Paper 2024/100

IrisLock: Iris Biometric Key Derivation with 42 bits of security

Abstract

Despite decades of effort, a chasm exists between the theory and practice of device-level biometric authentication. Deployed authentication algorithms rely on data that overtly leaks private information about the biometric; thus systems rely on externalized security measures such as trusted execution environments. The authentication algorithms have no cryptographic guarantees. This is frustrating given the research that has developed theoretical tools, known as fuzzy extractors, that enable secure, privacy-preserving biometric authentication with public enrollment data (Dodis et al., SIAM JoC 2008). Unfortunately, fuzzy extractor systems either: -Make strong independence assumptions, such as: -- Bits of biometrics are i.i.d. (or that all correlation is pairwise between features (Hine et al., TIFS 2023)), or -- For an error-correcting code, the nearest codeword and the coset of biometric readings are independent (Zhang, Cui, and Yu, ePrint 2021/1559). These assumptions either have not been statistically checked or statistical analysis indicates they are false. - Or use incorrect cryptographic analysis. Simhadri et al. (ISC, 2019) assume the security of sample-then-lock (Canetti et al., Journal of Cryptology 2021) is captured by the average min-entropy of subsets. Zhang et al. (ICPR, 2022) show an attack on this incorrect analysis. This work introduces IrisLock, an iris key derivation system powered by technical advances in both 1) feature extraction from the iris and 2) the fuzzy extractor used to secure authentication keys. The fuzzy extractor builds on sample-then-lock (Canetti et al., Journal of Cryptology 2021). We correct a proof in Canetti et al. and show the minimum of min-entropy of subsets is the relevant security measure. Our primary parameters are $42$ bits of security at $45\%$ true accept rate (TAR). Our quantitive level of security is as good as the above systems, Simhadri et al's incorrect analysis yields an estimate of $32$ bits, while Zhang et al.'s system on the face estimates $45$ bits (with the independence condition). One can easily incorporate a password, boosting security to $64$ bits. Irises used to evaluate TAR and security are class disjoint from those used for training and collecting statistics (the open dataset regime). The only statistical assumption made is necessary: the accuracy of min-entropy estimation.

Note: This version is substantially reworked from the prior version. In particular, the entropy test was changed to evaluate min-entropy instead of Shannon entropy. This resulted in very different parameters and conclusion. Most evaluation is new.