JP6805584B2 - Relationship encryption - Google Patents

Description

[Refer to related applications]
This application is a partial continuation of US Patent Application No. 14 / 287,051, a partial continuation of the May 25, 2014 application, US Patent Application No. 14 / 797,025, and a partial continuation of the July 10, 2015 application. It is an application. The entire contents of the above application are incorporated herein by reference.

The embodiments discussed herein relate to relational encryption.

The form of user authentication may include biometric authentication. Biometrics typically involves measuring a user's biometric characteristics that are unique to the user. The measured biometric features, or representations thereof, are then used as the basis for authenticating the user's identity. Biometric features include the user's fingerprint, iris, veins, section of DAN (deoxyribonucleic acid), etc. Biometrics has the advantage that it is possible to authenticate the user without having to remember the password. obtain. Privacy is important in biometric systems because the biometric features are immutable.

The subject matter claimed herein is not limited to embodiments that resolve the shortcomings described above or that function only in the environment described above. Rather, this background technique is provided solely to illustrate an example of a technical field in which the plurality of embodiments described herein are implemented.

According to one aspect of an embodiment, the proximity verification method using relational encryption is linear representing information that has been processed to a randomization level associated with security parameters and encrypted using relational linear cryptography. The step of receiving the sex cipher, the step of determining the linear relationship between the linear cipher and the registered linear cipher using the linear relationship secret key, and the process of processing to the randomization level and Between the step of receiving a proximity cipher representing the information encrypted using the relational proximity encryption method and the proximity cryptographic text and the registered proximity cipher using the proximity relational secret key. And the step of determining the approximate similarity between the proximity cipher and the registered proximity cipher based on the security parameters, the linearity, and the proximity relationship. And the combination of the first verification key assigned to the user device and the second verification key assigned to one of the plurality of authentication servers accesses the result of the step of determining the approximate similarity. When allowed to do so, one or more authentication servers send an authentication signal to the user device indicating whether or not the approximate similarity between the proximity cipher and the registered proximity cipher exists. If the authentication signal communicates and does not allow the combination of the first and second verification keys to access the result of the step of determining the approximate similarity, the authentication signal is the proximity cipher and the registered proximity. It has a step of not communicating the authentication signal to the user apparatus, whether or not it indicates that the approximate similarity exists with the sex cipher.

According to another aspect of one embodiment, the method is a step of receiving medical and biological information and a step of processing the medical and biological information at a randomized level as a plaintext vector, said randomization. The level has steps and, which are related to the security level. The method is to encrypt the plaintext vector using a relational linear encryption method in order to generate a linear cipher that represents the plaintext vector, and to generate a proximity cipher that represents the plaintext vector. Further, the plaintext vector is encrypted by using the relational proximity encryption method, and the linear text and the proximity cipher are communicated with the authentication server. The method represents the linear relationship between the linear ciphertext and the registered linear ciphertext found using the relational linearity key and medical and biological information and is detected using the relational proximity key. It may further have a step of receiving a security level authentication signal indicating the proximity between the proximity ciphertext and the registered proximity ciphertext from the authentication server.

The objectives and advantages of the embodiments will be understood and will be achieved using at least the elements, features and combinations noted in the claims.

It is understood that both the general description above and the detailed description below are for illustration and explanation purposes only and do not limit the scope of the claims.

Exemplary embodiments are described and described with reference to the accompanying drawings, along with additional specificity and details.
It is a block diagram of an exemplary operating environment. It is a block diagram of an exemplary biometric authentication environment. It is a flow chart of the exemplary method of biometric authentication. It is a flow diagram of an exemplary method of relational encryption. It is a flow diagram of an exemplary method of relational encryption. It is a flow diagram of an exemplary method for discovering a linear relationship of a relational encryption method. It is a flow chart of an exemplary method for detecting the proximity of a relational encryption method. It is a flow diagram of the example method of the key generation of the relational linearity encryption method. It is a flow diagram of an exemplary method of encrypting a first plaintext vector using a relational linearity encryption method. It is a flow chart of the example method of the key generation of the relational proximity encryption method. It is a flow chart of the exemplary method of encrypting the first plaintext vector using the relational proximity encryption method. It is a flow chart of the exemplary method of decrypting the first linear ciphertext. It is a flow chart of another exemplary method of decrypting the first linear ciphertext. It is a block diagram of an exemplary operating environment. It is a flow diagram of an exemplary method of encrypting non-uniformly distributed data using a relational encryption method. FIG. 5 is a flow chart of an exemplary method of processing non-uniformly distributed data, all configured according to at least one embodiment described herein. It is a block diagram of another exemplary operating environment. It is a figure explaining the 1st example of the proximity verification method using relational encryption. It is a figure explaining the 2nd example of the proximity verification method using relational encryption. It is a figure explaining the third example of the proximity verification method using relational encryption. It is a figure explaining the 4th example of the proximity verification method using relational encryption. It is a figure explaining the 5th example of the proximity verification method using relational encryption. An example of the access restriction table is shown. It is a figure explaining the sixth example of the proximity verification method using relational encryption. It is a block diagram of still another exemplary operating environment. A block diagram of a further exemplary operating environment 100 arranged by at least one embodiment described herein is shown.

The challenge of biometrics may be that the user cannot change the biometric features used as the basis for authentication. For example, the user may register a biometric template containing biometric data representing one or more unique features of the user, such as the user's fingerprint or the user's iris pattern. If the biometric template is at risk, the user cannot change the unique features represented by the biometric template. Therefore, once at risk, another biometric template may be registered, or a biometric template of another biometric feature may be registered. At least for this reason, biometric systems can benefit from strong privacy guarantees. In real-life biometric data, the biometric data can be significantly non-uniform.

In some biometric systems, various approaches have been implemented to provide a secure biometric system. For example, some biometric authentication systems implement a "feature conversion approach", a "biocryptographic system approach", and / or an "isomorphic cryptographic approach". However, each of these approaches has limited privacy and security, at least in part, due to the communication of information that could endanger each, such as biometric templates, client-specific keys, public keys, etc. Only provide.

Therefore, some embodiments discussed herein relate to privacy-protected biometrics. Privacy-protected biometrics may be based on relationship encryption. Relational encryption (or relational encryption) is an encryption method using a relational key. Relationship encryption allows the authenticator to discover the relationship between ciphertexts without having the authenticator restore the plaintext or generate a fraudulent ciphertext that has a specific relationship with the real ciphertext. .. For example, an exemplary embodiment has a method of biometric authentication. The method may include a step of receiving a registration input. The registration input may have a user's first biometric template. The first biometric template may represent the unique features of the user's biometric features. The method may include steps to generate a first linear ciphertext and a first proximity ciphertext according to the relational encryption scheme. The method may include a step of communicating a first linear ciphertext and a first proximity ciphertext to an authentication server. The method may have a step of receiving a challenge input. The challenge input may have a second biometric template. The second biometric template may represent one or more unique features of the user's biometric features. The method may include steps to generate a second linear ciphertext and a second proximity ciphertext according to the relational encryption scheme. The method may include a step of communicating a second linear ciphertext and a second proximity ciphertext to the authentication server. The authentication server may discover the linear relationship between the first and second linear ciphertexts and detect the proximity between the first and second proximity ciphertexts. The method may include a step of receiving a signal indicating an authentication decision from the authentication server. The certification decision may be based on the presence or absence of linearity relationships and / or proximity.

In some embodiments, the underlying data may be processed first before generating the linear or proximity ciphertext. For example, the underlying data may be passed through a linear extractor that can provide a level of randomization within the underlying plaintext. Embodiments of the present disclosure will be described below with reference to the accompanying drawings.

FIG. 1 shows a block diagram of an exemplary operating environment 100 arranged according to at least one embodiment described herein. In the operating environment 100, relational encryption may be executed. The relational encryption may have a cryptographic primitive that allows the first entity 152 to determine one or more relationships between two or more ciphertexts provided by the second entity 150. In particular, relational encryption causes the first entity 152 to discover a linear relationship between two or more ciphertexts and detect the proximity between two or more ciphertexts. In addition, relational encryption causes a first entity 152 to recover plaintext from a ciphertext or to construct a fraudulent ciphertext that has a particular relationship with a particular real ciphertext.

Relationship encryption may be implemented in various environments. For example, relationship encryption may be performed in a social environment where individuals want to keep their location private, but semi-reliable services may allow detection of location-to-location proximity. Further, the relational encryption may be performed in the image comparison environment. Proximity may be detected between images from the database to determine the similarity between the images. The privacy of the image may be maintained. The user may search for the image using relational encryption without touching the image in the database. In addition, relational encryption may be performed in a private data storage environment. The user may encrypt the data and communicate the encrypted data to the database. Analysis (eg, storage, clustering, etc.) can be performed on the encrypted data without the risk of the encrypted data being decrypted.

For example, the second entity 150 may receive the first plaintext vector 142A and the second plaintext vector 142B (usually the plaintext vector 142 or a plurality of plaintext vectors 142). The plaintext vector 142 may have arbitrary data sets such as biometric templates, location information, and so on. The second entity 150 may communicate a first ciphertext having an encrypted version of the first plaintext vector 142A to the first entity 152. Later, the second entity 150 may communicate a second ciphertext with an encrypted version of the second plaintext vector 142B to the first entity 152. The first entity 152 may discover whether or not there is a linear relationship between the first ciphertext and the second ciphertext, and the first ciphertext and the second ciphertext Proximity between them may be detected. In some embodiments, proximity may be in terms of Hamming distance.

However, relational encryption does not allow the first entity 152 to construct the plaintext vector 142 from the first and second ciphertexts. In addition, relational encryption causes the first entity 152 to construct a third ciphertext having a particular linear relationship and / or a particular proximity to the first ciphertext and / or the second ciphertext. I won't allow that. FIG. 1 shows an embodiment having two plaintext vectors 142 and thus two ciphertexts. In some embodiments, more than two plaintext vectors 142 and thus more than two ciphertexts may be included in the operating environment 100.

The relationship encryption may have one or more relationship keys. The relationship key may be similar to the public and / or signature key and may be provided to or generated by the first entity 152. The relationship key may allow the determination of the relationship between the ciphertexts, but does not allow the decryption of the ciphertexts or the restoration of the plaintext vector 142. Moreover, the relationship key does not allow the construction of ciphertexts that have a particular relationship with a particular ciphertext.

In some embodiments, the relational encryption may be defined according to the relational cryptography for the relations having tuples of the algorithm. The algorithm may include a key generation algorithm, a first encryption algorithm, a first decryption algorithm, a first encryption algorithm, a second decryption algorithm, and a verification algorithm. Relationships may be defined as subsets of three sets. In addition, the relationships and algorithms may satisfy one or more accuracy conditions. For example, the relationship may meet the following exemplary accuracy conditions.

R⊆XxYxZ
(Pkx, skx, pky, sky, skR) ← KeyGen (1 ^λ )
cx ← EncX (pkx, x)
cy ← EncY (pky, y)
b ← Verify (skR, cx, cy, z)
b≈R (x, y, z)
In the accuracy condition, R represents a relationship. The operator ⊆ represents a subset operator. The parameters X, Y, Z represent a set. The parameter x represents the first plaintext vector 142A. The parameter y represents the second plaintext vector 142B. KeyGen represents a key generation algorithm. EncX represents the first encryption algorithm. EncY represents a second encryption algorithm. Verify represents a verification algorithm. The operator ← represents an output operator. The parameter pkx represents the first public key. The parameter pky represents the second public key. The parameter skx represents the first private key. The parameter sky represents the second private key. The parameter skR represents the relational secret key. The parameter cx represents the first ciphertext. The parameter cy represents the second ciphertext. The parameter b represents the output by the verification algorithm. The parameter λ represents a security parameter. The parameter z represents a particular value that can be selected by the validation entity. The operator ≒ represents a congruency operator. In the accuracy condition, the output from the verification algorithm matches the relationship with overwhelming probability.

The relational encryption method is secure in the sense that the relational key does not allow the construction of a ciphertext having a particular relationship with a particular ciphertext and the restoration of the plaintext vector 142A from a particular ciphertext. possible. For example, a relational encryption scheme can be secure if the following equations are preserved.
1) The algorithm for performing KeyGen (1 ^λ ) is Kx (1 ^λ ), and the output (pkx, skx, pky, sky, skR) and the output (pkx, skx) are taken in. As a result, (Kx, EncX, DecX) is IND-CPA secure.
2) Let the algorithm for performing KeyGen (1 ^λ ) be Ky (1 ^λ ), and take in the output (pkx, skx, pky, sky, skR) and the output (pkx, skx). As a result, (Ky, EncY, DecY) is IND-CPA secure.
3) The algorithm for performing KeyGen (1 ^λ ) is KR (1 ^λ ), and the output (pkx, skx, pky, sky, skR) and the output (pkx, skx, skR) are taken in. As a result, EncX (pkx, ·) and EncY (pky, ·) are one-way functions when skR is known.

In the above equation, pkx, skx, pky, sky, skR, KeyGen, EncX () and EncY () are as described above. DecX represents the first decoding algorithm. DecY represents a second decoding algorithm. Kx (), Ky (), and KR () are as described in the above equation. The symbol "・" indicates an arbitrary value. The term "IND-CPA" is an abbreviation for indistinguishability under chosen-plaintext attack. In some other embodiments, (Ky, EncY, DecY) and / or (Kx, EncX, DecX) are IND-CCA (indistinguishability under chosen ciphertext attack) (eg, IND-CCA1 or IND-CCA2) or It may be secure according to another computational security metric like any other suitable security metric.

Further, in some embodiments, the relational encryption method may have a relational linearity encryption method. The relational linearity encryption method may determine the relation according to the following exemplary linearity relational expression.

R = {(x, y, z) | x + y = z∧x, y, z ∈ F ⁿ _p }
In the linearity relational expression, R, x, y, and z are as described above. The operator ∈ represents a membership operator. The operator | represents a "satisfying the condition of" (such that) operator. The operator ∧ represents a logical join operator. Parameter F represents a field. The subscript n usually represents the dimension of the field. The dimension of the field may have one or more lengths of the keys as discussed elsewhere herein. The subscript p represents the base-number of the fields. For ^example, the ^{F 10} _3, field has a base number of dimensions and 3 of 10. A base number of 3 indicates that each element of the field is 0, 1, or 2.

Further, in some embodiments, the relational encryption method may have a relational proximity encryption method that defines the relation according to the following exemplary proximity formula.

R _δ = {(x, y) | dist (x, y) ≤ δ ∧ x, y ∈ F ^k _p }
In the proximity equation, R, x, ∧, ∈, and y are as described above. The parameter δ represents a distance that determines intimacy. The operator dist represents the Hamming distance. Parameter F represents a field, as in the linearity relation. However, the field in the proximity equation may have a different dimension than the field in the linear relation equation. The dimension of the field in the proximity equation may be related to the linear error correction code.

The relational encryption method discussed in the present specification may be implemented in the operating environment 100 of FIG. The relational encryption scheme allows the second entity 150 to communicate the cryptographic information to the first entity 152, and the first entity 152 discovers the linear relationship between the cryptographic information and / Or it may be possible to determine the proximity between the encrypted information.

The operating environment 100 may have a user device 102 associated with the second entity 150 and an authentication server 140 associated with the first entity 152. The user apparatus 102 and the authentication server 140 may be implemented in the operating environment 100 in order to perform the relational encryption.

The user apparatus 102 and the authentication server 140 generally allow the generation and communication of information and / or data related to relational encryption (eg, ciphertext, key, plaintext vector 142A, etc.) via network 107. You may have a computing device. Some examples of the user device 102 are mobile phones, scanning devices, smartphones, tablet computers, laptop computers, desktop computers, set-top boxes, or connected devices (eg, smart watches, smart glasses, smart pedometers, or any). It may have other connected devices). Some examples of the authentication server 140 may have a hardware server or a computing device based on another processor configured to act as a server.

The network 107 may be wired or wireless. The network 107 may have a number of configurations, including star configurations, token ring configurations or other configurations. Further, the network 107 may have a LAN (local area network), a WAN (wide area network) (eg, the Internet), and / or other interconnected data paths through which a plurality of devices can communicate. In some examples, the network 107 may have a peer-to-peer network. The network 107 may be coupled to or include a portion of a communication network that transmits data in a variety of different communication protocols. In some examples, the network 107 is a Bluetooth® communication network or SMS (short messaging service), MMS (multimedia messaging service), HTTP (hypertext transfer protocol), direct data connection, WAP (wireless application protocol), It may have a cellular communication network that transmits and receives data including via e-mail and the like.

