E ﬃ cient Implementation of Homomorphic and Fuzzy Transforms in Random-Projection Encryption Frameworks for Cancellable Face Recognition

: To circumvent problems associated with dependence on traditional security systems on passwords, Personal Identiﬁcation Numbers (PINs) and tokens, modern security systems adopt biometric traits that are inimitable to each individual for identiﬁcation and veriﬁcation. This study presents two di ﬀ erent frameworks for secure person identiﬁcation using cancellable face recognition (CFR) schemes. Exploiting its ability to guarantee irrevocability and rich diversity, both frameworks utilise Random Projection (RP) to encrypt the biometric traits. In the ﬁrst framework, a hybrid structure combining Intuitionistic Fuzzy Logic (IFL) with RP is used to accomplish full distortion and encryption of the original biometric traits to be saved in the database, which helps to prevent unauthorised access of the biometric data. The framework involves transformation of spatial-domain greyscale pixel information to a fuzzy domain where the original biometric images are disﬁgured and further distorted via random projections that generate the ﬁnal cancellable traits. In the second framework, cancellable biometric traits are similarly generated via homomorphic transforms that use random projections to encrypt the reﬂectance components of the biometric traits. Here, the use of reﬂectance properties is motivated by its ability to retain most image details, while the guarantee of the non-invertibility of the cancellable biometric traits supports the rationale behind our utilisation of another RP stage in both frameworks, since independent outcomes of both the IFL stage and the reﬂectance component of the homomorphic transform are not enough to recover the original biometric trait. Our CFR schemes are validated on di ﬀ erent datasets that exhibit properties expected in actual application settings such as varying backgrounds, lightings, and motion. Outcomes in terms standard metrics, including structural similarity index metric (SSIM) and area under the receiver operating characteristic curve (AROC), suggest the e ﬃ cacy of our proposed schemes across many applications that require person identiﬁcation and veriﬁcation.


