Neural Fuzzy Extractors: A Secure Way to Use Artificial Neural Networks for Biometric User Authentication

For the registration phase, a codebook is defined over the vector space, and restricted to the support of the expander’s output. Different methods can be used to define such a code, but an optimal choice would be a capacity-achieving code (for an additive White Gaussian noise (AWGN) channel, if the vector space is of the form $\mathbb{R}^{n}$, and for a binary symmetric channel if the vector space is defined over $GF(2^{n})$). For our specific example, in which embeddings are defined over $\mathbb{R}^{128}$, we choose a low-density lattice code (LDLC) [48] in $128$ dimensions. This codebook is made up of a set of codewords, which are represented by the black dots in the middle portion of Figure 2. Each such black dot is surrounded by its decoding sphere (or Voronoi region). Any data point (represented as a vector) falling inside a particular codeword’s Voronoi region can be decoded to this particular codeword (which is that codeword in the codebook that is closest to the data point).

Next, we identify the center of the AU’s decision region – denote it as $\mathbf{r}_{i}$ – and “decode” it to the closest codeword in the codebook – denote this codeword as $\mathbf{c}_{i}$. We then calculate the difference vector (DV) $\mathbf{d}_{i}=\mathbf{r}_{i}-\mathbf{c}_{i}$ between the center of the AU’s decision region and the closest codeword (a translated copy of $\mathbf{d}_{i}$ is shown as the small yellow arrow in the bottom-right part of the middle part of Figure 2). The DV $\mathbf{d}_{i}$ is stored as part of the AU’s authentication record, along with the hash $h(\mathbf{r}_{i})$ of the center of the AU’s decision region.

For each of registered user $i$, the verifier has access to their tuple $(\mathbf{d}_{i},h(\mathbf{r}_{i}))$. Upon verifying a user’s claim to be user $i$, the current biometric reading – denote it as $\mathbf{b}$ is placed (by virtue of the expander-enhanced classifier) into the vector space, and the DV is subtracted from it. Let the result be $\mathbf{f}_{i}=\mathbf{b}-\mathbf{d}_{i}$. In the right part of Figure 2, $\mathbf{b}$ is represented as a light-blue triangle, while $\mathbf{f}_{i}$ is the tip of the upper yellow arrow. The vector $\mathbf{f}_{i}$ is then decoded to the closest codeword – denote this codeword as $\mathbf{c}_{j}$ and note that if $\mathbf{b}$ is indeed the biometric of user $i$, then we should have $\mathbf{c}_{j}=\mathbf{c}_{i}$. Finally, the DV $\mathbf{d}_{i}$ is added to this codeword $\mathbf{c}_{j}$ (in an attempt to recover the center of the AU’s decision region), and the hash of the result $h(\mathbf{c}_{j}+\mathbf{d}_{i})$ is compared to the one in user $i$’s record $h(\mathbf{r}_{i})$. The user is authenticated if $h(\mathbf{c}_{j}+\mathbf{d}_{i})=h(\mathbf{r}_{i})$.

NOTE 1: In general, instead of decoding the center of the AU’s decision region to the closest codeword, we could simply choose a random codeword, and calculate the DV between the center of the AU’s decision region and this codeword. But in this case, additional steps have to be taken to ensure that the DV does not leak any information about the center of the AU’s decision region. For example, if we choose a codeword in the upper-left of the large sphere in Figure 2, the DV has a large amplitude, and an attacker could infer that the center of the AU’s decision region is in the lower right. To avoid such leakage, we would need to add to DV an additional random vector, the effect of which is neutral when wrapped around the large sphere (zero modulo the large sphere).

NOTE 2: It may appear at a first glance that the system can be further simplified by hashing directly the (closest, or randomly-chosen) codeword. However, with such an implementation, care must be taken to ensure that different users are assigned different codewords, which results in a net increase of the system complexity. Using the extra steps required to store the hash of the center of the AU’s decision region as above will naturally ensure that different users have different hashes in the authentication table.

