JP2017009914A - Index calculation system, index calculation method, index calculation program, and verification system - Google Patents

Abstract

PROBLEM TO BE SOLVED: To provide an index calculation system, etc., with which it is possible to calculate an index that makes a safer verification process possible.SOLUTION: An index calculation system 901 has: a first index calculation unit 902 for creating, on the basis of a cryptographic key and a numerical value included in a first number sequence, an encrypted first number sequence that includes an encrypted numerical value in which a numerical value included in the first number sequence is encrypted using the cryptographic key, storing the created encrypted first number sequence in a storage unit 904, and calculating an encrypted first index that represents an encrypted value in which a first size representing the magnitude of the first number sequence is encrypted using the cryptographic key; and a second index calculation unit 903 for calculating, on the basis of the encrypted numerical value included in the encrypted first number sequence stored in the storage unit 904 and a second number sequence, an encrypted second index in which a second index representing a value derived by subtracting the first size from a value representing the degree of similarity of the first number sequence and second number sequence represents a value encrypted using the cryptographic key.SELECTED DRAWING: Figure 20

Description

  The present invention relates to an index calculation system that creates information to be referred to when collating information to be collated.

  As cloud computing (cloud) becomes widespread, services for managing data using computer resources that are communicatively connected to a communication network (hereinafter referred to as “network”) have become widespread. Since the service manages highly confidential data, the service needs to ensure that the data handled is secure.

  Research on technology that manages data in an encrypted state in a network environment where users can freely connect to a communication network (open), and performs searches, statistical processing, etc. without decrypting the data Development is underway.

  In addition, crimes using vulnerabilities in personal authentication using passwords or magnetic cards are frequent. As a result, biometric authentication technology that realizes authentication with higher safety using authentication information based on features (biometric information) of a biometric such as fingerprints or veins has attracted attention.

  In biometric authentication technology, a template is created based on biometric information, and the created template is stored in a database as authentication information. In the biometric authentication technique, an authentication target is accepted when authentication information created based on a biometric subject to authentication and a template stored in a database are similar (or coincident). In the biometric authentication technique, an authentication target is not accepted when the authentication information and the template are not similar (or coincident).

  Even if a plurality of pieces of authentication information created from a single living body, the plurality of pieces of authentication information do not necessarily match each other, but when measuring whether they are similar or not using a distance function, The distance between the plurality of authentication information is short. On the other hand, the distance between a plurality of pieces of authentication information created from different living bodies is long. The biometric authentication technology collates the template stored in the database with the authentication information created for the authentication target by using the above characteristics.

  For example, fingerprints, veins, etc. are examples of biometric information, and are data that does not change throughout life. Since the damage when the biometric information is leaked outside the verification system is significant, the biometric information is one of the information that requires confidentiality. Therefore, even if a template leaks outside the verification system, a template protection type biometric authentication technique that prevents biometric information from leaking outside is important.

  Further, in the biometric authentication technique, it is necessary to prevent a living body in which authentication information is registered from impersonating a living body different from the living body (that is, “spoofing”), as in other authentication techniques. For example, an authentication technique that succeeds in authentication by sending a specific value to a matching system is not sufficiently resistant to impersonation.

  Further, in the authentication technology, there is a risk that the communication information is wiretapped (intercepted) as well as the risk of the template leaking. In the authentication technology, even if communication information is wiretapped, it is necessary to prevent spoofing. For example, when a legitimate client succeeds in authenticating the verification system, a method in which authentication is successful by retransmitting data transmitted to the verification system by a different client is likely to be insufficient in impersonation.

  For example, the authentication method disclosed in Patent Document 1 creates a template in which the data is concealed by adding random coordinate values to the data including coordinate values representing the shape of the ridges of the fingerprint. In this method, biometric authentication is executed based on the template. However, the authentication method has a problem that biometric information is not protected with sufficient strength when biometric authentication is repeated.

  The method disclosed in Non-Patent Document 1 protects the biometric information of a client seeking authentication by using an example of public key cryptography having homomorphism regarding addition. The biometric authentication method disclosed in Non-Patent Document 1 maintains the confidentiality of biometric information stored in a server using public key cryptography having homomorphism. However, according to the biometric authentication method, when the authentication information transmitted by the client is compared with the template stored in the server, the load on the server is large. This is because each time the server collates, it is necessary to decrypt the authentication information transmitted by the client and encrypt the decrypted decryption result again. Furthermore, in the biometric authentication method, the template stored in the server is plain text that is not encrypted. That is, the template is not concealed from the server. Therefore, in the biometric authentication method, when a template leaks outside the server, there is a high possibility of “spoofing” using the leaked template. In the biometric authentication method, when the server receives a specific value representing authentication information, the server always determines that the specific value is acceptable based on the template. For this reason, it is possible for different living bodies to perform “spoofing” by transmitting the specific value.

  The ciphertext matching system disclosed in Patent Document 2 conceals registered data from a server by introducing a trusted third party intervention into the system. However, according to the ciphertext verification system, the load of a third party in the verification process is large. Further, according to the ciphertext matching system, the user is accepted as a legitimate user by transmitting a specific value to the server.

  Patent Document 3 describes a technology that reduces the load of a third party in the verification process in a system that introduces a trusted third party intervention. However, when the Euclidean distance is used as the distance index in the technique described in Patent Document 3, the size of the template increases in proportion to the fourth power of the size of the acceptable range. On the other hand, in Non-Patent Document 2, by using a public key cryptography called “Somewhat homomorphic cryptography” instead of a homomorphic cryptography, a square order of an index of the size of the range in which the template size can be accepted A technique for reducing the above is disclosed.

  Patent Document 4 describes a technology in which the size of a template does not depend on the parameter of the range of an acceptable range, and the load on a third party is small. However, in this method, the distance from the biometric information that is a target to be compared with the registered biometric information is disclosed to a third party. It is known that a malicious third party can perform an attack (hill climbing attack) by using the distance obtained at the time of collation.

JP 2006-158851 A International Publication No. 2014/185450 International Publication No. 2014/185447 International Publication No. 2012/114454

Siamak F.M. Shahandashti, Reihaneh Safavi-Naini, and Philip Ogunbona, “Private Fingerprint matching”, ACISP 2012. Pp 426-433 Higo, Isshiki, Mori, Ohana, “Secret fingerprint authentication method with small template size”, Symposium on Encryption and Information Security (SCIS2015), 2015.

  However, there is a possibility that data disclosed in Patent Document 1 to Patent Document 4, Non-Patent Document 1, or Non-Patent Document 2 that needs to ensure confidentiality may be leaked. For example, the data that needs to ensure confidentiality is the distance between the template and the target data. This is because the distance between the target data representing the authentication target and the template needs to be decrypted in the collation process, and data generated by the decryption may be leaked.

  That is, when using the technique as described above, even if the distance between the target data representing the authentication target and the template is calculated while being concealed, the concealed distance is decoded, As a result, whether the calculated value satisfies a predetermined condition determines whether to accept the target data. Therefore, according to the technique, for example, there is a possibility of being subjected to a hill climbing attack based on the decoded distance.

  Therefore, a main object of the present invention is to provide an index calculation system and the like that can calculate an index that enables safer verification processing.

In order to achieve the above object, in one aspect of the present invention, an index calculation system includes:
Based on an encryption key and a numerical value included in the first numerical value sequence, an encrypted first numerical value sequence including an encrypted numerical value obtained by encrypting the numerical value included in the first numerical value sequence using the encryption key is created. And storing the created encrypted first numerical sequence in the storage means, and a first size representing the size of the first numeric sequence representing a value encrypted using the encryption key. First index calculating means for calculating
Based on the encrypted numeric value contained in the encrypted first numeric value sequence stored in the storage means and the second numeric value sequence, the first numeric value sequence and the second numeric value sequence are similar. A second index that represents a value obtained by subtracting the first size from a value that represents a degree; and a second index calculating unit that calculates an encrypted second index that represents a value encrypted using the encryption key.

As another aspect of the present invention, the index calculation method is:
Based on an encryption key and a numerical value included in the first numerical value sequence, an encrypted first numerical value sequence including an encrypted numerical value obtained by encrypting the numerical value included in the first numerical value sequence using the encryption key is created. And storing the created encrypted first numerical sequence in the storage means, and a first size representing the size of the first numeric sequence representing a value encrypted using the encryption key. And the first numeric value sequence and the second numeric value sequence are calculated based on the encrypted numeric value and the second numeric value sequence included in the encrypted first numeric value sequence stored in the storage unit. A second index representing a value obtained by subtracting the first size from a value representing a degree of similarity calculates an encrypted second index representing a value encrypted using the encryption key.

  Further, the object is realized by such an index calculation program and a computer-readable recording medium that records the program.

  According to the index calculation system and the like according to the present invention, it is possible to calculate an index that enables a safer verification process between information to be verified and information to be referred to.

It is a block diagram which shows the structure which the collation system which concerns on the 1st Embodiment of this invention has. It is a flowchart which shows an example of the process which the collation system which concerns on 1st Embodiment performs in a preparation phase. It is a flowchart which shows an example of the process which the collation system which concerns on 1st Embodiment performs in a registration phase. It is a flowchart which shows an example of the process which the collation system which concerns on 1st Embodiment performs in a collation phase. It is a flowchart which shows an example of the process which the collation system which concerns on 1st Embodiment performs in a collation phase. It is a flowchart which shows the process in which an encryption 2nd data part calculates encryption 2nd data. It is a block diagram which shows the structure which the collation system concerning the 2nd Embodiment of this invention has. It is a flowchart which shows an example of the process which the collation system which concerns on 2nd Embodiment performs in a collation phase. It is a flowchart which shows an example of the process which the collation system which concerns on 2nd Embodiment performs in a collation phase. It is a block diagram which shows the structure which the collation system which concerns on the 3rd Embodiment of this invention has. It is a flowchart which shows an example of the process which the collation system which concerns on 3rd Embodiment performs in a collation phase. It is a flowchart which shows an example of the process which the collation system which concerns on 3rd Embodiment performs in a collation phase. It is a block diagram which shows the structure which the collation system which concerns on the 4th Embodiment of this invention has. It is a sequence diagram (flowchart) which shows an example of the process which the collation system which concerns on 4th Embodiment performs in a preparation phase. It is a sequence diagram which shows an example of the process which the collation system which concerns on 4th Embodiment performs in a registration phase. It is a sequence diagram which shows an example of the process which the collation system which concerns on 4th Embodiment performs in a collation phase. It is a sequence diagram which shows an example of the process which the collation system which concerns on 4th Embodiment performs in a collation phase. It is a block diagram which shows the structure which the collation system which concerns on the 5th Embodiment of this invention has. It is a sequence diagram which shows an example of the process which the collation system which concerns on 5th Embodiment performs in a preparation phase. It is a sequence diagram which shows an example of the process which the collation system which concerns on 5th Embodiment performs in a registration phase. It is a sequence diagram which shows an example of the process which the collation system which concerns on 5th Embodiment performs in a collation phase. It is a sequence diagram which shows an example of the process which the collation system which concerns on 5th Embodiment performs in a collation phase. It is a block diagram which shows the structure which the collation system which concerns on the 6th Embodiment of this invention has. It is a sequence diagram which shows an example of the process which the collation system which concerns on 6th Embodiment performs in a collation phase. It is a sequence diagram which shows an example of the process which the collation system which concerns on 6th Embodiment performs in a collation phase. It is a block diagram which shows the structure which the parameter | index calculation system which concerns on the 7th Embodiment of this invention has. It is a flowchart which shows the flow of a process in the parameter | index calculation system which concerns on 7th Embodiment. It is a block diagram which shows roughly the hardware structural example of the calculation processing apparatus which can implement | achieve the parameter | index calculation system (or collation system) which concerns on each embodiment of this invention.

  First, an operator used in each embodiment of the present application will be described.

  The equality operator “=” may be used in the expressions shown in the following equation numbers, but the equality operator is equivalent to the expression (value) combined using the equality operator. It represents that. Further, “...” Described in the middle of each expression indicates that the same calculation included in the middle is omitted. For example, “1+... + N” represents a sum operation of integer values from 1 to N. For example, “X (1) +... + X (N)” represents an operation of adding X (I) with respect to the integer I from 1 to N. For example, “1,..., N” represents an integer from 1 to N. Further, in the following expressions, the power operator “^” may be used. For example, Q ^ R represents Q raised to the Rth power.

  Next, in order to facilitate understanding, public key cryptography (additive homomorphic encryption) having homomorphism with respect to addition will be described.

  Public key cryptography is an algorithm that generates a public key and a secret key (key generation algorithm), an algorithm that encrypts using the generated public key (encryption algorithm), and an encryption that uses the generated secret key Including an algorithm for decrypting the encrypted data (decryption algorithm).

The key generation algorithm is a measure representing the security of encryption, and an algorithm for calculating the public key pk and the secret key sk based on the security parameter 1 ^k that is a parameter for determining the length of the public key and the secret key. It is.

  The encryption algorithm is an algorithm that receives a public key pk and a message m, and calculates a ciphertext c in which the received message m is encrypted using the received public key pk.

  The decryption algorithm is an algorithm that receives a secret key sk and a ciphertext c, and calculates a decryption result M obtained by decrypting the ciphertext c using the received secret key sk.

For convenience of explanation, it is assumed that algorithms included in public key cryptography include the following three algorithms. That is,
Key generation algorithm KeyGen: (1 ^k ) → (pk, sk),
Encryption algorithm Enc: (pk, M) → C,
Decoding algorithm Dec: (sk, C) → M,
However, 1 ^k (that is, a bit string in which 1 bits are arranged in k bits) represents a security parameter. pk represents a public key. sk represents a secret key. M represents the input message. C represents a ciphertext. Enc represents a process for encryption. Dec represents the process to decode. The left side of the operator “→” indicated by the right-pointing arrow represents an input, and the right side of the operator “→” represents an output calculated in the case of the input.

  Public key cryptography has homomorphism when the condition shown in Equation 1 is satisfied.

Enc (pk, m ₁ #m ₂ ) = Enc (pk, m ₁ ) @Enc (pk, m ₂ ) (Equation 1)
However, # and @ represent different binary operators. M ₁ and m ₂ each represent a message.

  For example, the Modified-Elgamal cipher is an example of public key cryptography in which the binary operator “@” in Equation 1 is a multiplication operator and the binary operator “#” in Equation 1 is an addition (addition) operator. is there. That is, the Modified-Elgamal cipher is an example of a public key cipher having homomorphism with respect to addition. In the Modified-Elgamal cipher, the encryption algorithm Enc satisfies the relationship shown in Equation 2.

Enc (pk, m ₁ + m ₂ ) = Enc (pk, m ₁ ) × Enc (pk, m ₂ ) (Expression 2)
However, m ₁ and m ₂ each represent a message.

  Further, in the Modified-Elmal encryption, Expression 3 is established for an arbitrary constant i using Expression 2.

Enc (pk, i × m ₁ ) = Enc (pk, m ₁ ) ⁱ (Expression 3).

  According to Equation 2, an operation is applied to a plurality of plaintexts, and then an operation order in which an encryption algorithm is applied is set to create a ciphertext in which the plaintext is encrypted, and then to the ciphertext It is possible to change the calculation order to apply the calculation. For example, after the addition operation for a plurality of plaintexts, the processing for applying the encryption algorithm applies the encryption algorithm to each of the plaintexts according to Equation 2, and as a result, the calculated ciphertext is calculated. This is equivalent to the process of calculating the product. Further, the process of applying the encryption algorithm after multiplying the plaintext by a constant is equivalent to the operation of applying the encryption algorithm to the plaintext and raising the calculated ciphertext to the power according to Equation 3.

  Note that public key cryptography including an encryption algorithm satisfying Equation 2 is called public key cryptography having homomorphism with respect to addition. The Modified-Elgamal cipher is an example of a cipher having homomorphism.

  Next, registration data and target data, which are terms used for convenience in the following description of the present specification, will be described. It is assumed that the registration data is data representing a target to be concealed. It is assumed that the target data is data representing a target to be checked against registered data. For example, when registering a client in biometric authentication, the registration data represents a feature amount created based on the biometric information of the client. For example, when authenticating a client in biometric authentication, the target data represents a feature amount created based on the biometric information of the client. For example, in biometric authentication, a feature quantity (that is, target data) created based on the biometric information of the client to be authenticated and a feature quantity created based on the biometric information of the registered client (that is, registered data) Matched. Furthermore, in biometric authentication, it is determined whether or not the client to be authenticated can be accepted (accepted) in accordance with the collation result.

  In the following description, “acceptance” indicates that, for example, when registration data and target data are similar (or match), the target data can be accepted.

  In the following description, for the sake of convenience, the processing will be described using the word “distance” in each embodiment of the present application. The distance represents, for example, a Euclidean distance calculated using an element constituting the target data and an element constituting the registration data. However, it may not be a word of distance, but may be another index (similarity indicating the degree of similarity between the target data and the registered data).

<First Embodiment>
With reference to FIG. 1, the configuration of the verification system 101 according to the first embodiment of the present invention will be described in detail. FIG. 1 is a block diagram showing a configuration of a collation system 101 according to the first embodiment of the present invention.

  The collation system 101 according to the first embodiment roughly includes a registration data device 102, a collation request device 112, a storage device 104, a collation device 119, and a verification device 124.

  The registered data device 102 has an encryption unit 103.

  The storage device 104 includes an identifier management unit 106, a registration data information storage unit 105, and a registration data search unit 107.

  The verification device 124 includes a key generation unit 108, a key storage unit 109, a verification data decryption unit 110, and a verification unit 111.

  The collation device 119 includes a collation registration information request unit 120, a collation preparation unit 121, a verification data generation unit 123, and a determination unit 122.

  The verification request device 112 includes a verification request unit 113, an encrypted second data unit 114, an encrypted second aggregation unit 115, an encrypted second mask unit 116, a verification mask unit 117, and a verification data unit 118. Have

  For convenience of explanation, it is assumed that the key storage unit 109 is a storage unit that can be referred to only by the key generation unit 108 and the verification data decryption unit 110.

  It is assumed that the registration data device 102, the verification requesting device 112, the storage device 104, the verification device 119, and the verification device 124 can communicate with each other via a communication network, for example.

  In the verification system 101, the registration data device 102 and the verification request device 112 may be collectively represented as “first node”. In the verification system 101, the storage device 104 and the verification device 119 may be collectively represented as “second node”. In the verification system 101, the verification device 124 may be represented as “third node”. That is, the collation system 101 is not limited to the mode illustrated in FIG.

  Next, processing in the collation system 101 according to the first embodiment of the present invention will be described. The processing in the verification system 101 is roughly divided into a preparation phase, a registration phase, and a verification phase. First, an overview of processing in each phase will be described.

  In the preparation phase, a public key and a secret key are mainly generated using the received security parameters.

  In the registration phase, encrypted registration information in which registration data is encrypted is created mainly using the generated public key.

  In the verification phase, encrypted second data (described later) that is referred to when calculating the distance between the registration data and the target data is calculated. Next, in the verification phase, based on the target data and the calculated ciphertext, verification data is created to verify whether the target data is acceptable while the ciphertext is encrypted. . That is, the verification data is encrypted. Further, in the verification phase, the verification data is decrypted using the secret key created in the preparation phase, and the distance is calculated using the encrypted second data included in the decrypted result. In the verification phase, it is determined whether the target data is acceptable depending on whether the calculated distance satisfies a predetermined condition.

  Next, the processing executed by the verification system 101 in each phase described above will be described in detail.

  With reference to FIG. 2, processing executed by the collation system 101 according to the present embodiment in the preparation phase will be described. FIG. 2 is a flowchart illustrating an example of processing executed by the collation system 101 according to the first embodiment in the preparation phase.

  The key generation unit 108 in the verification device 124 receives the security parameter, and generates a public key and a secret key using the received security parameter, for example, according to the key generation algorithm described above (step A1). Note that the generated public key and secret key are generated according to the key generation algorithm, and therefore conform to public key cryptography having homomorphism with respect to addition. The key generation unit 108 determines a hash function for calculating a specific value for the input value (step A2). For example, the key generation unit 108 determines a hash function by selecting a hash function from a predetermined hash function. The key generation unit 108 makes the public key and the hash function public in the verification system 101 (step A3). The key generation unit 108 stores the secret key in the key storage unit 109 (step A4).

  In addition, the process which the collation system 101 which concerns on this embodiment performs in a preparation phase is not limited to the aspect illustrated in FIG.

  Processing performed in the registration phase by the collation system 101 according to the present embodiment will be described with reference to FIG. FIG. 3 is a flowchart illustrating an example of processing executed by the matching system 101 according to the first embodiment in the registration phase.

  The encryption unit 103 in the registration data device 102 receives registration data that is a basis for creating encrypted registration information. The encryption unit 103 calculates a first index that represents a feature related to the registered data by applying a predetermined calculation to the received registered data. For example, the predetermined calculation is a function for calculating the length (size) of the registered data, and in this case, the first index is the length (size) of the registered data.

  Next, the encryption unit 103 encrypts the element included in the received registration data and the first index using a public key, thereby encrypting the element, And the encryption 1st parameter | index with which this 1st parameter | index was encrypted is calculated. The encryption unit 103 creates encryption registration information including the calculated ciphertext and the calculated first index of encryption (step B1). The encryption unit 103 transmits the created encryption registration information to the identifier management unit 106 in the verification device 119 (step B2).

  The identifier management unit 106 in the storage device 104 receives the encrypted registration information transmitted by the encryption unit 103, and creates a registration identifier that can uniquely identify the received encrypted registration information (step B3). The identifier management unit 106 creates registration data information in which the created registration identifier is associated with the received encrypted registration information, and stores the created registration data information in the registration data information storage unit 105 in the storage device 104. (Step B4). The identifier management unit 106 transmits the created registration identifier to the registration data device 102 (step B5).

