Re: Fingerprint as cryptokey



In article <ed3tcb$l0r$6@xxxxxxxxxxxxxxxxxx>,
kim@xxxxxxxxxxx (Kim G. S. Øyhus) wrote:
> Francois Grieu <fgrieu@xxxxxxxxxxxx> wrote:
> > I'm trying to find an information-theoretic argument that
> > there can't be a Biometrics -> Cryptokey function, not using
> > a database CONSTRUCTED FROM enrolled person's inputs, that
> > - generates the same output from two inputs acquired from
> > the same person with sizable probability (say > 2^-10)
> > - but still is very unlikely to produce the same outputs
> > from two inputs acquired from any two different persons
> > (say 2^-100 probability).
> >
> > Any clue ?
>
> Definitely. I have made such a proof, but I cannot show it
> because it tells too much about how it can be solved.
>
> I can give you good hints though:
>
> Start with the simplest possible biocrypto system possible:
> A system which outputs code 1 for people below 1.8 meters and
> code 2 for people above 1.8 meters.
>
> Show that people near 1.8 meters are a problem.
>
> Then show that this is the best case, and that using more
> data makes the problem worse, not better.
>
> Hint: The curse of dimensionality.

I like your proof sketch, and model of biometrics:
N independent variables in R (the reals), each with some
probability distribution.

I'm stuck on the "more data makes the problem worse" bit.
I fail to disprove that some appropriate selection of the
measurements/dimensions can't be made without feeding
extra data. Maybe, I fail to identify the appropriate
definition of "problem".

Of course, if one is allowed to make a function accepting
the biometric plus some extra data crafted at enrollment,
by using this extra data as forward error correction,
the problem can be solved. With little extra work, this
allows a machine, of 100% public design, that lets one
encipher, and decipher on a different machine of
the same model, using fingerprint / biometric as key,
and some provably quantifiable degree of security.
I can't believe this concept is new.

But "translate variable prints into cryptographic keys
with absolutely no variation", that would be new, I guess.


François Grieu
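
The helper-data idea in the post above (extra data crafted at enrollment, used as forward error correction), shown as an added example that is not part of the original post: a code-offset construction with a toy repetition code, next to direct hashing with no helper data. The bit-vector readings, sizes and function names are constructed for illustration.

```python
import hashlib
import secrets

REP = 7  # toy repetition code: each secret bit sent 7 times, corrects 3 flips

def _xor(a, b):
    return [x ^ y for x, y in zip(a, b)]

def _key(bits):
    return hashlib.sha256(bytes(bits)).hexdigest()

def naive_key(reading):
    """No helper data: hash the quantized reading directly."""
    return _key(reading)

def enroll(reading):
    """Return (key, helper); helper is the public data crafted at enrollment."""
    secret = [secrets.randbelow(2) for _ in range(len(reading) // REP)]
    codeword = [b for b in secret for _ in range(REP)]
    return _key(secret), _xor(codeword, reading)

def reproduce(reading, helper):
    """Recover the key from a fresh reading plus the public helper data."""
    noisy = _xor(helper, reading)  # codeword XOR (bits that changed)
    blocks = (noisy[i:i + REP] for i in range(0, len(noisy), REP))
    return _key([int(2 * sum(blk) > REP) for blk in blocks])  # majority vote

def flip(reading, positions):
    """Constructed measurement noise: invert the bits at the given indices."""
    return [b ^ (i in positions) for i, b in enumerate(reading)]

# Constructed sample data: 112 quantized feature bits (16 blocks of 7).
ENROLLED = [(i * 5 + i // 3) % 2 for i in range(112)]
SAME_PERSON = flip(ENROLLED, {0, 1, 2, 20, 50, 51, 111})  # <= 3 flips per block
TOO_FAR = flip(ENROLLED, {0, 1, 2, 3})                    # 4 flips in block 0

if __name__ == "__main__":
    key, helper = enroll(ENROLLED)
    print("naive hash stable:   ", naive_key(SAME_PERSON) == naive_key(ENROLLED))
    print("helper data, in range:", reproduce(SAME_PERSON, helper) == key)
    print("helper data, too far: ", reproduce(TOO_FAR, helper) == key)
```

With a repetition code the helper reveals the XOR of any two reading bits in the same block, so the key is only as strong as the entropy left in the reading after that leak. The 16-bit secret here is a toy size.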