Skip to main content
SpringerLink
Log in

Cryptographic Authentication from the Iris

  • Conference paper
  • First Online:
Information Security (ISC 2019)

Part of the book series: Lecture Notes in Computer Science ((LNSC,volume 11723))

Included in the following conference series:

Abstract

Biometrics exhibit noise between repeated readings. Due to the noise, devices store a plaintext template of the biometric. This stored template is an appetizing target for an attacker.

Fuzzy extractors derive a stable cryptographic key from biometrics (Dodis et al., Eurocrypt 2004). Despite many attempts, there are no iris key derivation systems that prove lower bounds on key strength.

Our starting point is a fuzzy extractor due to Canetti et al. (Eurocrypt 2016). We modify and couple the image processing and cryptographic algorithms. We then present a sufficient condition on the iris distribution for security, and analysis this condition using the ND0405 Iris dataset.

We build an iris key derivation system with \(32\) bits of security even when multiple keys are derived from the same iris. We acknowledge \(32\) bits of security is insufficient for a secure system. Multifactor systems hold the most promise for cryptographic authentication. Our scheme is suited for incorporation of additional noiseless factors such as a password.

Our scheme is implemented in C and Python and is open-sourced.

This is a preview of subscription content, log in via an institution to check access.

Access this chapter

Log in via an institution
Chapter
USD 29.95
Price excludes VAT (USA)
  • Available as PDF
  • Read on any device
  • Instant download
  • Own it forever
eBook
USD 39.99
Price excludes VAT (USA)
  • Available as EPUB and PDF
  • Read on any device
  • Instant download
  • Own it forever
Softcover Book
USD 54.99
Price excludes VAT (USA)
  • Compact, lightweight edition
  • Dispatched in 3 to 5 business days
  • Free shipping worldwide - see info

Tax calculation will be finalised at checkout

Purchases are for personal use only

Institutional subscriptions

Notes

  1. 1.

    The quantity \(h_2(t/n)*n\) is the binary entropy of t/n multiplied by n. The quantity \(h_2(t/n)*n\) is larger than t (when \(t\le .5n\)). For example, if \(t=.1n\) then \(h_2(t/n)*n \approx .427n\).

  2. 2.

    Any distribution limited to people on the earth can be described using 33 bits. The estimate of 249 should be understood as the randomness involved in creating a new iris.

  3. 3.

    The actual result of Boyen applies to secure sketches which imply fuzzy extractors. A secure sketch is a frequently used tool to construct a fuzzy extractor.

  4. 4.

    Unlinkability prevents an adversary from telling if two enrollments correspond to the same physical source [21, 47]. Our construction satisfies unlinkability (assuming security of the underlying cryptographic tools).

  5. 5.

    The security/correctness tradeoff of our system immediately improves with an iris transform with lower error rate.

References

  1. Alamélou, Q., et al.: Pseudoentropic isometries: a new framework for fuzzy extractor reusability. In: AsiaCCS (2018)

    Google Scholar 

  2. Apon, D., Cho, C., Eldefrawy, K., Katz, J.: Efficient, reusable fuzzy extractors from LWE. In: Dolev, S., Lodha, S. (eds.) CSCML 2017. LNCS, vol. 10332, pp. 1–18. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-60080-2_1

    Chapter  Google Scholar 

  3. Bellare, M., Rogaway, P.: Random oracles are practical: a paradigm for designing efficient protocols. In: ACM Conference on Computer and Communications Security (CCS), pp. 62–73 (1993)

    Google Scholar 

  4. Bernstein, D.J., Lange, T., Schwabe, P.: The security impact of a new cryptographic library. In: Hevia, A., Neven, G. (eds.) LATINCRYPT 2012. LNCS, vol. 7533, pp. 159–176. Springer, Heidelberg (2012). https://doi.org/10.1007/978-3-642-33481-8_9

    Chapter  Google Scholar 

  5. Bitansky, N., Canetti, R.: On strong simulation and composable point obfuscation. In: Rabin, T. (ed.) CRYPTO 2010. LNCS, vol. 6223, pp. 520–537. Springer, Heidelberg (2010). https://doi.org/10.1007/978-3-642-14623-7_28

    Chapter  Google Scholar 

  6. Blanton, M., Aliasgari, M.: On the (non-) reusability of fuzzy sketches and extractors and security improvements in the computational setting. IACR Cryptology ePrint Archive 2012, 608 (2012)

    Google Scholar 

  7. Blanton, M., Aliasgari, M.: Analysis of reusability of secure sketches and fuzzy extractors. IEEE Transact. Inf. Forensics Secur. 8(9–10), 1433–1445 (2013)

