JP2021061633A - Computer system, verification method of secret information, and computer - Google Patents

Abstract

To provide a technique of a biometric cipher capable of satisfying both efficiency and safety.SOLUTION: The computer system includes a computer. The computer generates feature data based on bio-information obtained from a user, generates error feature data showing the error that occurs in bio-information and steady-state feature data showing the part other than the error that occurs in bio-information based on the feature data, generates a template based on error feature data of the bio-information, generates first secret information used for cryptographic processing based on the steady-state feature data of the bio-information, and generate first verification information based on the first secret information.SELECTED DRAWING: Figure 1

Description

The present invention relates to a system that performs processing such as authentication, encryption, and signature based on the biometric information of a user.

Biometric authentication technology that authenticates an individual based on biometric information such as fingerprints, veins, faces, and irises is widely used. In the conventional biometric authentication technology, the following processing is performed. First, at the time of user registration, the terminal registers the feature data extracted from the user's biological information in the system as a template. At the time of user authentication, the terminal compares the template with the feature data extracted from the user's biometric information again, and if the similarity is sufficiently large, that is, if the distance between the two feature data is sufficiently close, the authentication is successful. Judgment is made, and if the similarity is small, it is judged that the authentication has failed.

Biological information is generally irreplaceable information. Therefore, leakage of biological information becomes a big problem. To solve this problem, template-protected biometric authentication technology that authenticates biometric information while keeping it confidential has been researched and developed. Among them, a technique called biometric encryption, which generates key data from biometric information and performs processing such as cryptographic authentication processing, encryption processing, decryption processing, and signature generation processing, is attracting attention.

In the biometric encryption, the terminal generates the protection template T by converting the feature data X of the biometric information and embedding the private key K at the time of registering the biometric information. After that, the terminal restores the private key K by using the newly acquired feature data X'of the biometric information and the protection template T. If the restoration of the private key is successful, the terminal can perform cryptographic authentication processing, encryption processing, decryption processing, and electronic signature generation processing using the private key K.

Due to security requirements, it must be sufficiently difficult to restore or estimate feature data X using protection template T in biometric cryptography. On the other hand, if the feature data X'is sufficiently similar to the feature data X, the private key restoration process must be successful.

As a specific method for realizing biometric encryption, for example, the method described in Non-Patent Document 1 has been proposed. In Non-Patent Document 1, the feature data extracted from the biological information is
It is an n-dimensional real number vector X as shown in the equation (1), and an error of up to ± δ is allowed for each element. That is, if the error of the value is in the range of ± δ, it is accepted as the person. Further, the private key can be expressed as an integer vector as shown in the equation (2). Each element of the private key s_i
Are q-bit integers, respectively. Here, the subscript i is a value from 1 to n, and q is an arbitrary integer. Therefore, the element s_i is ^{an integer of 0 or more and 2 q} -1 or less.

The template T at the time of registration of biometric information can be expressed as a vector as shown in the equation (3).
The element t_i is calculated based on the equation (4). Here, the subscript i is a value from 1 to n.

The newly acquired feature data X'of the biological information can be expressed as a vector as shown in the equation (5).

At the time of verification of the private key, the terminal uses the saved template T and the feature data X'to execute the operation shown in the equation (7) to execute each element of the private key S'represented by the equation (6). Calculate the value of. As a result, the private key S'is restored. Here, the subscript i is a value from 1 to n. The symbol "[]" represents an operation in which the fractional part of the value in parentheses is truncated and the integer part is extracted.

Here, when the equation (8) is satisfied, the restored private key S'matches the private key S. Therefore, the terminal determines that the private key has been restored correctly, and the user who verifies the private key. Is accepted as the user registered in the system.

Since the feature data X and the private key S cannot be uniquely obtained by using the template T used in Non-Patent Document 1, the protection of the template having a certain effect can be realized by using the method of Non-Patent Document 1. ..

Gang Zheng, et.al., “Cryptographic Key Generation from Biometric Data Using Lattice Mapping”, In 18th International Conference on Pattern Recognition (ICPR'06), 2006.

However, the method of Non-Patent Document 1 has problems in safety and efficiency.

Regarding security, there is a problem that the candidates for the feature data X and the private key S can be narrowed down by using the template T. Specifically, due to the restriction that the element s_i of the secret key S is an integer of q bits, an attacker who knows t_i selects a candidate for the element x_i of the feature data X based on the equation (4) (9). ) Can be narrowed down to the range shown in).

Further, the value that the element x_i of the feature data can take is the range shown in the equation (10), and if the attacker knows the range, the candidate of the element x_i is the common range of the equations (9) and (10). Can be narrowed down to.

For example, when the element x_i = x_max and the element s_i = 0, the element t_i has a value as shown in the equation (11) according to the equation (4). Therefore, an attacker who knows the template T can know from the equation (9) that the element x_i satisfies the equation (12).

Therefore, from the equations (10) and (12), the range of the element x_i is shown in the equation (13), so that the attacker knows that the element x_i = x_max. The attacker also knows the element s_i = 0 from the equation (4).

In cases other than the above assumptions, the range of element x_i may be stochastically narrowed down. Therefore, in order to ensure sufficient safety, | x_min | and | x_max
Increase the value of q so that 2 ^q is sufficiently larger than |, and also increase the element s_ of the secret key S.
It is necessary to generate i uniformly and randomly in the range of 0 or more and 2 ^{q -1 or less.}

However, when q is increased, the size of the template T also increases, which poses an efficiency problem. Specifically, when the number of expressed digits of the fractional part of the element x_i of the feature data X is r digits in binary display, the integer part of the element t_i of the template T is q bits and the fractional part is r bits. .. Therefore, the data size of the template T is n (q + r) bits.

