JP2015060433A - Authentication method, authentication device, authentication system, and authentication program - Google Patents

Abstract

PROBLEM TO BE SOLVED: To perform collation processing in a one-to-N authentication with a collation target limited to registration data for which an authentication with input data is possibly successful.SOLUTION: Provided is an authentication method including: receiving, by a computer, input data as an authentication target; and executing, by the computer, processing of collation of registration data having a second feature quantity not less than a threshold with respect to a first feature of the input data used to determine whether an authentication is successful with the input data.

Description

  The present invention relates to a technique for authenticating a user.

  There is an authentication technique for authenticating a user using a network. In an authentication apparatus that performs authentication, registration information to be verified at the time of authentication, such as password information and biometric information, is registered in advance, and at the time of authentication, the registration information and input information are compared. Then, based on the comparison result, the success or failure of the authentication is determined. Such an authentication technique is used for, for example, an authentication function in a bank system, an authentication function in electronic commerce or electronic payment, and the like.

  In addition to a person, a technique for authenticating a device is also known. For example, there is device authentication using a function called a PUF (Physical Unclonable Function) that outputs a device-specific value using physical characteristics of a device that are difficult to replicate.

  Here, there are roughly two types of authentication technologies. A technique called one-to-one authentication and a technique called one-to-N authentication (also called ID-less authentication). In the one-to-one authentication, for example, by receiving a user ID for identifying a user, one registration information associated with the user ID is specified from registration information registered in advance. Then, the input information and one registered information are collated, and the success or failure of the authentication is determined according to the collation result.

  On the other hand, 1-to-N authentication does not accept a user ID or the like. Therefore, at the time of authentication, the input information and a plurality of registered information are collated. In the one-to-N authentication, for example, input information and all registration information are collated, and success or failure of the authentication is determined based on the most similar registration information.

  For example, there is an authentication system that performs 1-to-N authentication (for example, Patent Document 1). The authentication system is a system that performs personal authentication using a fingerprint. When registering fingerprint feature data, the authentication system gives classification information to the registered fingerprint feature data based on the similarity between the reference data and the fingerprint feature point data. On the other hand, when collating the input fingerprint feature data, classification information of the input fingerprint feature data is generated, and based on the classification information of the input fingerprint feature data, the fingerprint feature data to be verified is limited or prioritized. Search with collation.

JP 2002-297549 A

  However, for example, the authentication system can limit the fingerprint feature data to be collated, but there is no guarantee that the fingerprint feature data that may match the input fingerprint feature data is included. That is, it is not possible to limit the range to be verified after including fingerprint feature data that may match the input fingerprint feature data.

  In addition, the authentication system can, for example, prioritize and repeat the collation with the registered fingerprint feature data (search collation) until the authentication is successful, but the registered fingerprint feature point data. As a result, authentication failure cannot be determined until collation with all registered fingerprint feature data is performed.

  Therefore, the technique disclosed in the present embodiment is intended to perform collation processing with input data only in the one-to-N authentication for registration data that may be successfully authenticated with input data.

  In order to solve the above-described problem, in one embodiment, an authentication method includes: a process in which a computer receives input data to be authenticated; and determining whether the authentication is successful from a first feature amount of the input data. Including a process of executing a collation process with the input data for registered data having a second feature amount that is within a threshold value used in the process.

  According to one aspect of the present invention, in one-to-N authentication, the number of times of matching processing can be reduced by performing matching processing only on registered data that may match input data. Therefore, it is possible to reduce the time and calculation cost required for the authentication process.

FIG. 1 is a diagram for explaining an authentication system according to the first embodiment. FIG. 2 is a functional block diagram of the authentication device 1. FIG. 3 is a functional block diagram of the terminal device 2. FIG. 4 is a data configuration example of a registration data table stored in the storage unit 13. FIG. 5 is a diagram for explaining the narrowing down of collation targets. FIG. 6 is a process flowchart of the terminal device 2 in the first embodiment. FIG. 7 is a process flowchart of the authentication device 1 in the first embodiment. FIG. 8 is a flowchart of the collation process in the first embodiment. FIG. 9 is a data configuration example of a registration data table in the second embodiment. FIG. 10 is a flowchart of the collation process in the second embodiment. FIG. 11 is a process flowchart of the authentication device 1 ″ according to the third embodiment. FIG. 12 is a flowchart of the collation process in the third embodiment. FIG. 13 is a functional block diagram of the authentication device 6 according to the fourth embodiment. FIG. 14 is a processing flowchart of the authentication device 6 in the fourth embodiment. FIG. 15 is a system configuration diagram according to the fifth embodiment. FIG. 16 is a functional block diagram of the authentication device 7 and the verification device 8 according to the fifth embodiment. FIG. 17 is a process flowchart of the authentication device 7 in the fifth embodiment. FIG. 18 is an example of a hardware configuration of each device according to the present invention.

  Detailed examples of the present invention will be described below. Note that the following embodiments can be appropriately combined within a range in which the contents of processing do not contradict each other. Embodiments will be described below with reference to the drawings.

[First embodiment]
FIG. 1 is a diagram for explaining an authentication system according to the first embodiment. First, the authentication system in the present embodiment will be described. The authentication system includes an authentication device 1 and a terminal device 2. Note that the authentication device 1 and the terminal device 2 are connected via a network N. The network N is, for example, the Internet. For communication via the network N, it is desirable to apply an encrypted communication technique such as Secure Socket Layer (SSL).

  The authentication device 1 is a computer that performs authentication in response to a request from the terminal device 2. In the present embodiment, the authentication device 1 performs 1-to-N authentication. That is, when the authentication device 1 acquires input data to be authenticated from the terminal device 2, the authentication device 1 performs authentication by comparing the input data with a plurality of registration data. The registration data is data registered in advance in the authentication device 1 and is information unique to each user, for example.

  The input data and registration data are, for example, binary format data. Furthermore, in the present embodiment, since the authentication device 1 performs biometric authentication, the registration data and input data are binary data indicating biometric information. However, the technology disclosed in the present embodiment can be applied to other authentication methods besides biometric authentication. For example, the technique disclosed in the present embodiment is applied to device authentication using a value unique to a device using PUF (Physical Unclonable Function).

  The terminal device 2 is a computer that requests the authentication device 1 for authentication. In the present embodiment, the terminal device 2 is connected to a reading device 3 for reading biological information. For example, the reading device 3 acquires an image such as a vein or fingerprint of the user 5 and generates biometric information from the image. Various conventional methods are used as an algorithm for generating biometric information from an image. For example, information such as the number and position of vein branches is extracted by image analysis, and biological information is generated based on the extracted information.

  Then, the terminal device 2 acquires biological information from the reading device 3. The biometric information is converted into a binary format, but the conversion may be performed by the reading device 3 or the terminal device 2.

  Here, when registering biometric information in the authentication device 1 as preparation for receiving authentication, the terminal device 2 transmits a registration request including binary data of biometric information acquired from the reading device 3 to the authentication device 1. Then, the authentication device 1 stores the received binary data as registration data in its own storage device.

  On the other hand, at the time of authentication, the terminal device 2 transmits an authentication request including binary data of biometric information acquired from the reading device 3 to the authentication device 1. Then, the authentication device 1 collates the received binary data and a plurality of registered data, and performs authentication based on the collation result. In the present embodiment, the collation process is executed after limiting the registration data to be collated. Details will be described later.

  Next, a functional configuration of the authentication device 1 will be described. FIG. 2 is a functional block diagram of the authentication device 1. The authentication device 1 includes a communication unit 11, a control unit 12, and a storage unit 13. The communication unit 11 is a process of communicating with another device, and communicates with the terminal device 2, for example. The control unit 12 is a processing unit that controls various processes in the authentication device 1 and executes, for example, a registration process and an authentication process. The storage unit 13 is a storage unit that stores information necessary for various processes, and stores, for example, registration data.

