A Federated Learning Approach for Privacy-Preserving Automated Signature Verification ^†

Abstract

The growing interconnectivity of digital systems has led to the massive collection and centralization of sensitive data, raising serious concerns about confidentiality and compliance with privacy regulations. Biometric authentication systems, such as offline signature verification, are particularly vulnerable. Federated learning (FL) provides a promising framework by enabling model training without exposing raw client data. However, keeping data strictly localized inherently creates severe data scarcity, which is a significant barrier to building robust deep learning (DL) models. This work investigates the feasibility of a privacy-preserving writer-dependent (WD) offline signature verification (OSV) system within an FL framework. To make local training viable under these constraints, we integrate complementary techniques into the federated pipeline: data augmentation is utilized to increase local sample diversity, while transfer learning provides robust pre-trained feature representations, drastically reducing the volume of data required for effective local fine-tuning. The proposed WD-OSV system was trained and evaluated on the popular CEDAR signature dataset, for which an average area under the curve of 0.8893, along with an average binary accuracy (ACC) of 80.12%, are reported as preliminary results.

1. Introduction

The necessity of identity verification dates back to ancient civilizations, where fingerprint impressions were employed as an early authentication method [1]. In contemporary times, biometric systems automate identification and verification tasks. The fingerprint trait belongs to physiological biometrics, a category including distinct and immutable physical traits such as palm prints, iris patterns, facial features, retinal scans, vein patterns, and DNA [2]. Lips constitute an interesting exception, presenting both physiological and behavioral characteristics [3]. Behavioral biometrics instead rely on dynamic traits derived human actions, including voice or speech, gait, handwritten signature, handwritten text, keystroke, and breath [2].

This work focuses on offline handwritten signature verification, widely used in banking, commerce, e-health, access control, and document authentication. Signatures offer high user acceptance because of users’ familiarity, its simplicity to produce, and ability to be socially embedded. Their uniqueness arises from neuromotor processes that reflect individual behavioral patterns, making them suitable for biometric recognition [4]. Concurrently, signature verification remains a challenging domain in pattern recognition and computer vision. Deep learning attracts increasing research interest in this field, providing promising results over traditional feature-engineering approaches, although it typically requires substantially larger datasets [5].

Biometric signature verification systems can be distinguished by data modality and acquisition. Online systems capture dynamic time-series data (e.g., x–y coordinates, pressure, velocity, and acceleration) using digital tablets or stylus-equipped devices. Conversely, offline verification systems collect static signature images acquired via scanners or cameras, typically extracting geometric and structural descriptors (e.g., shape, aspect ratio, pixel density, and stroke characteristics, slant angle, texture features). Due to the absence of temporal information, offline verification remains more challenging. Regarding training strategies, the distinction lies between writer-independent (WI) systems, which utilize a single classifier for all users, and WD systems, which train a separate classifier per signer, achieving superior accuracy but lacking scalability [6]. WD models are trained exclusively on genuine signatures and random forgeries [7]; however, the lack of forgeries and limited genuine data pose significant obstacles for deep learning (DL) architectures. Consequently, achieving robust DL performance for automated feature extraction and verification under data scarcity remains an open research problem [8]. Promising directions to mitigate this limitation include data augmentation [9], generative adversarial networks (GANs) [10,11], few-shot learning [12], and transfer learning [13].

Centralizing handwritten signatures introduces a privacy risk to clients’ sensitive biometric information which is protected by strict regulations like the GDPR. To enhance data privacy and trust, we incorporate FL, introduced by McMahan et al. [14], into offline signature verification (OSV), which ensures compliance with privacy regulations. As shown in Figure 1, FL enables collaborative model training without transferring raw data to a central server or across clients, thereby keeping the clients’ data distributed. In writer-dependent settings, FL offers a secondary benefit, the new clients fine-tune a global model locally rather than training from scratch.

This work demonstrates the feasibility of a privacy-preserving WD baseline system by integrating established techniques into a FL framework using the federated averaging (FedAvg) algorithm. To overcome the fundamental constraint of local data scarcity inherent in FL, we employ a dual strategy: (a) data augmentation techniques are applied to directly increase local sample diversity, while (b) transfer learning—via a DenseNet-121 model pre-trained on ImageNet—is utilized to provide rich, pre-learned feature representations, thereby requiring significantly fewer local samples for effective fine-tuning. The system is trained and evaluated on the publicly available CEDAR signature database.

