Evaluation of PPG Feature Values Toward Biometric Authentication Against Presentation Attacks

In this study, we examined information leakage in photoplethysmogram (PPG)-based biometric authentication and assessed an attack against authentication based on the information leakage. Several approaches have been proposed to apply PPG to biometric authentication using a wearable device; however, there may be several attacks against PPG-based authentication. One of the attacks is a “presentation attack” (PA), which utilizes the information leakage originating from the various PPG measurement sites on a body. The PA records the victim’s PPG stealthily on non-genuine measurement sites and transmits it to the PPG sensor to break the authentication. We examined the information leakage and assessed the PA by evaluating feature values extracted from the PPG signals. We recorded the PPG signals of 12 participants on their fingertips and wrists. We compared the feature values extracted from the recorded PPG signals by computing the differences, correlation coefficients, and mutual information to examine the leakage of information required for the PPG-based authentication. We then assessed the feasibility of a PA based on existing PPG-based authentication algorithms and evaluated the contribution of each value to authentication and PA by computing the permutation importance of all feature values. The experimental results indicated that there might be information leakage and that the selection of feature values could reduce the feasibility of the PA by up to 62.8 %.


I. INTRODUCTION
With the growth of the Internet and wearable devices, such as smartwatches, our bodies are becoming connected to networks [1]. Many devices provide users with applications via networks. The devices often retain and show confidential information in applications such as message exchange by connecting to smartphones. Some devices are even able to provide users with applications such as payment functions using stored personal wallet data without connecting to smartphones [2]. However, there may be attackers who try to access and steal confidential information to show the capability to hack or make a profit from the information. Therefore, an authentication function must be added to the device to identify the user of the device and reject attackers in case it is stolen.
The associate editor coordinating the review of this manuscript and approving it for publication was Kin Fong Lei.
There are several authentication methods for wearable devices, such as smartwatches. The pervasive methods are password- and pattern-based authentication, which require touching the touchscreen mounted on the device [3]. However, the authentication methods can be vulnerable to identity spoofing such as shoulder-surfing and brute-force attacks [4]. Several approaches have been proposed to apply biometric authentication to wearable devices. For example, ring-type devices equipped with fingerprint sensors [5] and watch-type devices equipped with electrocardiogram (ECG)-based authentication modules [6] have been developed. These methods contribute to user convenience because there is no risk of forgetting or losing the information required for authentication [7]. However, many biometric authentication methods for wearable devices often restrict the user activity. For example, fingerprint- or ECG-based authentication requires the user to have a specific posture, such as touching the sensor or the electrode with the finger. Therefore, it is necessary to develop a biometric authentication method for wearable devices with few restrictions, such as posture limitations.
Meanwhile, there have been several approaches utilizing the distinctiveness of photoplethysmogram (PPG) for biometric authentication [8]. A PPG signal is a noninvasive circulatory signal related to changes in blood volume in the tissue [9], which can be recorded by a sensor mounted on a smartwatch to provide health information such as SpO2 (arterial oxygen saturation) [10]. As shown in Fig. 1, the sensor comprises a light source such as a typical light-emitting diode (LED) illuminating the tissue and a photodetector such as a phototransistor (PTr) sensing the arterial expansion and contraction in the intensity of the reflected or transmitted light [10]. PPG-based biometric authentication can be realized by extracting feature values from recorded PPG signals and comparing them to registered templates [11]. The advantage of a PPG is that its measurements can be performed on various sites, such as fingers and wrists using only one sensor, as shown in Fig. 1, whereas ECG measurements require at least two electrodes on separated sites on the body. PPG is often an alternative to ECG for heart rate (HR) estimation because it can be recorded with fewer restrictions than ECG [12]. PPG is expected to seamlessly connect some applications, such as health monitoring and authentication, with one sensor [13]. Therefore, wearable devices may provide PPG-based authentication with PPG sensors installed on them in the near future.
However, there may be specific vulnerabilities in PPG-based authentication. Although the variety of measurement sites on a body with few restrictions is an advantage of PPG measurement, it may lead to a leakage of information required for PPG-based authentication because several biomedical approaches have investigated the similarity in PPG waveforms recorded at different measurement sites on one person [14]. If an attacker stealthily records a victim's PPG signal on non-genuine measurement sites and utilizes the signal as an input to the PPG sensor, the PPG-based authentication algorithm may accept the input as genuine.
In this study, we investigated the vulnerability of PPG-based authentication to develop PPG-based authentication systems with countermeasures. We focused on the variety in PPG measurement sites on the body and the waveforms at each site to examine the leakage of information required for authentication. Several studies have been conducted on PPG-based authentication and its attacks. Our previous work also investigated attacks against PPG-based authentication [15]. The attack utilized a victim's PPG signal stealthily recorded on non-genuine measurement sites on the victim's body and transmitted the signal to the PPG sensor to break authentication. However, there is a paucity of studies investigating the effect of waveform variety on PPG-based authentication and attacks against it. Studying the relationships between PPG waveforms recorded at different sites may lead to the development of countermeasures against attacks. Therefore, we investigated the vulnerability by recording PPG signals at multiple measurement sites on the participants' bodies, examining the information leakage, and assessing the feasibility of the attack using the recorded PPG signals.

II. RELATED WORKS
There can be several attacks on biometric authentication systems. A typical biometric authentication system comprises three components: a sensor that obtains biometric information from a user, a feature value extractor that obtains identical information from the biometric information and stores it as templates, and a matcher that compares a new value with the stored templates [16]. Several attack vectors exist for the components of the system. One of the most well-known vectors is the presentation of fake biometrics to a sensor, which is referred to as a presentation attack (PA). PAs have been demonstrated for pervasive image-based biometric authentication systems utilizing commercially available products. For example, face recognition can be achieved by presenting photographs or liquid-crystal displays to a camera [17]. Fingerprint recognition can also be achieved by presenting silicone rubbers or gummi candies to a fingerprint sensor [18].
In general, most pervasive biometric authentication systems utilize physical images such as faces and fingerprints. Recently, an increasing number of approaches have utilized time-series physiological signals for biometric authentication because of their distinctiveness and difficulty in replication [8]. For example, a watch-type device called Nymi Band, which provides authentication using an ECG signal derived from the electrical activity of the heart, is available [6]. An electroencephalogram (EEG) signal, which can be recorded by electrodes mounted on headband- and headset-type devices, is also utilized for biometric authentication [19]. In addition, many approaches utilize PPG signals that can be recorded by sensors mounted on smartwatches for biometric authentication [11]. However, several PAs against biometric authentication using time-series physiological signals and physical image-based authentication have been proposed. For example, several approaches proposed PAs against ECG-based authentication and demonstrated them against the Nymi Band. Eberz et al. proposed a PA against the Nymi Band, which focused on a variety of ECG measurement sites on the body [20]. The PA maps the victim's ECG signal using a device other than the victim's device to produce a genuine signal, which is transmitted to the Nymi Band. Shukla et al. proposed a PA for EEG-based authentication [21]. The PA utilizes the correlation between the recorded EEG and the user's movement during EEG recording. In addition, several PAs against PPG-based authentication have been proposed, focusing on the various PPG measurement sites on the body. Seepers et al. investigated the possibility of passing a heartbeat-based authentication by utilizing heartbeats estimated based on blood circulation in the face using camera-based PPG as an attack vector [22].
Our previous work also proposed a PA against PPG-based authentication that utilizes multiple feature values [15]. We assumed that the victim wore a smartwatch that included a genuine PPG sensor, and often logged into some applications using confidential information after PPG-based authentication. We also assumed that the attacker intended to steal the information through the PA, which was executed as follows:
Step 1: Install a malicious PPG sensor in daily necessities or office supplies, such as a mouse or a desk, that the victim may touch with the finger.
Step 2: Record the victim's PPG signal at the finger using the malicious PPG sensor.
Step 3: Generate an electrical signal or control the light intensity based on the recorded signal.
Step 4: Obtain the victim's smartwatch after he/she removes it for charging the battery.
Step 5: Transmit the signal to the PPG sensor installed on the smartwatch to break its authentication.
In the experiment, we investigated the feasibility of the proposed PA using the PPG signals recorded at multiple measurement sites on participants and an existing PPG-based authentication algorithm. The experimental results suggested that the PA could occur [15].
The PAs against biometric authentication using time-series physiological signals in the previous paragraphs are based on a hypothesis about the possibility of information leakage: the biometric information required for authentication may be available on other measurement sites or sensing devices. For example, a feature value extracted from a signal recorded at a measurement site may be equal to a value from a signal at another site. However, there are few studies examining the information leakage required for biometric authentication.
To the best of our knowledge, no studies have examined the leakage of information, such as feature values required for PPG-based biometric authentication, to investigate attacks. Our previous work [15] also did not examine the leakage using the feature values in the PPG-based authentication algorithm. If we examine this and evaluate the contribution of information to authentication and PAs, we may derive an optimized authentication algorithm with countermeasures against PAs. For example, if the same feature values extracted from PPG signals recorded at different sites are equal based on the hypothesis, we should eliminate the value from the algorithm against the PA. Therefore, to develop PPG-based authentication with countermeasures, we investigated information leakage as a vulnerability in PPG-based authentication. We evaluated the feature values extracted from the PPG signals recorded on multiple measurement sites to examine information leakage. Then, we evaluated the contribution of each feature value to the authentication and PA to derive an optimized authentication algorithm with countermeasures against the PA.

III. EXPERIMENT
A. OVERVIEW
We conducted an experiment to examine information leakage in PPG-based biometric authentication and assess the feasibility of PA. Figure 2 presents an overview of the experimental protocol. We recorded PPG signals at two measurement sites on the participants using the developed sensing system. Then, we extracted feature values from the recorded PPG signals and compared them to examine information leakage for authentication. Subsequently, we assessed the capabilities of the authentication and feasibility of the PA against it using feature values and classifiers based on existing algorithms. At the same time, we evaluated the contribution of each value to the authentication and PA and compared the results in combination with the values.

B. SETUP AND RECORDING
We developed a PPG sensing system to record PPG signals at two measurement sites on the body. The system included two sensors consisting of an LED and a PTr (LED emitting peak wavelength: 570 nm, New Japan Radio Co., Ltd., NJL5303R-TE1). Each output of the PTr was filtered with a low-frequency cutoff of 0.40 Hz and a high-frequency cutoff of 5.0 Hz, amplified with a gain of 47 dB, and recorded using an AD converter (National Instruments, USB-6216) at a sampling rate of 1 kHz with a resolution of 16 bits.
We recorded PPG signals from 12 participants (S1, S2, ..., S12, one female and 11 males, aged 25-30 years) who did not have any cardiovascular diseases. As illustrated in Fig. 3, the sensors were fastened using Velcro tape to record PPG signals on the fingertip and wrist. Although there are more candidates for PPG measurement sites, as shown in Fig. 1, we selected the two sites as our scope to examine the information leakage and assess the PA using PPG signals recorded on relatively close sites, which might resemble each other in waveform based on the blood vessel configuration and blood circulation. In addition, PPG signals are generally recorded on the fingertips in many clinical applications [23], whereas smartwatches record PPG signals on the wrist. The participants wore the PPG sensors on the two measurement sites and maintained a resting state for 30 s while the PPG signals were recorded. Five recordings (trial T1, T2, ..., T5) were obtained for each participant. The experiment was approved by the Ethical Committee of Information Technology R&D Center (2020-B001), Mitsubishi Electric Corporation, Japan. Informed consent was obtained from the participants before recording was started.

C. EXAMINATION OF INFORMATION LEAKAGE
1) FEATURE EXTRACTION
We extracted 43 feature values $C_{i,1}, C_{i,2}, \ldots, C_{i,43}$ from PPG segments to examine the leakage of the information required for authentication, where $i$ denotes the number of the segment. Each PPG segment contained a negative peak at the starting point, followed by at least one positive peak, followed by a negative peak at the end of the segment, as illustrated in Fig. 4. The values were originally from previous works on PPG measurement, including not only biometric authentication but also physiological studies [24]-[27], as follows:
• $C_{i,1}, \ldots, C_{i,4}$ were the peak-related values such as number of peaks, which might reflect the arterial stiffness. Gu et al. proposed the first approach to apply PPG to biometric authentication using those four values [24].
• $C_{i,5}, \ldots, C_{i,15}$ were mainly statistics-related metrics such as mean and maximum value in a segment. The values also included the mean of the dynamic time warping (DTW) distance, which is the similarity between one time-series segment and another segment. DTW distance might reflect changes in arterial distensibility in one recording. Jindal et al. proposed the first approach to apply a deep-learning technique to PPG-based authentication using those 11 values [25].
• $C_{i,16}, \ldots, C_{i,39}$ were 24 Mel-frequency cepstral coefficients (MFCC1, ..., MFCC24), which are often used in audio signal processing systems. They were computed by applying discrete Fourier transform, logarithmic transform of mel-scale warped spectrum, and discrete cosine transform to an input PPG signal. Those MFCCs might reflect frequency characteristics of PPG signals. Siam et al. proposed the application of a deep-learning technique to PPG-based authentication using those MFCCs [26].
• $C_{i,40}, \ldots, C_{i,43}$ were amplitude-related values such as the peak-to-peak values in each segment. The values included those related to the dicrotic notch, which is a small and brief increase in a segment [28]. The dicrotic notch might reflect the arterial stiffness. Hartmann et al. proposed them for the evaluation of differences in PPG waveforms recorded at multiple measurement sites on the body, but not for PPG-based authentication [27].
Table 1 shows a summary of each feature value.

2) EVALUATION OF FEATURE VALUES
We used three evaluation metrics between the feature values: the mean absolute percentage error (MAPE), correlation coefficient (CC), and mutual information (MI) to investigate the relationship between a feature value $C^{wr}_{i,m}$ from the PPG signal recorded on the wrist ($\mathrm{PPG}_{wr}$) and a value $C^{fi}_{i,m}$ from the PPG signal recorded on the fingertip ($\mathrm{PPG}_{fi}$), where $m$ denotes the identifier of the extracted feature values ($m = 1, 2, \ldots, 43$). We computed the difference between $C^{wr}_{i,m}$ and $C^{fi}_{i,m}$ as MAPE assuming the former as a true value as follows [29]: where $N$ denotes the total number of segments. We used CC to describe the linear relationship between $C^{wr}_{i,m}$ and $C^{fi}_{i,m}$ as follows [23]: where $\bar{C}^{wr}_{i,m}$ and $\bar{C}^{fi}_{i,m}$ denote the mean of $C^{wr}_{i,m}$ and the mean of $C^{fi}_{i,m}$, respectively. We computed MI between $C^{wr}_{i,m}$ and $C^{fi}_{i,m}$ to describe a nonmonotonic relationship as follows [31]: where $p_{wr}(C^{wr}_{i,m})$, $p_{fi}(C^{fi}_{j,m})$, and $p(C^{wr}_{i,m}, C^{fi}_{j,m})$ denote the marginal probability mass function of $C^{wr}_{i,m}$, the marginal probability mass function of $C^{fi}_{j,m}$, and the joint probability mass function of $C^{wr}_{i,m}$ and $C^{fi}_{j,m}$, respectively.
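The three metrics above, as an added Python example that is not code from the paper: the equations did not survive on this page, so the standard definitions are assumed (MAPE as a fraction with the wrist value as the true value, Pearson CC, and MI in nats from equal-width histograms). The feature names follow the paper; the sample values, the bin count, and the use of the Table 1 bold cut-offs as leak flags are assumptions made for illustration.

```python
import math
from collections import Counter

# Table 1 of the paper bolds MAPE < 0.100, CC > 0.300 and MI > 0.300;
# treating those cut-offs as leak flags is an assumption of this example.
MAPE_MAX, CC_MIN, MI_MIN = 0.100, 0.300, 0.300


def mape(wrist, finger):
    """MAPE as a fraction, wrist value taken as the true value.

    Segments whose wrist value is zero are skipped (zero denominator).
    """
    terms = [abs(w - f) / abs(w) for w, f in zip(wrist, finger) if w != 0]
    return sum(terms) / len(terms) if terms else None


def pearson_cc(wrist, finger):
    """Pearson CC, or None when one side is constant (zero denominator)."""
    n = len(wrist)
    mw, mf = sum(wrist) / n, sum(finger) / n
    cov = sum((w - mw) * (f - mf) for w, f in zip(wrist, finger))
    var_w = sum((w - mw) ** 2 for w in wrist)
    var_f = sum((f - mf) ** 2 for f in finger)
    if var_w == 0 or var_f == 0:
        return None
    return cov / math.sqrt(var_w * var_f)


def _bins(values, bins):
    """Map each value to an equal-width histogram bin index."""
    lo, hi = min(values), max(values)
    if hi == lo:
        return [0] * len(values)
    width = (hi - lo) / bins
    return [min(int((v - lo) / width), bins - 1) for v in values]


def mutual_information(wrist, finger, bins=4):
    """MI in nats between the binned wrist and fingertip values."""
    bw, bf = _bins(wrist, bins), _bins(finger, bins)
    n = len(bw)
    p_w, p_f, p_joint = Counter(bw), Counter(bf), Counter(zip(bw, bf))
    return sum((c / n) * math.log((c / n) / ((p_w[a] / n) * (p_f[b] / n)))
               for (a, b), c in p_joint.items())


def leakage_report(features, bins=4):
    """Per-feature metrics plus the list of metrics that indicate leakage."""
    report = {}
    for name, (wrist, finger) in features.items():
        m = mape(wrist, finger)
        cc = pearson_cc(wrist, finger)
        mi = mutual_information(wrist, finger, bins)
        flags = []
        if m is not None and m < MAPE_MAX:
            flags.append("MAPE")
        if cc is not None and cc > CC_MIN:
            flags.append("CC")
        if mi > MI_MIN:
            flags.append("MI")
        report[name] = {"mape": m, "cc": cc, "mi": mi, "flags": flags}
    return report


# Constructed values, eight segments per site (not the paper's recordings).
SAMPLE = {
    "number_of_peaks": ([2.0] * 8, [2.0, 2.0, 2.0, 3.0, 2.0, 2.0, 2.0, 2.0]),
    "min_value_time": ([1.0, 2.0, 3.0, 4.0, 5.0, 6.0, 7.0, 8.0],
                       [1.1, 2.1, 2.9, 4.2, 5.0, 6.1, 6.9, 8.2]),
    "mfcc1": ([1.0, 1.0, 1.0, 1.0, 2.0, 2.0, 2.0, 2.0],
              [5.0, 5.0, 9.0, 9.0, 5.0, 5.0, 9.0, 9.0]),
}

if __name__ == "__main__":
    for name, row in leakage_report(SAMPLE).items():
        print(name, row)
```

A feature that is nearly constant at both sites is flagged by MAPE alone, because CC is undefined and MI is zero when one side does not vary, which is why the three metrics are read together.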

D. ASSESSMENT OF PA
1) CLASSIFIER GENERATION
To compute the capability of PPG-based authentication and the feasibility of the PA, we used four classifiers: k-nearest neighbor classifier (kNN), multilayer perceptron (MLP), support vector machine (SVM), and random forest (RF), which were used in existing PPG-based authentication algorithms [24]-[26], [32], [33]. kNN is a classifier based on the minimum distance from the sample feature vectors to the training feature vectors [32]. We selected the Mahalanobis distance (MD) as the distance function, which has been successfully applied in various biometric systems. MD is defined as follows [34]: where $C_{test}$, $C_{train}$, and $A$ denote an input sample feature vector from each PPG segment, a trained feature vector, and a variance-covariance matrix of $C_{train}$, respectively. The MLP is a classifier of feedforward neural networks that can create nonlinear decision boundaries [35]. We used an MLP with three hidden layers consisting of 40, 40, and 10 nodes, which were estimated as the optimal combination of layers and nodes using a grid search approach, as in the original article [25]. SVM is a classifier that creates boundaries that divide data into two or more classes to maximize the margin between the boundaries and data, and has been successfully applied in various biometric systems [36]. RF is a classifier that generates many classifiers and aggregates their results to satisfy the requirement, and has the capability to use many feature values and classes that biometric authentication processes require [36]. We compared the performance of the four classifiers in the verification.

2) VERIFICATION
We computed performance metrics of authentication and PA based on fivefold cross-validation using the feature values in five trials. In the authentication, the validation used the feature values extracted from $\mathrm{PPG}_{wr}$ in all trials except one for training and the remaining trials for testing using each classifier to compute the equal error rate (EER) as the performance metric. The EER was computed by tuning parameters such as the threshold for the predicted probability of each classifier to equalize the false rejection rate (FRR) and false acceptance rate (FAR). In the PA, the validation used the feature values extracted from $\mathrm{PPG}_{wr}$ in all trials except one for training and the values from $\mathrm{PPG}_{fi}$ in the remaining trials for testing using each classifier to compute the segment acceptance rate (SAR) as the performance metric. For example, a classifier was generated using the feature values extracted from $\mathrm{PPG}_{wr}$ in T1-4, and the values from $\mathrm{PPG}_{fi}$ in T5 were input to the classifier. SAR is defined as follows: where $T$, $M_{acpt,t}$ and $M_t$ denote the total number of trials, number of authenticated segments in one trial, and total number of segments in one trial, respectively. We used SAR to assess the feasibility of PA by comparing it with EER (= FAR), which describes the feasibility of simple identity spoofing using the authentication device of the other person. Each validation was repeated five times and the average EERs and SARs were computed for each classifier.

3) FEATURE VALUE SELECTION
We evaluated the contribution of each feature value to authentication and PA by computing the permutation importance (PI). The PI is computed by shuffling one column of a dataset of feature values to generate a corrupted dataset and calculating the classification performance using the corrupted dataset. The PI of feature value $C_{i,m}$ is defined as follows [37]: where $s$, $K$, and $s_{k,m}$ represent the accuracy score of the trained classifier, total number of repetitions, and accuracy score using the corrupted feature values, respectively. We computed the PIs of all 43 values for both authentication and PA, using these values. If we exclude values with high PIs in PA, we may reduce the SAR. Therefore, we selected values based on PIs to reduce the feasibility of the PA. Several approaches have investigated the optimal number of feature values for PPG-based authentication, and their results showed that 15-24 values were effective in achieving a high accuracy of identification [26], [28], [38]. We compared the EER and SAR using the combinations i)-iv) for each classifier.
Figure 5 shows an example of PPG signals recorded simultaneously at the two measurement sites on a participant's body (S6, T3). Table 1 presents the evaluation metrics (MAPE, CC, and MI) computed for each feature value. However, we excluded the cases in which the denominators became zero in Eqs. (1) and (2) when we computed the MAPE and CC. MAPEs smaller than 0.100, CCs larger than 0.300, and MIs larger than 0.300 are shown in bold in Table 1. Figures 6, 7, 8, and 9 show examples of the relationships between the feature values extracted from the two measurement sites, which were proposed by Gu et al. [24], Jindal et al. [25], Siam et al. [26], and Hartmann et al. [27], respectively. Some of the relationships and evaluation metrics between $C^{wr}_{i,m}$ and $C^{fi}_{i,m}$ showed the possibility of information leakage. For example, Fig. 6(b) $C_{i,2}$: positive slant, Fig. 7(a) $C_{i,7}$: mean of DTW, Fig. 7(b) $C_{i,11}$: minimum value time, and Fig. 9(b) $C_{i,42}$: dicrotic notch time show a weak correlation between the values extracted from $\mathrm{PPG}_{wr}$ and $\mathrm{PPG}_{fi}$. Generally, if the CC between two values is greater than 0.300, we can assume they have a correlation [30]. Therefore, $CC_2 = 0.422$, $CC_7 = 0.389$, $CC_{11} = 0.398$, and $CC_{42} = 0.389$ indicate that there is a correlation between the values from $\mathrm{PPG}_{wr}$ and $\mathrm{PPG}_{fi}$. Additionally, $MI_{11} = 0.353$ was the highest MI (Table 1). We believe this is because $C_{i,11}$ is usually at the starting point or the end of the PPG segment, and the latter values from the PPG signals recorded on the different sites would be close to each other if the PPG signals repeat the same period of the cycle, as shown in Fig. 5. Figure 6(a) $C_{i,1}$: number of peaks shows that there were only a few variations in the values of $\mathrm{PPG}_{wr}$ and $\mathrm{PPG}_{fi}$. The difference between the values was the smallest for this feature ($MAPE_1 = 0.044$), as shown in Table 1. Figure 9(a) $C_{i,40}$: peak-to-peak also showed that there were fewer variations in the value from wrists than from fingertips. These relationships, such as the correlation and coincidence of the values, suggested that there was leakage of information required for PPG-based authentication. Therefore, the attacker might break the authentication by using PPG signals recorded on non-genuine measurement sites based on information leakage.

1) EXAMINATION OF INFORMATION LEAKAGE
However, as far as we can see in some relationships and evaluation metrics, there were also feature values that did not indicate the possibility of information leakage. For example, Fig. 8(a) $C_{i,16}$: MFCC1 and (b) $C_{i,17}$: MFCC2 did not show a definite correlation between the MFCCs extracted from $\mathrm{PPG}_{wr}$ and $\mathrm{PPG}_{fi}$. In addition, many MFCCs had $MI_m = 0.000$, as shown in Table 1. These relationships and metrics suggest that the MFCCs leak less information than the other values, and that it is difficult to estimate the values of an MFCC extracted from a PPG signal recorded at a measurement site using MFCCs extracted from PPG signals recorded at the other sites. Therefore, the results suggest that the appropriate selection of feature values for the PPG-based authentication algorithm may contribute to a reduction in feasibility of the PA.
Table 2 shows the EERs as the capability of authentication and SARs as the capability of PA. The combinations of feature values i)-iv) were selected based on the PI ranks included in Table 1. Smaller numbers of PI ranks indicate greater importance in either authentication or PA when using combinations of all feature values and each classifier. Table 2 i) indicates that the implemented authentication algorithm achieved an EER (= FAR) between 0.001 and 0.019 when using each classifier. Meanwhile, it also indicates that the SARs of the algorithm were between 0.197 and 0.279 when using each classifier, which were greater than the EERs. These results suggest that PPG-based authentication algorithms might accept the available signals in the PA with a higher probability than the impostor's signal (false acceptance). As shown in Table 1, PI ranks for the feature values often depended on classifiers. However, several values such as $C_{i,7}$, $C_{i,41}$ and $C_{i,42}$, as shown in Fig. 7(a), Fig. 9(a), and Fig. 9(b), respectively, contributed to both authentication and PA in many combinations of feature values and classifiers.
Using these values for the authentication algorithm is discouraged in terms of countermeasures against the PA, although they contribute to authentication performance. Table 2 indicates that the selection of feature values led to changing EERs and SARs, where i), ii), iii) and iv) denote the combination of all feature values, values that improved the authentication performance, values that improved the PA performance and values that did not improve the PA performance, respectively. Although the same number of values were used in ii) and iv), the SAR in iv) was smaller than the SARs in ii) for each classifier. The EER in iv) was larger than the SAR in ii); however, the EER difference between ii) and iv) was smaller than the SAR difference between ii) and iv) for each classifier. The results suggest that the selection of feature values based on the PIs would be effective for the PPG-based authentication algorithm against the PA. We succeeded in the reduction of SAR by 35.8 %, 52.4 %, 38.6 %, and 62.8 % by comparing the combinations iv) to ii) when we used kNN, MLP, SVM, and RF as the classifier, respectively.
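An added Python example (not the authors' code) of the evaluation described above: SAR taken as the per-trial mean of accepted fingertip segments, permutation importance measured on the PA, and a comparison of all features against the features that contribute least to the PA. The nearest-template classifier, the use of SAR as the score $s$, the cyclic shifts used in place of random shuffling so that the result is reproducible, and all data values are assumptions; only the feature names come from the paper.

```python
FEATURES = ["min_value_time", "dicrotic_notch_time", "mfcc1", "mfcc2"]

# Constructed, unit-normalised values (not the paper's measurements).
# One enrolled wrist template per user stands in for the trained classifier.
TEMPLATES = {"S1": (1.0, 1.0, 1.0, 1.0),
             "S2": (2.0, 2.0, 2.0, 2.0),
             "S3": (3.0, 3.0, 3.0, 3.0)}

# Held-out genuine wrist segments: (user, feature vector).
WRIST_TEST = [("S1", (1.1, 0.9, 1.15, 1.0)),
              ("S2", (2.0, 2.1, 1.95, 2.1)),
              ("S3", (2.9, 3.0, 3.05, 2.9))]

# Fingertip segments submitted as the named user: (user, trial, vector).
# Columns 0-1 follow that user's wrist value; the MFCC columns do not.
FINGER = [
    ("S1", 1, (1.0, 1.1, 1.75, 1.5)), ("S1", 1, (1.1, 1.0, 2.95, 2.7)),
    ("S1", 2, (0.9, 1.0, 1.65, 1.7)), ("S1", 2, (1.0, 0.9, 1.25, 1.1)),
    ("S2", 1, (2.0, 2.1, 2.75, 2.6)), ("S2", 1, (2.1, 2.0, 3.45, 3.3)),
    ("S2", 2, (1.9, 2.0, 2.65, 2.7)), ("S2", 2, (2.0, 1.9, 2.25, 2.1)),
    ("S3", 1, (3.0, 3.1, 2.35, 2.4)), ("S3", 1, (3.1, 3.0, 1.35, 1.2)),
    ("S3", 2, (2.9, 3.0, 2.45, 2.3)), ("S3", 2, (3.0, 2.9, 2.85, 2.9)),
]


def classify(vec, cols):
    """Nearest enrolled template (squared Euclidean) over the chosen columns."""
    def dist(user):
        return sum((vec[c] - TEMPLATES[user][c]) ** 2 for c in cols)
    return min(TEMPLATES, key=dist)


def genuine_accuracy(cols):
    """Share of held-out wrist segments assigned to their own user."""
    hits = sum(classify(vec, cols) == user for user, vec in WRIST_TEST)
    return hits / len(WRIST_TEST)


def sar(rows, cols):
    """Segment acceptance rate: mean over trials of accepted / total segments."""
    trials = {}
    for user, trial, vec in rows:
        acc, tot = trials.get((user, trial), (0, 0))
        trials[(user, trial)] = (acc + (classify(vec, cols) == user), tot + 1)
    return sum(a / t for a, t in trials.values()) / len(trials)


def rotate_column(rows, m, k):
    """Deterministic stand-in for shuffling: shift column m down by k rows."""
    col = [vec[m] for _, _, vec in rows]
    out = []
    for j, (user, trial, vec) in enumerate(rows):
        new = list(vec)
        new[m] = col[(j - k) % len(rows)]
        out.append((user, trial, tuple(new)))
    return out


def pa_permutation_importance(rows, cols):
    """PI_m = s - mean_k(s_km), with s the SAR on the intact fingertip data."""
    base = sar(rows, cols)
    shifts = range(1, len(rows))
    return {m: base - sum(sar(rotate_column(rows, m, k), cols)
                          for k in shifts) / len(shifts)
            for m in cols}


def select_features(pi, keep):
    """Keep the `keep` columns that contribute least to the PA."""
    return sorted(sorted(pi, key=pi.get)[:keep])


if __name__ == "__main__":
    all_cols = list(range(len(FEATURES)))
    pi = pa_permutation_importance(FINGER, all_cols)
    kept = select_features(pi, keep=2)
    for m in all_cols:
        print(f"{FEATURES[m]:>20}  PA-PI = {pi[m]:.3f}")
    print("all features:", sar(FINGER, all_cols), genuine_accuracy(all_cols))
    print("selected    :", [FEATURES[m] for m in kept],
          sar(FINGER, kept), genuine_accuracy(kept))
```

On this constructed data the two site-invariant columns carry the PA, so removing them lowers the SAR while the held-out wrist segments are still assigned to their own users; on real recordings the same selection has to be weighed against the authentication-side PI and the resulting EER.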

A. RELATIONSHIP BETWEEN INFORMATION LEAKAGE AND PA
Greater evaluation metrics did not necessarily lead to a higher PI rank of PA for the feature values, depending on the classifier, as shown in Table 1, although several metrics suggested that there might be information leakage based on their relationships such as the linear correlation between the values from $\mathrm{PPG}_{wr}$ and $\mathrm{PPG}_{fi}$. We expected that the PA might be more likely to succeed when many feature values $C^{wr}_{i,m}$ and $C^{fi}_{i,m}$ satisfying C wr
We used the 43 values proposed for the authentication and evaluation of differences in PPG waveforms in the four articles [24]-[27] and compared the same feature values such as $C^{wr}_{i,1}$ from $\mathrm{PPG}_{wr}$ and $C^{fi}_{i,1}$ from $\mathrm{PPG}_{fi}$. Although they were different from each other in the computation methods, there might be correlations between the values extracted from the same PPG signal, which might contribute to information leakage and redundancy in the algorithm. The redundancy cannot be solved by computing and comparing PIs of the feature values. For example, $C_{i,8}$: maximum value and $C_{i,40}$: peak-to-peak (difference between maximum value and minimum value), which were originally from the different articles [25], [27], may have a correlation that leads to information leakage because both of the values are related to the maximum value of the PPG signal. An attacker may estimate $C^{wr}_{i,m_1}$ using $C^{fi}_{i,m_2}$, where $m_1 \neq m_2$, and generate $\mathrm{PPG}_{wr}$ to break the authentication. If we reduce the number of values for authentication based on metrics such as CC and MI between the values extracted from the PPG signal, we can prevent information leakage and realize efficient PPG-based authentication algorithms.

B. LIMITATIONS
Under limited experimental conditions, we examined the information leakage and assessed the PA. We have addressed the following three limitations:

1) RECORDING CONDITION
We have to record PPG signals of a larger number of diverse participants at a wider variety of measurement sites. Although a larger number of participants are required statistically to ensure the reliability of biometric authentication systems [24], [25], we focused on the examination of the information leakage and assessment of the PA rather than the performance of the PPG-based authentication systems. If we record PPG signals at the other measurement sites, there may be more differences in the waveforms than between the two sites, which may not lead to information leakage and PA. Meanwhile, the characteristics of blood vessels, such as compliance, which depend on age and measurement site, contribute to the PPG waveforms [39]. If blood vessels in different measurement sites of one participant have the same characteristics, the feature values may be close to each other and contribute to information leakage and PA. In addition, considering the time between registration and authentication, we have to record PPG signals for a longer duration because the PPG waveforms gradually change, which may also contribute to the experimental results.

2) AUTHENTICATION ALGORITHM
We must examine the information leakage and assess the PA using other PPG-based authentication algorithms. We used only the algorithms using hand-crafted feature values such as a maximum value, although there have been many PPG-based authentication algorithms [11]. Some of them use hand-crafted feature values such as a maximum value, which includes the values used in the experiment, while others use all PPG signals based on deep-learning techniques such as a combination of convolution neural network (CNN) and long short-term memory (LSTM) [11].

3) SIGNAL GENERATION
PA was assessed by inputting the feature values extracted from the recorded PPG signals to the classifier, rather than transmitting artificial signals such as modulated current or light intensity to the input of the authentication system as proposed in our previous work [15]. Our future work includes the assessment of PA by generating and transmitting the signals to the PPG sensor. Fujii et al. investigated a technique to modulate the light intensity to a PPG sensor to get the target HR from smartwatches [40]. We expect that a similar technique may contribute to the PA against the PPG-based authentication, which spoofs the sensor to impersonate a victim.

C. COUNTERMEASURES
More countermeasures against the PA should be considered because Table 2 suggests that it could occur with a higher SAR than EER (= FAR) in any combination of feature values and classifiers, although the selection of values contributed to reducing SAR. For example, typical replay attack prevention, such as using one-time information, is effective because the PA repeats the recorded signal. It is also effective to add liveness detection techniques, such as a humidity sensor, to the authentication device along with the PPG sensor to recognize the object of measurement as a human body, because we assume that the attacker sends artificial signals to the sensor.

V. CONCLUSION
We assumed that PPG-based authentication would be available in the near future, and that there might be leakage of information required for authentication. The leakage is derived from the characteristics of PPG: a variety of measurement sites on a body. We examined the information leakage as the vulnerability in PPG-based authentication and assessed a PA against PPG-based authentication based on information leakage. In the experiment, we recorded PPG signals of 12 participants on their wrist and fingertip and examined the information leakage by computing evaluation metrics of the feature values extracted from the recorded $\mathrm{PPG}_{wr}$ and $\mathrm{PPG}_{fi}$. The results indicated that there were relationships such as linear correlation between some feature values, which might lead to information leakage and PA against PPG-based authentication. Then, we assessed the feasibility of the PA using the recorded $\mathrm{PPG}_{wr}$ and $\mathrm{PPG}_{fi}$ and evaluated the contributions of the feature values extracted from the signals to the PPG-based authentication and the PA by computing the PI of each value. The experimental results suggest that the PA might occur based on the contribution of the feature values and that the selection of feature values could reduce the probability of PA by up to 62.8 %.