  The control unit 12 includes a calculation unit 14, a registration processing unit 15, and an authentication processing unit 16. For example, when the calculation unit 14 acquires binary data of biometric information from the terminal device 2, the calculation unit 14 calculates a feature amount of the binary data. For example, the number of 1s or 0s in the binary data is the feature amount. Hereinafter, in the present embodiment, a case where a Hamming weight indicating the number of 1 in binary data is used as the feature amount will be described.

  For example, when the communication unit 11 receives a registration request, the calculation unit 14 calculates a Hamming weight for binary data of biometric information included in the registration request. Then, the calculated result is output to the registration processing unit 15. On the other hand, when the communication unit 11 receives the authentication request, the calculation unit 14 calculates a Hamming weight for the binary data of the biometric information included in the authentication request. Then, the calculated result is output to the authentication processing unit 16.

  Next, when the registration processing unit 15 receives a registration request from the terminal device 2, the registration processing unit 15 executes a registration process. Specifically, the registration processing unit 15 registers the binary data included in the registration request and the feature amount calculated by the calculation unit 14 in association with each other in the storage unit 13. Further, the registration processing unit 15 may further store the user ID generated by the terminal device 2 in association with the registration data. The user ID is identification information for identifying the user. Further, the user ID may be generated by the registration processing unit 15. For example, the user ID is generated so as to be a character string different from the character string used as the user ID so far.

  When receiving an authentication request from the terminal device 2, the authentication processing unit 16 performs authentication processing. Specifically, the authentication processing unit 16 performs authentication by collating binary data included in the authentication request with a plurality of registration data stored in the storage unit 13. The binary data included in the authentication request is an example of input data. For example, when the difference between the input data and the registered data is equal to or smaller than the authentication determination threshold value, it is determined that the authentication is successful. The determination result is transmitted to the terminal device 2 via the communication unit 11.

  The difference between the input data and the registered data is the Hamming distance between the binary data. The Hamming distance is the number of different characters existing at corresponding positions between the character string of the input data and the character string of the registered data, and indicates the similarity between the binary data. In other words, the Hamming distance between binary data is the number of different bits existing at corresponding positions between input data and registered data. For example, the exclusive OR operation of each digit in two binary data is performed. The number of 1 in the result. In the present embodiment, the authentication processing unit 16 determines that the registration data corresponding to the input data is registered in advance when the Hamming distance is equal to or less than the authentication determination threshold value.

  Furthermore, in the present embodiment, the authentication processing unit 16 narrows down registration data to be collated with input data. Specifically, the authentication processing unit 16 limits the collation target using the feature amount of the input data calculated by the calculation unit 14 and the authentication determination threshold value. Although details will be described later, registration data in which the difference between the input data and the registration data is clearly greater than or equal to the authentication determination threshold in the light of the feature amount of the input data is excluded from the verification target.

  Next, the functional configuration of the terminal device 2 will be described. FIG. 3 is a functional block diagram of the terminal device 2. The terminal device 2 includes a communication unit 21, an acquisition unit 22, a control unit 23, and a display unit 24. The communication unit 21 is a processing unit that communicates with another device, and communicates with the authentication device 1, for example. The acquisition unit 22 is a processing unit that acquires information to be registered or authenticated, and for example, acquires biometric information from the reading device 3.

  The control unit 23 is a processing unit that controls the entire processing of the terminal device 2 and generates, for example, a registration request or an authentication request. The display unit 24 is a processing unit that displays various types of information, and displays, for example, an authentication result received from the authentication device 1. The terminal device 2 may further include a storage unit that stores various types of information.

  Next, registration data stored in the storage unit 13 of the authentication device 1 will be described. FIG. 4 is a data configuration example of a registration data table stored in the storage unit 13. The registration data table is a table for managing registration data.

  The registration data table stores a user ID, a Hamming weight, and registration data in association with each other. The user ID is information for identifying the user indicated by the registration data. The hamming weight is an example of a feature amount of registered data, and is the number of 1 or 0 in the registered data. The registration data is binary data included in the registration request and is information unique to the user.

  Next, a process for narrowing registered data to be collated with input data will be described. FIG. 5 is a diagram for explaining the narrowing-down process of the collation target. In the first embodiment, the authentication processing unit 16 in the authentication device 1 also executes a narrowing process in the authentication process. Other embodiments will be described later.

  However, the registration data table shown in FIG. 5 lists the registration data in the feature quantity order, not in the ID order as shown in FIG. The registration data table may register the registration data in the order of feature amounts as shown in FIG. Details of an example of registration in the order of feature amounts will be described in the second embodiment.

  In FIG. 5, the input data is M ′, and the hamming weight of the input data is represented by HW (M ′). Also, the registration data is represented by Mi, and the hamming weight of the registration data is represented by HW (Mi). Further, the Hamming distance between the input data and the registration data is indicated as HD (M ′, Mi). Note that i corresponds to the record number of the registration data table.

  When authentication is determined to be successful in the authentication processing, the Hamming distance HD (M ′, Mi) needs to be equal to or less than the authentication determination threshold d. Therefore, by making the registration data Mi that meets the following condition 1 as a verification target, the verification process can be performed only for the registration data Mi that can be successfully authenticated.

(Condition 1)

  In other words, the registration data Mi that meets the following condition 2 is excluded from the verification target. By excluding the registered data Mi that is clearly unsuccessful from the verification target, the number of verification processes can be reduced, and the time and calculation cost for the authentication process can be reduced.

(Condition 2)

  Conditions 1 and 2 are derived conditions based on the following logic. First, Expression 1 is a condition for successful authentication. Here, the Hamming distance HD (M ′, Mi) is at least an absolute value of a difference between the Hamming weight HW (M ′) of the input data and the Hamming weight HW (Mi) of the registered data. This is because, when input data having a Hamming weight HW (M ′) is subjected to exclusive OR operation for each bit, the registration data having the Hamming weight HW (Mi) is applied to the bit indicating “1”. This is because the maximum number of bits for which an output of “0” can be obtained is up to the Hamming weight HW (Mi) of the registered data.

That is, the number of bits of “1” in the exclusive OR operation result (that is, the Hamming distance HD (M ′, Mi) is an absolute value obtained by subtracting the Hamming weight HW (Mi) from the Hamming weight HW (M ′). Therefore, Expression 2 is established, and then the relationship between the absolute value of the result of subtracting the Hamming weight HW (Mi) from the Hamming weight HW (M ′) and the authentication determination threshold in Expression 2. Condition 1 is obtained by expanding the expression.
(Formula 1)

(Formula 2)

  For example, as shown in FIG. 5, when the input data M ′ is “10000111”, the Hamming weight HW (M ′) is “4”. Further, assuming that the authentication determination threshold value d is “2”, registration data having a Hamming weight HW (Mi) larger than 2 and smaller than 6 is a target of collation processing, that is, within the rectangle of FIG. The registered data group shown is a verification target.

  In the example of FIG. 5, the registration data with the user ID “5” and the input data completely match, but normally, in the case of biometric authentication, the input data and registration data are the same person. Is unlikely to match exactly. This is due to an error caused by, for example, the position of the hand or the tilt of the hand when the reader 3 captures a vein or fingerprint. Therefore, in many cases, registration data having a different Hamming weight becomes registration data most similar to the input data, rather than registration data having the same Hamming weight.

  Therefore, in this embodiment, by registering registration data having a Hamming weight smaller than the authentication determination threshold as a reference based on the Hamming weight of input data, registration data that may be successfully authenticated is leaked. It can be used as a verification target.

  Next, processing of the terminal device 2 in the first embodiment will be described. FIG. 6 is a process flowchart of the terminal device 2 in the first embodiment. The control unit 23 determines whether or not to execute the registration process (Op. 1). For example, an affirmative determination is made when there is an input from the user to start the registration process.

  When executing the registration process (Op. 1 Yes), the control unit 23 generates a user ID (Op. 2). Here, the user ID is generated on the terminal device 2 side, but the control unit 23 may request the authentication device 1 to generate a user ID. When the user ID is not generated on the terminal device 2 side, a user ID may be generated on the authentication device 1 side in response to a registration request described later.

