Biometric Template Protection for Dynamic Touch Gestures Based on Fuzzy Commitment Scheme and Deep Learning

Abstract

Privacy plays an important role in biometric authentication systems. Touch authentication systems have been widely used since touch devices reached their current level of development. In this work, a fuzzy commitment scheme (FCS) is proposed based on deep learning (DL) to protect the touch-gesture template in a touch authentication system. The binary Bose–Ray-Chaudhuri code (BCH) is used with FCS to deal with touch variations. The BCH code is described by the triplet (n, k, t) where n denotes the code word’s length, k denotes the length of the key and t denotes error-correction capability. In our proposed system, the system performance is investigated using different lengths k. The learning-based approach is applied to extract touch features from raw touch data, as the recurrent neural network (RNN) is used based on a convolutional neural network (CNN). The proposed system has been evaluated on two different touch datasets: the Touchalytics dataset and BioIdent dataset. The best results obtained were with a key length k = 99 and n = 255; the false accept rate (FAR) was 0.00 and false reject rate (FRR) was 0.5854 for the Touchalytics dataset, while the FAR was 0.00 and FRR was 0.5399 with the BioIdent dataset. The FCS shows its effectiveness in dynamic authentication systems, as good results are obtained and compared with other works.

1. Introduction

A biometric authentication system is a system that uses a user’s biometric data to identify them. Despite all biometrics authentication systems’ advantages, one of their main challenges is the biometric data template, which suffers from security breaches and is vulnerable to attacks. Additionally, it is difficult to exchange a user’s biometric data that has been stolen [1,2]. For these reasons, protecting the biometric template is important in order to increase the security level of biometric authentication systems [3,4]. Template protection encrypts the biometric data before it is stored in the database [5,6].

A considerable amount of work has been focused on biometric template protection, such as biometric cryptosystems and feature transformation schemes. A biometric cryptosystem is a system that creates biometric cryptographic keys (BCKs) and combines these keys with user’s biometrics in order to increase the security level and keep the user’s information safe from identity theft [7,8]. There are two kinds of biometric cryptosystem: key binding and key generation schemes. The key binding scheme uses ‘binding’ techniques to bind the biometric template to a key. The binding process is achieved by applying cryptographic algorithms [9]. In contrast, key generation schemes generate the cryptographic key or hash immediately from entered biometric data and encrypt the biometric data using this key [8]. The feature transformation template protection transforms the biometric template into binary form using either the bio-hashing or non-invertible technique.

Most of these template protection techniques are based on physical biometrics, such as the face [10], iris [11], or fingerprint [12,13]. A few focused on behavioral biometrics, such as gait [14,15], speech [16], and touch stroke [17].

Nowadays, with the spread of the technology and due to the presence of several important uses for mobile devices (including entering confidential data, dealing with banks, and purchasing via the internet [18]), there is an urgent need to protect these devices and thus protect user’s data. Most of the devices have touch screen technology, which is considered the main interface for various use cases ranging from smartphones to big touch tables [19]. Thus, the most dominant behavioral biometric use in these devices is touch gesture [7]. Many works have been proposed to authenticate the user based on their touch behavior. However, these systems store the touch-gesture template without template protection.

The main goal of this research is to propose the use of a touch-gesture behavioral biometric with a fuzzy commitment scheme (FCS) biometric cryptosystem in order to increase the security level of touch-based devices.

The main contributions of this work are as follows:

• Employing a learning-based approach for feature extraction in a touch authentication system.
• Appling FCS to secure a touch-gesture template and store helper data rather than the touch-gesture template. To the best of our knowledge, this is the first work to apply FCS to secure touch gestures in a touch authentication system and use deep learning (DL) to extract touch features from raw data.

This paper is organized as follows. Section 2 provides a background on biometric template protection. Section 3 introduces the related works on biometric template protection, either for physical or behavioral biometrics. Section 4 provides a proposed system of template protection for touch authentication systems. Section 5 highlights the experiments and results. The conclusion and feature work are shown in Section 6.

2. Background on Biometric Template Protection

There are three types of biometric template protection: biometric cryptosystems [3], feature-transformation-based schemes, and hybrid approaches [2].

A biometric cryptosystem is a system that is used to protect the biometric template by combining a cryptography key with the biometrics template [20,21]. In this system, neither the biometric data nor the key is stored in the database. Instead, the system stores helper data, which comes from combining the key with the biometric template [4,22]. Furthermore, the helper data does not contain any information about biometric data or the key. The helper data is used to retrieve the key when the genuine biometric data is given [22].

Mainly, biometric cryptosystems have been classified into key binding and key generation schemes. In the key binding approach, the key is generated and bound with biometric data [7,23] to produce helper data, which is then stored in the database. For the key binding approach, the key is independently generated from biometric data. In the authentication phase, the key will be released if there is a match between the two sets of biometric data. In this approach, an error-correction code (ECC) is used to deal with biometric data variations. There are two well-known methods proposed in the key binding approach: fuzzy commitment and fuzzy vault [23]. Fuzzy commitment schemes are one of the earliest methods of binding biometrics and user keys. To commit (bind) a binary key k, a codeword C is generated based on K using a predefined ECC. The ultimate commitment will be (h(C), BC), where B is a biometric binary template and h is a cryptographic hash function. To de-commit a commitment, an individual must provide a fresh biometric sample B0 that is close enough to B. Then, h(C) is used to verify that the right key is released [4,7]. The fuzzy vault approach is used to project a biometric feature onto a polynomial whose coefficients are encoded by a selected binary key. It conceals these genuine points within a set of chaff points that do not lie on the polynomial. The binary key can only be recovered for positive verification if the polynomial can be reconstructed by identifying sufficient points in another point set [4].

In the key generation approach, the helper data is first generated from a biometric template, then the cryptographic key is generated from the helper data. This approach is a fuzzy extractor scheme (secure sketch (SS) with strong randomness extractors) that operates in the Hamming domain, which converts nonuniform binary biometric inputs into stable binary strings; these strings can be used as encryption keys for subsequent cryptographic applications [4].

