Biometric-Assisted Reseeding: Privacy-Preserving Fuzzy Extractors for Anchor Rotation

Mechanism

The reseeding mechanism rests on three structural components: the fuzzy extractor, the rotation schedule, and the continuity bridge. The fuzzy extractor consumes a noisy biometric capture and produces a stable bit string of bounded length together with helper data. The rotation schedule determines when a new capture is taken and the prior seed retired. The continuity bridge binds the prior seed to the new seed through a hash-chain step so that the participant's identity persists across the rotation while the underlying material does not.

The fuzzy extractor uses a secure-sketch construction. The sketch is computed from the capture and stored as helper data; it reveals enough information to correct future captures of the same biometric within a tolerance but does not reveal the biometric itself. The extractor produces a near-uniform bit string by hashing the corrected capture together with a domain-separation tag. The output is the seed; the helper data is stored locally to the participant and is never centralized.

Rotation is initiated when one of three conditions holds: the elapsed time since the prior reseed exceeds a scope-defined interval, the cumulative number of operations performed under the current seed exceeds a scope-defined budget, or an external policy signal demands rotation. On rotation, a fresh capture is acquired, the fuzzy extractor produces a new seed, and the continuity bridge emits a transition record.

The continuity bridge is the structural element that distinguishes this system from naive reseeding. The bridge computes B = H(s_prior, s_new, t, ctx), where s_prior is the seed being retired, s_new is the seed taking effect, t is the rotation timestamp, and ctx is the scope context. The bridge value B is appended to the participant's hash chain, and s_prior is then erased. Verifiers who hold any prior chain state can extend their verification across the rotation by consuming B; verifiers who join after the rotation can verify forward from any committed bridge.

Rotation breaks long-term tracking because the seed under which the participant operates after rotation is statistically independent of the seed before rotation. An adversary who has correlated activity under the prior seed cannot extend that correlation across the bridge without capturing the bridge value, and the bridge value is itself a hash output that conveys no information about either seed. Continuity is preserved because the bridge itself is a verifiable cryptographic link between the seeds, allowing the participant's history to be traversed by any party with appropriate scope access.

Raw biometric data is never stored at any point in the protocol. The capture exists in volatile memory long enough for the fuzzy extractor to compute the sketch and the seed, after which the capture is erased. The sketch and the seed are stored, but the sketch alone does not permit reconstruction of the biometric, and the seed is itself rotated on schedule. The system therefore avoids the structural liability that conventional biometric systems incur by maintaining template stores.

Operating Parameters

The rotation interval is the primary scheduling parameter. Typical values range from minutes for high-security scopes to days or weeks for routine scopes. The interval is selected by scope policy and carried in the participant's profile. Verifiers reject any chain that fails to rotate within the declared interval, treating prolonged use of a single seed as a continuity violation.

The operation budget is a complementary parameter. It bounds the number of distinct operations that may be performed under a single seed before rotation is required. Budgets are scope-specific and typically range from a few thousand operations for low-friction scopes to a few dozen for high-stakes financial scopes. When either the time interval or the operation budget is exhausted, rotation is mandatory.

The seed length is a cryptographic parameter selected to match the hash function in use. Seeds of 256 bits are appropriate for SHA-384 chains, and seeds of 384 bits or larger are appropriate for SHA-512 or SHA3-512 chains. The fuzzy extractor's output length is configured to match the seed length.

The minimum entropy of the corrected capture is bounded below by a per-modality floor. Fingerprint and iris modalities typically clear 80 to 120 bits after correction. Behavioral modalities such as keystroke dynamics or gait may produce 40 to 80 bits and are therefore composed with secondary signals to reach the seed-length entropy target.

The helper data size is bounded by the secure-sketch construction in use. Code-offset sketches over BCH or Reed-Solomon codes produce helper data on the order of a few hundred to a few thousand bytes per capture. The helper data is stored locally and need not propagate to verifiers; verifiers consume only the bridge value and the chain state.

The bridge record is a constant-size structure containing the bridge hash, the rotation timestamp, the scope identifier, and the chain step counter. It is signed implicitly through its position in the hash chain and explicitly through the participant's per-step continuity proof. The record is permanent and cannot be elided without breaking the chain.

Alternative Embodiments

A first embodiment uses a single biometric modality with code-offset secure-sketch correction. This embodiment is appropriate for deployments where a single high-entropy capture device is available, such as iris scanners in controlled environments.

A second embodiment composes multiple modalities through XOR of their independently extracted seeds. The composite seed inherits the entropy of the highest-entropy contributor, plus statistical contributions from the lower-entropy modalities. This embodiment is appropriate for mobile devices that combine fingerprint, behavioral, and contextual signals.

A third embodiment reseeds without retiring the prior seed immediately. The prior seed remains valid for a brief overlap window during which both seeds can authenticate, supporting graceful rotation across distributed verifiers that may not synchronize on the rotation instant. The overlap window is bounded by policy and never exceeds a small multiple of the verifier consensus latency.

A fourth embodiment extends the fuzzy extractor with a hardware root-of-trust that signs the helper data. The signature does not protect the seed itself but binds the helper data to a specific physical device, preventing relay of helper data from a captured device to an attacker's device.

