Patent Application
20220171835
The present invention relates to a linear sketch system, authentication method, program, and recording medium.
Personal authentication is a means to confirm identity between a registered person and a person to be authenticated, which is performed by comparing information about a registered person stored in advance, with information about a person to be authenticated obtained for each authentication performed.
In biometric authentication, for example, a physical feature or the like such as face, fingerprint, and iris is used for authentication. More specifically, data called a feature value is extracted from a living body and used for authentication. A feature value extracted from a living body differs slightly for each extraction. Therefore, when authentication is executed, the feature value extracted from a registered person and a feature value extracted from a person to be authenticated are compared, and when they are is found to be information close enough, the authentication is successful.
Compared with authentication performed by what is memorized by a user such as a password, or what is possessed by a user such as an IC (Integrated Circuit) card, biometric authentication has an advantage of higher convenience because the biometric authentication does not require active preparation by a user, such as memorizing a password or possessing an IC card to enter authentication information. Further, biometric authentication, since authentication information thereof is difficult to be used by other people, has an advantage of high security.
With advancement in a technology such as a feature value extraction method, biometric authentication has been increasingly used as a means of personal authentication in recent years.
On the other hand, the biometric authentication has a disadvantage in that biometric information, which is invariant throughout life, cannot be changed when it is leaked.
Hence, biometric authentication schemes that can store biometric information in a secret manner and determine an authentication result with the biometric information kept secret is being actively researched.
Furthermore, in order to take advantage of merits of the biometric authentication, a method is desirable that does not require a user of anything other than biometric information such as memorization or possession.
One of such biometric authentication techniques is a fuzzy signature, which is disclosed in NPL (Non-Patent Literature) 1 and so forth. The fuzzy signature is executed by a client and a server as follows.
More specifically, the fuzzy signature includes:
(1.1) a key generation algorithm to be executed by a client at a time of registration;
(1.2) a signature algorithm executed by the client at a time of authentication; and
(1.3) a verification algorithm performed by the server at the time of authentication.
The following describes each algorithm.
Parameter κ and fuzzy data x are inputted to the key generation algorithm KeyGenfs, which generates and outputs a public key (verification key) vk.
KeyGenfs(1κ,x)→vk (1)
Fuzzy data x′ and message m are inputted to the signature algorithm Signfs, which outputs a signature σ.
Signfs(x′,m)→σ (2)
The verification key vk, message m, and signature σ are inputted to the verification algorithm Verifyfs, which outputs OK (good (OKAY)) or NG (no good) as a signature verification result.
Verifyfs(vk,m,σ)→OK or NG (3)
With respect to
a domain X of fuzzy data;
a distance function d on X (d:X×X→R)(where R is a real number); and
a threshold θ, a signature verification will be OK, when a correctly constructed fuzzy signature scheme is used, and when verification is performed using a verification key vk generated by the key generation algorithm from the fuzzy data xϵX, on a signature a which is generated for a message m, using fuzzy data x′ϵX that is close enough to fuzzy data x.
That is, regarding any message m and fuzzy data x and x′ satisfying d (x, x′)≤θ,
the following is assumed to hold.
KeyGenfs(1κ,x)→vk (4)
Assuming a result of executing the signature algorithm Signfs as follows:
Signfs(x′,m)→σ (5)
Then, as a result of the verification algorithm Verifyfs, the following holds.
Verifyfs(vk,m,σ)→OK (6)
The fuzzy signature is a signature scheme that uses fuzzy data extracted from an information source inclusive of fuzziness to give a signature and generate a key used to verify a signature. A typical example of fuzzy data is a biometric feature value, but the application of fuzzy signature is not limited to biometrics. Another example is password authentication that allows typos (misspelling, erroneous input, clerical error, and mis-conversion while typing). Fuzzy signature is also useful for an authentication that uses authentication information that normally does not allow for ambiguity, such as an integrated circuit (IC) card and a password, when the authentication information is exchanged via a communication channel including a noise.
An implementation method of fuzzy signature is disclosed, for example, in PTL (Patent literature) 1, PTL 2, NPL (Non-Patent Literature) 1, and NPL 2 and so forth.
In particular, NPL 2 discloses a general configuration method that combines a linear sketch and a digital signature having key linearity. Before explaining a general configuration method, linear sketch and digital signature having key linearity are explained.
Linear sketch is an algorithm including;
(2.1) keyed sketch algorithm; and
(2.2) key difference recovery algorithm.
The following describes each algorithm.
Key k and fuzzy data x are inputted to a keyed sketch algorithm KeyedSketch, which outputs a sketch s.
KeyedSketch(k,x)→s (7)
Two sketches s and s′ are inputted to a key difference recovery algorithm DiffRec, which outputs a value Δk.
