Two-Factor Authenticated Key Exchange from Biometrics with Low Entropy Rates

Multi-factor authenticated key exchange (AKE) enables a user to be authenticated by a server using multiple factors and negotiate a shared session key to protect subsequent communications. Most existing multi-factor AKE schemes utilize biometrics as one factor due to their uniqueness and invariance properties. To support matching for noisy biometrics and protect them, fuzzy extractors are employed to extract a constant random string from varying biometric measurements without disclosing biometric data. However, the fuzzy extractors used in these schemes merely work on biometrics with an entropy rate greater than the error rate. Hence these schemes are unsuitable for biometrics with low entropy rates. In this paper, we propose a secure two-factor AKE scheme dubbed AHEAD from passwords and biometrics, which eliminates the limitation of biometric entropy rates. In AHEAD, we conceive a matching mechanism to simultaneously check whether an input biometric measurement with low entropy rates is close enough to the registered one, and whether an input password exactly matches the registered password. The mechanism allows a valid user to generate a secret element shared with the server in an oblivious way. By adopting a randomization technique, the secret element can be randomized for derivation of session keys. The security and efficiency of AHEAD are demonstrated by formal security proofs and experimental evaluations.