JP2007189590A - Personal authentication device, server device, authentication system and authentication method - Google Patents

Abstract

<P>PROBLEM TO BE SOLVED: To make it difficult for an unauthorized person to successfully pretend to be another person even when information stored in a server device is leaked and to use an optional means as a similarity determining means for biological information with each other. <P>SOLUTION: This personal authentication device 201 transmits, to the server device by using a multiparty protocol, a partial key information generated by dividing an encryption key obtained by encrypting biological information b at registration stored by the server device into a plurality of parts and partial identification information generated by dividing biological information b' for authentication inputted by a biological information reading part 214 into a plurality of parts and makes the server device to verify the correctness of the encryption key and the correctness of the biological information b' for authentication. <P>COPYRIGHT: (C)2007,JPO&INPIT

Description

  The present invention relates to a personal authentication device and server device for performing personal authentication using biometric information as information for identifying an individual, a server device, a personal authentication system, a personal authentication method, and particularly biometric information acquired by the personal authentication device Personal authentication device and server device, personal authentication system that enables personal authentication by the server device without disclosing biometric information itself to the server device without transmitting and storing the server to the server device via the network, It relates to personal authentication methods.

In recent years, personal authentication methods using biometric information such as fingerprints, veins, and irises have attracted attention. In client authentication in a personal authentication system using biometric information, biometric information acquired by a personal authentication device is transmitted to a server device via a network, and the server device authenticates the client using this biometric information.
Since biometric information is unique to an individual and there is no fear of forgetting or losing, biometric information makes it possible to realize highly convenient personal authentication. On the other hand, if biometric information is leaked, it is very difficult to change the biometric information unique to an individual. Therefore, the biometric information itself is not transmitted and stored in the server. Information leakage prevention technology has been proposed.

For example, in Japanese Patent Application Laid-Open No. 2005-130384 (Patent Document 1), the personal authentication device converts the biometric information by a conversion function, and the server device converts the biometric information at the time of registration and the biometric information at the time of authentication converted. A method is described in which personal authentication is made possible by determining similarity and performing authentication without disclosing the biometric information itself to the server device.
On the other hand, one of cryptographic protocols is called a multi-party protocol (or Secure Computation). Using a multi-party protocol, for example, when entity A has a secret value a and entity B has a secret function F (x), F (a) is calculated while keeping both secrets. Is possible. In Non-Patent Document 1, even if it is assumed that there is an unauthorized person, such calculation can be performed for an arbitrary function F by using an encryption protocol called Oblivious Transfer (lost communication). Are listed. Non-Patent Document 2 describes a specific method for calculating a value by using Obvious Transfer when F (x) is a polynomial.
JP 2005-130384 PR D. Beaver and S.M. Goldwasser, “Multipartity Computation with Capacity Major,” in Proceedings of Foundations of Computer Science, Oct. 30-Nov. 1, 1989, pp. 468-473. M.M. Naor and B. Pinkas, “Obliographic Transfer and Polynomial Evaluation,” in Proceedings of the 31st Annual ACM Symposium on Theory of Computing, May 1-4, 19-p. 245-254.

  However, in the method using the conversion function described in Patent Document 1, if the registered biometric information stored in the server device leaks, the biometric information itself does not leak, but it is impersonated by an unauthorized person. There was a problem that it was easy. Further, since the similarity is determined between the converted biometric information, there is a problem that only a simple one such as a normalized Hamming distance or Euclidean distance can be used as the similarity determination means.

  The present invention has been made to solve the above-described problems, and even if information stored in a server device is leaked, it is difficult to impersonate an unauthorized person, and moreover, between biometric information The main purpose is to make it possible to use any of the similarity determination means.

The personal identification information encrypted using the encryption key according to the present invention is inputted and stored as registration identification information, and the central processing unit (CPU) is used by using the stored registration identification information. A personal authentication device that executes authentication processing, is connected to a server device that transmits the result of the executed authentication processing by the communication device via a network, and receives the result of authentication processing transmitted by the server device by the communication device,
The personal authentication device is
A central processing unit (CPU) for executing processing;
A memory for storing a result of processing performed by the CPU;
A key storage unit for storing the encryption key;
An information input unit for inputting personal identification information for authentication;
The encryption key stored in the key storage unit is divided, a plurality of partial key information is generated by the CPU and stored in the memory, and the personal identification information for authentication input by the information input unit is divided into a plurality of partial identifications. Information is generated by the CPU and stored in the memory. The plurality of partial key information and the plurality of partial identification information stored in the memory are used to verify the validity of the encryption key, the personal identification information for authentication, and the registration Verification information for verifying the coincidence with the identification information is generated by the CPU, stored in the memory and output, and the result information obtained as a result of the server device executing the authentication process using the verification information from the server device An encryption part input by the CPU;
A communication unit that transmits the verification information output from the encryption unit to the server device by a communication device and receives result information from the server device via the network by the communication device.

  The personal authentication device of the present invention encrypts personal authentication information, for example, biometric information, using an encryption key stored in the personal authentication device, and the server device stores only the encrypted result. For this reason, even if the biometric information encrypted with the encryption key stored in the server device leaks, there is an effect that the biometric information itself can be prevented from leaking. In addition, the personal authentication device transmits the partial key information and the partial identification information to the server device, respectively, and the server device side authenticates the encryption key, authenticates personal identification information (for example, biometric information), and the server device. The personal identification information (for example, biometric information) stored for registration is verified, so even if information is leaked during the communication of information between the personal authentication device and the server device, the personal identification There is an effect that information and encryption key information itself can be prevented from being leaked.

Embodiment 1 FIG.
FIG. 1 is a configuration diagram of a personal authentication system using biometric information. In FIG. 1, the authentication system 100 includes a personal authentication device 201 and a server device 301 that are client devices, and a network 101 that connects the personal authentication device 201 and the server device 301. In addition, the personal authentication device 201 inputs the biometric information of the person 248 acquired by the biometric information acquisition device 250 as personal identification information. The personal identification information input from the biometric information acquisition apparatus 250 includes biometric information at registration b251 (an example of registration identification information) that is biometric information input for the purpose of registration in the server apparatus 301 and the server apparatus 301 side. Authentication biometric information b′253 (an example of authentication personal identification information) that is biometric information input for the purpose of authentication. The biometric information at registration b251 is encrypted and transmitted from the personal authentication device 201 to the server device 301 via the network 101. The biometric information at authentication b′253 itself is transmitted from the personal authentication device 201 to the server. Not sent to device 301. The server device 301 stores the biometric information b at the time of registration encrypted using the encryption key, executes an authentication process using the biometric information b at the time of registration, and sends the result of the authentication process to the personal authentication device 201. 101 to transmit.

Next, the device configuration of the personal authentication device 201, the server device 301, and the authentication system 100 and the hardware (H / W) configuration of the device will be described.
FIG. 2 is a diagram illustrating a device configuration included in the authentication system. In FIG. 2, the authentication system 100 includes a personal authentication device 201, a server device 301, and a network 101. The personal authentication device 201 and the server device 301 have the same device configuration. Therefore, the device configuration of the personal authentication device 201 will be described, and the description of the device configuration of the server device 301 will be omitted.
In FIG. 2, a personal authentication device 201 includes a system unit 910, a display device 901 having a CRT (Cathode Ray Tube) or LCD (liquid crystal) display screen, a keyboard 902 (K / B), a mouse 903, and an FDD904 (Flexible Disk Drive). ), A compact disk device 905 (CDD), and the like, which are connected by a cable or a signal line.
The system unit 910 is a computer and is connected to the Internet 940 via a local area network 942 (LAN) and a gateway 941. The server device 301 has the same configuration as that of the personal authentication device 201 and connects the personal authentication device 201 via the Internet 940. The network 101 includes a LAN 942, a gateway 941, and the Internet 940. The authentication system 100 includes a personal authentication device 201 having the device configuration shown in FIG. 2, a server device 301, and a network 101.

FIG. 3 is a diagram illustrating an example of hardware resources of the personal authentication device 201 and the server device 301 in FIG. In FIG. 3, the personal authentication device 201 and the server device 301 have the same H / W configuration. Therefore, the H / W configuration of the personal authentication device 201 will be described, and the description of the H / W configuration of the server device 301 will be omitted.
The personal authentication device 201 includes a CPU 911 (also referred to as a central processing unit, a central processing unit, a processing unit, or an arithmetic unit) that executes a program. The CPU 911 is connected to the ROM 913, the RAM 914, the communication board 915, the display device 901, the keyboard 902, the mouse 903, the FDD 904, the CDD 905, and the magnetic disk device 920 via the bus 912, and controls these hardware devices. Instead of the magnetic disk device 920, a storage device such as an optical disk device or a memory card read / write device may be used.
The RAM 914 is an example of a volatile memory (also simply referred to as “memory”). The storage media of the ROM 913, the FDD 904, the CDD 905, and the magnetic disk device 920 are an example of a nonvolatile memory. These are examples of a storage device or a storage unit.
The communication board 915, the keyboard 902, the FDD 904, and the like are examples of an information input unit and an input device.
The communication board 915, the display device 901, and the like are examples of a communication unit, a communication device, an output unit, and an output device.