When q = 256, r = 52 (the number of mantissa copies of double), and n = 1000, the data size of the template T is 38.5 KB. When one template T is generated from the fingerprint of one finger, ten template Ts are generated for one user. If template T for 100 million people is registered in the system, the total data size will be 38.5 TB. When trying to realize 1: n authentication, which is an authentication method that collates the authentication data with all the registered N templates, it is necessary to access 38.5 TB of data, so the authentication process In, the access time to the storage area for storing the data becomes dominant.

An object of the present invention is to improve security and efficiency, which are problems of conventional biometric cryptography. Specifically, the purpose is to generate a template in which feature data is difficult to estimate and the size is small.

A typical example of the invention disclosed in the present application is as follows. That is, it is a calculator system including at least one calculator, and the at least one calculator is
It has a calculation device and a storage device connected to the calculation device, and the calculation device generates first feature data based on the first biometric information acquired from the user, and based on the first feature data, the calculation device generates first feature data. Error feature data showing the error generated in the first biometric information and stationary feature data showing the part other than the error generated in the first biometric information are generated, and a template is created based on the error feature data of the first biometric information. The user's identification information and the template are associated with each other and stored in the storage device, and the first secret information used for cryptographic processing is generated based on the stationary feature data of the first biometric information. Generate the first verification information based on the first secret information,
When the user's identification information and the first verification information are associated and stored in the storage device and the execution request of the cryptographic processing is received, the second feature is based on the second biometric information acquired from the user. Data is generated, second secret information is generated based on the template and the second feature data, second verification information is generated based on the second secret information, and the first verification information and the first (2) The second secret information is verified by comparing the verification information, and the cryptographic processing is executed based on the result of the verification of the second secret information.

According to the present invention, it is possible to realize a biometric encryption technique in which the size of the template is significantly reduced and the feature data is difficult to estimate. Issues, configurations and effects other than those mentioned above will be clarified by the description of the following examples.

It is a figure which shows the configuration example of the biometric authentication system of Example 1. FIG. It is a figure which shows an example of the hardware configuration of the computer which comprises the biometric authentication system of Example 1. FIG. FIG. 5 is a flowchart illustrating a registration process executed by the registration terminal of the first embodiment. It is a flowchart explaining the verification process executed by the authentication terminal of Example 1. FIG. It is a flowchart explaining the generation process of the template T of Example 1, and the generation process of a secret information sk. It is a flowchart explaining the restoration process of the secret information sk'of the first embodiment.

Hereinafter, examples of the present invention will be described with reference to the accompanying drawings. The same reference numerals are given to common configurations in each figure.

In the biometric authentication system of the first embodiment, first, the computer included in the biometric authentication system generates verification information for verifying the template and the restored secret information (private key) from the biometric information of the user, and registers the verification information in the database. To do. When the computer verifies the confidential information accompanying the execution of the cryptographic process, the computer restores the confidential information using the registered template and the newly acquired biometric information of the user. In addition, the calculator is based on the restored confidential information and verification information.
Confidential information is verified, and user authentication processing, encryption processing, decryption processing, etc. are performed based on the verification result.
And perform cryptographic processing such as electronic signature generation processing.

FIG. 1 is a diagram showing a configuration example of the biometric authentication system of the first embodiment. FIG. 2 is a diagram showing an example of the hardware configuration of the computer constituting the biometric authentication system of the first embodiment.

The biometric authentication system includes a registration terminal 100, an authentication terminal 110, a DB server 120, and a network 130. Registration terminal 100, authentication terminal 110, and DB server 12
0s are connected to each other via the network 130. The network 130 is a LAN (
Local Area Network) and WAN (Wide Area Network) and WAN (Wide Area Network)
rk) etc. can be considered. Note that this embodiment is not limited to the type of network 130. Further, the connection method of the network 130 may be either wired or wireless.

The registration terminal 100 acquires biometric information from the user, generates a template and verification information using the biometric information, and registers the template and verification information in the DB server 120.

Here, the hardware configuration of the registration terminal 100 will be described. As shown in FIG. 2, the registration terminal 100 includes a CPU 200, a memory 201, a storage device 202, an input device 203, an output device 204, and a communication device 205. The authentication terminal 110 and the DB server 120, which will be described later, also have the same hardware configuration.

The CPU 200 is an arithmetic unit of the registration terminal 100 and executes a program stored in the memory 201. When the CPU 200 executes the process according to the program,
It operates as a module that realizes a specific function. In the following description, when the process is described with the module as the subject, it is shown that the CPU 200 is executing the program that realizes the module.

The memory 201 is the main storage device of the registration terminal 100, and stores a program executed by the CPU 200 and data used by the program. Further, the memory 201 includes a temporary area temporarily used by the program.

The storage device 202 is a sub-storage device of the registration terminal 100 and permanently stores data.
The storage device 202 includes, for example, an HDD (Hard Disk Drive) and an SSD (S).
oil State Drive) and the like can be considered.

The input device 203 is a device for inputting various data to the registration terminal 100, and includes a keyboard, a mouse, a touch panel, a sensor, and the like.

The output device 204 is a device for outputting various information, and includes a touch panel, a display, and the like.

The communication device 205 is an interface for communicating with a large number of devices via a network.

Here, the functional configuration of the registration terminal 100 will be described. Memory 201 of registration terminal 100
Data acquisition module 101, feature data extraction module 102, template generation module 103, secret information generation module 104, and verification information generation module 105.
Stores the program that realizes.

The data acquisition module 101 acquires registration biometric information such as fingerprints and veins from the user, and outputs the acquired biometric information for registration to the feature data extraction module 102.

The feature data extraction module 102 extracts the feature data for registration from the biometric information for registration, and outputs the extracted feature data for registration to the template generation module 103 and the secret information generation module 104.

The template generation module 103 generates a template based on the feature data for registration. The template generation module 103 registers the template in the template DB 122 by transmitting the template to the DB server 120.