DiffRec(s,s′)→Δk (8)
With respect to a fuzzy data domain X;
a distance function d on X (d:X×X→R); and
a threshold θ, a correctly constructed linear sketch scheme, when two sketches s and s′ generated from two sufficiently close fuzzy data x, x′ϵX are inputted to the key difference recovery algorithm DiffRec, outputs, as Δk, a difference between the two keys k and k′ which are used to generate the two sketches s and s′.
That is, if
d(x,x′)≤θ (9)
is satisfied, then with respect to
KeyedSketch(k,x)→s (10)
and
KeyedSketch(k′,x′)→s′ (11)
the following holds.
DiffRec(s,s′)→Δk(=k−k′) (12)
Digital signature includes;
(3.1) key generation algorithm;
(3.2) signature algorithm; and
(3.3) verification algorithm.
The following describes each algorithm.
A security parameter κ is inputted to a key generation algorithm KeyGends, which generates and outputs a secret key (signature key) sk and a public key (verification key) vk.
KeyGends(1κ)→(sk,vk) (13)
A signature key sk and a message m are inputted to the signature algorithm Signds, which outputs a signature σ.
Signds(sk,m)→σ (14)
The verification key vk, message m, and signature σ are inputted to the verification algorithm Verifyds, which outputs OK or NG as a signature verification result.
Verifyds(vk,m,σ)→OK or NG (15)
In a case where a correctly constructed digital signature scheme is used, a signature σ generated for a certain message m using a secret key sk generated by the key generation algorithm KeyGends when verified using a corresponding public key vk, results in OK.
That is, with respect to any m and
KeyGends(1κ)→(sk,vk) (16)
letting an execution result of the signature algorithm as follows
Signds(sk,m)→σ (17),
the following holds.
Verifyds(vk,m,σ)→OK (18)
Furthermore, in a case where a digital signature scheme has key linearity, there is a key difference verification algorithm MK that determines whether or not a difference Δsk of the two private keys sk and sk′ corresponding to two input public keys vk and vk′, respectively, is equal to the other input value.
That is, with respect to
KeyGends(1κ)→(sk,vk) (19)
and
KeyGends(1κ)→(sk′,vk′) (20)
letting a difference between the two private keys sk and sk′ corresponding to the two input public keys vk and vk′, respectively, be
Δsk=sk−sk′ (21)
the following holds.
MK(vk,vk′,Δsk)→OK (22)
As a signature algorithm having the key linearity, Schnorr signature, Elgamal signature, DSA (Digital Signature Algorithm), ECDSA (Elliptic Curve Digital Signature Algorithm) and so forth are known. For example, in Schnorr, Elgamal, and DSA signatures, a positive integer less than p is randomly chosen as a secret key sk for a generator g of a group Gp whose rank is a prime number p, and a public key is defined as;
vk=g
sk (23)
In this case, with respect to two key pairs (sk, gsk) and (sk′, gsk′)
Δsk=sk−sk′ (24)
satisfies the following.
g
sk
/g
sk′
=g
Δsk (25)
That is, MK (vk, vk′, Δsk) outputs OK when
vk/vk′=g
Δsk (26)
That is, MK (vk, vk′, Δsk) outputs OK, when a difference log(vk/vk′) (log is a logarithmic function with g as a base) of the two secret keys sk and sk′ corresponding to the public keys vk and vk′, respectively, is equal to the other input value ask.
Using the linear sketch and the digital signature having key linearity described above, the fuzzy signature can be configured as follows.
A security parameter κ and fuzzy data x are inputted to a key generation algorithm KeyGends.
A secret key skds and a public key vkds are calculated by entering the security parameter κ into the key generation algorithm KeyGends in the digital signature scheme.
KeyGends(1κ)→(skds,vkds) (27)
Next, a sketch s is computed by entering a secret key skds and fuzzy data x to KeyedSketch, a keyed sketch algorithm of a linear sketch method.
KeyedSketch(skds,x)→s (28)
Next, a verification key vkfs, which is a combination of a public key vkds and a sketch s, is outputted.
vk
fs=(s,vkds) (29)
This vkfs is the public key (verification key) vk in Expression (1) above.
Fuzzy data x′ and message m are inputted to the signature algorithm Signfs.
A private key sk′ds and public key vk′ds are calculated by entering the security parameter κ into the key generation algorithm KeyGends in the digital signature scheme.
KeyGends(1κ)→(sk′ds,vk′ds) (30)
Next, a secret key sk′ds and fuzzy data x′ are inputted to KeyedSketch, a keyed sketch algorithm of the linear sketch scheme, to compute a sketch s′.
KeyedSketch(sk′ds,x′)→s′ (31)
Next, a signature σds is computed by entering the secret key sk′ds and the message m into the signature algorithm Signds, a digital signature scheme.
Signds(sk′ds,m)→σds (32)
Next, a signature σfs is outputted by combining the public key vk′ds, the sketch s′ and the signature σds.
σfs=(vk′ds,s′,σds) (33)
This σfs is the signature σ in Expression (2).
The public key vkds, message m and signature σ are inputted to the verification algorithm Verifyfs (Expression (3)).
