JP2013123142A - Biometric signature system - Google Patents

Abstract

PROBLEM TO BE SOLVED: To implement a system capable of generating a signature for an arbitrary message (electronic document) by using biometric information itself as a secret key without requiring secret data such as secret key data in a conventional electronic signature scheme or a template in a conventional biometric authentication scheme or requiring data other than the biometric information.SOLUTION: A biometric signature system embeds, at registration, a predetermined secret key in a feature amount of biometric information on a user, and issues a biometric certificate composed of a set of the feature amount and a corresponding public key. At signature, the biometric signature system newly generates a pair of a temporary secret key and a temporary public key for a signature feature amount of the biometric information on the user, creates a signature for a message by using the temporary secret key, creates a commitment by embedding the temporary secret key in the signature feature amount, takes a set of the temporary public key, the signature, and the commitment as a biometric signature. At verification of the biometric signature, the biometric signature system verifies the signature using the temporary public key, generates a difference secret key and a difference public key from the biometric certificate, the commitment, and the temporary public key, and verifies their correspondence.

Description

  The present invention relates to a so-called electronic signature. In particular, the present invention relates to a system for generating and verifying an electronic signature using personal biometric information as a secret key.

  Electronic signatures are widely used for the purpose of preventing forgery and falsification of electronic documents and for personal authentication. Conventionally, a digital key has a private key / public key pair generated in advance and stored. In particular, the secret key can be used only by the signer, and is generally stored in an IC card or the like and managed by the signer so that it is secret from others. The signer can generate a signature for any electronic document using the private key, and the verifier can use the public key to verify that the signature / electronic document pair is correct (not forged or falsified). Can be verified. Examples of such digital signature algorithms include RSA, DSA, and Schnorr signatures, and a PKI (Public Key Infrastructure) is constructed using the algorithms.

  On the other hand, biometric authentication, which performs personal authentication based on biometric information, has the advantages of not losing, forgetting, and being stolen compared to authentication based on cards and passwords, and has high convenience and impersonation resistance. Can be realized. A general biometric authentication system extracts a feature amount (template) from a user's biometric information in advance and stores it. At the time of authentication, the feature amount is extracted again from the user's biometric information, and if it is determined to be coincident (similar enough) compared with the template, the authentication is successful. However, biometric information such as fingerprints and veins cannot be replaced. For this reason, once a template is leaked, lifelong safety cannot be restored.

  For example, Non-Patent Document 1 discloses a technique (biometric key generation technique) that generates a secret key from biometric information while protecting the biometric information. These techniques embed a secret key K into the biometric information X in an inseparable manner during registration to create auxiliary information H = F (X, K). At the time of key restoration, the biometric information X ′ is acquired again, and the secret key K ′ = G (X ′, H) is restored using the auxiliary information H. If X ′ is sufficiently close to X, the embedding function F and the restoration function G are configured using an error correction code technique or the like so that K ′ = K.

"Fuzzy Extractors: How to Generate Strong Keys from Biometrics and Other Noisy Data", Y. Dodis et.al., EUROCRYPTO2004 (2004)

As mentioned above, the signer who generates the electronic signature owns the property such as an IC card and keeps the private key secure, and activates the private key at the time of signing so that it cannot be used by others. You will need to enter a password and PIN. For this reason, there are problems such as low convenience and high introduction and operation costs.
Therefore, from the viewpoint of user convenience, it is possible to generate and verify signatures only by presenting biometric information such as fingerprints and veins, without having to store personal information such as IC cards and secret information such as passwords and passwords. Realization of a system that can do this is desired. On the other hand, for example, a system that simply combines a general biometric authentication system and an electronic signature system is conceivable. Specifically, the feature quantity (template) of the user's biometric information and the secret key are registered in the system in advance, and the signer's biometric information is checked against the template at the time of signing. Create a signature for your electronic document. These pieces of information need to be stored in the system or some device. However, once the template and / or private key is leaked, there is a risk that the biometric information is forged or the signature is forged. In particular, since biometric information such as fingerprints and veins cannot be replaced, once a template is leaked and there is a risk of forgery, it is impossible to restore lifelong safety.