The secret information generation module 104 generates secret information based on the feature data for registration. The secret information generation module 104 outputs the secret information to the verification information generation module 105.

The verification information generation module 105 generates verification information for verifying the secret information restored by the authentication terminal 110 based on the secret information. The verification information generation module 105 registers the verification information in the verification information DB 123 by transmitting the verification information to the DB server 120.

The authentication terminal 110 newly acquires biometric information from the user, restores the confidential information based on the newly acquired biometric information and the template, and verifies the restored confidential information. Further, the authentication terminal 110 executes cryptographic processing such as user authentication processing, encryption processing, decryption processing, and electronic signature generation processing based on the verification result of the restored confidential information.

Here, the functional configuration of the authentication terminal 110 will be described. Memory 201 of authentication terminal 110
Stores a program that realizes a data acquisition module 111, a feature data extraction module 112, a secret information restoration module 113, a secret information verification module 114, and a data processing module 115.

The data acquisition module 111 acquires biometric information for generating confidential information from the user, and outputs the acquired biometric information to the feature data extraction module 112.

The feature data extraction module 112 extracts feature data from biological information and outputs the extracted feature data to the secret information restoration module 113.

The confidential information restoration module 113 restores the confidential information based on the feature data and the template, and outputs the restored confidential information to the confidential information verification module 114.

The confidential information verification module 114 verifies the correctness of the restored confidential information based on the verification information. That is, it is determined whether or not the secret information generated by the registration terminal 100 and the restored secret information match.

The data processing module 115 uses the confidential information to perform cryptographic processing such as authentication processing, encryption processing, decryption processing, and electronic signature generation processing.

The DB server 120 manages various data used in the biometric authentication system. Further, the DB server 120 executes data registration processing, data search processing, and the like.

Here, the functional configuration of the DB server 120 will be described. Memory 2 of DB server 120
01 stores the program that realizes the database management module 121, and also stores the template DB 122 and the verification information DB 123. The template DB 122
And the verification information DB 123 may be stored in the storage device 202 of the DB server 120.

The database management module 121 registers, updates, and searches data. The template DB 122 is a database for storing the template. Template DB1
In 22, one or more data associated with the user's identification information and the template are stored. For example, a table-type database containing one or more entries composed of a field for storing user identification information and a field for storing a template can be considered.

The verification information DB 123 is a database that stores verification information. Verification information DB123
Stores one or more data associated with the user's identification information and verification information. For example, a table-type database containing one or more entries composed of a field for storing user identification information and a field for storing verification information can be considered.

In this embodiment, one DB server 120 is the template DB 122 and the verification information DB 1.
Although 23 is retained, it may be managed by using a distributed database composed of a plurality of DB servers 120. In this case, the template and the verification information are distributed and stored in each DB server 120. By managing templates and verification information in a distributed manner, the risk of information leakage is reduced, and thus safety can be improved.

The authentication terminal 110 may hold at least one of the template DB 122 and the verification information DB 123. Further, even if at least one of the template DB 122 and the verification information DB 123 is stored in a portable medium such as an IC card, a USB memory, a printed matter in which data is converted into a QR code (registered trademark), or a personal terminal such as a smartphone. Good.

In this embodiment, the registration terminal 100, the authentication terminal 110, and the DB server 120 are described as physically independent computers, but the present invention is not limited thereto. Multiple functions may be integrated into one computer. For example, the authentication terminal 110 and the DB server 120 may be realized by using one computer.

For each module of the registration terminal 100, the authentication terminal 110, and the DB server 120, two or more modules may be combined into one module, or one module may be combined into a plurality of modules for each function. You may divide it.

Next, the details of the registration process of the first embodiment will be described with reference to FIG. FIG. 3 is a flowchart illustrating a registration process executed by the registration terminal 100 of the first embodiment.

When the registration terminal 100 receives the operation of the user or the operator, the registration terminal 100 starts the registration process described below. First, the data acquisition module 101 of the registration terminal 100 is the input device 2.
The biometric information for registration is acquired from the user using 03 (step S301). The data acquisition module 101 also acquires user identification information such as a user's ID and name at the start of registration processing or acquisition of biometric information for registration.

Next, the feature data extraction module 102 of the registration terminal 100 extracts the feature data for registration from the biometric information for registration (step S302). For example, an image and a feature vector are extracted as feature data.

Next, the template generation module 103 of the registration terminal 100 generates the template T based on the feature data for registration (step S303). The details of the template T generation process will be described later.

Next, the secret information generation module 104 of the registration terminal 100 generates the secret information sk based on the feature data for registration (step S304). The details of the secret information sk generation process will be described later.

Next, the verification information generation module 105 of the registration terminal 100 generates verification information vk based on the secret information sk (step S305). Here, an example of a method of generating the verification information vk will be described. The following three methods can be considered as a method of generating the verification information vk based on the secret information sk.

(Generation Method 1) As shown in the equation (14), the verification information generation module 105 generates the verification information vk using an arbitrary one-way function Hash (). As the one-way function Hash (), for example, a cryptographic hash function such as SHA256 and SHA3 can be considered.

(Generation method 2) As shown in the equation (15), the verification information generation module 105 has a cyclic group G.
The verification information vk is generated using the mapping φ from the set of = <g> and the secret information sk to the integer set. Here, g is a generator of G.

The generated pairs (sk, vk) are ElGamal encryption / signature, DSA, Schnorr.
It can be treated as a set of private and public keys in many public key cryptography / digital signature algorithms, such as signatures or their elliptic curve algorithms.

(Generation method 3) As shown in Equation (16), the verification information generation module 105 uses the function Enc () with p as a variable, which is a secret key or parameter for generating verification information, to generate verification information vk. Generate. In addition, p may be set in the user unit or the biometric information unit for registration, or may be set in the authentication terminal 110 unit or the biometric authentication system unit.