    Article  Google Scholar 

  8. Blanton, M., Gasti, P.: Secure and efficient protocols for iris and fingerprint identification. In: Atluri, V., Diaz, C. (eds.) ESORICS 2011. LNCS, vol. 6879, pp. 190–209. Springer, Heidelberg (2011). https://doi.org/10.1007/978-3-642-23822-2_11

    Chapter  Google Scholar 

  9. Blundo, C., De Cristofaro, E., Gasti, P.: EsPRESSo: efficient privacy-preserving evaluation of sample set similarity. In: Di Pietro, R., Herranz, J., Damiani, E., State, R. (eds.) DPM/SETOP -2012. LNCS, vol. 7731, pp. 89–103. Springer, Heidelberg (2013). https://doi.org/10.1007/978-3-642-35890-6_7

    Chapter  Google Scholar 

  10. Bonneau, J.: The science of guessing: analyzing an anonymized corpus of 70 million passwords. In: 2012 IEEE Symposium on Security and Privacy, pp. 538–552. IEEE (2012)

    Google Scholar 

  11. Bonneau, J., Herley, C., Van Oorschot, P.C., Stajano, F.: The quest to replace passwords: a framework for comparative evaluation of web authentication schemes. In: IEEE Symposium on Security and Privacy, pp. 553–567. IEEE (2012)

    Google Scholar 

  12. Bowyer, K.W., Flynn, P.J.: The ND-IRIS-0405 iris image dataset. arXiv preprint arXiv:1606.04853 (2016)

  13. Bowyer, K.W., Hollingsworth, K., Flynn, P.J.: Image understanding for iris biometrics: A survey. Comput. Vis. Image Underst. 110(2), 281–307 (2008)

    Article  Google Scholar 

  14. Bowyer, K.W., Hollingsworth, K.P., Flynn, P.J.: A survey of iris biometrics research: 2008–2010. In: Burge, M., Bowyer, K. (eds.) Handbook of iris Recognition. ACVPR, pp. 15–54. Springer, London (2013). https://doi.org/10.1007/978-1-4471-4402-1_2

    Chapter  Google Scholar 

  15. Boyen, X.: Reusable cryptographic fuzzy extractors. In: Proceedings of the 11th ACM Conference on Computer and Communications Security, CCS 2004, pp. 82–91. ACM, New York (2004)

    Google Scholar 

  16. Boyen, X., Dodis, Y., Katz, J., Ostrovsky, R., Smith, A.: Secure remote authentication using biometric data. In: Cramer, R. (ed.) EUROCRYPT 2005. LNCS, vol. 3494, pp. 147–163. Springer, Heidelberg (2005). https://doi.org/10.1007/11426639_9

    Chapter  Google Scholar 

  17. Bringer, J., Chabanne, H., Cohen, G., Kindarji, B., Zémor, G.: Optimal iris fuzzy sketches. In: First IEEE International Conference on Biometrics: Theory, Applications, and Systems, 2007, BTAS 2007, pp. 1–6. IEEE (2007)

    Google Scholar 

  18. Bringer, J., Chabanne, H., Patey, A.: SHADE: Secure HAmming DistancE computation from oblivious transfer. In: Adams, A.A., Brenner, M., Smith, M. (eds.) FC 2013. LNCS, vol. 7862, pp. 164–176. Springer, Heidelberg (2013). https://doi.org/10.1007/978-3-642-41320-9_11

    Chapter  Google Scholar 

  19. Canetti, R., Dakdouk, R.R.: Obfuscating point functions with multibit output. In: Smart, N. (ed.) EUROCRYPT 2008. LNCS, vol. 4965, pp. 489–508. Springer, Heidelberg (2008). https://doi.org/10.1007/978-3-540-78967-3_28

    Chapter  Google Scholar 

  20. Canetti, R., Fuller, B., Paneth, O., Reyzin, L., Smith, A.: Reusable fuzzy extractors for low-entropy distributions. In: Fischlin, M., Coron, J.-S. (eds.) EUROCRYPT 2016. LNCS, vol. 9665, pp. 117–146. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-49890-3_5

    Chapter  Google Scholar 

  21. F. Carter and A. Stoianov. Implications of biometric encryption on wide spread use of biometrics. In EBF Biometric Encryption Seminar (June 2008), 2008