In the feature transformation scheme, the features template is transformed into a new template [2]. There are two main approaches to feature transformation: bio-hashing and non-invertible transform. In the bio-hashing approach, a biometric template is transformed into a binary code by code by projection the feature vector with transformation matrix using binary key, then thresholds the individual elements [2]. The non-invertible transform approach is used to preserve the biometric template’s confidentiality. In this approach, a cancellable template is generated from a biometric template such that it does not contain any information about the genuine template. We cannot reconstruct the genuine template from the cancellable template. If the stored template has been attacked, a new cancellable template will be generated, changing the disfigurement features of the non-invertible transform [11].

The last approach is the hybrid approach, which combines the two previous approaches.

3. Related Works

Many methods have been proposed in the literature to secure biometric templates, whether for physical or behavioral biometrics. This section reviews the work conducted on biometric template protection.

Many studies protect the biometric template using biometric cryptosystems, either using fuzzy vault [12,24] or fuzzy commitment [14,15] in the key binding approach or fuzzy extractor in the key generation approach [13]. Others combine two template protection techniques [11]. Additionally, some works use classical encryption methods, such as Rivest–Shamir–Adleman (RSA) [10,25].

Sujitha et al. [24] used the fuzzy vault technique as biometric template protection to protect fingerprint minutiae and palm prints in a multi-biometric authentication system. In the enrollment (encoding) phase, users will be enrolled using their biometric linked and shed on polynomial. Then, this vector will be bound to a secret key to generate the vault, and the chaff (or dummy) points will be concatenated with the new vector. The reverse process of encoding will be applied during the authentication (decryption) phase. The authors achieved a false accept rate (FAR) value of 0.01 at polynomial degree 12.

Baghel et al. [12] proposed a fuzzy vault to protect the fingerprint template. They enhanced the fuzzy vault by filtering the genuine vault points from a combination of genuine and chaff points. The authors used principal component analysis (PCA) to align the enrollment template and authentication template. The results they obtained were 0.28 and 4.60 for FAR and equal error rate (EER), respectively, with polynomial degree = 9 using the FVC2002 DB1 dataset; 0.06 and 4.89 for RAR and EER, respectively, with polynomial degree = 10 using the FVC2002 DB2 dataset; and 1.77 and 18.35 for RAR and EER, respectively, with polynomial degree = 10 using the FVC2004 DB1 dataset.

Another study, by Panchal et al. [13], used the key generation approach to protect the fingerprint template in a fingerprint authentication system. The encrypted key is generated from fingerprint features after image preprocessing. Then, the encrypted key is XORed with a binary message. As a result, the authors achieved a genuine accept rate (GAR) of 97.25% for two feature sets.

Some studies have combined two template protection techniques, such as the work done by Priya et al. [26]. These authors use fuzzy commitment (key binding) with a key generation scheme to protect a fingerprint template. They generate a 128-bit key from the extracted minutiae points using a one-way transformation function, then generate a random key in order to bind the keys together and generate a mixed key. The result showed that the mixed key is 50% more secure than the biometric key only.

Maček et al. [11] combined two techniques to protect iris and fingerprint templates: cancellable template (non-invertible transforms) and key generation. In their method, the key is generated from iris biometric features and then hashed to be stored in the system storage. The cancellable template is generated from the fingerprint biometric. The authors obtained a false reject rate (FRR) of 6.75% and FAR of 0% at a key length of 192.

Vasavi et al. [10] used RSA encryption to protect the face, iris, and palm biometric templates with a public key, which is randomly generated to come up with a cipher text. The authors extract their features using empirical mode decomposition (EMD). They used feature-level fusion for each pair of biometric features, and they obtained 93.33% accuracy.

Kirchgasser et al. [27] proposed a cancellable template protection scheme based on index-of-maximum (IoM) hashing to protect a finger vein template. They use six methods to extract finger vein features: Gabor filter (GF), isotropic undecimated wavelet transform (IUWT), maximum curvature (MC), principal curvature (PC), repeated line tracking (RLT), and wide line detector (WLD). The best result they obtained was EER = 0.71 when using the PC feature extraction method on the UTFVP dataset.

For behavior biometric template protection, Hoang et al. [14] and Elrefaei et al. [15] used FCS to secure a gait template. The binary key is randomly generated and encrypted to a codeword using the BCH encoding scheme. Then, the key hash code will be computed. After that, the template will be secured by binding the cryptographic key to the biometric template using a hash function. The helper data is stored in the database for authentication. The result showed that 0.0% for FAR, and FRR for key length equal to 139 is 16.18%, for key length equal to 71 is 20.59%, and for key length equal to 50 is 14.91% [14]. FAR and FRR were 0% for key length equal to 50 for CMU MoBo dataset FAR and FRR = 0 for key length equal to 45 for CASIA A database [15].

Additionally, Nagakrishnan et al. [16] proposed a new biometric template protection technique based on the deoxyribonucleic acid (DNA) encryption approach and chaotic mapping to protect a person’s speech template in speech-based authentication systems. The Mel frequency cepstral coefficient (MFCC) features are extracted from a person’s speech, and then clustering is used to cluster the features and reduce memory spacing. The result was 97% for system accuracy using the AVSpoof database.

Another work proposed by Zhi et al. [17] protected a touch stroke template by using the cancelable template protection approach based on learning IoM hashing. The IoM hashing transforms the template into the indices of the largest values chosen from a number of random projections of original template features. They use the second version of the Touchalytics dataset, which used a hand-crafted feature extraction approach [28]. The best result they obtained was EER = 9.60 with length of m = 30 using the intra-session scenario.

All of the previous works extracted biometric features using traditional methods such as image processing. In contrast, Sudhakar et al. [29] used CNN DL for feature extraction. The authors proposed cancelable template protection based on quick response (QR) for iris/finger vein template protection. After feature extraction, the features are transformed to cancelable templates using random projection. At authentication, they use a multi-layer perceptron (MLP) to classify the users. The best result they obtained was 99.55% using 5-fold cross-validation for the FV-USM dataset.

