WO2014185450A1 - Verification system, node, verification method, and program - Google Patents

Verification system, node, verification method, and program Download PDF

Info

Publication number
WO2014185450A1
WO2014185450A1 PCT/JP2014/062820 JP2014062820W WO2014185450A1 WO 2014185450 A1 WO2014185450 A1 WO 2014185450A1 JP 2014062820 W JP2014062820 W JP 2014062820W WO 2014185450 A1 WO2014185450 A1 WO 2014185450A1
Authority
WO
WIPO (PCT)
Prior art keywords
data
node
verification
authentication data
encrypted
Prior art date
Application number
PCT/JP2014/062820
Other languages
French (fr)
Japanese (ja)
Inventor
寿幸 一色
Original Assignee
日本電気株式会社
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by 日本電気株式会社 filed Critical 日本電気株式会社
Priority to US14/787,848 priority Critical patent/US9910478B2/en
Priority to JP2015517108A priority patent/JPWO2014185450A1/en
Publication of WO2014185450A1 publication Critical patent/WO2014185450A1/en

Links

Images

Classifications

    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/30Authentication, i.e. establishing the identity or authorisation of security principals
    • G06F21/31User authentication
    • G06F21/32User authentication using biometric data, e.g. fingerprints, iris scans or voiceprints
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/30Public key, i.e. encryption algorithm being computationally infeasible to invert or user's encryption keys not requiring secrecy
    • H04L9/3006Public key, i.e. encryption algorithm being computationally infeasible to invert or user's encryption keys not requiring secrecy underlying computational problems or public-key parameters
    • H04L9/3026Public key, i.e. encryption algorithm being computationally infeasible to invert or user's encryption keys not requiring secrecy underlying computational problems or public-key parameters details relating to polynomials generation, e.g. generation of irreducible polynomials
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/321Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving a third party or a trusted authority
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F2221/00Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/21Indexing scheme relating to G06F21/00 and subgroups addressing additional information or applications relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/2107File encryption

Definitions

  • the present invention is based on a Japanese patent application: Japanese Patent Application No. 2013-102955 (filed on May 15, 2013), and the entire contents of this application are incorporated in the present specification by reference.
  • the present invention relates to a collation system, a node, a collation method, and a program, and more particularly, to a collation system, a node, a collation method, and a program that allow ambiguity of data to be collated.
  • Biometric authentication it is necessary to store a template related to biometric information in a database in order to verify authentication information.
  • Biometric information such as fingerprints and veins is basically data that does not change throughout the lifetime, and if information is leaked, it causes enormous damage, so high confidentiality is required.
  • template protection type biometric authentication technology that performs authentication while keeping template information secret is becoming important so that “spoofing” cannot be performed even if a template leaks.
  • Patent Document 1 describes a method in which fingerprint data is expressed as a point on a polynomial, and a biometric authentication is performed using data in which fingerprint data is concealed by adding a random point to the point as a template.
  • Non-Patent Document 1 describes a method for protecting the biometric information of a client seeking authentication by using public key cryptography having homogeneity.
  • a certification device encrypts a feature vector for registration using a public key and a random number, registers the encrypted feature vector for registration in an authentication device, and at the time of authentication, the certification device authenticates for authentication.
  • the feature vector is encrypted using a public key and a random number, and the authentication device derives the similarity between the two feature vectors by decryption processing using the secret key while the two encrypted feature vectors remain encrypted.
  • a system is described in which possible encryption similarity information is generated, a decryption device decrypts the encryption similarity information to derive plain text similarity, and if the similarity is greater than or equal to a threshold value, the system determines that the person is the person Yes.
  • Patent Document 1 It is known that the method of Patent Document 1 may not protect biometric information with sufficient strength when biometric authentication is repeated many times.
  • Non-Patent Document 1 proposes a method for protecting biometric information of a client seeking authentication by using public key cryptography having homogeneity.
  • a minutiae is composed of three components: type, coordinates (x, y), and angle.
  • type represents the type of feature point, for example, an end point or a branch point.
  • the coordinate represents the coordinate of the feature point, and the angle represents the slope of the tangent line at the feature point.
  • the server confirms that the minutia extracted from the biometric information of the client matches the minutia registered as the authentication template.
  • the minutia extracted from the biometric information of the client matches the minutia registered as the authentication template.
  • ⁇ d and ⁇ t are parameters determined by the system.
  • the distance evaluated in (2) is called a two-dimensional Euclidean distance or L2 norm.
  • the distance evaluated in (3) is called a one-dimensional Euclidean distance.
  • these are collectively called the Euclidean distance, and the Euclidean distance between D and D ′ is represented as d (D, D ′).
  • Non-Patent Document 1 describes a biometric authentication method capable of concealing biometric information of a client who has requested authentication. Specifically, by using an encryption protocol called Aided Computation and Set Intersection, the minutiae (type1, (x1, y1), ⁇ 1) extracted at the time of authentication is not disclosed to the server, and the minutiae registered on the server It can be confirmed whether (type2, (x2, y2), ⁇ 2) and minutiae (type1, (x1, y1), ⁇ 1) match.
  • Aided Computation and Set Intersection the minutiae (type1, (x1, y1), ⁇ 1) extracted at the time of authentication is not disclosed to the server, and the minutiae registered on the server It can be confirmed whether (type2, (x2, y2), ⁇ 2) and minutiae (type1, (x1, y1), ⁇ 1) match.
  • authentication data data registered in advance from the client to the server.
  • data extracted at the time of authentication and verified with authentication data is referred to as “authenticated data”.
  • minutiae type2, (x2, y2), ⁇ 2) corresponds to authentication data
  • minutiae type1, (x1, y1), ⁇ 1 corresponds to data to be authenticated.
  • Public key cryptography consists of three algorithms: key generation, encryption, and decryption.
  • Key generation is a probabilistic algorithm that receives a security parameter as input and outputs a public key pk and a secret key sk.
  • Encryption is a probabilistic algorithm that receives a public key pk and a message M as input and outputs ciphertext C.
  • Decryption is a definitive algorithm that receives a secret key sk and ciphertext C as input and outputs a decryption result M.
  • Key generation KeyGen (1 ⁇ k) ⁇ (pk, sk) Encryption: Enc (pk, M) ⁇ C
  • Encryption Dec (sk, C) ⁇ M
  • the Paillier cipher is a public key cipher having homomorphism in which (*) is multiplied and (+) is added.
  • the Paillier encryption will be described.
  • Set Intersection is a cryptographic protocol performed between two entities, Alice and Bob. Assume that Alice has some data a and Bob has a set B of data. At this time, Set Intersection is a protocol for confirming whether data a is included in set B while keeping data A held by Alice confidential to Bob.
  • Bob releases the public key pk of the additive homomorphic public key encryption and holds the corresponding secret key sk.
  • Such a polynomial can be easily generated using Lagrange interpolation.
  • Bob encrypts ⁇ [0], ⁇ [1],..., ⁇ [n] using the public key pk.
  • Bob also sends ciphertexts C [0], C [1],..., C [n] to Alice.
  • Alice calculates a ⁇ ⁇ n ⁇ , a ⁇ ⁇ n-1 ⁇ , ..., a ⁇ ⁇ 0 ⁇ .
  • Alice replaces C [n] ⁇ ⁇ a ⁇ ⁇ n ⁇ , C [n-1] ⁇ ⁇ a ⁇ ⁇ n-1 ⁇ , ..., C [0] ⁇ ⁇ a ⁇ ⁇ 0 ⁇ calculate. 4).
  • Set IntersectionIntersection For simplicity, the protocol of SetsectionIntersection by Alice with input a and Bob with set B and secret key sk is denoted as Set Intersection [Alice (a), Bob (B, sk)] (pk).
  • pk represents a public key pk that is a common input to Alice and Bob.
  • Aided Computation is also a cryptographic protocol performed between two entities, Alice and Bob. Assume that Alice has a ciphertext Enc (pk, a) of some data a, and Bob has a secret key sk corresponding to the data set B and the public key pk. Bob's cipher is an additive homomorphic public key cipher. At this time, Aided Computation is a protocol for checking whether data a is included in the set B while keeping Alice's data a confidential to Bob. In Aided Computation, unlike Set Intersection, Alice does not know the plaintext of data a.
  • Bob decrypts C.
  • Bob determines that Alice has the ciphertext of the data included in set B if the decryption result is 0, and if Alice has no ciphertext of the data included in set B if the decryption result is other than 0 to decide.
  • AidedutComputation for Alice with input Enc (pk, a) and the function F (x) by Bob with set B and secret key sk is Aided Computation [Alice (Enc (pk, a)), Bob (B, sk)] (pk, F (x)).
  • pk represents a public key pk that is a common input to Alice and Bob.
  • Non-Patent Document 1 client minutiae (type1, (x1, y1), ⁇ 1) (authenticated data) and authentication template (type2, (x2, y2), ⁇ 2) (authentication data) stored in the server ) Use Set ⁇ Intersection and Aided Computation to confirm that they match. Specifically, the following processing is performed.
  • Type match Set Intersection [client (type 1), server (type 2, sk)] (pk) is performed.
  • (2) Distance match First, the Euclidean distance between (x1, y1) and (x2, y2) is calculated with encryption.
  • the server calculates Enc (pk, x2 ⁇ 2), Enc (pk, x2), Enc (pk, y2 ⁇ 2), and Enc (pk, y2), and sends them to the client.
  • the client calculates Enc (pk, x1 ⁇ 2), Enc (pk, y1 ⁇ 2).
  • Non-Patent Document 1 data to be authenticated that is authenticated based on authentication data registered in the server from the client can be kept secret from the server.
  • authentication data registered on the server is plain text, there is a risk that authentication data, which is client sensitive data, may be leaked from the server.
  • Another problem is that the authentication data is not concealed.
  • An object of the present invention is to provide a collation system, a collation method, and a program that contribute to such a demand.
  • the collation system is: Comprising a first node, a second node and a third node;
  • the first node encrypts authentication data with a public key and transmits the encrypted data to the third node;
  • the encrypted authentication data is obtained from the third node, and the distance between the data to be authenticated and the authentication data is encrypted with the public key
  • a verification data generation unit that generates a value encrypted by the public key by substituting the distance into the polynomial acquired from the third node as verification data and transmits the verification data to the second node.
  • the second node generates a pair of the public key and the secret key, and transmits the public key to the first node;
  • a collation unit that collates the data to be authenticated with the authentication data based on the secret key and the collation data;
  • the third node includes a storage unit that stores the encrypted authentication data;
  • a collation information generating unit that generates a polynomial that includes a threshold value of a distance between the authentication data and the data to be authenticated as a parameter.
  • the collation method is: A first node encrypting authentication data with the public key received from the second node that generates a public key and private key pair and transmitting the encrypted data to the third node;
  • the encrypted authentication data is obtained from the third node, and the distance between the data to be authenticated and the authentication data is encrypted with the public key
  • the process of calculating as it is, Including substituting the distance into the polynomial obtained from the third node and encrypting the encrypted value using the public key as verification data and transmitting the verification data to the second node.
  • the polynomial includes a threshold value of a distance between the authentication data and the data to be authenticated as a parameter.
  • the program according to the fourth aspect of the present invention is: A process of encrypting authentication data with the public key received from the second node that generates a public key and private key pair and transmitting the encrypted authentication data to the third node; When the data to be authenticated that is collated with the authentication data is received, the encrypted authentication data is obtained from the third node, and the distance between the data to be authenticated and the authentication data is encrypted with the public key Processing while calculating A process of substituting the distance into the polynomial obtained from the third node and generating a value encrypted with the public key as verification data and transmitting it to the second node. Run it on the computer provided, The polynomial includes a threshold value of a distance between the authentication data and the data to be authenticated as a parameter.
  • the program can be provided as a program product recorded on a non-transitory computer-readable storage medium.
  • collation system node, collation method, and program according to the present invention, it becomes possible to conceal the data to be authenticated and the authentication data from the server based on simple processing.
  • FIG. 1 is a block diagram illustrating an example of a configuration of a verification system according to an embodiment.
  • the verification system includes a first node 100 corresponding to a client, a second node 200 corresponding to an authentication node, and a third node 300 corresponding to a server.
  • the first node 100 includes an encryption unit 11, a distance calculation unit 22, and a collation data generation unit 23.
  • the second node includes a key generation unit 51 and a verification unit 54.
  • the third node 300 includes a storage unit 31 and a collation information generation unit 41.
  • the key generation unit 51 of the second node 200 generates a public key / private key pair and transmits the public key to the first node 100.
  • the encryption unit 11 of the first node 100 encrypts the authentication data with the public key and transmits it to the third node 300.
  • the storage unit 31 of the third node 300 holds encrypted authentication data.
  • the distance calculation unit 22 of the first node When the distance calculation unit 22 of the first node receives the authentication target data to be verified with the authentication data, the distance calculation unit 22 acquires the encrypted authentication data from the third node 300, and the distance between the authentication target data and the authentication data. Is calculated with the public key encrypted.
  • the verification information generation unit 41 of the third node 300 generates a polynomial including a threshold value of the distance between the authentication data and the data to be authenticated as a parameter.
  • the verification data generation unit 23 of the first node 100 generates a value obtained by substituting the calculated distance into the polynomial acquired from the third node 300 and encrypted with the public key as verification data. Transmit to node 200.
  • the collation unit 54 of the second node 200 collates the data to be authenticated with the authentication data based on the secret key and the collation data.
  • the encryption unit 11 preferably performs encryption based on an encryption method having additive homomorphism.
  • the encryption unit 11 may perform encryption based on Paillier encryption.
  • the collation information generating unit 41 may generate a polynomial that becomes zero when the distance between the independent variable and the authentication data is within the above threshold as the above polynomial.
  • the encryption unit 11 further encrypts the square of the authentication data with the public key and transmits it to the third node 300, and the storage unit 31 further holds the square of the encrypted authentication data. You may do it.
  • the distance calculation unit 22 obtains the encrypted authentication data and the square of the encrypted authentication data from the third node 300, and encrypts the distance between the data to be authenticated and the authentication data using the public key. It is preferable that the calculation is carried out with the change.
  • the authentication data and the data to be authenticated may include an n-dimensional element.
  • the distance calculation unit 22 calculates the n-dimensional Euclidean distance between the data to be authenticated and the authentication data while being encrypted with the public key.
  • the authentication data and the data to be authenticated may include a plurality of elements.
  • the distance calculation unit 22 calculates the above-mentioned distance encrypted for each element
  • the collation information generation unit 41 generates a polynomial for each element
  • the collation data generation unit 23 It is preferable that the verification data is generated, and the verification unit 54 uses the secret key and the verification data generated for a plurality of elements to verify the authentication data with the authentication data.
  • Non-Patent Document 1 the data registered in the server remains in plain text, so there is a possibility of data leaking from the server. Another problem is that data cannot be kept confidential to the server administrator.
  • the collation system not only the data to be authenticated sent from the client (first node) to the server (third node) at the time of authentication but also the database of the server (third node), etc.
  • the stored authentication data is also encrypted using an encryption method with high confidentiality. Therefore, according to such a collation system, the above-mentioned problem in the technique described in Non-Patent Document 1 is solved. Also, by giving the encryption method a special property of homomorphism, it is possible to calculate the Euclidean distance of the data while it is encrypted, and it is guaranteed that the encrypted data can be verified without being decrypted. The Furthermore, by adding a square ciphertext of authentication data as data generated at the time of registration, it becomes possible to calculate the distance between encrypted data, which was impossible in Non-Patent Document 1.
  • the collation system it is possible to prevent leakage of authentication data stored in the third node (server), and even if the server administrator is malicious, Plain text leakage can be prevented.
  • the reason is that at the time of data registration, the authentication data is encrypted by the first node (client) with an encryption key that is not decrypted by the server administrator.
  • FIG. 2 is a block diagram showing an example of the configuration of the collation system according to this embodiment.
  • the collation system includes a registered data generation device 10, a collation request device 20, a storage device 30, a data collation device 40, and a collation auxiliary device 50.
  • FIG. 2 illustrates a case where the verification system is configured by five nodes, but the verification system of the present invention is not limited to the illustrated mode.
  • the registered data generation device 10 and the verification requesting device 20 are collectively set as a first node (client)
  • the verification auxiliary device 50 is set as a second node (authentication node)
  • the storage device 30 and the data verification device 40 are combined.
  • the third node (server) may be used.
  • the registered data generation device 10 has an encryption unit 11.
  • the encryption unit 11 receives the authentication data to be concealed and the encryption key disclosed by the verification assisting device 50, conceals the authentication data using the encryption key, and outputs the encrypted data.
  • the encryption key disclosed by the verification assistant device 50 is a public key of additive homomorphic public key encryption.
  • the storage device 30 includes a storage unit 31 and an identifier management unit 32.
  • the storage unit 31 stores the unique identifier assigned by the identifier management unit 32 together with the encrypted data sent from the registered data generation device 10.
  • the verification request device 20 includes a verification request unit 21, a distance calculation unit 22, and a verification data generation unit 23.
  • the verification request unit 21 receives authentication target data to be verified as input, the verification request unit 21 sends a verification request to the data verification device 40.
  • the distance calculation unit 22 receives the authentication target data to be verified and the verification information received from the data verification device 40, and generates encrypted distance data.
  • the verification data generation unit 23 receives the encrypted distance data as input and generates verification data while interacting with the verification auxiliary device 50.
  • the data collating device 40 includes a collation information generating unit 41, a collation information sending unit 42, a collation auxiliary request unit 43, and a determination unit 44.
  • the verification information generation unit 41 receives the encrypted data stored in the storage device 30 and generates verification information.
  • the collation information sending unit 42 receives the collation request sent from the collation requesting device 20 as an input, and sends the collation information.
  • the verification auxiliary request unit 43 receives the verification data sent from the verification requesting device 20 as an input, generates a verification auxiliary request, and sends it to the verification auxiliary device 50.
  • the determination unit 44 receives the overall result received from the verification assisting device 50 as an input, and generates and outputs the verification result.
  • the collation assisting device 50 includes a key generation unit 51, a collation assisting unit 52, and an overall result assisting unit 53.
  • the key generation unit 51 generates a public key and a secret key of additive homomorphic encryption, discloses the public key, and holds the secret key.
  • the collation assisting unit 52 interacts with the collation data generating unit 23 of the collation requesting device 20 to assist the generation of collation data.
  • the total result auxiliary unit 53 receives the verification auxiliary request sent from the data verification device 40 and the secret key of the additive homomorphic encryption as inputs, and generates a total result.
  • the operation of the verification system is roughly divided into two phases: the data registration phase and the ciphertext verification phase.
  • the data registration phase the authentication data is input to the registration data generation device 10, the authentication data is encrypted and registered in the storage device 30.
  • the data to be authenticated is close to the plaintext of the encrypted data stored in the storage device 30 (the Euclidean distance is small) while concealing the data to be authenticated input to the verification requesting device 20 It is determined whether or not.
  • the operation in each phase will be described in detail.
  • FIG. 3 is a sequence diagram illustrating an operation in the data registration phase of the verification system as an example.
  • the key generation unit 51 of the verification assisting device 50 generates a public key and a secret key of additive homomorphic encryption, and publishes the public key (step A1).
  • the registration data generation device 10 receives authentication data to be concealed and a public key (step A2).
  • the encryption unit 11 of the registration data generation device 10 generates encryption data from the input authentication data and the public key, and sends it to the storage device 30 (step A3).
  • the identifier management unit 32 of the storage device 30 When the identifier management unit 32 of the storage device 30 receives the encrypted data, it assigns a unique identifier to the encrypted data (step A4). Further, the identifier management unit 32 stores the set of the encrypted data and the identifier in the storage unit 31 (Step A5).
  • FIG. 4 is a sequence diagram illustrating an operation in the ciphertext verification phase of the verification system as an example.
  • the verification information generation unit 41 of the data verification device 40 receives the encrypted data stored in the storage unit 31 and the identifier and parameter corresponding to the encrypted data (step B1), and generates verification information. (Step B2).
  • the verification requesting unit 21 of the verification requesting device 20 receives the data to be authenticated and the public key (step B3).
  • the verification request unit 21 of the verification requesting device 20 receives the data to be authenticated and the public key, it generates a verification request and outputs it to the data verification device 40 (step B4).
  • the verification information sending unit 42 of the data verification device 40 When the verification information sending unit 42 of the data verification device 40 receives the verification request, it outputs the verification information to the verification request device 20 (step B5).
  • the distance calculation unit 22 of the verification requesting device 20 calculates the plaintext Euclidean distance between the data to be authenticated and the encrypted data while encrypting it, and generates encrypted distance data (step B6).
  • the verification data generation unit 23 receives the encrypted distance data and the verification information as input, generates verification data while interacting with the verification auxiliary unit 52 of the verification auxiliary device 50, and outputs the verification data to the data verification device 40 (step). B7).
  • the collation assistance request unit 43 of the data collation device 40 receives the collation data, generates a collation assistance request, and outputs it to the collation assistance device 50 (step B8).
  • the overall result auxiliary unit 53 of the verification auxiliary device 50 receives the secret key, generates an overall result, and outputs it to the data verification device 40 (step B9).
  • the determination unit 44 of the data collating device 40 receives the comprehensive result, the determination unit 44 performs the determination and outputs the determination result (step B10).
  • the collation system not only the data to be authenticated sent from the registered data generation device 10 to the storage device 30 during authentication but also the authentication data stored in the storage device 30 uses an encryption method with high confidentiality. Encrypted. Therefore, for example, when the server is configured by the storage device 30 and the data collation device 40, according to the collation system according to the present embodiment, it is possible to prevent leakage of authentication data from the server.
  • additive homomorphic encryption for example, Paillier encryption
  • the key generation unit 51 of the verification assisting device 50 generates the public key pk and the secret key sk of the additive homomorphic encryption, and publishes the public key pk (Step A1).
  • the registration data generation device 10 receives the authentication data D to be concealed and the public key pk generated by the key generation unit 51 (step A2).
  • the encryption unit 11 of the registration data generation device 10 generates encryption data (Enc (pk, D), Enc (pk, D ⁇ 2)) from the input authentication data D and public key pk,
  • the data is sent to the storage device 30 (step A3).
  • Enc (pk, D) represents the result of encrypting the authentication data D using the public key pk.
  • Enc (pk, D ⁇ 2) represents the result of encrypting the square of the authentication data D using the public key pk.
  • the identifier management unit 32 of the storage device 30 When the identifier management unit 32 of the storage device 30 receives the encrypted data, it assigns a unique identifier ID to the encrypted data (step A4). Further, the identifier management unit 32 records the set of encrypted data and the identifier ((Enc (pk, D), Enc (pk, D ⁇ 2)), ID) in the storage unit 31 (step A5).
  • the collation information generating unit 41 of the data collating device 40 includes a set of encrypted data stored in the storage unit 31 and an identifier corresponding to the encrypted data ((Enc (pk, D), Enc (pk , D ⁇ 2)), ID) is received (step B1), and verification information is generated according to the following procedure (step B2).
  • a polynomial of d + 1 order or higher satisfying such a condition can be easily constructed.
  • N d.
  • the collation request unit 21 of the collation requesting device 20 receives the authenticated data D 'and the public key pk (step B3).
  • the verification request unit 21 of the verification requesting device 20 receives the authenticated data D 'and the public key pk, it generates a verification request req and outputs it to the data verification device 40 (step B4).
  • the verification request req is a message for requesting verification.
  • the verification information sending unit 42 of the data verification device 40 When the verification information sending unit 42 of the data verification device 40 receives the verification request, it outputs the verification information to the verification request device 20 (step B5).
  • the distance calculation unit 22 of the verification requesting device 20 receives the verification information, it calculates the encrypted Euclidean distance between the authenticated data D ′ and the encrypted data as encrypted as follows, and generates encrypted distance data: (Step B6).
  • Enc (pk, d (D, D ')) Enc (pk, D ⁇ 2) .
  • Enc (pk, D ' ⁇ 2) is calculated.
  • the collation data generation unit 23 receives the encrypted distance data and the collation information as input, and generates collation data while interacting with the collation auxiliary unit 52 of the collation auxiliary device 50 as follows. (Step B7).
  • the verification assistant unit 52 of the verification assistant device 50 decrypts Enc (pk, r ⁇ d (D, D ′)) using the secret key sk and calculates r ⁇ d (D, D ′).
  • the verification assistant 52 calculates (r ⁇ d (D, D ')) ⁇ ⁇ 2 ⁇ , ..., (r ⁇ d (D, D')) ⁇ ⁇ N ⁇ , and uses the public key pk, respectively.
  • the matching data generation unit 23 uses the r selected in step 1 to enc (pk, ((r ⁇ d (D, D ')) ⁇ ⁇ 2 ⁇ )) ⁇ ⁇ 1 / r ⁇ 2 ⁇ ,.
  • step 6 is performed in order to make the output random when d (D, D ′) ⁇ d. If the output need not be random, step 6 may be omitted.
  • Step 1 is performed in order to keep the value of d (D, D ′) secret from the verification assisting device 50. If it is not necessary to keep secret, step 1 may be omitted.
  • the collation assistance request unit 43 of the data collation apparatus 40 receives the collation data, generates a collation assistance request as follows, and outputs it to the collation assistance apparatus 50 (step B8).
  • Step 1 is performed so as not to notify the verification result to the verification assistant device 50 by randomizing the plaintext of C.
  • step 1 may be omitted.
  • the overall result auxiliary unit 53 of the verification auxiliary device 50 receives the secret key sk, generates the overall result P as follows, and outputs it to the data verification device 40 (step B9). That is, the overall result auxiliary unit 53 decrypts the ciphertext C using the secret key sk, and outputs the decrypted result to the data verification device 40 as the overall result P.
  • the data registered in the storage device 30 is encrypted data. All data sent from the verification requesting device 20 in the verification phase is a ciphertext. Therefore, the information regarding the registered authentication data D and the authenticated data D ′ is not leaked to the storage device 30 and the data verification device 40.
  • the verification requesting device 20 and the data verification device 40 also use the random numbers for the verification assisting device 50 so that no information regarding the registered authentication data D and authenticated data D ′ is leaked.
  • additive homomorphic encryption for example, Paillier encryption
  • the operation in each phase will be described in detail.
  • step A3 of the data registration phase of the collation system according to the second embodiment using the one-dimensional Euclidean distance as the distance the encrypted data (Enc (pk, D), Enc (pk, D ⁇ 2)) is converted into the encrypted data (Enc Replace with (pk, Dx), Enc (pk, Dx ⁇ 2), Enc (pk, Dy), Enc (pk, Dy ⁇ 2)).
  • step B6 is changed as follows.
  • the authentication data registered in the storage device 30 is encrypted data. All data sent from the verification requesting device 20 in the verification phase is a ciphertext. Therefore, the information regarding the registered authentication data D and the authenticated data D ′ is not leaked to the storage device 30 and the data verification device 40.
  • the verification requesting device 20 and the data verification device 40 also use the random numbers for the verification assisting device 50 so that no information regarding the registered authentication data D and authenticated data D ′ is leaked.
  • data having two or more elements is collated in the collation system according to the first embodiment.
  • additive homomorphic encryption for example, Paillier encryption
  • the key generation unit 51 of the verification assisting device 50 generates the public key pk and the secret key sk of the additive homomorphic encryption, and publishes the public key pk (Step A1).
  • the registration data generation device 10 receives the authentication data D to be concealed and the public key pk generated by the key generation unit 51 (step A2).
  • the encryption unit 11 of the registration data generation device 10 uses the input authentication data D and public key pk to generate encrypted data.
  • Enc (pk, t), Enc (pk, t ⁇ 2)), (Enc (pk, x), Enc (pk, x ⁇ 2)), (Enc (pk, y), Enc (pk, y ⁇ 2)) Is sent to the storage device 30 (step A3).
  • Enc (pk, a) represents the result of encrypting data a using the public key pk.
  • Enc (pk, a ⁇ 2) represents the result of encrypting the square of data a using the public key pk.
  • the identifier management unit 32 of the storage device 30 When receiving the encrypted data, the identifier management unit 32 of the storage device 30 gives a unique identifier ID to the encrypted data (step A4).
  • the identifier management unit 32 is a combination of encrypted data and an identifier. ((Enc (pk, t), Enc (pk, t ⁇ 2)), (Enc (pk, x), Enc (pk, x ⁇ 2)), (Enc (pk, y), Enc (pk, y ⁇ 2)), ID) Is stored in the storage unit 31 (step A5).
  • the verification information generation unit 41 of the data verification device 40 includes a set of encrypted data stored in the storage unit 31 and an identifier corresponding to the encrypted data. ((Enc (pk, t), Enc (pk, t ⁇ 2)), (Enc (pk, x), Enc (pk, x ⁇ 2)), (Enc (pk, y), Enc (pk, y ⁇ 2)), ID) Is input (step B1), and verification information is generated by the following procedure (step B2).
  • F (x) x (x-1) (x-2)... (X-d_t) is a d_t + 1 order polynomial satisfying the above property.
  • a polynomial of d_t + 1 order or higher that satisfies such a condition can be easily constructed.
  • G (x) x (x-1) (x-2)... (X-d_t)
  • N d_t. 2.1.
  • G (x) x (x-1) (x-2)...
  • the collation request unit 21 of the collation requesting device 20 receives the input data D 'and the public key pk (step B3).
  • the verification request unit 21 of the verification requesting device 20 receives the authenticated data D 'and the public key pk, it generates a verification request req and outputs it to the data verification device 40 (step B4).
  • the verification request req is a message for requesting verification.
  • the verification information sending unit 42 of the data verification device 40 When the verification information sending unit 42 of the data verification device 40 receives the verification request, it outputs the verification information to the verification request device 20 (step B5).
  • the distance calculation unit 22 of the verification requesting device 20 receives the verification information, it calculates the encrypted Euclidean distance between the data to be authenticated and the encrypted data while encrypting them, and generates encrypted distance data ( Step B6).
  • Enc (pk, t ' ⁇ 2) Enc (pk, x' ⁇ 2), Enc (pk, y ' ⁇ 2).
  • Enc (pk, d (t, t ′)) Enc (pk, t ⁇ 2) ⁇ Enc (pk, t) ⁇ ⁇ 2t ′ ⁇ ⁇ Enc (pk, t ′ ⁇ 2) is calculated. 3.
  • Enc (pk, d ((x, y), (x ', y'))) Enc (pk, x ⁇ 2) ⁇ Enc (pk, x) ⁇ ⁇ -2x ' ⁇ ⁇ Enc (pk, x' ⁇ 2) ⁇ Enc (pk, y ⁇ 2) ⁇ Enc (pk, y) ⁇ ⁇ -2y ' ⁇ ⁇ Enc (pk, y' ⁇ 2) is calculated.
  • the collation data generation unit 23 receives the encrypted distance data and the collation information as input, and generates collation data while interacting with the collation auxiliary unit 52 of the collation auxiliary device 50 as follows. (Step B7).
  • Enc (pk, r_e ⁇ d ((x, y), (x ', y'))) Enc (pk, d ((x, y), (x ', y'))) ⁇ ⁇ r_e ⁇
  • the verification assistant unit 52 of the verification assistant device 50 uses the secret key sk to specify Enc (pk, r_t ⁇ d (t, t ′)) and Enc (pk, r_e ⁇ d ((x, y), (x ′, y ′))) is decoded and r_t ⁇ d (t, t ′) and r_e ⁇ d ((x, y), (x ′, y ′)) are calculated. 4).
  • the collation assisting unit 52 has (r_t ⁇ d (t, t ')) ⁇ ⁇ 2 ⁇ , ..., (r_t ⁇ d (t, t')) ⁇ ⁇ N ⁇ , (r_e ⁇ d ((x, y) , (x ', y'))) ⁇ ⁇ 2 ⁇ , ..., (r_e ⁇ d ((x, y), (x ', y'))) ⁇ ⁇ N ' ⁇ Enc (pk, (r_t ⁇ d (t, t ')) ⁇ ⁇ 2 ⁇ ), ..., Enc (pk, (r_t ⁇ d (t, t')) ⁇ ⁇ N ⁇ ), Enc (pk, (r_e ⁇ d ((x, y), (x ', y'))) ⁇ ⁇ 2 ⁇ ), ..., Enc (pk, (r_e ⁇ d ((x, y
  • the verification data generation unit 23 uses En_ (pk, ((r ⁇ Enc (pk, (r_t ⁇ d (t, t ')) ⁇ ⁇ 2 ⁇ ) using r_t and r_e selected in steps 1 and 2.
  • Enc (pk, G (d ((x, y), (x ', y'))))))) (Enc (pk, ((d ((x, y ), (x ', y'))) ⁇ ⁇ N ' ⁇ )) ⁇ ⁇
  • Enc (pk, d (D, D ')) Enc (pk, F (d (t, t'))) ⁇ Enc (pk, G (d ((x, y), (x ', y')) ))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))) Is calculated. 8). R is selected at random, and Enc (pk, F (d (D, D ′)))) ⁇ ⁇ R ⁇ is calculated and output to the data verification device 40.
  • step 8 is performed in order to randomize the output when d (D, D ′) ⁇ d. If the output need not be random, step 8 may be omitted. Steps 1 and 2 are performed to conceal the value of d (D, D ′) from the verification assisting device 50. If it is not necessary to keep secret, steps 1 and 2 may be omitted.
  • Step 1 is performed so as not to notify the verification result to the verification assistant device 50 by randomizing the plaintext of C.
  • step 1 may be omitted.
  • the overall result auxiliary unit 53 of the verification auxiliary device 50 receives the secret key sk, generates the overall result P as follows, and outputs it to the data verification device 40 (step B9). That is, the overall result auxiliary unit 53 decrypts the ciphertext C using the secret key sk, and outputs the decrypted result to the data collating device 40 as the overall result P.
  • the data registered in the storage device 30 is encrypted data. All data sent from the verification requesting device 20 in the verification phase is a ciphertext. Therefore, the information regarding the registered authentication data D and the authenticated data D ′ is not leaked to the storage device 30 and the data verification device 40.
  • the verification requesting device 20 and the data verification device 40 also use the random numbers for the verification assisting device 50 so that no information regarding the registered authentication data D and authenticated data D ′ is leaked.
  • the present invention can be easily applied to a case where data is composed of three or more elements. Is possible. Further, the present invention can be easily applied when the Euclidean distance as an index is three-dimensional or more.
  • the authentication system according to the above embodiment can be applied to biometric authentication using a minutiae whose elements are a type, a two-dimensional coordinate, and an angle.
  • the input data in the data registration phase and the input data in the ciphertext collation phase are biometric information (maneuver) acquired from a fingerprint or a vein.
  • biometric information manufactured in the storage device and the encrypted biometric data created from the verification requesting device are collected from the same person while keeping the biometric information secret
  • biometric information cannot always stably acquire the same data.
  • [Form 1] It is as the collation system which concerns on the said 1st viewpoint.
  • [Form 2] The collation system according to aspect 1, wherein the encryption unit performs encryption based on an encryption method having additive homomorphism.
  • [Form 3] The collation system according to mode 2, wherein the encryption unit performs encryption based on Paillier encryption.
  • [Form 4] The collation system according to any one of aspects 1 to 3, wherein the collation information generation unit generates a polynomial that becomes zero when the distance between the independent variable and the authentication data is within the threshold as the polynomial.
  • the encryption unit further encrypts the square of the authentication data with the public key and transmits it to the third node,
  • the storage unit further holds the square of the encrypted authentication data,
  • the distance calculation unit acquires the encrypted authentication data and the square of the encrypted authentication data from the third node, and calculates the distance between the authentication target data and the authentication data as the public key. 5.
  • the collation system according to any one of forms 2 to 4, wherein calculation is performed with encryption performed by the method.
  • the authentication data and the data to be authenticated include an n-dimensional element, The collation system according to mode 5, wherein the distance calculation unit calculates an n-dimensional Euclidean distance between the data to be authenticated and the authentication data while being encrypted with the public key.
  • the authentication data and the data to be authenticated include a plurality of elements,
  • the distance calculation unit calculates the distance while encrypting each element,
  • the verification information generation unit generates the polynomial for each element,
  • the verification data generation unit generates the verification data for each element,
  • the verification system according to any one of modes 1 to 6, wherein the verification unit uses the secret key and verification data generated for the plurality of elements to verify the data to be authenticated with the authentication data. .
  • [Form 8] As in the node according to the second viewpoint.
  • [Form 9] The node according to mode 8, wherein the encryption unit performs encryption based on an encryption method having additive homomorphism.
  • [Mode 10] The node according to mode 9, wherein the encryption unit performs encryption based on Paillier encryption.
  • the encryption unit further encrypts the square of the authentication data with the public key and transmits it to the second node,
  • the distance calculation unit acquires the encrypted authentication data and the square of the encrypted authentication data from the third node, and calculates the distance between the authentication target data and the authentication data as the public key.
  • the authentication data and the data to be authenticated include an n-dimensional element, The node according to mode 12, wherein the distance calculation unit calculates an n-dimensional Euclidean distance between the data to be authenticated and the authentication data while being encrypted with the public key.
  • the authentication data and the data to be authenticated include a plurality of elements, The distance calculation unit calculates the distance while encrypting each element, The collation data generation unit generates the collation data for each element using the polynomial generated for each element, and transmits the collation data to the second node. Nodes.
  • a verification method in a verification system comprising a first node, a second node, and a third node, comprising: The second node generates a public / private key pair and transmits the public key to the first node; The first node encrypts authentication data with the public key and transmits it to the third node; The third node holding the encrypted authentication data; When the first node receives data to be authenticated that is collated with the authentication data, the encrypted authentication data is acquired from the third node, and the distance between the data to be authenticated and the authentication data Calculating with encryption using the public key; The third node generates a polynomial including a threshold value of a distance between the data to be authenticated and the authentication data as a parameter and transmits the generated polynomial to the first node; A step in which the first node substitutes the distance into the polynomial and encrypts a value encrypted with the public key as verification data and transmits the data to the second node; The second node includes
  • [Form 16] It is as the collation method which concerns on the said 3rd viewpoint.
  • [Form 17] The collation method according to mode 16, wherein the first node performs encryption based on an encryption method having additive homomorphism.
  • [Form 18] The collation method according to mode 17, wherein the first node performs encryption based on Paillier encryption.
  • [Form 19] The collation method according to any one of modes 16 to 18, wherein the polynomial is a polynomial that becomes zero when the distance between the independent variable and the authentication data is within the threshold.
  • the first node further includes encrypting the square of the authentication data with the public key and transmitting to the third node; The first node acquires the encrypted authentication data and the square of the encrypted authentication data from the third node, and discloses the distance between the authentication target data and the authentication data. 20.
  • the collation method according to any one of forms 17 to 19, wherein the calculation is performed while encrypted with a key.
  • the authentication data and the data to be authenticated include an n-dimensional element, The collation method according to mode 20, wherein the first node calculates an n-dimensional Euclidean distance between the data to be authenticated and the authentication data while being encrypted with the public key.
  • the authentication data and the data to be authenticated include a plurality of elements
  • the first node calculates the distance while encrypting each element
  • the collation data generation unit generates the collation data for each element using the polynomial generated for each element, and transmits the collation data to the second node. Collation method.
  • the program is related to the fourth viewpoint.
  • the program according to mode 23 which causes the computer to execute processing for encryption based on an encryption method having additive homomorphism.
  • the program according to mode 24 which causes the computer to execute processing for encryption based on Paillier encryption.
  • the authentication data and the data to be authenticated include an n-dimensional element, The program according to aspect 27, causing the computer to execute a process of calculating an n-dimensional Euclidean distance between the authentication data and the authentication data while being encrypted with the public key.
  • the authentication data and the data to be authenticated include a plurality of elements, A process of calculating the distance for each element with encryption;
  • the collation data generation unit generates the collation data for each element using the polynomial generated for each element, and causes the second node to perform transmission processing on the computer. Thirty-eighth program.