    Google Scholar 

  22. Cheon, J.H., Jeong, J., Kim, D., Lee, J.: A reusable fuzzy extractor with practical storage size: modifying Canetti et al.’s Construction. In: Susilo, W., Yang, G. (eds.) ACISP 2018. LNCS, vol. 10946, pp. 28–44. Springer, Cham (2018). https://doi.org/10.1007/978-3-319-93638-3_3

    Chapter  Google Scholar 

  23. Dakdouk, R.R.: Theory and Application of Extractable Functions. PhD thesis, Yale University (2009). http://www.cs.yale.edu/homes/jf/Ronny-thesis.pdf

  24. Daugman, J.: How iris recognition works. IEEE Transact. Circuits Syst. Video Technol. 14(1), 21–30 (2004)

    Article  Google Scholar 

  25. Delvaux, J., Gu, D., Verbauwhede, I., Hiller, M., Yu, M.-D.M.: Efficient fuzzy extraction of puf-induced secrets: theory and applications. In: Gierlichs, B., Poschmann, A.Y. (eds.) CHES 2016. LNCS, vol. 9813, pp. 412–431. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-53140-2_20

    Chapter  MATH  Google Scholar 

  26. Deshmukh, S., Carter, H., Hernandez, G., Traynor, P., Butler, K.: Efficient and secure template blinding for biometric authentication. In: 2016 IEEE Conference on Communications and Network Security (CNS), pp. 480–488. IEEE (2016)

    Google Scholar 

  27. Dodis, Y., Kanukurthi, B., Katz, J., Reyzin, L., Smith, A.: Robust fuzzy extractors and authenticated key agreement from close secrets. IEEE Transact. Inf. Theory 58(9), 6207–6222 (2012)

    Article  MathSciNet  Google Scholar 

  28. Dodis, Y., Katz, J., Reyzin, L., Smith, A.: Robust fuzzy extractors and authenticated key agreement from close secrets. In: Dwork, C. (ed.) CRYPTO 2006. LNCS, vol. 4117, pp. 232–250. Springer, Heidelberg (2006). https://doi.org/10.1007/11818175_14

    Chapter  Google Scholar 

  29. Dodis, Y., Ostrovsky, R., Reyzin, L., Smith, A.: Fuzzy extractors: how to generate strong keys from biometrics and other noisy data. SIAM J. Comput. 38(1), 97–139 (2008)

    Article  MathSciNet  Google Scholar 

  30. Dodis, Y., Reyzin, L., Smith, A.: Fuzzy extractors: how to generate strong keys from biometrics and other noisy data. In: Cachin, C., Camenisch, J.L. (eds.) EUROCRYPT 2004. LNCS, vol. 3027, pp. 523–540. Springer, Heidelberg (2004). https://doi.org/10.1007/978-3-540-24676-3_31

    Chapter  Google Scholar 

  31. Dupont, P.-A., Hesse, J., Pointcheval, D., Reyzin, L., Yakoubov, S.: Fuzzy password-authenticated key exchange. In: Nielsen, J.B., Rijmen, V. (eds.) EUROCRYPT 2018. LNCS, vol. 10822, pp. 393–424. Springer, Cham (2018). https://doi.org/10.1007/978-3-319-78372-7_13

    Chapter  Google Scholar 

  32. Evans, D., Huang, Y., Katz, J., Malka, L.: Efficient privacy-preserving biometric identification. In: Proceedings of the 17th Conference Network and Distributed System Security Symposium, NDSS (2011)

    Google Scholar 

  33. Fuller, B., Meng, X., Reyzin, L.: Computational fuzzy extractors. In: Sako, K., Sarkar, P. (eds.) ASIACRYPT 2013. LNCS, vol. 8269, pp. 174–193. Springer, Heidelberg (2013). https://doi.org/10.1007/978-3-642-42033-7_10

    Chapter  Google Scholar 

  34. Fuller, B., Reyzin, L., Smith, A.: When are fuzzy extractors possible? In: Cheon, J.H., Takagi, T. (eds.) ASIACRYPT 2016. LNCS, vol. 10031, pp. 277–306. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-53887-6_10

    Chapter  Google Scholar 

  35. Fuller, B., Simhadri, S., Steel, J.: Reusable authentication from the iris. Cryptology ePrint Archive, Report 2017/1177 (2017). https://eprint.iacr.org/2017/1177

  36. Fuller, B., Simhadri, S., Steel, J.: Computational fuzzy extractors (2018). https://github.com/benjaminfuller/CompFE

  37. Goldreich, O.: A sample of samplers: a computational perspective on sampling. In: Goldreich, O. (ed.) Studies in Complexity and Cryptography. Miscellanea on the Interplay between Randomness and Computation. LNCS, vol. 6650, pp. 302–332. Springer, Heidelberg (2011). https://doi.org/10.1007/978-3-642-22670-0_24