  Furthermore, the acquisition part 22 acquires biometric information from the reader 3 (Op.3). And the control part 23 produces | generates the registration request | requirement containing the converted binary data and user ID while converting biometric information into a binary format. And the control part 23 controls the communication part 21, and transmits a registration request to the authentication apparatus 1 (Op.4).

  On the other hand, when the registration process is not executed (Op. 1 No), the acquisition unit 22 acquires biometric information from the reading device 3 (Op. 5). Then, the control unit 23 generates an authentication request and controls the communication unit 21 to transmit the authentication request to the authentication device 1 (Op. 6). Here, the control unit 23 converts the biometric information into binary data and generates a registration request including the binary data. In this embodiment, since 1-to-N authentication is performed, the user does not need to input a user ID. Therefore, the registration request does not include the user ID.

  Next, the control unit 23 determines whether an authentication result for the authentication request has been received (Op. 7). Wait until the authentication result is received (Op. 7 No), and when the communication unit 21 receives the authentication result (Op. 7 Yes), the display unit 24 displays the authentication result under the control of the control unit 23 ( Op.8). For example, the display unit 24 displays a screen that notifies the user of success or failure of the authentication result.

  Next, processing of the authentication device 1 in the first embodiment will be described. FIG. 7 is a process flowchart of the authentication device 1 in the first embodiment. The control unit 12 determines whether or not the communication unit 11 has received a registration request (Op. 11).

  When the registration request is received (Op. 11 Yes), the control unit 12 executes a registration process. First, the calculation unit 14 calculates the hamming weight HW (Mi) of the registration data using the binary data included in the registration request as registration data (Op. 12). The Hamming weight is an example of a feature amount of registered data. Then, the calculation unit 14 outputs the registration data, the Hamming weight HW (Mi), and the user ID to the registration processing unit 15.

  And the registration process part 15 stores registration data, Hamming weight HW (Mi), and user ID in the registration data table of the memory | storage part 13 (Op.13). And the control part 12 complete | finishes a series of registration processes.

  On the other hand, when the registration request has not been received (No in Op. 11), the control unit 12 determines whether or not the communication unit 11 has received the authentication request (Op. 14). Here, when the authentication request has not been received (No in Op. 14), the control unit 12 ends the series of processes.

  When the authentication request is received (Op. 14 Yes), the calculation unit 14 calculates the hamming weight HW (M ′) of the input data using the binary data included in the authentication request as input data (Op. .15). Next, the authentication process part 16 performs a collation process (Op.16). In the collation process in the present embodiment, it is determined whether or not the collation process is to be executed for each of a plurality of registration data, and the collation process is performed on the registration data that is determined to be collated.

  FIG. 8 is a flowchart of the collation process in the first embodiment. First, the authentication processing unit 16 performs initial setting (Op. 21). The minimum hamming distance variable HDmin is set to the number of bits of registration data (8 in the case of FIG. 4). Note that the minimum hamming distance variable is a variable indicating the minimum hamming distance among the hamming distances of the input data and the registration data, and is updated by executing the subsequent matching process. Further, the minimum ID variable IDmin is set to “−1”. This is a variable indicating the ID of the registered data that minimizes the Hamming distance with the input data, and is updated by executing the subsequent matching process.

  Further, the authentication processing unit 16 sets the counter variable i to “1” in the initial setting. The counter variable corresponds to the record number of the registration data table. Further, the authentication processing unit 16 sets the number of records in the registration data table as the maximum counter value Ni.

  After completion of the initial setting, the authentication processing unit 16 determines whether the counter variable i matches the maximum counter value Ni (Op.22). If they do not match (Op. 22 No), the authentication processing unit 16 refers to the record corresponding to the counter variable i, and acquires the hamming weight HW (Mi) of the registered data (Op. 23). Then, based on the Hamming weight HW (M ′) of the verification data and the authentication determination threshold d, the authentication processing unit 16 determines whether or not the Hamming weight HW (Mi) of the registration data satisfies the condition 1 (Op.24). ).

  When the condition 1 is satisfied (Op. 24 Yes), the authentication processing unit 16 acquires the registration data of the record corresponding to the counter variable i and calculates the hamming distance HD (M ′, Mi) between the input data and the registration data. (Op. 25). Then, the authentication processing unit 16 determines whether the hamming distance HD (M ′, Mi) is smaller than the minimum hamming distance variable HDmin (Op. 26).

  When the hamming distance HD (M ′, Mi) is smaller than the minimum hamming distance variable HDmin (Op. 26 Yes), the authentication processing unit 16 sets the minimum hamming distance variable HDmin to Op. The Hamming distance HD (M ′, Mi) calculated in 25 is updated, and the minimum ID variable IDmin is updated to the user ID in the record corresponding to the counter variable i (Op.27).

  Op. 27, when the condition 1 is not satisfied (Op. 24 No), or when the Hamming distance HD (M ′, Mi) is equal to or greater than the minimum Hamming distance variable HDmin (Op. 26 No), the authentication processing unit 16 The counter variable i is incremented (Op.28). And Op. Return to 22 and repeat the process.

  That is, when a smaller Hamming distance HD (M ′, Mi) is found, the minimum Hamming distance HDmin is updated to the Hamming distance HD (M ′, Mi). Further, the minimum ID variable IDmin is also updated to the corresponding user ID in accordance with the update of the minimum hamming distance HDmin.

  If the counter variable i matches the maximum counter value Ni (Op. 22 Yes), the processing has been completed for all records, and the authentication processing unit 16 ends the matching process.

  Next, returning to FIG. 7, after the collation process (Op.16) is completed, the authentication processing unit 16 determines whether or not the minimum hamming distance HDmin is smaller than the authentication determination threshold value d (Op.17). . If the minimum hamming distance HDmin is smaller than the authentication determination threshold value d (Op. 17 Yes), the authentication processing unit 16 determines that the authentication is successful and displays an authentication result indicating that the authentication is successful. Generate. The authentication result also includes the user ID set in the minimum ID variable IDmin. And the communication part 11 transmits the authentication result which shows that authentication was successful to the terminal device 2 (Op.18).

  On the other hand, when the minimum hamming distance HDmin is equal to or greater than the authentication determination threshold value d (Op. 17 No), the authentication processing unit 16 determines that the authentication has failed and displays an authentication result indicating that the authentication has failed. Generate. And the communication part 11 transmits the authentication result which shows that authentication failed to the terminal device 2 (Op.19). At this time, the authentication result does not include the user ID set in the minimum ID variable IDmin.

  As described above, the authentication processing unit 16 uses the Op. 25 to Op. 27 is omitted. That is, the authentication processing unit 16 does not perform verification. On the other hand, for registered data that satisfies the condition 1 and that may be successfully authenticated, the authentication processing unit 16 prevents the correct answer data from being excluded from the narrowing down targets by executing collation.

  Therefore, the authentication device 1 according to the present embodiment can limit registration data to be subjected to collation processing among the registration data. The authentication process in the authentication device 1 can be performed in a shorter time compared to the case where the verification process is performed with all registered data. In addition, since registration data that can be successfully authenticated is a target of the collation process, correct data can be prevented from being excluded from the target of the collation process.

  Here, the authentication system disclosed in Japanese Patent Application Laid-Open No. 2002-297549 uses different determination criteria when determining the success or failure of personal authentication and when limiting the range to be verified. The registration data that satisfies the criteria for determining the success or failure of personal authentication is a probabilistic limiting means that it is highly likely that the criteria for limiting the scope of verification will also be met. May not be included in the target range. On the other hand, since the technique disclosed in the present embodiment uses the authentication determination threshold to limit registration data to be verified, registration data that may be successfully authenticated is excluded from the verification target. prevent.

[Second Example]
In the second embodiment, the registration method of registration data in the registration data table is different from the first embodiment. Furthermore, the processing flow of the verification process is different. Hereinafter, the second embodiment will be described focusing on differences from the first embodiment. Compared with the first embodiment in which registration data is registered in the order of user ID, the second embodiment can specify registration data to be used for collation processing in a short time.