The user device 102 may include a related encryption / decryption module (enc / dec module) 110, a processor 124A, a memory 122A, and a communication unit 126A. The enc / dec module 110, the processor 124A, the memory 122A, and the communication unit 126A may be connected by the bus 120A. The authentication server 140 may include a related authentication module 108, a processor 124B, a memory 122B, and a communication unit 126B. The relationship authentication module 108, the processor 124B, the memory 122B, and the communication unit 126B may be connected by the bus 120B.

Processors 124A and 124B are generally referred to herein as processor 124 or a plurality of processors 124. The memories 122A and 122B are generally referred to as memory 122 in the present specification. The communication units 126A and 126B are generally referred to herein as the communication unit 126 or the plurality of communication units 126. Buses 120A and 120B are generally referred to herein as bus 120 or a plurality of buses 120.

The processor 124 may have an ALU (arithmetic logic unit), a microprocessor, a general purpose controller, or any other processor or processor array for performing computation and privacy protection. Processor 124 may be coupled to bus 120 for communication with other components (eg 108, 110, 122, and 126). Processor 124 generally has a variety of computing architectures, including a complex instruction set computer (CISC) architecture, a reduced instruction set computer (RISC) architecture, or an architecture that implements a combination of instruction sets. Is also good. In FIG. 1, the user apparatus 102 and the authentication server 140 may each have a signal processor 124. However, the user device 102 and / or the authentication server 140 may have a plurality of processors. Other processors, operating systems, and physical configurations are also possible.

The memory 122 may be configured to store instructions and / or data that may be executed by one or more of the processors 124. The memory 122 may be coupled to the bus 120 to communicate with other components. The instructions and / or data may have code that performs the techniques or methods described herein. The memory 122 may include a DRAM element, a SRAM element, a flash memory, or some other memory element. In some embodiments, the memory 122 is a non-volatile memory or hard disk drive, floppy disk drive, CD-ROM device, DVD-ROM device, DVD-RAM device, DVD-RW device, flash memory device or conventionally known. You may also have similar permanent storage devices and media, including certain other mass storage devices that store information more permanently.

The communication unit 126 may be configured to transmit and / or receive data from the user equipment 102 and / or the authentication server 140. The communication unit 126 may be coupled to the bus 120. In some embodiments, the communication unit 126 may have a port for direct physical connection to network 107 or to another communication channel. For example, the communication unit 126 may have a similar port for wired communication with a USB (universal serial bus), SD (standard definition), CAT-5, or component of the operating environment 100 of FIG. In some embodiments, the communication unit 126 transmits data over a communication channel using one or more wireless communication methods, including IEEE 802.11, IEEE 802.16, Bluetooth® or another suitable wireless communication method. Have a wireless communicator to replace.

In some embodiments, the communication unit 126 transmits and receives data over a cellular communication network that includes SMS, MMS, HTTP, direct data connection, WAP, email, or another suitable type of electronic communication. It has a cellular communication communication device. In some embodiments, the communication unit 126 has a wired port and a wireless communicator. The communication unit 126 uses standard network protocols including TCP / IP (transmission control protocol / internet protocol), HTTP, HTTP Secure (HTTPS), and SMTP (Simple Mail Transfer Protocol) to distribute files and / or media objects. Other connections to network 107 may be provided for this purpose.

The ench / dec module 110 may be configured to set a relational encryption scheme, such as the relational encryption scheme described above, or having one or more of the features described above. The ench / dec module 110 may then receive the plaintext vector 142, encrypt the plaintext vector 142, and communicate the ciphertext to the authentication server 140 via the network 107. Further, the enc / dec module 110 may be configured to decrypt the ciphertext in order to construct one or more of the plaintext vectors 142. In an embodiment in which the enc / dec module 110 is configured to perform an encryption and / or decryption process, the ench / dec module 110 is an encryption / decryption algorithm and / or an encryption / or encryption / decryption algorithm discussed herein. The decryption key may be used to perform encryption and / or decryption processing.

In an embodiment in which the ench / dec module 110 is configured to set the relational encryption scheme, the ench / dec module 110 applies one or more relational secret keys and / or one or more verification algorithms to the authentication server 140. It may be configured to communicate with the relational authentication module 108. In other embodiments, the relationship authentication module 108 may generate the relationship secret key and / or the verification algorithm locally, and / or may obtain the relationship secret key or verification algorithm from another source.

The relational authentication module 108 may be configured to receive the ciphertext, the relational secret key, the verification algorithm, or any combination thereof from the enc / dec module 110 or another source. The relationship authentication module 108 may then discover the linear relationship between the ciphertexts and / or detect the proximity between the ciphertexts. The relationship authentication module 108 may use the relationship secret key and / or the verification algorithm to discover the linear relationship between the ciphertexts and detect the proximity.

In the operating environment 100 of FIG. 1, the ench / dec module 110 may include a linear encryption / decryption module 112, a proximity encryption / decryption module 114, a communication module 116, and a setting module 114. Further, the relationship authentication module 108 may include the server communication module 134, the linearity authentication module 132, and the proximity authentication module 128. In some embodiments, the configuration module 144, or a module configured to perform one or more operations belonging to the configuration module 144, may be included in the relationship authentication module 108.

enc / dec module 110, linear encryption / decryption module 112, proximity encryption / decryption module 114, communication module 116, setting module 144, relationship authentication module 108, server communication module 134, linearity authentication module 132, And the proximity authentication module 128 may be collectively represented as a related module. One or more of the related modules may be implemented as software that includes one or more routines configured to perform one or more of the operations described herein. The relevant module may have an instruction set executable by processor 124 to provide the functionality described herein. In some examples, the relevant modules may be stored in memory 122 or at least temporarily loaded into it and may be accessible or executable by one or more of processors 124. One or more of the related modules may be applied for collaboration and communication with one or more of the processors 124 via one or more of the buses 120.

Generally referring to related modules, the communication module 116 and / or the server communication module 134 is an enc / dec module 110 or a related authentication module 108, and other components of the user device 102 or the authentication server 140 (eg, 122, 124, respectively). , And 126) may be configured to handle communication with. The communication module 116 and / or the server communication module 134 may be configured to transmit data to and receive data from the user device 102 or the authentication server 140 via the communication unit 126. In some examples, the communication module 116 and / or the server communication module 134 is another related module for receiving and / or transferring data from the user apparatus 102 or the authentication server 140 via the communication unit 126. You may collaborate with.

The linear encryption / decryption module 112 relates to encrypting the plaintext vector 142 to construct a linear ciphertext and / or one or more related to decrypting the linear ciphertext. It may be configured to perform the operation. The linearity authentication module 132 may be configured to perform one or more operations related to the linearity ciphertext. For example, the linearity authentication module 132 may be configured to discover a linearity relationship between two or more of the linearity ciphertexts.

The linear encryption / decryption module 114 relates to encrypting the plaintext vector 142 to construct the proximity ciphertext and / or one or more related to decrypting the proximity ciphertext. It may be configured to perform the operation. The proximity authentication module 128 may be configured to perform one or more operations related to the proximity ciphertext. For example, the proximity authentication module 128 may be configured to detect proximity between two or more of the proximity ciphertexts.

Configuration module 144 to generate one or more keys (eg, public key, private key, related secret key) and / or one or more algorithms (eg, encryption algorithm, decryption algorithm, and validation algorithm). It may be configured. The configuration module 144 then transfers one or more of the keys and algorithms to the relationship authentication module 108 by the communication module 116 and the server communication module 134, or to the linear encryption / decryption module 112 and proximity encryption /. You may communicate with the decoding module 114.

In the following paragraphs, the relational proximity encryption method is described following the relational linearity encryption method. The relational linearity encryption scheme is described with reference to the bit vector and then the p-ary vector. In each of the descriptions, the configuration module 144 generates a key. This will be explained first. Using the key, one of the linear encryption / decryption module 112 or the proximity encryption / decryption module 114 performs encryption. This will be explained next. The ciphertext (eg, linear or proximity ciphertext) is then one of linearity authentication module 132 and proximity authentication module 128 for which a linearity relationship is discovered or proximity is detected. May be communicated with. Finally, the decryption of the ciphertext that can be performed by the linear encryption / decryption module 112 or the proximity encryption / decryption module 114 is described.

<Relationship linearity encryption method>
In one or more actions involved in the step of discovering the linearity relationship between ciphertexts, the configuration module 144 outputs a key that can be at least partially based on the plaintext vector 142 and / or the basic number of ciphertext elements. You may. For example, the basic number of elements may have 2 (eg, binary or bit vector). Therefore, the plaintext vector 142 and the ciphertext may include elements having 0 or 1. Alternatively, the basic number of elements may have 3 (eg, tri-ary or vector). Therefore, the plaintext vector 142 and the ciphertext may include elements having 0, 1, or 2. In general, the base number is represented by the variable "p" (eg, a p-ary vector). The p-ary vectors are 0, 1, ... .. .. , P-2, and p-1 may be included. The relational linearity encryption scheme is slightly different based on whether the plaintext vector 142 and / or the ciphertext is a bit vector or a p-ary vector. First, the relational linear encryption method of the bit vector is discussed, and then the relational linear encryption method of the p-ary vector follows.

In the relational linearity encryption method of bit vector and p-ary vector, the setting module 144 may be configured to generate the key of the relational linearity encryption method. In the illustrated embodiment, the configuration module 144 has a first linearity secret key, a second linearity secret key, a first linearity public key, a second linearity public key, and a linearity relationship secret key ( Collectively, a "linearity key") may be generated. The linearity key is used to encrypt the plaintext vector 142, to generate the linear ciphertext, to decrypt the linear ciphertext, and to discover the linearity relationship between the linear ciphertexts. May be done.

For example, the first linearity public key may be used by the linear encryption / decryption module 112 to encrypt the first plaintext vector 142A to generate the first linear ciphertext. The first linear ciphertext may be communicated to the authentication server 140 by the communication module 116. The first linear ciphertext may be stored in the authentication server 140 as the registered ciphertext 130. The second linearity public key may be used by the linear encryption / decryption module 112 to encrypt the second plaintext vector 142B to generate a second linear ciphertext. The second linear ciphertext may be communicated to the authentication server 140 by the communication module 116. The linearity relationship secret key is used in the authentication server 140, especially by the linearity authentication module 132, to discover the linearity relationship between the second linear ciphertext and the first linear ciphertext. You may. This linearity relationship is stored as the registered ciphertext 130.

The first and second linearity secret keys may be used by the linear encryption / decryption module 112 to decrypt one or more of the linear ciphertexts. For example, the first linear ciphertext may be decrypted using the first private key. In addition, the first and second linearity secret keys may be used by the configuration module 144 to generate the relational linearity key. The linearity key and some additional details of the above behavior are provided below for bit vectors and for p-ary vectors.

<Bit vector relation linear encryption method>
In embodiments where bit vectors are implemented, linearity keys may be generated for security parameters. In general, the security parameters used herein may represent key lengths. To generate the key, the configuration module 144 may generate three bilinear groups of prime order. The prime order may be an exponent in the security parameter. The configuration module 144 samples the first generator of the first bilinear group of the three bilinear groups and the second generator of the second bilinear group of the three bilinear groups. The original may be sampled.

The configuration module 144 may generate a first linearity secret key by randomly sampling a specific number of elements from a set of integers. The set of integers may have values ranging from zero to prime order-1. The configuration module 144 may generate a second linearity secret key by randomly sampling a specific number of elements from a set of integers.

The configuration module 144 may define a first linearity public key. The first linearity public key may have an element that is the first generator. The first linearity public key may further have one or more other elements, including a first generator that is raised by the corresponding element of the first linearity secret key. In some embodiments, the first generating element may be the first element of the first linearity public key. This cannot be explained by the correspondence between the first linearity public key and the first linearity secret key. For example, in the above and in other embodiments, the "sixth" element of the first linearity public key (eg, the first element is described) is the fifth element of the first linearity secret key. It may have a first generator raised to the power of. Throughout this application, similar conventions may be practiced for correspondence between elements.

The configuration module 144 may define a second linearity public key. The second linearity public key may have an element that is the second generator. The second linearity public key may further have one or more other elements, including a second generator that is raised by the corresponding element of the second linearity secret key. In some embodiments, the element that is the second generator may be the first element of the second linearity public key. This is not taken into account in the correspondence between the second linearity public key and the second linearity secret key.

The setting module 144 may determine the linearity relation secret key. Each element of the linearity secret key may have the sum of the corresponding element of the second linearity secret key and the corresponding element of the first linearity secret key. For example, the fifth element of the linearity secret key may have the sum of the fifth element of the first linearity secret key and the fifth element of the second linearity secret key.

In some embodiments, the linearity key generation may follow the following exemplary linearity bit vector key equation.

When λ is given, to produce a _{G 1, G 2, G T} of q

In the linearity bit vector key equation, ← and λ are generally as described above. Further, in the linearity bit vector key equation, pkxlin represents the first linearity public key, skxlin represents the first linearity secret key, pkylin represents the second linearity public key, and skylin represents the second linearity public key. Represents the linearity secret key of, and skRlin represents the relational linearity key. In addition, the parameters pkxlin, skxlin, pkylin, skylin, and skRlin may represent at least one linear portion of the output of the key generation algorithm (KeyGen) described above.

The parameter G ₁ represents the first bilinear group. Parameter G ₂ represents a second bilinear group. Parameter G _T represents the third bilinear group. The parameter q represents a prime order. The parameter g ₀ represents an element of the first generator and the first linearity public key. The parameter h ₀ represents an element of the second generator and the second linearity public key. Parameters g _i denotes the other elements of the first linearity public key. Parameter h _i represents the other elements of the second linearity public key. The parameter n represents a specific number (for example, a specific number of elements). Parameter i represents an index variable. In the linearity bit vector key equation, the index variable has a range from 1 to a specific number. The parameter Z _q represents a set of integers from 0 to a number one less than a prime order. The parameter _ai represents an element of the first linearity secret key. The element of the first linearity secret key may be a random value of a set of integers. Parameters b _i represents the elements of the second linearity private key. The element of the second linearity secret key may be a random value in a set of integers. The operator <> represents a simple notation. For ^{_{example, <b i> n i =}} 1 _{is, b 1,} b _2,. .. .. , B _n .

The linear encryption / decryption module 112 may encrypt the plaintext vector 142. The linear encryption / decryption module 112 may receive the plaintext vector 142. In addition or alternatives, the communication module 116 may receive the plaintext vector 142 and communicate the plaintext vector 142 to the linear encryption / decryption module 112.

The plaintext vector 142 may have members of the first field. The first field may have elements 0 and 1 and a certain number of dimensions. The elements of the field may be determined by the basic number of elements. For example, in a bit vector, the first field may have elements 0 and 1. On the other hand, in the p-ary vector, the fields are 0, 1, ... .. .. , P-1 may be included.

The linear encryption / decryption module 112 may sample random numbers from a set of integers. The linear encryption / decryption module 112 may then construct a first linear ciphertext and a second linear ciphertext. The first linear ciphertext may have a first element that is a first generator that is raised to a random number. The first linear ciphertext may further include one or more elements having the corresponding elements of the first linear public key raised to the power of the linear encryption index. The linear encryption exponent of the first linear ciphertext may have a random number multiplied by -1 and raised to the power of the corresponding element of the first plaintext vector 142A. In some embodiments, the first element of the first linear ciphertext cannot be explained in correspondence.

The second linear ciphertext may have a first element that is a second generator that is raised to a random number. The second linear ciphertext may further include one or more elements having the corresponding elements of the second linear public key raised to the power of the linear encryption index. The linear encryption exponent of the second linear ciphertext may have a random number multiplied by -1 and raised to the power of the corresponding element of the second plaintext vector 142B. In some embodiments, the first element of the second linear ciphertext cannot be explained in correspondence.

In some embodiments, the linear encryption / decryption module 112 may encrypt the plaintext vector 142 according to the following exemplary linear bit vector encryption.

The linearity bit vector encryption _{formula, <>, cx, cy,} g 0, h 0, g i, h i, i, and n are as described above. Further, in the linearity bit vector encryption formula, the parameter cx represents the first ciphertext and the parameter cy represents the second ciphertext. The parameter m1 represents the first plaintext vector 142A. The parameter m1 _i represents an element of the first plaintext vector 142A. The parameter m2 represents the second plaintext vector 142B. The parameter m2 _i represents an element of the second plaintext vector 142B. Parameter F represents the first field. The subscript 2 next to the field represents the basic number of the first field. The subscript n next to the field represents the dimension of the first field.

The linearity bit vector encryption formula may define the first encryption algorithm (EncX) and the second encryption algorithm (EncY) described above. For example, the first encryption algorithm may be defined as follows. When the first plaintext vector 142A and first linearity public key given, first encryption algorithm samples the random _{^{number, cx = g r 0, <}} g i (-1) m1ir> n i = as ₁ constructing the first linearity ciphertext. Similarly, the second encryption algorithm may be defined as follows. When the first plaintext vector 142A and second linearity public key given, a second encryption algorithm samples the random _{^{number, cy = h r 0, <}} h i (-1) m2ir> n i = as ₁ constructing the second linearity ciphertext.