Next, the public key vk′ds, message m, and signature σds are inputted to the verification algorithm Verifyds, a digital signature scheme, and it is confirmed that OK is output.
Verifyds(vk′ds,m,σds)→OK (34)
Next, the sketch s and sketch s′ are inputted to DiffRec, a linear sketch-based key difference recovery algorithm, to obtain the key difference Δskds.
DiffRec(s,s′)→Δskds (35)
Next, it is verified that the key difference verification algorithm MK outputs OK for the public keys vkds and vk′ds, and the key difference Δskds.
MK(vkds,vk′ds,Δskds)→OK (36)
When both Expression (34) and Expression (36) above are confirmed OK, OK is outputted (corresponding to OK in Expression (3)), and when any one of Expression (34) and Expression (36) above is NG, NG (corresponding to NG in Expression (3)) is output.
NPL 1 and NPL 2 disclose how to configure a linear sketch. It is also disclosed that a fuzzy signature can be constructed by combining the disclosed linear sketch with a digital signature scheme having key linearity, such as Schnorr signature or the like. Both schemes are schemes for the following parameters.
d((x1, . . . ,xn),(x′1, . . . ,x′n))=max|(xi−x′i) (i=1, . . . ,n) (37)
However, many features extracted from fingerprints, irises, or the like cannot be matched using Loo distance, and deal with the following parameters, for example.
d((x1, . . . ,xn),(x′1, . . . ,x′1))=sum|(xi−x′i)| (i=1, . . . ,n) (38)
That is, the feature value for such a parameter cannot be used as it is in the fuzzy signature scheme disclosed in NPL 1 and NPL 2.
In PTL 3, there is disclosed that in the technology of NPL 1 and NPL 2, processing of determining whether or not two biometric data are sufficiently similar corresponds to implementing by threshold processing for “L ∞ distance” between features extracted from the biometric. Further, there is disclosed a problem that in many biometric schemes such as fingerprint, vein, face, iris, the distance between features is defined by Hamming distance (L1 distance) or the like and thus the fuzzy signature based on the above technique cannot be realized. To address this problem, PTL 3 discloses a method (invention) that realizes the fuzzy signature using various types of features by transforming features on an Lp distance space for any p to vectors on an Loo distance space. The method disclosed in PTL 3 can be used, for example, to convert features for determining similarity based on an L1 distance to features for determining similarity based on an Loo distance.
An analysis of related technologies is presented below.
As described above, it is not possible to directly apply the methods of related technologies such as the above NPL 1 and NPL 2 to data such as biometric feature values where distance between feature values, such as fingerprints and irises, is defined by a Hamming distance (L1 distance).
Although it is possible to combine a technique disclosed in PTL 3 or the like with techniques of related technologies such as PTL 1 and PTL 2, the technique disclosed in PTL 3 is asymptotic transformation, which generates a large error when a dimension (n) of a vector is large. That is, an accuracy in biometric authentication is reduced.
Therefore, it is desired to construct a linear sketch scheme based on a Hamming distance to determine similarity for data such as biometric feature values extracted from a fuzzy data source, without recourse to the transformation technique disclosed in PTL 3 or the like.
Therefore, it is a main object of the present invention to provide a linear sketch system, a generation apparatus, a reconstruction apparatus, an authentication method, and a program and a recording medium, each enabling to judge similarity of data such as a biometric feature extracted from a fuzzy data source based on a Hamming distance.
According to an aspect of a present invention, there is provided a linear sketch system including a generation apparatus and a reconstruction apparatus.
The generation apparatus includes: a key input part that receives a key; a fuzzy data input part that receives fuzzy data; a key conversion part that converts the key to an encoded key by using an encoding function of an error correcting code; and a sketch generation part that generates a sketch by applying a first composite transformation on the fuzzy data and the encoded key.
The reconstruction apparatus includes: a sketch input part that receives a first sketch generated based on a first key and first fuzzy data, and a second sketch generated based on a second key and second fuzzy data; a sketch composition part that generates a composite sketch by applying a second composite transformation on the first sketch and the second sketch; and a key-difference reconstruction part that calculates, based on the composite sketch, a difference between the first key and the second key used respectively for generating the first sketch and the second sketch.
According to an aspect of the present invention, there is provided a generation apparatus including a key input part that receives a key; a fuzzy data input part that receives fuzzy data; a key conversion part that converts the key to an encoded key by using an encoding function of an error correcting code; and a sketch generation part that generates a sketch by applying a first composite transformation on the fuzzy data and the encoded key.
According to an aspect of the present invention, there is provided a reconstruction apparatus including: a sketch input part that receives, from a generation apparatus, a first sketch generated based on a first key and first fuzzy data, and a second sketch generated based on a second key and second fuzzy data, wherein the generation apparatus converts a received key to an encoded key by using an encoding function of an error correcting code and generates a sketch by applying a first composite transformation on fuzzy data and the encoded key; a sketch composition part that generates a composite sketch by applying a second composite transformation on the first sketch and the second sketch; and
a key-difference reconstruction part that calculates, based on the composite sketch, a difference between the first key and the second key used respectively for generating the first sketch and the second sketch.