  The authentication device 1 ′ according to the second embodiment is different from the authentication device 1 according to the first embodiment shown in FIG. 2 in place of the registration processing portion 15 in the first embodiment. And an authentication processing unit 16 ′ instead of the authentication processing unit 16 in the first embodiment, and a storage unit 13 ′ instead of the storage unit 13. The functional configuration of the terminal device is the same as that of the terminal device 2 according to the first embodiment.

  First, FIG. 9 is a data configuration example of a registration data table in the second embodiment. Upon receiving a registration request, the registration processing unit 15 ′ registers registration data in the registration data table. The registration data table is stored in the storage unit 13 '. Similar to the first embodiment, the registration data table includes a user ID, a hamming weight, and registration data. However, the registration data is registered in order of Hamming weight. That is, as shown in FIG. 9, the registration data is stored in the ascending order of the Hamming weight. The registration data may actually be registered in the order of the Hamming weights, or the corresponding registration data can be stored using the pointers by storing the pointers indicating the storage locations of the registration data corresponding to the respective Hamming weights. May be referred to.

  Next, a flow of collation processing according to the second embodiment will be described. FIG. 10 is a flowchart of the collation process in the second embodiment. In the second embodiment, the authentication process shown in FIG. 7 is executed. At 16, the verification process shown in FIG. 10 is executed. That is, processes other than the collation process are the same as those in the first embodiment and the second embodiment.

  First, the authentication processing unit 16 ′ of the authentication device 1 ′ performs initial setting (Op. 31). Here, the authentication processing unit 16 'sets the minimum hamming distance variable HDmin to the number of bits of the registration data. Further, the authentication processing unit 16 ′ sets the minimum ID variable IDmin to “−1”. Further, the management variable k is set to 0. The management variable k indicates the difference between the hamming weight HW (M ′) of the input data and the hamming weight HW (Mi) of the registered data.

  For example, when the management variable k is “0”, registration data having the same hamming weight as the hamming weight HW (M ′) of the input data is designated as the registration data to be processed. In the present embodiment, the authentication processing unit 16 ′ uses the management variable k to limit the registration data that is subject to the verification process. Specifically, the authentication processing unit 16 'sets the registration data specified by the management variable k smaller than the authentication determination threshold as a verification target.

  When the initial setting is completed, the authentication processing unit 16 'determines whether the management variable k is smaller than the authentication determination threshold value d (Op.32). When the management variable k is smaller than the authentication determination threshold value d (Op. 32 Yes), the authentication processing unit 16 ′ sets flg (flag) to “−1” (Op. 33). The flag is information for defining the processing direction.

  For example, when the management variable k is “1”, registration data having a hamming weight “1” different from the hamming weight HW (M ′) of the input data is processed, but the hamming weight HW (M of the input data) Whether the registration data having a Hamming weight that is one greater than ') or the registration data having a Hamming weight that is one smaller than the Hamming weight HW (M') of the input data is managed by a flag To do. Here, by setting the flag “−1” first, the following processing is executed on registration data having a Hamming weight that is one smaller than the Hamming weight HW (M ′) of the input data. And When the management variable k is “0”, the process related to setting the flag may be omitted.

  Next, the authentication processing unit 16 'sets the counter variable j to "1" (Op.34). The counter variable j in the present embodiment is a variable for managing registration data having the same hamming weight. For example, when there are three registration data having the same Hamming weight, each registration data is handled as j = 1, j = 2, and j = 3. Further, the authentication processing unit 16 'sets the number of registered data having the same hamming weight as the maximum counter value Nj. According to the previous example, Nj is “3”.

  The authentication processing unit 16 'determines whether the counter variable j matches the maximum counter value Nj (Op.35). If they do not match (Op. 35 No), the authentication processing unit 16 ′ acquires registration data corresponding to the management variable k, the flag value, and the counter variable j, and the Hamming distance HD (M between the input data and the registration data) ', Mi) is calculated (Op. 36). Then, the authentication processing unit 16 'determines whether the Hamming distance HD (M', Mi) is smaller than the minimum Hamming distance variable HDmin (Op.37).

  When the hamming distance HD (M ′, Mi) is smaller than the minimum hamming distance variable HDmin (Op. 37 Yes), the authentication processing unit 16 ′ sets the minimum hamming distance variable HDmin to Op. The Hamming distance HD (M ', Mi) calculated in 36 is updated, and the minimum ID variable IDmin is updated to the user ID in the record corresponding to the management variable k, the flag value, and the counter variable j (Op.38).

  Op. 38, or when the hamming distance HD (M ′, Mi) is equal to or greater than the minimum hamming distance variable HDmin (Op. 37 No), the authentication processing unit 16 ′ increments the counter variable j (Op. 39). . And Op. Return to 35 and repeat the process.

  If the counter variable j matches the maximum counter value Nj (Op. 35 Yes), the authentication processing unit 16 ′ determines whether the flag is “−1” (Op. 40). If the flag is “−1” (Op. 40 Yes), the authentication processing unit 16 ′ sets the flag to “1” (Op. 41). That is, the processing direction is reversed. Then, after the flag is set to “1”, Op. 34 to Op. The process of 39 is repeated. However, when the management variable k is 0, Op. In 40, a negative determination may be made.

  On the other hand, when the flag is not “−1” (Op. 40 No), the authentication processing unit 16 ′ increments the management variable k (Op. 42). And Op. The process after 32 is repeated. That is, the matching process is performed on registration data whose difference from the Hamming weight HW (M ′) of the input data is one larger than that in the process so far.

  On the other hand, when the management variable k is greater than or equal to the authentication determination threshold value d (Op. 32 No), the authentication processing unit 16 ′ ends the matching process. That is, the matching process is not executed for the registration data specified by the management variable k that is equal to or greater than the authentication determination threshold d. This is because, similarly to the condition 2 described above, there is no possibility that the authentication process will be successful for registered data of the management variable k or more.

  As described above, also in the second embodiment, it is possible to limit the registration data to be subjected to the matching process among the registration data. Therefore, the authentication process in the authentication apparatus 1 ′ can be performed in a shorter time compared to the case where the verification process is performed on all registered data. In addition, since registration data that can be successfully authenticated is a target of the collation process, correct data can be prevented from being excluded from the target of the collation process.

[Third embodiment]
In the third embodiment, the processing time can be further shortened by limiting the registration data to be collated as compared with the first embodiment or the second embodiment. The authentication device 1 '' according to the third embodiment is different from the authentication device 1 according to the first embodiment shown in FIG. 2 in place of the authentication processing unit 16 in the first embodiment. Part 16 ″. The authentication processing unit 16 '' executes an authentication process different from that in the first embodiment or the second embodiment. The functional configuration of the terminal device is the same as that of the terminal device 2 according to the first embodiment.

  FIG. 11 is a process flowchart of the authentication device 1 ″ according to the third embodiment. In addition, about the process same as the process flowchart of the authentication apparatus 1 which concerns on a 1st Example, while attaching | subjecting the same code | symbol, description is abbreviate | omitted. In the third embodiment, the verification process (Op. 50) and the authentication success / failure determination process (Op. 51) following the verification process are different.

  In FIG. 11, when the calculation unit 14 calculates the hamming weight HW (M ′) of the input data (Op. 15), the authentication processing unit 16 ″ executes a matching process (Op. 50).

  FIG. 12 is a flowchart of the collation process in the third embodiment. In addition, about the process same as the collation process in a 2nd Example, while attaching the same code | symbol, description is simplified. First, as in the second embodiment, the authentication processing unit 16 ″ performs initial setting. That is, the minimum hamming distance variable HDmin is set to the number of bits of registration data. Further, the minimum ID variable IDmin is set to “−1”. Further, the management variable k is set to 0.

  When the initial setting is completed, the authentication processing unit 16 '' determines whether the management variable k is smaller than the authentication determination threshold value d (Op.32). When the management variable k is smaller than the authentication determination threshold d, flg (flag) is set to “−1” (Op.33). Next, the authentication processing unit 16 ″ sets the counter variable j to “1” (Op. 34). Further, the authentication processing unit 16 ″ sets the number of registered data having the same hamming weight as the maximum counter value Nj.

