Cancellable speech template via random binary orthogonal matrices projection hashing

Highlights

• A new scheme (RBOMP) to protect speech template e.g. i-vector.

• Modification of Winner Take All hashing to strengthen the privacy security.

• RBOMP provides strong security and privacy against ARM attacks

• RBOMP can be applied to variety of biometric feature with real-valued vector.

Abstract

The increasing advancement of mobile technology explosively popularizes the mobile devices (e.g. iPhone, iPad). A large number of mobile devices provide great convenience and cost effectiveness for the speaker recognition based applications. However, the compromise of speech template stored in mobile devices highly likely lead to the severe security and privacy breaches while the existing proposals for speech template protection do not completely guarantee the required properties such as unlinkability and non-invertibility. In this paper, we propose a cancellable transform, namely Random Binary Orthogonal Matrices Projection (RBOMP) hashing, to protect a well-known speech representation (i.e. i-vector). RBOMP hashing is inspired from Winner-Takes-All hash and further strengthened by the integration of the prime factorization (PF) function. Briefly, RBOMP hashing projects the i-vector using random binary orthogonal matrices and records the discrete value. Due to the strong non-linearity of RBOMP, the resultant hashed code withstands the template invertibility attack. Further, the experimental results suggest that the speech template generated using RBOMP hashing can still be verified with reasonable accuracy. Besides that, rigorous analysis shows that the proposed cancellable technique for speech resists several major attacks while the other criteria of biometric template protection can be justified simultaneously.

Introduction

Given the advancement of technologies and the increase in the popularity of mobile devices, speaker recognition system is emerging into a rapid growing field of research. In [1], Unar et al. stated the possibilities of using voice biometric modalities in different applications involving mobile commerce and transactions. Voice, consisting of unique features of different speakers, is often used to identify and verify the legitimate user in numerous applications. Typically, speaker recognition can be categorized as speaker identification and speaker verification. Speaker identification classifies a given voice to a specific speaker, while speaker verification decides a pair of voices as from the same speaker. State-of-the-art speaker recognition systems widely use i-vector modeling as a frontend technique to jointly model speaker and channel variabilities in a speech utterance due to its favorable performance as well as its condensed representation [2]. Moreover, Probabilistic Linear Discriminative Analysis (PLDA) is commonly adopted as a supervised backend modeling approach to strengthen speaker information while restraining channel variability and other sources of undesired variabilities [3], [4], [5]. Instances of speaker recognition systems that use both i-vector and PLDA can refer to [6], [7]. It is worth mentioning that two general methods applying Deep Neural Network (DNN) to speaker recognition system brought impressive gains in performance. The first method trained a DNN acoustic model to produce frame alignments by the standard Gaussian Mixture Model (GMM) in the conventional framework [8]. The second method used the DNN acoustic model to extract phonetic features [9], [10]. The phonetic features are the outputs of the bottleneck layer of a DNN or the low dimensional features after applying PCA to DNN’s outputs of tied triphone state phoneme posterior probabilities. The phonetic features were then concatenated to Mel Frequency Cepstral Coefficient (MFCC) to generate tandem feature.

In i-vector/PLDA framework, a speaker recognition system can determine the authenticity of a user by matching the voice reference (i.e. i-vector) stored in the database. However, this raises the concern on the protection of the voice reference (also known as template) stored in the database to prevent security and privacy threats. In [11], [12], it has shown that biometric template leakage is considered as one of the most harmful attacks in the biometric security system. The compromised biometric template can lead the impostor to create physical spoof from the stolen template, replace the template and gain illegitimate access to the system [12], [13], [14]. It is further complicated by the fact that biometric traits are irreplaceable once compromised. Therefore, a biometric-based application equipped with template protection capability is urgently needed.

In the literature, a number of proposals have been reported to secure the biometric templates. The existing proposals in protecting biometric template can be divided into three types: biometric cryptosystems (or helper data methods), feature transformation (or cancellable biometrics) and hybrid biometric cryptosystem [12]. Biometric cryptosystems require the usage of helper data, a biometric-dependent public information which does not reveal the original biometric template, to retrieve or generate keys. Instance of biometric cryptosystem can refer to [15]. The authentication process for this approach is to perform biometric comparison to determine the validity of the key retrieved or generated. Depending on how the helper data is derived, this approach can further be divided into key-binding or key-generation systems [16]. On the other hand, cancellable biometrics transforms the original biometric feature in such a way that it is computationally difficult to reconstruct the original biometric feature [16], [17]. The advantages of using this approach is that the adversary is computationally hard to recover the original biometric feature even if the transformed feature vector had been compromised. However, the transformation of feature often leads to the loss of accuracy and this will likely degrade the performance of the biometric recognition system [17]. Instances of cancellable biometric can refer to [18], [19]. Lastly, the hybrid biometric cryptosystem is the combination of biometric cryptosystems and cancellable biometrics to enjoy the strength from each type of method. An ideal template protection scheme is required and must fulfill all of the following requirements [20]:

• Irreversibility. It should always be computationally hard for the adversary to invert the protected biometric template.