  The registration data device 102 in the storage device 104 receives the registration identifier, and displays the received registration identifier on a user interface (UI) such as a display. Alternatively, the registration data device 102 may store the registration identifier in an IC (integrated_circuit) card such as an employee ID card or an identifier card. Alternatively, the identifier management unit 106 may display the created registered identifier on a user interface (UI) such as a display.

  In addition, the process which the collation system 101 which concerns on this embodiment performs in a registration phase is not limited to the aspect illustrated in FIG.

  With reference to FIG. 4A and FIG. 4B, processing executed by the matching system 101 according to the present embodiment in the matching phase will be described. 4A and 4B are flowcharts illustrating an example of processing executed by the verification system 101 according to the first embodiment in the verification phase.

  The collation request unit 113 in the collation request device 112 receives target data representing a target to be collated and a registration identifier. The verification request unit 113 creates a verification request for requesting verification of the received target data and the encrypted registration information associated with the received registration identifier (step C1). The verification request unit 113 transmits the generated verification request to the verification registration information request unit 120 in the verification device 119 (step C2). The verification request includes, for example, the registration identifier.

  The verification registration information request unit 120 in the verification device 119 receives the verification request transmitted by the verification request unit 113 and reads the registration identifier included in the received verification request. The verification registration information request unit 120 creates a registration data request for requesting encrypted registration information associated with the read registration identifier (step C3), and searches the registration data request in the storage device 104 for the created registration data request. It transmits to the part 107 (step C4). The registration data request can be realized using an aspect including the read registration identifier.

  The registration data search unit 107 in the storage device 104 receives the registration data request transmitted by the verification registration information request unit 120. The registration data search unit 107 specifies encrypted registration information associated with the registration identifier included in the received registration data request in registration data information (for example, stored in the registration data information storage unit 105). (Step C5). The registration data search unit 107 transmits the specified encrypted registration information to the verification preparation unit 121 in the verification device 119 (step C6).

  The collation preparation unit 121 in the collation device 119 receives the encrypted registration information transmitted from the registration data search unit 107. The collation preparation part 121 produces | generates a random number according to the procedure which produces | generates a pseudorandom number, for example. The verification preparation unit 121 calculates a ciphertext obtained by multiplying each element in the received encrypted registration information by the random number, and a ciphertext obtained by encrypting the random number (represented as “encrypted random number” for convenience of explanation). To do. As described in the processing related to step B1, since the encrypted registration information includes the ciphertext of each element included in the registration data, the verification preparation unit 121 performs registration in the process of calculating the ciphertext. The ciphertext is calculated with each element included in the data multiplied by a random number. That is, the collation preparation unit 121 calculates a ciphertext having a value obtained by converting each element included in the registration data using the random number. Further, as described in the processing related to step B1, since the encrypted registration information includes the encrypted first index, the collation preparation unit 121 performs the ciphertext calculation based on the encrypted first index. Encrypted first data which is a ciphertext of a value (first multiplication result) obtained by multiplying a certain first index by a random number is calculated (step C7). The collation preparation unit 121 has a first calculation unit, and the first calculation unit calculates the encrypted first data by executing the same process as the process shown in Step C7. An aspect may be sufficient.

  The collation preparation unit 121 creates collation registration information including an element representing a value obtained by encrypting the registration data among the calculated values and the encrypted random number (Step C8), and creates the collation registration information. And transmitted to the encrypted second data unit 114 in the verification requesting device 112 (step C9). Furthermore, the collation preparation unit 121 transmits the encrypted first data included in the calculated value to the verification data generation unit 123 in the collation device 119.

  The encrypted second data unit 114 in the verification requesting device 112 receives the target data and the verification registration information transmitted by the verification preparation unit 121. The encrypted second data unit 114 calculates the encrypted second data by executing the processes shown in steps S101 to S104 shown in FIG. FIG. 5 is a flowchart showing a process in which the encrypted second data unit 114 calculates the encrypted second data.

Step S101: A value is calculated according to a predetermined function for the target data.
Step S102: Multiply the encrypted random number included in the verification registration information by the value calculated in Step S101.
Step S103: “(−2) × Ith element of target data” raised to the I element (where I represents an element number) representing “element related to registration data” included in the collation registration information Calculate the value of
Step S104: A value obtained by multiplying the values calculated in Step S102 and Step S103 is calculated.

  By the processing shown in steps S101 to S104, the encrypted second data unit 114 obtains a value (second index) obtained by subtracting the size of the registration data from a value indicating the degree of similarity between the target data and the registration data. Then, a ciphertext obtained by encrypting a value (second multiplication result) obtained by multiplying the random number that is the basis of the encrypted random number is calculated. That is, the encrypted second data unit 114 calculates a ciphertext having a value obtained by converting the second index using the random number.

  The encrypted second data unit 114 creates encrypted second information including the calculated encrypted second data and the encrypted random number in the verification registration information (step C10), and the created encrypted second information is It transmits to the encryption 2nd collection part 115 in the collation request | requirement apparatus 112. FIG.

  The encrypted second aggregation unit 115 in the verification requesting device 112 receives the encrypted second information transmitted by the encrypted second data unit 114. The encrypted second aggregation unit 115 reads a threshold value t that is a criterion for determining whether or not the target data is acceptable, and an interval [−t, 0] (that is, −−, which is set based on the read threshold value t). A certain value included in the interval from t to 0) is calculated. For example, one value is an integer value. A certain value may be plural.

  Hereinafter, for convenience of explanation, it is assumed that a certain value is L (where L represents a natural number) integer values.

  The encryption second aggregation unit 115 calculates a value obtained by multiplying the encrypted random number included in the received encrypted second information by the integer value, and the calculated value and the encryption in the encrypted second information A value obtained by multiplying the second data is calculated. The encrypted second set unit 115 creates an encrypted second set including the calculated value and the encrypted second data in the received encrypted second information (step C11). The encrypted second set unit 115 transmits the created encrypted second set to the encrypted second mask unit 116 in the verification requesting device 112.

  The encrypted second mask unit 116 in the verification requesting device 112 receives the encrypted second set transmitted by the encrypted second set unit 115. The encryption second mask unit 116 calculates, for example, L random numbers according to a procedure for calculating pseudo-random numbers, and creates a mask value set (also referred to as “random number information”) including the L random numbers. The mask value set thus transmitted is transmitted to the verification mask unit 117. Further, the encryption second mask unit 116 calculates, for each element included in the received encryption second set, a value obtained by multiplying the element and one element included in the mask value set. Then, an encrypted second mask (also referred to as “encrypted reference information”) including the calculated value is created (step C12). The encrypted second mask unit 116 transmits the created encrypted second mask to the verification data unit 118 in the verification requesting device 112.

  The encrypted second mask part is also referred to as an encrypted reference information part.

  The verification mask unit 117 in the verification requesting device 112 receives the mask value set transmitted by the encrypted second mask unit 116. Next, the verification mask unit 117 calculates a hash value by applying the hash function with the received mask value set as an input. The verification mask unit 117 generates a verification mask including the calculated hash value (step C13), and transmits the generated verification mask to the verification data unit 118 in the verification request device 112.

  Hereinafter, the verification mask may be expressed as “verification information”. Further, the verification mask part may be expressed as a “verification information part”.

  The verification data unit 118 in the verification requesting device 112 receives the encrypted second mask transmitted by the encrypted second mask unit 116 and the verification mask transmitted by the verification mask unit 117. The collation data unit 118 rearranges the element order in the received second encryption set and the element order in the received verification mask according to a specific procedure. The collation data unit 118 creates collation data in which elements in the encrypted second mask after sorting and elements in the verification mask after sorting are associated (step C14). In this case, the I-th element (where I represents the element number) of the encryption second mask is associated with the I-th element of the verification mask. The collation data unit 118 transmits the created collation data to the verification data generation unit 123 in the collation device 119 (step C15).

  The verification data generation unit 123 in the verification device 119 receives the encrypted first data transmitted from the verification preparation unit 121 and the verification data transmitted from the verification data unit 118. The verification data generation unit 123 calculates, for each element of the encrypted second mask included in the received verification data, a value obtained by multiplying the element and the received encrypted first data. The verification data generation unit 123 creates verification data in which the value calculated for the first element of the encrypted second mask is associated with the first element of the verification mask included in the received verification data (step C16). The created verification data is transmitted to the verification data decoding unit 110 in the verification device 124 (step C17).

  The verification data decryption unit 110 in the verification device 124 receives the verification data transmitted from the verification data generation unit 123 and further reads the secret key from the key storage unit 109. The verification data decryption unit 110 decrypts the ciphertext included in the received verification data using the read secret key, thereby creating decrypted verification data in which the verification data is decrypted (step C18). . The verification data decoding unit 110 transmits the generated post-decryption verification data to the verification unit 111 in the verification device 124.

  The verification unit 111 in the verification device 124 receives the decrypted verification data transmitted by the verification data decoding unit 110. The verification unit 111 calculates a hash value by applying a hash function to the value decrypted by the verification data decryption unit 110 in the received decrypted verification data. The verification unit 111 compares the calculated hash value with the hash value included in the received decrypted verification data, and determines whether or not it matches the associated element. The verification unit 111 creates a verification result indicating a match when there is a matching element, and creates a verification result indicating a mismatch when there is no matching element (step C19). The verification unit 111 transmits the calculated verification result to the determination unit 122 in the verification device 119 (step C20).

  The determination unit 122 in the verification device 119 receives the verification result transmitted from the verification unit 111. When the verification result is “match”, the determination unit 122 calculates “accept” as the determination result, and when the verification result is “mismatch”, the determination unit 122 calculates “non-accept” as the determination result (step C21). ). The determination unit 122 outputs the calculated determination result (step C22).

  In addition, the process which the collation system 101 which concerns on this embodiment performs in a collation phase is not limited to the aspect illustrated by FIG. 4A and 4B.

  Next, effects related to the matching system 101 according to the first embodiment will be described.

  According to the collation system 101 according to the first embodiment, it is possible to calculate an index that enables safer collation processing between information to be collated and information to be referred to. This is because the encrypted first data and the encrypted second data that are referred to in the collation process are separately calculated by a plurality of different devices that can be connected to each other. In other words, according to the collation system 101 according to the present embodiment, the encrypted first data and the encrypted second data that can calculate the distance between the registration data and the target data are a plurality of different entities. Calculated. As a result, even if at least one of the encrypted first data and the encrypted second data is intercepted, it is impossible to restore the distance. Therefore, the encrypted first data and the encrypted second data In the matching process based on, the risk of information leakage is reduced.

  Furthermore, according to the collation system 101 according to the first embodiment, it is possible to perform further safer collation processing between information to be collated and information to be referred to. This is because, in the verification process, the first value included in the range based on the threshold value t representing the criterion for determining whether or not to accept is subtracted from the distance between the target data and the registered data. This is because the binary value can be obtained without decoding the distance. These processes are mainly executed in step C10 and step C11.

  According to the collation system 101 according to the present embodiment, only the verification device 124 can decrypt the ciphertext. Therefore, in the collation system 101, the registered data device 102, the storage device 104, the collation request device 112, and the collation The device 119 cannot refer to the decoded second value. Since the value decrypted by the verification device 124 is a value obtained by masking the second value with a random number, the verification device 124 cannot refer to the decrypted second value. As a result, the possibility of receiving a hill climbing attack that restores the template based on the decoded distance is reduced.

  Furthermore, according to the verification system 101 according to the first embodiment, even if encrypted registration information including encrypted text in which registration data is encrypted or information transmitted / received between the devices leaks, At this time, there is an effect that the data is not accepted unless the target data whose distance from the registered data is equal to or less than the threshold value is used. Furthermore, according to the collation system 101 according to the first embodiment, even if the collation request device 112 repeatedly receives the target data, it is possible to keep the distance between the target data and the registered data confidential. There is an effect.

  The effects described above can be achieved for any of the following reasons.

    The registration data information storage unit 105 in the registration data device 102 stores encrypted registration information obtained by encrypting the registration data by the encryption unit 103. That is, since the storage device 104 stores the encrypted registration information, the registration data cannot be restored.

    In the collation system 101 according to the present embodiment, since the collation apparatus 119 calculates the encrypted first data and the collation request apparatus 112 calculates the encrypted second data, the collation request apparatus 112 The collation device 119 and the storage device 104 cannot calculate the distance.

    The data calculated by the verification device 124 is data in which the distance is concealed using a hash function (used in processing in step C13, etc.), a random number, etc. (used in processing in step C11, step C12, etc.). . Therefore, according to the collation system 101 according to the first embodiment, it is difficult to estimate the distance even if this data is intercepted.

  Therefore, according to the collation system 101 according to the first embodiment, safer collation processing is possible.

<Second Embodiment>
Next, a second embodiment of the present invention based on the first embodiment described above will be described.

  In the following description, the characteristic parts according to the present embodiment will be mainly described, and the same components as those in the first embodiment described above will be denoted by the same reference numerals, and redundant description will be omitted. To do.

  With reference to FIG. 6, the configuration of the verification system 201 according to the second embodiment of the present invention will be described in detail. FIG. 6 is a block diagram showing a configuration of the collation system 201 according to the second embodiment of the present invention.

  The collation system 201 according to the second embodiment roughly includes a registration data device 102, a collation request device 212, a storage device 104, a collation device 219, and a verification device 224.

  The registered data device 102 has an encryption unit 103.

  The storage device 104 includes an identifier management unit 106, a registration data information storage unit 105, and a registration data search unit 107.

  The verification device 224 includes a key generation unit 108, a key storage unit 109, a verification data decryption unit 110, a verification unit 111, and a verification data generation unit 223.

  The collation device 219 includes a collation registration information request unit 220, a collation preparation unit 221, and a determination unit 222.

  The verification request device 212 includes a verification request unit 213, an encrypted second data unit 214, an encrypted second aggregation unit 215, an encrypted second mask unit 216, a verification mask unit 217, and a verification data unit 218. Have

  It is assumed that the registered data device 102, the verification requesting device 212, the storage device 104, the verification device 219, and the verification device 224 can communicate with each other via a communication network, for example.

  In FIG. 6, the verification system 201 exemplifies a mode including five devices, but is not limited to the mode illustrated in FIG. 6. For example, a first node including the registered data device 102 and the verification requesting device 212, a second node including the storage device 104 and the verification device 219, and a third node including the verification device 224 may be used.

  Next, processing in the verification system 201 according to the second embodiment of the present invention will be described in detail. The processing in the verification system 201 is roughly divided into a preparation phase, a registration phase, and a verification phase.

  Processing performed by the verification system 201 in each phase described above will be described in detail.

  The processing in the preparation phase related to the collation system 201 according to the present embodiment is the same as the processing in the preparation phase related to the collation system 101 according to the first embodiment. For this reason, the description regarding the process in the preparation phase regarding the collation system 201 which concerns on this embodiment is abbreviate | omitted. Furthermore, the process in the registration phase related to the collation system 201 according to the present embodiment is the same as the process in the registration phase related to the collation system 101 according to the first embodiment. For this reason, the description regarding the process in the registration phase regarding the collation system 201 which concerns on this embodiment is abbreviate | omitted.

  With reference to FIG. 7A and FIG. 7B, processing executed by the matching system 201 according to the present embodiment in the matching phase will be described. FIG. 7A and FIG. 7B are flowcharts illustrating an example of processing executed by the verification system 201 according to the second embodiment in the verification phase.

  The collation request unit 213 in the collation request device 212 receives target data representing a target to be collated and a registration identifier. The verification request unit 213 creates a verification request for requesting verification of the received target data and the encrypted registration information associated with the received registration identifier (step D1). The verification request unit 213 transmits the generated verification request to the verification registration information request unit 220 in the verification device 219 (step D2). The verification request includes, for example, the registration identifier.

  The verification registration information request unit 220 in the verification device 219 receives the verification request transmitted by the verification request unit 213, and reads the registration identifier included in the received verification request. The verification registration information request unit 220 creates a registration data request for requesting encrypted registration information associated with the read registration identifier (step D3), and searches the registration data request in the storage device 104 for the created registration data request. It transmits to the part 107 (step D4). The registration data request can be realized using an aspect including the read registration identifier.

  The registration data search unit 107 in the storage device 104 receives the registration data request transmitted by the verification registration information request unit 220. The registration data search unit 107 specifies encrypted registration information associated with the registration identifier included in the received registration data request in registration data information (for example, stored in the registration data information storage unit 105). (Step D5). The registration data search unit 107 transmits the specified encrypted registration information to the verification preparation unit 221 in the verification device 219 (step D6).

  The verification preparation unit 221 in the verification device 219 receives the encrypted registration information transmitted by the registration data search unit 107. The collation preparation part 221 produces | generates a random number according to the procedure which produces | generates a pseudorandom number, for example. The verification preparation unit 221 calculates a value obtained by multiplying each element in the received encrypted registration information by the random number and a ciphertext obtained by encrypting the random number (that is, “encrypted random number”). As described in the processing related to step B1 shown in the first embodiment, since the encrypted registration information includes the ciphertext of each element included in the registration data, the verification preparation unit 221 In the process of calculating a sentence, a ciphertext having a value obtained by multiplying each element included in the registered data by a random number is calculated. That is, the collation preparation unit 221 calculates a ciphertext having a value obtained by converting each element included in the registration data using the random number. Further, as described in the processing related to step B1, since the encrypted registration information includes the encrypted first index, the verification preparation unit 221 uses the encryption first index in the process of calculating the ciphertext. Encrypted first data which is a ciphertext having a value obtained by multiplying a certain first index by a random number is calculated (step D7). The collation preparation unit 221 creates collation registration information including an element representing the encrypted value of the registered data and the encrypted random number among the calculated values (step D8), and creates the collation registration information. Then, the data is transmitted to the encrypted second data unit 214 in the verification requesting device 212 (step D9). Further, the collation preparation unit 221 transmits the encrypted first data calculated in step D7 to the verification data generation unit 223 in the verification device 224 (step D10).

  The encrypted second data unit 214 in the verification request device 212 receives the target data and verification registration information transmitted by the verification preparation unit 221. The encrypted second data unit 214 creates encrypted second information by executing the processing shown in steps S101 to S104 described above (step D11). That is, the encrypted second information includes an encrypted random number and encrypted second data. The encrypted second data unit 214 transmits the calculated encrypted second information to the encrypted second aggregation unit 215 in the verification requesting device 212.

  The encrypted second collection unit 215 in the verification requesting device 212 receives the encrypted second information transmitted by the encrypted second data unit 214. The encryption second aggregation unit 215 reads a threshold value t indicating a criterion for determining whether or not the target data is acceptable, and an interval [−t, 0] (that is, −−, which is set based on the read threshold value t). A certain value included in the interval from t to 0) is calculated. For example, one value is an integer value. A certain value may be plural.

  Hereinafter, for convenience of explanation, it is assumed that a certain value is L (where L represents a natural number) integer values.

  The encryption second collection unit 215 calculates a value obtained by multiplying the encrypted random number included in the received encrypted second information by the integer value, and the calculated value and the encryption in the encrypted second information A value obtained by multiplying the second data is calculated. The encrypted second set unit 215 creates an encrypted second set including the calculated value and the encrypted second data in the received encrypted second information (step D12). The encrypted second set unit 215 transmits the created encrypted second set to the encrypted second mask unit 216 in the verification requesting device 212.

  The encrypted second mask unit 216 in the verification requesting device 212 receives the encrypted second set transmitted by the encrypted second set unit 215. The encryption second mask unit 216 calculates, for example, L random numbers according to a procedure for calculating pseudo-random numbers, creates a mask value set including the L random numbers, and uses the created mask value set as a verification mask. To the unit 217. Further, the encryption second mask unit 216 calculates, for each element included in the received encryption second set, a value obtained by multiplying the element and one element included in the mask value set. Then, an encrypted second mask including the calculated value is created (step D13). The encrypted second mask unit 216 transmits the created encrypted second mask to the verification data unit 218 in the verification request device 212.

  The verification mask unit 217 in the verification requesting device 212 receives the mask value set transmitted by the encrypted second mask unit 216. Next, the verification mask unit 217 calculates a hash value by applying the hash function with the received mask value set as an input. The verification mask unit 217 generates a verification mask including the calculated hash value (step D14), and transmits the generated verification mask to the verification data unit 218 in the verification request device 212.

  The verification data unit 218 in the verification request device 212 receives the encrypted second mask transmitted by the encrypted second mask unit 216 and the verification mask transmitted by the verification mask unit 217. The collation data unit 218 rearranges the element order in the received second encrypted set and the element order in the received verification mask according to a specific procedure. The collation data unit 218 creates collation data in which the element in the encrypted second mask after the rearrangement and the element in the verification mask after the rearrangement are associated (step D15). In this case, the I-th element (where I represents the element number) of the encryption second mask is associated with the I-th element of the verification mask. The verification data unit 218 transmits the generated verification data to the verification data generation unit 223 in the verification device 224 (step D16).

  The verification data generation unit 223 in the verification device 224 receives the encrypted first data transmitted from the verification preparation unit 221 and the verification data transmitted from the verification data unit 218. The verification data generation unit 223 calculates, for each element of the encrypted second mask included in the received collation data, a value obtained by multiplying the element and the received encrypted first data. The verification data generation unit 223 creates verification data in which the value calculated for the first element of the encrypted second mask is associated with the first element of the verification mask included in the received verification data (step D17). The created verification data is transmitted to the verification data decoding unit 110 in the verification device 224.