We assume a biometric-based authentication system, implemented with the help of an artificial neural network on an authentication server (which, as a particular case, and in a broad sense, can be hosted on the local machine to which users attempt to log in). Each of the legitimate users of the system undergo the registration phase, in which multiple readings of their biometric feature(s) are taken and used to train the authentication system. The trained authentication system, as well as the users’ authentication records, are stored (possibly encrypted) on the authentication server. We assume no malicious interference during, or eavesdropping of, the registration phase – this phase can be completed in a protected environment, just like the one required when users set up their new accounts and passwords on any password-based authentication system. Further, we assume that the attacker cannot observe an authentication procedure in real time, and hence does not have direct access to the biometric information entered by the user. In reality, such access is possible if the attacker eavesdrops the connection between authentication server and biometric sensor, or if the attacker has admin privileges and scans the memory during the authentication process. We should note that all of these assumptions are standard in biometric authentication, and any efforts to strengthen the authentication system for the event when any of these assumptions fail are compatible with, but outside the scope of, our work.

The threat model consists of an attacker who can recover the weights of the ANN-based authentication system, as well as all users’ biometric records. The attacker has access to this information only after the registration phase is complete, and has no further access to the authentication server, except potentially as a regular legitimate user of the system. Further, the attacker has ready access to technology that can produce exactly one biometric reading that is fully under the control of the attacker, and cannot be distinguished from a real biometric reading from a real person. The restriction to exactly one biometric reading is required to avoid the situation when the attacker brute-forces the biometric authentication system – the effort required by a biometric brute-force attack depends only on the entropy of the biometric, and has little to do with the authentication mechanism that is using it, and the security of which this paper aims to improve.

The attacker’s goal is to complete a successful login attempt as any one of the system’s legitimate users – of course, with the exception of the user that the attacker already owns or has compromised. The attacker wins if they can log in as a (different) legitimate user of the system, with probability significantly higher than a non-legitimate random person attempting to log in by properly providing biometric readings to the authentication system.

In order to log in as a (different) legitimate user of the system, the attacker would have to input the user name of a user of their choice (the attacker has a list of all user names from the authentication records), and to produce a biometric reading which, when passed through the authentication mechanism, yields the same output as the one in the authentication record associated to the chosen user name.

In the case of a standard ANN-based authentication mechanism, this is feasible, as the output corresponding to each user is merely a well defined set (usually a region of the output vector space) of scores – for instance, the authentication mechanism decides that the input belongs to user 1 if the first component of the output exceeds a certain threshold. The attacker can then choose an output vector in this set, and work backwards towards the input of the ANN classifier. The recovered input of the classifier (note that usually a continuum of such valid inputs exist) can then be chosen as the biometric reading. Recall that under our threat model above, the attacker can force the authentication mechanism to consume the biometric reading of their choice.

In the case of the NFE-enhanced classifier, the chosen user’s authentication record consists of a user name, a difference vector and a hash value. The difference vector contains no information about the pre-image of the hash value. Neither can such a pre-image be found from the hash value, as long as the hash function is pre-image resistant. Therefore, the attacker has no idea about what the output of the expander should be for the chosen user. The best the attacker can do is to choose randomly one of the codewords, and add to it the difference vector located in the chosen user’s authentication record, in the hope that the result is actually the center of the chosen user’s decision region. The attacker can then work back through the ANN+expander to produce a biometric reading corresponding to this result. Recall however that the codebook is designed such that the number of codewords is the same as the number of possible distinguishable user profiles. Therefore, choosing a codeword from the codebook at random is no better than choosing a person at random, and asking them to provide a biometric reading. Now the probability that the attacker can successfully log in as a different user is equal to the probability that a non-legitimate random person can log in as that user by providing their own biometric readings, plus the probability that the attacker can find a pre-image for the user’s hash value. Hence, within our threat model, and assuming a pre-image-resistant hash function, the attacker cannot win.