The function Enc () is an encryption function in AES or RSA, a hash function with a key, and the like. The above is the description of the process of step S305.

Next, the template generation module 103 and the verification information generation module 105 of the registration terminal 100 register the template T and the verification information vk in the DB server 120, respectively (step S306). After that, the registration terminal 100 ends the registration process.

Specifically, the template generation module 103 transmits a registration request including the user identification information and the template T to the DB server 120, and the verification information generation module 105 sends a registration request including the user identification information and the verification information vk. It is transmitted to the DB server 120.

When the DB server 120 receives the registration request from the template generation module 103, the DB server 120 registers the data associated with the user identification information and the template T in the template DB 122. Further, when the DB server 120 receives the registration request from the verification information generation module 105, the DB server 120 converts the data associated with the user identification information and the verification information vk into the verification information DB 12
Register in 3.

Next, the details of the verification process in the first embodiment will be described with reference to FIG. FIG. 4 is a flowchart illustrating a verification process executed by the authentication terminal 110 of the first embodiment.

When the authentication terminal 110 receives the operation of the user or the operator, the authentication terminal 110 starts the authentication process described below. First, the data acquisition module 111 of the authentication terminal 110 is the input device 2.
The biometric information for verification is acquired from the user using 03 (step S401). The data acquisition module 111 also acquires user identification information such as a user's ID and name at the start of verification processing or acquisition of biometric information for verification.

Next, the feature data extraction module 112 of the authentication terminal 110 extracts verification feature data from the verification biometric information (step S402).

Next, the secret information restoration module 113 of the authentication terminal 110 acquires the template T from the template DB 122 of the DB server 120, and restores the secret information sk'based on the template T and the feature data for verification (step S403). The details of the restoration process (generation process) of the secret information sk'will be described later.

When the secret information restoration module 113 acquires the template T, the secret information restoration module 113 transmits a template acquisition request including the user's identification information to the DB server 120. DB server 120
Refers to the template DB 122, searches for a template to which the user's identification information is associated, and transmits the search result to the authentication terminal 110.

Next, the secret information verification module 114 of the authentication terminal 110 acquires the verification information vk from the verification information DB 123 of the DB server 120, and verifies the correctness of the secret information sk'based on the verification information vk (step S404). That is, it is determined whether or not sk'= sk holds.

Specifically, the secret information verification module 114 generates the verification information vk'from the secret information sk', and determines whether or not the verification information vk'and the verification information vk acquired from the DB server 120 match. As the method for generating the verification information vk', the following methods can be considered depending on the method for generating the verification information vk.

When (generation method 1) is adopted, the verification information vk'is given by the equation (17), and when (generation method 2) is adopted, the verification information vk'is given by the equation (18), and (generation method 3) is adopted. ) Is adopted, the verification information vk'is given by the equation (19). In equation (19), p is the same value as the value used when the verification information vk was generated. The above is the description of the process of step S404.

Next, the authentication terminal 110 executes cryptographic processing based on the verification result of the secret information sk'(step S405). After that, the authentication terminal 110 ends the authentication process.

Next, the details of the template T generation process and the secret information sk generation process will be described with reference to FIG. FIG. 5 is a flowchart illustrating a template T generation process and a secret information sk generation process of the first embodiment. In the following description, the value of each element of the vector shall be expressed in binary or decimal notation.

The template generation module 103 generates the normalization feature vector X for registration shown in the equation (20) by executing at least one of the conversion process and the normalization process on the feature data for registration (step S501). ). Each element X_i of the normalization feature vector X for registration is a real number. If the feature data has already been normalized, the normalization process may not be executed.

The normalized feature vector X'for verification, which will be described later, is expressed as in Eq. (21). Each element X'_i of the normalized feature vector X'for verification is a real number.

Further, the distance between the two feature vectors X and X'is defined as in the equation (22). In this embodiment, when the authentication terminal 110 satisfies the equation (23), it is determined that the two feature vectors X and X'are the feature vectors of the biometric information acquired from the same user.

In step S501, the template generation module 103 holds the equation (23) with high probability for the biometric information acquired from the same user, and the equation (23) with high probability for the biometric information acquired from different users. ) Is not established, and appropriate conversion processing or scaling is performed on the feature data for registration.

Next, the template generation module 103 has an integer vector XI having an integer part of each element X_i as an element and a decimal vector XD having a decimal part of each element X_i as an element, based on the normalization feature vector X for registration. Is generated (step S502). Integer vector XI
And the decimal vector XD are expressed as Eqs. (24) and Eq. (25), respectively.

Specifically, the template generation module 103 generates an integer vector XI by truncating the decimal point of the element X_i. In addition, template generation module 1
03 generates a decimal vector XD by executing the operation of the equation (26).

Next, the template generation module 103 sets each element XD_i of the decimal vector XD.
The rounding process of rounding to k digits after the decimal point is executed, and the rounding decimal vector X as shown in equation (27).
Generate Dr (step S503).

Specifically, the template generation module 103 rounds the k + 1 decimal place and below.
As a result, a rounded decimal vector XDr having a value up to the kth decimal place as an element is generated. For example, when the element XDr_i expressed in binary is k digits, that is, k bits.
The size of the rounded decimal vector XDr is nk bits.

As a method of rounding, rounding down, rounding up, closest rounding, even rounding, and the like can be considered.

By reducing the number of digits of the element in this way, the size of the template T can be further reduced. However, if the rounding size is small, there is a high probability that the confidential information restoration process will fail due to an error due to the rounding process. The relationship between the probability and k that specifies the rounding size will be described later. In the following description, the probability that the confidential information restoration process will fail due to an error due to the rounding process will also be described as an error probability.

Next, the template generation module 103 generates salt (step S504).
..