Introduction
Biometric signals and images from persons are used across different domains and applications such as identification, verification, and authentication. The most common biometrics are fingerprints, faces, iris, palm/vein prints, and speech signals. The utilisation of biometric traits in identification has witnessed tremendous growth and sophistication making it ubiquitous for a wide range of applications. Today, institutions, companies, universities, banks, and airports have their own systems using different biometric traits. The basic idea of operation of these systems involves collection of biometrics from enrolled persons, extraction of discriminating features from the collated biometrics as a tool for data reduction, and storage of these features in a database. This registration or enrollment process is considered as the training phase. In the other phase, known as the testing phase, features from incoming biometrics for new persons are extracted and matched with the stored features [1,2]. This phase can be performed with or without classifiers.
Fingerprint recognition depends on the extraction of minutia, which are specific plot points on a fingerprint, to discriminate between different persons. On the other hand, facial recognition relies on discrimination of geometric markers of facial features including eyes, nose, and mouth for person identification and authentication. Meanwhile, in iris recognition, the initial focus is on the localisation of the iris region in the image, which is followed by the elimination of the effects of eyelids and eyelashes, which are considered as noise. Subsequently, transformations of polar or rectangular coordinates are used to isolate features that are extracted from the transformed patterns and then coded. As outlined, features extracted from fingerprint and face images are geometric features, while those extracted from iris images are transform domain features.
In contrast, speech recognition differs from face, fingerprint, and iris recognition as it deals with one-dimensional (1D) signals. Moreover, since speech signals have power distributed on the same frequency band, speakers can be distinguished based on their resolved power profile over this wide band. Most speaker identification systems adopt similar concepts to resolve speech signals of the speakers over the same band and obtain power distributions over the non-linearly segmented overlapping sub-bands required to extract discriminating features between speakers.
Traditional biometric systems depend on the acquisition of signals or images from the users or subscribers, extraction of features from these signals or images, and subsequent feature matching with a previously stored database. The main disadvantage of this traditional approach is that each person has to provide his original biometrics for enrollment as well as possible feature extraction and storage in the database. This means that, once the database is compromised, the integrity of the original biometrics will be lost forever and, hence, the whole system loses its confidentiality and credibility. Moreover, users whose biometrics have been compromised will not be able to use them again in other systems. Thus, traditional three-step biometric systems that depend on enrollment, feature extraction and feature matching are no longer credible.
Recently, the paradigm of cancellable biometrics has emerged as a motif to safeguard the important biometric data. A major advantage of Cancellable Biometric Systems (CBS) is their ability to support the protection of the original biometric data. In these systems, different biometric inputs can be revised or updated without affecting the entire system. To illustrate, in CBS that depend on geometric transforms, one-way geometric transforms can be used to modify the biometric patterns. Such transforms can be easily revised whilst maintaining the unidirectional security feature. For biometrics such as iris, feature extraction is very essential, and hence, for biometric security, operations such as bio-hashing can be executed at the feature level. Similarly, for 1D biometric signals, such as speech signals, operations such as bio-convolution can be executed.
Cancellable biometric frameworks provide templates to safeguard the integrity of biometric data for different applications [3][4][5][6][7][8][9]. In [3], Soliman et al. presented a CBS based on Double Random Phase Encoding (DRPE) for applications in both face and iris recognition. This approach depends on generation of feature matrices from either the face or iris to be encrypted by the DRPE technique. The simulation results reported an Equal Error Rate (EER) value of 0.17% and an Area under the Receiver Operating Characteristic (AROC) of 99.3%. In [4], Savvides et al. presented a correlation filter-based CBS that depends on generating random user-specific convolution kernels. During the enrollment stage, a Personal Identification Number (PIN) is used to generate a random convolution kernel to be convolved with the training images in order to generate a Minimum Average Correlation Energy (MACE) filter. The MACE encrypted filter is subsequently used to measure correlation with the encrypted test images through the convolution process. Furthermore, in [5], Kaur and Khanna introduced a multi-level transformation-based CBS that depends on Log-Gabor filters and the RP technique to produce cancellable feature vectors to be used in person authentication and verification. In their contribution in [6], Maiorana et al. presented a convolution-based technique to generate new versions of original biometric templates based on template segmentation. The segmented sequences are subjected to a linear convolution process that produces transformed cancellable versions of the sequences. Moazz et al. presented a CBS for face recognition using Bloom filters in [7]. This system depends on the extraction of features from faces to be used in the generation of new templates. The feature bits are passed through Bloom filters with the help of PINs. In [8], Andrew et al. presented a bio-hashing CBS for face recognition. In this system, an extracted low-dimension feature matrix is re-projected randomly to generate a binary bit string. In another interesting contribution [9], Kaur and Khanna reported a CBS using Gaussian random vectors and one-way modulus hashing. This method was utilised in face and palm print identification. Simulation results reported in that study proved that the generated templates are non-invertible, easy to revoke, and they also give good performance.
While building on these efforts, among others, in this study, we present two new frameworks for generating efficient cancellable face templates. Like the studies highlighted, our proposed cancellable face recognition (CFR) frameworks utilise pre-processing stages to generate sophisticated patterns from the original biometrics. However, in this study, both pre-processing stages are non-invertible, a property that is further exploited to realise a random projection (RP) based encryption mechanism, which is subsequently used to mask the extracted patterns. Moreover, in the first framework (i.e., CFR1), a hybrid structure combining intuitionistic fuzzy logic (IFL) and random projection (RP) is used to accomplish full distortion and encryption of the original biometric traits to be saved in the database. In the second framework (i.e., CFR2), cancellable biometric traits are generated via homomorphic transform followed by application of the RP on the reflectance components which can be considered as signatures to evaluate the original biometric templates. Random kernel convolution and salting are considered in evaluating the performance of the RP encryption step, while the encrypted templates are stored in a database that is revocable via different random matrices. Furthermore, several quality tests and metrics are employed to provide an extensive evaluation of the robustness of the proposed frameworks when exposed to different types of attacks.
The rest of this paper is organised as follows. An overview of IFL, homomorphic transform, and Gaussian RP is provided in the next section (i.e., Section 2). This foundation motivates the design of the two proposed CFR biometric frameworks based on IFL and homomorphic transforms, whose rudiments are presented in Section 3. Experiments and performance evaluation of both CFR frameworks are presented and discussed in Section 4.

