JP6927199B2 - Ciphertext matching system, node device, ciphertext matching method, and program - Google Patents

Description

(Description of related application)
The present invention is based on the priority claim of Japanese patent application: Japanese Patent Application No. 2016-072770 (filed on March 31, 2016), and all the contents of the application are incorporated in this document by citation. Shall be.
The present invention relates to an encryption technique, and more particularly to a ciphertext matching system, a node device, a ciphertext matching method, and a program.

As cloud computing (cloud) becomes widespread, cloud services that manage the data of the client using the computer resources on the cloud side in which the client communicates with the communication network have become widespread. Since the service manages highly confidential data of the client, for example, it is necessary to ensure that the data handled by the service is secure on the cloud side.

Research on technology for managing data in an encrypted state in an open network environment where users can freely connect to a communication network, and performing search and statistical processing without decrypting the data. Development is in progress.

Recently, crimes using vulnerabilities in personal authentication using passwords or magnetic cards have frequently occurred. As a result, biometric authentication technology that realizes more secure authentication by using information (biological information) based on the characteristics of the living body such as fingerprints or veins is attracting attention.

In one of the typical examples of well-known biometric authentication technology, a client creates a template based on biometric information extracted from the biometric information to be registered, and the created template is sent to a server and stored in the server. .. In the biometric authentication technology, the server performs collation processing using the biometric information extracted by the client from the living body to be authenticated and the template stored in the server (template created by the client and transmitted to the server).

Multiple biological information extracted from the same living body does not always match exactly, but when the distance is measured using a certain distance function, the distance between multiple biological information extracted from the same living body is different. It is known that it is shorter than the distance between a plurality of biological information extracted from each of them.

By utilizing the above-mentioned properties, the biometric authentication technology collates the template generated based on the registration target with the biometric information created based on the authentication target. That is, in biometric authentication technology,
-If the biometric information extracted from the living body to be registered and the biometric information extracted from the living body to be authenticated are similar (or match), the authentication target is accepted.
-If the biometric information extracted from the living body to be registered and the biometric information extracted from the living body to be authenticated are not similar (or match), the authentication target is not accepted.

In general, the similarity of biometric information is determined by distance, as described above. That is,
-If the distance between the biological information extracted from the living body to be registered and the biological information extracted from the living body to be authenticated is equal to or less than a predetermined threshold value, it is accepted.
-If the distance between the biological information extracted from the living body to be registered and the biological information extracted from the living body to be authenticated is larger than a predetermined threshold value, it will not be accepted.

For example, the characteristics of a living body such as fingerprints and veins are considered to be lifelong data. Biological information is one of the information that requires confidentiality because the damage caused when the biometric information is leaked to the outside of the collation system is enormous. Therefore, even if the template leaks to the outside from the collation system that collates the template generated based on the biometric information extracted from the living body to be registered with the biometric information created based on the authentication target. It is desirable to satisfy the property that biometric information does not leak to the outside.

In addition, in biometric authentication technology, as with other authentication technologies, it is necessary to prevent a living body different from the living body in which biometric information is registered from impersonating the living body to be registered (that is, "spoofing"). For example, it can be said that an authentication technique that succeeds in authentication by transmitting a specific value to a matching system is not sufficiently resistant to spoofing.

Further, in the authentication technology, there is a risk that not only the template is leaked but also the communication content at the time of authentication is eavesdropped (intercepted). In the authentication technology, it is necessary to prevent the above-mentioned spoofing even if the communication content is eavesdropped. For example, when the authentication target is accepted, the method of re-accepting the data transmitted to the verification system by retransmitting the data is not sufficiently resistant to spoofing.

For example, Non-Patent Document 2 describes a biometric authentication method that enables authentication while concealing biometric information extracted from a living body to be registered and biometric information extracted from a living body to be authenticated. It is disclosed. Further, Non-Patent Document 1 discloses a homomorphic encryption system having homomorphism regarding addition and multiplication.

The homomorphic encryption method will be outlined. Homomorphic encryption is a public key cryptosystem with a special property called homomorphism or homomorphism.

Public key cryptography is
-Algorithm (key generation algorithm) that generates a public key (called "encryption key") and a private key (called "decryption key"),
-Algorithm that encrypts messages using the generated encryption key (encryption algorithm), and
-Algorithm that decrypts the ciphertext using the generated decryption key (decryption algorithm)
including.

The key generation algorithm (denoted as "Gen") is an algorithm that calculates the encryption key pk and the decryption key sk based on the security parameter λ.
Gen (λ) → (pk, sk) ・ ・ ・ (Equation 1)
It is expressed as. The security parameter λ is a measure of the security of the cipher, and is a parameter that determines the length of the encryption key or the decryption key.

The encryption algorithm (denoted as "Enc") is an algorithm that calculates the ciphertext c in which the message x is encrypted by using the encryption key pk based on the encryption key pk and the message x.
Enc (pk, M) → c ・ ・ ・ (Equation 2)
It is expressed as.

The decryption algorithm (denoted as "Dec") is an algorithm that calculates the decryption result X in which the ciphertext c is decrypted using the decryption key sk based on the decryption key sk and the ciphertext c.
Dec (sk, c) → X ... (Equation 3)
It is expressed as.

However,
A (B) → C ... (Equation 4)
Means that when B is input to algorithm A, C is output.

The public key cryptosystem has homomorphism when the conditions shown in the following equation 5 are satisfied.

Enc (pk, x1 # x2) = Enc (pk, x1) @ Enc (pk, x2) ... (Equation 5)

However, # and @ each represent a binary operator. Further, x1 and x2 each represent a message.

In particular, when # is addition, the public key cryptosystem that satisfies the condition shown in Equation 5 is said to have homomorphism for addition. The calculation of Enc (pk, x1) @ Enc (pk, x2) in this case is called "addition of ciphertext".

Further, when # is multiplication, the public key cryptosystem that satisfies the condition shown in Equation 5 is said to have homomorphism for multiplication. The calculation of Enc (pk, x1) @ Enc (pk, x2) in this case is called "ciphertext multiplication".

Further, there is also a homomorphic encryption that satisfies the condition shown in the following equation 6 by applying ciphertext addition and ciphertext multiplication.

Enc (pk, n # x) = Enc (pk, x) @n ... (Equation 6)

However, # and @ each represent a binary operator. Further, x and n each represent a message.

In particular, when # is addition, the public key cryptosystem that satisfies the condition shown in Equation 6 is said to have homomorphism in terms of scalar multiplication. The calculation of Enc (pk, x) @ n in this case is called "scalar times of ciphertext".

A homomorphic encryption method having homomorphism with respect to addition and multiplication described in Non-Patent Document 1 will be described. This method is a cipher based on the difficulty of the ring-LWE problem, which treats polynomials as messages. A feature of cryptography based on the difficulty of the ring-LWE problem is that operations can be performed at high speed.

The key generation algorithm mainly receives four parameters N, q, t, and σ as inputs.

N is an integer of two powers, and defines a polynomial ring R = Z [x] / <x ^N +1>, which ^{is a quotient ring by the polynomial x N +1.}

q is a prime number congruent with 1 (q≡1 mod 2N) modulo 2N, and defines the polynomial ring R _q = R / qR = Z _q [x] / <x ^N +1> representing the ciphertext space (Rq). The elements of are (N-1) degree polynomials in which each coefficient is an element of the group Zq).

t is a positive integer (not necessarily a prime number) smaller than q, and defines a polynomial ring R _t = R / tR = (Z / tZ) [x] / <x ^N +1> representing a plain space in a cryptosystem. (The _{elements of R t} are (N-1) degree polynomials in which each coefficient is an element of the remainder group Z / tZ).

σ is the standard deviation of the N-dimensional discrete Gaussian distribution χ = D (Z ^{N, σ).} The N-dimensional integer vector sampled by the N-dimensional discrete Gaussian distribution is a vector having an integer value rounded to a real value according to a Gaussian distribution (also called a normal distribution) having a standard deviation of σ for each component.
The probability density function of an N-dimensional discrete Gaussian distribution with a standard deviation of σ is

The polynomial ε (x) ∈ R is sampled from the ^N -dimensional discrete Gaussian distribution χ = D (Z N, σ) with a standard deviation of σ. Polynomial addition and multiplication are ^{defined by modulo (x N} + 1, q).

Next, one element (N-1 degree polynomial) s ∈ R sampled from the N-dimensional discrete Gaussian distribution χ whose standard deviation is σ is fixed.

Next, the elements of rings sample uniformly randomly from _{R q} (each coefficient q less than N-1 order polynomial) and _{p 1} ∈R _q. Take the element e ∈ R obtained from the N-dimensional discrete Gaussian distribution χ with standard deviation σ.

next,
p ₀ =-(p ₁ x s + t x e) ... (Equation 8)
To calculate.

pk = (p ₀ , p ₁ ) ... (Equation 9)
Is the public key (encryption key)
sk = s ... (expression 10)
Is the private key (decryption key).

However, _{in the case of calculating the product of polynomials as in the calculation of polynomial p 0} , when the degree of the polynomial is N or more, the following replacement is performed.

x ^N = (x ^N +1) -1 = -1 mod (x ^N +1) ... (Equation 11-1)
x ^{N + 1} = x (x ^N +1) -x = -x mod (x ^N +1) ... (Equation 11-2)

Further, when calculating the sum or product of polynomials, if each coefficient is q or more, the coefficient is divided by q and replaced with the remainder (mod q). As a result, the polynomial to be calculated is always a polynomial of degree N-1 or lower in which each coefficient is smaller than q. The same applies to the following calculations.

The encryption algorithm uses a set of four parameters (N, q, t, σ) input to the above key generation algorithm as inputs, and an encryption key pk = (p ₀ , p) generated by the above key generation algorithm. ₁ ) and receive message x.

However, the message x (x ∈ R _t ) is an N-1 degree polynomial in which each coefficient is smaller than t.

Next, three N-1 degree polynomials u, g and f are generated according to an N-dimensional discrete Gaussian distribution χ with a standard deviation of σ.

Next, from the N-1 degree polynomials u, g and f, and the encryption key (public key) pk, t,
c ₀ = p ₀ x u + t x g + x ... (Equation 12-1)
c ₁ = p ₁ × u + t × f ・ ・ ・ (Equation 12-2)
To calculate.

and,
c = (c ₀ , c ₁ ) ∈ (R _q ) ² ... (Equation 13)
Is output as a ciphertext.

As input, the decoding algorithm is a set of four parameters (N, q, t, σ) input to the above key generation algorithm, the above decoding key sk, and the ciphertext c = (c ₀ , c ₁ ) ∈ (R). _q ) ² or (c ₀ , c ₁ , c ₂ ) ∈ (R _q ) ³
To receive. Hereinafter, in the former case, it is considered that _{c 2 = 0.}

next,
C = c ₀ + c ₁ x sk + c ₂ x sk ² ... (Equation 14)
To calculate.

Assuming that the number of polynomials contained in the ciphertext is l + 1,
_{c = (c 0, ···,} c l) for ^{_{∈ (R q) l + 1}} ,
C = Σ _{i = 0 to l} c _i sk ⁱ ∈ R _q ··· (Equation 15)
To calculate.

Let D be the remainder of dividing C by q. When D is q / 2 or more, D is changed to Dq. This is a modulo operation on [−q / 2, q / 2] modulo q of D.

Next, the remainder (D mod t) obtained by dividing D by t is output as the decoding result X.

This public key cryptosystem has homomorphism in addition and information.

For the two messages x and y, the ciphertext is changed from Enc (pk, x) → (c ₀ , c ₁ ) ... (Equation 16-1).
Enc (pk, y) → (d ₀ , d ₁ ) ... (Equation 16-2)
And.

At this time, the addition of the ciphertext is
Enc (pk, x) + Enc (pk, y) = (c ₀ + d ₀ , c ₁ + d ₁ ) ... (Equation 17)
Can be calculated by.

By applying the case where x = y in the addition of the ciphertext, the scalar multiple of the ciphertext can be calculated for any integer n smaller than t. That is, the scalar multiple of the ciphertext is
n × Enc (pk, x) = (n × c ₀ , n × c ₁ ) ・ ・ ・ (Equation 18)
Can be calculated by.

Ciphertext multiplication is
Enc (pk, x) @ Enc (pk, y) = (c ₀ x d ₀ , c ₀ x d ₁ + c ₁ x d ₀ , c ₁ x d ₁ ) ... (Equation 19)
Can be calculated by.

This public key cryptosystem treats polynomials as messages. A vector can be regarded as a polynomial by regarding each component of the vector as each coefficient of the polynomial. Therefore, the vector can be encrypted using this public key cryptosystem.

A method of calculating the ciphertext of the inner product of two vectors while encrypting the two vectors will be described by devising a method of converting the vector into a polynomial and further using the additive homomorphism and the multiplication homomorphism.

Two L (L <N) -order vectors, each component less than t,
A = (a ₀ , ..., a _L-1 ),
B = (b ₀ , ..., b _L-1 )
And.

_{The polynomials f A} and f _B are obtained according to Equations 20 and 21, respectively, by using each component of the vector A as a coefficient in ascending order and each component of the vector B as a coefficient in descending order.

f _A (x) = Σ _{i = 0 to L-1} a _i × x ⁱ ... (Equation 20)

_{f B (x) = - Σ} i = 0~L-1 b i × x N-i ··· ( Formula 21)

The calculation methods of Equations 20 and 21 for converting a vector into a polynomial are called "ascending polynomialization" and "descending polynomialization", respectively. The product of the two polynomials f _A and f _B is calculated as follows.

f _A (x) × f _B (x) = _{−Σ i = N−L + 1 to N-1} (Σ _{j = 0 to} i (a _j × b _{N−i + j} )) x ⁱ + Σ _{i = 0 to L-1} Σ _{j = i to L-1} (a _j × b _j-i ) x ⁱ ... (Equation 22)

Constant term of the polynomial equation _{22, Σ j (a j × b} j), i.e. vectors A, inner product of B <A, B> = Σ i = 0~n-1 a i × b i ··· ( wherein 23)
Is equal to.

_{Two vectors A = (a 0} , ..., a _L-1 ) where each component is 0 or 1.
B = (b ₀ , ..., b _L-1 )
The number of different components among the corresponding components is called the Hamming distance d _H (A, B).

That is, for each i (i = 0, ..., L-1), the Hamming distance is the number of _{i satisfying a i} ≠ bi. The Hamming distance between the two vectors can be calculated using the inner product.

Let the N-dimensional vector C be a vector in which all components are 1, that is, C = (1, ..., 1). At this time, the following equation 24 holds for the Hamming distance.

d _H (A, B) = <A, C> + <C, B> -2 <A, B> ... (Equation 24)

Also, two vectors A = (a ₀ , ..., a _L-1 ),
B = (b ₀ , ..., b _L-1 )
About, the Euclidean distance between A and B is
_{d E (A, B) =} Σ i = 0~n-1 (a i -b i) 2 ··· ( Equation 25)
Defined in.

The Euclidean distance between the two vectors can be calculated using the inner product as shown in Equation 26 below.

_{d E (A, B) =} (Σ i = 0~n-1 a i 2) + (Σ i = 0~n-1 b i 2) -2 <A, B> ··· ( Formula 26)

The biometric authentication method described in Non-Patent Document 2 is configured by using the homomorphic encryption method (Gen, Enc, Dec) having homomorphism with respect to addition and multiplication described in Non-Patent Document 1 above. NS.

In this method, it is assumed that vectors of less than Nth order can be extracted from a living body, the Hamming distance of vectors extracted from the same living body is short, and the Hamming distance of vectors extracted from different living bodies is long. The above equation 24 is used to calculate the Hamming distance.

The biometric authentication method described in Non-Patent Document 1 is executed as follows. _{Biological information A = (a 0} , ..., a _L-1 ) represented in the form of a vector in which each component is 0 or 1.
When registering, the client a vector A, and f _A by ascending polynomial in accordance with Equation 20 above, the encryption is encrypted using the encryption key pk text Enc (pk, f _A) as a template, the server To memorize.

_{Biological information B = (b 0} , ..., b _L-1 ) represented in the form of a vector in which each component is 0 or 1.
When performing authentication, the client converts the vector B into a descending polynomial according to the above equation 21 to obtain f _B, and sends the ciphertext Enc (pk, f _B ) encrypted using the encryption key pk to the server. I will send it.

The server has a polynomial f _C = Σ _{i = 0 to n-1} x ⁱ ... (Equation 27) in which all coefficients are 1.
_{Enc (pk, f C} ) encrypted using the encryption key pk is calculated, and according to the above equation 24,
_{Enc (pk, f A) @Enc} (pk, f C) + Enc (pk, f C) @Enc (pk, f B) -2Enc (pk, f A) @Enc (pk, f B) ··· ( Equation 28)
To calculate.

By sending this to an entity having a decryption key different from that of the server and the client, the entity decrypts the ciphertext.

The constant term of the polynomial, which is the message obtained by decoding with the entity, is the Hamming distance d _H (A, B) of the two vectors A and B.

The authentication result is determined by whether the obtained Hamming distance is longer or shorter than a predetermined threshold value.

Further, it is pointed out in Non-Patent Document 3 that authentication can be performed according to the length of the Euclidean distance by using the method of Non-Patent Document 2 and the above equation 26 (distance between two vectors).

Further, the method of Non-Patent Document 2 does not have resistance to spoofing attacks. For example, when the communication content is eavesdropped and it is accepted, it is accepted again by resending the data transmitted to the collation system.

Specifically, when the client authenticates the biometric information B = (b ₀ , ..., B _L-1 ), the client converts the vector B into a descending polynomial according to the above equation 21 to obtain f _B. , Ciphertext Enc (pk, f _B ) is sent to the server and accepted.

If an attacker who eavesdrops on this Enc (pk, f _{B ) resends the Enc (pk, f B} ) as it is, the attacker will be accepted.