According to an aspect of the present invention, there is provided an authentication method including:
on a sketch generation side, converting a received key to an encoded key by using an encoding function of an error correcting code; and
generating a sketch by applying a first composite transformation on fuzzy data and the encoded key; and
on a reconstruction side, receiving a first sketch generated based on a first key and first fuzzy data and a second sketch generated based on a second key and second fuzzy data;
generating a composite sketch by applying a second composite transformation on the first sketch and the second sketch, and
calculating a difference between the first key and the second key used respectively for generating the first sketch and the second sketch based on the composite sketch.
According to an aspect of the present invention, there is provided a program causing a computer to perform processing including:
receiving a key;
receiving fuzzy data;
transforming the key to an encoded key by using an encoding function of an error correcting code; and
generating a sketch by applying a first composite transformation on the fuzzy data and the encoded key.
According to an aspect of the present invention, there is provided a program to cause the computer to perform processing including:
a program causing a computer to perform processing comprising:
receiving a first sketch generated based on a first key and first fuzzy data from a generation apparatus that transforms a received key to an encoded key by using an encoding function of an error correcting code and generates a sketch by applying a first composite transformation on received fuzzy data and the encoded key;
receiving a second sketch generated based on a second key and second fuzzy data from the generation apparatus;
generating a composite sketch by applying a second composite transformation on the first sketch and the second sketch; and
calculating a difference between the first key and the second key used respectively for generating the first sketch and the second sketch based on the composite sketch.
According to the present invention, a computer readable storage medium (such as RAM (Random Access Memory), ROM (Read Only Memory), or EEPROM (Electrically Erasable and Programmable ROM (Electrically Erasable and Programmable ROM), or a non-transitory computer readable recording medium such as HDD (Hard Disk Drive), CD (Compact Disc), or DVD (Digital Versatile Disc). (non-transitory computer readable recording medium)) are provided.
According to the present invention, it is possible to realize a linear sketch system that makes similarity judgment about data such as a biometric feature extracted from a fuzzy data source based on a Hamming distance.
An example embodiment of the present invention will be described in detail with reference to drawings. In each drawing and in each example embodiment described in the description, the same sign is given to similar components and the explanation thereof is omitted as appropriate.
A linear sketch system of the present invention has a generation apparatus that generates a sketch by composing an encoded key, which is obtained by encoding the key by error correction codes, and fuzzy data, and a reconstruction apparatus that outputs a result of a linear transformation of two keys by decoding two sketches composited by error correction codes when two fuzzy data are sufficiently close to each other.
In each of the following example embodiments, as a not limiting example, linear sketch system implementations for following parameters will be described.
d((x1, . . . ,xn),(x′1, . . . ,x′n))=(Number of index i where xi≠x′i among i=1, . . . ,n) (39)
Even if it is not fuzzy data for the above parameters, there may be a case where it is possible to convert them to fuzzy data for the above parameters.
For example, an n-dimensional vector where each component is a real number can be converted to fuzzy data contained in this domain by rounding each elements after multiplying with a constant number.
In each of the following embodiments, an error correcting code with linearity (referred to as “a linear code” in the following) are used as a configuration element. First, a linear code will be described.
Error correcting code includes:
(5.1) Encoding algorithm; and
(5.2) Decoding algorithm.
Each algorithm is outlined below.
When a message m is inputted to an encoding algorithm Encode, it generates and outputs a code word c.
Encode(m)→c (40)
When the code word c is inputted to a decoding algorithm Decode, message m is output.
Decode(c)→m (41)
In an error-correcting code scheme in which the message m consists of M blocks, the code word c consists of C blocks (M<C), and D blocks are allowed to be erroneous, provided that correctly constructed, with respect to the code word c which is generated by the encoding algorithm Encode from the message m, the original message m can be reconstructed when any code word c′, for which the number of blocks among the C blocks that are different from the code word c is D (D<C) blocks or less, is inputted to the decoding algorithm Decode.
That is, for any message m of M blocks assume;
Encode(m)→c (42)
Then, for any code word c′ for which the number of blocks different from code word c is D blocks or less, the following holds.
Decode(c′)→m (43)
Furthermore, in a case of an error-correcting code capable of allowing erasure correction, if the total number of errors and erasure blocks is D blocks or less, the code can be correctly decoded.
Using the linear code, it is possible to calculate a code word corresponding to a result of a linear operation for each block of those messages from two code words. That is, for example, for
Encode(m)→c and Encode(m′)→c′ (44)
letting a block-wise sum of code word c and code word c′ be denoted as
Δc=c+c′ (45)
then a block-wise sum of message m and message m′ is obtained as a result of decoding Δc.
