262 IEEE TRANSACTIONS ON INFORMATION FORENSICS AND SECURITY, VOL.

16, 2021

SecureFace: Face Template Protection

Guangcan Mai , Member, IEEE, Kai Cao , Xiangyuan Lan ,
and Pong C. Yuen , Senior Member, IEEE

Abstract— It has been shown that face images can be

reconstructed from their representations (templates). We propose
a randomized CNN to generate protected face biometric
templates given the input face image and a user-specific key. The
use of user-specific keys introduces randomness to the secure
template and hence strengthens the template security. To further
enhance the security of the templates, instead of storing the key,
we store a secure sketch that can be decoded to generate the key
with genuine queries submitted to the system. We have evaluated
the proposed protected template generation method using three
benchmarking datasets for the face (FRGC v2.0, CFP, and
IJB-A). The experimental results justify that the protected
template generated by the proposed method are non-invertible
and cancellable, while preserving the verification performance.
Index Terms— Biometric, template security, deep templates,
template protection, randomized CNN, protected templates.
I. I NTRODUCTION
B IOMETRIC recognition systems are being widely
deployed in security-sensitive (e.g., personal devices1 and
border security2) and privacy-aware applications (banking3
and patient ID4 ). It is critical to protecting the biometric data
stored in the system because biometrics is unique and irrevo-
cable once it is compromised [1]. To ensure the security and
privacy, biometric vendors generally store biometric templates,
representations of raw biometric data (e.g., face images),
instead of raw biometric data in the systems. However, recent
studies show that, raw biometric data can be reconstructed
from plaintext biometric templates (Fig. 1) and then used to
access the target system and identify the target users (e.g.,
face [2], [3], fingerprint [4], and iris [5]). Thus, biometric
templates stored in the systems have to be protected.
One straightforward approach to protect biometric templates
is to use standard ciphers [6] such as SHA-3. However, due
Manuscript received December 28, 2019; revised April 19, 2020 and
June 9, 2020; accepted July 6, 2020. Date of publication July 15, 2020;
date of current version July 31, 2020. This work was supported in part by
the Hong Kong RGC under Grant HKBU 12200820. The associate editor
coordinating the review of this manuscript and approving it for publication
was Prof. Raymond Veldhuis. (Corresponding author: Pong C. Yuen.)
Guangcan Mai was with the Department of Computer Science, Hong Kong
Baptist University, Hong Kong. He is now with the Lenovo Machine Intelli-
gence Center, Hong Kong (e-mail:
Fig. 1. Security and privacy issues introduced by inverting biometric
templates. Raw biometric data (e.g., face and fingerprint images) can be
reconstructed from the corresponding templates stored in the system. The
reconstructed data can then be presented to authentication systems to get
access (security issues) and identified by a biometric search engine (privacy
issues).
to the intra-subject variation in biometric templates and the
avalanche effect [6] of standard ciphers, biometric templates
must be decrypted before comparison.5 This is different
from traditional passwords that can be compared in their
encrypted (hash) form. Another possible cipher for the pro-
tection of biometric templates is homomorphic encryption [9],
[10]. Such encryption approaches compare templates in their
encrypted form to give the encrypted results, which are
then decrypted to yield the decision. However, homomorphic
encryption is computationally expensive, especially for high-
dimensional biometric templates. It also suffers from the
same key management issue as most homomorphic encryption
construction [9], in which the decryption key of the encrypted
results can be used to decrypt the encrypted templates. An
alternative approach is the use of biometric template protection
schemes [11]–[13], which generates a pseudonymous identifier
(PI)6 and auxiliary data (AD)7 from the plaintext enrollment
template and store them in the systems. During authentication,
the stored PI is compared directly with the PI* generated from
the query template and the stored AD. The generally agreed
criteria for template protection schemes [11]–[14] are:
• Non-invertibility (security): It should be computationally
infeasible8 for the protected templates (PI and AD) to be
inverted into the plaintext biometric template or recon-
structed into the raw biometric data.

[email protected]).
Kai Cao was with the Department of Computer Science and Engineer- 5 To our knowledge, there are two available methods to directly compare
ing, Michigan State University, East Lansing, MI 48824 USA (e-mail: the biometric templates in their hash form [7], [8]. However, only constrained
[email protected]). datasets are used in their evaluation, and the samples of all enrolled subjects
Xiangyuan Lan and Pong C. Yuen are with the Department of Computer are used to train the template extractor.
Science, Hong Kong Baptist University, Hong Kong (e-mail: xiangyuanlan@ 6 Unless specified otherwise, the variables with a superscript ‘∗’ denote data
life.hkbu.edu.hk; [email protected]). processed at the query stage and correspond to the data processed at the
Digital Object Identifier 10.1109/TIFS.2020.3009590 enrollment stage (e.g., a query raw biometric data x ∗ and an enrollment raw
1 https://www.apple.com/iphone-x/#face-id
biometric data x.)
2 http://fortune.com/2016/09/12/border-security-biometrics/ 7 We use the terms ‘PI and AD’ and ‘protected template’ interchangeably,
3 http://www.citibank.com.hk/english/ways-to-bank/voice-biometrics.htm because they are the secure form of plaintext biometric templates.
4 https://www.kairos.com/human-analytics/healthcare 8 Cannot be solved using an algorithm with polynomial complexity.

1556-6013 © 2020 IEEE. Personal use is permitted, but republication/redistribution requires IEEE permission.
See https://www.ieee.org/publications/rights/index.html for more information.