  The authentication processing unit 16 '' determines whether the counter variable j matches the maximum counter value Nj (Op.35). If they do not match (Op. 35 No), the authentication processing unit 16 ″ acquires registration data corresponding to the management variable k, the flag value, and the counter variable j, and the Hamming distance HD ( M ′, Mi) is calculated (Op. 36).

  Then, the authentication processing unit 16 ″ determines whether the hamming distance HD (M ′, Mi) is smaller than the authentication determination threshold d (Op. 52). That is, in the third embodiment, the authentication device 1 ″ determines whether the authentication data is registered data that succeeds in the verification process.

  When the hamming distance HD (M ′, Mi) is smaller than the authentication determination threshold d (Op. 52 Yes), the authentication processing unit 16 ″ sets the minimum hamming distance variable HDmin to Op. The Hamming distance HD (M ′, Mi) calculated in 36 is updated, and the minimum ID variable IDmin is updated to the user ID in the record corresponding to the management variable k, the flag value, and the counter variable j (Op. 53).

  Further, the authentication processing unit 16 '' updates the authentication determination threshold value d to HDmin (Op.54). That is, the Op. In 32, as compared with d before the update, the criterion for limiting the processing target of the collation processing becomes stricter.

  Then, as in the second embodiment, the authentication processing unit 16 ″ increments the counter variable j (Op. 39), and Op. The process after 35 is repeated. If the counter variable j matches the maximum counter value Nj (Op. 35 Yes), the authentication processing unit 16 ″ determines whether the flag is “−1” (Op. 40). If the flag is “−1” (Op. 40 Yes), the authentication processing unit 16 ″ sets the flag to “1” (Op. 41). When the management variable k is 0, Op. In 40, a negative determination may be made. After the flag is set to “1”, p. 34 to Op. The process of 39 is repeated.

  On the other hand, when the flag is not “−1” (Op. 40 No), the authentication processing unit 16 ″ increments the management variable k (Op. 42). And Op. The process after 32 is repeated. If the management variable k is equal to or greater than the authentication determination threshold value d (Op. 32 No), the authentication processing unit 16 ″ ends the process. In other words, the collation process is not executed for the registration data of the management variable k or more. The authentication judgment threshold d is Op. If updated in 54, the updated authentication determination threshold value d is set to Op. 32 is used for determination.

  Here, the relationship between the update of the authentication determination threshold d and the limitation of the processing target will be described with reference to FIG. It is assumed that the authentication determination threshold value d before update is “2”. In this case, in the first embodiment or the second embodiment, the registration data in the range shown as the comparison target in FIG. 5 is the processing target.

  On the other hand, in the third embodiment, since the matching process is executed from the registration data whose management variable k is “0” at the beginning, when the input data M ′ is “1000111”, the registration data of the user ID “5”. Registration data “11011000” of “1000111” or user ID “8” is first collated with input data M ′.

  Specifically, taking registration data “1000111” of user ID “5” as an example, Op. In 36, “0” is calculated as the Hamming distance HD (M ′, Mi). Then, in the subsequent process, the authentication processing unit 16 ″ determines that the hamming distance HD (M ′, Mi) is smaller than the authentication determination threshold value d (Op. 52 Yes). Then, the authentication processing unit 16 ″ updates the minimum hamming distance variable HDmin to “0” and sets the minimum ID variable IDmin to the user ID “5” in the record corresponding to the management variable k, the flag value, and the counter variable j. (Op. 53). Further, the authentication processing unit 16 ″ updates the authentication determination threshold value d to HDmin “0” (Op. 54).

  Therefore, when the collation with the registered data whose management variable k is “0” is completed (Op. 35 Yes), Op. 40 (NO), the authentication processing unit 16 ″ receives the Op. 42 is executed. That is, the authentication processing unit 16 ″ updates the management variable k to “1”. Next, when the updated authentication determination threshold value d “0” is compared with the management variable k “1”, Op. Since a negative determination is made at 32, the collation process ends. That is, according to the present embodiment, the collation target can be limited to two registration data from the six registration data that are the collation targets shown in FIG.

  In other words, when the registration data Mi that succeeds in authentication is found, the authentication device 1 ″ only needs to search for registration data that is more similar to the input data M ′ than the registration data Mi. The authentication determination threshold value d is updated to a stricter threshold value. Therefore, the authentication device 1 ″ according to the third embodiment can further limit the verification processing targets.

  In the example of FIG. 5, since there is registration data Mi that matches the input data M ′, the authentication determination threshold value d is updated to “0”, but even when the input data M ′ and the registration data Mi do not completely match, By updating to a smaller authentication determination threshold d, the same effect can be obtained.

  Next, returning to FIG. 11, the authentication processing unit 16 ″ determines whether or not the minimum ID variable IDmin has been updated from “−1” at the initial setting after the collation processing (Op. 50) is completed. (Op. 51). When the minimum hamming distance variable HDmin is not “−1” (Op. 51 No), the authentication processing unit 16 ″ determines the authentication success and sends an authentication result indicating that the authentication is successful to the communication unit 11. To the terminal device 2 (Op.18).

  On the other hand, when the minimum hamming distance variable HDmin is “−1” (Op. 51 Yes), the authentication processing unit 16 ″ determines the authentication failure and transmits an authentication result indicating that the authentication has failed. It transmits to the terminal device 2 via the part 11 (Op.18).

  Op. 53, if the minimum ID variable IDmin “−1” at the time of initialization is updated to another value, Op. In 52, it is possible to search for registration data indicating successful authentication. Therefore, Op. In 51, if the minimum ID variable IDmin has been updated from “−1” at the time of initial setting, the success of authentication is determined.

  On the other hand, Op. 53, if the minimum ID variable IDmin “−1” at the time of initialization is not updated to another value, Op. In 52, it is impossible to search for registration data indicating successful authentication. Therefore, Op. In 51, if the minimum ID variable IDmin has not been updated from “−1” at the time of initial setting, authentication failure is determined.

  As described above, the authentication device 1 ″ according to the present embodiment can further execute the authentication process by limiting the verification target. That is, when registration data having a Hamming distance HD (M ′, Mi) equal to or smaller than the authentication determination threshold d is found, the authentication device 1 ″ is more similar to the input data M ′ than the registration data Mi in the subsequent processing. Since it is only necessary to search whether or not there is registration data to be registered, it is possible to further exclude from the verification target registration data that is not likely to be similar to the input data M ′ than the registration data Mi.

[Fourth embodiment]
In the fourth embodiment, the verification processing is executed in parallel by a plurality of processing units. As a fourth embodiment, an example in which a plurality of verification processing units exist in one authentication apparatus will be disclosed. In the fourth embodiment, compared with the first to third embodiments, since the matching process is executed in parallel, the time required for the matching process, and thus the authentication process, can be shortened. The system configuration includes the terminal device 2 and the authentication device 6. The functional configuration of the terminal device according to the fourth embodiment is the same as that of the terminal device 2 according to the first embodiment.

  FIG. 13 is a functional block diagram of the authentication device 6 according to the fourth embodiment. The authentication device 6 includes a communication unit 61, a main control unit 62, a first slave control unit 63, a second slave control unit 64, a first storage unit 65, and a second storage unit 66. The main control unit 62 includes a calculation unit 621, a registration processing unit 622, and an authentication processing unit 623. The first slave control unit 63 includes a first verification processing unit 631, and the second slave control unit 64 includes a second verification processing unit 641. In addition, although demonstrated here as two subordinate control parts performing collation processing in parallel, three or more subordinate control parts may perform collation processing in parallel.