Decode(Δc)=m+m′ (46)
A linear code can be configured to make the first M blocks of a code word composed of C blocks, as a message itself. Such a configuration scheme is specifically called as “systematic code”.
In a linear code where each block is B bits, a message is an M-dimensional vector with each element being B bits or less, a code word is a C-dimensional vector with each element being B bits or less, and operations c+c′ and m+m′ described above are performed with a modulo 2B.
In a linear code where each block is B bits, a message m is recovered by a reconstruction algorithm from a series of C blocks for which the number of different blocks is D or less, by comparing with C block code word c generated by a coding algorithm from the of message m of M blocks.
Therefore, in a linear code where each block is one bit, the operations c+c′ and m+m′ described above become an exclusive OR (Exclusive OR: XOR, i.e., 0+0=1+1=0, 0+1=1+0=1).
In an error correcting code, where each block is one bit, a message m is reconstructed by the reconstruction algorithm from c′, for which the number of different bits is D bits or less, compared with a C-bit code word c generated by the coding algorithm from M-bit message m. That is, the message m is reconstructed by the reconstruction algorithm from c′ whose Hamming distance from c is D or less. That is, the message m is reconstructed by the reconstruction algorithm from c′ whose Hamming distance from c is D or less.
As a linear code, BCH (Bose-Chaudhuri-Hocquenghem code) code, Reed-Solomon code, and LDPC (Low-Density Parity-Check code) code and so forth are known. Reed-Solomon code and LDPC code allows erasure correction.
By using the linear sketch system of the present invention in the configuration of a fuzzy signature scheme, it is possible to handle data such as a biometric feature for which similarity judgment is performed based on a Hamming distance, to achieve a fuzzy signature without loss of accuracy. The following is a more detailed description based on several example embodiments.
In the present example embodiment, fuzzy data is data such as a biometric (biometric) feature or the like extracted from a fuzzy source and is assumed to be an n-dimensional vector for which each element has a value of 0 or 1.
In the present example embodiment, it is desirable to use a linear code for the following parameters.
The generation apparatus 110 comprises a key input part 111, a fuzzy data input part 112, a key conversion part 113, and a sketch generation part 114. The reconstruction apparatus 120 includes a first sketch input part 121, a second sketch input part 122, a sketch composition part 123, and a key-difference reconstruction part. The generation apparatus 110 and the reconstruction apparatus 120 may each include a computer that includes a processor that executes instructions stored in a memory and an input/output interface, such as a network interface, so that the processor executes a program to implement processing of each part of the apparatus. The generation apparatus 110 and the reconstruction apparatus 120 are mutually communicatively connected via a network 130 (wired LAN (Local Area Network) or wireless LAN, or WAN (Wide Area Network), or mobile communication network, etc.). It is noted that the generation apparatus 110 and the reconstruction apparatus 120 may be implemented in the same apparatus and communicatively connected.
The generation apparatus 110 receives a received key k (M bits) from the key input part 111 and a received fuzzy data x from the fuzzy data input part 112 (Step A1). The key input part 111 receives, for example, the key vkfs of the above Expression (29). The generation apparatus 110 may receive the key vkfs from an apparatus (not shown) that executes the key generation algorithm of (4.1) above. The fuzzy data input part 112 may be used to receive a feature value such as biometric data or the like obtained from a sensor (not shown) as fuzzy data x.
A key conversion part 113 of the generation apparatus 110 executes an error correcting code encoding algorithm (Encode) with the key k received from the key input part 111 as input and obtains an encoded key c (C bits) as an execution result (Step A2).
Encode(k)→c (47)
Next, a sketch generation part 114 of the generation apparatus 110 calculates bit-wise exclusive logical OR (bit-wise xor) of the fuzzy data x (C bits) received from the fuzzy data input part 112 in step A1 and the encoded key c obtained in step A2, and outputs it as a sketch s (Step A3).
s=x xor c. (48)
A first sketch input part 121 of the reconstruction apparatus 120 receives an input first sketch s, and a second sketch input part 122 receives an input second sketch s′ (step B1). Although the first sketch input part 121 and the second sketch input part 122 are illustrated as separate units in
Next, the sketch composition part 123 of the reconstruction apparatus 120 calculates bitwise exclusive logical OR of the first sketch s and the second sketch s′ received in step B1 to obtain a composited sketch t (step B2).
t=s xor s′ (49)
Next, the key-difference reconstruction part 124 of the reconstruction apparatus 120 supplies the composite sketch t calculated in step B2 to the error correcting code decoding algorithm Decode, causes to execute the algorithm Decode, and output a decoded result Δ (step B3).
Decode(t)→Δ (50)
The following confirms that the linear sketch system according to the present example embodiment works correctly.