Authorized licensed use limited to: WASHINGTON UNIVERSITY LIBRARIES. Downloaded on August 25,2021 at 17:44:37 UTC from IEEE Xplore. Restrictions apply.
MAI et al.: SECUREFACE: FACE TEMPLATE PROTECTION
• Cancellability (revocability and unlinkability): A new
protected template can be generated for a subject whose
template is compromised. Besides, different templates of
a subject can be generated for different applications.
• Verification performance: The protected templates must
be discriminative enough to satisfy the requirements for
authenticating a person.
This work aims at generating protected or secure biometric
templates from raw biometric data. State-of-the-art approaches
for generating protected templates are based on two-stage
approaches (i.e., template extraction followed by template pro-
tection). For such an approach, the biometric templates are first
extracted from raw biometric data using a template extractor
(e.g., Eigenface [15], deep templates [16]) which is generally
optimized for verification performance only. The template
protection schemes (e.g., feature transformation [17]–[19],
biometric cryptosystems [20]–[24] and hybrid approaches
[14]) are then applied on the extracted templates. There are
two limitations with such two-stage approaches: (a) the two
stages (i.e., template extraction and template protection) can
be attacked individually by adversaries with knowledge of the
template extractor and the template protection methods. (b) the
template extractors used to extract biometric templates are
generally optimized to improve the verification performance,
whereas the security-related objectives are often neglected and
can only be improved at the stage of template protection.
This usually causes a significant trade-off issue between ver-
ification performance and template security because they are
not optimized jointly. Besides, the entropy (security) of the
protected templates is upper bounded by the entropy of the
extracted templates. Otherwise, adversaries can directly guess
the extracted templates for an easier attack.
To address these limitations, we propose an end-to-end9
approach for generating protected biometric templates. Specif-
ically, the proposed approach includes a randomized CNN and
a secure sketch construction components. With these two com-
ponents, we formulate two loss functions (i.e., a randomized
triplet loss and an orthogonal triplet loss) to jointly optimize
the verification performance and the security of the resultant
protected biometric templates. Different from typical template
extractors which generate templates based on raw biometric
data only, the proposed randomized CNN generates templates
additionally depending on user-specific keys, to introduce
randomness into the protected biometric templates.
To train the randomized CNN, we propose a randomized
triplet loss, aiming to make the protected templates sufficiently
similar given the same user-specific key, and the input raw
biometric data coming from the same subject. A typical system
with the randomized CNN is required to store the enrollment
templates extracted from the raw biometric data, and the
corresponding keys in the enrollment stage, where the stored
keys are needed for extracting query templates from the raw
biometric data in the query stage. However, the stored keys
would make it easy to invert the enrollment template once
the keys are compromised, which is not secure. To avoid
9 The ‘end-to-end’ refers that the model for extracting protected templates
in this paper can be optimized in an end-to-end way.
Authorized licensed use limited to: WASHINGTON UNIVERSITY LIBRARIES. Downloaded on August 25,2021 at 17:44:37 UTC from IEEE Xplore. Restrictions apply.
263
key storage, we store the secure sketches generated from the
keys and binary intermediate features of the randomized CNN.
With this construction, the keys can be decoded from the
secure sketch at the query stage only if the query biometric
data is sufficiently similar to the enrollment biometric data.
To improve the decoding success rate of the secure sketches
for genuine queries and strengthens the security of the secure
sketches, we propose an orthogonal triplet loss for optimizing
the binary intermediate features. In a nutshell, this paper makes
the following contributions:
• A randomized CNN to generate protected deep biometric
templates, which depend on both raw biometric data (e.g.,
face images) and user-specific keys.
• A randomized triplet loss to train the randomized CNN.
The protected deep biometric templates are similar for
biometric data of the same subject with the same user-
specific key, and different sufficiently otherwise.
• A secure system construction using the randomized CNN
without storing the keys. We store the secure sketches
generated from the keys and binary intermediate features
of the randomized CNN.
• An orthogonal triplet loss to extract the binary intermedi-
ate features, which are used to generate the secure sketch.
• Evaluation and analysis based on three face benchmark-
ing datasets (FRGC v2.0 [25], CFP [26] and IJB-A [27]
demonstrate that the proposed method satisfies the criteria
for template protection schemes [11], [13], i.e., non-
invertibility (security), cancellability (unlinkability and
revocability), while maintaining verification performance.
II. R ELATED W ORK
A. Template Reconstruction Attack
It was believed that templates extracted from raw biometric
data are not possible to be inverted back. However, it has been
demonstrated that such inversion can be done on face [2],
[3], fingerprint [4], and iris [5]. In general, a realistic threat
to biometric systems under template reconstruction attack is
analogous to a chosen-plaintext attack in cryptography, where
the input biometric data and templates are regarded as plaintext
and ciphertext, respectively. To achieve the attack, the adver-
sary typically requires the following knowledge: (a) The
templates of the target subject (This is usually caused by either
database leakage or insider attack). (b) The template of any
input biometric data (This can be introduced by subscribing a
(black-box) template extractor (biometric SDK) of the target
system or standardized templates (e.g., fingerprint minutiae
[28])). With the above knowledge, a typical strategy for an
adversary is to first learn an inversion function of the template
extractor by collecting biometric input data and then inverting
the templates of the target [3].
A straightforward countermeasure for the template recon-
struction attack is to strengthen the security of template
databases to avoid the database leakage and the insider attack.
However, even with strict security measures, it is impossible to
avoid the database leakage completely10, .11 To further protect
10 https://goo.gl/QUMHpv
11 https://goo.gl/KdxzqT
264
Fig. 2. An overview of the proposed secure system construction with the proposed randomized CNN. The protected deep templates {S S, prpt , y p } stored in the
system satisfy the criteria for template protection, i.e., non-invertibility (security), cancellability (unlinkability and revocability), and verification performance.
biometric systems from template reconstruction attack, it is
suggested to secure the templates using template protection
schemes [11]–[13].
B. Biometric Template Protection
Unlike traditional passwords that can be compared in their
encrypted or hash form with standard ciphers (e.g., AES and
SHA-3), biometric templates cannot be compared in such form
due to typical intra-user variations [11], [13] and the avalanche
effect of standard ciphers [6]. Biometric template protection
[11]–[13] aims to create a secure form of the templates, and
then the comparison can be performed in the secure form.
Specifically, in the enrollment stage, biometric template pro-
tection schemes generate PI and AD from plaintext enrollment
template and store them in the systems. In the query stage,
PI* is first generated from the query template with the stored
AD and then directly compared with the stored PI, without
revealing the plaintext enrollment template.
Biometric template protection schemes that are designed
for compact binary or real-valued vectors can be categorized
into feature transformation [17]–[19], biometric cryptosystems
[20]–[24] and hybrid approaches [14]. Please refer to [11] for
detailed analysis about the security and cancellability of the
biometric template protection schemes.
A trade-off exists between verification performance and
template security because of the two-stage process that uses
template protection schemes after extraction of biometric
templates. This trade-off exists because the biometric template
extractors are generally optimized for improving template
discriminability, whereas the security-related objective is often
Authorized licensed use limited to: WASHINGTON UNIVERSITY LIBRARIES. Downloaded on August 25,2021 at 17:44:37 UTC from IEEE Xplore. Restrictions apply.
IEEE TRANSACTIONS ON INFORMATION FORENSICS AND SECURITY, VOL. 16, 2021
neglected and can only be improved in the module of tem-
plate protection. Besides, the two-stage process is vulnerable
because the modules of template extraction and protection can
be attacked individually.
III. T HE P ROPOSED A PPROACH
An overview of a secure system constructed with the
proposed randomized CNN is shown in Fig. 2. In the training
stage, the neural network is jointly optimized by the random-
ized triplet loss Lrt and the orthogonal triplet loss Lot in an
end-to-end manner. The processes of enrollment and query are
shown with blue and red lines, respectively.
A. Secure System Overview
This section first mathematically describes how the
enrollment and query of a biometric verification system can be
performed with the proposed randomized CNN (Section III-B)
and the secure sketch construction (Section III-C). Then,
the requirements for the protected templates to satisfy the
criteria for template protection are also discussed.
Enrollment: Given an enrollment image x, a user-specific
key k ∈ {0, 1}m , and a user-specific permutation vector pr pt ,
our system’s enrollment process E(·) generates and stores a
randomized template y p and a secure sketch SS,
y p , SS = E(x, k, pr pt ) (1)
where the secure sketch SS ∈ {0, 1}n , (n ≥ m). Note that the
key k is not stored in our system and is decoded from the
stored secure sketch SS at the query stage. The permutation
MAI et al.: SECUREFACE: FACE TEMPLATE PROTECTION
vector pr pt = { pr1pt , · · · prr pt , · · · prRpt }(R > n) and satisfy that
∀r  ∈ {1 · · · R}, ∃r  = prr pt . Here, the randomized template
y p refer to the PI, the secure sketch SS and the permutation
vector pr pt refer to AD, in a system with a template protection
scheme [11]–[13].
Query: Given a query image x ∗ , the secure sketch SS as
well as the permutation vector pr pt stored in the system, our
system’s query process Q(·) first generates a query template
y∗p ,
y∗p ∗
= Q(x , SS, pr pt ) (2)
The decision of accepting or rejecting the query image x ∗
is then made on the basis of the similarity scor e( y p , y∗p )
between the enrollment and query templates. To ensure that
the protected templates (PI: y p and AD: SS, pr pt ) stored in
the constructed secure system satisfy the criteria for template
protection [11]–[13], it is required to achieve the following:
• Non-invertibility (security): It is not computationally
feasible to reconstruct (synthesize) the enrollment image
x from the stored randomized template y p , the secure
sketch SS and the permutation vector pr pt .
• Cancellability (revocability and unlinkability): A new
set of a randomized template y p , a secure sketch SS, and
a permutation vector pr pt can be generated for the target
subject whose template is compromised. There is no
method to determine whether two randomized templates
(e.g., y1p and y2p ) or two secure sketches (e.g., SS 1 and
SS 2 ), or two permutation vectors (e.g., pr1pt and pr2pt ))
are derived from the same subject or not, given the
different subject-specific keys.
• Verification performance: The similarity between the
enrollment template and the genuine query template
should be maximized if the same key is given. Otherwise,
the similarity should be minimized.
B. Randomized CNN
The randomized CNN is obtained by embedding random-
ness into a CNN. The randomized CNN generates a random-
ized template y p and an intermediate feature bB using an
input image x and a key k, which indicates the random-
ness embedded within the deep network. The randomized
template y p is then used as the PI in the system, and the
intermediate feature bB will be used to construct the secure
sketch SS (AD in the system, see section III-C). To satisfy
the criteria for template protection, we introduce the RandNet
into the CNN for producing the randomized template y p .
With the discriminability preserved, the randomized templates
y p extracted from the same images x with different keys
k differ significantly and cannot be matched to each other.
Besides, there is no way to invert the randomized templates
y p back into the input image x without the corresponding
keys k, which is assumed here to be secure and is discussed
in sections III-C.
The randomized CNN consists of three components:
a feature extraction network f ext (·), a random partition
fr pt (·, pr pt ), and the RandNet frnd (·, k), which is a fully con-
nected neural network with key k-based randomness (Fig. 2).
Authorized licensed use limited to: WASHINGTON UNIVERSITY LIBRARIES. Downloaded on August 25,2021 at 17:44:37 UTC from IEEE Xplore. Restrictions apply.
265
The feature extraction network f ext (·) is a convolutional
network with at least one fully connected layer for extraction
of intermediate features. It can be constructed using the
convolutional part of a popular CNN such as ResNet [29].
Let b denote the extracted intermediate feature to be sent to
the random partition, we have
b = f ext (x) (3)
The random partition fr pt (·, pr pt ) separates the intermediate
feature b into two parts, b A and bB ,
b A , bB = fr pt (b, pr pt )
s.t.b A = {b pr1pt , · · · , b p R−n }
r pt
bB = {b p R−n+1 , · · · , b p R } (4)
r pt
r pt
where b A would be sent to the RandNet for extraction of
the randomized template y p , and bB is used to construct the
secure sketch SS. Note that to avoid the linkability between the
protected template y p and the secure sketch SS, the elements
in b A and bB are designed to be mutually exclusive. Besides,
the permutation vector pr pt for random partition are designed
to be specific to both the subject and the application to further
enhance the security and privacy of the resulting templates.
The RandNet uses an intermediate feature partition b A and
a subject-specific key k as input to produce the protected
template,
y p = frnd (b A , k) (5)
The RandNet introduces the key k-based randomness and
is the key component in the randomized CNN. We have
introduced two types of randomness in the RandNet: ran-
dom activation and random permutation-flip. In the RandNet,
we first create a different subnetwork from a father network
via random activation and deactivation of its neurons according
to the key k, where the template y with partial randomness is
produced. Then, with our random permutation-flip, the ele-
ments in the template y are randomly permuted, and the
signs of randomly selected elements are flipped, depending
on the key k. The output template is the final randomized
template y p .
1) Random Activation: Given a neural network with all
neurons activated, various subnetworks can be created by
random deactivation of some neurons. An example is shown
in Fig. 3, in which the networks in Figs. 3(b), 3(c), and 3(d)
are subnetworks created from the father network in Fig. 3(a)
by random deactivation of half of the neurons in each layer.
With random activation, an L-layer father neural network
with h l (1 ≤ l ≤ L) neurons at each layer will have N L
subnetworks,

L
h 
NL = l
dl (6)
l=1
where dl denotes the number of the neurons at layer l to
be deactivated. The random activation can be regarded as
randomly assigning a subnetwork to an enrollment subject, for
which the assignment is indicated by the key k. Specifically,
the activation of the neurons are indicated by a randomly
266 IEEE TRANSACTIONS ON INFORMATION FORENSICS AND SECURITY, VOL. 16, 2021

Fig. 3. Subnetworks produced by a standard network with random activation, in which the black and white circles denote ‘activated’ and ‘deactivated’
neurons, respectively. (a) Standard network with all neurons activated; (b), (c), and (d) are different subnetworks obtained by random deactivation of some
neurons.