  Thereafter, processing similar to the processing shown in steps C18 to C22 is executed, and thus the description regarding steps D18 to D22 is omitted.

  Next, effects related to the verification system 201 according to the second embodiment will be described.

  According to the collation system 201 according to the second embodiment, it is possible to calculate an index that enables safer collation processing between information to be collated and information to be referred to. This is because the encrypted first data and the encrypted second data that are referred to in the collation process are separately calculated by a plurality of different devices that can be connected to each other. In other words, according to the collation system 201 according to the present embodiment, the encrypted first data and the encrypted second data that can calculate the distance between the registered data and the target data are calculated by different entities. . As a result, even if at least one of the encrypted first data and the encrypted second data is intercepted, it is impossible to restore the distance. Therefore, the encrypted first data and the encrypted second data In the matching process based on, the risk of information leakage is reduced.

  Furthermore, according to the collation system 201 according to the second embodiment, it is possible to perform further safer collation processing between information to be collated and information to be referred to. This is because, in the verification process, the first value included in the range based on the threshold value t representing the criterion for determining whether or not to accept is subtracted from the distance between the target data and the registered data. This is because the binary value can be obtained without decoding the distance. These processes are mainly executed in step D11 and step D12.

  Since only the verification device 224 can decrypt the ciphertext, in the collation system 201, the registered data device 102, the storage device 104, the collation request device 212, and the collation device 219 refer to the decrypted second value. Can not do it. Further, since the value decrypted by the verification device 224 is a value obtained by masking the second value with a random number, the verification device 224 cannot refer to the decrypted second value. As a result, the possibility of receiving a hill climbing attack that restores the template based on the decoded distance is reduced.

  Furthermore, according to the collation system 201 according to the second embodiment, even if the encrypted registration information including the ciphertext in which the registration data is encrypted or the information transmitted / received between the devices leaks, At this time, there is an effect that the data is not accepted unless the target data whose distance from the registered data is equal to or less than the threshold value is used. Furthermore, according to the collation system 201 according to the second embodiment, even if the collation requesting device 212 repeatedly receives the target data, it is possible to conceal the distance between the target data and the registered data. There is an effect.

  The effects described above can be achieved for any of the following reasons.

    The registration data information storage unit 105 in the registration data device 102 stores encrypted registration information obtained by encrypting the registration data by the encryption unit 103. That is, since the storage device 104 stores the encrypted registration information, the registration data cannot be restored.

    In the collation system 201 according to this embodiment, since the collation apparatus 219 calculates the encrypted first data and the collation request apparatus 212 calculates the encrypted second data, the collation request apparatus 212 The collation device 219 and the storage device 104 cannot calculate the distance.

    The data calculated by the verification device 224 is data in which the distance is concealed using a hash function (used in processing in step D14 or the like) or a random number (used in processing in step D13, step D14 or the like). . Therefore, according to the collation system 201 according to the second embodiment, it is difficult to estimate the distance even if this data is intercepted.

  Therefore, according to the collation system 201 according to the second embodiment, safer collation processing is possible.

<Third Embodiment>
Next, a third embodiment of the present invention based on the first embodiment described above will be described.

  In the following description, the characteristic parts according to the present embodiment will be mainly described, and the same components as those in the first embodiment described above will be denoted by the same reference numerals, and redundant description will be omitted. To do.

  With reference to FIG. 8, the configuration of the verification system 401 according to the third embodiment of the present invention will be described in detail. FIG. 8 is a block diagram showing the configuration of the collation system 401 according to the third embodiment of the present invention.

  A collation system 401 according to the third embodiment roughly includes a registration data device 102, a collation request device 412, a storage device 104, a collation device 423, and a verification device 422.

  The registered data device 102 has an encryption unit 103.

  The storage device 104 includes an identifier management unit 106, a registration data information storage unit 105, and a registration data search unit 107.

  The verification device 422 includes a key generation unit 108, a key storage unit 109, a verification data decryption unit 110, a verification unit 111, and a verification data generation unit 411.

  The collation device 423 includes a collation registration information request unit 415, a collation preparation unit 416, a determination unit 417, an encryption first aggregation unit 418, an encryption first mask unit 419, a verification mask unit 420, and collation data Part 421.

  The verification request device 412 includes a verification request unit 413 and an encrypted second data unit 414.

  It is assumed that the registration data device 102, the verification requesting device 412, the storage device 104, the verification device 423, and the verification device 422 can communicate with each other via a communication network, for example.

  In FIG. 8, the collation system 401 exemplifies a mode including five devices, but is not limited to the mode illustrated in FIG. 8. For example, a first node including the registered data device 102 and the verification requesting device 412, a second node including the storage device 104 and the verification device 423, and a third node including the verification device 422 may be used.

  Next, processing in the collation system 401 according to the third embodiment of the present invention will be described in detail. The processing in the verification system 401 is roughly divided into a preparation phase, a registration phase, and a verification phase.

  Processing performed by the verification system 401 in each phase described above will be described in detail.

  The processing in the preparation phase related to the collation system 401 according to the present embodiment is the same as the processing in the preparation phase related to the collation system 101 according to the first embodiment. For this reason, the description regarding the process in the preparation phase regarding the collation system 401 concerning this embodiment is abbreviate | omitted. Furthermore, the process in the registration phase related to the collation system 401 according to the present embodiment is the same as the process in the registration phase related to the collation system 101 according to the first embodiment. For this reason, the description regarding the process in the preparation phase regarding the collation system 401 concerning this embodiment is abbreviate | omitted.

  With reference to FIG. 9A and FIG. 9B, processing performed by the collation system 401 according to the present embodiment in the collation phase will be described. 9A and 9B are flowcharts illustrating an example of processing executed by the verification system 401 according to the third embodiment in the verification phase.

  The collation request unit 413 in the collation request device 412 receives target data representing a target to be collated and a registration identifier. The verification request unit 413 creates a verification request for requesting verification of the received target data and the encrypted registration information associated with the received registration identifier (step F1). The verification request unit 413 transmits the generated verification request to the verification registration information request unit 415 in the verification device 423 (step F2). The verification request includes, for example, the registration identifier and target data.

  The collation registration information request unit 415 in the collation device 423 receives the collation request transmitted by the collation request unit 413 and reads the registration identifier included in the received collation request. The verification registration information request unit 415 creates a registration data request for requesting encrypted registration information associated with the read registration identifier (step F3), and searches the registration data request in the storage device 104 for the created registration data request. It transmits to the part 107 (step F4). The registration data request can be realized using an aspect including the read registration identifier.

  The registration data search unit 107 in the storage device 104 receives the registration data request transmitted by the verification registration information request unit 415. The registration data search unit 107 specifies encrypted registration information associated with the registration identifier included in the received registration data request in registration data information (for example, stored in the registration data information storage unit 105). (Step F5). The registration data search unit 107 transmits the specified encrypted registration information to the collation preparation unit 416 in the collation device 423 (step F6).

  The collation preparation unit 416 in the collation device 423 receives the encrypted registration information transmitted from the registration data search unit 107. For example, the collation preparation unit 416 generates a random number according to a procedure for calculating a pseudo-random number. The verification preparation unit 416 calculates a value obtained by multiplying each element in the received encrypted registration information by the random number and a ciphertext obtained by encrypting the random number (that is, “encrypted random number”). As described in the processing related to step B1, since the encrypted registration information includes the ciphertext of each element included in the registration data, the collation preparation unit 416 performs registration in the process of calculating the ciphertext. The ciphertext is calculated with each element included in the data multiplied by a random number. That is, the collation preparation unit 416 calculates a ciphertext having a value obtained by converting each element included in the registration data using the random number. Further, as described in the processing related to step B1, since the encrypted registration information includes the encrypted first index, the collation preparing unit 416 performs the ciphertext processing based on the encrypted first index. Encrypted first data that is a ciphertext having a value obtained by multiplying a certain first index by a random number is calculated (step F7). The collation preparation unit 416 creates collation registration information including an element representing registration data encrypted among the calculated values and the encrypted random number (step F8), and creates the collation registration information. And transmitted to the encrypted second data unit 414 in the verification requesting device 412 (step F9). Further, the collation preparation unit 416 creates encrypted first data information including the encrypted first data and the encrypted random number calculated in step F7, and uses the created encrypted first data information as the collation device 423. Is transmitted to the encrypted first set unit 418.

  The encrypted second data unit 414 in the verification requesting device 412 receives the target data and verification registration information transmitted by the verification preparation unit 416. The encrypted second data unit 414 calculates the encrypted second data by executing the processes shown in steps S101 to S104 described above (step F10). That is, the encrypted second information includes the encrypted second data. The encrypted second data unit 414 transmits the calculated encrypted second data to the verification data generation unit 411 in the verification device 422 (step F11).

  Next, the encrypted first collection unit 418 in the verification device 423 receives the encrypted first data information including the encrypted first data and the encrypted random number transmitted from the verification preparation unit 416. The first encryption set unit 418 reads a threshold value t indicating a criterion for determining whether or not the target data is acceptable, and is included in the section [−t, 0] set based on the read threshold value t. A certain value is calculated. For example, one value is an integer value. A certain value may be plural.

  Hereinafter, for convenience of explanation, it is assumed that a certain value is L (where L represents a natural number) integer values.

  The first encryption unit 418 calculates a value obtained by multiplying the encrypted random number included in the received encrypted first data information by the integer value, and is included in the calculated value and the encrypted first data information. A value obtained by multiplying the encrypted first data is calculated. The encrypted first set unit 418 creates an encrypted first set including the calculated value (step F12), and transmits the created encrypted first set to the encrypted first mask unit 419 in the verification device 423. .

  The encrypted first mask unit 419 in the verification device 423 receives the encrypted first set transmitted by the encrypted first set unit 418. The encryption first mask unit 419 calculates, for example, L random numbers according to a procedure for calculating a pseudo-random number, creates a mask value set including the L random numbers, and uses the created mask value set as a collation device. It transmits to the verification mask part 420 in 423. Furthermore, the encryption first mask unit 419 calculates, for each element included in the received first encryption set, a value obtained by multiplying the element and one element included in the mask value set. Then, an encrypted first mask including the calculated value is created (step F13). The encrypted first mask unit 419 transmits the created encrypted first mask to the verification data unit 421 in the verification device 423.

  Next, the verification mask unit 420 in the verification device 423 receives the mask value set transmitted by the encrypted first mask unit 419. The verification mask unit 420 calculates a hash value by applying a hash function with the received mask value set as an input. The verification mask unit 420 generates a verification mask including the calculated hash value (step F14), and transmits the generated verification mask to the verification data unit 421 in the verification device 423.

  Next, the verification data unit 421 in the verification device 423 receives the encrypted first mask transmitted by the encrypted first mask unit 419 and the verification mask transmitted by the verification mask unit 420. The collation data unit 421 creates collation data representing the sorted result by rearranging the received encrypted first mask according to a specific procedure and further rearranging the received verification mask according to the specific procedure. (Step F15). The verification data unit 421 transmits the generated verification data to the verification data generation unit 411 in the verification device 422 (step F16).

  Next, the verification data generation unit 411 in the verification device 422 receives the verification data transmitted by the verification data unit 421 and the encrypted second data transmitted by the encrypted second data unit 414. The verification data generation unit 411 calculates a value obtained by multiplying each element of the encrypted first mask included in the received verification data by the received encrypted second data, and is included in the calculated value and the received verification data Verification data including the verification mask to be generated is created (step F17). The verification data generation unit 411 transmits the created verification data to the verification data decoding unit 110 in the verification device 422.

  Thereafter, processing similar to the processing shown in steps C18 to C22 is executed, and thus the description regarding steps F18 to F22 is omitted.

  Next, effects related to the matching system 401 according to the third embodiment will be described.

  According to the collation system 401 according to the third embodiment, it is possible to calculate an index that enables safer collation processing between information to be collated and information to be referred to. This is because the encrypted first data and the encrypted second data that are referred to in the collation process are separately calculated by a plurality of different devices that can be connected to each other. In other words, according to the collation system 401 according to the present embodiment, the encrypted first data and the encrypted second data that can calculate the distance between the registered data and the target data are calculated by different entities. . As a result, even if at least one of the encrypted first data and the encrypted second data is intercepted, it is impossible to restore the distance. Therefore, the encrypted first data and the encrypted second data In the matching process based on, the risk of information leakage is reduced.

  Furthermore, according to the collation system 401 according to the third embodiment, it is possible to perform further safer collation processing between information to be collated and information to be referred to. This is because, in the verification process, the first value included in the range based on the threshold value t representing the criterion for determining whether or not to accept is subtracted from the distance between the target data and the registered data. This is because the binary value can be obtained without decoding the distance. These processes are mainly executed in step F17.

  Since only the verification device 422 can decrypt the ciphertext, in the verification system 401, the registered data device 102, the storage device 104, the verification request device 412 and the verification device 423 refer to the decrypted second value. Can not do it. Since the value decrypted by the verification device 422 is a value obtained by masking the second value with a random number, the verification device 422 cannot refer to the decrypted second value. As a result, the possibility of receiving a hill climbing attack that restores the template based on the decoded distance is reduced.

  Furthermore, according to the collation system 401 according to the third embodiment, even if encrypted registration information including ciphertext in which registration data is encrypted or information transmitted / received between devices leaks, At this time, there is an effect that the data is not accepted unless the target data whose distance from the registered data is equal to or less than the threshold value is used. Furthermore, according to the collation system 401 according to the third embodiment, even if the collation requesting device 412 repeatedly receives the target data, it is possible to conceal the distance between the target data and the registered data. There is an effect.

  The effects described above can be achieved for any of the following reasons.

    The registration data information storage unit 105 in the registration data device 102 stores encrypted registration information obtained by encrypting the registration data by the encryption unit 103. That is, since the storage device 104 stores the encrypted registration information, the registration data cannot be restored.

In the collation system 401 according to the present embodiment, the collation request device 412 is a distributed processing mode in which the collation device 423 calculates the encrypted first data and the collation request device 412 calculates the encrypted second data. The collation device 423 and the storage device 104 cannot calculate the distance.
The data calculated by the verification device 422 is data in which the distance is concealed using a hash function (used in processing in step F14 or the like), a random number or the like (used in processing in step F13 or the like). Therefore, according to the collation system 401 according to the third embodiment, it is difficult to estimate the distance even if this data is intercepted.

  Therefore, according to the verification system 401 according to the third embodiment, safer verification processing is possible.

<Fourth Embodiment>
Next, a fourth embodiment of the present invention based on the first embodiment described above will be described.

  In the following description, the characteristic part according to the present embodiment will be mainly described.

  With reference to FIG. 10, the configuration of the matching system 501 according to the fourth embodiment of the present invention will be described in detail. FIG. 10 is a block diagram showing a configuration of a collation system 501 according to the fourth embodiment of the present invention.

  The collation system 501 according to the fourth embodiment broadly includes a registration data device 502, a collation request device 512, a storage device 504, a collation device 519, and a verification device 524.

  The registered data device 502 includes an encryption unit 503.

  The storage device 504 includes an identifier management unit 506, a registration data information storage unit 505, and a registration data search unit 507.

  The verification device 524 includes a key generation unit 508, a key storage unit 509, a verification data decryption unit 510, and a verification unit 511.

  The collation device 519 includes a collation registration information request unit 520, a collation preparation unit 521, a verification data generation unit 523, and a determination unit 522.

  The verification request device 512 includes a verification request unit 513, an encrypted second data unit 514, an encrypted second set unit 515, an encrypted second mask unit 516, a verification mask unit 517, and a verification data unit 518. Have

  It is assumed that the registration data device 502, the verification requesting device 512, the storage device 504, the verification device 519, and the verification device 524 can communicate with each other via a communication network, for example.

  In addition, in FIG. 10, although the collation system 501 illustrated the aspect containing five apparatuses, it is not limited to the aspect illustrated in FIG. For example, a first node including the registration data device 502 and the verification requesting device 512, a second node including the storage device 504 and the verification device 519, and a third node including the verification device 524 may be used.

  The collation system 501 according to the present embodiment calculates a distance between two pieces of data (for example, target data and registered data) using an n (where n is a natural number) dimensional Euclidean distance.

  Data X is expressed as (x [1], x [2],..., X [n]), and data Y is (y [1], y [2],..., Y [n]). The n-dimensional Euclidean distance D is a value calculated according to Equation 4.

D (X, Y) = (x [1] −y [1]) ^{2} + (x [2] −y [2]) ^{2} +... + (X [n] −y [n ] ^{2} (Formula 4),
However, x [i] and y [i] (1 ≦ i ≦ n) represent integers.

  For convenience of explanation, it is assumed that data X represents target data and data Y represents registered data.

  For example, the collation system 501 determines that the data X is acceptable when the distance D calculated according to Equation 4 is equal to or less than a threshold value t that represents a criterion for determining whether the target data is acceptable. . On the other hand, the collation system 501 determines that the data X is unacceptable when the distance D calculated according to Equation 4 is greater than the threshold value t.

  In the present embodiment, the processing in the verification system 501 will be described with reference to an example in which Modified-Elgamal encryption is used as public key encryption having homomorphism regarding addition. However, even in the case of other public key ciphers having homomorphism with respect to addition such as the Palier cipher, the collation system 501 according to the present embodiment performs the same process as described later, thereby performing the data X It can be determined whether or not is acceptable.

  First, the Modified-Elgal encryption will be described. The Modified-Elgamal cipher, which is one of public key ciphers, uses a public key and a key generation algorithm for generating a secret key, an encryption algorithm for encryption using the generated public key, and a generated secret key. And a decryption algorithm for decrypting the encrypted data encrypted.

  First, a key generation algorithm will be described in detail among the Modified-Elgal encryption algorithms. The key generation algorithm can be realized, for example, by the processes shown in Step P1 to Step P5.

Step P1: Receive a security parameter ^1k including a value representing the length of the key to be generated.
Step P2: Generate a group G whose order is a prime number p of k bits and its generation source g.
Step P3: g ^x (denoted as y) is calculated by randomly selecting a value x from the set Z _p and calculating the x of the generated generator g.
Step P4: A public key pk associated with the calculated group G, prime number p, generator g, and value y is calculated. The public key pk can be represented as (G, p, g, y), for example,
Step P5: Calculate the calculated public key pk and the secret key sk associated with the value x. The secret key sk can be expressed as (pk, x), for example.

However, 1 ^k (that is, a bit string in which 1 is arranged by k bits) represents a security parameter, and Z _p represents a set of integer values from 1 to (p−1). There are various methods for the processing in step P2, and these methods can also be adopted in this embodiment. Here, detailed description regarding these methods is omitted.

  Next, an encryption algorithm will be described in detail among the modified-Elgal encryption algorithms. The encryption algorithm can be realized, for example, by the processing shown in steps Q1 to Q7.

Step Q1: Receive public key pk and message m.
Step Q2: The eighth value r is randomly selected from the set Z _p .
Step Q3: Read the generator g included in the public key pk, and calculate g ^r (= c [1]) by calculating the read generator g to the power of random number r.
Step Q4: Reads the generator g included in the public key pk, by calculating the m-th power of the generator g read, calculates the g ^m,
Step Q5: Calculate y ^r by reading the value y included in the public key pk and calculating the r of the read value y.
Step Q6: Calculate y ^r × g ^m (= c [2]) by multiplying the value calculated in Step Q4 and the value calculated in Step Q5.
Step Q7: A ciphertext associated with the calculated c [1] and c [2] is calculated.

  The ciphertext c calculated according to the encryption algorithm shown in steps Q1 to Q7 can be expressed as, for example, ciphertext (c [1], c [2]). Alternatively, when the encryption algorithm is expressed as a function Enc, the processing shown in steps Q1 to Q7 can be expressed as Enc (pk, m) = (c [1], c [2]). In this case, (pk, m) represents an input, and (c [1], c [2]) represents an output. The function Enc calculates the ciphertext (c [1], c [2]) when the public key pk and the message m are input.

  A decryption algorithm among the modified-elgal encryption algorithms will be described in detail. The decoding algorithm can be realized, for example, by the processes shown in steps R1 to R3.

Step R1: Receive a secret key sk and ciphertext (c [1], c [2]).
Step R2: Read c [1] and c [2] in the received ciphertext, and read the value x in the received secret key sk.
Step R3: The decoding result M is calculated by dividing the read c [2] by the xth power of the value of c [1]. The decoding result M can be calculated, for example, by calculating according to c [2] / (c [1] ^x ).

  However, the operator “/” represents an inverse element. For example, “1 / QA” represents an inverse element of QA. Also. For example, “QA / QB” represents a value obtained by multiplying QA by the inverse of QB.

  When the decryption algorithm is expressed as a function Dec, the processing shown in steps R1 to R3 can be expressed as Dec (sk, c) = M. That is, the function Dec calculates a decryption result M obtained by decrypting the ciphertext c when the secret key sk and the ciphertext c are input.

  Furthermore, the ciphertext can be transformed by the following algorithm.

Step T1: The ciphertext (c [1], c [2]) and the deformation parameter xp are received.
Step T2: Replace the read c [1] with the value xp of c [1].
Step T3: The deformation result (c [1] ^{xp} , c [2]) is calculated.
The result of adding this modification to the ciphertext Enc (pk, m) = (c [1], c [2]) for the message m is expressed as TEnc (pk, xp, m) = (c [1] ^{xp} , c [2]). For a certain ciphertext (c [1], c [2]) and the transformation parameter xp, this algorithm and the transformation parameter ( ^p [1] ^{xp} , c [2]) When this algorithm is applied to 1 / xp, the original ciphertext (c [1], c [2]) is output.