  Therefore, a method for constructing an electronic signature system using a biometric key generation technique can be considered. Specifically, a secret key / public key pair for electronic signature is generated at the time of registration, and auxiliary information is created by embedding the secret key in the biometric information of the user. At the time of signature generation, a secret key is restored using the user's biometric information and auxiliary information, and an electronic signature is generated using this. The verifier verifies the electronic signature using the public key. However, this method always requires auxiliary information when signing. For this reason, a storage location for auxiliary information and means for the signature creation terminal to access the auxiliary information are required. When auxiliary information is stored in an IC card or the like, it is necessary for the user to possess his / her belongings for signature, which reduces convenience. On the other hand, if it is stored in the local terminal, the signature can be generated only from the terminal, and the application is limited. Also, when storing in the server, the signature can be created only from a terminal connected to the network, and communication with the server occurs every time the signature is created, so there is a problem that it takes time to create the signature.

  The object of the present invention does not require the existence of secret data to be stored on a system (or an apparatus such as an IC card) such as secret key data in a conventional digital signature scheme or a template in a conventional biometric authentication scheme, and A system capable of generating a signature for an arbitrary message (electronic document) using the biometric information itself as a secret key without requiring data other than biometric information (such as auxiliary information in the biometric key generation scheme) This is called "biological signature system".

  In order to solve the above problems, the present invention uses biometric information as a secret key. For this purpose, in the present invention, a secret key is embedded in the feature quantity of the biometric information, and a certificate is issued as a pair with a public key corresponding to the secret key. In addition, when using these, a new temporary private key / temporary public key pair is generated for the feature quantity in which the secret key is embedded, that is, the signature feature quantity, and the message is sent using the temporary secret key. Create a signature for. Also, a commitment is created by embedding a temporary secret key in the signature feature quantity, and a combination of the temporary public key, signature, and commitment is used as a biometric signature, and at the time of biometric signature verification, the signature is verified with the temporary public key. At this time, a differential secret key and a differential public key are generated from the biometric signature, commitment, and temporary public key, and the correspondence is verified.

The following modes for realizing this processing are also included in the present invention.
A registration terminal that creates a biometric certificate based on the registration feature quantity of the biometric information of the registered user, and a signature generation terminal that generates a signature for a predetermined message based on the signature feature quantity of the biometric information of the signature generation user A biometric signature system including a signature verification device that verifies the signature based on the biometric certificate,
The registered terminal
A sensor for acquiring user biometric information;
A feature quantity extraction unit that extracts the registration feature quantity from the biological information;
A biometric public key creation unit that creates a pair of a secret key and a public key based on a predetermined electronic signature algorithm, and creates registration commitment information from the secret key and the registration feature amount;
A biometric certificate creating unit for creating the biometric certificate including the registration commitment information and the public key;
The signature generation terminal
A message input unit for inputting the message;
A sensor for acquiring user biometric information;
A feature quantity extraction unit for extracting the signature feature quantity from the biometric information;
Generating a pair of a temporary private key and a temporary public key based on a predetermined electronic signature algorithm; generating an electronic signature based on the predetermined electronic signature algorithm for the message using the temporary private key; and A biometric signature generating unit that generates signature commitment information from a key and the signature feature, and generates a biometric signature including the temporary public key, the electronic signature, and the signature commitment;
The signature verification terminal
An input unit for inputting the message and the biometric signature;
Whether or not the electronic signature included in the biometric signature is a correct signature for the message is verified using the temporary public key included in the biometric signature and the predetermined electronic signature algorithm, and the registration signature A biometric signature verification unit that verifies the validity of a set of commitment information and the signature commitment information using the public key and the temporary public key;
It is a biometric signature system having a verification result output unit that makes a final determination result successful when the verification is successful. In addition, about the final determination result, the aspect made into "success" when each of the said verification is successful is also contained in this invention.

  The present invention includes a biometric signature method using the above biometric signature system, each device constituting the biometric signature system, and sub-combinations thereof.

  According to the present invention, the user can eliminate (or reduce) the necessity of storing personal belongings and confidential information, and can use any terminal to sign an electronic signature for an arbitrary electronic document using only his / her own biological information. It is possible to create a highly convenient electronic signature system (biometric signature system). In addition, it is not necessary to store secret information such as secret keys and templates, and a digital signature system that is safe and low in operating costs can be constructed. Furthermore, there is no need to register (or reduce) user-dependent information in advance on the terminal, and it is not necessary to be connected to the network at the time of signature generation. It can be used.

It is a block diagram which shows the function structure of one Example of this invention. It is a flowchart which shows the registration process in one Example of this invention. It is a flowchart which shows the signature production | generation process in one Example of this invention. It is a flowchart which shows the signature verification process in one Example of this invention. It is a block diagram which shows the hardware constitutions of the authentication apparatus in one Example of this invention.