Intuitionistic Fuzzy Sets
Fuzzy processing is a common component employed in the pre-processing step of many image processing techniques [10]. The concept of fuzzy sets, where a degree of membership and its shape are used to denote a user's choice, was introduced by Zadeh in 1965. The shapes include Gaussian, triangular, trapezium and other shapes. In [11], Atanassov proposed a modified fuzzy set called intuitionistic fuzzy sets (IFS), which has both degrees of membership and non-membership that differ from the complements of the membership function. The IFS is considered as a powerful extension of Zadeh's fuzzy theory dealing with applications in vague and uncertain systems [12].
Consequently, it has found applications in numerous dynamic fields, such as industrial informatics, medical image diagnosis and machine learning [13][14][15] with intriguing prospects for extension to the field of cancellable biometrics.
Mathematically, the IFS representation of an image A can be described as: where µ A (p) : P → [0, 1] is the degree of membership of pixel p in the finite set P and v A (p) can be computed using (2).
is the non-membership function of pixel p in a finite set P with the condition that it can satisfy the relation in Equation (3).
The third parameter π A is called the hesitation degree, and it is represented by the Equation: where 0 ≤ π A (o) ≤ 1 for all p ∈ P. For images, the first step in the IFS depends on generating membership and non-membership degrees for each grey-scale value in the image. Vlachos and Sergiadis [16] proposed the determination of both functions, where an M × N sized image A is fuzzified according to the relationship in (5).
where p is a grey level of the original image A, p min and p max are the minimum and maximum grey levels in the image, respectively. The membership degree of the IFS image is calculated according to (6).
and the non-membership degree of the IFS image is similarly denoted using: Therefore, the hesitation degree of the IFS image can be deduced using: where λ ≥ 1.
The biometric source image can be represented as an IFS image in the form: Moreover, Atanassov recommended a deconstruction methodology to convert the IFS image into the grey-scale domain using (10) and (11) [15]. and where p and p are the initial and final intensity levels of the image, respectively, and α is a constant value selected in the range [0, 1]. The intuitionistic fuzzy process can be summarised in the form presented in Figure 1, which represents the decorrelation step for the image pixels prior to the subsequent encryption step [17,18].

Homomorphic Transform
Generally, an image is an aggregate of light reflected from objects such that any image , can be represented using two different components: one representing the light falling on the objects and the other representing the light reflected from the objects [19]. These two components are called the illumination and reflectance components denoted as , and , , respectively.
Consequently, an image can be represented in the form presented below: where , represents the greyscale values of pixels in the image, , is the illumination component and , is the reflectance component. Since the light falling over the scene is nearly constant and its distribution is approximately the same, changes occur in an image for the most important features in the reflectance component. Further, this component can be separated using a logarithmic operation defined in Equation (13) and a High-Pass Filter (HPF) as illustrated in Figure 2. Homomorphic transform is a popular image decomposition transform whose basic idea involves isolating details from the illumination component of an image as represented by the reflectance component [19]. In cancellable biometric applications, these details can be reused instead of the original biometrics. In our proposed cancellable face recognition framework, reflectance components of face images are encrypted with random projections (RP) to generate the cancellable face templates.

Gaussian RP
The random projection (RP) is the process of projecting a signal or a feature vector onto a random space. It can be implemented through the multiplication of the signal or the feature vector by a random matrix. If the original data can be represented as multiplying it by some random matrix A (of dimensions k × d) produces the RP output that is represented as: The RP is adopted in this study as a tool to encrypt the extracted patterns from the original biometrics either with fuzzy processing or homomorphic transformation. In recent implementations of CBS, the RP has been applied on the original biometric templates directly [9,18,[20][21][22]. Both