Additionally, Talreja et al. [30] proposed cancelable biometrics and forward error control (FEC) codes to protect face and iris biometrics templates. Each biometric feature is extracted using CNNs, and then both models are concatenated using a concatenation layer. In their results, GAR is equal to 92.5% at a symbol size of 5006.

Jindal et al. [2] combined the transform-based approach and the biometric cryptosystems FCS approach to introduce a hybrid approach in order to protect the face template. They use the VGG-Face architecture to extract face templates and map the features to binary code for each image. Then, the cryptographic hash (SHA3-512) algorithm is applied to the binary code and feature vector to come up with a 512-bit cryptographic hash, which is stored in the database. The best result they obtained was an EER of 0.15% ± 0.02% for the PIE dataset.

Most of the works discussed above involved physical biometrics. Few studies have examined behavioral biometrics such as gait, speech, and touch stroke gesture. Additionally, most authors have used traditional methods to extract biometric features; few have employed learning-based approaches.

Touch biometrics are proven to be effective and reliable for authentication systems. However, template security for touch biometrics has not been adequately addressed. We will cover this gap using FCS. As DL for template security and touch biometrics has not yet been thoroughly investigated, we will use FCS with DL in touch-gesture biometrics.

Some works have used transfer learning DL models that are pre-trained on other datasets with different scopes (e.g., VGG-19) to extract the features of physical biometrics such as face and iris features [2,30]. However, for behavior biometrics, there are no pre-trained models trained on datasets in a similar domain (touch behavior). Therefore, we decided to train our models from scratch on a touch-gesture dataset.

4. The Proposed Template Protection of Touch-Based Gestures

We propose a touch-based gesture authentication system in which a fuzzy commitment scheme is applied to enhance the security and privacy of the system. The special property of the fuzzy commitment scheme is that it combines techniques from the area of error-correcting codes and cryptography to achieve a type of cryptographic system [15,31]. The proposed system contains three main stages to protect the touch-gesture template in the touch authentication system (Figure 1): feature extraction, feature selection, and FCS. In this section, we will introduce each stage.

4.1. Feature Extraction Stage

To extract touch features, we build a DL model trained from scratch on raw data and run it as a touch authentication system, then use this DL model to extract touch features. The aim of this model is to authenticate the user based on his touch gestures. Many studies of touch authentication systems have extracted touch features from touch raw data using DL [32,33].

Touch Authentication Models

In order to extract helpful features from raw touch data, we follow a learning-based approach [33]. We build a CNN-RNN model that contains CNN and RNN layers. The RNN layer is either long short-term memory (LSTM) or gated recurrent unit (GRU) [33]. The input to these models is users’ raw touch data, and the output is classified class y with probability p.

Table 1. Different DL model architectures.

Model Name	Layers
CNN-LSTM	CNN layer with filters = 512, and kernel_size = length of column, with activation = ‘relu’ and padding = same
	Max pooling layer with pooling size = number of columns
	LSTM layer (700 neurons)
	softMax layer
CNN-GRU	CNN layer with filters = 512, and kernel_size = length of column, with activation = ‘relu’ and padding = same
	Max pooling layer with pooling size = number of columns
	GRU layer
	softMax layer

presents the model structures used in the touch authentication system.

After training the DL models and obtaining the best result, we obtain touch features from the hidden (RNN) layer of touch raw data and rely on these features in the feature selection stage.

4.2. Feature Selection Stage

As we see from Figure 1, the enrollment phase of the feature selection step contains three different processes: quantization scheme, reliable bit, and binarization. The authentication phase has only one process, which is binarization. The input to this phase is the user’s touch features, and the output is binary feature vectors. In this section, we explain each step of feature selection stage.

Quantization scheme: This scheme is employed in the enrollment phase only to obtain the inter-class and intra-class means. The inter-class mean is used later in the binarization step in each of the enrollment and authentication phases and is stored in system storage as helper data. The intra-class mean will be used in the next process in the enrollment phase to obtain the reliable bits of each user [15].

The quantization scheme is obtained by calculating the intra-class mean (Equation (1)) of each user’s template (feature vector) in the enrollment phase and the inter-class mean (Equation (2)). For each user u, there are many templates $T\in \left\{1,\dots ,t\right\}$, and each template T has a number of features $t\in \left\{1,\dots ,ti\right\}$. We calculate the following:

$${\mu }_i=\frac{1}{T_t}{{\displaystyle \sum }}_{i=1}^{T_t}{T}_{i,t }$$

(1)

Additionally, we calculate the inter-class mean by summing the mean of the intra-class means of all users’ templates divided by the number of users in the enrollment phase (Equation (2)):

$$\mu =\frac{1}{U}{{\displaystyle \sum }}_{i=1}^U{\mu }_i$$

(2)

Reliable bit: After we calculate the inter-class mean, we find the reliable bit component for each user u by first calculating the variance of each $t_i$ component in each template $T_{u,i}$ of each user u (Equation (3)) [15]:

$${\left({\sigma }_{u,t}\right)}^2=\frac{1}{T_u}{{\displaystyle \sum }}_{k=1}^{T_u}(T_{u,k}-{\left(\mu {)}_u\right)}^2$$

(3)

where ${\sigma }_{u,t}$ is the variance of ti component in template Ti of the user u. Algorithm 1 presents the steps of calculating the variance [15,31,34].

Algorithm 1 Calculate the Variance of the ith Component.

\\ input: number of users, number of templates num_template, touch template${\mathit{T}}_{\mathit{u},\mathit{i}}$, inter-class mean$\mathit{\mu }$ \\ output: variance of each component in the template${\mathit{\sigma }}_{\mathit{u},\mathit{t}}$ 1 var = 0 2 variance = 0 3 For u in len(users) do: 4           var = 0 5         For t in range (num_template) do: 6                For n in range (${\mathit{T}}_{\mathit{u},\mathit{t}}$) do: 7                         var1 = abs((${\mathit{T}}_{\mathit{u},\mathit{t} -}$$\mathit{\mu }$u)) ^2 8                         var = var + var1 9         variance = var/(num_template-1) 10         ${\mathit{\sigma }}_{\mathit{u},\mathit{n}}^2$ = variance 11      return ${\mathit{\sigma }}_{\mathit{u},\mathit{n}}^2$

To obtain the reliable bit component $r_{u,t}$ of each bit t_i in the template T_i of user u, we use the Gaussian error function (erf) (Equation (4)). Then, we find the indices R_index of reliable component rel_all and sort them in descending order to get the indices of the most reliable bit first. The reliable indices R_index are stored in the system storage to be used later in the authentication phase. Algorithm 2 presents the steps of calculating the reliable bit [15,31,34].

$$r_{u,t}=\frac{(1+erf(\frac{|{\left({\mu }_u\right)}_t|-|{(\mu )}_t|}{\sqrt{2{\sigma }_{u,t}}}))}{2}$$

(4)

Algorithm 2 Calculate the Reliability of the ith Component in User Template $T_{u,i}$.