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Theoretical Computer Science (AREA)
  • Physics & Mathematics (AREA)
  • Signal Processing (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • General Physics & Mathematics (AREA)
  • Computing Systems (AREA)
  • Pure & Applied Mathematics (AREA)
  • Mathematical Physics (AREA)
  • Mathematical Optimization (AREA)
  • Mathematical Analysis (AREA)
  • Algebra (AREA)
  • Computer Hardware Design (AREA)
  • Software Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Storage Device Security (AREA)

Abstract

A second node generates a public key/secret key pair, and transmits the public key to a first node. The first node uses the public key to encrypt authentication data, and transmits the encrypted authentication data to the third node. The third node stores the encrypted authentication data therein. When data to be authenticated that is to be verified against the authentication data is received, the first node acquires the encrypted authentication data from the third node, and calculates the distance between the data to be authenticated and the authentication data in a state of being encrypted by the public key. The third node generates a polynomial expression including, as a parameter thereof, a threshold value for the distance between the data to be authenticated and the authentication data, and transmits the polynomial expression to the first node. The first node assigns the distance to the polynomial expression to generate, as verification data, a value encrypted by the public key, and transmits said value to the second node. The second node verifies, against the authentication data, on the basis of the secret key and the verification data, the data to be authenticated. As a result, data to be authenticated and authentication data are concealed in a server on the basis of simple processing.

