Fuzzy Extractors

This chapter presents a general approach for handling secret biometric data in cryptographic applications. The generality manifests itself in two ways: we attempt to minimize the assumptions we make about the data, and to present techniques that are broadly applicable wherever biometric inputs are used. Because biometric data comes from a variety of sources that are mostly outside of anyone’s control, it is prudent to assume as little as possible about how they are distributed; in particular, an adversary may know more about a distribution than a system’s designers and users. Of course, one may attempt to measure some properties of a biometric distribution, but relying on such measurements in the security analysis is dangerous, because the adversary may have even more accurate measurements available to it. For instance, even assuming that some property of a biometric behaves according to a binomial distribution (or some similar discretization of the normal distribution), one could determine the mean of this distribution only to within ≈ 1 √ n after taking n samples; a well-motivated adversary can take more measurements, and thus determine the mean more accurately. Rather than assuming that some statistical information about the biometric input is available, we assume only that the input is unpredictable: i.e., that if an adversary is allowed a single guess at the value of the input, the likelihood that it is correct is 2−m for some m. This is a minimal assumption in the applications we consider: indeed, if the input is easily guessed, then one cannot use it to derive, say, a secret key for encryption or remote authentication. Of course, determining the exact value of m may in itself present a challenge; however, some lower bound on m is necessary for any sort of security claims. Similarly, while some understanding of errors in biometric measurements is possible, we prefer to minimize the assumptions we make about such errors. We assume only that a subsequent measurement is within a given, allowed distance of the measurement taken at enrollment. The broad applicability of the approaches presented here stems from the initial observation that many prior solutions for specific security problems based on noisy data (including biometrics) shared essential techniques and analyses. Instead of designing solutions for each particular setting as it arises, it seems worthwhile to consider the properties that such solutions share, and encapsulate them into primitives that can be used in a variety of contexts.