generated binary string, where the corresponding random seed where s k ∈ {+1, −1} A is a randomly (uniformly distrib-
depends on the key k. uted) generated sign vector, based on the key k. Note that
There are two requirements for the subnetworks: (a) the information on the order and sign of the elements ym in the
templates extracted using the subnetworks should be discrim- enrollment template y is necessary to invert the template [2],
inative, and (b) the templates extracted from the same subject [3], analyze the linkability, and perform comparison. This is
should be sufficiently different while different keys are given. because that in general, each element of a template vector,
To these ends, motivated by the Dropout technique [30] and represents a different semantic meaning. Examples like the
the triplet loss [31], we formulate a randomized triplet loss to projection on the different basis for most component analysis,
directly train the father network, whose neurons are randomly e.g., PCA [15]. Suppose that the cosine similarity is used
deactivated depending on keys. Thus, the subnetworks are for calculating the comparison score between templates when
implicitly trained. Specifically, the randomized triplet loss Lrt applying the random permutation-flip, it can be shown that:
aims to minimize the distance of positive pairs given the same (a) Score-Preserving: if the same key is given, the similarity
key and maximize the distance of positive pairs given the score between two templates is preserved. Therefore, as long
different keys and negative pairs. Mathematically, the Lrt can as the key is known, the discriminability of the randomized
be expressed as template is well-preserved. (b) Zero-Expectation: if different
keys are given, the expectation of the similarity score between
1  
Q
pos 2 two templates is zero, where the range of the cosine similarity
Lrt = D pos − yq,k
anc
− yq,kq 2 + αrt
Q q
+ is [-1,1]. Note that the cosine similarity of zero would not
q=1
  be classified as the same subject in typical face verification
neg
+ D pos − yq,k
anc
− yq,kq 22 + αrt systems.12
+
q
 The cosine similarity between the enrollment template y
anc neg 2
+ D pos − yq,kq − yq,k  2 + αrt (7) and the query template y∗ can be expressed as
q +
pos y T y∗ 1 
A
where D pos = yq,k anc − y
q
2
q,kq 2 denotes the distance of the scor e( y, y∗ ) = = ya ya∗ (9)
positive pairs given the same key. The size of a mini-batch y · y∗ y · y∗
a=1
for optimization is Q, given that the randomized CNN is
Score-Preserving: Given the same key k, it can be shown
optimized using a mini-batch based stochastic gradient descent
anc , y pos , and yneg denote the templates of that the cosine similarity between the enrollment and query
(SGD). The yq,k q q,kq q,kq randomized template equal to scor e( y, y∗ ).
anchor, positive, and negative samples in the q-th triplet,
pos neg
where the key kq is given. The yq,k  , and yq,k  denote the  ( y kp )T y∗,k
p
q q
corresponding templates of positive and negative samples, with scor e y kp , y∗,k =
y kp · y∗,k
p
a different key kq . Note that kq and kq are two different keys
p

which are uniformly sampled for every triplet in the training 1 

A

stage. The αrt is a margin that is enforced between positive = (sak )2 y pak y ∗p k
y · y∗ a
a=1
pairs given the same key and the other pairs.
2) Random Permutation-Flip: Given an enrollment template 1 
A
= ya ya∗ = scor e( y, y∗ )
y = {y1 , · · · , ya , · · · , y A } extracted from the deep networks y · y∗
a=1
with random activation, we further embed the randomness by
(10)
random permutation-flip. The objective is to further enhance
∗,k ∗
the non-invertibility and cancellability of the final randomized Zero-Expectation: Let y kp ( y p ) denote the randomized
template y p . Specifically, let pk = { p1k , · · · , pak , · · · , p kA } template obtained by applying randomized permutation-flip
denote a permutation vector that depends on k and satisfies on templates y ( y∗ ) with keys k (k∗ ). It can be shown that
∀a  ∈ {1 · · · A}, ∃a  = pak , the randomized template given by 12 As reported in [3], with FaceNet [31] and BLUFR [32] as feature extractor
the random permutation-flip can be expressed as and protocol, resp., the mean verification thresholds on LFW [33] and FRGC
v2.0 [25] were 0.51 and 0.80, respectively, at FAR=0.1%, and 0.38 and 0.64,
y kp = {s1k y p k , · · · , sak y pak , · · · , s Ak y p k } (8) respectively, at FAR=1.0%.
1 A

Authorized licensed use limited to: WASHINGTON UNIVERSITY LIBRARIES. Downloaded on August 25,2021 at 17:44:37 UTC from IEEE Xplore. Restrictions apply.
MAI et al.: SECUREFACE: FACE TEMPLATE PROTECTION
the expectation of the scores between templates y kp and y∗,k
p ,
∗,k ∗
E[scor e( y p , y p )] is zero. Please refer to the Supplemen-
k
tary A for the proof.
C. Secure Sketch Construction
To extract a randomized template y∗p that is similar to
y p from a genuine query image x ∗ , the user-specific key k
is required in the query stage. One of the straightforward
methods for providing the key k in the query stage is to
store it in the system in the enrollment stage. However, for
smart adversaries, the availability of the k would significantly
reduce the difficulties of inverting the enrollment template y p
and linking the enrollment templates across systems. Note that
the study of the template protection generally assumes that
adversaries can access to the templates stored in the system.
To solve this problem, we propose to store a secure sketch
SS generated from the key k, instead of the key itself in
the system. The stored secure sketch SS can be successfully
decoded if the query image x ∗ is sufficiently similar to the
corresponding enrollment image x. The similarity can be mea-
sured using the hamming distance between their corresponding
binary intermediate features bB . A successful decoding implies
that the decoded key k∗ is identical to the corresponding
key k.
We now present how the secure sketch SS is constructed
from a key k and an intermediate feature bB that is generated
from the randomized CNN in the enrollment stage. Then
we describe how the key k∗ is decoded from SS with the
corresponding intermediate feature b∗B in the query stage.
Enrollment: Motivated by the fuzzy commitment [20],
the secure sketch SS is generated with the error correcting
code (ECC)
SS = c ⊕ bB
where ⊕ denotes a modulo-2 addition. The codeword c has
length n (same as the length of the bB ) and is obtained by
encoding the key k using a ECC encoder E NCecc (·):
c = E NCecc (k)
Query: In the query stage, the key k∗ can be decoded with
k∗ = D ECecc (b∗B ⊕ SS)
where D ECecc (·) denotes the decoder of the ECC employed
in the system. The decoded key k∗ is identical to k only if the
distance |bB | between features b B and b∗B less than the error
tolerance τecc of the chosen ECC, accordingly to the properties
of ECC [34], [35]. This is because
b∗B ⊕ SS = c ⊕ b B ⊕ b∗B
= c ⊕ (b B ⊕ b∗B )
= c ⊕ b B
Requirements: The requirements related to the construction
of the secure sketch SS are listed as below:
1) Small |bB | for Genuine Queries: For genuine queries,
the SS can be correctly decoded, that is, the decoded key
k∗ = k. According to Eqs.(13) and (14), this requires
Authorized licensed use limited to: WASHINGTON UNIVERSITY LIBRARIES. Downloaded on August 25,2021 at 17:44:37 UTC from IEEE Xplore. Restrictions apply.
267
∗
Fig. 4. Given a ECC with sufficiently large code length n and the average
error tolerance τecc /n, the lower bound and an upper bound of the code
rate [34], [35], i.e., m/n, where m denotes the message length.
that |bB | for genuine queries is less than the error
tolerance τecc of the chosen ECC.
2) Large |bB | for Impostor Queries: The SS should not
be correctly decoded by impostor queries to prevent the
false accept attack and therefore the |bB | for impostor
queries is greater than the error tolerance τecc of the
chosen ECC.
3) High Entropy of Both bB and k: It should be difficult to
obtain (guess) the key k from the SS without genuine
query images x ∗ (or the corresponding genuine features
b∗B ); This requires that the entropy of both the key k
and the entropy of the feature bB are high, because
the adversary can obtain the key k via either directly
guessing or guessing the binary feature bB with Eq. (13).
To fulfill the above requirements, one should first understand
that the entropy m of the message (key k in our construction)
which can be encoded in an ECC codeword c is decreasing
(11) while the corresponding error tolerance τecc increases, accord-
ing to the coding theory [34], [35]. Besides, given a ECC
whose code length n (the size of the codeword c in Eq.(12))
is sufficiently large, there are an upper bound and a lower
bound for the code rate m/n with the average error tolerance
(12) τecc /n [34], [35] (Fig. 4). Therefore, to allow a small error
tolerance τecc and high key entropy m, the minimization of
the intra-subject variations for bB should be weighted more.
(13) Given that bB consists of part of the elements of b, assuming
that the elements of b equally contribute to the satisfication
of the requirements for bB , we optimize the b in the training
stage with the requirements for bB .
To optimize the binary intermediate feature b with desired
properties, i.e., high entropy, minimum intra-subject variations,
and maximum inter-subject variations, we have formulated an
orthogonal triplet loss Lot . Note that instead of optimizing the
binary intermediate feature b in the binary form, we optimize
b by optimizing its relaxed form h,
(14)
b = sgn (h) , h ∈ (−1, 1)|b| (15)
where sgn(h i ) = 1 if h i >= 0 and sgn(h i ) = 0 otherwise,
pos neg
i ∈ {1, · · · , |b|}. Let hanc
q , hq and hq are column vectors
that denote the intermediate features of anchor, positive and
negative samples in the q-th triplet of a mini-batch, we have
268 IEEE TRANSACTIONS ON INFORMATION FORENSICS AND SECURITY, VOL. 16, 2021

formulated the Lot as below:

