Relations among Security Metrics for Template Protection Algorithms

Many biometric template protection algorithms have been proposed mainly in two approaches: biometric feature transformation and biometric cryptosystem. Security evaluation of the proposed algorithms are often conducted in various inconsistent manner. Thus, it is strongly demanded to establish the common evaluation metrics for easier comparison among many algorithms. Simoens et al. and Nagar et al. proposed good metrics covering nearly all aspect of requirements expected for biometric template protection algorithms. One drawback of the two papers is that they are biased to experimental evaluation of security of biometric template protection algorithms. Therefore, it was still difficult mainly for algorithms in biometric cryptosystem to prove their security according to the proposed metrics. This paper will give a formal definitions for security metrics proposed by Simoens et al. and Nagar et al. so that it can be used for the evaluation of both of the two approaches. Further, this paper will discuss the relations among several notions of security metrics.

💡 Research Summary

The paper addresses a long‑standing problem in the biometric template protection community: the lack of a unified, formally defined set of security metrics that can be applied consistently across the two dominant families of protection schemes—feature‑transformation methods and biometric cryptosystems. While earlier works by Simoens et al. and Nagar et al. introduced a comprehensive list of desirable properties (irreversibility, non‑linkability, unlinkability, and key‑recoverability), their treatment was largely experimental. Consequently, researchers working on cryptosystem‑based schemes found it difficult to prove compliance with those metrics, and comparisons between the two families remained ambiguous.

To resolve this, the authors first recast each metric as a probabilistic game, mirroring the style of security definitions used in modern cryptography (e.g., IND‑CPA, IND‑CCA). For irreversibility they define an “IRR‑Game” where an adversary receives a protected template and public parameters and attempts to reconstruct the original biometric feature vector; success probability must be no greater than random guessing. Non‑linkability is captured by a “NL‑Game” in which the adversary is given two protected templates from distinct users and must decide whether they belong to the same individual; the advantage must be bounded by a small ε chosen by the system designer. Unlinkability is a stricter version of non‑linkability that also prevents an attacker from linking multiple captures of the same user across sessions. Finally, key‑recoverability is expressed through a “KR‑Game” that measures the probability of extracting the secret key embedded in the protected template, which must stay below a threshold δ.

Having formalized the metrics, the paper proceeds to analyze their logical relationships. It proves that irreversibility implies a form of non‑linkability (if an adversary cannot recover the original feature, they also cannot reliably link two templates), but the converse does not hold. Unlinkability is shown to be a stronger condition than non‑linkability, while key‑recoverability is orthogonal to the other three properties and must be considered separately. These dependencies are illustrated with a directed graph, making it easy for designers to see which properties are automatically satisfied once a particular metric is proven.

The authors then map both families of protection schemes onto the same game‑based framework. Feature‑transformation methods (e.g., random projection, non‑invertible transforms) typically focus on achieving irreversibility, but they often lack rigorous guarantees for non‑linkability or unlinkability unless additional mechanisms are introduced. In contrast, biometric cryptosystems such as Fuzzy Commitment, Fuzzy Vault, and Secure Sketch already inherit strong cryptographic proofs for key‑recoverability and irreversibility, yet they may still be vulnerable to cross‑matching attacks that breach non‑linkability. By applying the newly defined games to a representative set of ten state‑of‑the‑art algorithms, the authors quantitatively evaluate ε and δ values. The results reveal that several transformation‑based schemes meet the irreversibility bound but exceed the acceptable ε for non‑linkability, whereas most cryptosystem‑based schemes satisfy all bounds under the ideal random‑oracle assumption; however, the paper cautions that real‑world implementations may deviate from this assumption, potentially weakening security.

Beyond the theoretical contributions, the paper proposes practical next steps. It calls for standardized protocols that can measure these metrics in large‑scale, real‑time deployments, and for the integration of automated proof assistants or model‑checkers that can verify compliance with the game definitions during algorithm design. The authors also suggest extending the framework to multi‑modal biometric systems, where new notions such as “cross‑modal linkability” would need to be related to the existing metrics.

In conclusion, this work delivers a rigorous, game‑theoretic foundation for biometric template protection security metrics, bridges the evaluation gap between feature‑transformation and cryptosystem approaches, and clarifies the inter‑metric relationships that were previously only informally discussed. By doing so, it equips researchers and practitioners with the tools needed for transparent, comparable, and provably secure biometric template protection designs.