  The communication unit 61 is a process of communicating with another device, and communicates with the terminal device 2, for example. The main control unit 62 is a processing unit that controls various processes in the authentication device 6 and executes, for example, an authentication process. The 1st memory | storage part 65 and the 2nd memory | storage part 66 are memory | storage parts which memorize | store the information required for various processes, for example, memorize | store registration data. In addition, the 1st memory | storage part 65 and the 2nd memory | storage part 66 memorize | store registration data exclusively. Registration data is managed by a registration data table having the same data configuration as the first embodiment and the second embodiment.

  When the calculation unit 621 acquires the binary data of the biological information from the terminal device 2, the calculation unit 621 calculates the feature amount of the binary data. For example, when the communication unit 61 receives a registration request, the calculation unit 621 calculates a Hamming weight for the binary data of biometric information included in the registration request. On the other hand, when the communication unit 61 receives the authentication request, the calculation unit 621 calculates a Hamming weight for the binary data of the biometric information included in the authentication request. Then, the calculation unit 621 outputs the calculated result to the registration processing unit 622 or the authentication processing unit 623.

  Next, when the registration processing unit 622 receives a registration request from the terminal device 2, the registration processing unit 622 performs registration processing. Specifically, the registration processing unit 622 registers the binary data included in the registration request and the feature amount calculated by the calculation unit 621 in the first storage unit 65 or the second storage unit 66 in association with each other. For example, the registration processing unit 622 stores the registration data in a storage unit having a smaller number of registered data. In addition, the registration processing unit 622 determines a storage unit as a registration destination of registration data so that the number of registered data having the same Hamming weight is approximately the same in the first storage unit 65 and the second storage unit 66. May be.

  When the authentication processing unit 623 receives an authentication request from the terminal device 2, the authentication processing unit 623 performs authentication processing. Specifically, the authentication processing unit 623 performs authentication by controlling the first slave control unit 63 and the second slave control unit 64. When the first verification processing unit 631 of the first secondary control unit 63 and the second verification processing unit 641 of the second secondary control unit 64 execute the verification process, the verification result is output to the authentication processing unit 623. The authentication processing unit 623 determines that the authentication has been successful based on each matching result, for example, when there is registration data whose difference from the input data is equal to or less than the authentication determination threshold.

  The first matching processing unit 631 and the second matching processing unit 641 execute a matching process. The specific processing content for the collation processing is the content shown in any of the first embodiment, the second embodiment, and the third embodiment. However, when the verification process of the third embodiment is executed, when the authentication determination threshold is updated by one of the verification processing units, the other verification process is controlled under the control of the main control unit 62. Is notified of the updated authentication determination threshold.

  Next, the flow of the authentication device 6 in the fourth embodiment will be described. FIG. 14 is a processing flowchart of the authentication device 6 in the fourth embodiment. First, the main control unit 62 determines whether or not the communication unit 61 has received a registration request (Op. 61).

  When the registration request is received (Op. 61 Yes), the main control unit 62 executes the registration process. First, the calculation unit 621 calculates the hamming weight HW (Mi) of registration data using the binary data included in the registration request as registration data (Op. 62). Then, the calculation unit 621 outputs the registration data, the Hamming weight HW (Mi), and the user ID to the registration processing unit 622.

  Then, the registration processing unit 622 determines whether the number N1 of registration data in the first storage unit 65 is smaller than the number N2 of registration data in the second storage unit (Op.63). When N1 is smaller than N2 (Op. 63 Yes), the registration processing unit 622 stores the registration data, the Hamming weight HW (Mi), and the user ID in the registration data table of the first storage unit 65 (Op. 64). ). Then, the main control unit 62 ends a series of registration processes.

  On the other hand, when N1 is N2 or more (Op. 63 No), the registration processing unit 622 stores the registration data, the Hamming weight HW (Mi), and the user ID in the registration data table of the second storage unit 66 (Op. .65). Then, the main control unit 62 ends a series of registration processes.

  On the other hand, when the registration request has not been received (Op. 61 No), the main control unit 62 determines whether or not the communication unit 61 has received the authentication request (Op. 66). Here, when the authentication request has not been received (No in Op. 66), the main control unit 62 ends the series of processes.

  If the authentication request is received (Op. 66 Yes), the calculation unit 621 calculates the hamming weight HW (M ′) of the input data using the binary data included in the authentication request as input data (Op. .67). Next, the authentication processing unit 623 instructs the first verification processing unit 631 and the second verification processing unit 641 to execute verification processing. And the 1st collation process part 631 and the 2nd collation process part 641 perform a collation process (Op.68). In this embodiment, it is assumed that the matching process (FIG. 8) shown in the first embodiment is executed.

  The first verification processing unit 631 outputs the verification processing result to the authentication processing unit 623. The collation process result includes the minimum hamming distance variable HDmin1 and the minimum ID variable IDmin1 at the end of the collation process by the first collation processing unit 631. Further, the second verification processing unit 641 outputs the verification processing result to the authentication processing unit 623. Note that the collation processing result includes the minimum hamming distance variable HDmin2 and the minimum ID variable IDmin2 at the end of the collation processing by the second collation processing unit 641.

  The authentication processing unit 623 determines whether the minimum hamming distance variable HDmin1 is smaller than the minimum hamming distance variable HDmin2 (Op.69). When the minimum hamming distance variable HDmin1 is smaller than the minimum hamming distance variable HDmin2 (Op. 69 Yes), the authentication processing unit 623 determines the minimum hamming distance variable HDmin with the minimum hamming distance variable HDmin1 and minimizes the minimum ID variable IDmin. Confirm with ID variable IDmin1 (Op.70).

  On the other hand, when the minimum hamming distance variable HDmin1 is equal to or greater than the minimum hamming distance variable HDmin2 (Op. 69 No), the authentication processing unit 623 determines the minimum hamming distance variable HDmin as the minimum hamming distance variable HDmin2 and also sets the minimum ID variable IDmin. Is determined by the minimum ID variable IDmin2 (Op.71).

  Then, the authentication processing unit 623 determines whether the minimum hamming distance variable HDmin is smaller than the authentication determination threshold d (Op. 72). When the minimum hamming distance HDmin is smaller than the authentication determination threshold value d (Op. 72 Yes), the authentication processing unit 623 determines that the authentication is successful, and displays an authentication result indicating that the authentication is successful. Generate. The authentication result also includes the user ID set in the minimum ID variable IDmin. And the communication part 61 transmits the authentication result which shows that authentication was successful to the terminal device 2 (Op.73).

  On the other hand, when the minimum hamming distance HDmin is equal to or greater than the authentication determination threshold d (Op. 72 No), the authentication processing unit 623 determines that the authentication has failed and displays an authentication result indicating that the authentication has failed. Generate. Then, the communication unit 61 transmits an authentication result indicating that the authentication has failed to the terminal device 2 (Op.74). At this time, the authentication result does not include the user ID set in the minimum ID variable IDmin.

  As described above, according to this embodiment, the first verification processing unit 631 that executes the verification process with reference to the first storage unit 65 and the second verification unit that executes the verification process with reference to the second storage unit 66. The collation processing unit 641 executes collation processing in parallel. Therefore, the collation process is executed in a shorter time. As a result, the authentication processing time in the authentication device 6 is shortened.

[Fifth embodiment]
In the fifth embodiment, collation processing is executed in parallel by a plurality of collation devices. In the fifth embodiment, compared with the first to third embodiments, since the matching process is executed in parallel, it is possible to shorten the time required for the matching process and thus the authentication process.

  A system configuration according to the fifth embodiment will be described. FIG. 15 is a system configuration diagram according to the fifth embodiment. The authentication system includes a terminal device 2, an authentication device 7, a first verification device 81, and a second verification device 82. Here, two collation devices perform collation processing in cooperation with the authentication device 7, but three or more collation devices may perform collation processing in cooperation with the authentication device 7.

  The authentication device 7 and the terminal device 2 are connected via a network N. The network N is, for example, the Internet. For communication via the network N, it is desirable to apply an encrypted communication technique such as Secure Socket Layer (SSL). Further, the authentication device 7, the first verification device 81, and the second verification device 82 are also connected via the network N '. For communication via the network N ′, it is desirable to apply an encrypted communication technique such as Secure Socket Layer (SSL). Note that the network N ′ may be the same network as the network N or a different network.