• Unlinkability. It should always be computationally hard for the adversary to distinguish whether multiple protected biometric templates were generated using the same biometric trait of a user.

• Revocability. The protected biometric template should be able to be revoked or renewed to replace the old template while the original template should be computationally hard to be inverted from multiple protected biometric templates derived from the same biometric trait of a user.

• Performance. The performance of the biometric recognition rate should not be seriously degraded.

In this section, the previous works on the speech template protection are discussed and summarized. Generally, the revisit of the speech template protection schemes follows the categories of biometric template protection, i.e. cancellable biometrics, biometric cryptosystems and hybrid biometric cryptosystem [12].

Cancellable biometrics, the intentional distortion of the biometric feature, was formalized by Ratha et al. [21] to protect the privacy of the user. In the event that the cancellable feature is compromised, the same biometric feature can be mapped into another new distinct template using the pre-designed distortion characteristics. Cancellable biometrics can further be divided into biometric salting and non-invertible transformation.

Biometric salting [22] blends an auxiliary data (e.g. a user specific key or password) with the biometric feature. A concrete example of biometric salting for speech template protection is probabilistic random projection proposed by Chong and Teoh [23]. Two-dimensional principal component analysis was applied on the feature matrix before going through a random projection process via an externally derived pseudo random-number. The projected matrix was then fed into a Gaussian Mixture Model (GMM) to obtain probabilistic speaker models. The presented scheme was shown to be resisted from the stolen-token attacks where even if the token had been compromised, the recognition performance of the system was still able to retain at the feature vector level. However, the scheme was vulnerable to attack via record multiplicity (ARM) as the adversary can recover the original feature template by exploiting multiple templates generated using different random projection matrices [24].

Cancellable biometrics also often refers to the use of one-way transformation function that converts the voice feature to a protected template that is computationally hard to be inverted [22]. In 2008, Xu and Cheng [25] proposed a cancellable voice template protection method based on fuzzy vault scheme [26]. Chaff points were added to the unordered Mel-Frequency Cepstral Coefficient matrix to create a vault and a prime accumulator was used to separate the genuine points from chaff points. Besides, a non-invertible function was used to conceal the raw features while polynomial reconstruction was used for authentication. However, Chang et al. [27] revealed that the selection of the chaff points is not independent as the selection of new chaff point depends on the location of the previous selected point. It was observed that the latecomers, referring to the points added later, will likely to have more nearby points. Hence, increasing the number of chaff points will likely lead the adversary to correctly guess the genuine points. In addition to that, if the prime accumulator had been compromised, the adversary will be able to easily determine the genuine points.

Recently, Pandev et al. [28], [29] proposed a new technique called deep secure encoding for protecting face template. The face features were first extracted and trained using deep convolutional neural networks to generate an unprotected binary template. The unprotected binary template was divided into n k-bit blocks. Each k-bit block was then fed as an input of a cryptographic hash function (e.g. SHA-256). Finally, the n outputs of hash function were stored in the database for matching purposes. During the matching phase, the face image is first queried. Subsequently, similar training and feature extraction processes will be carried out using the queried face image to generate an unprotected binary template. The unprotected template is then divided into n k-bit blocks as the inputs of the underlying hash function. The n outputs of the hash will then be compared with the hashed codes stored in the database. The matching is successful if i out of n outputs of the hash are matched where i must be greater than the pre-defined threshold value. The proposed scheme is interesting as a random key is chosen and is embedded during face extraction and training processes to generate an unprotected binary template while no key is needed to secure the unprotected binary template. If the template is compromised, a new key will be selected and the training process must be carried out again to re-generate a new unprotected binary template. Thus, Pandev et al. claimed that their scheme offers the property of cancellability without using key (where no key is needed after the feature extraction and training processes). This idea is different with typical template protection schemes where key is needed in securing the unprotected template to offer the property of cancellability. The size of protected template is of n × k bits. In the experiment performed by Pandev et al. using two different datasets (i.e. CMU PIE and Extended Yale B), the size of a protected template is of $64\times 1024=65536$ bits. Since a typical feature extraction method does not involve any key, we propose a template protection scheme involving a key after the feature extraction method. Our proposed scheme enjoys the benefit that one does not need to focus on the training and feature extraction processes of the underlying biometrics and our scheme can be generalised to other biometric modalities with real value representation. Other than the brute-force attack examined by Pandev et al. on their proposed method, we also provide extensive analysis on different security concerns of our proposed template protection scheme.

