LineCAPTCHA: Visual Curve-Tracing

• LineCAPTCHA is a graphical reverse Turing test that requires users to trace a hidden noisy curve, effectively distinguishing humans from automated agents.
• It employs cubic Bézier curves or segmented polylines along with Gaussian blur and distractor elements to thwart machine vision attacks.
• Performance studies indicate high pass rates and fast completion times on both desktop and mobile platforms while maintaining robust security metrics.

LineCAPTCHA is a graphical reverse Turing test developed to distinguish humans from automated agents by requiring the user to visually trace a hidden line embedded within a noisy background, typically rendered as a cubic Bézier curve or broken polyline. Unlike traditional text-distortion CAPTCHAs, which depend on the user’s ability to recognize and transcribe distorted characters, LineCAPTCHA shifts the challenge to continuous-curve following—a task that is natural for humans but difficult for existing machine-vision algorithms. Two principal implementations have been documented: for general web platforms (Karunathilake et al., 2014) and for mobile touch interfaces (Bulumulla et al., 2014).

1. Generation Algorithm and Challenge Construction

LineCAPTCHA images are generated in three key stages: background creation, base-line drawing, and distraction ("hardening for machines").

Background Creation: An off-screen bitmap canvas (e.g., 200×80 pixels for desktop or m×p grid on mobile) is covered with numerous randomly placed and colored shapes (e.g., 50–200 anti-aliased circles, rectangles, polygons on desktop (Karunathilake et al., 2014); n snippet-images from a pool of size M, e.g., 8 out of 12 on mobile (Bulumulla et al., 2014)). This noise increases entropy and inhibits background isolation attacks.

Base-Line Drawing: The challenge curve is either a single continuous cubic Bézier (parametric form $$B(t) = (1-t)^3P_0 + 3(1-t)^2tP_1 + 3(1-t)t^2 P_2 + t^3 P_3$$, $t\in [0,1]$), where control points $P_0,\ldots,P_3$ are randomly positioned, or a polyline broken into $N$ small equal-length segments. Sampling at intervals $\Delta t$ (e.g., 0.005–0.01) yields 100–200 curve points. On desktop, a multi-color gradient is applied to the stroke to further resist color-filtering; on mobile, a black-and-white curve is used over black-and-white snippets.

Distraction Techniques: Two complementary approaches are reported. (1) Gaussian blur ($\sigma\approx 1.5-3.0$ px) is applied post-rendering to obscure crisp line boundaries and defeat edge-detection. (2) In the segmented-line variant, the curve is visually broken by erasure of connections between segments, and $M \gg N$ distractor segments—randomly oriented and colored—are interspersed, yielding combinatorial complexity for automated region-linking.

Core parameters impacting security and usability are summarized:

Parameter	Typical Range	Effect
$N$ (curve segments)	1–50	More: higher security, harder to trace
$M$ (distractor segments)	≥5×N	More: higher security, harder usability
$\sigma$ (blur radius)	0–3 px	More: greater anti-edge-detection
Color bands (desktop)	5–10	More: higher attack cost
$M,n$ (snippets, mobile)	M=12, n=8	Larger: higher background entropy

No low-level mathematical details are reported beyond the above parametric formulation.

2. User Interaction Paradigms

The user is tasked to trace the concealed curve by pressing and holding the mouse (desktop) or by finger/stylus (mobile), with continuous visual feedback (thin semi-transparent trace) provided throughout. For the desktop variant, the entire motion is a single drag-and-drop: "Press and hold your left mouse button at one end of the hidden line and drag along it until you reach the other end" (Karunathilake et al., 2014). In the mobile adaptation, the user is enabled to "Clear" or "Submit" their drawing with real-time feedback (Bulumulla et al., 2014).

Input is captured as a sequence of sampled screen positions $\{(u_j, v_j)\}$ (DrawData), while the canonical curve is stored as $\{(x_i, y_i)\}$ (CurveData). Precise mouse/touch tracking is mandatory, with performance measurements indicating real-time responsiveness: curve and snippet rendering in $\approx 120$ ms, and evaluation in $8$ ms on 1 GHz Cortex-A5 devices (Bulumulla et al., 2014).

3. Verification and Grading Algorithms

Server-side matching proceeds in two stages depending on the platform:

Desktop (Karunathilake et al., 2014):

• For each sampled user point, compute the minimal Euclidean distance to the curve and tally the fraction within threshold $\tau$ (e.g., 5 px). If at least a proportion $\rho$ (e.g., 80%) of user points are matched within $\tau$, the attempt is accepted. This approach scales as $O(L \log L)$ for $L$ sampled points.

Mobile (Bulumulla et al., 2014):

• First, a bounding-box comparison ensures the user drawing is spatially compatible: if $$|{\rm min}X_{\rm curve} - {\rm min}X_{\rm draw}| > \varepsilon_1$$ or $$|{\rm max}Y_{\rm curve} - {\rm max}Y_{\rm draw}| > \varepsilon_1$$, the solution is rejected.
• Second, a two-sample $z$-test on $x$- and $y$-coordinates independently is performed. The test statistic is:

$$z = \frac{\bar{x}_d - \bar{x}_c}{\sqrt{\sigma^2_{d}/n_d + \sigma^2_{c}/n_c}}$$

Both $|z_x|$ and $|z_y|$ must fall below a significance cut-off $z_{\alpha/2}$ (e.g., $z_{0.01/2}=2.5758$ for $\alpha=0.01$) to pass.

