Communications of the ACM

DOI:10.1145/2594446

Technical Perspective
The Interplay of Neuroscience
and Cryptography
By Ari Juels and Bonnie Wong

To view the accompanying paper, visit doi.acm.org/10.1145/2594445

THERE IS AN untapped resource, of vast but unknown size, lying hidden under the surface. As scientists explore and attempt to map it, they are only just beginning to understand its extent and how it can best be applied to important human needs. This description might describe natural gas or geothermal energy reserves. But it also applies to the human brain, particularly in the realms of memory and computer security.

The best estimates of the memory capacity of the human brain (by Paul Reber, a co-author of the following paper) place it at around 2.5 petabytes. That is 2.5 x 1015 bytes, equivalent to the combined capacity of thousands of ordinary hard drives. Yet it is difficult for most people to conveniently remember and reliably recall passwords that contain more than 20 bits of randomness, that is, passwords with guessing difficulty greater than a 20-bit random string.

A random alphanumeric password such as “7UquO91,” by comparison, contains a little more than 40 bits of randomness (Because password strength grows exponentially, this is about a million times stronger than a password with 20 bits of randomness.) Strangely, one of the big, unsolved challenges in computer security today is how a tiny secret such as “7UquO91” can be effectively read from and written to a storage device with highly limited bandwidth, but enough capacity to hold the contents of every book in the U.S. Library of Congress.

The implications are huge. Weak passwords are easy to crack, as seen in recent high-profile breaches involving millions of passwords. Forgotten passwords lead to websites’ use of personal questions, such as “What high school did you attend?,” that are often even easier to attack than passwords themselves. (Just ask former Gov. Sarah Palin.) Another problem with ordinary passwords is they can also be given away inappropriately. People can be physically coerced or threatened into revealing

their passwords, or choose to disclose them to others who should not be permitted to use them.

An ideal scheme for password storage in the human brain, then, would enable a password with more than 20 bits of randomness to be input and output from the brain of a human being who is unconscious of the process and thus unable to give away the password or reveal it under coercion.

The following paper describes a way to do exactly that. It involves a fun and unexpected mechanism: Having users play a video game. Players of the game acquire fairly strong passwords using implicit learning, a channel into long-term memory by which information is stored via practice, but not consciously accessible. As presented here—and similarly in our work—this approach is not yet practical for common authentication tasks, such as logging into an email account. Playing the game takes far too long (about 10 minutes). But that is not the point or major contribution of the paper. It offers an important result highlighting the rich and underex-plored intersection between neuroscience and cryptography, not to mention neuroscience and computer security more generally.

One exciting frontier in neuroscience is the use of interfaces to read and stimulate neural activity directly. Electroencephalography (EEG), for instance, permits noninvasive detection of patterns

One exciting frontier
in neuroscience is
the use of interfaces
to read and stimulate
neural activity directly.

of neural activity. Low-cost EEG headsets are paving the way for consumer-grade brain-computer interfaces (BCIs). Some are even available today for gamers. Such interfaces could eliminate users’ need to type responses to stimuli and speed up implicit-memory-based user authentication. Even more advanced techniques could someday provide a fine-grained, real-time functional view of the brain, permitting challenge-response authentication protocols executed directly against neural matter, with no conscious effort by users. Indeed, there is evidence that technologies aiming to stimulate neuroplasticity, that is, adaptation of the brain, can enhance many forms of learning and memory, possibly including passwords. One such technology, transcranial direct current stimulation (tDCS), is now available in low-cost headsets for cognitive “ doping” by gamers. The ambitious Brain Research through Advancing Innovative Neurotechnologies (BRAIN) initiative recently announced by the Obama administration promises to catalyze the invention of more such tools.

There are many other open questions about the interplay of neuroscience and computer security. Can the natural computing facility of the brain be leveraged to achieve the equivalent of a smartcard or hardware authentication token? Can existing implicit memories be elicited with the presentation of carefully crafted stimuli and perhaps with brain-computer interfaces? Ultimately, can the intentions of users be read directly from their brains to detect and prevent malicious activity? What will brain-computer interfaces mean for privacy?

Now, on to a paper that is exciting for stimulating just such questions—and for giving a few answers, too.

Ari Juels (ajuels@gmail.com) is an independent researcher specializing in computer security, Boston, MA. Bonnie Wong (bonniewong38@gmail.com) is a clinical neuropsychologist at Beth Israel Deaconess Medical Center, Boston, MA.