  The communication board 915 is connected to the LAN 942 or the like. The communication board 915 is not limited to the LAN 942 and may be connected to the Internet 940, a WAN (wide area network) such as ISDN, or the like. When connected to a WAN such as the Internet 940 or ISDN, the gateway 941 is unnecessary.

  The magnetic disk device 920 stores an operating system 921 (OS), a window system 922, a program group 923, and a file group 924. The programs in the program group 923 are executed by the CPU 911, the operating system 921, and the window system 922.

The program group 923 stores programs for executing functions described as “˜unit”, “˜processing”, and “˜means” in the description of the embodiments described below. The program is read and executed by the CPU 911.
In the file group 924, data and signals described as “˜generated result”, “˜judgment result”, “˜calculation result”, and “˜processing result” in the description of the embodiment described below. Values, variable values, and parameters are stored as items of “˜file” and “˜database”.
In addition, the arrows in the flowcharts described in the following description of the embodiments mainly indicate input / output of data and signals. The data and signal values are the RAM 914 memory, the FDD 904 flexible disk, the CDD 905 compact disk, and the magnetic field. The data is recorded on a recording medium such as a magnetic disk of the disk device 920, other optical disk, mini disk, or DVD (Digital Versatile Disk). Data and signals are transmitted online via a bus 912, signal lines, cables, or other transmission media.

  In addition, what is described as “˜unit”, “˜processing”, and “˜means” in the description of the embodiment described below may be realized by firmware stored in the ROM 913. Alternatively, it may be implemented by software alone, hardware alone, a combination of software and hardware, or a combination of firmware. Firmware and software are stored as programs in a recording medium such as a magnetic disk, a flexible disk, an optical disk, a compact disk, a mini disk, and a DVD. The program is read by the CPU 911 and executed by the CPU 911. That is, the program causes the computer to function as “to part”, “to process”, and “to means” described below. Alternatively, the computer executes the procedures of “to part”, “to process”, and “to means” described below.

  FIG. 4 is a block diagram illustrating a configuration example of the personal authentication device 201 in the authentication system (FIG. 1) using biometric information. In FIG. 4, a communication unit 211 is means for communicating with the server device 301 by a communication device. The encryption unit 212 is a means for performing key generation for common key encryption, encryption / decryption for common key / public key encryption, random number generation, and the like. The key storage unit 213 is a data storage unit that stores an encryption key. FIG. 6 shows an example of data stored in the key storage unit 213. In FIG. 6, the key storage unit 213 stores a plurality of different client IDs. The client ID is information for identifying a person corresponding to the biometric information. The encryption key is a key for encrypting the biometric information, and encrypts the biometric information using a different encryption key for each person. The server name is information for identifying the server device to which the personal authentication device is connected. In FIG. 1, the personal authentication device is connected to one server device. However, one personal authentication device may be connected to a plurality of server devices. In this case, the key storage unit 213 stores different server names, and stores different encryption keys corresponding to the server names so that the same biometric information can be encrypted with different encryption keys. I can do it.

The biometric information reading unit 214 is an information input unit that reads biometric information and outputs data. The biological information acquisition device 250 performs an operation of reading the biological information from the person 248, and the biological information reading unit 214 inputs the biological information output by the biological information acquisition device 250. Alternatively, the biological information reading unit 214 may directly read the biological information from the person 248. In this case, it is assumed that the biological information reading unit 214 also has the function of the biological information acquisition device 250.
The format conversion unit 215 is a means for converting data representing biological information into a specific format.
The algorithm storage unit 216 stores an encryption algorithm E223 that is a program created in advance for encrypting the biometric information b251 at the time of registration.
The encryption unit 212 further includes a decryption processing unit 2120, a key verification processing unit 2121, an identification extraction processing unit 2122, and an identification information generation processing unit 2123. The functions and operations of these processing units will be described in detail with reference to FIGS. 10 and 11 described below.
Further, the data flow of the personal authentication device 201 will be described in detail with reference to FIGS. 10 and 11.

FIG. 5 is a block diagram illustrating a configuration example of the server device 301 in the authentication system (FIG. 1) using biometric information. In FIG. 5, a communication unit 311 is means for communicating with the personal authentication device 201 by a communication device. The encryption unit 312 is means for performing encryption / decryption of common key / public key encryption, generation of random numbers, and the like. A biometric information storage unit 313 that is an identification information storage unit is a data storage unit that stores encrypted biometric information of each person (user) in association with a client ID. FIG. 7 shows an example of data stored in the biological information storage unit 313. In FIG. 7, the client ID is information for identifying a person corresponding to the biological information. The encrypted biometric information is information obtained by encrypting biometric information for registration, and is information used for authentication processing when an individual is authenticated.
The biometric information collating unit 314 is a unit that performs biometric information matching determination, and is an identification information collating unit. The format verification unit 315 is a unit that determines whether the data representing the biological information is in a specific format.
The verification unit 317 includes a biometric information matching unit 314, a format verification unit 315, and an encryption unit 312.
The algorithm / function storage unit 316 uses a decryption algorithm D′ 320 for calculating original information for calculating a decryption algorithm D corresponding to an encryption algorithm E described below, or when an input is in a specific format. A function F1′321 that calculates original information for calculating the objective function F1 that outputs 1 as long as possible, and an objective function that outputs only biological information by inputting biological information (including redundant information) according to a specific format A function F2′323 for calculating original information for calculating F2, or a biometric information matching function M that outputs 1 only when two pieces of biometric information are input and it is determined that they are from the same person. A function M ′ 324 for calculating original information for calculating the objective function M is stored. In FIG. 1, it is described that biometric information b at the time of registration is communicated between the personal authentication device 201 and the server device 301 via the network 101. 'Is described for emphasizing that communication is not directly performed between the personal authentication device 201 and the server device 301. Therefore, in FIG. 4 and FIG. 5, the biometric information b251 at the time of registration is not shown between the personal authentication device 201 and the server device 301, but the registration identification information stored in the server device 301 is personal authentication. When the information is transmitted from the apparatus 201 to the server apparatus 301, a line for transmitting the biometric information at registration b251 encrypted by the communication unit 211 of the personal authentication apparatus 201 to the server apparatus 301 by the communication apparatus is illustrated.
The personal authentication device 201 and the server device 301 shown in FIG. 4 have the device configuration shown in FIG. 2 and the H / W configuration shown in FIG. The communication unit 211, the encryption unit 212, the biometric information reading unit 214, the format conversion unit 215, the communication unit 311, the encryption unit 312, the biometric information matching unit 314, and the format verification unit 315 of the personal authentication device 201 The CPU 911 operates. The key storage unit 213, algorithm storage unit 216, and biometric information storage unit 313 and algorithm / function storage unit 316 of the server device 301 include, for example, an FDD904 flexible disk, a CDD905 compact disk, and a magnetic disk. It is a recording medium such as a magnetic disk of the apparatus 920, other optical disk, mini disk, DVD (Digital Versatile Disk), and the like.
In addition, the communication unit 211 and the communication unit 311 communicate information between the personal authentication device 201 and the server device 301 by using, for example, the communication device of the communication board 915.

FIG. 8 is a flowchart for explaining the biometric information registration process in the present embodiment. 9, FIG. 10 and FIG. 11 are flowcharts for explaining the personal authentication processing in the present embodiment.
First, the operation in the biometric information registration process will be described with reference to the flowchart of FIG.
First, the encryption unit 212 of the personal authentication device 201 generates the encryption key k220 (step S601), and the generated encryption key k220 is stored in the key storage unit 213 by the CPU (step S602). Next, the biological information reading unit 214 converts the biological information corresponding to the person 248 (information such as fingerprint, vein, iris, retina, face, handwriting, voice, DNA, etc., hereinafter referred to as biometric information at the time of registration) b into the biological information. The information is read from the information acquisition device 250 and stored in the memory by the CPU (step S603). The biometric information b251 at the time of registration may be data such as images and sounds, or may be information after processing such as feature point extraction is performed by the biometric information acquisition device 250. Thereafter, the format conversion unit 215 converts the biometric information at registration b251 stored in the memory into information f222 according to a specific format, and stores the information in the memory by the CPU (step S604). The information f222 includes all the contents of the biometric information at registration b251 and redundant information. As redundant information, for example, a parity related to biometric information b251 at the time of registration, a hash value of biometric information b251 at the time of registration, time information, or a predetermined character string can be used.
Next, the encryption unit 212 inputs an encryption algorithm E223 predetermined in the present system from the algorithm storage unit 216, and uses the encryption key k220 stored in the key storage unit 213 according to the encryption algorithm E223 to store the memory. The encrypted biometric information e224 is obtained by encrypting the information f222 stored in, and is stored in the memory by the CPU (step S605). The program of the encryption algorithm E223 is a function represented by e = E (k, f).