Let s be a first sketch generated by the generation apparatus 110 from the key k (first key) and fuzzy data x (first fuzzy data).
s=x xor Encode(k) (51)
Let s′ be a second sketch generated by the generation apparatus 110 from the key k′ (second key) and the fuzzy data x′ (second fuzzy data).
s′=x′ xor Encode(k′) (52)
The generation apparatus 110 enters the generated first and second sketches s and s′ as the first and second sketches, respectively, into the reconstruction apparatus 120 via a communication means such as a network 130, for example.
The sketch composition part 123 of the reconstruction apparatus 120 (step B2) performs the following calculation:
Since a linear code is used, where each block is one bit, Expression (53) can be expressed as
t=(x xor x′)xor Encode(k xor k′) (54)
Furthermore, if a hamming distance between x and x′ is less than or equal to an error correction capability D of the linear code, then the Hamming distance between Encode (k xor k′) and t is also less than or equal to D.
The reason is that the following holds
and a Hamming distance between Encode (k xor k′) and t is equal to a Hamming distance between x and x′.
Therefore, k xor k′ is reconstructed by executing the reconstruction algorithm Decode (t) for t, a Hamming distance between t and the code word Encode (k xor k′) of k xor k′ is equal to or less than D. That is, a result Δ of Decode(t) is k xor k′.
Decode((x xor x′)xor Encode(k xor k′))→k xor k′ (56)
That is, in step B3 of
According to the above described present example embodiment, by error correcting and decoding a composite sketch, which is a bitwise exclusive OR of first and second sketches, each of which is a bitwise exclusive OR of an encoded key and fuzzy data, a difference between the keys calculated by bitwise exclusive OR can be calculated.
In the present example embodiment, it is preferred to use a linear code for following parameters.
The generation apparatus 210 includes a key input part 211, a fuzzy data input part 212, a random number acquisition part 215, a key conversion part 213, and a sketch generation part 214. The reconstruction apparatus 220 includes a first sketch input part 221, a second sketch input part 222, a sketch composition part 223, an extended key-difference reconstruction part 225, and a key-difference reconstruction part 224. The generation apparatus 210 and the reconstruction apparatus 220 may each include a computer including a processor that executes instructions stored in a memory and an input/output interface, such as a network interface, so that the processor executes a program to implement processing of each part of the apparatus. The generation apparatus 210 and the reconstruction apparatus 220 are mutually communicatively connected via a network 230 (wired LAN (Local Area Network) or wireless LAN, WAN (Wide Area Network), mobile communication network, etc.). It is noted that the generation apparatus 210 and the reconstruction apparatus 220 may be implemented in the same apparatus and communicatively connected.
A key input part 211 of the generation apparatus 210 receives a received key k (B bit), and a fuzzy data input part 212 receives received fuzzy data x (Step C1).
Next, a random number acquisition part 215 of the generation apparatus 210 acquires M−1 random numbers whose length is greater than or equal to a size of the key (e.g., B bits) (Step C2). In the present example embodiment, any method can be used as a method of acquiring random numbers. For example, random numbers may be generated internally in the generation apparatus 210, or random numbers may be generated outside the generation apparatus 210 and entered into the generation apparatus 210. The generated random numbers can be expressed as
r
2
, . . . ,r
M (57)
Next, a key conversion part 213 of the generation apparatus 210 lines up the key k received in step C1 and the M−1 random numbers r2, . . . , rM obtained in step C2 (e.g., k, r2, . . . , rM), and generates an M-block series (B×M bits) consisting of the key k and the M−1 random numbers ri (i=2, . . . , M).
Then, the key conversion part 213 enters a series of M blocks (B×M bits) into the error correcting code encoding algorithm (Encode) and executes the algorithm (Encode) to obtain, as a result, an encoded key c consisting of C blocks (Step C3).
Encode(k,r2, . . . ,rM)→c=(c1, . . . ,cC) (58)
It is noted that the order of the k and M−1 random numbers is not limited to the above and may be arranged in any order.
Next, a sketch generation part 214 of the generation apparatus 210 calculates a block-by-block (block-wise) addition result (or subtraction result) of the C-bit fuzzy data x received in step C1, where each component consists of 0 or 1, and the encoded key c obtained in step C3:
x+c=(x1+c1, . . . ,xC+cC) (59)
and output the result as a sketch s (C block(s), B×C bits) (Step C4).
A first sketch input part 221 of the reconstruction apparatus 220 receives a first sketch s=(s1, . . . , sC) supplied from the generation apparatus 210, and a second sketch input part 222 receives a second sketch s′=(s′1, . . . , s′C) supplied from the generation apparatus 210 (Step D1). Although the first sketch input part 221 and the second sketch input part 222 are illustrated as separate units in
Next, the sketch composition part 223 of the reconstruction apparatus 220 calculates a subtraction (or addition) result for each component of the first sketch s=(s1, . . . , sC) and the second sketch s′=(s′1, . . . , s′C) received in step D1, to obtain a composited sketch t (Step D2).
t=(s1−s′1, . . . ,sC−s′C) (60)
Next, the extended key-difference reconstruction part 225 of the reconstruction apparatus 220 enters the value t calculated in step D2 into the decoding algorithm (Decode) of the error correcting code and executes the algorithm (Decode) to obtain:
Decode(t)→(Δ1, . . . ,ΔM) (61)
Next, a key-difference reconstruction part 224 of the reconstruction apparatus 220 outputs the first component Δ1 of the value calculated in step D3 (step D4). It is noted that if the key k is placed in the i-th block (i is any one of i=2, . . . , or C) in step C3, the i-th component Δi is output.