In the methods of Non-Patent Document 2 and Non-Patent Document 3, the entity having the decryption key calculates the distance between the biometric information. In Non-Patent Document 4, it is pointed out that the restoration of the registered biometric information by the entity cannot be prevented in the situation where the entity that can obtain the distance between the biometric information can make an active attack. .. Further, Non-Patent Document 4 describes a method of calculating an authentication result for all entities including the entity having a decryption key while keeping the distance between biometric information secret.

Brakerski, Z .; Vaikuntanathan, V., "Fully homomorphic encryption from ring-LWE and security for key dependent messages", CRYPTO 2011 Yasuda, M .; Shimoyama, T .; Kogure, J .; Yokoyama, K .; Koshiba, T., "Secure Pattern Matching Using Somewhat Homomorphic Encryption", CCSW 2013. Yasuda, M .; Shimoyama, T .; Kogure, J .; Yokoyama, K .; Koshiba, T., "Practical Packing Method in Somewhat Homomorphic Encryption", DPM2013. Haruna Higo; Toshiyuki Isshiki; Kengo Mori; Ken Obana, "Secret biometric authentication method that conceals the distance between biometric information", 2016 Cryptography and Information Security Symposium (SCIS2016).

An analysis of related technologies is given below.

Since the biometric authentication method described in Non-Patent Document 2 is configured by using a cipher based on the difficulty of the ring-LWE problem, the calculation at the time of authentication is light.

However, as described above, the biometric authentication method described in Non-Patent Document 2 is not sufficiently resistant to spoofing.

Therefore, there is a demand for a biometric authentication method that can perform calculations at high speed and can prevent leakage of biometric information and spoofing attacks.

An object of the present invention has been devised in view of the above-mentioned problems, and one of the objects is ciphertext matching which enables speeding up of calculation and prevention of leakage of biometric information and spoofing attacks. To provide systems, nodes, methods, and programs for them.

The ciphertext verification system according to the uniform state of the present invention includes a registration request device, a verification auxiliary device, an authentication request device, and a verification device. The verification device calculates a pair of an encryption key and a decryption key of a homomorphic encryption method capable of polynomial operations, and discloses the encryption key. The registration requesting device polynomializes the registration information, which is a numerical vector, and encrypts the polynomialized registration information using the encryption key. The verification auxiliary apparatus receives an authentication request from the authentication request device, one factor of the order selected at random, to generate a single term equation where the coefficients other than the coefficient of the order is set to 0, the single term A challenge consisting of an encrypted text in which the expression is encrypted using the encryption key is sent to the authentication requesting device. The authentication requesting device uses the encryption key to polynomialize the authentication information, which is a numerical vector, based on the polynomialized authentication information and the challenge from the collation assisting device. information and calculates a product ciphertext with the single term expression used for the generation of the challenge, the ciphertext of the product of the said used to generate the polynomial of the said authentication information challenge single polynomial Is sent to the collation assisting device as the response. When the collation assisting device receives a response from the authentication requesting device, the collation assisting device is based on the response, a challenge assist composed of the one coefficient and its order, and the registration information encrypted by the registration requesting device. Using the encryption key, the ciphertext of the distance between the registration information and the authentication information is calculated, and the ciphertext of the distance between the registration information and the authentication information is sent to the verification device. The verification device decodes the ciphertext of the distance between the registration information and the authentication information received from the verification assisting device using the decryption key to calculate the distance, and calculates the distance or the distance. And the comparison result with the predetermined threshold value are output as the collation result.

The device according to the uniformity of the present invention is a collation assisting device for acquiring the encryption key published by a verification device for calculating a pair of encryption key and decryption key of a quasi-identical encryption method capable of polymorphic operation. Upon receiving the authentication request from the authentication request device, one factor of the order selected at random, to generate a single term equation where the coefficients other than the coefficient of the order is set to 0, the single term formulas, the encryption key A challenge generator that sends a challenge consisting of a cipher statement encrypted using wherein calculating the ciphertext of the product of the authentication information and the single term expression used for the generation of the challenge, the encryption of the product of the used to generate the polynomial of the said authentication information challenge single polynomial The statement is received from the authentication requesting device that outputs the statement as a response, and the response, the challenge assistance consisting of the one coefficient and its order, and the polymorphization that is encrypted by the registration requesting device and stored in the storage device. Based on the registered information and the encryption key, the encryption text of the distance between the registration information and the authentication information is calculated, and the encryption text of the distance between the registration information and the authentication information is sent to the verification device. It includes a query generation unit. In the verification device, the ciphertext of the distance between the registration information and the authentication information is decrypted using the decryption key to calculate the distance, and the calculated distance or the distance and a predetermined threshold value are used. The comparison result is output as the collation result.

The device according to the uniformity of the present invention is an authentication request for calculating a pair of an encryption key and a decryption key of a quasi-isomorphic encryption method capable of polymorphic operation and acquiring the encryption key from a verification device that discloses the encryption key. The device includes an authentication information extraction unit that converts authentication information that is a numerical vector into a polymorphism, and an authentication request generation unit that generates an authentication request to be transmitted to a verification assisting device. Further, when receiving the authentication request, one factor of the order selected at random, to generate a single term equation where the coefficients other than the coefficient of the order is set to 0, the single term formulas, the encryption key The cipher is based on the authentication information obtained by receiving the challenge from the collation assisting device that sends the challenge composed of the encrypted text encrypted by the use to the authentication requesting device and polynomializing the authentication request generation unit, and the challenge. using encryption key, and the authentication information polynomial of, calculates a cryptogram of the product of the single-term expression used for the generation of the challenge, were used to generate the polynomial of the said authentication information challenge wherein the ciphertext of the product of the single-term equation, as a response, further comprising a response generation unit to be sent to the verification auxiliary apparatus. The collation assisting device uses the encryption key based on the response, the challenge assist consisting of the one coefficient and its order, and the polymorphic registration information encrypted by the registration requesting device. The ciphertext of the distance between the registration information and the authentication information is calculated, and the ciphertext of the distance between the registration information and the authentication information is sent to the verification device.

Apparatus according to one aspect of the present invention, when receiving an authentication request from the authentication request device, one factor of the order selected at random, to generate a single term equation where the coefficients other than the coefficient of the order is set to 0, the single-term equation, the challenge consists of ciphertext encrypted using the encryption key and send it to the authentication request device receives a response from the authentication request device, its degree the and response, the one coefficient Based on the challenge assistance consisting of the challenge assistance and the polymorphic registration information stored in the storage device encrypted by the registration request device, the encryption key is used to encrypt the distance between the registration information and the authentication information. A verification device connected to a collation assisting device for calculating Upon receiving the cipher of the distance between the registration information and the authentication information from the collation assisting device, the cipher of the distance between the registration information and the authentication information is decrypted using the decryption key to calculate the distance. It includes a query verification unit and a collation result generation unit that outputs the calculated distance or the comparison result between the distance and a predetermined threshold as a collation result.

The method in the uniform state of the present invention is a ciphertext processing method by at least one computer.
(A) Calculate a pair of encryption key and decryption key of homomorphic encryption method capable of polynomial arithmetic, and publish the encryption key.
(B) When registering registration information
Polynomialize the registered information, which is a numerical vector,
The polynomialized registration information is encrypted using the encryption key,
(C) In the collation assistance process,
Upon receiving an authentication request, one coefficient and its order are randomly selected,
The coefficients other than the coefficient of the order to generate the 0 and the single section type,
The single-term equation, send a challenge consisting of ciphertext encrypted by using the encryption key to the requesting of the authentication request,
(D) At the authentication request source,
Polynomialize the authentication information, which is a numerical vector,
A polynomial of the said authentication information, based on said challenge from said verification auxiliary processing, using the encryption key, the product of the single term expression used for the generation of the polynomial of the said authentication information challenge Calculate the ciphertext of
The ciphertext of the product of the polynomial of the said authentication information used for the generation of the challenge the single term formulas, the response sent to the verification auxiliary processing,
(E) In the collation assistance process,
When a response is received from the authentication requester, the registration information is obtained by using the encryption key based on the response, the challenge assistance consisting of the one coefficient and its order, and the encrypted registration information. Calculate the ciphertext of the distance of the authentication information,
The ciphertext of the distance between the registration information and the authentication information is sent to the verification destination.
(F) At the verification destination,
The ciphertext of the distance between the registration information and the authentication information received from the verification assistance process is decrypted using the decryption key to calculate the distance.
The calculated distance or the comparison result between the distance and a predetermined threshold value is output as a collation result.

The program according to the uniformity of the present invention is connected to a verification device that calculates a pair of encryption key and decryption key of a homomorphic encryption method capable of polynomial operations and publishes the encryption key, and is connected to an authentication request device. For the computers that make up the verification assist device
When an authentication request is received from the authentication request device, one coefficient and its order are randomly selected.
The coefficients other than the coefficient of the order to generate the 0 and the single section type,
Wherein a process of a single section type, sends a challenge consisting of ciphertext encrypted by using the encryption key to the authentication request device,
Polynomial the authentication information is a numeric vector, based on said challenge using said encryption key, it calculates a cryptogram of the product of the single-term expression used for the generation of the polynomial of the said authentication information challenge , the ciphertext of the product of the said used to generate the polynomial of the said authentication information challenge single section type, a process of receiving a response from the authentication request device for outputting as a response,
When a response is received from the authentication request device, the response, the challenge assistance consisting of the one coefficient and its order, and the polymorphic registration information encrypted by the registration request device and stored in the storage device are displayed. Based on this, the process of calculating the ciphertext of the distance between the registration information and the authentication information using the encryption key and sending the ciphertext of the distance between the registration information and the authentication information to the verification device is executed. It consists of a program to let you.

The program according to the uniformity of the present invention obtains an encryption key published by a verification device that calculates a pair of encryption key and decryption key of a homomorphic encryption method capable of polynomial operations.
Upon receiving the authentication request, one factor of the order is randomly selected, the coefficients other than the coefficient of the order to generate the 0 and the single section type, the single term equation, using the encryption key cryptography A challenge consisting of the encrypted encrypted text is sent to the authentication requesting device, the response received from the authentication requesting device, the challenge assistance consisting of the one coefficient and its order, and the polynomialized registration encrypted by the registration requesting device. Based on the information, the encryption key is used to calculate the encryption text of the distance between the registration information and the authentication information, and the encryption text of the distance between the registration information and the authentication information is sent to the verification device. To the computer that constitutes the authentication request device connected to the auxiliary device,
The process of generating the authentication request and transmitting it to the verification assisting device, and
The process of receiving a challenge from the verification assist device and
Based on the authentication information that is polynomialized and polynomialized from the authentication information that is a numerical vector and the challenge received from the collation assisting device, the authentication information that is polynomialized and the challenge are generated using the encryption key. calculating a product ciphertext between the single term expression used in,
The ciphertext of the product of the polynomial of the said authentication information and said single-term expression used for the generation of the challenge, as the response consists of a program for executing a processing to be sent to the verification auxiliary apparatus.

Program according to one aspect of the present invention, when receiving an authentication request from the authentication request device, one factor of the order selected at random, to generate a single term equation where the coefficients other than the coefficient of the order is set to 0, the single-term equation, the challenge consists of ciphertext encrypted using the encryption key and send it to the authentication request device receives a response from the authentication request device, its degree the and response, the one coefficient Based on the challenge assistance consisting of the challenge assistance and the polynomialized registration information stored in the storage device encrypted by the registration request device, the encryption key is used to encrypt the distance between the registration information and the authentication information. To the computer that configures the verification device connected to the verification auxiliary device that calculates
A key generation process that calculates a pair of the encryption key and the decryption key of the homomorphic encryption method capable of polynomial operations and publishes the encryption key.
When the ciphertext of the distance between the registration information and the authentication information is received from the collation assisting device, the ciphertext of the distance between the registration information and the authentication information is decrypted using the decryption key. Query verification for calculating the distance. Processing and
The program comprises a program for executing a collation result generation process that outputs the calculated distance or the comparison result between the distance and a predetermined threshold value as a collation result. According to one aspect of the present invention, a computer-readable storage medium (semiconductor memory, magnetic disk medium / optical disk medium, etc .: non-transitory computer-readable recording medium) on which the above program is recorded is provided.

According to the present invention, it is possible to perform collation processing at high speed and prevent leakage of plaintext data and spoofing attacks.

It is a figure which illustrates the structure of the 1st and 3rd exemplary embodiments of this invention. It is a figure explaining an example of the process of the preparation phase of the 1st and 3rd exemplary embodiments of this invention. It is a figure explaining an example of the process of the registration phase of the 1st and 3rd exemplary embodiments of this invention. It is a figure explaining an example of the processing of the authentication phase of the 1st and 3rd exemplary embodiments of this invention. It is a figure which illustrates the structure of the 2nd and 4th exemplary embodiments of this invention. It is a figure explaining an example of the process of the preparation phase of the 2nd and 4th exemplary embodiments of this invention. It is a figure explaining an example of the process of the registration phase of the 2nd and 4th exemplary embodiments of this invention. It is a figure explaining an example of the processing of the authentication phase of the 2nd and 4th exemplary embodiments of this invention.

First, the basic concept of the present invention will be described. In the system (ciphertext verification system) according to one aspect of the present invention, the verification device (means) calculates a pair of an encryption key pk and a decryption key sk of a quasi-isomorphic encryption method capable of polypoly arithmetic, and performs the encryption. Publish the key pk.

The registration requesting device (means) (for example, 110 in FIG. 1) converts the registration information (A = (a ₀ , ..., a _L-1 )) which is a numerical vector into a polynomial (for example, f _A ), and the registration is made into a polynomial. Information is encrypted using the encryption key (pk) (for example, Enc (pk, f _{A )), and the sum of squares Enc (pk, Σ i = 0 to} ) of each coefficient of the polynomial (each component of the numerical vector). _{n-1 ai} ² )) may be included).

When the verification auxiliary device (means) (for example, 140 in FIG. 1) receives an authentication request from the authentication request device (means) (for example, 130 in FIG. 1), one coefficient (r) and its order (h) are randomly assigned. selected, the coefficients other than the coefficient of the degree (h) to generate a single term expression was 0 (r × x ^h), the single term formula (r × x ^h), using the encryption key pk A challenge consisting of an encrypted encrypted text (Enc (pk, r × x ^h )) is sent to the authentication requesting device (means).

When the collation assisting device (means) receives a response (Enc (pk, (r × x ^h ) × (f _B )) from the authentication requesting device (means), the response and the one coefficient (r) based on and its degree (h) challenge auxiliary consisting of (r, h), and the registration information encrypted by the registration request unit (means) (e.g., 110 in FIG. _{1) (Enc (pk, f} a)) , The encryption key (pk) is used to generate an encrypted inner product (Enc (pk, f _A × f _B )) of the _{registration information Enc (pk, f A) and the authentication information.} The means) are an encryption key (pk), an encryption inner product (Enc (pk, f _A × f _B )), and encrypted registration information (Enc (pk, Σ _{i = 0 to n-1} a _i ^2). a)), Enc (pk included in the response, sigma _{i =} based on _{0~n-1 b} ^{i 2),} the distance _{(d E (a, B)} ) ciphertext _{(Enc (pk, d E (} a , B))) are calculated.

The collation assisting device (means) sends the ciphertext of the distance between the encrypted registration information and the authentication information to the verification device (for example, 150 in FIG. 1).

The authentication requesting device (means) is a _{polynomialized authentication information (b 0} , ..., B _L-1 ) which is a numerical vector, and the polynomialized authentication information and the collation assisting device (means) transmitted. Challenge (based on the ^{Enc (pk, r × x h} ), using said encryption key (pk), a polynomial of the said authentication information _{(f B)} and used for the generation of the challenge the single term formula ( A cipher of the product of r × x ^h ) (Enc (pk, (r × x ^h ) × (f _B ))) and a cipher of the sum of squares of each coefficient of the polynomial (each component of the numerical vector). _{(Enc (pk, Σ i =} 0~n-1 b i 2)) is calculated.

The authentication request device (means), a polynomial of the said authentication information (f _B), the ciphertext of the product of the said used to generate the challenge single term formula ^{(r × x h) (Enc} (pk _{^{, r × x h) × (}} f B)), and the ciphertext of the sum of the squares of the coefficients of the polynomial (each component of a numeric _{vector) (Enc (pk, Σ i} = 0~n-1 b i 2) ) Is sent to the collation assisting device (means) as the response.

_{The verification device (means) converts the ciphertext (Enc (pk, d E} (A, B))) of the distance between the registration information and the authentication information received from the verification auxiliary device (means) into the decryption key. Decryption is performed using (sk), the distance between the registration information and the authentication information is calculated, and the calculated distance or the comparison result between the distance and a predetermined threshold value is output as a collation result.

According to one embodiment of the present invention, a storage device (for example, 120 in FIG. 1) is further provided. The storage device is
The registered data storage unit (for example, 123 in FIG. 1) and
An identifier assigning unit (means) (for example, 121 in FIG. 1) that assigns an identifier to the encrypted registration information received from the registration requesting device (means).
A registration data generation unit (means) (for example, 122 in FIG. 1) that generates registration data composed of a set of the encrypted registration information and the identifier and stores the registration data in the registration data storage unit.
Upon receiving the registration data request from the collation assisting device (means), the registered data stored in the registration data storage unit is encrypted and is paired with the identifier included in the registration data request. The configuration may include a registration data search unit (means) (for example, 124 in FIG. 1) for sending the registered information to the collation assisting device (means).

In this case, the verification auxiliary device (means) is included in the authentication request received from the authentication request device (means), and sends a registration data request including an authentication identifier corresponding to the authentication information to the storage device (means). It may be configured to be used. The collation assisting device (means) receives the encrypted registration information corresponding to the authentication identifier from the storage device (means), the response received from the authentication requesting device (means), and the challenge assist. And, based on the encrypted registration information received from the storage device (means), the encrypted text of the distance between the registration information and the authentication information may be calculated.