The personal authentication device 201 transmits the client ID corresponding to the person 248 and the encrypted biometric information e224 as registration information 225 to the server device 301 by the communication device via the communication unit 211 (steps S606 and S607). This may be executed offline via a flexible disk, a card-type storage medium, or the like, or may be executed online by establishing a safe communication path using a communication device via the communication units 211 and 311. . A secure communication path can be established by using existing techniques such as Diffie-Hellman key exchange and SSL (Secure Socket Layer) server authentication.
The client ID is assigned in advance to a person 248 who is permitted to use the personal authentication device, and is stored in the storage unit of the personal authentication device. When the person 248 causes the biological information acquisition apparatus 250 to read the biological information, the person 248 inputs the client ID using the input device. This input device is provided in the biometric information acquisition device 250 or in the personal authentication device 201. Then, the input client ID is compared with the client ID stored in the storage unit of the personal authentication device in advance by the biometric information reading unit 214, and if the matching client ID can be searched, the biometric information reading unit 214 The communication unit 211 performs the process of step S606.
Finally, the server device 301 stores the registration information 225 having the client ID and the encrypted biometric information e received by the communication device via the communication unit 311 in the biometric information storage unit 313 by the CPU (step S608).

  Step S602 in FIG. 8 is a key storage process, and step S608 is an identification information storage process. The key storage process may include step S601. Further, the identification information storing step may include step S607.

Next, before explaining the operation in the personal authentication process, the principle of the personal authentication process will be described.
At the time of personal authentication, information held by the personal authentication device 201 is an encryption key k220 and biometric information read at the time of authentication (hereinafter referred to as biometric information at authentication b′253) b ′, and information held by the server is registered. This is encrypted biometric information e included in the information 225. If the encryption key k220 and the biometric information b'253 at the time of authentication are disclosed to the server device 301, the server device 301 confirms F1 (D (k, e)) = 1, thereby verifying the validity of the encryption key k220. By confirming that M (F2 (D (k, e)), b ′) = 1, the authenticity of the biometric information b′253 at the time of authentication (the similarity to the biometric information b at the time of registration is sufficiently high) ) Can be confirmed and personal authentication can be completed.
Here, D is a decryption algorithm corresponding to the encryption algorithm E223, F1 is a function that outputs 1 only when the input conforms to a specific format, and F2 is biometric information according to the specific format (including redundant information). Is a function that outputs only biological information, and M is a biological information matching function that outputs 1 only when two pieces of biological information are input and it is determined that they are from the same person. However, disclosure of the encryption key k220 and authentication biometric information b′253 used in the execution of these functions and algorithms means disclosure of biometric information. For this reason, it is necessary to show the validity of the encryption key and the biometric information for authentication without disclosing them.

  In order to achieve the above object, the authentication system 100 executes an existing cryptographic protocol called a multi-party protocol. By using the multi-party protocol in the authentication system 100, the encryption key k220 and the authentication biometric information b′253, which are the secret information of the personal authentication device 201, remain secret in the server device 301, that is, in the server device 301. It is possible to calculate the above-described function value without transmitting the encryption key k220 and the authentication biometric information b′253 as they are.

Details of the operation in the personal authentication process will be described with reference to the flowchart of FIG.
First, the biometric information reading device 214 of the personal authentication device 201 inputs the biometric information b ′ 253 at the time of authentication obtained by the biometric information acquisition device 250 from the person 248, and reads the biometric information b ′ 253 at the time of authentication corresponding to the person 248. (Step S701). At this time, the person 248 inputs the client ID with the input device when the biological information acquisition device 250 reads the biological information. This input device is provided in the biometric information acquisition device 250 or in the personal authentication device 201. Then, the input client ID is compared with the client ID stored in the storage unit of the personal authentication device in advance by the biometric information reading unit 214, and when a matching client ID can be searched, the process of the next step S702 is performed. I do. In the processing of S702, after the communication units 211 and 311 establish a safe communication path, the communication unit 211 transmits the client ID corresponding to the person 248 as the authentication information 257 to the communication unit 311 of the server device 301 by the communication device. (Steps S702 and S703). A secure communication path can be established by using existing techniques such as Diffie-Hellman key exchange and SSL server authentication. The server device 301 uses the encrypted biometric information e corresponding to the client ID received by the communication unit 311 via the communication device, and the client ID is obtained from the registration information 225 stored in the biometric information storage unit 313 using the client ID as a search key. The matching information is acquired, and the encrypted biometric information e is extracted from the acquired registration information 225 and stored in the memory by the CPU (step S704).

  Thereafter, the communication unit 211, the encryption unit 212 of the personal authentication device 201, the communication unit 311 of the server device 301, the encryption unit 312, the biometric information matching unit 314, and the format verification unit 315 communicate with each other and execute the multi-party protocol. Thus, the server device keeps the encryption key k220, which is the secret information of the client, and the biometric information b′253 at the time of authentication secret from the server device 301, and the server device has the objective function value F1 (D (k, e)) and M (F2 (D (k, e)), b ′) is obtained (step S705). D, F1, F2, and M are the functions described above, and are calculated by the verification unit 317 including the encryption unit 312, the format verification unit 315, and the biometric information matching unit 314. The calculation result is stored in the memory by the CPU. Detailed operation will be described later with reference to FIGS.

  After the end of the multi party protocol, the format verification unit 315 of the server device 301 checks whether F1 (D (k, e)) = 1 (step S706). The result of the confirmation is stored in the memory. If the result of the objective function F1 stored in the memory is not “1”, the format verification unit 315 terminates the authentication process as an authentication failure. When the result of the objective function F1 stored in the memory is “1”, the biometric information matching unit 314 of the server device 301 confirms whether M (F2 (D (k, e)), b ′) = 1. (Step S707). The result of the confirmation is stored in the memory by the CPU. If the result of the objective function M stored in the memory is not “1”, the biometric information matching unit 314 ends the client authentication process as an authentication failure. When the result of the objective function M stored in the memory is “1”, the biometric information matching unit 314 generates result information 227 indicating that the authentication is successful, and stores the result information 227 in the memory by the CPU. The communication unit 311 extracts the result information 227 stored in the memory, the communication unit 311 transmits the result information 227 to the communication unit 211 of the personal authentication device 201 by the communication device, and the communication unit 211 of the personal authentication device 201 receives the server device 301. Is received by the communication device (steps S708 and S709), the received result information 227 is stored in the memory, and the processing ends as successful authentication.

  The process in step S701 in FIG. 9 described above is an information input process, the processes in S702, S705, and S709 are verification instruction result reception processes, and the processes in steps S703 to S708 are verification processes.

An example of the operation for the server apparatus 301 to obtain the value of the objective function F1 (D (k, e)) in the multi-party protocol execution process in step S705 of FIG. 9 will be described with reference to the flowchart of FIG. .
The encryption unit 212 divides the encryption key k220 into several pieces of partial information, generates a plurality of pieces of partial key information, and stores the pieces of partial key information in the memory by the CPU. Further, the encryption unit 212 randomly creates dummy information equal to the number of divisions of the encryption key k that cannot be distinguished from the plurality of partial key information, and stores the dummy information in the memory by the CPU (Step S1). S801). The number to be divided is set in advance by the user using the input device and stored in the storage device of the personal authentication device 201. Based on the content of the decryption algorithm D, the user determines in advance the number of divisions of the encryption key k. In addition, the method for dividing the encryption key k is based on the content of the decryption algorithm D, and the user sets information indicating the division procedure in advance in the personal authentication device 201 using the input device. Stored in the storage device. The encryption unit 212 extracts information indicating the division procedure from the storage device, and divides the encryption key k according to the procedure.

  The communication unit 211 extracts one partial key information and corresponding dummy information from among the plurality of partial key information stored in the memory in step S801, and uses the two pieces of extracted information as verification information 255. It transmits to 301 by a communication apparatus (step S802). At this time, the information is transmitted so that it is not known from the outside which of the two pieces of information included in the verification information 255 is true information and which is dummy information. The communication unit 311 of the server apparatus 301 receives the transmitted verification information 255 by the communication apparatus. The encryption unit 312 partially applies the decryption algorithm D to each of the two pieces of information included in the verification information 255 received by the communication unit 311, calculates decryption source information, The obtained calculation result is stored in the memory by the CPU (step S803). The partial application means that the decryption source information is calculated based on the decryption algorithm D by using another decryption algorithm D ′ using the partial key information as a parameter of the decryption algorithm D. The decryption algorithm D ′ is created in advance by the user, input by the input device of the server device 301, and stored in the storage device, for example, the algorithm / function storage unit 316. The encryption unit 312 extracts the decryption algorithm D′ 320 stored in the storage device, for example, the algorithm / function storage unit 316, and calculates the decryption source information.

  The encryption unit 312 encrypts the two pieces of decryption source information obtained in step S803 according to the procedure of Obvious Transfer, stores them in the memory, and stores the two pieces of decryption source information encrypted by the communication unit 311 in the memory. Are transmitted from the communication device to the personal authentication device 201 as result information 227 (step S804). The encryption in step S804 is performed using a common key or a public key, and can be decrypted by the personal authentication device 201. The transmitted result information 227 is received by the communication unit 211 of the personal authentication device 201 by the communication device and stored in the memory. Then, the encryption unit 212 decrypts only one of the necessary encrypted decryption source information out of the two encrypted decryption source information included in the result information 227 stored in the memory, and the partial key information Is obtained by applying the decryption algorithm D ′ to the memory and stored in the memory by the CPU (step S805). The two pieces of decryption source information transmitted to the personal authentication device 201 in accordance with the procedure of Oblivious Transfer can determine which of the two pieces of decryption source information is required. For this reason, the encryption unit 212 can determine one necessary decryption source information.