The first linear ciphertext and the second linear ciphertext may be communicated to the linearity authentication module 132. In addition or alternatives, the first linear ciphertext and the second linear ciphertext may be communicated to the authentication server via network 107. The server communication module 134 receives the first linear ciphertext and the second linear ciphertext, and communicates the first linear ciphertext and the second linear ciphertext with the linearity authentication module 132. Is also good.

In some embodiments, the first linear ciphertext may be communicated to the linearity authentication module 132 prior to the communication of the second linear ciphertext. The linearity authentication module 132 may store the first linear ciphertext as the registered ciphertext 130 in the memory 122B. After communicating the first linear ciphertext, the second linear ciphertext may be communicated to the linearity authentication module 132. Further, the setting module 144 may communicate the relational linearity key to the linearity authentication module 132.

In some embodiments where relational encryption is used for authentication, the first linear ciphertext may be stored as registered ciphertext 130. The registered ciphertext 130 may be used as the basis for comparison with a second linear ciphertext or any other subsequent linear ciphertext. In other embodiments where the relational encryption is performed, the first linear ciphertext does not have to be stored as the registered ciphertext 130. For example, the first linear ciphertext and the second linear ciphertext may be analyzed without storing them, or both may be stored.

The linearity authentication module 132 may be configured to discover a linear relationship between a first linear ciphertext and a second linear ciphertext. In order to discover the linearity relationship, the linearity authentication module 132 may determine a specific vector. The specific vector may be a member of the first field. The authentication problem determined by the linearity authentication module 132 may be to determine whether the particular vector is the sum of the first plaintext vector 142A and the second plaintext vector 142B.

The linearity authentication module 132 has a first element of the first linearity ciphertext (eg, a first power raised by a random number) and a second linearity raised by a linearity relationship secret key. The first value may be calculated as a pairing function of the first element of the ciphertext (for example, a second power source raised to a power by a random number).

The linearity authentication module 132 is in the second linear ciphertext of the first linear ciphertext and the second linear ciphertext obtained by exponentiating -1 with the corresponding element of the specific vector. A second value may also be calculated as a result of the pairing function of each of the corresponding elements of.

The linearity authentication module 132 may determine whether the first value is equal to the second value. In response that the first value is equal to the second value, the linearity authentication module 132 states that the first linear ciphertext is in a linear relationship with the second linear ciphertext and the defined vector. You may conclude.

In some embodiments, the linearity authentication module 132 establishes a linear relationship between the first linear ciphertext and the second linear ciphertext according to the following exemplary linearity bit vector validation equation. Discover.

The linearity bit vector verification _{equation, <>, cx, cy,} g 0, h 0, g i, h i, i, n, F, skR and r are as described above. The parameter cx ₀ represents the first element of the first linear ciphertext. The parameter cy ₀ represents the first element of the second linear ciphertext. The parameter cx _i represents another element of the first linear ciphertext. The parameter cy _i represents another element of the second linear ciphertext. The parameter z represents a specific vector. Parameter z _i represents the elements of a particular vector. The operator e represents a pairing function. The pairing function may be associated with a bilinear group. The operator Π represents the product operator. The linearity bit vector verification formula may define the above-mentioned verification algorithm (Verify). For example, the validation algorithm may be defined to check the following equation given the ciphertext, specific vector, and relational linearity key.

Further, in some embodiments, the linear encryption / decryption module 112 may decrypt the first and / or second linear ciphertext. The linear encryption / decryption module 112 may determine each element of the resulting plaintext vector 142 based on the value of the linear ciphertext. For example, the value may be determined for each element of the first plaintext vector (eg, first plaintext vector 142A) constructed by decrypting the first linear ciphertext.

For each element, the linear encryption / decryption module 112 (1) has the corresponding element in the first linear ciphertext multiplied by the corresponding element of the first linear secret key. Equal to the first element of the first linear ciphertext, or (2) the corresponding element in the first linear ciphertext is multiplied by -1 by the corresponding element of the first linearity secret key. Is it equal to the first element of the first linear ciphertext, or (3) the corresponding element in the first linear ciphertext is equal to another value? May be decided.

In response to the corresponding element in the first linear ciphertext being equal to the first element of the first linear ciphertext multiplied by the corresponding element of the first linearity secret key (For example, (1) in the immediately preceding paragraph), the linear encryption / decryption module 112 may set the element of the first plaintext vector 142A to 0 (zero). The first element of the first linear ciphertext whose corresponding element in the first linear ciphertext is multiplied by -1 and the corresponding element of the first linearity secret key. In response to (eg, (2) in the previous paragraph), the linear encryption / decryption module 112 may set the element of the first plaintext vector 142A to 1. In response that the corresponding element in the first linear ciphertext is equal to another value (eg, (3) in the previous paragraph), the linear encryption / decryption module 112 returns an error. You may. The second linear ciphertext may be similarly decrypted using the second linearity secret key and the second linearity ciphertext.

In some embodiments, the linear encryption / decryption module 112 may decrypt the linear ciphertext according to the following exemplary linear bit vector decoding formula.

The linearity bit vector decoding _{formula, cx i, cy i, cx} 0, cy 0, a i, b i, m1 i, and m @ 2 _i are as described above. The parameter ⊥ represents an error.

The linearity bit vector decoding formula may define the first decoding algorithm (DecX) and the second decoding algorithm (DecY) described above. For example, the first decoding algorithm may be defined as follows. Given the first linear ciphertext and the first linearity secret key, the first decoding algorithm may construct the first plaintext vector 142 bit by bit according to the following equation.

Similarly, the second decoding algorithm may be defined as follows. Given the second linear ciphertext and the second linearity secret key, the second decoding algorithm may construct a second plaintext vector 142B bit by bit according to the following equation.

<P-ARY vector relation linearity encryption method>
In embodiments where the p-ary vector is implemented (eg, the plaintext vector 142 and / or the ciphertext is the p-ary vector), the linearity key may be generated for the security parameter. To generate the key, the configuration module 144 may generate three groups of prime orders. The prime order is an exponent in the security parameter and may be equal to the remainder (1 modulo p) of 1 divided by the basic number (p). Therefore, in these embodiments, subgroups may be present in a set of zero-removed integers. Subgroups may have a basic number order. The setting module 144 may select an arbitrary generator of the subgroup.

The setting module 144 may sample the first generator and the second generator. The first generator may be sampled from the first bilinear group and the second generator may be sampled from the second bilinear group. The first linearity secret key and the second linearity secret key may be generated as described above for embodiments that implement the bit vector.

The configuration module 144 may define a first linearity public key that includes an element that is the first generator. The first linearity public key may further have one or more other elements, including a first generator that is raised by the corresponding element of the first linearity secret key. Further, the element of the first linearity public key may have an arbitrary generator. In some embodiments, the first element of the first linearity public key may be any generator, and the second element of the first linearity public key is the first generator. It may be. The first and second elements of the second linearity public key are not considered in the correspondence.

The configuration module 144 may define a second linearity public key. The second linearity public key may have an element that is the second generator. The second linearity public key may further have one or more other elements that may include a second generator that is raised by the corresponding element of the second linearity secret key. Further, the element of the second linearity public key may have an arbitrary generator. In some embodiments, the first element of the second linearity public key may be any generator, and the second element of the second linearity public key is the second generator. It may be. The first and second elements of the second linearity public key are not considered in the correspondence.

The setting module 144 may determine the linearity relation secret key. Each element of the linearity secret key may have the sum of the corresponding element of the second linearity secret key and the corresponding element of the first linearity secret key.

In some embodiments, the generation of linearity keys may follow the following exemplary linearity p-ary vector key equation.

When lambda is given, to produce a _{G 1,} G 2, _{G T} equal to 1 be exponential in λ q (mod p)

The linearity p-ary vector key _{expression, <>, g 0, h} 0, g i, h i, a i, b i, i, n, Z, F, skR, r, G 1, G 2, G _T , q, pkxlin, skxlin, pkylin, skylin, skRlin, ←, and λ are generally as described above. The parameters pkxlin, skxlin, pkylin, skylin, and skRlin may represent at least one linear part of the output of the key generation algorithm described above.

The parameter p represents a basic number. The parameter J _p represents a subgroup of degree p. The parameter ω represents an arbitrary generator. The operator mod represents a modulo function. The "*" next to Z indicates that 0 (zero) is removed from the set of integers.

The linear encryption / decryption module 112 may receive the plaintext vector 142. In addition or as an alternative, the communication module 116 may receive the plaintext vector 142 and may communicate the plaintext vector 142 with the linear encryption / decryption module 112. The plaintext vector 142 may have members of the second field. The second field may have elements (eg, 0, 1, ..., p-1) having a value from 0 to a value of the basic number -1.

The linear encryption / decryption module 112 may sample random numbers from a set of integers. The linear encryption / decryption module 112 may then construct a first linear ciphertext and a second linear ciphertext. The first linear ciphertext may have a first element that is a first generator that is raised to a random number. Further, the first linear ciphertext may have one or more other elements having the corresponding elements of the first linear public key raised to the power of the linear encryption index. The linear encryption exponent of the first linear ciphertext may have a random number multiplied by an arbitrary source and raised to the power of the corresponding element of the first plaintext vector 142A. In some embodiments, the first element of the first linear ciphertext is not considered in the correspondence.

The second linear ciphertext may have a first element that is a second generator that is raised to a random number. Further, the second linear ciphertext may have one or more other elements having the corresponding elements of the second linear public key raised to the power of the linear encryption index. The linear encryption exponent of the second linear ciphertext may have a random number multiplied by an arbitrary source and raised to the power of the corresponding element of the second plaintext vector 142B. In some embodiments, the first element of the second linear ciphertext is not considered in the correspondence.

In some embodiments, the linear encryption / decryption module 112 may encrypt the plaintext vector 142 according to the following exemplary linearity vector decryption equation.

The linearity p-ary vector encryption _{formula, <>, m1, m1 i} , m2, m2 i, cx, cy, g 0, h 0, g i, h i, i, and n, are as described above is there. Parameter F represents the second field. The subscript p next to the second field represents the basic number of the second field. The subscript n next to the second field represents the dimension of the second field. The dimension of the second field may be a specific number.

同様に、第２の暗号化アルゴリズムは次のように定められても良い。第１の平文ベクトル１４２Ａ及び第２の線形性公開キーが与えられると、第２の暗号化アルゴリズムは、乱数をサンプリングし、次式のように第２の線形性暗号文を構築する。

The linearity p-ary vector encryption formula may define the first encryption algorithm (EncX) and the second encryption algorithm (EncY) described above. For example, the first encryption algorithm may be defined as follows. Given the first plaintext vector 142A and the first linearity public key, the first encryption algorithm samples a random number and constructs the first linear ciphertext as in the following equation.

Similarly, the second encryption algorithm may be defined as follows. Given the first plaintext vector 142A and the second linearity public key, the second encryption algorithm samples a random number and constructs a second linearity ciphertext as in the following equation.

The first linear ciphertext and the second linear ciphertext may be communicated to the linearity authentication module 132. In addition or alternatives, the first linear ciphertext and the second linear ciphertext may be communicated to the authentication server via network 107. The server communication module 134 receives the first linear ciphertext and the second linear ciphertext, and communicates the first linear ciphertext and the second linear ciphertext with the linearity authentication module 132. Is also good.

In order to discover the linearity relationship, the linearity authentication module 132 may determine a specific vector. The specific vector may be a member of the second field. The specific vector may be defined as the sum of the first plaintext vector 142A and the second plaintext vector 142B. The linearity authentication module 132 has a first element of the first linearity ciphertext (eg, a first source raised by a random number) and a second linearity raised by a linearity relationship secret key. The first value may be calculated as a pairing function of the first element of the ciphertext (for example, a second power source raised to a power by a random number).

The linearity authentication module 132 is a second linear ciphertext raised to an arbitrary source raised by the product of each element of the first linear ciphertext and the corresponding elements of -1 and a particular vector. A second value may also be calculated as a result of the pairing function with the corresponding element of.

The linearity authentication module 132 may determine whether the first value is equal to the second value. In response that the first value is equal to the second value, the linearity authentication module 132 may conclude that the first linear ciphertext is in a linear relationship with the second linear ciphertext.

In some embodiments, the linearity authentication module 132 follows the following exemplary linearity p-ary vector validation equation for the linearity between the first linear ciphertext and the second linear ciphertext. Discover relationships.

In the linearity p-ary vector verification formula, the parameters and operators are as described above.

The linearity p-ary vector verification formula may define the above-mentioned verification algorithm (Verify). For example, the validation algorithm may be defined to check the following equation given the ciphertext, specific vector, and relational linearity key.

Further, in some embodiments, the linear encryption / decryption module 112 may decrypt the first and / or second linear ciphertext. The linear encryption / decryption module 112 may determine each element of the resulting plaintext vector 142 based on the value of the linear ciphertext. For example, the value may be determined for each element of the first plaintext vector (eg, first plaintext vector 142A) constructed by decrypting the first linear ciphertext.

A specific element value may be determined in order to decrypt the ciphertext. The specific element values may be connected by a polynomial in the security parameter. Further, the specific element value may be a member of a field having an element including a basic number. For each element of the first plaintext vector 142A, the linear encryption / decryption module 112 is an arbitrary source in which the corresponding element in the first linear ciphertext is raised to a power by a specific element value. Determines if there is a specific element value that is equal to the first element of the first linear ciphertext raised by the product of the first linearity secret key and the corresponding element. You may.

The first linear ciphertext whose corresponding element is raised by the product of any source raised to the power of a particular element value and the corresponding element of the first linearity secret key. In response to the existence of a specific element value that is equal to the first element of the linear ciphertext, the linear encryption / decryption module 112 sets the element to the specific element value.

In response to the absence of such a particular element value, the linear encryption / decryption module 112 may output an error. The second linear ciphertext may be similarly decrypted using the second linearity secret key and the second linearity ciphertext.

In some embodiments, the linear encryption / decryption module 112 may decrypt the linear ciphertext according to the following exemplary linearity vector decoding formula.

The linearity p-ary vector decoding _{formula, cx i, cy i, cx} 0, cy 0, a i, b i, m1 i, and m @ 2 _i are as described above. The parameter ⊥ represents an error. The parameter μ represents a specific element value.

The linearity p-ary vector decoding formula may define the first decoding algorithm (DecX) and the second decoding algorithm (DecY) described above. For example, the first decoding algorithm may be defined as follows. Given the first linear ciphertext and the first linearity secret key, the first decoding algorithm may construct the first plaintext vector 142A bit by bit according to the following equation.

Similarly, the second decoding algorithm may be defined as follows. Given the second linear ciphertext and the second linearity secret key, the second decoding algorithm may construct a second plaintext vector 142B bit by bit according to the following equation.

<Relationship proximity encryption method>
The relational proximity encryption method may be used to determine the closeness between the proximity ciphertexts. In some embodiments, accessibility may be provided in terms of Hamming distance. In the relational proximity encryption scheme, the configuration module 144 generates a key. Using the key, the proximity encryption / decryption module 114 performs encryption and / or decryption of the plaintext vector 142. The proximity ciphertext may then be communicated to the proximity authentication module 128. The proximity authentication module 128 may detect proximity between proximity ciphertexts.

For example, the configuration module 144 may generate output of a CPA (chosen-plaintext attack) key generation algorithm and a linearity key generation algorithm. For example, the configuration module 144 runs the linearity key, as described elsewhere herein. The CPA key generation algorithm may output a CPA public key and a CPA private key. The linearity key generation algorithm may output the above-mentioned pkxlin, skxlin, pkylin, skylin, and skRlin.

Further, the setting module 144 may select an error correcting code (ECC). ECC may be a linear error correction coding method. ECC may have length, rank, and distance. In addition, ECC may also have an ECC encoding operator (ENCODE) and an ECC decoding operator (DECODE). The configuration module 144 then comprises a first proximity secret key, a second proximity secret key, a first proximity public key, a second proximity public key, and a proximity relationship secret key (collectively). , "Accessibility key") may be generated. The proximity key is used in relational encryption to encrypt the plaintext vector 142 to generate the proximity ciphertext, to decrypt the proximity ciphertext, and to detect the proximity between the proximity ciphertexts. Used for.