According to one embodiment of the present invention, a storage device (for example, 220 in FIG. 5) is further provided. The storage device is
With the registered data storage unit (for example, 223 in FIG. 5),
An identifier assigning unit (means) (for example, 221 in FIG. 5) that assigns an identifier to the encrypted registration information received from the registration requesting device (means).
A registration data generation unit (means) (for example, 222 in FIG. 5) that generates registration data composed of a set of the encrypted registration information and the identifier and stores the registration data in the registration data storage unit.
It may be configured to include.

In this case, among one or a plurality of registered data stored in the registered data storage unit (223 in FIG. 5) in response to a registration data request from the collation assisting device (means) (for example, 240 in FIG. 5). , A part or all of the registered data may be transmitted to the collation assisting device (means) (240 in FIG. 5). The collation assisting device (means) (240 in FIG. 5) receives one or more registered data from the storage device (means), and requests the authentication for each registered data received from the storage device (means). The encrypted registration information and the authentication information based on the response received from the device (means) (for example, 230 in FIG. 5), the challenge assistance, and the encrypted registration information included in the registration data. The ciphertext of the distance is calculated, and for the registered data, the pair of the calculated ciphertext of the distance between the registration information and the authentication information and the identifier included in the registration data is used as verification data, and one or the generated one or A plurality of the verification data may be sent to the verification device (means) (for example, 250 in FIG. 5).

The verification device (means) (250 in FIG. 5) receives one or more of the verification data from the verification auxiliary device (means) (240 in FIG. 5), and each verification data is included in the verification data. The ciphertext of the distance to be obtained is decrypted using the decryption key to calculate the distance, and the result of comparison between the calculated distance and a predetermined threshold, or the calculated distance and the identifier included in the verification data. The pair with and may be used as the collation result, and the collation result may be output.

As described above, according to one aspect of the present invention, the polynomial generated based on the registration information which is a numerical vector is encrypted by using the encryption key, and the coefficient of one term is a random number and the coefficient of the other term is and challenge the single term expression was encrypted is 0, it generates a ciphertext of the product of the generated polynomial based on the authentication information is a numeric vector, and ciphertext generated polynomial based on the registration information, the challenge And the cipher of the product of the polynomial generated based on the challenge and the authentication information, the cipher of the distance between the registration information and the authentication information is generated. Then, the ciphertext (the ciphertext of the distance between the registration information and the authentication information) is decrypted using the decryption key, and the distance is calculated.

In the above aspect, the registration requesting device uses the i-th component of the registration information (registration vector) (where i is a non-negative integer of L-1 or less and L is a positive integer of 2 or more) as the coefficient of the i-order term. A -1st order polypoly (fA) is generated, and the authentication requesting device uses the inverse element of the i-th component (where i is a non-negative integer less than or equal to L-1) of the authentication information (authentication vector) as the N−i order (N is). An Nth-order polypoly is generated as a coefficient of the term (a positive integer greater than L), but the registration requesting device is the inverse of the i-th component (where i is a non-negative integer less than or equal to L-1) of the registration information (registration vector). An N-th order polymorphic element is generated with the element as a coefficient of the term of N-th order (N is a positive integer larger than L), and the authentication requesting device generates the i-th component (where i is L-) of the authentication information (authentication vector). A non-negative integer of 1 or less and L is a positive integer of 2 or more) may be used as the coefficient of the i-th order term to generate an L-1st order polymorphic fA.

An exemplary embodiment of the present invention will be described in detail with reference to the drawings.

In each of the following exemplary embodiments, the case where the present invention is used as biometric authentication will be described. The ciphertext verification system of each embodiment is not limited to the use of biometric authentication.

(First Embodiment)
FIG. 1 is a diagram illustrating the configuration of the ciphertext verification system 100 according to the first exemplary embodiment. The ciphertext verification system 100 is composed of an information processing system such as a computer system. The ciphertext verification system 100 according to the first exemplary embodiment is roughly classified into a registration request device 110, a storage device 120, an authentication request device 130, a verification auxiliary device 140, and a verification device 150.

The registration request device 110 includes a registration information extraction unit 111, a first template generation unit 112, a second template generation unit 113, and a template generation unit 114.

The storage device 120 includes an identifier assigning unit 121, a registration data generation unit 122, a registration data storage unit 123, and a registration data search unit 124.

The authentication request device 130 includes an authentication request generation unit 131, an authentication information extraction unit 132, a first response generation unit 133, a second response generation unit 134, and a response generation unit 135.

The collation auxiliary device 140 includes a challenge auxiliary generation unit 141, a challenge generation unit 142, a registration data request generation unit 143, an encryption inner product calculation unit 144, and a query generation unit 145.

The verification device 150 includes a key generation unit 151, a decryption key storage unit 152, a query verification unit 153, and a collation result generation unit 154.

The registration request device 110 and the storage device 120, the storage device 120 and the verification auxiliary device 140, the authentication request device 130 and the verification request device 140, and the verification auxiliary device 140 and the verification device 150 communicate with each other via, for example, a communication network. It shall be possible. Alternatively, the registration request device 110, the storage device 120, the verification auxiliary device 140, the authentication request device 130, and the verification device 150 are connected via a network such as a LAN (Local Area Network) or a WAN (Wide Area Network). May be. Of course, a plurality of devices among the registration request device 110, the storage device 120, the verification assist device 140, the authentication request device 130, and the verification device 150 may be mounted in one unit. The registration request device 110, the storage device 120, the verification auxiliary device 140, and the authentication request device 130 are the public keys disclosed by the verification device 150 (the encryption key of the homomorphic encryption method created by the verification device 150 and capable of polymorphic operation). The encryption key of the decryption key pair) can be obtained. In at least one device of the registration request device 110, the storage device 120, the verification auxiliary device 140, the authentication request device 130, and the verification device 150, or all the devices, at least a part or all of the processing of each part is performed by a computer (CPU (Central)). It may be realized by a program executed by a processing unit) or a processor). In this case, the program is read from a computer-readable semiconductor memory, HDD (Hard Disk Drive), CD (Compact Disk), DVD (Digital Versaille Disk), etc. on which the program is recorded into the main memory of the computer and executed. The processing of each part is realized.

In the ciphertext verification system 100, the registration request device 110 and the authentication request device 130 may be collectively referred to as a "first node". In the ciphertext verification system 100, the storage device 120 and the verification auxiliary device 140 may be collectively referred to as a “second node”. Further, in the ciphertext verification system 100, the verification device 150 may be referred to as a "third node". That is, the ciphertext verification system 100 is not limited to the mode illustrated in FIG.

[Explanation of operation]
Next, the operation of the ciphertext verification system 100 according to the present embodiment will be described with reference to the drawings. The processing in the ciphertext verification system 100 according to the first exemplary embodiment of the present invention will be described.

The processing in the ciphertext verification system 100 is roughly classified.
・ Preparation phase,
・ Registration phase and
-Includes collation phase.

First, the outline of the processing in each phase will be described. The ciphertext verification system 100 according to the first exemplary embodiment of the present invention uses a homomorphic encryption system having homomorphism in addition and multiplication. For convenience of explanation, the cryptosystem used is assumed to handle an N-1 degree polynomial in which each coefficient is a non-negative integer smaller than t as a message (coefficient ∈ Z _t = {0, 1, 2, ..., t-1}).

In the preparation phase, the encryption key and the decryption key are mainly generated using the received security parameters.

In the registration phase, a template in which the extracted registration vector is encrypted is mainly created and stored using the encryption key generated in the preparation phase.

In the collation phase, the distance between the newly extracted authentication vector and one registration vector is calculated mainly by using the decryption key generated in the preparation phase.

Next, the process executed by the ciphertext verification system 100 in each of the above-mentioned phases will be described in detail.

FIG. 2 is a flowchart showing an example of processing executed by the ciphertext verification system 100 according to the first exemplary embodiment in the preparation phase. The process executed by the ciphertext verification system 100 according to the present embodiment in the preparation phase will be described with reference to FIG.

The key generation unit 151 in the verification device 150 receives the security parameter, and uses the received security parameter, for example, according to the above-mentioned key generation algorithm (Non-Patent Document 1), the encryption key (public key) pk, and the key generation unit 151. A decryption key (private key) sk is generated (step A1). The generated encryption key and decryption key conform to the public key cryptosystem having homomorphism in addition and multiplication.

The key generation unit 151 publishes the generated encryption key pk in the ciphertext verification system 100 (step A2).

The key generation unit 151 stores the generated decryption key sk in the decryption key storage unit 152 (step A3).

The process executed by the ciphertext verification system 100 according to the present embodiment in the preparation phase is not limited to the mode illustrated in FIG.

FIG. 3 is a flowchart showing an example of processing executed by the ciphertext verification system 100 according to the first exemplary embodiment in the registration phase. The process executed by the collation system 100 according to the present embodiment in the registration phase will be described with reference to FIG.

The registration information extraction unit 111 in the registration request device 110 receives biological information (referred to as “registration vector”) from the living body to be registered.
A = (a ₀ , ..., a _L-1 ) ... (Equation 29)
Is extracted (step B1).

Next, the first template generation unit 112 in the registration request device 110 uses the encryption key pk to generate each i-th (i = 0, ..., L-1) of the registration vector A according to the following equation 30. component _{a i} a i-th order having the coefficients of the terms L-1 order polynomial _f a _{of) (x) = Σ i =} 0~L-1 a i × x i ··· ( formula 30)
Ciphertext Enc (pk, f _A )
Is calculated (step B2).

Ciphertext calculated in step B2 Enc (pk, _{f A)} being referred to as the "first template".

Next, the second template generation unit 113 in the registration request device 110 uses the encryption key pk to sum the squares of each component of the registration vector A Σ _{i = 0 to L-1} a _i ² ... (Equation 31). )
Ciphertext Enc (pk, Σ _{i = 0 to L-1} a _i ² )
Is calculated (step B3).

_{The squared sum ciphertext Enc (pk, Σ i = 0 to L-1 ai} ² ) of each component of the registration vector A calculated in step B3 is referred to as a “second template”.

Next, the template generation unit 114 in the registration request device 110 puts together the first template and the second template, and the templates (Enc (pk, f _A ), Enc (pk, Σ _{i = 0 to n-1} a _i ² )). ) ・ ・ ・ (Equation 32)
(Step B4).

The registration requesting device 110 sends the template (Enc (pk, f _A ), Enc (pk, Σ _{i = 0 to n-1 ai} ² )) to the storage device 120 (step B5).

Next, the storage device 120 receives a template (Enc (pk, f _A ), Enc (pk, Σ _{i = 0 to n-1} a _i ² )) from the registration request device 110 (step B6).

The identifier assigning unit 121 in the storage device 120 is an identifier _{unique to the template (Enc (pk, f A} ), Enc (pk, Σ _{i = 0 to n-1} a _i ² )) received from the registration request device 110. The registration identifier id is determined (step B7).

The storage device 120 sends the registration identifier id to the registration request device 110 (step B8).

Next, the registration request device 110 receives the registration identifier id from the storage device 120 (step B9).

The registration request device 110 displays the received registration identifier id on a user interface (UI) such as a display (step B10). Alternatively, the registration request device 110 may store the received registration identifier id in an IC (integrated_cycle) card such as an employee ID card or an identifier card.

Next, the registration data generation unit 122 in the storage device 120 puts together the template and the registration identifier id, and the registration data ((Enc (pk, f _A ), Enc (pk, Σ _{i = 0 to n-1} a _i ² )). ), Id) ・ ・ ・ (Equation 33)
(Step B11).

The registration data (Equation 33) is stored in the registration data storage unit 123 in the storage device 120 (step B12).

The process executed by the ciphertext verification system 100 according to the present embodiment in the registration phase is not limited to the mode illustrated in FIG. For example, step B11 and step B12 may be executed prior to step B8.

FIG. 4 is a flowchart showing an example of processing executed by the ciphertext verification system 100 according to the first exemplary embodiment in the authentication phase. The process executed by the collation system 100 according to the present embodiment in the authentication phase will be described with reference to FIG.

The authentication requesting device 130 receives an identifier (referred to as an “authentication identifier”) possessed by the authentication target (step C1).

Next, the authentication request generation unit 131 in the authentication request device 130 generates an authentication request including the received authentication identifier (step C2).

The authentication request device 130 sends an authentication request to the verification auxiliary device 140 (step C3).

The verification auxiliary device 140 receives an authentication request from the authentication request device 130 (step C4).

Next, the challenge auxiliary generation unit 141 in the collation auxiliary device 140 randomly selects an integer r smaller than the integer t and an integer h smaller than N-1. The challenge assistance generation unit 141 collects the selected values r and h and sets them as challenge assistance (r, h) (step C5).

Then, the challenge generating unit 142 in the verification auxiliary apparatus 140 uses the encryption key pk, challenge auxiliary (r, h) the single term equation r × ^x h ··· calculated from (Equation 34)
The ciphertext Enc (pk, r × x ^h ) of is calculated (step C6). The ciphertext Enc (pk, r × x ^h ) calculated in step C6 is called a “challenge”.

The collation assisting device 140 sends the challenge Enc (pk, r × ^h ) to the authentication requesting device 130 (step C7).

Next, the registration data request generation unit 143 in the collation assisting device 140 generates a registration data request including the authentication identifier included in the authentication request received from the authentication request device 130 (step C8).

The collation assisting device 140 sends the registration data request to the storage device 120 (step C9).

Next, the storage device 120 receives a registration data request from the collation assisting device 140 (step C10).

The registration data search unit 124 in the storage device 120 identifies the registration data including the authentication identifier included in the registration data request among one or a plurality of registration data stored in the registration data storage unit 123 (step C11). ). The template included in the specified registration data is called a "matching target template".

The storage device 120 sends the collation target template to the collation assisting device 140 (step C12).

The collation assisting device 140 receives the collation target template from the storage device 120 (step C13).

The authentication requesting device 130 receives the challenge transmitted by the verification assisting device 140 in step C7 (step C14).

Next, the authentication information extraction unit 132 in the authentication request device 130 receives biometric information (referred to as “authentication vector”) from the living body to be authenticated.
B = (b ₀ , ..., b _L-1 ) ... (Equation 35)
Is extracted (step C15).

Then, the first response generator 133 of the authentication requesting device 130 in accordance with the above equation 21, the authentication each i-th vector B (i = 0, ..., L-1) inverse -b concerning the addition component _{b i} of _i a, N-i Next N order polynomial _f B having the coefficient of the term _{(x) = - Σ i =} 0~n-1 b i × x N-i ··· ( formula 36)
Is calculated. Moreover,
・ Encryption key PK and
・ The generated polynomial f _B and
-Challenge Enc (pk, r × x ^h ) received from the collation assisting device 140 and
Based on
For example, using the property (Equation 6) of the encryption method that can calculate the scalar multiple of the ciphertext, the first response Enc (pk, (r × x ^h ) × (f _B )) ... (Equation 37)
Is generated (step C16).

Then, the second response generator 134 in the authentication request unit 130 uses the encryption key pk, the authentication vector ₌ 0 to _L-1 square sum sigma _i of each component of B ^{b i} 2 ··· (wherein 38 )
Ciphertext _{Enc (pk, Σ i = 0~L} -1 b i 2)
Is calculated (step C17). The ciphertext of the sum of squares of each component of the authentication vector B calculated in step C17 is called a "second response".

Next, the response generation unit 135 in the authentication request device 130
-First response Enc (pk, (r × x ^h ) × (f _B )),
And second response _{Enc (pk, Σ i = 0~L} -1 b i 2) and combined, the response (Enc (pk, (r × x h) × (f B)), Enc (pk, Σ i = ^{_{0~L-1 b i 2))}} ··· ( equation 39)
(Step C18).

The authentication request device 130 sends the above response (Equation 39) generated in step C18 to the collation assisting device 140 (step C19).

Next, the collation assisting device 140 receives the above response (Equation 39) from the authentication requesting device 130 (step C20).

Next, the encryption inner product calculation unit 144 in the collation auxiliary device 140
・ Encryption key PK and
· Generated challenge auxiliary in step C5 (r, h) the single term expression ^{-r -1} × ^{x N-h} generated from,
Response (Enc (pk, (r × x h) × (f B)), Enc (pk, Σ i = 0~L-1 b i 2)) received in step C20 to the first response Enc included ( pk, (r × x ^h ) × (f _B )),
Based on
For example, using the property (Equation 5) of the encryption method that can calculate the scalar multiple of the ciphertext,
Enc (pk, f _B ) = (-r ^-1 x x ^N-h ) x Enc (pk, (r x x ^h ) x (f _B )) ... (Equation 40)
To calculate.

Further, the encrypted inner product calculation unit 144
・ Encryption key PK and
· First template Enc (pk, _{f A)} included in the comparison target template received in step C13 and,
-Calculated ciphertext Enc (pk, f _B ) and
Based on
Cryptographic inner product Enc (pk, f _A x f _B ) using the multiplication homomorphism of the cryptosystem
Is generated (step C21).

Incidentally, as described above (Equation 22, Equation 23), the constant term of _{f A} × _{f B} is the inner product of the registration vectors A and authentication vector B <A, B> = Σ i = 0~n-1 a i × bi _i
Is equal to.

Next, the query generation unit 145 in the collation assisting device 140
・ Encryption key PK and
-Encryption inner product Enc (pk, f _A x f _B ) generated in step C21.
When,
_{-The second template Enc (pk, Σ i = 0 to n-1 ai} ² ) included in the collation target template received in step C13, and
And second response _{Enc (pk, Σ i = 0~L} -1 b i 2) included in the response received in step C20 and,
From, using the additive homomorphism of the cryptosystem, the query Enc (pk, f)
Is generated (step C22).

However, in the query Enc (pk, f), the constant term of f is the Euclidean distance d _E (A, B) = (Σ _{i = 0 to n-1) between the registration vector A and the authentication vector B according to the above equation 26. ^{a i 2) + (Σ i}} = 0~n-1 b i 2) -2 <A, B>
And.

The collation assisting device 140 sends the query Enc (pk, f) to the verification device 150 (step C23).

