Reusable Authentication from the Iris

Mobile platforms use biometrics for authentication. Biometrics exhibit noise between repeated readings. Due to the noise, biometrics are stored in plaintext increasing risk if a device is compromised. Since biometrics cannot be regenerated or refreshed, they will be reused, increasing the impact of such a compromise. Fuzzy extractors derive a stable cryptographic key from biometrics (Dodis et al., Eurocrypt 2004). Previous works claim biometric key derivation systems using fuzzy extractors but these works either assume an adversary model where plaintext biometric storage is secure or have incorrect analysis. In addition, no construction handles the case of biometric reuse. The goal of this work is to derive keys from an actual biometric with formal and explicit conditions for security. We focus on the iris due to its strong uniqueness (Prabhakar, Pankanti, and Jain, IEEE S&P 2003). We build an iris key derivation system with 45 bits of security even when the iris is reused. Our starting point is sample-then-lock, a recent fuzzy extractor due to Canetti et al. (Eurocrypt 2016). Achieving satisfactory parameters requires modifying and coupling the image processing and cryptographic algorithms. Our system is based on repeated hashing which simplifies incorporating multiple factors (such as a password). The construction is implemented in C and Python and is open-sourced. This system is fast enough for use on desktop applications with successful authentication usually completing within .30s.

[1]  Sébastien Marcel,et al.  Image Quality Assessment for Fake Biometric Detection: Application to Iris, Fingerprint, and Face Recognition , 2014, IEEE Transactions on Image Processing.

[2]  Rama Chellappa,et al.  Cancelable Biometrics: A review , 2015, IEEE Signal Processing Magazine.

[3]  Natalia A. Schmid,et al.  A Model Based, Anatomy Based Method for Synthesizing Iris Images , 2006, ICB.

[4]  Oded Regev,et al.  On lattices, learning with errors, random linear codes, and cryptography , 2005, STOC '05.

[5]  Ran Canetti,et al.  Obfuscating Point Functions with Multibit Output , 2008, EUROCRYPT.

[6]  Gregory Valiant,et al.  A CLT and tight lower bounds for estimating entropy , 2010, Electron. Colloquium Comput. Complex..

[7]  Stéphane Cauchie,et al.  Practical Reusable Fuzzy Extractors for the Set Difference Metric and Adaptive Fuzzy Extractors , 2016, IACR Cryptol. ePrint Arch..

[8]  Robert K. Cunningham,et al.  Iris Biometric Security Challenges and Possible Solutions: For your eyes only?Using the iris as a key , 2015, IEEE Signal Processing Magazine.

[9]  Shuai Han,et al.  Reusable fuzzy extractor from the decisional Diffie–Hellman assumption , 2018, Des. Codes Cryptogr..

[10]  John Daugman How iris recognition works , 2004 .

[11]  Rafail Ostrovsky,et al.  Fuzzy Extractors: How to Generate Strong Keys from Biometrics and Other Noisy Data , 2004, SIAM J. Comput..

[12]  Yael Tauman Kalai,et al.  On Symmetric Encryption and Point Obfuscation , 2010, TCC.

[13]  Sharath Pankanti,et al.  Biometric Recognition: Security and Privacy Concerns , 2003, IEEE Secur. Priv..

[14]  Mihir Bellare,et al.  Random oracles are practical: a paradigm for designing efficient protocols , 1993, CCS '93.

[15]  Lujo Bauer,et al.  Of passwords and people: measuring the effect of password-composition policies , 2011, CHI.

[16]  Daniel Wichs,et al.  Obfuscating Compute-and-Compare Programs under LWE , 2017, 2017 IEEE 58th Annual Symposium on Foundations of Computer Science (FOCS).

[17]  Mark Mohammad Tehranipoor,et al.  Hardware security meets biometrics for the age of IoT , 2016, 2016 IEEE International Symposium on Circuits and Systems (ISCAS).

[18]  Stéphane Cauchie,et al.  Pseudoentropic Isometries: A New Framework for Fuzzy Extractor Reusability , 2018, AsiaCCS.

[19]  Marina Blanton,et al.  Analysis of Reusability of Secure Sketches and Fuzzy Extractors , 2013, IEEE Transactions on Information Forensics and Security.

[20]  Bart Preneel,et al.  Privacy Weaknesses in Biometric Sketches , 2009, 2009 30th IEEE Symposium on Security and Privacy.

[21]  Leonid Reyzin,et al.  Computational Fuzzy Extractors , 2013, ASIACRYPT.

[22]  Xavier Boyen,et al.  Reusable cryptographic fuzzy extractors , 2004, CCS '04.

[23]  Noam Nisan,et al.  Randomness is Linear in Space , 1996, J. Comput. Syst. Sci..