\\ input: number of templates num_template, number of components in each template num, touch template${\mathit{T}}_{\mathit{u},\mathit{i}}$, inter-class mean$\mathit{\mu }$, intra-class mean${\mathit{\mu }}_i$, and variance of each component in the template for each user${\mathit{\sigma }}_{\mathit{u},\mathit{t}}^2$ \\ output: reliable bit of each component in the template for all users (${\mathit{r}}_{\mathit{u},\mathit{t}}$) 1 Foru in len(users) do: 2       var = 0 3       For t in range(num_template) do: 4                For n in range(num) do: 5                      ${\mathit{r}}_{\mathit{u},\mathit{t}}$= (1/2*(1 + erf(((abs($\mathit{\mu }$u,n) −$\mathit{a}\mathit{b}\mathit{s}(\mu$n))/(sqrt(2*${\mathit{\sigma }}_{\mathit{u},\mathit{t}}$)))))) 6 return${\mathit{r}}_{\mathit{u},\mathit{t}}$

Binarization: After we calculate the intra-class mean $\mu$ and the indices of the most reliable bit R_index, we binarize the feature vectors $f_{}^e$ obtained from the previous phase (feature extraction) with the help of the intra-class mean; we transform the value t_i in template T_i of the user u_i to binary vector $F=\left[f_1,\dots ,f_n\right]$ (Equation (5)). Algorithm 3 presents the steps of feature vector binarization [15,31,34].

$${\left(f_B^e\right)}_i=\{\begin{array}{c}0 if T_{u,i}\le {\left(\mu \right)}_i\\ 1 if T_{u,i}>{\left(\mu \right)}_i\end{array}$$

(5)

Algorithm 3 Binarize the Feature Vector.

\\ input: number of users, number of templates num_template, number of components in each template num_t, touch template${\mathit{T}}_{\mathit{u},\mathit{i}}$, inter-class mean $\mathit{\mu }$. \\ output: Binary feature vector ${\mathit{f}}_{\mathit{B}}^{}$ 1   ${\mathit{f}}_{\mathit{B}}^{}$ = ${\mathit{T}}_{\mathit{u},\mathit{i}}$ 2   For u in len(users) do: 3            For t in range(num_template) do: 4                          For i in range(num_t) do: 5                               IF (${\mathit{T}}_{\mathit{u},\mathit{i} }$<=${\left(\mathit{\mu }\right)}_{\mathit{i}}$) then: 6                                          ${\left({\mathit{f}}_{\mathit{B}}^{}\right)}_{\mathit{u},\mathit{t},\mathit{i}}$ = 0 7                               Else: 8                                          ${\left({\mathit{f}}_{\mathit{B}}^{}\right)}_{\mathit{u},\mathit{t},\mathit{i}}$ = 1 9     return ${\left({\mathit{f}}_{\mathit{B}}^{}\right)}_{}$

After we convert the feature vector to binary feature vector $f_B^e$, we take the most reliable binary bit by using the reliable indices R_index from the previous step. The length of the reliable binary bit is the same as the length of codeword n determined later in FCS [14,15,31,34].

In the authentication phase, we binarize the authentication features $f_B^a$ by using the inter-class mean $\mu$ (Equation (2)) and reliable indices R_index (which are stored in the system storage in the enrollment phase) [15].

4.3. Fuzzy Commitment Scheme Stage

This phase is used to protect the touch-gesture template of the user. The input to this phase is the binary feature vector $f_B^{}$. The stage has two main methods: commit, to secure the template in the enrollment phase, and de-commit, to authenticate the user in the authentication phase using his touch gestures.

Many factors cause variations in touch (e.g., time, pressure, x and y coordinates, etc.). We employ error-correction techniques to deal with these variations. The BCH error-correction code is used in our proposed system. It is a cyclic, error-correcting, variable-length digital code and is used to correct multiple random error patterns. The BCH code can only correct errors that happen at random, as in the touch binary feature vectors. We denote an error-correcting code as [n, k, t], where n is the length of the codeword C, k is the length of the message m, and is t the error-correcting capability. Figure 1 clarifies the use of BCH in the proposed system; it is used to encode the key in the enrollment phase and decode it in the verification phase [15,34].

Commitment: This step is performed during the enrollment phase (Figure 1) to commit the random message m of length k with binary feature vector $f_B^e$. First, a random message m ∈ {0, 1}ⁿ with length k is created and encoded by the BCH encoder into a codeword C ∈ {0, 1}ⁿ with a length of n from C. The codeword C is then XORed with the binary feature vector with length n to obtain the secured touch template $\delta$ where $\delta =$ C⊕$f_B^e$ [14,15,31,34]. The message m is hashed using sha-256 and then stored in the system storage as h(m) to be used later for matching in the authentication phase. Algorithm 4 describes how to commit the binary_enroll_feature $f_B^e$ of the user.

Algorithm 4 Commit the binary_enroll_feature of the user.