  In each embodiment of the present invention, processing may be described using a function as described above. For example, when a function is represented as “F (X) = Y”, the function represents a process of calculating the output Y by applying the process represented by the function F to the input X.

Here, it will be described with reference to Equation 5 that the encryption process and the decryption process are appropriately executed according to the key generation algorithm, the encryption algorithm, and the decryption algorithm. Here, in order to show that the encryption process and the decryption process are appropriately executed, the ciphertext of the message m calculated according to the encryption algorithm is decrypted according to the decryption algorithm, so that g ^m Indicates that will be restored.

According to the encryption algorithm described above, a ciphertext (g ^r , y ^r × g ^m ) is calculated for the message m. When the ciphertext is processed according to the decryption algorithm, c [2] / (c [1] ^x ) is calculated as the decryption result M.

c [2] / (c [1] ^x )
= Y ^r × g ^m / ((g ^r ) ^x )
= ((G ^x ) ^r ) × g ^m / ((g ^r ) ^x )
= G ^m (Formula 5).

That is, g ^m is calculated by applying the encryption algorithm shown in steps Q1 to Q7 and the decryption algorithm shown in steps R1 to R3 to the message m. Therefore, according to the above-described key generation algorithm, encryption algorithm, and decryption algorithm, in the case of the Modified-Elgamal cipher in which the encryption process and the decryption process are appropriately executed, the addition operation for a plurality of plaintexts is This can be executed without decrypting the ciphertext obtained by encrypting the plaintext. Similarly, in the case of the Modified-Elgamal cipher, the operation of multiplying the plaintext by a constant can be executed without decrypting the ciphertext obtained by encrypting the plaintext. The reason why these operations are possible will be described with reference to Equation 6 and Equation 7.

  First, the reason why the addition operation for a plurality of plaintexts can be executed without decrypting the ciphertext obtained by encrypting the plaintext will be described.

  The public key pk is represented by (G, p, g, y), the message is represented by m, the message is represented by mp, the ciphertext obtained by encrypting the message m is represented by c, and the ciphertext obtained by encrypting the message mp is represented by cp. According to the encryption algorithm, the ciphertext c shown in Expression 6 is calculated for the message m.

c = Enc (pk, m)
= (C [1], c [2])
^{= (G r, y r ×} g m) ··· ( Equation 6).

  Further, according to the encryption algorithm, the ciphertext shown in Expression 7 is calculated for the message mp.

cp = Enc (pk, mp)
= (Cp [1], cp [2])
= (G ^rp , y ^rp × g ^mp ) (Expression 7).

  In this case, according to Equation 8, a value obtained by encrypting a value obtained by adding a plurality of plaintexts is equivalent to a value obtained by multiplying the plaintexts by the encrypted values.

Enc (pk, m) * Enc (pk, mp)
= (C [1] × cp [1], c [2] × cp [2])
= (G ^{{r + rp}} , y ^{{r + rp}} * g ^{{m + mp}} )
= Enc (pk, m + mp) (Formula 8).

      However, rp represents the eighth value for the message mp. The operator “*” represents that a value obtained by multiplying each element is calculated.

  Next, the reason why the operation of multiplying the plaintext by a constant can be executed without decrypting the ciphertext obtained by encrypting the plaintext will be described.

  Assume that the ciphertext shown in Equation 6 is calculated for the message m in accordance with the encryption algorithm. In this case, according to Equation 8, the process of encrypting the result obtained by multiplying the plaintext by a constant is equivalent to the process of multiplying the value calculated after encrypting the plaintext by the constant power.

Enc (pk, m) ⁱ
= (C [1] ⁱ , c [2] ⁱ )
= (G ^{{i × r}} , y ^{{i × r}} × g ^{{i × m}} )
= Enc (pk, i × m) (Equation 9)
However, the exponentiation with respect to the ciphertext represents an operation for exponentiation with respect to each element included in the ciphertext.

  Next, processing in the collation system 501 according to the fourth embodiment of the present invention will be described in detail. The processing in the verification system 501 roughly includes a preparation phase, a registration phase, and a verification phase.

  First, the process executed in the preparation phase by the matching system 501 according to the present embodiment will be described with reference to FIG. FIG. 11 is a sequence diagram (flow chart) illustrating an example of processing executed by the matching system 501 according to the fourth embodiment in the preparation phase.

The key generation unit 508 in the verification device 524 receives the security parameter 1 ^k . The key generation unit 508 generates the public key pk and the secret key sk using the received security parameter 1 ^k , for example, according to the key generation algorithm shown in steps P1 to P5 (step SA1). The key generation unit 508 determines a hash function H for calculating a specific value for the input value (step SA2). The key generation unit 508 makes the public key pk and the hash function H public in the verification system 501 (step SA3). The key generation unit 508 stores the secret key sk in the key storage unit 509 (step SA4).

For example, with reference to an example in which the key generation algorithm in the verification system 501 is a key generation algorithm in Modified-Elgamal encryption that is one of public key cryptosystems having homomorphism with respect to addition, the processing in the verification system 501 will be described. explain. In this case, the key generation unit 508 receives the security parameter ^{1 k.} The key generation unit 508 generates a group G that is a prime number p having an order of k bits and a generation source g related to the group G. Key generating unit 508 randomly selects a value x from a predetermined set Z _p, and calculates the multiplication x of origin g. That is, the key generation unit 508 calculates g ^x (= y). The key generation unit 508 calculates a public key pk associated with the group G, the prime number p, the generation source g, and the calculated value y. The key generation unit 508 calculates sk = (pk, x) for the public key pk and the secret key associated with the value x.

  Processing performed in the registration phase by the collation system 501 according to the present embodiment will be described with reference to FIG. FIG. 12 is a sequence diagram illustrating an example of processing executed by the matching system 501 according to the fourth embodiment in the registration phase.

  For convenience of explanation, it is assumed that the encryption unit 503 receives registration data X including a plurality of elements as shown in Expression 10.

      X = (x [1],..., X [n]) (Expression 10).

      However, n represents a natural number. x [i] (1 ≦ i ≦ n) represents a real number (for example, an integer).

  The encryption unit 503 receives the registration data X as shown in Expression 10, and calculates the first index by calculating the sum of squares of the elements included in the registration data X (Expression 11).

x [1] ^{2} +... + x [n] ^{2} (Expression 11).

  Next, the encryption unit 503 encrypts the element x [i] included in the data X, thereby encrypting the encrypted text Enc (pk, x [i]) in which the element x [i] is encrypted. calculate. The encryption unit 503 calculates the encrypted first index cc1 obtained by encrypting the first index calculated according to Equation 11 by encrypting the first index. In this case, the ciphertext calculated by the encryption unit 503 can be expressed as shown in Expression 12.

Enc (pk, x [1]) (= denoted as c1 [1]),
...
Enc (pk, x [n]) (= denoted as c1 [n]),
Enc (pk, x [1] ^{2} +... + X [n] ^{2} ) (ie, cc1) (Equation 12).

  Next, the encryption unit 503 creates encryption registration information including a value calculated according to Equation 12 (step SB1). The encryption registration information can be expressed as Equation 13.

      (C1 [1],..., C1 [n], cc1) (Equation 13).

  The encryption unit 503 transmits the created encryption registration information (Formula 13) to the collation preparation unit 521 in the collation device 519 (step (SB2-1)).

The process in step SB1 will be described using an example of the modified-Elgamal cipher that is one of public key ciphers having homomorphism with respect to addition. In this case, the encryption unit 503 selects a plurality of values (hereinafter referred to as “random numbers” for convenience of explanation) from the set Z _p . The plurality of random numbers selected by the encryption unit 503 are represented as r1 [1],..., R1 [n], and rr1.

  When receiving the data X, the encryption unit 503 calculates the sum of squares according to Equation 11. Next, the encryption unit 503 reads the generation source g and the value y from the public key pk. The encryption unit 503 calculates a value (represented as “value 7”) obtained by multiplying the read generation source g by a random number. The encryption unit 503 calculates a value obtained by multiplying the read generator y by the random power and the read generator g multiplied by the “element included in the data X” (represented as “value 5”). . Further, the encryption unit 503 multiplies the read generator y by the random power and the value obtained by multiplying the read generator g by the square sum calculated according to Equation 11 (represented as “value 6”). Is calculated. Next, the encryption unit 503 calculates a ciphertext associated with the value 6 and the value 7 (that is, a ciphertext regarding the sum of squares). That is, the encryption unit 503 calculates the ciphertext represented by Equation 14. That is, the encryption unit 503 creates the ciphertext shown in Expression 14 for the data X using the public key pk.

(G ^{{r1 [1]}} , y ^{{r1 [1]}} × g ^{{x [1]}} ) (that is, Enc (pk, x [1]). For convenience of explanation, it is expressed as c1 [1]. ),
...
(G ^{{r1 [n]}} , y ^{{r1 [n]}} × g ^{{x [n]}} ) (that is, Enc (pk, x [n]). For convenience of explanation, it is expressed as c1 [n]. ),
(G ^{rr1} , y ^{rr1} × g ^{{x [1] ^ {2} +... + X [n] ^ {2}}} ) (ie, Enc (pk, x [1] ^{2} + ... + X [n] ^{2} ) (for convenience of description, expressed as cc1) (Expression 14).

  Next, the encryption unit 503 creates encryption registration information including a value calculated according to Equation 14 (step SB1). The encryption unit 503 transmits the created encryption registration information (for example, Expression 13) to the identifier management unit 506 in the verification device 519 (step (SB2-1)).

  The identifier management unit 506 in the storage device 504 receives the encrypted registration information transmitted by the encryption unit 503 (step (SB2-2)), and creates a registration identifier that can uniquely identify the received encrypted registration information. (Step SB3). The identifier management unit 506 creates registration data information in which the created registration identifier is associated with the received encrypted registration information, and stores the created registration data information in the registration data information storage unit 505 in the storage device 504. (Step SB4). The identifier management unit 506 transmits the created registration identifier to the registration data device 502 (step (SB5-1)).

  The registration data device 502 in the storage device 504 receives the registration identifier (step (SB5-2)), and displays the received registration identifier on a user interface (UI) such as a display (step SB6). Alternatively, the registration data device 502 may store the registration identifier in an IC (integrated_circuit) card such as an employee ID card or an identifier card. Further, the identifier management unit 506 may display the created registered identifier.

  In addition, the process which the collation system 501 which concerns on this embodiment performs in a registration phase is not limited to the aspect illustrated in FIG.

  With reference to FIG. 13A and FIG. 13B, processing executed by the matching system 501 according to the present embodiment in the matching phase will be described. 13A and 13B are sequence diagrams illustrating an example of processing executed by the matching system 501 according to the fourth embodiment in the matching phase.

  The collation request unit 513 in the collation request apparatus 512 receives target data representing a target to be collated and a registration identifier. The collation request unit 513 creates a collation request for requesting collation between the received target data and the encrypted registration information associated with the received registration identifier (step SC1). The verification request unit 513 transmits the generated verification request to the verification registration information request unit 520 in the verification device 519 (step (SC2-1)). The verification request includes, for example, the registration identifier.

  The verification registration information request unit 520 in the verification device 519 receives the verification request transmitted by the verification request unit 513 (step (SC2-2)) and reads the registration identifier included in the received verification request. The verification registration information request unit 520 creates a registration data request for requesting encrypted registration information associated with the read registration identifier (step SC3), and searches the registration data request in the storage device 504 for the registration data request thus created. It transmits to the part 507 (step (SC4-1)). The registration data request can be realized using an aspect including the read registration identifier.

  The registration data search unit 507 in the storage device 504 receives the registration data request transmitted by the verification registration information request unit 520 (step (SC4-2)). The registration data search unit 507 specifies encrypted registration information associated with the registration identifier included in the received registration data request in registration data information (for example, stored in the registration data information storage unit 505). (Step SC5). The registration data search unit 507 transmits the specified encrypted registration information to the verification preparation unit 521 in the verification device 519 (step (SC6-1)).

The collation preparation unit 521 in the collation device 519 receives the encrypted registration information (formula 13) transmitted by the registration data search unit 507 (step (SC6-2)). Next, for example, according to a procedure for generating a pseudo-random number, the collation preparation unit 521 calculates a value S (hereinafter referred to as a random number S), and calculates a ciphertext obtained by encrypting the random number S using the public key pk. To do. Furthermore, the collation preparation unit 521 calculates the random number S power of each element included in the encryption registration information. That is, the collation preparation unit 521 calculates c1 [i] ^{S} (where 1 ≦ i ≦ n) and encrypted first data cc1 ^{S} (step SC7).

  Through the process shown in step SC7, the collation preparation unit 521 relates to the elements included in the data X that is the basis for calculating the encrypted registration information and the sum of squares calculated according to the equation 11 with respect to the data X, respectively. A value (equation 15) obtained by encrypting the value multiplied by the random number S using the public key pk is calculated.

Enc (pk, S) (denoted as c2 [0]),
Enc (pk, S × x [1]) (denoted as c2 [1]),
...
Enc (pk, S × x [n]) (denoted as c2 [n]),
Enc (pk, S × (x [1] ^{2} +... + X [n] ^{2} )) (represented as cc2 or “encrypted first data”) (Equation 15).

  The collation preparation unit 521 creates collation / registration information including the element related to the encrypted registration information and the ciphertext obtained by encrypting the random number S in the calculated value (Formula 15) (step SC8). The verification registration information can be expressed using the form shown in Expression 16.

      (C2 [0], c2 [1],..., C2 [n]) (Expression 16).

  The collation preparation unit 521 transmits the created collation registration information to the encrypted second data unit 514 in the collation requesting device 512 (step (SC9-1)). Further, the collation preparation unit 521 transmits the encrypted first data included in the calculated value to the verification data generation unit 523 in the collation device 519.

For example, the process in step SC7 will be described using an example of the modified-elgamal cipher that is one of public key ciphers having homomorphism with respect to addition. In this case, the verification preparation unit 521, from the set Z _p, the value (hereinafter, for convenience of explanation, expressed. A "random number") to select. The random number selected by the collation preparation unit 521 in this process is represented as r2 [0]. Furthermore, the collation preparation unit 521 generates a random number S according to a procedure for generating a pseudo-random number.

The collation preparation unit 521 reads the generation source g and the value y from the public key pk. Collation preparation unit 521, from among the set _{Z p,} choose a random number xp. The collation preparation unit 521 calculates the value of the read generator g to the power of r2 [0]. The collation preparation unit 521 calculates a value obtained by multiplying the read generation source y by the r2 [0] power and a value obtained by multiplying the read generation source g by the S power. The collation preparation unit 521 creates a ciphertext in which the two calculated values are associated with each other. That is, the collation preparation unit 521 calculates a value TEnc (pk, p, S) obtained by encrypting the random number S using the public key pk through these processes.

  The ciphertext calculated by the collation preparation unit 521 can also be expressed as shown in Expression 17.

(G ^{{xp × r2 [0]}} , y ^{{r2 [0]}} × g ^{S} )
= TEnc (pk, xp, S) (ie, c2 [0]) (Expression 17).

  Next, the collation preparation unit 521 calculates a value obtained by multiplying the value of the element included in the registration data by the random number S power with respect to the encrypted registration information including the ciphertext represented by Expression 13. By this processing, the collation preparation unit 521 has multiplied the random number S with respect to the elements included in the data X that is the basis for calculating the registration data and the sum of squares calculated according to the equation 11 with respect to the data X. The value is encrypted using the public keys pk and xp.

  The value calculated by the collation preparation unit 521 through the above processing can be expressed as in Expression 18.

(C1 [1] [1] ^{{xp × S}} , c1 [1] [2] ^{S} ) (ie, TEnc (pk, xp, S × x [1]), c2 [1]),
...
(C1 [n] [1] ^{{xp × S}} , c1 [n] [2] ^{S} ) (ie, TEnc (pk, xp, S × x [n]), c2 [n]),
(Cc1 [1] ^{{xp × S}} , cc1 [2] ^{S} ) (ie, TEnc (pk, xp, S × (x [1] ^{2} +... + X [n] ^{2} ) , Cc2) (Equation 18).

      However, the ciphertext c1 [i] is (c1 [i] [1], c1 [i] [2]). i represents a natural number.

  The collation preparation unit 521 creates collation registration information (c2 [0], c2 [1],..., C2 [n]) including values calculated according to Equation 15 (step SC8). The collation preparation unit 521 transmits the created collation registration information to the encrypted second data unit 514 in the collation requesting device 512 (step (SC9-1)). Further, the collation preparation unit 521 transmits the calculated encrypted first data (in the case of using the Modified-Elgamal cipher, the random number xp is added to the encrypted first data) to the verification data generation unit 523 in the collation device 519. To do.

  The encrypted second data unit 514 in the verification requesting device 512 receives the target data Y representing the target to be verified and the verification registration information (Equation 16) transmitted by the verification preparation unit 521 (step (SC9-2)). .

  For convenience of explanation, it is assumed that the target data Y includes a plurality of elements (formula 19), similarly to the registration data described above. Furthermore, it is assumed that the elements included in the registration data and the elements included in the target data are associated with each other so that they can be compared with each other. For example, according to the association, the I-th element (where I is a natural number) in the registered data and the I-th element in the target data are associated.

    Y = (y [1], y [2],..., Y [n]) (Equation 19).

  The association is not necessarily limited to the example described above.

  The encrypted second data unit 514, based on the received target data Y and the data X that is the basis for calculating the matching registration information based on the received matching registration information, and the distance between the target data Y, A ciphertext (represented as “encrypted second index”) obtained by encrypting a value (second index) obtained by subtracting the length of data X is calculated (step SC10).

  For example, the process in step SC10 will be described using an example of the modified-elgamal cipher that is one of public key ciphers having homomorphism with respect to addition.

  In this case, the encrypted second data unit 514 calculates the length of the target data Y, for example, by calculating the square sum of the elements included in the received target data Y. Next, the encrypted second data unit 514 reads the 0th element (that is, the value obtained by encrypting the random number S) included in the verification registration information shown in Expression 16, and the read 0th element A value obtained by multiplying the value by “the length” is calculated. In this case, the value calculated by the encrypted second data unit 514 can be expressed as shown in Equation 20.

(C2 [0] [1] ^{{y [1] ^ {2} +... + Y [n] ^ {2}}} , c2 [0] [2] ^{{y [1] ^ {2} +. + Y [n] ^ {2}}} ) (Equation 20).

    However, the ciphertext c2 [i] is (c2 [i] [1], c2 [i] [2]). i represents an integer value of 0 or more.

According to Expression 15, Expression 20 is equivalent to Enc (pk, S × {y [1] ^{2} +... + Y [n] ^{2} }).

  Next, the encrypted second data unit 514 reads the i-th element included in the verification registration information, reads the i-th element included in the target data Y, and reads the i-th element included in the verification registration information. The value obtained by multiplying the i element by “−2 × the i th element included in the target data Y” is calculated. However, i represents a natural number. In this case, the value calculated by the encrypted second data unit 514 can be expressed as shown in Equation 21.

(C2 [i] [1] ^{{−2 × y [i]}} , c2 [i] [2] ^{{−2 × y [i]}} ) (Expression 21).

  According to Equation 15, Equation 21 is equivalent to Enc (pk, −2 × S × x [i] × y [i]).

  Next, the encrypted second data unit 514 calculates a value (Expression 22) obtained by multiplying the value calculated according to Expression 21 by the value calculated regarding the 0th element.

(C2 [0] [1] ^{{y [1] ^ {2} +... + Y [n] ^ {2}}} × c2 [1] [1] ^{{−2 × y [1]}} ×. * C2 [n] [1] ^{{-2 * y [n]}} , c2 [0] [2] ^{{y [1] ^ {2} + ... + y [n] ^ {2}}} xc2 [1] [2] ^{{−2 × y [1]}} ×... × c2 [n] [2] ^{{−2 × y [n]}} ) (Expression 22).

Equation 22 is
Enc (pk, S × {y [1] ^{2} +... + Y [n] ^{2} }) * Enc (pk, −2 × S × x [1] × y [1]) * * Enc (pk, -2 x S x x [n] x y [n]),
Is equivalent to That is, Equation 22 is
Enc (pk, −2 × S × (x [1] × y [1] +... + X [n] × y [n]) + S × (y [1] ^{2} +... + Y [n ] ^{2} ))
Is equivalent to

  For convenience of explanation, the ciphertext calculated according to Equation 22 is expressed as encrypted second data “cc3”.

  The encrypted second data unit 514 in the verification requesting device 512 includes an encrypted text (that is, an encrypted random number) c2 [0] in which the random number in the verification registration information is encrypted, and the calculated encrypted second data cc3. Encrypted second information including is created, and the created encrypted second information is transmitted to the encrypted second aggregation unit 515. The encrypted second information can be expressed as, for example, (c2 [0], cc3).

In the following description, for convenience of description, “−2 × (x [1] × y [1] +... + X [n] × y [n]) + (y [1] ^{2} + ... + Y [n] ^{2} ) ”may be expressed as D2 (X, Y).

  The encrypted second collection unit 515 in the verification requesting device 512 receives the encrypted second information transmitted by the encrypted second data unit 514. The second encryption set unit 515 reads a threshold value t representing a criterion for determining whether or not the target data is acceptable, and calculates a value included in the section divided based on the read threshold value t. For example, the encryption second aggregation unit 515 calculates an integer value ranging from “−t” to “−1”. Next, the encrypted second aggregation unit 515 calculates the power of the integer value of the encrypted random number c2 [0] included in the received encrypted second information, and further, the encryption included in the encrypted second information The value multiplied by the second data cc3 is calculated. The encrypted second set unit 515 creates an encrypted second set including the calculated value.

