Inverse operation and preimage attack on BioHashing

Abstract

BioHashing generates a BioCode from a user's biometric features by projecting them onto user-specific random vectors and then discritizes the projection coefficients into zero or one. Since biometric features are distorted by the non-invertible transforms and template matching is performed in a transformed state, it has been claimed that BioHashing is oneway and a BioCode is as secure as a hashed password. However, we disprove it by showing that even without a genuine's private random vectors, a preimage of a BioCode is easily calculated from a lost BioCode and an attacker can gain an illegal access to a system.