DOI:10.1145/2594446
Technical Perspective
The Interplay of Neuroscience and Cryptography
By Ari Juels and Bonnie Wong
To view the accompanying paper,
visit doi.acm.org/10.1145/2594445
There is an untapped resource, of vast
but unknown size, lying hidden under
the surface. As scientists explore and
attempt to map it, they are only just beginning to understand its extent and
how it can best be applied to important
human needs. This description might
fit natural gas or geothermal energy reserves. But it also applies to the
human brain, particularly in the realms
of memory and computer security.
The best estimates of the memory
capacity of the human brain (by Paul Reber, a co-author of the following paper)
place it at around 2.5 petabytes. That is
2.5 × 10^15 bytes, equivalent to the combined capacity of thousands of ordinary
hard drives. Yet it is difficult for most
people to conveniently remember and
reliably recall passwords that contain
more than 20 bits of randomness, that
is, passwords with guessing difficulty
greater than a 20-bit random string.
A random alphanumeric password
such as “7UquO91,” by comparison,
contains a little more than 40 bits
of randomness. (Because password
strength grows exponentially, this is
about a million times stronger than a
password with 20 bits of randomness.)
Strangely, one of the big, unsolved challenges in computer security today is
how a tiny secret such as “7UquO91”
can be effectively read from and written to a storage device with highly limited bandwidth, but enough capacity to
hold the contents of every book in the
U.S. Library of Congress.
The implications are huge. Weak
passwords are easy to crack, as seen
in recent high-profile breaches involving millions of passwords. Forgotten
passwords lead to websites’ use of personal questions, such as “What high
school did you attend?,” that are often
even easier to attack than passwords
themselves. (Just ask former Gov. Sarah
Palin.) Another problem with ordinary
passwords is they can also be given away
inappropriately. People can be physically coerced or threatened into revealing
their passwords, or choose to disclose
them to others who should not be permitted to use them.
An ideal scheme for password storage in the human brain, then, would enable a password with more than 20 bits
of randomness to be input and output
from the brain of a human being who
is unconscious of the process and thus
unable to give away the password or reveal it under coercion.
The following paper describes a way
to do exactly that. It involves a fun and
unexpected mechanism: Having users
play a video game. Players of the game
acquire fairly strong passwords using
implicit learning, a channel into long-term memory by which information is
stored via practice, but not consciously
accessible. As presented here—and
similarly in our work—this approach is
not yet practical for common authentication tasks, such as logging into an
email account. Playing the game takes
far too long (about 10 minutes). But that
is not the point or major contribution
of the paper. It offers an important result highlighting the rich and underexplored intersection between neuroscience and cryptography, not to mention
neuroscience and computer security
more generally.
One exciting frontier in neuroscience
is the use of interfaces to read and stimulate neural activity directly. Electroencephalography (EEG), for instance, permits noninvasive detection of patterns
of neural activity. Low-cost EEG headsets
are paving the way for consumer-grade
brain-computer interfaces (BCIs). Some
are even available today for gamers.
Such interfaces could eliminate users’
need to type responses to stimuli and
speed up implicit-memory-based user
authentication. Even more advanced
techniques could someday provide a
fine-grained, real-time functional view
of the brain, permitting challenge-response authentication protocols executed directly against neural matter, with
no conscious effort by users. Indeed,
there is evidence that technologies aiming to stimulate neuroplasticity, that is,
adaptation of the brain, can enhance
many forms of learning and memory,
possibly including passwords. One such
technology, transcranial direct current
stimulation (tDCS), is now available in
low-cost headsets for cognitive “doping” by gamers. The ambitious Brain
Research through Advancing Innovative
Neurotechnologies (BRAIN) initiative recently announced by the Obama administration promises to catalyze the invention of more such tools.
There are many other open questions
about the interplay of neuroscience and
computer security. Can the natural computing facility of the brain be leveraged
to achieve the equivalent of a smartcard
or hardware authentication token? Can
existing implicit memories be elicited
with the presentation of carefully crafted stimuli and perhaps with brain-computer interfaces? Ultimately, can the
intentions of users be read directly from
their brains to detect and prevent malicious activity? What will brain-computer
interfaces mean for privacy?
Now, on to a paper that is exciting for
stimulating just such questions—and
for giving a few answers, too.
Ari Juels (ajuels@gmail.com) is an independent researcher
specializing in computer security, Boston, MA.
Bonnie Wong (bonniewong38@gmail.com) is a clinical
neuropsychologist at Beth Israel Deaconess Medical
Center, Boston, MA.
Copyright held by Owners/Authors.