The first proximity secret key may be determined based on the CPA secret key and the first linearity secret key. The second proximity secret key may be determined based on the CPA secret key and the second linearity secret key. The first accessibility public key may be determined based on the ENCODE, DECODE, CPA public key and the first linearity public key. The second accessibility public key may be determined based on the ENCODE, DECODE, CPA public key and the second linearity public key. The proximity relationship secret key may be determined based on the CPA secret key and the linearity relationship secret key.

In some embodiments, the configuration module 144 may generate an accessibility key according to the following exemplary accessibility key generation equation.

In the proximity key generation formula, pkxlin, pkylin, skxlin, skylin, skRlin, ←, X, m, and n are as described above. The parameter pkCPA represents a CPA public key. The parameter skCPA represents the CPA private key. The parameter KeyGenCPA represents a CPA key generation algorithm. The parameter pkxprox represents the first accessibility public key. The parameter pkyprox represents a second accessibility public key. The parameter skxprox represents the first proximity secret key. The parameter skyprox represents a second proximity secret key. The parameter skRprox represents the proximity relationship secret key. In addition, the parameters pkxprox, skxprox, pkyprox, skyprox, and skRprox may represent at least one proximity portion of the output of the key generation algorithm (KeyGen) described above. The parameter X represents a linear extractor. Although the particular iterations have been described above, any linear extractor may be used.

The first linearity public key may be used by the proximity encryption / decryption module 114 to encrypt the first plaintext vector 142A to generate the first proximity ciphertext. The proximity encryption / decryption module 114 may receive the plaintext vector 142. In addition or alternatives, the communication module 116 may receive the plaintext vector 142 and communicate the plaintext vector 142 with the proximity encryption / decryption module 114. The plaintext vector 142 may have members of the first or second field.

The proximity encryption / decryption module 114 may sample the proximity random number from the third field. The third field may have a base number and a dimension which may be the rank of ECC. The proximity encryption / decryption module 114 may then construct a first proximity ciphertext and a second proximity ciphertext. Each of the first proximity ciphertext and the second proximity ciphertext may have two parts. The first part of the first proximity ciphertext has a CPA encryption algorithm that receives the sum of the CPA public key and the first plaintext vector 142A as input, and ENCODE that receives the proximity random number as input. You may. The second part of the first proximity ciphertext may have a first linear encryption algorithm that receives a first linearity public key and a proximity random number.

The first part of the second proximity ciphertext has a CPA encryption algorithm that receives the sum of the CPA public key and the second plaintext vector 142B as input, and ENCODE that receives the proximity random number as input. You may. The second part of the second proximity ciphertext may have a second linearity encryption algorithm that receives a second linearity public key and a proximity random number as inputs.

In some embodiments, the proximity ciphertext may be generated according to the following exemplary proximity encryption formula.

In the proximity encryption formula, ENCODE, m1, m2, pkcpa, pkxlin, and pkylin are as described above. EncCPA represents a CPA encryption algorithm. The parameter cxp1 represents the first part of the first proximity ciphertext. The parameter cxp2 represents the second part of the first proximity ciphertext. The parameter cxp represents the first proximity ciphertext. The parameter cyp1 represents the first part of the second proximity ciphertext. The parameter cyp2 represents the second part of the second proximity ciphertext. The parameter cyp represents a second proximity ciphertext. The parameter EncXLinear represents a first linear encryption algorithm. The parameter EncYLinear represents a second linear encryption algorithm.

The first proximity ciphertext may be communicated to the authentication server 140 by the communication module 116. The first proximity ciphertext may be stored in the authentication server 140 as the registered ciphertext 130. The second proximity public key may be used by the proximity encryption / decryption module 114 to encrypt the second plaintext vector 142B to generate a second proximity ciphertext. The second proximity ciphertext may be communicated to the authentication server 140 by the communication module 116. The proximity relationship secret key is used in the authentication server 140, especially by the proximity authentication module 128, to detect the proximity between the second proximity ciphertext and the first proximity ciphertext. Is also good. This proximity is stored as the registered ciphertext 130.

The proximity authentication module 128 may be configured to detect the proximity between the first proximity ciphertext and the second proximity ciphertext. To detect the proximity, the proximity authentication module 128 may access the DECODE available in the public key information. The proximity authentication module 128 may restore the randomness sum of the first proximity ciphertext. The sum of the randomness of the first proximity ciphertext may be defined as DECODE. DECODE is a CPA decoding algorithm that receives the sum of the CPA secret key and the first part of the first proximity ciphertext as input, and the CPA secret key and the first part of the second proximity ciphertext. Is received as an input with a CPA decoding algorithm.

If DECODE returns an error, the proximity authentication module 128 may return a denial. Further, the proximity authentication module 128 may output a linearity verification algorithm. The linearity verification algorithm receives the linearity relation secret key, the first part of the second proximity ciphertext, the second part of the second proximity ciphertext, and the sum of the randomness as inputs.

Therefore, the proximity verification algorithm may be defined to receive the first proximity ciphertext, the second accessibility ciphertext, and the accessibility secret key. The proximity verification algorithm may restore the sum of randomness and output a rejection or linearity verification algorithm. The linearity verification algorithm receives the linearity relation secret key, the first part of the second proximity ciphertext, the second part of the second proximity ciphertext, and the sum of the randomness as inputs. For example, the proximity authentication module 128 may perform the operation again according to the following exemplary proximity verification algorithm.

In the proximity verification algorithm, skcpa, cx1, cx2, cy1, cy2, ⊥, skRlin, X, and DECODE are as described above. The parameter Output indicates the output of the proximity authentication module 128. The parameter Z _rs represents the sum of randomness. DecCPA represents a CPA decoding algorithm. VerifyLinear represents a linearity verification algorithm.

The relational proximity encryption scheme described herein can be secure if the following conditions are true: ECC is a (n, k, 2δ) linear error correction method; (KeyGenCPA, EncCPA, DecCPA) is an IND-CPA secure encryption method; (KeyGenLinear, EncXLinear, DecXLinear, EncYLinear, DecYLinear, DecYLinear) , F ^k ₂ is a linear relational encryption method.

Among the conditions, KeyGenCPA, EncCPA, DecCPA, KeyGenLinear, EncXLinear, DecXLinear, EncYLinear, DecYLinear, VerifyLinear, and F are as described above. ECC stands for ECC. The parameter n represents the length, k represents the rank, and 2δ represents the distance.

FIG. 2 shows a block diagram of a biometric authentication system (biometric system) 200 configured according to at least one embodiment described herein. The biometric authentication system 200 is included in or may be included in the exemplary operating environment 100 of FIG. 1 in which the authentication service is provided. In the biometric authentication system 200, the authentication of the user 206 may be executed by the authentication server 140. In the biometric authentication system 200, the relationship encryption discussed with reference to FIG. 1 may be used to authenticate the identity of user 206.

The authentication service may have a registration process and an authentication process. The registration process may include a step of obtaining information and data that can be used in the authentication process from the user 206. The authentication process may occur later in time (eg, following the registration process). In the authentication process, the identity of the user 206 may be authenticated using one or more of the relational encryption operations discussed with reference to FIG. In general, the identity of user 206 is determined by discovering the linearity between the first linear ciphertext and the second linear ciphertext, and by first proximity, as described herein. It may be authenticated by detecting the proximity between the sex ciphertext and the second proximity ciphertext. The first linear ciphertext and the first proximity ciphertext may be provided by user 206 in the form of a first biometric template. The first biometric template may be included in the first plaintext vector 142A and / or the registration input of FIG.

User 206 and / or fake 222 (discussed below) may have an individual with one or more biometric features. The biometric feature may have one or more unique features. For example, the biometric feature may have a fingerprint of user 206 with a pattern of ridges and / or ridges. In some embodiments, the user 206 may be associated with the user device 102. For example, the user 206 may own or periodically operate the user device 102. In some embodiments, the user 206 does not have to be specifically associated with the user device 102. For example, the user device 102 may be publicly accessible by a plurality of users, including the user 206. In some embodiments, the fake 222 may have an entity that supplies an input that can represent a biometric feature.

In some embodiments, the user device 102 may have a sensor 298. Sensor 298 may have hardware devices configured to measure or capture biometric features used, for example, to authenticate user 206. When the biometric features of user 206 are measured or captured, user equipment 102 may generate a biometric template. The biometric template may represent biometric features and may have at least some of the unique features of user 206 biometric features. The biometric template may have, for example, a graphical representation and / or an algorithmic representation of the biometric features.

Some examples of the sensor 298 are generated by a fingerprint scanner, a camera configured to capture iris images, a device configured to measure DNA, a heart rate monitor configured to capture heartbeats, and skeletal muscles. It may have a wearable myoelectric sensor configured to capture electrical activity, or any other sensor 298 configured to measure or capture biometric features.

In the illustrated biometric authentication system 200, the sensor 298 is included in the user device 102. In other embodiments, the sensor 298 may be communicably coupled to the user device 102 or a processor included therein. For example, the sensor 298 may be configured to communicate a signal to the user device 102 via a network such as the network 107 of FIG. Although FIG. 2 shows only one sensor 298, in some embodiments the user device 102 may have one or more sensors 298.

The enc / dec module 110 may generate a first linear ciphertext and a first proximity ciphertext from the registration input 232. The ench / dec module 110 may then communicate with the authentication server 140 using the first linear ciphertext and the first proximity ciphertext as registration data 234.

The relational authentication module 108 may store the first linear ciphertext and the first proximity ciphertext as the registered ciphertext 130. The registered ciphertext 130 may be associated with the user 206. For example, user 206 may have an associated user identifier. In some embodiments, the registered ciphertext 130 may be stored in memory 122B.

The ench / dec module 110 may then receive a first challenge input 236A or a second challenge input 236B (generally a challenge input 236). The first challenge input 236A and the second challenge input 236B may be an attempt by the user 206 or the fake 222 to authenticate their identity. The first challenge input 236A and / or the second challenge input 236B may have, for example, a second biometric template read by sensor 298. The second biometric template may represent the unique features of the biometric features of user 206 or fake 222.

The enc / dec module 110 may generate a second linear ciphertext and a second proximity ciphertext from the challenge input 236. The ench / dec module 110 may then communicate with the authentication server 140 using the second linear ciphertext and the second proximity ciphertext as challenge data 238.

The relationship authentication module 108 may receive the challenge data 238. The relational authentication module 108 may then read the registered ciphertext 130 of the user 206.

The relationship authentication module 108 may determine the linear relationship between the first linear ciphertext stored as the registered ciphertext 130 and the second linear ciphertext received from the user apparatus 102. Further, the relationship authentication module 108 may determine the proximity relationship between the first proximity ciphertext stored as the registered ciphertext 130 and the second proximity ciphertext received from the user apparatus 102. ..

The first linear ciphertext has a linear relationship with the second linear ciphertext, and there is a particular proximity between the first proximity ciphertext and the second proximity ciphertext. In response, the authentication server 140 may determine that there is an approximate similarity between the first biometric template and the second biometric template.

Therefore, if the first challenge input 236A provided by user 206 is the basis of the second linear ciphertext and the second proximity ciphertext, then the first linear ciphertext and the second linearity There may be a linear relationship with the ciphertext and there may be proximity between the first proximity ciphertext and the second proximity ciphertext.

However, if the second challenge input 236B provided by the fake 222 is the basis of the second linear ciphertext and the second proximity ciphertext, then the first linear ciphertext and the second linearity There is no linear relationship with the ciphertext, and there is no proximity between the first proximity ciphertext and the second proximity ciphertext.

Based on the linearity relationship and / or the proximity, the relationship authentication module 108 can determine the authentication. For example, the relationship authentication module 108 may determine whether the challenge data 238 is due to the user 206 or the fake 222. The relationship authentication module 108 may communicate the authentication signal 242 based on the discovery of the linear relationship and / or the detection of the proximity. The ench / dec module 110 may receive the authentication signal 242.

Changes, additions or omissions may be made to the biometric authentication system 200 without departing from the scope of the present disclosure. Specifically, the embodiment shown in FIG. 2 has one user 206, one user device 102, and one authentication server 140. However, the present disclosure applies to one or more users 206, one or more user devices 102, one or more authentication servers 140, or a biometric authentication system 200 having any combination thereof.

Moreover, the division of the various components within the embodiments described herein does not mean that the division occurs in all embodiments. It is understood by the benefit of the present disclosure that the described components may be integrated into a single component or split into multiple components. For example, in some embodiments, the enc / dec module 110 and / or one or more functions belonging to it may be performed by a module located on the authentication server 140.

The relational authentication module 108 and / or the enc / dec module 110 may have codes and routines for biometric authentication. In some embodiments, the relationship authentication module 108 and / or the enc / dec module 110 may partially operate as a thin client application that may be stored, for example, in a user device 102 or another computing device. , May operate as part of a component that may be stored in the authentication server 140. In some embodiments, the relationship authentication module 108 and / or the enc / dec module 110 can be implemented using hardware including an FPGA (field-programmable gate array) or an ASIC (application-specific integrated circuit). In some other examples, the relationship authentication module 108 and / or the enc / dec module 110 may be implemented using a combination of hardware and software.

FIG. 3 is a flow diagram of an exemplary method 300 of biometric authentication configured according to at least one embodiment described herein. Method 300 may be performed in a biometric authentication system such that it can be implemented in the biometric authentication system 200 of FIG. 2 or in the operating environment 100 of FIG. The method 300 may be program-controlled and executed in some embodiments by the authentication server 140 described herein. The authentication server 140 encodes and stores a non-temporary computer-readable medium (eg, memory 122B in FIG. 1) that encodes and stores program code or instructions that can be executed by a processor to execute or control the execution of method 300. It may include or be communicatively coupled to it. In addition or as an alternative, the authentication server 140 may have a processor (eg, processor 124B in FIG. 1) configured to execute computer instructions to execute or control the execution of method 300. Although shown as separate blocks, depending on the desired implementation, the various blocks may be subdivided into additional blocks, combined into fewer blocks, or removed.

Method 300 may start at block 302. At block 302, the first linear ciphertext may be received. The first linear ciphertext may represent a first biometric template encrypted using a relational linear encryption scheme. At block 304, the first proximity ciphertext may be received. The first proximity ciphertext may represent a first biometric template encrypted using a relational proximity encryption scheme.

At block 306, the first linear ciphertext and the first proximity ciphertext may be stored as registered ciphertexts. At block 308, the linear relationship secret key and the proximity relationship secret key may be received. A second proximity ciphertext may be received at block 310. The second proximity ciphertext may represent a second biometric template encrypted using a relational proximity encryption scheme. At block 312, a second linear ciphertext may be received. The second linear ciphertext may represent a second biometric template encrypted using a relational linear encryption scheme.

At block 314, the linearity relationship between the first linearity ciphertext and the second linearity ciphertext may be found using the linearity relationship secret key. At block 316, the proximity between the first proximity ciphertext and the second proximity ciphertext may be detected using the proximity relationship secret key. Proximity may be determined in terms of Hamming distance. At block 318, user identity may be authenticated based on proximity and linearity relationships.

For any of the procedures and methods disclosed herein, the processes and functions performed within the methods may be performed in a different order. Further, the schematic steps and actions are provided merely as an example, and some steps and actions are optional, combined with fewer steps and actions, or additional steps and actions without departing from the disclosed embodiments. It may be extended to operation.

4A and 4B are flow diagrams of an exemplary method 400 of relational encryption configured according to at least one embodiment described herein. Method 400 may be performed in a biometric authentication system such that it can be implemented in the biometric authentication system 200 of FIG. 2 or in the operating environment 100 of FIG. The method 400 may be program-controlled and executed in some embodiments by the user apparatus 102 described herein. The user apparatus 102 encodes and stores a non-transitory computer-readable medium (eg, memory 122A in FIG. 1) that encodes and stores program code or instructions that can be executed by a processor to execute or control the execution of method 400. It may be included or communicably coupled to it. In addition or as an alternative, the user apparatus 102 may have a processor (eg, processor 124A of FIG. 1) configured to execute computer instructions to execute or control the execution of method 400. Although shown as separate blocks, depending on the desired implementation, the various blocks may be subdivided into additional blocks, combined into fewer blocks, or removed.

With reference to FIG. 4A, method 400 may start at block 402. At block 402, the key of the relational linear encryption method may be generated. The key for the relational linearity encryption method may be generated for security parameters. At block 403, the first non-uniformly distributed data may be randomized to an appropriate randomization level as the first plaintext vector. The non-uniformly distributed data may be biometric data. Appropriate randomization levels are described in detail below. At block 404, the first plaintext vector may be encrypted using a relational linearity encryption scheme. The encryption of the first plaintext vector may generate a first linear ciphertext representing the first plaintext vector. At block 406, a key for the relational proximity encryption method may be generated. Relationship proximity encryption keys may be generated for security parameters. At block 408, the first plaintext vector may be encrypted using a relational proximity encryption scheme. The encryption of the first plaintext vector using the relational proximity encryption method may generate a first proximity ciphertext representing the first plaintext vector. At block 410, the first linear ciphertext and the first proximity ciphertext may be communicated to the authentication server.