Next, the verification device 150 receives the query Enc (pk, f) from the collation assisting device 140 (step C24).

Next, the query verification unit 153 in the verification device 150 decodes the query Enc (pk, f) using the decryption key sk.

The constant term of the polynomial obtained as the decoding result Dec (sk, Enc (pk, f)) is used as the verification result (step C25).

As described above, the verification result is the Euclidean distance d _E (A, B) between the registration vector A and the authentication vector B.

Next, the collation result generation unit 154 in the verification device 150 uses the verification result as the collation result. Alternatively, the collation result generation unit 154 may use the result of comparing the magnitude of the verification result with the predetermined threshold value as the collation result (step C26).

The verification device 150 outputs the calculated collation result (step C27).

The process executed by the ciphertext verification system 100 according to the present embodiment in the authentication phase is not limited to the mode illustrated in FIG. For example, steps C9 to C13 may be executed prior to step C5.

In the above description of the ciphertext verification system 100 according to the present embodiment,
· Polynomial f _A of the first template generation unit 112 is generated in step B2 in FIG. 3 in the registration request unit 110, and a polynomial generated according to equation 19 from the registration vectors A,
_{The polynomial f B} generated by the first response generation unit 133 in the authentication request device 130 in step C16 of FIG. 4 is assumed to be a polynomial generated from the authentication vector according to the equation 21. However, it is clear that the method of generating the two polynomials in this embodiment is not limited to the above method. for example,
· A polynomial f _A of the first template generation unit 112 is generated in step B2 in the registration request unit 110, based on the registration vector A, the polynomial to be generated according to Equation 21,
_{The polynomial f B} generated by the first response generation unit 133 in the authentication request device 130 in step C16 may be a polynomial generated according to the equation 20 based on the authentication vector.

[Explanation of effect]
Next, the effect of the ciphertext verification system 100 according to the first exemplary embodiment will be described.

According to the collation system 100 according to the first exemplary embodiment, it is possible to safely realize 1: 1 authentication in which a user requesting authentication presents his / her own living body and an identifier to perform authentication. Is. That is, it has the following two effects.

According to the ciphertext verification system 100 according to the first exemplary embodiment, the registration vector extracted by the registration request device 110 is encrypted on the registration request device 110 and sent to the storage device 120. Further, the authentication vector extracted by the authentication request device 130 is encrypted on the authentication request device 130 and sent to the verification auxiliary device 140.

It is the verification device 150 having the decryption key that can decrypt these ciphertexts, but the data received by the verification device 150 is the ciphertext of the Euclidean distance between the registration vector and the authentication vector, and the registration vector and the authentication vector. The value of is not disclosed. Therefore, according to the ciphertext verification system 100 according to the first exemplary embodiment, values other than the distance between the registration vector and the authentication vector are not leaked to devices other than the device that extracts each vector, and verification is performed. In the device, it is possible to calculate the distance between the registration vector and the authentication vector.

Further, according to the ciphertext verification system 100 according to the first exemplary embodiment, even when authenticating with the same registration vector, the process using the random number selected in step C5 of FIG. 4 can be performed. Will be done. Therefore, even if the communication content of the verification process is leaked,
・ Resend the leaked content or
・ Even if you send data created using the leaked content,
It is not possible to calculate a distance equal to or a small value at the time of the leaked collation. In particular, when the ciphertext verification system 100 according to the first exemplary embodiment is used for authentication of "acceptance" when the distance between the registration vector and the authentication vector is smaller than the threshold value, the registration vector is not known. It has the property that an attacker is not "accepted", that is, it is resistant to spoofing attacks.

Further, the ciphertext verification system 100 according to the first exemplary embodiment can be modified so as not to disclose the Euclidean distance between the registration vector and the authentication vector to the verification device 150 having the decryption key. For example, by applying the same method as that described in Non-Patent Document 4, the verification device 150 having a decryption key can be transformed into a method in which the Euclidean distance between the registration vector and the authentication vector cannot be calculated. The method of not disclosing the Euclidean distance between the registration vector and the authentication vector to the verification device 150 having the decryption key means that the verification device 150 having the decryption key calculates the value of the registration vector even under special circumstances. Since it can be prevented, higher safety can be achieved.

[Second Embodiment]
[Description of configuration]
FIG. 5 is a diagram schematically illustrating the configuration of the ciphertext verification system (also referred to as “information processing system”) 200 according to the second exemplary embodiment. The ciphertext verification system 200 according to the second exemplary embodiment is roughly classified into a registration request device 210, a storage device 220, an authentication request device 230, a verification auxiliary device 240, and a verification device 250.

The registration request device 210 includes a registration information extraction unit 211, a first template generation unit 212, a second template generation unit 213, and a template generation unit 214.

The storage device 220 includes an identifier assigning unit 221, a registration data generation unit 222, and a registration data storage unit 223.

The authentication request device 230 includes an authentication request generation unit 231, an authentication information extraction unit 232, a first response generation unit 233, a second response generation unit 234, and a response generation unit 235.

The collation auxiliary device 240 has a challenge auxiliary generation unit 241, a challenge generation unit 242, a registration data request generation unit 243, an encryption inner product calculation unit 244, a query generation unit 245, and a verification data generation unit 246. ..

The verification device 250 includes a key generation unit 251, a decryption key storage unit 252, a query verification unit 253, and a collation result generation unit 254.

The registration request device 210 and the storage device 220, the storage device 220 and the verification auxiliary device 240, the authentication request device 230 and the verification request device 240, and the verification auxiliary device 240 and the verification device 250 communicate with each other via, for example, a communication network. Is possible.

In the ciphertext verification system 200, the registration request device 210 and the authentication request device 230 may be collectively referred to as a "first node". In the ciphertext verification system 200, the storage device 220 and the verification auxiliary device 240 may be collectively referred to as a "second node". Further, in the ciphertext verification system 200, the verification device 250 may be referred to as a "third node". That is, the ciphertext verification system 200 is not limited to the mode illustrated in FIG.

[Explanation of operation]
Next, the operation of the ciphertext verification system 200 according to the second exemplary embodiment will be described.

The operation in the ciphertext verification system 200 according to the second exemplary embodiment of the present invention will be described. The processing in the ciphertext verification system 200 is roughly classified into a preparation phase, a registration phase, and a verification phase. First, the outline of the processing in each phase will be described.

In the ciphertext verification system according to the second exemplary embodiment of the present invention, a homomorphic encryption method having homomorphism in addition and multiplication is used. For convenience of explanation, it is assumed that the encryption method used handles an N-1 degree polynomial in which each coefficient is a non-negative integer smaller than t as a message.

In the preparation phase, the encryption key and the decryption key are mainly generated using the received security parameters.

In the registration phase, a template in which the extracted registration vector is encrypted is mainly created and stored using the encryption key generated in the preparation phase.

In the collation phase, the distance between the newly extracted authentication vector and one or more registration vectors is calculated, mainly using the decryption key generated in the preparation phase.

Next, the process executed by the ciphertext verification system 200 in each of the above-mentioned phases will be described in detail.

FIG. 6 is a flowchart showing an example of processing executed by the ciphertext verification system 200 according to the second exemplary embodiment in the preparation phase. The process executed by the ciphertext verification system 200 according to the second exemplary embodiment in the preparation phase will be described with reference to FIG.

The key generation unit 251 in the verification device 250 receives the security parameters, and uses the received security parameters to generate the encryption key pk and the decryption key sk according to, for example, the above-mentioned key generation algorithm (step D1). .. The generated encryption key and decryption key conform to the public key cryptosystem having homomorphism in addition and multiplication.

The key generation unit 251 discloses the encryption key pk in the ciphertext verification system 200 (step D2).

The key generation unit 251 stores the decryption key sk in the decryption key storage unit 252 (step D3).

The process executed by the ciphertext verification system 200 according to the present embodiment in the preparation phase is not limited to the mode illustrated in FIG.

FIG. 7 is a flowchart showing an example of processing executed by the ciphertext verification system 200 according to the second exemplary embodiment in the registration phase. The process executed by the collation system 200 according to the present embodiment in the registration phase will be described with reference to FIG. 7.

The registration information extraction unit 211 in the registration request device 210 receives biological information (referred to as “registration vector”) from the living body to be registered.
A = (a ₀ , ..., a _L-1 ) ... (Equation 41)
Is extracted (step E1).

Next, the first template generation unit 212 in the registration request device 210 uses the encryption key pk to generate each i-th (i = 0, ..., L-1) of the registration vector A according to the following equation 42. component _{a i} a i following sections having a coefficient L-1 order polynomial _f a _{of) (x) = Σ i =} 0~L-1 a i × x i ··· ( formula 42)

Ciphertext Enc (pk, _{f A)} to calculate the (step E2).

Ciphertext calculated at step E2 Enc (pk, _{f A)} is referred to as "first template".

Next, the second template generation unit 213 in the registration request device 210 uses the encryption key pk to sum the squares of each component of the registration vector A Σ _{i = 0 to L-1} a _i ² ... (Equation 43). )
The ciphertext Enc (pk, Σ _{i = 0 to L-1 ai} ² ) of is calculated (step E3). _{The squared sum ciphertext Enc (pk, Σ i = 0 to L-1 ai} ² ) of each component of the registration vector A calculated in step E3 is called a “second template”.

Next, the template generation unit 214 in the registration request device 210 puts together the first template and the second template, and the templates (Enc (pk, f _A ), Enc (pk, Σ _{i = 0 to n-1} a _i ² )). ) ・ ・ ・ (Equation 44)
(Step E4).

The registration requesting device 210 sends the above template (Enc (pk, f _A ), Enc (pk, Σ _{i = 0 to n-1 ai} ² )) to the storage device 220 (step E5).

Next, the storage device 220 receives the above template (Enc (pk, f _A ), Enc (pk, Σ _{i = 0 to n-1} a _i ² )) from the registration request device 210 (step E6).

The identifier assigning unit 221 in the storage device 220 determines the registration identifier id, which is an identifier unique to the received template (step E7).

The storage device 220 sends the registration identifier id to the registration request device 210 (step E8).

Next, the registration request device 210 receives the registration identifier id from the storage device 220 (step E9). For example, the registration requesting device 210 may display the received registration identifier id on a user interface (UI) such as a display (step E10). Alternatively, the registration request device 210 may store the received registration identifier in an IC (integrated_cycle) card such as an employee ID card or an identifier card.

Next, the registration data generation unit 222 in the storage device 220 puts together the template and the registration identifier, and the registration data ((Enc (pk, f _A ), Enc (pk, Σ _{i = 0 to n-1 ai} ² ))). , Id) ・ ・ ・ (Equation 45)
(Step E11).

The registration data generation unit 222 in the storage device 220 stores the registration data in the registration data storage unit 223 (step E12).

The process executed by the ciphertext verification system 200 according to the second exemplary embodiment in the registration phase is not limited to the mode illustrated in FIG. 7. For example, step E11 and step E12 may be executed prior to step E8.

FIG. 8 is a flowchart showing an example of processing executed by the ciphertext verification system 200 according to the second exemplary embodiment in the authentication phase. The process executed by the collation system 200 according to the present embodiment in the authentication phase will be described with reference to FIG.

The authentication request generation unit 231 in the authentication request device 230 generates an authentication request (step F1).

The authentication request device 230 sends an authentication request to the verification assist device 240 (step F2).

The verification auxiliary device 240 receives an authentication request from the authentication request device 230 (step F3).

Next, the challenge auxiliary generation unit 241 in the collation auxiliary device 240 randomly selects r as an integer smaller than t and an integer h smaller than N-1. The selected values are put together and used as challenge assistance (r, h) (step F4).

Then, the challenge generating unit 242 in the verification auxiliary apparatus 240 uses the encryption key pk, challenge auxiliary (r, h) the single term equation r × ^x h ··· calculated from (Equation 46)
The ciphertext Enc (pk, r × x ^h ) of is calculated (step F5).

The ciphertext Enc (pk, r × x ^h ) calculated in step F5 is called a “challenge”.

The collation assisting device 240 sends the challenge to the authentication requesting device 230 (step F6).

Next, the registration data request generation unit 243 in the collation assisting device 240 generates a registration data request (step F7).

The collation assisting device 240 sends the registration data request to the storage device 220 (step F8).

Next, the storage device 220 receives a registration data request from the collation assisting device 240 (step F9).

The storage device 220 sends a part or all (M pieces) of registered data of one or a plurality of registered data stored in the registered data storage unit 223 to the collation assisting device 240 (step F10). ). However, each registration data is a set of a template and a registration identifier.

The collation assisting device 240 receives M registration data from the storage device 220 (step F11).

In the following, it is assumed that the template included in each j-th (j = 1, ..., M) registration data is generated from _{the registration vector Aj.}

Each j-th (j = 1, ..., M ) a first template that is included in the registration data of the registration vector _{A j} polynomial generated from _{f A,} ciphertext _{j Enc (pk, f A,} j) Suppose that

Each j-th (j = 1, ..., M ) second templates included in the registration data of the registration vector _{A j} square sum Σ _{i = 0~n-1 a j} of the ^{components, i} 2 · ·・ (Equation 47)
Ciphertext Enc (pk, Σ _{i = 0 to n-1} a _{j, i} ² )
Suppose that

The authentication requesting device 230 receives the challenge Enc (pk, r × ^h ) from the verification assisting device 240 (step F12).

Next, the authentication information extraction unit 232 in the authentication request device 230 receives biometric information (referred to as "authentication vector") from the living body to be authenticated.
B = (b ₀ , ..., b _L-1 ) ... (Equation 48)
Is extracted (step F13).

Then, the first response generator 233 of the authentication requesting device 230 according to the above formula 21, the authentication each i-th vector B (i = 0, ..., L-1) inverse -b concerning the addition component _{b i} of _i a, N order polynomial _f B with a coefficient of N-i following section _{(x) = - Σ i =} 0~n-1 b i × x N-i ··· ( formula 49)
Is calculated. Moreover,
・ Encryption key PK and
・ The generated polynomial f _B and
・ The challenge Enc (pk, r × x ^h ) received and
from,
For example, using the property of the encryption method that can calculate the scalar multiple of the ciphertext (Equation 6),
First response Enc (pk, (r × x ^h ) × (f _B )) ・ ・ ・ (Equation 50)
Is generated (step F14).

Then, the second response generator 234 of the authentication requesting device 230 uses the encryption key pk, the authentication vector ₌ 0 to _L-1 square sum sigma _i of each component of B ^{b i} 2 ··· (wherein 51 )
Ciphertext _{Enc (pk, Σ i = 0~L} -1 b i 2) to calculate the (step F15). Step F15 In ciphertext _{Enc (pk, Σ i = 0~L} -1 b i 2) of the square sum of the components of the calculated authentication vector B is referred to as a "second response".

Next, the response generation unit 235 in the authentication request device 230 summarizes the first response and the second response, and the response (Enc (pk, (r × x ^h ) × (f _B )), Enc (pk, Σ _{i =). ^{0~L-1 b i 2))}} ··· ( formula 52)
(Step F16).

The authentication request device 230 sends the above-mentioned response, which is a combination of the first response and the second response, to the verification assisting device 240 (step F17).

Next, the collation assisting device 240 receives the above response from the authentication requesting device 230 (step F18).

Next, the encrypted inner product calculation unit 244 in the collation assisting device 240
・ Encryption key PK and
^{-The term expression -r -1} x x ^N-h generated from the challenge assistance (r, h) generated in step F4,
-The first response Enc (pk, (r × x ^h ) × (f _B )) included in the response received in step F18,
Based on
For example, using the property (Equation 6) of the encryption method that can calculate the scalar multiple of the ciphertext,
Enc (pk, f _B ) = (-r ^-1 x x ^N-h ) x Enc (pk, (r x x ^h ) x (f _B )) ... (Equation 53)
To calculate.
Further, the encryption inner product calculation unit 244 in the collation assisting device 240 describes each j (j = 1, ..., M).
・ Encryption key PK and
_{-The first template Enc (pk, fA, j} ) included in the jth registered data among the M registered data received in step F11, and
-Calculated ciphertext Enc (pk, f _B ) and
(Pk, f _{A, j} × f _B ) ... (Equation 54)
Is generated (step F19).

Incidentally, as described above, each of j (j = 1, ..., M) _{for, f A,} the constant term of the _j × _{f B} is the inner product of the registration vector _{A j} and an authentication vector B _<A j ,B> = Σ _{i = 0~n-1 a j,} i × b i
Is equal to.

Next, the query generation unit 245 in the collation assisting device 240 describes each j (j = 1, ..., M).
・ Encryption key PK and
-Encryption inner product Enc (pk, f _{A, j} × f _B ) generated in step F19.
When,
_{-The second template Enc (pk, Σ i = 0 to n-1} a _{j, i} ² ) included in the jth registered data among the M registered data received in step F11, and
And second response _{Enc (pk, Σ i = 0~L} -1 b i 2) contained has a response received in step F18 and,
Based on, using the additive homomorphism of the cryptosystem,
Query Enc (pk, f _j )
Is generated (step F20).

However, for each j (j = 1, ..., M), _{the constant term of f j} follows the above equation 26, and the Euclidean distance d _E (A _j , B) = (Σ) _{between the registration vector A j and the authentication vector B. ^{i = 0~n-1 a j,}} i 2) + (Σ i = 0~n-1 b i 2) -2 <A j ,B>
And.

Next, the verification data generation unit 246 in the collation assisting device 240 uses step F20 from the second template included in the jth registered data among the M registered data for each j (j = 1, ..., M). The generated query and the registration identifier included in the j-th registration data among the M registration data are set as the j-th verification data (step F21).

Next, the collation assisting device 240 sends M verification data to the verification device 250 (step F22).

Next, the verification device 250 receives M verification data from the verification auxiliary device 240 (step F23).

The query verification unit 253 in the verification device 250 uses the decryption key pk for each j (j = 1, ..., M) to decode the query included in the jth verification data among the M verification data. , The constant term of the polynomial obtained as the decoding result is used as the verification result (step F24).