1  
Q
pos neg 2
Lot = λ hanc
q − hq
2
2 − hanc
q − hq 2 + αot
Q +
q=1
+ μLort h + ωLbin (16)
where αot is a margin that is enforced between positive and
negative pairs. Different from the original triplet loss [31],
we introduce a hyper-parameter λ > 1 to control the fac-
tor of optimizing intra and inter subject variations. This is
because that, to allow an ECC with smaller error tolerance,
it is required to weight more on optimizing the intra-subject
variations. To improve the entropy of the resultant templates,
we introduce the orthogonal term Lot with factor μ to mini-
mize the correlation of binary intermediate features of different
subjects. Mathematically,
Fig. 5. Example images from training datasets: (a) VGG-Face2, (b) MS-
1   anc T neg 2
Q Celeb-1M; and testing datasets: (c) FRGC v2.0, (d) CFP, and (e) IJB-A.
Lort h = (hq ) hq (17)
Q
q=1
A. Experiment Setting
To reduce the binarization loss in the testing stage, we intro-
duce the binarization term Lbin with factor ω, where Lbin can 1) Datasets: We use two large scale face datasets (i.e.,
be expressed as VGG-Face2 [36] and MS-Celeb-1M [37]) for training the
proposed randomized CNN. Three benchmarking face datasets
1 
Q
pos neg (i.e., FRGC v2.0 [25], CFP [26], and IJB-A [27]) are used for
Lbin = |hanc
q |−1 + |hq |−1 + |hq |−1
Q 1 1 1 testing. Example images of these datasets are shown in Fig. 5.
q=1
In the following, we briefly describe these datasets.
(18)
• VGG-Face2 [36] comprises of 3.31 million images
D. Network Architecture of 9,131 subjects downloaded from Google Image
Search. The training partition with 3.15 million images
Input: We use RGB images of size 112 × 112 × 3 as input. of 8631 subjects is used.
Feature Extraction Network: We first employ the ResNet- • MS-Celeb-1M [37] originally contains 10 million images
50 [29] without the fully connected (FC) layers as our con- of 100K subjects. We used the refined MS-Celeb-1M
volutional layers to extract 512 feature maps, whose size are [38] where the images that far from the subject center
3 × 3. The 512 feature maps are then flattened and connected has been removed. The refined MS-Celeb-1M consists
to a fully connected layer of 4096 hidden units, where tanh of 3.8 million images of 85K subjects.
activation is applied. • FRGC v2.0 [25] is a constrained dataset that contains
RandNet: The output of the feature extraction network is frontal face images taken under different illuminations.
then connected to FC layers, i.e., two fully connected layers There are 50K images of 4,003 subjects in FRGC v2.0,
of 512 hidden units, where the ReLU activation is applied on where 16,028 images of 466 subjects (as specified in the
the first fully connected layer. target set of Experiment 1 of FRGC v2.0 [25]) are used
Output: The loss layers for the intermediate features and in this study.
output template are connected on the output of feature extrac- • CFP [26] is an unconstrained dataset, which consist of
tion network (Lot ) and FC layers (Lrt ), respectively (Fig. 2). images from 500 subjects. There are 10 frontal face and
4 profile images for each subject.
IV. P ERFORMANCE E VALUATION AND A NALYSIS
• IJB-A (IARPA Janus Benchmark A) [27] is an
This section evaluates the proposed protected template unconstrained benchmarking dataset, which comprises
generation method according to the criteria of the tem- of 5,712 still images and 2,085 videos from 500 subjects.
plate protection schemes [11]–[14], verification performance,
Note that the images from both VGG-Face2 and MS-Celeb-1M
non-invertibility, and cancellability. Specifically, the trade-off
are preprocessed by [38].13 The images from FRGC v2.0 and
between the verification performance and the non-invertibility
CFP are aligned with landmarks detected by MTCNN [39].
(security) is first analyzed (Section IV-B). Then, the evaluation
The images from IJB-A are aligned with the provided land-
on unlinkability (cancellability) is reported (Section IV-C).
marks. All of the images are cropped to 112 × 112 before
Section IV-D discusses the verification performance of the pro-
being used. Besides, each pixel (in [0,255]) in RGB images
posed method, the accuracy of the state-of-the-art secure face
is normalized to [-1,1] by first subtracting 127.5 and then
templates, and the face templates without protection. Finally,
dividing by 128.
the security of the proposed protected template under various
attacks are analyzed (IV-E). In the following, we describe the
13 Provided with https://github.com/deepinsight/insightface
experimental settings and report the evaluation results.

Authorized licensed use limited to: WASHINGTON UNIVERSITY LIBRARIES. Downloaded on August 25,2021 at 17:44:37 UTC from IEEE Xplore. Restrictions apply.
MAI et al.: SECUREFACE: FACE TEMPLATE PROTECTION
2) Verification Protocols: The evaluation in this paper bases
on verification tasks of FRGC v2.0 [25], CFP [26], and IJB-
A [27]. For FRGC v2.0 and CFP, we report the results based on
our constructed FVC2004 [40] like protocol with 10-fold vali-
dation. Specifically, in each validation, we enroll 10% subjects
with one image in the system. The genuine comparisons are
constructed by comparing all images (excluding the enrollment
image) of the enrolled subjects against the corresponding
enrollment image. The impostor comparison is constructed by
comparing each enrollment subject against one image of all
non-enrolled subjects. On average, for FRGC v2.0, we have
1,556 and 19,544 genuine and impostor comparisons in each
fold. Note that only the frontal faces in CFP are used and
there are 450 and 22,500 genuine and impostor comparisons
in each fold. For IJB-A, we report the results based on the
1:1 verification protocols. Different from typical verification
tasks that the comparison is image-to-image, the comparison
in IJB-A is template-to-template. A template in IJB-A is either
a still image or a sequence of video frames. For the template
of video frames, we fuse them as they can be processed as
a single image by averaging the corresponding output of the
feature extraction network (h). All of the protocols used in
our evaluation are based on 10-fold validation. We report the
average results over the 10 folds.
3) Implementation Details: We implemented the pro-
posed randomized CNN with deep learning framework
MXNet14 [41]. The parameters of the neural network were
initialized using ‘Xavier’ with Gaussian random variables in
the range of [−2, 2] normalized by the number of input neu-
rons. The SGD with a momentum of 0.9 and weight decay of
5 × 10−4 is used for the optimization. To train the randomized
CNN, we first initialize the neural network parameters by
pre-training on VGG-Face2 [36] with SoftMax loss. Then
the randomized CNN is optimized by fine-tuning MS-Celeb-
1M [37] with the proposed randomized and orthogonal triplet
loss. The pre-training is done with 400K batches and the
batch size is set to 64, where the momentum is set to 0 and
the learning rate is 0.1. The finetuning is trained with 400K
batches and each batch has 40 triplets, where the learning
rate is initialized with 0.005 and is divided by 10 at the 40K
iteration.
The parameters αrt and αot in Eqs.(7) and (16) are set to
0.35. In Eq.(16), we set the λ = 2 to focus more on minimizing
the intra-subject variations and set the binarization factor ω =
0.01. To demonstrate the availability of different accuracy-
security trade-off, we train the proposed randomized CNN
with different orthogonal factors, μ ∈ {0.01, 0.02, 0.03, 0.04}.
In the testing stage, we used the BCH [34] codes with the
code length of 2047 as the ECC for generating the secure
sketch. Thus, in each evaluation, we randomly partition binary
intermediate feature b with 4096 elements into 2049 and
2047 elements to construct the b A and bB , respectively.
B. Verification Performance Versus Non-Invertibility
In general, there is a trade-off between the verification
performance and the non-invertibility of the deployed secure
14 Version 0.10.0 from https://github.com/dmlc/mxnet/
Authorized licensed use limited to: WASHINGTON UNIVERSITY LIBRARIES. Downloaded on August 25,2021 at 17:44:37 UTC from IEEE Xplore. Restrictions apply.
269
biometric system. This is because that both the verification
performance and non-invertibility (security) depends on the
error tolerance τecc of the chosen ECC for constructing the
secure sketches. We analyze this trade-off using the curve
of GAR @ (FAR = 0.1%) versus entropy, by varying the
τecc , where the GAR (FAR) denotes the genuine (false) accept
rate. In this section, how the verification performance and
non-invertibility depend on the error tolerance τecc is first
elaborated. Then, the trade-off analysis of the proposed method
is reported.
1) Verification Performance and Error Tolerance τecc :
In terms of verification performance, the constructed system
based on the proposed randomized CNN can be viewed as a
‘and’-based fusion of the decisions made by both the binary
intermediate feature bB and the randomized template y p .
Specifically, a genuine query image x ∗ that can be accepted
by the system requires that: (a) the randomized templates for
enrollment y p and query y∗p are sufficiently similar; and (b) the
distance |bB | between the intermediate features for enrollment
b B and query b∗B is less than the error tolerance τecc (Eq. (14)).
This implies that the GAR given by the intermediate feature bB
dominates the GAR of the overall system, where the threshold
is given by the error tolerance τecc . For the FAR, an impostor
query image can be rejected based on the intermediate feature
bB with the comparison score threshold τecc . If the rejection
is not successful, the impostor query image can be further
rejected based on the randomized template y p .
2) Security and Error Tolerance τecc : The security level
indicates the difficulties of inverting the enrollment template
(both randomized template y p and secure sketch SS) back
to the input image x  . The successfully inverted input image
x  can be used to access the system as the corresponding
enrolled subject. The most straightforward way to synthesize
the image x  is the brute-force attack that directly guesses
the pixel values of the image x  . However, this is infeasible
because the possible combinations of the pixel values are huge,
(112 × 112)256 for an image with size 112 × 112 as used in
this work.
To the best of our knowledge, perhaps the most effective
inverting strategy is to synthesize the image x  by learn-
ing a reconstruction model [3]–[5] which takes randomized
templates y p and secures sketches SS as input. However,
such reconstruction models cannot be learned directly because
the randomized templates y p not only depend on the input
images x, but also the subject-specific keys k. To learn the
reconstruction model, the adversaries have to obtain the key k
first. As mentioned in the second requirement in section III-C,
one could guess the key k by directly guessing k or alterna-
tively guessing the intermediate feature bB [42]. Therefore,
the difficulties for obtaining the key k depends on the easier
way and can be expressed as
Hsys = min{m, H } (19)
where m denotes the message length of the chosen ECC with
given error tolerance τecc and the H denotes the entropy of the
intermediate feature bB . Assuming that the average impostor
Hamming distance (aIHD) generates from the intermediate
feature bB obeys a binomial distribution with expectation
270 IEEE TRANSACTIONS ON INFORMATION FORENSICS AND SECURITY, VOL. 16, 2021

Fig. 6. Trade-off analysis of the verification performance and non-invertibility on FRGC v2.0, where the networks trained with different loss functions are
compared. ‘SoftMax’ (‘Triplet’) corresponds to the setting that the both loss functions (one for the binary intermediate feature and one of the final template)
are SoftMax (triplet) loss. The final template of the remaining models are trained with the proposed randomized triplet loss. The binary intermediate feature
of the ‘RandTri’ is trained with the triplet loss. For (a), the binary intermediate feature of the model named ‘μ = x’ is trained by the proposed orthogonal
triplet loss with parameter μ = x. For (b), the ‘Combined’ denotes the combined results of models named μ = 0.01, 0.02, 0.03, and 0.04.