Hereinafter, a first embodiment of the present invention will be described with reference to the drawings.
In this embodiment, data for verifying a signature (hereinafter referred to as “biometric certificate”) based on the user's biometric information at the time of registration is created and registered in a public DB (repository). A biometric signature system in which a signature based on only the user's biometric information (hereinafter referred to as “biometric signature”) is generated for the message and the signature verification apparatus verifies the biometric signature using the biometric certificate will be described as an example. The system of the present embodiment can be used for electronic application in e-government, user authentication via a network, and the like.

FIG. 1 shows a system configuration of a biometric signature system in the present embodiment.
This system includes a registration terminal 100 that issues a user's biometric certificate, a repository server 120 that manages and publishes the biometric certificate, and a signature that generates a biometric signature for a message (electronic document) using the user's biometric information. A generation terminal 110, a signature verification device 130 for verifying a biometric signature, and a network 140 are configured.

  The registration terminal 100 includes a sensor 101 that acquires biometric information for registration such as a fingerprint and a vein from a user, a feature amount extraction unit 102 that extracts a registration feature amount from the biometric information for registration, and an ID that receives an input of a user ID. An input unit 103, a biometric public key creation unit 104 that creates a biometric public key from the registration feature, and a biometric certificate by giving a digital signature of the registration terminal itself to the user ID and the biometric public key A biometric certificate creation unit 105 is created. Note that the biometric public key generation unit 104 and the biometric certificate creation unit 105 may be mounted on other devices.

The repository server 120 includes a public DB 121 for registering the biometric certificate, a DB control unit 122, and a communication unit 123.
The signature generation terminal 110 includes a message input unit 111 that inputs a message that is a signature generation target, an ID input unit 116 that inputs a user ID, a sensor 112 that acquires biometric information for a signature from the user, and the signature A feature amount extraction unit 113 that extracts a signature feature amount from biometric information, a biometric signature generation unit 114 that generates a biometric signature for the message using the signature feature amount, and a biometric signature output unit that outputs the biometric signature 115. Note that the ID input unit 116 and the sensor 112 may be realized by separate devices, or other units may be mounted on separate devices.

  The signature verification apparatus 130 includes a message input unit 131 with a biometric signature that inputs a set of the message and the biometric signature, a biometric certificate acquisition unit 132 that acquires the biometric certificate corresponding to the user ID from the repository server 120, From the biometric certificate verification unit 133 that verifies the integrity of the biometric certificate, the biometric signature verification unit 134 that verifies the biometric signature using the biometric certificate, and the verification result output unit 135 that outputs the verification result Composed.

  The registration terminal 110, the repository server 120, and the signature verification apparatus 130 are connected via the network 140, but the signature generation terminal 110 is not necessarily connected to the network.

  The signature verification apparatus 130 may have a DB and store the biometric certificate. In this case, the signature verification apparatus 130 does not need to acquire the biometric certificate from the repository server, and does not necessarily need to be connected to the network at the time of signature verification.

  FIG. 5 shows a hardware configuration of the registration terminal 100, signature generation terminal 110, repository server 120, and signature verification apparatus 130 in the present embodiment. These can be constituted by a CPU 500, a RAM 501, an HDD 502, an input device 503, an output device 504, and a communication device 505 as shown in the figure.

Next, the registration processing flow in the present embodiment will be described with reference to FIG.
The registration terminal 100 acquires biometric information for registration (such as a fingerprint image and a vein image) of the registered user through the sensor unit 101 (S200).
The feature quantity extraction unit 102 extracts the registration feature quantity X from the biometric information for registration (S201).

  The ID input unit 103 receives an input of a registered user ID (S202). This may be input by a registered user, or may be generated by the registration terminal 100 based on an input time or the like.

The biometric public key creation unit 104 randomly generates a pair of a secret key KSe and a public key KPe in a predetermined electronic signature algorithm (for example, a Schnorr signature) (S203).
The biometric public key creation unit 104 embeds the secret key KSe in the registration feature amount X using a predetermined embedding function Emb and creates a registration commitment Ce = Emb (X, KSe) (S204). At this time, the registration feature amount X and / or the secret key KSe is embedded from the registration commitment Ce so as to be sufficiently difficult to estimate. A specific example of the embedding function Emb will be described later. A set of (KPe, Ce) is called a biometric public key.

