Commitment-based device-pairing protocol with synchronized drawings and comparison metrics

This article presents a new method for pairing devices securely. The commitment-based authentication uses a fuzzy secret that the devices only know approximately. Its novel feature is time-based opening of commitments in a single round. We also introduce a new source for the fuzzy secret: synchronized drawing with two fingers of the same hand on two touch screens or surfaces. The drawings are encoded as strings and compared with an edit-distance metric. A prototype implementation of this surprisingly simple and natural pairing mechanism shows that it accurately differentiates between true positives and man-in-the-middle attackers.