  The second set of encryption is a value obtained by subtracting the size of the target data Y from the distance between the target data Y and the data X, and each (S × i) (where S × i) (however, The value obtained by subtracting (i is an integer from 1 to t) is encrypted. That is, the encrypted second set includes the value shown in Expression 23.

Enc (pk, −2 × S × (x [1] × y [1] +... + X [n] × y [n]) + S × (y [1] ^{2} +... + Y [n ] ^{2} )-S × 1) (hereinafter referred to as cc4 [1]),
...
Enc (pk, −2 × S × (x [1] × y [1] +... + X [n] × y [n]) + S × (y [1] ^{2} +... + Y [n ] ^{2} ) − S × t) (hereinafter referred to as cc4 [t]) (Formula 23).

  In addition, the encrypted second set unit 515 further creates a new encrypted second set in which the encrypted second data cc3 in the encrypted second information is added to the encrypted second set ( Step SC11).

  For convenience of explanation, the encrypted second data cc3 is represented as cc4 [0]. In this case, the encrypted second set calculated by the encrypted second set unit 515 can be expressed using, for example, the form shown in Expression 24.

    (Cc4 [0],..., Cc4 [t]) (Equation 24).

  The encrypted second set unit 515 transmits the created encrypted second set to the encrypted second mask unit 516 in the verification requesting device 512.

  For example, the process in step SC11 will be described using an example of a modified-elgamal cipher that is one of public key ciphers having homomorphism with respect to addition. In this case, the encrypted second aggregation unit 515 receives the encrypted second information (c2 [0], cc3). Next, the second encryption unit 515 reads the threshold value t, and with respect to the encrypted random number c2 [0] included in the second encryption information, the power of each integer value ranging from “−t” to “−1”. Is calculated. Next, the encrypted second aggregation unit 515 calculates a value (that is, ciphertext) obtained by multiplying the calculated value by the encrypted second data cc3.

  The process in which the encryption 2nd collection part 515 calculates a ciphertext can be represented as Formula 25, for example.

(Cc3 [0] × c2 [0] [1] ^{−1} , cc3 [1] × c2 [0] [2] ^{−1} ),
(Cc3 [0] × c2 [0] [1] ^{{− 2}} , cc3 [1] × c2 [0] [2] ^{{− 2}} ),
...
(Cc3 [0] × c2 [0] [1] ^{{− t}} , cc3 [1] × c2 [0] [2] ^{{− t}} )) (Equation 25).

  Note that Expression 25 is equivalent to Expression 26. Note that u represents an integer value from “−t” to “−1”.

(Cc3 [0] × c2 [0] [1] ^{{− u}} , cc3 [1] × c2 [0] [2] ^{{− u}} )
= Enc (pk, -2 * S * (x [1] * y [1] + ... + x [n] * y [n]) + S * (y [1] ^{2} + ... + y [ n] ^{2} )) x Enc (pk, S) ^{-u}
= Enc (pk, -2 * S * (x [1] * y [1] + ... + x [n] * y [n]) + S * (y [1] ^{2} + ... + y [ n] ^{2} ) × Enc (pk, −u × S)
= Enc (pk, -2 * S * (x [1] y [1] + ... + x [n] y [n]) + S * (y [1] ^{2} + ... + y [n] ^{2} )-S × u) (Equation 26).

  The encrypted second set unit 515 creates an encrypted second set (Equation 24) that includes the value calculated by the process shown in Equation 25, and encrypts the created encrypted second set in the verification requesting device 512. It transmits to the 2nd mask part 516.

  The encrypted second mask unit 516 in the verification requesting device 512 receives the encrypted second set transmitted by the encrypted second set unit 515. Next, the encrypted second mask unit 516 calculates (t + 1) random numbers R [0],..., R [t], for example, according to a procedure for calculating pseudo-random numbers. In this case, the encryption second mask unit 516 may create a mask value set (R [0],..., R [t]) including the calculated random number.

  Next, the encryption second mask unit 516 encrypts the random number R [i] calculated by encrypting the calculated random number R [i] (where 0 ≦ i ≦ t) using the public key pk. The encrypted ciphertext Enc (pk, R [i]) is generated. The encrypted second mask unit 516 multiplies the ciphertext cc4 [i] included in the received second encrypted set by the calculated ciphertext Enc (pk, R [i]) (formula 27). ) Is calculated.

    Enc (pk, R [i]) * cc4 [i] (Equation 27).

  Equation 27 is equivalent to Equation 28.

Enc (pk, R [i]) * cc4 [i]
= Enc (pk, R [i]) * Enc (pk, -2 × S × (x [1] × y [1] +... + X [n] × y [n]) + S × (y [1 ] ^{2} +... + Y [n] ^{2} ) − S × i)
= Enc (pk, -2 * S * (x [1] * y [1] + ... + x [n] * y [n]) + S * (y [1] ^{2} + ... + y [ n] ^{2} ) − S × i + R [i]) (Equation 28).

  Hereinafter, the value (ciphertext) calculated according to Equation 27 is represented as cc5 [i].

  More specifically, the encrypted second mask unit 516 calculates a value according to Equation 29.

Enc (pk, −2 × S × (x [1] × y [1] +... + X [n] × y [n]) + S × (y [1] ^{2} +... + Y [n ] ^{2} )-S × 0 + R [0]),
...
Enc (pk, −2 × S × (x [1] × y [1] +... + X [n] × y [n]) + S × (y [1] ^{2} +... + Y [n ^{2} )-S × t + R [t]) (Equation 29)
The encryption second mask unit 516 creates an encryption second mask including the calculated value (Formula 27) (step SC12).

  The process in step SC12 will be described using an example of Modified-Elgamal cipher that is one of public key ciphers having homomorphism with respect to addition.

In the case of this example, the encrypted second mask unit 516 receives the encrypted second set transmitted by the encrypted second set unit 515. Next, the encrypted second mask unit 516 calculates (t + 1) random numbers R [0],..., R [t], for example, according to a procedure for generating pseudo-random numbers. Next, the encryption second mask unit 516 reads the generation source g from the public key pk, and calculates the generation source g by a random number R [i] raised to the value g ^{{R [i]}} (where 0 ≦ i ≦ t) is calculated. Next, the encryption second mask unit 516 calculates a value (Equation 31) obtained by multiplying the second term of the ciphertext cc4 [i] included in the received encryption second set by the calculated value. To do.

(Cc4 [0] [1], cc4 [0] [2] × g ^{{R [0]}} ),
...
(Cc4 [t] [1], cc4 [t] [2] × g ^{{R [t]}} ) (Expression 31).

Note that (cc4 [i] [1], cc4 [i] [2] × g ^{{R [i]}} ) shown in Expression 31 is equivalent to the expression shown in Expression 32.

TEnc (pk, xp, −2 × S × (x [1] × y [1] +... + X [n] × y [n]) + S × (y [1] ^{2} +. [N] ^{2} ) − S × i) * TEnc (pk, 0, R [i])
= TEnc (pk, xp, -2 x S x (x [1] x y [1] + ... + x [n] x y [n]) + S x (y [1] ^{2} + ... + Y [n] ^{2} ) − S × i + R [i]) (Formula 32).

  Therefore, in this case, the set of values shown in Equation 31 is equivalent to the set of values shown in Equation 33.

(Cc4 [0] [1], cc4 [0] [2] × g ^{{R [0]}} )
= TEnc (pk, xp, -2 x S x (x [1] x y [1] + ... + x [n] x y [n]) + S x (y [1] ^{2} + ... + Y [n] ^{2} ) − S × 0 + R [0])
= Cc5 [0],
...
(Cc4 [t] [1], cc4 [t] [2] × g ^{{R [t]}} )
= TEnc (pk, xp, -2 x S x (x [1] x y [1] + ... + x [n] x y [n]) + S x (y [1] ^{2} + ... + Y [n] ^{2} ) − S × t + R [t])
= Cc5 [t] (Expression 33).

  The encryption second mask unit 516 creates an encryption second mask (cc5 [1],... Cc5 [t]) that includes the value calculated according to Equation 31, and compares the created encryption second mask. The data is transmitted to the verification data unit 518 in the requesting device 512. The encrypted second mask unit 516 transmits the mask value set (R [0],..., R [t]) to the verification mask unit 517.

  Note that cc5 [i] representing the value calculated using Expression 27 can be expressed as Expression 34 using the value D2 (X, Y).

cc5 [i]
= Enc (pk, -2 * S * (x [1] * y [1] + ... + x [n] * y [n]) + S * (y [1] ^{2} + ... + y [ n] ^{2} ) − S × i + R [i])
= Enc (pk, S × D2 (X, Y) −S × i + R [i]) (Expression 34).

The verification mask unit 517 receives the mask value set (R [0],..., R [t]) transmitted by the encrypted second mask unit 516. The verification mask unit 517 reads the generator g included in the public key pk, and the read generator g is R for each of the values (represented by random numbers R [i]) included in the mask value set. [I] The value multiplied is calculated. However, 0 ≦ i ≦ t. Next, the verification mask unit 517 uses the calculated value as an input and applies the hash function H to thereby apply a hash value H (g ^{{R [i]}} ) (hereinafter referred to as h1 [i]) to the value. Is calculated. That is, the hash value H (g ^{{R [i]}} ) calculated by the verification mask unit 517 can also be described as Expression 35.

H (g ^{{R [0]}} ),
...
H (g ^{{R [t]}} ) (Formula 35).

  The verification mask unit 517 creates a verification mask including the calculated hash value (step SC13). For example, the verification mask calculated by the verification mask unit 517 can be expressed as Expression 36.

      (H1 [0],..., H1 [t]) (Expression 36).

  The verification mask unit 517 transmits the created verification mask to the verification data unit 518 in the verification request device 512.

  The verification data unit 518 in the verification requesting device 512 includes the encrypted second mask (cc5 [0],..., Cc5 [t]) transmitted by the encrypted second aggregation unit 515 and the verification mask unit 517. Receive the verification mask.

  The collation data unit 518 randomly creates a permutation π relating to values ranging from 0 to t (hereinafter referred to as [0, t]). The permutation π, that is, the condition that π (i) is an element of [0, t] for any integer i included in the interval [0, t], and each of the conditions included in the interval [0, t] The condition that π (i) does not overlap is satisfied for the integer i.

  Next, the collation data unit 518 rearranges the order of the elements included in the received encrypted second mask according to the created permutation π, and further includes the received verification mask according to the created permutation π. Rearrange the order of the active elements.

  For convenience of explanation, a process for rearranging the order of elements included in the encrypted second mask in accordance with the generated permutation π is represented as cc5 [π (i)]. A process of rearranging the order of elements included in the received verification mask according to the generated permutation π is represented as h1 [π (i)]. Also, cc5 [π (i)] is represented as cc6 [i], and h1 [π (i)] is represented as h2 [i].

  In this case, according to Expression 34, cc6 [i] can be expressed as Expression 37 using the value D2 (X, Y).

      Enc (pk, S × D2 (X, Y) −S × π (i) + R [π (i)]) (Expression 37)

  Next, the collation data unit 518 creates information including the calculated cc6 [i] and the calculated h2 [i], and further stores the information regarding i included in the section [0, t]. Including verification data is created (step SC14). The collation data created by the collation data unit 518 can be expressed using, for example, the mode shown in Expression 38.

  ((Cc6 [0], h2 [0]),..., (Cc6 [t], h2 [t])) (Equation 38).

  The collation data unit 518 transmits the created collation data (for example, the value shown in Expression 38) to the verification data generation unit 523 in the collation device 519 (step (SC15-1)).

  The verification data generation unit 523 in the verification device 519 includes the encrypted first data cc2 (for example, Equation 15) transmitted by the verification preparation unit 521 and the verification data (for example, shown in Equation 38) transmitted by the verification data unit 518. (Step (SC15-2)). The verification data generation unit 523 reads cc6 [i] (where 0 ≦ i ≦ t) included in the received collation data, and the read cc6 [i] and the received encrypted first data cc2 The multiplied value (formula 39) is calculated.

Enc (pk, S × (x [1] ^{2} +... + X [n] ^{2} )) * Enc (pk, S × D2 (X, Y) −S × π (i) + R [π (I)]) (Equation 39).

  The value (formula 39) calculated by the verification data generation unit 523 is equivalent to the formula 40.

Enc (pk, S × (x [1] ^{2} +... + X [n] ^{2} ) + S × D2 (X, Y) −S × π (i) + R [π (i)])
= Enc (pk, S × ((x [1] ^{2} +... + X [n] ^{2} ) −2 × (x [1] × y [1] +... + X [n] × y [n]) + S × (y [1] ^{2} +... + y [n] ^{2} )) − S × π (i) + R [π (i)])
= Enc (pk, S × ((x [1] −y [1]) ^{2} +... + (X [n] −y [n]) ^{2} ) −S × π (i) + R [Π (i)]) (Equation 40).

Therefore, by expressing “(x [1] −y [1]) ^{2} +... + (X [n] −y [n]) ^{2} )” as D (X, Y), Equation 40 is equivalent to Equation 41.

      Enc (pk, S × D (X, Y) −S × π (i) + R [π (i)]) (Formula 41).

  For convenience of explanation, the value shown in Expression 39 is expressed as cc7 [i].

  That is, for i satisfying 0 ≦ i ≦ t, the verification data generation unit 523 calculates the value shown in Expression 42.

Enc (pk, S × D (X, y) −S × π (0) + R [π (0)]),
...
Enc (pk, S × D (X, y) −S × π (t) + R [π (t)]) (Formula 42).

  The verification data generation unit 523 creates information (cc7 [i], h2 [i]) in which the calculated cc7 [i] is associated with h2 [i] included in the received verification data. The verification data generation unit 523 generates verification data including the generated information for i satisfying 0 ≦ i ≦ t (step SC16). For example, the verification data created by the verification data generation unit 523 can be expressed in the form shown in Expression 43.

      ((Cc7 [0], h2 [0]),..., (Cc7 [t], h2 [t])) (Expression 43).

  The verification data decoding unit 510 transmits the created verification data to the verification data decoding unit 510 in the verification device 524 (step (SC17-1)).

  The process in step SC16 will be described using an example of the modified-Elgamal cipher that is one of public key ciphers having homomorphism with respect to addition. In this case, the verification data generation unit 523 receives the random number xp from the verification preparation unit 521 in addition to the encrypted first data cc2. The cc6 [i] (where 0 ≦ i ≦ t) included in the received verification data is read, the read cc6 [i] is transformed by the transformation parameter 1 / xp, and the received encrypted first data A value obtained by multiplying cc2 (that is, TEnc (pk, 1 / xp, cc2) * cc6 [i]) is calculated. Accordingly, for i satisfying 0 ≦ i ≦ t, the verification data generation unit 523 calculates the value shown in Expression 44.

(Cc2 [1] ^{{1 / xp}} × cc6 [0] [1] ^{{1 / xp}} , cc2 [2] × cc6 [0] [2]) (This value is Enc (pk, S × D ( X, y) −S × π (0) + R [π (0)])),
...
(Cc2 [1] ^{{1 / xp}} × cc6 [t] [1] ^{{1 / xp}} , cc2 [2] × cc6 [0] [2]) (This value is Enc (pk, S × D ( X, y) −S × π (t) + R [π (t)])) (formula 44).

  The verification data generation unit 523 creates information in which the calculated cc7 [i] is associated with h2 [i] included in the received verification data. The verification data generation unit 523 generates verification data including the generated information for i satisfying 0 ≦ i ≦ t (step SC16). The verification data generation unit 523 transmits the created verification data (for example, Expression 43) to the verification data decoding unit 510 in the verification device 524 (step (SC17-1)).

  The verification data decryption unit 510 in the verification device 524 receives the verification data transmitted by the verification data generation unit 523 (step (SC17-2)), and further reads the secret key sk from the key storage unit 509. Next, the verification data decryption unit 510 reads the ciphertext cc7 [i] (where 0 ≦ i ≦ t) included in the received verification data, and uses the read ciphertext cc7 [i] as the secret key sk. Decode using The process Dec in which the verification data decryption unit 510 decrypts the ciphertext cc7 [i] using the secret key sk can be expressed in the form shown in Expression 45.

      Dec (sk, cc7 [i]) (Formula 45).

  For convenience of explanation, the value shown in Expression 45 is represented as dd1 [i].

  That is, the verification data decoding unit 510 calculates the value shown in Expression 46 by the above-described processing.

Dec (sk, cc7 [0]),
...
Dec (sk, cc7 [t]) (Formula 46).

  The verification data decoding unit 510 creates information in which the calculated dd1 [i] is associated with h2 [i] included in the verification data. Next, the verification data decoding unit 510 generates post-decryption verification data including information generated regarding i satisfying 0 ≦ i ≦ t (step SC18). The post-decryption verification data created by the verification data decoding unit 510 can be expressed according to the form shown in Equation 47, for example.

      ((Dd1 [0], h2 [0]),..., (Dd1 [t], h2 [t])) (Expression 47).

  For example, the process in step SC17 will be described using an example of the Modified-Elgamal cipher as a public key cipher having homomorphism regarding addition. The verification data decryption unit 510 decrypts cc7 [i] using the value x read from the secret key sk. That is, the procedure processed by the verification data decoding unit 510 can be expressed as shown in Expression 48.

cc7 [0] [2] / (cc7 [0] [1] ^{x} ),
...
cc7 [t] [2] / (cc7 [t] [1] ^{x} ) (Formula 48).

  The verification data decoding unit 510 transmits the created post-decryption verification data to the verification unit 511 in the verification device 524.

  The verification unit 511 in the verification device 524 receives the decrypted verification data (formula 47) transmitted by the verification data decoding unit 510. The verification unit 511 reads dd1 [i] for i satisfying 0 ≦ i ≦ t from the received decrypted verification data, and a value H (dd1 [i]) obtained by applying the hash function H to the read dd1 [i]. ) Is calculated.

  Next, the verification unit 511 reads h2 [i] from the post-decryption verification data for i where 0 ≦ i ≦ t, and whether the read h2 [i] matches the calculated H (dd1 [i]). Determine whether or not.

  The verification unit 511 displays a verification result indicating “match” when h2 [i] and H (dd1 [i]) match for at least one i among 0 ≦ i ≦ t. create. Otherwise, the verification unit 511 creates a verification result indicating “mismatch” (step SC19).

  The verification unit 511 transmits the calculated verification result to the determination unit 522 in the verification device 519 (step (SC20-1)).

  The determination unit 522 in the verification device 519 receives the verification result transmitted by the verification unit 511 (step (SC20-2)). When the verification result is “match”, the determination unit 522 calculates “accept” as the determination result, and when the verification result is “mismatch”, the determination unit 522 calculates “non-accept” as the determination result (step SC21). ). The determination unit 522 may output the calculated determination result (step SC22).

  Next, effects related to the matching system 501 according to the fourth embodiment will be described.

  According to the collation system 501 according to the fourth embodiment, it is possible to calculate an index that enables safer collation processing between information to be collated and information to be referred to. Furthermore, according to the collation system 501 according to the fourth embodiment, it is possible to perform further safer collation processing between information to be collated and information to be referred to. This is because the collation system 501 according to the fourth embodiment includes the configuration of the collation system 101 according to the first embodiment.

  Furthermore, according to the collation system 501 according to the fourth embodiment, even if the encrypted registration information including the ciphertext in which the registration data is encrypted or the information transmitted / received between the devices leaks, At this time, there is an effect that the data is not accepted unless the target data whose distance from the registered data is equal to or less than the threshold value is used. Furthermore, according to the collation system 501 according to the fourth embodiment, even if the collation requesting device 512 repeatedly receives the target data, it is possible to conceal the distance between the target data and the registered data. There is also an effect.

  This is because the configuration of the verification system 501 according to the fourth embodiment includes the configuration of the verification system 101 according to the first embodiment.

  Furthermore, according to the collation system 501 according to the fourth embodiment, there is an effect that the processing load in the collation system 501 is small.

  This is because the amount of information included in the encrypted registration information is small. That is, when the registration data includes n elements, the encryption registration information is encrypted text with (n + 1) elements encrypted when the registration data includes n elements.

  In the present embodiment, an example of the Euclidean distance has been described. However, the present embodiment can be easily applied to other distances (for example, a Hamming distance, a Mahalanobis distance, etc.).

<Fifth Embodiment>
Next, a fifth embodiment of the present invention based on the above-described second embodiment will be described.

  In the following description, the characteristic parts according to the present embodiment will be mainly described, and the same reference numerals will be given to the same configurations as those in the second embodiment or the fourth embodiment described above. Therefore, the overlapping description is omitted.

  With reference to FIG. 14, the configuration of the verification system 601 according to the fifth exemplary embodiment of the present invention will be described in detail. FIG. 14 is a block diagram showing a configuration of a collation system 601 according to the fifth embodiment of the present invention.

  A collation system 601 according to the fifth embodiment roughly includes a registration data device 502, a collation request device 612, a storage device 504, a collation device 619, and a verification device 624.

  The registered data device 502 includes an encryption unit 503.

  The storage device 504 includes an identifier management unit 506, a registration data information storage unit 505, and a registration data search unit 507.

  The verification device 624 includes a key generation unit 508, a key storage unit 509, a verification data decryption unit 510, a verification unit 511, and a verification data generation unit 623.

  The collation device 619 includes a collation registration information request unit 620, a collation preparation unit 621, and a determination unit 622.

  The verification request device 612 includes a verification request unit 613, an encrypted second data unit 614, an encrypted second set unit 615, an encrypted second mask unit 616, a verification mask unit 617, and a verification data unit 618. Have

  It is assumed that the registration data device 502, the verification requesting device 612, the storage device 504, the verification device 619, and the verification device 624 can communicate with each other via a communication network, for example.

