Loading...
private.me Docs
Get xPrint
PRIVATE.ME · Technical White Paper

Xprint: Biometric Template Protection

A compromised fingerprint cannot be reset. Xprint splits biometric templates via XorIDA threshold sharing across independent storage nodes. No single node holds a usable template. Reconstruction requires a threshold of cooperating nodes with HMAC verification ensuring integrity. Supports fingerprint, face, iris, and voice modalities with ISO format compatibility.

v0.1.0 2-of-3 default 4 modalities 0 npm deps HMAC verified Dual ESM/CJS
Section 01

Executive Summary

Biometric data is uniquely dangerous: unlike passwords, a compromised fingerprint or iris scan cannot be reset. A single database breach permanently compromises every user's biometric identity.

Xprint solves this by splitting biometric templates via XorIDA threshold sharing across multiple independent storage nodes. Each node stores a share that reveals zero information about the original template in isolation. Template reconstruction requires a configurable threshold of nodes (default 2-of-3), and every reconstruction is validated with HMAC-SHA256 integrity verification before returning biometric data.

Two core functions: enrollTemplate() splits a biometric template (fingerprint minutiae, face embedding, iris code, or voice print) into shares with HMAC signatures. reconstructTemplate() combines threshold shares, verifies integrity, and returns the original template for matching operations.

The security model is information-theoretic: individual shares are computationally useless even to quantum adversaries. An attacker must compromise K of N independent storage nodes to reconstruct any template. This transforms biometric breach risk from "single database = total compromise" to "must compromise multiple independent systems simultaneously."

4
Modalities
2-of-3
Default Threshold
HMAC
Integrity Check
0
npm Dependencies
Section 02

Developer Experience

Xprint provides structured error handling with 6 error codes and actionable hints to help developers build reliable biometric systems.

Basic Enrollment

Enroll a fingerprint template
import { enrollTemplate, reconstructTemplate } from '@private.me/biometricvault';
import type { BiometricTemplate, BiometricVaultConfig } from '@private.me/biometricvault';

const template: BiometricTemplate = {
  templateId: 'TPL-001',
  subjectId: 'USER-42',
  modality: 'fingerprint',
  format: 'ISO-19794-2',
  data: new Uint8Array([/* minutiae template bytes */]),
  quality: 85,
};

const config: BiometricVaultConfig = {
  storageNodes: 3,
  threshold: 2
};

// Enroll — split template across storage nodes
const result = await enrollTemplate(template, config);
if (!result.ok) throw new Error(result.error.message);

// result.value.shares = array of 3 shares, each with HMAC
// Store shares[0] on Node A, shares[1] on Node B, shares[2] on Node C

Template Reconstruction

Reconstruct from any 2-of-3 nodes
// Retrieve any 2 shares from storage nodes
const share0 = await fetchFromNodeA(templateId);
const share1 = await fetchFromNodeB(templateId);

// Reconstruct template for matching
const rebuilt = await reconstructTemplate([share0, share1]);
if (!rebuilt.ok) throw new Error(rebuilt.error.message);

// rebuilt.value.data is identical to original template data
// HMAC verified before return — fail closed on tampering
const matchScore = await biomatchEngine.compare(
  rebuilt.value.data,
  candidateTemplate
);

Error Handling

Xprint uses a Result<T, E> pattern with structured error codes.

Error Code When Resolution
INVALID_CONFIG storageNodes < 2, threshold < 2, or threshold > storageNodes Validate configuration before enrollment
SPLIT_FAILED XorIDA split failure during enrollment Check template data format and size
HMAC_FAILED HMAC verification failed — data may be tampered Reject reconstruction, audit storage nodes
RECONSTRUCT_FAILED XorIDA reconstruction or shares from different templates Verify shares belong to same templateId
INSUFFICIENT_SHARES Fewer shares than threshold provided Retrieve additional shares from storage nodes
ENROLLMENT_FAILED General enrollment failure Check logs for underlying cause
Fail-Closed Security
HMAC verification happens before template data is returned to the caller. If verification fails, the function returns an error and no biometric data is exposed. This fail-closed design prevents silent tampering from going undetected.
Section 03

The Problem

Traditional biometric systems store templates in centralized databases. A single breach compromises every enrolled user permanently.

