WO2018174063A1 - Collation system, method, device, and program - Google Patents

Publication number
WO2018174063A1
WO2018174063A1 PCT/JP2018/011049 JP2018011049W WO2018174063A1 WO 2018174063 A1 WO2018174063 A1 WO 2018174063A1 JP 2018011049 W JP2018011049 W JP 2018011049W WO 2018174063 A1 WO2018174063 A1 WO 2018174063A1
Authority
WO
WIPO (PCT)
Prior art keywords
encrypted data
verification
random number
value
vector
Prior art date
Application number
PCT/JP2018/011049
Other languages
English (en)
Japanese (ja)
Inventor
春菜 肥後
寿幸 一色
Original Assignee
日本電気株式会社
Application filed by 日本電気株式会社
Publication of WO2018174063A1

Definitions

  • the present invention is based on the priority claim of Japanese Patent Application No. 2017-054406 (filed on Mar. 21, 2017), the entire contents of which are incorporated herein by reference.
  • the present invention relates to a verification system, method, apparatus, and program.
  • the authentication target is accepted when the authentication biometric information created based on the biometric subject to authentication and the template stored in the database are similar (or coincident).
  • the authentication target is not accepted when the biometric information for authentication and the template are not similar (or matched).
  • the biometric information for authentication acquired by a sensor or the like changes little by little even when the biometric information for the same person as the biometric information for registration is extracted. Even if a plurality of pieces of biometric information for authentication are created from a single living body, the plurality of pieces of biometric information for authentication do not always match each other.
  • the distance between the plurality of pieces of biometric information for authentication created from the same living body is short.
  • the distance between a plurality of pieces of authentication biometric information created from different living bodies is long.
  • the biometric authentication technology collates the template stored in the database with the authentication information created for the authentication target by using the above characteristics. For example, fingerprints, veins, etc. are examples of biometric information, and are data that does not change throughout life. The damage caused when biometric information is leaked outside the verification system is significant. For this reason, the biometric information is one piece of information that requires confidentiality.
  • a template-protective biometric authentication technique that prevents the biometric information from leaking to the outside of the verification system is important.
  • the notation such as the encryption algorithm used in this specification will be described.
  • public key cryptography will be described.
  • the public key cryptosystem is represented by three algorithms (Gen, Enc, Dec): key generation, encryption, and decryption.
  • the key generation algorithm (indicated as “Gen”) outputs a public key pk and a secret key sk based on the security parameter 1 ⁇ ⁇ . (pk, sk) ⁇ Gen (1 ⁇ ⁇ )
  • the encryption algorithm receives the public key pk and plaintext m and outputs ciphertext c: c ← Enc (pk, m)
  • the decryption algorithm receives the secret key sk and ciphertext c, and outputs a decryption result m ′.
  • where it is clear from the context, the keys may be omitted and the notation abbreviated to Enc (m) and Dec (c) (it is abbreviated in the drawings).
  • Homomorphic encryption is public key cryptography that can calculate the ciphertext of the operation result of plaintext from a plurality of ciphertexts. For example, ciphertext Enc (m 1 + ...
  • FIG. 1 is a diagram for explaining an example of related technology of a three-party model biometric authentication system (see, for example, the ciphertext matching system disclosed in Patent Document 1). Note that the registration request device 10 and the verification request device 20 on the client 11 side may be the same device. In the system of FIG. 1, the preparation phase is as follows.
  • the decryption apparatus 50 generates a key and generates a public key (pk) and a secret key (sk) of the homomorphic encryption.
  • the decryption device 50 transmits the public key to the registration request device 10, the verification request device 20, and the server 12.
  • the decryption device 50 is also referred to as a “verification device” when, in addition to decrypting, it verifies from the decryption result whether the biometric information for verification and the biometric information for registration are similar (match).
  • the registration phase is as follows.
  • the registration requesting device 10 generates registration data Enc (pk, Z) obtained by encrypting the feature vector Z of biometric information for registration using the public key pk.
  • the registration requesting apparatus 10 transmits registration data Enc (pk, Z) to the server 12.
  • the server 12 registers the registration data Enc (pk, Z) in the storage device 30.
  • the verification phase is as follows.
  • the collation requesting device 20 generates collation data Enc (pk, Z ′) obtained by encrypting the feature vector Z ′ of the biometric information for collation using the public key pk.
  • the verification requesting device 20 transmits the verification data Enc (pk, Z ′) to the server 12. If the registration requester and the verification requester are the same person, the distance between the two feature vectors Z and Z 'is close, and the distance between the feature vectors Z and Z' of different persons is long.
  • the collation device 40 of the server 12 uses the homomorphism of the encryption algorithm to calculate the encrypted distance data Enc (pk, d (Z, Z ′)) while the data remain encrypted.
  • d (a, b) represents the distance between a and b.
  • the server 12 transmits a query including the encrypted distance data Enc (pk, d (Z, Z ′)) to the decryption device 50.
  • the decryption device 50 decrypts the encrypted distance data Enc (pk, d (Z, Z ')) using the secret key sk, and obtains a decryption result d (Z, Z').
  • the decryption result d (Z, Z ′) indicates distance information.
  • the decryption device 50 confirms whether or not the decryption result d (Z, Z ′) is equal to or less than a predetermined threshold value t. As a result of the confirmation, when the decryption result d (Z, Z ′) is equal to or smaller than the threshold value t, the decryption device 50 transmits an acceptance (OK) to the server 12.
  • otherwise, the decryption device 50 transmits a rejection (no good: NG) to the server 12.
  • the server 12 outputs an acceptance to the verification requesting device 20 if the response of the decryption device 50 is OK, and outputs an unacceptance to the verification requesting device 20 if the response of the decryption device 50 is NG.
  • the input data to be concealed is encrypted using an encryption key, and a registration data generation unit that outputs registration data, and the registration data is uniquely stored in the ciphertext storage unit.
  • a storage device for storing identifiers for identification in the identifier storage unit so that the correspondence can be recognized, a data verification request generating unit for encrypting input data to be verified using an encryption key and outputting verification data, and registration A distance calculation unit that outputs encrypted distance data using an encryption key from the data and verification data, a decryption unit that decrypts the encrypted distance data using a decryption key and generates distance data, and a random number from the distance data
  • the ciphertext verification system is disclosed which is adapted information about the data does not leak.
  • the registration information of a user encrypted using an encryption algorithm that can calculate the Hamming distance in an encrypted state is stored between the registration information and the verification information encrypted using the encryption algorithm.
  • the calculation result of the Hamming distance is converted so as to include the Hamming distance between the verification information and the user, and the Hamming distance between the verification information and another person different from the user, and the input verification information and the converted registration information
  • the comparison result of the Hamming distance between the collation information and the user included in the calculated Hamming distance the Hamming distance between the collation information and another person different from the user, and a preset threshold value included in the calculated Hamming distance
  • a method for determining whether or not input collation information is illegal is disclosed.
  • Patent Document 4 describes a technology in which the size of the template does not depend on the parameter of the range of the acceptable range and the load on the third party is small.
  • the distance from the biometric information that is a target to be compared with the registered biometric information is disclosed to a third party. It is known that a malicious third party can perform an attack (hill climbing attack) by using the distance obtained at the time of collation.
  • the main safety of confidential biometric authentication is as follows.
  • A) Unrecoverable feature: this refers to the property that the original biological information cannot be restored from the template.
  • the method of accepting by sending the same value (for example, 0 ciphertext) to any template may not have the resistance to spoofing attacks.
  • a method capable of restoring the feature quantity can perform authentication using the restored feature quantity. For this reason, it is not resistant to spoofing attacks.
  • a semi-honest attacker is assumed as the attacker. That is, the attacker always operates according to the algorithm indicated by the method, and tries to take more information from the obtained information.
  • the biometric information registered by, for example, a hill climbing attack can be restored.
  • Hill climbing attacks are well-known attack methods in the biometrics field.
  • a first distance d (Z, Z ′) (Z is a feature vector extracted from biometric information for registration) with respect to the feature vector Z ′ generated using a certain feature vector Z ′ is obtained.
  • a second distance d (Z, Z ′′) with the feature vector Z of the registered biometric information with respect to Z ′′ obtained by modifying a part of the feature vector Z ′ (for example, inverted by 1 bit) is obtained.
  • the modification brings the feature vector Z ′′ closer to the feature vector Z of the registered biometric information.
  • when the second distance d (Z, Z ′′) is larger than the first distance d (Z, Z ′), it means that the modification moved the feature vector Z ′′ away from the feature vector Z of the registered biometric information. It is known that by repeating such an action, it is possible to restore the feature vector Z from the registered data (or the feature vector Z ′ from the authentication (collation) data) with a relatively small amount of calculation.
  • FIGS. 2A to 2C are diagrams schematically illustrating an example of the above-described hill climbing attack (assuming that biological information is two-dimensional coordinates).
  • as shown in FIGS. 2A to 2C, when an attacker can select the biometric information used for authentication (verification) and obtain the distance between the biometric information for verification and the registered biometric information, the attacker can restore the registered biological information by repeating authentication (collation).
  • when the decryptor can calculate the distance, the system is vulnerable to a hill climbing attack by an attacker colluding with the decryptor.
  • the decryptor determines an authentication result (acceptance, non-acceptance) from the distance between the registered biometric information and the biometric information to be verified.
  • An attacker who can know the distance obtained by the decryptor and the biological information used for authentication (collation) can restore the registered biological information. This is the case when an attacker colluding with a decryptor tries to authenticate (verify) by pretending to be a client. For this reason, it can be said that it is a realistic attack.
  • when the server can manipulate the distance, the system is vulnerable to hill climbing attacks by attackers colluding with the server.
  • the server can try collation (authentication) by manipulating the distance.
  • an attacker who can know the biological information used for collation can restore the registered biological information.
  • the space of the distance between the registered biometric information and the feature vector of the verification biometric information is narrower than the biometric information space and is easier to hit than the biometric information.
  • the distance between the registered biometric information and the biometric feature vector can be calculated by trying the collation by manipulating the distance.
  • the registered biometric information and the matching biometric information are obtained by querying a decryptor (for example, the decryption device 50 in FIG.
  • in Non-Patent Document 1, a method has been proposed that satisfies all three of the following security properties: security against attackers colluding with servers and users; security against attackers colluding with decryptors and users; and security such that eavesdroppers cannot impersonate users.
  • the biometric information for verification is accepted as being identical or similar to the biometric information for registration.
  • the verification requesting device 20 sends a ciphertext having a value of 0 as the distance D2
  • the verification biometric information is identical or similar to the registration biometric information. It will not be accepted. This is due to the following reason.
  • the verification requesting device 20 calculates D 2 that is one of the divided distances, and sends the encrypted D 2 to the verification device 40 (server).
  • FIG. 3 is a diagram for explaining an operation sequence of the system based on Non-Patent Document 1. First, the outline of the operation of each algorithm of Modified-Elgamal encryption will be described.
  • the key generation algorithm first receives a security parameter 1 ⁇ ⁇ as input.
  • the encryption algorithm first receives the public key pk and message m as input.
  • the decryption algorithm may return g^m instead of message m. If Modified-Elgamal encryption is used, the ciphertext corresponding to addition of plaintexts or multiplication by a constant can be calculated while the data remain encrypted.
  • the verification device 50 generates a public key pk and a secret key sk using the security parameter 1 ⁇ ⁇ , and publishes the public key pk (S100).
  • the distance d E 2 (X, Y) between registered data (n-dimensional vector) and collation data (n-dimensional vector) is divided as described above.
  • the collation request device 20 transmits a collation request to the collation device 40 (S102).
  • the collation request device 20 generates random numbers R 0 , R 1 , ..., R t .
  • Enc (pk, S Σ<i = 1, n> y i ^2) ... (25) is generated.
  • Scl ((−2y i ), Enc (pk, Sx i )) (i = 1, ..., n)
  • the verification requesting device 20 performs a homomorphic encryption addition operation.
  • the collation request device 20 transmits the hash values H (R 0 ), H (R 1 ), ..., H (R t ) ... (33) of the random numbers R 0 , R 1 , ..., R t as a response to the collation device 40 (S116).
  • the hash values H (R 0 ), H (R 1 ), ..., H (R t ) are transmitted to the collation device 40.
  • the collation device 40 performs a scalar operation with the random number S on the template Enc (pk, D 1 ) of the storage device 30 to obtain Enc (pk, SD 1 ) ... (34).
  • the collation device 40 receives a response from the verification request device 20.
  • the collation device 40 transmits Enc (pk, R 0 + S (D 1 + D 2 − 0)), Enc (pk, R 1 + S (D 1 + D 2 − 1)), ..., Enc (pk, R t + S (D 1 + D 2 − t)), together with the hash values H (R 0 ), H (R 1 ), ..., H (R t ) transmitted as a response from the verification requesting device 20, to the verification device 50 as a query (S117).
  • the encrypted data of the query from the collation device 40, Enc (pk, R 0 + S (D − 0)), Enc (pk, R 1 + S (D − 1)), ..., Enc (pk, R t + S (D − t)), are decrypted using the secret key (sk) (S118).
  • z 0 = R 0 + S (D − 0) ← Dec (sk, Enc (pk, R 0 + S (D − 0)))
  • z 1 = R 1 + S (D − 1) ← Dec (sk, Enc (pk, R 1 + S (D − 1)))
  • z t = R t + S (D − t) ← Dec (sk, Enc (pk, R t + S (D − t))) ...
  • the hash values H (R 0 + S (D − 0)), H (R 1 + S (D − 1)), ..., H (R t + S (D − t)) ... (38) are calculated.
  • the biometric information registered by the hill climbing attack can be restored if the attacker obtains the biometric information and distance used for authentication.
  • Non-Patent Document 1 multi-value vectors are targeted as biological information.
  • one of the objects of the present invention is to provide a system, an apparatus, a method, and a program that are resistant to at least a hill climbing attack by an attacker who colludes with the decryptor of a three-party model when collating binary vector information.
  • another object of the present invention, in addition to the above-described object, is to provide a system, apparatus, method, and program that prevent the server of the three-party model from manipulating the distance between registered biometric information and collation biometric information.
  • the verification system encrypts the first calculation result and the second calculation result relating to the elements of the binary first vector for registration from the registration requesting device with the encryption key, respectively.
  • a storage device that receives and stores the encrypted data, and upon receiving a verification request from the verification requesting device, the encrypted data obtained by the calculation with the first random number while the encrypted data of the first calculation result is encrypted Obtained by calculation with a collation device to be transmitted to the collation request device, and the encrypted data transmitted from the collation device, with the encrypted data encrypted and with the elements of the binary second vector for collation
  • the verification request device that transmits the encrypted data to the verification device, and a verification device are provided.
  • based on the encrypted data transmitted from the verification requesting device and the encrypted data of the second calculation result, the collation device generates, while the data remain encrypted, encrypted data having a value based on a predetermined arithmetic expression relating to the distance between the first vector and the second vector and at least the first random number and the second random number; generates a hash value of the value taken by the arithmetic expression when the distance matches a non-negative integer value equal to or less than a predetermined threshold (t); and transmits the generated encrypted data and the hash value as a query to the verification device.
  • the verification device receives the query transmitted from the collation device, decrypts the encrypted data of the query with a decryption key, calculates a hash value of the decrypted value, determines whether any of the hash values of the query is equal to the hash value of the decrypted value, and determines acceptance or non-acceptance.
  • encrypted data obtained by encrypting a first calculation result and a second calculation result relating to elements of a binary first vector for registration from a registration requesting device with an encryption key respectively.
  • the verification device transmits the encrypted data obtained by the calculation with the first random number while encrypting the encrypted data of the first calculation result to the verification requesting device.
  • the verification request device that receives the transmitted encrypted data and transmits the encrypted data obtained by the calculation with the binary second vector element for verification to the verification device while encrypting the encrypted data
  • encrypted data obtained by encrypting a first calculation result and a second calculation result related to elements of a binary first vector for registration from a registration requesting device with an encryption key is provided.
  • the collation device receives a collation request from the collation requesting device, the encryption data obtained by the operation with the first random number is transmitted to the collation requesting device while the encrypted data of the first calculation result is encrypted.
  • the process of The verification requesting device receives the encrypted data transmitted from the verification device, and encrypts the encrypted data obtained by calculation with the binary second vector element for verification while encrypting the encrypted data.
  • a third step of transmitting to the verification device Based on the cipher data transmitted from the collation requesting device and the cipher data of the second calculation result, the collation device encrypts the first vector and the second vector while encrypting them.
  • Generating encrypted data having a value based on a distance and a predetermined arithmetic expression relating to at least the first random number and the second random number; When the distance matches a non-negative integer value equal to or less than a predetermined threshold value, a hash value of the value taken by the arithmetic expression is generated,
  • the verification device receives the query transmitted from the verification device, decrypts the encrypted data of the query with a decryption key, calculates a hash value of a decrypted value, and among the hash values of the query, the decryption And a fifth step of determining whether or not there is a value equal to the has
  • encrypted data obtained by encrypting the first calculation result and the second calculation result relating to the elements of the binary first vector for registration from the registration requesting device with an encryption key is obtained.
  • the verification request device that receives the transmitted encrypted data and transmits the encrypted data obtained by the calculation with the binary second vector element for verification to the verification device while encrypting the encrypted data
  • a computer-readable recording medium storing the above program is a non-transitory medium such as semiconductor storage, for example a RAM (Random Access Memory), a ROM (Read Only Memory), or an EEPROM (Electrically Erasable and Programmable ROM), or an HDD (Hard Disk Drive), a CD (Compact Disk), or a DVD (Digital Versatile Disk).
  • FIG. 1 is a probability diagram schematically illustrating a system configuration of a first exemplary embodiment of the present invention. It is a figure explaining an example of the operation
  • Embodiments of the present invention will be described. First, the problem from which the present invention was created will be described by taking, as an example, a case where a binary vector is collated by the collation system described with reference to FIG.
  • Non-Patent Document 1 deals with multi-value vectors as biological information.
  • a technique that handles binary vector type biometric information and has resistance to hill climbing attacks by an attacker who collaborates with a decryptor has not been proposed yet.
  • FIG. 4 is a diagram for explaining an example of impersonation when a binary vector is handled in the system described with reference to FIG. Although not particularly limited, the Modified-Elgamal encryption algorithm is used in FIG. 4 as in FIG.
  • the multi-value vector type biological information described with reference to FIG. 3 is collated by the Euclidean distance d E 2 (X, Y). The system seems to be able to handle binary vector type biological information.
  • Enc (pk, x i ^2) = Enc (pk, x i ) ... (43)
  • the verification requesting device 20 transmits Enc (pk, R 0 + S (C − D 1 − 0)), Enc (pk, R 1 + S (C − D 1 − 1)), ..., Enc (pk, R t + S (C − D 1 − t)) ... (47) and the hash values H (R 0 ), H (R 1 ), ..., H (R t ) ... (48) to the collation device 40 (S116A).
  • C is an integer equal to or less than t (for example, 0).
  • the collation device 40 obtains Enc (pk, SD 1 ) by performing a scalar operation on the random number S on the template Enc (pk, D 1 ) of the storage device 30.
  • the collation device 40 sends a response from the verification request device 20: Enc (pk, R 0 + S (C − D 1 − 0)), Enc (pk, R 1 + S (C − D 1 − 1)), ...
  • Enc (pk, R t + S (C − D 1 − t + D 1 )) = Enc (pk, R t + S (C − t)) ... (49)
  • together with H (R 0 ), H (R 1 ), ..., H (R t ) ... (50), it is transmitted as a query to the verification device 50 (S117A).
  • the encrypted data of the query from the collation device 40, Enc (pk, R 0 + S (C − 0)), Enc (pk, R 1 + S (C − 1)), ..., Enc (pk, R t + S (C − t)), are decrypted using the secret key (sk) (S118A).
  • z 0 = R 0 + S (C − 0) ← Dec (sk, Enc (pk, R 0 + S (C − 0)))
  • z 1 = R 1 + S (C − 1) ← Dec (sk, Enc (pk, R 1 + S (C − 1)))
  • z t = R t + S (C − t) ← Dec (sk, Enc (pk, R t + S (C − t))) ...
  • the hash values of the decrypted values, H (R 0 + S (C − 0)), H (R 1 + S (C − 1)), ..., H (R t + S (C − t)) ... (52), are calculated.
  • in step S105 of FIG. 4, if the collation device 40 does not transmit Enc (pk, S) as a challenge, the verification request device 20 cannot generate Enc (pk, R ⁇ + S (CD 1 - ⁇ )) and therefore cannot impersonate.
  • according to the present invention, the above-mentioned impersonation can be avoided by using a method in which the encrypted data of the random number S is not transmitted on its own in the challenge sent from the collation device to the verification request device in the distance-division collation system.
  • the data is transmitted to the storage device (130 in FIGS. 5 and 11) and stored in the storage device (130 in FIGS. 5 and 11).
  • the collation device (140 in FIGS. 5 and 11) receives the collation request from the collation request device (120 in FIGS. 5 and 11), the first random number remains encrypted with the encrypted data of the first calculation result.
  • the encrypted data obtained by the calculation is transmitted to the verification requesting device (120 in FIGS. 5 and 11).
  • the verification requesting device (120 in FIGS. 5 and 11) is an element of a binary second vector for verification while the encrypted data transmitted from the verification device (140 in FIGS. 5 and 11) is encrypted.
  • the encrypted data obtained by the calculation is transmitted to the verification device (140 in FIGS. 5 and 11).
  • the collation device (140 in FIGS. 5 and 11) further determines the value that the arithmetic expression takes when the distance (D) matches a non-negative integer value ( ⁇ ) that is equal to or less than a predetermined threshold (t).
  • the hash value is generated, and the generated encrypted data and the hash value are transmitted as a query to the verification device (150 in FIGS. 5 and 11).
  • the verification device decrypts the encrypted data of the query transmitted from the collation device (140 in FIGS. 5 and 11) with a decryption key, calculates the hash value of the decrypted value, determines whether any of the hash values of the query is equal to the hash value of the decrypted value, and determines acceptance or rejection.
  • the binary vector type biological information may be an iris (IrisCode), a palm print (CompetitiveCode), or the like.
  • FIG. 5 is a diagram for explaining a first exemplary embodiment of the present invention.
  • FIG. 5 schematically illustrates the configuration of the verification system 100 according to the first exemplary embodiment.
  • the registration request device 110, the verification request device 120, the storage device 130, the collation device 140, and the verification device 150 correspond respectively to the registration request device 10, the verification request device 20, the storage device 30, the collation device 40, and the verification device 50 of FIG., although the data to be processed and transmitted / received are different.
  • the registration requesting device 110 generates a first random number (S).
  • the registration requesting device 110 further generates a plurality (t + 1) of second random numbers (R 0 , R 1 ,..., R t ).
  • t is a predetermined threshold value used for determining the degree of coincidence.
  • the registration requesting device 110 generates hash values (H (R 0 ), H (R 1 ), ..., H (R t )) of the plurality of (for example, t + 1) second random numbers (R 0 , R 1 , ..., R t ).
  • a hash function having homomorphism is preferably used in order to conceal the distance.
  • H (x) k ⁇ x...
  • the hash value can be calculated using only the public key of Modified Elgamal encryption.
  • the hash value can be calculated using only the public key (the elliptic Elgamal cipher is also outlined in paragraph 0144 below).
  • the distance (a first binary vector for registration and a second second vector for verification) by the server 102 (storage device 130, verification device 140). (Distance) can also be prevented.
  • a hash value ⁇ (Enc (pk, S (D 1 - ⁇ ) + R ⁇ ), H (R ⁇ )), ( ⁇ 0,..., t + 1 sets of encrypted data and the second random number (R ⁇ ) , t) is the second template.
  • when the storage device 130 receives the first template and the second template transmitted from the registration requesting device 110, it generates a registration identifier Id and stores the templates in correspondence with the registration identifier Id.
  • Second template Enc (pk, S (D 1 -0) + R 0 ), Enc (pk, S (D 1 -1) + R 1 ), ..., Enc (pk, S (D 1 -t
  • the verification device 140 transmits the encrypted data transmitted as a response from the verification request device 120: Enc (pk, SS 'D 2 )
  • the third random number (S ′) is removed from the encrypted data (Enc (pk, SS ′ D 2 )) to obtain the encrypted data concerning the divided value (D 2 ) of the Hamming distance (D) between the first vector X and the second vector Y: Enc (pk, SD 2 ) ... (66)
  • the third random number (S ′) is removed from the encrypted data (Enc (pk, SD 1 )) and the encrypted data (Enc (pk, SS′D 2 )) sent as a response from the verification requesting device 120.
  • a plurality (for example, t + 1) hash values of the obtained values: H (b ⁇ R ⁇ ) ( ⁇ 0,..., t) (71) Is generated.
  • the encrypted data of the above formula (69) and the hash value of the formula (71) are transmitted as a query to the verification device 150.
  • the verification device 150 determines whether or not there is a set that satisfies the condition that the hash value (H (b ⁇ (S (D ⁇ ) + R ⁇ ))) is equal to the hash value (H (b ⁇ R ⁇ )) of the query. To check.
  • the verification device 150 accepts the query when there is a set that satisfies the condition, and determines that the query is not accepted when there is no set that satisfies the condition.
  • FIG. 6 is a diagram illustrating an operation sequence of the embodiment described with reference to FIG.
  • an n-dimensional binary vector X = [x_1, ..., x_n] ∈ {0,1}^n ...
  • Y = [y_1, ..., y_n] ∈ {0,1}^n ... (75)
  • the Hamming distance d H (X, Y) is divided as follows.
  • y i 78
  • D 1 does not depend on the value of the matching vector Y.
  • a hash function having homomorphism is preferably used for concealing the distance.
  • the collation system 100 uses a homomorphic encryption method having homomorphism for addition and scalar calculation.
  • Modified Elgamal encryption is used as the encryption method.
  • elliptic Elgamal encryption or Paillier encryption may be used.
  • the elliptic Elgamal cipher is defined for a group on an elliptic curve over a finite field.
  • the generation of the public key pk and the secret key sk (S100) in the preparation phase is as described above.
  • the public key pk is also delivered to the storage device 130.
  • a hash function having homomorphism is used for hiding the distance.
  • Enc (pk, S (1-2x 1 )), Enc (pk, S (1-2x 2 )), ..., Enc (pk, S (1-2x n ))) and D 1- Encrypted data obtained by encrypting the value obtained by calculating the first random number (S) and the value obtained by adding the second random number (R ⁇ ) to ⁇ ( ⁇ 0,..., t) with the public key (pk).
  • H (R ⁇ ) (second template): ⁇ Enc (pk, S (D 1 -0) + R 0 ), H (R 0 ) ⁇ , ⁇ Enc (pk, S (D 1 -1) + R 2 ), H (R 1 ) ⁇ ,..., ⁇ Enc (pk, S (D 1 -t) + R t ), H (R t ) ⁇ Is generated.
  • the storage device 130 receives the first template transmitted from the registration requesting device 110: Enc(pk, S(1-2x_1)), Enc(pk, S(1-2x_2)), ..., Enc(pk, S(1-2x_n)), and the second template: {Enc(pk, S(D_1-0) + R_0), H(R_0)}, {Enc(pk, S(D_1-1) + R_1), H(R_1)}, ..., {Enc(pk, S(D_1-t) + R_t), H(R_t)}, and stores them in correspondence with the registration identifier Id (S122).
  • When the verification device 140 receives the verification request (including the verification identifier Id) from the verification request device 120 (S123), it receives from the storage device 130 the encrypted data stored in association with the Id: Enc(pk, S(1-2x_1)), Enc(pk, S(1-2x_2)), ..., Enc(pk, S(1-2x_n)), and {Enc(pk, S(D_1-0) + R_0), H(R_0)}, {Enc(pk, S(D_1-1) + R_1), H(R_1)}, ..., {Enc(pk, S(D_1-t) + R_t), H(R_t)} (S124).
  • Enc(pk, SS′(1-2x_i)) (i = 1, ..., n)
  • the collation device 140 does not transmit Enc(pk, SS′) to the collation request device 120. Therefore, the verification requesting device 120 cannot calculate Enc(pk, SS′D_1). For this reason, the client cannot forge the Hamming distance.
  • the collation device 140 performs a scalar operation with the reciprocal S′^(-1) of the random number S′ on Enc(pk, SS′D_2) transmitted from the collation request device 120: Scl(S′^(-1), Enc(pk, SS′D_2)) ... (93), and thereby calculates Enc(pk, SD_2) ... (94).
  • the verification device 140 uses this Enc (pk, S D 2 ) and the template registered in the storage device 130.
  • Enc (pk, b ⁇ (S (D- ⁇ ) + R ⁇ )) ( ⁇ 0,..., t)... (97) Ask for.
  • H (b ⁇ R ⁇ ) ( ⁇ 0, ..., t) (98)
  • the verification device 150 uses the encrypted data transmitted as a query from the verification device 140.
  • the verification device 150 further includes a hash value of the decrypted value.
  • H (b ⁇ (S (D- ⁇ ) + R ⁇ )) ( ⁇ 0,..., t)... (100) Ask for.
  • the hash function H () is the same as the hash function H () used in the storage device 130 and the collation device 140 of the server 102.
  • the verification device 150 accepts if there is one that satisfies the above equation, and rejects if there is no one that satisfies the above equation.
  • the verification result (acceptance, rejection) in the verification device 150 is transmitted to the verification device 140 and the verification request device 120 (S131).
  • FIG. 7 is a diagram illustrating an example of the configuration of each device according to the first exemplary embodiment.
  • the collation system 100 includes an information processing system such as a computer system.
  • the collation system 100 according to the first exemplary embodiment includes a registration request device 110, a storage device 130, a collation request device 120, a collation device 140, and a verification device 150.
  • the registration request device 110 includes a registration information extraction unit 111, a template generation unit 112, and a communication unit 113.
  • the storage device 130 includes a storage device that stores information, and also includes a calculation unit that processes information. That is, the storage device 130 includes an identifier management unit 131, a registration data generation unit 132, a registration data storage unit 133, a registration data search unit 134, and a communication unit 135.
  • the verification request device 120 includes a verification request generation unit 121, a verification information extraction unit 122, a response generation unit 123, and a communication unit 124.
  • the collation device 140 includes a registration data acquisition unit 141, a random number generation unit 142, an encrypted data generation unit 143, an encrypted distance calculation unit 144, a query generation unit 145, and a communication unit 146.
  • the verification device 150 includes a key generation unit 151, a decryption key storage unit 152, a query verification unit 153, a verification result output unit 154, and a communication unit 155.
  • the query verification unit 153 includes a decryption unit 1531, a hash value generation unit 1532, and a match determination unit 1533.
  • a communication unit (not shown) Communication connection between transmitter (interface) and receiver (interface)) and communication network (for example, local network (Local Area Network: LAN) or wide area network (Wide Area Network: WAN))
  • the registration request device 110, the storage device 130, the verification device 140, and the verification request device 120 include a public key published by the verification device 150 (for example, the encryption key of the pair of an encryption key and a decryption key of the homomorphic encryption method created by the verification device 150).
  • the registration request device 110 and the verification request device 120 may be collectively represented as “first node”.
  • the storage device 130 and the verification device 140 may be collectively referred to as “second node”.
  • the verification device 150 may be represented as “third node”.
  • the registration request device 110 and the verification request device 120 may be configured as a client device, the storage device 130 and the verification device 140 as a server device, and the verification device 150 as a decryption device connected to the server device.
  • the processing in the matching system 100 may include, for example, a preparation phase, a registration phase, and a verification phase.
  • FIG. 8 is a flowchart illustrating an example of processing executed by the verification system 100 according to the first exemplary embodiment in the preparation phase. The processing performed by the collation system 100 according to this embodiment in the preparation phase is described with reference to FIG. 8.
  • the key generation unit 151 in the verification device 150 receives the security parameter, and generates an encryption key (public key) pk and a decryption key (secret key) sk using the received security parameter, for example, according to a key generation algorithm.
  • the generated public key and decryption key conform to a public key cryptosystem (for example, the Modified Elgamal cipher) having homomorphism with respect to addition and scalar multiplication.
  • the key generation unit 151 discloses the generated public key pk in the verification system 100 (step A2).
  • the key generation unit 151 stores the generated decryption key sk in the decryption key storage unit 152 (step A3).
  • the processing executed in the preparation phase is not limited to the mode illustrated in FIG.
  • FIG. 9 is a flowchart illustrating an example of processing executed by the verification system 100 according to the first exemplary embodiment in the registration phase. The processing performed by the collation system 100 according to the first embodiment in the registration phase is described with reference to FIG. 9.
  • the registration information extraction unit 111 in the registration request device 110 receives biometric information (also referred to as “registration vector”) from a biometric subject to registration.
  • X = [x[1], ..., x[n]] is extracted (step B1).
  • the template generation unit 112 in the registration request apparatus 110 generates a random number S ∈ Fq (B2-1).
  • the template generation unit 112 generates a plurality of second random numbers (R [0], R [1],..., R [t]) (B3-1). Note that the processing in step B3-1 may be performed in step B2-1.
  • the template generation unit 112 generates hash values of the plurality of (for example, t + 1) second random numbers (R[0], R[1], ..., R[t]): H(R[0]), H(R[1]), ..., H(R[t]) (B3-2).
  • the storage device 130 receives the first template and the second template transmitted from the registration request device 110 (B6), generates a registration identifier Id in the identifier management unit 131 (B7), and transmits the registration identifier Id to the registration request device 110.
  • the registration data generation unit 132 stores ⁇ first template, second template, registration identifier Id ⁇ in the registration data storage unit 133.
  • the template generation unit 112 selects a plurality of numbers r1[1], ..., r1[n], and rr1 from Z_q.
  • the template generation unit 112 reads the generator g and the value h from the public key pk, and creates the following ciphertext regarding the binary vector X.
  • the communication unit 113 of the registration request device 110 receives the registration identifier id from the storage device 130 (step B9).
  • the registration request device 110 displays the received registration identifier id on a user interface (UI) such as a display (step B10).
  • the registration request device 110 may store the received registration identifier id in an IC (integrated circuit) card such as an employee ID card or an identifier card.
  • the registration data generation unit 132 in the storage device 130 generates registration data (B11).
  • the template corresponding to the registration identifier Id is stored in the registration data storage unit 133 in the storage device 130 (step B12).
  • step B11 and step B12 may be executed prior to step B8. That is, the storage device 130 may store the registration data in the registration data storage unit 133 before transmitting the registration identifier id to the registration request device 110.
  • the collation requesting device 120 receives an identifier (referred to as “collation identifier”) possessed by the subject of collation (authentication) (step C1).
  • the verification request generator 121 in the verification request device 120 generates a verification request including the received verification identifier (step C2).
  • the communication unit 124 of the verification requesting device 120 transmits a verification request to the verification device 140 (step C3).
  • the communication unit 146 of the verification device 140 receives the verification request from the verification request device 120 (step C4).
  • the registration data acquisition unit 141 in the verification device 140 generates a registration data request including the verification identifier included in the verification request transmitted from the verification request device 120 (step C5).
  • the communication unit 146 of the verification device 140 transmits a registration data request to the storage device 130 (step C6).
  • the communication unit 135 of the storage device 130 receives a registration data request from the verification device 140 (step C7).
  • the registration data search unit 134 in the storage device 130 searches the one or more registration data stored in the registration data storage unit 133 for the registration data (also referred to as “target template”) that includes the verification identifier included in the registration data request (step C8).
  • the communication unit 135 of the storage device 130 transmits the template: Enc(pk, S(1-2x[1])), Enc(pk, S(1-2x[2])), ..., Enc(pk, S(1-2x[n])), Enc(pk, S(D_1-0) + R[0]), Enc(pk, S(D_1-1) + R[1]), Enc(pk, S(D_1-2) + R[2]), ..., Enc(pk, S(D_1-t) + R[t]) and the multiple (e.g., t + 1) hash values: H(R[0]), H(R[1]), ..., H(R[t]) to the verification device 140 (step C9).
  • the communication unit 146 of the verification device 140 receives the target template from the storage device 130 (step C10).
  • the random number generation unit 142 of the verification device 140 generates an integer (random number) S′ ∈ Fq according to a pseudo-random number generation procedure (step C11).
  • the random number generator 142 preferably generates a different random number S ′ every time a collation request is made.
  • the communication unit 146 of the verification device 140 transmits the encrypted data (C3 [1],..., C3 [n]) to the verification request device 120 (step C13).
  • the verification requesting device 120 receives the encrypted data (C3 [1],..., C3 [n]) transmitted by the verification device 140 in step C13 (step C14).
  • the collation information extraction unit 122 in the collation requesting device 120 generates a collation vector (second vector) from the biometric subject to be authenticated.
  • Y = (y[1], y[2], ..., y[n]) ... (106) is extracted (step C15).
  • the communication unit 124 of the verification requesting device 120 transmits the response CC2 to the verification device 140 (step C17).
  • the verification device 140 receives the response from the verification request device 120.
  • the verification device 150 receives the query via the communication unit 155 (step C22).
  • the decryption unit 1531 of the verification device 150 decrypts the encrypted data of the query: Enc(pk, R[0] + S(D-0)), Enc(pk, R[1] + S(D-1)), ..., Enc(pk, R[t] + S(D-t)) using the secret key (sk) to obtain a plurality of (for example, t + 1) decrypted values z[0], ..., z[t] (step C23).
  • the verification result output unit 154 generates a verification result of rejection if none of the t + 1 sets satisfies the condition, and a verification result of acceptance if there is a set that satisfies the condition (the Hamming distance is one of 0 to t), and outputs the result via the communication unit 155.
  • the challenge transmitted from the verification device 140 to the verification request device 120 includes encrypted data in which a single random number (S) has been applied to the elements of the first vector for registration (encrypted data of the random number (S) alone is not sent as a challenge).
  • D distance between the binary first vector and the second vector
  • the distance D cannot be calculated by the collation device 140, the verification device 150, or the like in the server 102. That is, manipulation of the distance between the registered biometric information and the verification biometric information by the server of the three-party model is prevented. This contributes greatly to improved resistance to the impersonation attacks, hill-climbing attacks, and the like mentioned above.
  • FIG. 11 is a diagram for explaining a second embodiment of the present invention.
  • the configuration of the verification system 100 according to the second exemplary embodiment is the same as the configuration of the verification system 100 according to the first exemplary embodiment described with reference to FIG. 5; however, the processes in the registration request device 110, the verification request device 120, the storage device 130, the verification device 140, and the verification device 150 are different. The following description focuses on the differences.
  • Enc(pk, SD_1) + Enc(pk, SD_2) = Enc(pk, SD) ... (121)
  • Enc (pk, SD) related to the Hamming distance (D) between the first vector (X) and the second vector (Y) is calculated.
  • the verification device 140 creates a second random number (R) and generates encrypted data obtained by encrypting it with the public key (pk): Enc(pk, R) ... (122)
  • the hash function H() need not have homomorphism, unlike in the first embodiment.
  • the verification device 150 calculates a hash value of the decrypted value SD + R obtained by decrypting the encrypted data Enc(pk, SD + R) with the decryption key (sk): H(SD + R) ... (126)
  • the verification device 150 may be configured to accept if there is a match, and to determine non-acceptance if there is no match.
  • a collation system that does not disclose the distance to a decryptor (verification device) can be realized.
  • the collation system 100 uses a homomorphic encryption method having homomorphism for addition and scalar calculation.
  • Modified Elgamal encryption is used as the encryption method.
  • elliptic Elgamal encryption or Paillier encryption may be used.
  • FIG. 12 is a diagram for explaining the operation sequence of the second embodiment described with reference to FIG. In FIG. 12, the generation of the public key pk and the secret key sk (S100) in the preparation phase is as described with reference to FIG.
  • the collation device 140 generates a first random number (S) (S144), and uses a scalar operation rule for the first and second templates.
  • Enc(pk, S(1-2x_i)) (i = 1, ..., n) ... (131)
  • the collation device 140 transmits the encrypted data: Enc(pk, S(1-2x_1)), ..., Enc(pk, S(1-2x_n)) ... (133) to the verification requesting device 120 (S145).
  • the verification device 140 does not transmit the encrypted data of the first random number (S) alone to the verification request device 120. Therefore, the verification requesting device 120 cannot calculate Enc(pk, SD_1). For this reason, the client cannot forge the Hamming distance.
  • Enc (pk, SD) relating to the distance (D) between the first and second vectors is calculated.
  • the collation device 140 creates a second random number (R) (S147).
  • the verification device 140 generates encrypted data (Enc (pk, R)) obtained by encrypting the second random number (R) with the public key (pk). Then, the verification device 140 performs homomorphic addition of the encrypted data (Enc (pk, SD)) regarding the distance (D) and the encrypted data (Enc (pk, R)) of the second random number (R) to obtain a query.
  • Encryption data Enc (pk, SD + R)... (137) Create The collation device 140 uses a first random number (S) and a second random number (R) for a value (non-negative integer) ⁇ in the range from 0 to a threshold t, and uses a calculation method regarding the distance of the encrypted data in the query (
  • S ⁇ + R the value when D is ⁇ in the arithmetic expression (SD + R)
  • the verification device 150 determines acceptance if there is an equal pair, and non-acceptance if there is no equal pair.
  • the verification result (acceptance, rejection) in the verification device 150 is transmitted to the verification device 140 and the verification request device 120 (S151).
  • FIG. 13 is a flowchart illustrating an example of processing executed by the verification system 100 according to the first exemplary embodiment in the registration phase. The processing performed by the collation system 100 according to the second embodiment in the registration phase is described with reference to FIG. 13.
  • the registration information extraction unit 111 in the registration request device 110 receives biometric information (referred to as “registration vector”) from the biometric subject to registration.
  • X = [x[1], ..., x[n]] ... (142) is extracted (step B1).
  • the notation x [i] (i 1, i, i) ..., n)
  • the encrypted data generated in step B2 is referred to as a first template.
  • the template generation unit 112 in the registration request apparatus 110 generates a ciphertext obtained by encrypting x[1] + ... + x[n] using the public key pk (step B3): Enc(pk, x[1] + ... + x[n]) ... (144)
  • the encrypted data generated in step B3 is called a second template.
  • the template generation unit 112 selects a plurality of numbers r1[1], ..., r1[n], and rr1 from Z_q.
  • the template generation unit 112 reads the generator g and the value h from the public key pk, and creates the following ciphertext regarding the binary vector X.
  • the template generation unit 112 in the registration requesting apparatus 110 collects the first template and the second template into a template (C1 [1],..., C1 [n], CC1) (step B4).
  • the communication unit 113 of the registration request device 110 transmits the template (C1[1], ..., C1[n], CC1) ... (149) to the storage device 130 (step B5).
  • the communication unit 135 of the storage device 130 receives the template from the registration request device 110 (step B6).
  • the identifier management unit 131 in the storage device 130 determines a registration identifier id that is an identifier unique to the template received from the registration requesting device 110 (step B7).
  • the communication unit 135 of the storage device 130 transmits the registration identifier id to the registration request device 110 (step B8).
  • the communication unit 113 of the registration request device 110 receives the registration identifier id from the storage device 130 (step B9).
  • the registration data generation unit 132 in the storage device 130 generates registration data (B11).
  • a template corresponding to the registration identifier Id is stored in the registration data storage unit 133 in the storage device 130 (step B12).
  • steps C19 to C25 in FIG. 10 are different from those in the first embodiment.
  • in step C19, the verification device 140 generates a second random number (R) and generates encrypted data (Enc(pk, R)) obtained by encrypting the second random number (R) with the public key (pk). It also homomorphically adds the encrypted data (Enc(pk, SD)) regarding the Hamming distance (D) between the first vector (X) for registration and the second vector (Y) for verification and the encrypted data (Enc(pk, R)) of the second random number (R) to create the encrypted data for the query (Enc(pk, SD + R)).
  • step C20 the collation device 140 uses the first random number (S) and the second random number (R) for the non-negative integer value ⁇ that is equal to or less than the threshold t, and uses the arithmetic (SD for the distance D in the encrypted data of the query)
  • S ⁇ + R is calculated by the same algorithm as + R), and a hash value H (S ⁇ + R) of the value is obtained.
  • in step C23, the verification device 150 decrypts the encrypted data Enc(pk, SD + R) with the decryption key (sk).
  • in step C24, the verification device 150 calculates a hash value (H(SD + R)) of the decrypted value SD + R.
  • the verification device 150 accepts if there is an equal set, and decides not to accept if there is no equal set.
  • according to the second embodiment, in a system for matching binary-vector-type information, it is possible to provide resistance against hill-climbing attacks by an attacker who colludes with the decryptor of the three-party model.
  • a computer apparatus 200 such as a server computer includes a processor (CPU (Central Processing Unit), data processing apparatus) 201; a storage device 202 including at least one of a semiconductor memory (for example, RAM (Random Access Memory), ROM (Read Only Memory), or EEPROM (Electrically Erasable and Programmable ROM)), an HDD (Hard Disk Drive), a CD (Compact Disc), and a DVD (Digital Versatile Disc); a display device 203; and a communication interface 204.
  • the communication interface 204 is communicatively connected to the registration request device 110, the verification request device 120, the storage device 130, and the verification device 150.
  • the storage device 202 stores a program that realizes the function of the collation device 140 described in the above embodiment, and the function of the collation device 140 in the embodiment may be realized by the processor 201 reading out and executing the program.
  • the storage device 202 and, for example, the registration data storage unit 133 of the storage device 130 shown in FIG. 7 are the same storage device, and the processor 201 uses the identifier management unit 131 and the registration data generation unit 132 of the storage device 130 shown in FIG.
  • the processing of the registration data search unit 134 may be further executed.
  • the computer device 200 may be implemented as a cloud server provided to a client as a cloud service.
  • the registration request device 110 may also be implemented as a computer device 200 that is program-controlled as shown in FIG.
  • the collation requesting device 120 of the above embodiment may also be implemented as the computer device 200.
  • the registration request device 110 and the verification request device 120 may be separate computer systems, or may be configured to perform registration and verification at the same location. Programs that realize the functions of the registration request device 110 and the verification request device 120 shown in FIGS. 5 and 11 are stored in the storage device 202, and the processor 201 reads out and executes the programs so that each of the above-described programs is executed. You may make it implement
  • the processor 201 of the registration request device 110 and the verification request device 120 may acquire biometric information such as a fingerprint from a sensor (not shown) via the communication interface 204, and extract the binary feature vectors X and Y, respectively, from the acquired biometric information.
  • the verification apparatus 150 of the embodiment may be realized by a program executed on a computer, as in FIG.
  • Patent Documents 1-4 and Non-Patent Document 1 described above are incorporated herein by reference.
  • the embodiments and examples can be changed and adjusted based on the basic technical concept.
  • Various combinations or selections of the various disclosed elements are possible within the scope of the claims of the present invention. That is, the present invention of course includes various variations and modifications that could be made by those skilled in the art according to the entire disclosure including the claims and the technical idea.
  • Registration request device; 100 Collation system; 102 Server; 111 Registration information extraction unit; 112 Template generation unit; 113 Communication unit; 114 Conversion value generation unit; 20, 120 Verification request device; 121 Verification request generation unit; 122 Verification information extraction unit; 123 Response generation unit; 124 Communication unit; 30, 130 Storage device; 131 Identifier management unit; 132 Registration data generation unit; 133 Registration data storage unit; 134 Registration data search unit; 135 Communication unit; 136 Random number generation unit; 137 Encryption data generation unit; 138 Hash value generation unit; 40, 140 Collation device; 141 Registration data acquisition unit; 142 Random number generation unit; 143 Encryption data generation unit; 144 Encryption distance calculation unit; 145 Query generation unit; 146 Communication unit; 147 Conversion coefficient generation unit; 148 Hash value generation unit; 50, 150 Verification device; 151 Key generation unit; 152 Decryption key storage unit; 153 Query validation unit; 154 Verification result output unit; 155 Communication unit; 156 Registration data check unit; 200 Computer system (computer device); 201 Processor; 202 Storage device; 203 Display device; 204 Communication interface; 1531 Decoding unit; 1532 Hash value generation unit; 15
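The second embodiment's verification flow (templates, challenge blinded with S, client response, query Enc(pk, SD + R) with t + 1 hash values, check at device 150), written out as an added Python example; it is not code from the patent. Assumptions: lifted (exponential) ElGamal over a constructed toy group stands in for the Modified Elgamal cipher, the first template is taken to encrypt 1 - 2x[i], the hash is taken over the decrypted group element g^(SD+R), the non-negative integer not exceeding t is written `delta`, and the function names, the re-randomised response and the shuffled hash list are choices of this example.

```python
import hashlib
import secrets

# Toy group, constructed for this example: P = 2Q + 1 is a safe prime and
# G = 4 generates the subgroup of prime order Q. Far too small for real use.
P, Q, G = 2039, 1019, 4

def keygen():
    """Device 150: the decryption key sk stays here, pk is published."""
    sk = secrets.randbelow(Q - 1) + 1
    return pow(G, sk, P), sk

def enc(pk, m):
    """Lifted ElGamal: Enc(pk, m) = (g^r, g^m * pk^r); additive in m mod Q."""
    r = secrets.randbelow(Q - 1) + 1
    return pow(G, r, P), pow(G, m % Q, P) * pow(pk, r, P) % P

def add(c, d):
    """Homomorphic addition: Enc(a) + Enc(b) = Enc(a + b)."""
    return c[0] * d[0] % P, c[1] * d[1] % P

def scl(k, c):
    """Scalar operation: Scl(k, Enc(a)) = Enc(k * a)."""
    return pow(c[0], k % Q, P), pow(c[1], k % Q, P)

def dec(sk, c):
    """Decrypts to the group element g^m; the exponent m is not recovered."""
    return c[1] * pow(c[0], Q - sk, P) % P

def H(value):
    """Ordinary hash; no homomorphism is needed in the second embodiment."""
    return hashlib.sha256(str(value).encode()).hexdigest()

def hamming(x, y):
    """Plaintext reference used only to check the protocol's answer."""
    return sum(a != b for a, b in zip(x, y))

def register(pk, x):
    """Registration request device 110: templates for the binary vector X."""
    first = [enc(pk, 1 - 2 * xi) for xi in x]  # assumed first-template content
    second = enc(pk, sum(x))                   # Enc(pk, x[1] + ... + x[n]) = Enc(pk, D1)
    return first, second

def challenge(template, s):
    """Device 140: blind both templates with S; Enc(pk, S) alone is never sent."""
    first, second = template
    return [scl(s, c) for c in first], scl(s, second)

def respond(pk, blinded_first, y):
    """Verification request device 120: Enc(pk, S*D2), D2 = sum (1-2x[i])*y[i]."""
    acc = enc(pk, 0)  # fresh randomness, so the response is not a bare product
    for c, yi in zip(blinded_first, y):
        if yi:
            acc = add(acc, c)
    return acc

def build_query(pk, enc_sd1, response, s, t):
    """Device 140: Enc(pk, S*D + R) and H(g^(S*delta + R)) for delta = 0..t."""
    r = secrets.randbelow(Q)
    ciphertext = add(add(enc_sd1, response), enc(pk, r))
    hashes = [H(pow(G, (s * delta + r) % Q, P)) for delta in range(t + 1)]
    # Shuffled so the matching position does not indicate delta to device 150.
    secrets.SystemRandom().shuffle(hashes)
    return ciphertext, hashes

def verify(sk, query):
    """Device 150: accept iff the hash of the decrypted value is in the query."""
    ciphertext, hashes = query
    return H(dec(sk, ciphertext)) in hashes

def authenticate(x, y, t):
    """Runs all roles in one process; True means the query is accepted."""
    pk, sk = keygen()
    template = register(pk, x)           # kept by the storage device 130
    s = secrets.randbelow(Q - 1) + 1     # fresh non-zero S per request
    blinded_first, enc_sd1 = challenge(template, s)
    response = respond(pk, blinded_first, y)
    return verify(sk, build_query(pk, enc_sd1, response, s, t))

if __name__ == "__main__":
    x = [1, 0, 1, 1, 0, 0, 1, 0]  # constructed registration vector
    y = [1, 0, 0, 1, 0, 1, 1, 0]  # constructed verification vector
    for t in (1, 2):
        print("distance", hamming(x, y), "threshold", t, "->", authenticate(x, y, t))
```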

Landscapes

  • Information Retrieval, Db Structures And Fs Structures Therefor (AREA)

Abstract

The invention provides a system which, when collating binary vector information, has a desired resistance to a hill-climbing attack by an attacker who colludes with a decryptor in at least a three-party model. The collation system comprises: a collation device which, as data enabling a verification device to determine whether the encrypted distance between a first and a second vector, obtained by combining the computed value of a binary first vector for registration that is encrypted with an encryption key and extracted by a registration request device with the computed value of a binary second vector for collation that is encrypted with an encryption key and extracted by a collation request device, is less than or equal to a predetermined threshold, obtains data in which a value derived by subtracting a non-negative value less than or equal to the threshold from the distance, with a random number applied to it, is encrypted with the encryption keys, and transmits the data, together with a hash value obtained from the random number, as a query to the verification device; and a verification device which decrypts the encrypted data with a decryption key and determines whether there is a set in which the hash value of the decrypted value and the hash value of the query are equal.
PCT/JP2018/011049 2017-03-21 2018-03-20 Collation system, method, device, and program WO2018174063A1 (fr)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
JP2017054406 2017-03-21
JP2017-054406 2017-03-21

Publications (1)

Publication Number Publication Date
WO2018174063A1 true WO2018174063A1 (fr) 2018-09-27

Family

ID=63585433

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/JP2018/011049 WO2018174063A1 (fr) 2017-03-21 2018-03-20 Collation system, method, device, and program

Country Status (1)

Country Link
WO (1) WO2018174063A1 (fr)

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20220131698A1 (en) * 2020-10-23 2022-04-28 Visa International Service Association Verification of biometric templates for privacy preserving authentication
WO2022130528A1 (fr) * 2020-12-16 2022-06-23 日本電気株式会社 Recovery verification system, collation system, recovery verification method, and non-transitory computer-readable storage medium

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20150365229A1 (en) * 2013-02-01 2015-12-17 Morpho Method of xor homomorphic encryption and secure calculation of a hamming distance
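JP2016118984A (ja) * 2014-12-22 2016-06-30 富士通株式会社 Information processing method, information processing program, and information processing device
JP2016131335A (ja) * 2015-01-14 2016-07-21 富士通株式会社 Information processing method, information processing program, and information processing device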

Non-Patent Citations (2)

* Cited by examiner, † Cited by third party
Title
HIGO, HARUNA ET AL.: "Privacy-preserving biometric authentication method of dealing with binary vector-type biometric information", SYMPOSIUM ON CRYPTOGRAPHY AND INFORMATION SECURITY, 2017, pages 1 - 7 *
ISSHIKI, TOSHIYUKI ET AL.: "Effective privacy-preserving biometric authentication method having resistance against hill-climbing attack", SYMPOSIUM ON CRYPTOGRAPHY AND INFORMATION SECURITY, January 2017 (2017-01-01), pages 1 - 7 *

Cited By (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20220131698A1 (en) * 2020-10-23 2022-04-28 Visa International Service Association Verification of biometric templates for privacy preserving authentication
US11546164B2 (en) * 2020-10-23 2023-01-03 Visa International Service Association Verification of biometric templates for privacy preserving authentication
US20230120343A1 (en) * 2020-10-23 2023-04-20 Visa International Service Association Verification of biometric templates for privacy preserving authentication
US11831780B2 (en) 2020-10-23 2023-11-28 Visa International Service Association Verification of biometric templates for privacy preserving authentication
WO2022130528A1 (fr) * 2020-12-16 2022-06-23 日本電気株式会社 Recovery verification system, collation system, recovery verification method, and non-transitory computer-readable storage medium

Similar Documents

Publication Publication Date Title
JP7127543B2 (ja) Collation system, method, device, and program
JP5562687B2 (ja) Securing communications sent by a first user to a second user
US8930704B2 (en) Digital signature method and system
US11063941B2 (en) Authentication system, authentication method, and program
JP7259868B2 (ja) System and client
JP6229716B2 (ja) Collation system, node, collation method, and program
WO2014185450A1 (fr) Verification system and method, node, and associated program
US9910478B2 (en) Collation system, node, collation method, and computer readable medium
JP7231023B2 (ja) Collation system, client, and server
US10503915B2 (en) Encrypted text verification system, method and recording medium
JP6451938B2 (ja) Ciphertext collation system, method, and program
JP6738061B2 (ja) Ciphertext collation system, method, and recording medium
Tbatou et al. A New Mutuel Kerberos Authentication Protocol for Distributed Systems.
KR101217491B1 (ko) Public-key-based keyword search method
WO2018174063A1 (fr) Collation system, method, device, and program
JP5799635B2 (ja) Encrypted data search system, device, method, and program
CN116055136A (zh) Multi-target authentication method based on secret sharing
Rasmussen et al. Weak and strong deniable authenticated encryption: on their relationship and applications
CN110572788B (zh) Wireless sensor communication method and system based on asymmetric key pool and implicit certificate
WO2017170780A1 (fr) Ciphertext collation system, node device, ciphertext collation method, and program
Wang et al. CPPABK: conditional privacy-preserving authentication scheme for VANETs based on the key derivation algorithm
Nayyef et al. Attribute Based Authentication System using Homomorphic Encryption
Roy et al. Practical Privacy-Preserving Authentication for SSH
Rasmussen On the Relationship Between Weak and Strong Deniable Authenticated Encryption
Chen et al. Comments on three multi-server authentication protocols

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 18771134

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 18771134

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: JP