Fig. 7. Trade-off analysis of the verification performance and non-invertibility on CFP, where the networks trained with different loss functions are compared.
‘SoftMax’ (‘Triplet’) corresponds to the setting that the both loss functions (one for the binary intermediate feature and one of the final template) are
SoftMax (triplet) loss. The final template of the remaining models are trained with the proposed randomized triplet loss. The binary intermediate feature of
the ‘RandTri’ is trained with the triplet loss. For (a), the binary intermediate feature of the model named ‘μ = x’ is trained by the proposed orthogonal triplet
loss with parameter μ = x. For (b), the ‘Combined’ denotes the combined results of models named μ = 0.01, 0.02, 0.03, and 0.04.

E H D and standard variation V H D , then the entropy H can
be measured using the degree of freedom (DOF) [43]
E H D (1 − E H D )
H=
V H2 D
3) The Trade-off Analysis: According to the above analysis,
both the verification performance and security of the con-
structed system depend on the error tolerance τecc of the
chosen ECC (BCH [34], [35] with code length 2047). For
each model, we have summarized the DOF (H ), and the
GAR @ (FAR = 0.1%) versus the message length m of
the chosen ECC by vary the τecc into Figs. 6, 7 and 8. In
these results, the ‘SoftMax’ (‘Triplet’) corresponds to both
loss functions (one for the binary intermediate feature and one
of the final template) for training the randomized CNN are
SoftMax (triplet) loss. For the remaining models (‘RandTri’
and μ = x), the loss function for training their final template
is the proposed randomized triplet loss. The loss function
for training the binary intermediate feature of the ‘RandTri’
is the triplet loss. For Figs. 6(a), 7(a) and 8(a), the loss
function for training the models corresponded to ‘μ = x’ is
the proposed orthogonal triplet loss function with parameter
μ = x. The curves of ‘Combined’ in Figs. 6(b), 7(b) and 8(b)
denote the best results among the four models trained with the
randomized triplet loss and the orthogonal triplet loss with the
parameter μ which is set to 0.01, 0.02, 0.03 and 0.04.
(20) It is observed that, given the system security Hsys , the pro-
posed method achieved the highest verification performance,
GAR@(FAR = 0.1%). Note that the error tolerance τecc of
the chosen ECC and hence different security strengths is pre-
set before deployment. Therefore, the curves of ‘Combined’
in Figs. 6(b), 7(b) and 8(b) show the verification performance
of the proposed method given different security strengths. At
a security level of 56 bits,15 the proposed method are able
to achieve a GAR@(FAR = 0.1%) of 99.81%, 85.36%, and
78.19% on FRGC v2.0, CFP, and IJB-A, respectively. The
best performer of the other compared methods, ‘RandTri’, can
only achieve the corresponding accuracy of 96.99%, 49.07%,
and 49.63%. Besides, it is observed that, the entropy H of
the b B increases with the increase of orthogonal factor, μ.
This validates the effectiveness of the orthogonal terms Lort h
(Eq. (17)) for increasing the entropy of bB .
15 A security level of 53 bits is equivalent to the security strength a system
with an 8-character password (94-character alphabet) [23]

Authorized licensed use limited to: WASHINGTON UNIVERSITY LIBRARIES. Downloaded on August 25,2021 at 17:44:37 UTC from IEEE Xplore. Restrictions apply.
MAI et al.: SECUREFACE: FACE TEMPLATE PROTECTION 271

Fig. 8. Trade-off analysis of the verification performance and non-invertibility on IJB-A, where the networks trained with different loss functions are
compared. ‘SoftMax’ (‘Triplet’) corresponds to the setting that the both loss functions (one for the binary intermediate feature and one of the final template)
are SoftMax (triplet) loss. The final template of the remaining models are trained with the proposed randomized triplet loss. The binary intermediate feature
of the ‘RandTri’ is trained with the triplet loss. For (a), the binary intermediate feature of the model named ‘μ = x’ is trained by the proposed orthogonal
triplet loss with parameter μ = x. For (b), the ‘Combined’ denotes the combined results of models named μ = 0.01, 0.02, 0.03, and 0.04.

C. Unlinkability Analysis Therefore, we report the linkability of different settings using

This section evaluates the linkability of the templates
extracted from the same subject using the proposed
randomized CNN with different keys k (in different
applications). The linkability measures how likely that two
templates are extracted from the same subject instead of
two different subjects [48]. Note that the constructed secure
system stores a randomized template y p (PI) and a secure
sketch SS (AD) for an enrolled subject. There are two
possible ways for the adversaries to link the subjects across
systems: either link the y p or the SS. The secure sketches SS
in our construction are unlinkable because the features bB for
constructing the SS are formed by elements randomly selected
from b, which is the output of the feature extraction network.
The property of the linear ECC16 [11], [34] for analyzing the
linkability of the typical fuzzy commitment construction [20]
is therefore not applicable to SS in our construction.
For the linkability of the randomized templates y p , we ana-
lyze it using the linkability benchmarking metrics D↔ (s) and
sys
D↔ defined in [48]. D↔ (s) is a local score-wise measure
based on the likelihood ratio between the ‘Mated’ and ‘Non-
sys
Mated’ sample score distributions, and D↔ is a global
measure for benchmarking system-wise linkability. A ‘Mated’
(‘Non-Mated’) sample is a pair of enrollment and query
templates extracted from the same (different) subject(s). We
have analyzed the unlinkability of the templates extracted
from the randomized CNN with [48],17 where the results for
FRGC v2.0, CFP and IJB-A are shown in Figs. 9-11, respec-
tively. The ‘Unprotected’ shows the linkability of the templates
extracted without the random activation as well as the random
permutation-flip, where the keys k are not applicable. The
’RandAct’ (’RandPF’) shows the linkability of the templates
extracted with random activation (random permutation-flip)
only. The ’RandAct + RandPF’ shows the linkability of
the templates extracted with both randomizations. Ideally,
the linkability of the randomized templates with different keys
should be the highest one given different comparison metrics.
16 In a linear ECC, any linear combination of codewords is also a codeword.
17 Code from https://github.com/dasec/unlinkability-metric.git
two different metrics, i.e., A and B. Specifically, the metric A
is for the comparison scores calculated by the cos similarity,
which is the comparison function of the system used in this
study. The metric B corresponds to the comparison scores
calculated by first removing sign of elements of the protected
templates and then sorting the elements according to the
numeric value. This is because that the sign and the order of
the elements has been randomly flipped and permuted, resp.,
by the random permutation-flip (Rand-PF). Therefore, higher
linkability can be derived using the metric B if the random
permutation-flip is applied.
It is observed from the Figs. 9-11 that, the linkability
of templates are fairly high while no protection is applied.
sys
Specifically, the D↔ on the FRGC v2.0, CFP, and IJB-A
are 0.9987, 0.9821, and 0.9079, respectively. The linkability
of the templates is partially reduced on all three datasets if
only the random activation is applied, shown in Figs. 9-11(b),
or random permutation-flip, as shown in Figs. 9-11(c).
Finally, the linkability can be further reduced by using both
the random activation, and the random permutation-flip.
sys
Specifically, no matter which metric is used, the highest D↔
on the FRGC v2.0, CFP, and IJB-A are 0.0139, 0.0214, and
0.0163, respectively, as shown in Figs. 9(e), 10(d), and 11(d).
This implies that the proposed protected template satisfies the
criteria of unlinkability.
D. Discussion of the Verification Performance
1) Secure Face Templates: We have summarized state-of-
the-art secure face templates [8], [44]–[47] in TABLE I. Due
to the severe tradeoff between the verification performance and
security, state-of-the-art secure face templates [8], [46], [47]
are mainly evaluated using the constrained face benchmarking
datasets (e.g., CMU-PIE, FEI, Color FERET and FRGC).
However, state-of-the-art face verification systems [49]–[55]
are seldom evaluated on these constrained datasets, but on
unconstrained datasets (e.g., CFP and IJB-A). To date, a few
of secure templates are evaluated using unconstrained datasets
(e.g, the homomorphic encryption based method [44] and

Authorized licensed use limited to: WASHINGTON UNIVERSITY LIBRARIES. Downloaded on August 25,2021 at 17:44:37 UTC from IEEE Xplore. Restrictions apply.
272 IEEE TRANSACTIONS ON INFORMATION FORENSICS AND SECURITY, VOL. 16, 2021

Fig. 9. Unlinkability analysis for the templates extracted by the proposed randomized CNN on FRGC v2.0 [25].

Fig. 10. Unlinkability analysis for the templates extracted by the proposed randomized CNN on CFP [26].