Homomorphic Transform
Generally, an image is an aggregate of light reflected from objects such that any image f (x, y) can be represented using two different components: one representing the light falling on the objects and the other representing the light reflected from the objects [19]. These two components are called the illumination and reflectance components denoted as i(x, y) and r(x, y), respectively. Consequently, an image can be represented in the form presented below: where f (x, y) represents the greyscale values of pixels in the image, i(x, y) is the illumination component and r(x, y) is the reflectance component. Since the light falling over the scene is nearly constant and its distribution is approximately the same, changes occur in an image for the most important features in the reflectance component. Further, this component can be separated using a logarithmic operation defined in Equation (13) and a High-Pass Filter (HPF) as illustrated in Figure 2.
Homomorphic transform is a popular image decomposition transform whose basic idea involves isolating details from the illumination component of an image as represented by the reflectance component [19]. In cancellable biometric applications, these details can be reused instead of the original biometrics. In our proposed cancellable face recognition framework, reflectance components of face images are encrypted with random projections (RP) to generate the cancellable face templates.

Homomorphic Transform
Generally, an image is an aggregate of light reflected from objects such that any image , can be represented using two different components: one representing the light falling on the objects and the other representing the light reflected from the objects [19]. These two components are called the illumination and reflectance components denoted as , and , , respectively.
Consequently, an image can be represented in the form presented below: where , represents the greyscale values of pixels in the image, , is the illumination component and , is the reflectance component. Since the light falling over the scene is nearly constant and its distribution is approximately the same, changes occur in an image for the most important features in the reflectance component. Further, this component can be separated using a logarithmic operation defined in Equation (13) and a High-Pass Filter (HPF) as illustrated in Figure 2. Homomorphic transform is a popular image decomposition transform whose basic idea involves isolating details from the illumination component of an image as represented by the reflectance component [19]. In cancellable biometric applications, these details can be reused instead of the original biometrics. In our proposed cancellable face recognition framework, reflectance components of face images are encrypted with random projections (RP) to generate the cancellable face templates.

Gaussian RP
The random projection (RP) is the process of projecting a signal or a feature vector onto a random space. It can be implemented through the multiplication of the signal or the feature vector by a random matrix. If the original data can be represented as multiplying it by some random matrix A (of dimensions k × d) produces the RP output that is represented as: The RP is adopted in this study as a tool to encrypt the extracted patterns from the original

Gaussian RP
The random projection (RP) is the process of projecting a signal or a feature vector onto a random space. It can be implemented through the multiplication of the signal or the feature vector by a random matrix. If the original data can be represented as X d×N multiplying it by some random matrix A (of dimensions k × d) produces the RP output that is represented as: The RP is adopted in this study as a tool to encrypt the extracted patterns from the original biometrics either with fuzzy processing or homomorphic transformation. In recent implementations Electronics 2020, 9, 1046 6 of 23 of CBS, the RP has been applied on the original biometric templates directly [9,18,[20][21][22]. Both Homomorphic and fuzzy transforms share the common feature of non-invertibility. Therefore, their use supports retention of details from the original biometric data.
We also note that, in computing (14), the relative distances between the original biometric templates should be unchanged or increased in the RP space. Moreover, the RP matrix must be selected to satisfy the Johnson and Lindenstrauss lemma (i.e., the JL lemma) [18], which helps to preserve the distances between encrypted biometric templates close to their original counterparts between original templates. Gaussian random matrices achieve the required distances in the random space.

Cancellable Face Recognition Frameworks
Building on the studies highlighted in the previous sections, the rudiments of our use of cancellable biometric systems (CBS) in face recognition, i.e., cancellable face recognition (CFR) schemes are presented in this section.