  In the present embodiment, a process in the matching system 601 according to the present embodiment will be described with reference to an example in the case of an n-dimensional Euclidean distance as a distance. Further, in the present embodiment, the processing will be described with reference to an example in the case of using the Modified-Elgamal cipher as a public key cipher having homomorphism with respect to the addition. You may use the encryption which has. In the present embodiment, the n-dimensional Euclidean distance and the Modified-Elgamal cipher are the same as the n-dimensional Euclidean distance and the Modified-Elgamal cipher in the fourth embodiment, and thus description thereof is omitted.

  Next, processing in the collation system 601 according to the fifth exemplary embodiment of the present invention will be described in detail. The processing in the verification system 601 roughly includes a preparation phase, a registration phase, and a verification phase.

  First, the process executed in the preparation phase by the collation system 601 according to the present embodiment will be described with reference to FIG. FIG. 15 is a flowchart (sequence diagram) illustrating an example of processing executed by the matching system 601 according to the fifth embodiment in the preparation phase.

The key generation unit 508 in the verification device 624 receives security parameters 1 ^k, in accordance with public key encryption with homomorphism respect additive, the public key pk using the security parameter 1 ^k received, and generates a secret key sk (Step TA1). Note that the generated public key and secret key are generated according to the key generation algorithm, and therefore conform to public key cryptography having homomorphism with respect to addition. Further, the key generation unit 508 determines a hash function H for calculating a specific value for the input value (step TA2). The key generation unit 508 discloses the created hash function H and the generated public key to each unit in the verification system 601 (step TA3). The key generation unit 508 stores the generated secret key in the key storage unit 509 (step TA4).

  For example, the process in step TA1 will be described with reference to an example in which the key generation algorithm is a key generation algorithm in Modified-Elgamal cipher that is one of public key ciphers having homomorphism regarding addition.

The key generation unit 508 receives the security parameter ^{1 k.} Next, the key generation unit 508 generates a group G that is a prime number p having a rank of k bits and a generation source g related to the group G based on the received security parameter 1 ^k . The key generation unit 508, selects from among Z _p values x randomly calculates the multiplication x of origin g. That is, the key generation unit 508 calculates g ^x (= y). The key generation unit 508 calculates a public key pk associated with the group G, the prime number p, the generation source g, and the calculated value y (step TA1). The key generation unit 508 calculates (pk, x) associated with the public key pk and the value x as the secret key sk (step TA1).

  Next, processing executed in the registration phase by the collation system 601 according to the present embodiment will be described with reference to FIG. FIG. 16 is a sequence diagram illustrating an example of processing executed by the matching system 601 according to the fifth embodiment in the registration phase.

  The encryption unit 503 in the registered data device 502 receives data X including a plurality of elements as shown in Expression 10. The encryption unit 503 calculates the sum of squares of the elements included in the received data X (Formula 11). Next, the encryption unit 503 encrypts the elements included in the data X and the calculated sum of squares using the public key pk. Next, the encryption unit 503 creates encrypted registration information (Formula 13) associated with the value calculated according to Formula 12 (Step TB1).

Step TB1 will be described in detail. The encryption unit 503 selects a plurality of values (hereinafter referred to as “random numbers” for convenience of explanation) from the set Z _p . The plurality of random numbers selected by the encryption unit 503 are represented as r1 [1],..., R1 [n], and rr1.

  When receiving the data X, the encryption unit 503 calculates the sum of squares according to Equation 11. Next, the encryption unit 503 reads the generation source g and the value y from the public key pk. The encryption unit 503 calculates a value (represented as “value 7”) obtained by multiplying the read generation source g by a random number. The encryption unit 503 calculates a value obtained by multiplying the read generator y by the random power and the value obtained by multiplying the read generator g by the “element included in the data X” (represented as “value 5”). ). Further, the encryption unit 503 multiplies the read generator y by the random power and the value obtained by multiplying the read generator g by the “square sum calculated according to Equation 11” (represented as “value 6”). ) Is calculated. Next, the encryption unit 503 calculates a ciphertext associated with the value 5 and the value 7 (that is, a ciphertext regarding the sum of squares). That is, the encryption unit 503 calculates the ciphertext represented by Expression 12. The encryption unit 503 creates encryption registration information (Formula 13) including the two ciphertexts (step TB1). The encryption unit 503 transmits the created encryption registration information to the identifier management unit 506 in the verification device 619 (step (TB2-1)).

  The identifier management unit 506 in the storage device 504 receives the encrypted registration information transmitted by the encryption unit 503 (step (TB2-2)), and creates a registration identifier that can uniquely identify the received encrypted registration information. (Step TB3). The identifier management unit 506 creates registration data information in which the created registration identifier is associated with the received encrypted registration information, and stores the created registration data information in the registration data information storage unit 505 in the storage device 504. (Step TB4). The identifier management unit 506 transmits the created registration identifier to the registration data device 502 (step (TB5-1)).

  The registration data device 502 in the storage device 504 receives the registration identifier (step (TB5-2)), and displays the received registration identifier on a user interface (UI) such as a display (step TB6). Alternatively, the registration data device 502 may store the registration identifier in an IC (integrated_circuit) card such as an employee ID card or an identifier card. Further, the identifier management unit 506 may display the created registered identifier.

  In addition, the process which the collation system 601 which concerns on this embodiment performs in a registration phase is not limited to the aspect illustrated in FIG.

  With reference to FIG. 17A and FIG. 17B, processing executed by the matching system 601 according to the present embodiment in the matching phase will be described. FIG. 17A and FIG. 17B are sequence diagrams illustrating an example of processing executed by the collation system 601 according to the fifth embodiment in the collation phase.

  The collation request unit 613 in the collation request device 612 receives target data representing a target to be collated and a registration identifier. The collation request unit 613 creates a collation request for requesting collation between the received target data and the encrypted registration information associated with the received registration identifier (step SD1). The verification request unit 613 transmits the generated verification request to the verification registration information request unit 620 in the verification device 619 (step (SD2-1)). The verification request includes, for example, the registration identifier.

  The verification registration information request unit 620 in the verification device 619 receives the verification request transmitted by the verification request unit 613 (step (SD2-2)), and reads the registration identifier included in the received verification request. The verification registration information request unit 620 creates a registration data request for requesting encrypted registration information associated with the read registration identifier (step SD3), and searches the registration data request in the storage device 504 for the registration data request. It transmits to the part 507 (step (SD4-1)). The registration data request can be realized using an aspect including the read registration identifier.

  The registration data search unit 507 in the storage device 504 receives the registration data request transmitted by the verification registration information request unit 620 (step (SD4-2)). The registration data search unit 507 specifies encrypted registration information associated with the registration identifier included in the received registration data request in registration data information (for example, stored in the registration data information storage unit 505). (Step SD5). The registration data search unit 507 transmits the specified encrypted registration information to the collation preparation unit 621 in the collation device 619 (step (SD6-1)).

  The collation preparation unit 621 in the collation device 619 receives the encrypted registration information (formula 13) transmitted by the registration data search unit 507 (step (SD6-2)). For example, the collation preparation unit 621 generates a value S (hereinafter referred to as a random number S) according to a procedure for generating a pseudo-random number. The collation preparation unit 621 calculates a value obtained by raising each element included in the encrypted registration information to the value S and a ciphertext obtained by encrypting the random number (that is, “encrypted random number”). By this processing, the collation preparation unit 621 encrypts the encrypted data obtained by multiplying the registration data that is the basis of the encrypted registration information by “value S”, and the size of the registration data is “value”. A ciphertext obtained by encrypting the value multiplied by “S” (that is, “encrypted first data”) is calculated (step SD7). The collation preparation unit 621 creates collation registration information including a ciphertext having a value obtained by multiplying each value of the registration data among the calculated values by “value S” and the calculated encrypted random number (step SD8). The created verification registration information is transmitted to the encrypted second data unit 614 in the verification requesting device 612 (step (SD9-1)). Furthermore, the collation preparation unit 621 generates a ciphertext (ie, “encrypted first data”) having a value obtained by multiplying the size of the registered data by “value S” among the values calculated in step SD7. It transmits to the verification data generation part 623 in 624 (step (SD10-1)).

For example, step SD7 and step SD8 will be described in detail with reference to an example of a modified-Elgamal cipher that is one of public key ciphers having homomorphism with respect to addition. In this case, the verification preparation unit 621, from the set Z _p, the value (hereinafter, for convenience of explanation, referred to as "random number") to select. A plurality of random numbers selected by the encryption unit 503 in this process is represented as r2 [0]. Furthermore, the collation preparation part 621 produces | generates the random number S according to the procedure which produces | generates a pseudorandom number, for example.

  The collation preparation unit 621 reads the generation source g and the value y from the public key pk. The encryption unit 503 calculates the value of the read generator g to the power of r2 [0]. The collation preparation unit 621 calculates a value obtained by multiplying the read generator y by the r2 [0] power and the read generator g multiplied by S. The collation preparation unit 621 creates a ciphertext in which the two calculated values are associated. That is, the collation preparation unit 621 calculates the ciphertext Enc (pk, S) (formula 49, that is, the encrypted random number) obtained by encrypting the random number S using the public key pk through these processes.

(G ^{{r2 [0]}} , y ^{{r2 [0]}} × g ^{S} )
= Enc (pk, S) (ie, c2 [0]) (Equation 49).

  Next, the collation preparation unit 621 calculates a value (Formula 50) obtained by multiplying the value of the element included in the registration data by a random number S to the collation registration information including the ciphertext represented by Formula 16.

(C1 [1] [1] ^{S} , c1 [1] [2] ^{S} ) (ie, Enc (pk, S × x [1]), c2 [1]),
...
(C1 [n] [1] ^{S} , c1 [n] [2] ^{S} ) (ie, Enc (pk, S × x [n]), c2 [n]),
(Cc1 [1] ^{S} , cc1 [2] ^{S} ) (ie, Enc (pk, S × (x [1] ^{2} +... + X [n] ^{2} ), cc2). (Equation 50)

      However, the ciphertext c1 [i] is (c1 [i] [1], c1 [i] [2]). i represents a natural number.

  By this processing, the collation preparation unit 621 has multiplied the random number S with respect to the elements included in the data X that is the basis for calculating the registration data and the sum of squares calculated according to the expression 11 with respect to the data X. A value (expression 15) whose value is encrypted using the public key pk is calculated (step SD7). The collation preparation unit 621 creates collation registration information (Formula 16) including the calculated value (Formula 15) (Step SD8). Through step SD7, the collation preparation unit 621 also calculates encrypted first data (cc2 in Expression 15) obtained by encrypting the value obtained by multiplying the square sum by S.

  The encrypted second data unit 614 in the verification requesting device 612 receives the target data Y and the verification registration information transmitted by the verification preparation unit 621 (step (SD9-2)). The encrypted second data unit 614 creates the encrypted second information (c2 [0], cc3) by executing the processing shown in steps S101 to S104 described above (step SD11). That is, the encrypted second information includes the encrypted random number c2 [0] and the encrypted second data cc3.

  For example, the process shown in step SD11 will be described with reference to an example of a modified-Elgamal cipher that is one of public key ciphers having homomorphism with respect to addition.

  In this case, the encrypted second data unit 614 calculates the size of the received target data Y, for example, by calculating the square sum of each element in the received data Y (Equation 19). Next, the encrypted second data unit 614 reads the encrypted random number c2 [0] in the verification registration information shown in Expression 16, and the value obtained by multiplying the read encrypted random number by the magnitude (Expression 20). ) Is calculated.

  Next, the encrypted second data unit 614 reads the i-th element included in the verification registration information and reads the i-th element included in the target data Y. The encrypted second data unit 614 is a value obtained by multiplying the i-th element included in the verification registration information (Expression 16) by “−2 × the i-th element included in the target data Y” (Expression 21). Is calculated. However, i represents a natural number.

  The encrypted second data unit 614 creates encrypted second information (c2 [0], cc3) including the encrypted random number c2 [0] and the calculated encrypted second data cc3 (Equation 22). The encrypted second data unit 614 transmits the created encrypted second information to the encrypted second aggregation unit 615 in the verification requesting device 612.

  The encrypted second aggregation unit 615 in the verification requesting device 612 receives the encrypted second information (c2 [0], cc3) transmitted by the encrypted second data unit 614. The second encryption set unit 615 reads the threshold value t and calculates an integer value from “−t” to “−1”. Next, the encrypted second aggregation unit 615 calculates the power of the integer of the encrypted random number c2 [0] in the received encrypted second information. By this process, the second set of encryption is each value (S × i) (where i is from −t to −1) from (S × (−t)) to (S × (−1)). A value obtained by encrypting (integer) is calculated. The encrypted second set is multiplied by each calculated value and the encrypted second data cc3 (Equation 23). The encrypted second set unit 615 creates an encrypted second set (Equation 24) including the calculated values (step SD12). The encrypted second mask unit 616 transmits the created mask value set and the created encrypted second set to the encrypted second mask unit 616 in the verification requesting device 612.

  For example, the processing in step SD12 will be described using an example of the modified-elgamal cipher that is one of public key ciphers having homomorphism with respect to addition. In this case, the encrypted second aggregation unit 615 receives the encrypted second information (c2 [0], cc3). Next, the second encryption set unit 615 reads the threshold value t, and with respect to the encrypted random number c2 [0] in the second encrypted information, a power of each integer value from “−t” to “−1”. Is calculated. Next, the encrypted second aggregation unit 615 calculates a value obtained by multiplying the calculated value by the encrypted second data cc3 in the encrypted second information (Formula 25). The encrypted second set unit 615 creates an encrypted second set (cc4 [0],..., Cc4 [t]) including the calculated value (step SD12). The encrypted second set unit 615 transmits the created encrypted second set to the encrypted second mask unit 616 in the verification requesting device 612.

  The encrypted second mask unit 616 in the verification requesting device 612 receives the encrypted second set transmitted by the encrypted second set unit 615. The encrypted second mask unit 616 calculates (t + 1) random numbers R [0],..., R [t], for example, according to a procedure for calculating pseudo-random numbers. In this case, the encrypted second mask unit 616 may create a mask value set (R [0],..., R [t]) associated with the calculated random number. Next, the encryption second mask unit 616 encrypts the calculated random number R [i] (where 0 ≦ i ≦ t) using the public key pk, thereby encrypting the random number R [i]. The encrypted ciphertext Enc (pk, R [i]) is generated. Next, the encryption second mask unit 616 multiplies the element cc4 [i] included in the received encryption second set by the calculated ciphertext Enc (pk, R [i]) ( Equation 27) is calculated. That is, the encrypted second mask unit 616 calculates the value shown in Equation 29 according to Equation 27 for i where 1 ≦ i ≦ n. The encryption second mask unit 616 creates an encryption second mask (cc5 [0],..., Cc5 [t]) including the calculated value (Equation 29) (step SD13). The encrypted second mask unit 616 transmits the created encrypted second mask to the verification data unit 618 in the verification request device 612. The encrypted second mask unit 616 transmits the mask value set (R [0],..., R [t]) to the verification mask unit 617.

The process in step SD13 will be described using an example of the modified-elgamal cipher that is one of the public key ciphers having homomorphism with respect to the addition. In this example, the encryption second mask unit 616 performs the encryption process. The second set 615 receives the encrypted second set transmitted. Next, the encrypted second mask unit 616 calculates (t + 1) random numbers R [0],..., R [t], for example, according to a procedure for calculating pseudo-random numbers. Next, the encryption second mask unit 616 calculates the calculated random number R [i] (where 0 ≦ i ≦ t), and encrypts the calculated value using the public key pk, thereby generating a random number. Enc (pk, R [i]) in which R [i] is encrypted is created. That is, the encrypted second mask portion 616, selected from the public key pk, and a generator g, reads the value y, the eighth value ru [i] from the set _{Z p.} Next, the encrypted second mask unit 616 creates Enc (pk, R [i]) in which the random number R [i] is encrypted according to Equation 51.

(G ^{{ru [i]}} , y ^{{ru [i]}} × g ^{{R [i]}} )
= Enc (pk, R [i]) (Formula 51).

  Next, the encryption second mask unit 616 multiplies the ciphertext cc4 [i] included in the received second set of encryption by the calculated ciphertext Enc (pk, R [i]). (Formula 52) is calculated.

cc4 [0] * Enc (pk, R [0]),
...
cc4 [t] * Enc (pk, R [t]) (Formula 52).

  The encryption second mask unit 616 in the verification requesting device 612 generates an encryption second mask (cc5 [1],... Cc5 [t]) including the calculated value (step SD13), and the generated encryption The second mask is transmitted to the collation data unit 618 in the collation requesting device 612. The encrypted second mask unit 616 transmits the mask value set (R [0],..., R [t]) to the verification mask unit 617 in the verification requesting device 612.

The verification mask unit 617 in the verification requesting device 612 receives the mask value set (R [0],..., R [t]) transmitted by the encrypted second mask unit 616. The verification mask unit 617 reads the generator g included in the public key pk, and the read generator g is R for each of the values (represented as random numbers R [i]) included in the mask value set. [I] The value multiplied is calculated. By this processing, the verification mask unit 617 calculates a ciphertext in which the random number R [i] is encrypted. However, 0 ≦ i ≦ t. Next, the verification mask unit 617 calculates a hash value H (g ^{{R [i]}} ) (= h1 [i]) for the value by applying the hash function H with the calculated ciphertext as an input. . That is, the verification mask unit 617 calculates a hash value (Formula 35) related to the ciphertext. The verification mask unit 617 creates a verification mask (h1 [0],..., H1 [t]) including the calculated hash value (step SD14). The verification mask unit 617 transmits the created verification mask to the verification data unit 618 in the verification request device 612.

  The verification data unit 618 in the verification requesting device 612 receives the encrypted second mask (cc5 [0],..., Cc5 [t]) transmitted by the encrypted second aggregation unit 615. The collation data unit 618 further receives the verification mask (h1 [0],..., H1 [t]) transmitted by the verification mask unit 617.

  The collation data unit 618 randomly creates a permutation π relating to values ranging from 0 to t (hereinafter referred to as [0, t]). Next, the collation data unit 618 rearranges the order of elements included in the received encrypted second set according to the generated permutation π, and is included in the received verification mask according to the generated permutation π. Rearrange the order of elements. By this processing, the collation data unit 618 has rearranged the order in the second encryption set (cc6 [0],..., Cc6 [t]), and has rearranged the order in the verification mask ( h2 [0],..., h2 [t]) are calculated.

  Next, the collation data unit 618 creates information in which the calculated cc6 [i] and the calculated h2 [i] are associated with each other, and regarding i included in the section [0, t], Collation data (formula 38) including information is created (step SD15). The verification data unit 618 transmits the generated verification data to the verification data generation unit 623 in the verification device 624 (step (SD16-1)).

  The verification data generation unit 623 in the verification device 624 receives the encrypted first data cc2 transmitted from the verification preparation unit 621 (step (SD10-2)), and further, verification data transmitted from the verification data unit 618 (for example, (Value shown in Expression 38) is received (step (SD16-2)). For example, the verification data generation unit 623 reads the value cc6 [i] (where 0 ≦ i ≦ t) included in the received collation data, and the read value cc6 [i] and the received encrypted first A value cc7 [i] (formula 39) obtained by multiplying the data cc2 is calculated.

  The verification data generation unit 623 creates information (cc7 [i], h2 [i]) in which the calculated value cc7 [i] is associated with h2 [i] included in the received verification data. The verification data generation unit 623 generates verification data (formula 43) including the generated information for i satisfying 0 ≦ i ≦ t (step SD17).

  For example, the processing in step SD17 will be described using an example of Modified-Elgamal cipher that is one of public key ciphers having homomorphism regarding addition. In this case, the verification data generation unit 623 reads the value cc6 [i] (where 0 ≦ i ≦ t) included in the received verification data, and the read value cc6 [i] and the received encryption A value obtained by multiplying the first data cc2 (that is, cc2 * cc6 [i]) is calculated. Therefore, for i satisfying 0 ≦ i ≦ t, the verification data generation unit 623 calculates the value shown in Expression 39 (that is, cc7 [0] to cc7 [t]).

  The verification data generation unit 623 creates information (cc7 [i], h2 [i]) in which the calculated cc7 [i] is associated with h2 [i] included in the received verification data. The verification data generation unit 623 generates verification data including the generated information for i satisfying 0 ≦ i ≦ t. The verification data generation unit 623 transmits the created verification data (for example, Expression 43) to the verification data decoding unit 510 in the verification device 624.

  The verification data decryption unit 510 in the verification device 624 receives the verification data (for example, Expression 43) transmitted from the verification data generation unit 623 and reads the secret key sk from the key storage unit 509. Next, the verification data decryption unit 510 reads the ciphertext cc7 [i] (where 0 ≦ i ≦ t) included in the verification data, and reads the ciphertext cc7 [i] read using the secret key sk. By decoding, the value dd1 [i] (formula 45) is calculated.

  The verification data decoding unit 510 in the verification device 624 creates information (dd1 [i], h2 [i]) in which the calculated dd1 [i] is associated with h2 [i] included in the verification data. . Next, the verification data decoding unit 510 generates post-decoding verification data (formula 47) including information generated for i satisfying 0 ≦ i ≦ t (step SD17). The verification data generation unit 623 transmits the created post-decryption verification data to the verification unit 511 in the verification device 624.

  Thereafter, processing similar to that shown in steps SC18 to SC22 is executed, and thus the description regarding steps SD18 to SD22 is omitted.

  Next, effects related to the matching system 601 according to the fifth embodiment will be described.