Fig. 11. Unlinkability analysis for the templates extracted by the proposed randomized CNN on IJB-A [27].

the retrieval based method [56]. However, as mentioned in a challenging key-management problem. Besides, the retrieval
Section I, the homomorphic encryption based method [44] based method [56] did not follow a popularly used evaluation
requires to store a decryption key and therefore introduces protocol that the training and testing images share no subject.

Authorized licensed use limited to: WASHINGTON UNIVERSITY LIBRARIES. Downloaded on August 25,2021 at 17:44:37 UTC from IEEE Xplore. Restrictions apply.
MAI et al.: SECUREFACE: FACE TEMPLATE PROTECTION 273

TABLE I
S TATE - OF - THE -A RT S ECURE FACE T EMPLATES

Note that the proposed method does not require to store keys TABLE II
in the system and is evaluated using practical unconstrained GAR ON IJB-A 1:1 V ERIFICATION P ROTOCOL @(FAR = 0.1%)
face benchmarking datasets with popularly used evaluation
protocol.
To compare the verification performance with state-of-
the-art secure face templates on the same dataset with the
GAR@(FAR=0.1%), we have evaluated the proposed method
on Color FERET [57] and CMU-PIE [58]. The key results
have been summarized in TABLE I, where the detail results
are included in Supplementary B. It is observed that the
proposed method outperforms Homomorphic Encryption [44]
on IJB-A, outperforms LSSC [45], [46] on Color FERET,
outperforms Deep CNN Based [8] on CMU-PIE. Besides,
the proposed method is comparable with Deep LDPC [47]
on CMU-PIE.
Note that the proposed method not only works well on
the constrained face benchmarking datasets (Color FERET,
ResNet-50 with ResNet-100 in the Feature Extraction
CMU-PIE, and FRGC v2.0) compared with the state-of-the-
Network and retrained the proposed randomized CNN,
art secure face templates [8], [45]–[47], but also works well
which corresponds to the row of Proposed (ResNet-100) in
on the unconstrained face benchmarking datasets (CFP and
TABLE II. It is observed that the Proposed (ResNet-100)
IJB-A), compared with the Homomorphic Encryption [44].
achieves a GAR of 81.9% at FAR = 0.1%. The verification
The unconstrained face recognition is getting more and
performance is well-preserved by the proposed method, with
more popular in the face recognition community. In con-
a drop of 6% compared to the state-of-the-art face templates
trast, the performance of the secure face templates [8],
without protection [55].
[45]–[47] on unconstrained face benchmarking datasets is
not known.
2) Face Templates Without Protection: TABLE II sum- E. Security of the System Under Attacks
marizes the verification performance, GAR@(FAR = 0.1%), We have quantified the security of the proposed secure
of state-of-the-art face verification templates, which were templates as Hsys in Eq. (19). However, there are attacks
evaluated using 1:1 verification protocol on the IJB-A [27]. (e.g., decodability attacks [59]–[61], attacks via record mul-
Note that the objective of this work is not the feature fusion for tiplicity [62], and similarity attacks [2], [63]) claimed to be
video-based face verification, therefore, we summarized the able to violate either unlinkability or the non-invertibility of
state-of-the-art methods which fuse the video-based templates the secure templates with reduced attacking complexity. This
using average pooling and calculated the comparison section analyzes the security of proposed secure templates
score using the cosine (L2) similarity in TABLE II for a under these attacks.
fair comparison. It is observed that the proposed method 1) Decodability Attack via Secure Sketch SS: The decod-
outperforms the methods [49]–[53] and achieves a GAR ability attack can be categorized into (conventional) decod-
of 78.2% at FAR = 0.1%. To demonstrate that the accuracy of ability attack [59] and generalized decodability attack [60],
the proposed method can be further improved by increasing the [61]. Conventional decodability attack [59] links two secure
complexity of the Feature Extraction Network, we replaced sketches SS 1 and SS 2 based on whether SS 1 ⊕ SS 2 = c1 ⊕

Authorized licensed use limited to: WASHINGTON UNIVERSITY LIBRARIES. Downloaded on August 25,2021 at 17:44:37 UTC from IEEE Xplore. Restrictions apply.
274
Fig. 12. Mated/Non-Mated hamming distance distribution on IJB-A with the model trained with μ = 0.2, where 2047 bits are chosen from b (contains
4096 bits) to form the bB . (a) direct comparison, b B , (b) Comparison with reversing bit-permutation, b B ∗ .
c2 ⊕ bB can be decoded, where SS = bB ⊕ c. It has been
shown in [59], [60] that, with a high probability, SS 1 ⊕ SS 2
is decodable if bB ≤ τecc and vice versa. The work in [59]
has shown that the conventional decodability attack [59] can
be prevented by bit-permutation randomization. The gener-
alized decodability attack [61] is proposed against the bit-
permutation based prevention. The basic idea of the gener-
alized decodability attack is to construct a new ECC based
on the chosen ECC of two different applications and their
corresponding bit-permutation matrices. Let bB,1 = P 1 bB,1∗,
and bB,2 = P 2 bB,2∗ , the generalized decodability attack can
determine whether bB,1 and bB,2 come from the same subject,
if bB ∗ = bB,1∗ ⊕ bB,2∗ ≤ τecc with attacking complexity
b
  