    Chapter  Google Scholar 

  38. Grossmann, A., Morlet, J.: Decomposition of Hardy functions into square integrable wavelets of constant shape. SIAM J. Math. Anal. 15(4), 723–736 (1984)

    Article  MathSciNet  Google Scholar 

  39. Guo, Z., Karimian, N., Tehranipoor, M.M., Forte, D.: Hardware security meets biometrics for the age of IoT. In: 2016 IEEE International Symposium on Circuits and Systems (ISCAS), pp. 1318–1321. IEEE (2016)

    Google Scholar 

  40. Hao, F., Anderson, R., Daugman, J.: Combining crypto with biometrics effectively. IEEE Transact. Comput. 55(9), 1081–1088 (2006)

    Article  Google Scholar 

  41. Holenstein, T., Renner, R.: One-way secret-key agreement and applications to circuit polarization and immunization of public-key encryption. In: Shoup, V. (ed.) CRYPTO 2005. LNCS, vol. 3621, pp. 478–493. Springer, Heidelberg (2005). https://doi.org/10.1007/11535218_29

    Chapter  Google Scholar 

  42. Hollingsworth, K.P., Bowyer, K.W., Flynn, P.J.: The best bits in an iris code. IEEE Transact. Pattern Anal. Mach. Intell. 31(6), 964–973 (2009)

    Article  Google Scholar 

  43. Itkis, G., Chandar, V., Fuller, B.W., Campbell, J.P., Cunningham, R.K.: Iris biometric security challenges and possible solutions: for your eyes only? using the iris as a key. IEEE Sig. Process. Mag. 32(5), 42–53 (2015)

    Article  Google Scholar 

  44. Josefsson, S.: The memory-hard argon2 password hash function. In: Memory (2015)

    Google Scholar 

  45. Juels, A., Wattenberg, M.: A fuzzy commitment scheme. In: Sixth ACM Conference on Computer and Communication Security, pp. 28–36. ACM, November 1999

    Google Scholar 

  46. Kanade, S., Camara, D., Krichen, E., Petrovska-Delacrétaz, D., Dorizzi, B.: Three factor scheme for biometric-based cryptographic key regeneration using iris. In: Biometrics Symposium 2008, BSYM 2008, pp. 59–64. IEEE (2008)

    Google Scholar 

  47. Kelkboom, E.J., Breebaart, J., Kevenaar, T.A., Buhan, I., Veldhuis, R.N.: Preventing the decodability attack based cross-matching in a fuzzy commitment scheme. IEEE Transact. Inf. Forensics Secur. 6(1), 107–121 (2011)

    Article  Google Scholar 

  48. Komanduri, S., et al.: Of passwords and people: measuring the effect of password-composition policies. In: Proceedings of the SIGCHI Conference on Human Factors in Computing Systems, pp. 2595–2604. ACM (2011)

    Google Scholar 

  49. Krichen, E., Mellakh, A., Salicetti, S., Dorizzi, B.: OSIRIS (open source for IRIS) reference system (2017)

    Google Scholar 

  50. Lynn, B., Prabhakaran, M., Sahai, A.: Positive results and techniques for obfuscation. In: Cachin, C., Camenisch, J.L. (eds.) EUROCRYPT 2004. LNCS, vol. 3027, pp. 20–39. Springer, Heidelberg (2004). https://doi.org/10.1007/978-3-540-24676-3_2

    Chapter  Google Scholar 

  51. Nisan, N., Zuckerman, D.: Randomness is linear in space. J. Comput. Syst. Sci. 52, 43–52 (1993)

    Article  MathSciNet  Google Scholar 

  52. Pass, R., Seth, K., Telang, S.: Obfuscation from semantically-secure multi-linear encodings. Cryptology ePrint Archive, Report 2013/781 (2013). http://eprint.iacr.org/

  53. Patel, V.M., Ratha, N.K., Chellappa, R.: Cancelable biometrics: a review. IEEE Sig. Process. Mag. 32(5), 54–65 (2015)

    Article  Google Scholar 

  54. Percival, C., Josefsson, S.: The scrypt password-based key derivation function. Technical report (2016)

    Google Scholar 

  55. Phillips, P.J., Bowyer, K.W., Flynn, P.J., Liu, X., Scruggs, W.T.: The iris challenge evaluation 2005. In: 2nd IEEE International Conference on Biometrics: Theory, Applications and Systems 2008, BTAS 2008, pp. 1–8. IEEE (2008)