CFR Framework Based on Intuitionistic Fuzzy Logic and Random Projection
In this section, an efficient, robust, and revocable Gaussian RP process is proposed to safeguard biometric templates. The block diagram of the proposed CFR framework is presented in Figure 3 and, as seen therein, following fuzzy pre-processing of the images, Gaussian RP is used to encrypt the images. In the enrollment phase, IFS computation is performed on the raw biometric images of all users. More precisely, the greyscale values of the images are transformed to an intuitionistic fuzzy domain using the approach adduced by Handmandlu et al. in [23] according to the three-step EGE protocol presented in the sequel.
Step 1: E: Estimation of the membership function via (15).
where µ ij refers to the degree of brightness of the grey level intensity at coordinates i and j.
Step 2: G: Generation of the membership and non-membership functions.
Using (15), the fuzzy membership of each pixel in the image is constructed. The membership and non-membership functions are generated according to Equations (6) and (7). Upon retrieving the intuitionistic components of the biometric image, a defuzzification phase is applied to convert the image from its fuzzy intuitionistic domain to a greyscale domain as dictated by Equations (10) and (11).
Step 3: E: Encryption based on Gaussian RP.
Finally, the intuitionistic output image is encrypted using the RP technique presented earlier in Section 2.3 to perform additional distortion of the biometric templates. A Gaussian random matrix with zero mean and a variance of 0.1 is used as provided in (14). Consequently, highly secure, revocable, and non-invertible biometric templates are generated and stored in the database. The outline of the proposed framework, i.e., CFR1, is presented in Figure 3. Homomorphic and fuzzy transforms share the common feature of non-invertibility. Therefore, their use supports retention of details from the original biometric data. We also note that, in computing (14), the relative distances between the original biometric templates should be unchanged or increased in the RP space. Moreover, the RP matrix must be selected to satisfy the Johnson and Lindenstrauss lemma (i.e., the JL lemma) [18], which helps to preserve the distances between encrypted biometric templates close to their original counterparts between original templates. Gaussian random matrices achieve the required distances in the random space.

Cancellable Face Recognition Frameworks
Building on the studies highlighted in the previous sections, the rudiments of our use of cancellable biometric systems (CBS) in face recognition, i.e., cancellable face recognition (CFR) schemes are presented in this section.

CFR Framework Based on Intuitionistic Fuzzy Logic and Random Projection
In this section, an efficient, robust, and revocable Gaussian RP process is proposed to safeguard biometric templates. The block diagram of the proposed CFR framework is presented in Figure 3 and, as seen therein, following fuzzy pre-processing of the images, Gaussian RP is used to encrypt the images. In the enrollment phase, IFS computation is performed on the raw biometric images of all users. More precisely, the greyscale values of the images are transformed to an intuitionistic fuzzy domain using the approach adduced by Handmandlu et al. in [23] according to the three-step EGE protocol presented in the sequel.
Step 1: E: Estimation of the membership function via (15).
where ij  refers to the degree of brightness of the grey level intensity at coordinates i and j.
Step 2: G: Generation of the membership and non-membership functions.
Using (15), the fuzzy membership of each pixel in the image is constructed. The membership and non-membership functions are generated according to Equations (6) and (7). Upon retrieving the intuitionistic components of the biometric image, a defuzzification phase is applied to convert the image from its fuzzy intuitionistic domain to a greyscale domain as dictated by Equations (10) and (11).
Step 3: E: Encryption based on Gaussian RP.
Finally, the intuitionistic output image is encrypted using the RP technique presented earlier in Section 2.3 to perform additional distortion of the biometric templates. A Gaussian random matrix with zero mean and a variance of 0.1 is used as provided in (14). Consequently, highly secure, revocable, and non-invertible biometric templates are generated and stored in the database. The outline of the proposed framework, i.e., CFR1, is presented in Figure 3.

CFR Framework Based on Homomorphic Transform and Random Projection
The reflectance components obtained from the homomorphic transform are adopted in the cancellable biometric framework as they contain most of the image details [22]. Furthermore, to generate cancellable biometric templates in conformity with (14), RP is applied on the reflectance components. Figure 4 presents the outline of the proposed cancellable face recognition framework based on homomorphic transform and RP (i.e., CFR2). Therefrom, it can be seen that, during the enrollment phase of the system, the original templates are processed to extract the reflectance components, which are then encrypted using RP to generate the cancellable biometric templates that are subsequently stored in the database. Meanwhile, in the authentication phase, the correlation score is used as matching criterion [24].

CFR Framework Based on Homomorphic Transform and Random Projection
The reflectance components obtained from the homomorphic transform are adopted in the cancellable biometric framework as they contain most of the image details [22]. Furthermore, to generate cancellable biometric templates in conformity with (14), RP is applied on the reflectance components. Figure 4 presents the outline of the proposed cancellable face recognition framework based on homomorphic transform and RP (i.e., CFR2). Therefrom, it can be seen that, during the enrollment phase of the system, the original templates are processed to extract the reflectance components, which are then encrypted using RP to generate the cancellable biometric templates that are subsequently stored in the database. Meanwhile, in the authentication phase, the correlation score is used as matching criterion [24].