The purpose of the NFE is to cast the embeddings of different users’ biometric readings in quasi-spherical regions in a certain vector space. In the left portion of Figure 2 we show multiple such quasi-spherical clusters, such that each cluster (represented by markers with a specific shape and color) corresponds to the embeddings of the available biometric readings for a single user. In this figure, we decide to consider the support of the expander output as a sphere that includes all the available biometric data points. Taking the smallest such sphere may artificially reduce the perceived security of the biometric authentication system – because it will result in a smaller codebook – so, to be safe, consider a sphere of radius 10% larger than that of the smallest outer sphere.

The radius of the user-specific decoding region (the small sphere corresponding to the user of interest in Figure 2) is usually chosen to provide a certain false-positive-false-negative tradeoff. For simplicity of implementation, we choose the same radius (technically, the same error-correction code) for all users.

As an example, for the VGG-16 architecture retrofitted with the NFE, the FVC2006 database yields outer sphere of radius $1.0153$, and a small sphere of radius $0.7$ (this radius is chosen such that the distance-based decoder achieves 95.36% accuracy on the training data set), meaning that at most $(1.0153/0.7)^{128}\simeq 4.7\cdot 10^{20}$ small spheres can be packed inside the large 128-dimensional sphere. We could say that the maximum number of distinct individuals whose biometric reading embeddings in our new vector space fit within non-overlapping small spheres is thus about $4.7\cdot 10^{20}\simeq 2^{68.67}$, or that the entropy of the secret biometric information, as represented in this space, is about $68.67$ bits. In other words, the proposed methodology for the expansion of biometric data provides – as a byproduct – a way of evaluating the authentication potential of various types of biometric data. It would be possible in this framework to decide (at least approximately, based on the upper and lower bounds on the entropy of a user’s biometric data) whether fingerprint-based biometrics, for instance, are more or less secure than, say retina-scan-based biometrics. This evaluation is related to the average (across multiple possible AUs) accuracy of the associated classifier, but is not straightforward to derive from it, and would not be feasible in the absence of the expander.

We should note here that previous efforts to quantify the entropy of various types of biometrics take different approaches. For example, [49] produces empirical distributions of fingerprint data, and yields a measure of entropy per pixel for different fingerprint databases. Their FVC2002 and FVC2004 databases are comparable to our FVC2006 database. However, their entropy upper bounds – slightly above 0.25 bits per pixel – would yield entropies in the order of 50,000 bits for each image. Note that this is the entropy of the fingerpint image, not the entropy of the fingerprint-based biometric modality that we calculate. To approximate the latter, [49] uses the mutual information between fingerprint images, and ends up with a maximum number of distinct individual representations of $10^{28}$ – making our estimate of $4.7\cdot 10^{20}$ somewhat conservative. Other methods for evaluating biometric entropy are introduced in [50] and [51].

The VGG16 [52, 53] weights are pre-trained on ImageNet using Keras. To adapt this classifier to fingerprint-based user authentication, we removed the final softmax layer, rendering an output of size 4608. The size of the vector space (4608) is way too large to match to any efficient decoding mechanism. Therefore, to retrofit the NFE to this classifier, we constructed an expander, by adding three more fully connected layers of 512, 256 and 128 neurons respectively.

The ResNet50 [54] weights are pre-trained on ImageNet using Keras. After removing the final softmax layer, we were left with an output of size 2048 by average pooling the last layer. Then we constructed an expander by adding 4 fully connected layers of size 1024, 512, 256, and 128, respectively.

We used a modified MobileNet v1 model architecture [55] with weights pre-trained on ImageNet using Keras. After removing the final softmax layer, we were left with the output of 1024 by average pooling the last layer. Then we constructed an expander by adding 3 fully connected layers of size 512, 256 and 128, respectively.