Specifically, the template generation module 103 is a randomly generated character string or bit string of a predetermined length (for example, s bits), or a numerical value of a predetermined length randomly generated from an arbitrary numerical range. Is generated as a salt. Further, the template generation module 103 may generate a salt by using different values for each user or for each biometric information for registration, such as a user ID and a counter. The length of the salt may be such that a brute force attack is difficult, for example, 128 or more.

Next, the template generation module 103 generates a template T based on the rounded decimal vector XDr and the salt (step S505). Specifically, the template generation module 103 generates a set of a rounded decimal vector XDr and a salt as shown in the equation (28) as a template.

It is not always necessary to execute the rounding process on the decimal vector XD. Further, it is not always necessary to generate the template T by using salt. That is, the decimal vector XD
Alternatively, the template T may be generated only from the rounded decimal vector XDr.

The above is the explanation of the template generation process. The template generation module 10
In 3, the template T is registered in the template DB 122, and the integer vector XI is used.
And the salt are output to the secret information generation module 104.

The secret information generation module 104 uses the secret information s based on the integer vector XI and the salt.
Generate k (step S511).

For example, as shown in the equation (29), the secret information verification module 114 inputs the secret information sk by inputting the data obtained by concatenating the integer vector XI and the salt into the one-way function Hash () such as SHA256 or SHA3. Generate. The symbol “||” in equation (29) represents a concatenation of data.

Further, as shown in the equation (30), the confidential information verification module 114 concatenates an integer vector XI and a salt to a function Enc () such as an encryption function such as AES or a hash function with a key, and optionally. Confidential information sk by entering the parameter p'of
To generate.

The above is the explanation of the secret information generation process.

Here, the features of the template T of this embodiment will be described.

As described above, the data size of the rounded decimal vector XDr is nk bits. When the length of the salt is s bits, the size of the template T is (nk + s) bits from the equation (28).

Here, when n = 1000, k = 8, and s = 128, the size of the template T is 8.
It is 128 bits (1016 bytes) and is about 1 kB. Since the size of the template generated based on the technique described in Non-Patent Document 1 is 38.5 kB, the template of this embodiment can compress the size of the conventional template to about 1/40. Therefore,
Since the size of the template can be significantly reduced as compared with the conventional technique, the efficiency of the biometric authentication system can be improved.

Even when the template T is generated using the decimal vector XD, the size of the conventional template is sufficiently smaller because the integer part of the feature vector X is deleted.

Further, the salt contained in the template T is a value that does not depend on biological information. so that,
The only way for an attacker to estimate biometric information from template T is to estimate the normalized feature vector X for registration from the rounded decimal vector XDr contained in template T.

The rounded decimal vector XDr is data generated by rounding the fractional part of the normalization feature vector X for registration. More specifically, the rounded decimal vector XDr is the data in which the integer part of the feature vector X and the k + 1 decimal place and below are deleted. Since an error occurs in the biometric information even when it is acquired from the same user, a stochastic error also occurs in the range of about ± 0.5 for each element of the normalized feature vector X. Therefore, since the fractional part contains almost no information that identifies the user, the rounded decimal vector X
It is difficult enough to estimate or restore the normalized feature vector X from Dr.

From the above, by applying the template generation method of this embodiment, the size of the template can be reduced and sufficient safety can be ensured.

In this embodiment, the template T is generated using the feature vector, but the template T having the same features can be generated by using data other than the feature vector. That is, the registration terminal 100 is based on the feature data or the data generated by using the feature data.
It generates error data, which is data of an error portion generated in biological information, and stationary data, which is data other than error data. The registration terminal 100 generates the template T using the error data, and also generates the secret information sk using the stationary data.

Next, the details of the restoration process of the secret information sk'will be described with reference to FIG. FIG. 6 is a flowchart illustrating a restoration process of the secret information sk'of the first embodiment.

The secret information restoration module 113 generates the normalization feature vector X'for verification shown in the equation (21) by executing at least one of the conversion process and the normalization process on the feature data for verification ( Step S601). If the feature data has already been normalized, the normalization process may not be executed.

Next, the secret information restoration module 113 calculates the difference feature vector XC shown in the equation (31) based on the rounded decimal vector XDr included in the acquired template T and the normalized feature vector X'for verification (step). S602).

Specifically, the secret information restoration module 113 executes the operation shown in the equation (32).

Next, the secret information restoration module 113 is based on the difference feature vector XC, and the equation (33) is used.
) Is generated (step S603).

Specifically, the secret information restoration module 113 executes the operation shown in the equation (34). The symbol "[]" represents an operation that truncates the fractional part of the value in parentheses and extracts the integer part.

Next, the secret information restoration module 113 generates the restoration secret information sk'based on the restoration integer vector XI'and the salt included in the acquired template T (step S604).
). The method of generating the secret information is the same process as in step S511.

Here, the verification of the secret information sk and the restored secret information sk'will be described.

ε_i is defined by Eq. (35). Here, ε_i is a value representing the rounding error of the rounding decimal vector XDr, and is a value having a decimal point k + 1 or less. Therefore, the absolute value of ε_i is 2.
It will be less than ^−k.

From the equations (26), (32), and (35), the equation (34) can be modified as the equation (36).

When the distance defined by the equation (22) satisfies the equation (37) and ε_i = 0, the equation (
38) is always established. Further, when the equation (38) is satisfied, the secret information sk and sk'are generated from the integer vectors XI and XI'and the salt, and are generated by the same method.
Equation (39) holds. Further, when the equation (39) holds, the verification information vk and vk'are the same.

When the equation (37) holds, the equation (38) holds with a high probability if the non-zero ε_i is sufficiently small. On the contrary, the case where the equation (38) does not hold is limited to the case where the equation (40) is satisfied.
Therefore, since the error probability is approximately ^{proportional to 2 −k} , it decreases exponentially as the parameter k in the rounding process increases. Therefore, when k is a value between 8 and 16, the accuracy of the verification process is sufficiently high.