The biometric certificate creation unit 105 generates an electronic signature S for the set of the user ID and the biometric public key (KPe, Ce) by using a secret key held by the registration terminal 100, and stores these data. The set T = (ID, KPe, Ce, S) is issued as a biometric certificate and transmitted to the repository server 120 (S205). Here, the second electronic signature algorithm for generating the electronic signature S may be different from the predetermined electronic signature algorithm, and a general electronic signature such as RSA, DSA, or Schnorr signature may be used.
The repository server 120 registers the biometric certificate T in the public DB 121 (S206).

  As described above, since it is difficult to estimate the feature amount X and the secret key KSe from the biometric public key, the risk of forgery of biometric information and signatures is sufficiently low even if the biometric certificate T is disclosed, ensuring safety. can do. Also, by disclosing the biometric certificate T, it becomes possible for an arbitrary signature verification device to verify an arbitrary biometric signature. According to the present embodiment, since secret information such as a secret key and a template is not stored anywhere, it is possible to construct an electronic signature system with high security and low operation management cost.

Next, a signature generation flow in this embodiment will be described with reference to FIG.
The signature generation terminal 110 receives an input of an arbitrary message M via the message input unit 111 (S300).

  The ID input unit 116 receives an input of a user ID (S301). Note that this step may be omitted, and a symbol such as NULL may be used as the user ID in the following steps. By doing so, the user does not need to input an ID at the time of signing, and further convenience improvement is expected.

The sensor unit 112 acquires the user's signature biometric information (S302).
The feature amount extraction unit 113 extracts the signature feature amount X ′ from the signature biometric information (S303).

The biometric signature generation unit 114 randomly generates a private key / public key pair in the predetermined electronic signature algorithm (S304). Hereinafter, the respective keys are referred to as a temporary secret key KSs and a temporary public key KPs.
The biometric signature generation unit 114 embeds the temporary secret key KSs in the signature feature quantity X ′ using the embedding function Emb, and creates a signature commitment Cs = Emb (X ′, KSs) (S305).
The biometric signature generation unit 114 generates an electronic signature σ ′ for the message M using the temporary public key KPs and the predetermined electronic signature algorithm (S306).

Further, the biometric signature generation unit 115 outputs the set σ = (ID, KPs, Cs, σ ′) of the user ID, the temporary public key KPs, the signature commitment Cs, and the electronic signature σ ′ as a biometric signature. (S307).
Due to the nature of the above-described embedding function Emb, it is difficult to estimate the signature feature quantity X ′ and the temporary secret key KSs from the signature commitment Cs, so that the biometric information or another biometric signature is forged from the biometric signature. Risk is low enough to ensure safety. Further, when generating a biometric signature, information (for example, auxiliary information) depending on the user is not used at all other than the message M to be signed, the user ID, and the biometric information serving as a secret key. Therefore, it is not necessary to store any user-dependent information in advance in the signature generation terminal, and it is not necessary to inquire the server or the like to acquire the user-dependent information. Therefore, the user can generate a signature using an arbitrary signature generation terminal, and the signature generation terminal does not necessarily need to be connected to the network and can be used as a stand-alone.

Next, the signature generation flow in this embodiment will be described with reference to FIG.
The signature verification apparatus 130 accepts input of the message M and the biometric signature σ = (ID, KPs, Cs, σ ′) (S400).

  The biometric signature acquisition unit 132 transmits the ID included in the biometric signature σ to the repository server 120, and acquires the biometric certificate T = (ID, KPe, Ce, S) corresponding to the ID (S401). .

  The biometric certificate verification unit 133 verifies that the biometric certificate T has not been tampered with using the electronic signature S included in the biometric certificate T and the public key of the registration terminal 100. If the verification fails, the final verification result is “failed” and the process jumps to step S406 (S402). For this verification, the second electronic signature algorithm is used.

  The biometric signature verification unit 134 verifies the electronic signature σ ′ included in the biometric signature σ using the temporary public key KPs included in the biometric signature σ. If the verification fails, the final verification result is “failed” and the process jumps to step S406 (S402).

  The biometric signature verification unit 134 uses a predetermined function Ext from the registration commitment Ce included in the biometric certificate T and the signature commitment Cs included in the biometric signature σ to obtain a differential secret key KSd = Ext (Cs, Ce) is calculated (step S403). At this time, if the registration feature quantity X and the signature feature quantity X ′ are sufficiently close (similar), the difference secret key KSd is “difference” between the secret key KSe and the temporary secret key KSs. The predetermined function Ext is configured to be equal to a predetermined calculation result corresponding to "(KSd = KSe-KSs)". A specific example of the function Ext will be described later.