In the case of standard identification methods, a set of images are fed into an ANN to get an output probability for each one of the different classes. For example, if we want to distinguish between a cat and a dog we want to collect a lot of images (possibly more than 500 images per class) to improve model accuracy. The drawback of this type of network in fingerprint identification is first, it is nearly impossible to get a lot of images and second, if we want to include a new user in our database, we need to retrain the model to identify the new user as well. It is for these reasons that we choose to train our classifier in a Siamese network configuration, as explained below.

It should be noted that for this specific application, our “expander” is in fact not expanding at all, but rather contracting the ANN’s output. This is to reduce the complexity of the decoding involved in the secure sketch. Nevertheless, the same exact principles apply in situations in which the expander actually expands the output size.

A siamese network (sometimes called a twin neural network) is an ANN which learns to differentiate between two inputs instead of classifying. It takes two input images, runs through the same network simultaneously, and generates two vector embeddings of the images which are run through a logistic loss to calculate a similarity score between the two images [56]. This is very useful as it does not require many data points to train the model. For training purposes, we only need to store one image belonging to the legitimate user as a reference image, and calculate the similarity for every new instance presented to the network.

For our implementation, we used a triplet loss function with the Siamese networks. The benefit of using a triplet loss function (explained in the next subsection) in conjunction with a Siamese network is twofold [57]:

1. 1.

   It extracts more features by learning to maximize the similarity between two similar images (Anchor-Positive) and the distance between two different images (Anchor-Negative) at the same time.

2. 2.

   It generates more training samples than logistic loss. If we have $P$ similar pairs and $N$ dissimilar pairs then for logistic loss we will have $P+N$ total training samples. Whereas, we will have $PN$ triplets for training. This will impove the model accuracy.

Our Siamese network architecture is depicted Figure 3. It is interesting to note that Siamese network training will naturally encourage the embeddings of the data points to cluster in spheres. This is a direct consequence of its loss function that causes embeddings from the same class to be close together, and embeddings from different classes to be well separated in terms of Euclidean distance. Nevertheless, under different circumstances, with more available training data, other expander architectures can be used, as long as their loss functions are adjusted to include similar distance-based penalties.

Triplet loss functions are widely used in various applications in computer vision, such as face recognition [58], person re-identification [59] and image retrieval [60]. Taking inspiration from that we used this for fingerprint verification. We will further explain how triplet loss functions work.

If we use a CNN to convert an image $x$ into a d-dimensional Euclidean space, then the embedding is represented by $f(x)\in\mathbb{R}^{d}$. Here $f$ is the function computed by the CNN. For training we used triplets of fingerprint images, as shown in Figure 4:

• •

  A is an ”anchor” image – a fingerprint image of a user.

• •

  P is a ”positive” image – a fingerprint image of the same user.

• •

  N is a ”negative” image – a fingerprint image of a different user.

We write triplets as $(A^{(i)},P^{(i)},N^{(i)})$ where i denotes the $i^{th}$ training example. We want to make sure that P is closer to A than N. Thus, we want

for all $\{f(A^{(i)}),f(P^{(i)}),f(N^{(i)})\}\in T$, where $T$ is the set of all possible triplets. Here, we want to make sure that the positive pair ($A^{(i)}-P^{(i)}$) has at least a margin difference of $\alpha$ over the negative pair ($A^{(i)}-N^{(i)}$). So the ”triplet cost” function for the CNN becomes

Generating all possible triplets for training will result in slower convergence, so it is important to select a combination of ”hard” and ”easy” batches for the improvement of the model.

There is no limit on the number of users in practice. Recall our (conservative, compared to [49]) estimate of a maximum of $4.7\cdot 10^{20}$ differentiable users. Clearly, if this many users were registered with the authentication server, then any input biometric would most likely correspond to at least one legitimate user. Fortunately, the world’s population is still far below this number, and an authentication attempt would not only have to provide the biometric reading, but also the associated user name, making a successful authentication attempt very unlikely.