However, since the size of the template T is proportional to the size of the parameter k, the value of k needs to be determined in consideration of the balance between the accuracy and efficiency of the verification process.

As described above, according to the present embodiment, the size of the template T can be significantly reduced, and the resistance to an attack for estimating the original feature data X from the template T can be increased. Therefore, it is possible to realize a biometric encryption technique in which high efficiency and security are guaranteed.

The following are typical viewpoints of the invention other than those described in the claims.
(1) A computer that executes cryptographic processing using confidential information used to conceal data.
The calculator
It has an arithmetic unit, a storage device connected to the arithmetic unit, and an interface connected to the arithmetic unit.
Through the interface, a template generated based on the error feature data indicating an error generated in the first feature data generated from the input first biometric information, and a part of the feature data other than the error feature data are displayed. Connect to the database that manages the first verification information generated based on the stationary feature data shown.
The arithmetic unit
When the execution request of the cryptographic processing is received, the second feature data is generated based on the second biometric information acquired from the user.
The second secret information is generated based on the template and the second feature data.
The second verification information is generated based on the second secret information, and the second verification information is generated.
The second secret information is verified by comparing the first verification information and the second verification information.
A computer characterized by executing the cryptographic processing based on the result of verification of the second confidential information.
(2) The calculator according to (1).
The first feature data and the second feature data are feature vectors having real numbers as elements.
The error feature data is a vector having a fractional part of each element of the feature vector as an element.
A computer characterized in that the stationary feature data is a vector having an integer portion of each element of the feature vector as an element.
(3) The calculator according to (2).
The arithmetic unit
Based on the second feature data and the error feature data of the first biometric information included in the template, the stationary feature data of the second biometric information is generated.
A computer characterized in that the second secret information is generated by inputting the stationary feature data of the second biometric information into at least one of a hash function, a keyed hash function, and an encryption function.

The present invention is not limited to the above-described examples, and includes various modifications.
Further, for example, the above-described embodiment describes the configuration in detail in order to explain the present invention in an easy-to-understand manner, and is not necessarily limited to the one including all the described configurations.
In addition, a part of the configuration of each embodiment can be added, deleted, or replaced with another configuration.

Further, each of the above configurations, functions, processing units, processing means and the like may be realized by hardware by designing a part or all of them by, for example, an integrated circuit. The present invention can also be realized by a program code of software that realizes the functions of the examples. In this case, a storage medium in which the program code is recorded is provided to the computer, and the processor included in the computer reads the program code stored in the storage medium. In this case, the program code itself read from the storage medium realizes the functions of the above-described embodiment, and the program code itself and the storage medium storing the program code itself constitute the present invention. Examples of the storage medium for supplying such a program code include a flexible disk, a CD-ROM, a DVD-ROM, a hard disk, and an SSD (Solid Sta).
te Drive), optical disks, magneto-optical disks, CD-Rs, magnetic tapes, non-volatile memory cards, ROMs, and the like are used.

Further, the program code that realizes the functions described in this embodiment is, for example, an assembler, C.
It can be implemented in a wide range of programs or scripting languages such as / C ++, perl, Shell, PHP, Java®.

Further, by distributing the program code of the software that realizes the functions of the examples via the network, it is stored in a storage means such as a hard disk or memory of a computer or a storage medium such as a CD-RW or a CD-R. , The processor provided in the computer may read and execute the program code stored in the storage means or the storage medium.

In the above-described embodiment, the control lines and information lines show what is considered necessary for explanation, and do not necessarily indicate all the control lines and information lines in the product. All configurations may be interconnected.

100 Registration terminal 101, 111 Data acquisition module 102, 112 Feature data extraction module 103 Template generation module 104 Confidential information generation module 105 Verification information generation module 110 Authentication terminal 113 Confidential information restoration module 114 Confidential information verification module 115 Data processing module 120 DB server 121 Database management module 122 Template DB
123 Verification information DB
130 network 200 CPU
201 Memory 202 Storage device 203 Input device 204 Output device 205 Communication device

A typical example of the present invention is as follows. That is, a computer system including at least one computer, wherein the at least one computer has a calculation device and a storage device connected to the calculation device, and the at least one computer is a living body acquired from a user. based on the information, the generated constant characteristic data indicating the portion other than the error generated error characteristic data and the biometric information indicating the error generated biometric information to generate a template based on the error characteristic data, the It is characterized in that verification information is generated based on stationary feature data, and the template, the verification information, and the user's identification information are associated with each other and stored in the storage device of the computer or another computer. And.