  The biometric signature verification unit 134 uses a predetermined function Diff from the public key KPe included in the biometric certificate T and the temporary public key KPs included in the biometric signature σ, to obtain a differential public key KPd = Diff. (KPe, KPs) is calculated (step S404). The differential public key KPd corresponds when the predetermined calculation result KSe−KSs corresponding to a “difference” between the secret key KSe and the temporary secret key KSs is regarded as a new secret key. The function Diff is configured to be a public key. A specific example of the function Diff will be described later.

The biometric signature verification unit 134 verifies that the differential secret key KSd and the differential public key KPd are corresponding key pairs in the predetermined electronic signature algorithm. If the verification fails, the final verification result is “failed”, and if the verification is successful, the final verification result is “success” (S407).
The verification result output unit 135 outputs the final verification result (S407).

  According to the present embodiment, if the signature generation user is the same person as the registered user, the registration feature amount X and the signature feature amount X ′ are expected to be sufficiently close (similar). At this time, the differential secret key KSd matches the “difference” between the secret key KSe and the temporary secret key KSs (KSd = KSe−KSs), and the differential key pair verification (S406) is successful.

  Conversely, if the signature generation user and the registered user are different persons, it is expected that the registration feature quantity X and the signature feature quantity X ′ are not close (similar). At this time, the differential secret key KSd does not match the “difference” between the secret key KSe and the temporary secret key KSs (KSd ≠ KSe−KSs), and the differential key pair verification (S406) fails.

  According to the present embodiment, the signature verification apparatus can calculate the differential secret key KSd = KSe−KSs (if the user is the same person), but can specify the secret key KSe and / or the temporary secret key KSs from here. Therefore, the signature cannot be forged, and the registration feature quantity X and / or the signature feature quantity X ′ cannot be restored.

  It is to be noted that an unauthorized user who tries to estimate the secret key KSe and / or the registration feature quantity X uses the biometric feature quantity of the unauthorized person as the signature feature quantity X ′, and the temporary secret key KSs. To generate a biometric signature, create a differential secret key calculation KSd using the predetermined function Ext, estimate the secret key KSe from the differential secret key KSd and the temporary secret key KSs, and forge the biometric signature Think of the attack you are trying to do. If X ′ and X are sufficiently close to each other, KSd = KSe−KSs, so that this is regarded as an equation and the secret key KSe can be specified by solving for KSe. However, in order for this attack to be successful, the attacker must know X 'close to X, which is synonymous with leaking biological information in the first place. That is, it can be said that the secret key KSs cannot be estimated by the above-described attack method unless biometric information is leaked.

  From the above characteristics, the biometric signature system of the present embodiment can generate a correct biometric signature (which can be successfully verified) only when the signing user is the same person as the registered user. Is expected to be unable to generate a biometric signature.

  Hereinafter, specific configuration examples of the predetermined functions Emb, Ext, and Diff will be described.

  The registration feature quantity and signature feature quantity are n-dimensional real vectors and can be represented by (Equation 1).

  In addition, the distance between them can be expressed as (Equation 2).

  If the distance is equal to or less than a predetermined threshold value t (d (X, X ′) ≦ t), it is regarded as a match (same living body). The lattice point set L is defined as (Equation 3).

  Here, K is a predetermined integer sufficiently larger than t and | xi |. Further, a function int for associating one integer z with the integer vector YεL is defined as (Equation 4) below.

Further, the inverse function (function that associates the vector Y with the integer z) is expressed as (Equation 5).

  A Schnorr signature is used as the predetermined electronic signature algorithm. The Schnorr signature private key KSe and public key KPe are generated as follows. First, the secret key KSe is a randomly generated integer, and the public key KPe is expressed by (Equation 6).

Here, p is a sufficiently large prime number, and g is a generator of a multiplicative group of an integer remainder ring Zp modulo p. p and g are public parameters, and are common values for each user.
Based on the above preparation, the embedding function Emb is defined as (Equation 7) below.

  The predetermined function Ext is defined as follows (Equation 8).

  Here, [v] represents an integer vector obtained by rounding each component (real number) of v to an integer (mapped to the nearest integer) with respect to the real vector v. Or, let n be a vector in which n are arranged. At this time, (Equation 9) is established from the method of making Ce and Cs. Therefore, if d (X, X ′) ≦ t, (Equation 10) is established. Here, it is defined as (Equation 11).

  Further, the predetermined function Diff is defined as in the following (Equation 12). Furthermore, from the above definition, the differential key pair verification (step S406) may confirm whether the equation (Equation 13) holds.