At block 411, the second non-uniformly distributed data may be randomized to an appropriate randomization level as the second plaintext vector. The non-uniformly distributed data may be biometric data. Appropriate randomization levels are described in detail below. At block 412, the second plaintext vector may be encrypted using a relational linear encryption scheme. The encryption of the second plaintext vector may generate a second linear ciphertext representing the second plaintext vector. Referring to FIG. 4B, at block 414, the second plaintext vector may be encrypted using a relational proximity encryption scheme. The encryption of the second plaintext vector using the relational proximity encryption method may generate a second proximity ciphertext. At block 416, the second linear ciphertext and the second proximity ciphertext may be communicated to the authentication server. At block 418, the relational linear encryption key generated at block 402 may be communicated to the authentication server. The key may have a relational linearity key and a relational proximity key.

At block 420, the authentication signal may be received from the authentication server. The authentication signal is the linear relationship between the first linear ciphertext and the second linear ciphertext found using the relational linearity key, and the first detected using the relational proximity key. The proximity between the proximity ciphertext and the second proximity ciphertext may be indicated. In some embodiments, the first plaintext vector may have a first biometric template received from the user as registration input. In addition, the second plaintext vector may have a second biometric template received as the challenge input. In the above and other embodiments, the authentication signal may indicate whether the second biometric template is due to the user.

FIG. 5 is a flow diagram of an exemplary method 500 for discovering a linear relationship in a relationship encryption scheme, configured according to at least one embodiment described herein. Method 500 may be performed in a biometric authentication system such that it can be implemented in the biometric authentication system 200 of FIG. 2 or in the operating environment 100 of FIG. Method 500 may be program-controlled and executed in some embodiments by the authentication server 140 described herein. The authentication server 140 encodes and stores a non-temporary computer-readable medium (eg, memory 122B in FIG. 1) that encodes and stores program code or instructions that can be executed by a processor to execute or control the execution of method 500. It may include or be communicatively coupled to it. In addition or as an alternative, the authentication server 140 may have a processor (eg, processor 124B in FIG. 1) configured to execute computer instructions to execute or control the execution of method 500. Although shown as separate blocks, depending on the desired implementation, the various blocks may be subdivided into additional blocks, combined into fewer blocks, or removed.

Method 500 may start at block 502. A specific vector may be defined in block 502. The particular vector may have members of the first field. The first field may have elements 0 and 1 and a certain number of dimensions that are the length of the linearity secret key. In addition or alternative, the particular vector may have members of the second field. The second field may have elements ranging from 0 to 1 less than the basic and specific dimensions.

A first value may be calculated in block 504. The first value is calculated as a pairing function between the first element of the first linear ciphertext and the first element of the second linear ciphertext raised by the linearity relationship secret key. You may. A second value may be calculated in block 506. In some embodiments, the second value is the second linear cipher, which is the power of each element of the first linear ciphertext and -1 to the power of the corresponding element of the particular vector. It may be the result of a pairing function with the corresponding element of the statement. In some embodiments, the second value is the product of each element of the first linear ciphertext and the corresponding element of -1 and a particular vector, raised to the power of any generator. It may be calculated as a result of a pairing function with the corresponding element in the second linear ciphertext. Any generator may be selected from a subgroup of a set of integers with zeros removed.

At block 508, it may be determined whether the first value is equal to the second value. In response that the first value is equal to the second value (“Yes” in block 508), method 500 may proceed to block 510. At block 510, it may be concluded that the first linear ciphertext has a linear relationship with the second linear ciphertext. In response that the first value is not equal to the second value (“No” in block 518), method 500 may proceed to block 512. An error may be output at block 512. This may indicate that the first linear ciphertext is not in a linear relationship with the second linear ciphertext.

FIG. 6 is a flow diagram of an exemplary method 600 for detecting proximity, configured according to at least one embodiment described herein. Method 600 may be performed in a biometric authentication system such that it can be implemented in the biometric authentication system 200 of FIG. 2 or in the operating environment 100 of FIG. The method 600 may be program-controlled and executed in some embodiments by the authentication server 140 described herein. The authentication server 140 encodes and stores a non-temporary computer-readable medium (eg, memory 122B in FIG. 1) that encodes and stores program code or instructions that can be executed by a processor to execute or control the execution of method 600. It may include or be communicatively coupled to it. In addition or as an alternative, the authentication server 140 may have a processor (eg, processor 124B in FIG. 1) configured to execute computer instructions to execute or control the execution of method 600. Although shown as separate blocks, depending on the desired implementation, the various blocks may be subdivided into additional blocks, combined into fewer blocks, or removed.

Method 600 may start at block 602. At block 602, DECODE may be accessed from public key information. At block 604, the sum of randomness may be restored. The sum of randomness may be received for the first proximity ciphertext. The sum of the randomness of the first proximity ciphertext may be defined as DECODE. DECODE is a CPA decryption algorithm that receives (a) the CPA secret key and (b) the sum of the first part of the first proximity ciphertext as input, and the CPA secret key and the second proximity ciphertext. A CPA decoding algorithm that receives the first part of the above as an input, and receives as an input.

At block 606, a rejection may be output in response to DECODE returning an error. Alternatively, the linearity verification algorithm may be output in block 608. Even if the linearity verification algorithm receives the linearity relation secret key, the first part of the second proximity ciphertext, the second part of the second proximity ciphertext, and the sum of randomness as inputs. good.

FIG. 7 is a flow diagram of an exemplary method 700 for key generation of a relational linear encryption scheme, configured according to at least one embodiment described herein. Method 700 may be performed in a biometric authentication system such that it can be implemented in the biometric authentication system 200 of FIG. 2 or in the operating environment 100 of FIG. The method 700 may be program-controlled and executed in some embodiments by the user apparatus 102 described herein. The user apparatus 102 encodes and stores a non-transitory computer-readable medium (eg, memory 122A in FIG. 1) that encodes and stores program code or instructions that can be executed by a processor to execute or control the execution of method 700. It may be included or communicably coupled to it. In addition or as an alternative, the user apparatus 102 may have a processor (eg, processor 124A of FIG. 1) configured to execute computer instructions to execute or control the execution of method 700. Although shown as separate blocks, depending on the desired implementation, the various blocks may be subdivided into additional blocks, combined into fewer blocks, or removed.

Method 700 may start at block 702. Bilinear groups may be generated in block 702. In some embodiments, the bilinear group may be a prime order. The prime order may be an exponent in the security parameter. In addition or alternative, the prime order is an exponent in the security parameter and may be equal to the remainder (1 modulo p) of 1 divided by the base number (p). For example, in an embodiment where the plaintext vector includes a bit vector, the prime order may be an exponent in the security parameter. In embodiments where the plaintext vector includes a p-ary vector, the prime order is an exponent in the security parameter and may be equal to the remainder (1 modulo p) of 1 divided by the base number (p).

The generator may be sampled at block 704. For example, the first generator may be sampled from the first bilinear group, and the second generator may be sampled from the second bilinear group. At block 706, a linearity secret key may be generated. For example, the first linearity secret key and the second linearity secret key may be generated by randomly sampling a specific number of elements from a set of integers. The set of integers may have from 0 to a number one less than a prime order.

A linearity public key may be defined in block 708. For example, the first linearity public key is an element that is the first generator and one or more other elements that are the first generators raised by the corresponding elements of the first linearity secret key. It may have an element. In some embodiments, the first linearity public key may further have any generator. Any generator may be selected from a subgroup of a set of integers with zeros removed. In addition, a second linearity public key may be defined. The second linearity public key is the element that is the second generator and one or more other elements that are the second generator that is raised by the corresponding element of the second linearity secret key. , May have. In some embodiments, the second linearity public key may further have an element of any origin.

A linearity relationship secret key may be defined in block 710. Each element of the linearity secret key may have the sum of the corresponding element of the second linearity secret key and the corresponding element of the first linearity secret key.

FIG. 8 is a flow diagram of an exemplary method 800 for encrypting a first plaintext vector using a relational linear encryption method, configured according to at least one embodiment described herein. Method 800 may be performed in a biometric authentication system such that it can be implemented in the biometric authentication system 200 of FIG. 2 or in the operating environment 100 of FIG. Method 800 may be program-controlled and executed in some embodiments by the user apparatus 102 described herein. The user apparatus 102 encodes and stores a non-transitory computer-readable medium (eg, memory 122A in FIG. 1) that encodes and stores program code or instructions executable by a processor to execute or control the execution of method 800. It may be included or communicably coupled to it. In addition or as an alternative, the user apparatus 102 may have a processor (eg, processor 124A of FIG. 1) configured to execute computer instructions to execute or control the execution of method 800. Although shown as separate blocks, depending on the desired implementation, the various blocks may be subdivided into additional blocks, combined into fewer blocks, or removed.

Method 800 may start at block 802. Random numbers may be sampled in block 802. Random numbers may be sampled from a set of integers. At block 804, the first linear ciphertext may be constructed. The first element of the first linear ciphertext may be a first generator that is raised to a power by a random number. In addition, one or more other elements of the first linear ciphertext may have the corresponding element of the first linearity public key raised to the power of the linear encryption index. In some embodiments, the linear cryptographic exponent may have the product of a random number multiplied by the corresponding element of the first plaintext vector. In some embodiments, the linear cryptographic exponent may have a product of a random number and any generator raised to the power of the corresponding element of the first plaintext vector.

FIG. 9 is a flow diagram of an exemplary method 900 for generating a key for a relational proximity encryption scheme, configured according to at least one embodiment described herein. Method 900 may be performed in a biometric authentication system such that it can be implemented in the biometric authentication system 200 of FIG. 2 or in the operating environment 100 of FIG. The method 900 may be program-controlled and executed in some embodiments by the user apparatus 102 described herein. The user apparatus 102 encodes and stores a program code or instruction that can be executed by a processor to execute or control the execution of the method 900 on a non-transitory computer-readable medium (eg, memory 122A in FIG. 1). It may be included or communicably coupled to it. In addition or as an alternative, the user apparatus 102 may have a processor (eg, processor 124A of FIG. 1) configured to execute computer instructions to execute or control the execution of method 900. Although shown as separate blocks, depending on the desired implementation, the various blocks may be subdivided into additional blocks, combined into fewer blocks, or removed.

Method 900 may start at block 902. ECC may be selected at block 902. ECC may have a length, a rank of the same order of security parameters, a selected minimum distance. At block 904, the key generation algorithm of the CPA secure encryption method may be executed. The CPA secure encryption method may output a CPA public key and a CPA private key. At block 906, the relational linearity key generation algorithm may be executed. The relational linearity key generation algorithm outputs a first linearity public key, a second linearity public key, a first linearity secret key, a second linearity secret key, and a relational linearity secret key. Is also good.

The proximity public key may be defined in block 907. For example, the first accessibility public key may be determined based on the ENCODE, DECODE, CPA public key and the first linearity public key. Further, the second accessibility public key may be determined based on the ENCODE, DECODE, CPA public key and the second linearity public key. The proximity secret key may be defined in block 908. For example, the first proximity secret key may be determined based on the CPA secret key and the first linearity secret key. Further, the second proximity secret key may be determined based on the CPA secret key and the second linearity secret key. The proximity relationship secret key may be defined in block 910. For example, the proximity relationship secret key may be determined based on the CPA secret key and the first relationship linearity secret key.

FIG. 10 is a flow diagram of an exemplary method 1000 for encrypting a first plaintext vector using a relational proximity encryption method, configured according to at least one embodiment described herein. Method 1000 may be performed in a biometric authentication system such that it can be implemented in the biometric authentication system 200 of FIG. 2 or in the operating environment 100 of FIG. The method 1000 may be program-controlled and executed in some embodiments by the user apparatus 102 described herein. The user apparatus 102 encodes and stores a non-transitory computer-readable medium (eg, memory 122A in FIG. 1) that encodes and stores program code or instructions that can be executed by a processor to execute or control the execution of method 1000. It may be included or communicably coupled to it. In addition or as an alternative, the user apparatus 102 may have a processor (eg, processor 124A of FIG. 1) configured to execute computer instructions to execute or control the execution of method 1000. Although shown as separate blocks, depending on the desired implementation, the various blocks may be subdivided into additional blocks, combined into fewer blocks, or removed.

Method 1000 can start at block 1002. Proximity random numbers may be sampled in block 1002. The proximity random number may be sampled from the third field. The third field may have a base number and a dimension that is the rank of ECC. Block 1004 may define the first part of the first proximity ciphertext. The first part may be defined as a CPA encryption algorithm that receives the sum of the CPA public key and the first plaintext vector as input, and an ENCODE that receives the proximity random number as input.

Block 1006 may define a second part of the first proximity ciphertext. The second part may be defined as a first linear encryption algorithm that receives the first linear public key and the proximity random number as inputs.

FIG. 11 is a flow diagram of an exemplary method 1100 for decrypting a first linear ciphertext, configured according to at least one embodiment described herein. Method 1100 may be performed in a biometric authentication system such that it can be implemented in the biometric authentication system 200 of FIG. 2 or in the operating environment 100 of FIG. Method 1100 may be program-controlled and executed in some embodiments by the user apparatus 102 described herein. The user apparatus 102 encodes and stores a non-transitory computer-readable medium (eg, memory 122A in FIG. 1) that encodes and stores program code or instructions that can be executed by a processor to execute or control the execution of method 1100. It may be included or communicably coupled to it. In addition or as an alternative, the user apparatus 102 may have a processor (eg, processor 124A in FIG. 1) configured to execute computer instructions to execute or control the execution of method 1100. Although shown as separate blocks, depending on the desired implementation, the various blocks may be subdivided into additional blocks, combined into fewer blocks, or removed.

Method 1100 may start at block 1102. At block 1102, the corresponding element in the first linear ciphertext is raised by the product of any generator raised to the power of the particular element value and the corresponding element of the first linearity secret key. It may be determined whether or not a specific element value exists that is equal to the first element of the first linear ciphertext. In response to the existence of a specific element value (“Yes” in block 1102), the element may be set to a specific element value. An error may be output in response to the absence of the specific element value (“No” in block 1102).

FIG. 12 is a flow chart of another exemplary method 1200 for decrypting a first linear ciphertext, configured according to at least one embodiment described herein. Method 1200 may be performed in a biometric authentication system such that it can be implemented in the biometric authentication system 200 of FIG. 2 or in the operating environment 100 of FIG. Method 1200 may be program-controlled and executed in some embodiments by the user apparatus 102 described herein. The user apparatus 102 encodes and stores a non-transitory computer-readable medium (eg, memory 122A in FIG. 1) that encodes and stores program code or instructions that can be executed by a processor to execute or control the execution of method 1200. It may be included or communicably coupled to it. In addition or as an alternative, the user apparatus 102 may have a processor (eg, processor 124A in FIG. 1) configured to execute computer instructions to execute or control the execution of method 1200. Although shown as separate blocks, depending on the desired implementation, the various blocks may be subdivided into additional blocks, combined into fewer blocks, or removed.

Method 1200 may start at block 1202. At block 1202, is the corresponding element in the first linear ciphertext equal to the first element of the first linear ciphertext raised by the corresponding element of the first linearity secret key? It may be decided whether or not. In response to the corresponding element in the first linear ciphertext being equal to the first element of the first linear ciphertext multiplied by the corresponding element of the first linearity secret key (“Yes” in block 1202), method 1200 may proceed to block 1208. At block 1208, the element of the first plaintext vector may be set to 0.

Responds that the corresponding element in the first linear ciphertext is not equal to the first element of the first linear ciphertext multiplied by the corresponding element of the first linearity secret key. (“No” in block 1202), method 1200 may proceed to block 1204. In block 1204, the corresponding element in the first linear ciphertext is the corresponding element of the first linearity secret key multiplied by -1 to the power of the first linear ciphertext. It may be determined whether or not it is equal to the first element. The first element of the first linear ciphertext whose corresponding element in the first linear ciphertext is raised to the power of the corresponding element of the first linearity secret key multiplied by -1. In response to equal to (“Yes” in block 1204), method 1200 may proceed to block 1210. In block 1210, the element of the first plaintext vector may be set to 1. The first element of the first linear ciphertext whose corresponding element in the first linear ciphertext is raised to the power of the corresponding element of the first linearity secret key multiplied by -1. In response to not being equal to (“No” in block 1204), the method may proceed to block 1206. At block 1206, it may be determined whether the corresponding element in the first linear ciphertext is equal to another value. Method 1200 may proceed to block 1212 in response to the corresponding element of the first linear ciphertext being equal to another value (“Yes” in block 1206). At block 1212, an error may be returned.