The procedure from step S802 to step S805 is repeated as many times as the number obtained by dividing the encryption key k in step S801. That is, when the iterative process is completed, the same number of decrypted pieces of decryption source information as the number obtained by dividing the encryption key is stored in the memory.
The encryption unit 212 integrates a plurality of pieces of decryption source information stored in the memory obtained by repetition of steps S802 to S805, and obtains decryption information t1 that is some value t1 related to D (k, e). The calculation is performed and stored in the memory by the CPU (step S806). The integration method is performed according to an integration procedure set in advance by the user based on the decoding algorithm D. The user creates information indicating the integration procedure based on the content of the decryption algorithm D, inputs the information indicating the integration procedure with the input device of the personal authentication device 201, and integrates the information into the storage device, for example, the algorithm storage unit 216. Information indicating the procedure is stored. The encryption unit 212 reads information indicating the integration procedure stored in the storage device, for example, the algorithm storage unit 216, and generates decryption information t1. The decryption information t1 cannot be calculated by the personal authentication apparatus 201 from the decryption information t1, but the server apparatus 301 calculates D (k, e) from the decryption information t1. It ’s something you can do.
Steps S801, S802, S805, and S806 described above are decoding processing steps executed by the decoding processing unit 2120. The decoding processing unit 2120 generates and outputs decoding information 2125 that is decoding information t1. Steps S803 and S804 are decoding processes.

  The encryption unit 212 divides the decryption information t1 into several pieces of partial information, generates a plurality of pieces of partial decryption information, and stores them in the memory. Further, the same number of pieces of dummy information as the number obtained by dividing the decoding information that cannot be distinguished from the plurality of pieces of partial decoding information is randomly generated and stored in the memory by the CPU (step S807). The number to be divided is set in advance by the user using the input device and stored in the storage device of the personal authentication device 201. The user determines in advance the number of divisions of the decoding information t1 based on the contents of the objective function F1. The method for dividing the decryption information t1 is based on the content of the objective function F1, and the user previously sets information indicating the division procedure in the personal authentication device 201 using the input device. Stored in the storage device. The encryption unit 212 extracts information indicating the division procedure from the storage device, and divides the decryption information t1 according to the procedure.

  The communication unit 211 extracts one partial decoding information and one corresponding dummy information from among the plurality of partial decoding information stored in the memory in step S807, and uses the two pieces of extracted information as verification information 255, and the server device It transmits to 301 by a communication apparatus (step S808). At this time, the information is transmitted so that it is not known from the outside which of the two pieces of information included in the verification information 255 is true information and which is dummy information. The communication unit 311 of the server apparatus 301 receives the transmitted verification information 255 by the communication apparatus. The format verification unit 315 partially applies the objective function F1 to each of the two pieces of information included in the verification information 255 received by the communication unit 311 to calculate verification source key information. The calculation result obtained in this way is stored in the memory by the CPU (step S809). The partial application is to calculate the verification source key information using another function F1 'that uses partial decryption information as a parameter of the function based on the objective function F1. The function F <b> 1 ′ is created in advance by the user, input by the input device of the server device 301, and stored in the storage device, for example, the algorithm / function storage unit 316. The format verification unit 315 extracts the function F1′321 stored in the storage device, for example, the algorithm / function storage unit 316, and calculates verification source key information.

  The encryption unit 312 encrypts the two pieces of verification source key information obtained in step S809 according to the procedure of Oblivious Transfer, stores them in the memory, and stores the two pieces of verification source key information encrypted by the communication unit 311 in the memory. And the two pieces of information are transmitted as result information 227 to the personal authentication device 201 by the communication device (step S810). The encryption in step S810 is performed using a common key or a public key, and can be decrypted by the personal authentication device 201. The transmitted result information 227 is received by the communication unit 211 of the personal authentication device 201 by the communication device and stored in the memory. Then, the encryption unit 212 decrypts only one of the necessary encrypted verification source key information out of the two encrypted verification source key information included in the result information 227 stored in the memory, A value obtained by applying the function F1 ′ to the decryption information is acquired and stored in the memory by the CPU (step S811). The two pieces of verification source key information transmitted to the personal authentication device 201 in accordance with the procedure of Oblivious Transfer can determine which of the two pieces of verification source key information is required. For this reason, the encryption unit 212 can determine the required verification source key information.

  The encryption unit 212 integrates a plurality of pieces of verification source key information stored in the memory obtained by repetition from step S808 to step S811, and uses a certain value t2 related to the objective function F1 (D (k, e)). Certain key verification information t2 is calculated and stored in the memory by the CPU (step S812). The integration method is performed according to an integration procedure set in advance by the user based on the objective function F1. The user creates information indicating the integration procedure based on the contents of the objective function F1, inputs information indicating the integration procedure with the input device of the personal authentication device 201, and integrates the information into the storage device, for example, the algorithm storage unit 216. Is stored. The encryption unit 212 reads information indicating the integration procedure stored in the storage device, for example, the algorithm storage unit 216, and generates key verification information t2. The key verification information t2 cannot be calculated from the key verification information t2 by the personal authentication device 201, but the server device 301 can calculate the key verification information t2 to F1 (F1 (D (k, e)). D (k, e)) can be calculated.

The communication unit 211 extracts the key verification information t2 calculated in step S812 and stored in the memory, and transmits it as verification information 255 to the communication unit 311 of the server device 301 by the communication device (step S813). The communication unit 311 receives the key verification information t2 transmitted as the verification information 255 from the personal authentication device 201 and stores it in the memory. The format verification unit 315 calculates the objective function F1 (D (k, e)) from the key verification information t2 stored in the memory, obtains the value of the objective function, and stores it in the memory (step S814). Here, instead of calculating the objective function F1 (D (k, e)) itself, the value of the objective function is calculated by a calculation procedure that replaces the objective function F1 (D (k, e)) using the key verification information t2. Get. The calculation procedure that replaces the objective function F1 is generated in advance by the user and stored in the storage device of the server device 301, for example, the algorithm / function storage unit 316. The format verification unit 315 extracts a calculation procedure instead of the objective function F1 from the algorithm / function storage unit 316, and obtains the value of the objective function using the key verification information t2.
In step S706 in FIG. 9, the value of the calculation result of the objective function F1 (D (k, e)) stored in the memory in step S814 is confirmed.

  Steps S807, S808, S811, S812, and S813 described above are key verification processing steps executed by the key verification processing unit 2121. In step S807, the decryption information 2125 generated by the decryption processing unit 2120 of the encryption unit 212 and stored in the memory is output to the key verification processing unit 2121. Steps S809 and S810 are verification source key information calculation steps.

By each step of FIG. 10 described above, the server apparatus 301 obtains the calculation result of the objective function F1. The server device 301 is not notified of the encryption key k from the personal authentication device 201, that is, the personal authentication device 201 keeps the encryption key k secret from the server device 301, and the server device 301 does not verify the encryption key k. Can be verified.
The above is an example of the operation of the multi-party protocol, and does not limit the available multi-party protocol.

  Refer to the flowchart of FIG. 11 for an example of the operation for the server to obtain the value of the objective function M (F2 (D (k, e)), b ′) in the multi-party protocol execution process of step S705 of FIG. While explaining.

The processing from steps S801 to S806 in FIG. 11 is the same as the processing from steps S801 to S806 in FIG.
The encryption unit 212 divides the decryption information t1 into several pieces of partial information, generates a plurality of pieces of partial decryption information, and stores them in the memory. Further, the same number of pieces of dummy information as the number obtained by dividing the decoding information that cannot be distinguished from the plurality of pieces of partial decoding information is randomly generated and stored in the memory by the CPU (step S807). The number to be divided is set in advance by the user using the input device and stored in the storage device of the personal authentication device 201. The user determines in advance the division number of the decoding information t1 based on the content of the objective function F2. The method for dividing the decryption information t1 is based on the content of the objective function F2, and the user previously sets information indicating the division procedure in the personal authentication device 201 using the input device. Stored in the storage device. The encryption unit 212 extracts information indicating the division procedure from the storage device, and divides the decryption information t1 according to the procedure.

  The communication unit 211 extracts one partial decoding information and one corresponding dummy information from among the plurality of partial decoding information stored in the memory in step S807, and uses the two pieces of extracted information as verification information 255, and the server device It transmits to 301 by a communication apparatus (step S808). At this time, the information is transmitted so that it is not known from the outside which of the two pieces of information included in the verification information 255 is true information and which is dummy information. The communication unit 311 of the server apparatus 301 receives the transmitted verification information 255 by the communication apparatus. The format verification unit 315 partially applies the objective function F2 to each of the two pieces of information included in the verification information 255 received by the communication unit 311 to calculate the identification extraction source information. The calculation result obtained in this manner is stored in the memory by the CPU (step S820). The partial application is to calculate the identification extraction source information based on the objective function F2 and using another function F2 'that uses partial decoding information as a function parameter. The function F <b> 2 ′ is created in advance by the user, input by the input device of the server device 301, and stored in the storage device, for example, the algorithm / function storage unit 316. The format verification unit 315 extracts the function F2′323 stored in the storage device, for example, the algorithm / function storage unit 316, and calculates the identification / extraction source information.