The above operation confirms that the linear sketch system of the second example embodiment works correctly.
Let s be the sketch generated from the key k and fuzzy data x by the generation apparatus 210. That is, the sketch s can be expressed by the following expression:
s=(x1, . . . ,xC)+Encode(k,r2, . . . ,rM) (62)
Let s′ be the sketch generated from the key k′ and fuzzy data x′ by the generation apparatus 210. That is, s′ can be expressed by the following expression.
s′=(x′1, . . . ,x′C)+Encode(k′,r′2, . . . ,r′M) (63)
When entering s and s′ into the reconstruction apparatus 220, as the first and second sketches, respectively, the following expression is calculated in step D2
Since the linear code are used, Expression (64) can be expressed as,
Furthermore, if a Hamming distance between x and x′ is less than or equal to the error correction capability D of the linear code, then (x1−x′1, . . . , xC−x′C)
is a vector consisting of zeros of C-D or more and ones of D or less.
Therefore, the number of blocks that are different from Encode(k−k′, r2−r′2, . . . , rM−r′M) and t is less than or equal to D.
Accordingly, a result of Decode(t) in step D3 is
(Δ1, . . . ,ΔM)=(k−k′,r2−r′2, . . . ,rM−r′M) (66)
That is, it can be confirmed that the difference between two keys k and k′: k−k′, is correctly calculated in step D4.
According to the present example embodiment, since encoded key and fuzzy data are composited by block-by-block addition or subtraction, the reconstruction apparatus can correctly calculate a difference between the keys calculated by subtraction.
In a third example embodiment of this invention, it is preferred to use a linear systematic code capable of allowing erasure correction for following parameters.
A configuration of a linear sketch system according to the third example embodiment is equal to the configuration of a linear sketch system 200 (
Next, an operation of each apparatus in this system will be described in detail.
An operation of the generation apparatus 210 of the linear sketch system 200 differs only in step C4 from the operation of the linear sketch system of the second example embodiment described with reference to
Encode(k,r2, . . . ,rM)→c (67)
respectively, satisfy the following:
c
1
=k,c
2
=r
2
, . . . ,c
M
=r
M (68)
In the present example embodiment, step C4 in
A sketch generation part 214 of the generation apparatus 210 generates n=C−1 bits of fuzzy data, where each component consists of 0 or 1, received in step C1
x=(x1, . . . ,xC-1)
and the second and subsequent blocks (c2, . . . , cC) of the encoded key obtained in step C3, and calculate a block-wise sum of
(x1+c2, . . . ,xC-1+cC) (69)
to output as sketch s ((C−1) block=B×(C−1) bits) (Step C4).
The operation of the reconstruction apparatus 220 of the linear sketch system 200 according to the present example embodiment differs only in step D2 from the operation of the reconstruction apparatus 220 of the linear sketch system of the second example embodiment described with reference to
In the present example embodiment, step D2 operates as follows.
A sketch composition part 223 of the reconstruction apparatus 220 calculates a component-wise difference between the first sketch
s=(s1, . . . ,sC-1)
received in step D1 and the second sketch
s′=(s′1, . . . ,s′C-1)
to obtain a composited sketch(Step D2).
t=(s1−s′1, . . . ,sC-1−s′C-1) (70)
It is evident that this operation allows the linear sketch system according to the present example embodiment to work correctly, since the linear sketch system of the second example embodiment works correctly.
This is because the sketch in the linear sketch system according to the present example embodiment is defined as that in which one block is lost from the sketch in the linear sketch system according to the second example embodiment above.
Furthermore, the error correcting code used by the linear sketch system according to the present example embodiment allows erasure correction, because the number of acceptable error blocks is one block more than the number of acceptable error blocks in the error correcting code used by the linear sketch system according to the second example embodiment.
According to the present example embodiment, in addition to an effect of the linear sketch system according to the second example embodiment, the effect is that it is possible to prevent leakage of a key from a sketch more securely. The reason for this is that in step C4 of
A fourth example embodiment of the present invention is obtained by adding an additional configuration and a corresponding operation to the second example embodiment.
The generation apparatus 310 includes a fuzzy data transformation part 316 added to the configuration of the above described second example embodiment. That is, the generation apparatus 310 includes a key input part 211, a fuzzy data input part 212, a key conversion part 213, a sketch generation part 214, a random number acquisition part 215, and a fuzzy data transformation part 316. In the generation apparatus 310, the key input part 211, the fuzzy data input part 212, the key conversion part 213, the sketch generation part 214, and the random number acquisition part 215 are the same as those described in the second example embodiment above, respectively. The reconstruction apparatus 220 includes a first sketch input part 221, a second sketch input part 222, a sketch composition part 223, an extended key-difference reconstruction part 225, and a key-difference reconstruction part 224. These are the same as those described in the second example embodiment above.
