Decodability Attack against the Fuzzy Commitment Scheme with Public Feature Transforms

The fuzzy commitment scheme is a cryptographic primitive that can be used to protect biometric templates. If multiple records extracted from the same biometric characteristic have been intercepted, their correspondence can be examined, i.e., cross-matching, via the decodability attack. As a countermeasure, Kelkboom et al. proposed to apply a public but record-specific permutation to the feature string given as input to the fuzzy commitment scheme. In this paper, it is shown that this countermeasure does not prevent an adversary from cross-matching completely: He still may be able to examine records protecting slightly different templates and now even may recover them explicitly. The feasibility of the attack is demonstrated experimentally in this paper. Furthermore, it is proven that the attack cannot be prevented using another transformation process in a binary fuzzy commitment scheme. Fortunately, such a transformation can be designed for the non-binary case and it is briefly discussed how the improved fuzzy vault scheme by Dodis et al. can be used for protecting binary feature vectors while preventing record multiplicity attacks.