<Non-uniform dispersion data>
In some embodiments, the disclosure may also provide relational encryption of underlying data, such as biometric data, which is not uniformly random. The underlying data may be non-uniformly dispersed and / or correlated. As a non-limiting example, a larger subset of the US population has brown eyes rather than blue eyes. In other words, eye color can be unevenly distributed throughout the population. Similarly, individuals with blue eyes are more likely to have lighter colored hair than darker colored hair. In other words, there can be a correlation between blue eyes and light-colored hair. Due to the lack of randomness (including correlation) in biometric data, the present disclosure also provides efficient randomization of the underlying biometric data prior to using the relational encryption methods described in this disclosure. Can include.

The appropriate level of randomization may depend on the number of features of the data, including the entropy of the data, the noise threshold, the domain of the data, and so on. For convenience in describing these features, examples of fingerprint biometric features are used, but any underlying data, including non-biometric data, may be used. In some embodiments, an appropriate randomization level can be achieved by the dot product of X and r, or the dot product of the underlying data r and matrix X. The matrix X can be a powerful linear extractor as previously known. The feature may be an input when deriving the matrix X. In some embodiments, a linear extractor may be used to reduce the original size of the data to a quarter size in order to randomize the data to the appropriate level. The appropriate randomization level may depend on the security parameter λ. For example, if a security parameter indicates that 80 bits of security are required, then the randomization level requires 80 bits of randomized data after processing with a powerful linear extractor on the raw data. Can be. In another example, if the security parameter indicates that 128 bits of security are required, then the randomization level is 128 bits of randomization after processing with a powerful linear extractor on the raw data. Data may be needed.

The characteristics of the entropy of the data may represent the overall variability or randomness inherent in the data itself. As an example, fingerprints have a certain amount of variability or randomness inherent in the distribution of fingerprints in the human population. This may be referred to as the entropy of biometric features. As the entropy of the data increases, the amount of processing required to reach the appropriate level of randomization can decrease.

The noise threshold feature can represent the amount of variability that exists when reading or retrieving the underlying data. Using the fingerprint example again, there may be some noise or variation when scanning or reading the fingerprint and collecting the fingerprint readings. In other words, the exact same biometric data may not be collected each time a reading is captured for a given individual. In fact, the biometric characteristics of an individual can vary slightly, so even in a complete system, there can be some minor variation in the biometric data between the two samplings. This may be expressed as a noise threshold. If the noise threshold is high, the system will often generate false positives, allowing incorrect data to match the underlying data. Using the fingerprint example, too many similar but not identical fingerprints may be perceived as genuine. Conversely, if the noise threshold is low, the system can often produce false negatives. Using the fingerprint example, the same person taking in the second reading may not be authenticated. As the noise threshold increases, the amount of processing to reach the appropriate randomization level can decrease.

Another feature may be the domain of the data, or the mathematical space in which the underlying data resides. Using the fingerprint example, biometric data is converted into a bitstream or p-nary vector. For example, a given fingerprint can be represented by a 320-bit bitstream. The format and length of the domain may be related to other factors such as noise level and noise threshold. In some embodiments, only the minimum size or vector length of the underlying data is required. As the size of the underlying data and the complexity of the domain increase, the amount of processing can decrease.

The appropriate level of randomization may be proportional to the desired level of security of the data. As the desired level of security increases, the appropriate level of randomization can increase. The desired security level can determine what the security parameter λ represents. For example, if a high security level is desired, the security parameter may require 128 security bits.

FIG. 13 is a block diagram of an exemplary operating environment. Even if the network 107, the communication module 116, the setting module 144, the memory 122A, the processor 124A, the communication unit 126A, the first entity 150, the second entity 152, and the authentication server 140 are the same as those shown in FIG. good. The user device 1302 may be similar to the user device 102, but may be modified to include the related encryption / decryption module 1310. The linear encryption module 1312 and the proximity encryption module 1314 may be similar to the linear encryption / decryption module 112 and the proximity encryption / decryption module 114, but they may use arbitrary ciphertext. It does not have to be configured to decrypt. In some embodiments that use non-uniformly distributed data, the methods and processes described in the present disclosure may be modified to omit any decoding step. The relational encryption / decryption module 1310 may be similar to the relational encryption / decryption module 110, but may be modified to include the randomization module 1320.

The randomization module 1320 may be implemented as software that includes one or more routines configured to perform one or more of the operations described herein. The randomization module 1320 may have an instruction set executable by processor 124 to provide the functionality described herein. In some examples, the randomization module 1320 may be stored in memory 122 or at least temporarily loaded into it and may be accessible or executable by one or more of the processors 124. The randomization module 1320 may be adapted to collaborate and communicate with one or more of the processors 124 over the bus.

The randomization module 1320 may be configured to randomize the underlying data, which may be non-uniformly dispersed data, to an appropriate randomization level. Therefore, the randomized data can be used in relational encryption methods as described in the present disclosure. In some embodiments, it may have a step in which the randomization module 1320 utilizes a linear extractor 1325 to extract appropriately randomized plaintext from non-uniformly distributed data. The linear extractor 1325 may be a powerful linear extractor. The linear extractor 1325 may be performed as a series of arithmetic steps or operations as conventionally known.

As an example, the user apparatus 1302 may receive the first biometric data 1120 and the second biometric data 1130 to be used in the relational encryption scheme in accordance with the present disclosure. The first biometric data 1120 and the second biometric data 1130 may be non-uniformly dispersed. Therefore, before encrypting the underlying data, the first and second biometric data 1120 and 1130 are processed in the randomization module 1320 using the linear extractor 1325 to reach the appropriate randomization level as a plaintext vector. May be done. The plaintext vector may then be encrypted by the linear encryption module 1312 and the proximity encryption module 1314.

FIG. 14 is a flow chart of an exemplary method 1400 for encrypting non-uniformly distributed data using a relational encryption method. Method 1400 may be performed in the biometric system 200 of FIG. 2, in the operating environment 100 of FIG. 1, or in a biometric system such that it can be implemented in the operating environment 1300 of FIG. In some embodiments, method 1200 may be programmatically executed by user device 102 of FIG. 1 or user device 1302 of FIG. The user apparatus 102 or the user apparatus 1302 encodes and stores a program code or instruction that can be executed by a processor to execute or control the execution of the method 1400 (for example, FIG. 1 or FIG. 1 or The memory 122A) of FIG. 13 may be included or communicably coupled to it. In addition or as an alternative, the user apparatus 102 or the user apparatus 1302 comprises a processor configured to execute computer instructions to execute or control the execution of method 1400 (eg, processor 124A of FIG. 1 or 13). You may have. Although shown as separate blocks, depending on the desired implementation, the various blocks may be subdivided into additional blocks, combined into fewer blocks, or removed.

At block 1410, the user device may receive biometric data or other non-uniformly distributed data. This may be received using one or more sensors, detectors, etc. At block 1420, the biometric data may be processed to some randomization level as a plaintext vector. Block 1420 may be further described in FIG. At block 1430, the plaintext vector may be encrypted using the relational linear encryption scheme as described in the present disclosure to generate a linear ciphertext. At block 1440, the plaintext vector may be encrypted using a relational proximity encryption scheme as described in the present disclosure to generate a proximity ciphertext.

At block 1450, the linearity and proximity ciphertext may be communicated to the authentication server. When the linearity and proximity ciphertext is communicated to the authentication server, the authentication server, as described herein, to determine if there is a relationship between the ciphertext and the reference ciphertext. Comparisons and decisions may be performed. If the server determines that a relationship exists, the authentication server may communicate the authentication with the user device. In some embodiments, this may be based on the desired security level at which the underlying data is properly randomized. At block 1460, the user device may receive an authentication from the authentication server indicating whether or not there is proximity between the proximity ciphertext and the registered proximity ciphertext. If the authentication server determines that there is an approximate similarity between the first biometric template and the second biometric template, the authentication or authentication signal received from the authentication server will be a proximity cipher and registered proximity. Indicates that there is proximity to the cipher.

FIG. 15 is a flow chart of an exemplary method 1500 for processing non-uniformly distributed data. Method 1500 may be a substitute or extension of block 1420 of FIG. For example, after block 1410 in FIG. 14, method 1500 may be implemented and then back to block 1440 in FIG. Method 1500 may be performed in the biometric system 200 of FIG. 2, in the operating environment 100 of FIG. 1, or in a biometric system such that it can be implemented in the operating environment 1300 of FIG. In some embodiments, method 1500 may be programmatically executed by user device 102 of FIG. 1 or user device 1302 of FIG. User device 102 or user device 1302 encodes and stores program code or instructions that can be executed by a processor to execute or control the execution of method 1500 (eg, FIG. 1 or FIG. 1 or). The memory 122A) of FIG. 13 may be included or communicably coupled to it. In addition or as an alternative, the user apparatus 102 or user apparatus 1302 comprises a processor configured to execute computer instructions to execute or control the execution of method 1500 (eg, processor 124A of FIG. 1 or 13). You may have. Although shown as separate blocks, depending on the desired implementation, the various blocks may be subdivided into additional blocks, combined into fewer blocks, or removed. For example, blocks 1510 and 1520 may be executed at the same time or may be omitted.

After block 1410 in FIG. 14, method 1500 may start at block 1510. At block 1510, the characteristics of the biometric data may be determined. It may have one or more entropies, noise thresholds, and steps to determine the domain of the data. In some embodiments, this may be a predetermined feature of the data read from the storage device or from a third party. For example, the diversity in the distribution of fingerprints may be a known feature stored and read out if the received biometric data is a bitstream representing the fingerprint. In some embodiments, features may be determined once the biometric data has been read. For example, the noise threshold may be based in part on the hardware, sensors, or other data capture techniques used to collect the biometric data. The method 1500 may then proceed to block 1520.

At block 1520, the appropriate security level may be determined based on the security parameter λ. The appropriate security level may be based on the sensitivity of the biometric data used, the application requiring authentication, and so on. The method 1500 may then proceed to block 1530. At block 1530, an appropriate level of randomization for biometric data may be determined. As mentioned above, this may be based in part on one or more of the features determined in block 1510, or the security parameters used in the determination in block 1520. In some embodiments, the appropriate level of randomization may be proportional to the security parameters. The method 1500 may then proceed to block 1540.

At block 1540, a powerful linear extractor may be used to process the biometric data to a randomized level suitable as a plaintext vector. This can be mathematically expressed as the operation X · r. Once the biometric data has been randomized, method 1500 may be terminated by taking a processing path to block 1430 of FIG.

As described above in connection with the embodiment, the proximity verification uses the proximity relationship secret key to verify the proximity relationship between the proximity ciphertext and the registered proximity ciphertext. Proximity and registered proximity ciphertexts are not decrypted for this verification.

According to the proximity verification using the proximity relationship described above, the user may perform an accessibility search to find out whether or not the information is registered near the specific information in the database. For example, an accessibility search may search for documents in which the occurrence of two or more distinct matching terms is within a certain distance. Here, the distance is, for example, the number of words or letters in the middle. However, certain information, which may be a search term (or word), search text, etc., is transferred in encrypted form and is not decrypted for search and accessibility verification. In addition, the database also has encrypted information that is not decrypted for accessibility verification. As a result, the user can find out whether or not information near the specific information is registered in the database without leaving a search (or browsing) log containing the specific information itself on the web server or the like. , The content of the search can be hidden from third parties. In addition, the user can determine whether information near the specific information is registered in the database, but information near the specific information registered in the database in encrypted form is the user. Can be hidden from.

If the user finds that information near a particular piece of information is registered in the database, the user contacts the database owner or administrator, for example, the owner or administrator shares content with the user. When agreeing to, the configuration necessary to obtain information near the specific information registered in the database (for example, by contact), that is, the content related to the specific information may be made.

In other words, the content of the search is hidden because, for example, even when the database is made accessible to the general public, the information to be searched is transferred in encrypted form and not decrypted for search and accessibility verification. , Can provide searchable encryption. Furthermore, from the result of proximity verification using relational encryption, it is possible to find out whether or not the information near the searched information is registered in the data base. However, since the database contains encrypted information that is not decrypted for accessibility verification, the content associated with the information registered in the database in encrypted form can be hidden and provide searchable encryption.

Therefore, in one application of the embodiment described above, one or more first entities may have one or more pieces of information near the particular information being retrieved from the results of proximity verification using relational encryption. A search may be performed to find out if one or more of the entities are registered in the database. A particular first entity registered in one or more databases when one or more second entities agree to share content with one or more first entities. Information that is close to the information, that is, content related to the specific information may be acquired. As a result, useful information is shared between one or more first entities and one or more second entities that agree to share information, while at the same time content related to specific information registered in the database. Can guarantee confidentiality from a third party. As will be described later, the third party may have one or more first entities that are not allowed to share information by one or more second entities.

In this example, encryption may be performed using first (or search) keys that differ from each other between the first entities when performing the search. In addition, encryption may be performed using second (or registration) keys that differ from each other between the second entities when registering information in individual databases. Here, the second key is different from the first key.

The first entity is one or more of one or more second entities in a cloud computing environment with one or more processors, for example for big data analysis, from the results of proximity verification using relational encryption. A search may be performed to find out if information is registered in the database near the particular information being searched for.

The plaintext data used in the above embodiments may be related to various information and is not limited to biometric information. Examples of various information may include medical and biological information, technical information, financial information, and the like. Medical and biological information may include clinical data, health data, genetic data, and the like. The technical information may include analysis data, evaluation data, experimental data, and the like in various technical fields. The financial information may include data related to banking business, data related to securities, and the like.

Various information may be registered in the database in the form of a registered ciphertext. As an example, registered ciphertexts, including encryption of medical and biological information, may be registered in a database of entities such as hospitals, research facilities, universities, government agencies, government agencies, and the like.

Next, with reference to FIG. 16, an example of one application of the above-described embodiment will be described. FIG. 16 is a block diagram of another exemplary operating environment 1300-1. In FIG. 16, the same parts as the corresponding parts of FIG. 13 are indicated by the same reference numerals, and the description thereof will be omitted. In FIG. 16, a plurality of user devices 1302-1 ,. .. .. , 1302-L, and a plurality of memories 122B-1, which form a database ,. .. .. , 122B-M, Multiple Authentication Servers 140-1 ,. .. .. , 140-M are provided. Here, L and M are natural numbers of 2 or more. L may be equal to or different from M. N databases may be provided. Further, a common database may be provided for two or more authentication servers. Here, N is a natural number of 2 or more and may be equal to or different from M. Instead of providing the database inside the authentication server, the database may be provided outside the authentication server and connected to the network 107. For convenience, user device 1302-1 ,. .. .. , 1302-L are entities (hereinafter also referred to as "users") 150-1, respectively. .. .. , 150-L. Furthermore, the authentication server 140-1 ,. .. .. , 140-M are entities (hereinafter also referred to as "users (or operators)") 152-1 ,. .. .. , 152-M. The network 107 may have one or more networks, and the network 107 may have the Internet. The operating environment 1300-1 may form a cloud computing environment.

FIG. 16 shows the operating environment 1300-1 assuming that it includes a trusted entity server 1108, but the trusted entity server 1108 may be omitted. If a trusted entity server 1108 is provided, the trusted entity server 1108 may have a processor-based computing system. For example, the trusted entity server 1108 may have a hardware server or a computing system based on another processor configured to act as a server. The trusted entity server 1108 may have memory and network communication capabilities. In the operating environment 1300, the reliable entity server 1108 is the user apparatus 1302-1 ,. .. .. , 1302-L, Authentication Server 140-1 ,. .. .. , 140-M, and database 122B may be configured to communicate via network 107.

The trusted entity server 1108 may be associated with a trusted entity. For example, a trusted entity may have a non-interested third party, such as a certification body. User 150-1, ... .. .. , 150-L, and Authentication Server 140-1 ,. .. .. , 140-M related entities may trust, select, and agree on trusted entities.

The trusted entity server 1108 may have a key generation module 1118. The key generation module 1118 may be configured to generate the keys used in the relational encryption protocol. In some embodiments, the key may have a public key set, a relational key, and first and second verification keys described below in connection with FIGS. 22 and 23. The key generated by the key generation module 1118 is the user device 1302-1. .. .. , 1302-L, Authentication Server 140-1 ,. .. .. , 140-M may be communicated or made available.

The method of accessibility verification using relational encryption in the operating environment 1300-1 is described in User Equipment 1302-1. .. .. , 1302-L, authentication server 140-1 ,. .. .. , 140-M for each of the databases, may be performed as described above in connection with FIGS. 1-15.