Biometrics cannot be reset. Unlike passwords, you cannot issue a new fingerprint or iris scan after a breach. Once a biometric template leaks, the user's biometric identity is compromised for life across every system that uses that modality.

Centralized storage is a single point of failure. Database breaches happen regularly. Encryption at rest helps, but the keys are often stored on the same infrastructure. An attacker who compromises the database typically also compromises the encryption keys.

Legal consequences are severe. GDPR Article 9 classifies biometric data as "special category" personal data requiring heightened protection. Breaches trigger mandatory notification, significant fines (up to 4% of global revenue), and potential lawsuits from affected individuals.

Existing mitigations are insufficient. Cancelable biometrics (template transformation) can be reversed if the transformation key is compromised. Homomorphic encryption is computationally expensive and has limited matching accuracy. Neither approach provides information-theoretic security.

Property Centralized DB Encrypted DB Cancelable Xprint
Breach impact Total loss Key compromise = loss Partial (if key safe) Requires K of N nodes
Single point of failure Yes Yes (key + DB) Yes (transform key) No
Info-theoretic security No No No Yes
Matching accuracy Baseline Baseline Reduced Baseline
Performance overhead None Decrypt cost Transform cost ~2ms reconstruct
GDPR Art. 9 compliance Risky Better Better Strong defense
Real-World Impact
In 2019, a biometric database breach exposed 27.8 million records including fingerprints of 1 million individuals. Those fingerprints remain compromised forever. Xprint's distributed model means an attacker must compromise multiple independent infrastructure providers simultaneously — exponentially harder than a single database breach.
Section 04

Real-World Use Cases

Six industries where biometric template protection is critical for compliance, security, and user trust.

🏥
Healthcare
Patient Identity

HIPAA-compliant biometric authentication for EHR access. Templates split across hospital infrastructure, cloud HSM, and identity provider. Single breach cannot compromise patient biometrics.

3-of-5 threshold, HIPAA compliant
🏦
Financial
Banking Authentication

Voice biometrics for phone banking. Shares distributed across regional data centers. PCI-DSS compliance via distributed storage with no single point of compromise.

Voice modality, 2-of-3 multi-region
🏛
Government
National ID Systems

Fingerprint and iris templates for national identity programs. Shares split across independent government agencies. Constitutional privacy protections via distributed custody.

Fingerprint + iris, 3-of-5 fault-tolerant
🏢
Enterprise
Physical Access Control

Face recognition for building entry. Templates split across on-premises server, cloud backup, and security operations center. Zero single-point compromise risk.

Face modality, ISO-19794-5 format
✈️
Transportation
Border Control

Automated border control gates with facial recognition. Traveler templates protected via distributed storage across border agency, airport authority, and national security database.

Face templates, 2-of-4 international
🎓
Education
Student Verification

Fingerprint authentication for exam proctoring and campus access. Templates split between university IT, exam board, and identity verification service. FERPA compliance.

Fingerprint ISO-19794-2, 2-of-3
Section 05

Architecture

Two core operations: enrollment splits templates into shares with HMAC signatures. Reconstruction combines shares with integrity verification.

Enrollment
Split + HMAC
PKCS7 padding to block size
HMAC-SHA256 signature generation
XorIDA threshold split (GF(2))
Per-share HMAC key + signature
Reconstruction
Verify + Reconstruct
Threshold check (K of N)
HMAC verification (fail closed)
XorIDA reconstruction
PKCS7 unpadding + return
Storage
Independent Nodes
Each node: 1 share only
Geographic distribution
Infrastructure isolation
No cross-node communication
Security
Info-Theoretic
Single share = zero info
Quantum-proof by construction
SHA-256 template hash
HMAC tampering detection
Section 05a

Enrollment Flow

Five-step pipeline: pad → HMAC → split → package → distribute.

Step 1: Padding

Template data is padded via PKCS7 to the next odd prime block size. Block size = nextOddPrime(N) - 1 where N = total storage nodes. This ensures XorIDA split compatibility.

Step 2: HMAC Signature

A random 256-bit HMAC key is generated via crypto.getRandomValues(). The padded template is signed with HMAC-SHA256. The signature and key are stored with each share for post-reconstruction verification.