Biometric cryptosystems [30] can broadly be divided into key-binding and key-generation. The representative instances of key-binding schemes are fuzzy commitment [31] and fuzzy vault [26]. Fuzzy commitment scheme was first proposed by Juels and Wattenburg. Fuzzy commitment is a two-steps algorithm consisting of commitment and decommitment. The fuzzy commitment scheme F commits a random codeword c using a one-way hash function h and a template x, where both c and x can be expressed as n-bit strings. Mathematically, we have $F(c,x)=\left(h\right(c),x-c)$ and the output is stored in the database. To decommit a query, x′ denoted as the witness is used such that the extracted commitment $c^{\prime }=f(x^{\prime }-(x-c))$ where f is the decommit function. Decommitment is successful if $h\left(c\right)=h\left(c^{\prime }\right)$.The decommitment can always succeed if the distance between the query and the template is less than approximate half the minimum distance. In this case, the minimum distance is considered as the minimum Hamming distance between two codewords encoded by an error-correcting code.

The fuzzy commitment scheme was first realized by Inthavasis and Lopresti [32] who proposed password based cryptographic key regeneration. They utilized Dynamic Time Warping (DTW) on the extracted feature vector and mapped DTW features to a binary string called feature descriptor. Subsequently, the feature descriptor was used to define distinguishing features. The template was hardened by perturbing the template many times and one of the stable features is extracted each time. The extracted feature will be the key in DTW. The process continued until the distinguishing descriptor had less than or equal to half of the feature vector length. Finally, the harden template was fed through the transformation, permutation and key binding processes using fuzzy commitment framework. It was shown that the security of this scheme is dominated by the password instead of the biometric feature [32].

Billeb et al. [33] proposed to construct a voice protection scheme based on the Universal Background Model (UBM). The proposed scheme binarized the supervector derived from UBM and an adapted fuzzy commitment scheme was used as the basis for the template protection scheme. Even though security analysis against unlinkability and privacy protection was provided, the proposed scheme still suffers from ARM when both key and the difference vectors are compromised. The adversary can exploit the compromised information to reconstruct the template stored in the database.

Paulini et al. [34] proposed the use of multi-bit allocation instead of single bit allocation. Different to Billeb’s work, the proposed scheme divided the feature space into 2^k intervals and encodes each interval with k bits. A modified fuzzy commitment scheme was then applied on the binarized features. Their work outperformed the single bit allocation approach and preserved the performance of the recognition system with lesser degradation in the recognition ability. However, similar to Billeb’s work, the presented scheme was vulnerable to ARM.

On the other hand, fuzzy vault scheme was proposed by Juels and Sudan [26]. The general idea of the proposed fuzzy vault scheme is to lock the secret key k under an unordered set A. A polynomial p was selected in such a way that it is able to encode k into variable x. Random chaff points that do not lie on p were then added to set A, creating a vault which consists of collection of points which lie on p and chaff points. To unlock the key k by the means of set B, if B overlaps substantially with A, the collection of points that lie on polynomial p can be determined. Using these points, with error correction ability, the polynomial p can be reconstructed and thereby key k.

Johnson et al. [35] proposed a vaulted verification protocol, where a challenge-respond protocol and fuzzy vault were used in their security scheme. This work used the same database as the work [32] and the results had shown that it was able to achieve a better performance as compared to [32] under the scenario that all the keys had been compromised. The user voice feature was first separated into several blocklets and a chaff/fake blocklet was added to each real blocklet, forming many pairs of real and chaff blockets. These pairs were then encrypted by password and stored in the template. During the authentication phase, the template was first decrypted and a challenging bitstring was generated such that real block represents “0” and chaff block represents “1”. The pairs were then randomly swapped. The score computation was carried out by matching the bitstring response given by the user with the template. However, limited biometric information such as limited voice samples will not be able to vary the data in the challenge-response process due to lesser pairs of real and chaff blocks and thus the adversary will have higher probability in guessing the correct response [35].