A fifth embodiment uses a continuous-capture modality, such as ongoing physiological monitoring, in which the rotation is performed automatically at every capture window. This embodiment is appropriate for medical, athletic, or operator-monitoring deployments where the participant is in continuous contact with the capture apparatus.

A sixth embodiment performs rotation on event triggers in addition to time and operation triggers. Event triggers include device handoff, scope crossing, and detected anomaly in the trust-slope signal. Each trigger is logged in the bridge record's context field, providing an audit trail of why rotation occurred.

A seventh embodiment integrates with a stateless hash-based signature scheme such that the bridge record includes a SPHINCS+ signature over the seeds. The signature is optional and provides non-interactive third-party verifiability of the rotation event without revealing either seed.

Composition

Biometric-assisted reseeding composes with the dynamic hash chain by occupying one chain step per rotation. The bridge record is the chain output for the rotation step, and subsequent steps proceed under the new seed. Verifiers consume the bridge transparently as part of their normal chain verification; no special protocol path is required for rotation steps.

The mechanism composes with the trust-slope validator by feeding the new seed's entropy estimate into the slope computation. The validator can therefore detect rotations in which the new seed's entropy falls below threshold and refuse to advance the chain until a higher-entropy capture is provided. This integration prevents an adversary from forcing rotation onto a low-entropy capture path.

The mechanism composes with the append-only lineage by recording each bridge as a lineage entry. The lineage thus contains a history of all rotations, retrievable by authorized auditors. Because the lineage entries record only bridge hashes and metadata, the lineage does not leak biometric or seed material.

The mechanism composes with the post-quantum posture of the system because the bridge is a hash output and the seed mixing is performed through hash construction. No public-key primitive is introduced by the rotation, and the security of the bridge inherits the post-quantum properties of the underlying hash function.

The mechanism composes with scope-bound delegation by allowing each scope to declare its own rotation policy. A participant operating across multiple scopes may experience scope-specific rotation cadences, with the chain serializing the rotations into a single ordered sequence even when they are scoped differently.

Prior-Art Distinction

Conventional biometric authentication stores templates centrally and matches incoming captures against the store. The disclosed system stores no template and performs no centralized match. Prior biometric systems are therefore not anticipatory of the structural choice to consume captures into hash-chain seeds and discard them.

Prior fuzzy-extractor literature describes the construction in isolation, primarily for one-shot key derivation from a noisy biometric. The disclosed system extends fuzzy extraction into a rotation regime with continuity bridges and integrates the extractor into a long-running hash-chain identity. The combination is structurally distinct from any single-shot key-derivation use of fuzzy extractors.

Key-rotation protocols in TLS, signal protocol, and similar transport-layer systems rotate symmetric keys derived from a long-lived asymmetric handshake. The disclosed system has no long-lived asymmetric handshake; rotation is rooted in fresh biological capture rather than in a previously negotiated secret. The rotation property is therefore not derived from any prior key-rotation protocol.

Privacy-enhancing technologies such as anonymous credentials and zero-knowledge attestations provide unlinkability across uses but typically do so by issuing many one-time credentials from a long-lived master. The disclosed system achieves unlinkability across rotation boundaries through the bridge structure rather than through credential issuance, and it does not require a master credential or a credential issuer.

Continuous authentication systems in the literature monitor behavioral signals and adjust trust scores. They do not generally reseed cryptographic material from those signals, nor do they bridge old and new seeds through a hash-chain commitment. The disclosed system's combination of continuous monitoring, fuzzy-extractor reseeding, and hash-chain bridging is distinct.

Disclosure Scope

This disclosure covers the periodic reseeding of a biological-identity thread in a keyless identity system through a privacy-preserving fuzzy extractor whose output is bound to the participant's hash chain through a continuity bridge. The scope includes any biometric or behavioral modality satisfying the entropy floor, any secure-sketch construction whose helper data does not reveal the underlying biometric, and any rotation schedule based on time, operation count, or event trigger.

The scope further includes single-modality and composed-modality embodiments, overlapping and non-overlapping rotation windows, hardware-rooted and software-only fuzzy extractors, continuous-capture and event-driven capture regimes, and integration with hash-based signature schemes for non-interactive rotation attestations. The scope includes the composition of the foregoing with hash chain, trust-slope validation, append-only lineage, and scope-bound delegation.

The scope excludes systems that store raw biometric data, systems whose continuity persists by retaining a long-lived seed, and systems whose unlinkability across rotations depends on credential issuance from a long-lived master rather than on a hash-chain bridge between fresh seeds. The scope excludes any embodiment in which the bridge between old and new seeds is constructed from a public-key primitive, because such an embodiment would import hardness assumptions that the disclosed system structurally avoids.

The disclosure is structural rather than algorithmic: the protected matter is the architectural decision to make biometric capture an ephemeral source of seed material, to bridge successive seeds through a hash-chain commitment that preserves continuity while breaking linkability, and to maintain no template and no long-lived secret at any point in the protocol. Implementations that adopt this architecture inherit the rotation, continuity, and privacy properties; implementations that retain template storage or long-lived seeds do not, regardless of any rotation features layered atop them.