To prepare the original neural-network-based classifier for the NFE retrofit, we recommend removing the final softmax layer, if such a layer exists. The size of the output after this trimming procedure should be large enough to prevent the loss of biometric input information due to excessive compression.

The appropriate codeword size $n$ depends on the efficiency of the decoding algorithm and on the acceptable computation overhead during user authentication. Based on the capabilities of consumer-grade hardware at the time of this writing, we recommend to choose $n$ in the range of $[100,500]$. See [62] for more detailed results on the computational overhead as a function of $n$, for an efficient LDLC decoder. Also, as noted above, setting $d=3$ should provide very acceptable performance in this range.

As mentioned above, controlling the FPR-FNR tradeoff of the LDLC code is done not by modifying the code (whose constellation is fixed), but by scaling the NFE’s output by a scalar factor $\gamma$. When implementing our NFE, we recommend trying multiple values of $\gamma$ to build an approximation of the ROC curve, and then choosing an operating point on this curve.

This database consists of 4 distinct subsets DB1, DB2, DB3 and DB4. Each database consists of 150 fingers and 12 impressions per finger. Each subset is further divided into ”set A” and ”set B” where ”set A” contains 140x12 images and ”set B” contains 10x12 images At the time of this writing we only used DB1, which has an image size of 96x96 but we expect similar results with the other databases. The images in the FVC2006 database were collected as part of the European Project BioSec, from anonymous volunteers, and was released publicly as part of the 2006 Fingerprint Verification Competition, organized by The Biometric System Laboratory (University of Bologna), the Pattern Recognition and Image Processing Laboratory (Michigan State University), the Biometric Test Center (San Jose State University) and the Biometrics Research Lab - ATVS (Universidad Autonoma de Madrid) [63]. At the time of this writing, we have no reason to doubt the ethical aspects of the data collection process.

This database contains 2016 fingerprint images from 336 different users, i.e., 6 impressions per user. The size of the image is 328x356 initially. To make it consistent with our initial dataset, we augmented the images using several data augmentation techniques like the addition of random noise and random rotation. In this way, we generated 6 additional impressions per user, bringing our dataset to 12 fingerprint images per 336 users and converted the size of these images to 224x224. The PolyU database was released in 2017 for public use by the The Hong Kong Polytechnic University. At the time of this writing, we have no reason to doubt the ethical aspects of the data collection process.

For either one of the databases, training data consisted of 10 impressions per finger (total of 140x10 images for the FVC2006 database, and a total of 336x10 images for the PolyU database). Out of these images, we generated the triplet pairs. In this paper, we used 50% ”hard” and 50% ”easy” triplet pairs.

For either of the two databases, testing data consisted of 2 impressions per finger.

Our first experiment is meant to provide a baseline for the evaluation of the expander-enhanced architectures. For this purpose, we trained the three classifier architectures (ResNet50, MobileNet and VGG16) separately. Since we used two datasets – FVC2006 with 140 users and PolyU with 336 users – our classification model’s top layer was a softmax layer with 140 nodes in the case of FVC2006 and 336 nodes in the case of the PolyU dataset, respectively.

The final layer of the classification model gives us the probabilities (or, more generally, some scores for the events) that the input image belongs to each possible user. We transform the model into a binary classifier by establishing a score threshold for each one of the users. Hence, to calculate the false positive rate for a single class, we took 20 different fingerprint images from other classes fed them through the network. If the score output value for the image is greater than the probability threshold for that particular class we are interested in, then that’s the condition of false positive.

Similarly, to calculate the FNR for a single class, we took 2 images for that class from the test set, augmented them using several data augmentation techniques like addition of random noise and rotation to generate another 20 images and fed them through the network. If the output probability value of the node of the class that we are concerned with is less than the probability threshold, then that’s the condition of false negative.

