based device and an optical capture device. For every finger, 12 samples are taken with both sensors from 330 subjects. The resolution of image samples is \(300\times 300\) and \(256\times 400\) for sensors 1 and 2, respectively. FVC2006 DB1-A is obtained using an electric Field sensor having an image resolution of 250 dpi. It contains 12 fingerprint samples from 140 subjects. All acquired samples are 256 gray-levels fingerprint images in BMP format. The IITD PolyU iris database contains 5 eye images of both eyes from 224 subjects. The images are captured using a digital CMOS camera of size \(320 \times 240\) pixels. Casia IrisV1 database consists of a total of 756 iris images obtained from 108 subjects. All sample images have a resolution of \(320\times 280\) and are in BMP format. MMU2 Iris database contains 995 iris images from 100 volunteers having resolution \(320\times 238\) in BMP format.

The experimental validation is performed on three chimeric datasets namely D1, D2, and D3. D1 contains fingerprint samples of N different subjects from the MCYT database (sensor 1) and IITD iris PolyU database. Thus, a virtual multimodal dataset is created for N subjects by combining the above-mentioned datasets. Similarly, D2 is created by combining N distinct subjects from the MCYT database (sensor 2) and the Casia Iris-V1 database. Also, the D3 dataset is obtained by combining N distinct subjects from the MMU2 iris database and the FVC2006 DB1-A database. Further, all the subjects in D1, D2, and D3 databases are completely different. In addition, fivefold cross-validation is carried out to obtain balanced results. The proposed system is implemented over a hardware configuration of the Intel i3 processor and 4GB RAM using the MATLAB 2018a platform. The performance analysis of the proposed system is discussed in the next section.

4.2 Performance analysis

The proposed system’s performance is quantitatively analyzed by means of various performance metrics, namely decidability index (DI), equal error rate (EER), and recognition index (RI). Also, the results thus obtained are compared with other state-of-the-art techniques. During this process, the same techniques for generic feature extraction and score calculation are used for evaluating other methods.

4.2.1 Performance metrics

The difference between the imposter and genuine scores is quantified using decidability index (DI) and is calculated using Eq. 14

$$\begin{aligned} \mathrm{DI}=\frac{|\mu _g-\mu _i|}{\sqrt{({\sigma }^2_g-{\sigma }^2_i})/2} \end{aligned}$$
(14)

Here, \(\mu _{g}\), \(\mu _{i}\) denotes the mean values, and \(\sigma _{g}\) and \(\sigma _{i}\) denotes the standard deviation values of score distributions for genuine and imposter, respectively. A high decidability index value suggests a higher ability of the classifier to separate genuine from imposters. Values of decidability index are shown in Table 1 for individual and proposed classifier over chimeric datasets D1, D2, and D3. Equal error rate (EER) is calculated by plotting ROC curves wherein the false acceptance rate (FAR) is plotted against the genuine acceptance rate (GAR). It provides the measure of the accuracy of the proposed biometric system. Recognition index (RI) provides the recognition rate at rank-1 and used for performance evaluation. Cumulative matching characteristics (CMC) curves show the relationship between rank and the recognition rate.

4.2.2 Accuracy analysis

The accuracy of the proposed system is analyzed and compared with state-of-the-art techniques using performance metrics, namely EER, DI, and RI. The performance metric values for various methods viz. Random distance method (RDM) [32], bloom filters [36] and enhanced partial discrete Fourier transform (EP-DFT) [50] are compared with the proposed method in Table 1.

Table 1 Comparison of EER, DI, and RI values for D1, D2 and D3 databases
Full size table

The EER value for the proposed score level fusion method is 0.005 for the D1 database, 0.003 for the D2 database and 0.004 for the D3 database which is lowest in comparison with other state-of-the-art methods. The efficiency of the proposed system is also depicted by a high decidability value of 22.14 for the D1 database, 18.45 for the D2 database and 9.71 for the D3 database and supported by ROC and CMC curves in Figs. 4 and 5, respectively. The variation among EER values is due to the use of different datasets and fivefold cross-validation.

Fig. 4
figure 4

Performance comparision of evaluated methods: ROC curves for D1, D2 and D3 database. a ROC curves for various cancelable biometric techniques over Database D1. b ROC curves for various cancelable biometric techniques over Database D2. c ROC curves for various cancelable biometric techniques over Database D3

Full size image
Fig. 5
figure 5

CMC curves for D1, D2 and D3 databases. a Comparison of CMC curves of various cancelable biometric techniques over Database D1. b Comparison of CMC curves of various cancelable biometric techniques over Database D2. c Comparison of CMC curves of various cancelable biometric techniques over Database D3

Full size image

Accuracy analysis reveals that the limitations of individual classifiers were effectively addressed by the proposed fusion method providing higher accuracy and more reliable results. The proposed system also improves the privacy of every user making it robust against various issues like template thefts and safeguarding the identity of every user which is also discussed in the next subsection.

4.3 Privacy analysis

The performance analysis confirms the high accuracy of the proposed system by means of various performance metrics. The proposed biometric system also ensures user privacy by exhibiting the properties like non-invertibility, revocability, and unlinkability.