Step 3: XorIDA Split

The signed, padded template is split via XorIDA threshold sharing over GF(2). For a 2-of-3 configuration, 3 shares are generated. Any 2 shares can reconstruct. Individual shares reveal zero information about the template.

Step 4: Share Packaging

Each share is packaged with metadata: templateId, subjectId, modality, nodeIndex, threshold, total, hmac (signature), hmacKey, and originalSize. All binary data is base64-encoded for transport.

Step 5: Distribution

Each share is sent to a different storage node. Nodes must be infrastructure-independent (different clouds, different physical locations, different administrative domains). No node should be able to communicate with other nodes to combine shares.

Enrollment result structure
interface EnrollResult {
  readonly templateId: string;         // UUID or provided ID
  readonly shares: readonly TemplateShare[]; // Array of N shares
  readonly templateHash: string;       // SHA-256 hex for audit
}
Section 05b

Reconstruction

Four-step verification and reconstruction: threshold check → HMAC verify → XorIDA reconstruct → unpad.

Step 1: Threshold Check

The function verifies that at least threshold shares are provided. If fewer shares are available, reconstruction returns INSUFFICIENT_SHARES error. All shares must have matching templateId, threshold, and total values.

Step 2: HMAC Verification

Critical security step. After XorIDA reconstruction, the reconstructed padded template is re-signed with the stored HMAC key. The computed signature is compared against the stored signature via constant-time comparison. If they differ, the function returns HMAC_FAILED error and does NOT return template data. This prevents silent tampering.

Step 3: XorIDA Reconstruction

Shares are decoded from base64 and passed to reconstructXorIDA() from @private.me/crypto. The function uses Lagrange interpolation over GF(2) to recover the original padded template. Reconstruction fails if shares belong to different templates or have incompatible indices.

Step 4: Unpadding and Return

The reconstructed padded template is unpadded via PKCS7 unpadding to the original size (stored in each share as originalSize). The unpadded template is returned as a BiometricTemplate object ready for matching operations.

Fault Tolerance
A 2-of-3 configuration tolerates 1 node failure. A 3-of-5 configuration tolerates 2 node failures. Choose threshold and total based on availability requirements. Lower threshold = more fault-tolerant but higher breach risk if multiple nodes compromised.
Section 06

Security Model

Xprint provides information-theoretic security: individual shares reveal zero information about the template, even to quantum adversaries.

Information-Theoretic Security

XorIDA threshold sharing over GF(2) provides perfect secrecy for shares below the threshold. An attacker who holds K-1 shares (where K is the threshold) gains zero information about the plaintext template. This is not computationally hard to break — it is mathematically impossible to break.

Contrast with AES-256: AES is computationally secure, meaning breaking it is hard but theoretically possible with sufficient computing power (or a quantum computer with Grover's algorithm). XorIDA shares are information-theoretically secure: no amount of computing power can extract information from K-1 shares.

Threat Model

Xprint protects against the following attacks:

  • Single node compromise: Attacker gains 1 share. Learns nothing about template. Zero risk.
  • K-1 node compromise: Attacker gains threshold-1 shares. Still learns nothing. Zero risk.
  • Tampering attack: Attacker modifies share data. HMAC verification fails. Reconstruction rejected.
  • Cross-template attack: Attacker tries to combine shares from different templates. Reconstruction fails validation.
  • Quantum adversary: Even with quantum computer, attacker cannot extract template from K-1 shares. Info-theoretic security is quantum-proof by construction.

What Xprint Does NOT Protect Against

Xprint protects templates at rest. It does NOT protect:

  • Sensor spoofing: Fake fingerprints, face photos, replay attacks. Use liveness detection.
  • Matching algorithm compromise: Attacker compromises the biometric matcher itself. Protect matching infrastructure separately.
  • Template in memory: Reconstructed template exists in memory during matching. Use secure enclaves (SGX, TrustZone) for matching operations.
  • K-of-N node simultaneous compromise: If attacker compromises threshold nodes, templates can be reconstructed. Use geographically distributed, infrastructure-isolated nodes.
Operational Security
Information-theoretic security is only as strong as your infrastructure isolation. Store shares on independent clouds (AWS + Azure + GCP), different administrative domains, and ideally different legal jurisdictions. Simultaneous compromise of K independent infrastructures is exponentially harder than single database breach.