    Google Scholar 

  56. Phillips, P.J., et al.: FRVT 2006 and ICE 2006 large-scale experimental results. In: IEEE Transactions on Pattern Analysis and Machine Intelligence (2006)

    Google Scholar 

  57. Prabhakar, S., Pankanti, S., Jain, A.K.: Biometric recognition: security and privacy concerns. IEEE Secur. Priv. 1(2), 33–42 (2003)

    Article  Google Scholar 

  58. Simoens, K., Tuyls, P., Preneel, B.: Privacy weaknesses in biometric sketches. In: IEEE Symposium on Security and Privacy, pp. 188–203. IEEE (2009)

    Google Scholar 

  59. Valiant, G., Valiant, P.: A CLT and tight lower bounds for estimating entropy. Electron. Colloquium Comput. Complexity (ECCC) 17, 9 (2010)

    Google Scholar 

  60. Valiant, G., Valiant, P.: Estimating the unseen: an n/log (n)-sample estimator for entropy and support size, shown optimal via new CLTs. In: Proceedings of the forty-third annual ACM symposium on Theory of computing, pp. 685–694. ACM (2011)

    Google Scholar 

  61. Wang, D., Zhang, Z., Wang, P., Yan, J., Huang, X.: Targeted online password guessing: an underestimated threat. In: Proceedings of the 2016 ACM SIGSAC Conference on Computer and Communications Security, pp. 1242–1254. ACM (2016)

    Google Scholar 

  62. Wen, Y., Liu, S.: Robustly reusable fuzzy extractor from standard assumptions. In: Peyrin, T., Galbraith, S. (eds.) ASIACRYPT 2018. LNCS, vol. 11274, pp. 459–489. Springer, Cham (2018). https://doi.org/10.1007/978-3-030-03332-3_17

    Chapter  Google Scholar 

  63. Wen, Y., Liu, S., Han, S.: Reusable fuzzy extractor from the decisional Diffie-Hellman assumption. Des. Codes Crypt. 86, 2495–2512 (2018)

    Article  MathSciNet  Google Scholar 

  64. Woodage, J., Chatterjee, R., Dodis, Y., Juels, A., Ristenpart, T.: A new distribution-sensitive secure sketch and popularity-proportional hashing. In: Katz, J., Shacham, H. (eds.) CRYPTO 2017. LNCS, vol. 10403, pp. 682–710. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-63697-9_23

    Chapter  Google Scholar 

Download references

Acknowledgements

We thank the anonymous reviews for their helpful suggestions and comments. Mariem Ouni and Tyler Cromwell contributed to software described in this work. We thank Leonid Reyzin and Alexander Russell for helpful discussions and insights. This work was supported in part through a grant with Comcast Inc. Work of S. Simhadri was done while at University of Connecticut.

Author information

Authors and Affiliations

  1. Google Inc., Cambridge, MA, USA

    Sailesh Simhadri

  2. University of Connecticut, Storrs, CT, USA

    James Steel & Benjamin Fuller

Authors
  1. Sailesh Simhadri
    View author publications

    You can also search for this author in PubMed Google Scholar

  2. James Steel
    View author publications

    You can also search for this author in PubMed Google Scholar

  3. Benjamin Fuller
    View author publications

    You can also search for this author in PubMed Google Scholar

Corresponding author

Correspondence to Benjamin Fuller .

Editor information

Editors and Affiliations

  1. The Ohio State University, Columbus, OH, USA

    Zhiqiang Lin

  2. University of Maryland, College Park, MD, USA

    Charalampos Papamanthou

  3. Stony Brook University, Stony Brook, NY, USA

    Michalis Polychronakis

Rights and permissions

Reprints and permissions

Copyright information

© 2019 Springer Nature Switzerland AG

About this paper

Check for updates. Verify currency and authenticity via CrossMark

Cite this paper

Simhadri, S., Steel, J., Fuller, B. (2019). Cryptographic Authentication from the Iris. In: Lin, Z., Papamanthou, C., Polychronakis, M. (eds) Information Security. ISC 2019. Lecture Notes in Computer Science(), vol 11723. Springer, Cham. https://doi.org/10.1007/978-3-030-30215-3_23

Download citation

  • DOI: https://doi.org/10.1007/978-3-030-30215-3_23

  • Published:

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-030-30214-6

  • Online ISBN: 978-3-030-30215-3

  • eBook Packages: Computer ScienceComputer Science (R0)

Publish with us

Policies and ethics

Search

Navigation