  According to the collation system 601 according to the fifth embodiment, it is possible to calculate an index that enables safer collation processing between information to be collated and information to be referred to. Furthermore, according to the collation system 601 according to the fifth embodiment, it is possible to perform further safer collation processing between information to be collated and information to be referred to. This is because the collation system 601 according to the fifth embodiment includes the configuration of the collation system 201 according to the second embodiment.

  Furthermore, according to the collation system 601 according to the fifth embodiment, even if the encrypted registration information including the ciphertext in which the registration data is encrypted or the information transmitted / received between the devices leaks, the collation processing is performed. At this time, there is an effect that the data is not accepted unless the target data whose distance from the registered data is equal to or less than the threshold value is used. Furthermore, according to the collation system 601 according to the fifth embodiment, even if the collation requesting device 612 repeatedly receives the target data, it is possible to conceal the distance between the target data and the registered data. There is also an effect.

  This is because the configuration of the verification system 601 according to the fifth embodiment includes the configuration of the verification system 201 according to the second embodiment.

  Furthermore, according to the collation system 601 according to the fifth embodiment, there is an effect that the processing load in the collation system 601 is small.

  This is because the amount of information included in the encrypted registration information is small. That is, when the registration data includes n elements, the encryption registration information is encrypted text with (n + 1) elements encrypted when the registration data includes n elements.

  In the present embodiment, an example of the Euclidean distance has been described. However, the present embodiment can be easily applied to other distances (for example, a Hamming distance, a Mahalanobis distance, etc.).

<Sixth Embodiment>
Next, a sixth embodiment of the present invention based on the above-described third embodiment will be described.

  In the following description, the characteristic portions according to the present embodiment will be mainly described, and the same reference numerals are assigned to the same configurations as those in the third embodiment or the fourth embodiment described above. Therefore, the overlapping description is omitted.

  With reference to FIG. 18, the configuration of the verification system 801 according to the sixth exemplary embodiment of the present invention will be described in detail. FIG. 18 is a block diagram showing a configuration of a collation system 801 according to the sixth embodiment of the present invention.

  The collation system 801 according to the sixth embodiment is roughly divided into a registration data device 502, a collation request device 812, a storage device 504, a collation device 823, and a verification device 822.

  The registered data device 502 includes an encryption unit 503.

  The storage device 504 includes an identifier management unit 506, a registration data information storage unit 505, and a registration data search unit 507.

  The verification device 822 includes a key generation unit 508, a key storage unit 509, a verification data decryption unit 510, a verification unit 511, and a verification data generation unit 811.

  The collation device 823 includes a collation registration information request unit 815, a collation preparation unit 816, a determination unit 817, an encryption first aggregation unit 818, an encryption first mask unit 819, a verification mask unit 820, and collation data Part 821.

  It is assumed that the registration data device 502, the verification requesting device 812, the storage device 504, the verification device 823, and the verification device 822 can communicate with each other via a communication network, for example.

  The verification requesting device 812 includes a verification request unit 813 and an encrypted second data unit 814.

  In the present embodiment, processing in the matching system 801 according to the present embodiment will be described with reference to an example in which the distance is an n-dimensional Euclidean distance. Further, in the present embodiment, the processing will be described with reference to an example in the case of using the Modified-Elgamal cipher as a public key cipher having homomorphism with respect to the addition. You may use the encryption which has. In the present embodiment, the n-dimensional Euclidean distance and the Modified-Elgamal cipher are the same as the n-dimensional Euclidean distance and the Modified-Elgamal cipher in the fourth embodiment, and thus description thereof will be omitted.

  Next, processing in the verification system 801 according to the sixth embodiment of the present invention will be described in detail. The processing in the verification system 801 roughly includes a preparation phase, a registration phase, and a verification phase.

  The processing in the preparation phase related to the collation system 801 according to the present embodiment is the same as the processing in the preparation phase related to the collation system 501 according to the fourth embodiment. For this reason, the description regarding the process in the preparation phase regarding the collation system 801 concerning this embodiment is abbreviate | omitted. Furthermore, the processing in the registration phase related to the matching system 801 according to the present embodiment is the same as the processing in the registration phase related to the matching system 501 according to the fourth embodiment. For this reason, the description regarding the process in the registration phase regarding the collation system 801 which concerns on this embodiment is abbreviate | omitted.

  Processing performed in the verification phase by the verification system 801 according to the present embodiment will be described with reference to FIGS. 19A and 19B. 19A and 19B are sequence diagrams illustrating an example of processing executed by the matching system 801 according to the sixth embodiment in the matching phase.

  The collation request unit 813 in the collation request device 812 receives target data representing a target to be collated and a registration identifier. The verification request unit 813 creates a verification request for requesting verification of the received target data and the encrypted registration information associated with the received registration identifier (step SF1). The verification request unit 813 transmits the generated verification request to the verification registration information request unit 815 in the verification device 823 (step (SF2-1)). The verification request includes, for example, the registration identifier.

  The verification registration information request unit 815 in the verification device 823 receives the verification request transmitted by the verification request unit 813 (step (SF2-2)), and reads the registration identifier included in the received verification request. The verification registration information request unit 815 creates a registration data request for requesting encrypted registration information associated with the read registration identifier (step SF3), and searches the registration data request in the storage device 504 for a registration data request. It transmits to the part 507 (step (SF4-1)). The registration data request can be realized using an aspect including the read registration identifier.

  The registration data search unit 507 in the storage device 504 receives the registration data request transmitted by the verification registration information request unit 815 (step (SF4-2)). The registration data search unit 507 specifies encrypted registration information associated with the registration identifier included in the received registration data request in registration data information (for example, stored in the registration data information storage unit 505). (Step SF5). The registration data search unit 507 transmits the specified encrypted registration information to the collation preparation unit 816 in the collation device 823 (step (SF6-1)).

  The collation preparation unit 816 in the collation device 823 receives the encrypted registration information (c1 [1],..., C1 [n], cc1) transmitted by the registration data search unit 507 (step (SF6-2)). . Note that cc1 represents an encryption first index. For example, the collation preparation unit 816 calculates a random number S in accordance with a procedure for calculating a pseudo-random number, and calculates a value obtained by multiplying each element in the received encrypted registration information by the random number S to obtain a ciphertext (c2 [1 ],..., C2 [n], cc2). That is, the collation preparation unit 816 calculates a value obtained by multiplying each element of the registration data that is the basis of the encrypted registration information by calculating a value obtained by multiplying each element by the random number, The encrypted first data cc2 obtained by encrypting a value obtained by multiplying the first index relating to the registered data by a random number is calculated (step SF7).

  The collation preparation unit 816 creates an encrypted random number c2 [0] calculated by encrypting the random number S. The verification preparation unit 816 encrypts the values (c2 [1],..., C2 [n]) obtained by encrypting each element of the registration data, which is the basis of the encrypted registration information, and the generated encrypted random number c2 [0. ] (C2 [0], c2 [1],..., C2 [n]) are created (step SF8). The collation preparation unit 816 transmits the created collation registration information to the encrypted second data unit 814 in the collation requesting device 812 (step (SF9-1)).

  The verification preparation unit 816 creates encrypted first data information (formula 56) including the calculated encrypted first data cc2 and the encrypted random number c2 [0] obtained by encrypting the random number S, and creates the created encryption The encrypted first data information is transmitted to the encrypted first aggregation unit 818 in the verification device 823.

  For example, the encrypted first data information can be expressed by the form shown in Expression 56.

      (C2 [0], cc2) (Formula 56).

  The encrypted second data unit 814 in the verification requesting device 812 includes the target data Y and verification registration information (c2 [0], c2 [1],..., C2 [n]) transmitted by the verification preparation unit 816. Is received (step (SF9-2)). The encrypted second data unit 814 calculates the encrypted second data cc3 by executing the same processing as the processing shown in steps S101 to S104 (step SF10). The encrypted second data unit 814 transmits the calculated encrypted second data cc3 to the verification data generation unit 811 in the verification device 823 (step (SF11-1)).

  Next, the first encryption unit 818 in the verification device 823 receives the encrypted first data information (c2 [0], cc2) transmitted by the verification preparation unit 816. The encrypted first collection unit 818 reads the encrypted random number c2 [0] from the received encrypted first data information, and changes the read encrypted random number c2 [0] from “−t” to “−1”. A value representing the power of each integer value is calculated. Note that t is a threshold value t that represents a criterion for determining whether or not acceptance is possible. Next, the first encryption unit 818, for example, multiplies the calculated value by the encrypted first data cc2 included in the received encrypted first data information (formula 57, ie, encryption Sentence).

  The process in which the encryption first collection unit 818 calculates the ciphertext can be expressed as, for example, Expression 57.

(Cc2 [0] × c2 [0] ^{{− 1}} , cc2 [1] × c2 [1] ^{{− 1}} ),
(Cc2 [0] × c2 [0] ^{{− 2}} , cc2 [1] × c2 [1] ^{{− 2}} ),
...
(Cc2 [0] × c2 [0] ^{{− t}} , cc2 [1] × c2 [1] ^{{− t}} )) (Formula 57).

  u represents one integer value among integer values from 1 to t. In this case, one value in Equation 57 is equivalent to Equation 58.

(Cc2 [0] × c2 [0] ^{{− u}} , cc2 [1] × c2 [1] ^{{− u}} )
= Enc (pk, S × (x [1] ^{2} +... + X [n] ^{2} ) * Enc (pk, S) ^{−u}
= Enc (pk, S × (x [1] ^{2} +... + X [n] ^{2} ) * Enc (pk, −S × u)
= Enc (pk, S × (x [1] ^{2} +... + X [n] ^{2} −S × u) (Expression 58).

  For convenience of explanation, the value calculated according to Expression 57 is represented as ff4 [u]. Therefore, the value calculated by the encrypted first aggregation unit 818 is the value shown in Equation 59.

ff4 [1] (= Enc (pk, S × (x [1] ^{2} +... + x [n] ^{2} ) − S × 1)),
...
ff4 [t] (= Enc (pk, S × (x [1] ^{2} +... + x [n] ^{2} ) − S × t)) (Formula 59).

  Further, the encrypted first aggregation unit 818 sets the encrypted first data cc2 included in the received encrypted first data information to ff4 [0].

The first encryption set unit 818 creates a first encryption set including the calculated values (that is, ff4 [0] to ff4 [t]) (step SF12). For example, the encrypted first set created by the encrypted first set unit 818 can be expressed in the form shown in Equation 60. Therefore,
(Ff4 [0],..., Ff4 [t]) (Equation 60).

  The first encryption set unit 818 transmits the created first encryption set to the first encryption mask unit 819 in the verification device 823.

  The encrypted first mask unit 819 in the verification device 823 receives the encrypted first set (for example, Expression 60) transmitted by the encrypted first set unit 818. Next, the encrypted first mask unit 819 calculates (t + 1) random numbers R [0],..., R [t], for example, according to a procedure for calculating pseudo-random numbers. In this case, the encryption first mask unit 819 may create a mask value set (R [0],..., R [t]) including the calculated random number.

  The encrypted first mask unit 819 encrypts the calculated random number R [i] (where 0 ≦ i ≦ t) using the public key pk, thereby encrypting the random number R [i]. (Pk, R [i]) is created. The encrypted first mask unit 819 multiplies the ciphertext ff4 [i] included in the received first encrypted set by the calculated ciphertext Enc (pk, R [i]) (formula 61 ) Is calculated.

      Enc (pk, R [i]) * ff4 [i] (Equation 61).

  Equation 61 is equivalent to Equation 62.

Enc (pk, R [i]) * ff4 [i]
= Enc (pk, R [i]) * Enc (pk, S × (x [1] ^{2} +... + X [n] ^{2} ) − S × i)
= Enc (pk, S * (x [1] ^{2} + ... + x [n] ^{2} )-S * i + R [i]) (Expression 62).

  Hereinafter, the value (ciphertext) calculated according to Equation 62 is represented as ff5 [i].

More specifically, the encryption first mask unit 819 calculates a value according to Equation 63 for i where 1 ≦ i ≦ t. That is,
Enc (pk, S × (x [1] ^{2} +... + X [n] ^{2} ) −S × 0 + R [0]),
...
Enc (pk, S × (x [1] ^{2} +... + X [n] ^{2} ) −S × t + R [t]) (Equation 63).

  The encryption second mask unit creates an encryption first mask including the calculated value (formula 63) (step SF13).

  The process in step SF13 will be described using an example of a modified-Elgamal cipher that is one of public key ciphers having homomorphism with respect to addition.

In this example, the encrypted first mask unit 819 receives the encrypted first set transmitted by the encrypted first set unit 818. The encryption first mask unit 819 calculates (t + 1) random numbers R [0],..., R [t], for example, according to a procedure for calculating pseudo-random numbers. The encrypted first mask unit 819 encrypts the calculated random number R [i] (where 0 ≦ i ≦ t) using the public key pk, thereby encrypting the random number R [i]. (Pk, R [i]) is created. That is, the encrypted first mask part 819, the public key pk, and a generator g, reads a value y, selecting an eighth value ru [i] from the predetermined set _{Z p.} Next, the encrypted first mask unit 819 creates Enc (pk, R [i]) in which the random number R [i] is encrypted according to Equation 64.
(G ^{{ru [i]}} , y ^{{ru [i]}} × g ^{R [i]} ) (Expression 64).

  Next, the encrypted first mask unit 819 multiplies the ciphertext ff4 [i] included in the received first encrypted set by the calculated ciphertext Enc (pk, R [i]). (Expression 65) is calculated. The process in step SF13 calculates a value (formula 65) obtained by multiplying the ciphertext ff4 [i] included in the received encrypted first set and the calculated ciphertext Enc (pk, R [i]). It can also be expressed as a process to perform.

ff4 [0] * Enc (pk, R [0]),
...
ff4 [t] * Enc (pk, R [t]) (Expression 65).

  Note that ff4 [i] * Enc (pk, R [i]) shown in Expression 65 is equivalent to the expression shown in Expression 66.

= Enc (pk, S × (x [1] ^{2} +... + X [n] ^{2} ) − S × i) * Enc (pk, R [i])
= Enc (pk, S * (x [1] ^{2} + ... + x [n] ^{2} )-S * i + R [i]) (Formula 66).

  Therefore, in this case, the set of values shown in Equation 65 is equivalent to the set of values shown in Equation 67.

ff4 [0] * Enc (pk, R [0])
= Enc (pk, S × (x [1] ^{2} +... + X [n] ^{2} ) −S × 0 + R [0])
= Ff5 [0],
...
ff4 [t] * Enc (pk, R [t])
= Enc (pk, S × (x [1] ^{2} +... + X [n] ^{2} ) −S × t + R [t])
= Ff5 [t] (Expression 67).

  The encryption first mask unit 819 creates an encryption first mask (ff5 [0],..., Ff5 [t]) that includes the value calculated according to Expression 65 (step SF13), and creates the encryption first mask that has been created. One mask is transmitted to the verification data generation unit 811 in the verification device 823. The encrypted first mask unit 819 transmits the mask value set (R [0],..., R [t]) to the verification mask unit 820 in the verification device 823.

Next, the verification mask unit 820 in the verification device 823 receives the mask value set (R [0],..., R [t]) transmitted by the encrypted first mask unit 819. The verification mask unit 820 reads the element value from the received mask value set, and calculates a value obtained by raising the generator g included in the public key to the “read value” power. However, 0 ≦ i ≦ t. The verification mask unit 820 calculates a hash value H (g ^{R [i]} ) (= h1 [i]) by using the calculated ciphertext as an input and applying a hash function. The verification mask unit 820 generates a verification mask (h1 [0],..., H1 [t]) including the calculated hash value (step SF14), and generates verification data in the verification device 823 using the generated verification mask. To the unit 811.

  Next, the verification data unit 821 in the verification device 823 transmits the verification mask (h1 [0],..., H1 [t]) transmitted by the verification mask unit 820 and the encrypted first mask unit 819. An encrypted first mask (ff5 [0],... Ff5 [t]) is received. The collation data unit 821 randomly creates a permutation π relating to values ranging from 0 to t (hereinafter referred to as [0, t]). However, t represents a threshold value. The collation data unit 821 rearranges the order of the elements included in the received encrypted first mask according to the generated permutation π, and the order of the elements included in the received verification mask according to the generated permutation π. Sort by.

  For convenience of explanation, processing for rearranging the order of elements included in the encrypted first mask in accordance with the generated permutation π is represented as ff5 [π (i)]. A process of rearranging the order of elements included in the received verification mask according to the generated permutation π is represented as h1 [π (i)]. Further, ff5 [π (i)] is represented as ff6 [i]. h1 [π (i)] is represented as h2 [i].

  Next, the collation data unit 821 creates information (ff6 [i], h2 [i]) in which the calculated ff6 [i] and the calculated h2 [i] are associated with each other, and further, the section [0, For i included in t], collation data including the information is created (step SF15). The collation data created by the collation data unit 821 can be expressed using the form shown in Expression 68, for example.

  ((Ff6 [0], h2 [0]),..., (Ff6 [t], h2 [t])) (Expression 68).

  The collation data unit 821 transmits the created collation data (for example, the value shown in Expression 68) to the verification data generation unit 811 in the verification device 822 (step (SF16-1)).

  Next, the verification data generation unit 811 in the verification device 822 receives the verification data transmitted by the verification data unit 821 (step (SF16-2)), and the encrypted second data unit 814 transmits the encrypted data. 2 data cc3 is received (step (SF11-2)). The verification data generation unit 811 reads the element ff6 [i] (where 0 ≦ i ≦ t) included in the received collation data, reads ff6 [i], and the received encrypted second data cc3. Is multiplied by (Equation 69).

Enc (pk, S × (x [1] ^{2} +... + X [n] ^{2} ) − S × π (i) + R [π (i)]) * Enc (pk, −2 × S × (x [1] × y [1] +... + X [n] × y [n]) + S × (y [1] ^{2} +... + Y [n] ^{2} )) (Formula 69).

  A value (formula 69) calculated by the verification data generation unit 811 is equivalent to the following formula 70.

Enc (pk, S × (x [1] ^{2} +... + X [n] ^{2} ) −2 × S × (x [1] × y [1] +... + X [n] × y [n]) + S × (y [1] ^{2} +... + y [n] ^{2} ) −S × π (i) + R [π (i)])
= Enc (pk, S × ((x [1] ^{2} +... + X [n] ^{2} ) −2 × (x [1] × y [1] +... + X [n] × y [n]) + (y [1] ^{2} +... + y [n] ^{2} )) − S × π (i) + R [π (i)])
= Enc (pk, S × ((x [1] −y [1]) ^{2} +... + (X [n] −y [n]) ^{2} ) −S × π (i) + R [Π (i)])
= Enc (pk, S * D (X, Y) -S * [pi] (i) + R [[pi] (i)]) (Equation 70).

  Therefore, since the equation 70 is the same as the equation 41, the verification data generation unit 811 calculates cc7 [i].

  The verification data generation unit 811 creates information (cc7 [i], h2 [i]) in which the calculated cc7 [i] is associated with h2 [i] included in the received verification data. The verification data generation unit 811 generates verification data including the generated information for i satisfying 0 ≦ i ≦ t (step SF17). For example, the verification data created by the verification data generation unit 811 can be expressed in the form shown in Expression 43.

  For example, the processing in step SF17 will be described using an example of Modified-Elgamal cipher that is one of public key ciphers having homomorphism with respect to addition.

  In this case, the verification data generation unit 811 reads ff6 [i] (where 0 ≦ i ≦ t) included in the received collation data, reads the ff6 [i] read, and the received encrypted second A value obtained by multiplying the data cc3 (that is, cc3 * ff6 [i]) is calculated. Therefore, for i satisfying 0 ≦ i ≦ t, the verification data generation unit 811 calculates a value represented by Expression 71.

cc3 * ff6 [0] (this value is equivalent to Enc (pk, S × D (X, y) −S × π (0) + R [π (0)])),
...
cc3 * ff6 [t] (this value is equivalent to Enc (pk, S × D (X, y) −S × π (t) + R [π (t)])) (Equation 71) .

  The verification data generation unit 811 creates information (cc7 [i], h2 [i]) in which the calculated cc7 [i] is associated with h2 [i] included in the received verification data. The verification data generation unit 811 generates verification data including the generated information for i satisfying 0 ≦ i ≦ t. The verification data generation unit 811 transmits the created verification data (for example, Expression 43) to the verification data decoding unit 510 in the verification device 822.

  Thereafter, processing similar to the processing shown in steps SC18 to SC22 is executed, and thus the description regarding steps SF18 to SF22 is omitted.

  Next, effects related to the matching system 801 according to the sixth embodiment will be described.

  According to the collation system 801 according to the sixth embodiment, it is possible to calculate an index that enables safer collation processing between information to be collated and information to be referred to. Furthermore, according to the collation system 801 according to the sixth embodiment, it is possible to perform further safer collation processing between information to be collated and information to be referred to. This is because the collation system 801 according to the sixth embodiment includes the configuration of the collation system 401 according to the third embodiment.

  Furthermore, according to the collation system 801 according to the sixth embodiment, even if the encrypted registration information including the ciphertext in which the registration data is encrypted or the information transmitted / received between the devices leaks, At this time, there is an effect that the data is not accepted unless the target data whose distance from the registered data is equal to or less than the threshold value is used. Furthermore, according to the collation system 801 according to the sixth embodiment, even if the collation requesting device 812 repeatedly receives the target data, the distance between the target data and the registered data can be concealed. There is also an effect.

  This is because the configuration of the verification system 801 according to the sixth embodiment includes the configuration of the verification system 401 according to the third embodiment.

  Furthermore, according to the collation system 801 according to the sixth embodiment, there is an effect that the processing load in the collation system 801 is small.