As described above, for each j (j = 1, ..., M), the constant term of the polynomial obtained as the decoding result generated from the j-th verification data among the M verification data is authenticated with the _{registration vector Aj.} The Euclidean distance d _E (A _j , B) from the vector B.

Next, the collation result generation unit 254 in the verification device 250 generated each j (j = 1, ..., M) from the query included in the j-th verification data among the M verification data in step F24. The verification result and the registration identifier included in the j-th verification data are put together and used as the j-th verification result.

Alternatively, for each j (j = 1, ..., M), the collation result generation unit 254 in the verification device 250 generates j generated in step F24 from the query included in the j-th verification data among the M verification data. The result of comparing the magnitude of the second verification result with the predetermined threshold value and the registration identifier included in the jth verification data may be combined and used as the jth verification result (step F25).

The verification device 250 outputs the calculated M collation results (step F26).

The process executed by the ciphertext verification system 200 according to the second exemplary embodiment in the authentication phase is not limited to the mode illustrated in FIG. For example, steps F12 to F17 may be executed prior to step F7.

_{In the above description of the ciphertext matching system 200 according to the second exemplary embodiment, the polynomial f A} generated by the first template generation unit 212 in the registration request device 210 in step E2 of FIG. 7 is set to the registration vector A. Based on this, it is assumed that the polynomial is generated according to the above equation 20. _{Further, the polynomial f B} generated by the first response generation unit 233 in the authentication request device 230 in step F16 of FIG. 8 is assumed to be a polynomial generated according to the above equation 21 based on the authentication vector.

The method of generating the two polynomials in the second exemplary embodiment is not limited to the above method. For example, a polynomial f _A of the first template generation unit 212 in the registration request unit 210 generates in step E2, a polynomial generated according to the formula 21 based on the registration vector A, the first response generator 233 of the authentication requesting device 230 _{The polynomial f B} generated in step F16 of FIG. 8 may be a polynomial generated according to the above equation 20 based on the authentication vector.

[Explanation of effect]
Next, the effect of the ciphertext verification system 200 according to the second exemplary embodiment will be described. According to the collation system 200 according to the second embodiment, the user requesting the authentication collates all the registered information with the information used for the authentication without presenting his / her own identifier, 1: N. It is possible to realize authentication securely. That is, it has the following two effects.

According to the ciphertext verification system 200 according to the second exemplary embodiment, the registration vector extracted by the registration request device 210 is encrypted on the registration request device 210 and sent to the storage device 220.

Further, the authentication vector extracted by the authentication request device 230 is encrypted on the authentication request device 230 and sent to the verification auxiliary device 240. It is the verification device 250 that has the decryption key that can decrypt these ciphertexts, but the data received by the verification device 250 is the ciphertext of the Euclidean distance between the registration vector and the authentication vector, and the registration vector and the authentication vector Do not disclose the value.

Therefore, according to the ciphertext verification system 200 according to the second exemplary embodiment, the value other than the distance between the registration vector and the authentication vector is not leaked to the device other than the device that extracts each vector, and the registration vector and the registration vector are used. It is possible to calculate the distance between the authentication vectors.

Further, according to the ciphertext verification system 200 according to the second exemplary embodiment, even when authenticating with the same registration vector, the process using the random number selected in step F5 of FIG. 8 can be performed. Will be done.

Therefore, even if the communication content of the collation process is leaked, the distance equal to the distance at the time of the leaked collation is calculated by resending the leaked content or sending the data created by using the leaked content. It is not possible to make it or calculate a small value.

In particular, when the ciphertext verification system 200 according to the second exemplary embodiment is used for authentication to be "accepted" when the distance is smaller than the threshold value, an attacker who does not know the registration vector is not regarded as "accepted". It has the property of being resistant to spoofing attacks.

Further, in the ciphertext verification system 200 according to the second exemplary embodiment, it is possible to modify the verification device 250 having the decryption key so as not to disclose the Euclidean distance between the registration vector and the authentication vector. Is. For example, by applying the same method as that described in Non-Patent Document 4, the verification device 250 having a decryption key can be transformed into a method in which the Euclidean distance between the registration vector and the authentication vector cannot be calculated. In the method of not disclosing the Euclidean distance between the registration vector and the authentication vector to the verification device 250 having the decryption key, the verification device 250 having the decryption key calculates the value of the registration vector even under special circumstances. Can be prevented. Therefore, higher safety can be achieved.

[Third Embodiment]
Next, a third exemplary embodiment will be described. The third exemplary embodiment is a case where the ciphertext method shown in Non-Patent Document 1 is used in the ciphertext matching system 100 shown in FIG. 1 referred to in the description of the first exemplary embodiment. .. In the following, the characteristic parts according to the third exemplary embodiment will be mainly described, and the same parts as those in the first exemplary embodiment will be omitted as appropriate.

The third exemplary embodiment is constructed using the cryptosystem described in Non-Patent Document 1 described above, which has homomorphism in terms of addition and information. The following features of the encryption method of Non-Patent Document 1 are used for the configuration of the present embodiment.

The parameters received by the key generation algorithm of the encryption method of Non-Patent Document 1 include an integer N and a prime number t. The encryption algorithm of the encryption method of Non-Patent Document 1 receives an N-1 degree polynomial in which each coefficient is smaller than t as a message.

For each coefficient is smaller than t N-1 order polynomial f, ^{f -1} satisfying ^f × f ^-1 = 1 does not necessarily exist. That is, the message encrypted by the encryption method of Non-Patent Document 1 does not necessarily have an inverse element related to multiplication.

On the other hand, since t is a prime number, for any integer r of 1 or more and less than t, there exists an ^{integer r -1} of 1 or more and less than t that satisfies ^{r × r -1 = 1 by modulo t.}

Further, h is an integer of 0 or more and N-1 or less.
x ^h x (-x ^N-h ) = ^{-x N} = 1 ... (Equation 55)
Is established.

About r and h
(R x x ^h ) x (r ^-1 x (-x ^N-h )) = 1 ... (Equation 56)
Is established.

Therefore, for any integer r of 1 or more and less than t and an integer h of 0 or more and N-1 or less, r × x ^h is a message that can be encrypted using the encryption method of Non-Patent Document 1, and the inverse element −r. ^{It has -1} × x ^N−h .

[Description of configuration]
Since the configuration of the third exemplary embodiment is the same as the configuration of the ciphertext verification system 100 according to the first embodiment shown in FIG. 1, the description thereof will be omitted.

[Explanation of operation]
Next, the operation of the ciphertext verification system 100 according to the third exemplary embodiment will be described. The operation in the collation system 100 according to the present embodiment is roughly classified into a preparation phase, a registration phase, and a collation phase, as in the first exemplary embodiment. First, the outline of the processing in each phase will be described.

In the preparation phase, the encryption key and the decryption key are mainly generated using the received security parameters.

In the registration phase, a template in which the extracted registration vector is encrypted is mainly created and stored using the encryption key generated in the preparation phase.

In the collation phase, the distance between the newly extracted authentication vector and one registration vector is calculated mainly using the decryption key generated in the preparation phase.

Next, the process executed by the ciphertext verification system 100 in each of the above-mentioned phases will be described in detail.

The preparation phase of the third exemplary embodiment follows the flowchart of FIG. 2 of the first exemplary embodiment. The process executed by the ciphertext verification system 100 according to the third embodiment in the preparation phase will be described with reference to FIG.

The key generation unit 151 in the verification device 150 has a set of four parameters λ = (N, q, t, σ) ... (Equation 57).
To receive. However, as described above, N is an integer of two powers, q is a prime number congruent with 1 modulo 2N, t is a positive prime number smaller than q, and σ is the standard deviation of the N-dimensional discrete Gaussian distribution.

Next, two N-1 degree polynomials s and e are generated according to an N-dimensional discrete Gaussian distribution with a standard deviation of σ. That is, a polynomial with N values generated according to a discrete Gaussian distribution as coefficients is generated. s is the private key.

Then, each coefficient is generated randomly smaller than t N-1 degree polynomial p _1.

next,
p ₀ =-(p ₁ x s + t x e) ... (Equation 58)
Is calculated (step A1).
(Λ, p ₀ , p ₁ ) is the encryption key pk,
Let (λ, p ₀ , p ₁ , s) be the decryption key sk.

The key generation unit 151 discloses the encryption key pk in the ciphertext verification system 100 (step A2). The key generation unit 151 stores the decryption key sk in the decryption key storage unit 152 (step A3).

The process executed by the ciphertext verification system 100 according to the third embodiment in the preparation phase is not limited to the mode illustrated in FIG.

The registration phase of the third exemplary embodiment follows the flowchart of FIG. 3 of the first exemplary embodiment. The process executed by the ciphertext verification system 100 according to the third embodiment in the registration phase will be described with reference to FIG.

The registration information extraction unit 111 in the registration request device 110 receives biological information (referred to as “registration vector”) from the living body to be registered.
A = (a ₀ , ..., a _L-1 ) ... (Equation 59)
Is extracted (step B1).

Next, the first template generation unit 112 in the registration request device 110 is generated from the registration vector A = (a ₀ , ..., A _L-1 ) according to the following equation 60 (the above equation 20), the registration vector A. each i-th (i = 0, ..., L -1) to component _{a i} of, L-1 degree polynomial _f having the coefficient of i-th order term _{a = Σ i = 0~L-1} a i × x i ... (Equation 60)
To generate.

_{Next, using the parameter σ included in the encryption key pk = (λ, p 0} , p ₁ ) disclosed by the verification device 150 in step A2 of the preparation phase, 3 according to the N-dimensional discrete Gaussian distribution having a standard deviation of σ. Generate two N-1 degree polynomials u ₁ , g ₁ and f _1.

Then, with these, _t contained in the encryption key _pk, and p 0, _{p 1,} and the polynomial _{f A} which generated, based on the following two polynomials,
c _1,0 = p ₀ × u ₁ + t × g ₁ + f _A ... (Equation 61-1)
c _{1, 1} = p ₁ × u ₁ + t × f ₁ ... (Equation 61-2)
To calculate. _Let (c 1,0, c _1,1 ) be the ciphertext C ₁ (step B2).

That is, C ₁ is the ciphertext of f _A by the encryption key pk. _{The ciphertext C 1} = (c _1,0 , c _1,1 ) calculated in step B2 is called the "first template".

Next, the second template generation unit 113 in the registration request device 110 uses the sum of squares of each component of the registration vector A Σ _{i = 0 to L-1} a _i ² ... (Equation 62).
To calculate.

_{Next, using the parameter σ included in the encryption key pk = (λ, p 0} , p ₁ ) disclosed by the verification device 150 in step A2 of the preparation phase, 3 according to the N-dimensional discrete Gaussian distribution having a standard deviation of σ. Generate two N-1 degree polynomials u ₂ , g ₂ and f _2.

Next, based on these, t, p ₀ , p ₁ included in the encryption key, and the generated value Σ _{i = 0 to L-1} a _i ² , the following two polynomials,
c _2,0 = p ₀ × u ₂ + t × g ₂ + (Σ _{i = 0 to L-1} a _i ² ) ・ ・ ・ (Equation 63-1)
c _{2, 1} = p ₁ × u ₂ + t × f ₂ ... (Equation 63-2)
To calculate. _Let (c 2, 0, c ₂ , 1) be the ciphertext C ₂ (step B3). That is, C ₂ is a ciphertext of Σ _{i = 0 to L-1} a _i ² by the encryption key pk. _{The ciphertext C 2} = (c ₂ , 0, c ₂ , 1) calculated in step B3 is called a "second template".

Next, the template generation unit 114 in the registration request device 110 sets the first template C ₁ = (c _1,0 , c ₁ , 1) and the second template C ₂ = (c ₂ , 0, c ₂ , 1). In summary, it is used as a template (C ₁ , C ₂ ) (step B4).

The registration request device 110 sends the above templates (C ₁ , C ₂ ) to the storage device 120 (step B5).

Next, the storage device 120 receives the templates (C ₁ , C ₂ ) from the registration request device 110 (step B6).

The identifier assigning unit 121 in the storage device 120 determines the registration identifier id, which is an identifier unique to the _{received templates (C 1} , C _{2) (step B7).}

The storage device 120 sends the registration identifier id to the registration request device 110 (step B8).

Next, the registration request device 110 receives the registration identifier id from the storage device (step B9).

The registration request device 110 displays, for example, the received registration identifier id on a user interface (UI) such as a display (step B10). Alternatively, the registration data device 102 may store the received registration identifier id in an IC (integrated_cycle) card such as an employee ID card or an identifier card.

Next, the registration data generation unit 122 in the storage device 120 _{collects the templates (C 1} , C ₂ ) and the registration identifier id, and registers the registration data ((C ₁ , C ₂ ), id).
(Step B11).

The registration data generation unit 122 in the storage device 120 stores the registration data ((C ₁ , C ₂ ), id) in the registration data storage unit 123 (step B12).

The process executed by the ciphertext verification system 100 according to the third embodiment in the registration phase is not limited to the mode illustrated in FIG. For example, step B11 and step B12 may be executed prior to step B8.

The authentication phase of the third exemplary embodiment follows the flowchart of FIG. 4 of the first exemplary embodiment. The process executed by the ciphertext verification system 100 according to the third embodiment in the authentication phase will be described with reference to FIG.

The authentication requesting device 130 receives the identifier id (referred to as “authentication identifier”) possessed by the authentication target (step C1).

Next, the authentication request generation unit 131 in the authentication request device 130 generates an authentication request including the received authentication identifier id (step C2).

The authentication request device 130 sends an authentication request to the verification auxiliary device 140 (step C3).

The verification auxiliary device 140 receives an authentication request from the authentication request device 130 (step C4).

Next, the challenge auxiliary generation unit 141 in the collation auxiliary device 140 randomly selects an integer r smaller than t and an integer h smaller than N-1. The selected values are put together and used as challenge assistance (r, h) (step C5).

Then, the challenge generating unit 142 in the verification auxiliary apparatus 140, the challenge auxiliary (r, h) from a single term equation r × ^x h ··· (Formula 64)
Is calculated.

_{Next, using the parameter σ included in the encryption key pk = (λ, p 0} , p ₁ ) disclosed by the verification device 150 in step A2 of the preparation phase, 3 according to the N-dimensional discrete Gaussian distribution having a standard deviation of σ. Generate two N-1 degree polynomials u ₃ , g _3, and f _3.

Next, the N-1 order polynomial _{u 3} and _{g 3} and _{f 3, t} comprising the encryption _key, and p 0, _{p 1,} based on the single-term equation r × ^{x h,,} the following two polynomials,
c _3,0 = p ₀ × u ₃ + t × g ₃ + (r × x ^h ) ・ ・ ・ (Equation 65-1)
c _3,1 = p ₁ × u ₃ + t × f ₃ ... (Equation 65-2)
To calculate. _Let (c 3, _{0, c 3, 1} ) be the ciphertext C ₃ (step C6). That is, C ₃ is a ciphertext of r × x ^{h with} the encryption key pk. _{The ciphertext C 3} = (c _3,0 , c _3,1 ) calculated in step C6 is called a "challenge".

Verification auxiliary apparatus 140, sends the challenge _{C 3} to the authentication request unit 130 (step C7).

Next, the registration data request generation unit 143 in the collation assisting device 140 generates a registration data request including the authentication identifier id included in the authentication request received from the authentication request device 130 (step C8).

The collation assisting device 140 sends the registration data request to the storage device 120 (step C9).

Next, the storage device 120 receives a registration data request from the collation assisting device 140 (step C10).

_{The registration data search unit 124 in the storage device 120 has registered data ((C 1} , C ₂₎ including the authentication identifier id included in the registration data request among one or more registration data stored in the registration data storage unit. ), Id) (step C11).

_{The templates (C 1} , C ₂ ) included in the specified registration data are called "matching target templates".

The storage device 120 sends the collation target template (C ₁ , C ₂ ) to the collation assisting device 140 (step C12).

The collation assisting device 140 receives the collation target template (C ₁ , C ₂ ) from the storage device 120 (step C13).

The authentication requesting device 130 receives the challenge C ₃ = (c _3,0 , c _3,1- ) from the collation assisting device 140 (step C14).

Next, the authentication information extraction unit 132 in the authentication request device 130 receives biometric information (referred to as an authentication vector) from the living body to be authenticated.
B = (b ₀ , ..., b _L-1 ) ... (Equation 66)
Is extracted (step C15).

Then, the first response generator 133 of the authentication requesting device 130 is generated according to the following equation 67, the authentication each i-th vector B (i = 0, ..., L-1) concerning the addition of components _{b i} inverse polynomial having -b _i to the coefficient of N-i following section _{f B = -Σ i = 0~n-} 1 b i × x N-i ··· ( formula 67)

To generate.

However, when the degree of the polynomial is N or more, as described above,
x ^N = -1,
x ^{N + 1} = -x, ...
By replacing with, the polynomial is made N-1th order or less. The same applies to the following calculations.

Next, the challenge C ₃ = (c _3,0 , c _3,1 ) received in step C14 and
Based on the generated polynomial f _B
c _4,0 = f _B × c _3,0 ... (Equation 68-1)
c _4,1 = f _B × c _3,1 ... (Equation 68-2)
To calculate. _Let (c 4, 0, c ₄ , 1) be the ciphertext C ₄ (step C16). That is, C ₄ is a ciphertext of r × x ^h × f _B by the encryption key pk. C ₄ = (c ₄ , 0, c ₄ , 1) is called the "first response".

Then, the second response generator 134 in the authentication request unit 130, the authentication vector each component of the square sum ^{_{Σ i = 0~L-1 b i}} 2 ··· and B (Formula 69)
To calculate.

_{Next, using the parameter σ included in the encryption key pk = (λ, p 0} , p ₁ ) disclosed by the verification device 150 in step A2 of the preparation phase, 3 according to the N-dimensional discrete Gaussian distribution having a standard deviation of σ. Generate two N-1 degree polynomials u ₅ , g _5, and f _5.