Cryptographic Primitives

Primitive Algorithm Purpose
Threshold Sharing XorIDA (GF(2)) Information-theoretic template splitting
Integrity HMAC-SHA256 Tamper detection on reconstructed templates
Hash SHA-256 Template hash for audit logging
Padding PKCS7 Block size alignment for XorIDA
RNG crypto.getRandomValues() HMAC key generation, no Math.random()
Section 07

Integration

Xprint integrates with existing biometric capture and matching infrastructure. Enrollment happens once during user registration. Reconstruction happens during authentication.

System Architecture

Typical deployment
// 1. Enrollment (registration)
const template = await biometricScanner.capture(); // ISO format
const result = await enrollTemplate(template, { storageNodes: 3, threshold: 2 });

// Store shares on independent infrastructure
await storeOnAWS(result.value.shares[0]);
await storeOnAzure(result.value.shares[1]);
await storeOnGCP(result.value.shares[2]);

// 2. Authentication (matching)
const candidateTemplate = await biometricScanner.capture();

// Retrieve any 2 shares (parallel fetch)
const [share0, share1] = await Promise.all([
  fetchFromAWS(userId),
  fetchFromAzure(userId),
]);

// Reconstruct enrolled template
const rebuilt = await reconstructTemplate([share0, share1]);
if (!rebuilt.ok) return { authenticated: false, error: rebuilt.error };

// Run biometric matching
const score = await matcher.compare(rebuilt.value.data, candidateTemplate.data);
return { authenticated: score >= threshold };

Storage Node Options

  • Multi-cloud: AWS DynamoDB + Azure Cosmos DB + GCP Cloud Storage
  • On-prem + cloud: Local PostgreSQL + AWS RDS + Azure SQL
  • HSM + cloud: On-premises HSM + AWS CloudHSM + Azure Key Vault
  • Geographic distribution: US East + EU West + Asia Pacific data centers
  • Jurisdiction distribution: US + EU + Switzerland for legal independence

Matching Engine Integration

Xprint works with any ISO-compliant biometric matching engine. Reconstructed templates are returned in original ISO format (ISO-19794-2 for fingerprint, ISO-19794-5 for face, etc.). Pass reconstructed template to your existing matcher without modification.

Performance Tip
Fetch shares in parallel via Promise.all() to minimize latency. A 2-of-3 configuration only needs 2 shares, so you can race 3 fetches and use the first 2 responses, discarding the slowest node automatically.
Section 08

Benchmarks

Performance measured on Node.js 20.x (Apple M1 Max, 32GB RAM). All timings include HMAC generation/verification.

Template Size Config Enroll Reconstruct Total Roundtrip
512 bytes 2-of-3 ~1.2ms ~0.9ms ~2.1ms
2 KB 2-of-3 ~1.8ms ~1.3ms ~3.1ms
8 KB 2-of-3 ~3.2ms ~2.4ms ~5.6ms
512 bytes 3-of-5 ~1.5ms ~1.1ms ~2.6ms
2 KB 3-of-5 ~2.3ms ~1.7ms ~4.0ms

Network latency dominates in production. Reconstruction ~2ms is negligible compared to 50-200ms multi-cloud fetch latency. Use parallel fetch and CDN-proxied storage endpoints to minimize total authentication time.

Typical Template Sizes

Modality Typical Size ISO Format
Fingerprint 256-512 bytes ISO-19794-2 (minutiae)
Face 512-2048 bytes ISO-19794-5 (embedding)
Iris 256-512 bytes ISO-19794-6 (code)
Voice 1024-4096 bytes Proprietary (i-vector/x-vector)
Section 09

Honest Limitations

Xprint is not a complete biometric security solution. It protects templates at rest. It does not protect against all biometric attack vectors.