  The authentication device 7 is a computer that performs authentication in response to a request from the terminal device 2. In the present embodiment, the authentication device 7 executes 1-to-N authentication. In addition, the authentication device 7 executes authentication processing and registration processing in cooperation with the first verification device 81 and the second verification device 82.

  The terminal device 2 is a computer that requests the authentication device 7 for authentication. In the present embodiment, the terminal device 2 is connected to a reading device 3 for reading biological information. For example, the reading device 3 acquires an image such as a vein or fingerprint of the user 5 and generates biometric information from the image. Then, the terminal device 2 acquires biological information from the reading device 3.

  Here, when registering the biometric information for later authentication, the terminal device 2 transmits a registration request including the binary data of the biometric information acquired from the reading device 3 to the authentication device 7. Then, the authentication device 7 outputs the received binary data of the biometric information to the first verification device 81 or the second verification device 82 as registered data. When the first verification device 81 and the second verification device 82 acquire the registration data, they are stored in their storage devices.

  On the other hand, at the time of authentication, the terminal device 2 transmits an authentication request including binary data of biometric information acquired from the reading device 3 to the authentication device 7. Then, the authentication device 7 transmits a verification request to the first verification device 81 and the second verification device 82 so as to verify the received binary data of biometric information and a plurality of registered data. The verification request includes the binary data of the biometric information received as the input data and includes the feature amount of the input data. The feature amount may be calculated by each of the first verification device 81 and the second verification device 82.

  When receiving the verification request, the first verification device 81 and the second verification device 82 execute the verification process after limiting the registration data to be verified. In the collation process, as in the fourth embodiment, any one of the collation processes of the first embodiment, the second embodiment, and the third embodiment is executed. And the authentication apparatus 7 will authenticate based on a collation result, if a collation result is received from the 1st collation apparatus 81 and the 2nd collation apparatus 82. FIG.

  FIG. 16 is a functional block diagram of the authentication device 7 and the verification device 8 according to the fifth embodiment. Here, the first verification device 81 and the second verification device 82 are collectively referred to as the verification device 8. The terminal device 2 has the same functional configuration as that of the first embodiment.

  The authentication device 7 includes a communication unit 71 and a control unit 72. In addition, you may further have a memory | storage part which memorize | stores information required for various processes. The communication unit 71 is a process for communicating with other devices, and communicates with, for example, the terminal device 2 and the verification device 8. The control unit 72 is a processing unit that controls various processes in the authentication device 7, and executes, for example, an authentication process.

  The control unit 72 includes a calculation unit 73, a registration management unit 74, and an authentication processing unit 75. When the calculation unit 73 acquires the binary data of the biological information from the terminal device 2, the calculation unit 73 calculates the feature amount of the binary data. For example, when the communication unit 71 receives a registration request, the calculation unit 73 calculates a Hamming weight for binary data of biometric information included in the registration request. On the other hand, when the communication unit 71 receives the authentication request, the calculation unit 73 calculates a Hamming weight for the binary data of the biometric information included in the authentication request. Then, the calculation unit 73 outputs the calculated result to the registration management unit 74 or the authentication processing unit 75.

  Next, when receiving a registration request from the terminal device 2, the registration management unit 74 executes a registration management process. Specifically, the registration management unit 74 outputs a registration request including the binary data included in the registration request and the feature amount calculated by the calculation unit 73 to the first verification device 81 or the second verification device 82. .

  For example, the registration management unit 74 requests registration of registered data to the collation device 8 having a smaller number of registered data. In addition, the registration management unit 74 determines the collation device 8 that stores the registration data so that the number of registration data having the same hamming weight is approximately the same in the first collation device 81 and the second collation device 82. May be. In this case, it is desirable that the authentication device 7 holds information regarding registered data to be stored for each collation device 8 that performs collation processing in cooperation.

  The authentication processing unit 75 executes authentication processing when receiving an authentication request from the terminal device 2. Specifically, the authentication processing unit 75 performs authentication in cooperation with the first verification device 81 and the second verification device 82. The authentication processing unit 75 determines that the authentication has been successful based on the collation result of each collation device, for example, when there is registration data whose difference from the input data is equal to or less than the authentication determination threshold.

  Next, the verification device 8 will be described. The collation device 8 includes a communication unit 801, a control unit 802, and a storage unit 803. The communication unit 801 is a process for communicating with another device, and communicates with the authentication device 7, for example. The control unit 802 is a processing unit that controls various processes in the collation device 8, and executes, for example, collation processing.

  The storage unit 803 is a storage unit that stores information necessary for various processes, and stores registration data, for example. In addition, the memory | storage part 803 in a 1st collation apparatus and the memory | storage part 803 in a 2nd collation apparatus memorize | store registration data exclusively. The registration data is managed by a registration data table having the same data configuration as that of the first embodiment.

  The registration processing unit 804 executes registration processing when receiving a registration request from the authentication device 7. Specifically, the registration processing unit 804 registers the binary data included in the registration request, the feature amount, and the user ID in the storage unit 803 in association with each other.

  The collation processing unit 805 executes collation processing. The specific processing content of the collation processing is the content shown in any of the first embodiment, the second embodiment, and the third embodiment. However, when the verification process of the third embodiment is executed, when the authentication determination threshold is updated in one of the verification devices, it is updated via the authentication device 7 to the other verification device. The authentication determination threshold value is notified.

  Next, a processing flow of the authentication device 7 in the fifth embodiment will be described. FIG. 17 is a process flowchart of the authentication device 7 in the fifth embodiment. About the process similar to a 4th Example, the same code | symbol is attached | subjected and description is simplified.

  First, the control unit 72 determines whether or not the communication unit 71 has received a registration request (Op. 61). When the registration request is received (Op. 61 Yes), the calculation unit 73 calculates the hamming weight HW (Mi) of the registration data (Op. 62).

  Then, the registration management unit 74 determines whether the number N1 of registration data in the first verification device 81 is smaller than the number N2 of registration data in the second verification device 82 (Op.80). When N1 is smaller than N2 (Op. 80 Yes), the registration management unit 74 transmits a registration request including registration data, a Hamming weight HW (Mi), and a user ID to the first verification device 81 (Op. 81). ). And the control part 62 complete | finishes a series of registration processes.

  On the other hand, when N1 is N2 or more (Op. 80 No), a registration request including registration data, a hamming weight HW (Mi), and a user ID is transmitted to the second verification device 82 (Op. 81). And the control part 62 complete | finishes a series of registration processes. The communication unit 71 may receive a response indicating that registration is complete.

  On the other hand, when the registration request has not been received (Op. 61 No), the control unit 72 determines whether or not the communication unit 71 has received the authentication request (Op. 66). Here, when the authentication request has not been received (Op. 66 No), the control unit 72 ends the series of processes.

  When the authentication request is received (Op. 66 Yes), the calculation unit 73 calculates the hamming weight HW (M ′) of the input data using the binary data included in the authentication request as the input data M ′. (Op. 67). Next, the authentication processing unit 75 transmits a verification request to the first verification device 81 and the second verification device 82 via the communication unit 71 (Op. 83). The matching request includes the input data M ′ and the hamming weight HW (M ′) of the input data.

  When receiving the verification request, the first verification device 81 and the second verification device 82 each execute a verification process. In this embodiment, it is assumed that the matching process (FIG. 8) shown in the first embodiment is executed. Then, the first verification device 81 transmits the verification processing result to the authentication device 7 via the communication unit 801. Note that the collation processing result includes the minimum Hamming distance variable HDmin1 and the minimum ID variable IDmin1 at the end of the collation processing by the collation processing unit 805 in the first collation device 81.

  Further, the second verification device 82 transmits the verification processing result to the authentication device 7 via the communication unit 801. Note that the collation processing result includes the minimum Hamming distance variable HDmin2 and the minimum ID variable IDmin2 at the end of the collation processing by the collation processing unit 805 in the second collation device 82.