DESCRIPTION OF SYMBOLS 100 Registration terminal 101 Sensor part 102 Feature amount extraction part 103 ID input part 104 Biometric public key creation part 105 Biometric certificate creation part 110 Signature generation terminal 111 Message input part 112 Sensor part 113 Feature extraction part 114 Biometric signature generation part 115 Biometric signature Output unit 116 ID input unit 120 Repository server 121 Public DB
122 DB control unit 123 communication unit 130 signature verification device 131 message input unit with biometric signature 132 biometric signature acquisition unit 133 biometric certificate verification unit 134 biometric signature verification unit 135 verification result output unit 140 network

Claims (6)

A registration terminal that creates a biometric certificate based on the registration feature quantity of the biometric information of the registered user, and a signature generation terminal that generates a signature for a predetermined message based on the signature feature quantity of the biometric information of the signature generation user A biometric signature system including a signature verification device that verifies the signature based on the biometric certificate,
The registered terminal
A sensor for acquiring user biometric information;
A feature quantity extraction unit that extracts the registration feature quantity from the biological information;
A biometric public key creation unit that creates a pair of a secret key and a public key based on a predetermined electronic signature algorithm, and creates registration commitment information from the secret key and the registration feature amount;
A biometric certificate creating unit that creates the biometric certificate including the registration commitment information and the public key;
The signature generation terminal
A message input unit for inputting the message;
A sensor for acquiring user biometric information;
A feature quantity extraction unit for extracting the signature feature quantity from the biometric information;
Generating a pair of a temporary private key and a temporary public key based on a predetermined electronic signature algorithm; generating an electronic signature based on the predetermined electronic signature algorithm for the message using the temporary private key; and A biometric signature generating unit that generates signature commitment information from a key and the signature feature, and generates a biometric signature including the temporary public key, the electronic signature, and the signature commitment;
The signature verification terminal
An input unit for inputting the message and the biometric signature;
Whether the electronic signature included in the biometric signature is a correct signature for the message is verified using the temporary public key included in the biometric signature and the predetermined electronic signature algorithm, and the registration commitment A biometric signature verification unit that verifies the validity of the information and the signature commitment information set using the public key and the temporary public key;
The biometric signature system which has a verification result output part which makes a final determination result successful when each of the said verification succeeds. The biometric signature creation unit
An electronic signature is generated for a set including the registration commitment information, the public key, and registered user ID information using a predetermined secret key held by the registration terminal and a predetermined second electronic signature algorithm And creating a biometric certificate including a set of the registration commitment information, the public key, the registered user ID information, and the electronic signature,
The signature verification device includes:
A biometric certificate verification unit that verifies the validity of the biometric certificate by using the digital signature included in the biometric certificate, the public key of the registered terminal, and the second digital signature algorithm; The biometric signature system according to claim 1, wherein: The biometric signature system includes:
A repository server that holds and publishes the biometric certificate;
The registration terminal has means for registering the biometric certificate in the repository server after creating the biometric certificate,
The biometric signature system according to claim 1, wherein the signature verification apparatus includes means for acquiring the biometric certificate from the repository server. The registration feature quantity and the signature feature quantity are vectors,
The biometric public key creation unit creates the registration commitment information by adding or subtracting a secret key vector corresponding to the secret key to the registration feature vector,
The signature generation unit creates the signature commitment information by adding or subtracting a temporary secret key vector corresponding to the temporary secret key to the signature feature vector,
The signature verification unit creates a differential secret key by performing a predetermined first operation on the registration commitment information and the signature commitment information, and determines a predetermined secret key for the public key and the temporary public key. The biometric signature system according to any one of claims 1 to 3, wherein a differential public key is generated by performing the second calculation of and the correspondence between the differential secret key and the public key is verified. . The secret key vector corresponding to the secret key and the temporary secret key vector corresponding to the temporary secret key are each an integral multiple of a predetermined constant for each component,
5. The biometric signature system according to claim 4, wherein the first calculation includes a calculation of dividing a difference between two vectors by the predetermined constant and rounding each element to an integer. The predetermined electronic signature algorithm is a Schnorr signature,
The correspondence between the secret key and the secret key vector and the correspondence between the temporary secret key and the temporary secret key vector are obtained by regarding the vector as an integer of each digit when the L number is displayed with respect to a predetermined integer L. Define
6. The biometric signature system according to claim 5, wherein the second calculation includes a calculation for dividing the public key and the temporary public key by a predetermined integer.

Images