Results and Discussion
In this study, the facial recognition system is implemented via a workstation equipped with MATLAB Intel ® Core ™ i5-4210U on a CPU with 1.7 GHz processor. The primary objective of any CBS scheme is to prove resistance to intrusion attacks. Therefore, we present a study of the robustness of the two proposed CFR frameworks to intrusion attacks. Samples of facial images obtained from the Research Laboratory for Olivetti and Oracle (ORL) database [25], the NiST Face Recognition Technology (FERET) dataset [26] and the Mass Labelled Faces in the Wild (LFW) dataset of the University of Massachusetts' Computer Vision laboratory [27] are used in our simulations. To evaluate the robustness of the proposed frameworks, i.e., CFR with IFL and Gaussian RP (or simply CFR1) and CFR with Homomorphic transform and Gaussian RP (or simply CFR2), several metrics are used. Additionally, we validate the effectiveness of the proposed frameworks by comparison with the random salting encryption in the homomorphic domain and random kernel convolution in the homomorphic domain.

Performance Evaluation for Encryption Mechanisms and Cancellable Schemes
The first set of results presented are those for the ORL dataset, whose sample images were presented in Figure 5. This dataset contains 40 subjects, with 10 images for each subject. The images were taken at different times, varying lighting, varying facial expressions and with small variations in the facial orientation [25]. Encrypted versions of the sample images in Figure 5 are presented in Figure 6.
Histogram distributions are used in evaluating the robustness of the encryption scheme to statistical attacks. Histogram distributions for sample test images in Figure 5 are presented in Figure  7. A comparison between the histogram distributions obtained in CFR1, CFR2, salting after homomorphic transform, and random kernel convolution after homomorphic transform are presented in Figure 8a-d. The figure reveals disparity in histogram distributions from those of the original face images, which is a property of good encryption schemes.
Another effective metric widely used in assessing the efficiency of encryption protocols is the correlation coefficient, which, in our case, measures the correlation between the encrypted images

Results and Discussion
In this study, the facial recognition system is implemented via a workstation equipped with MATLAB Intel ® Core ™ i5-4210U on a CPU with 1.7 GHz processor. The primary objective of any CBS scheme is to prove resistance to intrusion attacks. Therefore, we present a study of the robustness of the two proposed CFR frameworks to intrusion attacks. Samples of facial images obtained from the Research Laboratory for Olivetti and Oracle (ORL) database [25], the NiST Face Recognition Technology (FERET) dataset [26] and the Mass Labelled Faces in the Wild (LFW) dataset of the University of Massachusetts' Computer Vision laboratory [27] are used in our simulations. To evaluate the robustness of the proposed frameworks, i.e., CFR with IFL and Gaussian RP (or simply CFR1) and CFR with Homomorphic transform and Gaussian RP (or simply CFR2), several metrics are used. Additionally, we validate the effectiveness of the proposed frameworks by comparison with the random salting encryption in the homomorphic domain and random kernel convolution in the homomorphic domain.