In the second experiment, we trained the three classifiers individually, using a Triplet-based Siamese-network configuration. No expander was used in this experiment, and thus the size of the final embeddings vary according to the architecture: ResNet50 uses an embedding of size 2048 (the size of the final layer before the softmax layer), MobileNet uses an embedding size of 1024, and VGG-16 uses a size of 4608. This experiment was designed to provide a fair baseline comparison for the expander-enhanced architectures, just in case that this Siamese-network configuration training proved overall superior to the standard training of experiment BC above – it turns out that its superiority is in fact classifier-dependent.

In the third experiment, we use the classifiers already-trained under the second (CSN) experiment, and retrofit them with expanders. Then, only the expanders are trained, using the classifier-plus-expander architectures in the standard Siamese-network configuration. This experiment emulates a scenario in which an existing neural network-based classification architecture is already trained and provides good performance by itself. In such a situation, training only the expander while keeping the original classifier’s weights fixed can provide significant computational savings.

In this last experiment, we first retrofitted all three classification architectures with an expander, and trained the classifier-plus-expander architectures from scratch, using the standard Siamese-network configuration. Our initial expectation was that such joint training of the classifier and expander would provide the best performance. In reality, the results show that this is in fact classifier-dependent.

For each of the CSN+ESN and (C+E)SN experiments, we execute, and report the results of, two types of error-correction decoding: (a) using simple fixed-distance-based decoding, and (b) using the LDLC decoder. The purpose of the distance-based decoder is solely to provide a baseline for evaluating the performance degradation due to the LDLC decoder (however, in reality, as our results will show, the LDLC decoder usually out-performs the distance-based decoder). The distance-based decoder is not a viable option in practice, as it would require that the center of the AU’s decision region is saved as part of the AU’s authentication record. This would defeat the purpose of the NFE.

For VGG-16 architecture, we trained all its layers for the both baseline and the Siamese-network-based configurations, to get the better generalization of the model.

For ResNet50 architecture, in the Siamese-network-based configuration, we froze the first 143 layers and trained the remaining 32 layers to perform the transfer learning. However, in the case of the baseline model, we trained the whole architecture without freezing any layers.

For the MobileNet architecture in the Siamese-network-based configuration, we trained just the last 23 layers. However, in the case of the baseline model, we trained all the layers of the architecture to get a better generalization of the model.

To evaluate the impact of the expander, we compared the performance of the three classifier architectures in the BC and CSN experiments, to the NFE-retrofitted architectures – experiments CSN+ESN and (C+E)SN – but performing distance-based decoding instead of LDLC-based decoding. For our two datasets, the results are given in Tables I and II.

We notice that for the FVC2006 database (Table I), with small exceptions, all three architectures exhibit comparable EER values under the CSN experiment, with the CSN+ESN distance and (C+E)SN distance experiments. However, it appears that the ResNet50 and MobileNet architectures in the BC experiment exhibit significantly lower EER values, albeit also smaller AUROC values, than in the other two experiments. This shows that some particular performance degradation around the EER point may be caused by the training configuration, i.e. training under the baseline configuration outperforms training under the Siamese-network-based configuration. However, considering the AUROC values, such performance degradation is localized around the EER point.

The opposite holds true for the VGG-16 architecture, where the BC experiment shows higher EER – and this time also lower AUROC – than all the other experiments.

The same difference in performance between the BC and CSN experiments is observed for the PolyU dataset (Table II), where again it appears that ResNet50 and MobileNet do significantly better in the BC experiment, while VGG-16 does significantly worse.

Interestingly, on both datasets, all architectures do much better in the CSN+ESN distance experiment than in the (C+E)SN distance experiment, suggesting that training of the expander alone, rather than joint training of the expander and original classifier, is the better choice.