\\ input: Binary enrollment features${\mathit{f}}_{\mathit{B}}^{\mathit{e}}$, length of codewordn, length of messagek, error capabilityt \\ output: secured touch template$\mathit{\delta }$, hash of message hash(m)         1          BCHEncode = BCH(n,k,t)          \\Create a BCH object from BCH library         2                 m = random (k)                  \\Generate random message with length k         3          IF length(${\mathit{f}}_{\mathit{B}}^{\mathit{e}}$) > n then:         4                    Error;         5          Else         6                    C = BCHEncode (m)         7                    $\mathit{\delta }$ = C XOR ${\mathit{f}}_{\mathit{B}}^{\mathit{e}}$         8                    Hash(m) = sha256(m)         9          return hash(m), $\delta$

De-commitment: This step is performed during the authentication phase. It decodes the secured touch template $\delta$ using the binary authentication feature vector $f_B^a$. The binary authentication feature $f_B^a$ is XORed with the secured touch template $\delta$, which was stored in the system storage in the enrollment phase, to get the codeword C′. The codeword C′ is then decoded using BCH Decode(C′) to obtain m′. The hash function is also applied here to obtain h(m′). In the matching step, if h(m′)= h(m), then the user will be accepted; otherwise, the user will be rejected. Algorithm 5 describes how to de-commit the secured touch template of the user.

Algorithm 5 De-commit the user using their binary authentication feature.

\\ input: binary authentication features ${\mathit{f}}_{\mathit{B}}^{\mathit{a}}$, secured touch template$\mathit{\delta }$, the hash of message hash(m) \\ output: verify: Boolean          1         C′ = ${\mathit{f}}_{\mathit{B}}^{\mathit{a}}$ XOR $\mathit{\delta }$          2          m′ = BCHdecode(C′)          3          hash(m′) = sha256(m’)          4          IF hash(m′) == hash(m) then:          5                   verify = True          6          Else          7                   verify = False          8          return verify

5. Experiments and Results

Concerning software specification, we used the Python programming language (version 3.7) with the Anaconda Jupiter tool to implement our proposed system. Python libraries including Numpy, Pandas (version 1.19), and sklearn (version 1.0) were used. Additionally, we used the Keras deep learning library version 2.3.1 with the TensorFlow backend (version 2.1). We used the hashlib library for biometric template security. Concerning hardware specification, a Dell device with an Intel^® Core ™ i7-7500U CPU 7500 GHz was used to implement our work. In this section, we introduce the datasets and evaluation metrics used to test our work, followed by our experimental results.

5.1. Touch Datasets

Two publicly available touch datasets were used in our proposed system: Touchalytics [28] and BioIdent [35].

Touchalytics dataset

This dataset contains raw data of touch strokes collected from 41 users during seven sessions (three sessions for horizontal strokes and four sessions for vertical strokes). There were three session types. Intra-session means the strokes are recorded at the time the user interacts with the screen. Inter-session refers to recording strokes from different sessions. Finally, inter-week session refers to strokes recorded from sessions separated by one week. The data has eight columns: pressure, time, x and y coordinates, phone orientation, action, area covered, and finger orientation. Each stroke is recorded from start to end; action = 0 means the stroke began, action = 1 means the stroke ended, and action = 2 means the user is moving on screen and doing the stroke. Horizontal and vertical strokes have been recorded. They recorded horizontal strokes while the user interacts with an image comparison game. The vertical stroke was recorded while users read a Wikipedia document [28].

BioIdent dataset

This dataset also contains raw data of touch strokes. Eight types of data related to touch stroke have been recorded: pressure, time, finger orientation, phone orientation, x and y coordinates, area covered, and action. There is no session separation between strokes. The users participated to record their strokes were 71. Additionally, horizontal and vertical strokes were recorded while the users interacted with the phone, read documents, and played an image comparison game. Eight different devices were used, including tablets, with varying screen sizes. Moreover, the data was obtained during four weeks (not separated by session in the database) [35].

Table 2. The specifications of the Touchalytics and BioIdent datasets.

Dataset Name	Touch Type	Data Type	Touch Data	Number of Samples	Session	Number of Users	Devices
Touchalytics [28]	Stroke	Raw data	time, action, phone orian, X,Y coordaniates, Pressure, area_covered, Finger_orian (8 types of data related to touch)	912,133 samples	7 sessions 4 Wikipedia articles for vertical stroke and 3 Image comparison game for horizontal stroke	41	5 Devices 2 Nexus 1, Nexus S, Samsung Galaxy S, and Droid Incredible.
BioIdent [35]	Stroke	Raw data	time, action, phone orian, X,Y coordaniates, Pressure, Finger_oriantation	231,371 samples	-	71	8 different mobile devices, both tablets and phones

summarizes the specifications of both datasets in terms of touch type, data type, touch data, number of samples, sessions, number of users, and devices.

5.2. Dataset Preparation

In order to prepare our data; we use min–max data normalization and followed by data standardization.

Min–Max Normalization: Since touch data is unbalanced data and the users have different numbers of samples, min–max normalization is used in our proposed system to address the problem of unbalanced data by scaling the data in the same ranges based on predefined lower and upper boundaries $l$ and $u$, respectively [36]. Let R denote the raw data of dataset $R_{ij}$, i ∈ {1, 2, …a}, j ∈ {1, 2, …d}, represented as a matrix of a columns and d rows. The normalized dataset $\widehat{R}$ is obtained by Equation (6):

$$\widehat{R}=\frac{R_{ij}-min\left(R_j\right)}{\mathit{max}\left(R_j\right)-min\left(R_j\right)}\times \left(u-l\right)+l$$

(6)

where $R_{ij}$ is the dataset before min–max Normalization and $\widehat{R}$ is the dataset after min–max normalization [36].

Data Standardization: Additionally, we use data standardization after min–max normalization to convert the data to have a mean of zero, as in Equation (7):

$$F_{new}=\frac{\widehat{R}-\mu }{\sigma }$$

(7)

where $F_{new}$is the data after standardization and $\widehat{R}$ is data before standardization, $\mu$ is the mean, and $\sigma$ is the data’s standard deviation. By considering touch authentication system as multi-class classification, we convert the class Y to one-hot encoding Y ϵ {0, 1}^s, where s is the number of classes.

5.3. Evaluation Metric

In this section, we discuss the performance evaluation of our proposed system. Two types of performance evaluations were used: the performance of DL models in the touch authentication system and the performance of the template security of touch gestures in the touch authentication system.