  The encryption unit 312 encrypts the two identification / extraction source information obtained in step S809 according to the procedure of Oblivious Transfer, stores them in the memory by the CPU, and the two identification extractions that the communication unit 311 encrypts. The original information is read from the memory, and the two pieces of information are transmitted as result information 227 to the personal authentication device 201 by the communication device (step S821). The encryption in step S821 is performed using a common key or public key, and can be decrypted by the personal authentication device 201. The transmitted result information 227 is received by the communication unit 211 of the personal authentication device 201 by the communication device and stored in the memory by the CPU. Then, the encryption unit 212 decrypts only one of the necessary encrypted identification extraction source information out of the two encrypted identification extraction source information included in the result information 227 stored in the memory, A value obtained by applying the function F2 ′ to the decryption information is acquired and stored in the memory by the CPU (step S833). The two pieces of identification extraction source information transmitted to the personal authentication apparatus 201 according to the procedure of Oblivious Transfer can determine which of the two pieces of identification extraction source information is required. For this reason, the encryption part 212 can determine one required identification extraction source information.

  The encryption unit 212 integrates a plurality of pieces of verification source key information stored in the memory obtained by repetition of steps S808, S820, S821, and S833, and performs some kind of relationship with the objective function F2 (D (k, e)). The identification extraction information t3, which is the value t3, is calculated and stored in the memory by the CPU (step S822). The integration method is performed according to an integration procedure set in advance by the user based on the objective function F2. The user creates information indicating the integration procedure based on the content of the objective function F2, inputs information indicating the integration procedure with the input device of the personal authentication device 201, and integrates the information into the storage device, for example, the algorithm storage unit 216. Is stored. The encryption unit 212 reads information indicating the integration procedure stored in the storage device, for example, the algorithm storage unit 216, and generates identification extraction information t3. The identification extraction information t3 cannot be calculated by the personal authentication device 201 from the identification extraction information t3, but F2 (D (k, e)). D (k, e)) can be calculated.

  Steps S807, S808, S833, and S822 described above are identification extraction processing steps executed by the identification extraction processing unit 2122. In step S807, the decryption information 2125 generated by the decryption processing unit 2120 of the encryption unit 212 and stored in the memory is output to the identification extraction processing unit 2122. Steps S820 and S821 are identification extraction source information calculation steps.

  Subsequently, the encryption unit 212 extracts the identification extraction information t3 stored in the memory in step S822 by the CPU, combines the extracted identification extraction information t3 and the authentication biometric information b ′, and combines the combined information t5 by the CPU. Is generated. The generated combination information t5 is stored in the memory by the CPU.

  The procedure for combining is set in advance by the user using the input device and stored in the storage device of the personal authentication device 201. Based on the content of the objective function M, the user determines in advance a procedure for combining the identification extraction information t3 and the authentication biometric information b '. In addition, information indicating the coupling procedure is set in the personal authentication device 201 using the input device and stored in the storage device of the personal authentication device 201. The encryption unit 212 extracts information indicating the coupling procedure from the storage device, and couples the identification extraction information t3 and the authentication biometric information b 'according to the procedure to generate the coupling information t5.

  Then, the encryption unit 212 extracts the combined information t5 stored in the memory by the CPU, divides the extracted combined information t5 into several pieces of partial information, generates a plurality of pieces of partial identification information, and stores them in the memory by the CPU. Remember. Further, the same number of pieces of dummy information as the number obtained by dividing the combined information t5 that cannot be distinguished from the plurality of pieces of partial identification information is randomly generated and stored in the memory by the CPU (step S825). The number to be divided is set in advance by the user using the input device and stored in the storage device of the personal authentication device 201. Based on the content of the objective function M, the user determines in advance the division number of the combined information t5. Further, the method of dividing the combined information t5 is based on the content of the objective function M, and the user previously sets information indicating the division procedure in the personal authentication device 201 using the input device. Store in a storage device. The encryption unit 212 extracts information indicating the division procedure from the storage device, and divides the combined information t5 according to the procedure.

  The communication unit 211 extracts one piece of partial identification information and one corresponding piece of dummy information from among the plurality of pieces of partial identification information stored in the memory in step S825, and uses the two pieces of extracted information as verification information 255. It transmits to 301 by a communication apparatus (step S826). At this time, the information is transmitted so that it is not known from the outside which of the two pieces of information included in the verification information 255 is true information and which is dummy information. The communication unit 311 of the server device 301 receives the transmitted verification information 255 by the communication device. The biometric information matching unit 314 calculates the verification source identification information by partially applying the objective function M to each of the two pieces of information included in the verification information 255 received by the communication unit 311, The calculation result obtained for the CPU is stored in the memory by the CPU (step S827). The partial application means that the identification extraction source information is calculated based on the objective function M by using another function M ′ that uses partial identification information as a parameter of the function. The function M ′ is created in advance by the user, input by the input device of the server device 301, and stored in a storage device, for example, the algorithm / function storage unit 316. The biometric information matching unit 314 extracts the function M ′ 324 stored in the storage device, for example, the algorithm / function storage unit 316, and calculates verification source identification information.

  The encryption unit 312 encrypts the two verification source identification information obtained in step S827 according to the procedure of Oblivious Transfer, stores the verification source identification information in the memory by the CPU, and the two verification sources encrypted by the communication unit 311. The identification information is read from the memory, and the two pieces of information are transmitted as result information 227 to the personal authentication device 201 by the communication device (step S828). The encryption in step S828 is performed using a common key or a public key, and can be decrypted by the personal authentication device 201. The transmitted result information 227 is received by the communication unit 211 of the personal authentication device 201 by the communication device and stored in the memory by the CPU. Then, the encryption unit 212 decrypts only one of the necessary encrypted verification source identification information among the two encrypted verification source identification information included in the result information 227 stored in the memory, A value obtained by applying the function M ′ to the identification information is acquired and stored in the memory by the CPU (step S830). The two pieces of verification source identification information transmitted to the personal authentication device 201 in accordance with the procedure of Obvious Transfer can determine which of the two pieces of verification source identification information is required. For this reason, the encryption part 212 can determine one verification origin identification information required.

  The encryption unit 212 integrates a plurality of pieces of verification source identification information stored in the memory obtained by repeating steps S826, S827, S828, and S829, and obtains an objective function M (F2 (D (k, e)), b The identification information verification information t4, which is some value t4 related to '), is calculated and stored in the memory by the CPU (step S831). The integration method is performed according to an integration procedure set in advance by the user based on the objective function M. The user creates information indicating the integration procedure based on the content of the objective function M, inputs information indicating the integration procedure with the input device of the personal authentication device 201, and integrates the information into the storage device, for example, the algorithm storage unit 216. Is stored. The encryption unit 212 reads information indicating the integration procedure stored in the storage device, for example, the algorithm storage unit 216, and generates identification information verification information t4. Note that the identification information verification information t4 cannot be calculated by the personal authentication apparatus 201 from the identification information verification information t4, but the server apparatus 301 can calculate M (F2 (D (k, e)), b ′). M (F2 (D (k, e)), b ′) can be calculated from the identification information verification information t4.

The communication unit 211 extracts the identification information verification information t4 calculated in step S830 and stored in the memory, and transmits the identification information verification information 255 to the communication unit 311 of the server device 301 as verification information 255 (step S831). The communication unit 311 receives the identification information verification information t4 transmitted as the verification information 255 from the personal authentication device 201 and stores it in the memory. The biometric information matching unit 314 calculates the objective function M (F2 (D (k, e)), b ′) from the identification information verification information t4 stored in the memory, obtains the value of the objective function, and the CPU Is stored in the memory (step S832). Here, the objective function M (F2 (D (k, e)), b ′) itself is not calculated, but the objective function M (F2 (D (k, e)) is used by using the identification information verification information t4. , B ′), the objective function value is obtained by a calculation procedure. A calculation procedure that replaces the objective function M is generated in advance by the user and stored in the storage device of the server device 301, for example, the algorithm / function storage unit 316. The biometric information matching unit 314 extracts a calculation procedure that replaces the objective function M from the algorithm / function storage unit 316, and obtains the value of the objective function using the identification information verification information t4.
In step S707 of FIG. 9, the value obtained by calculating the objective function M (F2 (D (k, e)), b ′) stored in the memory in step S832 is used as the calculation result of the objective function M.

  Steps S823, S825, S826, S829, S830, and S831 described above are identification information generation processing steps executed by the identification information generation processing unit 2123. Steps S827 and S828 are verification source identification information calculation steps.

  The server device 301 obtains the calculation result of the objective function M through the steps in FIG. 11 described above. The server device 301 is not notified of the encryption key k and the authentication biometric information b ′ from the personal authentication device 201, that is, the personal authentication device 201 sends the encryption key k and the authentication biometric information b ′ to the server device 301. The server device 301 can verify the authenticity of the authentication biometric information b ′ while keeping it secret.

  As described above, by encrypting the biometric information using the encryption key that is the secret information held only by the personal authentication device 201 and storing only the encrypted result in the server device 301, this server device 301 should be used. Even when the information stored in is leaked, the biological information itself is not leaked. Further, by converting the biometric information into a specific format using the format conversion unit 215 and then encrypting it, even if information is leaked, the property that impersonation by an unauthorized person is difficult is achieved. Furthermore, since the biometric information before encryption can be collated by using the multi-party protocol, the property that any biometric information collating means can be used is achieved.

  In the present embodiment, fingerprints, veins, irises, retinas, faces, handwriting, voices, and DNAs are given as examples of biological information. However, other biological information can be used.