The following are typical viewpoints of the invention other than those described in the claims.
(1) A computer that executes cryptographic processing using confidential information used to conceal data.
The calculator
It has an arithmetic unit, a storage device connected to the arithmetic unit, and an interface connected to the arithmetic unit.
Through the interface, a template generated based on the error feature data indicating an error generated in the first feature data generated from the input first biometric information, and a part of the feature data other than the error feature data are displayed. Connect to the database that manages the first verification information generated based on the stationary feature data shown.
The arithmetic unit
When the execution request of the cryptographic processing is received, the second feature data is generated based on the second biometric information acquired from the user.
The second secret information is generated based on the template and the second feature data.
The second verification information is generated based on the second secret information, and the second verification information is generated.
The second secret information is verified by comparing the first verification information and the second verification information.
A computer characterized by executing the cryptographic processing based on the result of verification of the second confidential information.
(2) The calculator according to (1).
The first feature data and the second feature data are feature vectors having real numbers as elements.
The error feature data is a vector having a fractional part of each element of the feature vector as an element.
A computer characterized in that the stationary feature data is a vector having an integer portion of each element of the feature vector as an element.
(3) The calculator according to (2).
The arithmetic unit
Based on the second feature data and the error feature data of the first biometric information included in the template, the stationary feature data of the second biometric information is generated.
A computer characterized in that the second secret information is generated by inputting the stationary feature data of the second biometric information into at least one of a hash function, a keyed hash function, and an encryption function.
(4) A computer system including at least one computer.
The at least one calculator has an arithmetic unit and a storage device connected to the arithmetic unit.
The arithmetic unit
Generate the first feature data based on the first biometric information acquired from the user,
Based on the first feature data, error feature data showing an error occurring in the first biometric information and stationary feature data showing a portion other than the error occurring in the first biometric information are generated.
A template is generated based on the error feature data of the first biometric information, and the user's identification information and the template are associated and stored in the storage device.
The first secret information used for cryptographic processing is generated based on the stationary feature data of the first biometric information, the first verification information is generated based on the first secret information, and the user's identification information and the user are described. The first verification information is associated with the storage device and stored in the storage device.
When the execution request of the cryptographic processing is received, the second feature data is generated based on the second biometric information acquired from the user.
The second secret information is generated based on the template and the second feature data.
The second verification information is generated based on the second secret information, and the second verification information is generated.
By comparing the first verification information and the second verification information, the second secret information is verified.
A computer system characterized by executing the cryptographic processing based on the result of verification of the second secret information.
(5) The computer system according to (4).
The first feature data and the second feature data are feature vectors having real numbers as elements.
The error feature data is a vector having a fractional part of each element of the feature vector as an element.
A computer system characterized in that the stationary feature data is a vector having an integer portion of each element of the feature vector as an element.
(6) The computer system according to (5).
The arithmetic unit
A rounding process for rounding the value of each element of the error feature data is executed.
A computer system characterized in that error feature data of the first biometric information on which the rounding process is executed is generated as the template.
(7) The computer system according to (5).
The arithmetic unit
Generate a salt that is a data string of arbitrary length
A computer system characterized in that an error feature data of the first biometric information on which the rounding process is executed and a set of the salt are generated as the template.
(8) The computer system according to (5).
The arithmetic unit
The first secret information is generated by inputting the stationary feature data of the first biometric information into at least one of a hash function, a keyed hash function, and an encryption function.
Based on the second feature data and the error feature data of the first biometric information included in the template, the stationary feature data of the second biometric information is generated.
A computer system characterized in that the second secret information is generated by inputting stationary feature data of the second biometric information into at least one of the hash function, the keyed hash function, and the encryption function. ..
(9) A method for verifying confidential information in a computer system that executes cryptographic processing using confidential information.
The computer system includes an arithmetic unit and at least one computer having a storage device connected to the arithmetic unit.
The method for verifying the confidential information is
The first step in which the arithmetic unit generates the first feature data based on the first biometric information acquired from the user, and
Based on the first feature data, the arithmetic unit generates error feature data indicating an error occurring in the first biometric information and stationary feature data indicating a portion other than the error occurring in the first biometric information. 2 steps and
A third step in which the arithmetic unit generates a template based on the error characteristic data of the first biometric information, associates the user's identification information with the template, and stores the template in the storage device.
The computing device generates first secret information used for the cryptographic processing based on the stationary feature data of the first biometric information, and generates first verification information based on the first secret information. A fourth step of associating the user's identification information with the first verification information and storing the first verification information in the storage device, and
When the arithmetic unit receives the execution request of the cryptographic processing, the fifth step of generating the second feature data based on the second biometric information acquired from the user, and the fifth step.
A sixth step in which the arithmetic unit generates the second secret information based on the template and the second feature data.
The seventh step in which the arithmetic unit generates the second verification information based on the second secret information,
An eighth step in which the arithmetic unit verifies the second secret information by comparing the first verification information and the second verification information.
A method for verifying confidential information, which comprises a ninth step in which the arithmetic unit executes the cryptographic process based on the result of verification of the second confidential information.
(10) The method for verifying confidential information described in (9).
The first feature data and the second feature data are feature vectors having real numbers as elements.
The error feature data is a vector having a fractional part of each element of the feature vector as an element.
A method for verifying secret information, wherein the stationary feature data is a vector having an integer portion of each element of the feature vector as an element.
(11) The method for verifying confidential information according to (10).
The third step is
A step in which the arithmetic unit executes a rounding process for rounding the value of each element of the error feature data.
A method for verifying confidential information, wherein the arithmetic unit includes a step of generating error feature data of the first biometric information on which the rounding process is executed as the template.
(12) The method for verifying confidential information according to (10).
The third step is
A step in which the arithmetic unit generates a salt, which is a data string of an arbitrary length,
A method for verifying confidential information, wherein the arithmetic unit includes a step of generating an error feature data of the first biometric information on which the rounding process has been executed and a set of the salt as the template.
(13) The method for verifying confidential information according to (10).
In the fourth step, the arithmetic unit inputs the stationary feature data of the first biometric information to at least one of a hash function, a keyed hash function, and an encryption function to obtain the first secret information. Including steps to generate
The sixth step is
A step in which the arithmetic unit generates stationary feature data of the second biometric information based on the second feature data and the error feature data of the first biometric information included in the template.
A step in which the arithmetic unit generates the second secret information by inputting stationary feature data of the second biometric information into at least one of the hash function, the keyed hash function, and the encryption function. A method for verifying confidential information, which comprises.