FIG. 17 is a diagram illustrating a first example of a proximity verification method using relational encryption. In this first example, for convenience, the user 150-1 operates the user device 1302-1 to execute the search, and the information close to the searched information is obtained from the result of the proximity verification using the relational encryption. Is the authentication server 140-1 ,. .. .. , Suppose you discover whether it is registered in the 140-M database. Further, it is assumed that the searched information is registered in the database formed by the memory 122B-1 of the authentication server 140-1 (hereinafter, also referred to as "database 122B-1"). Further, it is assumed that the information retrieved and registered in the database is clinical data that is an example of medical and biological information.

When the information being searched is, for example, a medical ID assigned to an individual, the user device 1302-1 may be provided in an administrative organization, and the authentication server 140-1 and the database 122B-1 may be provided in a hospital. It may be provided inside. As shown in FIG. 17, the database 122B-1 contains the patient name (n), the department visited by the patient (dv), the medical history (ch), the insurance card number (incn), and the cost covered by insurance (ccbi). Clinical data such as, etc. may be registered for each medical ID in an encrypted format. Thus, for example, the medical ID M ₁ is registered in the encryption format Enc ₁ (M ₁ ) and the medical ID M ₂ is registered in the encryption format Enc ₁ (M ₂ ). The authentication server 140-1 may be operated by the user (or operator) 152-1 in order to register clinical data in the database 122B-1 in encrypted form.

User 150-1 of the user device 1302-1 of administrative organization may wish to know the patient with for instance a history ch _1. In this case, the search for the medical history ch ₁ is performed in the encrypted format Enc ₂ (ch ₁ ) and is not decrypted for the search and proximity verification. The encrypted Enc ₂ used for retrieval by the user apparatus 1302-1 is different from the encrypted Enc ₁ used when registering clinical data in the database 122B-1 in encrypted form. Furthermore, the encrypted clinical data registered in database 122B-1 is not decrypted for proximity verification. As a result, a user 150-1 of the user device 1302-1 is without leaving the search (or viewing) log that contains history ch ₁ itself to a web server or the like, medical history near history ch _1, that is, medical history ch ₁ It is possible to find out whether relevant clinical data is registered in the database, and the content of the search can be hidden from third parties. Further, the user 150-1 can find that the medical history near the medical history ch ₁ is registered in the database 122B-1, but the medical history ch ₁ registered in the database 122B-1 in the encrypted form. The medical history in the vicinity of is hidden from user 150-1.

In an example where user 150-1 finds that a medical history near medical history ch ₁ is registered in database 122B-1, for example, user 150-1 is the owner or administrator of database 122B-1, ie. To obtain at least part of the medical history ch1 related content registered in database 122B-1 when contacting the hospital and the owner or administrator agrees to share the content with user 150-1. The required configuration may be generated (eg, by contact). Thus, owner or administrator, and administrative organization, part of history related to medical history ch _1, i.e., may be agreed to share the patients with a history similar to history ch _1. On the other hand, for example, owner or administrator, and administrative organization, another part of the history relating to the medical history ch _1, i.e., agreed to share the medical ID of a patient with a history similar to history ch ₁ It doesn't have to be.

As a result, in this example, useful information, at the same time can be efficiently shared use among hospitals to agree to share information with administrative organization and administrative organization, registered in the database, associated with the history ch ₁ Guarantee the confidentiality of your medical history from a third party. It is also possible to guarantee the confidentiality of a part of the medical history related to medical history ch ₁ registered in the database from the administrative organization and protect the privacy information of patients having a medical history similar to medical history ch _1. Is.

FIG. 18 is a diagram illustrating a second example of the proximity verification method using relational encryption. In FIG. 18, the same parts as the corresponding parts of FIG. 17 are indicated by the same reference numerals, and the description thereof will be omitted.

As shown in FIG. 18, database 122B-1 may register clinical data such as patient's gender, patient's illness, patient's age, etc. in encrypted form for each medical ID. In this example, the combination of multiple clinical data for each medical ID corresponds to the attribute data of the patient with the medical ID. User 150-1 of the user device 1302-1 administrative organization, the attribute data of patients with medical ID M ₁ may desire to know whether or not it is registered in the database. In this case, for example, the search for the attribute data (M ₁ , G ₁ , I ₁ , A ₁ ) is performed in the encryption format Enc ₂ (M ₁ , G ₁ , I ₁ , A ₁ ), and the search and proximity are performed. Not decrypted for sex verification. The encrypted Enc ₂ used for retrieval by the user apparatus 1302-1 is different from the encrypted Enc ₁ used when registering clinical data in the database 122B-1 in encrypted form. Further, the attribute data in the encrypted format registered in the database 122B-1 is not decrypted for proximity verification. As a result, the user 150-1 of the user apparatus 1302-1 does not leave a search (or browsing) log including the attribute data (M ₁ , G ₁ , I ₁ , A ₁ ) itself on the web server or the like, and the attribute data It is possible to find out whether or not the attribute data near (M ₁ , G ₁ , I ₁ , A ₁ ) is registered in the database, and the contents of the search can be hidden from a third party. Further, the user 150-1 can find that the attribute data near the attribute data (M1, G1, I1, A1) is registered in the database 122B-1, but in the encrypted format, the database 122B- The attribute data near the attribute data (M1, G1, I1, A1) registered in 1 can be hidden from the user 150-1.

FIG. 19 is a diagram illustrating a third example of the proximity verification method using relational encryption. In FIG. 19, the same parts as the corresponding parts of FIG. 17 are indicated by the same reference numerals, and the description thereof will be omitted.

If the information being retrieved is a DNA pattern that is an example of medical and biological information, the user device 1302-1 may be provided in the research facility, authentication server 140-1 and database 122B-. 1 may be provided in the hospital. As shown in FIG. 18, the database 122B-1 may register genetic data in encrypted form, such as DNA patterns, diseases associated with DNA patterns, and the like. Therefore, for example, the DNA pattern GTG. .. .. TAG and related diseases I ₁ are registered in the cryptographic forms Enc ₁ (GTG ... TAG) and Enc ₁ (I ₁ ) and have the DNA pattern GTC. .. .. The GAC and related illnesses I ₂ are registered in the encrypted forms Enc ₁ (GTC ... GAC) and Enc ₁ (I ₂ ). The authentication server 140-1 may be operated by the user (or operator) 152-1 in order to register the genetic data in the database 122B-1 in an encrypted format.

The user 150-1 of the user device 1302-1 of the research facility is described, for example, in the DNA pattern GTG. .. .. You may want to know about TAG-related illnesses. In this case, the DNA pattern GTG. .. .. The search for TAG is performed, for example, in the encryption format Enc ₂ (GTG ... TAG), and is not decrypted for search and proximity verification. The encrypted Enc ₂ used for retrieval by the user apparatus 1302-1 is different from the encrypted Enc ₁ used when registering genetic data in the database 122B-1 in an encrypted format. Further, the encrypted gene data registered in the database 122B-1 is not decrypted for proximity verification. As a result, the user 150-1 of the user apparatus 1302-1 sends the DNA pattern GTG. .. .. DNA pattern GTG. Without leaving a search (or browsing) log containing the TAG itself. .. .. It is possible to find out whether or not attribute data near the TAG is registered in the database, and the content of the search can be hidden from a third party. In addition, user 150-1 can see the DNA pattern GTG. .. .. It can be found that the DNA pattern near the TAG is registered in the database 122B-1, but the DNA pattern GTG. Is registered in the database 122B-1 in encrypted form. .. .. DNA patterns near the TAG can be concealed from user 150-1.

User 150-1 has a DNA pattern GTG. .. .. In an example of finding that a DNA pattern near the TAG is registered in database 122B-1, for example, user 150-1 contacts the owner or administrator of database 122B-1, i.e. the hospital, and the owner. Alternatively, when the administrator agrees to share the content with user 150-1, the DNA pattern GTG. .. .. At least part of the content related to TAG, ie the DNA pattern GTG. .. .. The configuration required to obtain the disease, registered in database 122B-1 with respect to the DNA pattern near the TAG, may be generated (eg, by contact). Therefore, in this example, the owner or administrator is the DNA pattern GTG. .. .. Part of the genetic data related to TAG, ie the DNA pattern GTG. .. .. You may agree to share DNA pattern-related diseases near the TAG with your research facility. On the other hand, the owner or administrator has the DNA pattern GTG. .. .. You do not have to agree to share with your laboratory another piece of genetic data related to the DNA pattern near the TAG.

As a result, in this example, useful information can be efficiently shared and used between the research facility and the hospitals that agree to share the information with the research facility, and at the same time, the DNA pattern GTG. .. .. Ensures third-party confidentiality of genetic data associated with DNA patterns near the TAG. In addition, the DNA pattern GTG. .. .. To ensure the confidentiality of some of the genetic data associated with the DNA pattern near the TAG from the laboratory, the DNA pattern GTG. .. .. It is also possible to protect sensitive or confidential information associated with DNA patterns near the TAG.

FIG. 20 is a diagram illustrating a fourth example of the proximity verification method using relational encryption. In FIG. 20, the same parts as the corresponding parts of FIG. 19 are indicated by the same reference numerals, and the description thereof will be omitted.

As shown in FIG. 20, the database 116-1 may register a DNA pattern in a segment (that is, a segment of a single data) which is a meaningful unit related to, for example, a disease or the like. In this example, for example, the DNA segments GTGA, GAAG, TTAT, GATA ,. .. .. , Related diseases I ₁ , etc. are registered in the encryption formats Enc ₁ (GTGA), Enc ₁ (GAAG), Enc ₁ (TTAT), Enc ₁ (GATA), Enc ₁ (I ₁ ), etc. .. In this example, for example, the DNA segments GTCC, TAAG, GTGT, GATAAC ,. .. .. , Related diseases I ₂ , etc. are registered in the encrypted formats Enc ₁ (GTCC), Enc ₁ (TAAG), Enc ₁ (GTGT), Enc ₁ (GATAAC), Enc ₁ (I ₂ ), etc. .. In this case, the user 150-1 of the user apparatus 1302-1 of the research facility can find out whether or not the information related to the DNA segment such as the disease related to the DNA segment GTGA is registered in the database. ..

According to the second example described above, each of the searched information and the registered information has a combination of a plurality of data items. On the other hand, according to the fourth example, each of the retrieved information and the registered information has multiple segments of a single data item.

FIG. 21 is a diagram illustrating a fifth example of the proximity verification method using relational encryption. In FIG. 21, the same parts as the corresponding parts of FIG. 17 are indicated by the same reference numerals, and the description thereof will be omitted.

The first to fourth examples described above perform proximity verification related to medical and biological information. However, as mentioned above, the information subject to accessibility verification is not limited to medical and biological information. The fifth example performs accessibility verification related to financial information as an example of the information type to which accessibility verification is applied.

When the information being searched is, for example, a customer ID assigned to an individual, the user device 1302-1 may be provided in an administrative organization, and the authentication server 140-1 and the database 122B-1 may be provided in a bank. It may be provided inside. As shown in FIG. 21, the database 122B-1 has a customer name (cn), a type of account owned by the customer (ta), an account number (an), a balance of the customer's account (ba), and the like. Data related to banking business (hereinafter, also referred to as "banking business data") may be registered in an encrypted format for each customer ID. Thus, for example, a customer ID M _C1 is registered in an encrypted form _Enc 1 (M _C1), a customer ID _{M C2} is registered in an encrypted form _Enc 1 _{(M C2).} The authentication server 140-1 may be operated by the user (or operator) 152-1 in order to register the banking business data in the database 122B-1 in the encrypted format.

User 150-1 of the user device 1302-1 administrative organization, for example, may desire to know the type of accounts owned by the customer having the customer ID located near the customer ID _{M C1.} In this case, the search for customer ID _{M C1,} for example, is done in an encrypted form _Enc 2 _{(M C1),} not decoded for retrieval and proximity verifier. The encrypted Enc ₂ used for retrieval by the user apparatus 1302-1 is different from the encrypted Enc ₁ used when registering banking data in the database 122B-1 in an encrypted format. Further, the encrypted banking data registered in the database 122B-1 is not decrypted for accessibility verification. As a result, the user 150-1 of the user device 1302-1 is, without leaving the search (or viewing) log that contains the customer ID _{M C1} itself to a web server, or the like, banking data of customers who are close to the customer ID _{M C1} Can be found whether or not is registered in the database, and the content of the search can be hidden from a third party. Furthermore, the user 150-1, may find that the banking customer data near the customer ID _{M C1} is registered in the database 122B-1, is registered in the database 122B-1 in encrypted form was, banking data of customers who are close to the customer ID _{M C1} can be hidden from the user 150-1.

User 150-1, in the example of finding that the banking customer data near the customer ID _{M C1} is registered in the database 122B-1, for example, a user 150-1, the owner of the database 122B-1 or administrator, i.e. contact bank, when the owner or manager to agree to share user 150-1 and content, registered in the database 122B-1, at least the content associated with the customer ID M _C1 The configuration required to obtain a portion may be generated (eg, by contact). Thus, owner or administrator, and administrative organization, part of the banking data associated with the customer ID M _C1, i.e., the type of account owned by the customer having the customer ID located near the customer ID M _C1 You may agree to share. On the other hand, the owner or administrator, and administrative organization, another part of the banking data relating to the customer ID M _C1, in other words, the balance of the customer's customer accounts with a customer ID in the vicinity of the customer ID M _C1 You don't have to agree to share.

As a result, in this example, useful information can be efficiently shared and used between the administrative organization and the banks that agree to share the information with the administrative organization, and at the same time, the customer ID _MC1 registered in the database. Guarantee the confidentiality of relevant banking data from third parties. In addition, registered in the database, the part of the banking data relating to the customer ID M _C1, to guarantee the confidentiality of the administrative organization, customer privacy information with a customer ID in the vicinity of the customer ID M _C1 It is also possible to protect.

Next, a sixth example of the proximity verification method using relational encryption will be described with reference to FIGS. 22 and 23. FIG. 22 shows an example of an access restriction table. FIG. 23 is a diagram illustrating a sixth example of the proximity verification method using relational encryption. In FIG. 23, the same parts as the corresponding parts of FIG. 16 are indicated by the same reference numerals, and the description thereof will be omitted. FIG. 23 shows the case where L = M = 3 in FIG. In this example, each authentication server may restrict access to the database based on the access restriction table. Further, the database is provided outside the authentication server and is connected to the network 107.

FIG. 22 shows three user devices 1302-1 to 1302-3, three authentication servers 140-1 to 140-3, and three databases 122B- in the operating environment 1300-1 shown in FIG. The access restriction table 1800 when 1 to 122B-3 is provided is shown. In FIG. 22, Ka, Kb, and Kc are communicated from the trusted entity server 1108 in any block preceding, for example, block 1460 shown in FIG. 14, and are communicated by user devices 1302-1, 1302-2, and 1302-, respectively. Indicates a verification key that may be received by 3. Further, Kx, Ky, and Kz are communicated from the trusted entity server 1108 at an appropriate time before the authentication signals are communicated from the authentication servers 140-1, 140-2, and 140-3, respectively, and the authentication server 140. Indicates a verification key that may be received by -1, 140-2, and 140-3. In this example, the verification keys Ka, Kb, and Kc are assigned to the users Ua, Ub, and Uc of the user devices 1302-1, 1302-2, and 1302-3, respectively. Further, the verification keys Kx, Ky, and Kz are assigned to the users (or operators) Ux, Uy, and Uz of the authentication servers 140-1, 140-2, and 140-3, respectively. The access restriction table 1800 may be stored in each of the authentication servers 140-1, 140-2, and 140-3. Alternatively, the access restriction table 1800 may be communicated from the trusted entity server 1108 to the authentication servers 140-1, 140-2, and 140-3 at the appropriate time.

The verification key of each user device may be communicated to the authentication server at an appropriate timing. Based on the access restriction table 1800, the authentication server 140 determines whether or not the authentication signal indicates that there is similarity or approximate similarity between the proximity ciphertext and the registered proximity ciphertext. Determines whether or not should be destroyed.

In the access restriction table 1800, as an example, in Ka-x, the user device 1302-1 to which the verification key Ka is assigned accesses the proximity verification result from the authentication server 140-1 to which the verification key Kx is assigned. Show that you can. Similarly, as an example, Ka-y indicates that the user device 1302-1 to which the verification key Ka is assigned can access the proximity verification result from the authentication server 140-2 to which the verification key Ky is assigned. .. Therefore, in these examples, the user apparatus 1302-1 accesses the proximity verification result, and the proximity or the registered proximity ciphertext is located between the authentication servers 140-1 and 140-2. It is allowed to receive an authentication signal indicating whether or not approximate closeness exists.