Performance Evaluation for Encryption Mechanisms and Cancellable Schemes
The first set of results presented are those for the ORL dataset, whose sample images were presented in Figure 5. This dataset contains 40 subjects, with 10 images for each subject. The images were taken at different times, varying lighting, varying facial expressions and with small variations in the facial orientation [25]. Encrypted versions of the sample images in Figure 5 are presented in Figure 6.
Histogram distributions are used in evaluating the robustness of the encryption scheme to statistical attacks. Histogram distributions for sample test images in Figure 5 are presented in Figure 7. A comparison between the histogram distributions obtained in CFR1, CFR2, salting after homomorphic transform, and random kernel convolution after homomorphic transform are presented in Figure 8a       Another effective metric widely used in assessing the efficiency of encryption protocols is the correlation coefficient, which, in our case, measures the correlation between the encrypted images stored in the database and the encrypted versions of new subjects. Mathematically, the correlation coefficient is estimated as follows: where N is the total number of pixels, x and y are the encrypted templates stored in the database and the new subject encrypted template, respectively. Figure 9 presents the correlation coefficient values estimated between authorised biometrics and their counterparts in the database in the presence of noise for all encryption schemes. Similarly, Figure 10 shows the correlation coefficient values estimated for unauthorised records with all records stored in the database. The results in both figures reveal that all correlation scores for authorised patterns are higher than 0.3, while those for unauthorised patterns are less than 0.05. Thus, a threshold can be easily set in the margin of 0.05 to 0.3 to effectively discriminate between authorised and unauthorised patterns. This indicates high security and performance of the proposed frameworks since a wide margin can be used to set the verification threshold.
Furthermore, to better understand the results, they are further interpreted in terms of statistical parameters of the Receiver Operating Characteristic (ROC) curves. Specifically, we study the False Acceptance Rate (FAR) versus the False Rejection Rate (FRR) [3,19,24]. The FAR reflects the misclassified imposters as being genuine, while the FRR represents the percentage of genuine examinations misunderstood and interpreted as being impostors. Figure 11 reports the ROC curves for all four CFR cancellable biometric frameworks reported in our experiments. From these curves, it can be deduced that the AROC values for both proposed frameworks are the highest, which points to the strength of these frameworks. Moreover, to further buttress this, the probability distributions of the correlation coefficients of the genuine and imposter tests are presented in Figure 12. Here, the rightmost Probability Distribution Functions (PDFs) are for the two proposed CFR frameworks. Electronics 2020, 9,        Structural Similarity Index Metric (SSIM) is a widely used tool that measures congruity between two images. In this study, the SSIM is utilised as a metric for encryption strength. A good encryption scheme should have SSIM values (between original and encrypted images) close to zero. Mathematically, we adopt the definition of SSIM in (17) [28] for assessment of encryption strength. Electronics 2020, 9,    At this juncture, it is noteworthy that the ORL dataset whose results were reported above lacks the verity expected in actual application settings. Further, it is classified into a small database and has less variation. Consequently, to enrich the validation of our proposed CFR schemes, we consider the FERET [26] and LFW [27] datasets, which, in addition to all the properties of images in the ORL dataset, are taken with varying backgrounds and lighting as well as motion typical of actual  At this juncture, it is noteworthy that the ORL dataset whose results were reported above lacks the verity expected in actual application settings. Further, it is classified into a small database and has less variation. Consequently, to enrich the validation of our proposed CFR schemes, we consider the FERET [26] and LFW [27] datasets, which, in addition to all the properties of images in the ORL dataset, are taken with varying backgrounds and lighting as well as motion typical of actual  where µ x and µ y are the mean values of the images x and y, respectively, δ 2 x , and δ 2 y are their variances, δ xy is the cross-covariance between them, S 1 and S 2 are small values [10], and the value of SSIM is ideally less than 1. Table 1 summaries the evaluation metrics of the proposed cancellable biometric frameworks. The area under the receiver operating characteristic (AROC) values, SSIM values between stored templates in the database and an imposter template as well as mean values of authorised and unauthorised correlation distributions are presented as metrics to establish the utility of the proposed scheme. The results indicate that both proposed CFR frameworks exhibit high encryption strength, while also retaining the ability to distinguish between authorised and unauthorised templates. The high AROC values of 0.9774 and 0.9720 and the corresponding low SSIM values of 0.058 and 0.0086 affirm the strength of the proposed frameworks (these are highlighted in bold in Table 1). At this juncture, it is noteworthy that the ORL dataset whose results were reported above lacks the verity expected in actual application settings. Further, it is classified into a small database and has less variation. Consequently, to enrich the validation of our proposed CFR schemes, we consider the FERET [26] and LFW [27] datasets, which, in addition to all the properties of images in the ORL dataset, are taken with varying backgrounds and lighting as well as motion typical of actual application environments. However, both the FERET and LFW datasets consist of colour images; therefore, as a preprocessing stage, a transformation operation defined in (18) is used to generate greyscale versions of images in both datasets. G = 0.3R + 0.59G + 0.11B (18) where R, G, and B are the colour components of the facial images. Figures 13 and 14 present sample images from the FERET and LFW datasets, respectively. Furthermore, Figures 15-21 present simulation results implementing our two schemes (i.e., CFR1 and CFR2 in (a) and (b)) as well as homomorphic transform followed by salting (in (c)) and homomorphic transform followed by random kernel convolution (in (d)) for greyscale images from the FERET dataset.  (18) where R, G, and B are the colour components of the facial images. Figures 13 and 14 present sample images from the FERET and LFW datasets, respectively. Furthermore, Figures 15-21 present simulation results implementing our two schemes (i.e., CFR1 and CFR2 in (a) and (b)) as well as homomorphic transform followed by salting (in (c)) and homomorphic transform followed by random kernel convolution (in (d)) for greyscale images from the FERET dataset.        Figure 13 (i.e., from FERET dataset) for (a) CFR1 (b) CFR2, (c) homomorphic transform followed by salting and (d) homomorphic transform followed by random kernel convolution. Figure 16. Histograms of the sample facial images in Figure 13. Figure 16. Histograms of the sample facial images in Figure 13.            Tables 2 and 3 present summaries of the performance indices in terms of SSIM, AROC as well as mean values of authorised and unauthorised correlation distributions for images in the FERET and LFW datasets, respectively with the best AROC results highlighted in bold. Finally, Table 4 presents a summary of the performance of our CFR schemes, i.e., CFR1 (i.e., IFL followed by Gaussian random projection) and CFR2 (i.e., Homomorphic transform followed by Gaussian random projection) for images in the three datasets (i.e., ORL, FERET and LFW) alongside results reported for similar techniques.  [29,30] 0.8837 Jigsaw only [31] 0.8967 [32] 0.9076 [33] 0.8737 [34] 0.7187 [35] 0.8630 [29] 0.8684 As seen from the table, AROC values for our cancellable schemes vary between 0.9668 to 0.9744 for CFR1 and 0.9294 to 0.9774 for CFR2 (with best results for CFR1 (ORL), CFR2 (ORL), CFR1 (FERET), and CFR1 (LFW) highlighted in bold in Table 4). Relative to the similar studies reported in the table, AROC values for our two CFR schemes outperform those in [29][30][31][32][33][34][35].