B ∗
n C (2047, 527) > 2047527
C n, bB ∗ =
r
r=1
where P 1 (P 2 ) denotes a permutation matrix to permute
bB,1∗(bB,2∗) to be bB,1(bB,2).
The proposed secure face templates are secure under both
the conventional decodability attack [59] and generalized
decodability attack [60], [61]. This is because that the binary
feature bB for constructing our secure sketches SS is obtained
by a user and application specific random partition (as
described in Section III-C). The proposed random partition
can be viewed as that the bB is obtained by a cascade of
bit-selection and bit-permutation on the binary intermediate
feature b.
With the random partition, the conventional decodability
attack [59] is not able to tell whether two secure sketches
come from the same subject or not. This is because that the
corresponding bB are large enough for both mate and non-
mated samples (mated sample denotes that two bB come from
the same subject). Besides, the distribution of bB for both
mated and non-mated samples are similar (see Figure 12(a)),
where the minimum bB for mate samples is 942. Note
that the maximum error tolerance τecc is 511 for BCH codes
with n = 2047. It has also been justified in [59] that the
conventional decodability attack [59] can be prevented by bit-
permutation randomization.
The generalized decodability attack [60], [61] is not able to
tell whether two secure sketches come from the same subject
or not because of the random partition, which, as mentioned
above, can be viewed as a cascade of random bit-selection and
Authorized licensed use limited to: WASHINGTON UNIVERSITY LIBRARIES. Downloaded on August 25,2021 at 17:44:37 UTC from IEEE Xplore. Restrictions apply.
IEEE TRANSACTIONS ON INFORMATION FORENSICS AND SECURITY, VOL. 16, 2021
random bit-permutation. The generalized decodability attack
can eliminate the effect of random bit-permutation, while the
effect of random bit-selection cannot be eliminated. Therefore,
perhaps the calculation of the minimum bB ∗ corresponds
to the generalized decodability attack is: (a) first to reverse
the bit-permutation process: reorder elements in bB,1 and b B,2
such that the bits come from the same indices in b are placed
in corresponding indices in bB,1∗ and bB,2∗ ; (b) calculate
bB ∗ = bB,1∗ ⊕ bB,2∗ . Note that due to the random bit-
selection process, part of elements in bB,1 and bB,2 do not
share the bit indices in b. The distribution of bB ∗ for both
mated and non-mated samples are shown in Figure 12(b),
where the minimum bB for mate samples is 527. The
corresponding complexity
  of generalized decodability attack is
≈ 2 1679 , which is computationally dif-
(21) ficult. Furthermore, considering an extreme case with reduced
attacking complexity that the bB,1 and bB,2 are extracted
from the same input image, the elements in bB,1 and bB,2
share the bit indices in b are identical and therefore the error
occurs between the elements in bB,1 and bB,2 do not share
the bit indices in b. Let n share denotes the number of the bits
with shared indices, then the corresponding attack complexity
is reduced to C (2047 − n share , 527). In our experiments,
the maximum n share is 1090 and C (2047 − 1090, 527) ≥
2956, which is much higher than the attacking complexity of
guessing the key k or the feature bB . Therefore, the gen-
eralized decodability attack could not reduce the attacking
complexity of the proposed secure templates.
2) Attacks via Record Multiplicity (ARM): Attacks via
record multiplicity (ARM) [62] aims to construct images x̂
that can be used to access the system as the target user,
given multiple compromised protected templates. In our cases,
the protected template stored in the system is the PI ( y p )
and AD ( pr pt and SS). Perhaps the most effective way for
attacking the proposed method is first to estimate binary
feature b A and bB from the y p and SS. Then the b can be
reconstructed with pr pt and the input image x can be recon-
structed using [3]. However, it is computationally difficult
to estimate the b A from the y p because the y p is extracted
from b A with randomness specified by a randomly generated
key k, which is not stored in the system. Besides, the SS is
constructed using the bB and the key k and it is difficult to
obtain bB without k. Therefore, the availability of the multiple
compromised protected templates cannot help in reducing the
MAI et al.: SECUREFACE: FACE TEMPLATE PROTECTION
attacking complexity of the proposed method. The attacking
complexity of the proposed method under ARM is, therefore,
lower bounded by the effort of exhaustively searching the key
k. This implies that the ARM could not reduce the attacking
complexity of the proposed secure templates.
3) Similarity Attack via Protected Templates y p : Similarity
attack [2], [63] aims to estimate a pre-image x̂ which is
similar to the enrollment image x such that
 the comparison
score of the corresponding PIs, scor e y p yˆp , y p , less than
the system decision threshold, given the AD (i.e., SS and
pr pt ) of the system. The key of a success similarity attack
is the similarity preserving
  property of theinput and output
space, i.e., scor e y p yˆp , y p ≈ scor e x x̂, x . In the proposed
method, the similarity preserving property is not satisfied if the
estimated image x̂ is not sufficiently similar to the enrollment
image x. Thanks to the random activation and the random
permutation-flip (as mentioned in Section III-B), the extracted
protection template y p not only depends on the biometric
input x, but also a randomly generated user specific key k,
which is not stored in the system but encoded into the secure
sketch SS. Note that the key k can be successfully decoded
from SS only if the query estimated image x̂ is sufficiently
similar to the enrollment x. If the key k cannot be successfully
decoded, there is no advantage to tell whether two protection
templates ( y p and yˆp ) come from the same subject or not. This
can also be justified by the “Mated” (in blue dash line) and
“Non-Mated” (in blue line) sample score distribution for the
protection templates, as shown in Figs. 9-11(d). In a nutshell,
the similarity attack can break the security of the proposed
scheme only if (i) the initial guess of the input image xˆ0 is
sufficiently similar to the enrollment image x or (ii) the key k
is known. These two scenarios can be viewed as a brute-force
attack on the enrollment image x, or the attack of the key k.
The former is infeasible due to the large search space, and the
security of the latter is described in Eq. (19). This implies that
the similarity attack could not reduce the attacking complexity
of the proposed secure templates.
V. C ONCLUSIONS
In this paper, we propose a novel method which can
construct protected biometric systems whose stored deep
templates are non-invertible, cancellable and discriminative.
A randomized CNN is proposed to generates secure deep
biometric templates based on both the input biometric data
(e.g., face image) and user-specific keys. In our construction,
no user-specific key is stored in the system, where a secure
sketch generated from both a user-specific key and an inter-
mediate feature which is stored in the enrollment stage. In
the query stage, the user-specific key can be decoded from a
stored secure sketch if the query image is sufficiently close to
the corresponding enrollment image. Experimental results and
analysis on three face benchmark datasets (FRGC v2.0, CFP,
and IJB-A) show that the protected templates in the proposed
construction are non-invertible and unlinkable. Furthermore,
the verification performance of our protected templates is well
preserved. Specifically, at a security level of 56-bits (stronger
than an 8-character password system), we achieve state-of-
the-art accuracy (GAR) on FRGC v2.0 0,of 99.81% at a FAR
Authorized licensed use limited to: WASHINGTON UNIVERSITY LIBRARIES. Downloaded on August 25,2021 at 17:44:37 UTC from IEEE Xplore. Restrictions apply.
275
of 0.1%. The corresponding GAR on CFP and IJB-A are
85.36% and 78.19%, respectively.
ACKNOWLEDGMENT
The authors would like to thank Dr. Anil K. Jain,
Dr. Jiawei Li, and Dr. Mang Ye for their suggestions. The
majority of this work was done when Guangcan Mai was a
Ph.D. candidate at Hong Kong Baptist University.
R EFERENCES
[1] G. Mai, M.-H. Lim, and P. C. Yuen, “Binary feature fusion for
discriminative and secure multi-biometric cryptosystems,” Image Vis.
Comput., vol. 58, pp. 254–265, Feb. 2017.
[2] Y. C. Feng, M.-H. Lim, and P. C. Yuen, “Masquerade attack on
transform-based binary-template protection based on perceptron learn-
ing,” Pattern Recognit., vol. 47, no. 9, pp. 3019–3033, Sep. 2014.
[3] G. Mai, K. Cao, P. C. Yuen, and A. K. Jain, “On the reconstruction
of face images from deep face templates,” IEEE Trans. Pattern Anal.
Mach. Intell., vol. 41, no. 5, pp. 1188–1202, May 2019.
[4] K. Cao and A. K. Jain, “Learning fingerprint reconstruction: From
minutiae to image,” IEEE Trans. Inf. Forensics Security, vol. 10, no. 1,
pp. 104–117, Jan. 2015.
[5] J. Galbally, A. Ross, M. Gomez-Barrero, J. Fierrez, and
J. Ortega-Garcia, “Iris image reconstruction from binary templates:
An efficient probabilistic approach based on genetic algorithms,”
Comput. Vis. Image Understand., vol. 117, no. 10, pp. 1512–1525,
Oct. 2013.
[6] W. Stallings, Cryptography and Network Security: Principles and Prac-
tice, vol. 7. London, U.K.: Pearson, 2016.
[7] R. K. Pandey, Y. Zhou, B. U. Kota, and V. Govindaraju, “Deep secure
encoding for face template protection,” in Proc. IEEE Conf. Comput.
Vis. Pattern Recognit. Workshops (CVPRW), Jun. 2016, pp. 77–83.
[8] A. K. Jindal, S. Chalamala, and S. K. Jami, “Face template protec-
tion using deep convolutional neural network,” in Proc. IEEE/CVF
Conf. Comput. Vis. Pattern Recognit. Workshops (CVPRW), Jun. 2018,
pp. 462–470.
[9] C. Gentry, A Fully Homomorphic Encryption Scheme. Stanford, CA,
USA: Stanford Univ., 2009.
[10] M. Albrecht et al., “Homomorphic encryption security standard,” Homo-
morphicEncryption.org, Toronto, ON, Canada, Tech. Rep., Nov. 2018.
[11] K. Nandakumar and A. K. Jain, “Biometric template protection: Bridg-
ing the performance gap between theory and practice,” IEEE Signal
Process. Mag., vol. 32, no. 5, pp. 88–100, Sep. 2015.
[12] Information Technology—Security Techniques—Biometric Information
Protection, Standard ISO/IEC 24745:2011, 2011.
[13] A. K. Jain, K. Nandakumar, and A. Ross, “50 years of biomet-
ric research: Accomplishments, challenges, and opportunities,” Pattern
Recognit. Lett., vol. 79, pp. 80–105, Aug. 2016.
[14] Y. C. Feng, P. C. Yuen, and A. K. Jain, “A hybrid approach for generating
secure and discriminating face template,” IEEE Trans. Inf. Forensics
Security, vol. 5, no. 1, pp. 103–117, Mar. 2010.
[15] M. A. Turk and A. P. Pentland, “Face recognition using Eigenfaces,” in
