WO2014175334A1 - Ciphertext verification system, method, and program - Google Patents
- Publication number
- WO2014175334A1 (PCT/JP2014/061437)
- Authority
- WO
- WIPO (PCT)
- Prior art keywords
- data
- ciphertext
- unit
- input
- key
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/06—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols the encryption apparatus using shift registers or memories for block-wise or stream coding, e.g. DES systems or RC4; Hash functions; Pseudorandom sequence generators
- H04L9/0618—Block ciphers, i.e. encrypting groups of characters of a plain text message using fixed encryption transformation
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/30—Authentication, i.e. establishing the identity or authorisation of security principals
- G06F21/31—User authentication
- G06F21/32—User authentication using biometric data, e.g. fingerprints, iris scans or voiceprints
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/60—Protecting data
- G06F21/62—Protecting access to data via a platform, e.g. using keys or access control rules
- G06F21/6218—Protecting access to data via a platform, e.g. using keys or access control rules to a system of files or objects, e.g. local or distributed file system or database
- G06F21/6245—Protecting personal data, e.g. for financial or medical purposes
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/002—Countermeasures against attacks on cryptographic mechanisms
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/008—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols involving homomorphic encryption
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/06—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols the encryption apparatus using shift registers or memories for block-wise or stream coding, e.g. DES systems or RC4; Hash functions; Pseudorandom sequence generators
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/08—Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
- H04L9/0816—Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use
- H04L9/0819—Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s)
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/32—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
- H04L9/3226—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials using a predetermined code, e.g. password, passphrase or PIN
- H04L9/3231—Biological data, e.g. fingerprint, voice or retina
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/32—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
- H04L9/3236—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials using cryptographic hash functions
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L2209/00—Additional information or applications relating to cryptographic mechanisms or cryptographic arrangements for secret or secure communication H04L9/00
- H04L2209/24—Key scheduling, i.e. generating round keys or sub-keys for block encryption
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L2209/00—Additional information or applications relating to cryptographic mechanisms or cryptographic arrangements for secret or secure communication H04L9/00
- H04L2209/34—Encoding or coding, e.g. Huffman coding or error correction
Definitions
- The present invention is based on Japanese Patent Application No. 2013-091468 (filed on April 24, 2013), the entire contents of which are incorporated herein by reference.
- The present invention relates to a ciphertext verification system, method, and program.
- Biometric authentication technology, which is based on biometric features such as fingerprints and veins and offers higher security, has attracted attention.
- In biometric authentication, a template related to the biometric information must be stored in a database in order to verify authentication information.
- Biometric information such as fingerprints and veins is basically data that does not change throughout life. Because the damage from a leak is serious, biometric information is the information that most requires confidentiality. Therefore, "spoofing" must be prevented even if the template is leaked.
- Patent Document 1 discloses a method of performing biometric authentication by expressing fingerprint data as a point on a polynomial, adding a random point to the point, and concealing the fingerprint data as a template.
- Patent Document 1 has a problem as to whether biometric information is protected with sufficient strength when biometric authentication is repeated many times.
- Non-Patent Document 1 discloses a method of protecting biological information by masking a template placed on a database with a random BCH (Bose-Chaudhuri-Hocquenghem) codeword.
- A biometric authentication template is generated using biometric information Z and confidential information S.
- Fig. 5 is a diagram based on Fig. 2 of Non-Patent Document 1. Feature extraction, statistical analysis, quantization, etc. are omitted. Template enrollment is performed as follows.
- The secret information S is input to the encoder (enc) and error correction coding (ECC) is performed to generate a code word C.
- ECC uses a binary BCH code of parameters (K, s, d).
- K is the length of the code word
- s is the number of information symbols
- d is the number of correctable errors.
- Calculate the exclusive OR of C and Z: W2 = C (+) Z, where (+) represents the bitwise exclusive OR operation (bitwise XOR).
- The hash value H (S) is obtained by inputting S to a cryptographic (one-way) hash function H such as SHA-1 (Secure Hash Algorithm 1).
- Verification: whether the template generated by (1) to (4) above and another piece of biometric information Z ′ were collected from the same person is verified as follows.
- (3) S ′ is input to a cryptographic hash function H such as SHA-1, and a hash value H (S ′) is calculated.
- Read H (S) from the database (DB) and check whether H (S) = H (S ′) is satisfied.
- H (S) H (S ′)
- H (S ′) H (S ′)
- The above method does not depend on how the biometric information Z is acquired. For this reason, it can generally be interpreted as a method for verifying, without decrypting the concealed (encrypted) data, whether a ciphertext is an encryption of data within a certain Hamming distance of the presented data.
- In Non-Patent Document 1, to make it possible to collate whether the presented data is within a certain Hamming distance of the encrypted data, plaintext information sometimes needs to be sent out when the ciphertext is collated.
- Collation can therefore be performed by obtaining a value of Z ′ and retransmitting it. Viewed as biometric authentication, this means that a person can be impersonated by someone who obtains the data that person sent for authentication.
- The present invention was created in view of the above-mentioned problems, and its purpose is to provide a system, a method, and a program capable of avoiding leakage of information about the original plaintext and ensuring security in the collation of ciphertexts.
- The plaintext Hamming distance is used for a first ciphertext, obtained by encrypting input data and registered in a storage device, and a second ciphertext, obtained by encrypting the input data to be verified.
- Intermediate data, generated based on the difference between the first ciphertext and the second ciphertext and on the second auxiliary data, is one-way converted.
- A ciphertext verification system is provided that includes means for determining, using the result of the one-way conversion of the intermediate data and the first auxiliary data that has been unidirectionally converted, whether or not the Hamming distance of the plaintext corresponding to the difference between the first ciphertext and the second ciphertext is less than or equal to the predetermined value.
- A biometric authentication system including the ciphertext matching system is provided.
- The plaintext Hamming distance is used for a first ciphertext, obtained by encrypting input data and registered in a storage device, and a second ciphertext, obtained by encrypting the input data to be verified.
- A ciphertext matching method is provided in which intermediate data, generated based on the difference between the first ciphertext and the second ciphertext and on the second auxiliary data, is one-way converted, and in which it is determined, using the result of the one-way conversion of the intermediate data and the first auxiliary data subjected to the one-way conversion, whether or not the Hamming distance of the plaintext corresponding to the difference between the first ciphertext and the second ciphertext is equal to or less than the predetermined value.
- The plaintext Hamming distance is used for a first ciphertext, obtained by encrypting input data and registered in a storage device, and a second ciphertext, obtained by encrypting the input data to be verified.
- A process for determining whether or not the Hamming distance of the plaintext corresponding to is less than or equal to the predetermined value is provided.
- A computer-readable recording medium (magnetic / optical recording medium, semiconductor recording medium)
- A diagram illustrating the configuration of Embodiment 1 of the present invention.
- (A) and (B) are diagrams explaining the data registration phase and the ciphertext collation phase of Embodiment 1 of the present invention.
- A diagram illustrating the configuration of Embodiment 2 of the present invention.
- A diagram explaining the ciphertext collation phase of Embodiment 2 of the present invention.
- A diagram illustrating the system of Non-Patent Document 1.
- A diagram explaining the concept of the invention.
- Embodiments of the present invention will be described. First, the basic concept of the present invention will be described.
- Input data to be collated is encrypted.
- Registration data for performing collation of the input data is encrypted.
- The plaintext Hamming distance is used as the index (an index of ambiguity) for collation (match) determination (verification).
- The input data for verification is encrypted by an encryption method with high confidentiality.
- Key information used for data concealment is changed every time collation is performed. For this reason, even when collation is performed many times, the possibility of leakage of information related to the plaintext can be kept low, increasing attack resistance and contributing to security improvement.
- The ciphertext matching system 10 provides auxiliary data (auxiliary data for verifying a ciphertext using a plaintext Hamming distance).
- The auxiliary data generation means (unit) (14) generates auxiliary data 1 and auxiliary data 2, respectively, for ciphertext 1, obtained by encrypting input data with the encryption means (unit) (11) and registered in the storage device (13), and for ciphertext 2, obtained by encrypting the input data to be verified with the encryption means (unit) (12). The auxiliary data are used to verify that the Hamming distance of the plaintext between ciphertext 1 and ciphertext 2 is not more than a predetermined value.
- The collation determination means (unit) performs unidirectional conversion on at least a part of auxiliary data 1 by the unidirectional conversion means (unit) (14h), and unidirectionally converts, by the unidirectional conversion means (unit) (15h), the intermediate data generated based on the difference between ciphertext 1 and ciphertext 2 and on auxiliary data 2. Using the result of the one-way conversion of the intermediate data and the auxiliary data 1 subjected to the one-way conversion, it determines whether or not the plaintext Hamming distance corresponding to the difference between ciphertext 1 registered in the storage device (13) and ciphertext 2 of the input data to be collated is less than or equal to the predetermined value.
- Each means of the ciphertext verification system 10 (apparatus) may realize its processing / function by a program executed on a computer constituting the ciphertext verification system 10 (apparatus).
- The ciphertext is the exclusive OR of the plaintext and a codeword obtained by encoding, with an error correction code having linearity, the key for encrypting the plaintext of the input data.
- The first and second auxiliary data, relating respectively to the ciphertext registered in the storage device and to the ciphertext of the input data to be collated, are each calculated based on the exclusive OR of an inner product of the key and a constant with a cryptographic hash function applied to the ciphertext and a random number.
- The data sent by the user performing the collation is also encrypted with an encryption key that is not known to, for example, the database administrator who performs the collation processing operation. For this reason, even when collation processing is performed a plurality of times, or even when a database administrator or the like performing the collation processing is malicious, it is possible to prevent leakage of information regarding the original plaintext during the collation processing.
- The system according to the first embodiment of the present invention includes a registered data generation device 100, a storage device 200, a data concealment device 300, and a designated data verification device 400.
- Each of these devices may be combined into one device at one site or the like, or may be distributed and interconnected via communication means.
- The registration data generation apparatus 100 includes an encryption unit 101, a key generation unit 102, a registration auxiliary data generation unit 103, and a unidirectional conversion unit 104.
- The encryption unit 101 receives input data to be concealed and a key for concealing the input data, and outputs encrypted data obtained by performing concealment processing on the input data using the key.
- The key generation unit 102 generates a key for the encryption unit 101 to conceal input data, and outputs the key to the encryption unit 101 and the registration auxiliary data generation unit 103.
- The registration auxiliary data generation unit 103 receives as input the input data, the encrypted data output from the encryption unit 101, and the key output from the key generation unit 102.
- The registration auxiliary data generation unit 103 outputs data for determining that the Hamming distance between the input data corresponding to the encrypted data output from the encryption unit 301 of the data concealment device 300 and the input data input to the encryption unit 101 is equal to or less than a predetermined value (within a certain number).
- The one-way conversion unit 104 outputs a result of one-way conversion of part or all of the data (intermediate data) generated by the registration auxiliary data generation unit 103.
- The ciphertext output by the encryption unit 101 of the registered data generation apparatus 100 has the following property: if the ciphertext obtained by encrypting the input data m1 with the key k1 is c1, and the ciphertext obtained by encrypting the input data m2 with the key k2 is c2, then the sum c1 + c2 of c1 and c2 is a ciphertext obtained by encrypting the input data m1 + m2 with the key k1 + k2.
- The storage device 200 includes an identifier management unit 201, a ciphertext storage unit 202, and an auxiliary data storage unit 203.
- The ciphertext storage unit 202 and the auxiliary data storage unit 203 receive and store the encrypted data and registration auxiliary data output from the registered data generation apparatus 100, respectively.
- The ciphertext storage unit 202 and the auxiliary data storage unit 203 may be configured as a database (or may have a file configuration).
- When encrypted data is collated, the ciphertext storage unit 202 and the auxiliary data storage unit 203, under the control of the identifier managing unit 201, output to the designated data verification device 400 the encrypted data and auxiliary data corresponding to the identifier input from the designated data collating device 400.
- The identifier management unit 201 of the storage device 200 manages the identifier that uniquely identifies the encrypted data and auxiliary data input from the registered data generation device 100.
- The identifier management unit 201 outputs to the ciphertext storage unit 202 and the auxiliary data storage unit 203 an instruction to output, respectively, the encrypted data and auxiliary data corresponding to the input identifier.
- The ciphertext storage unit 202 stores the encrypted data output from the encryption unit 101 of the registered data generation device 100, and outputs the corresponding encrypted data when an encryption data output command is input from the identifier management unit 201.
- The auxiliary data storage unit 203 stores auxiliary data output by the registration auxiliary data generation unit 103 of the registration data generation apparatus 100, and outputs the corresponding auxiliary data when the encryption data output command is input from the identifier management unit 201.
- The data concealment device 300 includes an encryption unit 301, a key generation unit 302, and an auxiliary data generation unit 303.
- The encryption unit 301 receives input data to be concealed (input data to be collated) and a key for concealing the input data, and outputs encrypted data obtained by performing encryption processing on the input data using the key.
- The key generation unit 302 generates a key for the encryption unit 101 to conceal input data, and outputs the key to the encryption unit 301 and the auxiliary data generation unit 303.
- The auxiliary data generation unit 303 receives as input the input data (input data to be verified), the encrypted data output by the encryption unit 301, and the key output from the key generation unit 302 to the encryption unit 301.
- The auxiliary data generation unit 303 outputs auxiliary data for determining that the Hamming distance between the input data (plaintext) corresponding to the encrypted data (registered encrypted data) output from the encryption unit 101 of the registration data generation device 100 and the input data (plaintext) input to the encryption unit 301 is less than or equal to a predetermined value (within a certain number).
- This auxiliary data is auxiliary information used for determining that collation succeeds (match) if the Hamming distance between the input data (plaintext) corresponding to the registered encrypted data and the input data to be verified (plaintext) input to the encryption unit 301 is equal to or less than a predetermined value (or less than a predetermined value), and that collation fails (mismatch) when the predetermined value is exceeded (or is greater than or equal to the predetermined value).
- The ciphertext output by the encryption unit 301 of the data concealment device 300 is calculated by the same method as in the encryption unit 101. That is, if the ciphertext obtained by encrypting the input data m1 with the key k1 is c1, and the ciphertext obtained by encrypting the input data m2 with the key k2 is c2, then the sum c1 + c2 of c1 and c2 is a ciphertext obtained by encrypting the input data m1 + m2 with the key k1 + k2.
- The designated data collating apparatus 400 includes an identifier holding unit 401, a ciphertext subtracting unit 402, a coincidence determining unit 403, a control unit 404, and a unidirectional conversion unit 405.
- The identifier holding unit 401 receives an identifier as input and outputs an instruction to the identifier management unit 201 of the storage device 200 so that the ciphertext data and the auxiliary data corresponding to the identifier input to the storage device 200 are output.
- The ciphertext subtraction unit 402 receives as input one of the encrypted data (registered encrypted data) stored in the ciphertext storage unit 202 of the storage device 200 and the encrypted data output from the encryption unit 301 of the data concealment device 300, and outputs the difference c1 - c2 between the two input encrypted data c1 and c2.
- If c1 is the ciphertext obtained by encrypting the input data m1 with the key k1, and c2 is the ciphertext obtained by encrypting the input data m2 with the key k2, then the difference c1 - c2 between the two ciphertexts c1 and c2 is the ciphertext obtained by encrypting the input data m1 - m2 with the key k1 - k2.
- The coincidence determination unit 403 receives as input the auxiliary data stored in the auxiliary data storage unit 203 of the storage device 200, the auxiliary data output from the auxiliary data generation unit 303 of the data concealment device 300, and the difference between the two encrypted data output from the ciphertext subtraction unit 402.
- The coincidence determination unit 403 sends to the unidirectional conversion unit 405 the intermediate data generated from the auxiliary data output from the auxiliary data generation unit 303 of the data concealment device 300 and the difference between the two encrypted data output from the ciphertext subtraction unit 402.
- The one-way conversion unit 405 returns the result of one-way conversion of the intermediate data sent from the match determination unit 403 to the match determination unit 403.
- The coincidence determination unit 403 determines, from the unidirectionally converted data generated by the unidirectional conversion unit 405 from the intermediate data and one of the one-way converted auxiliary data stored in the auxiliary data storage unit 203 of the storage device 200, whether or not the Hamming distance between the plaintexts m1 and m2 corresponding to the two encrypted data c1 and c2 input to the ciphertext subtracting unit 402 is equal to or less than a predetermined value, and outputs the result.
- The control unit 404 controls communication and the like when the data concealment device 300 and the designated data verification device 400 exchange data.
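The following is an added example, not code from the patent or from Non-Patent Document 1. It runs the template enrollment and verification of Non-Patent Document 1 described earlier (W2 = C (+) Z, compare H (S) with H (S ′)) and then the ciphertext property described above (ciphertext = codeword of the key (+) plaintext, so c1 - c2 encrypts m1 - m2 under k1 - k2), without implementing the auxiliary data. Assumptions: a binary BCH(15, 7) code correcting 2 errors, SHA-256 as H, the usual XOR-then-decode steps for the verification steps the text does not list, and constructed sample values and function names.

```python
import hashlib
import hmac

# Assumption: binary BCH(15, 7), which corrects T = 2 bit errors.
# Bit vectors are Python ints; "+" and "-" on them are both XOR.
G = 0b111010001            # generator polynomial x^8 + x^7 + x^6 + x^4 + 1
K, S_BITS, T = 15, 7, 2    # codeword length, information bits, correctable errors


def bch_encode(msg: int) -> int:
    """Multiply msg(x) by g(x) over GF(2); the map is linear in msg."""
    codeword = 0
    for i in range(S_BITS):
        if (msg >> i) & 1:
            codeword ^= G << i
    return codeword


CODEBOOK = {bch_encode(s): s for s in range(1 << S_BITS)}


def hamming(a: int, b: int) -> int:
    return bin(a ^ b).count("1")


def bch_decode(word: int):
    """Nearest-codeword search; returns the message, or None beyond T errors."""
    for codeword, msg in CODEBOOK.items():
        if hamming(codeword, word) <= T:
            return msg
    return None


def H(value: int) -> bytes:
    # SHA-256 stands in for the text's "hash function H such as SHA-1".
    return hashlib.sha256(value.to_bytes(2, "big")).digest()


# Non-Patent Document 1: template = (W2, H(S)) with W2 = C (+) Z.
def enroll(z: int, s: int):
    return bch_encode(s) ^ z, H(s)


def verify(template, z_prime: int) -> bool:
    # The verifier is handed Z' itself: the plaintext exposure the text describes.
    w2, h_s = template
    s_prime = bch_decode(w2 ^ z_prime)   # C' = W2 (+) Z', then decode to S'
    return s_prime is not None and hmac.compare_digest(H(s_prime), h_s)


# The patent's encryption: ciphertext = codeword(key) (+) plaintext.
def encrypt(m: int, k: int) -> int:
    return bch_encode(k) ^ m


def decode_difference(c1: int, c2: int):
    """Decode c1 - c2, the encryption of m1 - m2 under the key k1 - k2."""
    return bch_decode(c1 ^ c2)


def demo():
    z = 0b101100111000101              # constructed 15-bit feature vector
    near = z ^ 0b000010000000100       # differs from z in 2 bits
    far = z ^ G                        # differs in 5 bits; the difference is a codeword
    template = enroll(z, s=0b0101010)
    k1, k2 = 0b1100101, 0b0011110      # constructed keys, a new k2 for each collation
    c1 = encrypt(z, k1)
    return {
        "npd1_near": verify(template, near),
        "npd1_far": verify(template, far),
        "key_diff": k1 ^ k2,
        "diff_near": decode_difference(c1, encrypt(near, k2)),
        "diff_far": decode_difference(c1, encrypt(far, k2)),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

In this example `diff_near` equals `key_diff`, while `diff_far` decodes cleanly to a different key, so a successful decode of c1 - c2 is not by itself the match decision; the decoded value still has to be checked, which in the patent is done by comparing one-way-converted data.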
- The operation of the ciphertext verification system of the first embodiment is roughly divided into two phases, a data registration phase and a ciphertext verification phase.
- The data registration phase is a phase in which input data is input to the registration data generation device 100, the input data is encrypted, and the result is registered in the storage device 200 together with auxiliary data.
- The ciphertext verification phase is a phase in which the input data input to the data concealment device 300 is encrypted, and it is determined whether or not the encrypted data and auxiliary data generated at that time are close in plaintext (the Hamming distance is equal to or smaller than a predetermined value) to the encrypted data and auxiliary data in the storage device specified by a separately input identifier.
- Input data to be concealed is input to the encryption unit 101 of the registration data generation device 100 (step A1 in FIG. 2A).
- The key generation unit 102 of the registration data generation device 100 generates a key used for concealing input data, and outputs the key to the encryption unit 101 and the registration auxiliary data generation unit 103 (step A2 in FIG. 2A).
- The encryption unit 101 of the registered data generation device 100 calculates encrypted data obtained by encrypting the input data from the input data and the key that have been input, and stores the encrypted data in the ciphertext storage unit 202 of the storage device 200 (step A3 in FIG. 2A).
- The input data input in step A1, the key generated in step A2, and the encrypted data generated in step A3 are input to the registration auxiliary data generation unit 103 of the registration data generation device 100, and the registration auxiliary data generation unit 103 generates auxiliary data (step A4 in FIG. 2A).
- The auxiliary data output from the registration auxiliary data generation unit 103 is output to the unidirectional conversion unit 104.
- The unidirectional conversion unit 104 of the registration data generation apparatus 100 calculates post-conversion auxiliary data obtained by unidirectional conversion of the auxiliary data, and outputs it to the registration auxiliary data generation unit 103 (step A5 in FIG. 2A).
- The registration auxiliary data generation unit 103 of the registration data generation device 100 stores the converted auxiliary data input in step A5 in the auxiliary data storage unit 203 of the storage device 200 (step A6 in FIG. 2A).
- A unique identifier is allocated by the identifier management unit 201 to the data input to the storage device 200, so that the data can later be called (read) with the allocated identifier.
- An identifier is input to the identifier holding unit 401 of the designated data verification device 400.
- The encrypted data (registered encrypted data) corresponding to the input identifier is input from the ciphertext storage unit 202 of the storage device 200 to the ciphertext subtraction unit 402 of the designated data verification device 400.
- Auxiliary data corresponding to the input identifier is input from the auxiliary data storage unit 203 of the storage device 200 to the match determination unit 403 of the designated data verification device 400 (step B1 in FIG. 2B).
- The input data (data to be verified) is input to the encryption unit 301 of the data concealment device 300 (step B2 in FIG. 2B).
- The key generation unit 302 of the data concealment device 300 generates a key used for concealing input data, and outputs the generated key to the encryption unit 301 and the auxiliary data generation unit 303 of the data concealment device 300 (step B3 in FIG. 2B).
- The encryption unit 301 of the data concealment device 300 calculates encrypted data obtained by encrypting the input data from the input data input in step B2 and the key input in step B3, and inputs it to the ciphertext subtraction unit 402 of the designated data collating device 400 (step B4 in FIG. 2B).
- The auxiliary data generation unit 303 of the data concealment device 300 generates auxiliary data from the input data and the encrypted data obtained by encrypting the input data by the encryption unit 301 (step B5 in FIG. 2B).
- The ciphertext subtracting unit 402 of the designated data collating device 400, having received the encrypted data from the ciphertext storage unit 202 of the storage device 200 and from the encryption unit 301 of the data concealment device 300, outputs the difference between the two input encrypted data to the match determination unit 403 of the designated data collating apparatus 400 (step B6 in FIG. 2B). Further, the auxiliary data storage unit 203 of the storage device 200 and the auxiliary data generation unit 303 of the data concealment device 300, controlled by the control unit 404 of the designated data collating device 400, communicate in cooperation, and auxiliary data is input from each of them to the matching determination unit 403 of the designated data collating device 400.
- The coincidence determination unit 403 of the designated data collating apparatus 400, having received in step B6 the difference between the two encrypted data from the ciphertext subtraction unit 402 of the designated data matching device 400, the converted auxiliary data from the auxiliary data storage unit 203 of the storage device 200, and the auxiliary data from the auxiliary data generation unit 303 of the data concealment device 300, first generates intermediate data from the difference between the two encrypted data and the auxiliary data, and outputs it to the unidirectional conversion unit 405 of the designated data collating apparatus 400 (step B7 in FIG. 2B).
- The unidirectional conversion unit 405 of the designated data collating apparatus 400 generates post-conversion intermediate data obtained by unidirectionally transforming the intermediate data, and outputs it to the coincidence determining unit 403 of the designated data collating apparatus 400 (step B8 in FIG. 2B).
- The coincidence determination unit 403 of the designated data collating device 400 determines, from the post-conversion data and the auxiliary data, whether or not the Hamming distance between the plaintext of the encrypted data input to the ciphertext subtracting unit 402 of the designated data collating device 400 in step B1 and the plaintext of the encrypted data input to the ciphertext subtraction unit 402 of the designated data verification device 400 in step B4 is equal to or less than a predetermined value (step B9 in FIG. 2B).
- each apparatus 100, 200, 300, 400 of FIG. 1 may be mounted on one computer system, or each apparatus may be configured as a single unit.
- each unit in each device 100, 200, 300, 400 may be configured as a single device.
- the processing of each unit of each device in FIG. 1 may be realized by a program executed by a computer.
- a recording medium (semiconductor memory, magnetic/optical disk) on which the program is recorded is provided.
- Embodiment 2 of the present invention will be described.
- in Embodiment 1, input data and an identifier are input to the system, and the plaintext of the encrypted data corresponding to the identifier is compared with the input data. In this embodiment, only input data is input to the system, and the identifier of the encrypted data that matches the input data is output.
- the system of the second embodiment includes a registered data generation device 100, a storage device 200, a data concealment device 300, and a data verification device 500.
- the registered data generation device 100, the storage device 200, and the data concealment device 300 have the same configuration as that of the first embodiment, and the configuration of the data verification device 500 is different from that of the first embodiment.
- the data verification device 500 includes an all data request unit 501, a ciphertext subtraction unit 502, a match determination unit 503, a control unit 504, an identifier output unit 505, and a unidirectional conversion unit 506.
- the all data request unit 501 inputs, to the identifier management unit 201, an instruction for sequentially reading all data stored in the storage device 200 in accordance with an instruction from the identifier output unit 505.
- the ciphertext subtracting unit 502 receives one of the encrypted data stored in the ciphertext storage unit 202 of the storage device 200 and the encrypted data output from the encryption unit 301 of the data concealment device 300 as input.
- the difference c1-c2 between the two encrypted data c1 and c2 is output.
- c1 is a ciphertext obtained by encrypting the input data m1 with the key k1
- c2 is the ciphertext obtained by encrypting the input data m2 with the key k2
- the difference c1-c2 between the two ciphertexts c1 and c2 is the ciphertext obtained by encrypting the input data m1-m2 with the key k1-k2.
- the match determination unit 503 receives as input the auxiliary data stored in the auxiliary data storage unit 203 of the storage device 200, the auxiliary data output from the auxiliary data generation unit 303 of the data concealment device 300, and the difference between the two encrypted data output from the ciphertext subtraction unit 502.
- the match determination unit 503 sends intermediate data, generated from data including at least the auxiliary data output from the auxiliary data generation unit 303 of the data concealment device 300 and the difference between the two encrypted data output from the ciphertext subtraction unit 502, to the unidirectional conversion unit 505.
- the one-way conversion unit 505 returns the result of the one-way conversion of the intermediate data to the match determination unit 503.
- from the unidirectionally converted data generated by the unidirectional conversion unit 505 according to the intermediate data, and the unidirectionally converted auxiliary data stored in the auxiliary data storage unit 203 of the storage device 200, the match determination unit 503 outputs whether the Hamming distance between the plaintexts m1 and m2, corresponding respectively to the two encrypted data c1 and c2 input to the ciphertext subtraction unit 502, is equal to or less than a predetermined value.
- the control unit 504 controls communication when the data concealment device 300 and the data collation device 500 exchange data.
- the identifier output unit 505 receives as input the identifier for which the identifier management unit 201 issued a data output command to the ciphertext storage unit 202 and the auxiliary data storage unit 203, and the collation result output by the match determination unit 503. When the match determination unit 503 has determined a match, it outputs the identifier input from the identifier management unit 201.
- the data registration phase is a phase in which input data is input to the registration data generation device 100, the input data is encrypted, and is registered in the storage device 200 together with auxiliary data.
- the ciphertext verification phase is a phase in which input data is input to the data concealment device 300 and encrypted, and the identifier is output for encrypted data in the storage device 200 whose plaintext is close to (has a small Hamming distance from) that of the encrypted data and auxiliary data generated at that time. Since the data registration phase is the same as that of the first embodiment, description thereof is omitted.
- input data is input to the encryption unit of the data concealment device 300 (step C1 in FIG. 4).
- the key generation unit 302 of the data concealment device 300 generates a key used for concealing input data, and outputs the key to the encryption unit 301 and the auxiliary data generation unit 303 of the data concealment device 300 (step C2 in FIG. 4).
- the encryption unit 301 of the data concealment device 300 calculates encrypted data by encrypting the input data received in step C1 with the key received in step C2, and inputs it to the ciphertext subtraction unit 502 of the data verification device 500 (step C3 in FIG. 4).
- an identifier is input to the identifier management unit 201 of the storage device 200 from the all data request unit 501 of the data verification device 500.
- the cipher data corresponding to the input identifier is input from the ciphertext storage unit 202 of the storage device 200 to the ciphertext subtraction unit 502 of the data verification device 500.
- auxiliary data corresponding to the input identifier is input from the auxiliary data storage unit 203 of the storage device 200 to the match determination unit 503 (step C4 in FIG. 4).
- the ciphertext subtraction unit 502 of the data collating device 500, having received ciphertexts from the ciphertext storage unit 202 of the storage device 200 and from the encryption unit 301 of the data concealment device 300, outputs the difference between the two input encrypted data to the match determination unit 503 of the data collating device 500 (step C5 in FIG. 4).
- under the control of the control unit 504 of the data collating device 500, the auxiliary data storage unit 203 of the storage device 200 and the auxiliary data generation unit 303 of the data concealment device 300 communicate in cooperation, and auxiliary data is input from each of them to the match determination unit 503 of the data verification device 500.
- the match determination unit 503 of the data collating device 500, having received the difference between the two encrypted data from the ciphertext subtraction unit 502 of the data collating device 500, the converted auxiliary data from the auxiliary data storage unit 203 of the storage device 200, and the auxiliary data from the auxiliary data generation unit 303 of the data concealment device 300, generates intermediate data from the difference between the two encrypted data and the auxiliary data, and outputs it to the one-way conversion unit 506 of the data collating device 500 (step C6 in FIG. 4).
- when the one-way conversion unit 506 receives the intermediate data output from the match determination unit 503 of the data collating device 500, it generates post-conversion intermediate data by unidirectionally converting the intermediate data, and outputs it to the match determination unit 503 of the data collating device 500 (step C7 in FIG. 4).
- the match determination unit 503 of the data verification device 500 determines, from the post-conversion intermediate data output from the one-way conversion unit 506 of the data verification device 500 and the auxiliary data from the auxiliary data generation unit 303 of the data concealment device 300, whether the Hamming distance between the plaintext of the encrypted data input to the ciphertext subtraction unit 502 of the data collating device 500 in step C1 and the plaintext of the encrypted data input to the ciphertext subtraction unit 502 of the data collating device 500 in step C4 is equal to or less than a predetermined value (step C8 in FIG. 4).
- if the result of step C8 is a match, the identifier output unit 505 of the data collating device 500 outputs the identifier input to the identifier management unit 201 of the storage device 200 in step C4 (step C9 in FIG. 4).
- the processing from step C4 to step C9 is repeated for all identifiers (encrypted data and auxiliary data) stored in the storage device 200 and managed by the identifier management unit 201 of the storage device 200.
- each apparatus 100, 200, 300, 500 of FIG. 3 may be mounted on one computer system, or each apparatus may be configured as a single unit.
- each unit in each device 100, 200, 300, 400 may be configured as a single device.
- the processing of each unit of each device in FIG. 1 may be realized by a program executed by a computer.
- a recording medium (semiconductor memory, magnetic/optical disk) on which the program is recorded.
- Example 1 is a specific example of the first embodiment.
- an N-bit binary string Z is input to the encryption unit 101 of the registration data generation apparatus 100 as input data.
- the key generation unit 102 of the registration data generation device 100 generates a key (K-bit random number) S and outputs it to the encryption unit 101 and the registration auxiliary data generation unit 103.
- the encryption unit 101 calculates N-bit encrypted data W1 as the exclusive OR of an N-bit code word C, obtained by encoding the input K-bit key S with a binary BCH code, and the N-bit input data Z (the following equation (1)), and stores it in the ciphertext storage unit 202 of the storage device 200.
- the binary BCH code used here is a code that takes K-bit data as input and outputs N-bit data (N > K), and any two different code words are guaranteed to have a Hamming distance of at least d.
- the registration auxiliary data generation unit 103 calculates auxiliary data W2 by means of the unidirectional conversion unit 104, for example according to the following equation (2).
- c is a K-bit constant.
- R is an N-bit random number (data that is unlikely to be used repeatedly).
- h is a cryptographic hash function (one-way hash function: SHA-256, etc.) with an output of k bits.
- H (x, y, z) is defined as a function expressed by the following equation (3).
- H(a1, b1, c1) (+) H(a2, b2, c2) = H(a1 (+) a2, b1, c1) (+) h(b2, c2) ... (4)
- the code word data obtained by performing error correction coding with the BCH code is defined as C3 (where ∥ is an operation symbol representing the concatenation of bits), and from C3 and Z, the registration auxiliary data generation unit 103 calculates auxiliary data W3 according to the following equation (6).
- the registration auxiliary data generation unit 103 registers the set of (W2, W3) obtained by the above equations (2) and (6) in the auxiliary data storage unit 203 as auxiliary data.
- a unique identifier is allocated to the data input to the storage device 200 by the identifier management unit 201, and later, it is possible to call with the allocated identifier.
- the encrypted data W1 associated with the identifier i and the auxiliary data W2 and W3 are represented as W1 [i], W2 [i], and W3 [i], respectively.
- the identifier i is first input to the identifier holding unit 401 of the designated data verification device 400.
- Cipher data W1 [i] corresponding to the input identifier i is read from the ciphertext storage unit 202 of the storage device 200 and input to the ciphertext subtraction unit 402.
- auxiliary data W2 [i] and W3 [i] corresponding to the input identifier i are read from the auxiliary data storage unit 203 of the storage device 200 and input to the match determination unit 403 of the designated data collating device 400.
- N-bit binary string input data Z ′ (data to be verified) is input to the encryption unit 301 of the data concealment device 300.
- the key generation unit 302 of the data concealment device 300 generates a key (K-bit random number) S′ used for concealing the input data Z′, and outputs it to the encryption unit 301 and the auxiliary data generation unit 303 of the data concealment device 300.
- the encryption unit 301 of the data concealment device 300 calculates encrypted data W1′ as the exclusive OR of the code word C′, obtained by error-correction coding the key S′ input from the key generation unit 302 with a binary BCH code, and the input data Z′ (the following equation (7)).
- the encryption unit 301 of the data concealment device 300 inputs the encrypted data W1 ′ to the ciphertext subtraction unit 402 of the designated data verification device 400.
- the ciphertext subtraction unit 402 of the designated data collating device 400 receives the encrypted data W1′ from the encryption unit 301 of the data concealment device 300 and the encrypted data W1[i] corresponding to the identifier i from the ciphertext storage unit 202 of the storage device 200, and calculates the difference (exclusive OR) between the two input encrypted data W1′ and W1[i] (the following equation (8)).
- the ciphertext subtraction unit 402 of the designated data verification device 400 outputs the calculated difference between the two encrypted data to the match determination unit 403.
- the group is 1.
- the control unit 404 of the designated data matching device 400 outputs W3 [i] and g_s to the auxiliary data generation unit 303 of the data concealment device 300.
- the auxiliary data generation unit 303 of the data concealment device 300 applies binary BCH decoding to the exclusive OR of W3[i] and the input data Z′ (the following equation (10)) and obtains h′, the decoding result.
- the auxiliary data generation unit 303 of the data concealment device 300 calculates W2′ and g_c from the key S′, the encrypted data W1′, h′, g, g_s, and the random number nc based on the following equations (11a) and (11b), and outputs each to the match determination unit 403 of the designated data collating device 400.
- the match determination unit 403 of the designated data collating device 400 applies binary BCH decoding to the difference between the two input encrypted data W1′ and W1[i] (the following equation (12)) and calculates T, the decoding result of the difference between the two encrypted data W1′ and W1[i].
- the one-way conversion unit 405 of the designated data collating device 400 calculates the hash value (the following equation (13)) of H(T, W1′, g_c**ns) (+) W2′, the exclusive OR of H(T, W1′, g_c**ns), calculated using the decoding result T of the difference between the two encrypted data W1′ and W1[i], W1′, and g_c**ns, and W2′ obtained by equation (11a).
- the match determination unit 403 of the designated data collating device 400 determines that the Hamming distance between the original data (plaintext) of W1[i] and the input data (plaintext) Z′ is equal to or less than d when equation (14) holds. If equation (14) does not hold, the match determination unit 403 of the designated data collating device 400 determines that the Hamming distance between the original data (plaintext) of W1[i] and the input data (plaintext) Z′ exceeds d. It then outputs the determination result. In the BCH encoding, the Hamming distance between any two different code words is a value that exceeds at least d.
- the data may be generated by both the match determination unit 403 of the designated data collating device 400 and the auxiliary data generation unit 303 of the data concealment device 300.
- Example 2 will be described in detail with reference to FIG.
- Example 2 is a specific example of the second embodiment.
- an N-bit binary string Z is input to the encryption unit 101 of the registration data generation apparatus 100 as input data.
- the key generation unit 102 of the registration data generation device 100 generates a K-bit random number S and outputs it to the encryption unit 101 and the registration auxiliary data generation unit 103.
- the encryption unit 101 calculates encrypted data W1 obtained by performing an exclusive OR of a codeword C obtained by encoding the input key S with a binary BCH code and the input data Z, and stores the encrypted text.
- the binary BCH code used here is a code that takes K-bit data as input and outputs N-bit data, and any two different code words are guaranteed to have a Hamming distance of at least d.
- the registration auxiliary data generation unit 103 calculates auxiliary data W2 by the one-way conversion unit 104 according to the following equation (15).
- c is a K-bit constant.
- R is a random number (data that is unlikely to be used repeatedly).
- (+) represents the bitwise exclusive OR.
- h is a cryptographic hash function (for example, SHA-256) that outputs k bits.
- the code word data obtained by encoding the data with the BCH code is C3 (where ∥ is a symbol representing bit concatenation), and from C3 and Z, the registration auxiliary data generation unit 103 of the registration data generation device 100 calculates auxiliary data W3 using the following equation (18).
- the registration auxiliary data generation unit 103 registers the set (W2, W3) generated as described above as auxiliary data in the auxiliary data storage unit 203.
- W1, W2, and W3 associated with the identifier i are represented as W1 [i], W2 [i], and W3 [i], respectively.
- input data Z ′ (data to be verified) is input to the encryption unit 301 of the data concealment device 300.
- the key generation unit 302 of the data concealment device 300 generates a key S′ (K-bit random number) used for concealing the input data Z′, and outputs it to the encryption unit 301 and the auxiliary data generation unit 303 of the data concealment device 300.
- a key S′ (K-bit random number)
- the encryption unit 301 of the data concealment device 300 calculates the encrypted data W1′ as the exclusive OR of the code word C′, obtained by encoding the input key S′ with a binary BCH code, and the input data Z′ (the following equation (19)).
- the encryption unit 301 of the data concealment device 300 inputs the calculated encrypted data W1 ′ to the ciphertext subtraction unit 502 of the data verification device 500.
- the identifier i is input to the identifier management unit 201 of the storage device 200 from the all data request unit 501 of the data verification device 500.
- the cipher data W1 [i] corresponding to the input identifier i is read from the ciphertext storage unit 202 of the storage device 200 and input to the ciphertext subtraction unit 502 of the data verification device 500.
- auxiliary data W2 [i] and W3 [i] corresponding to the identifier i are read from the auxiliary data storage unit 203 of the storage device 200 and input to the coincidence determination unit 503 of the data verification device 500.
- the ciphertext subtraction unit 502 of the data collating device 500, having received the encrypted data W1[i] from the ciphertext storage unit 202 of the storage device 200 and the encrypted data W1′ from the encryption unit 301 of the data concealment device 300, outputs the difference (the following equation (20)) between the two input encrypted data W1′ and W1[i] to the match determination unit 503 of the data collating device 500.
- from a random number ns and an element g of a predetermined group G, the control unit 504 of the data collating device 500 calculates g_s = g**ns ... (21) and outputs it to the auxiliary data generation unit 303 of the data concealment device 300.
- the auxiliary data generation unit 303 of the data concealment apparatus 300 calculates W2 ′ and g_c based on the following equations (23a) and (23b).
- the auxiliary data generation unit 303 of the data concealment device 300 calculates auxiliary data W3′ from Z′ and C3, the binary BCH error-correction coding of the data obtained by bit-concatenating the inner product (c, S2′) and the random number r′, by W3′ = C3 (+) Z′ ... (25)
- the match determination unit 503 of the data collating device 500 applies binary BCH decoding to the difference between the input encrypted data, W1′ (+) W1[i] ... (26), and calculates T, the decoding result of the difference between the two encrypted data W1′ and W1[i].
- the match determination unit 503 of the data collating device 500 applies binary BCH decoding to the exclusive OR of the auxiliary data W3[i] and W3′ (equation (25)), W3[i] (+) W3′ ... (27), and calculates w3, the decoding result of W3[i] (+) W3′.
- the coincidence determination unit 503 of the data verification device 500 calculates H (T, W1 ′, g_c ** ns) using the decryption result T of the difference between the two encrypted data, W1 ′, and g_c ** ns.
- W2 ′ and w3 are output to the unidirectional conversion unit 506.
- the one-way conversion unit 506 of the data verification device 500 calculates the hash value (the following equation (28)) of H(T, W1′, g_c**ns) (+) W2′ (+) w3, the bitwise exclusive OR of H(T, W1′, g_c**ns), calculated using the decoding result T of the difference between the two encrypted data, W1′, and g_c**ns, with W2′ and w3.
- the coincidence determination unit 503 of the data collating apparatus 500 checks whether the calculation result of the equation (28) is equal to W2 [i], that is, whether the equation (29) is satisfied.
- if equation (29) holds, the identifier output unit 505 of the data collating device 500 determines that the Hamming distance between the original data of W1[i] and Z′ is equal to or less than d, and outputs the identifier i. If equation (29) does not hold, it is determined that the Hamming distance exceeds d, and the identifier i is not output.
- the above operation is performed on all identifiers i managed by the storage device, and all identifiers having original data such that the Hamming distance with the input data Z ′ is equal to or less than d are output.
- auxiliary data W2′W H (S ′, W1 ′, 'g_s ** nc) (formula (23a)) generated by the auxiliary data generation unit 303 of the data concealment device 300
- the input data in the data registration phase and the input data in the ciphertext verification phase may be biometric information acquired from a fingerprint or a vein.
- while the biometric information is kept secret (encrypted), whether the encrypted biometric data stored in the storage device and the encrypted biometric data sent from the data concealment device were collected from the same person can be determined by whether the Hamming distance between the two input data is equal to or less than a predetermined value, and authentication can be performed. Biometric information cannot always be acquired stably as identical data. However, it can be assumed that data acquired from the same person is similar (data with a small Hamming distance can be acquired). For this reason, the present invention is well suited to, for example, biometric authentication (however, the application target is not limited to biometric authentication).
Abstract
Description
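The present invention is based on Japanese patent application No. 2013-091468 (filed April 24, 2013), the entire contents of which are incorporated herein by reference.
The present invention relates to a ciphertext collation system, method, and program.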
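(2) Compute the exclusive OR of C and Z, W2 = C (+) Z (where (+) denotes the bitwise exclusive OR (bitwise XOR)).
(3) Input S to a cryptographic (one-way) hash function H such as SHA (Secure Hash Algorithm)-1 to obtain the hash value H(S).
(4) Store W2 and H(S) in a database (DB) as template information.
(1) Compute the exclusive OR of Z' and W2, C' = W2 (+) Z' = C (+) (Z (+) Z').
(2) Input C' to a decoder (DEC), perform error-correction decoding of the BCH code, and compute S'.
(3) Input S' to a cryptographic hash function H such as SHA-1 and compute the hash value H(S').
(4) Read H(S) from the database (DB) and check whether H(S) = H(S') holds. If H(S) = H(S') holds, it is determined that the template and the biometric information Z' were taken from the same person. If H(S) = H(S') does not hold, it is determined that they were taken from different persons.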
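As an added example (not code from the patent), the template scheme in steps (1) to (4) above and the relation stated for the ciphertext difference c1-c2 can be run end to end. A 5-fold repetition code stands in for the binary BCH code as an assumption (both are linear, which is the only property used), C is taken to be the code word of the key S as in Example 1, SHA-256 is used for H, and all function names and sample bit strings are constructed for illustration.

```python
import hashlib
import hmac
import secrets

REP = 5            # repetition factor of the stand-in linear code (assumption; the page uses BCH)
RADIUS = REP // 2  # any pattern of up to RADIUS flipped bits is always corrected


def xor(a, b):
    """Bitwise XOR of two equal-length bit lists, written (+) on the page."""
    if len(a) != len(b):
        raise ValueError("bit strings must have equal length")
    return [x ^ y for x, y in zip(a, b)]


def encode(key_bits):
    """K key bits -> N = REP*K code bits. Linear: encode(a ^ b) == encode(a) ^ encode(b)."""
    return [bit for bit in key_bits for _ in range(REP)]


def decode(word):
    """Majority vote per REP-bit block; returns the K decoded key bits."""
    if len(word) % REP:
        raise ValueError("word length must be a multiple of REP")
    return [int(sum(word[i:i + REP]) > RADIUS) for i in range(0, len(word), REP)]


def hamming(a, b):
    """Number of positions in which two bit lists differ."""
    return sum(x != y for x, y in zip(a, b))


def digest(bits):
    """H(S). SHA-256 is used here; the page names SHA-1 only as one possible choice."""
    return hashlib.sha256(bytes(bits)).digest()


def random_key(k):
    """K-bit random key S."""
    return [secrets.randbits(1) for _ in range(k)]


def register(z, s=None):
    """Registration steps (2)-(4): the stored template is (W2, H(S)) with W2 = C (+) Z."""
    s = random_key(len(z) // REP) if s is None else s
    return xor(encode(s), z), digest(s)


def verify(z_prime, w2, h_s):
    """Verification steps (1)-(4): decode C' = W2 (+) Z' to S' and compare H(S') with H(S)."""
    s_prime = decode(xor(w2, z_prime))
    return hmac.compare_digest(digest(s_prime), h_s)


def encrypt(z, s):
    """W1 = C (+) Z, the ciphertext form used in Example 1."""
    return xor(encode(s), z)


def subtract_and_decode(w1, w1_prime):
    """Ciphertext subtraction, then decoding: yields S (+) S' when the plaintexts are close."""
    return decode(xor(w1_prime, w1))


def flip(bits, positions):
    """Return a copy of bits with the given positions inverted (simulated sensor noise)."""
    out = list(bits)
    for p in positions:
        out[p] ^= 1
    return out


# Constructed sample data: a 20-bit "biometric" string and two noisy re-readings.
Z = [1, 0, 1, 1, 0, 0, 1, 0, 0, 1, 1, 1, 0, 1, 0, 0, 0, 1, 1, 1]
Z_NEAR = flip(Z, [0, 7])     # Hamming distance 2, within RADIUS
Z_FAR = flip(Z, [0, 1, 2])   # distance 3 inside one block, so decoding gives a wrong key
S1, S2 = [1, 0, 1, 1], [0, 1, 1, 0]   # fixed keys so the run is reproducible

if __name__ == "__main__":
    w2, h_s = register(Z, S1)
    print("near reading accepted:", verify(Z_NEAR, w2, h_s))
    print("far reading accepted: ", verify(Z_FAR, w2, h_s))
    t = subtract_and_decode(encrypt(Z, S1), encrypt(Z_NEAR, S2))
    print("decoded difference equals S1 (+) S2:", t == xor(S1, S2))
```

With this stand-in code, more than two flipped bits spread over different blocks can still decode correctly, so the acceptance threshold is exact only up to the guaranteed correction radius.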
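A ciphertext collation system is provided that includes means for one-way converting at least part of the first auxiliary data,
one-way converting intermediate data generated based on the difference between the first ciphertext and the second ciphertext and on the second auxiliary data, and determining, using the result of one-way converting the intermediate data and the one-way-converted first auxiliary data, whether the Hamming distance of the plaintexts corresponding to the difference between the first ciphertext and the second ciphertext is equal to or less than the predetermined value.
A ciphertext collation method is provided in which at least part of the first auxiliary data is one-way converted,
intermediate data generated based on the difference between the first ciphertext and the second ciphertext and on the second auxiliary data is one-way converted, and
using the result of one-way converting the intermediate data and the one-way-converted first auxiliary data, it is determined whether the Hamming distance of the plaintexts corresponding to the difference between the first ciphertext and the second ciphertext is equal to or less than the predetermined value.
A program is provided that causes a computer to execute processing of one-way converting at least part of the first auxiliary data, one-way converting intermediate data generated based on the difference between the first ciphertext and the second ciphertext and on the second auxiliary data, and determining, using the result of one-way converting the intermediate data and the one-way-converted first auxiliary data, whether the Hamming distance of the plaintexts corresponding to the difference between the first ciphertext and the second ciphertext is equal to or less than the predetermined value. According to the present invention, a computer-readable recording medium (magnetic/optical recording medium, semiconductor recording medium) on which the program is recorded is provided.
Using the result of one-way converting the intermediate data and the one-way-converted auxiliary data 1, it is determined whether the Hamming distance of the plaintexts corresponding to the difference between ciphertext 1 registered in the storage device (13) and ciphertext 2 of the input data to be collated is equal to or less than the predetermined value. Each means of the ciphertext collation system 10 (apparatus) may have its processing and functions realized by a program executed on a computer constituting the ciphertext collation system 10 (apparatus).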
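Referring to FIG. 1, the system of Embodiment 1 of the present invention includes a registration data generation device 100, a storage device 200, a data concealment device 300, and a designated data collating device 400. These devices may be gathered at one site or the like and configured as a single device, or may be distributed and interconnected via communication means.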
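The input data,
the encrypted data output by the encryption unit 101, and
the key output by the key generation unit 102
are taken as input. The registration auxiliary data generation unit 103 outputs data for determining that the Hamming distance between the input data corresponding to the encrypted data output by the encryption unit 301 of the data concealment device 300 and the input data input to the encryption unit 101 is equal to or less than a predetermined value (within a fixed number).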
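When c1 is the ciphertext obtained by encrypting input data m1 with key k1, and
c2 is the ciphertext obtained by encrypting input data m2 with key k2,
the sum c1+c2 of c1 and c2 is the ciphertext obtained by encrypting input data m1+m2 with key k1+k2.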
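・the input data (the input data to be collated),
・the encrypted data output by the encryption unit 301, and
・the key output by the key generation unit 302 to the encryption unit 301
are taken as input. The auxiliary data generation unit 303 outputs auxiliary data for determining that the Hamming distance between the input data (plaintext) corresponding to the encrypted data (registered encrypted data) output by the encryption unit 101 of the registration data generation device 100 and the input data (plaintext) input to the encryption unit 301 is equal to or less than a predetermined value (within a fixed number). This is auxiliary information used to determine a match if the Hamming distance between the input data (plaintext) corresponding to the registered encrypted data and the input data (plaintext) to be collated that is input to the encryption unit 301 is equal to or less than (or less than) the predetermined value, and to determine a mismatch if it exceeds (or is equal to or greater than) the predetermined value.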
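When c1 is the ciphertext obtained by encrypting input data m1 with key k1, and
c2 is the ciphertext obtained by encrypting input data m2 with key k2,
the sum c1+c2 of c1 and c2 is the ciphertext obtained by encrypting input data m1+m2 with key k1+k2.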
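・one of the encrypted data (registered encrypted data) stored in the ciphertext storage unit 202 of the storage device 200, and
・the encrypted data output from the encryption unit 301 of the data concealment device 300
are taken as input, and the difference c1-c2 between the two input encrypted data c1 and c2 is output.
When c1 is the ciphertext obtained by encrypting input data m1 with key k1, and
c2 is the ciphertext obtained by encrypting input data m2 with key k2,
the difference c1-c2 between the two ciphertexts c1 and c2 is the ciphertext obtained by encrypting the input data m1-m2 with the key k1-k2.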
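・the auxiliary data stored in the auxiliary data storage unit 203 of the storage device 200,
・the auxiliary data output from the auxiliary data generation unit 303 of the data concealment device 300, and
・the difference between the two encrypted data output from the ciphertext subtraction unit 402
are taken as input.
Intermediate data generated from data including at least
・the auxiliary data output from the auxiliary data generation unit 303 of the data concealment device 300, and
・the difference between the two encrypted data output from the ciphertext subtraction unit 402
is sent to the one-way conversion unit 405.
From
・the one-way-converted data generated by the one-way conversion unit 405 according to the intermediate data, and
・one of the one-way-converted auxiliary data stored in the auxiliary data storage unit 203 of the storage device 200,
it is output whether the Hamming distance between the plaintexts m1 and m2, corresponding respectively to the two encrypted data c1 and c2 input to the ciphertext subtraction unit 402, is equal to or less than a predetermined value.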
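Next, Embodiment 2 of the present invention will be described. In the ciphertext collation system of Embodiment 1 described above, input data and an identifier are input to the system, and the plaintext of the encrypted data corresponding to the identifier is collated with the input data. In this embodiment, by contrast, only input data is input to the system, and the identifier of the encrypted data that matches the input data is output.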
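When c1 is the ciphertext obtained by encrypting input data m1 with key k1, and
c2 is the ciphertext obtained by encrypting input data m2 with key k2,
the difference c1-c2 between the two ciphertexts c1 and c2 is the ciphertext obtained by encrypting the input data m1-m2 with the key k1-k2.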
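・the auxiliary data stored in the auxiliary data storage unit 203 of the storage device 200,
・the auxiliary data output from the auxiliary data generation unit 303 of the data concealment device 300, and
・the difference between the two encrypted data output from the ciphertext subtraction unit 502
are input. The match determination unit 503 sends intermediate data generated from data including at least
・the auxiliary data output from the auxiliary data generation unit 303 of the data concealment device 300, and
・the difference between the two encrypted data output from the ciphertext subtraction unit 502
to the one-way conversion unit 505.
From
・the one-way-converted data generated by the one-way conversion unit 505 according to the intermediate data, and
・the one-way-converted auxiliary data stored in the auxiliary data storage unit 203 of the storage device 200,
it is output whether the Hamming distance between the plaintexts m1 and m2, corresponding respectively to the two encrypted data c1 and c2 input to the ciphertext subtraction unit 502, is equal to or less than a predetermined value.
The identifier for which the identifier management unit 201 issued a data output command to the ciphertext storage unit 202 and the auxiliary data storage unit 203, and
the collation result output by the match determination unit 503
are taken as input, and when the match determination unit 503 has determined a match, the identifier input from the identifier management unit 201 is output.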
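Next, Example 1 of the present invention will be described in detail with reference to FIG. 1. Example 1 is a specific example of Embodiment 1.
c is a K-bit constant.
R is an N-bit random number (data that is unlikely to be used repeatedly).
(c, S) denotes an inner product. That is, (A, B) denotes the inner product of A and B when two K = (m*k)-bit data A and B are regarded as vectors divided into k-bit pieces (the operations are performed over the Galois extension field GF(2^k)).
(+) denotes the bitwise exclusive OR.
h is a cryptographic hash function with a k-bit output (one-way hash function: for example SHA-256).
The data
h(W1, N) ∥ r ... (5)
is error-correction coded with the BCH code to give code word data C3 (where ∥ is the operation symbol denoting bit concatenation), and from C3 and Z, the registration auxiliary data generation unit 103 calculates auxiliary data W3 according to the following equation (6).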
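g_s = g**ns ... (9)
is calculated. In equation (9), g**ns denotes g raised to the ns-th power in the group G (** is the exponentiation operator). A group is a set with a binary operation · that satisfies the rules
1. Associativity: (a·b)·c = a·(b·c) for all a, b, c ∈ G,
2. Existence of an identity element: there exists e ∈ G such that a·e = e·a = a for all a ∈ G,
3. Existence of inverses: for every a ∈ G there exists b ∈ G such that a·b = b·a = e.
Here, the group G is a cyclic group under multiplication and, with p a prime, consists of the multiplicative group Zp (= Z/pZ) of order p; the value of g**ns is given as the remainder modulo the prime p (mod p).
The hash value of
H(T, W1', g_c**ns) (+) W2'
is calculated (the following equation (13)).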
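Next, Example 2 will be described in detail with reference to FIG. 3. Example 2 is a specific example of Embodiment 2.
c is a K-bit constant.
R is a random number (data that is unlikely to be used repeatedly).
(A, B) denotes the inner product of A and B when two K = (m*k)-bit data A and B are regarded as vectors divided into k-bit pieces (the operations are performed over the Galois extension field GF(2^k)).
(+) denotes the bitwise exclusive OR.
h is a cryptographic hash function with a k-bit output (for example SHA-256).
H(x, y, z) = (c, x) (+) h(y, z) ... (16)
The data
h(W1, N) ∥ r ... (17)
is encoded with the BCH code to give code word data C3 (where ∥ is the symbol denoting bit concatenation), and from C3 and Z, the registration auxiliary data generation unit 103 of the registration data generation device 100 calculates auxiliary data W3 using the following equation (18).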
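g_s = g**ns ... (21)
is calculated and output to the auxiliary data generation unit 303 of the data concealment device 300.
S1' and S2' satisfying
S' = S1' (+) S2' ... (22)
are chosen at random.
From Z' and C3, the binary BCH error-correction coding of
(c, S2') ∥ r' ... (24)
the auxiliary data W3' is calculated by
W3' = C3 (+) Z' ... (25)
and W1', W2', W3', and g_c are output to the match determination unit 503 of the data collating device 500.
Binary BCH decoding is applied to
W1' (+) W1[i] ... (26)
and T, the decoding result of the difference between the two encrypted data W1' and W1[i], is calculated.
Binary BCH decoding is applied to
W3[i] (+) W3' ... (27)
and w3, the decoding result of the auxiliary data W3[i] (+) W3', is calculated.
The hash value of
H(T, W1', g_c**ns) (+) W2' (+) w3
is calculated (the following equation (28)).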
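11, 12 encryption means (unit)
13 storage device
14 auxiliary data generation means (unit)
14h, 15h one-way conversion means (unit)
15 collation determination means (unit)
100, 100' registration data generation device
101 encryption unit
102 key generation unit
103 registration auxiliary data generation unit
104 one-way conversion unit
200 storage device
201 identifier management unit
202 ciphertext storage unit
203 auxiliary data storage unit
300, 300' data concealment device
301 encryption unit
302 key generation unit
303 auxiliary data generation unit
400 designated data collating device
401 identifier holding unit
402 ciphertext subtraction unit
403 match determination unit
404 control unit
405 one-way conversion unit
500 data collating device
501 all data request unit
502 ciphertext subtraction unit
503 match determination unit
504 control unit
505 identifier output unit
506 one-way conversion unit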
Claims (10)
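- A ciphertext matching system comprising:
means for generating first and second auxiliary data, respectively, for a first ciphertext, which is obtained by encrypting input data and is registered in a storage device, and a second ciphertext, which is obtained by encrypting input data to be matched, the auxiliary data being used to verify matching by means of the Hamming distance between plaintexts; and
means for applying a one-way transformation to at least part of the first auxiliary data,
applying a one-way transformation to intermediate data generated based on the difference between the first ciphertext and the second ciphertext and on the second auxiliary data, and
determining, using the result of the one-way transformation of the intermediate data and the one-way-transformed first auxiliary data, whether the Hamming distance between the plaintexts corresponding to the difference between the first ciphertext and the second ciphertext is less than or equal to the predetermined value.
- The ciphertext matching system according to claim 1, wherein the ciphertext is the exclusive OR of the plaintext of the input data and a codeword obtained by encoding, with an error-correcting code having linearity, the key used to encrypt that plaintext, and
each of the first and second auxiliary data, relating respectively to the ciphertext registered in the storage device and to the ciphertext of the input data to be matched, is calculated based on the result of applying a one-way transformation to the exclusive OR of the inner product of the corresponding key and a constant, and the output of a cryptographic hash function applied to a bit string based on the corresponding ciphertext.
- The ciphertext matching system according to claim 1, comprising:
a registered data generation device;
a storage device;
a data concealment device; and
a designated data matching device,
wherein the registered data generation device comprises:
a first encryption unit that receives fixed-length input data and a key as input and outputs a ciphertext obtained by encrypting the input data with the key,
the ciphertext satisfying the relationship that the sum of ciphertext 1, obtained by encrypting plaintext 1 with key 1, and ciphertext 2, obtained by encrypting plaintext 2 with key 2, is equal to the ciphertext obtained by encrypting the sum of plaintext 1 and plaintext 2 with the sum of key 1 and key 2;
a first key generation unit that generates the key input to the first encryption unit;
a registration auxiliary data generation unit that receives the input data and the key generated by the first key generation unit as input and outputs the first auxiliary data for verifying that the Hamming distance between the plaintexts of the first ciphertext output by the first encryption unit and the second ciphertext output by the data concealment device is less than or equal to a predetermined value; and
a one-way transformation unit that outputs data obtained by applying a one-way transformation to at least part of the first auxiliary data output from the registration auxiliary data generation unit,
wherein the storage device comprises:
a ciphertext storage unit that stores one or more of the first ciphertexts output by the first encryption unit of the registered data generation device;
an auxiliary data storage unit that stores one or more pieces of the first auxiliary data output by the registration auxiliary data generation unit of the registered data generation device; and
an identifier management unit that receives an identifier from the designated data matching device and causes the ciphertext storage unit and the auxiliary data storage unit to output, respectively, the ciphertext and the first auxiliary data corresponding to the identifier,
wherein the data concealment device comprises:
a second encryption unit that receives fixed-length input data and a key as input and outputs a ciphertext obtained by encrypting the input data with the key, the ciphertext satisfying the relationship that the sum of ciphertext 1, obtained by encrypting plaintext 1 with key 1, and ciphertext 2, obtained by encrypting plaintext 2 with key 2, is equal to the ciphertext obtained by encrypting the sum of plaintext 1 and plaintext 2 with the sum of key 1 and key 2;
a second key generation unit that generates the key input to the second encryption unit; and
an auxiliary data generation unit that receives the input data and the key generated by the second key generation unit as input and outputs the second auxiliary data for verifying that the Hamming distance between the plaintexts of the second ciphertext output by the second encryption unit and the first ciphertext output by the first encryption unit of the registered data generation device is less than or equal to a predetermined value,
and wherein the designated data matching device comprises:
an identifier holding unit that receives an identifier as input, outputs the identifier to the identifier management unit of the storage device, and instructs the identifier management unit to output the ciphertext and the auxiliary data corresponding to the identifier;
a ciphertext subtraction unit that receives as input the first ciphertext output from the second encryption unit of the data concealment device and the ciphertext read from the ciphertext storage unit of the storage device, and outputs the difference between the two input ciphertexts;
a match determination unit that receives as input
the difference between the first and second ciphertexts output from the ciphertext subtraction unit,
the first auxiliary data read from the auxiliary data storage unit of the storage device, and
the second auxiliary data output from the auxiliary data generation unit of the data concealment device,
sends to a one-way transformation unit intermediate data generated based on the difference between the first and second ciphertexts output from the ciphertext subtraction unit and on the second auxiliary data output from the auxiliary data generation unit of the data concealment device,
and determines whether the Hamming distance between the plaintexts corresponding to the difference between the first and second ciphertexts is less than or equal to a predetermined value according to whether
the one-way-transformed data generated by the one-way transformation unit from the intermediate data and
one of the one-way-transformed first auxiliary data stored in the auxiliary data storage unit of the storage device
are equal;
the one-way transformation unit, which receives as input the intermediate data calculated by the match determination unit and outputs the result of applying a one-way transformation to the intermediate data; and
a control unit that controls the exchange of data between the data concealment device and the designated data matching device.
- The ciphertext matching system according to claim 1, comprising:
a registered data generation device;
a storage device;
a data concealment device; and
a data matching device,
wherein the registered data generation device comprises:
a first encryption unit that receives fixed-length input data and a key as input and outputs a ciphertext obtained by encrypting the input data with the key,
the ciphertext satisfying the relationship that the sum of ciphertext 1, obtained by encrypting plaintext 1 with key 1, and ciphertext 2, obtained by encrypting plaintext 2 with key 2, is equal to the ciphertext obtained by encrypting the sum of plaintext 1 and plaintext 2 with the sum of key 1 and key 2;
a first key generation unit that generates the key input to the first encryption unit;
a registration auxiliary data generation unit that receives the input data and the key generated by the first key generation unit as input and outputs the first auxiliary data for verifying that the Hamming distance between the plaintexts of the first ciphertext output by the first encryption unit and the second ciphertext output by the data concealment device is less than or equal to a predetermined value; and
a one-way transformation unit that outputs data obtained by applying a one-way transformation to at least part of the first auxiliary data output from the registration auxiliary data generation unit,
wherein the storage device comprises:
a ciphertext storage unit that stores one or more ciphertexts output by the first encryption device of the registered data generation device;
an auxiliary data storage unit that stores one or more pieces of auxiliary data output by the registration auxiliary data generation unit of the registered data generation device; and
an identifier management unit that receives an identifier from the data matching device and causes the ciphertext storage unit and the auxiliary data storage unit to output, respectively, the ciphertext and the auxiliary data corresponding to the identifier,
wherein the data concealment device comprises:
a second encryption unit that receives fixed-length input data and a key as input and outputs a ciphertext obtained by encrypting the input data with the key,
the ciphertext satisfying the relationship that the sum of ciphertext 1, obtained by encrypting plaintext 1 with key 1, and ciphertext 2, obtained by encrypting plaintext 2 with key 2, is equal to the ciphertext obtained by encrypting the sum of plaintext 1 and plaintext 2 with the sum of key 1 and key 2;
a second key generation unit that generates the key input to the second encryption unit;
an auxiliary data generation unit that receives the input data and the key generated by the second key generation unit as input and outputs the second auxiliary data for verifying that the Hamming distance between the plaintexts of the second ciphertext output by the second encryption unit and the first ciphertext output by the first encryption unit of the registered data generation device is less than or equal to a predetermined value; and
a one-way transformation unit that outputs data obtained by applying a one-way transformation to at least part of the second auxiliary data output from the auxiliary data generation unit,
and wherein the data matching device comprises:
an all-data request unit that, on an instruction from an identifier output unit, inputs to the identifier management unit an instruction to sequentially read out all data stored in the storage device;
a ciphertext subtraction unit that receives as input the second ciphertext output from the second encryption unit of the data concealment device and the first ciphertext stored in the ciphertext storage unit in the storage device, and outputs the difference between the input first and second ciphertexts;
a match determination unit that receives as input
the difference between the first and second ciphertexts output from the ciphertext subtraction unit,
the first auxiliary data read from the auxiliary data storage unit of the storage device, and
the second auxiliary data output from the auxiliary data generation unit of the data concealment device,
sends to a one-way transformation unit intermediate data generated based on the difference between the first and second ciphertexts output from the ciphertext subtraction unit and on the second auxiliary data output from the auxiliary data generation unit of the data concealment device,
and determines whether the Hamming distance between the plaintexts corresponding to the difference between the first and second ciphertexts is less than or equal to a predetermined value according to whether
the one-way-transformed data generated by the one-way transformation unit from the intermediate data and
one of the one-way-transformed first auxiliary data stored in the auxiliary data storage unit of the storage device
are equal;
the one-way transformation unit, which receives as input the intermediate data calculated by the match determination unit and outputs the result of applying a one-way transformation to the intermediate data;
the one-way transformation unit, which receives as input intermediate data calculated by the match determination unit and outputs the result of applying a one-way transformation to the intermediate data;
the identifier output unit, which receives as input the determination result output from the match determination unit and the output of the identifier management unit, and outputs the identifier corresponding to data for which the match determination unit has determined that the Hamming distance between the plaintexts is less than or equal to a predetermined value; and
a control unit that controls the exchange of data between the data concealment device and the data matching device.
- The ciphertext matching system according to claim 3 or 4, wherein the first and second encryption units encode the key with an error-correcting code having linearity and output, as the ciphertext, the result of calculating the vector sum of the codeword resulting from the error-correction encoding and the plaintext of the input data.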
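- The ciphertext matching system according to claim 3 or 4, wherein
the first auxiliary data output by the registration auxiliary data generation unit of the registered data generation device includes data calculated,
with S denoting the key input to the first encryption unit of the registered data generation device,
W1 denoting the ciphertext output by the first encryption unit, and
R denoting data unlikely to be used repeatedly, by the expression
h((c,S)(+)h(W1,R))
(where c is a constant, (x, y) denotes the inner product of vectors x and y, (c,S) is the inner product of c and S, h is a cryptographic hash function, and (+) is bitwise exclusive OR), and
the second auxiliary data output by the auxiliary data generation unit of the data concealment device includes data calculated,
with S' denoting the key input to the second encryption unit of the data concealment device,
W1' denoting the ciphertext output by the second encryption unit, and
R' denoting data unlikely to be used repeatedly, by the expression
(c,S')(+)h(W1',R').
- The ciphertext matching system according to claim 6, wherein R' is generated, by the Diffie-Hellman key agreement method, at both the match determination unit of the designated data matching device or the data matching device and the auxiliary data generation unit of the data concealment device.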
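- A biometric authentication system comprising the ciphertext matching system according to any one of claims 1 to 7, wherein the input data input to the registered data generation device and the data concealment device is generated from biometric information, and biometric authentication is performed by determining whether the data input via the data concealment device to the designated data matching device or the data matching device matches the data stored in the storage device.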
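- A ciphertext matching method comprising:
generating first and second auxiliary data, respectively, for a first ciphertext, which is obtained by encrypting input data and is registered in a storage device, and a second ciphertext, which is obtained by encrypting input data to be matched, the auxiliary data being used to verify matching by means of the Hamming distance between plaintexts;
applying a one-way transformation to at least part of the first auxiliary data;
applying a one-way transformation to intermediate data generated based on the difference between the first ciphertext and the second ciphertext and on the second auxiliary data; and
determining, using the result of the one-way transformation of the intermediate data and the one-way-transformed first auxiliary data, whether the Hamming distance between the plaintexts corresponding to the difference between the first ciphertext and the second ciphertext is less than or equal to the predetermined value.
- A program causing a computer to execute:
a process of generating first and second auxiliary data, respectively, for a first ciphertext, which is obtained by encrypting input data and is registered in a storage device, and a second ciphertext, which is obtained by encrypting input data to be matched, the auxiliary data being used to verify that the Hamming distance between the plaintexts of the first ciphertext and the second ciphertext is less than or equal to a predetermined value; and
a process of applying a one-way transformation to at least part of the first auxiliary data, applying a one-way transformation to intermediate data generated based on the difference between the first ciphertext and the second ciphertext and on the second auxiliary data, and determining, using the result of the one-way transformation of the intermediate data and the one-way-transformed first auxiliary data, whether the Hamming distance between the plaintexts corresponding to the difference between the first ciphertext and the second ciphertext is less than or equal to the predetermined value.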
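The construction in claims 5 and 6, as an added example that is not code from the patent: the ciphertext is a linear codeword of the key XORed with the plaintext, the stored auxiliary data is h((c,S) (+) h(W1,R)), and the verifier decodes the ciphertext difference and compares one-way-transformed values. Assumptions of this example: a 5-fold repetition code stands in for the BCH code, k = 8 with a two-symbol key, the outer one-way transformation keeps the full SHA-256 digest, the verifier is handed R and R' directly and adds h(W1,R) itself, and all function names and sample values are hypothetical.

```python
import hashlib

REP, M = 5, 2            # toy sizes (assumed): key S = M symbols of k=8 bits, REP copies per bit
C = [0x57, 0x83]         # public constant c (constructed value)

def gf_mul(a, b):        # multiplication in GF(2^8) modulo x^8+x^4+x^3+x+1
    r = 0
    while b:
        if b & 1:
            r ^= a
        a = (a << 1) ^ (0x11B if a & 0x80 else 0)
        b >>= 1
    return r

def inner(c, s):         # (c, S): inner product over GF(2^8), linear in S
    out = 0
    for ci, si in zip(c, s):
        out ^= gf_mul(ci, si)
    return out

def encode(s):           # linear code: repetition code standing in for BCH
    return [(b >> i) & 1 for b in s for i in range(8) for _ in range(REP)]

def decode(w):           # majority vote per group, then repack bits into symbols
    kb = [int(sum(w[i:i + REP]) > REP // 2) for i in range(0, len(w), REP)]
    return [sum(kb[8 * j + i] << i for i in range(8)) for j in range(M)]

def xor(a, b):
    return [x ^ y for x, y in zip(a, b)]

def h(w, r):             # inner hash h, truncated to k=8 bits
    return hashlib.sha256(bytes(w) + r).digest()[0]

def owf(x):              # outer one-way transformation (full digest, an assumption)
    return hashlib.sha256(bytes([x])).hexdigest()

def enroll(z, s, r):     # registration: W1 = C1 (+) Z, W2 = h((c,S) (+) h(W1,R))
    w1 = xor(encode(s), z)
    return w1, owf(inner(C, s) ^ h(w1, r))

def conceal(z2, s2, r2): # query side: W1' and W2' = (c,S') (+) h(W1',R')
    w1p = xor(encode(s2), z2)
    return w1p, inner(C, s2) ^ h(w1p, r2)

def match(w1, w2, r, w1p, w2p, r2):   # takes neither key nor plaintext as input
    t = decode(xor(w1, w1p))          # T = S (+) S' when the plaintexts are close
    mid = inner(C, t) ^ h(w1p, r2) ^ w2p ^ h(w1, r)   # intermediate data
    return owf(mid) == w2
```

With the repetition code the tolerance is two flipped bits per 5-bit group rather than a single global Hamming threshold, which is what a BCH code would give.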
Priority Applications (3)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
JP2015513802A JP6229715B2 (ja) | 2013-04-24 | 2014-04-23 | Ciphertext matching system, method, and program |
EP14788621.2A EP2991265B1 (en) | 2013-04-24 | 2014-04-23 | Encrypted text matching system, method and program |
US14/786,680 US9985779B2 (en) | 2013-04-24 | 2014-04-23 | Encrypted text matching system, method, and computer readable medium |
Applications Claiming Priority (2)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
JP2013-091468 | 2013-04-24 | ||
JP2013091468 | 2013-04-24 |
Publications (1)
Publication Number | Publication Date |
---|---|
WO2014175334A1 true WO2014175334A1 (ja) | 2014-10-30 |
Family
ID=51791904
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
PCT/JP2014/061437 WO2014175334A1 (ja) | 2013-04-24 | 2014-04-23 | Ciphertext matching system, method, and program |
Country Status (4)
Country | Link |
---|---|
US (1) | US9985779B2 (ja) |
EP (1) | EP2991265B1 (ja) |
JP (1) | JP6229715B2 (ja) |
WO (1) | WO2014175334A1 (ja) |
Cited By (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US10826680B2 (en) | 2015-06-18 | 2020-11-03 | Nec Corporation | Collation system, collation method, and non-transitory recording medium |
WO2023149510A1 (ja) * | 2022-02-04 | 2023-08-10 | 真旭 徳山 | Authentication device, authentication support method, and program |
JP7343680B2 (ja) | 2022-02-04 | 2023-09-12 | 真旭 徳山 | Authentication device, authentication support method, and program |
Families Citing this family (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
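KR20200100481A (ko) * | 2019-02-18 | 2020-08-26 | Samsung Electronics Co., Ltd. | Electronic device for authenticating biometric information and operating method thereof |
CN111193761B (zh) * | 2019-09-11 | 2021-09-28 | Tencent Technology (Shenzhen) Co., Ltd. | File transmission method, apparatus, and readable storage medium |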
Citations (5)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
JP2006158851A (ja) | 2004-12-10 | 2006-06-22 | Hitachi Ltd | Method for transforming feature quantities of biometric information and biometric authentication system |
JP2008502071A (ja) * | 2004-06-09 | 2008-01-24 | Koninklijke Philips Electronics N.V. | Biometric template protection and feature handling |
US20100014655A1 (en) * | 2004-05-12 | 2010-01-21 | Samsung Electronics Co., Ltd. | Method and apparatus for generating cryptographic key using biometric data |
WO2011052056A1 (ja) * | 2009-10-29 | 2011-05-05 | Mitsubishi Electric Corporation | Data processing device |
WO2014010725A1 (ja) * | 2012-07-13 | 2014-01-16 | NEC Corporation | Ciphertext matching system, method, and program |
Family Cites Families (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20030219121A1 (en) * | 2002-05-24 | 2003-11-27 | Ncipher Corporation, Ltd | Biometric key generation for secure storage |
WO2007036822A1 (en) * | 2005-09-29 | 2007-04-05 | Koninklijke Philips Electronics N.V. | Secure protection of biometric templates |
US9077509B2 (en) * | 2005-12-13 | 2015-07-07 | Koninklijke Philips N.V. | Secure threshold decryption protocol computation |
IL199657A0 (en) * | 2009-07-02 | 2011-08-01 | Carmel Haifa University Economic Corp Ltd | Face representation systems for privacy aware applications and methods useful in conjunction therewith |
-
2014
- 2014-04-23 WO PCT/JP2014/061437 patent/WO2014175334A1/ja active Application Filing
- 2014-04-23 JP JP2015513802A patent/JP6229715B2/ja active Active
- 2014-04-23 EP EP14788621.2A patent/EP2991265B1/en active Active
- 2014-04-23 US US14/786,680 patent/US9985779B2/en active Active
Non-Patent Citations (2)
Title |
---|
PIM TUYLS; ANTON H. M. AKKERMANS; TOM A. M. KEVENAAR; GEERT-JAN SCHRIJEN; ASKER M. BAZEN; RAIMOND N. J. VELDHUIS: "Proceedings of AVBPA 2005, Lecture Notes in Computer Science", vol. 3546, 2005, SPRINGER VERLAG, article "Practical Biometric Authentication with Templete Protection", pages: 436 - 446 |
TOSHIYUKI ISSHIKI ET AL.: "New security definitions for biometric authentication with template protection: Toward covering more threats against authentication systems", PROCEEDINGS OF THE 12TH INTERNATIONAL CONFERENCE OF THE BIOMETRICS SPECIAL INTEREST GROUP (BIOSIG 2013, September 2013 (2013-09-01), XP032495092 * |
Also Published As
Publication number | Publication date |
---|---|
EP2991265A4 (en) | 2016-12-21 |
JP6229715B2 (ja) | 2017-11-15 |
EP2991265B1 (en) | 2020-05-27 |
US9985779B2 (en) | 2018-05-29 |
JPWO2014175334A1 (ja) | 2017-02-23 |
US20160072624A1 (en) | 2016-03-10 |
EP2991265A1 (en) | 2016-03-02 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
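JP6048501B2 (ja) | Ciphertext matching system, method, and program | |
JP6229714B2 (ja) | Ciphertext matching system, method, and program | |
Aumasson et al. | The hash function BLAKE | |
JP6323338B2 (ja) | Bit string matching system, method, and program | |
JP6931247B2 (ja) | Ciphertext matching system, method, and program | |
JP6229715B2 (ja) | Ciphertext matching system, method, and program | |
JP6738061B2 (ja) | Ciphertext matching system, method, and recording medium | |
KR20140011534A (ko) | Generation and verification of alternate data having a specific format | |
JP6229713B2 (ja) | Ciphertext matching system, method, and program | |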
Kazmirchuk et al. | The Improvement of digital signature algorithm based on elliptic curve cryptography | |
Cayrel et al. | Efficient implementation of hybrid encryption from coding theory | |
Yasuda et al. | Privacy-preserving fuzzy commitment for biometrics via layered error-correcting codes | |
Ciocan et al. | A Modified Argon2i Using a Tweaked Variant of Blake3 | |
Wu et al. | Two new message authentication codes based on APN functions and stream ciphers | |
Jauhari et al. | Secure and Optimized Algorithm for Implementation of Digital Signature |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
121 | Ep: the epo has been informed by wipo that ep was designated in this application |
Ref document number: 14788621 Country of ref document: EP Kind code of ref document: A1 |
|
WWE | Wipo information: entry into national phase |
Ref document number: 2014788621 Country of ref document: EP |
|
ENP | Entry into the national phase |
Ref document number: 2015513802 Country of ref document: JP Kind code of ref document: A |
|
WWE | Wipo information: entry into national phase |
Ref document number: 14786680 Country of ref document: US |
|
NENP | Non-entry into the national phase |
Ref country code: DE |