4. Security Analysis and Attack Models

The primary attack vectors addressed are:

• Image processing/vision: Traditional methods such as Hough Transform, edge detection, color thresholding, region growing, and contour tracing.
• Combinatorial segmentation: In segmented challenges with $N$ target segments among $M$ distractors, identifying the correct sequence is $O\left(\binom{M+N}{N}\right)$ complexity.
• Random guessing: "No-effort" mouse paths or random touch trajectories.

Empirically observed and theoretically estimated bot success rates are summarized:

Attack Method	Bot Success Rate (mobile)
Random-guess ($\alpha=0.01$)	≈ 1.0%
Segmentation-based	< 5.0%
Erosion/dilation filter	< 2.0%
Edge-detection exploits	< 1.0%

The desktop approach argues a random-guess success rate below $0.2\%$ under appropriate $N, M$ parameter settings (Karunathilake et al., 2014). Multi-color line rendering (desktop) further multiplies adversarial effort by $C$ (number of color bands).

Key resistance features include intentional overlap in geometric moments (length, curvature) between distractor and valid curve segments, making region-based attacks produce high false merges or splits (Bulumulla et al., 2014).

5. Usability, Human Performance, and Trade-Offs

Human-oriented metrics include first-attempt pass rate, mean completion time, and user complaint rates relative to traditional CAPTCHAs.

• Desktop informal pilots showed $>80\%$ first-attempt success for inexperienced users, with median solving times under 10 s (well below the 30 s threshold for user-friendliness) (Karunathilake et al., 2014).
• Mobile user study ($N=40$): single long-curve variant mean time $7.4$ s ($\pm 1.1$ s, $96\%$ success), short segmented-curve $9.1$ s ($\pm 1.5$ s, $89\%$ success), with $85\%$ of users preferring LineCAPTCHA over reCAPTCHA (Bulumulla et al., 2014).
• Error “hot spots” on mobile were predominantly at the curve endpoints; users rapidly adapted to the interaction. False positives (bots passing) were rare or unobserved in pilot evaluations, and false negatives (humans failing twice) were uncommon due to rechallenge (Karunathilake et al., 2014).

Trade-offs are strictly controlled by the following parameters:

• Increasing $\sigma$ or $M$ (distractors) reliably raises attack difficulty but may degrade human pass rate below $60\%$ if excessive.
• Lowering $\tau$ (acceptance threshold) or $\alpha$ (significance) increases spurious rejections of genuine users; recommended values are $\tau=5$ px, $\rho=0.8$ (desktop) and $\alpha=0.01$ (mobile).
• Curve complexity (order or segmentation) increases solver requirements without significantly enhancing human-friendliness (quintic or spline curves are unnecessary for current settings).

6. Practical Implementation Considerations and Variants

Guidelines for effective deployment of LineCAPTCHA include:

1. Maintain $\geq 80\%$ first-attempt pass rate for humans.
2. Set $M \gg N$ (e.g., $M \geq 5N$) without overwhelming the user visually.
3. Use $\sigma=1$–$3$ px blur to balance edge-detection defense and perceptual clarity.
4. Employ real-time stroke feedback for traceability and user reassurance.
5. On mobile, tune background entropy by varying $M$ or $n$; $M=10$, $n=8$ yields background entropy $\approx 20.8$ bits ($N_{\rm bg}=1\,814\,400$).

Variants include:

• Long single-curve (faster for users, slightly lower security).
• Segmented curves (higher security, increased solve-time).
• Colorful vs. monochrome line rendering (affecting attack surface and platform compatibility).

Performance measurements indicate suitability for both high- and low-end hardware, with minimal memory and CPU overhead—bitmap buffer $\sim$56 KB; curve data $\sim$2 KB; total rendering and evaluation typically <$150$ ms (Bulumulla et al., 2014).

7. Comparative Perspective and Design Rationale

LineCAPTCHA is conceived as a "user-friendly" alternative to heavily distorted text CAPTCHAs, directly addressing criticisms about language-dependence and user frustration found in earlier solutions (Karunathilake et al., 2014, Bulumulla et al., 2014). By capitalizing on the "continuous-curve tracing" cognitive faculty, it circumvents the reliance on optical character recognition difficulty while maintaining robust resistance against known automated attacks. The challenge remains tunable via a small set of well-understood parameters, permitting deployment across a spectrum of usability–security requirements.

No off-the-shelf machine-vision or learning-based solver is reported to defeat the principal LineCAPTCHA schemes under recommended parameter regimes. The method’s independence from language, age, or textual fluency increases accessibility relative to mainstream OCR-dependent CAPTCHAs.

Key sources: (Karunathilake et al., 2014, Bulumulla et al., 2014).