  In this embodiment, the personal authentication device 201 generates an encryption key in step S601 of FIG. 8, but a reliable third party generates the encryption key and transmits it to the personal authentication device 201. It can also be shaped.

  In this embodiment, common key encryption is used as encryption, but public key encryption can also be used.

  In the present embodiment, the same encryption algorithm is used in the entire system, but a different encryption algorithm may be used for each personal authentication device.

  In this embodiment, the user determines the number of pieces of information to be divided, the division procedure of each information, the partial application procedure of each function, the integration procedure of each function value, the combination procedure of each information, etc. However, these may be determined by a server or a trusted third party.

  Further, the server device and the personal authentication device described in the present embodiment may be, for example, a personal computer and a peripheral device (such as a biometric information reading device).

In this embodiment, in an authentication system using biometric information, a personal authentication device that has undergone biometric information format conversion and encryption is transmitted to the server device, and the personal authentication is performed without disclosing the biometric information to the server device. An example of an authentication system, a personal authentication device, a server device, and an authentication method that enable authentication has been described.
An example of using a multi-party protocol for communication between a personal authentication device and a server device to enable the personal authentication device to perform personal authentication without disclosing biometric information to the server device. explained.

Embodiment 2. FIG.
In the present embodiment, a description will be given of the personal authentication system using biometric information described in the first embodiment that performs biometric information matching using a Hamming distance. Since the system configuration is the same as that described in the first embodiment, description thereof is omitted. In order to simplify the explanation, the conversion used by the format conversion unit 215 is assumed to be an identity function. That is, redundant information is not added to the biometric information b251 at the time of registration.
The flow of the biometric information registration process in the present embodiment is the same as that described in the first embodiment (FIG. 8). In the present embodiment, the conversion used by the format conversion unit 215 is an identity function. The encryption algorithm E223 is an exclusive OR, that is, a function represented by E (k, f) = k ^ f. Note that “^” used in the expression on the left is used as a symbol indicating that exclusive OR is performed. Similarly, the expressions described below and “^” described in the drawings are also used as symbols indicating that exclusive OR is performed.

The flow of the personal authentication process in the present embodiment is the same as that described in the first embodiment (FIG. 9). Since exclusive OR is used as the encryption algorithm E223, the decryption algorithm D is an exclusive OR, that is, a function represented by D (k, e) = k ^ e. Since the identity function is used as the conversion used by the format conversion unit 215, F1 is a function that always outputs 1, and F2 is an identity function. The biometric information matching function M is a function that outputs 1 only when the hamming distance between two input biometric information is equal to or less than a predetermined threshold t. The threshold value t is a value determined by the system in consideration of the principal rejection rate and the stranger acceptance rate.
When each function is determined as described above, F1 (D (k, e)) = 1, M (F2 (D (k, e)), b ′ regarding the value of the objective function calculated in step S705 of FIG. ) = M (k ^ e, b ′) = M (k ^ b ′, e) is established equally. Therefore, in the multi-party protocol executed in step S705, it is only necessary to calculate whether or not the value of M (k ^ b ', e) is 1.

FIG. 12 is a flowchart for explaining a multi-party protocol execution process in the personal authentication process according to the present embodiment.
An example of an operation for the server apparatus 301 to obtain the value of the objective function M (k ^ b ′, e) in the multi-party protocol execution process in step S705 of FIG. 9 will be described with reference to the flowchart of FIG. . Note that the bit length m of the random number si used below is appropriately determined in advance by the system. For example, it is set so that 2 to the power of m is sufficiently larger than the bit length of the biological information. The arithmetic operations described below are all modulo 2 m.
The encryption unit 212 calculates the exclusive OR k ^ b ′ of the encryption key k220 and the authentication biometric information b ′ (step S1201). Further, k ^ b 'is divided for each bit, and the value of each bit is stored in the memory by the CPU (step S1202). The bit length of k ^ b ′ is described as n.
The encryption unit 312 randomly selects a random number r from either −1 or 1, and further selects n random numbers si (s1 to sn) from 0 to an integer less than 2 m to select a CPU. Is stored in the memory (step S1203).
The encryption unit 312 reads the encrypted biometric information e stored in the memory in step S704, sets the i-th bit of e as p, and the partial application result α0 = r × p + si, α1 = of the decryption algorithm D and biometric information matching function M r × (1−p) + si is calculated (step S1204).

The encryption unit 312 encrypts each of the two partial application results obtained in step S1204 according to the procedure of Oblivious Transfer, stores the result in the memory, and reads out the two partial application results encrypted by the communication unit 311 from the memory. Then, the two pieces of information are transmitted as result information 227 by the communication device to the personal authentication device 201 (step S1205). The encryption in step S1205 is performed using a common key or a public key, and can be decrypted by the personal authentication device 201. The transmitted result information 227 is received by the communication unit 211 of the personal authentication device 201 by the communication device and stored in the memory. Then, the encryption unit 212 decrypts only one of the necessary encrypted partial application results among the two encrypted partial application results included in the result information 227 stored in the memory, and the CPU (Step S1206). Here, the required partial application result is α0 when the value of the i-th bit divided and stored in the memory in step S1202 is 0, and α1 when the value is 1. Hereinafter, the partial application result acquired in step S1206 is described as xi. The two partial application results transmitted to the personal authentication device 201 in accordance with the procedure of Obvious Transfer can determine which of the two partial application results is required information. For this reason, the encryption unit 212 can determine the required partial application result.
The encryption unit 212 calculates the sum Σxi of n partial application results xi stored in the memory obtained by repetition from step S1204 to step S1206, and stores it in the memory by the CPU (step S1207).
The communication unit 211 extracts the sum Σxi calculated in step S1207 and stored in the memory, and transmits it as verification information 255 to the communication unit 311 of the server device 301 by the communication device (step S1208). The communication unit 311 receives the sum Σxi transmitted as the verification information 255 from the personal authentication device 201 and stores it in the memory. The encryption unit 312 calculates (Σxi−Σsi) / r to obtain a Hamming distance between k ^ b ′ and e and stores it in the memory (step S1209).

The biometric information matching unit 314 reads a plurality of Hamming distances obtained by repeating Steps S1203 to S1209 for the required number of rounds from the memory, and all the Hamming distances match and have a value of 0 or more and t or less. Only in some cases, the value of the objective function M (k ^ b ', e) is set to 1 and stored in the memory. In other cases, the value of the objective function M (k ^ b ′, e) is set to 0 and stored in the memory (step S1210). The number of rounds is a value determined in advance by the system in consideration of the acceptance rate of others.
The server device 301 obtains the calculation result of the objective function M (k ^ b ′, e) through the above steps in FIG. The server device 301 is not notified of the encryption key k and the authentication biometric information b ′ from the personal authentication device 201, that is, the personal authentication device 201 sends the encryption key k and the authentication biometric information b ′ to the server device 301. The server device 301 can verify the authenticity of the authentication biometric information b ′ while keeping it secret.

  It can be easily confirmed that the value of the objective function M (k ^ b ', e) is correctly calculated by each step of FIG. Further, by using the Oblivious Transfer, the Hamming distance and the value of M (k ^ b ′, e) are set while keeping the encryption key k, the biometric information for authentication b ′ and k ^ b ′ in the server device 301 secret. The property of being able to calculate is achieved. Further, by using the random number si, the personal authentication device 201 achieves the property that it cannot obtain any information other than the authentication processing result. Furthermore, by repeating steps S1203 to S1209 and using a random number r selected at random each time, the probability that an unauthorized person succeeds in falsifying the value of the Hamming distance can be exponentially approached to zero. Has achieved the nature.

  As described above, by encrypting the biometric information using the encryption key that is the secret information held only by the personal authentication device 201 and storing only the encrypted result in the server device 301, this server device 301 should be used. Even when the information stored in is leaked, the biological information itself is not leaked.

Note that the variations described in the first embodiment can be similarly applied to the present embodiment.
In the present embodiment, the random number r is randomly selected from either −1 or 1 in step S1203 of FIG. 12, but may be selected randomly from a wider range. In this case, it is possible to reduce the probability that an unauthorized person succeeds in faking the value of the Hamming distance. In this case, it is necessary to appropriately define the division in step S1209.
In the present embodiment, the server device 301 obtains a Hamming distance of k ^ b ′ and e in step S1209 of FIG. 12, but the server device 301 has a Hamming distance by combining with other multi-party protocols. It is also possible to make it possible to calculate only the value of M (k ^ b ', e) without obtaining This can be realized, for example, by using a multi-party protocol that performs a size comparison while keeping Σxi and Σsi secret.
Further, in the present embodiment, k ^ b ′ is divided for each bit in step S1202 of FIG. 12, and processing is performed bit by bit in steps S1204 to S1206. It is also possible to improve efficiency.