Description

照合システム、ノード、照合方法およびプログラムVerification system, node, verification method and program
 [関連出願についての記載]
 本発明は、日本国特許出願:特願2013-102955号(2013年5月15日出願)に基づくものであり、同出願の全記載内容は引用をもって本書に組み込み記載されているものとする。
 本発明は、照合システム、ノード、照合方法およびプログラムに関し、特に、照合されるデータの曖昧さを許容する照合システム、ノード、照合方法およびプログラムに関する。 [Description of related applications]
The present invention is based on a Japanese patent application: Japanese Patent Application No. 2013-102955 (filed on May 15, 2013), and the entire contents of this application are incorporated in the present specification by reference.
The present invention relates to a collation system, a node, a collation method, and a program, and more particularly, to a collation system, a node, a collation method, and a program that allow ambiguity of data to be collated.
 近年、クラウドの普及に伴い、ネットワークに接続された計算機資源に利用者のデータを蓄積し、蓄積されたデータを用いて提供されるサービスが急速に広がってきている。このようなサービスでは、利用者の機微なデータを扱う機会も増大してきている。したがって、利用者のデータが安全に管理されていることを保証することが重要になってきている。 In recent years, with the spread of the cloud, users' data is accumulated in computer resources connected to the network, and services provided using the accumulated data are rapidly spreading. In such services, opportunities for handling sensitive data of users are increasing. Therefore, it has become important to ensure that user data is managed safely.
 このような状況の下、オープンなネットワーク環境でデータを暗号化したまま管理し、データを復号することなく、検索、統計処理などを行う技術の研究開発が活発に行われている。 Under such circumstances, research and development of techniques for managing data while encrypting it in an open network environment and performing search, statistical processing, etc. without decrypting the data are being actively conducted.
 また、近年、パスワードや磁気カードを用いた個人認証の脆弱性をついた犯罪が頻発しており、指紋、静脈などの生体的な特徴に基づくより安全性の高い生体認証技術が注目を集めている。 In recent years, crimes with vulnerability to personal authentication using passwords and magnetic cards have frequently occurred, and biometric technology with higher safety based on biometric features such as fingerprints and veins has attracted attention. Yes.
 生体認証においては、認証情報の検証を行うために、生体情報に関するテンプレートをデータベースに保管する必要がある。指紋、静脈などの生体情報は基本的に生涯不変のデータであり、情報が漏洩すると甚大な被害がもたらされるため、高い機密性が要求される。 In biometric authentication, it is necessary to store a template related to biometric information in a database in order to verify authentication information. Biometric information such as fingerprints and veins is basically data that does not change throughout the lifetime, and if information is leaked, it causes enormous damage, so high confidentiality is required.
 このため、テンプレートが漏洩しても「なりすまし」を行えないように、テンプレート情報を秘匿したまま認証を行うテンプレート保護型の生体認証技術が重要となってきている。 For this reason, template protection type biometric authentication technology that performs authentication while keeping template information secret is becoming important so that “spoofing” cannot be performed even if a template leaks.
 例えば、特許文献1には、指紋データを多項式上の点として表現し、その点にランダムな点を付加して指紋データを秘匿したデータをテンプレートとして生体認証を行う方式が記載されている。 For example, Patent Document 1 describes a method in which fingerprint data is expressed as a point on a polynomial, and a biometric authentication is performed using data in which fingerprint data is concealed by adding a random point to the point as a template.
 また、非特許文献1には、凖同型性を有する公開鍵暗号を利用することにより、認証を求めているクライアントの生体情報を保護する方式が記載されている。 Further, Non-Patent Document 1 describes a method for protecting the biometric information of a client seeking authentication by using public key cryptography having homogeneity.
 さらに、特許文献2には、証明装置が公開鍵と乱数を用いて登録用の特徴ベクトルを暗号化し、登録用の暗号化特徴ベクトルを認証装置に登録し、認証時に、証明装置が認証用の特徴ベクトルを公開鍵と乱数を用いて暗号化し、認証装置が2つの暗号化特徴ベクトルが暗号化された状態のままで、秘密鍵を用いた復号処理により2つの特徴ベクトル間の類似度を導出可能な暗号化類似度情報を生成し、復号装置が暗号化類似度情報を復号して平文の類似度を導出し、類似度がしきい値以上であれば本人と判定するシステムが記載されている。 Further, in Patent Document 2, a certification device encrypts a feature vector for registration using a public key and a random number, registers the encrypted feature vector for registration in an authentication device, and at the time of authentication, the certification device authenticates for authentication. The feature vector is encrypted using a public key and a random number, and the authentication device derives the similarity between the two feature vectors by decryption processing using the secret key while the two encrypted feature vectors remain encrypted. A system is described in which possible encryption similarity information is generated, a decryption device decrypts the encryption similarity information to derive plain text similarity, and if the similarity is greater than or equal to a threshold value, the system determines that the person is the person Yes.
特開2006-158851号公報JP 2006-158581 A 国際公開第2011/052056号International Publication No. 2011/052056
 上記の特許文献および非特許文献の全開示内容は、本書に引用をもって繰り込み記載されているものとする。以下の分析は、本発明者によってなされたものである。 The entire disclosure of the above-mentioned patent documents and non-patent documents is incorporated by reference in this document. The following analysis was made by the present inventors.
 特許文献1の方式は、生体認証を何度も繰り返したとき、十分な強度で生体情報が保護されていないおそれがあることが知られている。 It is known that the method of Patent Document 1 may not protect biometric information with sufficient strength when biometric authentication is repeated many times.
 一方、非特許文献1は、凖同型性を有する公開鍵暗号を利用することにより、認証を求めているクライアントの生体情報を保護する方式を提案している。 On the other hand, Non-Patent Document 1 proposes a method for protecting biometric information of a client seeking authentication by using public key cryptography having homogeneity.
 生体情報を保護しない生体認証方式では、生体情報(例えば、指紋など)からマニューシャと呼ばれる特徴点を抽出し、マニューシャを認証用テンプレートとしてサーバに登録する。一般に、マニューシャは、タイプ、座標(x,y)、角度という3つの成分から成る。タイプは特徴点のタイプを表し、例えば、端点、分岐点などがある。座標は特徴点の座標を表し、角度は特徴点における接線の傾きを表す。 In a biometric authentication method that does not protect biometric information, feature points called minutiae are extracted from biometric information (for example, fingerprints) and the minutiae is registered in the server as an authentication template. Generally, a minutiae is composed of three components: type, coordinates (x, y), and angle. The type represents the type of feature point, for example, an end point or a branch point. The coordinate represents the coordinate of the feature point, and the angle represents the slope of the tangent line at the feature point.
 サーバは、認証時において、クライアントの生体情報から抽出されたマニューシャと、認証用テンプレートとして登録されたマニューシャが一致することを確認する。(1)特徴点のタイプが一致し、(2)特徴点間の距離が閾値以内であり、(3)特徴点における接線の傾きの差が閾値以内である、という3条件が満たされたとき、マニューシャは一致したとみなされる。 At the time of authentication, the server confirms that the minutia extracted from the biometric information of the client matches the minutia registered as the authentication template. When the following three conditions are satisfied: (1) the feature point types match, (2) the distance between the feature points is within the threshold, and (3) the tangential slope difference at the feature point is within the threshold. , Maneusha is considered a match.
 具体的には、認証時に抽出されたマニューシャを(type1,(x1,y1),θ1)とし、登録されたマニューシャを(type2,(x2,y2),θ2)としたとき、
(1)type1=type2
(2)0≦((x1-x2)^2+(y1-y2)^2)≦δd
(3)0≦(θ1-θ2)^2≦δt
の3条件が満たされたとき、2つのマニューシャが一致したとみなされる。 Specifically, when the minutiae extracted at the time of authentication is (type1, (x1, y1), θ1) and the registered minutiae is (type2, (x2, y2), θ2),
(1) type1 = type2
(2) 0 ≦ ((x1-x2) ^ 2 + (y1-y2) ^ 2) ≦ δd
(3) 0 ≦ (θ1-θ2) ^ 2 ≦ δt
When the three conditions are satisfied, it is considered that the two minutiae coincide.
 ここで、δd、δtはシステムによって決められるパラメータである。また、(2)で評価される距離は、2次元ユークリッド距離、または、L2ノルムと呼ばれる。同様に、(3)で評価される距離は1次元ユークリッド距離と呼ばれる。以下では、これらをまとめてユークリッド距離と呼び、DとD’のユークリッド距離をd(D,D’)と表す。 Here, δd and δt are parameters determined by the system. The distance evaluated in (2) is called a two-dimensional Euclidean distance or L2 norm. Similarly, the distance evaluated in (3) is called a one-dimensional Euclidean distance. Hereinafter, these are collectively called the Euclidean distance, and the Euclidean distance between D and D ′ is represented as d (D, D ′).
 非特許文献1には、認証要求をしているクライアントの生体情報を秘匿できる生体認証方式が記載されている。具体的には、Aided ComputationおよびSet Intersectionと呼ばれる暗号プロトコルを利用することにより、認証時に抽出されたマニューシャ(type1,(x1,y1),θ1)をサーバに明かさずに、サーバに登録されたマニューシャ(type2,(x2,y2),θ2)とマニューシャ(type1,(x1,y1),θ1)とが一致するかどうかを確認することができる。 Non-Patent Document 1 describes a biometric authentication method capable of concealing biometric information of a client who has requested authentication. Specifically, by using an encryption protocol called Aided Computation and Set Intersection, the minutiae (type1, (x1, y1), θ1) extracted at the time of authentication is not disclosed to the server, and the minutiae registered on the server It can be confirmed whether (type2, (x2, y2), θ2) and minutiae (type1, (x1, y1), θ1) match.
 以下では、クライアントからサーバに対して事前に登録されるデータを「認証データ」という。また、認証時に抽出され認証データとの照合が行われるデータを「被認証データ」という。上記の例では、マニューシャ(type2,(x2,y2),θ2)は認証データに相当し、マニューシャ(type1,(x1,y1),θ1)は被認証データに相当する。 In the following, data registered in advance from the client to the server is referred to as “authentication data”. Data extracted at the time of authentication and verified with authentication data is referred to as “authenticated data”. In the above example, minutiae (type2, (x2, y2), θ2) corresponds to authentication data, and minutiae (type1, (x1, y1), θ1) corresponds to data to be authenticated.
 これらの暗号プロトコルを説明する準備として、公開鍵暗号について説明する。公開鍵暗号は、鍵生成、暗号化、復号の3つのアルゴリズムからなる。鍵生成はセキュリティパラメータを入力として受け取り、公開鍵pkと秘密鍵skを出力する確率的アルゴリズムである。暗号化は、公開鍵pkとメッセージMを入力として受け取り、暗号文Cを出力する確率的アルゴリズムである。復号は、秘密鍵skと暗号文Cを入力として受け取り、復号結果Mを出力する決定的アルゴリズムである。 As a preparation for explaining these cryptographic protocols, public key cryptography will be explained. Public key cryptography consists of three algorithms: key generation, encryption, and decryption. Key generation is a probabilistic algorithm that receives a security parameter as input and outputs a public key pk and a secret key sk. Encryption is a probabilistic algorithm that receives a public key pk and a message M as input and outputs ciphertext C. Decryption is a definitive algorithm that receives a secret key sk and ciphertext C as input and outputs a decryption result M.
 以下、鍵生成、暗号化、復号の各アルゴリズムを次のように記載する。
鍵生成:KeyGen(1^k)→(pk,sk)
暗号化:Enc(pk,M)→C
復号:Dec(sk,C)→M Hereinafter, the key generation, encryption, and decryption algorithms are described as follows.
Key generation: KeyGen (1 ^ k) → (pk, sk)
Encryption: Enc (pk, M) → C
Decryption: Dec (sk, C) → M
 公開鍵暗号方式が凖同型性を有するとは、ある演算(*)、(+)に対して、以下の式が成立する場合をいう。
Enc(pk,M1(+)M2)=Enc(pk,M1)(*)Enc(pk,M2) The public key cryptosystem has homomorphism means that the following expression holds for certain operations (*) and (+).
Enc (pk, M1 (+) M2) = Enc (pk, M1) (*) Enc (pk, M2)
 例えば、Paillier暗号は、(*)を乗算、(+)を加算とした凖同型性を有する公開鍵暗号であることが知られている。次に、Paillier暗号について説明する。 For example, it is known that the Paillier cipher is a public key cipher having homomorphism in which (*) is multiplied and (+) is added. Next, the Paillier encryption will be described.
鍵生成:セキュリティパラメータ1^kを受け取る。
kビットの素数p,qをランダムに選び、n=pqとする。
次に、g=1+n mod n^2とする。
公開鍵pk=(n,g)、秘密鍵sk=(p,q)を出力する。 Key generation: Receives security parameter 1 ^ k.
K-bit prime numbers p and q are selected at random, and n = pq.
Next, g = 1 + n mod n ^ 2.
The public key pk = (n, g) and the secret key sk = (p, q) are output.
暗号化:pk=(n,g)、メッセージmを入力として受け取る。
Z*_{n^2}からランダムにrを選ぶ。
C=(1+mn)・r^n mod n^2を計算する。
暗号文Cを出力する。 Encryption: pk = (n, g), message m is received as input.
Choose r at random from Z * _ {n ^ 2}.
C = (1 + mn) · r ^ n mod n ^ 2 is calculated.
Output ciphertext C.
復号:sk=(p,q)、暗号文Cを入力として受け取る。
λ=(p-1)(q-1)を計算する。
m=(c^{λ} mod n^2 -1)/(g^{λ} mod n^2 -1) mod nを計算する。
平文mを出力する。 Decryption: sk = (p, q), ciphertext C is received as input.
Calculate λ = (p−1) (q−1).
m = (c ^ {λ} mod n ^ 2 −1) / (g ^ {λ} mod n ^ 2 −1) mod n is calculated.
Output plaintext m.
C1=Enc(pk,m1)=(1+m1 n)・r1^n mod n^2、C2=Enc(pk,m2)=(1+m2 n)・r2^n mod n^2とすると、C1×C2=(1+(m1+m2)n+m1・m2・n^2)・(r1r2)^n mod n^2=(1+(m1+m2)n)・(r1r2)^n mod n^2 =Enc(pk,m1+m2)となり、Paillier暗号は凖同型性を有する。このように、暗号化したまま平文の加算を行うことができる公開鍵暗号を、加法凖同型公開鍵暗号と呼ぶ。 If C1 = Enc (pk, m1) = (1 + m1 n) ・ r1 ^ n mod n ^ 2, C2 = Enc (pk, m2) = (1 + m2 n) ・ r2 ^ n mod n ^ 2 C1 × C2 = (1+ (m1 + m2) n + m1 ・ m2 ・ n ^ 2) ・ (r1r2) ^ n mod n ^ 2 = (1+ (m1 + m2) n) ・ (r1r2) ^ n mod n ^ 2 = Enc (pk, m1 + m2), and the Paillier cipher has homomorphism. Thus, public key cryptography that can add plaintext while encrypted is called additive homomorphic public key cryptography.
 Set Intersection とは、2人のエンティティであるアリス(Alice)とボブ(Bob)の間で行われる暗号プロトコルである。アリスはあるデータaを持ち、ボブはデータの集合Bを持つものと仮定する。このとき、Set Intersectionはアリスの持つデータaをボブに秘匿したまま、データaが集合Bに含まれるかどうかを確認するプロトコルである。 “Set Intersection” is a cryptographic protocol performed between two entities, Alice and Bob. Assume that Alice has some data a and Bob has a set B of data. At this time, Set Intersection is a protocol for confirming whether data a is included in set B while keeping data A held by Alice confidential to Bob.
 簡単のため、集合B={b1,b2,b3}としてSet Intersectionを説明する。また、ボブは加法凖同型公開鍵暗号の公開鍵pkを公開し、対応する秘密鍵skを保持しているものとする。 For simplicity, Set Intersection will be described as a set B = {b1, b2, b3}. Bob releases the public key pk of the additive homomorphic public key encryption and holds the corresponding secret key sk.
1.ボブはx=b1,b2,b3のとき、値が0となり、それ以外のとき、値が0以外となる多項式F(x)を生成する。例えば、F(x)=(x-b1)(x-b2)(x-b3)とすればよい。このような多項式は、ラグランジェ補間を利用して容易に生成することができる。ここで、F(x)の係数をα[0]、α[1]、…、α[n]とする。すなわち、F(x)=α[n]x^n+α[n-1]x^{n-1}+…+α[1]x+α[0]である。
2.ボブは、公開鍵pkを使用してα[0]、α[1]、…、α[n]をそれぞれ暗号化する。また、ボブは、暗号文C[0]、C[1]、…、C[n]をアリスに送付する。
3.アリスは、a^{n}、a^{n-1}、…、a^{0}を計算する。さらに、アリスは、C[n]^{a^{n}}、C[n-1]^{a^{n-1}}、…、C[0]^{a^{0}}を計算する。
4.アリスは、C=C[n]^{a^{n}}・C[n-1]^{a^{n-1}}・…・C[0]^{a^{0}}を計算する。凖同型性により、C=Enc(pk、F(a))である。また、アリスは、ランダムにrを選択し、C’=C^{r}とする。さらに、アリスは、C’をボブに送付する。
5.ボブは、受け取ったC’を復号する。ボブは、復号結果が0の場合、アリスは集合Bに含まれるデータを有すると判断し、復号結果が0以外の場合、アリスは集合Bに含まれるデータを持たないと判断する。 1. Bob generates a polynomial F (x) having a value of 0 when x = b1, b2, b3, and a value other than 0 otherwise. For example, F (x) = (x−b1) (x−b2) (x−b3) may be set. Such a polynomial can be easily generated using Lagrange interpolation. Here, the coefficients of F (x) are α [0], α [1],..., Α [n]. That is, F (x) = α [n] x ^ n + α [n-1] x ^ {n-1} + ... + α [1] x + α [0].
2. Bob encrypts α [0], α [1],..., Α [n] using the public key pk. Bob also sends ciphertexts C [0], C [1],..., C [n] to Alice.
3. Alice calculates a ^ {n}, a ^ {n-1}, ..., a ^ {0}. In addition, Alice replaces C [n] ^ {a ^ {n}}, C [n-1] ^ {a ^ {n-1}}, ..., C [0] ^ {a ^ {0}} calculate.
4). Alice uses C = C [n] ^ {a ^ {n}} ・ C [n-1] ^ {a ^ {n-1}} ...… C [0] ^ {a ^ {0}} calculate. Due to the isomorphism, C = Enc (pk, F (a)). Alice selects r at random and sets C ′ = C ^ {r}. In addition, Alice sends C 'to Bob.
5. Bob decrypts the received C ′. Bob determines that Alice has data included in set B if the decoding result is 0, and determines that Alice does not have data included in set B if the decoding result is other than 0.
 簡単のため、入力aを持つアリスと、集合Bおよび秘密鍵skを持つボブによるSet IntersectionのプロトコルをSet Intersection[アリス(a),ボブ(B,sk)](pk)と表記する。ここで、pkはアリスとボブへの共通入力である公開鍵pkを表す。 For simplicity, the protocol of SetsectionIntersection by Alice with input a and Bob with set B and secret key sk is denoted as Set Intersection [Alice (a), Bob (B, sk)] (pk). Here, pk represents a public key pk that is a common input to Alice and Bob.
 次に、Aided Computationを説明する。Aided Computationも、2人のエンティティであるアリスとボブの間で行われる暗号プロトコルである。アリスはあるデータaの暗号文Enc(pk,a)を持ち、ボブはデータの集合Bおよび公開鍵pkに対応する秘密鍵skを持つものと仮定する。ボブの暗号は、加法凖同型公開鍵暗号である。このとき、Aided Computationはアリスの持つデータaをボブに秘匿したまま、データaが集合Bに含まれるかどうかを確認するプロトコルである。Aided Computationでは、Set Intersectionとは異なり、アリスはデータaの平文を知らない。 Next, Aided Computation will be explained. Aided Computation is also a cryptographic protocol performed between two entities, Alice and Bob. Assume that Alice has a ciphertext Enc (pk, a) of some data a, and Bob has a secret key sk corresponding to the data set B and the public key pk. Bob's cipher is an additive homomorphic public key cipher. At this time, Aided Computation is a protocol for checking whether data a is included in the set B while keeping Alice's data a confidential to Bob. In Aided Computation, unlike Set Intersection, Alice does not know the plaintext of data a.
 簡単のため、B={b1,b2,b3}としてAided Computationを説明する。また、x=b1,b2,b3のときに0となり、それ以外のときに0以外となる多項式F(x)が公開されているものとする。すなわち、F(x)=α[n]x^n+α[n-1]x^{n-1}+…+α[1]x+α[0]であり、α[0]~α[n]が公開されているとする。 For simplicity, Aided Computation is described as B = {b1, b2, b3}. Further, it is assumed that a polynomial F (x) that is 0 when x = b1, b2, b3, and other than 0 otherwise is disclosed. That is, F (x) = α [n] x ^ n + α [n-1] x ^ {n-1} +… + α [1] x + α [0], and α [0] to α [n] is publicly available.
1.アリスはランダムにrを選び、Enc(pk,ra)={Enc(pk,a)}^{r}を計算し、ボブに送付する。
2.ボブはEnc(pk,ra)を復号し、raを得る。
3.ボブは(ra)^{α[1]}、(ra)^{α[2]}、…、(ra)^{α[n]}を計算し、それぞれ公開鍵pkを用いて暗号化する。すなわち、C[i]=Enc(pk,(ra)^{α[i]})をi=1~nに対して行い、C[1]~C[n]をアリスに送付する。
4.アリスは、i=1~nに対してC’[i]=(C[i])^{1/(r^{i})}を計算する。
5.アリスはC=C’[1]・C’[2]・…・C’[n]・Enc(pk,α[0])を計算し、ボブに送付する。凖同型性より、C=Enc(pk,F(a))である。
6.ボブは、Cを復号する。ボブは、復号結果が0の場合、アリスが集合Bに含まれるデータの暗号文を有すると判断し、復号結果が0以外の場合、アリスが集合Bに含まれるデータの暗号文を持たないと判断する。 1. Alice chooses r at random, calculates Enc (pk, ra) = {Enc (pk, a)} ^ {r} and sends it to Bob.
2. Bob decrypts Enc (pk, ra) and gets ra.
3. Bob computes (ra) ^ {α [1]}, (ra) ^ {α [2]}, ..., (ra) ^ {α [n]} and encrypts each using the public key pk. . That is, C [i] = Enc (pk, (ra) ^ {α [i]}) is performed for i = 1 to n, and C [1] to C [n] are sent to Alice.
4). Alice calculates C ′ [i] = (C [i]) ^ {1 / (r ^ {i})} for i = 1 to n.
5. Alice calculates C = C '[1], C' [2], ..., C '[n], Enc (pk, α [0]), and sends it to Bob. From the isomorphism, C = Enc (pk, F (a)).
6). Bob decrypts C. Bob determines that Alice has the ciphertext of the data included in set B if the decryption result is 0, and if Alice has no ciphertext of the data included in set B if the decryption result is other than 0 to decide.
 簡単のため、入力Enc(pk,a)を持つアリスと、集合Bおよび秘密鍵skを持つボブによる関数F(x)に対するAided ComputationのプロトコルをAided Computation[アリス(Enc(pk,a)),ボブ(B,sk)](pk,F(x))と表す。ここで、pkはアリスとボブへの共通入力である公開鍵pkを表す。 For simplicity, the protocol of AidedutComputation for Alice with input Enc (pk, a) and the function F (x) by Bob with set B and secret key sk is Aided Computation [Alice (Enc (pk, a)), Bob (B, sk)] (pk, F (x)). Here, pk represents a public key pk that is a common input to Alice and Bob.
 非特許文献1では、クライアントのマニューシャ(type1,(x1,y1),θ1)(被認証データ)と、サーバに保管されている認証用テンプレート(type2,(x2,y2),θ2)(認証データ)が一致することを確認するために、Set IntersectionとAided Computationを利用する。具体的には、以下の処理を行う。 In Non-Patent Document 1, client minutiae (type1, (x1, y1), θ1) (authenticated data) and authentication template (type2, (x2, y2), θ2) (authentication data) stored in the server ) Use Set 一致 Intersection and Aided Computation to confirm that they match. Specifically, the following processing is performed.
(1)タイプの一致:Set Intersection[クライアント(type1),サーバ(type2,sk)](pk)を行う。 (1) Type match: Set Intersection [client (type 1), server (type 2, sk)] (pk) is performed.
(2)距離の一致:まず暗号化したまま(x1,y1)および(x2,y2)間のユークリッド距離を計算する。
(ア)サーバは、B={0,1,…,δd}として、F(x)を生成する。
(イ)サーバは、Enc(pk,x2^2),Enc(pk,x2),Enc(pk,y2^2),Enc(pk,y2)をそれぞれ計算し、クライアントに送付する。
(ウ)クライアントは、Enc(pk,x1^2),Enc(pk,y1^2)を計算する。
(エ)クライアントは、Enc(pk,x1^2)・{Enc(pk,x2)}^{-2x1}・Enc(pk,x2^2)・Enc(pk,y1^2)・{Enc(pk,y2)}^{-2y1}・Enc(pk,y2^2)=Enc(pk,(x1-x2)^2+(y1-y2)^2)を計算する。
(オ)Aided Computation[クライアント(Enc(pk,(x1-x2)^2+(y1-y2)^2)),サーバ({0,1,…,δd},sk)](pk,F(x))を実行する。 (2) Distance match: First, the Euclidean distance between (x1, y1) and (x2, y2) is calculated with encryption.
(A) The server generates F (x) as B = {0, 1,..., Δd}.
(A) The server calculates Enc (pk, x2 ^ 2), Enc (pk, x2), Enc (pk, y2 ^ 2), and Enc (pk, y2), and sends them to the client.
(C) The client calculates Enc (pk, x1 ^ 2), Enc (pk, y1 ^ 2).
(D) Clients are Enc (pk, x1 ^ 2), {Enc (pk, x2)} ^ {-2x1}, Enc (pk, x2 ^ 2), Enc (pk, y1 ^ 2), {Enc ( pk, y2)} ^ {-2y1} · Enc (pk, y2 ^ 2) = Enc (pk, (x1-x2) ^ 2 + (y1-y2) ^ 2) is calculated.
(E) Aided Computation [Client (Enc (pk, (x1-x2) ^ 2 + (y1-y2) ^ 2)), Server ({0,1,…, δd}, sk)] (pk, F ( x)) is executed.
(3)角度の一致:距離の一致と同様に、Enc(pk,(θ1-θ2)^2)を計算し、B’={0,1,…,δt}に対応したG(x)に対するAided Computation[クライアント(Enc(pk,(θ1-θ2)^2)),サーバ(B’,sk)](pk,G(x))を実行する。 (3) Angle match: Similar to the distance match, Enc (pk, (θ1-θ2) ^ 2) is calculated and for G (x) corresponding to B '= {0,1, ..., δt} Execute AidedutComputation [client (Enc (pk, (θ1-θ2) ^ 2)), server (B ', sk)] (pk, G (x)).
 非特許文献1に記載された技術によると、クライアントからサーバに登録された認証データに基づいて認証される被認証データを、サーバに対して秘匿することができる。しかしながら、非特許文献1に記載された技術によると、サーバ上に登録された認証データが平文であるため、サーバからクライアントの機微データである認証データが漏えいするおそれがあり、サーバ管理者に対して認証データを秘匿していないという問題もある。 According to the technique described in Non-Patent Document 1, data to be authenticated that is authenticated based on authentication data registered in the server from the client can be kept secret from the server. However, according to the technique described in Non-Patent Document 1, since authentication data registered on the server is plain text, there is a risk that authentication data, which is client sensitive data, may be leaked from the server. Another problem is that the authentication data is not concealed.
 なお、かかる問題を解消するために、特許文献2に記載された技術を採用することが考えられる。しかしながら、特許文献2に記載された技術によると、登録用の特徴ベクトル(認証データ)および認証用の特徴ベクトル(被認証データ)の暗号化の際に、二重凖同型暗号と呼ばれる特殊な凖同型暗号を用いる必要がある。一般に、二重凖同型暗号は計算コストがかかり、かつ、秘密鍵や公開鍵のサイズがとても大きくなるため、現実的な時間で処理することが難しいという問題がある。 In order to solve this problem, it is conceivable to employ the technique described in Patent Document 2. However, according to the technique described in Patent Document 2, when encrypting a feature vector for registration (authentication data) and a feature vector for authentication (authenticated data), a special trap called double-homomorphic encryption is used. It is necessary to use the same cipher. In general, the double homomorphic encryption has a calculation cost and has a problem that it is difficult to process in a realistic time because the size of the secret key and the public key becomes very large.
 そこで、簡便な処理に基づいて、被認証データおよび認証データをサーバに対して秘匿することが要望される。本発明の目的は、かかる要望に寄与する照合システム、照合方法およびプログラムを提供することにある。 Therefore, it is desired to conceal the data to be authenticated and the authentication data from the server based on simple processing. An object of the present invention is to provide a collation system, a collation method, and a program that contribute to such a demand.
 本発明の第1の視点に係る照合システムは、
 第1のノード、第2のノードおよび第3のノードを備え、
 前記第1のノードは、公開鍵により認証データを暗号化して前記第3のノードに送信する暗号化部と、
 前記認証データと照合される被認証データを受信すると、暗号化された前記認証データを前記第3のノードから取得して、前記被認証データと前記認証データとの距離を前記公開鍵により暗号化したまま算出する距離計算部と、
 前記第3のノードから取得した多項式に前記距離を代入して前記公開鍵により暗号化した値を、照合用データとして生成して前記第2のノードに送信する照合用データ生成部と、を有し、
 前記第2のノードは、前記公開鍵と秘密鍵の対を生成し、前記公開鍵を第1のノードに送信する鍵生成部と、
 前記秘密鍵と前記照合用データに基づいて、前記被認証データを前記認証データと照合する照合部と、を有し、
 前記第3のノードは、暗号化された前記認証データを保持する記憶部と、
 前記多項式として、前記認証データと前記被認証データの距離の閾値をパラメータとして含む多項式を生成する照合用情報生成部と、を有する。 The collation system according to the first aspect of the present invention is:
Comprising a first node, a second node and a third node;
The first node encrypts authentication data with a public key and transmits the encrypted data to the third node;
When the data to be authenticated that is collated with the authentication data is received, the encrypted authentication data is obtained from the third node, and the distance between the data to be authenticated and the authentication data is encrypted with the public key A distance calculation unit to calculate as is,
A verification data generation unit that generates a value encrypted by the public key by substituting the distance into the polynomial acquired from the third node as verification data and transmits the verification data to the second node. And