As biometric cryptosystems have limitations such as unable to generate multiple unlinkable templates, a hybrid approach of combining cancellable biometrics with biometric cryptosystems is proposed to overcome such limitation [12]. As the name implied, hybrid biometric cryptosystem is a combination of two or more template protection schemes such as bio-hashing with fuzzy vault scheme and key-binding scheme with non-invertible transformation [36]. Hybrid biometric cryptosystem reaps the benefit of cancellable properties from cancellable biometric while providing stronger security and privacy protection inherited from biometric cryptosystem. An instance of hybrid biometric cryptosystem is the cancellable speech template based on chaff point mixture method proposed by Zhu et al. [37] where a two-step hybrid approach (i.e. random projection and fuzzy vault) was used. The voice feature matrix was first randomly projected into another feature space and chaff points were added to the projected space instead of directly to the original feature matrix. Binary indices were used to bind the points and accumulator of genuine indices (key) were calculated using OR operator. The key will be sent to the matcher to filter out the genuine points from query using AND operator. The proposed work had shown that it was able to preserve the performance of the recognition system, however the security of the proposed work is not analyzed in detail as ARM analysis and lost key scenario were not considered. In the event that the binary indices and the key are compromised, the adversary will be able to differentiate the genuine points from randomly added chaff points.

Feng et al. [38] proposed a three-step hybrid framework for face template protection. A random projection matrix was first applied to the original biometric template to provide cancellability. To strike the balance between the security and the recognition performance, a class distribution preserving transform was then used to enhance the discriminatory power of the template and at the same time convert the template from real value to binary space. A distance function and thresholding were used in such a way that if the distance measured between the distinguishing points and the template is lower than the threshold, a “0” bit is generated, otherwise “1” bit is generated. The final step of the proposed framework was to hash the generated binary template using MD5 hashing algorithm. The proposed work had shown a significant improvement on the recognition performance; however the proposed work was vulnerable to several security attacks. Wang and Yu [39] had outlined several drawbacks of using MD5 hash and concluded that finding a collision for MD5 is feasible.

From the existing voice template protection schemes, we have observed that there are several issues that need to be addressed as follows:

• Robustness to attacks: It is observed that most of the speech template protection schemes were vulnerable to different attacks such as attack-via multiplicity (ARM) and stolen-token attacks. The vulnerability of the scheme is most likely due to the high correlation between the templates generated using the same biometric feature. Hence, the adversary is able to derive the original template by analyzing multiple compromised templates. Thus there is an urgent need to ensure that the generated templates are independent to each another, fulfilling the unlinkability and revocability criteria.

• Performance degradation: It can be seen from [32] and [36] that the transformation of the biometric feature from one space to another will cause the loss of the discriminative features. Thus, it will result in the increase of the intra-class variation and eventually lead to the drop of accuracy in the performance. Therefore, the template protection scheme should be able to preserve the performance of the system as much as possible while providing sufficient security protection.

In this paper, we propose a cancellable transform named Random Binary Orthogonal Matrices Projection (RBOMP) hashing, for the well-known voice representation, namely i-vector [2] to address the aforementioned security and privacy issues. Our proposed method is inspired from a hashing method, i.e. Winner Takes All [40] which is designed for the task of fast similarity search initially. Our main contributions are listed as follow:

• We proposed a cancellable transform e.g. RBOMP hashing to project the biometric feature to ordinal space using binary orthogonal matrices which will induce a strong non-invertible property and is resilient to small intra-class variation simultaneously.

• Prime Factorization (PF) feature is proposed to further enhance the security and privacy, more specifically, a many-to-one function, namely prime factorization approach together with a user-specific key, are incorporated.

• Security and Performance analysis. Through analysis on the security and performance of the proposed method are given to justify the common tradeoff of security and performance.

• Attack-via-Multiplicity (ARM) analysis. Extensive theoretical and simulation analyses on ARM are conducted to boost confidence towards the security against this major attack.

For the rest of the paper, a brief introduction to the generation of i-vector is provided in Section 2. Section 3 presents the proposed RBOMP hashing in detail. Section 4 demonstrates the experimental results and general security analysis. Besides, Section 5 provides detailed ARM analysis. Finally, an outline of the conclusion for this work is given in Section 6.