Next, and the three N-1 order polynomial _{u 5 g 5} and _{f 5, t} comprising the encryption _key, and p 0, _{p 1,} and the resulting value ^{_{Σ i = 0~L-1 b i}} 2, Based on the following two polynomials,
_{c 5,0 = p 0 × u 5} + t × g 5 + (Σ i = 0~L-1 b i 2) ··· ( Formula 70-1)
c _5,1 = p ₁ × u ₅ + t × f ₅ ... (Equation 70-2)
To calculate. _Let (c 5,0, c _5,1 ) be the ciphertext C ₅ (step C17).

That, _{C 5} is the ciphertext ^{_{Σ i = 0~L-1 b i}} 2 by the encryption key pk. _{The ciphertext C 5} = (c _5,0 , c _5,1 ) calculated in step C17 is called a "second response".

Next, the response generation unit 135 in the authentication request device 130 sets the first response C ₄ = (c ₄ , 0, c ₄ , 1) and the second response C ₅ = (c ₅ , 0, c _{5, 1} ). Conclusion, a response _(C 4, _{C 5)} and (step C18).

The authentication request device 130 sends the above responses (C ₄ , C ₅ ) to the collation assisting device 140 (step C19).

Next, verification auxiliary apparatus 140 receives the response from the authentication request device _{130 (C 4, C 5)} ( Step C20).

Next, the encryption inner product calculation unit 144 in the collation assisting device 140 starts with the challenge assist (r, h) generated in step C5.
−r ^-1 × x ^N−h・ ・ ・ (Equation 71)
To calculate. However, r ^-1 is an integer of 1 or more and less than t that satisfies r × r ^{-1 = 1 modulo t.}

Next, the encryption inner product calculation unit 144 in the collation auxiliary device 140
_-The first response C ₄ = (c 4, 0, c ₄ , 1) included in the above response (C ₄ , C _{5) received in step 19 and}
・ Based on the generated −r ^-1 ×xN ^−h
c _6,0 = (-r ^-1 x x ^N-h ) x c _4,0 ... (Equation 72-1)
c _6,1 = (-r ^-1 x x ^N-h ) x c _{4, 1} ... (Equation 72-2)
To calculate.
(C _6,0 , c _6,1 ) ... (Equation 73)
It is referred to as ciphertext _{C 6.} That is, C ₆ is based on the encryption key pk (r × x ^h × f _B ) × (−r ^-1 × x ^N−h ) = f _B ... (Equation 74).
Ciphertext.

Next, the encryption inner product calculation unit 144 in the collation auxiliary device 140
-The first template C ₁ = (c ₁ , 0, c ₁ , 1) included in the collation target template (C ₁ , C _{2) received in step C13,
-Based} on the generated ciphertext C ₆ = (c 6,0, c _6,1 )
c _7,0 = c _1,0 × c _6,0 ... (Equation 75-1)
c _7,1 = c _1,0 x c _6,1 + c _1,1 x c _6,0 ... (Equation 75-2)
c _7,2 = c _1,1 x c _6,1 ... (Equation 75-3)
To calculate.
(C _7,0 , c ₇ , 1, c ₇ , 2) ... (Equation 76)
Is the ciphertext C ₇ (step C21). That is, C ₇ is a ciphertext of f _A × f _B by the encryption key pk. _{The ciphertext C 7} = ( _{c 7 , 0} , c 7, 1, c ₇ , 2) calculated in step C 21 is called an “encryption inner product”. Incidentally, as described above, the constant term of _{f A} × _{f B} is the inner product of the registration vectors A and authentication vector B <A, B> = Σ i = equals _{0~n-1 a i × b i} .

Next, the query generation unit 145 in the collation assisting device 140
-The second template C ₂ = (c ₂ , 0, c ₂ , 1) included in the collation target template (C ₁ , C _{2) received in step C13,}
-The second response C ₅ = (c ₅ , 0, c _{5, 1} ) included in the response (C ₄ , C _{5) received in step C20,
-Based} on the encrypted inner product C ₇ = ( _{c 7} , 0, c 7, 1, c ₇ , 2) generated in step C21.
c _8,0 = c _2,0 + c _5,0 + -2 × c _7,0 ... (Equation 77-1)
c _8,1 = c _2,1 + c _5,1-2 × c _7,1 ... (Equation 77-2)
c _{8, 2} = -2 x c _{7, 2} ... (Equation 77-3)
To calculate. _Let (c 8, 0, c ₈ , 1, c ₈ , 2) be the ciphertext C ₈ (step C22). That, _{C 8} is due to the encryption key _{pk (Σ i = 0~n-1} a i 2) + (Σ i = 0~n-1 b i 2) -2 × f A × f B ··· ( Equation 78)
Ciphertext. The calculated ciphertext C ₈ = (c ₈ , 0, c ₈ , 1, c ₈ , 2) is called a "query".

Incidentally, as described above, the constant term of _{f A} × _{f B} is the inner product of the registration vectors A and authentication vector B <A, B> = Σ i = equals _{0~n-1 a i × b i} . Therefore, C ₈ is a ciphertext of a polynomial having _{the Euclidean distance d E} (A, B) between the registration vector A and the authentication vector B as a constant term.

Next, the collation assisting device 140 sends the query C ₈ = (c ₈ , 0, c ₈ , 1, c ₈ , 2) to the verification device 150 (step C23).

Next, the verification device 150 _{receives the query C 8} from the collation assisting device 140 (step C24).

The query verification unit 153 in the verification device 150
_-Query C ₈ = (c 8, 0, c ₈ , 1, c ₈ , 2) and
-Based on the private key sk = (λ, p ₀ , p ₁ , s)
D ₁ = c _8,0 + c _8,1 x s + c _8,2 x s ² ... (Equation 79)
To calculate.

Next, _{let D 2} be the remainder obtained by dividing _{D 1 by q.} If D ₂ is q / 2 or more, then D ₃ = D _2- q. If D ₂ is less than q / 2, then D ₃ = D ₂ (D ₂ ∈ Z ^(q) = [−q / 2, q / 2) ∩Z).

Next, _{let D 4 be the} remainder polynomial obtained by dividing _{D 3} by t. Let the constant term of _{D 4 be D 5} (step C25). The calculated value D ₅ is called a “verification result”. As described above, the constant term D _{5 is the Euclidean distance d E} (A, B) between the registration vector A and the authentication vector B.

Next, the collation result generation unit 154 in the verification device 150 sets the verification result D ₅ as the collation result d. Alternatively, the result _{of comparing the magnitude of the verification result D 5} with the predetermined threshold value may be used as the collation result d (step C26).

The verification device 150 outputs the calculated collation result d (step C27).

The process executed by the ciphertext verification system 100 according to the third embodiment in the authentication phase is not limited to the mode illustrated in FIG. For example, steps C9 to C13 may be executed prior to step C5.

In the above description of the ciphertext matching system 100 according to the third embodiment, the polynomial f _A generated by the first template generation unit 112 in the registration request device 110 in step B2 is generated according to the above equation 20 based on the registration vector A. and a polynomial that is, the polynomial f _B of the first response generator 133 of the authentication requesting device 130 is generated in step C16 was to be a polynomial generated according to the formula 21 based on the authentication vector.

The method of generating the two polynomials in the third embodiment is not limited to the above method. For example, a polynomial f _A of the first template generation unit 112 in the registration request unit 110 is generated in step B2, the polynomial is generated in accordance basis formula 21 Registered vector A, the first response generator 133 of the authentication requesting device 130 _{The polynomial f B} generated in step C16 may be a polynomial generated according to Equation 20 based on the authentication vector.

[Explanation of effect]
Next, the effect of the ciphertext verification system 100 according to the third exemplary embodiment will be described.

According to the ciphertext verification system 100 according to the third exemplary embodiment, it is possible to safely realize 1: 1 authentication in which a user requesting authentication presents his / her own living body and an identifier to perform authentication. It is possible. That is, it has the following two effects.

According to the ciphertext verification system 100 according to the third exemplary embodiment, the registration vector extracted by the registration request device 110 is encrypted on the registration request device 110 and sent to the storage device 120. Further, the authentication vector extracted by the authentication request device 130 is encrypted on the authentication request device 130 and sent to the verification auxiliary device 140.

It is the verification device 150 that has the decryption key that can decrypt these ciphertexts, but the data received by the verification device 150 is the ciphertext of the Euclidean distance between the registration vector and the authentication vector, and the registration vector and the authentication vector Do not disclose the value.

Therefore, according to the ciphertext verification system 100 according to the third exemplary embodiment, the value other than the distance between the registration vector and the authentication vector is not leaked to the device other than the device that extracts each vector, and the registration vector and the registration vector are used. It is possible to calculate the distance between the authentication vectors.

Further, according to the ciphertext verification system 100 according to the third exemplary embodiment, even when authenticating with the same registration vector, the process using the random number selected in step C5 is performed.

Therefore, even if the communication content of the collation process is leaked, the distance equal to the distance at the time of the leaked collation is calculated by resending the leaked content or sending the data created by using the leaked content. It is not possible to make it or calculate a small value.

In particular, when the ciphertext verification system 100 according to the third exemplary embodiment is used for authentication to be "accepted" when the distance is smaller than the threshold value, an attacker who does not know the registration vector is not regarded as "accepted". It has the property of being resistant to spoofing attacks.

Further, the ciphertext verification system 100 according to the third exemplary embodiment is configured by using the ciphertext described in Non-Patent Document 1, which is a ciphertext capable of high-speed processing. Therefore, high-speed collation processing is possible.

Further, in the ciphertext verification system 100 according to the third exemplary embodiment, it is possible to modify the verification device 150 having the decryption key so as not to disclose the Euclidean distance between the registration vector and the authentication vector. Is. For example, by applying the same method as that described in Non-Patent Document 4, the verification device 150 having a decryption key can be transformed into a method in which the Euclidean distance between the registration vector and the authentication vector cannot be calculated. The method of not disclosing the Euclidean distance between the registration vector and the authentication vector to the verification device 150 having the decryption key means that the verification device 150 having the decryption key calculates the value of the registration vector even under special circumstances. Can be prevented. Therefore, higher safety can be achieved.

[Fourth Embodiment]
Next, a fourth exemplary embodiment will be described. The fourth exemplary embodiment is a case where the ciphertext method shown in Non-Patent Document 1 is used in the ciphertext matching system 200 shown in FIG. 5 referred to in the description of the second exemplary embodiment. .. Hereinafter, the characteristic parts relating to the fourth exemplary embodiment will be mainly described, and the description of the same parts as those of the second exemplary embodiment will be omitted as appropriate.

The fourth exemplary embodiment is constructed using the cryptosystem described in Non-Patent Document 1, which has homomorphism in terms of addition and information. The following features of the encryption method of Non-Patent Document 1 are utilized in the configuration of the fourth exemplary embodiment.

The parameters received by the key generation algorithm of the encryption method of Non-Patent Document 1 include an integer N and a prime number t.

The encryption algorithm of the encryption method of Non-Patent Document 1 receives an N-1 degree polynomial in which each coefficient is smaller than t as a message. For each coefficient is smaller than t N-1 order polynomial f, ^{f -1} satisfying ^f × f ^-1 = 1 does not necessarily exist. That is, the message encrypted by the encryption method of Non-Patent Document 1 does not necessarily have an inverse element.

^{On the other hand, since t is a prime number, r × r -1} = 1 ... (Equation 80), modulo t, for any integer r greater than or equal to 1 and less than t.
^{There is an integer r -1} that satisfies and is 1 or more and less than t.

Further, h is an integer of 0 or more and N-1 or less. About r and h
(R × x ^h ) × (r ^-1 × (−x ^N−h )) = 1 ・ ・ ・ (Equation 81)
Is established.

Therefore, for any integer r of 1 or more and less than t and an integer h of 0 or more and N-1 or less, r × x ^h is a message that can be encrypted using the encryption method of Non-Patent Document 1, and the inverse element −r. ^{It has -1} × x ^N−h .

[Description of configuration]
Since the configuration of the fourth exemplary embodiment is the same as the configuration of the ciphertext verification system 200 according to the second exemplary embodiment shown in FIG. 5, the description thereof will be omitted.
[Explanation of operation]
Next, the operation of the ciphertext verification system 200 according to the fourth exemplary embodiment will be described.

Next, the operation in the ciphertext verification system 200 according to the fourth exemplary embodiment is roughly classified into a preparation phase, a registration phase, and a verification phase, as in the second exemplary embodiment. .. First, the outline of the processing in each phase will be described.

In the preparation phase, the encryption key and the decryption key are mainly generated using the received security parameters.

In the registration phase, a template in which the extracted registration vector is encrypted is mainly created and stored using the encryption key generated in the preparation phase.

In the collation phase, the distance between the newly extracted authentication vector and one or more registration vectors is calculated, mainly using the decryption key generated in the preparation phase.

Next, the process executed by the ciphertext verification system 200 in each of the above-mentioned phases will be described in detail. The preparation phase of the fourth exemplary embodiment follows the flowchart of FIG. 6 showing an example of processing of the preparation phase executed by the ciphertext verification system 200 according to the second exemplary embodiment. The process executed by the collation system 200 according to the fourth exemplary embodiment in the preparation phase will be described with reference to FIG.

The key generation unit 251 in the verification device 250 has a set of four parameters λ = (N, q, t, σ) ... (Equation 82).
To receive. Where N is a two-power integer, q is a prime number congruent with 1 modulo 2N, t is a positive integer smaller than q, and σ is the standard deviation of a discrete Gaussian distribution on an N-1 degree polynomial.

Next, two N-1 degree polynomials s and e are generated according to an N-dimensional discrete Gaussian distribution with a standard deviation of σ. Then, each coefficient is generated randomly q smaller N-1 degree polynomial p _1.

Next, p ₀ =-(p ₁ x s + t x e) ... (Equation 83)
To calculate.
(Λ, p ₀ , p ₁ ) is the encryption key (public key) pk,
Let (λ, p ₀ , p ₁ , s) be the decryption key (private key) sk (step D1).

The key generation unit 251 discloses the encryption key pk in the ciphertext verification system 200 (step D2). The key generation unit 251 stores the decryption key sk in the decryption key storage unit 252 (step D3).

The process executed by the ciphertext verification system 200 according to the fourth exemplary embodiment in the preparation phase is not limited to the mode illustrated in FIG.

The registration phase of the fourth exemplary embodiment follows the flowchart of FIG. 7 showing an example of processing of the registration phase executed by the ciphertext verification system 200 according to the second exemplary embodiment. The process executed by the collation system 200 according to the fourth exemplary embodiment in the registration phase will be described with reference to FIG. 7.

The registration information extraction unit 211 in the registration request device 210 receives biological information (called a registration vector) A = (a ₀ , ..., a _L-1 ) ... (Equation 84) from the living body to be registered.
Is extracted (step E1).

Next, the first template generation unit 212 in the registration request device 210 is generated from the registration vector A = (a ₀ , ..., a _L-1 ) according to the following equation 85 (the above equation 20), the registration vector A. each i-th (i = 0, ..., L -1) component _{a i} a i following L-1 degree polynomial _{f a = Σ i = 0~L-} 1 a i × with the coefficients of the terms ^{x i} · a・ ・ (Equation 85)
To generate.

_{Next, using the parameter σ included in the encryption key pk = (λ, p 0} , p ₁ ) disclosed by the verification device 250 in step D2 of the preparation phase, 3 according to the N-dimensional discrete Gaussian distribution in which the standard deviation is σ. Generate two N-1 degree polynomials u ₁ , g ₁ and f _1.

Next, based on the N-1 degree polynomials u ₁ , g ₁ and f _{1 , t, p 0} , p ₁ included in the encryption key pk, and the generated polynomial f _A , the following two polynomials,
c _1,0 = p ₀ × u ₁ + t × g ₁ + f _A ... (Equation 86-1)
c _{1, 1} = p ₁ × u ₁ + t × f ₁ ... (Equation 86-2)
To calculate. _Let (c 1,0, c _1,1 ) be the ciphertext C ₁ (step E2). That is, C ₁ is the ciphertext of f _A by the encryption key pk. The calculated ciphertext C ₁ = (c _1,0 , c _1,1 ) is called the "first template".

Next, the second template generation unit 213 in the registration request device 210 uses the sum of squares of each component of the registration vector A Σ _{i = 0 to L-1} a _i ² ... (Equation 87).
To calculate.

_{Next, using the parameter σ included in the encryption key pk = (λ, p 0} , p ₁ ) disclosed by the verification device 250 in step D2 of the preparation phase, 3 according to the N-dimensional discrete Gaussian distribution in which the standard deviation is σ. Generate two N-1 degree polynomials u ₂ , g ₂ and f _2.

Next, the N-1 degree polynomials u ₂ , g _2, and f _{2 , t, p 0} , and p ₁ included in the encryption key pk, and the generated values Σ _{i = 0 to L-1} a _i ² . Based on the following two polynomials,
c _2,0 = p ₀ × u ₂ + t × g ₂ + (Σ _{i = 0 to L-1} a _i ² ) ・ ・ ・ (Equation 88-1)
c _{2, 1} = p ₁ × u ₂ + t × f ₂ ... (Equation 88-2)
To calculate. _Let (c 2, 0, c ₂ , 1) be the ciphertext C ₂ (step E3). That is, C ₂ is a ciphertext of Σ _{i = 0 to L-1} a _i ² by the encryption key pk. The calculated ciphertext C ₂ = (c ₂ , 0, c ₂ , 1) is called a "second template".

Next, the template generation unit 214 in the registration request device 210 sets the first template c ₁ = (c ₁ , 0, c ₁ , 1) and the second template C ₂ = (c ₂ , 0, c ₂ , 1). In summary, it is used as a template (C ₁ , C ₂ ) (step E4).

The registration request device 210 sends the template to the storage device 220 (step E5).

