A Novel Length-Flexible Lightweight Cancelable Fingerprint Template for Privacy-Preserving Authentication Systems in Resource-Constrained IoT Applications

Fingerprint authentication techniques have been employed in various Internet of Things (IoT) applications for access control to protect private data, but raw fingerprint template leakage in unprotected IoT applications may render the authentication system insecure. Cancelable fingerprint templates can effectively prevent privacy breaches and provide strong protection to the original templates. However, to suit resource-constrained IoT devices, oversimplified templates would compromise authentication performance significantly. In addition, the length of existing cancelable fingerprint templates is usually fixed, making them difficult to deploy in various memory-limited IoT devices. To address these issues, we propose a novel length-flexible lightweight cancelable fingerprint template for privacy-preserving authentication systems in various resource-constrained IoT applications. The proposed cancelable template design primarily consists of two components: 1) length-flexible partial-cancelable feature generation based on the designed re-indexing scheme; and 2) lightweight cancelable feature generation based on the designed encoding-nested-difference-XOR scheme. Comprehensive experimental results on public databases FVC2002 DB1-DB4 and FVC2004 DB1-DB4 demonstrate that the proposed cancelable fingerprint template achieves equivalent authentication performance to state-of-the-art methods in IoT environments, but our design substantially reduces template storage space and computational cost. More importantly, the proposed length-flexible lightweight cancelable template is suitable for a variety of commercial smart cards (e.g., C5-M.O.S.T. Card Contact Microprocessor Smart Cards CLXSU064KC5). To the best of our knowledge, the proposed method is the first length-flexible lightweight, high-performing cancelable fingerprint template design for resource-constrained IoT applications.

various sensors or smart devices via the Internet or other communication channels [1]. The 'things' connected in the IoT may perform functions of data collection, data processing or information communication. However, these functions are vulnerable to privacy leakage [2]-[4], especially during data collection and data processing, if there is no protection to raw information. Therefore, identity authentication has been one of the promising options for access control in IoT applications [5], [6]. An identity authentication system usually consists of two procedures: enrollment and verification. The enrollment procedure is aimed at registering a user by generating and storing the user's template, while the verification procedure attempts to match the template generated for a query against the enrolled template.
Fingerprints have proven to be one of the most popular and efficient biometric traits and have been pervasively used for identity authentication [7], [8]. Compared to traditional token-based identity authentication [9]-[11], fingerprint-based authentication systems are user-friendly because, unlike passwords, fingerprints won't be forgotten. Along with convenience, however, fingerprint-based authentication systems without any protection also expose IoT applications to privacy breaches and security risks. First and foremost, raw fingerprint data leakage in unprotected IoT applications may render the authentication system insecure, because the raw fingerprint data can be repeatedly utilized to spoof the authentication system. Simultaneously, a finger would be 'lost' forever once its raw fingerprint data is compromised. Another issue concerns legal regulations on data privacy around the world. For example, to protect personal private information, specific laws and legal regulations have been formulated in many regions and countries, such as the General Data Protection Regulation in the European Union, the Personal Information Protection Law of the People's Republic of China in China, and the California Privacy Rights Act in the United States. Therefore, it is essential to apply protection schemes to fingerprint authentication systems in IoT applications.
Fingerprint protection can typically be divided into two categories: 1) cryptography-based approaches and 2) cancelable fingerprint template approaches. In cryptography-based approaches, cryptographic techniques (e.g., symmetric/asymmetric encryption and homomorphic encryption) are commonly utilized to encrypt fingerprint templates so as to avoid original template leakage [12]-[14]. The benefit is that encrypted templates tend to be very secure and cannot easily be cracked. The downside is that the encryption and decryption processes are usually time-consuming. Therefore, the cryptography-based methods are unsuitable for resource-constrained IoT devices [13].
Cancelable biometrics is another template protection technique [15]-[20]. The core idea of cancelable fingerprint templates is to irreversibly transform the raw fingerprint template into a new template to avoid privacy leakage. Four objectives are demanded in the design of cancelable fingerprint templates [15], [21]: 1) diversity: different unrelated fingerprint templates can be obtained with disparate distortions; 2) revocability: a new template can be issued to replace the compromised template; 3) non-invertibility: it should be computationally infeasible to retrieve the original fingerprint template from the transformed (cancelable) template; and 4) accuracy: cancelable fingerprint templates should not significantly deteriorate the accuracy of fingerprint recognition. Therefore, cancelable fingerprint templates can effectively avoid privacy leakage and provide strong protection to the original templates. However, to suit resource-constrained IoT devices, oversimplified cancelable fingerprint templates deployed in resource-constrained IoT applications would compromise authentication performance significantly. In addition, the length of existing cancelable fingerprint templates is usually fixed, making them difficult to implement in various resource-constrained IoT devices. Moreover, designing cancelable fingerprint templates that meet the above four objectives is challenging, especially for IoT applications.
To address these issues, we design a length-flexible lightweight, high-performing cancelable fingerprint template for privacy-preserving authentication systems with applications to resource-constrained IoT devices. The proposed cancelable fingerprint template is based on the state-of-the-art minutia cylinder-code (MCC) [22], which is a robust minutia-based local descriptor with excellent authentication performance on public fingerprint databases. However, the original MCC is not designed for resource-constrained IoT devices. More importantly, the original MCC has no template protection function. The proposed cancelable fingerprint template design consists of two components: 1) length-flexible partial-cancelable feature generation; and 2) lightweight cancelable feature generation. For the first component, we propose a simple, efficient yet effective method to flexibly re-index the original MCC feature. For the second component, we develop an encoding-nested-difference-XOR scheme. The novel cancelable template possesses four advantages: 1) flexible length: the template length can be flexibly adjusted to suit various memory-limited IoT devices; 2) lightweight: this makes the proposed template further applicable to memory- and computation-constrained IoT devices; 3) cancelability: this protects raw fingerprint data against privacy leakage; and 4) high performance: extensive experiments demonstrate the satisfactory performance of the proposed cancelable template on eight public fingerprint datasets.
The main contributions of this study are summarized as follows:
• To the best of our knowledge, this study proposes the first length-flexible, high-performing privacy-preserving fingerprint template suited to various memory-limited IoT devices. As IoT devices are usually embedded with varying storage space, it is essential to provide length-flexible but high-performing fingerprint templates.
• We propose an innovative lightweight cancelable fingerprint template based on the re-indexing operation and the encoding-nested-difference-XOR operation. The template size is reduced by up to 85% (around 64K bits) while achieving superior verification performance in the privacy-preserving IoT environment. The cancelable characteristic can also protect the original fingerprint data against hill-climbing and pre-image attacks, thus making the proposed template appropriate for resource-constrained IoT applications.
• Comprehensive experimental results obtained on eight public benchmark datasets FVC2002 DB1-DB4 [23] and FVC2004 DB1-DB4 [24] demonstrate that the proposed template achieves equivalent authentication accuracy to the state-of-the-art cancelable fingerprint templates in IoT settings, but our design significantly reduces template storage space and computational cost.
The rest of this paper is organized as follows. We review state-of-the-art studies on privacy-preserving fingerprint templates and lightweight fingerprint authentication systems for IoT applications in Section II. We detail the proposed cancelable template in Section III. We present the experimental setting and analyze the experimental results in Section IV. We conclude the paper in Section V.

II. RELATED WORK
Cryptographic techniques (e.g., symmetric/asymmetric encryption and homomorphic encryption) have been used to protect original fingerprint templates by encrypting them [12], [25], [26]. Xi et al. [25] reviewed topical cryptographic techniques and fingerprint biometrics and discussed the applications of the cryptographic technique in fingerprint-based authentication systems. Kim et al. [12] proposed using fully homomorphic encryption to protect the original fingerprint image by encrypting its features. This method can provide strong protection to the original template. However, this method is time-consuming and unsuitable for resource-constrained IoT devices. Yang et al. [26] introduced a similar homomorphic encryption-based fingerprint authentication method, in which minutiae pairs are used as original features. However, the authentication accuracy (EER=8.25%) of this method is unsatisfactory. Azzaz et al. [27] proposed a symmetric encryption-based method to encrypt a fingerprint image instead of its features (e.g., minutiae) to avoid privacy leakage. The disadvantage is that fingerprints could be lost forever once the cipher key is leaked. Besides, the encryption and decryption would increase computational complexity. Liu et al. [28] presented a fingerprint encryption-based online fingerprint authentication scheme, in which homomorphic addition is used to encrypt fingerprint data. However, this method is cloud-oriented and unsuitable for IoT applications. In summary, cryptography-based fingerprint authentication methods tend to be time-consuming and resource-intensive due to the encryption and decryption operations. Besides, original fingerprint information is still at risk of privacy breaches due to key-related hacking.
Another popular protection scheme is cancelable fingerprint template techniques, which aim to irreversibly transform the raw fingerprint template into a new one to avoid privacy breaches [15]. Kho et al. [29] proposed a cancelable fingerprint template design based on the local minutia descriptor and permutated randomized non-negative least square. Wu et al. [30] designed a privacy-preserving cancelable pseudo-template based on a random distance transformation technique. Kavati et al. [31] proposed a cancelable fingerprint template protection scheme using elliptical structures guided by fingerprint minutiae. Although this method provides strong protection to the raw fingerprint template, the authentication accuracy is poor with EER of 7.3% and 5.13% for FVC2002 DB1 and DB2, respectively. Tran et al. [21] proposed a multifilter matching framework for cancelable fingerprint template design and achieved good authentication performance. Bedari et al. [32] presented an alignment-free cancelable MCC-based fingerprint template design. Similarly, Yin et al. [33] proposed an IoT-oriented cancelable fingerprint template based on the MCC feature and achieved state-of-the-art authentication performance in an IoT environment. Unlike the aforementioned methods, Lee et al. [34] developed a tokenless cancelable template for multi-modal biometric systems, where the real-valued face and fingerprint vectors are fused into a cancelable template. In summary, compared to cryptography-based fingerprint template protection methods, cancelable fingerprint templates can effectively protect raw fingerprint data because the cancelable template instead of the raw template is stored in the authentication system. However, most of these approaches are designed for cloud applications or powerful devices rather than resource-constrained IoT applications. Besides, most of these cancelable templates are usually of fixed length, making them unsuitable for resource-constrained IoT devices.
Fingerprint-based authentication systems in IoT environments have been explored in the literature [35]-[37]. Habib et al. [38] introduced an authentication framework based on biometric and radio fingerprinting for the IoT in an eHealth application. Through the embedded authentication system, the framework can guarantee that the monitored private data is associated with the correct patient. Punithavathi et al. [36] proposed a lightweight fingerprint authentication system based on machine learning for smart IoT devices in a cloud computing environment. However, the authentication accuracy evaluated on public datasets FVC2002 DB1-DB2 and FVC2004 DB1-DB2 is poor. Golec et al. [39] introduced a fingerprint-based authentication system in an IoT environment, where the fingerprint data in the communication channel and database is protected by the AES-128-bit key encryption method. Sabri et al. [40] developed a fingerprint-based authentication framework for match-on-card and match-on-host applications, but the fingerprint template is unprotected. Kumar [41] utilized a fingerprint authentication system in an IoT environment to defend communication channels against black hole attacks. However, the fingerprint template used in the authentication system is vulnerable to privacy breaches. In summary, fingerprints or fingerprint features have been used for identity authentication in various IoT applications and even on resource-constrained IoT devices, such as smart cards. However, the original fingerprint data in these studies faces privacy leakage issues.

III. THE PROPOSED LIGHTWEIGHT CANCELABLE FINGERPRINT TEMPLATE
A fingerprint authentication system typically consists of two procedures: 1) enrollment and 2) verification. The enrollment procedure is aimed at registering a user by generating and storing the user's template, while the verification procedure is aimed at generating a template for a query user and matching the template against the enrolled one. The enrollment procedure usually consists of fingerprint acquisition via a fingerprint sensor, template generation and template storage. The verification procedure usually consists of fingerprint acquisition, template generation and template matching. In cloud-based applications, a fingerprint is captured on the end-user side and then transferred to the cloud for template generation, template storage and template matching. Thus, the end-user is responsible for capturing a fingerprint, transferring it to the cloud, and then receiving the verification result from the cloud. The security issue here is that the private fingerprint data is held by the cloud. This may cause privacy leakage due to security concerns in relation to cloud servers or attackers. In the IoT applications discussed in this work, the fingerprint data does not leave the IoT. The IoT application takes responsibility for fingerprint acquisition, template generation, template storage and template verification. As opposed to cloud-based applications where the raw fingerprint needs to be transferred to the cloud, in IoT applications, a cancelable template stays in the IoT. As an advantage, the raw fingerprint enrolled in the IoT application is securely protected because a compromised cancelable template would not reveal the raw fingerprint information.
The core step in both enrollment and verification is template generation. This work proposes a novel method for generating a lightweight cancelable fingerprint template for resource-constrained privacy-preserving IoT applications. In the rest of this section, we firstly introduce the preliminary procedure about minutia extraction and minutia-based MCC feature extraction in Section III-A. Then, we describe the details of partial-cancelable feature generation in Section III-B and lightweight cancelable feature generation in Section III-C. Finally, we present template matching in Section III-D.

A. Preliminary Procedure
1) Minutia Extraction: Minutiae as a popular feature starting point have been widely used in fingerprint biometrics. In this paper, minutiae are also utilized to generate the proposed IoT-oriented cancelable fingerprint template. Given a fingerprint image captured by the embedded fingerprint sensor, $n$ minutiae are extracted to represent this fingerprint, denoted by $T = \{m_1, m_2, \cdots, m_n\}$. Each minutia is in the format of ISO/IEC 19794-2, defined by $m_i = \{x_i, y_i, \theta_i\}$, where $x_i$ and $y_i$ are the coordinates in pixels and $\theta_i \in [0, 2\pi]$ stands for the minutia orientation. In the proposed IoT-oriented fingerprint authentication system, minutia extraction is performed with the minutia extraction algorithm Mindtct [42] from the open-source NIST biometric image software.
2) MCC Template: The MCC template [22] is a robust minutia-based local feature representation and has been proved successful in fingerprint authentication. As the MCC feature is defined by the relative relationship between a minutia and its neighboring minutiae, the MCC feature possesses some desirable properties, such as translation- and rotation-invariance, and fixed length. The MCC feature is defined for each minutia and represented by a cylinder which is discretized into cube-like cells. The value for each cell is used to measure the relative distance contribution between the cell and neighboring minutiae, as well as to measure the relative orientation contribution between the cell, the reference minutia and neighboring minutiae.
The MCC feature for each minutia contains two vectors: 1) the cell value vector and 2) the cell validity vector. The cell value is calculated by the distance and orientation contributions, while the cell validity is used to indicate the cell status. An MCC feature is represented by where $c$ denotes the cell value vector and $b$ the cell validity vector [22]. According to the parameter settings for the MCC feature in [22], the cylinder diameter is set to $N_S = 16$ cells and the height of the cylinder is set to $N_D = 5$ cells. Therefore, the length of the cell value vector $c$ is represented by $L_c = 1{,}280$ (i.e., $N_S \times N_S \times N_D$), while the length of the cell validity vector $b$ is represented by $L_b = 256$ (i.e., $N_S \times N_S$).

B. Length-Flexible Partial-cancelable Features
A simple, efficient yet effective scheme is proposed to generate the partial-cancelable feature by re-indexing the original MCC feature. The new feature contains two parts: 1) the cell value part and 2) the cell validity part. To design a lightweight feature, we assign a percentage value $p \in [50\%, 100\%]$ to control the length of the new cancelable feature. Given the MCC feature vector $v$ with the length $L_c$, its index set $I$ is defined by its cell value part $c$ is represented by and its cell validity part can be easily obtained by replicating the base mask for each cell section in the cylinder because each section shares the same base mask, without causing ambiguity, where the $i$th bit $b_i$ denotes the validity of the $i$th value in the cell value part $c$. A re-indexing set $I'$ is generated by randomly selecting $l$ unique integers from the set $I$, represented by $l$ is set to a multiple of eight to facilitate the subsequent feature extraction. For convenience, we alternatively denote $l = 8k$. The new cell value vector is then obtained by collecting the corresponding values from $c$ with the index in $I'$, expressed as and the cell validity vector is similarly obtained from $b$, given by In summary, the partial-cancelable feature is formulated by This is a partial-cancelable feature, because it satisfies three of the four objectives of cancelable templates: diversity, revocability and accuracy. The diversity is guaranteed by many re-indexing sets that exist, namely $\frac{L_c!}{(L_c - l)!}$. Regarding the revocability, as the re-indexing process is controlled by a random generator, a new template can be easily obtained by choosing a different random seed. The accuracy is also not much affected by this new feature. Especially, setting $p = 100\%$ maintains the same accuracy, because the similarity between two features defined in [22] is order-invariant to the feature elements. At this stage, the feature in Eq. (7) does not achieve non-invertibility, because the original template may be retrieved by gathering the features and the corresponding index sets. In Section III-C, we will propose a scheme to attain non-invertibility and a lightweight design.

C. Lightweight Cancelable Features
To achieve the non-invertibility objective as well as the lightweight design, we propose an encoding-nested-difference-XOR scheme, which contains three operations: 1) the nested-difference operation; 2) the encoding operation; and 3) the bitwise XOR Boolean operation. As a notable benefit to resource-constrained IoT devices, the new feature will save approximately 87.5% storage space when $p = 50\%$ compared to the bit-MCC feature [22]. For example, for the partial-cancelable feature with $p = 50\%$ containing $8k$ cell values, the proposed lightweight cancelable feature will result in $2k$ bits.
1) The Nested-difference Operation: This operation is to calculate the nested difference of four neighboring cell values in the partial-cancelable vector. For clarity, we define the first-layer nested difference by vector $e^{L1}$, whose $i$th element $e^{L1}_i$, formulated by Eq. (8), is calculated upon the partial-cancelable vector $c'$ in Eq. (5).
where $1 \le i \le 4k$. The second-layer nested difference vector $e^{L2}$ is then calculated upon the first-layer nested difference, represented by where the $i$th element and $1 \le i \le 2k$. For convenience and without causing ambiguity, we use $e$ to represent $e^{L2}$ and use $e_i$ to represent the $i$th element in $e$. As $c_i$ is in the range $[0, 1]$, $e_i$ is therefore in the range $[-2, 2]$. For the cell validity part, we use the OR Boolean operator to concatenate four neighboring cell masks so that valid cells can remain. The new validity vector is formulated by where the $i$th element and $|$ denotes the OR Boolean operator. This procedure has three advantages: 1) the nested difference can significantly reduce the number of elements because it can incorporate four values; 2) the proposed operation increases the difficulty to revert to the original feature; and 3) the simple relationship between four values can effectively identify the distinguishability of the original feature, which is also supported by the experimental results in Section IV-D and IV-E.
2) The Encoding Operation: The encoding operation uses two bits to encode the relationship between the nested difference and a threshold. For a well-defined threshold, this relationship can effectively model the original feature information without significantly deteriorating the matching accuracy. Given a nested difference $e$ and a threshold $\tau$ ($\tau$ is optimally set to 0.2 in our experiments), the encoding table is shown in Table I. By encoding the vector $e$ (in Eq. (9)) according to Table I, a new vector $\bar{e}$ in bits is obtained as where each unit $\bar{e}_i$ contains two bits. Its validity vector is the same as $d$ in Eq. (10). The encoding procedure has two key advantages: 1) the threshold in the encoding operation can enhance the privacy of the original feature, thus making it impossible to revert to the original MCC feature; and 2) the encoding that converts float values into bits can significantly reduce the storage space.
3) The Bitwise XOR Boolean Operation: The XOR Boolean operation conducts the bitwise XOR between two neighboring units $\bar{e}_i$ and $\bar{e}_{i+1}$. Given the encoded vector $\bar{e} = (\bar{e}_1, \bar{e}_2, \cdots, \bar{e}_{2k})$, the new feature vector $\hat{e}$ in bits is formulated by where $\hat{e}_i = \bar{e}_{2i-1} \oplus \bar{e}_{2i}$, $1 \le i \le k$, and $\oplus$ denotes the bitwise XOR Boolean operator. For example, given $\bar{e}_1 = 10$ and $\bar{e}_2 = 00$, we obtain $\hat{e}_1 = 10 \oplus 00 = 10$. The corresponding validity vector is obtained by  16], the length of the proposed cell validity vector is less than that of the original cell validity vector; otherwise, we can alternatively use the base mask to easily obtain the cell validity vector without increasing extra storage costs.
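The sketch below is an added example, not code from the paper, that traces the re-indexing step of Section III-B and the three operations of Section III-C on a constructed feature and returns the resulting size in bits. The plain pairwise subtraction in each difference layer, the two-bit code table, the rounding of $l$ down to a multiple of eight, and all function names are assumptions, since Eq. (8)-(9) and Table I are not reproduced on this page; the validity vector after the XOR step is left out for the same reason.

```python
import random

N_S, N_D = 16, 5
L_C = N_S * N_S * N_D   # 1,280 cell values per MCC feature (from the page)
TAU = 0.2               # encoding threshold reported on the page


def reindex_set(seed, p, length=L_C):
    """Re-indexing set I': l unique indices chosen by a seeded generator.

    Rounding l down to a multiple of eight is an assumption (the page only
    states l = 8k). random.Random is a stand-in for the seeded generator.
    """
    l = int(p * length) // 8 * 8
    return random.Random(seed).sample(range(length), l)


def nested_difference(values):
    """Two layers of pairwise differences: 8k values -> 4k -> 2k (assumed form)."""
    layer1 = [values[i] - values[i + 1] for i in range(0, len(values), 2)]
    return [layer1[i] - layer1[i + 1] for i in range(0, len(layer1), 2)]


def or_validity(bits):
    """OR four neighbouring validity bits so that valid cells remain."""
    return [int(any(bits[i:i + 4])) for i in range(0, len(bits), 4)]


def encode(diffs, tau=TAU):
    """Two-bit code per nested difference. Assumed table, not the paper's
    Table I: above tau -> 10, below -tau -> 01, otherwise 00."""
    return [0b10 if e > tau else 0b01 if e < -tau else 0b00 for e in diffs]


def xor_pairs(units):
    """Bitwise XOR of neighbouring two-bit units: 2k units -> k units."""
    return [units[i] ^ units[i + 1] for i in range(0, len(units), 2)]


def lightweight_feature(c, b, seed, p):
    """Return (e_hat, d): the k two-bit units and the 2k-bit validity vector d."""
    idx = reindex_set(seed, p, len(c))
    c_sel = [c[i] for i in idx]          # partial-cancelable cell values
    b_sel = [b[i] for i in idx]          # matching validity bits
    e_hat = xor_pairs(encode(nested_difference(c_sel)))
    return e_hat, or_validity(b_sel)


def feature_bits(e_hat):
    """Storage of the value part: two bits per unit."""
    return 2 * len(e_hat)


def constructed_feature(seed):
    """Constructed sample data, not a real MCC feature. Values are multiples
    of 1/64 in [0, 0.5] so that every difference is exact in floating point."""
    rng = random.Random(seed)
    c = [rng.randrange(0, 33) / 64 for _ in range(L_C)]
    base_mask = [int(rng.random() < 0.8) for _ in range(N_S * N_S)]
    return c, base_mask * N_D            # base mask replicated per section


if __name__ == "__main__":
    c, b = constructed_feature(seed=1)
    for p in (1.0, 0.5):
        e_hat, d = lightweight_feature(c, b, seed=42, p=p)
        print(f"p={p}: {feature_bits(e_hat)} value bits, {len(d)} validity bits")
    # Revocability: a new seed gives a different template for the same finger.
    first = lightweight_feature(c, b, 42, 1.0)[0]
    print("re-issued differs:", lightweight_feature(c, b, 43, 1.0)[0] != first)
    # Many-to-one: shifting every cell by a constant leaves the output unchanged.
    shifted = [x + 0.25 for x in c]
    print("shifted input collides:", lightweight_feature(shifted, b, 42, 1.0)[0] == first)
```

The last check shows one source of information loss under these assumptions: the nested difference cancels any offset common to four neighbouring cells, so distinct cell vectors map to the same stored bits.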

D. Template Matching
Template matching is to decide whether two templates are matched, which is an essential process in biometric authentication. This procedure comprises two steps: 1) computation of the similarity between two feature vectors; and 2) computation of the decision score.
1) Computation of the Similarity between Two Feature Vectors: Given two feature vectors $v_q = [\hat{e}_q, \hat{d}_q]$ and $v_p = [\hat{e}_p, \hat{d}_p]$ coming from the query template and the enrolled template, respectively, the intersection between the two cell validity vectors is defined by where $\otimes$ denotes the bitwise AND Boolean operator. To facilitate the subsequent computation, we must align the intersected validity vector with the cell value vectors. The aligned validity vector $\hat{d}_{qp}$ is obtained by duplicating each bit of $d_{qp}$, represented by The similarity between two features is calculated by where The similarity is in the range $[0, 1]$, where the higher the value, the more similar the two features are.
2) Computation of the Decision Score: The decision score is used to measure the matching probability between a query template and an enrolled template. Given a query template containing $n$ feature vectors and an enrolled template containing $m$ feature vectors, a score matrix $s$ of size $n \times m$ is obtained by calculating the similarity of each pair of feature vectors from the query and enrolled templates. The element $s_{qp}$ of the score matrix $s$ is given by Eq. (16). The decision score is then calculated upon the score matrix $s$ using the local greedy similarity (LGS) algorithm in [43]. The decision score is in the range $[0, 1]$, with a larger value indicating a higher matching probability between the query and enrolled templates.

IV. EXPERIMENTS
In this section, we evaluate the proposed template in an IoT environment in terms of matching accuracy and efficiency. First, we present the experimental setting in Section IV-A, including the benchmark datasets, the evaluation protocol, and the measurement metrics. Next, we evaluate the effect of the feature length using different values of $p$ in Section IV-B. Then, we comprehensively compare the proposed lightweight cancelable template with state-of-the-art methods in Section IV-D, and implement an IoT prototype system to evaluate the authentication performance on eight benchmark datasets in Section IV-E. Finally, security analysis is conducted in Section IV-F.

A. Experimental Setting
1) Benchmark Datasets: Eight benchmark datasets are used in the experiments, including four from FVC2002 [23] and four from FVC2004 [24]. Each dataset is composed of eight hundred fingerprint images collected from one hundred fingers, with eight images per finger. Details about the FVC2002 datasets and FVC2004 datasets are shown in Table III and Table IV, respectively.
2) Evaluation Protocol: The widely used FVC evaluation protocol is adopted to assess the performance of the proposed template. In this protocol, genuine scores and imposter scores are calculated to evaluate the performance. The genuine scores are obtained by matching each fingerprint image of a finger against the remaining ones of the same finger. If the matching of $P$ against $Q$ is performed, the symmetric one (i.e., $Q$ against $P$) is not tested to avoid correlation. For each dataset, the total number of genuine scores is therefore 2,800 (i.e., $(8 \times 7)/2 \times 100$). The imposter scores are obtained by matching the first fingerprint image of each finger against the first one of the remaining fingers. Similarly, repeated tests are not performed. For each database, the total number of imposter scores is therefore 4,950 (i.e., $(100 \times 99)/2$).
3) Measurement Metrics: The following metrics, which are commonly used in biometric authentication, are adopted to evaluate the authentication accuracy of the proposed template:

B. Authentication Accuracy with Different Values of p
In this experiment, we evaluate the effect of the feature length, controlled by $p$ in Eq. (4), on the authentication accuracy in terms of the DET curve, the EER, and the FMR$_{1000}$. To avoid redundant computation, we evaluate three feature lengths, namely $\frac{1}{4}L_c$, $\frac{1}{6}L_c$ and $\frac{1}{8}L_c$, with $p = 1$, $p = 2/3$ and $p = 1/2$, respectively. For convenience, we use 'eMCC$_1$', 'eMCC$_{2/3}$' and 'eMCC$_{1/2}$' to indicate these three features, respectively. Table V summarizes the relationship between the feature length and the parameter $p$ as well as the comparison of the length between these three features and the original MCC feature. To minimize the side effects caused by missing and spurious minutiae, the commercial software Verifinger 12.1 is employed in this experiment to extract minutiae. The LGS algorithm mentioned in Section III-D is used to perform the template matching.
Fig. 1 shows the comparison of DET curves evaluated by eMCC$_1$, eMCC$_{2/3}$, and eMCC$_{1/2}$ on datasets FVC2002 DB1-DB4 and FVC2004 DB1-DB4. It is clearly shown that similar DET curves are obtained by eMCC$_1$, eMCC$_{2/3}$, and eMCC$_{1/2}$ on these eight datasets, especially on datasets FVC2002 DB1, FVC2002 DB2, FVC2002 DB4, FVC2004 DB1, FVC2004 DB2, and FVC2004 DB3. We can also observe that there are no significant differences at the intersections between the DET curves and the FMR$_{1000}$ line and the EER line. The DET curves obtained by eMCC$_1$ on these eight datasets are slightly better than those obtained by eMCC$_{2/3}$ and eMCC$_{1/2}$, which is because eMCC$_1$ incorporates the whole information of the original MCC feature, while eMCC$_{2/3}$ and eMCC$_{1/2}$ only utilize two thirds and half of the original MCC feature, respectively. It is worth noting that there are fewer differences between the DET curves obtained by eMCC$_{2/3}$ and those obtained by eMCC$_{1/2}$. In summary, eMCC$_1$ performs marginally better than eMCC$_{2/3}$ and eMCC$_{1/2}$, while eMCC$_{2/3}$ and eMCC$_{1/2}$ achieve very similar performance.
2) Comparison of the EER and FMR$_{1000}$ Evaluated with Different Values of $p$: Table VI demonstrates the comparison of verification accuracy in terms of the EER and FMR$_{1000}$ evaluated by eMCC$_1$, eMCC$_{2/3}$, and eMCC$_{1/2}$ on FVC2002 DB1-DB4 and FVC2004 DB1-DB4. As shown in Table VI, eMCC$_1$ achieves slightly better EER on most of these eight datasets than eMCC$_{2/3}$ and eMCC$_{1/2}$, except on FVC2002 DB2 where eMCC$_{1/2}$ achieves a slightly better EER than eMCC$_1$ and eMCC$_{2/3}$. On these eight datasets, eMCC$_{2/3}$ and eMCC$_{1/2}$ achieve comparable accuracy in terms of the EER, evidenced by eMCC$_{2/3}$ performing better on five of these eight datasets than eMCC$_{1/2}$, while eMCC$_{1/2}$ obtains better EER on the other three datasets than eMCC$_{2/3}$. Regarding FMR$_{1000}$, eMCC$_1$ performs better on seven of these eight datasets than eMCC$_{2/3}$ and eMCC$_{1/2}$, while on FVC2004 DB1, eMCC$_{1/2}$ achieves a slightly better result. eMCC$_{2/3}$ and eMCC$_{1/2}$ achieve comparable accuracy of FMR$_{1000}$, evidenced by eMCC$_{1/2}$ achieving better results on five of these eight datasets than eMCC$_{2/3}$, while eMCC$_{2/3}$ performs better on the other three datasets than eMCC$_{1/2}$. In summary, eMCC$_1$ performs better on most of these eight datasets than eMCC$_{2/3}$ and eMCC$_{1/2}$, while eMCC$_{2/3}$ and eMCC$_{1/2}$ achieve very similar performance.

C. Performance Against the Number of Nesting Layers
The main idea of our nested-difference operation is to extract discriminative features exhibiting the difference of   (9). Eight cells of the cell vector will contribute to the nested difference in the third layer $e^{L3}$, where the $i$-th element $e^{L3}_i$ is formulated by Eq. (17).
We use dMCC$_1$ to denote the new template defined by Eq. (17) with $p = 1$. Experiments are conducted to show the performance against the number of nesting layers (i.e., the number of cell vector values involved in the nested difference). As shown in Table VII, Fig. 2 and Table VIII, compared to eMCC$_1$, dMCC$_1$ obtains much worse accuracy in terms of EER and FNMR$_{1000}$, although it saves half the storage space. Compared to eMCC$_{1/2}$, which has the same storage space, dMCC$_1$ still achieves much worse accuracy in terms of EER and FNMR$_{1000}$ for all four datasets. Apparently, two layers of nesting strike the best balance between the template size and authentication accuracy.

D. Comparison of the Proposed Lightweight Cancelable Template with State-of-the-art Methods
In this section, we comprehensively compare the proposed lightweight cancelable template with state-of-the-art methods in four essential aspects: 1) Template characteristics, including template length, IoT oriented, binary, and cancelable; 2) Distributions of matching score; 3) DET curves; and 4) EER and FMR$_{1000}$ evaluation. Similar to Section IV-B, to reduce the impact of missing and spurious minutiae, the commercial software Verifinger 12.1 is adopted in this experiment for minutia extraction. The LGS algorithm introduced in Section III-D is used to perform the template matching. The three state-of-the-art templates used as the baseline are summarized as follows: 1) the original MCC template [22] (denoted as 'MCC'); 2) the original binary MCC template [22] (denoted as 'bMCC') obtained by binarizing the MCC template; and 3) the latest IoT-oriented privacy-preserving template [33] (denoted as 'cMCC') developed upon the MCC template. The experimental results for MCC, bMCC, and cMCC are provided by [33].
1) Comparison of the Template Characteristics: Table IX compares the template characteristics of the proposed lightweight cancelable template and the baseline (i.e., the aforementioned three state-of-the-art fingerprint templates MCC, bMCC and cMCC). Compared with MCC and bMCC, the IoT-oriented binary cancelable template cMCC reduces half of the cell value part but does not save the cell validity part. By contrast, the proposed template achieves substantial storage savings in both the cell value part and the cell validity part.
3) DET Curves: Fig. 5 and Fig. 6 show the comparison of DET curves obtained by MCC, bMCC, cMCC, eMCC$_1$, eMCC$_{2/3}$, and eMCC$_{1/2}$ on datasets FVC2002 DB1-DB4 and FVC2004 DB1-DB4, respectively. On FVC2002 DB4 and FVC2004 DB4, the proposed eMCC$_1$, eMCC$_{2/3}$ and eMCC$_{1/2}$ show similar DET curves compared to MCC, bMCC and cMCC. On FVC2002 DB1, FVC2002 DB3, FVC2004 DB1 and FVC2004 DB2, for FMR $< 10^{-3}$, the proposed eMCC$_1$, eMCC$_{2/3}$, and eMCC$_{1/2}$ achieve close FNMR values compared to MCC, bMCC and cMCC. In summary, eMCC$_1$, eMCC$_{2/3}$ and eMCC$_{1/2}$ only have minor deterioration in authentication accuracy, but they make considerable savings in the storage space. This demonstrates the validity of the proposed template.
Table X compares the EER and FMR$_{1000}$ obtained by MCC, bMCC, cMCC, eMCC$_1$, eMCC$_{2/3}$ and eMCC$_{1/2}$ on datasets FVC2002 DB1-DB4 and FVC2004 DB1-DB4. With a sizable reduction on the template length, the proposed eMCC$_1$, eMCC$_{2/3}$ and eMCC$_{1/2}$ achieve relatively close EER on most of these eight datasets, and eMCC$_1$ even outperforms the IoT-oriented template cMCC on FVC2002 DB3 and FVC2004 DB3. Regarding FMR$_{1000}$, the proposed eMCC$_1$, eMCC$_{2/3}$, and eMCC$_{1/2}$ also achieve similar accuracy on most of the eight datasets. On FVC2002 DB3, eMCC$_1$ even performs better than bMCC and cMCC. On FVC2004 DB4, eMCC$_1$ has a better FMR$_{1000}$ than bMCC. On FVC2004 DB1, eMCC$_{1/2}$ achieves a better FMR$_{1000}$ than bMCC.
In summary, this demonstrates that with a significantly reduced template length, the proposed lightweight cancelable template shows no degradation in authentication accuracy.

E. Evaluation in an IoT Prototype System
In this section, we evaluate the proposed template on an IoT prototype system, implemented using the popular open-source software Open Virtual Platforms™ (OVP™, version 20210408.0) and the RISC-V instruction set architecture.
1) Storage of eMCC Template and Runtime: Table XI shows
The average time taken for fingerprint enrollment and verification is measured by evaluating the prototype system on FVC2002 DB1 with eight hundred fingerprints of size 388 × 374. The fingerprint enrollment process aims to extract minutiae in the format of ISO/IEC 19794-2 and to generate an eMCC template to be stored, so the original fingerprint image or feature is not stored to prevent privacy leakage. The fingerprint verification process, which shares the same minutiae extraction and template generation, aims to match a query template against the enrolled template. The open-source algorithm Mindtct [42] is utilized to implement the minutiae extraction in this simulation experiment. The average runtime of the minutiae extraction is around 2,300 milliseconds, which obviously can be optimized further. Since minutiae extraction is a relatively independent process, it is beyond the scope of this work. The average runtime of generating eMCC$_1$, eMCC$_{2/3}$ and eMCC$_{1/2}$ is approximately 255, 240 and 225 milliseconds, respectively. Compared with minutiae extraction and template generation, template matching is time-efficient, with an average runtime of 70 milliseconds for eMCC$_1$, 55 milliseconds for eMCC$_{2/3}$, and 45 milliseconds for eMCC$_{1/2}$. In summary, slightly depending on the parameter $p$, the average runtime of the enrollment process varies approximately from 2,525 milliseconds to 2,555 milliseconds, while the average runtime of the verification process varies approximately from 2,570 milliseconds to 2,625 milliseconds. Note that the enrollment and verification procedures spend much more of their time on the time-consuming minutiae extraction.
Therefore, there is much room for reducing the runtime by either optimizing the minutiae extraction process or integrating a time-saving minutiae extraction method.
Table XII shows the comparison of efficiency of the proposed eMCC$_{1/2}$ with state-of-the-art cryptographic fingerprint authentication methods, namely M1-2021 [44], M2-2021 [28] and M3-2020 [26]. As shown in Table XII, compared with M1-2021 [44] and M2-2021 [28], even though they are based on cloud computing, the proposed eMCC$_{1/2}$ achieves better efficiency in terms of authentication time, storage space, and communication cost. Compared with the cloud-based method M3-2020 [26], the proposed eMCC$_{1/2}$ performs better in authentication time. In addition, the proposed eMCC$_{1/2}$ performs much faster than M3-2020 [26]. The proposed eMCC$_{1/2}$ costs about 2,525 ms for a 12,000-bit template, while M3-2020 [26] needs about 123,537 ms for encrypting a 300-bit template. Besides, the proposed eMCC$_{1/2}$ achieves a better EER of 1.4% than M3-2020 [26] with an EER of 8.25% on FVC2002 DB2.
2) Comparison of DET Curves: Fig. 7 and Fig. 8 compare the DET curves obtained by MCC, bMCC, cMCC, eMCC$_1$, eMCC$_{2/3}$ and eMCC$_{1/2}$ on datasets FVC2002 and FVC2004, respectively, evaluated using the implemented IoT prototype system. The results for MCC, bMCC, and cMCC are provided by [33]. The results for eMCC$_1$, eMCC$_{2/3}$, and eMCC$_{1/2}$ are obtained using the implemented IoT system. As shown in Fig. 7, on FVC2002 DB1, FVC2002 DB2, and FVC2002 DB3, the DET curves are similar to each other. On the left side of the FMR$_{1000}$ line on FVC2002 DB1 and FVC2002 DB2, eMCC$_1$ shows better DET curves than cMCC. We also observe that on the left side of the FMR$_{1000}$ line on FVC2002 DB3, eMCC$_1$, eMCC$_{2/3}$ and eMCC$_{1/2}$ perform better than cMCC. On FVC2002 DB4, it is shown that above the EER line, eMCC$_1$, eMCC$_{2/3}$ and eMCC$_{1/2}$ exhibit better DET curves than the other three templates.
Similar experimental results are also observed on FVC2004, as can be seen in Fig. 8. This shows that the authentication accuracy of the proposed template is comparable to that of the state-of-the-art templates.
3) EER and FMR$_{1000}$: Table XIII compares the EER and FMR$_{1000}$ obtained by MCC, bMCC, cMCC, eMCC$_1$, eMCC$_{2/3}$, and eMCC$_{1/2}$ on datasets FVC2002 DB1-DB4 and FVC2004 DB1-DB4, evaluated using the implemented IoT prototype system. As shown in Table XIII, compared with MCC, bMCC and cMCC, the proposed templates eMCC$_1$, eMCC$_{2/3}$ and eMCC$_{1/2}$ achieve comparable accuracy in terms of the EER and FMR$_{1000}$. eMCC$_1$ even performs better than MCC on FVC2002 DB4 and FVC2004 DB1. eMCC$_{2/3}$ and eMCC$_{1/2}$ also achieve better EER values than bMCC on FVC2004 DB1. Regarding the FMR$_{1000}$, the accuracy of

F. Authentication Accuracy and Security Analysis
1) Authentication Accuracy Analysis: In authentication, there are two cases: genuine matching and imposter matching. For the genuine matching, because the query cancelable template and the enrolled cancelable template are processed by the same cancelable system, it is clear that the authentication result of the query cancelable template against the enrolled cancelable template will be the same as the results of the original query and enrolled templates with a high probability. This is also supported by the authentication accuracy results in Section IV-D and IV-E.
Next we analyze the authentication accuracy for the imposter matching case. As shown in Fig. 9, according to the distribution of $e_i^2$ (in Table I) collected from 18,539 valid MCC feature vectors from five hundred fingerprints, we have the following probabilities: Hence, for an eMCC$_1$ feature vector defined in Eq. (12) with $k = 160$, according to the encoding scheme in Table I,  Therefore, for a fake query cancelable template matching against the enrolled cancelable template, the probability that the authentication result is the same as the genuine result is about $0.75^{120} \times 0.125^{20} \times 0.125^{20} \approx 7.65 \times 10^{-52}$. In summary, there is a near-zero probability that a fake cancelable template achieves authentication accuracy close to that of the genuine query cancelable template.
Fig. 9. Distribution of $e_i^2$ (in Table I) collected from 18,539 valid MCC feature vectors from five hundred fingerprints. The x-axis represents the values of $e_i^2$, and the y-axis is the proportion of the values falling into each bin.

2) Security Analysis on the Cancelable Template Design:
The proposed template design meets the four objectives of cancelable biometrics: diversity, revocability, accuracy and non-invertibility. The diversity is guaranteed by the re-indexing scheme, as there exist numerous re-indexing sets, that is, $\frac{L_c!}{(L_c-l)!}$ (e.g., $L_c = 1{,}280$ in the experiments). Regarding the revocability, as the re-indexing process is controlled by a random generator, a completely new template can be easily obtained by choosing a different random seed. The accuracy of the proposed template is comparable to that of the state-of-the-art methods. In particular, when $p = 100\%$, equivalent authentication accuracy is achieved on eight public benchmark datasets FVC2002 DB1-DB4 and FVC2004 DB1-DB4 compared to the state-of-the-art templates. The non-invertibility of the proposed template is guaranteed by the irreversible mapping under two protection mechanisms: 1) the encoding of the nested-difference (Section III-C1 and Section III-C2); and 2) the XOR operation on the encoded vector (Section III-C). As the first protection mechanism, the encoding of the nested-difference utilizes two bits to represent a nested difference of four float values. This process constitutes an infinite-to-one mapping, which is irreversible. Given the encoding bits, there is a near-zero probability of retrieving the original float values, because there exist infinite combinations of float values that can map to the same encoded bits. The second protection mechanism is the XOR Boolean operation on the encoded vector (in Eq. (11)). The XOR operation makes it impossible to retrieve the true encoded vector $\bar{e}$ (in Eq. (11)) from the resultant vector $\hat{e}$ (in Eq. (12)). For example, even with the most lightweight template with $p = 50\%$ for the case of $N_S = 16$ and $N_D = 15$, there exist up to $2^{160}$ possible candidate vectors $\bar{e}$ (in Eq. (11)), which can be used as the input and return the same vector $\hat{e}$ (in Eq. (12)).
In conclusion, the probability of retrieving the original template from the proposed lightweight cancelable template is almost zero. In addition, since the proposed template is revocable, if an enrolled template is compromised, it is easy to issue a completely different template (even of a different length) to ensure the security of the IoT authentication system.
3) Security Analysis against Attacks: The proposed cancelable template is resistant to attacks via record multiplicity (ARM), which utilize multiple compromised protected templates to recover the original template. This attack can be effectively prevented by the proposed encoding-nested-difference-XOR scheme through two layers of protection. The first layer of protection is the XOR operation (Section III-C). Because the inputs for each bit of the XOR output cannot be uniquely determined, the XOR operation makes it computationally infeasible to retrieve the encoded binary feature vector $\bar{e}$ in Eq. (11) in Section III-C2, as shown by the example in Section IV-F2. Taking $C = A \oplus B$ as an example, according to the truth table of the XOR, $C = 1$ has two possible inputs: $A = 1, B = 0$ or $A = 0, B = 1$. The case of $C = 0$ is similar. Therefore, even though the adversary acquires multiple compromised protected templates, the encoded binary vectors $\bar{e}$ in Eq. (11) cannot be uniquely determined. The second layer of protection is the encoding operation (Section III-C2), where a threshold is defined to binarize the nested difference. Evidently, given the threshold and binarized values, there is zero probability of restoring the nested differences, because infinite combinations of float values can result in the same encoded bits. In summary, the proposed cancelable template is resilient to the ARM.
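The counting arguments in Sections IV-F2 and IV-F3 (the $\frac{L_c!}{(L_c-l)!}$ re-indexing sets, revocation by a new seed, and the number of XOR preimages) can be checked on a small model; the following Python code is an added example, not the authors' implementation. The functions `reindex`, `encode` and `xor_fold`, the 0.5 threshold, the pairing of the first half of the encoded vector with the second half, and the random cell vector are all assumptions standing in for Eqs. (4)-(12) and Table I, which are not reproduced in this section.

```python
import itertools
import math
import random

L_C = 1280  # cell-vector length quoted in the security analysis

def diversity_bits(l_c, l):
    """log2 of L_c!/(L_c-l)!, the number of ordered re-indexing sets."""
    return (math.lgamma(l_c + 1) - math.lgamma(l_c - l + 1)) / math.log(2)

def reindex(cells, p, seed):
    """Assumed re-indexing: a seeded draw of l = p*L_c distinct cells, in order."""
    l = int(len(cells) * p)
    rng = random.Random(seed)  # illustrative PRNG; the seed is the revocable parameter
    return [cells[i] for i in rng.sample(range(len(cells)), l)]

def encode(cells, threshold=0.5):
    """Assumed 2-bit code for a two-layer nested difference of four floats."""
    bits = []
    for k in range(0, len(cells) - 3, 4):
        a, b, c, d = cells[k:k + 4]
        nd = (a - b) - (c - d)  # difference of differences
        if nd >= threshold:
            bits += [0, 1]
        elif nd <= -threshold:
            bits += [1, 0]
        else:
            bits += [0, 0]
    return bits

def xor_fold(bits):
    """Assumed XOR step: first half of the encoded vector XOR second half."""
    half = len(bits) // 2
    return [x ^ y for x, y in zip(bits[:half], bits[half:])]

def make_template(cells, p, seed):
    """Re-index, encode, then XOR-fold one cell vector."""
    return xor_fold(encode(reindex(cells, p, seed)))

def count_preimages(target):
    """Brute-force count of encoded vectors that fold to `target`."""
    n = len(target)
    return sum(1 for cand in itertools.product((0, 1), repeat=2 * n)
               if xor_fold(list(cand)) == list(target))

# Constructed stand-in for one MCC cell vector (not real fingerprint data).
_rng = random.Random(2024)
CELLS = [_rng.random() for _ in range(L_C)]

if __name__ == "__main__":
    old = make_template(CELLS, 0.5, seed=1)
    new = make_template(CELLS, 0.5, seed=2)  # re-issued after revocation
    print(len(old), "bits; differs after re-seeding:", old != new)
    print("re-indexing diversity: about %.0f bits" % diversity_bits(L_C, 640))
    print("preimages of an 8-bit folded vector:", count_preimages(old[:8]))
```

Under these assumptions an $n$-bit folded vector always has $2^n$ preimages, and the $p = 1/2$ template has $L_c/8 = 160$ bits, which is the $2^{160}$ count stated in Section IV-F2.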
The proposed cancelable template is secure against preimage attacks and optimization-based attacks. If the enrolled binary template is compromised, it is not computationally difficult to reconstruct or search for a possible input that can return the same binary vector. However, given that there exist infinite possible candidate inputs, there is a near-zero probability that the reverted one is the genuine fingerprint template. In other words, the reverted one cannot be used to generate another legitimate binary template. Therefore, these attacks can be effectively prevented by revoking the compromised binary template. In addition, attacks may also be launched through real-world fingerprint datasets. The impact of this attack can be assessed through authentication accuracy (e.g., the EER and FMR$_{1000}$). As demonstrated in Section IV-D and Section IV-E, the proposed template achieves favorable authentication accuracy in terms of the EER and FMR$_{1000}$ in a privacy-preserving IoT environment.
In case the template has been compromised by an adversary, it is infeasible for the attacker to retrieve the input feature due to the non-invertibility of our proposed template. Without this input feature, the attacker cannot launch an attack via the sensor interface, which is the normal system interface. It is, however, possible for the attacker to get authenticated if the attacker can inject the compromised template into the matching module after bypassing the sensor and the built-in transformation module. This is exceedingly difficult but possible. Therefore, it is still difficult to attack a new device even if it has the same compromised template. Our cancelable template design offers further security protection by revoking the compromised template, like the revocation of a password.

V. CONCLUSION
In this paper, we proposed a length-flexible lightweight cancelable fingerprint template design for privacy-preserving authentication systems in resource-constrained IoT applications. The proposed template design consists of two components: 1) length-flexible partial-cancelable feature generation based on the re-indexing scheme; and 2) lightweight cancelable feature generation based on the encoding-nested-difference-XOR scheme. Our template design has a number of benefits to IoT applications, such as flexible feature lengths, a lightweight design, cancelability and high performance. Comprehensive experimental results evaluated on eight benchmark datasets FVC2002 DB1-DB4 and FVC2004 DB1-DB4 demonstrate that the proposed cancelable fingerprint template achieves equivalent authentication performance compared to the state-of-the-art methods, but our design significantly reduces storage space and computational cost. More importantly, the proposed length-flexible lightweight cancelable template is suitable for various resource-constrained IoT devices, evidenced by its implementation using a real-world IoT prototype system. To the best of our knowledge, it is the first length-flexible lightweight, high-performing cancelable fingerprint template design for resource-constrained IoT applications.