On the other hand, in the access restriction table 1800, X in the combination of the verification key Kb and Kz is from the authentication server 140-3 to which the user device 1302-2 to which the verification key Kb is assigned is assigned the verification key Kz. Indicates that access to the proximity verification result is denied. In this example, the user apparatus 1302-2 determines that the authentication server 140, regardless of whether the authentication signal indicates that there is a similarity or approximate similarity between the proximity ciphertext and the registered proximity ciphertext. It is not allowed to receive the authentication signal from -3.

Therefore, the accessibility of each authentication server's database from each user device can be controlled based on the access restriction table.

FIG. 24 is a block diagram of yet another exemplary operating environment. In FIG. 24, the same parts as the corresponding parts of FIG. 16 are indicated by the same reference numerals, and the description thereof will be omitted. In the operating environment 1300-2 shown in FIG. 24, the plurality of authentication servers 140-1 shown in FIG. 16 ... .. .. , 140-M functionality is integrated into a single authentication server 140 that can be operated by the user (or operator) 152. Further, the plurality of databases 112B-1 are integrated into a single database 112B.

FIG. 25 is a block diagram of a further exemplary operating environment. In FIG. 25, the same parts as the corresponding parts of FIG. 16 are indicated by the same reference numerals, and the description thereof will be omitted. In the operating environment 1300-3 illustrated in FIG. 25, the trusted entity server 1108 illustrated in FIG. 16 is omitted. Further, the user device 1302-1 ,. .. .. , 1302-L are each provided with a key generation module 1118A which may be similar to the key generation module 1118 of the trusted entity server 1108. Furthermore, the authentication server 140-1 ,. .. .. , 140-M are each provided with a relation key generation module 1118B to generate a relation key.

The embodiments described herein may include the use of a specific purpose or general purpose computer with various computer hardware or software modules, as discussed in more detail below.

The embodiments described herein can be implemented using a computer-readable medium that conveys or stores instructions or data structures that can be executed by a computer. Such a computer-readable medium can be a usable medium accessible by a general purpose or special purpose computer. As an example and not limited to, such computer-readable media include RAM (Random Access Memory), ROM (Read-Only Memory), EEPROM (Electrically Erasable Programmable Read-Only Memory), and CD-ROM (Compact Disc Read-Only). Memory) or other non-transitory computer-readable storage media, including optical disk storage devices, magnetic disk storage devices or other magnetic storage devices, flash memory devices (eg, solid-state memory elements), or computer-executable instructions or data structures. It may have other media that are used to convey or store the desired program code means in the form of and accessible by a general purpose or special purpose computer. The above combinations may also be included in the scope of computer readable media.

Instructions that can be executed by a computer include, for example, instructions and data that cause a general purpose computer, a special purpose computer (eg, one or more processors), or a special purpose processing unit to execute a specific function or functional group. Although the subject matter of the present invention has been described in terms specific to structural features and / or methodological behaviors, it is understood that the subject matter of the present invention is not limited to the particular features or behaviors described above as defined in the claims. It should be. Rather, the particular features and behaviors described above are disclosed as exemplary embodiments of the claims.

As used herein, the term "module" or "component" is a specific hardware implementation configured to perform the operation of a module or component, and / or general purpose hardware of a computing system (eg, computer readable). It may represent a software object or software routine that can be stored in and / or executed by a medium, processor, etc.). In some embodiments, components, modules, engines and services different from those described herein may be implemented as objects or processes performed on the computing system (eg, as separate threads). .. Some of the systems and methods described herein are generally described as being implemented in software (stored in and / or executed in general purpose hardware), but are implemented in dedicated hardware or software. It is also possible to implement a combination of and dedicated hardware. In the present description, the "computer entity" may be a computing system, or a module or a combination of modules executed in the computing system, as defined above herein.

Although the above description uses terms such as "determine" to describe embodiments, such terms are abstractions of the actual action performed. Therefore, as will be apparent to those skilled in the art, the actual behavior corresponding to such terms may vary depending on the implementation.

Examples are numbered by, for example, "first", "second", "third", "fourth", "fifth", or "sixth", but the ordinal numbers are of the examples. Does not indicate priority. Many other modifications and changes are apparent to those skilled in the art.

All examples and conditional statements described herein are for educational purposes to help the reader understand the principles of the present disclosure and the concepts devised by the inventor and to facilitate the art. It should be considered not limited to these specifically described examples and conditions. Although embodiments of the present disclosure have been described in detail, it should be understood that various modifications, substitutions and modifications can be made without departing from the spirit and scope of the present disclosure.

In addition to the above embodiments, the following additional notes will be further disclosed.
(Appendix 1) This is a method of accessibility verification using relational encryption.
The step of receiving a linear ciphertext that represents information that has been processed to a randomization level related to security parameters and that has been encrypted using a relational linear encryption method.
A step of determining the linearity relationship between the linearity ciphertext and the registered linearity ciphertext using the linearity relationship secret key, and
A step of receiving a proximity ciphertext representing the information processed to the randomization level and encrypted using the relational proximity encryption method.
Proximity relationship A step of determining the proximity relationship between the proximity ciphertext and the registered proximity ciphertext using the secret key, and
A step of determining the approximate similarity between the proximity ciphertext and the registered proximity ciphertext based on the security parameters, the linearity relationship, and the proximity relationship.
That the combination of the first validation key assigned to the user device and the second validation key assigned to one of the plurality of authentication servers accesses the result of the step of determining the approximate similarity. Authentication indicating whether or not the approximate similarity between the proximity ciphertext and the registered proximity ciphertext exists from the one of the plurality of authentication servers to the user device, if permitted. If the signal is communicated and the combination of the first and second verification keys does not allow access to the result of the step of determining the approximate similarity, then the authentication signal is the proximity ciphertext and said. A step of not communicating the authentication signal to the user device, regardless of whether or not it indicates that the approximate similarity exists with the registered proximity ciphertext.
Method to have.
(Appendix 2) The step of receiving the second linear ciphertext and the second proximity ciphertext, and
A step of storing the second linear ciphertext as the registered linear ciphertext, and
A step of storing the second proximity ciphertext as the registered proximity ciphertext, and
The step of receiving the linearity relationship secret key and the proximity relationship secret key, and
The method according to Appendix 1, further comprising.
(Appendix 3) A step of receiving the first verification key from a trusted entity server by the user device, and
The step of receiving the second verification key from the trusted entity server, and
The method according to Appendix 1, further comprising.
(Appendix 4) The method according to Appendix 1, wherein the information has a combination of a plurality of data items or a plurality of segments of a single data item.
(Appendix 5) The method according to Appendix 1, wherein the information is related to one of medical and biological information, technical information, and financial information.
(Appendix 6) The method according to Appendix 5, wherein the medical and biological information includes one of clinical data, health data, and genetic data.
(Appendix 7) A non-transitory computer-readable medium having coded programming code that can be executed by one of a plurality of processors to perform or control the execution of an operation. ,
The step of receiving a linear ciphertext that represents information that has been processed to a randomization level related to security parameters and that has been encrypted using a relational linear encryption method.
A step of determining the linearity relationship between the linearity ciphertext and the registered linearity ciphertext using the linearity relationship secret key, and
A step of receiving a proximity ciphertext representing the information processed to the randomization level and encrypted using the relational proximity encryption method.
Proximity relationship A step of determining the proximity relationship between the proximity ciphertext and the registered proximity ciphertext using the secret key, and
A step of determining the approximate similarity between the proximity ciphertext and the registered proximity ciphertext based on the security parameters, the linearity relationship, and the proximity relationship.
The combination of the first verification key assigned to the user device and the second verification key assigned to one of the plurality of authentication servers accesses the result of the step of determining the approximate similarity. When the above is permitted, an authentication signal indicating whether or not the approximate similarity between the proximity ciphertext and the registered proximity ciphertext exists is transmitted to the user apparatus, and the first and second If the combination of verification keys does not allow access to the results of the step of determining the approximate similarity, then the authentication signal is between the proximity ciphertext and the registered proximity ciphertext. A step of not communicating the authentication signal to the user device, whether or not it indicates that similarities exist.
A non-transitory computer-readable medium that has.
(Appendix 8) The operation is
The step of receiving the second linear ciphertext and the second proximity ciphertext,
A step of storing the second linear ciphertext as the registered linear ciphertext, and
A step of storing the second proximity ciphertext as the registered proximity ciphertext, and
The step of receiving the linearity relationship secret key and the proximity relationship secret key, and
The non-transitory computer-readable medium according to Appendix 7, further comprising.
(Appendix 9) The operation is
The step of receiving the first and second verification keys from a trusted entity server,
The non-transitory computer-readable medium according to Appendix 7, further comprising.
(Appendix 10) The non-transitory computer-readable medium according to Appendix 7, wherein the information has a plurality of data items or a combination of a plurality of segments of a single data item.
(Appendix 11) The non-temporary computer-readable medium according to Appendix 7, wherein the information is related to one of medical and biological information, technical information, and financial information.
(Appendix 12) The non-transitory computer-readable medium according to Appendix 11, wherein the medical and biological information comprises one of clinical data, health data, and genetic data.
(Appendix 13) A step of receiving a linear ciphertext representing medical and biological data processed to a randomization level related to security parameters and encrypted using a relational linear encryption method.
A step of determining the linearity relationship between the linearity ciphertext and a registered linearity ciphertext representing medical and biological information using the linearity relationship secret key.
The step of receiving the proximity ciphertext representing the medical and biological information processed to the randomization level and encrypted using the relational proximity encryption method.
Proximity relationship The step of determining the proximity relationship between the proximity ciphertext and the registered proximity ciphertext representing medical and biological information using the secret key, and
A step of determining the approximate similarity between the proximity ciphertext and the registered proximity ciphertext based on the security parameters, the linearity relationship, and the proximity relationship.
Method to have.
(Appendix 14) The method according to Appendix 13, wherein the medical and biological information includes one of clinical data, health data, and genetic data.
(Appendix 15) A non-transitory computer-readable medium having coded programming code that can be executed by a processor to perform or control the execution of an operation.
The step of receiving linear ciphertext representing medical and biometric information processed to a randomization level related to security parameters and encrypted using a relational linear encryption method,
A step of determining the linearity relationship between the linearity ciphertext and a registered linearity ciphertext representing medical and biometric information using the linearity relationship secret key.
The step of receiving the proximity ciphertext representing the medical and biometric information processed to the randomization level and encrypted using the relational proximity encryption method.
Proximity relationship A step of determining the proximity relationship between the proximity ciphertext and a registered proximity ciphertext representing medical and biometric information using the secret key, and
A step of determining the approximate similarity between the proximity ciphertext and the registered proximity ciphertext based on the security parameters, the linearity relationship, and the proximity relationship.
A non-transitory computer-readable medium that has.
(Appendix 16) The non-transitory computer-readable medium according to Appendix 15, wherein the medical and biological information comprises one of clinical data, health data, and genetic data.
(Appendix 17) Steps to receive medical and biological information,
A step of processing the medical and biological information into a randomized level as a plaintext vector, wherein the randomized level is associated with a security parameter.
A step of encrypting the plaintext vector using a relational linear encryption method in order to generate a linear ciphertext representing the plaintext vector.
A step of encrypting the plaintext vector using a relational proximity encryption method in order to generate a proximity ciphertext representing the plaintext vector.
The step of communicating the linear ciphertext and the proximity ciphertext with the authentication server,
The authentication server represents the linear relationship between the linear ciphertext and the registered linear ciphertext determined using the relational linearity key, and medical and biometric information and uses the relational proximity key. A step of receiving an authentication signal based on the security parameter indicating the proximity between the determined proximity ciphertext and the registered proximity ciphertext.
Method to have.
(Supplementary Note 18) The method according to Supplementary Note 17, wherein the medical and biological information includes one of clinical data, health data, and genetic data.

100 Operating environment 102 User device 107 Network 108 Relationship authentication module 110 Relationship encryption / decryption module 122 Memory 114 Proximity encryption / decryption module 116 Communication module 124 Processor 126 Communication unit 128 Proximity authentication module 130 Registered cipher 132 Linear Gender Authentication Module 134 Server Communication Module 140 Authentication Server 142A First Plaintext Vector 142B Second Plaintext Vector 144 Setting Module 150 Second Entity 152 First Entity

Claims (11)

It is a method of operating a system that executes proximity verification using relational encryption. The system has a plurality of authentication servers and a user device, and each of the plurality of authentication servers includes a communication module, a relational authentication module, and a memory. The operation method is
In each of the authentication servers, a linear ciphertext representing information processed by the communication module from the user device to a randomization level related to security parameters and encrypted using a relational linear encryption method is transmitted. Steps to receive and
In each of the authentication servers, the relationship authentication module uses the linearity relationship secret key to determine the linearity relationship between the linearity ciphertext and the registered linearity ciphertext stored in the memory. When,
In each of the authentication servers, the communication module receives a proximity ciphertext representing the information processed at the randomization level and encrypted using the relational proximity encryption method from the user apparatus. When,
In each of the authentication servers, the relationship authentication module uses the proximity relationship secret key to determine the proximity relationship between the proximity ciphertext and the registered proximity ciphertext.
In each of the authentication servers, the relationship authentication module determines the approximate similarity between the first biometric template and the second biometric template based on the security parameters, the linearity relationship, and the proximity relationship. The first biometric template is represented by one or more of the registered linear cipher and the registered proximity cipher, and the second biometric template is the linear cipher and the linear cipher. A step , represented by one or more of the proximity ciphers ,
A step of receiving a first verification key assigned to the user device from a trusted entity server by the user device .
In each of the authentication servers, a step of receiving a second verification key assigned to one of the plurality of authentication servers from the trusted entity server by the communication module .
By the one of the multiple authentication servers, if that allows combination of the first verification key and the second verification key, to access the results of the step of determining the approximate similarity, the user communicating an authentication signal that indicates whether the previous SL approximate similarity exists to the device, the combination of the first and second validation keys permitted to access the results of the step of determining the approximate similarity If no, the steps of the authentication signal regardless of whether show that there is a pre-Symbol approximate similarity, does not communicate the authentication signal to the user equipment,
Method to have. A step of receiving a second linear ciphertext and a second proximity ciphertext from the user device by the communication module in each of the authentication servers .
In each of the authentication servers, a step of storing the second linear ciphertext as the registered linear ciphertext in the memory, and
In each of the authentication servers, a step of storing the second proximity ciphertext as the registered proximity ciphertext in the memory, and
In each of the authentication servers, a step of receiving the linearity-related secret key and the proximity-related secret key from the user device by the communication module, and
The method according to claim 1, further comprising. The method of claim 1, wherein the information comprises a combination of a plurality of data items or a plurality of segments of a single data item. The method of claim 1, wherein the information relates to one of medical and biological information, technical information, financial information. The method of claim 4 , wherein the medical and biological information comprises one of clinical data, health data, and genetic data. A computer program that causes a computer to execute the method according to any one of claims 1 to 5 . A storage medium for storing the computer program according to claim 6 . A method of operating a system that executes proximity verification using relational encryption, wherein the system has an authentication server and a user device, and the authentication server has a communication module, a relational authentication module, and a memory. The operation method is
The communication module receives from the user equipment a linear ciphertext representing medical and biological data processed to a randomized level associated with a security parameter and encrypted using a relational linear encryption method. Steps and
The relationship authentication module uses the linear relationship secret key to determine the linear relationship between the linear ciphertext and the registered linear ciphertext representing medical and biological information stored in the memory. Steps and
The step of receiving the proximity ciphertext representing the medical and biological information processed by the communication module from the user device and encrypted using the relational proximity encryption method.
A step of determining the proximity relationship between the proximity ciphertext and a registered proximity ciphertext representing medical and biological information using the proximity relationship secret key by the relationship authentication module .
The step of determining the approximate similarity between the first biometric template and the second biometric template based on the security parameters, the linearity relationship, and the proximity relationship by the relationship authentication module. The first biometric template is represented by one or more of the registered linear ciphertext and the registered proximity ciphertext, and the second biometric template is among the linear ciphertext and the proximity ciphertext. A step , represented by one or more ,
A step of receiving a first verification key assigned to the user device from a trusted entity server by the user device.
In each of the authentication servers, a step of receiving a second verification key assigned to the authentication server from the trusted entity server by the communication module.
The approximate similarity to the user apparatus when the authentication server allows the combination of the first verification key and the second verification key to access the results of the step of determining the approximate similarity. Communicates with an authentication signal indicating the presence or absence of, and does not allow the combination of the first and second verification keys to access the result of the step of determining the approximate similarity. The step of not communicating the authentication signal to the user device, regardless of whether or not indicates that the approximate similarity exists.
Method to have. The method of claim 8 , wherein the medical and biological information comprises one of clinical data, health data, and genetic data. A computer program that causes a computer to perform the method according to claim 8 or 9 . A storage medium for storing the computer program according to claim 10 .

Images