5.3.1. Evaluation Metrics of Touch Authentication System

In the feature extraction stage, we must train the DL models used to authenticate the user from scratch to ensure that the features represent the corresponding user. To evaluate the performance of these models, we used a confusion matrix and calculated FAR, FRR, and EER.

• Confusion Matrix: This matrix summarizes the prediction results in a classification problem. The confusion matrix is presented in a table with four different combinations of predicted and actual values (Figure 2) [37]:

  ○

  True Positives (TP): The number of cases with correct positive predictions.

  ○

  True Negatives (TN): The number of cases with correct negative predictions.

  ○

  False Positives (FP): The number of cases with incorrect positive predictions.

  ○

  False Negatives (FN): The number of cases with correct negative predictions.

In addition to the confusion matrix, we calculated some other parameters obtained from the matrix:

• False Acceptance Ratio (FAR): This metric measures the security of the biometric system and is calculated by Equation (8):

$$\mathrm{F}\mathrm{A}\mathrm{R}=\frac{\mathrm{F}\mathrm{P}}{\mathrm{F}\mathrm{P}-\mathrm{T}\mathrm{N}}$$

(8)

where FP means false positive, and TN means true negative [10].

• False Rejection Ratio (FRR): This represents the part of correct samples that are incorrectly rejected and is calculated using Equation (9) [10]:

$$\mathrm{F}\mathrm{R}\mathrm{R}=\frac{\mathrm{F}\mathrm{P}}{\mathrm{T}\mathrm{P}-\mathrm{F}\mathrm{N}}$$

(9)

• Equal Error Rate: This metric is achieved when FAR and FRR are equal. However, if more than one values in two rates are equal, we find the mean EER [38].
• Accuracy: This metric is calculated as in Equation (10):

$$Accuracy=\frac{Number of correct prediction}{Total number of predictions}$$

(10)

5.3.2. Evaluation Metrics of Template Security of Touch Gesture

A biometric cryptosystem can be evaluated through two properties: accuracy and security.

• Accuracy:

  ○

  FAR: This metric is obtained from an imposter test in which the system falsely accepts an imposter. We consider the user to be authenticated as the genuine user and all other users as imposters. When the system accepts the imposter user rather than the genuine user at authentication, the FAR will increase [15].

  ○

  FRR: This measure is obtained from a genuine test in which the system falsely rejects a genuine user. The genuine test is conducted by considering the user who will be authenticated as the genuine user and all other users as imposters. When the system rejects the genuine user rather than an imposter user at authentication, the FRR will increase [15].

  ○

  The cryptographic key size k (bits): The key size depends on the error-correction technique BCH and the error-correction capability (t). The performance of the proposed system is evaluated using FAR/FRR with different key lengths (k) and error-correction capabilities (t) [15].

• Security:
  Security analysis of the proposed system, considering different attacks scenarios such as FAR attack, hash inversion, using helper data, and randomness of the key [15].

5.4. Feature Extraction Stage Experiments and Results

We did two experiments with two different DL architectures: CNN-LSTM and CNN-GRU [33]. After conducting several experiments with different values of the training parameters, we adjusted the values of these parameters for all datasets as follows: epochs = 100, batch size = 500, split ratio = (70% training, 10% validation, 20% testing). Adam has been used as an optimizer with its default learning rate.

The CNN-GRU model obtained the best result for the Touchalytics dataset, achieving 96.73%, 96.07%, and 96.08% for training accuracy, validation accuracy, and testing accuracy, respectively. We used this model to obtain the touch features. We extract the features from the GRU layer, which has 700 neurons; thus, the length of our feature vector will be 700. The CNN-LSTM model obtains the best result for the BioIdent dataset, with 84.88%, 77.68%, and 78.07% for training, validation, and testing accuracy, respectively. We obtain the features from the LSTM layer, which has 700 neurons; thus, the feature length will be 700.

5.5. Template Protection Experimental Results

We use the binary BCH code described by the triplet (n, k, t) where n denotes the code word length, k is the key length, and t is the error-correction capability. There is a limited list of possible BCH codes; we chose the code that is appropriate for the dimension of our feature vector (d = 700). Therefore, we prefer codeword length (n) to be 127,255 and 511. We conducted various experiments to test our proposed system.

5.5.1. The Effect of Increasing the Numbers of Enrollment Samples

In this experiment, we randomly choose touch samples for both enrollment and authentication samples. We run the experiment with different numbers of samples: three enrollment samples with one authentication sample, and eight enrollment samples with three authentication samples [15,34]. Each enrollment is authenticated by all authentication samples.

Table 3. The results of the first experiment with the Touchalytics dataset.

			Three Enrollment Samples		Eight Enrollment Samples
n	k	t	FAR	FRR	FAR	FRR
127	120	1	0.0000	0.9512	0.0000	0.9756
	113	2	0.0000	0.9512	0.0000	0.9573
	106	3	0.0000	0.9350	0.0000	0.9400
	99	4	0.0000	0.8943	0.0000	0.9207
	85	5	0.0000	0.8699	0.0000	0.8994
	78	6	0.0000	0.8618	0.0005	0.8628
	71	7	0.0000	0.8049	0.0010	0.8303
	64	9	0.0006	0.6992	0.0017	0.7297
	57	10	0.0018	0.6748	0.0030	0.6921
	50	11	0.0026	0.5935	0.0055	0.6321
	43	13	0.0083	0.4878	0.0082	0.5305
	36	14	0.0118	0.4228	0.0124	0.4807
	29	15	0.0159	0.3740	0.0163	0.4339
	22	21	0.0856	0.2276	0.1070	0.2073
	15	22	0.1112	0.1870	0.1391	0.1697
	12	23	0.1472	0.1626	0.1753	0.1565
	10	24	0.1864	0.1382	0.2147	0.1352
	8	25	0.2297	0.1057	0.2608	0.1108

shows the results of this experiment of touch template protection using FCS with random sampling from the Touchalytics dataset. Figure 3 shows the ERR with respect to k-length. From this scenario, we can see the effect of increasing or decreasing the number of samples in the enrollment. We observe that the FRR increased when the number of enrollment samples increased. Additionally, we can see that FRR is better when we use three enrollment samples.