2. Review

Deep learning has gained substantial attention for complex pattern recognition tasks, such as handwritten signature verification. However, its effective integration faces two main challenges: the guarantee of stringent privacy requirements and the data scarcity. To tackle privacy concerns, Xie, Liyang, et al. [15] proposed a writer-independent cross-lingual online signature verification system, combining the Bert model with a federated learning framework. Similarly, Zhang et al. [16] introduced a lightweight 1D-CNN-based online verification system within an FL framework, optimized for low computational resources and data confidentiality. Alternative, Xia et al. [17] developed a secure KNN algorithm resilient to ciphertext attacks, while Kaur, Harshdeep and Kansal [18] introduced a Hadamard transform-based approach to safeguard signature templates.

For the challenge of limited data, several techniques have been explored, including transfer learning, data augmentation, meta-learning, few-shot, and knowledge distillation. Transfer learning and data augmentation are widely adopted to address limited training data. Chetry et al. [19] proposed an offline writer-dependent system using a pre-trained lightweight SqueezeNetV1.0 model, while Harika et al. [20] proposed a hybrid MobileNet-CNN leveraging transfer learning. Comparative studies have examined hybrid approaches combining deep learning models with machine learning verifiers [21,22,23,24]. Conventional data augmentation is extensively utilized to enlarge datasets, frequently alongside transfer learning [25]. Alternatively, AI-generated data or features such as generative adversarial networks (GANs) provides a supplementary data expansion methodology [10,26,27,28]. Furthermore, Badie and Sajedi [29] present a graph neural network-based approach.

Knowledge distillation represents another transfer approach on student–teacher architecture, where a smaller student model learns from a pre-trained larger teacher model [30,31]. The few-shot paradigm encompasses Siamese neural networks (SNNs), which have shown effectiveness under data scarcity, exemplified by SigNet [32]. Advanced architectures of SNN include two-stage SNNs [33], hybrid Siamese–transformer networks with triplet loss [34], and recent transformer-based verification models [35,36]. The meta-learning paradigm, designed for data-scarce environments, has also been adapted, with Hafemann et al. [37] extending the MALM method that leverages different loss functions during during adaptation and meta-learning phases.

3. Proposed System

This section presents a privacy-preserving offline handwritten signature verification system based on a FL framework. By integrating the DenseNet121 CNN architecture, the system enables collaborative model training while keeping raw client data distributed and secure. The methodology encompasses the complete local data collection and data pipeline, preprocessing, augmentation and the FL protocol and the CNN verifier architecture.

3.1. Federated Learning Framework

FL is a collaborative model training, introduced by McMahan [14]. In this framework, clients train their local model on their private data and share only the trained model parameters (e.g., weights) with a central coordinator, rather than exposing their sensitive data to other entities. The coordinator is responsible for implementing a strategy regarding client selection for FL training participation, orchestrating local training rounds, and aggregating the received clients’ model parameters using the federated average (FedAvg) aggregator of Algorithm 1 to update the global model with aggregated parameters. This fundamental privacy-by-design approach, which eliminates the need to expose sensitive raw data, makes FL particularly suitable architecture for applications governed by strict data protection regulations like the GDPR.

Algorithm 1: Federated Averaging (FedAvg) Algorithm.

In our proposed system, each FL training epoch proceeds with the following strategy. The coordinator first defines the local training hyperparameters, setting the number of local rounds to $r=8$ and the batch size to $b=10$. Then, it randomly selects a subset of N training participant clients, denoted as $C=\{c_1,\dots ,c_N\}$, from all available $A=\{c_1,c_2,\dots ,c_K\}$ clients, where $C\subset A$. Each selected client $c_i$ gathers its local training dataset $D_i=\{s_1^{\left(i\right)},s_2^{\left(i\right)},\dots ,s_{n_i}^{\left(i\right)}\}$ and trains its local model using the predefined hyperparameters. Upon completing local training, all clients synchronously upload their updated model parameters $w_{t+1}^{\left(i\right)}$ to the server. The coordinator server aggregates these parameters using the FedAvg algorithm.

$$w_{t+1}=\sum _{i=1}^N{\displaystyle \frac{n_i}{n_C}}{w}_{t+1}^{\left(i\right)},\mathrm{where}{n}_C=\sum _{j=1}^N{n}_j$$

(1)

Finally, the server updates the global model with the aggregated weights and distributes the new model back to the clients. This iterative process is repeated until the global model converges or for a predefined FL epochs e = 100 in case of a plateau phenomenon.

