Plausibility of DNA sequence for encryption

A major problem with modern biometric authentication is the fact that it uses things like your fingerprint as a password. Unlike a real password, a fingerprint is not sufficiently secret. Biometric identities can be used for usernames, which merely need to be unique to you, but not passwords. There are a few issues with using DNA as a private key or any other secret value:

  • You leave exact copies of your DNA on everything you touch.
  • The human genome does not vary much, making brute force a risk.
  • People who you are related to have an even more similar genome.
  • DNA actually changes over time in an individual, so it is not static.
  • You cannot revoke your DNA and change it after compromise.

You leave your DNA everywhere

A good private key or password is something you know, something which you need to voluntarily reveal. "Private key" implies that the key must remain secret and its knowledge allows someone to identify as the original holder. Unlike a password-encrypted private key on your laptop, you leave your DNA around everywhere: in your breath, excretions, skin cells that fall off in the millions, oil, hair, saliva, tears, etc. This makes it pointless for a private key that, as the name implies, must remain secret.

From a recent case where DNA was used to incriminate an individual, three judges pointed out the risk to people's privacy when DNA left unintentionally can be used as evidence in a criminal trial. Regardless of the outcome of this review, the fact that we leave DNA is still there:

The Majority’s approval of such police procedure means, in essence, that a person desiring to keep her DNA profile private, must conduct her public affairs in a hermetically sealed hazmat suit. Moreover, the Majority opinion will likely have the consequence that many people will be reluctant to go to the police station to voluntarily provide information about crimes for fear that they, too, will be added to the CODIS database.... Majority's holding means that a person can no longer vote, participate in a jury, or obtain a driver's license, without opening up his genetic material for state collection and codification. Unlike DNA left in the park or a restaurant, these are all instances where the person has identified himself to the government authority.

It doesn't matter if the government decides whether or not this evidence is admissible. What matters is the fact that the evidence, in the form of DNA, is left over in the first place for anyone to take and analyze. Worse still, once your DNA is "compromised", it cannot be revoked!

The (lack of) genetic variation in Humans

Only a tiny fraction of DNA differs between each person. While DNA itself contains a lot of information, any prototypical human genome is going to be extremely close to your genome. If you use your genome for any sort of cryptographic purposes, the differences will be small enough that brute force becomes feasible. In other words, there's just too little difference between us. Not only that, but your family will have an even more similar genome. Even if random genetic variation were great enough to prevent exhaustive search, do you really want it to take nothing more than both your parents to give up their genome to make it possible to "calculate" your genome? Or your siblings?

A large amount of human genetic differences comes from what are called SNPs, or Single Nucleotide Polymorphisms. These are individual bases in DNA which are known to vary between people. Currently, there are only a few hundred million known polymorphisms. While a hundred million may seem huge, people who are ethnically related will have far fewer genetic differences. A good key will differ equally between users, regardless of whether or not they are related by family or race.

Jumping genes (transposable elements)

There's another problem. If you are analyzing DNA down to each individual base pair, you'll find that it actually changes over time! Small self-reproducing elements called transposons are sequences that copy themselves and re-insert themselves in different areas of our genome. They do this slowly and rather randomly. Over time, this means that even our individual cells won't have the same DNA as they had when we were born. Likewise, even identical twins won't have perfectly identical DNA as a result of this phenomenon. This is not a problem for most modern genetic sequencing, which only counts specific variations on specific genes (called alleles), but will be a problem for anything that requires exact accuracy down to the individual base pair. 40% of DNA is transposable!

DNA as a unique identifier

Now, what could your genome be used for? Identification and authentication. While it's very easy to discover your DNA sequence, it's quite impossible to copy it into another person's body. No matter how much I try, if a single cell of mine is extracted and its DNA analyzed, it will show the DNA I had at birth (ignoring jumping genes), not your DNA. This makes it possible to prove an individual is who they say they are, given sufficiently careful DNA examination. It's like an SSN, but much, much more difficult to use for identity theft. Knowledge of your DNA doesn't let you impersonate it.

DNA is not the only thing that can be used for identification. The pattern of veins in your hand is unique to you, and unlike fingerprints or DNA, is not left all over everything you come into contact with. You need to explicitly place your hand on a vascular scanning device, which is less intrusive than a retina scan. This is actually a technique that is used in Japan. While this is still more private than DNA, it is still better used as a username than as a password, since it can still be obtained surreptitiously.
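The point above about relatives can be put in numbers. This is an added example, not part of the original answer: it compares the guessing entropy of SNP genotypes for a stranger with the entropy left once both parents' genotypes are known. The allele frequencies and genotypes are constructed, and Hardy-Weinberg proportions and independent SNPs are assumptions.

```python
import math

def entropy(dist):
    """Shannon entropy, in bits, of a discrete probability distribution."""
    return -sum(p * math.log2(p) for p in dist if p > 0)

def population_entropy(maf):
    """Genotype entropy at one biallelic SNP for an unrelated person,
    assuming Hardy-Weinberg proportions for minor-allele frequency maf."""
    q = 1 - maf
    return entropy([q * q, 2 * maf * q, maf * maf])

def child_entropy(mother, father):
    """Genotype entropy at the same SNP once both parents' genotypes are
    known. Genotypes are minor-allele counts: 0, 1 or 2."""
    pm, pf = mother / 2, father / 2   # chance each parent passes the minor allele
    return entropy([(1 - pm) * (1 - pf),
                    pm * (1 - pf) + (1 - pm) * pf,
                    pm * pf])

# Constructed sample, not real genotype data: (maf, mother, father) per SNP.
SAMPLE_SNPS = [(0.5, 1, 1), (0.1, 0, 0), (0.3, 0, 1),
               (0.2, 2, 0), (0.05, 0, 0), (0.4, 1, 2)]

def total_bits(snps):
    """Return (bits for a stranger, bits given both parents), treating SNPs
    as independent. Linkage between nearby SNPs lowers both further."""
    prior = sum(population_entropy(maf) for maf, _, _ in snps)
    given = sum(child_entropy(m, f) for _, m, f in snps)
    return prior, given

if __name__ == "__main__":
    prior, given = total_bits(SAMPLE_SNPS)
    print(f"unrelated guesser: {prior:.2f} bits, with parents: {given:.2f} bits")
```

A site contributes at most 1.5 bits once the parents are known, and nothing at all wherever both parents are homozygous.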


To underscore Forest's excellent points, here are the good elements of a private key:

  1. It must be private.
  2. It must be portable (i.e., you have it when you need it).
  3. You must be able to change it.
  4. You must not reuse it.

Forest addressed 1 and 2: you leave traces of DNA everywhere, and your DNA may change, causing your body to "forget" your key. I'll note that now your "circle of trust" includes your doctor, everyone who works in their office, their medical databases, and any labs they work with. If you donate blood, everyone who handles it. Those are all covered under various medical privacy laws, but it still increases your attack surface. But what about your plumber obtaining your DNA from a hair clog?

3 and 4 are all about what happens when your private key is inevitably compromised. Mike Scott pointed this out in the comments.

When someone posts your password online, you can just change it. When someone posts your DNA online you're hosed for life.

Unique passwords act as a firewall: a security breach in one service doesn't affect others. But if you use the same password on multiple sites, now your security is only as good as the weakest site. DNA is a single password you potentially use for everything.

This leads to a nightmare scenario where your private key, your DNA, is a shared password which cannot be changed. It's only as secure as the weakest service. Once there is a breach, all your accounts are compromised for life.


To offer a dimension that the other answer doesn't explore: Biocomputing. Biocomputing is the use of protein chemistry to store and process data. Logic gates and counters can be represented by the states of a protein.

First, to answer your question directly, you can't use genomic data from DNA for encryption because DNA isn't secret. Anyone can take a sample, store it and clone it. In addition, DNA is not exact. There is a tiny degree of genetic variation in samples of DNA collected from the same person because of transcription errors. While this is small enough to reliably identify an individual organism to a high degree of probability, it precludes the use of DNA sequences as encryption keys. This is because encryption depends upon the exact reproduction of a key. Failure to meet this condition results in different cypherdata being produced.

With that said, you could store an encryption key in a nanoprotein specifically engineered for storing exact data. It will have to be much more chemically inert than DNA which can be easily denatured. No such proteins have been produced. As of 2016, the most advanced biocomputers are finite-state machines.
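The exact-reproduction requirement described in this answer, and the jumping-gene drift described in the first answer, shown as an added example that is not part of the original posts. The sequence is constructed, `derive_key` is a hypothetical hash-the-sequence scheme, and an HMAC tag stands in for ciphertext because the Python standard library has no cipher.

```python
import hashlib
import hmac
import random

BASES = "ACGT"

def derive_key(sequence):
    """Hash a base sequence into a 256-bit key (hypothetical scheme)."""
    return hashlib.sha256(sequence.encode("ascii")).digest()

def bit_distance(a, b):
    """Number of differing bits between two equal-length byte strings."""
    return sum(bin(x ^ y).count("1") for x, y in zip(a, b))

def substitute(sequence, pos):
    """One read or copy error: replace the base at pos with a different base."""
    new = BASES[(BASES.index(sequence[pos]) + 1) % 4]
    return sequence[:pos] + new + sequence[pos + 1:]

def transpose(sequence, start, length, dest):
    """Copy a segment and re-insert it elsewhere, as a transposon does."""
    return sequence[:dest] + sequence[start:start + length] + sequence[dest:]

def make_tag(key, message):
    return hmac.new(key, message, hashlib.sha256).digest()

def verify(key, message, tag):
    return hmac.compare_digest(make_tag(key, message), tag)

# Constructed 2000-base sequence, not real genomic data.
ENROLLED = "".join(random.Random(0).choice(BASES) for _ in range(2000))
MESSAGE = b"constructed sample message"
TAG = make_tag(derive_key(ENROLLED), MESSAGE)

def compare(resampled):
    """Return (changed key bits, whether the enrolled tag still verifies)."""
    key = derive_key(resampled)
    return bit_distance(derive_key(ENROLLED), key), verify(key, MESSAGE, TAG)

if __name__ == "__main__":
    print("identical sample:  ", compare(ENROLLED))
    print("one substitution:  ", compare(substitute(ENROLLED, 1000)))
    print("30-base transposon:", compare(transpose(ENROLLED, 100, 30, 1500)))
```

A single changed base out of 2000 flips roughly half of the 256 key bits, so a key derived this way is either reproduced exactly or is useless.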