Figure 4 shows the result of the first experiment when we use random splitting on the BioIdent dataset. The FAR for three enrollment samples coincides with the FAR for eight enrollment samples. We also observe that the FRR increases when there are more enrollment samples.

5.5.2. The Effect of Increasing the Size of Feature Length to n = 255 and n = 511

Since the binary BCH code applied in our proposed system has limited BCH codes, we choose from them the codes appropriate for the dimension of our feature vector. As the feature vector length of a touch is 700, in this scenario we use different numbers of BCH code, n = 255 and n = 511, with three enrollment samples and one authentication sample.

Table 4. The results of the second experiment (with n = 255 and n = 511) for the Touchalytics dataset.

n	k	t	FAR	FRR	n	k	t	FAR	FRR
255	247	1	0.0000	0.9837	255	99	22	0.0053	0.5854
	239	2	0.0000	0.9512		91	23	0.0063	0.5528
	231	3	0.0000	0.9431		87	25	0.0108	0.5041
	223	4	0.0000	0.9431		79	26	0.0140	0.4715
	215	5	0.0000	0.9350		71	27	0.0185	0.4390
	207	6	0.0000	0.9350		63	29	0.0317	0.3740
	199	7	0.0000	0.9187		55	30	0.0398	0.3496
	191	8	0.0000	0.9106		47	31	0.0496	0.3415
	187	9	0.0000	0.9024		45	42	0.3112	0.1138
	179	10	0.0000	0.8943		37	43	0.3504	0.0894
	171	10	0.0000	0.8943		29	45	0.4238	0.0732
	163	11	0.0000	0.8780		21	47	0.5047	0.0488
	155	12	0.0000	0.8374		13	55	0.7990	0.0000
	147	13	0.0000	0.8049		9	59	0.8945	0.0000
	139	14	0.0002	0.7805	511	502	1	0.0000	0.9756
	131	15	0.0004	0.7642		493	2	0.0000	0.9675
	123	18	0.0020	0.7317		484	3	0.0000	0.9593
	115	19	0.0022	0.6992		475	4	0.0000	0.9593
	107	21	0.0037	0.6179		466	5	0.0000	0.9431

shows the results for the Touchalytics dataset with the second experiment for n = 255 and n = 511. From this experiment, we can observe the effect of adding n. At n = 255, the FRR is equal to 0.5854 when k = 99, and the FAR is equal to 0.0053; this is better than the first scenario with respect to k-length and FRR. Increasing n makes the system more secure because it has a longer key length than the first experiment.

We also ran this experiment with the BioIdent dataset (

Table 5. The results of the second experiment (n = 255 and n = 511) for the BioIdent dataset.

n	k	t	FAR	FRR	n	k	t	FAR	FRR
255	247	1	0.0000	0.9906	255	99	23	0.0003	0.5399
	239	2	0.0000	0.9906		91	25	0.0004	0.5023
	231	3	0.0000	0.9765		87	26	0.0004	0.4742
	223	4	0.0000	0.9718		79	27	0.0005	0.4507
	215	5	0.0000	0.9484		71	29	0.0007	0.4366
	207	6	0.0000	0.8967		63	30	0.0007	0.3991
	199	7	0.0000	0.8732		55	31	0.0009	0.3803
	191	8	0.0000	0.8592		47	42	0.0073	0.2019
	187	9	0.0001	0.8357		45	43	0.0080	0.1925
	179	10	0.0001	0.8169		37	45	0.0101	0.1643
	171	11	0.0001	0.7887		29	47	0.0133	0.1362
	163	12	0.0001	0.7559		21	55	0.0364	0.0657
	155	13	0.0002	0.7371		13	59	0.0634	0.0516
	147	14	0.0002	0.7183		9	63	0.1015	0.0329
	139	15	0.0002	0.6995	511	502	1	0.0000	0.9953
	131	18	0.0002	0.6479		493	2	0.0000	0.9906
	123	19	0.0003	0.6291		484	3	0.0000	0.9906
	115	21	0.0003	0.6009		475	4	0.0000	0.9812
	107	22	0.0003	0.5681		466	5	0.0000	0.9624

). Figure 5 shows the results of the second experiment with respect to k-length and n = 255. We achieved the best result from this experiment with n = 255; the FRR is 0.5399 and FAR is 0 with key length 99.

5.5.3. The Effect of Splitting the Samples Based on Session and Stroke Type

We split the data based on session and type of stroke (either horizontal or vertical). Only the Touchalytics dataset is considered in this experiment since it recorded during different sessions:

Intra-session: taking both enrollment and authentication samples from the same session while recording the dataset.

Inter-session: taking the enrollment sample from one session and the authentication sample from the next session (there is no separated day between them).

Inter-week: taking the enrollment sample from one session and the authentication sample from another session with one week of separation.

Only 14 users have been considered in this scenario because only 14 participated in all the sessions while recording the dataset. Figure 6 shows the FAR for this experiment for horizontal and vertical strokes, and Figure 7 shows the FRR for horizontal and vertical strokes. We can see from this experiment that the best results for both FAR and FRR were obtained with vertical strokes and inter-session samples.

Generally, we observe that the values of FAR and FRR are different in each experiment, even with the same key length (k) and code length (n). Additionally, we find that the number of samples can affect the system performance. Finally, selecting the samples based on session and stroke type enhances the system performance.

5.5.4. Comparison with Other Works

In this section, we compare our work with the previous studies of template protection on the Touchalytics dataset.

Table 6. Comparison with other works regarding the Touchalytics dataset.

Reference	Template Protection	Feature Extraction Approach	Key Length	FAR	FRR	EER
Our work	Without template protection	Learning-based	-	0.0009	0.0975	0.0975
Our work	FCS	Learning-based	99	0.0053	0.5854	0.1800
[17] (2019)	Non-invertible Cancelable biometric based on IoM hashing	Hand-crafted feature extraction	30	-	-	0.0960

shows the comparison between our proposed system and other works. The work by Zhi et al. [17] used cancellable biometric template protection based on learning IoM hashing, and the authors used the hand-crafted features as their input. The best result they obtained was 0.0960 for EER. While we use a learning-based approach for feature extraction of raw touch data and for template protection, we use FCS rather than cancellable biometric template protection. Our proposed system obtains comparable results and is a more secure system, with key length = 99.