The fuzzy data transformation part 316 of the generation apparatus 310 transforms each bit of the fuzzy data x=(x1, . . . , xC) received in step C1 by a hash function h, etc., respectively, to obtain the following (Step C3′).
z=(h(1,x1), . . . ,h(C,xC)) (71)
It is noted that a transformation method using a hash function, or the like is not limited to this method. For example, it may be simply expressed as:
h
x=(h(x1), . . . ,h(xc)) (72).
Also, for example, it may be expressed using a key kh that is stored separately, as follows:
hx=(h(kh,1,x1), . . . ,h(kh,c,xc)) (73).
It is evident that the linear sketch system in the present example embodiment works correctly by this operation, because the linear sketch system in the second and third example embodiments works correctly. This is because sketches in the linear sketch system according to the second and third example embodiments differ only in that the fuzzy data used to configure the sketches in the linear sketch system according to the second and third example embodiments are transformed by a deterministic function and because the number of different bits in the two fuzzy data coincides with the number of different blocks in the two transformed fuzzy data.
The above described present example embodiment has an effect that leakage of key and fuzzy data from a sketch can be more robustly prevented. The reason for this resides is that fuzzy data is extended by a hash function in step C3′ of
A fifth example embodiment of present invention is similar to the above described fourth example embodiment, but with an additional configuration and corresponding operation to the above described third example embodiment. In the fifth example embodiment of the present invention, it is preferred to use a linear systematic code that also allows erasure correction for following parameters.
The configuration of a linear sketch system according to the fifth example embodiment is equivalent to the linear sketch system 300 (
Next, an operation of each apparatus in the fifth example embodiment will be described.
The operation of generation apparatus 310 of the linear sketch system 300 according to the present example embodiment are the same as in step C4 of the linear sketch system according to the fourth example embodiment described with reference to
Encode(k,r2, . . . ,rM)→c (74)
satisfy the following conditions.
c
1
=k,c
2
=r
2
, . . . ,c
M
=r
M (75)
A sketch generation part 214 of generation apparatus 310 calculates a block-wise sum of a hash value of n=C−1 bits of fuzzy data, where each component consists of 0 or 1, received in step C1 of
z=(h_1, . . . ,h_C−1)=((h1,x1), . . . ,h(C−1,xC-1))
and the second and subsequent blocks (c2, . . . , cC) of encoded key obtained in step C3, where the block-wise sum is given as
(h_1+c2, . . . ,h_C−1+cC-1) (76)
and outputs the sum as sketch s ((C−1) block=B×(C−1) bits) (Step C4).
The generator 310 generates the first sketch s=(s1, . . . , sC-1) and the second sketch s′=(s′1, . . . , s′C-1).
An operation of the reconstruction apparatus 220 of the linear sketch system 300 according to the present example embodiment differ in processing of the sketch composition part 223 from the operation of the reconstruction apparatus 220 of the linear sketch system according to the fourth example embodiment described with reference to
In the present example embodiment, a sketch composition part 223 of the reconstruction apparatus 220 calculates difference between
the first sketch s=(s1, . . . , sC-1) and
the second sketch s′=(s′1, . . . , s′C-1)
for each component, to obtain a composite sketch
t=(s1−s′1, . . . ,sC-1−s′C-1) (77).
It is evident that the linear sketch system according to the present example embodiment works correctly, because this operation allows the linear sketch system according to the third and fourth example embodiments work correctly.
The linear sketch system according to each example embodiment of the present invention can be used as a component element of a fuzzy signature. In particular, since the linear sketch system according to each example embodiment of the present invention handles fuzzy data that is matched based on a Hamming distance, it can be utilized for a fuzzy signature using a biometric feature value, matching of which is carried out based on a Hamming distance.
The disclosures in the above PTLs 1-3 and NPLs 1 and 2 are incorporated herein by reference thereto. Variations and adjustments of the example embodiments and examples are possible within the bounds of the entire disclosure (including the claims) of the present invention and based on the basic technical concept of the present invention. Various combinations and selections of various disclosed elements (including elements in the claims, example embodiments, examples, drawings, etc.) are possible within the bounds of the claims the present invention. Namely, the present invention, as a matter of course, includes various variations and modifications that could be made by those skilled in the art according to the entire disclosure including the claims and the technical concept.
This application is a National Stage Entry of PCT/JP2019/006971 filed on Feb. 25, 2019, the contents of all of which are incorporated herein by reference, in their entirety.
| Filing Document | Filing Date | Country | Kind |
|---|---|---|---|
| PCT/JP2019/006971 | 2/25/2019 | WO | 00 |