  This is because the amount of information included in the encrypted registration information is small. That is, when the registration data includes n elements, the encryption registration information is encrypted text with (n + 1) elements encrypted when the registration data includes n elements.

  In the present embodiment, an example of the Euclidean distance has been described. However, the present embodiment can be easily applied to other distances (for example, a Hamming distance, a Mahalanobis distance, etc.).

<Seventh Embodiment>
The configuration of the index calculation system 901 according to the seventh embodiment of the present invention will be described in detail with reference to FIG. 20 and FIG. FIG. 20 is a block diagram showing a configuration of an index calculation system 901 according to the seventh embodiment of the present invention. FIG. 21 is a flowchart showing the flow of processing in the index calculation system 901 according to the seventh embodiment.

  An index calculation system 901 according to the seventh embodiment includes a first index calculation unit 902 and a second index calculation unit 903. The index calculation system 901 may further include a storage unit 904.

  The first index calculation unit 902 and the storage unit 904 can be connected to each other via a communication network, for example. The second index calculation unit 903 and the storage unit 904 can be connected to each other via a communication network, for example.

  The first index calculation unit 902 and the second index calculation unit 903 may be communicable with each other via a communication network.

  The first index calculation unit 902 receives, for example, a first numerical sequence including a plurality of numerical values from an external device or the like, and represents a size related to the received first numerical sequence (for convenience of explanation, “first size Is expressed) (step S501). The first index calculation unit 902 encrypts a numerical value included in the received first numerical value sequence using an encryption key calculated according to an encryption method having homomorphism with respect to the addition, thereby obtaining the first numerical value sequence. An encrypted first numeric value sequence is generated (step S502). The first index calculation unit 902 calculates an encrypted first index in which the first size is encrypted by encrypting the calculated first size using the encryption key (step S503). The first index calculation unit 902 stores the created encrypted first numerical sequence in the storage unit 904 (step S504).

  The second index calculation unit 903 reads the encrypted first numerical value sequence created by the first index calculation unit 902 from the storage unit 904 (step S505). The second index calculation unit 903 receives, for example, a second numerical value sequence including a plurality of numerical values from an external device or the like, and represents a size related to the received second numerical value sequence (for convenience of explanation, “second size” Is expressed) (step S506). The second index calculation unit 903 performs an operation based on the read encrypted first numerical value sequence and the received second numerical value sequence according to an encryption method having homomorphism with respect to addition (step S507). In other words, the second index calculation unit 903 applies an operation based on a numerical value included in the received second numerical value sequence to the read encrypted first numerical value sequence according to an encryption method having homomorphism regarding addition. Thus, a value (hereinafter referred to as “calculated value”) is calculated. The second index calculation unit 903 uses the additive homomorphism based on the calculated value and the calculated second size to calculate “from a value representing the degree of similarity between the first numerical value sequence and the second numerical value sequence. An encrypted second index representing a ciphertext of “a value obtained by subtracting the first size (second index)” is calculated (step S508).

  In the present embodiment, the size calculated in step S501 and step S506 represents a size (length) calculated according to an expression such as expression 11, for example. Further, the calculated value calculated in step S507 is, for example, the element I included in the encrypted first numerical sequence (where I represents the element number), as shown in Equation 21 and the like. This is a value calculated by multiplying “−2 × the first element included in the second numerical sequence”. In this case, the encrypted second index calculated by the second index calculation unit 903 is “a value obtained by subtracting the first size from the value indicating the degree of similarity between the first numeric string and the second numeric string”. Represents a ciphertext that is As a result, the value obtained by multiplying the encrypted first index calculated by the first index calculation unit 902 and the encrypted second index calculated by the second index calculation unit 903 is the first numeric value sequence, the second numeric value sequence, The degree of similarity (for example, distance) indicating the degree of similarity between the two is equal to the encrypted value.

  For example, the first index calculation unit 902 can be realized by using a function of the registration data device or the like shown in each embodiment of the present invention. Further, the second index calculation unit 903 can be realized by using the function of the encrypted second data unit shown in each embodiment of the present invention.

  Next, effects produced by the index calculation system 901 according to the seventh embodiment will be described.

  According to the index calculation system 901 according to the seventh embodiment, it is possible to calculate an index that enables safer verification processing between information to be verified and information to be referred to.

  The reason for such an effect will be described. For example, when the first index calculation unit 902 and the second index calculation unit 903 execute communication in the process as described above via a communication network, the first index and the second index are encrypted. Is calculated separately by a plurality of different entities. Therefore, in this case, according to the index calculation system 901 according to the present embodiment, the encrypted first index and the encrypted second index that can calculate the similarity between the first numeric string and the second numeric string. The index is calculated by a plurality of different subjects. As a result, even if at least one of the encrypted first index and the encrypted second index is intercepted, it is impossible to restore the first numerical value sequence, the second numerical value sequence, or the similarity. In the verification process based on the first encryption index and the second encryption index, the risk of information leakage is reduced.

  That is, according to the index calculation system 901 according to the seventh embodiment, it is possible to calculate an index that enables a safer verification process between information to be verified and information to be referred to.

(Hardware configuration example)
A configuration example of hardware resources for realizing the above-described collation system or index calculation system in each embodiment of the present invention using one calculation processing device (information processing device, computer) will be described. However, the index calculation system (collation system) may be realized using at least two calculation processing devices physically or functionally. The index calculation system (collation system) may be realized as a dedicated device.

  FIG. 22 is a diagram schematically illustrating a hardware configuration example of a calculation processing apparatus capable of realizing the collation system according to the first to sixth embodiments or the index calculation system according to the seventh embodiment. It is. The computer 20 includes a central processing unit (Central_Processing_Unit, hereinafter referred to as “CPU”) 21, a memory 22, a disk 23, and a nonvolatile recording medium 24. The calculation processing device 20 includes a communication interface (hereinafter referred to as “communication IF”) 27. The calculation processing device 20 may further include an input device 25 and an output device 26. The calculation processing device 20 can transmit / receive information to / from other calculation processing devices and communication devices via the communication IF 27.

  The nonvolatile recording medium 24 is, for example, a compact disk (Compact_Disc) or a digital versatile disk (Digital_Versatile_Disc) that can be read by a computer. The nonvolatile recording medium 24 may be a universal serial bus memory (USB memory), a solid state drive (Solid_State_Drive), or the like. The non-volatile recording medium 24 retains such a program without being supplied with power, and can be carried. The nonvolatile recording medium 24 is not limited to the above-described medium. Further, the program may be carried via the communication network via the communication IF 27 instead of the nonvolatile recording medium 24.

  That is, the CPU 21 copies a software program (computer program: hereinafter simply referred to as “program”) stored in the disk 23 to the memory 22 when executing it, and executes arithmetic processing. The CPU 21 reads data necessary for program execution from the memory 22. When output to the outside is necessary, the CPU 21 outputs an output result to the output device 26. When inputting a program from the outside, the CPU 21 reads the program from the input device 25. The CPU 21 performs a verification program (FIG. 2) in the memory 22 corresponding to the function (processing) represented by each unit shown in FIG. 1, FIG. 6, FIG. 8, FIG. 10, FIG. 3, 4A, 4B, 5, 7A, 7B, 9A, 9B, 11, 12, 13A, 13B, 15, 16, 17A, 17B, FIG. 19A or FIG. 19B) or the index calculation program (FIG. 21) is interpreted and executed. The CPU 21 sequentially executes the processes described in the above embodiments of the present invention.

  That is, in such a case, it can be understood that the present invention can also be realized by such a collation program or such an index calculation program. Furthermore, it can be understood that the present invention can also be realized by a non-volatile recording medium that can be read by a computer in which the matching program or the index calculation program is recorded.

  The present invention has been described above using the above-described embodiment as an exemplary example. However, the present invention is not limited to the above-described embodiment. That is, the present invention can apply various modes that can be understood by those skilled in the art within the scope of the present invention.

In addition, a part or all of each embodiment mentioned above can be described also as the following additional remarks. However, the present invention described by way of example with the above-described embodiments is not limited to the following. That is,
(Appendix 1)
Based on an encryption key and a numerical value included in the first numerical value sequence, an encrypted first numerical value sequence including an encrypted numerical value obtained by encrypting the numerical value included in the first numerical value sequence using the encryption key is created. And storing the created encrypted first numerical sequence in the storage means, and a first size representing the size of the first numeric sequence representing a value encrypted using the encryption key. First index calculating means for calculating
Based on the encrypted numeric value contained in the encrypted first numeric value sequence stored in the storage means and the second numeric value sequence, the first numeric value sequence and the second numeric value sequence are similar. An index comprising: a second index calculating unit that calculates a second index indicating a value obtained by subtracting the first size from a value indicating a degree, and a value encrypted using the encryption key. Calculation system.

(Appendix 2)
An encryption in which a value obtained by converting a numerical value included in the first numerical value sequence based on a first random number based on a cryptographic key and a numerical value included in the first numerical value sequence is encrypted using the encryption key An encrypted first numerical sequence including a digitized value is created, an encrypted random number obtained by encrypting the first random number is calculated, and a first size representing the size of the first numerical sequence is based on the first random number First calculation means for calculating encrypted first data representing a value obtained by encrypting the first data, which is the value converted by the encryption key, using the encryption key;
Based on the second numerical value sequence, the encrypted random number, and the encrypted first numerical value sequence, a value representing the degree of similarity between the first numerical value sequence and the second numerical value sequence and the first size are calculated. An index calculation system comprising: encrypted second data means for calculating encrypted second data representing ciphertext obtained by encrypting the second data whose second index is a value converted based on the first random number. .

(Appendix 3)
An index calculation system according to attachment 2, wherein
A first value included in a range of numerical values based on a threshold according to a homomorphism that can be calculated based on ciphertext obtained by encrypting a plurality of plaintext operation results based on ciphertext obtained by encrypting each plaintext. And a calculation result according to the homomorphism of the first data and the value obtained by converting the first value based on the first random number based on the encrypted random number and the encrypted first data. Further comprising: encryption set means for calculating a ciphertext in which a certain second value is encrypted using the encryption key, and creating an encryption set including the ciphertext in which the calculated second value is encrypted. ,
The second index represents a calculation result calculated according to the homomorphism based on a value representing the degree of similarity between the first numeric value sequence and the second numeric value sequence and the first size. system.

(Appendix 4)
An index calculation system according to attachment 2, wherein
Regarding the first value included in the numerical value range based on the threshold value, the first value is based on the first random number based on the encrypted random number and the encrypted second data, according to the homomorphism. A ciphertext in which a second value that is an operation result according to the homomorphism of the converted value and the second data is encrypted using the encryption key is calculated, and the calculated second value is encrypted. An encryption set means for creating an encrypted set including the encrypted ciphertext,
The second index represents a calculation result calculated according to the homomorphism based on a value representing the degree of similarity between the first numeric value sequence and the second numeric value sequence and the first size. system.

(Appendix 5)
Based on the second random number and the second value, a ciphertext of a third value representing an operation result calculated according to the homomorphism is used as the ciphertext included in the second random number and the encrypted set. Appendix 3 or Appendix 4 further comprising: encrypted reference information means for creating encrypted reference information including the calculated ciphertext and random number information including the second random number based on the homomorphism based on The index calculation system described in.

(Appendix 6)
The ciphertext of the fourth value representing the calculation result calculated according to the homomorphism based on the third value and the first data or the second data is included in the encrypted reference information. A verification data generating unit configured to calculate according to the homomorphism based on the ciphertext relating to the third value and the encrypted first data, and to generate verification data including the calculated ciphertext of the fourth value; The index calculation system according to attachment 5.

(Appendix 7)
The index calculation according to appendix 6, further comprising verification information means for calculating a value by applying a predetermined function to the second random number included in the random number information, and creating verification information including the calculated value system.

(Appendix 8)
The verification information means rearranges the ciphertext of the fourth value included in the verification data according to a certain rearrangement procedure, and rearranges the value included in the verification information according to the predetermined rearrangement procedure. The index calculation system according to attachment 7.

(Appendix 9)
The index calculation system according to appendix 7 or appendix 8,
A value calculated by decrypting the ciphertext of the fourth value included in the verification data and applying the predetermined function to the calculated value, and a value included in the verification information A collation system comprising: determination means for determining whether or not the first numerical value sequence and the second numerical value sequence are similar or coincident based on whether or not they match.

(Appendix 10)
Based on an encryption key and a numerical value included in the first numerical value sequence, an encrypted first numerical value sequence including an encrypted numerical value obtained by encrypting the numerical value included in the first numerical value sequence using the encryption key is created. And storing the created encrypted first numerical sequence in the storage means, and a first size representing the size of the first numeric sequence representing a value encrypted using the encryption key. And the first numeric value sequence and the second numeric value sequence are calculated based on the encrypted numeric value and the second numeric value sequence included in the encrypted first numeric value sequence stored in the storage unit. An index calculation method in which a second index representing a value obtained by subtracting the first size from a value representing a degree of similarity is an encrypted second index representing a value encrypted using the encryption key.

(Appendix 11)
Based on an encryption key and a numerical value included in the first numerical value sequence, an encrypted first numerical value sequence including an encrypted numerical value obtained by encrypting the numerical value included in the first numerical value sequence using the encryption key is created. And storing the created encrypted first numerical sequence in the storage means, and a first size representing the size of the first numeric sequence representing a value encrypted using the encryption key. A first index calculation function for calculating
Based on the encrypted numeric value contained in the encrypted first numeric value sequence stored in the storage means and the second numeric value sequence, the first numeric value sequence and the second numeric value sequence are similar. A second index calculating function for calculating a second index indicating a value obtained by subtracting the first size from a value indicating a degree, and an encrypted second index indicating a value encrypted using the encryption key; Index calculation program to be realized.

DESCRIPTION OF SYMBOLS 101 Verification system 102 Registration data apparatus 103 Encryption part 104 Storage apparatus 105 Registration data information storage part 106 Identifier management part 107 Registration data search part 108 Key generation part 109 Key storage part 110 Verification data decryption part 111 Verification part 112 Verification request apparatus 113 Verification request unit 114 Encryption second data unit 115 Encryption second aggregation unit 116 Encryption second mask unit 117 Verification mask unit 118 Verification data unit 119 Verification device 120 Verification registration information request unit 121 Verification preparation unit 122 Verification unit 123 Verification Data generation unit 124 Verification device 201 Verification system 212 Verification request device 213 Verification request unit 214 Encryption second data unit 215 Encryption second aggregation unit 216 Encryption second mask unit 217 Verification mask unit 218 Verification data unit 219 Verification device 220 Verification registration Information request unit 221 Verification preparation unit 222 Determination unit 223 Verification data generation unit 224 Verification device 401 Verification system 411 Verification data generation unit 412 Verification request device 413 Verification request unit 414 Encrypted second data unit 415 Verification registration information request unit 416 Verification preparation Unit 417 determination unit 418 encryption first set unit 419 encryption first mask unit 420 verification mask unit 421 verification data unit 422 verification device 423 verification device 501 verification system 502 registration data device 503 encryption unit 504 storage device 505 registration data information Storage unit 506 Identifier management unit 507 Registration data search unit 508 Key generation unit 509 Key storage unit 510 Verification data decryption unit 511 Verification unit 512 Verification request device 513 Verification request unit 514 Encryption second data unit 515 Encryption second aggregation unit 516 encryption 2 mask unit 517 verification mask unit 518 verification data unit 519 verification device 520 verification registration information request unit 521 verification preparation unit 522 determination unit 523 verification data generation unit 524 verification device 601 verification system 612 verification request device 613 verification request unit 614 encryption first 2 data part 615 Encrypted second set part 616 Encrypted second mask part 617 Verification mask part 618 Verification data part 619 Verification apparatus 620 Verification registration information request part 621 Verification preparation part 622 Determination part 623 Verification data generation part 624 Verification apparatus 801 Verification system 811 Verification data generation unit 812 Verification request device 813 Verification request unit 814 Encrypted second data unit 815 Verification registration information request unit 816 Verification preparation unit 817 Determination unit 818 Encryption first aggregation unit 819 Encryption first mask unit 820 Verification mask part 821 Verification data unit 822 Verification device 823 Verification device 901 Index calculation system 902 First index calculation unit 903 Second index calculation unit 904 Storage unit 20 Calculation processing device 21 CPU
22 Memory 23 Disk 24 Non-volatile recording medium 25 Input device 26 Output device 27 Communication IF

Claims (10)

Based on an encryption key and a numerical value included in the first numerical value sequence, an encrypted first numerical value sequence including an encrypted numerical value obtained by encrypting the numerical value included in the first numerical value sequence using the encryption key is created. And storing the created encrypted first numerical sequence in the storage means, and a first size representing the size of the first numeric sequence representing a value encrypted using the encryption key. First index calculating means for calculating
Based on the encrypted numeric value contained in the encrypted first numeric value sequence stored in the storage means and the second numeric value sequence, the first numeric value sequence and the second numeric value sequence are similar. An index comprising: a second index calculating unit that calculates a second index indicating a value obtained by subtracting the first size from a value indicating a degree, and a value encrypted using the encryption key. Calculation system. An encryption in which a value obtained by converting a numerical value included in the first numerical value sequence based on a first random number based on a cryptographic key and a numerical value included in the first numerical value sequence is encrypted using the encryption key An encrypted first numerical sequence including a digitized value is created, an encrypted random number obtained by encrypting the first random number is calculated, and a first size representing the size of the first numerical sequence is based on the first random number First calculation means for calculating encrypted first data representing a value obtained by encrypting the first data, which is the value converted by the encryption key, using the encryption key;
Based on the second numerical value sequence, the encrypted random number, and the encrypted first numerical value sequence, a value representing the degree of similarity between the first numerical value sequence and the second numerical value sequence and the first size are calculated. An index calculation system comprising: encrypted second data means for calculating encrypted second data representing ciphertext obtained by encrypting the second data whose second index is a value converted based on the first random number. . The index calculation system according to claim 2,
A first value included in a range of numerical values based on a threshold according to a homomorphism that can be calculated based on ciphertext obtained by encrypting a plurality of plaintext operation results based on ciphertext obtained by encrypting each plaintext. And a calculation result according to the homomorphism of the first data and the value obtained by converting the first value based on the first random number based on the encrypted random number and the encrypted first data. Further comprising: encryption set means for calculating a ciphertext in which a certain second value is encrypted using the encryption key, and creating an encryption set including the ciphertext in which the calculated second value is encrypted. ,
The second index represents a calculation result calculated according to the homomorphism based on a value representing the degree of similarity between the first numeric value sequence and the second numeric value sequence and the first size. system. The index calculation system according to claim 2,
Regarding the first value included in the numerical value range based on the threshold value, the first value is based on the first random number based on the encrypted random number and the encrypted second data, according to the homomorphism. A ciphertext in which a second value that is an operation result according to the homomorphism of the converted value and the second data is encrypted using the encryption key is calculated, and the calculated second value is encrypted. An encryption set means for creating an encrypted set including the encrypted ciphertext,
The second index represents a calculation result calculated according to the homomorphism based on a value representing the degree of similarity between the first numeric value sequence and the second numeric value sequence and the first size. system. Based on the second random number and the second value, a ciphertext of a third value representing an operation result calculated according to the homomorphism is used as the ciphertext included in the second random number and the encrypted set. And further comprising: encrypted reference information means for generating encrypted reference information including the calculated ciphertext and random number information including the second random number based on the homomorphism. Item 5. The index calculation system according to Item 4. The ciphertext of the fourth value representing the calculation result calculated according to the homomorphism based on the third value and the first data or the second data is included in the encrypted reference information. A verification data generating unit configured to calculate according to the homomorphism based on the ciphertext relating to the third value and the encrypted first data, and to generate verification data including the calculated ciphertext of the fourth value; The index calculation system according to claim 5. The index according to claim 6, further comprising verification information means for calculating a value by applying a predetermined function to the second random number included in the random number information and creating verification information including the calculated value. Calculation system. The index calculation system according to claim 7,
A value calculated by decrypting the ciphertext of the fourth value included in the verification data and applying the predetermined function to the calculated value, and a value included in the verification information A collation system comprising: determination means for determining whether or not the first numerical value sequence and the second numerical value sequence are similar or coincident based on whether or not they match.   Based on an encryption key and a numerical value included in the first numerical value sequence, an encrypted first numerical value sequence including an encrypted numerical value obtained by encrypting the numerical value included in the first numerical value sequence using the encryption key is created. And storing the created encrypted first numerical sequence in the storage means, and a first size representing the size of the first numeric sequence representing a value encrypted using the encryption key. And the first numeric value sequence and the second numeric value sequence are calculated based on the encrypted numeric value and the second numeric value sequence included in the encrypted first numeric value sequence stored in the storage unit. An index calculation method in which a second index representing a value obtained by subtracting the first size from a value representing a degree of similarity is an encrypted second index representing a value encrypted using the encryption key. Based on an encryption key and a numerical value included in the first numerical value sequence, an encrypted first numerical value sequence including an encrypted numerical value obtained by encrypting the numerical value included in the first numerical value sequence using the encryption key is created. And storing the created encrypted first numerical sequence in the storage means, and a first size representing the size of the first numeric sequence representing a value encrypted using the encryption key. A first index calculation function for calculating
Based on the encrypted numeric value contained in the encrypted first numeric value sequence stored in the storage means and the second numeric value sequence, the first numeric value sequence and the second numeric value sequence are similar. A second index calculating function for calculating a second index indicating a value obtained by subtracting the first size from a value indicating a degree, and an encrypted second index indicating a value encrypted using the encryption key; Index calculation program to be realized.

Images