Proc. CVPR, 1991, pp. 302–306.
[16] K. Cao and A. K. Jain, “Automated latent fingerprint recognition,”
IEEE Trans. Pattern Anal. Mach. Intell., vol. 41, no. 4, pp. 788–800,
Apr. 2019.
[17] Y.-L. Lai et al., “Cancellable iris template generation based on indexing-
first-one hashing,” Pattern Recognit., vol. 64, pp. 105–117, Apr. 2017.
[18] Z. Jin, J. Y. Hwang, Y.-L. Lai, S. Kim, and A. B. J. Teoh, “Ranking-
based locality sensitive hashing-enabled cancelable biometrics: Index-
of-Max hashing,” IEEE Trans. Inf. Forensics Security, vol. 13, no. 2,
pp. 393–407, Feb. 2018.
[19] H. Kaur and P. Khanna, “Random distance method for generating
unimodal and multimodal cancelable biometric features,” IEEE Trans.
Inf. Forensics Security, vol. 14, no. 3, pp. 709–719, Mar. 2019.
[20] A. Juels and M. Wattenberg, “A fuzzy commitment scheme,” in Proc.
6th ACM Conf. Comput. Commun. Secur. (CCS). New York, NY,
USA: Association for Computing Machinery, 1999, pp. 28–36, doi:
10.1145/319709.319714.
[21] A. Juels and M. Sudan, “A fuzzy vault scheme,” Designs, Codes
Cryptography, vol. 38, no. 2, pp. 237–257, Feb. 2006.
276 IEEE TRANSACTIONS ON INFORMATION FORENSICS AND SECURITY, VOL. 16, 2021
[22] Y. Dodis, R. Ostrovsky, L. Reyzin, and A. Smith, “Fuzzy extractors:
How to generate strong keys from biometrics and other noisy data,”
SIAM J. Comput., vol. 38, no. 1, pp. 97–139, Jan. 2008.
[23] A. Nagar, K. Nandakumar, and A. K. Jain, “Multibiometric cryptosys-
tems based on feature-level fusion,” IEEE Trans. Inf. Forensics Security,
vol. 7, no. 1, pp. 255–268, Feb. 2012.
[24] T. Stanko, F. Nur Andini, and B. Skoric, “Optimized quantization in
zero leakage helper data systems,” IEEE Trans. Inf. Forensics Security,
vol. 12, no. 8, pp. 1957–1966, Aug. 2017.
[25] P. J. Phillips et al., “Overview of the face recognition grand challenge,”
in Proc. IEEE Comput. Soc. Conf. Comput. Vis. Pattern Recognit.
(CVPR), 2005, pp. 947–954.
[26] S. Sengupta, J.-C. Chen, C. Castillo, V. M. Patel, R. Chellappa, and
D. W. Jacobs, “Frontal to profile face verification in the wild,” in Proc.
IEEE Winter Conf. Appl. Comput. Vis. (WACV), Mar. 2016, pp. 1–9.
[27] B. F. Klare et al., “Pushing the frontiers of unconstrained face detection
and recognition: IARPA janus benchmark a,” in Proc. IEEE Conf.
Comput. Vis. Pattern Recognit. (CVPR), Jun. 2015, pp. 1931–1939.
[28] Information Technology—Biometric Data Interchange Formats—Part 2:
Finger Minutiae Data, Standard ISO/IEC 19794-2:2011, 2011.
[29] K. He, X. Zhang, S. Ren, and J. Sun, “Deep residual learning for
image recognition,” in Proc. IEEE Conf. Comput. Vis. Pattern Recognit.
(CVPR), Jun. 2016, pp. 770–778.
[30] N. Srivastava, G. E. Hinton, A. Krizhevsky, I. Sutskever, and
R. Salakhutdinov, “Dropout: A simple way to prevent neural networks
from overfitting,” J. Mach. Learn. Res., vol. 15, no. 1, pp. 1929–1958,
2014.
[31] F. Schroff, D. Kalenichenko, and J. Philbin, “FaceNet: A unified
embedding for face recognition and clustering,” in Proc. IEEE Conf.
Comput. Vis. Pattern Recognit. (CVPR), Jun. 2015, pp. 815–823.
[32] S. Liao, Z. Lei, D. Yi, and S. Z. Li, “A benchmark study of large-
scale unconstrained face recognition,” in Proc. IEEE Int. Joint Conf.
Biometrics, Sep. 2014, pp. 1–8.
[33] E. Learned-Miller, G. B. Huang, A. RoyChowdhury, H. Li, and G. Hua,
“Labeled faces in the wild: A survey,” in Proc. Adv. Face Detection
Facial Image Anal., 2016, pp. 189–248.
[34] R. Roth, Introduction to Coding Theory. Cambridge, U.K.:
Cambridge Univ. Press, 2006.
[35] J. H. Van Lint, Introduction to Coding Theory, vol. 86. Berlin,
Germany: Springer-Verlag, 2012. [Online]. Available: https://www.
springer.com/gp/book/9783662001745
[36] Q. Cao, L. Shen, W. Xie, O. M. Parkhi, and A. Zisserman, “Vggface2:
A dataset for recognising faces across pose and age,” in Proc. FG, 2018,
pp. 67–74.
[37] Y. Guo, L. Zhang, Y. Hu, X. He, and J. Gao, “MS-Celeb-1M: A dataset
and benchmark for large-scale face recognition,” in Proc. ECCV, 2016,
pp. 87–102.
[38] J. Deng, J. Guo, N. Xue, and S. Zafeiriou, “ArcFace: Additive angu-
lar margin loss for deep face recognition,” 2018, arXiv:1801.07698.
[Online]. Available: http://arxiv.org/abs/1801.07698
[39] K. Zhang, Z. Zhang, Z. Li, and Y. Qiao, “Joint face detection and
alignment using multitask cascaded convolutional networks,” IEEE
Signal Process. Lett., vol. 23, no. 10, pp. 1499–1503, Oct. 2016.
[40] D. Maltoni, D. Maio, A. K. Jain, and S. Prabhakar, Handbook of
Fingerprint Recognition. London, U.K.: Springer-Verlag, 2009. [Online].
Available: https://www.springer.com/gp/book/9781848822535
[41] T. Chen et al., “MXNet: A flexible and efficient machine learning
library for heterogeneous distributed systems,” 2015, arXiv:1512.01274.
[Online]. Available: http://arxiv.org/abs/1512.01274
[42] G. Mai, M.-H. Lim, and P. C. Yuen, “On the guessability of binary
biometric templates: A practical guessing entropy based approach,” in
Proc. IEEE Int. Joint Conf. Biometrics (IJCB), Oct. 2017, pp. 367–374.
[43] J. Daugman, “The importance of being random: Statistical principles
of iris recognition,” Pattern Recognit., vol. 36, no. 2, pp. 279–291,
Feb. 2003.
[44] V. N. Boddeti, “Secure face matching using fully homomorphic encryp-
tion,” in Proc. BTAS, 2018, pp. 1–10.
[45] M.-H. Lim and A. B. J. Teoh, “A novel encoding scheme for effec-
tive biometric discretization: Linearly separable subcode,” IEEE Trans.
Pattern Anal. Mach. Intell., vol. 35, no. 2, pp. 300–313, Feb. 2013.
[46] P. Drozdowski, F. Struck, C. Rathgeb, and C. Busch, “Benchmarking
binarisation schemes for deep face templates,” in Proc. 25th IEEE Int.
Conf. Image Process. (ICIP), Oct. 2018, pp. 191–195.
[47] L. Chen, G. Zhao, J. Zhou, A. T. S. Ho, and L.-M. Cheng, “Face template
protection using deep LDPC codes learning,” IET Biometrics, vol. 8,
no. 3, pp. 190–197, May 2019.
Authorized licensed use limited to: WASHINGTON UNIVERSITY LIBRARIES. Downloaded on August 25,2021 at 17:44:37 UTC from IEEE Xplore. Restrictions apply.
[48] M. Gomez-Barrero, J. Galbally, C. Rathgeb, and C. Busch, “Gen-
eral framework to evaluate unlinkability in biometric template pro-
tection systems,” IEEE Trans. Inf. Forensics Security, vol. 13, no. 6,
pp. 1406–1420, Jun. 2018.
[49] X. Yin and X. Liu, “Multi-task convolutional neural network for pose-
invariant face recognition,” IEEE Trans. Image Process., vol. 27, no. 2,
pp. 964–975, Feb. 2018.
[50] X. Yin, X. Yu, K. Sohn, X. Liu, and M. Chandraker, “Towards large-
pose face frontalization in the wild,” in Proc. IEEE Int. Conf. Comput.
Vis. (ICCV), Oct. 2017, pp. 3990–3999.
[51] S. Sankaranarayanan, A. Alavi, C. D. Castillo, and R. Chellappa, “Triplet
probabilistic embedding for face verification and clustering,” in Proc.
IEEE 8th Int. Conf. Biometrics Theory, Appl. Syst. (BTAS), Sep. 2016,
pp. 1–8.
[52] J. Yang et al., “Neural aggregation network for video face recognition,”
in Proc. IEEE Conf. Comput. Vis. Pattern Recognit. (CVPR), Jul. 2017,
pp. 4362–4371.
[53] L. Tran, X. Yin, and X. Liu, “Representation learning by rotating
your faces,” IEEE Trans. Pattern Anal. Mach. Intell., vol. 41, no. 12,
pp. 3007–3021, Dec. 2019.
[54] X. Yin, X. Yu, K. Sohn, X. Liu, and M. Chandraker, “Feature transfer
learning for face recognition with under-represented data,” in Proc.
IEEE/CVF Conf. Comput. Vis. Pattern Recognit. (CVPR), Jun. 2019,
pp. 5704–5713.
[55] B. Yin, L. Tran, H. Li, X. Shen, and X. Liu, “Towards interpretable
face recognition,” in Proc. IEEE/CVF Int. Conf. Comput. Vis. (ICCV),
Oct. 2019, pp. 9347–9356.
[56] Y. K. Jang and N. I. Cho, “Deep face image retrieval for cancelable
biometric authentication,” in Proc. 16th IEEE Int. Conf. Adv. Video
Signal Based Surveill. (AVSS), Sep. 2019, pp. 1–8.
[57] P. J. Phillips, H. Moon, S. A. Rizvi, and P. J. Rauss, “The FERET
evaluation methodology for face-recognition algorithms,” IEEE Trans.
Pattern Anal. Mach. Intell., vol. 22, no. 10, pp. 1090–1104, Oct. 2000.
[58] T. Sim, S. Baker, and M. Bsat, “The CMU pose, illumination, and
expression (PIE) database,” in Proc. FG, 2002, pp. 53–58.
[59] E. J. C. Kelkboom, J. Breebaart, T. A. M. Kevenaar, I. Buhan, and
R. N. J. Veldhuis, “Preventing the decodability attack based cross-
matching in a fuzzy commitment scheme,” IEEE Trans. Inf. Forensics
Security, vol. 6, no. 1, pp. 107–121, Mar. 2011.
[60] K. Simoens, P. Tuyls, and B. Preneel, “Privacy weaknesses in biomet-
ric sketches,” in Proc. 30th IEEE Symp. Secur. Privacy, May 2009,
pp. 188–203.
[61] B. Tams, “Decodability attack against the fuzzy commitment scheme
with public feature transforms,” 2014, arXiv:1406.1154. [Online]. Avail-
able: http://arxiv.org/abs/1406.1154
[62] W. J. Scheirer and T. E. Boult, “Cracking fuzzy vaults and biometric
encryption,” in Proc. Biometrics Symp., Sep. 2007, pp. 1–6.
[63] Y. Chen, Y. Wo, R. Xie, C. Wu, and G. Han, “Deep secure quantization:
On secure biometric hashing against similarity-based attacks,” Signal
Process., vol. 154, pp. 314–323, Jan. 2019.
Guangcan Mai (Member, IEEE) received the
B.Eng. degree from the South China University
of Technology, China, in 2013, and the Ph.D.
degree from the Department of Computer Science,
Hong Kong Baptist University, Hong Kong, in 2018.
In 2016, he was a Visiting Scholar with Michi-
gan State University, East Lansing, MI, USA. His
research interests include biometric security, com-
puter vision, and machine learning.
Kai Cao received the Ph.D. degree from the
Key Laboratory of Complex Systems and Intel-
ligence Science, Institute of Automation, Chinese
Academy of Sciences, Beijing, China, in 2010.
His research interests include biometric recognition,
image processing, and machine learning.
MAI et al.: SECUREFACE: FACE TEMPLATE PROTECTION
Xiangyuan Lan received the B.Eng. degree from
the South China University of Technology, China,
in 2012, and the Ph.D. degree from the Hong Kong
Baptist University, Hong Kong, in 2016. In 2015,
he was a Visiting Scholar with the University of
Maryland, College Park, MD, USA. He is currently
a Research Assistant Professor with Hong Kong
Baptist University. His current research interests
include sparse representation and deep learning for
computer vision and pattern recognition problems.
Authorized licensed use limited to: WASHINGTON UNIVERSITY LIBRARIES. Downloaded on August 25,2021 at 17:44:37 UTC from IEEE Xplore. Restrictions apply.
277
Pong C. Yuen (Senior Member, IEEE) is currently
the Chair Professor of the Department of Computer
Science, Hong Kong Baptist University. He is also
the Vice President (Technical Activities) of the IEEE
Biometrics Council, an Editorial Board Member
of Pattern Recognition and a Senior Editor of the
Journal of Electronic Imaging (SPIE). He also serves
as a Hong Kong Research Grant Council Engineer-
ing Panel Member. His current research interests
include video surveillance, human face recognition,
biometric security, and privacy.