To evaluate the impact of the error-correction-code on the NFE performance, we compare the results in the experiments CSN+ESN distance and (C+E)SN distance to the experiments CSN+ESN LDLC and (C+E)SN LDLC, respectively. We notice that for both datasets, and for each one of the classifiers, the EER and AUROC values appear very similar between the distance-based decoding and the LDLC-based decoding. If anything, the LDLC-based decoder seems to perform very slighly better. One notable exception is the case of the MobileNet architecture, on the FVC2006 dataset (Table I), where the LDLC decoder appears to help a lot, lowering ERR from 4.4% (for the case of CSN+ESN distance-based decoding) to 2.5%. Such improvements in performance due to LDLC decoding may be explained by the fact that the LDLC decoding regions are not perfectly spherical (even in 128 dimensions), and fill up the vector space better than perfectly spherical regions (which are implicit with distance-based decoding).

Connsidering the best performance among the BC and CSN experiments, and the best performance among the CSN+ESN LDLC and (C+E)SN LDLC experiments, we draw the conclusion that there appears to be no, or very slight, performance degradation due to the use of the NFE. This is an encouraging result, and should motivate the future evaluation of the application of NFEs to other architectures, and to other biometric authentication modalities.

We can also notice that overall, the PolyU Dataset performed better than the FVC2006 dataset in most scenarios. This might be because PolyU images are of bigger resolution and have less noise than FVC2006 images.

We evaluated the training times and the running times of the three different architectures, under each one of our four experiments and two datasets. All our models were trained on a GeForce RTX 2080 TI GPU with 4 cores, with the maximum memory size at 25GB. For studying the runtime performance, we ran our user authentication mechanisms on a more realistic work station – specifically, a personal laptop with Apple’s M1 silicon chip, and with 16GB of memory.

The execution times are listed in Tables III and IV for the FVC2006 and the PolyU datasets, respectively. For training, we list in parentheses the number of training epochs that were necessary for each one of the experiments to observe the convergence of the training process. We note that for the BC experiment, convergence is observed a lot sooner than for the other experiments (fewer than 80 epochs, compared to over 4000 epochs). This is most probably due to the Siamese-Network configuration, which is employed by all the other experiments.

We observe that under the BC experiment, both training and running times are significantly smaller than in all the other experiments. We also note that there are only small differences between the CSN+ESN and (C+E)SN experiments, and the CSN experiment, in both training and running times, and with all three classifier architectures. As expected, training and running for the CSN+ESN and (C+E)SN experiments in general takes slightly longer, but not by much.

We can therefore infer that the addition of the expander incurs minimal overhead. However, switching from a standard baseline architecture to a Siamese-network-based architecture does incur significant penalties – in the order of a few hours for training, and in the order of hundreds of milliseconds for runtime.

We should note here that the running times reported in Tables III and IV do not include the running times of the decoder for the CSN+ESN and (C+E)SN experiments. Our implementation of the LDLC decoder is based directly on the method proposed in [48], which is known to be rather inefficient. Many subsequent works have proposed much more efficient techniques for decoding LDLCs, see for example [65, 66, 67, 62]. For example, when considering decoding parameters similar to ours ($d=3$ and $n\in[100,1000]$), running on consumer-grade hardware, [62] reports running times of around $4.2ms$ per iteration for $n=100$ and $36ms$ per iteration for $n=1000$, leading to total decoding times of between $0.42s$ and $3.6s$ (corresponding to 100 iterations). These decoding times are well within the acceptable range for user authentication. Nevertheless, the integration of efficient LDLC decoders with NFEs is outside the scope of the current paper, and is the subject of future work.

A performance comparison with the plain fuzzy extractors of [1] is not fair – it has already been established that they suffer from low performance [4, 2]. However, in terms of security and cost comparisons, plain fuzzy extractors appear similar to our proposed NFEs. The security provided by NFEs relies on the secure sketch construction – a concept borrowed from the plain fuzzy extractors, and hence the security guarantees are identical. Since both types of extractors have to store only hash values and difference vectors for each of the registered users, the storage requirements are also similar – of course, NFEs have to also store the weights of the associated neural network. In terms of runtime performance, both NFEs and plain fuzzy extractors have to implement a complex decoding procedure, which accounts for the bulk of the user authentication computation in NFEs, and for almost the entire computation in the case of plain fuzzy extractors.