3.2. Dataset and Pre-Processing

The proposed system is trained and evaluated on the centralized CEDAR database, which contains 2640 grayscale handwritten signature images, including 1320 genuine and 1320 skilled forgeries collected from 55 signers. Each signer contributes 24 genuine and 24 forged samples. To emulate a realistic FL environment characterized by decentralized client distributions, the dataset is partitioned across multiple clients. In WD scenarios, users typically do not possess skilled forgeries of their own signatures. Therefore, signatures from signers 31–50 are treated as random forgeries and uniformly assigned to signers 1–30 (clients 1–30). Each client is thus allocated 24 genuine signatures, 24 skilled forgeries, and 40 random forgeries. The local datasets are further split into training (80%), validation (10%), and testing (10%) subsets, with skilled forgeries reserved exclusively for testing to better reflect operational deployment constraints. A standardized pre-processing pipeline is applied to all signature images, including resizing to 224 × 224 pixels, binarization to enhance stroke fidelity, and normalization to the [0,1] range. To mitigate data scarcity in WD verification, data augmentation is performed during training, consisting of random rotations within ±40 degrees and variation in brightness and contrast. This augmentation increases local sample diversity and supports improved model generalization under limited per-client data regimes. Further, it is used the embedded preprocessing process of keras DenseNet121.

3.3. Verification Model

A convolutional neural network (CNN) is a multilayer architecture composed of convolutional, pooling, and fully connected layers, primarily employed for tasks such as image classification and object detection. CNNs automatically learn hierarchical representations, eliminating the need for handcrafted descriptors and manual feature selection. By integrating feature extraction and classification into a unified framework, CNNs can operate as end-to-end classifiers or as feature encoders. However, their performance strongly depends on access to large training sets, which poses a major limitation in handwritten signature verification scenarios where localized data scarcity is intrinsic. To mitigate this without relying on generating massive sample volumes, we employ transfer learning via the DenseNet121 architecture [38] pretrained on ImageNet. By leveraging pre-learned hierarchical representations, the model does not need to learn fundamental visual features from scratch. This allows the unfrozen client-specific layers to converge effectively and extract highly distinct signature features despite the limited number of local samples. The original classifier is removed, the final 40 layers are unfrozen for client-specific fine-tuning, and a lightweight fully connected layer is appended as the verifier. DenseNet architectures introduce dense block connections, where the ℓ-th layer receives a feature map formed by concatenating the outputs of all preceding layers, $[x_0,x_1,\dots ,x_{\ell -1}]$, and produces $x_{\ell }=H_{\ell }\left([x_0,x_1,\dots ,x_{\ell -1}]\right)$, maintaining a feed-forward structure. This design maximizes information flow, facilitates gradient propagation, and promotes extensive feature reuse. Key advantages include mitigation of the vanishing gradient problem, reduced parameter footprint, and improved regularization. These properties are particularly beneficial for signature verification, as dense connectivity alleviates overfitting and supports effective adaptation under limited and heterogeneous client data environments.

4. Results

The system was trained and evaluated on the CEDAR database. During training, validation used three genuine and three random forgeries per client. Testing was performed under with skilled forgeries and without skilled forgeries settings. In the first case, the test dataset included four skilled forgeries, two genuine, and two random forgeries per client, while in the second case, it consisted of two genuine and two random forgeries per client. Experiments were conducted using different random client selection strategies: three selected clients and five selected clients. The corresponding training plots are shown in Figure 2. The three-client strategy achieved the highest accuracy (78.83%) in the presence of skilled forgeries, whereas the five-client strategy achieved the highest accuracy (87.50%) without skilled forgeries, as summarized in

Table 1. Results of test and train processes (C: clients, SF: skilled forgery, RF: random forgery).

	3C	3C	5C	5C
	SF	RF	SF	RF
Test Accuracy (%)	78.83	81.67	75.42	87.50
Test F1-Score	0.5938	0.7755	0.6040	0.8571
Train Auc	-	1.00	-	1.00
Evaluation Auc	-	0.9030	-	0.9362

. Performance evaluation employed equal error rate (EER) and area under the curve (AUC) during verification, while accuracy and F1-score were used as metrics in the test phase.

5. Conclusions

This work demonstrates a collaborative training approach in which private signature data remain localized on client devices, ensuring confidentiality within a federated learning paradigm. Verifier models are deployed at the data source and acquire knowledge from a global model. However, this privacy-by-design setting inherently relies on strictly localized data, leading to severe data scarcity per client. To make FL viable under these constraints, complementary techniques were required: local data augmentation was applied to artificially expand sample diversity, while transfer learning (DenseNet-121) supplied a robust foundation of pre-trained visual features. Together, they enabled effective model convergence despite the significantly limited per-client sample size. Experimental results show that client participation has a measurable impact on global performance, with a three-client selection strategy achieving better accuracy with skilled forgeries signature. Furthermore, the system remains less robust against skilled forgeries, indicating that additional improvements are required in this scenario. Future work may benefit from integrating a pre-trained writer-independent Siamese feature extractor, such as SigNet, into the writer-dependent verifier pipeline. Additionally, more exploration of data augmentation methods is expected to further enhance performance in data-scarce and heterogeneous client environments.