The second node generates a pair of the public key and the secret key, and transmits the public key to the first node;
A collation unit that collates the data to be authenticated with the authentication data based on the secret key and the collation data;
The third node includes a storage unit that stores the encrypted authentication data;
A collation information generating unit that generates a polynomial that includes a threshold value of a distance between the authentication data and the data to be authenticated as a parameter.
 本発明の第2の視点に係るノードは、
 公開鍵と秘密鍵の対を生成する第2のノードから受信した前記公開鍵により、認証データを暗号化して第3のノードに送信する暗号化部と、
 前記認証データと照合される被認証データを受信すると、暗号化された前記認証データを前記第3のノードから取得して、前記被認証データと前記認証データとの距離を前記公開鍵により暗号化したまま算出する距離計算部と、
 前記第3のノードから取得した多項式に前記距離を代入して前記公開鍵により暗号化した値を、照合用データとして生成して前記第2のノードに送信する照合用データ生成部と、を備え、
 前記多項式は、前記認証データと前記被認証データの距離の閾値をパラメータとして含む。 The node according to the second aspect of the present invention is:
An encryption unit that encrypts authentication data with the public key received from the second node that generates a public key and private key pair, and transmits the encrypted authentication data to the third node;
When the data to be authenticated that is collated with the authentication data is received, the encrypted authentication data is obtained from the third node, and the distance between the data to be authenticated and the authentication data is encrypted with the public key A distance calculation unit to calculate as is,
A verification data generation unit that generates a value encrypted with the public key by substituting the distance into the polynomial acquired from the third node, and generates the verification data and transmits the verification data to the second node; ,
The polynomial includes a threshold value of a distance between the authentication data and the data to be authenticated as a parameter.
 本発明の第3の視点に係る照合方法は、
 第1のノードが、公開鍵と秘密鍵の対を生成する第2のノードから受信した前記公開鍵により、認証データを暗号化して第3のノードに送信する工程と、
 前記認証データと照合される被認証データを受信すると、暗号化された前記認証データを前記第3のノードから取得して、前記被認証データと前記認証データとの距離を前記公開鍵により暗号化したまま算出する工程と、
 前記第3のノードから取得した多項式に前記距離を代入して前記公開鍵により暗号化した値を、照合用データとして生成して前記第2のノードに送信する工程と、を含み、
 前記多項式は、前記認証データと前記被認証データの距離の閾値をパラメータとして含む。 The collation method according to the third aspect of the present invention is:
A first node encrypting authentication data with the public key received from the second node that generates a public key and private key pair and transmitting the encrypted data to the third node;
When the data to be authenticated that is collated with the authentication data is received, the encrypted authentication data is obtained from the third node, and the distance between the data to be authenticated and the authentication data is encrypted with the public key The process of calculating as it is,
Including substituting the distance into the polynomial obtained from the third node and encrypting the encrypted value using the public key as verification data and transmitting the verification data to the second node.
The polynomial includes a threshold value of a distance between the authentication data and the data to be authenticated as a parameter.
 本発明の第4の視点に係るプログラムは、
 公開鍵と秘密鍵の対を生成する第2のノードから受信した前記公開鍵により、認証データを暗号化して第3のノードに送信する処理と、
 前記認証データと照合される被認証データを受信すると、暗号化された前記認証データを前記第3のノードから取得して、前記被認証データと前記認証データとの距離を前記公開鍵により暗号化したまま算出する処理と、
 前記第3のノードから取得した多項式に前記距離を代入して前記公開鍵により暗号化した値を、照合用データとして生成して前記第2のノードに送信する処理と、を第1のノードに設けられたコンピュータに実行させ、
 前記多項式は、前記認証データと前記被認証データの距離の閾値をパラメータとして含む。
 なお、プログラムは、非一時的なコンピュータ可読記録媒体(non-transitory computer-readable storage medium)に記録されたプログラム製品として提供することができる。 The program according to the fourth aspect of the present invention is:
A process of encrypting authentication data with the public key received from the second node that generates a public key and private key pair and transmitting the encrypted authentication data to the third node;
When the data to be authenticated that is collated with the authentication data is received, the encrypted authentication data is obtained from the third node, and the distance between the data to be authenticated and the authentication data is encrypted with the public key Processing while calculating
A process of substituting the distance into the polynomial obtained from the third node and generating a value encrypted with the public key as verification data and transmitting it to the second node. Run it on the computer provided,
The polynomial includes a threshold value of a distance between the authentication data and the data to be authenticated as a parameter.
The program can be provided as a program product recorded on a non-transitory computer-readable storage medium.
 本発明に係る照合システム、ノード、照合方法およびプログラムによると、簡便な処理に基づいて被認証データおよび認証データをサーバに対して秘匿することが可能となる。 According to the collation system, node, collation method, and program according to the present invention, it becomes possible to conceal the data to be authenticated and the authentication data from the server based on simple processing.
一実施形態に係る照合システムの構成を一例として示すブロック図である。It is a block diagram which shows the structure of the collation system which concerns on one Embodiment as an example. 第1の実施形態に係る照合システムの構成を一例として示すブロック図である。It is a block diagram which shows the structure of the collation system which concerns on 1st Embodiment as an example. 第1の実施形態に係る照合システムのデータ登録動作を一例として示すシーケンス図である。It is a sequence diagram which shows the data registration operation | movement of the collation system which concerns on 1st Embodiment as an example. 第1の実施形態に係る照合システムの暗号文照合動作を一例として示すシーケンス図である。It is a sequence diagram which shows the ciphertext collation operation | movement of the collation system which concerns on 1st Embodiment as an example.
 はじめに、一実施形態の概要について説明する。なお、この概要に付記する図面参照符号は、専ら理解を助けるための例示であり、本発明を図示の態様に限定することを意図するものではない。 First, an outline of one embodiment will be described. Note that the reference numerals of the drawings attached to this summary are merely examples for facilitating understanding, and are not intended to limit the present invention to the illustrated embodiment.
 図1は、一実施形態に係る照合システムの構成を一例として示すブロック図である。図1を参照すると、照合システムは、クライアントに相当する第1のノード100と、認証ノードに相当する第2のノード200と、サーバに相当する第3のノード300とを備えている。第1のノード100は、暗号化部11、距離計算部22、および、照合用データ生成部23を有する。一方、第2のノードは、鍵生成部51および照合部54を有する。また、第3のノード300は、記憶部31および照合用情報生成部41を有する。 FIG. 1 is a block diagram illustrating an example of a configuration of a verification system according to an embodiment. Referring to FIG. 1, the verification system includes a first node 100 corresponding to a client, a second node 200 corresponding to an authentication node, and a third node 300 corresponding to a server. The first node 100 includes an encryption unit 11, a distance calculation unit 22, and a collation data generation unit 23. On the other hand, the second node includes a key generation unit 51 and a verification unit 54. The third node 300 includes a storage unit 31 and a collation information generation unit 41.
 第2のノード200の鍵生成部51は、公開鍵と秘密鍵の対を生成し、公開鍵を第1のノード100に送信する。第1のノード100の暗号化部11は、公開鍵により認証データを暗号化して第3のノード300に送信する。第3のノード300の記憶部31は、暗号化された認証データを保持する。 The key generation unit 51 of the second node 200 generates a public key / private key pair and transmits the public key to the first node 100. The encryption unit 11 of the first node 100 encrypts the authentication data with the public key and transmits it to the third node 300. The storage unit 31 of the third node 300 holds encrypted authentication data.
 第1のノードの距離計算部22は、認証データと照合される被認証データを受信すると、暗号化された認証データを第3のノード300から取得して、被認証データと認証データとの距離を公開鍵により暗号化したまま算出する。第3のノード300の照合用情報生成部41は、認証データと被認証データの距離の閾値をパラメータとして含む多項式を生成する。第1のノード100の照合用データ生成部23は、第3のノード300から取得した多項式に算出した距離を代入して公開鍵により暗号化した値を、照合用データとして生成して第2のノード200に送信する。第2のノード200の照合部54は、秘密鍵と照合用データに基づいて、被認証データを認証データと照合する。 When the distance calculation unit 22 of the first node receives the authentication target data to be verified with the authentication data, the distance calculation unit 22 acquires the encrypted authentication data from the third node 300, and the distance between the authentication target data and the authentication data. Is calculated with the public key encrypted. The verification information generation unit 41 of the third node 300 generates a polynomial including a threshold value of the distance between the authentication data and the data to be authenticated as a parameter. The verification data generation unit 23 of the first node 100 generates a value obtained by substituting the calculated distance into the polynomial acquired from the third node 300 and encrypted with the public key as verification data. Transmit to node 200. The collation unit 54 of the second node 200 collates the data to be authenticated with the authentication data based on the secret key and the collation data.
 ここで、暗号化部11は、加法準同型性を有する暗号化方式に基づいて暗号化を行うことが好ましい。一例として、暗号化部11は、Paillier暗号に基づいて暗号化を行ってもよい。 Here, the encryption unit 11 preferably performs encryption based on an encryption method having additive homomorphism. As an example, the encryption unit 11 may perform encryption based on Paillier encryption.
 照合用情報生成部41は、上記の多項式として、独立変数と認証データの距離が上記の閾値以内であるときにゼロとなる多項式を生成してもよい。 The collation information generating unit 41 may generate a polynomial that becomes zero when the distance between the independent variable and the authentication data is within the above threshold as the above polynomial.
 また、暗号化部11は、さらに、公開鍵により認証データの2乗を暗号化して第3のノード300に送信し、記憶部31は、さらに、暗号化された認証データの2乗を保持するようにしてもよい。このとき、距離計算部22は、暗号化された認証データおよび暗号化された認証データの2乗を第3のノード300から取得して、被認証データと認証データとの距離を公開鍵により暗号化したまま算出することが好ましい。 In addition, the encryption unit 11 further encrypts the square of the authentication data with the public key and transmits it to the third node 300, and the storage unit 31 further holds the square of the encrypted authentication data. You may do it. At this time, the distance calculation unit 22 obtains the encrypted authentication data and the square of the encrypted authentication data from the third node 300, and encrypts the distance between the data to be authenticated and the authentication data using the public key. It is preferable that the calculation is carried out with the change.
 さらに、認証データおよび被認証データは、n次元の要素を含んでいてもよい。このとき、距離計算部22は、被認証データと認証データとのn次元ユークリッド距離を、公開鍵により暗号化したまま算出することが好ましい。 Furthermore, the authentication data and the data to be authenticated may include an n-dimensional element. At this time, it is preferable that the distance calculation unit 22 calculates the n-dimensional Euclidean distance between the data to be authenticated and the authentication data while being encrypted with the public key.
 また、認証データおよび被認証データは、複数の要素を含んでいてもよい。このとき、距離計算部22は、各要素について上記の距離を暗号化したまま算出し、照合用情報生成部41は、各要素について多項式を生成し、照合用データ生成部23は、各要素について照合用データを生成し、照合部54は、秘密鍵と複数の要素について生成された照合用データとを用いて、被認証データを前記認証データと照合することが好ましい。 Further, the authentication data and the data to be authenticated may include a plurality of elements. At this time, the distance calculation unit 22 calculates the above-mentioned distance encrypted for each element, the collation information generation unit 41 generates a polynomial for each element, and the collation data generation unit 23 It is preferable that the verification data is generated, and the verification unit 54 uses the secret key and the verification data generated for a plurality of elements to verify the authentication data with the authentication data.
 非特許文献1に記載された技術によると、サーバに登録されているデータが平文のままであるため、サーバからデータが漏えいする可能性がある。また、サーバ管理者へのデータの秘匿が行えないという問題もある。 According to the technology described in Non-Patent Document 1, the data registered in the server remains in plain text, so there is a possibility of data leaking from the server. Another problem is that data cannot be kept confidential to the server administrator.
 上記一実施形態に係る照合システムによると、認証時にクライアント(第1のノード)からサーバ(第3のノード)に送付される被認証データのみならず、サーバ(第3のノード)のデータベース等に格納される認証データも秘匿強度の高い暗号方式を用いて暗号化される。したがって、かかる照合システムによると、非特許文献1に記載された技術における上記の問題が解消される。また、暗号化方式に凖同型性という特殊な性質を持たせることで、暗号化したままデータのユークリッド距離を計算することを可能とし、暗号データを復号することなく照合可能であることが保証される。さらに、登録時に生成するデータとして、認証データの2乗の暗号文を追加することにより、非特許文献1では不可能であった、暗号化されたデータ間の距離が計算可能となる。 According to the collation system according to the above embodiment, not only the data to be authenticated sent from the client (first node) to the server (third node) at the time of authentication but also the database of the server (third node), etc. The stored authentication data is also encrypted using an encryption method with high confidentiality. Therefore, according to such a collation system, the above-mentioned problem in the technique described in Non-Patent Document 1 is solved. Also, by giving the encryption method a special property of homomorphism, it is possible to calculate the Euclidean distance of the data while it is encrypted, and it is guaranteed that the encrypted data can be verified without being decrypted. The Furthermore, by adding a square ciphertext of authentication data as data generated at the time of registration, it becomes possible to calculate the distance between encrypted data, which was impossible in Non-Patent Document 1.
 以上のとおり、上記一実施形態に係る照合システムによると、第3のノード(サーバ)に保存された認証データの漏えいを防止することができ、サーバ管理者に悪意がある場合でも、認証データの平文の漏えいを防止することができる。その理由は、データ登録時に、第1のノード(クライアント)によって、サーバ管理者に復号されることのない暗号化鍵によって認証データが暗号化されるからである。 As described above, according to the collation system according to the embodiment, it is possible to prevent leakage of authentication data stored in the third node (server), and even if the server administrator is malicious, Plain text leakage can be prevented. The reason is that at the time of data registration, the authentication data is encrypted by the first node (client) with an encryption key that is not decrypted by the server administrator.
<実施形態1>
 次に、第1の実施形態に係る照合システムついて図面を参照して詳細に説明する。 <Embodiment 1>
Next, the collation system according to the first embodiment will be described in detail with reference to the drawings.
 図2は、本実施形態に係る照合システムの構成を一例として示すブロック図である。図2を参照すると、照合システムは、登録データ生成装置10、照合要求装置20、記憶装置30、データ照合装置40、および、照合補助装置50を備えている。 FIG. 2 is a block diagram showing an example of the configuration of the collation system according to this embodiment. Referring to FIG. 2, the collation system includes a registered data generation device 10, a collation request device 20, a storage device 30, a data collation device 40, and a collation auxiliary device 50.
 なお、図2は照合システムが5つのノードによって構成される場合を例示するが、本発明の照合システムは図示の態様に限定されない。一例として、登録データ生成装置10と照合要求装置20をまとめて第1のノード(クライアント)とし、照合補助装置50を第2のノード(認証ノード)とし、記憶装置30とデータ照合装置40をまとめて第3のノード(サーバ)としてもよい。 Note that FIG. 2 illustrates a case where the verification system is configured by five nodes, but the verification system of the present invention is not limited to the illustrated mode. As an example, the registered data generation device 10 and the verification requesting device 20 are collectively set as a first node (client), the verification auxiliary device 50 is set as a second node (authentication node), and the storage device 30 and the data verification device 40 are combined. The third node (server) may be used.
 登録データ生成装置10は、暗号化部11を有する。暗号化部11は、秘匿の対象となる認証データと、照合補助装置50が公開する暗号化鍵とを入力とし、認証データを暗号化鍵を用いて秘匿処理し、暗号データとして出力する。 The registered data generation device 10 has an encryption unit 11. The encryption unit 11 receives the authentication data to be concealed and the encryption key disclosed by the verification assisting device 50, conceals the authentication data using the encryption key, and outputs the encrypted data.
 ここで、照合補助装置50により公開される暗号化鍵は、加法凖同型公開鍵暗号の公開鍵である。 Here, the encryption key disclosed by the verification assistant device 50 is a public key of additive homomorphic public key encryption.
 記憶装置30は、記憶部31および識別子管理部32を有する。記憶部31は、登録データ生成装置10から送付された暗号データとともに、識別子管理部32により付与された固有の識別子を記憶する。 The storage device 30 includes a storage unit 31 and an identifier management unit 32. The storage unit 31 stores the unique identifier assigned by the identifier management unit 32 together with the encrypted data sent from the registered data generation device 10.
 照合要求装置20は、照合要求部21、距離計算部22、および、照合用データ生成部23を有する。照合要求部21は、認証データと照合すべき被認証データを入力として受け取ると、データ照合装置40へ照合要求を送付する。距離計算部22は、照合すべき被認証データと、データ照合装置40から受信した照合用情報を入力として、暗号化距離データを生成する。照合用データ生成部23は、暗号化距離データを入力として、照合補助装置50と対話しながら、照合用データを生成する。 The verification request device 20 includes a verification request unit 21, a distance calculation unit 22, and a verification data generation unit 23. When the verification request unit 21 receives authentication target data to be verified as input, the verification request unit 21 sends a verification request to the data verification device 40. The distance calculation unit 22 receives the authentication target data to be verified and the verification information received from the data verification device 40, and generates encrypted distance data. The verification data generation unit 23 receives the encrypted distance data as input and generates verification data while interacting with the verification auxiliary device 50.
 データ照合装置40は、照合用情報生成部41、照合用情報送付部42、照合補助要求部43、および、判定部44を有する。照合用情報生成部41は、記憶装置30に記憶されている暗号データを入力として、照合用情報を生成する。照合用情報送付部42は、照合要求装置20から送付された照合要求を入力として受け取り、照合用情報を送付する。照合補助要求部43は、照合要求装置20から送付された照合用データを入力として受け取り、照合補助要求を生成し、照合補助装置50へ送付する。判定部44は、照合補助装置50から受信した総合結果を入力として受け取り、照合結果を生成して出力する。 The data collating device 40 includes a collation information generating unit 41, a collation information sending unit 42, a collation auxiliary request unit 43, and a determination unit 44. The verification information generation unit 41 receives the encrypted data stored in the storage device 30 and generates verification information. The collation information sending unit 42 receives the collation request sent from the collation requesting device 20 as an input, and sends the collation information. The verification auxiliary request unit 43 receives the verification data sent from the verification requesting device 20 as an input, generates a verification auxiliary request, and sends it to the verification auxiliary device 50. The determination unit 44 receives the overall result received from the verification assisting device 50 as an input, and generates and outputs the verification result.
 照合補助装置50は、鍵生成部51、照合補助部52、および、総合結果補助部53を有する。鍵生成部51は、加法凖同型暗号の公開鍵および秘密鍵を生成し、公開鍵を公開し、秘密鍵を保持する。照合補助部52は、照合要求装置20の照合用データ生成部23と対話を行い、照合用データの生成を補助する。総合結果補助部53は、データ照合装置40から送付された照合補助要求と、加法凖同型暗号の秘密鍵を入力として受け取り、総合結果を生成する。 The collation assisting device 50 includes a key generation unit 51, a collation assisting unit 52, and an overall result assisting unit 53. The key generation unit 51 generates a public key and a secret key of additive homomorphic encryption, discloses the public key, and holds the secret key. The collation assisting unit 52 interacts with the collation data generating unit 23 of the collation requesting device 20 to assist the generation of collation data. The total result auxiliary unit 53 receives the verification auxiliary request sent from the data verification device 40 and the secret key of the additive homomorphic encryption as inputs, and generates a total result.
 次に、本実施形態に係る照合システム(図2)の動作を、図面を参照して詳細に説明する。 Next, the operation of the verification system (FIG. 2) according to this embodiment will be described in detail with reference to the drawings.
 照合システムの動作は、データ登録フェーズと暗号文照合フェーズの2つのフェーズに大別される。データ登録フェーズでは、登録データ生成装置10に認証データを入力し、認証データを暗号化し、記憶装置30に登録する。一方、暗号文照合フェーズでは、照合要求装置20に入力された被認証データを秘匿しながら、被認証データが、記憶装置30に記憶されている暗号データの平文と近い(ユークリッド距離の小さい)ものであるか否かを判定する。以下、各フェーズにおける動作に関して詳細に説明する。 The operation of the verification system is roughly divided into two phases: the data registration phase and the ciphertext verification phase. In the data registration phase, the authentication data is input to the registration data generation device 10, the authentication data is encrypted and registered in the storage device 30. On the other hand, in the ciphertext verification phase, the data to be authenticated is close to the plaintext of the encrypted data stored in the storage device 30 (the Euclidean distance is small) while concealing the data to be authenticated input to the verification requesting device 20 It is determined whether or not. Hereinafter, the operation in each phase will be described in detail.
[データ登録フェーズ]
 図3は、照合システムのデータ登録フェーズにおける動作を一例として示すシーケンス図である。 [Data registration phase]
FIG. 3 is a sequence diagram illustrating an operation in the data registration phase of the verification system as an example.
 図3を参照すると、照合補助装置50の鍵生成部51は、加法凖同型暗号の公開鍵および秘密鍵を生成し、公開鍵を公開する(ステップA1)。 Referring to FIG. 3, the key generation unit 51 of the verification assisting device 50 generates a public key and a secret key of additive homomorphic encryption, and publishes the public key (step A1).
 次に、登録データ生成装置10は、秘匿対象となる認証データと、公開鍵を受け取る(ステップA2)。 Next, the registration data generation device 10 receives authentication data to be concealed and a public key (step A2).
 次に、登録データ生成装置10の暗号化部11は、入力された認証データと、公開鍵とから、暗号データを生成し、記憶装置30に送付する(ステップA3)。 Next, the encryption unit 11 of the registration data generation device 10 generates encryption data from the input authentication data and the public key, and sends it to the storage device 30 (step A3).
 記憶装置30の識別子管理部32は、暗号データを受信すると、暗号データに対して固有の識別子を付与する(ステップA4)。また、識別子管理部32は、暗号データと識別子の組を記憶部31に記憶する(ステップA5)。 When the identifier management unit 32 of the storage device 30 receives the encrypted data, it assigns a unique identifier to the encrypted data (step A4). Further, the identifier management unit 32 stores the set of the encrypted data and the identifier in the storage unit 31 (Step A5).
[暗号文照合フェーズ]
 図4は、照合システムの暗号文照合フェーズにおける動作を一例として示すシーケンス図である。 [Ciphertext verification phase]
FIG. 4 is a sequence diagram illustrating an operation in the ciphertext verification phase of the verification system as an example.
 図4を参照すると、データ照合装置40の照合用情報生成部41は、記憶部31に記憶された暗号データと暗号データに対応する識別子およびパラメータを受け付け(ステップB1)、照合用情報を生成する(ステップB2)。 Referring to FIG. 4, the verification information generation unit 41 of the data verification device 40 receives the encrypted data stored in the storage unit 31 and the identifier and parameter corresponding to the encrypted data (step B1), and generates verification information. (Step B2).
 次に、照合要求装置20の照合要求部21は、被認証データと公開鍵を受け付ける(ステップB3)。 Next, the verification requesting unit 21 of the verification requesting device 20 receives the data to be authenticated and the public key (step B3).
 次に、照合要求装置20の照合要求部21は、被認証データと公開鍵を受け付けると、照合要求を生成し、データ照合装置40に出力する(ステップB4)。 Next, when the verification request unit 21 of the verification requesting device 20 receives the data to be authenticated and the public key, it generates a verification request and outputs it to the data verification device 40 (step B4).
 データ照合装置40の照合用情報送付部42は、照合要求を受信すると、照合要求装置20に照合用情報を出力する(ステップB5)。 When the verification information sending unit 42 of the data verification device 40 receives the verification request, it outputs the verification information to the verification request device 20 (step B5).
 照合要求装置20の距離計算部22は、照合用情報を受信すると、被認証データと暗号データの平文のユークリッド距離を暗号化したまま計算し、暗号化距離データを生成する(ステップB6)。 Upon receiving the verification information, the distance calculation unit 22 of the verification requesting device 20 calculates the plaintext Euclidean distance between the data to be authenticated and the encrypted data while encrypting it, and generates encrypted distance data (step B6).
 照合用データ生成部23は、暗号化距離データと照合用情報を入力とし、照合補助装置50の照合補助部52と対話しながら、照合用データを生成し、データ照合装置40に出力する(ステップB7)。 The verification data generation unit 23 receives the encrypted distance data and the verification information as input, generates verification data while interacting with the verification auxiliary unit 52 of the verification auxiliary device 50, and outputs the verification data to the data verification device 40 (step). B7).
 データ照合装置40の照合補助要求部43は、照合用データを受信すると、照合補助要求を生成し、照合補助装置50に出力する(ステップB8)。 The collation assistance request unit 43 of the data collation device 40 receives the collation data, generates a collation assistance request, and outputs it to the collation assistance device 50 (step B8).
 照合補助装置50の総合結果補助部53は、照合補助要求を受信すると、秘密鍵を入力として、総合結果を生成し、データ照合装置40へ出力する(ステップB9)。 When receiving the verification assistance request, the overall result auxiliary unit 53 of the verification auxiliary device 50 receives the secret key, generates an overall result, and outputs it to the data verification device 40 (step B9).
 データ照合装置40の判定部44は、総合結果を受信すると、判定を行い、判定結果を出力する(ステップB10)。 When the determination unit 44 of the data collating device 40 receives the comprehensive result, the determination unit 44 performs the determination and outputs the determination result (step B10).
 本実施形態に係る照合システムによると、認証時に登録データ生成装置10から記憶装置30に送付される被認証データのみならず、記憶装置30に格納される認証データも秘匿強度の高い暗号方式を用いて暗号化される。したがって、例えば、記憶装置30とデータ照合装置40によりサーバを構成した場合、本実施形態に係る照合システムによると、サーバから認証データが漏洩することを防ぐことが可能となる。 According to the collation system according to the present embodiment, not only the data to be authenticated sent from the registered data generation device 10 to the storage device 30 during authentication but also the authentication data stored in the storage device 30 uses an encryption method with high confidentiality. Encrypted. Therefore, for example, when the server is configured by the storage device 30 and the data collation device 40, according to the collation system according to the present embodiment, it is possible to prevent leakage of authentication data from the server.
<実施形態2>
 次に、第2の実施形態に係る照合システムについて、図面を参照して説明する。 <Embodiment 2>
Next, a verification system according to the second embodiment will be described with reference to the drawings.
 本実施形態では、第1の実施形態に係る照合システムにおいて、距離として1次元ユークリッド距離を用いる。すなわち、d(D,D’)=(D-D’)^{2}が閾値d以下である場合、マッチしたと判定し、dよりも大きい場合、マッチしなかったと判定する。また、本実施形態では、加法凖同型暗号(例えば、Paillier暗号など)を利用する。以下、各フェーズにおける動作に関して図3および図4を参照して詳細に説明する。 In this embodiment, a one-dimensional Euclidean distance is used as a distance in the collation system according to the first embodiment. That is, when d (D, D ′) = (D−D ′) ^ {2} is equal to or less than the threshold value d, it is determined that the match is satisfied, and when it is greater than d, it is determined that the match is not satisfied. In this embodiment, additive homomorphic encryption (for example, Paillier encryption) is used. Hereinafter, the operation in each phase will be described in detail with reference to FIG. 3 and FIG.
[データ登録フェーズ]
 図3を参照すると、照合補助装置50の鍵生成部51は、加法凖同型暗号の公開鍵pkおよび秘密鍵skを生成し、公開鍵pkを公開する(ステップA1)。 [Data registration phase]
Referring to FIG. 3, the key generation unit 51 of the verification assisting device 50 generates the public key pk and the secret key sk of the additive homomorphic encryption, and publishes the public key pk (Step A1).
 次に、登録データ生成装置10は、秘匿対象となる認証データDと、鍵生成部51により生成された公開鍵pkを受け付ける(ステップA2)。 Next, the registration data generation device 10 receives the authentication data D to be concealed and the public key pk generated by the key generation unit 51 (step A2).
 次に、登録データ生成装置10の暗号化部11は、入力された認証データDと公開鍵pkから、暗号データ(Enc(pk,D),Enc(pk,D^2))を生成し、記憶装置30に送付する(ステップA3)。ここで、Enc(pk,D)は、公開鍵pkを用いて認証データDを暗号化した結果を表す。同様に、Enc(pk,D^2)は、公開鍵pkを用いて認証データDの2乗を暗号化した結果を表す。 Next, the encryption unit 11 of the registration data generation device 10 generates encryption data (Enc (pk, D), Enc (pk, D ^ 2)) from the input authentication data D and public key pk, The data is sent to the storage device 30 (step A3). Here, Enc (pk, D) represents the result of encrypting the authentication data D using the public key pk. Similarly, Enc (pk, D ^ 2) represents the result of encrypting the square of the authentication data D using the public key pk.
 記憶装置30の識別子管理部32は、暗号データを受信すると、暗号データに対して固有の識別子IDを付与する(ステップA4)。また、識別子管理部32は、暗号データと識別子の組((Enc(pk,D),Enc(pk,D^2)),ID)を記憶部31に記録する(ステップA5)。 When the identifier management unit 32 of the storage device 30 receives the encrypted data, it assigns a unique identifier ID to the encrypted data (step A4). Further, the identifier management unit 32 records the set of encrypted data and the identifier ((Enc (pk, D), Enc (pk, D ^ 2)), ID) in the storage unit 31 (step A5).
[暗号文照合フェーズ]
 図4を参照すると、データ照合装置40の照合用情報生成部41は、記憶部31に記憶された暗号データと、暗号データに対応する識別子の組((Enc(pk,D),Enc(pk,D^2)),ID)を受け付け(ステップB1)、照合用情報を以下の手順で生成する(ステップB2)。 [Ciphertext verification phase]
Referring to FIG. 4, the collation information generating unit 41 of the data collating device 40 includes a set of encrypted data stored in the storage unit 31 and an identifier corresponding to the encrypted data ((Enc (pk, D), Enc (pk , D ^ 2)), ID) is received (step B1), and verification information is generated according to the following procedure (step B2).
1.x=0,1,…,dである場合F(x)=0、それ以外の場合F(x)≠0となる多項式F(x)をランダムに生成する。例えば、F(x)=x(x-1)(x-2)…(x-d)は上記の性質を満たすd+1次の多項式である。一般に、このような条件を満たすd+1次以上の多項式は容易に構成することができる。簡単のため、F(x)の係数をα[0]~α[N]とする。すなわち、F(x)=α[N]x^N+α[N-1]x^{N-1}+…+α[0]である。F(x)=x(x-1)(x-2)…(x-d)の場合、N=dとなる。 1. When x = 0, 1,..., d, a polynomial F (x) is randomly generated such that F (x) = 0, otherwise F (x) ≠ 0. For example, F (x) = x (x-1) (x-2)... (X-d) is a d + 1 order polynomial satisfying the above properties. In general, a polynomial of d + 1 order or higher satisfying such a condition can be easily constructed. For simplicity, the coefficient of F (x) is α [0] to α [N]. That is, F (x) = α [N] x ^ N + α [N-1] x ^ {N-1} + ... + α [0]. When F (x) = x (x-1) (x-2)... (X-d), N = d.
2.((Enc(pk,D),Enc(pk,D^2)),α[0]~α[N])を照合用情報とする。 2. ((Enc (pk, D), Enc (pk, D ^ 2)), α [0] to α [N]) is used as collation information.
 次に、照合要求装置20の照合要求部21は、被認証データD’と公開鍵pkを受け付ける(ステップB3)。 Next, the collation request unit 21 of the collation requesting device 20 receives the authenticated data D 'and the public key pk (step B3).
 次に、照合要求装置20の照合要求部21は、被認証データD’と公開鍵pkを受け付けると、照合要求reqを生成し、データ照合装置40に出力する(ステップB4)。照合要求reqは、照合を要求するメッセージである。 Next, when the verification request unit 21 of the verification requesting device 20 receives the authenticated data D 'and the public key pk, it generates a verification request req and outputs it to the data verification device 40 (step B4). The verification request req is a message for requesting verification.
 データ照合装置40の照合用情報送付部42は、照合要求を受信すると、照合要求装置20に照合用情報を出力する(ステップB5)。 When the verification information sending unit 42 of the data verification device 40 receives the verification request, it outputs the verification information to the verification request device 20 (step B5).
 照合要求装置20の距離計算部22は、照合用情報を受信すると、次のように、被認証データD’と暗号データの平文のユークリッド距離を暗号化したまま計算し、暗号化距離データを生成する(ステップB6)。 When the distance calculation unit 22 of the verification requesting device 20 receives the verification information, it calculates the encrypted Euclidean distance between the authenticated data D ′ and the encrypted data as encrypted as follows, and generates encrypted distance data: (Step B6).
1.Enc(pk,D’^2)を計算する。
2.Enc(pk,d(D,D’))=Enc(pk,D^2)・Enc(pk,D)^{-2D’}・Enc(pk,D’^2)を計算する。 1. Calculate Enc (pk, D '^ 2).
2. Enc (pk, d (D, D ')) = Enc (pk, D ^ 2) .Enc (pk, D) ^ {-2D'}. Enc (pk, D '^ 2) is calculated.
 照合用データ生成部23は、暗号化距離データと照合用情報を入力とし、次のように、照合補助装置50の照合補助部52と対話しながら、照合用データを生成し、データ照合装置40に出力する(ステップB7)。 The collation data generation unit 23 receives the encrypted distance data and the collation information as input, and generates collation data while interacting with the collation auxiliary unit 52 of the collation auxiliary device 50 as follows. (Step B7).
1.ランダムにrを選び、Enc(pk,r・d(D,D’))=Enc(pk,d(D,D’))^{r}を計算し、照合補助装置50に送付する。
2.照合補助装置50の照合補助部52は、秘密鍵skを用いてEnc(pk,r・d(D,D’))を復号し、r・d(D,D’)を計算する。
3.照合補助部52は、(r・d(D,D’))^{2}、…、(r・d(D,D’))^{N}を計算し、公開鍵pkを用いてそれぞれ暗号化し、Enc(pk,((r・d(D,D’))^{2}))、…、Enc(pk,((r・d(D,D’))^{N}))を計算し、照合要求装置20へ出力する。
4.照合用データ生成部23は、ステップ1で選んだrを用いて、Enc(pk,((r・d(D,D’))^{2}))^{1/r^2}、…、Enc(pk,((r・d(D,D’))^{N}))^{1/(r^{N})}を計算し、Enc(pk,((d(D,D’))^{2}))、…、Enc(pk,((d(D,D’))^{N}))を得る。
5.Enc(pk,F(d(D,D’)))=(Enc(pk,((d(D,D’))^{N}))^{α[N]}・(Enc(pk,((d(D,D’))^{N-1}))^{α[N-1]}・…・(Enc(pk,d(D,D’)))^{α[1]}・Enc(pk,α[0])を計算する。
6.ランダムにRを選び、Enc(pk,F(d(D,D’)))^{R}を計算し、データ照合装置40に出力する。 1. R is selected at random, and Enc (pk, r · d (D, D ′)) = Enc (pk, d (D, D ′)) ^ {r} is calculated and sent to the verification assisting device 50.
2. The verification assistant unit 52 of the verification assistant device 50 decrypts Enc (pk, r · d (D, D ′)) using the secret key sk and calculates r · d (D, D ′).
3. The verification assistant 52 calculates (r · d (D, D ')) ^ {2}, ..., (r · d (D, D')) ^ {N}, and uses the public key pk, respectively. Enc (pk, ((r ・ d (D, D ')) ^ {2})), ..., Enc (pk, ((r ・ d (D, D')) ^ {N})) Is output to the verification requesting device 20.
4). The matching data generation unit 23 uses the r selected in step 1 to enc (pk, ((r · d (D, D ')) ^ {2})) ^ {1 / r ^ 2},. , Enc (pk, ((r ・ d (D, D ')) ^ {N})) ^ {1 / (r ^ {N})} and calculate Enc (pk, ((d (D, D ')) ^ {2})), ..., Enc (pk, ((d (D, D')) ^ {N})).
5. Enc (pk, F (d (D, D '))) = (Enc (pk, ((d (D, D')) ^ {N})) ^ {α [N]} ・ (Enc (pk, ((d (D, D ')) ^ {N-1})) ^ {α [N-1]} ...… (Enc (pk, d (D, D'))) ^ {α [1] } ・ Enc (pk, α [0]) is calculated.
6). R is selected at random, and Enc (pk, F (d (D, D ′))) ^ {R} is calculated and output to the data verification device 40.
 ここで、ステップ6は、d(D,D’)<dの場合の出力をランダムにするために行われる。出力をランダムにする必要がない場合、ステップ6を省略してもよい。また、ステップ1は、d(D,D’)の値を照合補助装置50に秘匿するために行われる。秘匿する必要がない場合、ステップ1を省略してもよい。 Here, step 6 is performed in order to make the output random when d (D, D ′) <d. If the output need not be random, step 6 may be omitted. Step 1 is performed in order to keep the value of d (D, D ′) secret from the verification assisting device 50. If it is not necessary to keep secret, step 1 may be omitted.
 データ照合装置40の照合補助要求部43は、照合用データを受信すると、次のように、照合補助要求を生成し、照合補助装置50に出力する(ステップB8)。 The collation assistance request unit 43 of the data collation apparatus 40 receives the collation data, generates a collation assistance request as follows, and outputs it to the collation assistance apparatus 50 (step B8).
1.ランダムにsを選び、C=Enc(pk,F(d(D,D’)))^{R}・Enc(pk,s)を計算し、照合補助装置50に出力する。 1. S is selected at random, and C = Enc (pk, F (d (D, D ′))) ^ {R} · Enc (pk, s) is calculated and output to the verification auxiliary device 50.
 ここで、ステップ1は、Cの平文をランダムにすることにより、照合補助装置50に照合結果を知らせないために行われる。照合補助装置50に照合結果を知らせてもよい場合、ステップ1を省略してもよい。 Here, Step 1 is performed so as not to notify the verification result to the verification assistant device 50 by randomizing the plaintext of C. When the verification result may be notified to the verification auxiliary device 50, step 1 may be omitted.
 照合補助装置50の総合結果補助部53は、照合補助要求を受信すると、秘密鍵skを入力として、総合結果Pを次のように生成し、データ照合装置40へ出力する(ステップB9)。すなわち、総合結果補助部53は、秘密鍵skを用いて暗号文Cを復号し、復号結果を総合結果Pとして、データ照合装置40へ出力する。 When receiving the verification assistance request, the overall result auxiliary unit 53 of the verification auxiliary device 50 receives the secret key sk, generates the overall result P as follows, and outputs it to the data verification device 40 (step B9). That is, the overall result auxiliary unit 53 decrypts the ciphertext C using the secret key sk, and outputs the decrypted result to the data verification device 40 as the overall result P.
 データ照合装置40の判定部44は、総合結果Pを受信すると、次のように判定を行い、判定結果を出力する(ステップB10)。すなわち、判定部44は、P=sの場合、0≦d(D,D’)≦dであると判定し、それ以外の場合、d(D,D’)>dであると判定する。 When receiving the comprehensive result P, the determination unit 44 of the data collating device 40 performs the determination as follows and outputs the determination result (step B10). That is, the determination unit 44 determines that 0 ≦ d (D, D ′) ≦ d when P = s, and determines that d (D, D ′)> d otherwise.
 本実施形態では、記憶装置30に登録されているデータは暗号データである。また、照合フェーズにおいて照合要求装置20から送付されるデータはいずれも暗号文である。したがって、記憶装置30、データ照合装置40に対して、登録された認証データDおよび被認証データD’に関する情報は一切洩れない。 In this embodiment, the data registered in the storage device 30 is encrypted data. All data sent from the verification requesting device 20 in the verification phase is a ciphertext. Therefore, the information regarding the registered authentication data D and the authenticated data D ′ is not leaked to the storage device 30 and the data verification device 40.
 さらに、照合補助装置50に対しても、照合要求装置20およびデータ照合装置40が乱数を用いることにより、登録された認証データDおよび被認証データD’に関する情報を一切漏らさない。 Furthermore, the verification requesting device 20 and the data verification device 40 also use the random numbers for the verification assisting device 50 so that no information regarding the registered authentication data D and authenticated data D ′ is leaked.
<実施形態3>
 次に、第3の実施形態に係る照合システムについて説明する。 <Embodiment 3>
Next, a verification system according to the third embodiment will be described.
 本実施形態では、第1の実施形態に係る照合システムにおいて、距離として2次元ユークリッド距離を用いる。すなわち、2つの2次元データD=(Dx,Dy)とD’=(D’x,D’y)の距離d(D,D’)=(Dx-D’x)^{2}+(Dy-D’y)^{2}が閾値d以下である場合、マッチしたと判定し、dよりも大きい場合、マッチしなかったと判定する。また、本実施形態では、加法凖同型暗号(例えば、Paillier暗号など)を利用する。以下、各フェーズにおける動作に関して詳細に説明する。 In the present embodiment, the two-dimensional Euclidean distance is used as the distance in the matching system according to the first embodiment. That is, the distance d (D, D ') = (Dx-D'x) ^ {2} + (2) between the two two-dimensional data D = (Dx, Dy) and D' = (D'x, D'y) Dy-D'y) ^ If {2} is less than or equal to the threshold d, it is determined that there is a match, and if it is greater than d, it is determined that there is no match. In this embodiment, additive homomorphic encryption (for example, Paillier encryption) is used. Hereinafter, the operation in each phase will be described in detail.
[データ登録フェーズ]
 距離として1次元ユークリッド距離を用いる第2の実施形態に係る照合システムのデータ登録フェーズのステップA3において、暗号データ(Enc(pk,D),Enc(pk,D^2))を暗号データ(Enc(pk,Dx),Enc(pk,Dx^2),Enc(pk,Dy),Enc(pk,Dy^2))に置き換える。 [Data registration phase]
In step A3 of the data registration phase of the collation system according to the second embodiment using the one-dimensional Euclidean distance as the distance, the encrypted data (Enc (pk, D), Enc (pk, D ^ 2)) is converted into the encrypted data (Enc Replace with (pk, Dx), Enc (pk, Dx ^ 2), Enc (pk, Dy), Enc (pk, Dy ^ 2)).
[暗号文照合フェーズ]
 距離として1次元ユークリッド距離を用いる第2の実施形態に係る照合システムの暗号文照合フェーズにおいて、ステップB6を以下のように変更する。 [Ciphertext verification phase]
In the ciphertext verification phase of the verification system according to the second embodiment using the one-dimensional Euclidean distance as the distance, step B6 is changed as follows.
1.Enc(pk,D’x^2),Enc(pk,D’y^2)を計算する。
2.Enc(pk,d(D,D’))=Enc(pk,Dx^2)・Enc(pk,Dx)^{-2D’x}・Enc(pk,D’x^2)・Enc(pk,Dy^2)・Enc(pk,Dy)^{-2D’y}・Enc(pk,D’y^2)を計算する。 1. Calculate Enc (pk, D'x ^ 2), Enc (pk, D'y ^ 2).
2. Enc (pk, d (D, D ')) = Enc (pk, Dx ^ 2), Enc (pk, Dx) ^ {-2D'x}, Enc (pk, D'x ^ 2), Enc (pk , Dy ^ 2) · Enc (pk, Dy) ^ {-2D'y} · Enc (pk, D'y ^ 2).
 本実施形態では、第2の実施形態と同様に、記憶装置30に登録されている認証データは暗号データである。また、照合フェーズにおいて照合要求装置20から送付されるデータはいずれも暗号文である。したがって、記憶装置30、データ照合装置40に対して、登録された認証データDおよび被認証データD’に関する情報は一切洩れない。 In this embodiment, as in the second embodiment, the authentication data registered in the storage device 30 is encrypted data. All data sent from the verification requesting device 20 in the verification phase is a ciphertext. Therefore, the information regarding the registered authentication data D and the authenticated data D ′ is not leaked to the storage device 30 and the data verification device 40.
 さらに、照合補助装置50に対しても、照合要求装置20およびデータ照合装置40が乱数を用いることにより、登録された認証データDおよび被認証データD’に関する情報を一切漏らさない。 Furthermore, the verification requesting device 20 and the data verification device 40 also use the random numbers for the verification assisting device 50 so that no information regarding the registered authentication data D and authenticated data D ′ is leaked.
<実施形態4>
 次に、第4の実施形態に係る照合システムについて、図面を参照して説明する。 <Embodiment 4>
Next, a verification system according to a fourth embodiment will be described with reference to the drawings.
 本実施形態では、第1の実施形態に係る照合システムにおいて、2つ以上の複数要素を持つデータの照合を行う。ここでは、一例として、各データが2つの要素を持ち、一方は1次元ユークリッド距離、もう一方を2次元ユークリッド距離を指標として照合を行う場合について説明する。すなわち、2つのデータD=(t,(x,y))、D’=(t’,(x’,y’))としたとき、d(t,t’)≦d_{t}、かつ、d((x,y),(x’,y’))≦d_{e}である場合、マッチしたと判定し、それ以外の場合、マッチしなかったと判定する。また、本実施形態では、加法凖同型暗号(例えば、Paillier暗号など)を利用する。以下、各フェーズにおける動作に関して詳細に説明する。 In this embodiment, data having two or more elements is collated in the collation system according to the first embodiment. Here, as an example, a case will be described in which each data has two elements and one is collated using one-dimensional Euclidean distance as an index and the other as a two-dimensional Euclidean distance as an index. That is, when two data D = (t, (x, y)), D ′ = (t ′, (x ′, y ′)), d (t, t ′) ≦ d_ {t}, and , D ((x, y), (x ′, y ′)) ≦ d_ {e}, it is determined that there is a match, otherwise it is determined that there is no match. In this embodiment, additive homomorphic encryption (for example, Paillier encryption) is used. Hereinafter, the operation in each phase will be described in detail.
[データ登録フェーズ]
 図3を参照すると、照合補助装置50の鍵生成部51は、加法凖同型暗号の公開鍵pkおよび秘密鍵skを生成し、公開鍵pkを公開する(ステップA1)。 [Data registration phase]
Referring to FIG. 3, the key generation unit 51 of the verification assisting device 50 generates the public key pk and the secret key sk of the additive homomorphic encryption, and publishes the public key pk (Step A1).
 次に、登録データ生成装置10は、秘匿対象となる認証データDと、鍵生成部51により生成された公開鍵pkを受け付ける(ステップA2)。 Next, the registration data generation device 10 receives the authentication data D to be concealed and the public key pk generated by the key generation unit 51 (step A2).
 次に、登録データ生成装置10の暗号化部11は、入力された認証データDと公開鍵pkから、暗号データ
(Enc(pk,t),Enc(pk,t^2)),(Enc(pk,x),Enc(pk,x^2)),(Enc(pk,y),Enc(pk,y^2))
を生成し、記憶装置30に送付する(ステップA3)。 Next, the encryption unit 11 of the registration data generation device 10 uses the input authentication data D and public key pk to generate encrypted data.
(Enc (pk, t), Enc (pk, t ^ 2)), (Enc (pk, x), Enc (pk, x ^ 2)), (Enc (pk, y), Enc (pk, y ^ 2))
Is sent to the storage device 30 (step A3).
 ここで、Enc(pk,a)は公開鍵pkを用いてデータaを暗号化した結果を表す。同様に、Enc(pk,a^2)は公開鍵pkを用いてデータaの2乗を暗号化した結果を表す。 Here, Enc (pk, a) represents the result of encrypting data a using the public key pk. Similarly, Enc (pk, a ^ 2) represents the result of encrypting the square of data a using the public key pk.
 記憶装置30の識別子管理部32は、暗号データを受信すると、暗号データに対して固有の識別子IDを付与する(ステップA4)。また、識別子管理部32は、暗号データと識別子の組
((Enc(pk,t),Enc(pk,t^2)),(Enc(pk,x),Enc(pk,x^2)),(Enc(pk,y),Enc(pk,y^2)),ID)
を記憶部31に記録する(ステップA5)。 When receiving the encrypted data, the identifier management unit 32 of the storage device 30 gives a unique identifier ID to the encrypted data (step A4). In addition, the identifier management unit 32 is a combination of encrypted data and an identifier.
((Enc (pk, t), Enc (pk, t ^ 2)), (Enc (pk, x), Enc (pk, x ^ 2)), (Enc (pk, y), Enc (pk, y ^ 2)), ID)
Is stored in the storage unit 31 (step A5).
[暗号文照合フェーズ]
 図4を参照すると、データ照合装置40の照合用情報生成部41は、記憶部31に記憶された暗号データと、暗号データに対応する識別子の組
((Enc(pk,t),Enc(pk,t^2)),(Enc(pk,x),Enc(pk,x^2)),(Enc(pk,y),Enc(pk,y^2)),ID)
を入力とし(ステップB1)、照合用情報を次の手順で生成する(ステップB2)。 [Ciphertext verification phase]
Referring to FIG. 4, the verification information generation unit 41 of the data verification device 40 includes a set of encrypted data stored in the storage unit 31 and an identifier corresponding to the encrypted data.
((Enc (pk, t), Enc (pk, t ^ 2)), (Enc (pk, x), Enc (pk, x ^ 2)), (Enc (pk, y), Enc (pk, y ^ 2)), ID)
Is input (step B1), and verification information is generated by the following procedure (step B2).
1.x=0,1,…,d_tの場合F(x)=0、それ以外の場合F(x)≠0となる多項式F(x)をランダムに生成する。例えば、F(x)=x(x-1)(x-2)…(x-d_t)は上記の性質を満たすd_t+1次の多項式である。一般に、このような条件を満たすd_t+1次以上の多項式は容易に構成することができる。簡単のため、F(x)の係数をα[0]~α[N]とする。すなわち、F(x)=α[N]x^N+α[N-1]x^{N-1}+…+α[0]である。例えば、F(x)=x(x-1)(x-2)…(x-d_t)の場合、N=d_tとなる。
2.1.と同様にして、x=0,1,…,d_eの場合G(x)=0、それ以外の場合G(x)≠0となる多項式G(x)をランダムに生成する。簡単のため、G(x)の係数をβ[0]~β[N’]とする。すなわち、G(x)=β[N’]x^n+β[N’-1]x^{n-1}+…+β[0]である。例えば、G(x)=x(x-1)(x-2)…(x-d_e)の場合、N’=d_eとなる。
3.((Enc(pk,t),Enc(pk,t^2)),(Enc(pk,x),Enc(pk,x^2)),(Enc(pk,y),Enc(pk,y^2)),α[0]~α[N],β[0]~β[N’])を照合用情報とする。 1. When x = 0, 1,..., d_t, a polynomial F (x) is generated randomly such that F (x) = 0, otherwise F (x) ≠ 0. For example, F (x) = x (x-1) (x-2)... (X-d_t) is a d_t + 1 order polynomial satisfying the above property. In general, a polynomial of d_t + 1 order or higher that satisfies such a condition can be easily constructed. For simplicity, the coefficient of F (x) is α [0] to α [N]. That is, F (x) = α [N] x ^ N + α [N-1] x ^ {N-1} + ... + α [0]. For example, when F (x) = x (x-1) (x-2)... (X-d_t), N = d_t.
2.1. Similarly, a polynomial G (x) that satisfies G (x) = 0 in the case of x = 0, 1,..., D_e, and G (x) ≠ 0 in other cases is randomly generated. For simplicity, the coefficient of G (x) is β [0] to β [N ′]. That is, G (x) = β [N '] x ^ n + β [N'-1] x ^ {n-1} + ... + β [0]. For example, when G (x) = x (x-1) (x-2)... (X-d_e), N ′ = d_e.
3. ((Enc (pk, t), Enc (pk, t ^ 2)), (Enc (pk, x), Enc (pk, x ^ 2)), (Enc (pk, y), Enc (pk, y ^ 2)), α [0] to α [N], β [0] to β [N ']) are used as collation information.
 次に、照合要求装置20の照合要求部21は、入力データD’と公開鍵pkを受け付ける(ステップB3)。 Next, the collation request unit 21 of the collation requesting device 20 receives the input data D 'and the public key pk (step B3).
 次に、照合要求装置20の照合要求部21は、被認証データD’と公開鍵pkを受け付けると、照合要求reqを生成し、データ照合装置40に出力する(ステップB4)。照合要求reqは、照合を要求するメッセージである。 Next, when the verification request unit 21 of the verification requesting device 20 receives the authenticated data D 'and the public key pk, it generates a verification request req and outputs it to the data verification device 40 (step B4). The verification request req is a message for requesting verification.
 データ照合装置40の照合用情報送付部42は、照合要求を受信すると、照合要求装置20に照合用情報を出力する(ステップB5)。 When the verification information sending unit 42 of the data verification device 40 receives the verification request, it outputs the verification information to the verification request device 20 (step B5).
 照合要求装置20の距離計算部22は、照合用情報を受信すると、次のように、被認証データと暗号データの平文のユークリッド距離を暗号化したまま計算し、暗号化距離データを生成する(ステップB6)。 When the distance calculation unit 22 of the verification requesting device 20 receives the verification information, it calculates the encrypted Euclidean distance between the data to be authenticated and the encrypted data while encrypting them, and generates encrypted distance data ( Step B6).
1.Enc(pk,t’^2),Enc(pk,x’^2),Enc(pk,y’^2)を計算する。
2.Enc(pk,d(t,t’))=Enc(pk,t^2)・Enc(pk,t)^{-2t’}・Enc(pk,t’^2)を計算する。
3.Enc(pk,d((x,y),(x’,y’)))=Enc(pk,x^2)・Enc(pk,x)^{-2x’}・Enc(pk,x’^2)・Enc(pk,y^2)・Enc(pk,y)^{-2y’}・Enc(pk,y’^2)を計算する。 1. Calculate Enc (pk, t '^ 2), Enc (pk, x' ^ 2), Enc (pk, y '^ 2).
2. Enc (pk, d (t, t ′)) = Enc (pk, t ^ 2) · Enc (pk, t) ^ {− 2t ′} · Enc (pk, t ′ ^ 2) is calculated.
3. Enc (pk, d ((x, y), (x ', y'))) = Enc (pk, x ^ 2) ・ Enc (pk, x) ^ {-2x '} ・ Enc (pk, x' ^ 2) ・ Enc (pk, y ^ 2) ・ Enc (pk, y) ^ {-2y '} ・ Enc (pk, y' ^ 2) is calculated.
 照合用データ生成部23は、暗号化距離データと照合用情報を入力とし、次のように、照合補助装置50の照合補助部52と対話しながら、照合用データを生成し、データ照合装置40に出力する(ステップB7)。 The collation data generation unit 23 receives the encrypted distance data and the collation information as input, and generates collation data while interacting with the collation auxiliary unit 52 of the collation auxiliary device 50 as follows. (Step B7).
1.ランダムにr_tを選び、Enc(pk,r_t・d(t,t’))=Enc(pk,d(t,t’))^{r_t}を計算する。
2.ランダムにr_eを選び、
Enc(pk,r_e・d((x,y),(x’,y’)))=Enc(pk,d((x,y),(x’,y’)))^{r_e}
を計算し、1.で計算したEnc(pk,r_t・d(t,t’))とともに照合補助装置50に送付する。
3.照合補助装置50の照合補助部52は、秘密鍵skを用いてEnc(pk,r_t・d(t,t’))およびEnc(pk,r_e・d((x,y),(x’,y’)))を復号し、r_t・d(t,t’),r_e・d((x,y),(x’,y’))を計算する。
4.照合補助部52は、(r_t・d(t,t’))^{2}、…、(r_t・d(t,t’))^{N}、(r_e・d((x,y),(x’,y’)))^{2}、…、(r_e・d((x,y),(x’,y’)))^{N’}を計算し、公開鍵pkを用いてそれぞれ暗号化し、Enc(pk,(r_t・d(t,t’))^{2})、…、Enc(pk,(r_t・d(t,t’))^{N})、Enc(pk,(r_e・d((x,y),(x’,y’)))^{2})、…、Enc(pk,(r_e・d((x,y),(x’,y’)))^{N’})を計算し、照合要求装置20へ出力する。
5.照合用データ生成部23は、ステップ1、2で選んだr_t,r_eを用いて、Enc(pk,((r・Enc(pk,(r_t・d(t,t’))^{2})^{1/r_t^2}、…、Enc(pk,(r_t・d(t,t’))^{N})^{1/(r_t)^N}、Enc(pk,(r_e・d((x,y),(x’,y’)))^{2})^{1/r_e^2}、…、Enc(pk,(r_e・d((x,y),(x’,y’)))^{N’})^{1/(r_e)^{N}}を計算し、Enc(pk,((r・Enc(pk,(r_t・d(t,t’))^{2})、…、Enc(pk,(r_t・d(t,t’))^{N})、Enc(pk,(r_e・d((x,y),(x’,y’)))^{2})、…、Enc(pk,(r_e・d((x,y),(x’,y’)))^{N’})を得る。
6.Enc(pk,F(d(t,t’)))=(Enc(pk,((d(t,t’))^{N}))^{α[N]}・(Enc(pk,((d(t,t’))^{N-1}))^{α[N-1]}・…・(Enc(pk,d(t,t’)))^{α[1]}・Enc(pk,α[0]),Enc(pk,G(d((x,y),(x’,y’))))=(Enc(pk,((d((x,y),(x’,y’)))^{N’}))^{β[N’]}・(Enc(pk,((d((x,y),(x’,y’)))^{N’-1}))^{β[N’-1]}・…・(Enc(pk,d((x,y),(x’,y’))))^{β[1]}・Enc(pk,β[0])を計算する。
7.Enc(pk,d(D,D’))=Enc(pk,F(d(t,t’)))・Enc(pk,G(d((x,y),(x’,y’))))を計算する。
8.ランダムにRを選び、Enc(pk,F(d(D,D’)))^{R}を計算し、データ照合装置40に出力する。 1. R_t is selected at random, and Enc (pk, r_t · d (t, t ′)) = Enc (pk, d (t, t ′)) ^ {r_t} is calculated.
2. Choose r_e at random,
Enc (pk, r_e ・ d ((x, y), (x ', y'))) = Enc (pk, d ((x, y), (x ', y'))) ^ {r_e}
And is sent to the verification assistant device 50 together with Enc (pk, r_t · d (t, t ′)) calculated in 1.
3. The verification assistant unit 52 of the verification assistant device 50 uses the secret key sk to specify Enc (pk, r_t · d (t, t ′)) and Enc (pk, r_e · d ((x, y), (x ′, y ′))) is decoded and r_t · d (t, t ′) and r_e · d ((x, y), (x ′, y ′)) are calculated.
4). The collation assisting unit 52 has (r_t · d (t, t ')) ^ {2}, ..., (r_t · d (t, t')) ^ {N}, (r_e · d ((x, y) , (x ', y'))) ^ {2}, ..., (r_e · d ((x, y), (x ', y'))) ^ {N '} Enc (pk, (r_t · d (t, t ')) ^ {2}), ..., Enc (pk, (r_t · d (t, t')) ^ {N}), Enc (pk, (r_e ・ d ((x, y), (x ', y'))) ^ {2}), ..., Enc (pk, (r_e ・ d ((x, y), (x ' , y ′))) ^ {N ′}) is calculated and output to the verification requesting device 20.
5. The verification data generation unit 23 uses En_ (pk, ((r · Enc (pk, (r_t · d (t, t ')) ^ {2}) using r_t and r_e selected in steps 1 and 2. ^ {1 / r_t ^ 2}, ..., Enc (pk, (r_t ・ d (t, t ')) ^ {N}) ^ {1 / (r_t) ^ N}, Enc (pk, (r_e ・ d ((x, y), (x ', y'))) ^ {2}) ^ {1 / r_e ^ 2}, ..., Enc (pk, (r_e ・ d ((x, y), (x ' , y '))) ^ {N'}) ^ {1 / (r_e) ^ {N}} and calculate Enc (pk, ((r ・ Enc (pk, (r_t ・ d (t, t ') ) ^ {2}), ..., Enc (pk, (r_t ・ d (t, t ')) ^ {N}), Enc (pk, (r_e ・ d ((x, y), (x', y '))) ^ {2}), ... Enc (pk, (r_e · d ((x, y), (x', y '))) ^ {N'}).
6). Enc (pk, F (d (t, t '))) = (Enc (pk, ((d (t, t')) ^ {N})) ^ {α [N]} ・ (Enc (pk, ((d (t, t ')) ^ {N-1})) ^ {α [N-1]} ...… (Enc (pk, d (t, t'))) ^ {α [1] } ・ Enc (pk, α [0]), Enc (pk, G (d ((x, y), (x ', y'))))) = (Enc (pk, ((d ((x, y ), (x ', y'))) ^ {N '})) ^ {β [N']} ・ (Enc (pk, ((d ((x, y), (x ', y'))) ) ^ {N'-1})) ^ {β [N'-1]} ...… (Enc (pk, d ((x, y), (x ', y')))) ^ {β [ 1]} ・ Enc (pk, β [0]) is calculated.
7). Enc (pk, d (D, D ')) = Enc (pk, F (d (t, t'))) ・ Enc (pk, G (d ((x, y), (x ', y')) ))) Is calculated.
8). R is selected at random, and Enc (pk, F (d (D, D ′))) ^ {R} is calculated and output to the data verification device 40.
 ここで、ステップ8は、d(D,D’)<dの場合の出力をランダムにするために行われる。出力をランダムにする必要がない場合、ステップ8を省略してもよい。また、ステップ1、2は、d(D,D’)の値を照合補助装置50に秘匿するために行われる。秘匿する必要がない場合、ステップ1、2を省略してもよい。 Here, step 8 is performed in order to randomize the output when d (D, D ′) <d. If the output need not be random, step 8 may be omitted. Steps 1 and 2 are performed to conceal the value of d (D, D ′) from the verification assisting device 50. If it is not necessary to keep secret, steps 1 and 2 may be omitted.
 データ照合装置40の照合補助要求部43は、照合用データを受信すると、次のように、照合補助要求を生成し、照合補助装置50に出力する(ステップB8)。
1.ランダムにsを選び、C=Enc(pk,F(d(D,D’)))^{R}・Enc(pk,s)を計算し、照合補助装置50に出力する。 When receiving the verification data, the verification auxiliary request unit 43 of the data verification device 40 generates a verification auxiliary request as follows and outputs it to the verification auxiliary device 50 (step B8).
1. S is selected at random, C = Enc (pk, F (d (D, D ′))) ^ {R} · Enc (pk, s) is calculated and output to the verification assisting device 50.
 ここで、ステップ1は、Cの平文をランダムにすることにより、照合補助装置50に照合結果を知らせないために行われる。照合補助装置50に照合結果を知らせてもよい場合、ステップ1を省略してもよい。 Here, Step 1 is performed so as not to notify the verification result to the verification assistant device 50 by randomizing the plaintext of C. When the verification result may be notified to the verification auxiliary device 50, step 1 may be omitted.
 照合補助装置50の総合結果補助部53は、照合補助要求を受信すると、秘密鍵skを入力として、次のように総合結果Pを生成し、データ照合装置40へ出力する(ステップB9)。すなわち、総合結果補助部53は、秘密鍵skを用いて暗号文Cを復号し、復号結果を総合結果Pとしてデータ照合装置40へ出力する。 When receiving the verification assistance request, the overall result auxiliary unit 53 of the verification auxiliary device 50 receives the secret key sk, generates the overall result P as follows, and outputs it to the data verification device 40 (step B9). That is, the overall result auxiliary unit 53 decrypts the ciphertext C using the secret key sk, and outputs the decrypted result to the data collating device 40 as the overall result P.
 データ照合装置40の判定部44は、総合結果Pを受信すると、次のように判定して、判定結果を出力する(ステップB10)。すなわち、判定部44は、P=sの場合、認証データDと被認証データD’がマッチしたと判定し、それ以外の場合、認証データDと被認証データD’はマッチしないと判定する。 When receiving the comprehensive result P, the determination unit 44 of the data verification device 40 determines as follows and outputs the determination result (step B10). That is, the determination unit 44 determines that the authentication data D and the authenticated data D ′ match when P = s, and determines that the authentication data D and the authenticated data D ′ do not match otherwise.
 本実施形態では、記憶装置30に登録されているデータは暗号データである。また、照合フェーズにおいて照合要求装置20から送付されるデータはいずれも暗号文である。したがって、記憶装置30、データ照合装置40に対して、登録された認証データDおよび被認証データD’に関する情報は一切洩れない。 In this embodiment, the data registered in the storage device 30 is encrypted data. All data sent from the verification requesting device 20 in the verification phase is a ciphertext. Therefore, the information regarding the registered authentication data D and the authenticated data D ′ is not leaked to the storage device 30 and the data verification device 40.
 さらに、照合補助装置50に対しても、照合要求装置20およびデータ照合装置40が乱数を用いることにより、登録された認証データDおよび被認証データD’に関する情報を一切漏らさない。 Furthermore, the verification requesting device 20 and the data verification device 40 also use the random numbers for the verification assisting device 50 so that no information regarding the registered authentication data D and authenticated data D ′ is leaked.
 本実施形態では、データが2要素から構成され、それぞれ1次元ユークリッド距離、2次元ユークリッド距離を指標として照合を行う場合を説明したが、データが3要素以上から構成される場合にも容易に適用可能である。また、指標とするユークリッド距離が3次元以上の場合にも容易に適用可能である。 In the present embodiment, the case has been described in which data is composed of two elements, and collation is performed using each of the one-dimensional Euclidean distance and the two-dimensional Euclidean distance as an index. However, the present invention can be easily applied to a case where data is composed of three or more elements. Is possible. Further, the present invention can be easily applied when the Euclidean distance as an index is three-dimensional or more.
 上記実施形態に係る認証システムは、一例として、タイプと2次元座標と角度を要素とするマニューシャを用いた生体認証に対して適用することができる。具体的には、データ登録フェーズにおける入力データと、暗号文照合フェーズにおける入力データを、指紋や静脈などから取得した生体情報(マニューシャ)とする。これにより、生体情報を秘匿したまま、記憶装置に格納された暗号化された生体データと、照合要求装置から創出された暗号化された生体データが同一人物から採取されたものであるか否かを、2つの入力データのユークリッド距離が一定数以下となるかどうかにより判定することが可能となる。特に、生体情報は、常に安定して同一のデータが取得できるわけではないことが知られている。一方、同一人物から取得されるデータは類似している(各要素のユークリッド距離が小さいデータが取得できる)と仮定することができる。したがって、本発明に係る照合システムは、生体認証に対して好適に適用し得る。 As an example, the authentication system according to the above embodiment can be applied to biometric authentication using a minutiae whose elements are a type, a two-dimensional coordinate, and an angle. Specifically, the input data in the data registration phase and the input data in the ciphertext collation phase are biometric information (maneuver) acquired from a fingerprint or a vein. Whether or not the encrypted biometric data stored in the storage device and the encrypted biometric data created from the verification requesting device are collected from the same person while keeping the biometric information secret Can be determined based on whether the Euclidean distance between the two input data is equal to or less than a certain number. In particular, it is known that biometric information cannot always stably acquire the same data. On the other hand, it can be assumed that data acquired from the same person is similar (data with a small Euclidean distance of each element can be acquired). Therefore, the verification system according to the present invention can be suitably applied to biometric authentication.
 なお、上記の特許文献および非特許文献の全開示内容は、本書に引用をもって繰り込み記載されているものとする。本発明の全開示(請求の範囲を含む)の枠内において、さらにその基本的技術思想に基づいて、実施形態の変更・調整が可能である。また、本発明の全開示の枠内において種々の開示要素(各請求項の各要素、各実施形態の各要素、各図面の各要素などを含む)の多様な組み合わせ、ないし、選択が可能である。すなわち、本発明は、請求の範囲を含む全開示、技術的思想にしたがって当業者であればなし得るであろう各種変形、修正を含むことは勿論である。特に、本書に記載した数値範囲については、当該範囲内に含まれる任意の数値ないし小範囲が、別段の記載のない場合でも具体的に記載されているものと解釈されるべきである。 It should be noted that the entire disclosure contents of the above patent documents and non-patent documents are incorporated herein by reference. Within the scope of the entire disclosure (including claims) of the present invention, the embodiment can be changed and adjusted based on the basic technical concept. Further, various combinations or selections of various disclosed elements (including each element of each claim, each element of each embodiment, each element of each drawing, etc.) are possible within the scope of the entire disclosure of the present invention. is there. That is, the present invention of course includes various variations and modifications that could be made by those skilled in the art according to the entire disclosure including the claims and the technical idea. In particular, with respect to the numerical ranges described in this document, any numerical value or small range included in the range should be construed as being specifically described even if there is no specific description.
 なお、本発明において、下記の形態が可能である。
[形態1]
 上記第1の視点に係る照合システムのとおりである。
[形態2]
 前記暗号化部は、加法準同型性を有する暗号化方式に基づいて暗号化を行う、形態1に記載の照合システム。
[形態3]
 前記暗号化部は、Paillier暗号に基づいて暗号化を行う、形態2に記載の照合システム。
[形態4]
 前記照合用情報生成部は、前記多項式として、独立変数と前記認証データの距離が前記閾値以内であるときにゼロとなる多項式を生成する、形態1ないし3のいずれか一に記載の照合システム。
[形態5]
 前記暗号化部は、さらに、前記公開鍵により前記認証データの2乗を暗号化して前記第3のノードに送信し、
 前記記憶部は、さらに、暗号化された前記認証データの2乗を保持し、
 前記距離計算部は、暗号化された前記認証データおよび暗号化された前記認証データの2乗を前記第3のノードから取得して、前記被認証データと前記認証データとの距離を前記公開鍵により暗号化したまま算出する、形態2ないし4のいずれか一に記載の照合システム。
[形態6]
 前記認証データおよび前記被認証データは、n次元の要素を含み、
 前記距離計算部は、前記被認証データと前記認証データとのn次元ユークリッド距離を、前記公開鍵により暗号化したまま算出する、形態5に記載の照合システム。
[形態7]
 前記認証データおよび前記被認証データは、複数の要素を含み、
 前記距離計算部は、各要素について前記距離を暗号化したまま算出し、
 前記照合用情報生成部は、各要素について前記多項式を生成し、
 前記照合用データ生成部は、各要素について前記照合用データを生成し、
 前記照合部は、前記秘密鍵と前記複数の要素について生成された照合用データとを用いて、前記被認証データを前記認証データと照合する、形態1ないし6のいずれか一に記載の照合システム。
[形態8]
 上記第2の視点に係るノードのとおりである。
[形態9]
 前記暗号化部は、加法準同型性を有する暗号化方式に基づいて暗号化を行う、形態8に記載のノード。
[形態10]
 前記暗号化部は、Paillier暗号に基づいて暗号化を行う、形態9に記載のノード。
[形態11]
 前記多項式は、独立変数と前記認証データの距離が前記閾値以内であるときにゼロとなる多項式である、形態8ないし10のいずれか一に記載のノード。
[形態12]
 前記暗号化部は、さらに、前記公開鍵により前記認証データの2乗を暗号化して前記第2のノードに送信し、
 前記距離計算部は、暗号化された前記認証データおよび暗号化された前記認証データの2乗を前記第3のノードから取得して、前記被認証データと前記認証データとの距離を前記公開鍵により暗号化したまま算出する、形態9ないし11のいずれか一に記載のノード。
[形態13]
 前記認証データおよび前記被認証データは、n次元の要素を含み、
 前記距離計算部は、前記被認証データと前記認証データとのn次元ユークリッド距離を、前記公開鍵により暗号化したまま算出する、形態12に記載のノード。
[形態14]
 前記認証データおよび前記被認証データは、複数の要素を含み、
 前記距離計算部は、各要素について前記距離を暗号化したまま算出し、
 前記照合用データ生成部は、各要素について生成された前記多項式を用いて、各要素について前記照合用データを生成して前記第2のノードに送信する、形態8ないし13のいずれか一に記載のノード。
[形態15]
 第1のノード、第2のノードおよび第3のノードを備えた照合システムにおける照合方法であって、
 前記第2のノードが、公開鍵と秘密鍵の対を生成し、前記公開鍵を第1のノードに送信する工程と、
 前記第1のノードが、前記公開鍵により認証データを暗号化して前記第3のノードに送信する工程と、
 前記第3のノードが、暗号化された前記認証データを保持する工程と、
 前記第1のノードが、前記認証データと照合される被認証データを受信すると、暗号化された前記認証データを前記第3のノードから取得して、前記被認証データと前記認証データとの距離を前記公開鍵により暗号化したまま算出する工程と、
 前記第3のノードが、前記被認証データと前記認証データの距離の閾値をパラメータとして含む多項式を生成して前記第1のノードに送信する工程と、
 前記第1のノードが、前記多項式に前記距離を代入して前記公開鍵により暗号化した値を、照合用データとして生成して前記第2のノードに送信する工程と、
 前記第2のノードが、前記秘密鍵と前記照合用データに基づいて、前記被認証データを前記認証データと照合する工程と、を含む、照合方法。
[形態16]
 上記第3の視点に係る照合方法のとおりである。
[形態17]
 前記第1のノードは、加法準同型性を有する暗号化方式に基づいて暗号化を行う、形態16に記載の照合方法。
[形態18]
 前記第1のノードは、Paillier暗号に基づいて暗号化を行う、形態17に記載の照合方法。
[形態19]
 前記多項式は、独立変数と前記認証データの距離が前記閾値以内であるときにゼロとなる多項式である、形態16ないし18のいずれか一に記載の照合方法。
[形態20]
 前記第1のノードが、さらに、前記公開鍵により前記認証データの2乗を暗号化して前記第3のノードに送信する工程を含み、
 前記第1のノードは、暗号化された前記認証データおよび暗号化された前記認証データの2乗を前記第3のノードから取得して、前記被認証データと前記認証データとの距離を前記公開鍵により暗号化したまま算出する、形態17ないし19のいずれか一に記載の照合方法。
[形態21]
 前記認証データおよび前記被認証データは、n次元の要素を含み、
 前記第1のノードは、前記被認証データと前記認証データとのn次元ユークリッド距離を、前記公開鍵により暗号化したまま算出する、形態20に記載の照合方法。
[形態22]
 前記認証データおよび前記被認証データは、複数の要素を含み、
 前記第1のノードは、各要素について前記距離を暗号化したまま算出し、
 前記照合用データ生成部は、各要素について生成された前記多項式を用いて、各要素について前記照合用データを生成して前記第2のノードに送信する、形態16ないし21のいずれか一に記載の照合方法。
[形態23]
 上記第4の視点に係るプログラムのとおりである。
[形態24]
 加法準同型性を有する暗号化方式に基づいて暗号化する処理を、前記コンピュータに実行させる、形態23に記載のプログラム。
[形態25]
 Paillier暗号に基づいて暗号化する処理を、前記コンピュータに実行させる、形態24に記載のプログラム。
[形態26]
 前記多項式は、独立変数と前記認証データの距離が前記閾値以内であるときにゼロとなる多項式である、形態23ないし25のいずれか一に記載のプログラム。
[形態27]
 前記公開鍵により前記認証データの2乗を暗号化して前記第3のノードに送信する処理と、
 暗号化された前記認証データおよび暗号化された前記認証データの2乗を前記第3のノードから取得して、前記被認証データと前記認証データとの距離を前記公開鍵により暗号化したまま算出する処理と、を前記コンピュータに実行させる、形態24ないし26のいずれか一に記載のプログラム。
[形態28]
 前記認証データおよび前記被認証データは、n次元の要素を含み、
 前記被認証データと前記認証データとのn次元ユークリッド距離を、前記公開鍵により暗号化したまま算出する処理を、前記コンピュータに実行させる、形態27に記載のプログラム。
[形態29]
 前記認証データおよび前記被認証データは、複数の要素を含み、
 各要素について前記距離を暗号化したまま算出する処理と、
 前記照合用データ生成部は、各要素について生成された前記多項式を用いて、各要素について前記照合用データを生成して前記第2のノードに送信処理と、を前記コンピュータに実行させる、形態23ないし28のいずれか一に記載のプログラム。 In the present invention, the following modes are possible.
[Form 1]
It is as the collation system which concerns on the said 1st viewpoint.
[Form 2]
The collation system according to aspect 1, wherein the encryption unit performs encryption based on an encryption method having additive homomorphism.
[Form 3]
The collation system according to mode 2, wherein the encryption unit performs encryption based on Paillier encryption.
[Form 4]
The collation system according to any one of aspects 1 to 3, wherein the collation information generation unit generates a polynomial that becomes zero when the distance between the independent variable and the authentication data is within the threshold as the polynomial.
[Form 5]
The encryption unit further encrypts the square of the authentication data with the public key and transmits it to the third node,
The storage unit further holds the square of the encrypted authentication data,
The distance calculation unit acquires the encrypted authentication data and the square of the encrypted authentication data from the third node, and calculates the distance between the authentication target data and the authentication data as the public key. 5. The collation system according to any one of forms 2 to 4, wherein calculation is performed with encryption performed by the method.
[Form 6]
The authentication data and the data to be authenticated include an n-dimensional element,
The collation system according to mode 5, wherein the distance calculation unit calculates an n-dimensional Euclidean distance between the data to be authenticated and the authentication data while being encrypted with the public key.
[Form 7]
The authentication data and the data to be authenticated include a plurality of elements,
The distance calculation unit calculates the distance while encrypting each element,
The verification information generation unit generates the polynomial for each element,
The verification data generation unit generates the verification data for each element,
The verification system according to any one of modes 1 to 6, wherein the verification unit uses the secret key and verification data generated for the plurality of elements to verify the data to be authenticated with the authentication data. .
[Form 8]
As in the node according to the second viewpoint.
[Form 9]
The node according to mode 8, wherein the encryption unit performs encryption based on an encryption method having additive homomorphism.
[Mode 10]
The node according to mode 9, wherein the encryption unit performs encryption based on Paillier encryption.
[Form 11]
The node according to any one of forms 8 to 10, wherein the polynomial is a polynomial that becomes zero when the distance between the independent variable and the authentication data is within the threshold.
[Form 12]
The encryption unit further encrypts the square of the authentication data with the public key and transmits it to the second node,
The distance calculation unit acquires the encrypted authentication data and the square of the encrypted authentication data from the third node, and calculates the distance between the authentication target data and the authentication data as the public key. The node according to any one of forms 9 to 11, wherein the node is calculated while encrypted according to the above.
[Form 13]
The authentication data and the data to be authenticated include an n-dimensional element,
The node according to mode 12, wherein the distance calculation unit calculates an n-dimensional Euclidean distance between the data to be authenticated and the authentication data while being encrypted with the public key.
[Form 14]
The authentication data and the data to be authenticated include a plurality of elements,
The distance calculation unit calculates the distance while encrypting each element,
The collation data generation unit generates the collation data for each element using the polynomial generated for each element, and transmits the collation data to the second node. Nodes.
[Form 15]
A verification method in a verification system comprising a first node, a second node, and a third node, comprising:
The second node generates a public / private key pair and transmits the public key to the first node;
The first node encrypts authentication data with the public key and transmits it to the third node;
The third node holding the encrypted authentication data;
When the first node receives data to be authenticated that is collated with the authentication data, the encrypted authentication data is acquired from the third node, and the distance between the data to be authenticated and the authentication data Calculating with encryption using the public key;
The third node generates a polynomial including a threshold value of a distance between the data to be authenticated and the authentication data as a parameter and transmits the generated polynomial to the first node;
A step in which the first node substitutes the distance into the polynomial and encrypts a value encrypted with the public key as verification data and transmits the data to the second node;
The second node includes a step of comparing the authentication target data with the authentication data based on the secret key and the verification data.
[Form 16]
It is as the collation method which concerns on the said 3rd viewpoint.
[Form 17]
The collation method according to mode 16, wherein the first node performs encryption based on an encryption method having additive homomorphism.
[Form 18]
The collation method according to mode 17, wherein the first node performs encryption based on Paillier encryption.
[Form 19]
The collation method according to any one of modes 16 to 18, wherein the polynomial is a polynomial that becomes zero when the distance between the independent variable and the authentication data is within the threshold.
[Form 20]
The first node further includes encrypting the square of the authentication data with the public key and transmitting to the third node;
The first node acquires the encrypted authentication data and the square of the encrypted authentication data from the third node, and discloses the distance between the authentication target data and the authentication data. 20. The collation method according to any one of forms 17 to 19, wherein the calculation is performed while encrypted with a key.
[Form 21]
The authentication data and the data to be authenticated include an n-dimensional element,
The collation method according to mode 20, wherein the first node calculates an n-dimensional Euclidean distance between the data to be authenticated and the authentication data while being encrypted with the public key.
[Form 22]
The authentication data and the data to be authenticated include a plurality of elements,
The first node calculates the distance while encrypting each element,
The collation data generation unit generates the collation data for each element using the polynomial generated for each element, and transmits the collation data to the second node. Collation method.
[Form 23]
The program is related to the fourth viewpoint.
[Form 24]
The program according to mode 23, which causes the computer to execute processing for encryption based on an encryption method having additive homomorphism.
[Form 25]
The program according to mode 24, which causes the computer to execute processing for encryption based on Paillier encryption.
[Form 26]
The program according to any one of forms 23 to 25, wherein the polynomial is a polynomial that becomes zero when the distance between the independent variable and the authentication data is within the threshold.
[Form 27]
A process of encrypting the square of the authentication data with the public key and transmitting it to the third node;
Obtaining the encrypted authentication data and the square of the encrypted authentication data from the third node, and calculating the distance between the data to be authenticated and the authentication data encrypted with the public key The program according to any one of forms 24 to 26, which causes the computer to execute a process to perform.
[Form 28]
The authentication data and the data to be authenticated include an n-dimensional element,
The program according to aspect 27, causing the computer to execute a process of calculating an n-dimensional Euclidean distance between the authentication data and the authentication data while being encrypted with the public key.
[Form 29]
The authentication data and the data to be authenticated include a plurality of elements,
A process of calculating the distance for each element with encryption;
The collation data generation unit generates the collation data for each element using the polynomial generated for each element, and causes the second node to perform transmission processing on the computer. Thirty-eighth program.
10  登録データ生成装置
11  暗号化部
20  照合要求装置
21  照合要求部
22  距離計算部
23  照合用データ生成部
30  記憶装置
31  記憶部
32  識別子管理部
40  データ照合装置
41  照合用情報生成部
42  照合用情報送付部
43  照合補助要求部
44  判定部
50  照合補助装置
51  鍵生成部
52  照合補助部
53  総合結果補助部
54  照合部
100、200、300 ノード DESCRIPTION OF SYMBOLS 10 Registration data generation apparatus 11 Encryption part 20 Verification request apparatus 21 Verification request part 22 Distance calculation part 23 Verification data generation part 30 Storage device 31 Storage part 32 Identifier management part 40 Data verification apparatus 41 Verification information generation part 42 Verification Information sending unit 43 Collation assistance request unit 44 Judgment unit 50 Collation assistance device 51 Key generation unit 52 Collation assistance unit 53 Overall result assistance unit 54 Collation units 100, 200, 300 Nodes

Claims (10)

  1.  第1のノード、第2のノードおよび第3のノードを備え、
     前記第1のノードは、公開鍵により認証データを暗号化して前記第3のノードに送信する暗号化部と、
     前記認証データと照合される被認証データを受信すると、暗号化された前記認証データを前記第3のノードから取得して、前記被認証データと前記認証データとの距離を前記公開鍵により暗号化したまま算出する距離計算部と、
     前記第3のノードから取得した多項式に前記距離を代入して前記公開鍵により暗号化した値を、照合用データとして生成して前記第2のノードに送信する照合用データ生成部と、を有し、
     前記第2のノードは、前記公開鍵と秘密鍵の対を生成し、前記公開鍵を第1のノードに送信する鍵生成部と、
     前記秘密鍵と前記照合用データに基づいて、前記被認証データを前記認証データと照合する照合部と、を有し、
     前記第3のノードは、暗号化された前記認証データを保持する記憶部と、
     前記多項式として、前記認証データと前記被認証データの距離の閾値をパラメータとして含む多項式を生成する照合用情報生成部と、を有する、照合システム。     Comprising a first node, a second node and a third node;
    The first node encrypts authentication data with a public key and transmits the encrypted data to the third node;
    When the data to be authenticated that is collated with the authentication data is received, the encrypted authentication data is obtained from the third node, and the distance between the data to be authenticated and the authentication data is encrypted with the public key A distance calculation unit to calculate as is,
    A verification data generation unit that generates a value encrypted by the public key by substituting the distance into the polynomial acquired from the third node as verification data and transmits the verification data to the second node. And
    The second node generates a pair of the public key and the secret key, and transmits the public key to the first node;
    A collation unit that collates the data to be authenticated with the authentication data based on the secret key and the collation data;
    The third node includes a storage unit that stores the encrypted authentication data;
    A collation system comprising: a collation information generating unit that generates a polynomial that includes a threshold value of a distance between the authentication data and the data to be authenticated as a parameter as the polynomial.
  2.  前記暗号化部は、加法準同型性を有する暗号化方式に基づいて暗号化を行う、請求項1に記載の照合システム。 The verification system according to claim 1, wherein the encryption unit performs encryption based on an encryption method having additive homomorphism.
  3.  前記暗号化部は、Paillier暗号に基づいて暗号化を行う、請求項2に記載の照合システム。 The verification system according to claim 2, wherein the encryption unit performs encryption based on Paillier encryption.
  4.  前記照合用情報生成部は、前記多項式として、独立変数と前記認証データの距離が前記閾値以内であるときにゼロとなる多項式を生成する、請求項1ないし3のいずれか1項に記載の照合システム。 The collation according to any one of claims 1 to 3, wherein the collation information generation unit generates a polynomial that becomes zero when the distance between the independent variable and the authentication data is within the threshold as the polynomial. system.
  5.  前記暗号化部は、さらに、前記公開鍵により前記認証データの2乗を暗号化して前記第3のノードに送信し、
     前記記憶部は、さらに、暗号化された前記認証データの2乗を保持し、
     前記距離計算部は、暗号化された前記認証データおよび暗号化された前記認証データの2乗を前記第3のノードから取得して、前記被認証データと前記認証データとの距離を前記公開鍵により暗号化したまま算出する、請求項2ないし4のいずれか1項に記載の照合システム。     The encryption unit further encrypts the square of the authentication data with the public key and transmits it to the third node,
    The storage unit further holds the square of the encrypted authentication data,
    The distance calculation unit acquires the encrypted authentication data and the square of the encrypted authentication data from the third node, and calculates the distance between the authentication target data and the authentication data as the public key. The collation system according to any one of claims 2 to 4, wherein the collation system calculates the data while encrypting it.
  6.  前記認証データおよび前記被認証データは、n次元の要素を含み、
     前記距離計算部は、前記被認証データと前記認証データとのn次元ユークリッド距離を、前記公開鍵により暗号化したまま算出する、請求項5に記載の照合システム。     The authentication data and the data to be authenticated include an n-dimensional element,
    The collation system according to claim 5, wherein the distance calculation unit calculates an n-dimensional Euclidean distance between the data to be authenticated and the authentication data while being encrypted with the public key.
  7.  前記認証データおよび前記被認証データは、複数の要素を含み、
     前記距離計算部は、各要素について前記距離を暗号化したまま算出し、
     前記照合用情報生成部は、各要素について前記多項式を生成し、
     前記照合用データ生成部は、各要素について前記照合用データを生成し、
     前記照合部は、前記秘密鍵と前記複数の要素について生成された照合用データとを用いて、前記被認証データを前記認証データと照合する、請求項1ないし6のいずれか1項に記載の照合システム。     The authentication data and the data to be authenticated include a plurality of elements,
    The distance calculation unit calculates the distance while encrypting each element,
    The verification information generation unit generates the polynomial for each element,
    The verification data generation unit generates the verification data for each element,
    The said collation part collates the said to-be-authenticated data with the said authentication data using the said secret key and the data for collation produced | generated about the said some element, The any one of Claim 1 thru | or 6 Matching system.
  8.  公開鍵と秘密鍵の対を生成する第2のノードから受信した前記公開鍵により、認証データを暗号化して第3のノードに送信する暗号化部と、
     前記認証データと照合される被認証データを受信すると、暗号化された前記認証データを前記第3のノードから取得して、前記被認証データと前記認証データとの距離を前記公開鍵により暗号化したまま算出する距離計算部と、
     前記第3のノードから取得した多項式に前記距離を代入して前記公開鍵により暗号化した値を、照合用データとして生成して前記第2のノードに送信する照合用データ生成部と、を備え、
     前記多項式は、前記認証データと前記被認証データの距離の閾値をパラメータとして含む、ノード。     An encryption unit that encrypts authentication data with the public key received from the second node that generates a public key and private key pair, and transmits the encrypted authentication data to the third node;
    When the data to be authenticated that is collated with the authentication data is received, the encrypted authentication data is obtained from the third node, and the distance between the data to be authenticated and the authentication data is encrypted with the public key A distance calculation unit that calculates as is,
    A verification data generation unit that generates a value encrypted with the public key by substituting the distance into the polynomial acquired from the third node, and generates the verification data and transmits the verification data to the second node; ,
    The polynomial is a node including a threshold value of a distance between the authentication data and the authentication data as a parameter.
  9.  第1のノードが、公開鍵と秘密鍵の対を生成する第2のノードから受信した前記公開鍵により、認証データを暗号化して第3のノードに送信する工程と、
     前記認証データと照合される被認証データを受信すると、暗号化された前記認証データを前記第3のノードから取得して、前記被認証データと前記認証データとの距離を前記公開鍵により暗号化したまま算出する工程と、
     前記第3のノードから取得した多項式に前記距離を代入して前記公開鍵により暗号化した値を、照合用データとして生成して前記第2のノードに送信する工程と、を含み、
     前記多項式は、前記認証データと前記被認証データの距離の閾値をパラメータとして含む、照合方法。     A first node encrypting authentication data with the public key received from the second node that generates a public key and private key pair and transmitting the encrypted data to the third node;
    When the data to be authenticated that is collated with the authentication data is received, the encrypted authentication data is obtained from the third node, and the distance between the data to be authenticated and the authentication data is encrypted with the public key The process of calculating as it is,
    Including substituting the distance into the polynomial obtained from the third node and encrypting the encrypted value using the public key as verification data and transmitting the verification data to the second node.
    The matching method, wherein the polynomial includes a threshold value of a distance between the authentication data and the data to be authenticated as a parameter.
  10.  公開鍵と秘密鍵の対を生成する第2のノードから受信した前記公開鍵により、認証データを暗号化して第3のノードに送信する処理と、
     前記認証データと照合される被認証データを受信すると、暗号化された前記認証データを前記第3のノードから取得して、前記被認証データと前記認証データとの距離を前記公開鍵により暗号化したまま算出する処理と、
     前記第3のノードから取得した多項式に前記距離を代入して前記公開鍵により暗号化した値を、照合用データとして生成して前記第2のノードに送信する処理と、を第1のノードに設けられたコンピュータに実行させ、
     前記多項式は、前記認証データと前記被認証データの距離の閾値をパラメータとして含む、プログラム。     A process of encrypting authentication data with the public key received from the second node that generates a public key and private key pair and transmitting the encrypted authentication data to the third node;
    When the data to be authenticated that is collated with the authentication data is received, the encrypted authentication data is obtained from the third node, and the distance between the data to be authenticated and the authentication data is encrypted with the public key Processing while calculating
    A process of substituting the distance into the polynomial obtained from the third node and generating a value encrypted with the public key as verification data and transmitting it to the second node. Run it on the computer provided,
    The polynomial program includes a threshold value of a distance between the authentication data and the authentication target data as a parameter.
PCT/JP2014/062820 2013-05-15 2014-05-14 Verification system, node, verification method, and program WO2014185450A1 (en)

Priority Applications (2)

Application Number Priority Date Filing Date Title
US14/787,848 US9910478B2 (en) 2013-05-17 2014-05-14 Collation system, node, collation method, and computer readable medium
JP2015517108A JPWO2014185450A1 (en) 2013-05-15 2014-05-14 Verification system, node, verification method and program

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
JP2013-102955 2013-05-15
JP2013102955 2013-05-15

Publications (1)

Publication Number Publication Date
WO2014185450A1 true WO2014185450A1 (en) 2014-11-20

Family

ID=51898426

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/JP2014/062820 WO2014185450A1 (en) 2013-05-15 2014-05-14 Verification system, node, verification method, and program

Country Status (2)

Country Link
JP (1) JPWO2014185450A1 (en)
WO (1) WO2014185450A1 (en)

Cited By (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2016152130A1 (en) * 2015-03-23 2016-09-29 日本電気株式会社 Information processing system, node, authentication method and storage medium
JP2016224905A (en) * 2015-05-29 2016-12-28 パナソニック インテレクチュアル プロパティ コーポレーション オブ アメリカPanasonic Intellectual Property Corporation of America Similar information search method, server device, and similar information search system
EP3182640A1 (en) 2015-12-14 2017-06-21 Panasonic Intellectual Property Corporation of America Search method, search device, search system, and program
EP3349392A1 (en) 2017-01-16 2018-07-18 Panasonic Intellectual Property Corporation of America Information processing method and information processing system
US10778431B2 (en) 2016-01-18 2020-09-15 Mitsubishi Electric Corporation Encrypted text conversion device, computer readable medium, and encryption text conversion method
US10826680B2 (en) 2015-06-18 2020-11-03 Nec Corporation Collation system, collation method, and non-transitory recording medium
US11101975B2 (en) 2016-12-02 2021-08-24 Nec Corporation Ciphertext matching system and ciphertext matching method
US11451368B2 (en) 2016-06-02 2022-09-20 Nec Corporation Encrypted information matching device, encrypted information matching method, and recording medium having encrypted information matching program stored thereon

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JP2008521025A (en) * 2004-11-16 2008-06-19 コーニンクレッカ フィリップス エレクトロニクス エヌ ヴィ Secure calculation of similarity measures
US20090310779A1 (en) * 2006-07-20 2009-12-17 Privylink Pte Ltd Method for generating cryptographic key from biometric data
WO2011052056A1 (en) * 2009-10-29 2011-05-05 三菱電機株式会社 Data processing device
WO2012056582A1 (en) * 2010-10-29 2012-05-03 株式会社日立製作所 Information authentication method and information authentication system
JP2012169908A (en) * 2011-02-15 2012-09-06 Kddi Corp Authentication system, authentication method, and program

Patent Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JP2008521025A (en) * 2004-11-16 2008-06-19 コーニンクレッカ フィリップス エレクトロニクス エヌ ヴィ Secure calculation of similarity measures
US20090310779A1 (en) * 2006-07-20 2009-12-17 Privylink Pte Ltd Method for generating cryptographic key from biometric data
WO2011052056A1 (en) * 2009-10-29 2011-05-05 三菱電機株式会社 Data processing device
WO2012056582A1 (en) * 2010-10-29 2012-05-03 株式会社日立製作所 Information authentication method and information authentication system
JP2012169908A (en) * 2011-02-15 2012-09-06 Kddi Corp Authentication system, authentication method, and program

Cited By (10)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2016152130A1 (en) * 2015-03-23 2016-09-29 日本電気株式会社 Information processing system, node, authentication method and storage medium
JP2016224905A (en) * 2015-05-29 2016-12-28 パナソニック インテレクチュアル プロパティ コーポレーション オブ アメリカPanasonic Intellectual Property Corporation of America Similar information search method, server device, and similar information search system
US10826680B2 (en) 2015-06-18 2020-11-03 Nec Corporation Collation system, collation method, and non-transitory recording medium
EP3182640A1 (en) 2015-12-14 2017-06-21 Panasonic Intellectual Property Corporation of America Search method, search device, search system, and program
US10303893B2 (en) 2015-12-14 2019-05-28 Panasonic Intellectual Property Corporation Of America Search method, search device, search system, and program
US10778431B2 (en) 2016-01-18 2020-09-15 Mitsubishi Electric Corporation Encrypted text conversion device, computer readable medium, and encryption text conversion method
US11451368B2 (en) 2016-06-02 2022-09-20 Nec Corporation Encrypted information matching device, encrypted information matching method, and recording medium having encrypted information matching program stored thereon
US11101975B2 (en) 2016-12-02 2021-08-24 Nec Corporation Ciphertext matching system and ciphertext matching method
EP3349392A1 (en) 2017-01-16 2018-07-18 Panasonic Intellectual Property Corporation of America Information processing method and information processing system
US10649919B2 (en) 2017-01-16 2020-05-12 Panasonic Intellectual Property Corporation Of America Information processing method and information processing system

Also Published As

Publication number Publication date
JPWO2014185450A1 (en) 2017-02-23

Similar Documents

Publication Publication Date Title
Tanveer et al. RAMP-IoD: A robust authenticated key management protocol for the Internet of Drones
JP7127543B2 (en) Matching system, method, device and program
CN108352015B (en) Secure multi-party loss-resistant storage and encryption key transfer for blockchain based systems in conjunction with wallet management systems
WO2014185450A1 (en) Verification system, node, verification method, and program
WO2016203762A1 (en) Crypto-information creation device, crypto-information creation method, recording medium, and collation system
JP6229716B2 (en) Verification system, node, verification method and program
US9910478B2 (en) Collation system, node, collation method, and computer readable medium
JP6931247B2 (en) Ciphertext matching systems, methods, and programs
JP7259868B2 (en) system and client
Maitra et al. An enhanced multi‐server authentication protocol using password and smart‐card: cryptanalysis and design
JP6451938B2 (en) Ciphertext verification system, method, and program
JP6738061B2 (en) Ciphertext verification system, method, and recording medium
CN111786786A (en) Agent re-encryption method and system supporting equation judgment in cloud computing environment
JP6791263B2 (en) Ciphertext collation system and ciphertext collation method
WO2018174063A1 (en) Collating system, method, device, and program
JP7276423B2 (en) Cryptographic system, key generation device, key generation method, key generation program, and homomorphic arithmetic device
Altarawneh A strong combination of cryptographic techniques to secure cloud-hosted data
Buhari et al. Web applications login authentication scheme using hybrid cryptography with user anonymity
WO2017170780A1 (en) Cryptogram collation system, node device, cryptogram collation method, and program
CN110572256B (en) Anti-quantum computing asymmetric key management method and system based on asymmetric key pool and implicit certificate
KR102717212B1 (en) Secure, multi-agency, loss-proof storage and transfer of cryptographic keys for blockchain-based systems linked to wallet management systems
Divya et al. Security in data forwarding through elliptic curve cryptography in cloud
WO2016152130A1 (en) Information processing system, node, authentication method and storage medium

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 14798485

Country of ref document: EP

Kind code of ref document: A1

ENP Entry into the national phase

Ref document number: 2015517108

Country of ref document: JP

Kind code of ref document: A

WWE Wipo information: entry into national phase

Ref document number: 14787848

Country of ref document: US

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 14798485

Country of ref document: EP

Kind code of ref document: A1