4.3.1 Non-invertibility

In order to fulfill the criteria of non-invertibility, it must be infeasible to create the original biometric traits even if the key and the transformed template both are compromised. In a situation when both user-specific key and transformed templates are stolen, non-invertibility in the proposed method is achieved by choosing only the azimuth(\(\theta \)) values during the generation of cancelable templates. Since 67% of the information is discarded, it is not possible to trace back to the original points of projection. Even if points of projection are estimated, it is impossible to find the actual source of projection as there can be infinite points over that line connecting the feature point, Q and projected point on the plane, P. Thus, the proposed method exhibits non-invertibility of biometric templates.

4.3.2 Revocability

For a cancelable biometric system, if the stored templates are stolen, then they are discarded and new templates are generated using a new set of keys. Revocability states that templates generated from the same features should not be correlated. The revocability test is performed to measure the difference between the newly generated template and the old template. In order to check the revocability of the proposed system, 100 different keys were used to obtain 100 transformed templates. Every new user-specific key generates a different random plane and hence different templates. The distribution of imposter vs pseudo-imposter is shown in Fig. 6 which shows that the pseudo-imposter distribution is very similar to imposter distribution. It shows that there is no correlation between the old and new transformed templates. This suggests that transformed templates are treated as different individuals but they were created from the biometric features of the same subject. Thus, the revocability analysis shows that the stolen template can be easily replaced by a new template by using a different set of keys in the proposed system.

Fig. 6
figure 6

Comparision of genuine, imposter and pseudo-imposter distribution for a D1 Database and b D2 Database

Full size image

4.3.3 Unlinkability

Unlinkability states that multiple biometric templates of a single subject must be unlinkable provided different keys are used. This secures the identity of the subject when it is enrolled in multiple applications. In order to analyze unlinkability, the procedure described in [51] is adopted. For this, pseudo-genuine scores are introduced which refers to the match scores between the different templates of the same user by using different user-specific keys. Also, the pseudo-imposter scores are also calculated between different templates generated using a different user-specific key. In this scenario, if we plot the pseudo-imposter and pseudo-genuine distribution, the overlapping nature of both the distribution suggests that the templates generated from the same or different users are indistinct in nature which is also evident from Fig. 7. On the other hand, if pseudo-genuine and pseudo-imposter distributions are separated, it will be easier to identify the templates from the same user. The struggle in differentiating the templates leads to the unlinkability of the system.

Fig. 7
figure 7

Comparision of pseudo-genuine and pseudo-imposter distribution for a D1 Database and b D2 Database

Full size image

Privacy analysis clearly indicates that the proposed system preserves the privacy of each user by means of revocability, unlinkability, and non-invertibility. The complementary traits are fused together generating a cancelable template making system highly secure and robust against various attacks which are discussed in the next subsection.

4.4 Security analysis

The security of the biometric system is of utmost priority. No adversary, in any case, may be able to break through the system as it will arise many security problems. The proposed biometric system is also analyzed against many such attacks.

4.4.1 Brute force attack

Brute Force attack assumes that the adversary possesses no previous knowledge about the transformed or the original biometric feature. Each possible combination is used to generate and match a transformed template. In the worst-case scenario, let us assume the intruder knows the length of the template and the maximum value and the minimum value of the transformed template. In the proposed approach, the maximum and minimum values of template elements are -3.14165834 and 3.14165834 in DB1 with a precision of each element set to 8 decimal digits which amount to a total of \(2^{29}\) possibilities for each element in the template. Hence, to generate a template it would require an exceptionally high brute force effort which makes it computationally infeasible.

4.4.2 Attacks via record multiplicity

During attacks via record multiplicity (ARM), the adversary possesses multiple transformed templates of the same user and tries to establish a connection so as to develop an image of the original biometric trait. For example, let us take two transformed templates T1 and T2 created using a different key for the same user. Also, during privacy analysis, unlinkability between these templates was proven experimentally. Further, the ith value of T1 depends upon the point of projection \(P_1\) and it cannot be connected to ith value of T2 as it depends upon its points of projection \(P_2\).\(P_1\) and \(P_2\) will always be different as different keys are chosen. Therefore, the attacker cannot mount ARM attack even after having different copies of transformed templates from the same user.

4.4.3 Blended substitution attacks

In the blended substitution, the attacker combines its data with user data in a single template. The blended template allows both users and attackers to authenticate against the same ID simultaneously. In the proposed approach, blended substitution is not feasible since, with only half of the user or attacker’s attribute, the matching score would be rejected as an imposter for both user and attacker.

In sum, the proposed system is an accurate, highly robust and reliable solution that can be employed in critical applications. The generated cancelable templates are highly non-invertible, unlinkable and revocable and hence address privacy and security concerns.

5 Conclusion and future directions

In this paper, a multimodal biometric system is proposed that ensures not only high performance but also robustness to security and privacy concerns. The feature size is reduced to half thereby requiring low computational and space complexity. The security analysis of the proposed fusion mechanism shows that the approach is able to defend various attacks, thereby, assuring user-privacy and data-security. Moreover, the generated templates are highly revocable, thus can be regenerated in case the data gets compromised. Hence, the proposed approach can be deployed for biometric authentication in security-critical applications. Experimental analysis shows the effectiveness of the proposed method in comparison to state-of-the-art solutions. On average, the proposed fusion achieves DI of 16.63 and EER of 0.004.

In future, we will look forward to incorporate image quality as a reliability factor into the proposed cancelable biometric system. It will help in enhancing the adaptivity of the system so that it may address various other challenges like poor quality input images, improper sensor interaction, etc. The reliability factor can be learned over a time period by estimating image quality for specific users and can make the system highly reliable and robust. The work can also be extended to integrate different security levels in the proposed framework.