Additionally, we compare our work with other works done in biometric template protection that used DL to extract biometric features. The comparison is relative because the studies used different biometric, ECC, and template security methods.

Table 7. Comparison with other works done on biometric template protection.

Ref.	Biometric	Feature Extraction Algorithm	Template Protection Method	ECC	Dataset	Result
[29] (2020)	iris/finger vein	CNN	Non-invertible Cancelable biometric	Reed Solomon	IIT-D Database and MMU for iris and FV-USM Dataset	The accuracy is 98% for the IITD dataset, 92% for the MMU dataset, and 99.55% for the FV-USM dataset
[30] (2017)	Face and iris	CNN	Cancelable biometric and forward error control code	Reed Solomon	Face-CNN Iris-CNN Cassia web face	GAR = 92.5% at symbol size = 5006
[2] (2018)	face	CNN	Hybrid approach (transform-based and biometric cryptosystem)	-	CMU-PIE, FEI, and color FERET	EER = 0.15% for k = 25% and multi shots
Our work	Touch Stroke	CNN-GRU	FCS	BCH	Touchalytics dataset, BioIdent dataset	EER= 0.1800 on Touchalytics dataset EER= 0.0900 on BioIdent dataset

shows the comparison. The authors of Sudhakar et al. [29] and Talreja et al. [30] used CNN to extract iris, finger vein, and face features, then secured the biometric template by a cancelable biometric. Additionally, they used Reed Solomon as ECC. The work done by [2] also extracted face features using CNN, and they used a hybrid approach to secure the face template. In comparison, our work is the first done on template security of touch-gesture biometrics using FCS and DL with good results.

5.5.5. Security Analysis

Many privacy requirements are provided by the ISO standard [39] for the protection of biometric templates, including confidentiality, integrity, availability, and renewability/ revocability [39,40]. More specifically, the standard proposes the following privacy requirements concerning biometric information:

Non-invertibility: This requirement means that the biometric template should not be obtained from an individual’s protected biometric reference stored in system storage [39].

Renewability: The original biometric template should not be obtained from multiple instances of the protected biometric reference derived from the same biometric trait of an individual [39,40].

Non-linkability: The biometric template stored in system storage should not be linkable across applications or databases [39,40].

To achieve these requirements, two types of threats have been considered:

High-level threats: These threats do not have knowledge of how the algorithm works. Instead, they exploit high-level information such as the inputs and outputs of the algorithm [40]. For this threat type, we analyze the FAR Attack presented in the next subsection.

Low-level threats: These threats know how the template protection algorithm works and exploit low-level information such as how the biometric template is stored in system storage [39,40]. For this threat type, we analyze hash inversion and threats that use helper data, as we will explain in the next subsections.

FAR attack

A FAR attack is a high-level threat that can be used to exploit the fact that the biometric authentication system has a non-zero FAR. This attack is normally defined in the authentication phase. The threat keeps trying sufficient touches until it is accepted (brute force attack) [39,40]. If the system is operating at FAR = α, then the expected number of trials to obtain a false accept is 1/α [39,40]. Since we obtain FAR = 0.0053 on the Touchalytics dataset, the expected number of trials is 1/0.0053 = ~189. If the system storage contains n templates for the user and the authentication system has FAR = α, then the probability of being accepted by the system is approximately n/α. In our case, there are three templates stored in the database for each user, and the probability of accessing the biometric template is 0.0159. This is a very small number, and so it meets the requirement of non-linkability [40].

Hash inversion

We assume that the threat is a low-level threat that has knowledge of our system and tries to invert the hash of the secret key to obtain our secret key and access the biometric template [23]. It is extremely difficult to recover the secret key from its hash; since we use sha-256 hash function, the attacker needs 2²⁵⁶ effort to invert the hash. This meets the requirement of non-invertibility [40].

Using the helper data

As mentioned above; the biometric template stored in system storage using FCS contains helper data and a hash of the secret key h(m). We assume that the low-level threat can access the helper data. The helper data cannot expose any information about the touch template, even the secret key. This meets the non-linkability requirement. However, if the attacker wants to restore the binary touch template, they need to obtain the secret key first and try all possible hash codes, as mentioned previously. Additionally, there is a possibility of obtaining the secret key from the helper data by making all attempts to expose the binary template, which is close to the template stored in system storage. However, as our binary template n = 255, retrieval is difficult.

Randomness of the secret key

Due to the variation of biometric data, it is necessary to generate a unique and stable key for each user. We assume the threat is a low-level threat and has access to the secret key [41]. The proposed FCS mechanism is able to renew keys, thus changing the helper data and the biometric template stored in system storage. Consequently, this mechanism will provide the specific security requirement of renewability.

6. Conclusions and Future Work

In this work, we propose an FCS to secure a template of touch gestures in a touch authentication system. We use the raw touch data as an input to our proposed system. An RNN based on CNN is used to extract the touch features, then we apply a feature selection algorithm to select the most reliable features. The FCS has been applied to the touch template for template protection, and helper data rather than the touch-gesture template is stored in system storage. We apply three different experiments to test our system, and the best result we obtained was FAR = 0.00 and FRR = 0.5854 with the Touchalytics dataset and FAR = 0 and FRR = 0.5399 with the BioIdent dataset with key length 99 and n = 255. The FCS shows its effectiveness for dynamic authentication systems and obtains good results that are comparable with other works.

The proposed system has several limitations. First, most available datasets do not contain all touch-gesture types. Second, we investigated securing the touch template using only one type of key binding, which is FCS. Additionally, the size of the feature vector is 700, and the BCH codes used to encode the binary feature are limited.

In future work, we want to secure touch templates with other gesture types (e.g., swiping and scrolling) using a second type of biometric cryptosystem (fuzzy vault). Additionally, we want to enhance the proposed system by allowing the DL to extract different lengths of features and map them to binary code directly.