Next, the storage device 220 receives the templates (C ₁ , C ₂ ) from the registration request device 210 (step E6).

The identifier assigning unit 221 in the storage device 220 determines the registration identifier id, which is an identifier unique to the received template (step E7).

The storage device 220 sends the registration identifier id to the registration request device 210 (step E8).

Next, the registration request device 210 receives the registration identifier id from the storage device (step E9). The registration request device 210 displays, for example, the received registration identifier id on a user interface (UI) such as a display (step E10). Alternatively, the registration request device 210 may store the received registration identifier id in an IC (integrated_cycle) card such as an employee ID card or an identifier card.

Next, the registration data generation unit 222 in the storage device 220 _{puts together the template (C 1} , C ₂ ) and the registration identifier id, and the registration data ((C ₁ , C ₂ ), id) ... (Equation 89).
(Step E11).

The registration data generation unit 222 in the storage device 220 stores the registration data ((C ₁ , C ₂ ), id) in the registration data storage unit 223 (step E12).

The process executed by the ciphertext verification system 200 according to the fourth exemplary embodiment in the registration phase is not limited to the mode illustrated in FIG. 7. For example, step E11 and step E12 may be executed prior to step E8.

An example of the processing of the authentication phase of the fourth exemplary embodiment follows the flowchart of FIG. 8 showing an example of the processing executed by the ciphertext verification system 200 according to the second exemplary embodiment. The process executed by the collation system 200 according to the fourth exemplary embodiment in the authentication phase will be described with reference to FIG.

The authentication request generation unit 231 in the authentication request device 230 generates an authentication request (step F1).

The authentication request device 230 sends an authentication request to the verification assist device 240 (step F2).

The verification auxiliary device 240 receives an authentication request from the authentication request device 230 (step F3).

Next, the challenge auxiliary generation unit 241 in the collation auxiliary device 240 randomly selects an integer r smaller than t and an integer h smaller than N-1. The selected values are put together and used as challenge assistance (r, h) (step F4).

Then, the challenge generating unit 242 in the verification auxiliary apparatus 240, the challenge auxiliary (r, h) from a single term equation r × ^x h ··· (Formula 90)
Is calculated.

_{Next, using the parameter σ included in the encryption key pk = (λ, p 0} , p ₁ ) disclosed by the verification device 250 in step D2 of the preparation phase, according to the N-dimensional discrete Gaussian distribution in which the standard deviation is σ. Generate _three N-1 degree polynomials u ₃ , g ₃ and f 3.

Then, the three N-1 order polynomial _{u 3} and _{g 3} and _{f 3, t} comprising the encryption _key, and p 0, _{p 1-,} based on the single-term equation r × ^{x h,,} the following two Two polynomials,
c _3,0 = p ₀ × u ₃ + t × g ₃ + (r × x ^h ) ・ ・ ・ (Equation 91-1)
c _3,1 = p ₁ × u ₃ + t × f ₃ ... (Equation 91-2)
To calculate. _Let (c 3, _{0, c 3, 1} ) be the ciphertext C ₃ (step F5). That is, C ₃ is a ciphertext of r × x ^{h with} the encryption key pk. The calculated ciphertext C ₃ = (c _3,0 , c _3,1 ) is called a "challenge". Verification auxiliary apparatus 240, sends the challenge _{C 3} to the authentication request unit 230 (step F6).

Next, the registration data request generation unit 243 in the collation assisting device 240 generates a registration data request (step F7).

The collation assisting device 240 sends the registration data request to the storage device 220 (step F8).

Next, the storage device 220 receives a registration data request from the collation assisting device 240 (step F9).

The storage device 220 sends a part or all (M pieces) of registered data of one or a plurality of registered data stored in the registered data storage unit 223 to the collation assisting device 240 (step F10). .. However, each registration data is a set of a template and a registration identifier.

The collation assisting device 240 receives M registration data from the storage device 220 (step F11).

In the following, the registered data of each jth (j = 1, ..., M) is (( _{Cj, 1} , _{Cj, 2} ), id _j ) ... (Equation 92).
It is expressed as.

The templates (C _{j, 1} , C _{j, 2 ) included in the registered data ((C j, 1} , C _{j, 2} ), id _j ) of each jth (j = 1, ..., M) are It is assumed that it is generated from the registration vector _Aj.

Further, the first templates C _{j, 1 included in the registration data ((C j, 1} , C _{j, 2} ), id _j ) of each jth (j = 1, ..., M) are from the registration vector A _j. the generated polynomial _{f a,} ciphertext _{j Enc (pk, f a,} j) = (c j, 1,0, c j, 1,1) ··· ( formula 93)
Suppose that

Further, the second template C _{j, 2 included in the registration data ((C j, 1} , C _{j, 2} ), id _j ) of each jth (j = 1, ..., M) is the registration vector A _j . Sum of squares of each component Σ _{i = 0 to n-1} a _{j, i} ² ... (Equation 94)
Ciphertext Enc (pk, Σ _{i = 0 to n-1} a _{j, i} ² ) = (c _{j, 2} , 0, c _{j, 2, 1} ) ... (Equation 95)
Suppose that

The authentication request device 230 receives a challenge from the verification assist device 240 (step F12).

Next, the authentication information extraction unit 232 in the authentication request device 230 receives biometric information (referred to as "authentication vector") from the living body to be authenticated.
B = (b ₀ , ..., b _L-1 ) ... (Equation 96)
Is extracted (step F13).

Next, the first response generation unit 233 in the authentication request device 230 is a component of each i-th (i = 0, ..., L-1) of the authentication vector B generated according to the following equation 97 (the above equation 20). polynomial with b _i additivity about the inverse -b _i of the coefficient of N-i following section _{f B = -Σ i = 0~n-} 1 b i × x N-i ··· ( formula 97)
To generate.

However, if the degree of the polynomial is N or more,
x ^N = -1, x ^{N + 1} = -x, ...
By replacing with, the polynomial is made N-1th order or less. The same applies to the following calculations.

Next, based on the challenge C ₃ = (c _3,0 , c _3,1 ) received in step F12 and the generated polynomial f _B.
c _4,0 = f _B × c _3,0 ... (Equation 98-1)
c _4,1 = f _B × c _3,1 ... (Equation 98-2)
To calculate. _Let (c 4, 0, c ₄ , 1) be the ciphertext C ₄ (step F14). That is, C ₄ is a ciphertext of r × x ^h × f _B by the encryption key pk. C ₄ = (c ₄ , 0, c ₄ , 1) is called the "first response".

Next, the authentication second response generator 234 of the requesting device 230, the authentication vector sum of squares ^{_{Σ i = 0~L-1 b i}} 2 ··· ( wherein 99) of the respective components of B
To calculate.

Next, in step A2 of the preparation phase, the _{parameter σ included in the encryption key pk = (λ, p 0} , p ₁ ) disclosed by the verification device 250 is used, and the standard deviation is σ according to the N-dimensional discrete Gaussian distribution. three generates the N-1 order polynomial _{u 5} and _{g 5} and _{f 5.}

Then, the three N-1 order polynomial _{u 5} and _{g 5} and _{f 5, t} contained in the encryption key _pk, p 0, _{p 1} and the generated value ^{_{Σ i = 0~L-1 b i}} 2 And based on the following two polynomials,
_{c 5,0 = p 0 × u 5} + t × g 5 + (Σ i = 0~L-1 b i 2) ··· ( Formula 100-1)
c _5,1 = p ₁ × u ₅ + t × f ₅ ... (Equation 100-2)
To calculate. _Let (c 5,0, c _5,1 ) be the ciphertext C ₅ (step F15). That, _{C 5} depends on the encryption key _{pk, Σ i = 0~L-1} b i 2
Ciphertext. _{The ciphertext C 5} = (c ₅ , 0, c _{5, 1} ) calculated in step F15 is called a "second response".

Next, the response generation unit 235 in the authentication request device 230 sets the first response C ₄ = (c ₄ , 0, c ₄ , 1) and the second response C ₅ = (c ₅ , 0, c _{5, 1} ). Conclusion, a response _(C 4, _{C 5)} and (step F16).

The authentication request device 230 sends the above responses (C ₄ , C ₅ ) to the collation assisting device 240 (step F17).

Next, verification auxiliary apparatus 240 receives the response from the authentication request device _{230 (C 4, C 5)} ( step F18).

Next, the encryption inner product calculation unit 244 in the collation assisting device 240 starts from the challenge assist (r, h) generated in step F4.
−r ^-1 × x ^N−h・ ・ ・ (Equation 101)
To calculate. However, r ^-1 is modulo t.
r × r ^-1 = 1 (Equation 102)
It is an integer of 1 or more and less than t that satisfies.

Next, the encryption inner product calculation unit 244 in the collation assisting device 240 sets the first response C ₄ = (c ₄ , 0, c ₄ , 1) _{included in the response (C 4} , C _{5) received in step F18.} , Based on the generated −r ^-1 × × ^N−h .
c _6,0 = (-r ^-1 x x ^N-h ) x c _4,0 ... (Equation 103-1)
c _6,1 = (-r ^-1 x x ^N-h ) x c _{4, 1} ... (Equation 103-2)
To calculate.
(C _6,0 , c _6,1 ) ... (Equation 104)
It is referred to as ciphertext _{C 6.} That is, C ₆ is based on the encryption key pk (r × x ^h × f _B ) × (−r ^-1 × x ^N−h ) = f _B ... (Equation 105).
Ciphertext.

Next, the encryption inner product calculation unit 244 in the collation assisting device 240 has, for each j (j = 1, ..., M), out of the M registered data received in step F11.
The first template C _{j, 1} = (c _{j, 1,0} , c _{j, 1, 1} ) included in the j-th registered data ((C _{j, 1} , C _{j, 2} ), id _j),
Based on the generated ciphertext C ₆ = (c _6,0 , c _6,1 )
c _{j, 7,0} = c _{j, 1,0} × c _6,0 ... (Equation 106-1)
c _{j, 7, 1} = c _{j, 1,0} × c _6,1 + c _{j, 1,1} × c _6,0 ... (Equation 106-2)
c _{j, 7, 2} = c _{j, 1,1} × c _6,1 ... (Equation 106-3)
To calculate.

For each j (j = 1, ..., M)
(C _j, 7, 0, c _{j, 7, 1 , c j, 7, 2} ) ... (Equation 107)
Is the ciphertext C _{j, 7} (step F19). That is, for each j (j = 1, ..., M), C _{j and 7 are ciphertexts of f A and j} × f _B by the encryption key pk.

Each j (j = 1, ..., M) for the calculated ciphertext _{C j, 7 = (c j} , 7,0, c j, 7,1, c j, 7,2) "Encryption inner product" Called.

Incidentally, as described above, each of j (j = 1, ..., M) _{for, f A,} inner product of the constant term of the _j × _{f B} is the registered vectors _{A j} and an authentication vector B _<A j ,B> = Σ _{i = 0~n-1 a j,} equal to _i × _{b i.}

Next, the query generation unit 245 in the collation assisting device 240 describes each j (j = 1, ..., M).
-Of the M registered data received in step F11,
The second template C _{j, 2} = (c _{j, 2,0} , c _{j, 2, 1} ) included in the j-th registered data ((C _{j, 1} , C _{j, 2} ), id _{j), and}
-The second response C ₅ = (c ₅ , 0, c _{5, 1} ) included in the response (C ₄ , C _{5) received in step F18,
-Based} on the j-th encrypted inner product C _{j, 7} = (c _{j, 7} , 0, c _{j, 7, 1, c j, 7, 2} ) generated in step F19.
c _{j, 8,0} = c _{j, 2,0} + c _5,0 + -2 × c _{j, 7,0} ... (Equation 108-1)
c _{j, 8, 1} = c _{j, 2, 1} + c ₅ , 1-2 × c _{j, 7, 1} ... (Equation 108-2)
c _{j, 8, 2} = -2 × c _{j, 7, 2} ... (Equation 108-3)
To calculate.

For each j (j = 1, ..., M), let (c _{j, 8} , 0, c _{j, 8} , 1, c _{j, 8, 2} ) be the ciphertext C _{j, 8} (step F20).

That is, for each j (j = 1, ..., M), C _{j, 8} is based on the encryption key pk (Σ _{i = 0 to n-1} a _{j, i} ² ) + (Σ _{i = 0 to n−). ^{1 b i 2) -2 × f}} A, j × f B
... (Equation 109)
Ciphertext.

For each j (j = 1, ..., M), the calculated ciphertext C _{j, 8} = (c _{j, 8} , 0, c _{j, 8} , 1, c _{j, 8, 2} ) ... (Equation 110) )
Is called a "query".

Incidentally, as described above, each of j (j = 1, ..., M) _{for, f A,} inner product of the constant term of the _j × _{f B} is the registered vectors _{A j} and an authentication vector B _<A j ,B> = Σ _{i = 0~n-1 a j,} equal to _i × _{b i.}

Therefore, for each j (j = 1, ..., M), C _{j, 8 is a polynomial ciphertext having the Euclidean distance d E} (A _j , B) between the registration vector A _j and the authentication vector B as a constant term. be.

Next, the verification data generation unit 246 in the collation assisting device 240 describes each j (j = 1, ..., M).
_{-Query C j, 8} = (c _{j, 8} , 0, c _j) generated in step F20 using the second template included in the j-th registered data among the M registered data received in step F11. _{, 8, 1} , c _{j, 8, 2} ),
-Of the M registration data received in step F11, the registration identifier id _j included in the j-th registration data,
Let it be the j-th verification data (C _{j, 8} , id _j ) (step F21).

Next, the collation assisting device 240 sends M verification data to the verification device 250 (step F22).

Next, the verification device 250 receives M verification data from the verification auxiliary device 240 (step F23).

The query verification unit 253 in the verification device 250 describes each j (j = 1, ..., M).
-Of the M verification data received in step F23, the _{query C j, 8} = (c _{j, 8} , 0, c _{j, 8,} ) included in _{the j-th verification data (C j, 8} , id _{j). 1} , c _{j, 8, 2} ) and
-Based on the private key (decryption key) sk = (λ, p ₀ , p ₁ , s)
D _{j, 1} = c _{j, 8,0} + c _{j, 8,1} x s + c _{j, 8,2} x s ² ... (Equation 111)
To calculate.

Next, for each j (j = 1, ..., M), _{the remainder obtained by dividing D j, 1} by q is defined as D _{j, 2} .

Next, for each j (j = 1, ..., M), if D _{j, 2} is q / 2 or more, then D _{j, 3} = D _{j, 2-} q. If D _{j, 2} is smaller than q / 2, then D _{j, 3} = D _{j, 2} . This is a modulo operation on [−q / 2, q / 2] modulo q of D.

Next, for each j (j = 1, ..., M), let _{D j, 4} be the remainder polynomial obtained by dividing _{D j, 3 by t.} Let the constant term of D _{j, 4 be D j, 5} (step F24). For each j (j = 1, ..., M), D _{j, 5} is called a "verification result".

As described above, for each j (j = 1, ..., M), D ₅ generated from the j-th verification data among the M verification data is the Euclidean distance d between the registration vector A _{j and the authentication vector B. E} ( _Aj , B).

Next, the collation result generation unit 254 in the verification device 250 has out of M verification data for each j (j = 1, ..., M).
-Based on the query included in the j-th verification data, the verification results Dj _{, 5} generated in step F24 and
_{-The registration identifier id j} included in the j-th verification data is combined and used as the j-th collation result (D _{j, 5} , id _j ). Alternatively, the collation result generation unit 254 in the verification device 250 has, for each j (j = 1, ..., M), out of M verification data.
_{-The result of comparing the magnitude of the verification result id j} generated in step F24 from the query included in the j-th verification data with the predetermined threshold value, and the result d _j .
_{-The registration identifier id j} included in the j-th verification data may be combined and used as the j-th collation result ( _dj , id _j ) (step F25).

The verification device 250 outputs the calculated M collation results (step F26).

The process executed by the ciphertext verification system 200 according to the fourth exemplary embodiment in the authentication phase is not limited to the mode illustrated in FIG. For example, steps F9 to F13 may be executed prior to step F5.

In the above description of the ciphertext matching system 200 according to the fourth exemplary embodiment, the polynomial f _A generated by the first template generation unit 212 in the registration requesting device 210 in step B2 is based on the registration vector A. _{It is assumed that the polynomial is generated according to 20 and that the polynomial f B} generated by the first response generation unit 233 in the authentication requesting device 130 in step C16 is a polynomial generated according to the above equation 21 based on the authentication vector.

The method of generating the two polynomials in the fourth exemplary embodiment is not limited to the above method. For example, a polynomial f _A of the first template generation unit 212 in the registration request unit 210 is generated in step B2, the polynomial generated according to the formula 21 based on the registration vector A, the first response generator 233 of the authentication requesting device 230 _{The polynomial f B} generated in step F16 may be a polynomial generated according to the above equation 20 based on the authentication vector.
[Explanation of effect]

Next, the effect of the ciphertext verification system 200 according to the fourth exemplary embodiment will be described.

According to the ciphertext verification system 200 according to the fourth exemplary embodiment, the user requesting authentication collates all the registered information with the information used for authentication without presenting his / her own identifier. It is possible to safely realize 1: N authentication. That is, it has the following two effects.

According to the ciphertext verification system 200 according to the fourth exemplary embodiment, the registration vector extracted by the registration request device 210 is encrypted on the registration request device 210 and sent to the storage device 220. Further, the authentication vector extracted by the authentication request device 230 is encrypted on the authentication request device 230 and sent to the verification auxiliary device 240. It is the verification device 250 that has the decryption key that can decrypt these ciphertexts, but the data received by the verification device 250 is the ciphertext of the Euclidean distance between the registration vector and the authentication vector, and the registration vector and the authentication vector Do not disclose the value.

Therefore, according to the ciphertext verification system 200 according to the fourth exemplary embodiment, the value other than the distance between the registration vector and the authentication vector is not leaked to the device other than the device that extracts each vector, and the registration vector and the registration vector are used. It is possible to calculate the distance between the authentication vectors.