Claims (12)

A calculator system that includes at least one calculator
The at least one calculator has an arithmetic unit and a storage device connected to the arithmetic unit.
The arithmetic unit
Generate the first feature data based on the first biometric information acquired from the user,
Based on the first feature data, error feature data showing an error occurring in the first biometric information and stationary feature data showing a portion other than the error occurring in the first biometric information are generated.
A template is generated based on the error feature data of the first biometric information, and the user's identification information and the template are associated and stored in the storage device.
The first secret information used for cryptographic processing is generated based on the stationary feature data of the first biometric information, the first verification information is generated based on the first secret information, and the user's identification information and the user are described. The first verification information is associated with the storage device and stored in the storage device.
When the execution request of the cryptographic processing is received, the second feature data is generated based on the second biometric information acquired from the user.
The second secret information is generated based on the template and the second feature data.
The second verification information is generated based on the second secret information, and the second verification information is generated.
By comparing the first verification information and the second verification information, the second secret information is verified.
A computer system characterized by executing the cryptographic processing based on the result of verification of the second confidential information. The computer system according to claim 1.
The first feature data and the second feature data are feature vectors having real numbers as elements.
The error feature data is a vector having a fractional part of each element of the feature vector as an element.
A computer system characterized in that the stationary feature data is a vector having an integer portion of each element of the feature vector as an element. The computer system according to claim 2.
The arithmetic unit
A rounding process for rounding the value of each element of the error feature data is executed.
A computer system characterized in that error feature data of the first biometric information on which the rounding process is executed is generated as the template. The computer system according to claim 2.
The arithmetic unit
Generate a salt that is a data string of arbitrary length
A computer system characterized in that an error feature data of the first biometric information on which the rounding process is executed and a set of the salt are generated as the template. The computer system according to claim 2.
The arithmetic unit
The first secret information is generated by inputting the stationary feature data of the first biometric information into at least one of a hash function, a keyed hash function, and an encryption function.
Based on the second feature data and the error feature data of the first biometric information included in the template, the stationary feature data of the second biometric information is generated.
A computer system characterized in that the second secret information is generated by inputting stationary feature data of the second biometric information into at least one of the hash function, the keyed hash function, and the encryption function. .. A method for verifying confidential information in a computer system that executes cryptographic processing using confidential information.
The computer system includes an arithmetic unit and at least one computer having a storage device connected to the arithmetic unit.
The method for verifying the confidential information is
The first step in which the arithmetic unit generates the first feature data based on the first biometric information acquired from the user, and
Based on the first feature data, the arithmetic unit generates error feature data indicating an error occurring in the first biometric information and stationary feature data indicating a portion other than the error occurring in the first biometric information. 2 steps and
A third arithmetic unit generates a template based on the error feature data of the first biometric information, associates the user's identification information with the template, and stores the template in the storage device.
Steps and
The computing device generates first secret information used for the cryptographic processing based on the stationary feature data of the first biometric information, and generates first verification information based on the first secret information. A fourth step of associating the user's identification information with the first verification information and storing the first verification information in the storage device, and
When the arithmetic unit receives the execution request of the cryptographic processing, the fifth step of generating the second feature data based on the second biometric information acquired from the user, and the fifth step.
A sixth step in which the arithmetic unit generates the second secret information based on the template and the second feature data.
The seventh step in which the arithmetic unit generates the second verification information based on the second secret information,
An eighth step in which the arithmetic unit verifies the second secret information by comparing the first verification information and the second verification information.
A method for verifying confidential information, which comprises a ninth step in which the arithmetic unit executes the cryptographic process based on the result of verification of the second confidential information. The method for verifying confidential information according to claim 6.
The first feature data and the second feature data are feature vectors having real numbers as elements.
The error feature data is a vector having a fractional part of each element of the feature vector as an element.
A method for verifying secret information, wherein the stationary feature data is a vector having an integer portion of each element of the feature vector as an element. The method for verifying confidential information according to claim 7.
The third step is
A step in which the arithmetic unit executes a rounding process for rounding the value of each element of the error feature data.
A method for verifying confidential information, wherein the arithmetic unit includes a step of generating error feature data of the first biometric information on which the rounding process is executed as the template. The method for verifying confidential information according to claim 7.
The third step is
A step in which the arithmetic unit generates a salt, which is a data string of an arbitrary length,
A method for verifying confidential information, wherein the arithmetic unit includes a step of generating an error feature data of the first biometric information on which the rounding process has been executed and a set of the salt as the template. The method for verifying confidential information according to claim 7.
In the fourth step, the arithmetic unit inputs the stationary feature data of the first biometric information to at least one of a hash function, a keyed hash function, and an encryption function to obtain the first secret information. Including steps to generate
The sixth step is
A step in which the arithmetic unit generates stationary feature data of the second biometric information based on the error feature data of the first biometric information included in the second feature data and the template.
A step in which the arithmetic unit generates the second secret information by inputting stationary feature data of the second biometric information into at least one of the hash function, the keyed hash function, and the encryption function. A method for verifying confidential information, which comprises. A computer that generates templates used to generate confidential information used to conceal data.
The calculator has an arithmetic unit and a storage device connected to the arithmetic unit.
The arithmetic unit
Generate the first feature data based on the first biometric information acquired from the user,
Based on the first feature data, error feature data showing an error occurring in the first biometric information and stationary feature data showing a portion other than the error occurring in the first biometric information are generated.
A rounding process for rounding the value of each element of the error feature data is executed.
Generate a salt that is a data string of arbitrary length
Based on the error feature data of the first biometric information and the salt on which the rounding process is executed, a template used for generating the second secret information to be verified is generated, and the user's identification information and the template are associated with each other. And store it in the storage device
The first secret information is generated based on the stationary feature data of the first biometric information, and the verification information used for the verification of the second secret information is generated based on the first secret information. A computer characterized in that the verification information is associated and stored in the storage device. The calculator according to claim 11.
The first feature data is a feature vector having a real number as an element.
The error feature data is a vector having a fractional part of each element of the feature vector as an element.
A computer characterized in that the stationary feature data is a vector having an integer portion of each element of the feature vector as an element.

Images