  The authentication processing unit 75 of the authentication device 7 receives the verification processing result from the first verification device 81 and the second verification device 82 via the communication unit 71 (Op.84). In this process, the authentication processing unit 75 waits for a subsequent process until it receives processing results from both the verification apparatuses 8 of the first verification apparatus 81 and the second verification apparatus 82. In addition, when each collation apparatus 8 performs the collation process which concerns on a 3rd Example, under the control of the authentication process part 75, the value of the authentication determination threshold value d updated by one of the collation apparatuses 8 is set. And sent to the other verification device 8.

  The authentication processing unit 75 determines whether the minimum hamming distance variable HDmin1 is smaller than the minimum hamming distance variable HDmin2 (Op.69). When the minimum hamming distance variable HDmin1 is smaller than the minimum hamming distance variable HDmin2 (Op. 69 Yes), the authentication processing unit 75 determines the minimum hamming distance variable HDmin as the minimum hamming distance variable HDmin1 and minimizes the minimum ID variable IDmin. Confirm with ID variable IDmin1 (Op.70).

  On the other hand, when the minimum hamming distance variable HDmin1 is greater than or equal to the minimum hamming distance variable HDmin2 (Op. 69 No), the authentication processing unit 75 determines the minimum hamming distance variable HDmin as the minimum hamming distance variable HDmin2 and Is determined by the minimum ID variable IDmin2 (Op.71).

  And the authentication process part 75 determines whether the minimum Hamming distance variable HDmin is smaller than the authentication determination threshold value d (Op.72). When the minimum hamming distance HDmin is smaller than the authentication determination threshold d (Op. 72 Yes), the communication unit 71 transmits an authentication result indicating that the authentication is successful to the terminal device 2 (Op. 73). . On the other hand, when the minimum hamming distance HDmin is equal to or greater than the authentication determination threshold d (Op. 72 No), the communication unit 71 transmits an authentication result indicating that the authentication has failed to the terminal device 2 (Op. 74). .

  As described above, according to this embodiment, the authentication device 7, the first verification device 81, and the second verification device 82 cooperate to execute the authentication process. Therefore, the time required for the authentication process is shortened.

[Hardware configuration example]
FIG. 18 is an example of a hardware configuration of each device according to the present invention. 18 shows a hardware configuration of a computer 1000 that functions as the authentication device 1, the authentication device 1 ′, the authentication device 1 ″, the authentication device 6, and the authentication device 7. However, the terminal device 2 and the collation device 8 are also realized by a computer having the same hardware configuration.

  The computer 1000 executes authentication processing (including verification processing), and functions as any of the authentication device 1, the authentication device 1 ′, the authentication device 1 ″, the authentication device 6, and the authentication device 7 in each embodiment. A computer 1000 includes a central processing unit (CPU) 1001, a read only memory (ROM) 1002, a random access memory (RAM) 1003, a communication device 1004, a hard disk drive (HDD) 1005, an input device 1006, a display device 1007, and a medium reading device 1007. 1008, and each unit is connected to each other via a bus 1009. Each unit can exchange data with each other under the control of the CPU 1001.

  The authentication program describing the authentication process shown in the flowchart of each embodiment is recorded on a recording medium readable by the computer 1000. As for the registration process, the registration program is recorded on a recording medium readable by the computer 1000. Examples of the recording medium readable by the computer 1000 include a magnetic recording device, an optical disk, a magneto-optical recording medium, and a semiconductor memory. Examples of the magnetic recording device include an HDD, a flexible disk (FD), and a magnetic tape (MT).

  Optical discs include Digital Versatile Disc (DVD), DVD-RAM, Compact Disc-Read Only Memory (CD-ROM), and Compact Disc-Recordable / Rewritable (CD-R / RW). Magneto-optical discs (MO) are examples of magneto-optical recording media. When distributing the authentication program, for example, a portable recording medium such as a DVD or a CD-ROM in which the authentication program is recorded may be sold.

  Then, the medium reading device 1008 of the computer 1000 that executes the authentication program in which the authentication process according to each embodiment is described reads the program from the recording medium on which the authentication program is recorded. The CPU 1001 stores the read authentication program in the HDD 1005, the ROM 1002, or the RAM 1003.

  A CPU 1001 is a central processing unit that controls operation of the entire authentication apparatus according to each embodiment. Then, the CPU 1001 reads out an authentication program related to each embodiment from the HDD 1005 and executes it. The CPU 1001 functions as a control unit in each device. As described above, the program may be stored in the ROM 1002 or the RAM 1003 accessible to the CPU 1001. Next, the communication device 1004 functions as a communication unit in each device under the control of the CPU 1001.

  The HDD 1005 functions as a storage unit in each device under the management of the CPU 1001. That is, the HDD 1005 stores information necessary for registration processing and authentication processing. Similar to the program, information necessary for registration processing and authentication processing may be stored in the ROM 1002 or the RAM 1003 accessible to the CPU 1001. Further, various information generated in the course of processing is stored in the RAM 1003, for example. That is, the RAM 1003 may function as a storage unit.

  The input device 1006 accepts various inputs. The input device 1006 is, for example, a keyboard or a mouse. The display device 1007 displays various information. The display device 1007 is a display, for example.

DESCRIPTION OF SYMBOLS 1 Authentication apparatus 11 Communication part 12 Control part 13 Storage part 2 Terminal device 21 Communication part 22 Acquisition part 23 Control part 24 Display part 6 Authentication apparatus 61 Communication part 62 Main control part 63 First slave control part 64 Second slave control part 65 First storage unit 66 Second storage unit 7 Authentication device 71 Communication unit 72 Control unit 8 Verification device 801 Communication unit 802 Control unit 803 Storage unit 1000 Computer 1001 CPU
1002 ROM
1003 RAM
1004 Communication device 1005 HDD
1006 Input device 1007 Display device 1008 Medium reader 1009 Bus

Claims (10)

Computer
Receive input data to be authenticated,
A matching process with the input data is performed on registration data having a second feature amount that is within a threshold used when determining the success or failure of the authentication from the first feature amount of the input data. Authentication method. The input data and the registration data are binary data,
The authentication method according to claim 1, wherein the feature quantity is the number of 1 or 0 in the binary data. The computer further includes:
3. The process according to claim 1, wherein when the difference between the input data and the feature amount is equal to or less than the threshold value, a process of determining that the authentication for the input data is successful is executed. The authentication method described.   The authentication according to any one of claims 1 to 3, wherein when the registration request for the registration data is received, the registration data and the feature amount of the registration data are stored in association with each other. Method. In the verification process, when the difference between the input data and the registered data is equal to or less than the threshold, the threshold is changed to a new threshold according to the difference,
5. The collation processing with the input data is executed for other registered data having a third feature amount within the new threshold from the first feature amount. 6. The authentication method according to any one of the above.   The second feature value has any value from a first value obtained by subtracting the threshold value from the first feature value to a second value obtained by adding the threshold value to the first feature value. The authentication method according to any one of claims 1 to 5, wherein: The computer
7. The matching process according to claim 1, wherein the matching process is not executed for registered data having a fourth feature amount larger than the threshold value from the first feature amount. 8. Authentication method. A communication unit that receives input data to be authenticated;
A control unit that executes a collation process with the input data for registered data having a second feature amount that is within a threshold used when determining the success or failure of the authentication from the first feature amount of the input data; An authentication apparatus comprising: An authentication system including an authentication device and a verification device,
The verification device is
A first communication unit that receives input data to be authenticated;
First, a matching process with the input data is performed on registration data having a second feature amount that is within a threshold used when determining the success or failure of the authentication from the first feature amount of the input data. Control unit,
The authentication device
A second communication unit that receives a result of the verification process in the verification device;
A second control unit that executes the authentication for the input data based on the result of the matching process;
An authentication system characterized by that. On the computer,
Receive input data to be authenticated,
A process of executing a matching process with the input data for registered data having a second feature quantity that is within a threshold used when determining the success or failure of the authentication from the first feature quantity of the input data is executed. An authentication program characterized by letting

Images