Execution Time and Complexity Analysis
The average execution times required for the implementation of both CFR frameworks are recorded in Table 5. These temporal requirements are considered acceptable since the process of generating Therefore, adding it all up, the complexity of the algorithm proposed to execute the recognition procedure is O(max(n, (n × (M × N))) which compares with those reported in similar studies [27][28][29][30][31][32][33][34], as summarised in Table 6. Table 6. Comparison of computational complexity between the proposed approach and other approaches.

Conclusions
The study presented two revocable and non-invertible cancellable face recognition (CFR) frameworks that have potential applications in enhancing security in banking, airports, and other important sectors by safeguarding identity and data of authorised users and customers. Both frameworks share the Gaussian random projection stage for encryption, which is preceded by a pre-processing phase to extract an uninvertible signature from each biometric. Such non-invertible signatures secure the biometric templates even if the random projection process is inverted. Moreover, both the intuitionistic fuzzy and homomorphic transforms used provide a first level security that is further strengthened using random projections. Furthermore, the proposed frameworks satisfy the JL lemma, which guarantees a large distance between encrypted templates in the random space. This guarantees a high level of accuracy in the verification process of both CFR frameworks. The two schemes are validated using three datasets that exhibit properties expected in real-life scenarios, such as varying backgrounds, lightings, motion, etc. Outcomes based on standard metrics support claims that the proposed schemes would enhance many applications that require person identification, authentication, and verification. Efforts to improve outcomes from our study are being pursued along two directions. First, in ongoing work, the study is being refined via integration of new recognition and encryption approaches that will be validated using larger and more robust datasets. Second, in future work, inputs from real-time cameras where dynamic images will be used evaluate the proposed CFR frameworks for deployment across multiple application scenarios.