It is a block diagram of the personal authentication system using biometric information. It is a figure which shows the apparatus structure with which an authentication system is provided. FIG. 3 is a diagram illustrating an example of hardware resources of a personal authentication device 201 and a server device 301 in FIG. 2. 1 is a block diagram illustrating a configuration example of a personal authentication device 201 in an authentication system (FIG. 1) using biometric information. FIG. 3 is a block diagram illustrating a configuration example of a server device 301 in an authentication system (FIG. 1) using biometric information. It is a figure showing an example of the data which key storage part 213 memorizes. It is a figure showing an example of the data which biometric information storage part 313 memorizes. It is a flowchart figure for demonstrating the biometric information registration process in this Embodiment. FIG. 5 is a flowchart for explaining personal authentication processing in the first embodiment. FIG. 5 is a flowchart for explaining personal authentication processing in the first embodiment. FIG. 5 is a flowchart for explaining personal authentication processing in the first embodiment. FIG. 10 is a flowchart for explaining a multi-party protocol execution process in the personal authentication process according to the second embodiment.

Explanation of symbols

  100 authentication system, 101 network, 201 personal authentication device, 211 communication unit, 212 encryption unit, 213 key storage unit, 214 biometric information reading unit, 215 format conversion unit, 216 algorithm storage unit, 220 encryption key k, 222 information f, 223 encryption algorithm E, 224 encrypted biometric information e, 225 registration information, 227 result information, 248 people, 250 biometric information acquisition device, 251 biometric information b at registration, 253 biometric information b ′ at authentication, 255 verification information, 257 authentication information, 301 server device, 311 communication unit, 312 encryption unit, 313 biometric information storage unit, 314 biometric information collation unit, 315 format verification unit, 316 algorithm / function storage unit, 317 verification unit, 320 decryption algorithm D ′ , 321 Function F1 ′, 323 Function F2 ′, 3 24 function M ′, 901 display device, 902 keyboard, 903 mouse, 904 FDD, 905 CDD, 908 database, 910 system unit, 911 CPU, 912 bus, 913 ROM, 914 RAM, 915 communication board, 920 magnetic disk device, 921 OS, 922 window system, 923 program group, 924 file group, 940 Internet, 941 gateway, 942 LAN, 2120 decryption processing unit, 2121 key verification processing unit, 2122 identification extraction processing unit, 2123 identification information generation processing unit, 2125 Decoding information.

Claims (11)

