LWN.net Logo

Not logged in

Log in now

Create an account

Subscribe to LWN

Recent Features

LWN.net Weekly Edition for May 16, 2013

A look at the PyPy 2.0 release

PostgreSQL 9.3 beta: Federated databases and more

LWN.net Weekly Edition for May 9, 2013

(Nearly) full tickless operation in 3.10

Printable page
Weekly edition Kernel Security Distributions Contact Us Search
Archives Calendar Subscribe Write for LWN LWN.net FAQ Sponsors

Uniqueness of fingerprints?

Uniqueness of fingerprints?

Posted Apr 3, 2008 7:44 UTC (Thu) by espeer (subscriber, #39062)
Parent article: Biometrics for identification 

> The problem is that while a fingerprint is unique, it isn't secret.

Is a fingerprint even guaranteed to be unique?

http://biometrics.cse.msu.edu/Publications/Fingerprint/Pa...

And, even if they are unique... What resolution does a typical 
fingerprint scanner operate at? 

Assuming a 2000 dpi 8 bit grayscale scanner, then we're looking at a 
resolution of approximately 2000x1000x256 = 512 million possible images.

We have more than 6 billion people on the planet, so by the pigeon hole 
principle, at least 2 people will have the same fingerprint rendered by 
the scanner.

(Log in to post comments)

Uniqueness of fingerprints?

Posted Apr 3, 2008 9:20 UTC (Thu) by jorism (subscriber, #21807) [Link] 

I think you mean 256^(2000*1000) which is A LOT...

Uniqueness of fingerprints?

Posted Apr 3, 2008 9:31 UTC (Thu) by espeer (subscriber, #39062) [Link] 

Ah yes, that's more like it. I definitely typed that one up without 
thinking it through properly. My bad.

Uniqueness of fingerprints?

Posted Apr 3, 2008 10:56 UTC (Thu) by filipjoelsson (subscriber, #2622) [Link] 

Doesn't matter. One fingerprint does not correlate with one valid image anyway, and not with
two either. I don't know what the correlation is, but I would bet on thousands of valid images
per fingerprint.

The problem is that a fingerprint isn't even presumed to be unique for every living human
(Wikipedia has three examples of false positives, from Europe and the US from 1997 to date,
that is clearly a limited population, time and fingerprint database). And while the
fingerprint has molecular resolution, an image of one hasn't - so uniqueness definitely drops
quit a bit. So instead of one in 100 million, you may very well drop to one in 100 thousand.

The pigeon hole principle certainly applies.

Uniqueness of fingerprints?

Posted Apr 4, 2008 2:16 UTC (Fri) by kevinbsmith (guest, #4778) [Link] 

I went to wikipedia, hoping to read a cool article describing three pairs of people with
identical fingerprints. Boy was I disappointed.

This wikipedia article (http://en.wikipedia.org/wiki/Fingerprint) lists several cases where
fingerprint evidence was misleading, but none of them were likely due to two people actually
having the same fingerprint. One was a blatant clerical error, and one was simply shoddy
police work. In a third case, DNA evidence freed the suspect, and later investigations
concluded the police had misidentified the fingerprint.

The final case had a police officer's fingerprints found at a crime scene where she claimed
not to have been. Early fingerprint experts were of mixed opinions, but later examiners were
overwhelmingly convinced that the fingerprint was not hers. The image may have been ambiguous
and/or there may have been manipulation of the evidence.

So while I'm not a fan of biometrics, and I don't have absolute faith in fingerprints, this
particular article doesn't provide proof that there have been collisions.

Uniqueness of fingerprints?

Posted Apr 3, 2008 9:56 UTC (Thu) by ayeomans (subscriber, #1848) [Link] 

See FBI Appendix F specifications in
http://www.fbibiospecs.org/fbibiometric/docs/EBTS%20V8.00...
500 pixels per inch or 1000 ppi at 8 bits per pixel. Capture size 1.6" x 1.5" (600 Kpixels)
for roll finger or 1" x 2" for thumb (500 Kpixels).

But once you threshold the images, you effectively get rather less than 1 bit per pixel, as
there's a lot of correlation between pixels. Also rotations all count the same. My fingers
have more like 50 ridges per inch. But that's still a *lot* of possible values. 

After extracting the minutiae, there's rather less information held. One finger reader I have
states the software extracts between 10 and 70 minutiae points, held as (x,y) vectors, in a
transform claimed to be non-reversible. If coordinates are accurate to 6 bits, that means 10 x
(6+6) bits = 120 bits minimum. Still allows for significantly more possible prints than the
world population. 

See also Sir James Crosby's report,
http://www.hm-treasury.gov.uk/media/6/7/identity_assuranc..., suggesting that only
non-unique digital representations should be stored. This would allow the master copy in the
database to be replaced with another version, so would provide some limited options to
"change" a compromised fingerprint.

Uniqueness of fingerprints?

Posted Apr 6, 2008 11:32 UTC (Sun) by man_ls (subscriber, #15091) [Link]

Hmmm... doesn't the principle behind the Birthday paradox apply here? Even if there are 366 days in a year, the probability of two people having the same birthday reach 0.5 with a group of only 23 people. Therefore you would only need roughly the square root of the number of possibilities to find a collision.

With 120 bits you are still safe, since the world population is about 2^32. But the security factor is not as high as it would seem. Surely we don't expect all values to be as likely, as with birthdays; if they tend to cluster around certain values (some kinds of fingerprint configurations are more probable than others) then collisions become increasingly likely.

Copyright © 2013, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds