WO2018174063A1 - Collating system, method, device, and program - Google Patents

Abstract

Provided is a system which, when collating binary vector information, has desired resistance to a hill-climbing attack by an attacker colluding with a decryptor of at least a three-party model. A collating system provided with: a collating device that, as the data for discriminating by a verification device whether or not the encrypted distance of a first and a second vector found by synthesizing the computed value of a binary first vector for registration that is encrypted with an encryption key extracted by a registration request device and the computed value of a binary second vector for collation that is encrypted with an encryption key extracted by a collation request device is less than or equal to a predetermined threshold value, finds data in which a value derived by subtracting a non-negative value less than or equal to the threshold value from the distance and having a random number operated thereon is encrypted with the encryption keys, and transmits the data, together with a hash value found from the random number, as a query to the verification device; and a verification device for decrypting the encrypted data with a decryption key and determining whether there is a set in which the hash value of the decrypted value and the hash value of the query are equal.

Description

Verification system, method, apparatus and program

(Description of related applications)
The present invention is based on the priority claim of Japanese Patent Application No. 2017-054406 (filed on Mar. 21, 2017), the entire contents of which are incorporated herein by reference. Shall.
The present invention relates to a verification system, method, apparatus, and program.

Services such as cloud computing services that manage data using computer resources connected to communication networks are widely used. Since this type of service manages highly confidential data, it is necessary to guarantee the security of the data. In a network environment, research and development of a technique for managing data in an encrypted state and performing search, statistical processing, and the like without decrypting the data is being performed. In addition, biometric authentication technology that realizes highly secure authentication using authentication information based on characteristics (biological information) of a living body such as a vein has attracted attention. In the biometric authentication technology, a template is created based on biometric information for registration, and the created template is stored in a database.

In the biometric authentication technology, the authentication target is accepted when the authentication biometric information created based on the biometric subject to authentication and the template stored in the database are similar (or coincident). In the biometric authentication technique, the authentication target is not accepted when the biometric information for authentication and the template are not similar (or matched). The biometric information for authentication acquired by a sensor or the like changes little by little even when the biometric information for the same person as the biometric information for registration is extracted. Even if a plurality of pieces of biometric information for authentication are created from a single living body, the plurality of pieces of biometric information for authentication do not always match each other. When measuring whether or not biometric information is similar using a certain distance function, the distance between the plurality of pieces of biometric information for authentication created from the same living body is short. On the other hand, the distance between a plurality of pieces of authentication biometric information created from different living bodies is long. The biometric authentication technology collates the template stored in the database with the authentication information created for the authentication target by using the above characteristics. For example, fingerprints, veins, etc. are examples of biometric information, and are data that does not change throughout life. The damage caused when biometric information is leaked outside the verification system is significant. For this reason, the biometric information is one piece of information that requires confidentiality. Therefore, even if a template, which is encrypted data generated based on biometric information for registration, leaks to the outside of the verification system, a template-protective biometric authentication technique that prevents the biometric information from leaking to the outside of the verification system is important. .

Securing biometric authentication performed only by the server and client cannot prevent an attacker with a template from trying to authenticate offline. In addition, the space for biometric information has a size that allows brute force. For this reason, an attacker having a template can restore the registered biological information. Therefore, as a secret biometric authentication method that prevents biometric information from leaking even if a template leaks, a third party (referred to as a “decryptor” or “decryption device”) that manages the secret key in addition to the server and client. A three-party model of a secure biometric authentication method that uses the Internet has been proposed. For the secret biometric authentication of the three-party model, for example, Patent Document 1 is referred to.

The notation such as the encryption algorithm used in this specification will be described. First, public key cryptography will be described. The public key cryptosystem is represented by three algorithms (Gen, Enc, Dec): key generation, encryption, and decryption.

The key generation algorithm (indicated as “Gen”) outputs a public key pk and a secret key sk based on the security parameter 1 ^ κ.
(pk, sk) ← Gen (1 ^ κ)

The encryption algorithm (indicated as “Enc”) receives the public key pk and plaintext m and outputs ciphertext c.
c ← Enc (pk, m)

The decryption algorithm (denoted as “Dec”) receives the secret key sk and ciphertext c, and outputs a decryption result m ′.
m '← Dec (sk, c)

Note that in this specification, pk and sk of Enc (pk, m) and Dec (sk, c) are omitted and Enc (m) and Dec (c) may be abbreviated, as is clear from the context. Yes (abbreviated in the drawing). Homomorphic encryption is public key cryptography that can calculate the ciphertext of the operation result of plaintext from a plurality of ciphertexts. For example, ciphertext Enc (m ₁ + ... + m corresponding to the sum of plaintexts without using a secret key from ciphertext Enc (m ₁ ), ..., Enc (m _m ) of plaintext m ₁ , ..., m _n What can calculate _n ) is called "additive homomorphic encryption".

FIG. 1 is a diagram for explaining an example of related technology of a three-party model biometric authentication system (see, for example, the ciphertext matching system disclosed in Patent Document 1). Note that the registration request device 10 and the verification request device 20 on the client 11 side may be the same device. In the system of FIG. 1, the preparation phase is as follows.

The decryption apparatus 50 generates a key and generates a public key (pk) and a secret key (sk) of the homomorphic encryption. The decryption device 50 transmits the public key to the registration request device 10, the verification request device 20, and the server 12. The decoding device 50 is also referred to as a “verification device” when verifying the presence / absence of similarity (match) between the biometric information for verification and the biometric information for registration based on the decoding result as well as the decoding.

In the system of FIG. 1, the registration phase is as follows.

The registration requesting device 10 generates registration data Enc (pk, Z) obtained by encrypting the feature vector Z of biometric information for registration using the public key pk. The registration requesting apparatus 10 transmits registration data Enc (pk, Z) to the server 12. The server 12 registers the registration data Enc (pk, Z) in the storage device 30.

In the system of FIG. 1, the verification phase is as follows.

The collation requesting device 20 generates collation data Enc (pk, Z ′) obtained by encrypting the feature vector Z ′ of the biometric information for collation using the public key pk. The verification requesting device 20 transmits the verification data Enc (pk, Z ′) to the server 12. If the registration requester and the verification requester are the same person, the distance between the two feature vectors Z and Z 'is close, and the distance between the feature vectors Z and Z' of different persons is long.

The collation device 40 of the server 12 utilizes the homomorphism of the encryption algorithm and encrypts the encrypted distance data Enc (pk, d (Z, Z ')) is calculated. Here, d (a, b) represents the distance between a and b. The server 12 transmits a query including the encrypted distance data Enc (pk, d (Z, Z ′)) to the decryption device 50.

The decryption device 50 decrypts the encrypted distance data Enc (pk, d (Z, Z ')) using the secret key sk, and obtains a decryption result d (Z, Z'). The decoding result d (Z, Z ′) indicates distance information. The decoding device 50 confirms whether or not the decoding result d (Z, Z ′) is equal to or less than a predetermined threshold value t. As a result of the confirmation, when the decryption result d (Z, Z ′) is equal to or smaller than the threshold value t, the decryption device 50 transmits an acceptance (OK) to the server 12. On the other hand, when the decryption result d (Z, Z ′) is larger than the threshold t, the decryption device 50 transmits a rejection (no 受 good: NG) to the server 12. The server 12 outputs an acceptance to the verification requesting device 20 if the response of the decryption device 50 is OK, and outputs an unacceptance to the verification requesting device 20 if the response of the decryption device 50 is NG.

In Patent Document 1, the input data to be concealed is encrypted using an encryption key, and a registration data generation unit that outputs registration data, and the registration data is uniquely stored in the ciphertext storage unit. A storage device for storing identifiers for identification in the identifier storage unit so that the correspondence can be recognized, a data verification request generating unit for encrypting input data to be verified using an encryption key and outputting verification data, and registration A distance calculation unit that outputs encrypted distance data using an encryption key from the data and verification data, a decryption unit that decrypts the encrypted distance data using a decryption key and generates distance data, and a random number from the distance data A score calculation unit that generates a score using, and a determination unit that outputs a matching result from the score, and relates to the distance between the data Z used during registration and the data Z ′ used during matching Also output information, the ciphertext verification system is disclosed which is adapted information about the data does not leak.

In Patent Document 2, the registration information of a user encrypted using an encryption algorithm that can calculate the Hamming distance in an encrypted state is stored between the registration information and the verification information encrypted using the encryption algorithm. The calculation result of the Hamming distance is converted so as to include the Hamming distance between the verification information and the user, and the Hamming distance between the verification information and another person different from the user, and the input verification information and the converted registration information Based on the comparison result of the Hamming distance between the collation information and the user included in the calculated Hamming distance, the Hamming distance between the collation information and another person different from the user, and a preset threshold value included in the calculated Hamming distance A method for determining whether or not input collation information is illegal is disclosed.

Further, in Patent Document 3, when a vector data A = (a1, a2,...) Is encrypted with homomorphic encryption in a secret biometric authentication system / secret tag search system using homomorphic encryption, each component ai is Encryption is performed to generate encryption vector data E (A) = (E (a1), E (a2),...), And two encryption vector data E (A) = (E (a1), E (a2) , ...) and E (B) = (E (b1), E (b2), ...) are calculated with encryption (the Hamming distance is an example of the distance). Are homomorphically encrypted, encryption vector data E (A) = (E (a1), E (a2),...), E (B) = (E (b1), E (b2),. ) And the like, and there is a problem that the calculation of the secret distance requires a lot of calculation time, and a configuration that reduces both the size of the encryption vector data and the time of the secret distance calculation is disclosed. Yes.

Also, Patent Document 4 describes a technology in which the size of the template does not depend on the parameter of the range of the acceptable range and the load on the third party is small. However, in this method, the distance from the biometric information that is a target to be compared with the registered biometric information is disclosed to a third party. It is known that a malicious third party can perform an attack (hill climbing attack) by using the distance obtained at the time of collation.

The main safety of confidential biometric authentication is as follows.

A) Unrecoverable feature:
This refers to the property that the original biological information cannot be restored from the template.

B) Impersonation attack resistance This means that a query that can be accepted cannot be created even if eavesdropping on communication between templates and past servers and clients.

[Retransmission attack, which is an attack to wiretap data sent in the past and send it as it is, is a kind of spoofing attack. A scheme that does not have resend attack resistance does not have spoof attack resistance.

The method of accepting by sending the same value (for example, 0 ciphertext) to any template may not have the resistance to spoofing attacks.

Also, a method capable of restoring the feature quantity can perform authentication using the restored feature quantity. For this reason, it is not resistant to spoofing attacks.

In this specification, a semi-honest attacker is assumed as the attacker. That is, the attacker always operates according to the algorithm indicated by the method, and tries to take more information from the obtained information.

If the attacker can obtain the biometric information and distance (distance between the registration and verification feature vectors) used for authentication (verification), the biometric information registered by, for example, a hill climbing attack can be restored. Hill climbing attacks are well-known attack methods in the biometrics field.

For example, in FIG. 1, when an attacker selects biometric information used for authentication (collation) and obtains the distance between the collation biometric information and the registered biometric information, it is known that a hill climbing attack is possible. ing. A first distance d (Z, Z ′) (Z is a feature vector extracted from biometric information for registration) with respect to the feature vector Z ′ generated using a certain feature vector Z ′ is obtained. Next, a second distance d (Z, Z ″) with the feature vector Z of the registered biometric information with respect to Z ″ obtained by modifying a part of the feature vector Z ′ (for example, inverted by 1 bit) is obtained. When the second distance d (Z, Z ″) is smaller than the first distance d (Z, Z ′), the modification brings the feature vector Z ″ closer to the feature vector Z of the registered biometric information. Means that. On the other hand, when the second distance d (Z, Z ″) is larger than the first distance d (Z, 'Z ′), the feature vector Z ″ becomes the feature vector of the registered biometric information by the modification. It means that it was away from Z. It is known that by repeating such an action, it is possible to restore the feature vector Z from the registered data (or the feature vector Z ′ from the authentication (collation) data) with a relatively small amount of calculation. .

2A to 2C are diagrams schematically illustrating an example of the above-described hill climbing attack (assuming that biological information is two-dimensional coordinates). As illustrated in FIGS. 2A to 2C, when an attacker selects biometric information used for authentication (verification) and obtains a distance between the biometric information for verification and the registered biometric information, the attacker is authenticated ( Registered biological information can be restored by repeating (collation). At the first time, the attacker selects biometric information with a circle as biometric information for authentication (collation), authenticates with the registered biometric information, and obtains distance = 5 from the registered biometric information ( FIG. 2A). For the second time, it is assumed that the attacker selects biometric information with a circle as the authentication data, authenticates the registered data, and obtains a distance = 3 from the registered biometric information (FIG. 2B). As a result, as shown in FIG. 2C, the attacker can restore the registered biometric information.

Also, since the decryptor can calculate the distance, it is vulnerable to a hill climbing attack by an attacker colluding with the decryptor. The decryptor determines an authentication result (acceptance, non-acceptance) from the distance between the registered biometric information and the biometric information to be verified. An attacker who can know the distance obtained by the decryptor and the biological information used for authentication (collation) can restore the registered biological information. This is the case when an attacker colluding with a decryptor tries to authenticate (verify) by pretending to be a client. For this reason, it can be said that it is a realistic attack.

Also, if the server can manipulate the distance, it is vulnerable to hill climbing attacks by attackers colluding with the server. In this case, the server can try collation (authentication) by manipulating the distance. As a result, an attacker who can know the biological information used for collation can restore the registered biological information. The space of the distance between the registered biometric information and the feature vector of the verification biometric information is narrower than the biometric information space and is easier to hit than the biometric information. The distance between the registered biometric information and the biometric feature vector can be calculated by trying the collation by manipulating the distance. For example, the registered biometric information and the matching biometric information are obtained by querying a decryptor (for example, the decryption device 50 in FIG. 1) such as Enc (distance + a) or Enc (distance * a) and confirming whether or not the decryption is accepted. It is possible to know the distance between feature vectors. This is the case when an attacker colluding with the server pretends to be a client and tries authentication. Therefore, it can be said that this attack collocated with the server is a realistic attack.

In Non-Patent Document 1,
・ Security against attackers colluding with servers and users,
・ Security against attackers colluding with decryptors and users,
・ Safety that eavesdroppers cannot impersonate users,
A method that satisfies all three safety points has been proposed. The disclosure of Non-Patent Document 1, the feature vector X = the registered biometric information _{[x 1, ..., x n} ] with verification biometric information feature vector _{Y = [y 1, ...,} y n] distance D (Euclidean Distance (Square) is divided into D = D ₁ + D ₂ .

D = d _E ² (X, Y) = Σ <i = 1, n> (xi-yi) ^ 2 = Σ <i = 1, n> xi ^ 2-2Σ <i = 1, n> xiyi + Σ <i = 1, n> yi ^ 2 = D1 + D2
… (1)

However,
D ₁ = Σ <i = 1, n> xi ^ 2 (2)
D ₂ =-2Σ <i = 1, n> xiyi + Σ <i = 1, n> yi ^ 2… (3)

However, in the above formulas (1) to (3), Σ <i = 1, n> represents the summation operation from 1 to n of the index i, and ^ is a power operator.

In the decoding device 50, when the distance D between the vectors X and Y is 0 or is equal to or smaller than a predetermined threshold t, the biometric information for verification is accepted as being identical or similar to the biometric information for registration. According to Non-Patent Document 1, in FIG. 1, even if the verification requesting device 20 (client) sends a ciphertext having a value of 0 as the distance D2, the verification biometric information is identical or similar to the registration biometric information. It will not be accepted. This is due to the following reason.

The verification requesting device 20 (client) calculates D ₂ that is one of the divided distances, and sends the encrypted D ₂ to the verification device 40 (server). This matching device 40 (server), and D _2, which is encrypted and held at collating unit 40 (server) side, calculating the sum of D ₁ of the encrypted data which is the other divided distance This is because the encrypted data of the distance D between the vectors X and Y is calculated by Since the verification requesting device 20 (client) does not know the value of D ₁ that is the other of the divided distances, D ₂ (= − that satisfies the distance D ₁ + D ₂ = D = 0 of the vectors X and Y is satisfied. D ₁ ) cannot be calculated and transmitted to the verification device 40 (server).

FIG. 3 is a diagram for explaining an operation sequence of the system based on Non-Patent Document 1. First, the outline of the operation of each algorithm of Modified-Elgamal encryption will be described. The key generation algorithm first receives a security parameter 1 ^ κ as input.

Next, a group G whose order is a prime number q of κ bits and its generation source g are generated.
x∈Fq = {0,1,…, q-1}… (4)
Choose at random,
h = g ^ x… (5)
And

Finally, the public key pk = (g, h = g ^ x) and the secret key sk = x are output.

The encryption algorithm first receives the public key pk and message m as input.

Next, random number r∈Fq (6)
Choose at random.

next,
C [0] = g ^ r,… (7)
C [1] = h ^ r · g ^ m… (8)
Calculate

Finally, the ciphertext C = (C [0], C [1]) is output.

The decryption algorithm first receives the secret key sk = x and the ciphertext C = (C [0], C [1]) as inputs.

Next, as a decryption result,
M = C [1] / (C [0] ^ x)… (9)
Is output.

Ciphertext of a message m
Enc (pk, m) = (C [0], C [1]) = (g ^ r, h ^ r ・ g ^ m)… (10)
Whereas
Dec (sk, (C [0], C [1])) = C [1] / (C [0] ^ x) = g ^ m… (11)
It becomes.

The decryption algorithm may return g ^ m instead of message m. If Modified-Elgamal cipher is used, ciphertext corresponding to addition of plaintext or constant multiplication can be calculated with encryption.

In case of addition, ciphertext of public key pk = (g, h = g ^ x) and two messages m and m '
C = Enc (pk, m) = (C [0], C [1]) = (g ^ r, h ^ r ・ g ^ m)… (12)
as well as,
C '= Enc (pk, m') = (C '[0], C' [1]) = (g ^ r ', h ^ r' ・ g ^ m ')… (13)
Whereas
(C [0] ・ C '[0], C [1] ・ C' [1]) = (g ^ {r + r '}, h ^ {r + r'} ・ g ^ {m + m ' }) = Enc (pk, m + m ')… (14)
Holds.

In the case of a constant multiple,
Public key pk = (g, h = g ^ x),
Arbitrary constant z and ciphertext c = Enc (pk, m) = (C [0], C [1]) = (g ^ r, h ^ r ・ g ^ m)
Whereas
(C [0] ^ z, C [1] ^ z) = (g ^ {zr}, h ^ {zr} ・ g ^ {zm}) = Enc (pk, zm)… (15)
Holds.

That is, for Enc (pk, x) = C, Enc (pk, x ') = C', integer z
Add
Add (C, C ') = (C [0] ・ C' [0], C [1] ・ C '[1])… (16)
Scalar operation
Scl (z, C) = (C [0] ^ z, C [1] ^ z)… (17)
And
Add (C, C ') = Enc (pk, x + x' mod q)… (18)
Scl (z, C) = Enc (pk, zx mod q)… (19)
Holds. However,
x + x 'mod q,
zx mod q
Is the result of calculating x + x ′, zx on the field Fq.

Referring to FIG. 3, as a preparation, for example, the verification device 50 generates a public key pk and a secret key sk using the security parameter 1 ^ κ, and publishes the public key pk (S100).

The distance between registered data (n-dimensional vector) and collation data (n-dimensional vector): d _E ² (X, Y) is divided as described above.

The registration requesting device 10 uses the registration data X = [x1,..., Xn] as a template,
Encrypted data of n elements x _i (i = 1, ..., n)
Enc (pk, x ₁ ), Enc (pk, x ₂ ),…, Enc (pk, x _n )… (20)
And the sum of the squares of n elements x _i Σ <i = 1, n> x _i ^ 2
Enc (pk, Σ <i = 1, n> x _i ^ 2)… (21)
Is transmitted to the storage device 30 (S101).

The storage device 30
Enc (pk, x _i ) (i = 1,…, n), and Enc (pk, Σ <i = 1, n> x _i ^ 2) = Enc (pk, D ₁ )
Is stored in correspondence with the registered identifier Id (Identity) or the like.

When collation data Y = [y ₁ ,..., Y _n ] is collated, the collation request device 20 transmits a collation request to the collation device 40 (S102).

Based on the user ID, the verification device 40 stores the registered template from the storage device 30:
Enc (pk, x ₁ ),…, Enc (pk, x _n )
And Enc (pk, Σ <i = 1, n> x _i ^ 2) = Enc (pk, D ₁ )
Is acquired (S103).

The collation device 40 generates a random number S (S104), and the registered template
Enc (pk, x _i ) (i = 1,…, n)… (22)
Encryption data that is multiplied by S with a scalar operation rule
Enc (pk, Sx ₁ ),…, Enc (pk, Sx _n )… (23)
And encrypted data with public key pk of random number S
Enc （pk, S）… (24)
And the encrypted data is transmitted to the verification requesting device 20 (S105). The collation device 40 preferably selects a different number each time as the random number SεF _q = {0, 1,..., Q−1}. The collation device 40 does not transmit the encryption data (second template) Enc (pk, D ₁ ) related to Σ <i = 1, n> x _i ^ 2 = D _{1 to the} collation requesting device 20.

The verification requesting device 20 calculates Σ <i = 1, n> y _i ^ 2 from the verification data Y = [y ₁ ,..., Y _n ]. The collation request unit 20, the random number _{R 0,} R _1, to produce a ... R _t. The verification requesting device 20 performs a scalar operation Scl (Σ <i = 1, n> y _i ^ 2, Enc (pk, S)) on the received Enc (pk, S).
Enc (pk, SΣ <i = 1, n> y _i ^ 2)… (25)
Is generated.

Further, the collation requesting device 20 performs a scalar operation on the elements {y _i } of the collation vector for the n {Enc (pk, Sxi)} i (i = 1,..., N) received from the collation device 40.
Scl ((-2y _i ), Enc (pk, Sx _i )) (i = 1, ..., n)
Enc (pk, (-2y _i ) Sx _i ) = Enc (pk, -2Sx _i y _i ) (i = 1,…, n)… (26)
Ask for.

Then, the verification requesting device 20 performs a homomorphic encryption addition operation.
Enc (pk, -2S (Σ <i = 1, n> x _i y _i ))… (27)
Seeking
Enc (pk, S × (Σ <i = 1, n> y _i ^ 2))… (28)
Homomorphic addition with
Enc (pk, S {(Σ <i = 1, n> y _i ^ 2) -2 (Σ <i = 1, n> x _i y _i )}) = Enc (pk, SD ₂ )… (29)
Ask for.

In addition, the verification requesting device 20 generates random numbers R ₀ , R ₁ ,..., R _t and encrypts them with the public key pk.
Enc (pk, R _δ ) (δ = 0,1,…, t)… (30)
Is generated.

Furthermore, the verification requesting device 20 performs a scalar operation on δ (= 0, 1,..., T) on Enc (pk, S),
Enc (pk, Sδ)… (31)
Calculate

The verification requesting device 20
Homomorphism from Enc (pk, R _δ ) (δ = 0,1, ..., t), Enc (pk, SD ₂ ) and Enc (pk, Sδ) (δ = 0,1, ..., t) Using these properties, keep these encrypted,
Enc (pk, R _δ + SD ₂ −Sδ) (δ = 0,1,…, t)… (32)
Calculate

In addition, collation request unit 20, the random number R _0, R _1, ..., hash value of R _t
H (R ₀ ), H (R ₁ ),..., H (R _t ) (33)
Are transmitted as a response to the verification device 40 (S116).

In other words, collation requesting device 20 includes a challenge from the verification device 40, a vector Y = the crosscheck biometric information _{[y 1, ..., y n} ] each element {y _i} of (i = 1, ..., n ) to based, and the registered biometric dividing the distance D of the vector Y of the vector X and the crosscheck biometric information of the information _{(D = D 1 + D 2} ) was divided value D _2, the random number R _0, R _1, ..., based on the R _t, As a response,
Enc (pk, R ₀ + S (D ₂ −0)), Enc (pk, R ₁ + S (D ₂ −1)), ..., Enc (pk, R _t + S (D ₂ −t)) and hash values H (R ₀ ), H (R ₁ ),..., H (R _t ) are transmitted to the verification device 40.

The collation device 40 performs a scalar operation on the random number S on the template Enc (pk, D ₁ ) of the storage device 30 to obtain Enc (pk, SD ₁ ) (34).
Ask for.

The verification device 40 receives a response from the verification request device 20.
Enc (pk, R ₀ + S (D ₂ −0)),
Enc (pk, R ₁ + S (D ₂ −1)),…
Enc (pk, R _t + S (D ₂ -t))
When,
Enc (pk, SD ₁ ) and
From the above, using the homomorphism while encrypting these,
Enc (pk, R ₀ + S (D ₁ + D ₂ −0)),
_{Enc (pk, R 1 + S} (D 1 + D 2 -1)), ...,
Enc (pk, R _t + S (D ₁ + D ₂ −t))
… (35)
Is calculated. However,
d _E ² (X, Y) = D ₁ + D _2- = D… (36)

Furthermore, the verification device 40
Enc (pk, R ₀ + S (D ₁ + D ₂ −0)),
_{Enc (pk, R 1 + S} (D 1 + D 2 -1)), ...,
Hash value transmitted as a response from the verification requesting device 20 with Enc (pk, R _t + S (D ₁ + D ₂ −t))
H (R ₀ ), H (R ₁ ), ..., H (R _t )
At the same time, it is transmitted to the verification device 50 as a query (S117).

In the verification device 50, the encrypted data of the query from the verification device 40:
Enc (pk, R ₀ + S (D-0)),
Enc (pk, R ₁ + S (D-1)), ...
Enc (pk, R _t + S (D-t))
Are decrypted using the secret key (sk) (S118).

z ₀ = R ₀ + S (D-0) <-Dec (sk, Enc (pk, R ₀ + S (D-0)))
z ₁ = R ₁ + S (D-1) <-Dec (sk, Enc (pk, R ₁ + S (D-1))) ...,
z _t = R _t + S (D−t) <-Dec (sk, Enc (pk, R _t + S (D−t)))
… (37)

In the verification device 50, the hash value
H (R ₀ + S (D-0)),
H (R ₁ + S (D-1)), ...
H (R _t + S (D-t))
… (38)
Is calculated.

And in the verification apparatus 50,
H (R ₀ + S (D−0)) = H (R ₀ ),
H (R ₁ + S (D−1)) = H (R ₁ ),.
H (R _t + S (D−t)) = H (R _t )
… (39)
It is checked whether there is any one that satisfies (S119). If there is nothing to satisfy, it will be rejected.

If the distance D between the registered biometric information vector X and the matching biometric information vector Y is less than or equal to the threshold t,
D-0 = 0,
D-1 = 0, ...
Dt = 0
… (40)
Either of the above holds.

Therefore, for any S, R ₀ , R ₁ ,..., Rt, one of the following holds.
R ₀ + S (D−0) = R ₀ ,
R ₁ + S (D−0) = R ₁ ,...
R _t + S (D−0) = R _t ,
… (41)

By using independent random numbers as S, R ₀ ,..., R _t , R ₀ + S (D−0), R ₁ + S (D−0),..., R _t + S (D−0) and H ( Leakage of distance D from R ₀ ), H (R ₁ ),..., H (R _t ) is avoided.

JP 2016-1111594 A JP 2016-131335 A JP 2014-126865 A International Publication No. 2012/114454

The following is an analysis of related technologies.

As described above, when disclosing the distance to the decryptor, the biometric information registered by the hill climbing attack can be restored if the attacker obtains the biometric information and distance used for authentication.

In Non-Patent Document 1, multi-value vectors are targeted as biological information.

A method that handles binary vector type biometric information and is resistant to hill climbing attacks by attackers colluding with decryptors has not been proposed yet.

Furthermore, no technique has yet been proposed that is resistant to hill climbing attacks by attackers colluding with the server.

That is, an authentication system that does not disclose the distance to the decryptor and that the server cannot operate the distance between the registered biometric information and the collated biometric information has not been proposed yet.

The present invention provides a system, an apparatus, a method, and a program that are resistant to at least a hill climbing attack by an attacker who collaborates with a decryptor of a three-party model when collating binary vector information. Is one of the purposes.

Another object of the present invention is to provide a system, apparatus, method, and program for disabling the operation of the distance between registered biometric information and collation biometric information by a three-part model server in addition to the above-described object. It is in.

According to one aspect of the present invention, the verification system encrypts the first calculation result and the second calculation result relating to the elements of the binary first vector for registration from the registration requesting device with the encryption key, respectively. A storage device that receives and stores the encrypted data, and upon receiving a verification request from the verification requesting device, the encrypted data obtained by the calculation with the first random number while the encrypted data of the first calculation result is encrypted Obtained by calculation with a collation device to be transmitted to the collation request device, and the encrypted data transmitted from the collation device, with the encrypted data encrypted and with the elements of the binary second vector for collation The verification request device that transmits the encrypted data to the verification device, and a verification device are provided. Based on the encrypted data transmitted from the verification requesting device and the encrypted data of the second calculation result, the verification device encrypts the first vector and the second vector while encrypting them. Generating encrypted data having a value based on a distance and a predetermined arithmetic expression relating to at least the first random number and the second random number; and a non-negative integer value whose distance is equal to or less than a predetermined threshold (t); If they match, a hash value of the value taken by the arithmetic expression is generated, and the generated encrypted data and the hash value are transmitted as a query to the verification device. The verification device receives the query transmitted from the verification device, decrypts the encrypted data of the query with a decryption key, calculates a hash value of a decrypted value, and among the hash values of the query, the decryption It is determined whether or not there is a value equal to the hash value of the value, and acceptance or non-acceptance is determined.

According to another aspect of the present invention, encrypted data obtained by encrypting a first calculation result and a second calculation result relating to elements of a binary first vector for registration from a registration requesting device with an encryption key, respectively. Is provided that is connected to a storage device that receives and stores the data. When receiving the verification request from the verification requesting device, the verification device transmits the encrypted data obtained by the calculation with the first random number while encrypting the encrypted data of the first calculation result to the verification requesting device. One means,
The verification request device that receives the transmitted encrypted data and transmits the encrypted data obtained by the calculation with the binary second vector element for verification to the verification device while encrypting the encrypted data A second means for receiving the encrypted data from:
Based on the encrypted data transmitted from the verification requesting device and the encrypted data of the second calculation result, the distance between the first vector and the second vector is kept at least as encrypted. Generating encrypted data of a value based on a predetermined arithmetic expression relating to the first random number and the second random number;
A third means for generating a hash value of a value taken by the arithmetic expression when the distance matches a non-negative integer value equal to or less than a predetermined threshold;
A fourth means for transmitting the generated encrypted data and the hash value as the query to the verification device;
Decrypting the encrypted data of the query with a decryption key to calculate a hash value of a decrypted value, and determining whether there is a hash value equal to the hash value of the decrypted value among the hash values of the query, And a fifth means for receiving a verification result from the verification device for determining acceptance or non-acceptance.

According to still another aspect of the present invention, encrypted data obtained by encrypting a first calculation result and a second calculation result related to elements of a binary first vector for registration from a registration requesting device with an encryption key is provided. A first step of receiving and storing in a storage device;
When the collation device receives a collation request from the collation requesting device, the encryption data obtained by the operation with the first random number is transmitted to the collation requesting device while the encrypted data of the first calculation result is encrypted. And the process of
The verification requesting device receives the encrypted data transmitted from the verification device, and encrypts the encrypted data obtained by calculation with the binary second vector element for verification while encrypting the encrypted data. A third step of transmitting to the verification device;
Based on the cipher data transmitted from the collation requesting device and the cipher data of the second calculation result, the collation device encrypts the first vector and the second vector while encrypting them. Generating encrypted data having a value based on a distance and a predetermined arithmetic expression relating to at least the first random number and the second random number;
When the distance matches a non-negative integer value equal to or less than a predetermined threshold value, a hash value of the value taken by the arithmetic expression is generated,
A fourth step of transmitting the generated encrypted data and the hash value as a query to the verification device;
The verification device receives the query transmitted from the verification device, decrypts the encrypted data of the query with a decryption key, calculates a hash value of a decrypted value, and among the hash values of the query, the decryption And a fifth step of determining whether or not there is a value equal to the hash value of the value and determining acceptance or non-acceptance.

According to still another aspect of the present invention, encrypted data obtained by encrypting the first calculation result and the second calculation result relating to the elements of the binary first vector for registration from the registration requesting device with an encryption key is obtained. To a computer connected to a storage device that receives and stores,
A first process for receiving the verification request from the verification requesting device and transmitting the encrypted data obtained by the calculation with the first random number while encrypting the encrypted data of the first calculation result to the verification requesting device;
The verification request device that receives the transmitted encrypted data and transmits the encrypted data obtained by the calculation with the binary second vector element for verification to the verification device while encrypting the encrypted data A second process for receiving the encrypted data from:
Based on the encrypted data transmitted from the verification requesting device and the encrypted data of the second calculation result, the distance between the first vector and the second vector is kept at least as encrypted. Generating encrypted data of a value based on a predetermined arithmetic expression relating to the first random number and the second random number;
A third process of generating a hash value of a value taken by the arithmetic expression when the distance matches a non-negative integer value equal to or less than a predetermined threshold;
A fourth process of transmitting the generated encrypted data and the hash value as the query to the verification device;
Decrypting the encrypted data of the query with a decryption key to calculate a hash value of a decrypted value, and determining whether there is a hash value equal to the hash value of the decrypted value among the hash values of the query, A fifth process of receiving a verification result from the verification device for determining acceptance or non-acceptance;
And a computer-readable program recording medium storing the program.

According to the present invention, a computer-readable recording medium storing the above program is a semiconductor storage, such as a RAM (Random Access Memory), a ROM (Read Only Memory), or an EEPROM (Electrically, Erasable and Programmable ROM), an HDD, etc. (Hard Disk Drive), CD (Compact Disk), DVD (Digital Versatile Disk) and other non-transitory media.

According to one aspect of the present invention, when collating binary vector information, for example, it is possible to provide resistance to a hill climbing attack by an attacker colliding with a decryptor of a three-party model. Moreover, according to the other form of this invention, in addition to the said effect, operation of the distance of registration biometric information and collation biometric information by the server of a three-part model can be made impossible further.

It is a figure explaining the three-part model of related technology. It is a figure explaining a hill climbing attack. It is a figure explaining a hill climbing attack. It is a figure explaining a hill climbing attack. It is a figure explaining the operation | movement sequence of the three-part model of a distance division | segmentation system based on a nonpatent literature 1 indication. It is a figure explaining the example of the spoofing of a binary vector in FIG. BRIEF DESCRIPTION OF THE DRAWINGS FIG. 1 is a probability diagram schematically illustrating a system configuration of a first exemplary embodiment of the present invention. It is a figure explaining an example of the operation | movement sequence of illustrative 1st Embodiment of this invention. It is a figure explaining an example of an apparatus configuration of a 1st exemplary embodiment of the present invention. It is a figure explaining the preparation phase in illustrative 1st Embodiment of this invention. It is a figure explaining the registration phase in illustrative 1st Embodiment of this invention. It is a figure explaining the collation phase in exemplary 1st Embodiment of this invention. It is a figure explaining exemplary 2nd Embodiment of this invention. It is a figure explaining an example of the operation | movement sequence of illustrative 2nd Embodiment of this invention. It is a figure explaining the registration phase in illustrative 2nd Embodiment of this invention. It is a figure explaining exemplary 3rd Embodiment of this invention.

Embodiments of the present invention will be described. First, the problem from which the present invention was created will be described by taking, as an example, a case where a binary vector is collated by the collation system described with reference to FIG.

As described above, Non-Patent Document 1 deals with multi-value vectors as biological information. A technique that handles binary vector type biometric information and has resistance to hill climbing attacks by an attacker who collaborates with a decryptor has not been proposed yet. FIG. 4 is a diagram for explaining an example of impersonation when a binary vector is handled in the system described with reference to FIG. Although not particularly limited, the Modified-Elgamal encryption algorithm is used in FIG. 4 as in FIG.

Since the hamming distance of the binary vector can be calculated by the same method as the Euclidean distance of the multi-value vector, the multi-value vector type biological information described with reference to FIG. 3 is collated by the Euclidean distance d _E ² (X, Y). The system seems to be able to handle binary vector type biological information.

Binary vector
For each element xi of X = [x ₁ ,…, x _n ] ∈ {0,1} ⁿ ,
x _i ^ 2 = x _i (i = 1,…, n)… (42)
Holds.

Enc (pk, x _i ^ 2) = Enc (pk, x _i )… (43)
The verification requesting device 20 received in step S105
Enc (pk, Sx _i ) (i = 1,…, n)… (44)
From
Enc (pk, Sx _i ^ 2) (i = 1,…, n)… (45)
Can be calculated.

That is, the verification requesting device 20
Enc (pk, SΣ <i = 1, n> x _i ^ 2) = Enc (pk, SD ₁ )… (46)
Can be calculated.

Based on Enc (pk, S), the verification requesting device 20
Enc (pk, R ₀ + S (CD ₁ -0)),
Enc (pk, R ₁ + S (CD ₁ -1)), ...
Enc (pk, R _t + S (CD ₁ -t))
… (47)
When,
Hash value
H (R ₀ ), H (R ₁ ),..., H (R _t )
… (48)
Is transmitted to the verification device 40 (S116A). However, C is an integer equal to or less than t (for example, 0).

As described above, the collation device 40 obtains Enc (pk, SD ₁ ) by performing a scalar operation on the random number S on the template Enc (pk, D ₁ ) of the storage device 30. The verification device 40 sends a response from the verification request device 20:
Enc (pk, R ₀ + S (CD ₁ -0)),
Enc (pk, R ₁ + S (CD ₁ -1)), ...
Enc (pk, R _t + S (CD ₁ -t)),
Encrypted data Enc (pk, SD ₁ )
From the above, using the homomorphism while encrypting these,
Enc (pk, R ₀ + S (CD ₁ -0 + D ₁ )) = Enc (pk, R ₀ + S (C-0)),
Enc (pk, R ₁ + S (CD ₁ -1 + D ₁ )) = Enc (pk, R ₁ + S (C-1)), ...
_{Enc (pk, R t + S} (CD 1 -t + D 1)) = Enc (pk, R t + S (Ct))
… (49)
Calculate the hash value
H (R ₀ ), H (R ₁ ), ..., H (R _t )
… (50)
At the same time, the query is transmitted to the verification device 50 (S117A).

In the verification device 50, the encrypted data of the query from the verification device 40
Enc (pk, R ₀ + S (C-0)),
Enc (pk, R ₁ + S (C-1)), ...
Enc (pk, R _t + S (Ct))
Is decrypted using the secret key (sk) (S118A).
z ₀ = R ₀ + S (C-0) <-Dec (sk, Enc (pk, R ₀ + S (C-0)))
z ₁ = R ₁ + S (C-1) <-Dec (sk, Enc (pk, R ₁ + S (C-1))) ...,
z _t = R _t + S (Ct) <-Dec (sk, Enc (pk, R _t + S (Ct)))
… (51)

In the verification device 50, the hash value of the decrypted value
H (R ₀ + S (C-0)),
H (R ₁ + S (C-1)), ...
H (R _t + S (C-t))
… (52)
Is calculated.

The verification device 50
H (R ₀ + S (C-0)) = H (R ₀ ),
H (R ₁ + S (C−1)) = H (R ₁ ),.
H (R _t + S (C−t)) = H (R _t )
… (53)
It is checked whether or not there is a satisfying condition (S119A).

Here, if the verification requesting device 20 sets C = 0, for example,
H (R ₀ + S (C-0)) = H (R ₀ )
… (54)
Is always true. The same applies to C = 1 and C = t. Therefore, impersonation is possible.

In step S105 of FIG. 4, if the verification device 40 does not transmit Enc (pk, S) as a challenge, the verification request device 20 generates Enc (pk, R _δ + S (CD ₁ -δ)). Cannot impersonate and cannot impersonate.

According to the present invention, it is possible to avoid the above-mentioned impersonation by using a method in which the encrypted data of the random number S is not independently transmitted in the challenge transmitted from the verification device to the verification request device in the distance division verification system. Yes.

According to the basic form of the present invention, the registration requesting device (110 in FIGS. 5 and 11) includes an element (xi) of a binary first vector (X = [x1,..., Xn]) for registration. A first encryption result ((1-2xi) (i = 1,... N)) and a second calculation result (Σ <i = 1, n> xi = D ₁ ) encrypted with encryption keys. The data is transmitted to the storage device (130 in FIGS. 5 and 11) and stored in the storage device (130 in FIGS. 5 and 11).

When the collation device (140 in FIGS. 5 and 11) receives the collation request from the collation request device (120 in FIGS. 5 and 11), the first random number remains encrypted with the encrypted data of the first calculation result. The encrypted data obtained by the calculation is transmitted to the verification requesting device (120 in FIGS. 5 and 11).

The verification requesting device (120 in FIGS. 5 and 11) is an element of a binary second vector for verification while the encrypted data transmitted from the verification device (140 in FIGS. 5 and 11) is encrypted. The encrypted data obtained by the calculation is transmitted to the verification device (140 in FIGS. 5 and 11).

The collation device (140 in FIGS. 5 and 11), based on the cipher data transmitted from the collation request device (120 in FIGS. 5 and 11) and the cipher data in the second calculation result, A value based on a predetermined arithmetic expression regarding the distance (D) between the first vector and the second vector and at least the first random number (S) and the second random number (R) while being encrypted. Generate encrypted data. The collation device (140 in FIGS. 5 and 11) further determines the value that the arithmetic expression takes when the distance (D) matches a non-negative integer value (δ) that is equal to or less than a predetermined threshold (t). The hash value is generated, and the generated encrypted data and the hash value are transmitted as a query to the verification device (150 in FIGS. 5 and 11).

The verification device (150 in FIGS. 5 and 11) calculates the hash value of the decrypted value by decrypting the encrypted data of the query transmitted from the verification device (140 in FIGS. 5 and 11) with a decryption key, It is determined whether there is a hash value equal to the hash value of the decrypted value among the hash values of the query, and accept or reject is determined. Hereinafter, exemplary implementations will be described with reference to the drawings. Although not particularly limited, the binary vector type biological information may be an iris (IrisCode), a palm print (CompetitiveCode), or the like.

<First Embodiment>
FIG. 5 is a diagram for explaining a first exemplary embodiment of the present invention. FIG. 5 schematically illustrates the configuration of the verification system 100 according to the first exemplary embodiment. Referring to FIG. 5, the registration request device 110, the verification request device 120, the storage device 130, the verification device 140, and the verification device 150 are the registration request device 10, the verification request device 20, the storage device 30, the verification device 40, FIG. Although it corresponds to each verification device 50, the data to be processed and transmitted / received are different.

As shown in FIG. 5, the registration requesting device 110 generates a first random number (S). The registration requesting device 110 further generates a plurality (t + 1) of second random numbers (R ₀ , R ₁ ,..., R _t ). However, t is a predetermined threshold value used for determining the degree of coincidence.

In addition, the registration requesting device 110 has a plurality of (for example, t + 1) second random numbers (R ₀ , R ₁ ,..., R _t ) hash values (H (R ₀ ), H (R ₁ ),. (R _t )) is generated. As the hash function H (), a hash function having homomorphism is preferably used in order to conceal the distance.

For a generator k of a group G whose prime is q with κ bits, as a hash function H (),
H (x) = k ^ x… (55)
May be used. In addition, for the public key (g, h) in Modified Elgamal encryption,
k = g or k = h… (56)
May be used.

If k = g or k = h, the hash value can be calculated using only the public key of Modified Elgamal encryption.

When using an elliptic Elgamal cipher as an additive homomorphic cipher, as a hash function H (),
H (x) = x (*) K (57)
May be used. For public keys (G, H)
K = G and K = H
It is good.

If K = G or K = H, the hash value can be calculated using only the public key (the elliptic Elgamal cipher is also outlined in paragraph 0144 below).

In the first exemplary embodiment shown in FIG. 5, the distance (a first binary vector for registration and a second second vector for verification) by the server 102 (storage device 130, verification device 140). (Distance) can also be prevented.

The registration requesting device 110 includes the first calculation result (1-2xi) of the elements of the binary first vector (X = [x1,..., Xn]) encrypted with the public key (pk), and the first 2 calculation result (Σ <i = 1, n> xi = D ₁ ), and the result obtained by multiplying the first calculation result (1-2xi) by the first random number (S) is the public key ( n encrypted data encrypted with pk):
Enc (pk, S (1-2x ₁ )), Enc (pk, S (1-2x ₂ )), ..., Enc (pk, S (1-2x _n ))… (58)
(First template) is generated.

In addition, the registration request device 110
D ₁ -δ (δ = 0,…, t)… (59)
A plurality of (for example, t + 1) pieces of encrypted data obtained by encrypting a value obtained by multiplying each by a first random number (S) and a value obtained by adding a second random number (R _δ ) with a public key (pk):
Enc (pk, S (D ₁ -0) + R ₀ ),
Enc (pk, S (D ₁ -1) + R ₂ ),…,
Enc (pk, S (D ₁ -t) + R _t )… (60)
And a hash value of t + 1 second random numbers (R _δ ) using a homomorphic hash function H ():
H (R ₀ ), H (R ₁ ),…, H (R _t )… (61)
Is generated. A hash value {(Enc (pk, S (D ₁ -δ) + R _δ ), H (R _δ )), (δ = 0,..., t + 1 sets of encrypted data and the second random number (R _δ ) , t) is the second template.

The registration requesting device 110 includes a first template (Enc (pk, S (1-2x _i ))) (i = 1,..., N) and a second template (Enc (pk, S (D ₁ − (δ) + R _δ ), H (R _δ )) and (δ = 0,..., t) are transmitted to the storage device (130).

When the storage device 130 receives the first template and the second template transmitted from the registration requesting device 110, the storage device 130 generates a registration identifier and stores it in correspondence with the registration identifier Id.

When the verification device 140 receives the verification request from the verification request device 120, the verification device 140 generates a third random number (S ′), and from the storage device 130,
First template: Enc (pk, S (1-2x _i )) (i = 1, ..., n)
Second template: Enc (pk, S (D ₁ -0) + R ₀ ), Enc (pk, S (D ₁ -1) + R ₁ ), ..., Enc (pk, S (D ₁ -t) + R _t ), and hash values: H (R ₀ ), H (R ₁ ), ..., H (R _t )
To get.

The verification device 140 uses the encrypted data of the first template:
Enc (pk, S (1-2x _i )) (i = 1,…, n)… (62)
In contrast, n pieces of encrypted data obtained by performing a scalar operation on the third random number (S ′):
Enc (pk, SS '(1-2x _i )) (i = 1,…, n)… (63)
Is generated and sent to the verification requesting device 120 as a challenge. The verification device 140 preferably selects a different third random number (S ′) each time.

The verification requesting device 120 includes the element (yi) of the binary second vector (Y = [y1,..., Yn)) and the encrypted data transmitted as a challenge from the verification device 140:
Enc (pk, SS '(1-2x _i )) (i = 1,…, n)
The result of multiplying with:
Enc (pk, SS '(1-2x _i ) y _i ) (i = 1,…, n)… (64)
Of the sum (Σ <i = 1, n>) of the divided value (D ₂ ) of the Hamming distance (D) of the first vector X and the second vector Y:
Enc (pk, SS '(Σ <i = 1, n> (1-2xi) y _i )) = Enc (pk, SS' D ₂ )… (65)
Is transmitted to the verification device 140 as a response.

The verification device 140 transmits the encrypted data transmitted as a response from the verification request device 120:
Enc (pk, SS 'D ₂ )
The third random number (S ′) is removed (removed) from the encrypted data (Enc (pk, SS ′ D ₂ )), and the Hamming distance between the first vector X and the second vector Y ( division value D) (D ₂₎ about the encrypted data:
Enc (pk, SD ₂ )… (66)
Ask for.

The collation device 140 encrypts data related to the division value (D ₂ ) of the Hamming distance (D):
Enc (pk, SD ₂ )
And a plurality (for example, t + 1) of encrypted data of the second template
Enc (pk, S (D ₁ -δ) + R _δ ), (δ = 0,…, t)… (67)
Based on the above, the first random number (S) is converted into the difference (D−δ) between the distance D between the first vector X and the second vector Y and the non-negative integer value (δ) with these being encrypted. (S (D-δ)) multiplied by the second random number (R _δ ) and the value (S (D-δ) + R _δ ) multiplied by the fourth random number (b _δ ) Value to be:
b _δ (S (D-δ) + R _δ ) (δ = 0,…, t)… (68)
Encrypted data:
Enc (pk, b _δ (S (D-δ) + R _δ )) (δ = 0,…, t)… (69)
Is generated.

Here, the third random number (S ′) is removed from the encrypted data (Enc (pk, SD ₁ )) and the encrypted data (Enc (pk, SS′D ₂ )) sent as a response from the verification requesting device 120. The cipher data obtained by homomorphically adding the obtained value (Enc (pk, SD ₂ )) is the Hamming distance D (= D ₁ + D ₂₎ between the binary first vector X and the binary second vector Y. ) Encryption data (Enc (pk, SD)).

D = D ₁ + D ₂
D ₁ = Σ <i = 1, n> x _i
D ₂ = Σ <i = 1, n> (1-2x _i ) y _i + Σ <i = 1, n> x _i
… (70)

In addition, the collation device 140 uses the second random number (R _δ ) (δ = 0,..., T) hash value of the second template:
H (R ₀ ), H (R ₁ ),…, H (R _t )
For the second random number (R _δ ), the fourth random number (b _δ ) (δ = 0,..., T) is calculated by performing a scalar operation using the homomorphism of the hash function H (). A plurality (for example, t + 1) hash values of the obtained values:
H (b _δ R _δ ) (δ = 0,…, t) (71)
Is generated.

Here, the input (key) b _δ R _δ of the hash function H () is the distance D in the encrypted data (Enc (pk, b _δ (S (D−δ) + R _δ ), δ = 0,..., T)). Equation (function) f:
f (D) = b _δ (S (D-δ) + R _δ ) (72)
, F (δ) when D = δ.

The encrypted data of the above formula (69) and the hash value of the formula (71) are transmitted as a query to the verification device 150.

The verification device 150 receives the encrypted data of the query received from the verification device:
Enc (pk, b _δ (S (D-δ) + R _δ )), (δ = 0,…, t)
Is decrypted with the secret key (sk) and the hash value of the decrypted value (b _δ (S (D−δ) + R _δ )):
H (b _δ (S (D-δ) + R _δ ) (73)
Calculate The verification device 150 determines whether or not there is a set that satisfies the condition that the hash value (H (b _δ (S (D−δ) + R _δ ))) is equal to the hash value (H (b _δ R _δ )) of the query. To check.

The verification device 150 accepts the query when there is a set that satisfies the condition, and determines that the query is not accepted when there is no set that satisfies the condition.

FIG. 6 is a diagram illustrating an operation sequence of the embodiment described with reference to FIG. In this embodiment, an n-dimensional binary vector
X = [x ₁ , .., x _n ] ∈ {0,1} ⁿ … (74)
Y = [y ₁ , .., y _n ] ∈ {0,1} ⁿ … (75)
For example, the Hamming distance d _H (X, Y) is divided as follows.

D = d _H (X, Y) = Σ <i = 1, n> x _i -2Σ <i = 1, n> x _i y _i + Σ <i = 1, n> y _i
= Σ <i = 1, n> x _i + Σ <i = 1, n> (1-2x _i ) y _i … (76)

D ₁ = Σ <i = 1, n> x _i (77)
D ₂ = Σ <i = 1, n> (1-2x _i ) y _i (78)
D ₁ does not depend on the value of the matching vector Y.

A hash function having homomorphism is preferably used for concealing the distance. When using elliptic Elgamal cryptography as an encryption method (algorithm) having additive homomorphism, the public key (= (G, P) (G is the base point of the elliptic curve E (K) on the finite field K, P = x ( *) G, x is a secret key))
H (z) = z (*) P (79)
And it is sufficient.

First, an overview of processing in each phase will be described. The collation system 100 according to the first exemplary embodiment of the present invention uses a homomorphic encryption method having homomorphism for addition and scalar calculation. For convenience of explanation, the above-mentioned Modified Elgamal encryption is used as the encryption method. Alternatively, elliptic Elgamal encryption or Paillier encryption may be used.

The elliptic Elgamal cipher is defined for a group on an elliptic curve over a finite field.

<Key generation>: Receives elliptic curve parameters a, b, p, q and base point G on the elliptic curve as input, public key pk = (G, H = x (*) G), and secret Output key sk = x. However, the message space is a field Fq = {0, 1,..., Q−1}. In general, a prime number of 128 bits or more is selected for q.

<Encryption>: Public key pk and message m∈Fq are received as input, random number r∈F _q is selected, and ciphertext C = (C [0], C [1]) (80)
Is output. However,
C [0] = r (*) G,… (81)
C [1] = (m (*) G) (+) (r (*) H)… (82)
That is,
C [1] = (m + rx) (*) G… (83)
Meet.

<Decryption>: Secret key sk and ciphertext
C = (C [0], C [1])… (84)
As input,
M = C [1] (-) (sk (*) C [0])… (85)
Is output. That is,
C [1] (-) (sk (*) C [0]) = (m + rx) (*) G (-) x (*) (r (*) G) = m (*) G… (86 )
Meet. The decryption algorithm may return m (*) G instead of the message m.

In the above algorithms, the following notation is used.

Adding points A and B on an elliptic curve: A (+) B
Subtraction of points A and B on an elliptic curve: A (-) B
Z times point A on the elliptic curve: z (*) A
… (87)

Referring to FIG. 6, for example, the generation of the public key pk and the secret key sk (S100) in the preparation phase is as described above. The public key pk is also delivered to the storage device 130.

The registration requesting device 110 generates a first random number (S) when registering the binary vector X = [x ₁ , .., x _n ] ∈ {0,1} ⁿ , and further, for example, t + 1 second random number _{(R 0, R 1, ...} , R t) of the individual to generate a second random number _{(R 0, R 1, ...} , R t) hash value _{(H (R 0), H} ( R ₁ ),..., H (R _t )) are generated. As described above, a hash function having homomorphism is used for hiding the distance. The first calculation result (1-2x _i ) of the elements of the binary first vector (X = [x ₁ ,..., X _n ]) and the second calculation result Σ <i = 1, n> x _i = D ₁ is calculated, and the first random number (S) is multiplied by the first calculation result (1-2x _i ), and the encrypted data (first) is encrypted with the public key (pk). Template) (Enc (pk, S (1-2x ₁ )), Enc (pk, S (1-2x ₂ )), ..., Enc (pk, S (1-2x _n ))) and D _1- Encrypted data obtained by encrypting the value obtained by calculating the first random number (S) and the value obtained by adding the second random number (R _δ ) to δ (δ = 0,..., t) with the public key (pk). And the second random number hash value H (R _δ ) (second template):
{Enc (pk, S (D ₁ -0) + R ₀ ), H (R ₀ )},
{Enc (pk, S (D ₁ -1) + R ₂ ), H (R ₁ )},…,
{Enc (pk, S (D ₁ -t) + R _t ), H (R _t )}
Is generated. The registration request device 110
First template: Enc (pk, S (1-2x _i )) (i = 1,…, n)… (88)
When,
Second template: {Enc (pk, S (D ₁ -δ) + R _δ ), H (R _δ )} (δ = 0, ..., t) (89)
Are transmitted to the storage device 130 (S121).

The storage device 130 receives the first template transmitted from the registration requesting device 110:
Enc (pk, S (1-2x ₁ )),
Enc (pk, S (1-2x ₂ )),…,
Enc (pk, S (1-2x _n ))) and
Second template:
{Enc (pk, S (D ₁ -0) + R ₀ ), H (R ₀ )},
{Enc (pk, S (D ₁ -1) + R ₂ ), H (R ₁ )},…,
{Enc (pk, S (D ₁ -t) + R _t ), H (R _t )}
Are stored in correspondence with the registration identifier Id (S122).

When the verification device 140 receives the verification request (including the verification identifier Id) from the verification request device 120 (S123), the encrypted data stored in association with the Id from the storage device 130:
Enc (pk, S (1-2x ₁ )),
Enc (pk, S (1-2x ₂ )),…,
Enc (pk, S (1-2x _n )))
When,
{Enc (pk, S (D ₁ -0) + R ₀ ), H (R ₀ )},
{Enc (pk, S (D ₁ -1) + R ₂ ), H (R ₁ )},…,
{Enc (pk, S (D ₁ -t) + R _t ), H (R _t )}
Is received (S124).

Furthermore, the collation device 140 generates a third random number S ′ (S125). Then, the collation device 140 performs the scalar operation Scl (S ′, Enc (pk, S (1-2x _i ))) (i = 1,..., N) of the third random number S ′.
Enc (pk, SS '(1-2x _i )) (i = 1,…, n)… (90)
Is transmitted to the verification requesting device 120 (S126). The verification device 140 does not transmit the encrypted data of the random number S ′ to the verification request device 120.

The verification requesting device 120 receives Y = [y ₁ , .., y _n ] ∈ {0,1} ⁿ from the verification device 140.
Enc (pk, SS '(1-2x _i )) (i = 1,…, n)
From the scalar operation Scl (y _i , Enc (pk, SS '(1-2x _i ))),
Enc (pk, SS '(1-2x _i ) y _i ) (i = 1,…, n)… (91)
Ask for. The verification requesting device 120 adds these n (i = 1 to n),
Σ <i = 1, n> Enc (pk, SS '(1-2x _i ) y _i ) = Enc (pk, SS' (Σ <i = 1, n> (1-2x _i ) y _i )) = Enc (pk, SS 'D ₂ )… (92)
Calculate The verification requesting device 120 transmits Enc (pk, SS ′ D ₂ ) to the verification device 140 (S127).

The collation device 140 does not transmit Enc (pk, SS ′) to the collation request device 120. Therefore, the verification requesting device 120 cannot calculate Enc (pk, SS ′ D ₁ ). For this reason, the client cannot impersonate the Hamming distance.

The collation device 140 performs a scalar operation on the reciprocal number S ′ ^ (− 1) of the random number S ′ with respect to Enc (pk, SS ′ D ₂ ) transmitted from the collation request device 120.
Scl (S '^ (-1), Enc (pk, SS' D ₂ ))… (93)
by doing,
Enc (pk, S D ₂ )… (94)
Is calculated.

The verification device 140 uses this Enc (pk, S D ₂ ) and the template registered in the storage device 130.
Enc (pk, S (D ₁ -δ) + R _δ ) (δ = 0,…, t)… (95)
Is obtained by multiplying the difference D-δ from the non-negative integer value δ (δ = 0,..., T) with respect to the Hamming distance D of the first and second vectors by the first random number S. S to (D-δ), the second random number value obtained by adding the _{R δ S (D-δ)} + R δ encrypted data (t + 1 pieces):
Enc (pk, S (D-δ) + R _δ ) (δ = 0,…, t)… (96)
(Where D = D ₁ + D ₂ ).

Furthermore, the collation device 140 generates a random number b _δ (δ = 0,..., T), and the expression (96)
Enc (pk, S (D-δ) + R _δ ) (δ = 0,…, t)
In contrast, a plurality of (eg, t + 1) pieces of encrypted data are obtained by performing a scalar operation on the random number b _δ (δ = 0,..., T).
Enc (pk, b _δ (S (D-δ) + R _δ )) (δ = 0,…, t)… (97)
Ask for.

The collation device 140 further performs a scalar operation from the random number b _δ and the hash value H (R _δ ) of R _δ (δ = 0,..., T) using the homomorphism of the hash function H ().
H (b _δ R _δ ) (δ = 0, ..., t) (98)
Calculate

The collation device 140 uses the encrypted data Enc (pk, b _δ (S (D−δ) + R _δ )) in equation (97) and the hash value H (b _δ R _δ ) (δ = 0) in equation (98). ,..., T) are transmitted as queries to the verification device 150 (S128). Note that the collation device 140 uses the encrypted data Enc (pk, b _δ (S (D−δ) + R _δ )) in Expression (97) and the hash value H (b _δ R _δ ) in Expression (98) ( The t + 1) group may be transmitted by performing random substitution on the order of transmission to the verification device 150 with respect to δ (= 0,..., t), for example.

The verification device 150 uses the encrypted data transmitted as a query from the verification device 140.
Enc (pk, b _δ (S (D-δ) + R _δ )) (δ = 0, ..., t) is decrypted using the secret key sk,
z _δ = Dec (sk, Enc (pk, b _δ (S (D-δ) + R _δ ))) = b _δ (S (D-δ) + R _δ ) (δ = 0,…, t)… (99)
Is obtained (S129).

The verification device 150 further includes a hash value of the decrypted value.
H (b _δ (S (D-δ) + R _δ )) (δ = 0,…, t)… (100)
Ask for. The hash function H () is the same as the hash function H () used in the storage device 130 and the collation device 140 of the server 102.

The verification device 150, the hash value H of the decoded value _{(b δ (S (D-} δ) + R δ)) (δ = 0, ..., t) and, transmitted as a query hash value H (b _[delta] R _[delta] ) (Δ = 0, ..., t)
H (b ₀ (S (D-0) + R ₀ )) = H (b ₀ R ₀ ),
H (b ₁ (S (D-1) + R ₁ )) = H (b ₁ R ₁ ), ...,
H (b _t (S (Dt) + R _t )) = H (b _t R _t )
… (101)
It is checked whether there is a set satisfying (S130).

The verification device 150 accepts if there is one that satisfies the above equation, and rejects if there is no one that satisfies the above equation. The verification result (acceptance, rejection) in the verification device 150 is transmitted to the verification device 140 and the verification request device 120 (S131).

<Apparatus configuration of the first embodiment>
FIG. 7 is a diagram illustrating an example of the configuration of each device according to the first exemplary embodiment. The collation system 100 includes an information processing system such as a computer system. The collation system 100 according to the first exemplary embodiment includes a registration request device 110, a storage device 130, a collation request device 120, a collation device 140, and a verification device 150.

The registration request device 110 includes a registration information extraction unit 111, a template generation unit 112, and a communication unit 113.

The storage device 130 includes a storage device that stores information, and also includes a calculation unit that processes information. That is, the storage device 130 includes an identifier management unit 131, a registration data generation unit 132, a registration data storage unit 133, a registration data search unit 134, and a communication unit 135.

The verification request device 120 includes a verification request generation unit 121, a verification information extraction unit 122, a response generation unit 123, and a communication unit 124.

The collation device 140 includes a registration data acquisition unit 141, a random number generation unit 142, an encrypted data generation unit 143, an encrypted distance calculation unit 144, a query generation unit 145, and a communication unit 146.

The verification device 150 includes a key generation unit 151, a decryption key storage unit 152, a query verification unit 153, a verification result output unit 154, and a communication unit 155. The query verification unit 153 includes a decryption unit 1531, a hash value generation unit 1532, and a match determination unit 1533.

For example, between the registration request device 110 and the storage device 130, between the storage device 130 and the verification device 140, between the verification request device 120 and the verification device 140, and between the verification device 140 and the verification device 150, a communication unit (not shown) Communication connection between transmitter (interface) and receiver (interface)) and communication network (for example, local network (Local Area Network: LAN) or wide area network (Wide Area Network: WAN)) It is good also as a structure. Alternatively, among the registration request device 110, the storage device 130, the verification device 140, the verification request device 120, and the verification device 150, a plurality of devices are mounted in one unit, and each device is connected to a bus (inter-device bus or device). It is good also as a structure couple | bonded by an internal bus. In addition, the registration request device 110, the storage device 130, the verification device 140, and the verification request device 120 include a public key published by the verification device 150 (for example, a pair of an encryption key and a decryption key of the homomorphic encryption method created by the verification device 150). Among the above-mentioned encryption keys).

In the verification system 100, the registration request device 110 and the verification request device 120 may be collectively represented as “first node”. In the verification system 100, the storage device 130 and the verification device 140 may be collectively referred to as “second node”. In the verification system 100, the verification device 150 may be represented as “third node”. For example, the registration request device 110 and the verification request device 120 may be configured as a client device, the storage device 130 and the verification device 140 as a server device, and the verification device 150 as a decryption device connected to the server device.

The operation of the verification system 100 according to the present embodiment will be described. Processing in the collation system 100 according to the first exemplary embodiment of the present invention will be described.

Although not particularly limited, the processing in the matching system 100 is, for example,
・ Preparation phase,
・ Registration phase, and
-It may include a verification phase.

FIG. 8 is a flowchart illustrating an example of processing executed by the verification system 100 according to the first exemplary embodiment in the preparation phase. With reference to FIG. 8, the process which the collation system 100 which concerns on this embodiment performs in a preparation phase is demonstrated.

The key generation unit 151 in the verification device 150 receives the security parameter, and generates an encryption key (public key) pk and a decryption key (secret key) sk using the received security parameter, for example, according to a key generation algorithm. (Step A1). The generated public key and decryption key conform to a public key cryptosystem (for example, ModifiedModElgamal cipher) having homomorphism with respect to addition and scalar multiplication.

The key generation unit 151 discloses the generated public key pk in the verification system 100 (step A2).

The key generation unit 151 stores the generated decryption key sk in the decryption key storage unit 152 (step A3).

Of course, in the verification system 100 according to the present embodiment, the processing executed in the preparation phase is not limited to the mode illustrated in FIG.

FIG. 9 is a flowchart illustrating an example of processing executed by the verification system 100 according to the first exemplary embodiment in the registration phase. With reference to FIG. 9, the process which the collation system 100 which concerns on 1st Embodiment performs in a registration phase is demonstrated.

The registration information extraction unit 111 in the registration request device 110 receives biometric information (also referred to as “registration vector”) from a biometric subject to registration.
X = [x [1],…, x [n]]
Is extracted (step B1). Incidentally, as in the first embodiment, merely for clarity arithmetic _{expressions, x i (i = 1,} ..., n) notation was subscript i in the square brackets x [i] (i = 1 , ..., n).

Next, the template generation unit 112 in the registration request apparatus 110 generates a random number SεFq (B2-1).

The template generation unit 112 outputs the first calculation result (1-2x [i]) of the elements of the binary registration vector (X = [x ₁ ,..., X _n ]) and the second calculation result Σ <i = 1, n> x [i] = D1, and the first random number (S) is multiplied by the first calculation result (1-2x [i]) to obtain the public key (pk) Encrypted data encrypted with (first template):

Enc (pk, S (1-2x [1])), Enc (pk, S (1-2x [2])), ..., Enc (pk, S (1-2x [n]))) (B2-2).

Further, the template generation unit 112 generates a plurality of second random numbers (R [0], R [1],..., R [t]) (B3-1). Note that the processing in step B3-1 may be performed in step B2-1.

The template generation unit 112 performs hash operation values of a plurality of (for example, t + 1) second random numbers (R [0], R [1],..., R [t]):
H (R [0]), H (R [1]),..., H (R [t]) are generated (B3-2).

The template generation unit 112 multiplies D1 (= Σ <i = 1, n> x [i]) − δ (δ = 0,..., T) by the first random number (S), A set of encryption data obtained by encrypting a value obtained by adding the random number (R [δ]) of the public key (pk) and the hash value H (R [δ]) of the second random number (second template):
{Enc (pk, S (D ₁ -0) + R [0]), H (R [0])},
{Enc (pk, S (D ₁ -1) + R [1]), H (R [1])},…,
{Enc (pk, S (D ₁ -t) + R [t]), H (R [t])} is generated (B3-3).

The template generation unit 112 includes a first template (Enc (pk, S (1-2x [i])) (i = 1,..., N)) and a second template ({Enc (pk, S (D ₁ -δ) + R [δ]), H (R [δ])} (δ = 0,..., t)) are generated (B4) and stored in the storage device 130 via the communication unit 113. Transmit (B5).

The storage device 130 receives the first template and the second template transmitted from the registration request device 110 (B6), generates a registration identifier Id in the identifier management unit 131 (B7), and uses the registration identifier Id as the registration request device. 110. The registration data generation unit 132 stores {first template, second template, registration identifier Id} in the registration data storage unit 133.

Enc (pk, S (1-2x [1]]) (represented as = C1 [1])… (102-1)
…,
Enc (pk, S (1-2x [n]]) (represented as = C1 [n])… (102-n)
Enc (pk, S (D ₁ -0) + R [δ]) (= C2 [1])… (103-1)
…,
Enc (pk, S (D ₁ -t) + R [t]) (represented as = C2 [t])… (103-t)

In Modified-Elgamal cryptography, template generator 112 a plurality of number rr1 [1] from the _{Z q, ..., r1 [n} ], and to select the rr1.

The template generation unit 112 reads the generation source g and the value h from the public key pk, and creates the following ciphertext regarding the binary vector X.

(g ^ {r1 [1]}, g ^ {S (1-2x [1])} × h ^ {r1 [1]}) = (C1 [1] [0], C1 [1] [1] ) (= C1 [1])… (104-1)
…,
(g ^ {r1 [n]}, g ^ {S (1-2x [n])} × h ^ {r1 [n]}) = (C1 [n] [0], C1 [n] [1] ) (= C1 [n])… (104-n)

Next, the communication unit 113 of the registration request device 110 receives the registration identifier id from the storage device 130 (step B9).

The registration request device 110 displays the received registration identifier id on a user interface (UI) such as a display (step B10). Alternatively, the registration request device 110 may store the received registration identifier id in an IC (integrated_circuit) card such as an employee ID card or an identifier card.

Next, the registration data generation unit 132 in the storage device 130 generates registration data (B11).

The template corresponding to the registration identifier Id is stored in the registration data storage unit 133 in the storage device 130 (step B12).

In addition, the process which the collation system 100 which concerns on this embodiment performs in a registration phase is not limited to the aspect illustrated in FIG. For example, step B11 and step B12 may be executed prior to step B8. That is, the storage device 130 may store the registration data in the registration data storage unit 133 before transmitting the registration identifier id to the registration request device 110.

Next, the verification phase process executed by the verification system 100 according to the first embodiment will be described with reference to FIG.

The collation requesting device 120 receives an identifier (referred to as “collation identifier”) possessed by the collation (authentication) (step C1).

Next, the verification request generator 121 in the verification request device 120 generates a verification request including the received verification identifier (step C2).

The communication unit 124 of the verification requesting device 120 transmits a verification request to the verification device 140 (step C3).

The communication unit 146 of the verification device 140 receives the verification request from the verification request device 120 (step C4).

Next, the registration data acquisition unit 141 in the verification device 140 generates a registration data request including the verification identifier included in the verification request transmitted from the verification request device 120 (step C5).

The communication unit 146 of the verification device 140 transmits a registration data request to the storage device 130 (step C6).

Next, the communication unit 135 of the storage device 130 receives a registration data request from the verification device 140 (step C7).

The registration data search unit 134 in the storage device 130 includes registration data (also referred to as “target template”) including a verification identifier included in the registration data request among one or a plurality of registration data stored in the registration data storage unit 133. (Step C8).

The communication unit 135 of the storage device 130 includes the template:
Enc (pk, S (1-2x [1])),
Enc (pk, S (1-2x [2])), ...,
Enc (pk, S (1-2x [n])),
Enc (pk, S (D ₁ -0) + R [0]),
Enc (pk, S (D ₁ -1) + R [1]),
Enc (pk, S (D ₁ -2) + R [2]),…,
Enc (pk, S (D ₁ -t) + R [t]) and multiple (eg, t + 1) hash values:
H (R [0]), H (R [1]), ..., H (R [t])
Is transmitted to the verification device 140 (step C9).

The communication unit 146 of the verification device 140 receives the target template from the storage device 130 (step C10).

The random number generation unit 142 of the verification device 140 generates an integer (random number) S′εFq according to a pseudo-random number generation procedure (step C11).

The random number generator 142 preferably generates a different random number S ′ every time a collation request is made.

Next, the cipher data generation unit 143 in the collation device 140 calculates n first templates of the above formulas (102-1) to (102-n) from an additive homomorphic scalar operation rule:
Enc (pk, S (1-2x [1])) (= C1 [1])
…,
Enc (pk, S (1-2x [n])) (= C1 [n])
S 'scalar operation on Scl (S', Enc (pk, S (1-2x [1]))), ..., Scl (S, Enc (pk, S (1-2x [n])))
Therefore, n encrypted data (also called “challenge”):
Enc (pk, SS '(1-2x [1])) (denoted as C3 [1])… (105-1)
...
Enc (pk, SS '(1-2x [n])) (denoted as C3 [n])… (105-n)
Is generated (step C12).

The communication unit 146 of the verification device 140 transmits the encrypted data (C3 [1],..., C3 [n]) to the verification request device 120 (step C13).

The verification requesting device 120 receives the encrypted data (C3 [1],..., C3 [n]) transmitted by the verification device 140 in step C13 (step C14).

Next, the collation information extraction unit 122 in the collation requesting device 120 generates a collation vector (second vector) from the biometric subject to be authenticated.
Y = (y [1], y [2],…, y [n])… (106)
Is extracted (step C15).

Next, the response generation unit 123 in the verification requesting device 120 performs the challenge:
Enc (pk, SS '(1-2x [1])) (C3 [1]), ...
, Enc (pk, SS '(1-2x [n])) (C3 [n])… (107)
Scalar operation of element y [i] of second vector Y = (y [1], y [2], ..., y [n])
Scl (y [i], Enc (pk, SS '(1-2x [i]))) (i = 1,…, n)… (108)
By
Enc (pk, SS '(1-2x [i]) y [i])) (i = 1,…, n)… (109)
Is generated.

Then, the response generation unit 123 uses the additive homomorphism,
Enc (pk, Σ <i = 1, n> SS '(1-2x [i]) y [i]) = Enc (pk, SS'D2) (= CC3)… (110)
Is generated (step C16).

Next, the communication unit 124 of the verification requesting device 120 transmits the response CC2 to the verification device 140 (step C17).

Next, the verification device 140 receives the response from the verification request device 120.
Enc (pk, SS'D ₂ ) (= CC3)
Is received (step C18).

Next, the encryption distance calculation unit 144 of the verification device 140 performs the reciprocal S ′ ^ (− 1 of the random number S ′ with respect to Enc (pk, SS′D2) (= CC3) transmitted from the verification request device 120. ) Scalar operation
Scl (S '^ (-1), Enc (pk, SS' D ₂ ))… (111)
by doing,
Enc (pk, SD ₂ )… (112)
Is calculated.

The encryption distance calculation unit 144 of the collation device 140 adds the second template Enc (pk, S (D ₁ -δ) + R [registered in the storage device 130 to the encrypted data Enc (pk, SD ₂ ). δ]) (δ = 0, ..., t)
Enc (pk, S (D-δ) + R [δ]) (δ = 0,…, t)… (113)
Ask for.

The encryption distance calculation unit 144 of the verification device 140 further obtains a random number b [δ] (δ = 0,..., T) from Enc (pk, S (D−δ) + R [δ], and performs a scalar calculation. By doing so, multiple (eg, t + 1) encrypted data
Enc (pk, b [δ] (S (D-δ) + R [δ])) (δ = 0,…, t)… (114)
Ask for.

The encryption distance calculation unit 144 of the verification device 140 uses the homomorphism of the hash function H () from the hash value H (R [δ]) and the random number b [δ] (δ = 0,..., T). , B [δ] by performing a scalar operation on the hash value H (R [δ]), t + 1 hash values
H (b [δ] R [δ]) (δ = 0, ..., t) (115)
Calculate

The query generation unit 145 of the verification device 140 performs t + 1 pieces of encrypted data of the above formula (112):
Enc (pk, b [δ] (S (D-δ) + R [δ])) (δ = 0, ..., t),
T + 1 hash values of the above formula (113):
H (b [δ] R [δ]) (δ = 0,…, t)
Are generated and transmitted to the verification device 150 via the communication unit 146 (step C21).

The verification device 150 receives the query via the communication unit 155 (step C22).

The decryption unit 1531 of the verification device 150 uses the encrypted data of the query:
Enc (pk, R [0] + S (D-0)),
Enc (pk, R [1] + S (D-1)), ...
Enc (pk, R [t] + S (Dt))
Are decrypted using the secret key (sk) to obtain a plurality of (for example, t + 1) decrypted values z [0],..., Z [t] (step C23).

z [δ] = b [δ] (S (D-δ) + R [δ]) <-Dec (sk, Enc (pk, b [δ] (S (D-δ) + R [δ])) , (δ = 0,…, t)
… (116)

The hash value generation unit 1532 of the verification device 150 uses the hash values of t + 1 decrypted values z [0], ..., z [t].
H (b [δ] (S (D-δ) + R [δ])) (δ = 0,…, t)… (117)
Is calculated (step C24).

The match determination unit 1533 of the verification apparatus 150 uses a plurality (t + 1) of decrypted values z [0],..., Z [t] hash values H (b [δ] (S (D−δ) + R [δ]). )) (Δ = 1,..., T) and the hash value H (b [δ] R [δ]) of the query (δ = 0,.
H (b [0] (S (D-0) + R [0])) = H (R [0])… (118-1)
H (b [1] (S (D-1) + R [1])) = H (R [1])… (118-2)
, ...,
H (b [t] (S (Dt) + R [t])) = H (R [t]) (118-t)
Among these, it is checked whether or not there is an established one (C25).

Based on the determination result of the match determination unit 1533, the verification result output unit 154 rejects if there is no set that satisfies the condition among t + 1 sets of conditions, and if there is one set that satisfies the condition, (The Hamming distance is any one of 0 to t), a verification result to be accepted is generated and output via the communication unit 155.

According to the present embodiment, the challenge transmitted from the verification device 140 to the verification request device 120 includes the encrypted data of a single random number (S) calculated for the elements of the first vector for registration. (Random number (S) alone encrypted data is not sent as a challenge). For this reason, the tolerance with respect to the spoofing attack by the collation request | requirement apparatus 120 grade | etc., Can be improved. Furthermore, the distance D (distance between the binary first vector and the second vector) cannot be calculated by the collation device 140, the verification device 150, or the like in the server 102. That is, the operation of the distance between the registered biometric information and the verification biometric information by the three-part model server is disabled. For this reason, the place which contributes to the tolerance improvement with respect to the impersonation attack, hill climbing attack, etc. which were mentioned above is very large.

<Second Embodiment>
FIG. 11 is a diagram for explaining a second embodiment of the present invention. Referring to FIG. 11, the configuration of the verification system 100 according to the second exemplary embodiment is the same as the configuration of the verification system 100 according to the first exemplary embodiment described with reference to FIG. 5 (however, The processes in the registration request device 110, the verification request device 120, the storage device 130, the verification device 140, and the verification device 150 are different. Below, it demonstrates centering around difference.

The registration requesting device 110 encrypts the first operation result of the elements of the binary first vector (X = [x1,..., Xn]) with the public key (pk):
Enc (pk, (1-2x _i ))) (i = 1,…, n)
And encrypted data obtained by encrypting the second calculation result (Σ <i = 1, n> x _i = D ₁ ) with the public key (pk):
Enc (pk, Σ <i = 1, n> x _i ) = Enc (pk, D ₁ ))
Is transmitted to the storage device 130.

The storage device 130 encrypts data (Enc (pk, (1-2x _i )) transmitted from the registration request device 110.
(I = 1, ..., n)) and the second calculation result (Enc (pk, Σ <i = 1, n> x _i ) = Enc (pk, D ₁ )) as the first and second templates Collectively, store in association with the registration identifier Id.

When the verification device 140 receives the verification request from the verification request device 120, the verification device 140 generates a first random number (S) and stores the first template from the storage device 130:
Enc (pk, 1-2x _i ) (i = 1,…, n)
And the second template:
Enc (pk, D ₁ )
To get.

The collation device 140 then encrypts the first template encrypted data (encrypted data obtained by calculating the first random number (S) while encrypting Enc (pk, (1-2xi):
Enc (pk, S (1-2x _i )) (i = 1,…, n)… (119)
Is sent to the verification requesting device 120 as a challenge.

The verification requesting device 120 uses the element (yi) (i = 1,..., N) of the binary second vector (Y = [y ₁ ,..., Y _n ]).
And encrypted data sent as a challenge
Enc (pk, S (1-2x _i )) (i = 1,…, n)
Operation result with:
Enc (pk, S (1-2x _i ) y _i )
) (Σ <i = 1, n>), the encrypted data of the division value of the Hamming distance D of the first vector (X) and the second vector (Y):
Enc (pk, S (Σ <i = 1, n> (1-2x _i ) yi)) = Enc (pk, SD ₂ )… (120)
Asking. The verification requesting device 120 transmits the encrypted data Enc (pk, SD ₂ ) to the verification device 140 as a response.

When the verification device 140 receives the encrypted data (Enc (pk, S D ₂ )) of the response from the verification request device 120, the homomorphic addition with the second template (Enc (pk, SD ₁ )):
Enc (pk, SD ₁ ) + Enc (pk, SD ₂ ) = Enc (pk, SD)… (121)
Thus, encryption data (Enc (pk, SD)) related to the Hamming distance (D) between the first vector (X) and the second vector (Y) is calculated.

The verification device 140 creates a second random number (R) and encrypts the encrypted data with the public key (pk):
Enc (pk, R)… (122)
Is generated. The collation device 140 uses the encrypted data (Enc (pk, SD)) related to the Hamming distance (D) between the first vector (X) and the second vector (Y) and the encrypted data (Enc) of the second random number (R). Homomorphic addition with (pk, R)):
Enc (pk, SD) + Enc (pk, R) = Enc (pk, SD + R)
By encryption data for query:
Enc (pk, SD + R)… (123)
Create

Further, the collation device 140 uses the first random number (S) and the second random number (R) for the non-negative integer value δ in the range from 0 to the threshold t, and uses the arithmetic (SD + R) finds the value Sδ + R using the same algorithm as the hash value for the query:
H (Sδ + R) (δ = 0, .., t)… (124)
Ask for. In the second embodiment, the hash function H () need not have homomorphism as in the first embodiment.

Input of the hash function H (): Sδ + R is an arithmetic expression of the Hamming distance D in the encrypted data of the query:
f (D) = SD + R (125)
Corresponds to the value f (δ) when D = δ.

The verification device 140 transmits the encrypted data (Enc (pk, SD + R)) regarding the distance (D) and the hash value H (Sδ + R) (δ = 0,... T) to the verification device 150 as a query. .

The verification device 150 uses a hash value of the decrypted value SD + R obtained by decrypting the encrypted data Enc (pk, SD + R) with the decryption key (sk):
H (SD + R)… (126)
Calculate

The verification device 150, regarding the hash value H (SD + R) of the decrypted value SD + R, a plurality (t + 1) of hash values transmitted as a query from the verification device 140:
H (Sδ + R) (δ = 0, ... t) (127)
Out of
H (SD + R) = H (Sδ + R) (128)
Check if there is something that holds. The verification device 150 may be configured to accept if there is a match, and to determine non-acceptance if there is no match.

According to the second exemplary embodiment, when binary vector biometric information is handled, a collation system that does not disclose the distance to a decryptor (verification device) can be realized.

The collation system 100 according to the second exemplary embodiment uses a homomorphic encryption method having homomorphism for addition and scalar calculation. For convenience of explanation, the above-mentioned Modified Elgamal encryption is used as the encryption method. Alternatively, elliptic Elgamal encryption or Paillier encryption may be used.

FIG. 12 is a diagram for explaining the operation sequence of the second embodiment described with reference to FIG. In FIG. 12, the generation of the public key pk and the secret key sk (S100) in the preparation phase is as described with reference to FIG.

Registration request unit 110, a binary vector _{X = [x 1, ..,} x n] ∈ {0,1} n elements for a first calculation result of _{(1-2x i) (i = 1} , ..., n ) Encrypted first template:
Enc (pk, 1-2x ₁ ),…,
Enc (pk, 1-2x _n )… (129)
And a second template obtained by encrypting the first calculation result (Σ <i = 1, n> x _i ):
Enc (pk, Σ <i = 1, n> x _i )… (130)
Is transmitted to the storage device 130 (S141).

The storage device 130 includes first and second templates:
Enc (pk, 1-2x _i ) (i = 1,…, n)
Enc (pk, Σ <i = 1, n> x _i ) = Enc (pk, D ₁ )
Is stored in correspondence with the registration identifier id.

When the verification device 140 receives the verification request (including the registration identifier id) from the verification request device 120 (S142), the first template corresponding to the registration identifier id from the storage device 130:
Enc (pk, 1-2x _i ) (i = 1, ..., n) and the second template:
Enc (pk, D ₁ ) is read (S143).

The collation device 140 generates a first random number (S) (S144), and uses a scalar operation rule for the first and second templates.
Enc (pk, S (1-2x _i )) (i = 1,…, n)… (131)
Produces further
Enc (pk, SD ₁ )… (132)
Is generated.

The collation device 140 is encrypted data:
Enc (pk, S (1-2x ₁ )), ...,
Enc (pk, S (1-2x _n ))… (133)
Is transmitted to the verification requesting device 120 (S145).

The verification requesting device 120 has Y = [y ₁ , .., y _n ] ∈ {0,1} ⁿ and the encrypted data received from the verification device 140:
From Enc (pk, S (1-2x _i )) (i = 1, ..., n), scalar operation Scl (y _i , Enc (pk, S (1-2x _i )))
Enc (pk, S (1-2x _i ) y _i ) (i = 1,…, n)… (134)
And adding these n (i = 1 to n)
Σ <i = 1, n> Enc (pk, S (1-2x _i ) y _i )
= Enc (pk, S (Σ <i = 1, n> (1-2x _i ) y _i ))
= Enc (pk, SD ₂ )… (135)
Calculate The verification requesting device 120 transmits Enc (pk, SD ₂ ) to the verification device 140 (S146).

The verification device 140 does not transmit the encrypted data of the first random number (S) alone to the verification request device 120. Therefore, the verification requesting device 120 cannot calculate Enc (pk, SD ₁ ). For this reason, the client cannot impersonate the Hamming distance.

The collation device 140 adds homomorphism with the second template (Enc (pk, SD ₁ )) to Enc (pk, SD ₂ ) transmitted from the collation request device 120:
Enc (pk, SD ₁ ) + Enc (pk, SD ₂ ) = Enc (pk, SD)… (136)
Thus, the encryption data (Enc (pk, SD)) relating to the distance (D) between the first and second vectors is calculated.

The collation device 140 creates a second random number (R) (S147). The verification device 140 generates encrypted data (Enc (pk, R)) obtained by encrypting the second random number (R) with the public key (pk). Then, the verification device 140 performs homomorphic addition of the encrypted data (Enc (pk, SD)) regarding the distance (D) and the encrypted data (Enc (pk, R)) of the second random number (R) to obtain a query. Encryption data
Enc (pk, SD + R)… (137)
Create The collation device 140 uses a first random number (S) and a second random number (R) for a value (non-negative integer) δ in the range from 0 to a threshold t, and uses a calculation method regarding the distance of the encrypted data in the query ( The value Sδ + R (the value when D is δ in the arithmetic expression (SD + R)) is obtained by the same algorithm as SD + R), and the hash value of the value:
H (Sδ + R)… (138)
Ask for. The verification device 140 transmits the encrypted data Enc (pk, SD + R) regarding the distance (D) and the hash value H (Sδ + R) (δ = 0,... T) to the verification device 150 as the query ( S148).

The verification device 150 decrypts the encrypted data Enc (pk, SD + R) with the decryption key (sk) (S149).
z = Dec (Enc (SD + R)) = SD + R… (139)
Next, the verification device 150 decrypts the encrypted data Enc (pk, SD + R):
z = SD + R
Hash value:
H (z) = H (SD + R)… (140)
Calculate The verification device 150 then receives t + 1 hash values received from the verification device 140:
H (Sδ + R) (δ = 0, ... t) (141)
Is checked to see if there is any equal to H (SD + R) (S150). As a result of the check, if there is H (Sδ + R) equal to H (SD + R), the verification device 150 determines acceptance or non-acceptance if there is no equal pair. The verification result (acceptance, rejection) in the verification device 150 is transmitted to the verification device 140 and the verification request device 120 (S151).

<Apparatus configuration of the second embodiment>
The configuration of each device of the exemplary second embodiment is the same as that of the first embodiment described with reference to FIG. The operation of the verification system 100 according to the second embodiment is different from the first embodiment in the process of the registration phase.

FIG. 13 is a flowchart illustrating an example of processing executed by the verification system 100 according to the first exemplary embodiment in the registration phase. With reference to FIG. 13, the process which the collation system 100 which concerns on 2nd Embodiment performs in a registration phase is demonstrated.

The registration information extraction unit 111 in the registration request device 110 receives biometric information (referred to as “registration vector”) from the biometric subject to registration.
X = [x [1],…, x [n]]… (142)
Is extracted (step B1). As in the first embodiment, the notation x [i] (i = 1, i, i) ..., n)

Next, the template generation unit 112 in the registration request device 110 encrypts 1-2xi (i = 1,..., N) using the public key pk and n ciphertexts.
Enc (pk, 1-2x [1]), ..., Enc (pk, 1-2x [n]) ... (143)
Is generated. The encrypted data generated in step B2 is referred to as a first template.

Next, the template generation unit 112 in the registration request apparatus 110 generates a ciphertext obtained by encrypting x [1] +,... + X [n] using the public key pk (step B3).
Enc (pk, x [1] +,… + x [n])… (144)

The encrypted data generated in step B3 is called a second template.

Enc (pk, 1-2x [1]) (represented as = C1 [1])… (145-1)
…,
Enc (pk, 1-2x [n]) (= C1 [n])… (145-n)
Enc (pk, x [1] +… + x [n]) (represented as CC1)… (146)

In Modified-Elgamal cryptography, template generator 112 a plurality of number rr1 [1] from the _{Z q, ..., r1 [n} ], and to select the rr1.

The template generation unit 112 reads the generation source g and the value h from the public key pk, and creates the following ciphertext regarding the binary vector X.

(g ^ {r1 [1]}, g ^ {1-2x [1]} × h ^ {r1 [1]}) = (C1 [1] [0], C1 [1] [1]) (= C1 [1])… (147-1)
…,
(g ^ {r1 [n]}, g ^ {1-2x [n]} × h ^ {r1 [n]}) = (C1 [n] [0], C1 [n] [1]) (= C1 [n])}})… (147-n)
(g ^{rr1} , g ^{{ x [1] +… + x [n]}} × h ^{rr1} )) = (CC1 [0], CC1 [1]) (= CC1)… (148)

Next, the template generation unit 112 in the registration requesting apparatus 110 collects the first template and the second template into a template (C1 [1],..., C1 [n], CC1) (step B4).

The communication unit 113 of the registration request device 110 is a template
(C1 [1],…, C1 [n], CC1)… (149)
Is transmitted to the storage device 130 (step B5).

The communication unit 135 of the storage device 130 receives the template from the registration request device 110 (step B6).

The identifier management unit 131 in the storage device 130 determines a registration identifier id that is an identifier unique to the template received from the registration requesting device 110 (step B7).

The communication unit 135 of the storage device 130 transmits the registration identifier id to the registration request device 110 (step B8).

Next, the communication unit 113 of the registration request device 110 receives the registration identifier id from the storage device 130 (step B9).

Next, the registration data generation unit 132 in the storage device 130 generates registration data (B11).
A template corresponding to the registration identifier Id is stored in the registration data storage unit 133 in the storage device 130 (step B12).

In the collation phase, the processing in step C19-25 in FIG. 10 is different from that in the first embodiment.

In step C19, the verification device 140 generates a second random number (R) and generates encrypted data (Enc (pk, R)) obtained by encrypting the second random number (R) with the public key (pk). Also, encryption data (Enc (pk, SD)) and encryption data of the second random number (R) regarding the Hamming distance (D) between the first vector (X) for registration and the second vector Y for verification ( Enc (pk, R)) is homomorphically added to create encrypted data for query (Enc (pk, SD + R)).

In step C20, the collation device 140 uses the first random number (S) and the second random number (R) for the non-negative integer value δ that is equal to or less than the threshold t, and uses the arithmetic (SD for the distance D in the encrypted data of the query) A value Sδ + R is calculated by the same algorithm as + R), and a hash value H (Sδ + R) of the value is obtained.

In step C21, the collation device 140 includes the encrypted data Enc (pk, SD + R) relating to the Hamming distance (D) between the first vector (X) for registration and the second vector Y for collation, and the hash value H (Sδ + R) (δ = 0,... T) is transmitted as the query to the verification device 150, and in step C22, the verification device 150 receives the query.

In step C23, the verification device 150 decrypts the encrypted data Enc (pk, SD + R) with the decryption key (sk).

In step C24, the verification device 150 calculates a hash value (H (SD + R)) of the decrypted value SD + R.

In step C25, it is checked whether there is a query hash value (H (Sδ + R) (δ = 0,... T) that is equal to the calculated hash value (H (SD + R)). In some cases, accept and decide not to accept if there is no equal set, according to the second embodiment, in a system for matching binary vector type information, collaborate with a three-party model decryptor. It is possible to provide resistance against hill climbing attacks by attackers.

<Third Embodiment>
As shown in FIG. 14, the verification device 140 may be mounted on a computer device (system) 200. Referring to FIG. 14, a computer apparatus 200 such as a server computer includes a processor (CPU (Central Processing Unit), data processing apparatus) 201, a semiconductor memory (for example, RAM (Random Access Memory), ROM (Read Only Memory), or A storage device 202 including at least one of an EEPROM (Electrically Erasable and Programmable ROM), an HDD (Hard Disk Drive), a CD (Compact Disc), a DVD (Digital Versatile Disc), a display device 203, and a communication interface 204 It has. The communication interface 204 is communicatively connected to the registration request device 110, the verification request device 120, the storage device 130, and the verification device 150. The storage device 202 stores a program that realizes the function of the collation device 140 described in the above embodiment, and the processor 201 reads out and executes the program, so that the function of the collation device 140 in the embodiment is performed. It may be realized. Alternatively, the storage device 202 and, for example, the registration data storage unit 133 of the storage device 130 shown in FIG. 7 are the same storage device, and the processor 201 uses the identifier management unit 131 and the registration data generation unit 132 of the storage device 130 shown in FIG. The processing of the registration data search unit 134 may be further executed. The computer device 200 may be implemented as a cloud server provided to a client as a cloud service.

The registration request device 110 may also be implemented as a computer device 200 that is program-controlled as shown in FIG. The collation requesting device 120 of the above embodiment may also be implemented as the computer device 200. The registration request device 110 and the verification request device 120 may be separate computer systems, or may be configured to perform registration and verification at the same location. Programs that realize the functions of the registration request device 110 and the verification request device 120 shown in FIGS. 5 and 11 are stored in the storage device 202, and the processor 201 reads out and executes the programs so that each of the above-described programs is executed. You may make it implement | achieve the registration request | requirement apparatus 110 and the collation request | requirement apparatus 120 of embodiment. The processor 201 of the registration request device 110 and the verification request device 120 acquires biometric information such as a fingerprint from a sensor (not shown) via the communication interface 204, and uses binary feature vectors X and Y respectively from the acquired biometric information. You may make it extract. Needless to say, the verification apparatus 150 of the embodiment may be realized by a program executed on a computer, as in FIG.

It should be noted that the disclosures of Patent Documents 1-4 and Non-Patent Document 1 described above are incorporated herein by reference. Within the scope of the entire disclosure (including claims) of the present invention, the embodiments and examples can be changed and adjusted based on the basic technical concept. Various combinations or selections of various disclosed elements (including each element of each claim, each element of each embodiment, each element of each drawing, etc.) are possible within the scope of the claims of the present invention. . That is, the present invention of course includes various variations and modifications that could be made by those skilled in the art according to the entire disclosure including the claims and the technical idea.

10, 110 Registration request device 100 Collation system 102 Server 111 Registration information extraction unit 112 Template generation unit 113 Communication unit 114 Conversion value generation unit 20, 120 Verification request device 121 Verification request generation unit 122 Verification information extraction unit 123 Response generation unit 124 Communication Units 30, 130 storage device 131 identifier management unit 132 registration data generation unit 133 registration data storage unit 134 registration data search unit 135 communication unit 136 random number generation unit 137 encryption data generation unit 138 hash value generation unit 40, 140 collation device 141 registration data Acquisition unit 142 Random number generation unit 143 Encryption data generation unit 144 Encryption distance calculation unit 145 Query generation unit 146 Communication unit 147 Conversion coefficient generation unit 148 Hash value generation unit 50, 150 Verification device 151 Key generation unit 152 Decryption key storage unit 153 Query Validation Unit 154 verification result output unit 155 communication unit 156 registration data check unit 200 computer system (computer device)
201 Processor 202 Storage Device 203 Display Device 204 Communication Interface 1531 Decoding Unit 1532 Hash Value Generation Unit 1533 Match Determination Unit

Claims (20)

1. A storage device that receives and stores encrypted data obtained by encrypting the first calculation result and the second calculation result with respect to the elements of the first binary vector for registration from the registration requesting device;
   When a verification request is received from the verification requesting device, the encrypted data obtained by the calculation with the first random number is transmitted to the verification requesting device while the encrypted data of the first calculation result stored in the storage device is encrypted. A matching device to
   The encrypted data transmitted from the verification device is received, and the encrypted data obtained by the calculation with the binary second vector element for verification is transmitted to the verification device while the encrypted data is encrypted. A verification requesting device;
   A verification device;
   With
   The verification device is
   Based on the encrypted data transmitted from the verification requesting device and the encrypted data of the second calculation result stored in the storage device, the first vector and the second Generating encrypted data having a value based on a vector distance and a predetermined arithmetic expression relating to at least the first random number and the second random number;
   When the distance matches a non-negative integer value equal to or less than a predetermined threshold, a hash value of a value that the arithmetic expression takes is generated,
   Send the generated encrypted data and the hash value as a query to the verification device,
   The verification device includes:
   Receiving the query transmitted from the verification device, decrypting the encrypted data of the query with a decryption key to calculate a hash value of a decrypted value, and among the hash values of the query, a hash value of the decrypted value and A collation system characterized by determining whether or not there is an equal thing and determining acceptance or non-acceptance.
2. Generating the first random number and a plurality of the second random numbers;
   A first template consisting of a first group of encrypted data obtained by encrypting an operation result obtained by calculating the first random number to the first operation result relating to the element of the first vector with the encryption key;
   A value obtained by further encrypting a value obtained by calculating the second random number to a value obtained by calculating the second operation result relating to the element of the first vector, the non-negative integer value, and the first random number is encrypted with the encryption key. A second template in which two groups of encrypted data are associated with a plurality of hash values of the second random numbers;
   Produces
   The registration requesting device for transmitting the first and second templates to the storage device;
   The collation system according to claim 1, wherein the storage device stores the first and second templates in a storage unit.
3. The verification device is
   When a verification request is received from the verification requesting device, a third random number is generated,
   Obtaining the first and second templates from the storage device;
   Generating a third group of cipher data obtained by calculating the third random number in the first group of cipher data of the first template and transmitting the generated data to the verification requesting device;
   The verification requesting device includes:
   The sum of the calculation results of the elements of the second vector and the third group of encrypted data transmitted from the verification device is related to the division value of the distance between the first vector and the second vector. As fourth encryption data,
   Sending the fourth encrypted data as a response to the verification device;
   The verification device is
   Based on the encrypted data obtained from the fourth encrypted data transmitted from the verification requesting device and the second group of encrypted data of the second template, the first vector is kept encrypted. And a difference between the distance between the second vector and the non-negative integer value, a value obtained by adding the second random number to a value obtained by calculating the first random number, and further calculating a fourth random number. A fifth group of encrypted data, which is encrypted data of the value of the arithmetic expression obtained by:
   The calculation value of the second random number and the fourth random number corresponding to each encrypted data of the fifth group of encrypted data, wherein the distance matches the non-negative integer value A hash value of the value taken by the expression,
   Produces
   Transmitting the query including a set of each encrypted data of the generated fifth group of encrypted data and the hash value corresponding to each encrypted data to the verification device;
   The verification device includes:
   The fifth group of encrypted data of the query received from the verification device is decrypted with the decryption key to calculate a hash value of the decrypted value, and the hash value of the decrypted value is equal to the hash value of the query Check whether the condition
   The collation system according to claim 2, wherein, when there is a set that satisfies the condition in the query, the query is accepted, and when there is no set that satisfies the condition, the query is not accepted.
4. The collation device applies the cipher data obtained by removing the third random number from the fourth cipher data transmitted as a response from the collation request device, and the second group of cipher data of the second template. The fourth random number is calculated while encrypting the encrypted data obtained by the same type operation to obtain the fifth group of encrypted data,
   A hash value of the operation value of the second random number and the fourth random number is obtained by a homomorphic operation of the hash value of the second random number of the second template and the fourth random number. The collation system according to claim 3.
5. A first group of encrypted data obtained by encrypting the first operation result of the element of the first vector with an encryption key, and second encrypted data obtained by encrypting the second operation result with an encryption key, The registration requesting device for transmitting to the storage device as a second template,
   The collation system according to claim 1, wherein the storage device stores the first and second templates transmitted from the registration requesting device.
6. The verification device is
   Upon receiving a verification request from the verification requesting device, the first random number is created, and the first template and the second template are acquired from the storage device,
   Transmitting the third group of encrypted data obtained by calculating the first random number to the first group of encrypted data of the first template to the verification requesting device;
   The verification requesting device includes:
   The sum of the calculation results of the elements of the second vector and the third group of encrypted data transmitted from the verification device is the first of the division values of the distance between the first vector and the second vector. 4 is obtained as encrypted data, and the fourth encrypted data is transmitted as a response to the verification device,
   When the verification device receives the fourth encrypted data from the verification request device, the verification device generates the second random number,
   From the encrypted data obtained by calculating the first random number on the second encrypted data of the second template and the fourth encrypted data, the first vector and the second vector are encrypted without being encrypted. The fifth encrypted data obtained by computing the distance of the kuttle, the first random number, and the second random number according to the arithmetic expression is created, and the first random number, the second random number, and the non-negative integer are created. From the numerical value, when the distance matches the non-negative integer value, obtain a hash value of the value that the arithmetic expression takes,
   Sending the fifth encrypted data and the hash value as the query to the verification device;
   The verification device includes:
   Decrypting the fifth encrypted data of the query received from the verification device with the decryption key to calculate a hash value of the decrypted value;
   The collation system according to claim 5, wherein if the hash value of the query equal to the hash value of the decrypted value exists, it is accepted, and if it does not exist, it is rejected.
7. A collation connected to a storage device that receives and stores encrypted data obtained by encrypting the first and second operation results with respect to elements of the first binary vector for registration from the registration requesting device with an encryption key. A device,
   A first means for receiving the verification request from the verification requesting device and transmitting the encrypted data obtained by the calculation with the first random number while encrypting the encrypted data of the first calculation result to the verification requesting device;
   The verification request device that receives the transmitted encrypted data and transmits the encrypted data obtained by the calculation with the binary second vector element for verification to the verification device while encrypting the encrypted data A second means for receiving the encrypted data from:
   Based on the encrypted data transmitted from the verification requesting device and the encrypted data of the second calculation result, the distance between the first vector and the second vector is kept at least as encrypted. Generating encrypted data of a value based on a predetermined arithmetic expression relating to the first random number and the second random number;
   A third means for generating a hash value of a value taken by the arithmetic expression when the distance matches a non-negative integer value equal to or less than a predetermined threshold;
   A fourth means for transmitting the generated encrypted data and the hash value as a query to a verification device;
   Decrypting the encrypted data of the query with a decryption key to calculate a hash value of a decrypted value, and determining whether there is a hash value equal to the hash value of the decrypted value among the hash values of the query, Fifth means for receiving a verification result from the verification device for determining acceptance or non-acceptance;
   A collation device characterized by comprising:
8. The storage device stores the first and second templates generated by the registration requesting device, and the first template is:
   The first random number, a plurality of the second random numbers, and the first operation result related to the elements of the first vector are encrypted with the encryption key, and the operation result obtained by calculating the first random number is encrypted. Including a group of encrypted data,
   The second template is
   A value obtained by further encrypting a value obtained by calculating the second random number to a value obtained by calculating the second operation result relating to the element of the first vector, the non-negative integer value, and the first random number is encrypted with the encryption key. Including two groups of encrypted data and a hash value of the second random number;
   The first means includes
   When a verification request is received from the verification request device, a third random number is created, and the first and second templates are acquired from the storage device,
   Generating a third group of cipher data obtained by calculating the third random number in the first group of cipher data of the first template and transmitting the generated data to the verification requesting device;
   The second means includes
   The sum of the calculation results of the elements of the second vector and the third group of encrypted data transmitted from the verification device is related to the division value of the distance between the first vector and the second vector. Obtaining the fourth encrypted data from the verification requesting device that transmits the fourth encrypted data as a response to the verification device;
   The third means includes
   Based on the encrypted data obtained from the fourth encrypted data transmitted from the verification requesting device and the second group of encrypted data of the second template, the first vector is kept encrypted. And a difference between the distance between the second vector and the non-negative integer value, a value obtained by adding the second random number to a value obtained by calculating the first random number, and further calculating a fourth random number. A fifth group of encrypted data that is encrypted data of the value of the arithmetic expression;
   When the distance is equal to the non-negative integer value corresponding to each encrypted data of the fifth group of encrypted data, the calculated value is the second random number and the fourth random number. A hash value of the value taken by the expression,
   Produces
   The fourth means includes
   Transmitting the query including a set of each cryptographic data of the fifth group of cryptographic data generated by the third means and the hash value to the verification device;
   The fifth means includes
   Whether the fifth group of encrypted data of the query is decrypted with the decryption key to calculate a hash value of the decrypted value, and whether or not the condition that the hash value of the decrypted value is equal to the hash value of the query is satisfied Checking, and receiving a verification result from the verification device that determines accepting when there is a set that satisfies the condition in the query, and determining that it is unacceptable when there is no set that satisfies the condition. The collation apparatus according to claim 7, wherein the collation apparatus is characterized.
9. The third means includes
   Obtained by performing a homomorphic operation on encrypted data obtained by removing the third random number from the fourth encrypted data transmitted as a response from the verification requesting device and the second group of encrypted data of the second template. The fourth random number is calculated while encrypting the encrypted data to obtain the fifth group of encrypted data,
   A hash value of the operation value of the second random number and the fourth random number is obtained by a homomorphic operation of the hash value of the second random number of the second template and the fourth random number. The verification device according to claim 8.
10. The storage device stores the first and second templates generated by the registration requesting device, and the first template is:
    A first group of encrypted data obtained by encrypting the first operation result of the elements of the first vector with an encryption key;
    The second template is
    Second encrypted data obtained by encrypting the second operation result of the element of the first vector with an encryption key;
    The first means includes
    Upon receipt of a collation request from the collation requesting device, the first random number is generated, the first template and the second template are acquired from the storage device, and the first group of ciphers of the first template is obtained. Transmitting the third group of encrypted data obtained by calculating the first random number to the data to the verification requesting device;
    The second means includes
    The sum of the calculation results of the elements of the second vector and the third group of encrypted data transmitted from the verification device is the first of the division values of the distance between the first vector and the second vector. 4 and receiving the fourth encrypted data from the verification requesting device that transmits the fourth encrypted data as a response to the verification device;
    The third means includes
    When the fourth encrypted data is received from the verification requesting device, the second random number is generated, and the first encrypted data obtained by calculating the first random number on the second encrypted data of the second template and the second From the encryption data of 4, the distance between the first vector and the second vector, the first random number, and the second random number are calculated according to the arithmetic expression while being encrypted. A hash value of a value that the arithmetic expression takes when the fifth encrypted data is created and the distance matches the non-negative integer value from the first random number, the second random number, and the non-negative integer value Seeking
    The fourth means includes
    Sending the fifth encrypted data and the hash value as the query to the verification device;
    The fifth means includes
    The fifth encrypted data of the query is decrypted with the decryption key to calculate a hash value of a decrypted value, and if the hash value of the query equal to the hash value of the decrypted value exists, it is accepted and does not exist The verification apparatus according to claim 7, wherein a verification result is received from the verification apparatus that determines non-acceptance.
11. First, the encrypted data obtained by encrypting the first calculation result and the second calculation result relating to the elements of the first binary vector for registration from the registration requesting device with the encryption key is received and stored in the storage device. Process,
    When the collation device receives a collation request from the collation requesting device, the encryption data obtained by the operation with the first random number is transmitted to the collation requesting device while the encrypted data of the first calculation result is encrypted. And the process of
    The verification requesting device receives the encrypted data transmitted from the verification device, and encrypts the encrypted data obtained by calculation with the binary second vector element for verification while encrypting the encrypted data. A third step of transmitting to the verification device;
    Based on the cipher data transmitted from the collation requesting device and the cipher data of the second calculation result, the collation device encrypts the first vector and the second vector while encrypting them. Generating encrypted data having a value based on a distance and a predetermined arithmetic expression relating to at least the first random number and the second random number;
    When the distance matches a non-negative integer value equal to or less than a predetermined threshold value, a hash value of the value taken by the arithmetic expression is generated,
    A fourth step of transmitting the generated encrypted data and the hash value as a query to a verification device;
    The verification device receives the query transmitted from the verification device, decrypts the encrypted data of the query with a decryption key, calculates a hash value of a decrypted value, and among the hash values of the query, the decryption A fifth step of determining whether there is a value equal to the hash value of the value and determining acceptance or non-acceptance;
    The collation method characterized by including.
12. In the first step,
    The registration requesting device generates the first random number and a plurality of the second random numbers, and calculates a calculation result obtained by calculating the first random number as the first calculation result related to an element of the first vector. A first template comprising a first group of encrypted data encrypted with the encryption key;
    A value obtained by further encrypting a value obtained by calculating the second random number to a value obtained by calculating the second operation result relating to the element of the first vector, the non-negative integer value, and the first random number is encrypted with the encryption key. Generating a second template in which two groups of encrypted data and the hash value of the second random number are associated with each other, and transmitting the second template to the storage device;
    The collation method according to claim 11, wherein the storage device stores the first and second templates in a storage unit.
13. In the second step,
    When receiving the verification request from the verification requesting device, the verification device creates a third random number, acquires the first and second templates from the storage device,
    Generating a third group of cipher data obtained by calculating the third random number in the first group of cipher data of the first template and transmitting the generated data to the verification requesting device;
    In the third step,
    The collation requesting device calculates the sum of the operation results of the second vector element and the third group of encrypted data transmitted from the collating device as the first vector and the second vector. As the fourth encrypted data related to the division value of the distance, and transmits the fourth encrypted data as a response to the verification device,
    In the fourth step,
    The collation device is based on the cipher data obtained from the fourth cipher data transmitted from the collation request device and the second group of cipher data of the second template, and encrypts them, A value obtained by adding the second random number to a value obtained by calculating the first random number to the difference between the distance between the first vector and the second vector and the non-negative integer value, and a fourth random number Encryption data of the fifth group, which is encryption data of the value of the arithmetic expression obtained by calculating
    A calculation value of the second random number and the fourth random number, and a hash value of a value taken by the calculation formula when the distance matches the non-negative integer value,
    Transmitting the query including a set of the hash data corresponding to each encrypted data of the generated fifth group of encrypted data to the verification device;
    In the fifth step,
    The verification device decrypts the encrypted data of the fifth group of the query received from the verification device with the decryption key to calculate a hash value of the decrypted value, and the hash value of the decrypted value and the hash of the query Check whether the condition is equal to the value,
    The collation method according to claim 12, wherein, in the query, accepting is performed when there is a set that satisfies the condition, and determining non-acceptance when there is no set that satisfies the condition.
14. In the fourth step,
    The collation device applies the cipher data obtained by removing the third random number from the fourth cipher data transmitted as a response from the collation request device, and the second group of cipher data of the second template. The fourth random number is calculated while encrypting the encrypted data obtained by the same type operation to obtain the fifth group of encrypted data,
    A hash value of the operation value of the second random number and the fourth random number is obtained by a homomorphic operation of the hash value of the second random number of the second template and the fourth random number. The collation method according to claim 13.
15. In the first step,
    The registration requesting device includes a first group of encrypted data obtained by encrypting the first operation result of the first vector element with an encryption key, and a second group obtained by encrypting a second operation result with the encryption key. Sending the encrypted data as the first and second templates to the storage device;
    The collation method according to claim 11, wherein the storage device stores the first and second templates transmitted from the registration requesting device.
16. In the second step,
    When the verification device receives a verification request from the verification request device, the verification device creates the first random number, acquires the first template and the second template from the storage device, and stores the first template in the first template. Transmitting the third group of encrypted data obtained by calculating the first random number to the first group of encrypted data to the verification requesting device;
    In the third step,
    The verification requesting device calculates the sum of the operation results of the elements of the second vector and the third group of encrypted data transmitted from the verification device, and calculates the sum of the first vector and the second vector. Obtained as fourth encrypted data of the distance division value, and transmits the fourth encrypted data as a response to the verification device;
    In the fourth step,
    When the verification device receives the fourth encrypted data from the verification requesting device, the verification device generates the second random number, and calculates the first random number for the second encrypted data of the second template. From the encrypted data and the fourth encrypted data, the calculation is performed by calculating the distance between the first vector and the second vector, the first random number, and the second random number while encrypting them. When the fifth encrypted data calculated according to the formula is created, and the distance matches the non-negative integer value from the first random number, the second random number, and the non-negative integer value, the calculation formula is Find the hash value of the value
    Sending the fifth encrypted data and the hash value as the query to the verification device;
    In the fifth step,
    The verification device includes:
    Decrypting the fifth encrypted data of the query received from the verification device with the decryption key to calculate a hash value of the decrypted value;
    The collation method according to claim 15, wherein if the hash value of the query that is equal to the hash value of the decrypted value exists, the query is accepted, and if it does not exist, non-acceptance is determined.
17. A computer connected to a storage device that receives and stores encrypted data obtained by encrypting the first calculation result and the second calculation result with respect to the elements of the first binary vector for registration from the registration requesting device with an encryption key. In addition,
    A first process for receiving the verification request from the verification requesting device and transmitting the encrypted data obtained by the calculation with the first random number while encrypting the encrypted data of the first calculation result to the verification requesting device;
    From the verification request device that receives the transmitted encrypted data and transmits the encrypted data obtained by the calculation with the binary second vector element for verification to the verification device while encrypting the encrypted data. A second process of receiving the encrypted data;
    Based on the encrypted data transmitted from the verification requesting device and the encrypted data of the second calculation result, the distance between the first vector and the second vector is kept at least as encrypted. Generating encrypted data of a value based on a predetermined arithmetic expression relating to the first random number and the second random number;
    A third process of generating a hash value of a value taken by the arithmetic expression when the distance matches a non-negative integer value equal to or less than a predetermined threshold;
    A fourth process of transmitting the generated encrypted data and the hash value as a query to a verification device;
    Decrypting the encrypted data of the query with a decryption key to calculate a hash value of a decrypted value, and determining whether there is a hash value equal to the hash value of the decrypted value among the hash values of the query, A fifth process of receiving a verification result from the verification device for determining acceptance or non-acceptance;
    A program that executes
18. The storage device stores the first and second templates generated by the registration requesting device, and the first template is:
    The first random number, a plurality of the second random numbers, and the first operation result related to the elements of the first vector are encrypted with the encryption key, and the operation result obtained by calculating the first random number is encrypted. Including a group of encrypted data,
    The second template is
    A value obtained by further encrypting a value obtained by calculating the second random number to a value obtained by calculating the second operation result relating to the element of the first vector, the non-negative integer value, and the first random number is encrypted with the encryption key. Two groups of encrypted data;
    Including a hash value of the second random number;
    The first process includes
    When a verification request is received from the verification request device, a third random number is created, and the first and second templates are acquired from the storage device,
    Generating a third group of cipher data obtained by calculating the third random number in the first group of cipher data of the first template and transmitting the generated data to the verification requesting device;
    The second process includes
    The sum of the calculation results of the elements of the second vector and the third group of encrypted data transmitted from the verification device is related to the division value of the distance between the first vector and the second vector. Obtaining the fourth encrypted data from the verification requesting device that transmits the fourth encrypted data as a response to the verification device;
    The third process includes
    Based on the encrypted data obtained from the fourth encrypted data transmitted from the verification requesting device and the second group of encrypted data of the second template, the first vector is kept encrypted. And a difference between the distance between the second vector and the non-negative integer value, a value obtained by adding the second random number to a value obtained by calculating the first random number, and further calculating a fourth random number. A fifth group of encrypted data that is encrypted data of the value of the arithmetic expression;
    When the distance is equal to the non-negative integer value corresponding to each encrypted data of the fifth group of encrypted data, the calculated value is the second random number and the fourth random number. A hash value of the value taken by the expression,
    Produces
    The fourth process includes
    Transmitting the query including a set of each encrypted data and the hash value of the fifth group of encrypted data generated by the third process to the verification device;
    The fifth process includes
    Each encrypted data of the fifth group of encrypted data of the query is decrypted with the decryption key to calculate a hash value of a decrypted value, and a condition that the hash value of the decrypted value and the hash value of the query are equal Check whether the condition is satisfied, and accept the verification result when there is a pair that satisfies the condition, and receive the verification result from the verification device that determines that the condition is not satisfied when the combination that satisfies the condition does not exist The program according to claim 17.
19. The third process includes
    Obtained by performing a homomorphic operation on encrypted data obtained by removing the third random number from the fourth encrypted data transmitted as a response from the verification requesting device and the second group of encrypted data of the second template. The fourth random number is calculated while encrypting the encrypted data to obtain the fifth group of encrypted data,
    A hash value of the operation value of the second random number and the fourth random number is obtained by a homomorphic operation of the hash value of the second random number of the second template and the fourth random number. The program according to claim 18.
20. The storage device stores the first and second templates generated by the registration requesting device, and the first template is:
    A first group of encrypted data obtained by encrypting the first operation result of the elements of the first vector with an encryption key;
    The second template is
    Second encrypted data obtained by encrypting the second operation result of the element of the first vector with an encryption key;
    The first process includes
    Upon receipt of a collation request from the collation requesting device, the first random number is generated, the first template and the second template are acquired from the storage device, and the first group of ciphers of the first template is obtained. Transmitting the third group of encrypted data obtained by calculating the first random number to the data to the verification requesting device;
    The second process includes
    The sum of the calculation results of the elements of the second vector and the third group of encrypted data transmitted from the verification device is the first of the division values of the distance between the first vector and the second vector. 4 and receiving the fourth encrypted data from the verification requesting device that transmits the fourth encrypted data as a response to the verification device;
    The third process includes
    When the fourth encrypted data is received from the verification requesting device, the second random number is generated, and the first encrypted data obtained by calculating the first random number on the second encrypted data of the second template and the second From the encryption data of 4, the distance between the first vector and the second vector, the first random number, and the second random number are calculated according to the arithmetic expression while being encrypted. A hash value of a value that the arithmetic expression takes when the fifth encrypted data is created and the distance matches the non-negative integer value from the first random number, the second random number, and the non-negative integer value Seeking
    The fourth process includes
    Sending the fifth encrypted data and the hash value as the query to the verification device;
    The fifth process includes
    The fifth encrypted data of the query is decrypted with the decryption key to calculate a hash value of a decrypted value, and if the hash value of the query equal to the hash value of the decrypted value exists, it is accepted and does not exist 18. The program according to claim 17, wherein a verification result is received from the verification device that determines non-acceptance.

Images