[24]  Nir Bitansky,et al.  On Strong Simulation and Composable Point Obfuscation , 2010, CRYPTO.

[25]  M. Angela Sasse,et al.  Are Passfaces More Usable Than Passwords? A Field Trial Investigation , 2000, BCS HCI.

[26]  Gregory Valiant,et al.  Estimating the unseen: an n/log(n)-sample estimator for entropy and support size, shown optimal via new CLTs , 2011, STOC '11.

[27]  Salil P. Vadhan,et al.  Constructing Locally Computable Extractors and Cryptosystems in the Bounded-Storage Model , 2003, Journal of Cryptology.

[28]  Mark Zhandry The Magic of ELFs , 2016, CRYPTO.

[29]  K.W. Bowyer,et al.  The Iris Challenge Evaluation 2005 , 2008, 2008 IEEE Second International Conference on Biometrics: Theory, Applications and Systems.

[30]  Simon Josefsson,et al.  The scrypt Password-Based Key Derivation Function , 2016, RFC.

[31]  K.W. Bowyer,et al.  The Best Bits in an Iris Code , 2009, IEEE Transactions on Pattern Analysis and Machine Intelligence.

[32]  Marina Blanton,et al.  Biometric-Based Non-transferable Anonymous Credentials , 2009, ICICS.

[33]  Patrick J. Flynn,et al.  A Survey of Iris Biometrics Research: 2008-2010 , 2013, Handbook of Iris Recognition.

[34]  Feng Hao,et al.  Combining Crypto with Biometrics Effectively , 2006, IEEE Transactions on Computers.

[35]  A. Grossmann,et al.  DECOMPOSITION OF HARDY FUNCTIONS INTO SQUARE INTEGRABLE WAVELETS OF CONSTANT SHAPE , 1984 .

[36]  Amit Sahai,et al.  Positive Results and Techniques for Obfuscation , 2004, EUROCRYPT.

[37]  Dimitriadis Evangelos,et al.  The Quest to Replace Passwords : a Framework for Comparative Evaluation of Web Authentication Schemes , 2016 .

[38]  Laurent Amsaleg,et al.  Locality sensitive hashing: A comparison of hash function types and querying mechanisms , 2010, Pattern Recognit. Lett..

[39]  Dawu Gu,et al.  Efficient Fuzzy Extraction of PUF-Induced Secrets: Theory and Applications , 2016, CHES.

[40]  Omer Paneth,et al.  Reusable Fuzzy Extractors for Low-Entropy Distributions , 2016, Journal of Cryptology.

[41]  Alice J. O'Toole,et al.  FRVT 2006 and ICE 2006 Large-Scale Experimental Results , 2010, IEEE Transactions on Pattern Analysis and Machine Intelligence.

[42]  Patrick J. Flynn,et al.  The ND-IRIS-0405 Iris Image Dataset , 2016, ArXiv.

[43]  Alex Biryukov,et al.  The memory-hard Argon2 password hash function , 2015 .

[44]  Leonid Reyzin,et al.  When Are Fuzzy Extractors Possible? , 2016, IEEE Transactions on Information Theory.

[45]  S. Kanade,et al.  Three factor scheme for biometric-based cryptographic key regeneration using iris , 2008, 2008 Biometrics Symposium.

[46]  Gérard D. Cohen,et al.  Optimal Iris Fuzzy Sketches , 2007, 2007 First IEEE International Conference on Biometrics: Theory, Applications, and Systems.

[47]  Marina Blanton,et al.  On the (Non-)Reusability of Fuzzy Sketches and Extractors and Security Improvements in the Computational Setting , 2012, IACR Cryptol. ePrint Arch..

[48]  Srinivas Devadas,et al.  Trapdoor Computational Fuzzy Extractors and Stateless Cryptographically-Secure Physical Unclonable Functions , 2017, IEEE Transactions on Dependable and Secure Computing.

[49]  Leonid A. Levin,et al.  A Pseudorandom Generator from any One-way Function , 1999, SIAM J. Comput..

[50]  Patrick J. Flynn,et al.  Image understanding for iris biometrics: A survey , 2008, Comput. Vis. Image Underst..

[51]  Anil K. Jain,et al.  An Introduction to Biometric Authentication Systems , 2005 .

[52]  Jonathan Katz,et al.  Efficient, Reusable Fuzzy Extractors from LWE , 2017, CSCML.

[53]  Raymond N. J. Veldhuis,et al.  Preventing the Decodability Attack Based Cross-Matching in a Fuzzy Commitment Scheme , 2011, IEEE Transactions on Information Forensics and Security.

[54]  Quynh H. Dang,et al.  Secure Hash Standard | NIST , 2015 .