Personal identification information encrypted using an encryption key is input and stored as registration identification information, and authentication processing is performed by a central processing unit (CPU) using the stored registration identification information. In the personal authentication device that is connected via a network to the server device that transmits the result of the executed authentication process by the communication device and receives the result of the authentication process transmitted by the server device by the communication device,
The personal authentication device is
A CPU that executes processing;
A memory for storing a result of processing performed by the CPU;
A key storage unit for storing the encryption key;
An information input unit for inputting personal identification information for authentication;
The encryption key stored in the key storage unit is divided, a plurality of partial key information is generated by the CPU and stored in the memory, and the personal identification information for authentication input by the information input unit is divided into a plurality of partial identifications. Information is generated by the CPU and stored in the memory. The plurality of partial key information and the plurality of partial identification information stored in the memory are used to verify the validity of the encryption key, the personal identification information for authentication, and the registration Verification information for verifying the coincidence with the identification information is generated by the CPU, stored in the memory and output, and the result information obtained as a result of the server device executing the authentication process using the verification information from the server device An encryption part input by the CPU;
A communication unit that transmits the verification information output from the encryption unit to the server device through a communication device and receives result information from the server device via the network by the communication device; Authentication device. The encryption unit outputs the verification information by the CPU using a multi-party protocol, and inputs result information.
The personal authentication apparatus according to claim 1, wherein the communication unit transmits the verification information by a communication apparatus using a multi-party protocol and receives the result information. The encryption part is
The CPU divides the encryption key stored in the key storage unit, generates a plurality of partial key information, stores the partial key information in the memory, and uses the plurality of partial key information stored in the memory as the verification information. A plurality of decryption source information calculated by the CPU using each partial key information and the registration identification information as the result information from the server device. Decoding information that is received by the communication device via the communication unit and that uses the received result information to generate decoding information that is the original information for generating the decoding result of the registration identification information by the CPU and stores it in the memory A processing unit;
The decoding processing unit divides the decoding information stored in the memory, generates a plurality of partial decoding information by the CPU and stores it in the memory, and uses the plurality of partial decoding information stored in the memory as the verification information for the communication A plurality of verification source key information that is transmitted by the communication device to the server device via the unit and calculated by the CPU using the partial decryption information by the server device as result information from the server device via the communication unit. The server device generates the key verification information used by the server device for verifying the validity of the encryption key using the plurality of verification source key information stored in the memory. A key verification processing unit that transmits the key verification information stored in the memory as the verification information to the server device via the communication unit via the communication unit;
The decoding processing unit divides the decoding information stored in the memory, generates a plurality of partial decoding information by the CPU and stores it in the memory, and uses the plurality of partial decoding information stored in the memory as the verification information for the communication A plurality of pieces of identification extraction source information transmitted by the communication device to the server device via the unit and calculated by the CPU using the partial decoding information by the server device as result information from the server device via the communication unit. Using the plurality of identification extraction source information received by the communication device and stored in the memory, the CPU generates identification extraction information used by the server device to extract the personal identification information before encryption. A processing unit for identification extraction stored in the memory,
The identification extraction information generated by the identification extraction processing unit is extracted from the memory, and the extracted identification extraction information and the authentication personal identification information input by the information input unit are combined to generate combined information by the CPU. And then storing the combined information stored in the memory and generating a plurality of partial identification information by the CPU and storing the partial identification information in the memory as the verification information. A plurality of verification source identification information, which is transmitted by the communication device to the server device via the communication unit and calculated by the CPU using the partial identification information by the server device, is sent to the communication unit as result information from the server device. Received by the communication device via the communication device, stored in the memory, the server device using the plurality of verification source identification information stored in the memory, the server device for the personal identification information for authentication and the registration Identification information verification information used when verifying a match with other information is generated by the CPU and stored in the memory, and the identification information verification information stored in the memory is communicated via the communication unit as the verification information. The personal authentication device according to claim 2, further comprising: an identification information generation processing unit that transmits the information to the server device.   The encryption unit uses the Oblivious Transfer (OT) to transmit the verification information to the server device by the communication device via the communication unit, and sends the result information from the server device to the server device. The personal authentication device according to claim 1, wherein the personal authentication device performs reception by a communication device via a communication unit and storage in a memory. A personal authentication device that stores an encryption key and inputs personal identification information for authentication is connected via a network, and the personal identification information encrypted using the encryption key is input and stored as registration identification information. Using the stored registration identification information, the authentication processing of the authentication personal identification information input by the personal authentication device is executed by a central processing unit (CPU), and the result of the executed authentication processing is stored in the memory. In the server device that transmits the result of the authentication process stored in the memory to the personal authentication device by the communication device,
An identification information storage unit for storing the registration identification information;
A communication unit that communicates with the personal authentication device and the communication device via the network;
A plurality of partial key information generated by the CPU by dividing the encryption key stored in the personal authentication device from the personal authentication device, and a plurality of partial identification information generated by the CPU by dividing the personal identification information for authentication. Is received by the communication device via the communication unit as verification information and stored in the memory, and the verification information stored in the memory is used to input the encryption key itself stored in the personal authentication device and the personal authentication device. The authentication process is executed by the CPU without using the authentication personal identification information itself to verify the validity of the encryption key and the match between the authentication personal identification information and the registration identification information. And a verification unit that transmits the verified result information to the personal authentication device by the communication device via the communication unit. The verification unit inputs the verification information by the CPU using a multi-party protocol, and outputs result information.
The server device according to claim 5, wherein the communication unit transmits the verification information by a communication device using a multi-party protocol and receives the result information. The verification part
A plurality of partial key information generated by dividing the encryption key stored in the personal authentication unit is received from the personal authentication device as the verification information by the communication device via the communication unit and stored in the memory for verification. A plurality of pieces of partial key information stored in the memory as information and a plurality of pieces of registration information stored in the identification information storage unit are used to calculate a plurality of pieces of decryption information related to the result of decoding the registration identification information. A decryption source information calculated by the CPU and stored in the memory, and a result stored in the memory is transmitted as the result information to the personal authentication device by the communication device via the communication unit;
A plurality of pieces of partial decryption information generated by the personal authentication device by the CPU using the plurality of pieces of decryption source information is received by the communication device via the communication unit as the verification information and stored in the memory. Then, using a plurality of partial decryption information stored in the memory as verification information, a plurality of verification source key information used for verifying the validity of the encryption key is calculated by the CPU, stored in the memory, and stored in the memory. Using the plurality of pieces of partial decryption information received as the verification information and stored in the memory while transmitting a plurality of verification source key information as the result information to the personal authentication device by the communication device via the communication unit, A plurality of identification extraction source information used for generation of identification extraction information related to extraction of personal identification information before encryption is calculated by the CPU, stored in the memory, and the duplicated information stored in the memory is stored. A formal verification unit to be transmitted to the personal authentication apparatus identification extracted source information by the communication apparatus via the communication unit as the result information,
A plurality of pieces of partial identification information generated by the CPU by dividing the personal identification information for authentication input by the information input unit from the personal authentication device is received as the verification information by the communication device via the communication unit. A plurality of verification sources used when verifying a match between the authentication personal identification information and the registration identification information using a plurality of partial identification information stored in the memory as verification information. The identification information is calculated by the CPU and stored in the memory, and the verification source identification information stored in the memory is transmitted as the verification information to the personal authentication device by the communication device via the communication unit. The server device according to claim 6, wherein:   The verification unit transmits the result information to the server device by the communication device via the communication unit using the OB (Olive Transfer), and the verification information is transmitted from the personal authentication device. The server device according to claim 6, wherein the server device receives the data via a communication device via the communication unit and stores it in a memory. Personal identification information encrypted using an encryption key is input and stored as registration identification information, and authentication processing is performed by a central processing unit (CPU) using the stored registration identification information. And the server device that transmits the result information indicating the result of the authentication process stored in the memory by the communication device, and the server device via the network, and inputs the personal identification information for authentication. An individual who requests authentication processing of the input personal identification information for authentication from the server device via the network to the server device, and receives the authentication processing result information from the server device via the network by the communication device. In an authentication system comprising an authentication device,
The personal authentication device is
A CPU that executes processing;
A memory for storing a result of processing performed by the CPU;
A key storage unit for storing the encryption key;
An information input unit for inputting personal identification information for authentication;
The encryption key stored in the storage unit is divided, a plurality of partial key information is generated by the CPU and stored in the memory, and the personal identification information for authentication input by the information input unit is divided into a plurality of partial identification information Is generated by the CPU and stored in the memory, and the plurality of partial key information and the plurality of partial identification information stored in the memory are used to verify the validity of the encryption key, the personal identification information for authentication, and the registration identification information. The verification information for verifying the coincidence with the CPU is generated by the CPU, stored in the memory and output, and the server apparatus performs the authentication process by the CPU using the verification information from the server apparatus. And the encryption part to be stored in the memory,
A communication unit that transmits the verification information generated by the encryption unit to the server device by the communication device via the network, receives the result information from the server device by the communication device via the network, and stores it in the memory And
The server device is
An identification information storage unit for storing the registration identification information;
A communication unit that communicates with the personal authentication device and the communication device via the network;
A plurality of partial key information generated by the CPU by dividing the encryption key stored in the personal authentication device from the personal authentication device, and a plurality of partial identification information generated by the CPU by dividing the personal identification information for authentication. Is received by the communication device via the communication unit as verification information and stored in the memory, and the verification information stored in the memory is used to input the encryption key itself stored in the personal authentication device and the personal authentication device. The authentication process is executed by the CPU without using the authentication personal identification information itself to verify that the encryption key is valid and that the authentication personal identification information matches the registration identification information. And a verification unit that transmits the verified result information to the personal authentication device by the communication device via the communication unit. Personal identification information encrypted using an encryption key is input and stored as registration identification information, and authentication processing is performed by a central processing unit (CPU) using the stored registration identification information. Then, the result information indicating the result of the executed authentication process is stored in the memory, the result information stored in the memory is transmitted by the communication device, and the server device is connected to the server device via the network. The result of the above-described authentication process in which the personal identification information is input, the authentication process of the input personal identification information for authentication is requested by the communication apparatus to the server apparatus connected via the network, and stored in the memory from the server apparatus An authentication system comprising a personal authentication device for receiving information by a communication device via the network In testimony method,
A key storage step of storing the encryption key in a key storage unit of the personal authentication device;
An information input step of inputting the personal identification information for authentication from the information input unit of the personal authentication device;
The encryption key stored in the key storage unit is divided, and a plurality of pieces of partial key information are generated by a central processing unit (CPU) and stored in a memory, and the authentication key input by the information input unit is stored. The personal identification information is divided and a plurality of pieces of partial identification information are generated by the CPU and stored in the memory. Using the plurality of partial key information and the plurality of partial identification information stored in the memory, the validity of the encryption key, The verification information for verifying the match between the personal identification information for authentication and the registration identification information is generated by the CPU and stored in the memory, and the verification information stored in the memory is transmitted to the server device by the communication device, From the server device, the server device executes the authentication process by the CPU using the verification information and stores the result information stored in the memory to the communication device. Receiving Ri, and verification instructions result receiving step of executing encryption of the personal identification device to be stored in the memory,
A plurality of partial key information generated by the CPU by dividing the encryption key stored in the personal authentication device from the personal authentication device, and a plurality of partial identification information generated by the CPU by dividing the personal identification information for authentication. Is received by the communication device as verification information and stored in the memory. Using the verification information stored in the memory, the encryption key itself stored in the personal authentication device and the personal identification for authentication input by the personal authentication device The result of verification by executing the above authentication process by the CPU without using the information itself to verify the validity of the encryption key and the match between the authentication personal identification information and the registration identification information. And a verification step by a verification unit of the server device that transmits the result information stored in the memory to the personal authentication device. The verification instruction result receiving step by the encryption unit of the personal authentication device is as follows.
The encryption key stored in the key storage unit is divided and a plurality of pieces of partial key information are generated by the CPU and stored in the memory, and the plurality of pieces of partial key information stored in the memory are used as the verification information by the communication device. A plurality of pieces of decryption source information calculated by the CPU using the partial key information and the registration identification information by the server device as the result information from the server device through the authentication device communication step. The decryption processing unit of the personal authentication device that generates the decryption information, which is the original information for generating the decryption result of the registration identification information, using the result information stored in the memory and stored in the memory by the CPU A processing step for decryption by:
The decoding information generated by the decoding processing step by the decoding processing unit of the personal authentication device is divided, a plurality of pieces of partial decoding information are generated by the CPU and stored in the memory, and the plurality of pieces of partial decoding information stored in the memory are stored. A plurality of verification source key information, which is transmitted by the communication device to the server device as the verification information, is calculated by the CPU using the partial decryption information by the server device as result information from the server device, and is stored in the memory. And using the plurality of verification source key information stored in the memory, the server device generates key verification information used for verifying the validity of the encryption key by the CPU and stores the information in the memory. A key verification processing step by a key verification processing unit of a personal authentication device that transmits the stored key verification information as the verification information to the server device by a communication device;
The decoding information generated by the decoding processing step by the decoding processing unit of the personal authentication device is divided, a plurality of pieces of partial decoding information are generated by the CPU and stored in the memory, and the plurality of pieces of partial decoding information stored in the memory are stored. The verification information is transmitted to the server device by the communication device, and the server device receives a plurality of identification extraction source information calculated by the CPU using each partial composite information from the server device as result information by the communication device. Then, using the plurality of identification extraction source information stored in the memory, the server device generates identification extraction information used for extracting the personal identification information before encryption by the CPU and stores it in the memory. A process for identifying and extracting by the processing unit for identifying and extracting the personal authentication device,
The identification extraction information generated by the identification extraction processing step by the identification extraction processing unit of the personal authentication device is extracted from the memory, and the extracted identification extraction information and the information input step by the information input unit of the personal authentication device are input. The combined personal identification information for authentication is combined and the combined information is generated by the CPU and stored in the memory, and the combined information stored in the memory is divided and a plurality of partial identification information is generated by the CPU and stored in the memory. The plurality of pieces of partial identification information stored in the memory are transmitted as the verification information to the server device by the communication device, and the server device uses the pieces of partial identification information to calculate the plurality of pieces of verification source identification information. The result information from the server device is received by the communication device and stored in the memory, and the plurality of verification source identification information stored in the memory is used to ID information verification information used for verification that the personal identification information for authentication matches the registration identification information is generated by the CPU and stored in the memory, and the identification information verification information stored in the memory An identification information generation processing step by an identification information generation processing unit of a personal authentication device that transmits the verification information to the server device by the communication device as the verification information,
The verification process by the verification unit of the server device,
A plurality of partial key information generated by the CPU by dividing the encryption key stored by the personal authentication unit is received as the verification information from the personal authentication device by the communication device and stored in the memory, and the verification information is stored in the memory. Using the stored partial key information and the registration identification information stored in the identification information storage unit, a plurality of pieces of decryption source information used for calculation of decryption information related to the result of decrypting the registration identification information An encryption process by the encryption unit of the server device that calculates by the CPU, stores the calculated result in the memory, and transmits a plurality of decryption source information stored in the memory as result information to the personal authentication device by the communication device;
A plurality of pieces of partial decryption information generated by the personal authentication device by the CPU using the plurality of pieces of decryption source information is received by the communication device as the verification information, stored in the memory, and the verification information is stored in the memory. The plurality of verification source key information used for verifying the validity of the encryption key is calculated by the CPU and stored in the memory using the plurality of partial decryption information stored as the plurality of verification source key information stored in the memory. Verification source key information calculation step by the format verification unit of the server device that transmits the result information to the personal authentication device by the communication device,
Using the plurality of pieces of partial decryption information received as the verification information, the CPU calculates a plurality of identification extraction source information used for generating the identification extraction information related to the extraction of the personal identification information before encryption and stores it in the memory. A plurality of identification extraction source information stored in a memory and transmitted as identification result information to the personal authentication device by means of a communication device, the identification extraction source information calculation step by the server device;
A plurality of pieces of partial identification information generated by the CPU by dividing the personal identification information for authentication input by the information input unit from the personal authentication device is received by the communication device as the verification information and stored in the memory. The CPU calculates a plurality of pieces of verification source identification information used for verification that the personal identification information for authentication coincides with the registration identification information using a plurality of pieces of partial identification information stored as verification information. A verification source identification information calculation step by an identification information verification unit of a server device that stores the verification source identification information stored in the memory as the verification information to the personal authentication device by a communication device. The authentication method according to claim 10.

Images