Further, according to the ciphertext verification system 200 according to the fourth exemplary embodiment, even when authenticating with the same registration vector, the process using the random number selected in step C5 is performed. Therefore, even if the communication content of the collation process is leaked, the distance equal to the distance at the time of the leaked collation is calculated by resending the leaked content or sending the data created by using the leaked content. It is not possible to make it or calculate a small value.

In particular, when the ciphertext verification system 200 according to the fourth exemplary embodiment is used for authentication to be "accepted" when the distance is smaller than the threshold value, an attacker who does not know the registration vector is not regarded as "accepted". It has the property of being resistant to spoofing attacks.

Further, the ciphertext verification system 200 according to the fourth exemplary embodiment is configured by using the ciphertext described in Non-Patent Document 1, which is a ciphertext capable of high-speed processing. Therefore, high-speed collation processing is possible.

Further, the ciphertext verification system 200 according to the fourth exemplary embodiment can be modified so as not to disclose the Euclidean distance between the registration vector and the authentication vector to the verification device 250 having the decryption key. For example, by applying the same method as that described in Non-Patent Document 4, the verification device 250 having a decryption key can be transformed into a method in which the Euclidean distance between the registration vector and the authentication vector cannot be calculated. The method of not disclosing the Euclidean distance between the registration vector and the authentication vector to the verification device 250 having the decryption key means that the verification device 250 having the decryption key calculates the value of the registration vector even under special circumstances. Can be prevented. Therefore, higher safety can be achieved.

Although not particularly limited, as an application example of the present invention, for example, biometric authentication using a multi-valued vector as a feature amount can be mentioned.

For example, the input data in the registration phase and the input data in the collation phase are biometric information (feature vector) obtained from biometric information acquired from fingerprints, veins, or the like. In this case, by applying the present invention, the encrypted biometric data stored in the storage device and the encrypted biometric data created from the collation requesting device are collected from the same person while keeping the biometric information secret. It is possible to determine whether or not the information has been obtained based on whether or not the distance between the two biometric information is equal to or less than the threshold value.

In particular, it is known that the same data cannot always be stably acquired for biometric information, and the data acquired from the same person are similar (data with a small distance between elements can be acquired). Can be assumed. Therefore, the present invention is useful for utilization in biometric authentication and the like.

The disclosures of the above non-patent documents shall be incorporated into this document by citation. Within the framework of the entire disclosure (including the scope of claims) of the present invention, it is possible to change or adjust the embodiments or examples based on the basic technical idea thereof. Further, various combinations or selections of various disclosure elements (including each element of each claim, each element of each embodiment, each element of each drawing, etc.) are possible within the scope of the claims of the present invention. .. That is, it goes without saying that the present invention includes all disclosure including claims, and various modifications and modifications that can be made by those skilled in the art in accordance with the technical idea.

100, 200 Ciphertext verification system 110, 210 Registration request device 111, 211 Registration information extraction unit 112, 212 First template generation unit 113, 213 Second template generation unit 114, 214 Template generation unit 120, 220 Storage device 121, 221 Identifier assignment unit 122, 222 Registration data generation unit 123, 223 Registration data storage unit 124 Registration data search unit 130, 230 Authentication request device 131, 231 Authentication request generation unit 132, 232 Authentication information extraction unit 133, 233 First response generation unit 134, 234 Second response generation unit 135, 235 Response generation unit 140, 240 Verification assistance device 141, 241 Challenge assistance generation unit 142, 242 Challenge generation unit 143, 243 Registration data request generation unit 144, 244 Encryption inner product calculation unit 145 , 245 Query generation unit 150, 250 Verification device 151, 251 Key generation unit 152, 252 Decryption key storage unit 153, 253 Query verification unit 154, 254 Verification result generation unit 246 Verification data generation unit

Claims (7)

Including a registration request device, a verification auxiliary device, an authentication request device, and a verification device,
The verification device calculates a pair of an encryption key and a decryption key of a homomorphic encryption method capable of polynomial operations, and publishes the encryption key.
The registration request device is
Polynomialize the registered information, which is a numerical vector,
The polynomialized registration information is encrypted using the encryption key,
The collation assisting device is
Upon receiving the authentication request from the authentication request device, one factor of the order selected at random, to generate a single term equation where the coefficients other than the coefficient of the order is set to 0,
The single-term equation, send a challenge consisting of ciphertext encrypted by using the encryption key to the authentication request device,
The authentication requesting device is
Polynomialize the authentication information, which is a numerical vector,
A polynomial of the said authentication information, based on the the challenge, from the verification auxiliary apparatus, using the encryption key, the used for generating the polynomial of the said authentication information challenge the single term formula Calculate the ciphertext of the product,
The ciphertext of the product of the polynomial of the said authentication information used for the generation of the challenge the single section type, as a response, and sent to the verification auxiliary apparatus,
The collation assisting device is
When receiving the response from the authentication request device, using the a response, the one coefficient and the challenge auxiliary consisting of its degree, based on said registration information encrypted by the registration request unit, the encryption key Then, the ciphertext of the distance between the registration information and the authentication information is calculated.
The ciphertext of the distance between the registration information and the authentication information is sent to the verification device.
The verification device is
It said received from the verification auxiliary apparatus, the ciphertext of the distance of the authentication information and the registration information, and calculates the distance and decrypted using the decryption key,
The calculated distance or the comparison result between the distance and a predetermined threshold value is output as a collation result .
The registration requesting device uses the i-th component (where i is a non-negative integer of L-1 or less and L is a positive integer of 2 or more) of the registration information which is the numerical vector as the coefficient of the i-order term. An order polynomial is generated, and the authentication requesting device uses the inverse element of the i-th component of the authentication information, which is the numerical vector, as a coefficient of a term of N-th order (where N is a positive integer larger than L). Generate an order integer or
The registration requesting device sets the inverse element of the i-th component (where i is a non-negative integer of L-1 or less and L is a positive integer of 2 or more) of the registration information which is the numerical vector to N-i order (however, N). Is a positive integer greater than L), and the N-th order polymorphic element is generated. A cryptographic matching system characterized by generating an order integer. Including additional storage
The storage device is
Memory and
An identifier assigning unit that assigns an identifier to the encrypted registration information received from the registration requesting device,
A registration data generation unit that stores registration data consisting of a set of encrypted registration information and an identifier in the storage unit, and a registration data generation unit.
Upon receiving the registration data request from the collation assisting device, the encrypted registration information, which is paired with the identifier included in the registration data request, is obtained from the registration data stored in the storage unit. The registration data search unit to be sent to the verification assist device and
With
The collation assisting device is
A registration data request included in the authentication request received from the authentication request device and including the authentication identifier corresponding to the authentication information is sent to the storage device.
Upon receiving the encrypted registration information corresponding to the authentication identifier from the storage device,
The ciphertext of the distance between the registration information and the authentication information is calculated based on the response received from the authentication request device, the challenge assistance, and the encrypted registration information received from the storage device. The ciphertext verification system according to claim 1, wherein the ciphertext verification system is characterized. Including additional storage
The storage device is
Memory and
An identifier assigning unit that assigns an identifier to the encrypted registration information received from the registration requesting device,
A registration data generation unit that stores registration data consisting of a set of the encrypted registration information and the identifier in the storage unit, and a registration data generation unit.
With
In response to the registration data request from the collation assisting device, a part or all of the registration data of one or more registration data stored in the storage unit is transmitted to the collation assisting device.
The collation assisting device is
Receive one or more registration data from the storage device
For each registered data received from the storage device
Based on the response received from the authentication requesting device, the challenge, and the encrypted registration information included in the registration data, a ciphertext of the distance between the encrypted registration information and the authentication information is calculated. ,
For the registration data, a set of a ciphertext of the calculated distance between the registration information and the authentication information and an identifier included in the registration data is used as verification data.
The generated one or more of the verification data is sent to the verification device, and the generated verification data is sent to the verification device.
The verification device is
Receive one or more of the verification data from the collation aid,
Regarding the verification data
The ciphertext of the distance between the registration information and the authentication information included in the verification data is decrypted using the decryption key to calculate the distance.
A comparison result of the calculated distance and a predetermined threshold value or a set of the calculated distance and an identifier included in the verification data is used as a collation result, and the collation result is output. The ciphertext verification system according to claim 1. Ciphertext verification method by at least one computer
The verification process calculates a pair of encryption key and decryption key of a homomorphic encryption method capable of polynomial operations, and publishes the encryption key.
In the registration request processing, when registering registration information,
Polynomialize the registered information, which is a numerical vector,
The polynomialized registration information is encrypted using the encryption key,
In collation assistance processing,
When an authentication request is received from the authentication request processing , one coefficient and its order are randomly selected.
The coefficients other than the coefficient of the order to generate the 0 and the single section type,
The single-term equation, send a challenge consisting of ciphertext encrypted by using the encryption key to the authentication request processing,
In the authentication request processing ,
Polynomialize the authentication information, which is a numerical vector,
A polynomial of the said authentication information, based on said challenge from said verification auxiliary processing, using the encryption key, the product of the single term expression used for the generation of the polynomial of the said authentication information challenge Calculate the ciphertext of
The ciphertext of the product of the polynomial of the said authentication information used for the generation of the challenge the single section type, as a response, and sent to the verification auxiliary processing,
In the collation assistance process,
When receiving the response from the authentication request processing, using the the response, the one coefficient and the challenge auxiliary consisting of its degree, based on said registration information encrypted, the encryption key, said registration information and calculates the ciphertext of length of the authentication information,
Send the ciphertext of the distance of the authentication information and the registration information to the verification process,
In the verification process ,
Received from the verification auxiliary processing, the ciphertext of the distance of the authentication information and the registration information, and decrypted using the decryption key to calculate the distance, calculated the distance or predetermined and the distance The comparison result with the threshold value is output as the collation result .
In the registration request processing, the i-th component of the registration information which is the numerical vector (where i is a non-negative integer of L-1 or less and L is a positive integer of 2 or more) is used as the coefficient of the i-order term. An order polynomial is generated, and in the authentication request processing, the inverse element of the i-th component of the authentication information, which is the numerical vector, is set as the coefficient of the term of the N-i order (where N is a positive integer larger than L). Generate an order integer or
In the registration request processing, the inverse element of the i-th component (where i is a non-negative integer of L-1 or less and L is a positive integer of 2 or more) of the registration information which is the numerical vector is N-i order (however, N). Is a positive integer greater than L), and an Nth-order polymorphic element is generated. A cryptographic text matching method characterized by generating an order integer. Registration request processing and
Collation assistance processing and
Authentication request processing and
Verification process and
Is a program that causes a computer to execute
The verification process calculates a pair of encryption key and decryption key of a homomorphic encryption method capable of polynomial operations, and publishes the encryption key.
In the registration request processing, when registering registration information,
The registration information, which is a numerical vector, is polynomialized, and the polynomialized registration information is encrypted using the encryption key.
In the collation assistance process,
When an authentication request is received from the authentication request processing, one coefficient and its order are randomly selected, a monomial expression in which a coefficient other than the coefficient of the order is set to 0 is generated, and the monomial expression is used with the encryption key. A challenge consisting of the encrypted text is sent to the authentication request processing.
In the authentication request processing,
Based on the polynomialized authentication information obtained by polynomializing the authentication information which is a numerical vector and the challenge from the collation assisting process, the encryption key is used to generate the polynomialized authentication information and the challenge. The ciphertext of the product of the mononomial expression used is calculated, and the ciphertext of the product of the polynomialized authentication information and the mononomial expression used for generating the challenge is sent to the collation assistance process as a response. death,
In the collation assistance process,
When the response is received from the authentication request processing, the registration information is used using the encryption key based on the response, the challenge assistance consisting of the one coefficient and its order, and the encrypted registration information. And the ciphertext of the distance of the authentication information is calculated, and the ciphertext of the distance between the registration information and the authentication information is sent to the verification process.
In the verification process,
The ciphertext of the distance between the registration information and the authentication information received from the collation assistance process is decrypted using the decryption key to calculate the distance, and the calculated distance or the distance is predetermined. The comparison result with the threshold value is output as the collation result.
In the registration request processing, the i-th component (where i is a non-negative integer of L-1 or less and L is a positive integer of 2 or more) of the registration information which is the numerical vector is used as the coefficient of the i-order term. An order polynomial is generated, and in the authentication request processing, the inverse element of the i-th component of the authentication information, which is the numerical vector, is set as the coefficient of the term of the N-i order (where N is a positive integer larger than L). Generate an order integer or
In the registration request processing, the inverse element of the i-th component (where i is a non-negative integer of L-1 or less and L is a positive integer of 2 or more) of the registration information which is the numerical vector is N-i order (however, N). Is a positive integer greater than L), and an Nth-order polymorphic element is generated. A program that generates an order integer. Including a registration request device, a verification auxiliary device, an authentication request device, and a verification device,
The verification device calculates a pair of an encryption key and a decryption key of a homomorphic encryption method capable of polynomial operations, and publishes the encryption key.
The registration request device is
A first template in which the first polynomial generated from each component of the numerical vector of the registration target information is encrypted with the encryption key is generated .
Calculate the sum of squares of each coefficient of the first polynomial,
A second template in which the sum of squares is encrypted with the encryption key is generated.
The collation assisting device is
When an authentication request is received from the authentication request device, one coefficient and its order are randomly selected.
A monomial expression is generated in which a coefficient other than the coefficient of the order is set to 0.
Generate a challenge consisting of a ciphertext in which the monomial is encrypted with the encryption key.
Send the challenge to the certification requester and
The authentication requesting device is
Generate a second polynomial generated from each component of the numerical vector of the authentication target information,
By calculating the product of the challenge and the second polynomial from the collation assisting device while the challenge is encrypted, a first response composed of the ciphertext of the product is generated .
Calculate the sum of squares of each coefficient of the second polynomial,
A second response in which the sum of squares is encrypted with the encryption key is generated.
The first response and the second response are sent to the collation assisting device, and the first response and the second response are sent to the collation assisting device.
The collation assisting device is
Based on the one coefficient and the unary generated from the challenge auxiliary consisting of its degree and the first response, generates a ciphertext of said second polynomial,
Based on the first template and the ciphertext of the second polynomial, the encrypted inner product of the numerical vector of the registration target information and the numerical vector of the authentication target information is obtained.
Using the encrypted inner product, the second template, and the second response, a ciphertext of the distance between the numerical vector of the registration target information and the numerical vector of the authentication target information is calculated.
The ciphertext at the distance is sent to the verification device,
The verification device is
The ciphertext of the distance between the numerical vector of the registration target information and the numerical vector of the authentication target information received from the collation assisting device is decrypted using the decryption key to calculate the distance.
Calculated the distance, or the result of comparison between the distance and the predetermined threshold value, and outputs the collation result,
The registration requesting device generates the first polynomial by polynomializing each component of the numerical vector of the registration target information as a coefficient in ascending order, and the authentication requesting device is a numerical vector of the authentication target information. The second polynomial is generated by polynomialization in which the inverse element of each component of is used as each coefficient in descending order, or
The registration requesting device generates the first polynomial by polynomializing the inverse elements of each component of the numerical vector of the registration target information as each coefficient in descending order, and the certification requesting device generates the authentication target information. A code sentence matching system characterized in that the second polynomial is generated by polynomialization in which each component of the numerical vector of is made into a coefficient in ascending order. Ciphertext verification method by at least one computer
Including registration request processing, verification assistance processing, authentication request processing, and verification processing,
In the verification process, a pair of encryption key and decryption key of a homomorphic encryption method capable of polynomial operation is calculated, and the encryption key is made public.
The registration request processing is
A first template in which the first polynomial generated from each component of the numerical vector of the registration target information is encrypted with the encryption key is generated .
Calculate the sum of squares of each coefficient of the first polynomial,
A second template in which the sum of squares is encrypted with the encryption key is generated.
The collation assistance process is
When an authentication request is received from the authentication request processing, one coefficient and its order are randomly selected.
A monomial expression is generated in which a coefficient other than the coefficient of the order is set to 0.
Generate a challenge consisting of a ciphertext in which the monomial is encrypted with the encryption key.
Send the challenge to the certification request processing and
The authentication request processing is
Generate a second polynomial generated from each component of the numerical vector of the authentication target information,
By calculating the product of the challenge and the second polynomial from the collation assist processing while the challenge is encrypted, a first response composed of the ciphertext of the product is generated .
Calculate the sum of squares of each coefficient of the second polynomial,
A second response in which the sum of squares is encrypted with the encryption key is generated.
The first response and the second response are sent to the collation assistance process,
The collation assistance process is
Based on the one coefficient and the unary generated from the challenge auxiliary consisting of its degree and the first response, generates a ciphertext of said second polynomial,
Based on the first template and the ciphertext of the second polynomial, the encrypted inner product of the numerical vector of the registration target information and the numerical vector of the authentication target information is obtained.
Using the encrypted inner product, the second template, and the second response, a ciphertext of the distance between the numerical vector of the registration target information and the numerical vector of the authentication target information is calculated.
The ciphertext at the distance is sent to the verification process and
The verification process is
The ciphertext of the distance between the numerical vector of the registration target information and the numerical vector of the authentication target information received from the collation assistance process is decrypted using the decryption key to calculate the distance.
Calculated the distance, or the result of comparison between the distance and the predetermined threshold value, and outputs the collation result,
The registration request process generates the first polynomial by polynomializing each component of the numerical vector of the registration target information as each coefficient in ascending order, and the authentication request process is the numerical vector of the authentication target information. The second polynomial is generated by polynomialization in which the inverse element of each component of is used as each coefficient in descending order, or
The registration request process generates the first polynomial by polynomializing the inverse element of each component of the numerical vector of the registration target information as each coefficient in descending order, and the authentication request process is the authentication target information. A code sentence collation method, characterized in that the second polynomial is generated by polynomialization in which each component of the numerical vector of is used as each coefficient in ascending order.

Images