What Xprint Does NOT Do

  • Liveness detection: Xprint does not detect fake fingerprints, face photos, or replay attacks. Use sensor-level liveness detection (capacitive, thermal, multi-spectral imaging).
  • Presentation attack detection (PAD): Xprint does not defend against spoofing. Integrate ISO-30107 PAD algorithms at capture time.
  • Template protection in memory: Reconstructed templates exist in plaintext in memory during matching. Use secure enclaves (Intel SGX, ARM TrustZone, AWS Nitro Enclaves) for matching operations.
  • Matching accuracy guarantees: Xprint returns exact original template. Matching accuracy depends on your biometric matching engine, not Xprint.
  • Key management: HMAC keys are generated per-template and stored with shares. If all shares are compromised, HMAC keys are also compromised. This is acceptable because threshold compromise already exposes the template.

Operational Challenges

  • Infrastructure complexity: Distributed storage is harder to operate than a single database. You need monitoring, alerting, and recovery procedures for multiple independent infrastructure providers.
  • Cost: Storing shares across 3-5 independent clouds costs more than a single database. Evaluate cost vs. security benefit for your use case.
  • Latency: Parallel fetch from multiple nodes adds network latency. Typical 50-200ms for multi-cloud fetch dominates the ~2ms reconstruction cost.
  • Availability: If fewer than threshold nodes are available, authentication fails. Choose threshold carefully based on availability requirements. 2-of-3 tolerates 1 node failure. 3-of-5 tolerates 2 node failures.

Compliance Limitations

Xprint helps with GDPR Article 9 compliance (biometric data protection) but does NOT guarantee compliance alone. You still need:

  • Explicit user consent for biometric processing
  • Data processing agreements with storage node providers
  • Breach notification procedures
  • Data subject access request (DSAR) handling
  • Data retention and deletion policies
Not a Silver Bullet
Xprint is one layer in a defense-in-depth strategy. Combine it with liveness detection, secure enclaves, audit logging, anomaly detection, and strong access controls for comprehensive biometric security.
Advanced Topics

Deep Dive

Standards compliance, API reference, error taxonomy, and implementation details for production deployments.

Appendix A1

Biometric Modalities

Xprint supports fingerprint, face, iris, and voice modalities with ISO format compatibility.

Modality ISO Standard Template Type Typical Size
Fingerprint ISO-19794-2 Minutiae (ridge endings, bifurcations) 256-512 bytes
Face ISO-19794-5 Feature vector embedding (FaceNet, ArcFace) 512-2048 bytes
Iris ISO-19794-6 IrisCode (binary phase encoding) 256-512 bytes
Voice Proprietary i-vector or x-vector embedding 1024-4096 bytes

Modality Selection Guidance

  • Fingerprint: High accuracy, mature technology, ISO standardized. Best for physical access control, identity documents.
  • Face: Contactless, user-friendly, works at distance. Best for border control, public safety, retail authentication.
  • Iris: Highest accuracy, stable over lifetime, difficult to spoof. Best for high-security access, national ID systems.
  • Voice: Remote authentication, phone/call center use. Best for banking authentication, customer service verification.
Appendix A2

Standards Compliance

Xprint aligns with ISO biometric standards and GDPR requirements for special category data protection.

ISO Biometric Standards

Standard Scope Xprint Alignment
ISO-19794-2 Fingerprint minutiae data Accepts and returns ISO-19794-2 format
ISO-19794-5 Face image and embedding data Supports ISO-19794-5 templates
ISO-19794-6 Iris image and code data Compatible with ISO-19794-6 format
ISO-24745 Biometric information protection Threshold sharing = distributed protection
ISO-30107 Presentation attack detection Xprint does NOT provide PAD (integrate separately)

GDPR Article 9 Compliance

GDPR Article 9 classifies biometric data for unique identification as "special category" personal data requiring heightened protection. Xprint provides technical measures to support compliance:

  • Data minimization: No single storage node holds a usable template (Article 5(1)(c))
  • Integrity and confidentiality: HMAC verification + distributed storage (Article 5(1)(f))
  • Breach notification: Single node breach does NOT constitute a breach of biometric data (Article 33)
  • Data protection by design: Information-theoretic protection built into architecture (Article 25)
Legal Disclaimer
Xprint provides technical measures to support GDPR compliance. It does NOT guarantee legal compliance alone. Consult with legal counsel on data processing agreements, consent mechanisms, and breach notification procedures for your jurisdiction.
Appendix A3

Full API Surface

Complete function signatures and type definitions.

enrollTemplate(template: BiometricTemplate, config: BiometricVaultConfig): Promise<Result<EnrollResult, BiometricError>>

Enroll a biometric template by splitting it via XorIDA threshold sharing. Returns shares with HMAC signatures for distributed storage.

reconstructTemplate(shares: TemplateShare[]): Promise<Result<BiometricTemplate, BiometricError>>

Reconstruct a biometric template from threshold shares. Verifies HMAC integrity before returning template data (fail closed on tampering).

Type Definitions

Core types
type BiometricModality = 'fingerprint' | 'face' | 'iris' | 'voice';

interface BiometricTemplate {
  readonly templateId: string;
  readonly subjectId: string;
  readonly modality: BiometricModality;
  readonly format: string;          // e.g., "ISO-19794-2"
  readonly data: Uint8Array;
  readonly quality: number;         // 0-100
}

interface BiometricVaultConfig {
  readonly storageNodes: number;   // Total nodes (N)
  readonly threshold: number;      // Min for reconstruct (K)
}

interface TemplateShare {
  readonly templateId: string;
  readonly subjectId: string;
  readonly modality: BiometricModality;
  readonly nodeIndex: number;
  readonly total: number;
  readonly threshold: number;
  readonly data: string;           // base64 share
  readonly hmac: string;           // base64 signature
  readonly hmacKey: string;        // base64 key
  readonly originalSize: number;
}

interface EnrollResult {
  readonly templateId: string;
  readonly shares: readonly TemplateShare[];
  readonly templateHash: string;  // SHA-256 hex
}
Appendix A4

Error Taxonomy

Complete error code reference with resolution guidance.

Code Message Resolution
INVALID_CONFIG storageNodes < 2, threshold < 2, or threshold > storageNodes Validate config: storageNodes >= 2, threshold >= 2, threshold <= storageNodes
SPLIT_FAILED XorIDA split failure during enrollment Check template data format, ensure Uint8Array is valid, verify template size > 0
HMAC_FAILED HMAC verification failed — data may be tampered Reject reconstruction, audit storage nodes, investigate potential tampering
RECONSTRUCT_FAILED XorIDA reconstruction failure or shares from different templates Verify shares have matching templateId, threshold, total. Check share data integrity.
INSUFFICIENT_SHARES Fewer shares than threshold provided Retrieve additional shares from storage nodes. Need at least threshold shares.
ENROLLMENT_FAILED General enrollment failure Check logs for underlying cause. Verify template format and quality score.

Error Structure

BiometricError interface
type BiometricErrorCode =
  | 'INVALID_CONFIG'
  | 'SPLIT_FAILED'
  | 'HMAC_FAILED'
  | 'RECONSTRUCT_FAILED'
  | 'INSUFFICIENT_SHARES'
  | 'ENROLLMENT_FAILED';

interface BiometricError {
  readonly code: BiometricErrorCode;
  readonly message: string;
}

Deployment Options

🌐

SaaS Recommended

Fully managed infrastructure. Call our REST API, we handle scaling, updates, and operations.

  • Zero infrastructure setup
  • Automatic updates
  • 99.9% uptime SLA
  • Enterprise SLA available
View Pricing →
📦

SDK Integration

Embed directly in your application. Runs in your codebase with full programmatic control.

  • npm install @private.me/biometricvault
  • TypeScript/JavaScript SDK
  • Full source access
  • Enterprise support available
Get Started →
🏢

On-Premise Upon Request

Enterprise CLI for compliance, air-gap, or data residency requirements.

  • Complete data sovereignty
  • Air-gap capable deployment
  • Custom SLA + dedicated support
  • Professional services included
Request Quote →

Enterprise On-Premise Deployment

While biometricVault is primarily delivered as SaaS or SDK, we build dedicated on-premise infrastructure for customers with:

  • Regulatory mandates — HIPAA, SOX, FedRAMP, CMMC requiring self-hosted processing
  • Air-gapped environments — SCIF, classified networks, offline operations
  • Data residency requirements — EU GDPR, China data laws, government mandates
  • Custom integration needs — Embed in proprietary platforms, specialized workflows

Includes: Enterprise CLI, Docker/Kubernetes orchestration, RBAC, audit logging, and dedicated support.

Contact sales for assessment and pricing →

Other Requirements? Need white-label deployment or custom integration? Contact our enterprise team →