The present invention relates to a matching system, a method, an apparatus, and a non-transitory medium storing a program.
For example, services for managing data by using computer resources connected to communication networks, such as cloud computing services, are widely used. Since highly confidential data is managed in this kind of service, security of the data needs to be guaranteed. Research and development have been conducted on techniques for managing encrypted data and performing, for example, search or statistical processing on the encrypted data in a network environment. In addition, biometric authentication techniques have attracted attention. In these techniques, high-security authentication is realized by using biometric information (biometric feature(s)) extracted from a biometric characteristic such as veins.
In biometric authentication techniques, a template is created based on biometric information, and the created template is stored in a database as a credential. In the biometric authentication techniques, when authentication information created based on an authentication target biometric characteristic is similar to (or matches) a template stored in the database, the authentication target is accepted. In the biometric authentication technique, when the authentication information is not similar to (does not match) any one of the templates, the authentication target is not accepted. Even when a plurality of items of authentication information are created from a single biometric characteristic, these items of authentication information are not necessarily identical to each other. However, by using a certain distance function, the distance between each pair of these items of authentication information is short. In contrast, when a plurality of items of authentication information are created from different biometric characteristics, the distance between each pair of items of authentication information is long. In the biometric authentication techniques, by using these properties, matching between the templates stored in the database and authentication information created by an authentication target is verified. For example, fingerprints, veins, etc. are examples of biometric characteristics and are considered as lifelong data. Leakage of biometric information to outside of the corresponding matching system results in significant damage. Thus, confidentiality of biometric information needs to be guaranteed. Therefore, a template-protection technique in which no biometric information is leaked to outside even if a template is leaked to outside of the corresponding matching system is important.
In addition, in a biometric authentication technique, as is the case with other authentication techniques, it is necessary to prevent a different person from impersonating a person whose authentication information has been registered (namely, “spoofing”). For example, an authentication scheme in which authentication succeeds with transmission of a specific value to a matching system, does not have sufficient resistance against spoofing. In addition, in an authentication technique, there is also a risk of eavesdropping (interception) of information being communicated. In an authentication technique, spoofing needs to be prevented even if information being communicated is eavesdropped. For example, an authentication scheme in which authentication succeeds with retransmitting data which was transmitted by a legitimate client before does not have sufficient resistance against spoofing.
For example, PTL 1 discloses a method and an apparatus that perform processing for: converting registered information of a user that has been encrypted by using an encryption algorithm capable of calculating a Hamming distance in an encrypted state so that a calculation result of a Hamming distance between the registered information and matching information that has been encrypted by using the encryption algorithm includes a Hamming distance between the matching information and the user and a Hamming distance between the matching information and another person different from the user; calculating a Hamming distance between an input matching information and the transformed registered information; and determining whether the input matching information is incorrect based on a comparison result between a predetermined threshold and the Hamming distance between the matching information and the user and the Hamming distance between the matching information and the another person different from the user included in the calculated Hamming distance.
In PTL 2, in a secure biometric authentication system and a secure tag search system using a homomorphic encryption, when vector data A=(a1, a2, . . . ) is encrypted by a homomorphic encryption, each component ai is encrypted to generate encrypted vector data E(A)=(E(a1), E(a2), . . . ), and a distance (for example, the Hamming distance) between the encrypted vector data E(A)=(E(a1), E(a2), . . . ) and encrypted vector data E(B)=(E(b1), E(b2), . . . ) is calculated with the encrypted data being kept in an encrypted state. PTL 2 states that, when each component of the vector data is encrypted by using a homomorphic encryption in this way, the encrypted vector data E(A)=(E(a1), E(a2), . . . ), E(B)=(E(b1), E(b2), . . . ), etc. result in a large size and a considerable amount of calculation time is needed for secure distance calculation. PTL 2 discloses a configuration of reducing both the size of the encrypted vector data and the time needed for the secure distance calculation.
PTL 3 discloses a method for easily canceling encrypted information in an encryption processing system using a homomorphic encryption. PTL 3 discloses a method including: acquiring a first polynomial by converting first data by using a first transformation polynomial; acquiring a second polynomial by converting a formula obtained based on a random number corresponding to the first data and second data by using a second transformation polynomial; acquiring a random polynomial by converting the random number by using at least one of the first and second transformation polynomials; encrypting the first polynomial, the second polynomial, and the random number polynomial by using a homomorphic encryption scheme to acquire the encrypted first polynomial, the encrypted second polynomial, and the encrypted random number polynomial; and performing matching between the first and second data by using the encrypted first polynomial, the encrypted second polynomial, and the encrypted random number polynomial.
In addition, PTL 4 discloses a technique using a more general homomorphic encryption scheme in a system in which intervention of a trusted third party is introduced.
In addition, PTL 5 discloses a technique in which a template size does not depend on a parameter having a width in an acceptable range and load on a third party is small. However, in this scheme, a distance between registered biometric information and matching target biometric information is revealed to the third person. A malicious third person can conduct an attack (a hill-climbing attack) by using the distance obtained in the matching processing.
In addition, NPL 1 proposes a scheme that satisfies all of the following three security properties, which are security against an attacker who colludes with a server and a user, security against an attacker who colludes with a decryptor and a user, and security against an eavesdropper who impersonates a user.
The following describes notation for an encryption algorithm, etc. used in the present description. First, public key encryption will be described. A public key encryption scheme is expressed by three algorithms (Gen, Enc, Dec) of key generation, encryption, and decryption.
Based on a security parameter 1^κ, the key generation algorithm (which will be referred to as “Gen”) outputs a public key pk and a secret key sk.
On input of the public key pk and a plaintext m, the encryption algorithm (which will be referred to as “Enc”) outputs a ciphertext c.
On input of the secret key sk and the ciphertext c, the decryption algorithm (which will be referred to as “Dec”) outputs a decryption result m′.
For example, when obvious from a context, pk and sk could be omitted in the present description, drawings, etc. Homomorphic encryption is public key encryption that enables, from ciphertexts of a plurality of plaintexts, calculation of a ciphertext corresponding to an operation result of the plaintexts. For example, “additive homomorphic encryption” enables, from ciphertexts Enc(m1), . . . , Enc(mn) of plaintexts m1, . . . , mn, calculation of a ciphertext Enc(m1+ . . . +mn) corresponding to a sum of the plaintexts without using a secret key.
The following gives analysis of the related technologies.
PTLs 2 and 3 have a problem in resistance against spoofing attacks by eavesdroppers. In addition, PTLs 2, 3, and 5 need somewhat homomorphic encryption or pairing calculation. The somewhat homomorphic encryption has problems in that the processing load for calculation is heavier than that of an additive homomorphic encryption and requires a stronger assumption, for example.
In addition, in the disclosure of NPL 1, the present inventors have found that, when biometric information is a binary vector (a binary code string), protection (resistance) against spoofing attacks by eavesdroppers, etc. needs to be improved. In addition, the present inventors have found a technique applicable to 1:N authentication, which will be proposed below.
A principal object of the present invention is to provide a matching system, a method, a matching apparatus, and a non-transitory medium, each making it possible to avoid leakage, spoofing, etc. in matching between binary vectors and to enhance security.
According to an aspect of the present invention, a matching system includes:
According to another aspect of the present invention, there is provided a matching method, including:
According to another aspect of the present invention, there is provided a matching apparatus including:
According to still another aspect of the present invention, there is provided a program causing a computer of a matching apparatus to perform processing comprising
According to the present invention, there is provided a non-transitory computer-readable recording medium in which the above program is stored, such as a semiconductor storage (for example, a RAM (random access memory), a ROM (read-only memory), or an EEPROM (electrically erasable and programmable ROM)), an HDD (hard disk drive), a CD (compact disc), or a DVD (digital versatile disc).
The present invention can avoid leakage of a binary vector, spoofing, etc. regarding matching between binary vectors and enhance security. Still other features and advantages of the present invention will become readily apparent to those skilled in this art from the following detailed description in conjunction with the accompanying drawings where only exemplary embodiments of the invention are shown and described, simply by way of illustration of the best mode contemplated of carrying out this invention. As will be realized, the invention is capable of other and different embodiments, and its several details are capable of modifications in various obvious respects, all without departing from the invention. Accordingly, the drawing and description are to be regarded as illustrative in nature, and not as restrictive.
<Basic Mode>
In the case of 1:N authentication, in response to a matching request from the matching request apparatus 120, the matching apparatus 140 generates random numbers (for example, ai, bi, and ri in
The matching request apparatus 120 generates encrypted data (for example, Enc(SΣi (1−2xi)yi) in
Based on encrypted data (Enc(Σixi) in
the encrypted data (for example, Enc(SΣi (1−2xi)yi) in
the random number(s) (for example, S in
Based on a value (dH (X, Y)) obtained by decrypting the encrypted data (for example, Enc(dH (X, Y)) in
the verification apparatus 150 determines whether a count number of mismatched elements between the second binary vector (Y) and the first binary vector (X) is less than or equal to a predetermined number. The verification apparatus 150 outputs a verification result (acceptance or rejection). The verification apparatus 150 may transmit the verification result (acceptance or rejection) to the matching apparatus 140 as a response to the query, and the matching apparatus 140 may transmit the verification result (acceptance or rejection) to the matching request apparatus 120.
A registration request apparatus 110 transmits at least one of encrypted data (Enc(xi) (i=1, . . . , n)) of individual elements {xi} (i=1, . . . , n) of the registration target first binary vector X and the first evaluated values (operation results) of the individual elements (for example, Enc(1−2xi) (i=1, . . . , n) in
The registration request apparatus 110 and the matching request apparatus 120 may constitute a client for registration and a client for authentication, respectively. The registration and authentication clients may be integrally formed as a single unit (apparatus) that performs both the registration and matching. Alternatively, the registration and authentication clients may be separately formed as different units (apparatuses) that perform the registration and matching, respectively. The storage apparatus 130 and the matching apparatus 140 may be formed respectively as servers (a database server and an authentication server) that perform registration and matching processing in response to a request from a client. The storage apparatus 130 and the matching apparatus 140 may be integrally formed as a single server.
<First Mode>
According to a mode of the present invention, with reference to
Σ[i=1 to n]O(i)=O(1)+ . . . +O(n)
The matching apparatus 140 may generate, in response to a matching request from the matching request apparatus 120, a random number (S) and obtain second encrypted data (Enc(pk, S(1−2x1)), . . . , Enc(pk, S(1−2xn))) by multiplying the first encrypted data (Enc(pk, (1−2xi))) (i=1, . . . , n) by the random number S through a scalar operation with the first encrypted data being kept in an encrypted state. The matching apparatus 140 may transmit the second encrypted data (Enc(pk, S(1−2x1)), . . . , Enc(pk, S(1−2xn))) to the matching request apparatus 120.
The matching request apparatus 120 calculates third encrypted data (Enc(pk, SΣ[i=1 to n] (1−2xi)yi)), which is a sum of values obtained by multiplying the second encrypted data (Enc(pk, S(1−2x1)), . . . , Enc(pk, S(1−2xn))) transmitted from the matching apparatus 140 by the individual elements {yi}(i=1, . . . , n) of the registration target n-dimensional second binary vector Y=[y1, . . . , yn] through a scalar operation. The matching request apparatus 120 transmits the third encrypted data (Enc(pk, SΣ[i=1 to n] (1−2xi)yi)) to the matching apparatus 140.
The matching apparatus 140 calculates the fourth encrypted data (Enc(pk, Σ[i=1 to n] (1−2xi)yi)) by removing the random number (S) from the third encrypted data (Enc(pk, SΣ[i=1 to n] (1−2xi)yi)) transmitted from the matching request apparatus 120. Specifically, the matching apparatus 140 calculates the fourth encrypted data (Enc(pk, Σ[i=1 to n] (1−2xi)yi)) by multiplying the third encrypted data by the reciprocal (S^(−1)) of the random number (S) (^ denotes an exponentiation operator) through a scalar operation. As a result, the random number (S) is removed from the third encrypted data. The matching apparatus 140 obtains encrypted data (Enc(pk, dH (X, Y))=Enc(pk, (Σ[i=1 to n]xi)+(Σ[i=1 to n] (1−2xi)yi))) of the distance between the first and second binary vectors by adding the fourth encrypted data (Enc(pk, Σ[i=1 to n] (1−2xi)yi)) and the fifth encrypted data (Enc(pk, Σ[i=1 to n]xi)) registered in the storage apparatus 130 (homomorphic addition) with the encrypted data being kept in an encrypted state. Next, the matching apparatus 140 transmits the encrypted data (Enc(pk, dH (X, Y))) of the distance between the first and second binary vectors to the verification apparatus 150 as a query.
The verification apparatus 150 decrypts the encrypted data (Enc(pk, dH (X, Y))) by using a secret key (sk) (Dec(sk, Enc(pk, dH (X, Y)))). Next, the verification apparatus 150 outputs acceptance or rejection based on the comparison between the Hamming distance (dH (X, Y)) between the first and second binary vectors obtained as a result of the decryption and a threshold t (dH (X, Y)<=t).
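The first-mode exchange described above can be traced end to end with the following added example, which is not code from the patent. It assumes Paillier as the additive homomorphic scheme (the description only requires additive homomorphism), uses a constructed toy key, and its function names are hypothetical; it also shows that a response blinded under an earlier S does not unblind to the distance in a later session.

```python
import math
import secrets

# Toy Paillier key (constructed for this example; far too small for real use).
P, Q = 2**31 - 1, 2**61 - 1                          # two Mersenne primes
N = P * Q                                            # public key pk
N2 = N * N
LAM = (P - 1) * (Q - 1) // math.gcd(P - 1, Q - 1)    # secret key sk
MU = pow(LAM, -1, N)


def _unit():
    """Random element of Z_N that is invertible modulo N."""
    while True:
        r = secrets.randbelow(N)
        if r > 1 and math.gcd(r, N) == 1:
            return r


def enc(m):
    """Enc(pk, m) with g = N + 1; a negative m is reduced modulo N."""
    return (1 + (m % N) * N) % N2 * pow(_unit(), N, N2) % N2


def dec(c):
    """Dec(sk, c): plaintext in [0, N)."""
    return (pow(c, LAM, N2) - 1) // N * MU % N


def add(c1, c2):
    """Homomorphic addition: Enc(a), Enc(b) -> Enc(a + b)."""
    return c1 * c2 % N2


def scal(c, k):
    """Scalar operation: Enc(a), k -> Enc(k * a)."""
    return pow(c, k % N, N2)


def register(x):
    """Registration request apparatus 110: Enc(1-2xi) and Enc(sum xi)."""
    return {"first": [enc(1 - 2 * xi) for xi in x], "fifth": enc(sum(x))}


def challenge(template):
    """Matching apparatus 140: fresh S and second encrypted data Enc(S(1-2xi))."""
    s = _unit()                      # invertible, so S^(-1) exists modulo N
    return s, [scal(c, s) for c in template["first"]]


def respond(second, y):
    """Matching request apparatus 120: Enc(S * sum (1-2xi) yi)."""
    third = enc(0)                   # fresh randomness for the response
    for c, yi in zip(second, y):
        third = add(third, scal(c, yi))
    return third


def unblind(template, s, third):
    """Matching apparatus 140: remove S, then add Enc(sum xi)."""
    fourth = scal(third, pow(s, -1, N))
    return add(fourth, template["fifth"])        # Enc(dH(X, Y))


def verify(query, t):
    """Verification apparatus 150: decrypt and compare with threshold t."""
    return dec(query) <= t


def run_session(template, y, t):
    """One matching request; also returns the response seen on the wire."""
    s, second = challenge(template)
    third = respond(second, y)
    return verify(unblind(template, s, third), t), third


if __name__ == "__main__":
    X = [1, 0, 1, 1, 0, 0, 1, 0]                 # constructed sample vectors
    template = register(X)
    accepted, wire = run_session(template, [1, 0, 1, 0, 0, 0, 1, 0], t=2)
    print("close vector accepted:", accepted)
    print("far vector accepted:",
          run_session(template, [0, 1, 0, 0, 1, 1, 0, 1], t=2)[0])
    s_new, _ = challenge(template)               # a later session, new S
    print("old response accepted:",
          verify(unblind(template, s_new, wire), t=2))
```
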
<First Mode: Variation 1>
Alternatively, according to the mode of the present invention, with reference to
The matching apparatus 140 generates, in response to a matching request from the matching request apparatus 120, a random number (S), and calculates third encrypted data (Enc(pk, S(1−2x1)), . . . , Enc(pk, S(1−2xn))) by performing a scalar operation of the first encrypted data and the random number (S) with the first encrypted data being kept in an encrypted state. Next, the matching apparatus 140 transmits the third encrypted data to the matching request apparatus 120.
The matching request apparatus 120 calculates fourth encrypted data (Enc(pk, SΣ[i=1 to n] (1−2xi)yi)), which is a sum of values obtained by multiplying each element of the third encrypted data transmitted from the matching apparatus 140, with each element being kept in an encrypted state, by each element of the registration target second binary vector through a scalar operation. The matching request apparatus 120 transmits the fourth encrypted data to the matching apparatus 140. The subsequent processing of the matching apparatus 140 and the verification apparatus 150 is the same as that in the above first mode.
<First Mode: Variation 2>
Alternatively, according to the mode of the present invention, with reference to
The matching apparatus 140 calculates, in response to a matching request from the matching request apparatus 120, first encrypted data (Enc(pk, (1−2x1)), . . . , Enc(pk, (1−2xn))) and second encrypted data (Enc(pk, Σ[i=1 to n]xi)) of the first calculated values (1−2xi) (i=1, . . . , n), and the second calculated value (Σ[i=1 to n] xi) on individual elements {xi} of the first binary vector with the encrypted data (Enc(pk, xi)) (i=1, . . . , n) of the individual elements {xi} of the first binary vector being kept in an encrypted state. The matching apparatus 140 also generates a random number (S) and calculates the third encrypted data (Enc(pk, S(1−2x1)), . . . , Enc(pk, S(1−2xn))) by performing a scalar operation of multiplication of the random number (S) to the first encrypted data (Enc(pk, (1−2x1)), . . . , Enc(pk, (1−2xn))). Next, the matching apparatus 140 transmits the third encrypted data (Enc(pk, S(1−2x1)), . . . , Enc(pk, S(1−2xn))) to the matching request apparatus 120.
The matching request apparatus 120 calculates the fourth encrypted data (Enc(pk, SΣ[i=1 to n] (1−2xi)yi)), which is a sum of values obtained by multiplying individual elements of the third encrypted data (Enc(pk, S(1−2xi))) (i=1, . . . , n) transmitted from the matching apparatus 140 by individual elements {yi} (i=1, . . . , n) of the matching target second binary vector Y=[y1, . . . , yn] using a scalar operation with the third encrypted data being kept in an encrypted state. Next, the matching request apparatus 120 transmits the fourth encrypted data (Enc(pk, SΣ[i=1 to n] (1−2xi)yi)) to the matching apparatus 140. The subsequent processing of the matching apparatus 140 and the verification apparatus 150 is the same as that in the above first mode.
<Second Mode>
According to a second mode of the present invention, a first transformation function f1 that is applied to a registration target n-dimensional binary vector X=[x1, . . . , xn] is preset in the registration request apparatus 110, and a second transformation function f2 that is applied to a matching target n-dimensional binary vector Y=[y1, . . . , yn] is preset in the matching request apparatus 120.
For example, the first transformation function f1 is given as,
A=f1(X)=FX+d
where A is an n-dimensional transformed value vector, F is an n×n transformation matrix in which a transformation coefficient {ai,j} (i=1, . . . , n, j=1, . . . , n) is an element in i-th row and j-th column of the matrix, and d is an n-dimensional vector (offset) with transformation coefficients {ai,n+1} (i=1, . . . , n).
For example, the second transformation function f2 is given as,
B=f2(Y)=EY
where B is an n-dimensional transformed value vector and E is an n×n transformation matrix in which a transformation coefficient {bi,j} (i=1, . . . , n, j=1, . . . , n) is an element in i-th row and j-th column of the matrix. In the registration request apparatus 110, the first transformation function f1 may be implemented as a subroutine that uses the binary vector X as an input parameter and the transformed value vector A as an output parameter. In the matching request apparatus 120, the second transformation function f2 may be implemented as a subroutine that uses the binary vector Y as an input parameter and the transformed value vector B as an output parameter. The second mode will hereinafter be described with reference to
The registration request apparatus 110 calculates the transformed value vector [A1, . . . , An] by applying the first transformation function f1 to the registration target binary vector X.
[A1, . . . ,An]T=f1[x1, . . . ,xn]T
where superscript T is a transpose operator.
The registration request apparatus 110 generates, as first templates, encrypted data Enc(pk, A1), . . . , Enc(pk, An) by encrypting the first transformed values Ai (i=1, . . . , n) by using a public key (pk). The registration request apparatus 110 transmits the encrypted data Enc(pk, A1), . . . , Enc(pk, An) to the storage apparatus 130. In addition, the registration request apparatus 110 also transmits encrypted data (Enc(pk, x1), . . . , Enc(pk, xn)) obtained by encrypting individual elements {xi} (i=1, . . . , n) of the first binary vector X=[x1, . . . , xn] by using the public key (pk) to the storage apparatus 130.
On reception of a matching request from the matching request apparatus 120, the matching apparatus 140 gets the encrypted data (Enc(pk, A1), . . . , Enc(pk, An)) of the first transformed values from the storage apparatus 130. In addition, the matching apparatus 140 gets the encrypted data (Enc(pk, x1), . . . , Enc(pk, xn)) from the storage apparatus 130. The matching apparatus 140 obtains encrypted data (Enc(pk, Σ[i=1 to n] xi)) of a sum of individual elements {xi} of the first binary vector X=[x1, . . . , xn]. In addition, the matching apparatus 140 generates a random number (S) and obtains encrypted data (Enc(pk, SA1), . . . , Enc(pk, SAn)) by multiplying the random number (S) to individual elements of the encrypted data (Enc(pk, A1), . . . , Enc(pk, An)) of the first transformed values through a scalar operation. Next, the matching apparatus 140 transmits the calculated encrypted data (Enc(pk, SA1), . . . , Enc(pk, SAn)) to the matching request apparatus 120.
The matching request apparatus 120 calculates the second transformed values (B1, . . . , Bn) by applying the second transformation function f2 to an extracted matching target n-dimensional binary vector Y=[y1, . . . , yn]. Next, the matching request apparatus 120 performs calculation of the encrypted data Enc(pk, SAi) (i=1, . . . , n) received from the matching apparatus 140 in an encrypted state and the second transformed values (Bi) (i=1, . . . , n). Specifically, the matching request apparatus 120 multiplies the n first transformed values (transformed vector) [A1, . . . , An] by the random number to obtain values [SA1, . . . , SAn] and obtains encrypted data (Enc(pk, Σ[i=1 to n] SAi Bi)) of a sum of values obtained by multiplying the values [SA1, . . . , SAn] by elements of the second transformed values (transformation vector) [B1, . . . , Bn]. Next, the matching request apparatus 120 transmits the encrypted data (Enc(pk, Σ[i=1 to n]SAiBi)) to the matching apparatus 140 as a response.
The matching apparatus 140 performs a scalar operation of a reciprocal (S^(−1)) of the random number (S) to the response (encrypted data) (Enc(pk, Σ[i=1 to n] SAi Bi)) to remove the random number (S) from the response. Namely, the matching apparatus 140 obtains encrypted data (Enc(pk, Σ[i=1 to n]Ai Bi)) which is a sum of values obtained by multiplying elements of the n first transformed values (transformed vector) [A1, . . . , An] by elements of the second transformed values (transformed vector) [B1, . . . , Bn] (encrypted data of an inner product of the vectors A and B). The matching apparatus 140 obtains encrypted data by addition of the encrypted data (Enc(pk, Σ[i=1 to n]Ai Bi)) and the encrypted data (second template) (Enc(pk, Σ[i=1 to n] xi)) registered in the storage apparatus 130 in an encrypted state. The encrypted data is encrypted data Enc(pk, dH (X, Y)) of a Hamming distance dH (X, Y) between the vectors X and Y.
The n(n+1) transformation coefficients {ai,j} (i=1, . . . , n, j=1, . . . , n+1) corresponding to the first transformation function f1 and the n^2 transformation coefficients {bi,j} (i, j=1, . . . , n) corresponding to the second transformation function f2 are set so that the first and second transformed values Ai and Bi (i=1, . . . , n) satisfy Σ[i=1 to n]AiBi=Σ[i=1 to n] (1−2xi)yi.
That is, a value (Σ[i=1 to n]Ai Bi+Σ[i=1 to n]xi) obtained by addition of an inner product of the vectors A and B and Σ[i=1 to n] xi is given as
Σ[i=1 to n](1−2xi)yi+Σ[i=1 to n]xi
which corresponds to a Hamming distance dH (X, Y) between the vectors X and Y. Namely, Σ[i=1 to n]AiBi is a first divided value of the Hamming distance dH (X, Y) between the binary vectors X and Y, and Σ[i=1 to n]xi is a second divided value of the Hamming distance dH (X, Y).
The matching apparatus 140 transmits the encrypted data Enc(pk, dH (X, Y)) of the Hamming distance dH (X, Y) between the vectors X and Y to the verification apparatus 150.
The verification apparatus 150 decrypts the encrypted data Enc(pk, dH (X, Y)) by using a secret key sk. If the decrypted Hamming distance dH (X, Y) between the vectors X and Y is less than or equal to a threshold t, the verification apparatus 150 determines acceptance.
<Second Mode: Variation 1>
Alternatively, according to the mode of the present invention, with reference to
The storage apparatus 130 obtains the encrypted data (Enc(pk, xi)) (i=1, . . . , n) of individual elements {xi} (i=1, . . . , n) of the first binary vector X=[x1, . . . , xn] and obtains the encrypted data (Enc(pk, Σ[i=1 to n] xi)) of a sum of individual elements {xi} of the first binary vector X=[x1, . . . , xn]. In addition, the storage apparatus 130 has means for calculating encrypted data Enc(pk, Ai) (i=1, . . . , n) of n first transformed values {Ai} (i=1, . . . , n) by applying the first transformation function f1 to the first binary vector X with the individual elements {xi} (i=1, . . . , n) of the first binary vector X in an encrypted state. The storage apparatus 130 holds the encrypted data (Enc(pk, Ai) (i=1, . . . , n)) of the n first transformed values and the encrypted data (Enc(pk, Σ[i=1 to n]xi)) of a sum of the elements of the first binary vector.
On reception of a matching request from the matching request apparatus 120, the matching apparatus 140 obtains the encrypted data of the n first transformed values from the storage apparatus 130 and generates a random number (S). The matching apparatus 140 obtains encrypted data (Enc(pk, SAi) (i=1, . . . , n)) by multiplying the random number S to the individual elements of the encrypted data of the n first transformed values through a scalar operation. Next, the matching apparatus 140 transmits the encrypted data (Enc(pk, SAi) (i=1, . . . , n)) to the matching request apparatus 120.
The matching request apparatus 120 obtains n second transformed values (transformed vector) [B1, . . . , Bn] by applying the second transformation function f2 to a matching target n-dimensional second binary vector Y=[y1, . . . , yn]. In addition, the matching request apparatus 120, by performing a scalar operation of the encrypted data (Enc(pk, SAi)) (i=1, . . . , n) in an encrypted state, which has been received from the matching apparatus 140, obtains encrypted data Enc(pk, SAi Bi) (i=1, . . . , n) which is a multiplication result of the second transformed values (Bi) to a result of multiplying the first transformed value (Ai) by the random number (S). The matching request apparatus 120 transmits a sum of these encrypted data (Enc(pk, Σ[i=1 to n]SAiBi)) to the matching apparatus 140, as a response.
The matching apparatus 140 multiplies a reciprocal of the random number S to the response (Enc(pk, Σ[i=1 to n] SAi Bi)) through a scalar operation to remove the random number S from the response. Namely, the matching apparatus 140 obtains encrypted data (Enc(pk, Σ[i=1 to n]Ai Bi)) of a sum of values obtained by multiplying the n first transformed values (transformed vector) [A1, . . . , An] by the second transformed values (transformed vector) [B1, . . . , Bn] (encrypted data of the inner product of the vectors A and B). The matching apparatus 140 calculates addition of the encrypted data (Enc(pk, Σ[i=1 to n]Ai Bi)) of the inner product of the vectors A and B and the encrypted data (second template) (Enc(pk, Σ[i=1 to n]xi)) registered in the storage apparatus 130 (homomorphic addition). The following equation holds.
(Σ[i=1 to n]AiBi)+(Σ[i=1 to n]xi)=(Σ[i=1 to n](1−2xi)yi)+(Σ[i=1 to n]xi)
Namely, addition of the encrypted data (Enc(pk, Σ[i=1 to n]Ai Bi)) and the encrypted data (second template) (Enc(pk, Σ[i=1 to n]xi)) is equal to the encrypted data of the Hamming distance dH (X, Y) between the binary vectors X and Y. The matching apparatus 140 transmits the encrypted data of the Hamming distance between the binary vectors X and Y to the verification apparatus 150. The verification apparatus 150 decrypts the encrypted data of the Hamming distance between the binary vectors X and Y by using a secret key sk. The verification apparatus 150 determines whether the decrypted value (Hamming distance) is less than or equal to a threshold t. If the decrypted value is less than or equal to the threshold t, the verification apparatus 150 determines acceptance. If the decrypted value is over the threshold t, the verification apparatus 150 determines rejection.
<Second Mode: Variation 2>
Alternatively, according to a further mode of the present invention, with reference to
On reception of a matching request from the matching request apparatus 120, the matching apparatus 140 gets the encrypted data (Enc(pk, xi))(i=1, . . . , n) of the individual elements {xi} of the first binary vector X=[x1, . . . , xn] from the storage apparatus 130 and obtains the encrypted data (Enc(pk, Σ[i=1 to n] xi)) of a sum of the elements {xi} of the first binary vector X. It is noted that the storage apparatus 130 may be configured to obtain the encrypted data (Enc(pk, Σ[i=1 to n] xi)) of a sum of the individual elements {xi} of the first binary vector X.
The matching apparatus 140 includes means that obtains encrypted data Enc(pk, Ai) (i=1, . . . , n) of the n first transformed values {Ai} (i=1, . . . , n) by applying the first transformation function f1 to the encrypted data (Enc(pk, xi)) (i=1, . . . , n) of individual elements {xi} of the first binary vector X=[x1, . . . , xn]. In addition, the matching apparatus 140 generates a random number (S) and obtains the encrypted data Enc(pk, SAi) (i=1, . . . , n) by performing a scalar operation of the random number (S) to the individual elements of the encrypted data of the n first transformed values. Next, the matching apparatus 140 transmits the encrypted data Enc(pk, SAi) (i=1, . . . , n) to the matching request apparatus 120.
The matching request apparatus 120 calculates the n second transformed values (transformed vector) [B1, . . . , Bn] by applying the second transformation function f2 to a matching target n-dimensional second binary vector Y=[y1, . . . , yn]. The matching request apparatus 120 performs a scalar operation to the encrypted data Enc(pk, SAi) (i=1, . . . , n) in an encrypted state which is received from the matching apparatus 140 to obtain encrypted data Enc(pk, SAi Bi) (i=1, . . . , n) of a result of multiplication of the second transformed values (Bi) (i=1, . . . , n) to the encrypted data Enc(pk, SAi) (i=1, . . . , n). Next, the matching request apparatus 120 transmits a sum (Enc(pk, Σ[i=1 to n] SAi Bi)) of the encrypted data (Enc(pk, SAi Bi)) (i=1, . . . , n) to the matching apparatus 140 as a response. The subsequent processing of the matching apparatus 140 and the verification apparatus 150 is the same as that in the above second mode.
<Second Mode (First Mode): Variation 3>
Alternatively, according to a further mode of the present invention, with reference to
On reception of a matching request from the matching request apparatus 120, the matching apparatus 140 gets the encrypted data (Enc(pk, xi)) (i=1, . . . , n) of the individual elements of the n-dimensional first binary vector from the storage apparatus 130 and obtains the encrypted data (Enc(pk, Σ[i=1 to n] xi)) of a sum of individual elements {xi} of the first binary vector X. It is noted that the storage apparatus 130 may be configured to calculate the encrypted data (Enc(pk, Σ[i=1 to n] xi)) of a sum of the individual elements {xi} of the first binary vector X=[x1, . . . , xn]. The matching apparatus 140 generates a first group of transformation coefficients {ai,j} (i=1, . . . , n, j=1, . . . , n+1) of the first transformation function f1. The matching apparatus 140 obtains the encrypted data Enc(pk, Ai) (i=1, . . . , n) of the n first transformed values {Ai} (i=1, . . . , n) based on the first group of n(n+1) transformation coefficients {ai,j} (i=1, . . . , n, j=1, . . . , n+1) and the encrypted data of the individual elements {xi} of the first binary vector X=[x1, . . . , xn]. In addition, the matching apparatus 140 generates a random number (S) and performs a scalar operation of the random number (S) to individual elements of the encrypted data Enc(pk, Ai) (i=1, . . . , n) of the n first transformed values {Ai} (i=1, . . . , n) to obtain encrypted data Enc(pk, SAi) (i=1, . . . , n). Next, the matching apparatus 140 transmits the encrypted data Enc(pk, SAi) (i=1, . . . , n) to the matching request apparatus 120. In addition, the matching apparatus 140 transmits a second group of n×n transformation coefficients {bi,j}(i, j=1, . . . , n) used to generate the first group of n(n+1)transformation coefficients {ai,j} (i=1, . . . , n, j=1, . . . , n+1) to the matching request apparatus 120.
The matching request apparatus 120 calculates the n second transformed values (B1, . . . , Bn), which are a result of an operation in which the second transformation function f2 including the second group of n×n transformation coefficients {bi,j} (i, j=1, . . . , n) transmitted from the matching apparatus 140 is applied to a matching target n-dimensional second binary vector Y=[y1, . . . , yn]. The matching request apparatus 120 performs a scalar operation to the encrypted data Enc(pk, SAi) (i=1, . . . , n) in an encrypted state which is received from the matching apparatus 140 to obtain encrypted data (Enc(pk, SAi Bi)) (i=1, . . . , n) of a result of multiplication of the second transformed values (Bi) (i=1, . . . , n) to the encrypted data Enc(pk, SAi) (i=1, . . . , n). Next, the matching request apparatus 120 transmits a sum (Enc(pk, Σ[i=1 to n] SAi Bi)) of these encrypted data (Enc(pk, SAi Bi)) (i=1, . . . , n) to the matching apparatus 140 as a response. The subsequent processing of the matching apparatus 140 and the verification apparatus 150 is the same as that in the above second mode.
<Third Mode>
According to a third mode of the present invention, with reference to
On reception of a matching request from a matching request apparatus 120, the matching apparatus 140 generates first to third random numbers (bi, ai, and ri) (i=1, . . . , n). The matching request apparatus 120 transmits encrypted data of the first random number {bi}(i=1, . . . , n) to the matching request apparatus 120. The matching request apparatus 120 performs a scalar operation of individual elements {yi} of a matching target binary vector Y=[y1, . . . , yn] to the encrypted data (Enc(pk, bi)) (i=1, . . . , n) of the first random number {bi}, to obtain second encrypted data (Enc(pk, bi (2yi−1))) (i=1, . . . , n). Next, the matching request apparatus 120 transmits the second encrypted data (Enc(pk, bi (2yi−1))) (i=1, . . . , n) to the matching apparatus 140.
Based on the second encrypted data (Enc(pk, bi (2yi−1))) (i=1, . . . , n) from the matching request apparatus 120,
The verification apparatus 150 obtains a first decryption result (za) and a second decryption result (zb) by decrypting the third encrypted data (Enc(pk, ai (2xi−1))) and the fourth encrypted data (Enc(pk, bi ri (2yi−1))) by using a secret key (sk). The verification apparatus 150 calculates hash values (H(zazb)) of the product of the first and second decryption results. Next, the verification apparatus 150 determines whether a count number of mismatched elements between the hash values H((za zb)) and the hash values (H(ai bi ri)) received from the matching apparatus 140 is less than or equal to a predetermined value. If the number of mismatched elements is less than or equal to the predetermined value, the verification apparatus 150 determines acceptance. Otherwise, the verification apparatus 150 determines rejection.
<Third Mode; Variation 1>
According to a variation of a third mode, with reference to
On reception of a matching request from the matching request apparatus 120, the matching apparatus 140 generates the first to third random numbers (bi, ai, and ri) (i=1, . . . , n). In addition, the matching apparatus 140 receives the encrypted data (Enc(pk, xi)) (i=1, . . . , n) from the storage apparatus 130 and generates first encrypted data (Enc(pk, (2xi−1))) (i=1, . . . , n) through a scalar operation and an additive homomorphic operation with the encrypted data (Enc(pk, xi)) (i=1, . . . , n) being kept in an encrypted state. The matching apparatus 140 transmits encrypted data (Enc(pk, bi)) (i=1, . . . , n) of the first random number {bi} (i=1, . . . , n) to the matching request apparatus 120. The matching request apparatus 120 obtains second encrypted data (Enc(pk, bi(2yi−1))) (i=1, . . . , n) by performing a scalar operation of an operation result (2yi−1) (i=1, . . . , n) of each of elements {yi} of a matching target binary vector Y=[y1, . . . , yn] to the encrypted data (Enc(pk, bi)) (i=1, . . . , n) of the first random number. Next, the matching request apparatus 120 transmits the second encrypted data (Enc(pk, bi(2yi−1))) (i=1, . . . , n) to the matching apparatus 140. The subsequent processing of the matching apparatus 140 and the verification apparatus 150 is the same as that in the above third mode. Alternatively, the storage apparatus 130 may receive the encrypted data (Enc(pk, xi)) (i=1, . . . , n) from the registration request apparatus 110, generate the first encrypted data (Enc(pk, (2xi−1))) (i=1, . . . , n) through a scalar operation and an additive homomorphic operation with the encrypted data (Enc(pk, xi)) (i=1, . . . , n) being kept in an encrypted state, and hold the resultant data as registered data.
<Third Mode: Variation 2>
In variation 2 of the third mode of the present invention, with reference to
The storage apparatus 130 includes means that generates random numbers (ci) (i=1, . . . , n) (ci∈Fq) for the respective encrypted data (Enc(pk, (2xi−1))) (i=1, . . . , n) of the first calculated values of the individual elements {xi} (i=1, . . . , n) of the first binary vector X=[x1, . . . , xn] and generates encrypted data (Enc(pk, ci (2xi−1))) (i=1, . . . , n) obtained by performing a scalar operation of each random number ci (i=1, . . . , n) to the encrypted data (Enc(pk, (2xi−1))) (i=1, . . . , n). In addition, the storage apparatus 130 includes means that generates hash values (H(ci^2)) of the squares (ci^2) of the respective random number ci. The storage apparatus 130 transmits the encrypted data (Enc(pk, ci (2xi−1))) (i=1, . . . , n) obtained by multiplying each random number ci (i=1, . . . , n) to the encrypted data (Enc(pk, (2xi−1))) (i=1, . . . , n) through a scalar operation and the hash values (H(ci^2)) (i=1, . . . , n) to the verification apparatus 150.
The verification apparatus 150 decrypts the encrypted data (Enc(pk, ci (2xi−1))) (i=1, . . . , n) transmitted from the storage apparatus 130 by using a secret key (sk) and obtains hash values (H(zi^2)) of the individual decrypted values (zi). The verification apparatus 150 determines whether the hash values (H(zi^2)) of the individual decrypted values (zi) match the respective hash values (H(ci^2)) transmitted from the storage apparatus 130. For example, if there is any mismatched hash value, the verification apparatus 150 determines rejection. Only when all the hash values match their respective hash values, the verification apparatus 150 determines acceptance. If the verification result from the verification apparatus 150 indicates acceptance, the storage apparatus 130 holds the encrypted data of the first calculated values.
<Fourth Mode>
In a fourth mode of the present invention, with reference to
On reception of a matching request from the matching request apparatus 120, the matching apparatus 140 generates first and second random numbers (bi and ai) (i=1, . . . , n). The matching apparatus 140 transmits encrypted data (Enc(pk, bi)) (i=1, . . . , n) obtained by encrypting the first random number {bi} (i=1, . . . , n) by using the public key (pk) to the matching request apparatus 120.
The matching request apparatus 120 obtains encrypted data (Enc(pk, (2yi−1))) (i=1, . . . , n) by encrypting calculated values (2yi−1) (i=1, . . . , n) about individual elements {yi} of a matching target binary vector Y=[y1, . . . , yn] by using the public key (pk). In addition, the matching request apparatus 120 calculates second encrypted data (Enc(pk, bi(2yi−1))) (i=1, . . . , n) by multiplying the encrypted data Enc(pk, bi) (i=1, . . . , n) of the first random number {bi} in an encrypted state to the encrypted data (Enc(pk, (2yi−1))) (i=1, . . . , n). Next, the matching request apparatus 120 transmits the second encrypted data (Enc(pk, bi (2yi−1))) (i=1, . . . , n) to the matching apparatus 140.
The matching apparatus 140 multiplies the generated second random numbers {ai} (i=1, . . . , n) and the first encrypted data (Enc(pk, (2xi−1))) (i=1, . . . , n) transmitted from storage apparatus 130, to obtain encrypted data (Enc(pk, ai(2xi−1))) (i=1, . . . , n). The matching apparatus 140 multiplies the encrypted data (Enc(pk, ai(2xi−1))) (i=1, . . . , n) and the second encrypted data (Enc(pk, bi (2yi−1))) (i=1, . . . , n) transmitted from the matching request apparatus 120, for example, in an encrypted state (a multiplicative homomorphic operation), to obtain encrypted data (Enc(pk, aibi (2xi−1)(2yi−1))). In addition, the matching apparatus 140 generates hash values (H(ai bi)) of products (ai bi) (i=1, . . . , n) of the first and second random numbers. Next, the matching apparatus 140 transmits the calculated encrypted data (Enc(pk, aibi (2xi−1)(2yi−1))) and the hash values (H(ai bi)) to the verification apparatus 150. In this transmission of the encrypted data (Enc(pk, aibi (2xi−1)(2yi−1))) and the hash values (H(ai bi)) (i=1, . . . , n), the matching apparatus 140 may shuffle the sequence relating to the index i.
The verification apparatus 150 decrypts the encrypted data (Enc(pk, aibi (2xi−1)(2yi−1))) (i=1, . . . , n) by using a secret key (sk) to obtain decryption results (zi) (i=1, . . . , n). The verification apparatus 150 calculates hash values (H(zi)) of the decrypted values (zi) (i=1, . . . , n). The verification apparatus 150 determines whether a count number of mismatched elements between the hash values (H(zi)) (i=1, . . . , n) and the hash values (H(ai bi)) (i=1, . . . , n) received from the matching apparatus 140 is less than or equal to a predetermined value.
For example, if the number of mismatched elements is less than or equal to the predetermined value, the verification apparatus 150 determines acceptance. Otherwise, the verification apparatus 150 determines rejection.
<Fourth Mode: Variation>
In a variation of the fourth mode of the present invention, with reference to
The storage apparatus 130 includes means that generates random numbers (ci) (i=1, . . . , n) (ci∈Fq) for the respective encrypted data (Enc(pk, (2xi−1))) (i=1, . . . , n) of the first calculated values of the individual elements x of the first binary vector X=[x1, . . . , xn] and generates the encrypted data (Enc(pk, ci (2xi−1))) (i=1, . . . , n) by multiplying the encrypted data Enc(pk, ci) of the random numbers (ci) to the encrypted data (Enc(pk, (2xi−1))) (i=1, . . . , n). In addition, the storage apparatus 130 includes means that generates hash values H(ci^2) of the squares of the respective random numbers (ci). The storage apparatus 130 transmits the encrypted data (Enc(pk, ci (2xi−1))) (i=1, . . . , n) and the hash values (H(ci^2)) (i=1, . . . , n) to the verification apparatus 150.
The verification apparatus 150 decrypts the encrypted data (Enc(pk, ci (2xi−1))) (i=1, . . . , n) transmitted from the storage apparatus 130 by using a secret key (sk). Next, the verification apparatus 150 calculates hash values (H(zi^2)) (i=1, . . . , n) of the decrypted values (zi) of the encrypted data (Enc(pk, ci (2xi−1))) (i=1, . . . , n). The verification apparatus 150 determines whether the hash values (H(zi^2)) (i=1, . . . , n) match the respective hash values (H(ci^2)) (i=1, . . . , n) transmitted from the storage apparatus 130. For example, if there is any mismatched hash value, the verification apparatus 150 determines rejection. Only when all the hash values match their respective hash values, the verification apparatus 150 determines acceptance. If the verification result outputted from the verification apparatus 150 indicates acceptance, the storage apparatus 130 holds the encrypted data (Enc(pk, (2xi−1))) (i=1, . . . , n) of the first calculated values.
A comparative example will hereinafter be described before description of example embodiments of the present invention.
First, an operation of an individual algorithm of Modified-Elgamal encryption will be described. First, the key generation algorithm receives a security parameter 1^κ as input data.
Next, a group G whose order is a κ-bit prime q and its generator g are generated. Next, x∈Fq={0, 1, . . . , q−1} is randomly selected, and h=g^x is set (^ denotes an exponentiation operator).
Finally, a public key pk=(g, h=g^x) and a secret key sk=x are outputted.
First, the encryption algorithm receives the public key pk and a message m as input data.
Next, a random number r∈Fq is randomly selected.
Next, C[0]=g^r and C[1]=h^r·g^m are calculated.
Finally, a ciphertext C=(C[0], C[1]) is outputted.
First, the decryption algorithm receives the secret key sk=x and the ciphertext C=(C[0], C[1]) as input data.
Next, as a decryption result, M=C[1]/(C[0]^x) is outputted.
For a ciphertext of a certain message m,
Enc(pk,m)=(C[0],C[1])=(g^r,h^r·g^m),
the following relationship holds.
Dec(sk,(c[0],c[1]))=c[1]/(c[0]^x)=g^m
The decryption algorithm may output g^m, instead of the message m. Use of the Modified-Elgamal encryption enables calculation of ciphertexts in an encrypted state corresponding to addition of plaintexts or enables calculation of a ciphertext in an encrypted state corresponding to multiplication of a plaintext by a constant.
In the case of addition, when a public key pk=(g, h=g^x), and ciphertexts of two messages m and m′ are given as,
C=Enc(pk,m)=(C[0],C[1])=(g^r,h^r·g^m), and
C′=Enc(pk,m′)=(C′[0],C′[1])=(g^r′,h^r′·g^m′),
the following holds.
(C[0]·C′[0],C[1]·C′[1])=(g^{r+r′},h^{r+r′}·g^{m+m′})=Enc(pk,m+m′)
In the case of multiplication by a constant, when the public key pk=(g, h=g^x), an arbitrary constant z, and a ciphertext c=Enc(pk, m)=(c[0], c[1])=(g^r, h^r·g^m) are given, the following holds.
(c[0]^z,c[1]^z)=(g^{zr},h^{zr}·g^{zm})=Enc(pk,zm)
That is, for Enc(pk, x)=C, Enc(pk, x′)=C′, and an integer z, if addition and scalar operation are defined as
Add(C,C′)=(C[0]·C′[0],C[1]·C′[1]) and
Scl(z,C)=(C[0]^z,C[1]^z),
the following holds.
Add(C,C′)=Enc(pk,x+x′ mod q), and
Scl(z,C)=Enc(pk,zx mod q)
where “x+x′ mod q” and “zx mod q” are results obtained by calculating x+x′ and zx on a field Fq.
The following comparative example is based on the disclosure of NPL 1.
The registration target data is expressed as an n-dimensional vector X=[x1, . . . , xn]∈{0, 1, . . . , l}^n
where n denotes a predetermined value (a natural number) and xi (i=1, . . . , n) is any value (for example, an integer) from 0 to l.
The target data to be matched (authenticated) is given as Y=[y1, . . . , yn]∈{0, 1, . . . , l}^n
where {yi} (i=1, . . . , n) is any value (for example, an integer) from 0 to l.
The processing in the matching system is basically divided into
The following distance: dE2 (X, Y) between the registered data (an n-dimensional vector) and the matching target data (an n-dimensional vector) is divided as follows.
Regarding the registered data X=[x1, . . . , xn], a registration request apparatus 110 transmits the following data as a template to a storage apparatus 130:
the encrypted data
Enc(pk, xi) (i=1, . . . , n) of the n elements xi (i=1, . . . , n); and
the encrypted data
of a sum
of the squares of the n elements xi (S101).
The storage apparatus 130 stores
Enc(pk, xi) (i=1, . . . , n), and
in association with a registration identifier Id (Identity), etc.
The matching request apparatus 120, when the matching target data Y=[y1, . . . , yn] is to be matched, transmits a matching request to a matching apparatus 140 (S102).
The matching apparatus 140 obtains the registered template Enc(pk, x1), . . . , Enc(pk, xn), and
from the storage apparatus 130 based on a user ID (S103).
The matching apparatus 140 generates a random number S (S104), creates encrypted data
Enc(pk,Sx1), . . . ,Enc(pk,Sxn)
by multiplying the random number S to the registered template Enc(pk, xi) (i=1, . . . , n) through a scalar operation, and transmits the created encrypted data to the matching request apparatus 120 (S105).
Preferably, each time, the matching apparatus 140 selects a different number as the random number
S∈Fq={0,1, . . . ,q−1}.
The matching apparatus 140 does not transmit the encrypted data
(a second template) of
to the matching request apparatus 120.
From the matching target data Y=[y1, . . . , yn], the matching request apparatus 120 calculates
Next, the matching request apparatus 120, by performing a scalar operation to the received Enc(pk, S),
generates
More specifically, it is assumed that the encrypted data of the random number S that the matching request apparatus 120 has received is given as
Enc(pk,S)=C=(g^r,g^S·h^r)=(C[0],C[1]) (6)
For Enc(pk, S)=C=(C[0], C[1]), the matching request apparatus 120 calculates the following.
This is equivalent to
in Expression (5).
In addition, the matching request apparatus 120 multiplies, through a scalar operation, each of elements {yi} of the matching target vector to n {Enc(pk, Sxi)}i (i=1, . . . , n) received from the matching apparatus 140:
Scl((−2yi),Enc(pk,Sxi))(i=1, . . . ,n)
and obtains the following n encrypted data.
Enc(pk,(−2yi)Sxi)=Enc(pk,−2Sxiyi)(i=1, . . . ,n) (8)
The matching request apparatus 120 performs an additive operation of the homomorphic encryption to obtain
Next, the matching request apparatus 120 performs a homomorphic addition of the above and
to obtain
and transmit the obtained encrypted data to the matching apparatus 140 (S106).
The matching apparatus 140 performs a scalar operation of a reciprocal of S (S^(−1)=S^(q−2) mod q) to the received encrypted data Enc(pk, SD2)
Scl(S^(−1),Enc(pk,SD2)) (12)
Based on the following relationship,
Scl(S^(−1),Enc(pk,SD2))=Enc(pk,S^(−1)SD2)=Enc(pk,D2) (13)
the matching apparatus 140 calculates
From the registered templates
the matching apparatus 140 performs an additive homomorphic operation to obtain the encrypted data of the distance dE2 (X, Y) as follows.
The matching apparatus 140 transmits the encrypted data Enc(pk, dE2(X, Y)) to the verification apparatus 150 (S107).
The verification apparatus 150 decrypts the encrypted data Enc(pk, dE2 (X, Y)) of the distance by using the secret key sk to obtain
Dec(sk,Enc(pk,dE2(X,Y)))=dE2(X,Y).
Next, the verification apparatus 150 determines whether the distance dE2(X, Y) is less than or equal to a predetermined threshold=t (S108). In the Modified-Elgamal encryption, the decryption result is g^(dE2(X, Y)), and whether this matches any one of g^0, g^1, . . . , and g^t is determined.
The verification apparatus 150 may transmit the verification result (acceptance/rejection) to the matching apparatus 140 (S109).
The Hamming distance between binary vectors can be calculated by the same method used to calculate a Euclidean distance between multivalued vectors. Thus, a system in which the above multivalued-vector-type biometric information is matched by using the Euclidean distance dE2 (X, Y) seems to be capable of handling binary-vector-type biometric information.
In the case of the individual elements xi of the binary vector X=[x1, . . . , xn]∈{0,1}^n, the following holds.
xi^2=xi (i=1, . . . ,n) (16)
Thus, Enc(pk, Sxi^2) can be calculated from {Enc(pk, Sxi)} received in S106 in
As described above, the matching apparatus 140 performs a scalar operation of a reciprocal S^(−1) of S to Enc(pk, SD2) transmitted from the matching request apparatus 120 to calculate Enc(pk, D2), calculates Enc(pk, D1)+Enc(pk, D2) by performing an additive homomorphic operation, and transmits the result to the verification apparatus 150 as the encrypted distance Enc(pk, dE2 (X, Y)). In the case of the binary-vector type biometric information,
if xi∈{0,1}, xi^2=xi.
Thus, in the matching request apparatus 120, the encrypted data Enc(pk, Sxi) received from the matching apparatus 140 matches Enc(pk, Sxi^2).
In addition, with reference to
and transmits the result to the matching apparatus 140.
Namely, the matching request apparatus 120 obtains Enc(pk, cS) by performing a scalar operation Scl(c, Enc(pk, S)).
Furthermore, since the following holds,
the following is calculated.
Next, from the following scalar operation
the following is calculated.
By adding the above Expression (21) to Enc(pk, cS) in an encrypted state, the following is calculated.
The matching apparatus 140 handles
transmitted from the matching request apparatus 120, as Enc(pk, SD2) transmitted from the matching request apparatus 120 and calculates Enc(pk, D2) by performing a scalar operation of a reciprocal S^(−1) of S to the encrypted data. Next, by performing an additive homomorphic operation, the matching apparatus 140 transmits a sum of Enc(pk, D2) and Enc(pk, D1) to the verification apparatus 150 as an encrypted distance Enc(pk, dE2 (X, Y)).
In this case, Enc(pk, dE2(X, Y)) that the matching apparatus 140 transmits to the verification apparatus 150 is given as follows.
The verification apparatus 150 decrypts Enc(pk, dE2(X, Y)) by using the secret key sk. The verification apparatus 150 determines whether the decryption result (g^c) matches any one of g^0, g^1, . . . , and g^t (t is a threshold) and outputs the determination result as a verification result (acceptance if the decryption result (g^c) matches any one of g^0, g^1, . . . , and g^t).
Thus, by selecting c that is less than or equal to t in the matching request apparatus 120, the distance between the registered biometric information X and the biometric information Y used in authentication is calculated as follows.
D1+D2=c<=t (24)
Thus, in the example in
As described above, when the biometric information is a binary vector, an eavesdropper can impersonate an arbitrary user.
Irises (iris codes), palm prints (competitive codes), etc. are widely known as binary-vector-type biometric information having a very low error rate. Whether two items of biometric information have been extracted from the same person is determined by the Hamming distance between the two items of biometric information. Namely, if the Hamming distance is less than or equal to a threshold, the two items of biometric information are determined to have been extracted from the same person. Otherwise, the two items of biometric information are determined to have been extracted from different persons. Hereinafter, some example embodiments will be described with reference to drawings.
X=[x1, . . . ,xn]∈{0,1}^n and
Y=[y1, . . . ,yn]∈{0,1}^n
is divided as follows.
As described above, D1 does not depend on the values of the matching target vector Y.
A public key and a secret key are generated (S10) in the preparation phase as described above.
Based on the binary vector X=[x1, . . . , xn]∈{0, 1}, the registration request apparatus 110 transmits the following encrypted data to the storage apparatus 130 (S11).
The storage apparatus 130 holds the encrypted data
in association with a registration identifier Id.
The matching apparatus 140 receives a matching request from the matching request apparatus 120 (S12). The matching apparatus 140 receives the encrypted data Enc(pk, 1−2x1), . . . , Enc(pk, 1−2xn) stored in association with the Id from the storage apparatus 130 (S13). The matching apparatus 140 generates a random number S (S14).
Next, by performing a scalar operation Scl(S, Enc(pk, 1−2xi)) (i=1, . . . n) by using the random number S, the matching apparatus 140 calculates the following encrypted data.
Enc(pk,S(1-2xi))(i=1, . . . ,n) (30)
The matching apparatus 140 transmits the encrypted data Enc(pk, S(1-2xi)) (i=1, . . . , n) to the matching request apparatus 120 (S15).
From Y=[y1, . . . , yn]∈{0, 1}^n and the encrypted data Enc(pk, S(1−2xi)) (i=1, . . . , n) received from the matching apparatus 140, the matching request apparatus 120 performs a scalar operation Scl(yi, Enc(pk, S(1−2xi))), to calculate the following encrypted data.
Enc(pk,S(1-2xi)yi)(i=1, . . . ,n) (31)
Next, by adding these encrypted data, the matching request apparatus 120 calculates the following encrypted data.
The matching request apparatus 120 transmits Enc(pk, SD2) to the matching apparatus 140 (S16).
The matching apparatus 140 does not transmit Enc(pk, S) to the matching request apparatus 120. Thus, the matching request apparatus 120 cannot calculate the following encrypted data.
Thus, the client cannot falsify the Hamming distance.
The matching apparatus 140 performs a scalar operation of the reciprocal S^(−1) of the random number S to the encrypted data
transmitted from the matching request apparatus 120.
The matching apparatus 140 consequently calculates the following encrypted data.
The matching apparatus 140 adds the following template (36) registered in the storage apparatus 130 to Enc(pk, D2) in Expression (35).
to calculate the following encrypted Hamming distance.
Enc(pk,dH(X,Y))=Enc(pk,D1)+Enc(pk,D2) (37)
The matching apparatus 140 transmits the encrypted Hamming distance Enc(pk, dH(X, Y)) to the verification apparatus 150 (S17).
The verification apparatus 150 decrypts Enc(pk, dH (X, Y)) by using the secret key sk. The verification apparatus 150 determines whether the decryption result (dH (X, Y)) matches any one of g^0, g^1, . . . , and g^t (t is a threshold) (S18). The verification apparatus 150 outputs the determination result as the verification result (acceptance if the decryption result matches any one of g^0, g^1, . . . , and g^t) (S19).
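The Modified-Elgamal operations (Enc, Dec, Add, Scl) and the matching flow S11 to S19 described above can be traced in the following Python sketch, which is an added example and not part of the original document. The toy group (p=2039, q=1019, g=4), the function names and the sample vectors are constructed for illustration, and the second template is assumed to be Enc(pk, D1) with D1 the sum of the xi, as Expression (37) and the second-mode description indicate.

```python
import secrets

# Toy parameters constructed for this example: P = 2Q + 1 with P and Q prime,
# and G = 4 generating the subgroup of prime order Q. Far too small for real use.
P, Q, G = 2039, 1019, 4


def keygen():
    """Key generation: pk = (g, h = g^x), sk = x."""
    x = secrets.randbelow(Q - 1) + 1
    return (G, pow(G, x, P)), x


def enc(pk, m):
    """Enc(pk, m) = (g^r, h^r * g^m); m is reduced into Fq."""
    g, h = pk
    r = secrets.randbelow(Q)
    return pow(g, r, P), pow(h, r, P) * pow(g, m % Q, P) % P


def dec(sk, c):
    """Dec(sk, C) = C[1] / C[0]^x = g^m (the exponent m itself is not recovered)."""
    # C[0] lies in the order-Q subgroup, so C[0]^(Q - x) equals C[0]^(-x).
    return c[1] * pow(c[0], Q - sk, P) % P


def add(c, d):
    """Add(C, C') = Enc(pk, m + m' mod q)."""
    return c[0] * d[0] % P, c[1] * d[1] % P


def scl(z, c):
    """Scl(z, C) = Enc(pk, z*m mod q)."""
    z %= Q
    return pow(c[0], z, P), pow(c[1], z, P)


def register(pk, X):
    """S11, registration request apparatus 110: template for a binary vector X."""
    first = [enc(pk, 1 - 2 * x) for x in X]   # Enc(pk, 1-2xi)
    second = enc(pk, sum(X))                  # Enc(pk, D1), D1 = sum of xi (assumption)
    return first, second


def challenge(template):
    """S14-S15, matching apparatus 140: blind with a fresh non-zero S.
    Only Enc(pk, S(1-2xi)) leaves this function; Enc(pk, S) is never sent."""
    S = secrets.randbelow(Q - 1) + 1
    return S, [scl(S, c) for c in template[0]]


def respond(pk, blinded, Y):
    """S16, matching request apparatus 120: Enc(pk, S*D2), D2 = sum of (1-2xi)*yi."""
    acc = enc(pk, 0)
    for c, y in zip(blinded, Y):
        acc = add(acc, scl(y, c))
    return acc


def encrypted_distance(template, S, response):
    """S17, matching apparatus 140: strip S, then add Enc(pk, D1) (Expression (37))."""
    s_inv = pow(S, Q - 2, Q)                  # S^(-1) = S^(q-2) mod q
    return add(template[1], scl(s_inv, response))


def verify(sk, c, t):
    """S18-S19, verification apparatus 150: accept iff g^dH is one of g^0..g^t."""
    z = dec(sk, c)
    return any(z == pow(G, d, P) for d in range(t + 1))


def run_match(X, Y, t):
    """One full registration and matching round; returns the accept/reject decision."""
    pk, sk = keygen()
    template = register(pk, X)
    S, blinded = challenge(template)
    response = respond(pk, blinded, Y)
    return verify(sk, encrypted_distance(template, S, response), t)


# Constructed sample vectors (n = 16): Y_NEAR differs from X in 2 positions, Y_FAR in 9.
X = [1, 0, 1, 1, 0, 0, 1, 0, 1, 1, 0, 1, 0, 0, 1, 0]
Y_NEAR = [1, 1, 1, 1, 0, 0, 1, 0, 1, 1, 0, 1, 0, 0, 0, 0]
Y_FAR = [0, 1, 0, 0, 1, 1, 0, 1, 0, 1, 0, 1, 0, 0, 1, 0]

if __name__ == "__main__":
    print("near:", run_match(X, Y_NEAR, 3), "far:", run_match(X, Y_FAR, 3))
```

The verifier only ever compares g^dH against g^0, . . . , g^t, so n must stay below q for the comparison to be unambiguous.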
The registration request apparatus 110 includes a registration target information extraction unit 111, a template generation unit 112, and a communication unit 113.
The storage apparatus 130 includes, in addition to a storage apparatus that holds information, an operation part that processes the information. Namely, the storage apparatus 130 includes an identifier management unit 131, a registration target data generation unit 132, a registered data storage unit 133, a registered data search unit 134, and a communication unit 135.
The matching request apparatus 120 includes a matching request generation unit 121, a matching target information extraction unit 122, a response generation unit 123, and a communication unit 124.
The matching apparatus 140 includes a registered data acquisition unit 141, a random number generation unit 142, an encrypted data generation unit 143, an encrypted distance calculation unit 144, a query generation unit 145, and a communication unit 146.
The verification apparatus 150 includes a key generation unit 151, a decryption key storage unit 152, a query determination unit 153, a verification result generation unit 154, and a communication unit 155.
For example, the registration request apparatus 110 and the storage apparatus 130, the storage apparatus 130 and the matching apparatus 140, the matching request apparatus 120 and the matching apparatus 140, and the matching apparatus 140 and the verification apparatus 150 may be connected to each other via respective communication units (each of which includes a transmitter (an interface) and a receiver (an interface) not illustrated) of these apparatuses and a communication network (for example, a local area network (LAN) or a wide area network (WAN)). Alternatively, at least two of the registration request apparatus 110, the storage apparatus 130, the matching apparatus 140, the matching request apparatus 120, and the verification apparatus 150 may be implemented in a single unit, and these apparatuses may be connected to each other by a bus (an inter-apparatus bus or an intra-apparatus bus) in the unit. For example, the verification apparatus 150 generates an encryption key and a decryption key based on a homomorphic encryption scheme, and the registration request apparatus 110, the storage apparatus 130, the matching apparatus 140, and the matching request apparatus 120 are configured to be able to obtain the public key (the encryption key) disseminated by the verification apparatus 150.
In the matching system 100, the registration request apparatus 110 and the matching request apparatus 120 may collectively be referred to as a “first node”. In the matching system 100, the storage apparatus 130 and the matching apparatus 140 may collectively be referred to as a “second node”. In addition, in the matching system 100, the verification apparatus 150 may be referred to as a “third node”. For example, the registration request apparatus 110 and the matching request apparatus 120 may be configured as a client apparatus, and the storage apparatus 130 and the matching apparatus 140 may be configured as a server apparatus. In addition, the verification apparatus 150 may be configured as a decryption apparatus that is connected to the server apparatus.
An operation in the matching system 100 according to the present example embodiment will be described. Processing in the matching system 100 according to the first example embodiment of the present invention will be described.
The processing in the matching system 100 is basically divided into:
First, an outline of the processing in the individual phase will be described. In the matching system 100 according to the first example embodiment of the present invention, a homomorphic encryption scheme having a homomorphic property in addition and a scalar operation is used. For convenience of description, as the encryption scheme, the Modified-Elgamal encryption described above is used. Alternatively, elliptic Elgamal encryption or Paillier encryption may be used.
The elliptic Elgamal encryption is defined over a group on an elliptic curve over a finite field.
<Key Generation>: Parameters a, b, p, and q of an elliptic curve and a base point G on the elliptic curve are received as input data, and a public key pk=(G, H=x(*)G) and a secret key sk=x are outputted. A message space is a field Fq={0, 1, . . . , q−1}. In general, a prime equal to or more than 128 bits is selected as q.
<Encryption>: The public key pk and a message m∈Fq are received as input data, a random number r∈Fq is selected, and the following ciphertext is outputted.
C=(C[0]=r(*)G,C[1]=(m(*)G)(+)(r(*)H)) (38)
Namely, the following is satisfied.
C[1]=(m+rx)(*)G (39)
<Decryption>: The secret key sk and the ciphertext C=(C[0], C[1]) are received as input data, and the following M is outputted.
M=C[1](−)(sk(*)C[0]). (40)
Namely, the following relationship is satisfied.
C[1](−)(sk(*)C[0])=(m+rx)(*)G(−)x(*)(r(*)G)=m(*)G (41)
The decryption algorithm may return m(*)G, instead of the message m.
In each of the above algorithms, the following notation is used.
Addition of points A and B on an elliptic curve: A(+)B
Subtraction of a point B from a point A on an elliptic curve: A(−)B
Multiplication of a point A on an elliptic curve by z: z(*)A
In the preparation phase, mainly, a public key and a secret key are generated by using a security parameter 1^κ.
In the registration phase, mainly, a template is created by encrypting an extracted registration target vector by using the public key (encryption key) generated in the preparation phase and is stored.
In the matching phase, mainly, a distance between a newly extracted matching target vector and a single registered vector is calculated by using the secret key (decryption key) generated in the preparation phase.
Next, processing that the matching system 100 performs in the individual phases described above will be described in detail.
The key generation unit 151 in the verification apparatus 150 receives a security parameter and generates an encryption key (a public key) pk and a decryption key (a secret key) sk by using the received security parameter, for example, in accordance with the key generation algorithm (step A1). The generated encryption key and decryption key are compliant with a public key encryption scheme (for example, the Modified-Elgamal encryption) having a homomorphic property of addition and scalar multiplication.
The key generation unit 151 disseminates the generated encryption key pk in the matching system 100 (step A2).
The key generation unit 151 stores the generated decryption key sk in the decryption key storage unit 152 (step A3).
The processing that the matching system 100 according to the present example embodiment performs in the preparation phase is, as a matter of course, not limited to the mode illustrated as an example in
The registration target information extraction unit 111 in the registration request apparatus 110 extracts biometric information
X=[x[1], . . . ,x[n]]
(which will be referred to as a “registration target vector”) from a registration target biometric characteristic (step B1). Herein, the notation x[i] (i=1, . . . , n) in which the suffix i of xi (i=1, . . . , n) is included in a bracket will be used, simply for clarification of operational expressions.
Next, the template generation unit 112 in the registration request apparatus 110 generates the following n templates obtained by encrypting 1−2x[i] (i=1, . . . , n) by using the encryption key pk (step B2).
Enc(pk,1−2x[1]), . . . ,Enc(pk,1−2x[n]) (42)
The ciphertexts calculated in step B2 will also be referred to as “first templates”.
Next, the template generation unit 112 in the registration request apparatus 110 generates a single template by encrypting x[1]+ . . . +x[n] by using the encryption key pk (step B3).
Enc(pk,x[1]+ . . . +x[n]) (43)
The ciphertext calculated in step B3 will also be referred to as a “second template”.
Enc(pk,1−2x[1])(=C1[1]),
. . . ,
Enc(pk,1−2x[n])(=C1[n]),
Enc(pk,x[1]+ . . . +x[n])(=CC1) (44)
In the Modified-Elgamal encryption, the template generation unit 112 selects a plurality of values r1[1], . . . , r1[n] and rr1 from Zq.
The template generation unit 112 reads the generator g and the value h from the public key pk and creates the following ciphertexts for the binary vector X.
(g^{r1[1]},g^{1−2x[1]}×h^{r1[1]})=(C1[1][0],C1[1][1])(=C1[1])
. . . ,
(g^{r1[n]},g^{1−2x[n]}×h^{r1[n]})=(C1[n][0],C1[n][1])(=C1[n])
(g^{rr1},g^{x[1]+ . . . +x[n]}×h^{rr1})=(CC1[0],CC1[1])(=CC1) (45)
Next, the template generation unit 112 in the registration request apparatus 110 combines the first templates and the second template to create the following template (step B4).
(C1[1], . . . ,C1[n],CC1) (46)
The communication unit 113 in the registration request apparatus 110 transmits the template
(C1[1], . . . ,C1[n],CC1)
to the storage apparatus 130 (step B5).
The communication unit 135 in the storage apparatus 130 receives the template
(C1[1], . . . ,C1[n],CC1) from the registration request apparatus 110 (step B6).
The identifier management unit 131 in the storage apparatus 130 determines a unique registration identifier id for the template received from the registration request apparatus 110 (step B7).
The communication unit 135 in the storage apparatus 130 transmits the registration identifier id to the registration request apparatus 110 (step B8).
Next, the communication unit 113 in the registration request apparatus 110 receives the registration identifier id from the storage apparatus 130 (step B9).
The registration request apparatus 110 displays the received registration identifier id on a user interface (UI) such as a display (step B10). Alternatively, the registration request apparatus 110 may store the received registration identifier id in an IC (integrated circuit) card such as an employee card or an identifier card.
Next, the registration target data generation unit 132 in the storage apparatus 130 combines the template and the registration identifier id as registration target data (step B11).
(C1[1], . . . ,C1[n],CC1,id) (47)
The registration target data generation unit 132 stores the registration target data in the registered data storage unit 133 in the storage apparatus 130 (step B12).
The processing that the matching system 100 according to the present example embodiment performs in the registration phase is not limited to the mode illustrated as an example in
The matching request apparatus 120 receives an identifier (which will be referred to as a “matching identifier”) of a matching (authentication) target (step C1).
Next, the matching request generation unit 121 in the matching request apparatus 120 generates a matching request including the received matching identifier (step C2).
The communication unit 124 in the matching request apparatus 120 transmits the matching request to the matching apparatus 140 (step C3).
The communication unit 146 in the matching apparatus 140 receives the matching request from the matching request apparatus 120 (step C4).
Next, the registered data acquisition unit 141 in the matching apparatus 140 generates a registered data request including the matching identifier included in the matching request transmitted from the matching request apparatus 120 (step C5).
The communication unit 146 in the matching apparatus 140 transmits the registered data request to the storage apparatus 130 (step C6).
Next, the communication unit 135 in the storage apparatus 130 receives the registered data request from the matching apparatus 140 (step C7).
The registered data search unit 134 in the storage apparatus 130 determines the registered data (which will also be referred to as a “target template”) including the matching identifier included in the registered data request (step C8) from the registered data stored in the registered data storage unit 133.
The communication unit 135 in the storage apparatus 130 transmits the template:
Enc(pk,1−2x[1])(=C1[1]),
. . . ,
Enc(pk,1−2x[n])(=C1[n])
Enc(pk,x[1]+ . . . +x[n])(=CC1) (48)
to the matching apparatus 140 (step C9).
The communication unit 146 in the matching apparatus 140 receives the template from the storage apparatus 130 (step C10).
The random number generation unit 142 in the matching apparatus 140 generates an integer (a random number) S∈Fq in accordance with a pseudo random number generation procedure (step C11).
Preferably, the random number generation unit 142 generates a different random number S each time a matching request is made.
Next, the encrypted data generation unit 143 in the matching apparatus 140, using an additive homomorphic scalar operation rule, performs, for the n first templates:
Enc(pk,1−2x[1])(=C1[1]),
. . . ,
Enc(pk,1−2x[n])(=C1[n])
a scalar operation of S: Scl(S, Enc(pk, 1−2x[1])), . . . , Scl(S, Enc(pk, 1−2x[n])),
to generate n encrypted data (which will also be referred to as “challenge”) (step C12).
Enc(pk,S(1−2x[1]))(=C2[1]),
. . . ,
Enc(pk,S(1−2x[n]))(=C2[n]) (49)
That is, for
C1[1]=(g^{r1[1]},g^{(1−2x[1])}×h^{r1[1]})=(C1[1][0],C1[1][1]),
(C1[1][0]^S,C1[1][1]^S)=C2[1] is obtained.
For C1[n]=(g^{r1[n]},g^{(1−2x[n])}×h^{r1[n]})=(C1[n][0],C1[n][1]),
(C1[n][0]^S,C1[n][1]^S)=C2[n] is obtained. (50)
The communication unit 146 in the matching apparatus 140 transmits the encrypted data (C2[1], . . . , C2[n]) to the matching request apparatus 120 (step C13).
The matching request apparatus 120 receives the encrypted data transmitted from the matching apparatus 140 in step C13 (step C14).
Next, the matching target information extraction unit 122 in the matching request apparatus 120 extracts a matching target vector
Y=(y[1],y[2], . . . ,y[n])
from the authentication target biometric characteristic (step C15).
Next, the response generation unit 123 in the matching request apparatus 120, using a scalar operation and an addition of an additive homomorphic operation, from
Enc(pk,S(1−2x[1]))(=C2[1]),
. . . ,
Enc(pk,S(1−2x[n]))(=C2[n])
generates the following encrypted response (step C16).
(denoted as CC2)
That is, the response generation unit 123 in the matching request apparatus 120 generates Enc(pk, S(1−2x[1])y[1]) using a scalar operation Scl(y[1], Enc(pk, S(1−2x[1]))). Likewise, the response generation unit 123 generates Enc(pk, S(1−2x[n])y[n]) using Scl(y[n], Enc(pk, S(1−2x[n]))). Next, by adding these responses, the response generation unit 123 generates
Enc(pk,S((1−2x[1])y[1]+ . . . +(1−2x[n])y[n]))(=CC2).
Next, the communication unit 124 in the matching request apparatus 120 transmits the response CC2 to the matching apparatus 140 (step C17).
Next, the matching apparatus 140 receives the response CC2 from the matching request apparatus 120 (step C18).
Next, the encrypted distance calculation unit 144 in the matching apparatus 140 performs a scalar operation on Enc(pk, S((1−2x[1])y[1]+ . . . +(1−2x[n])y[n])) by using S^(−1) as follows.
Scl(S^(−1),Enc(pk,S((1−2x[1])y[1]+ . . . +(1−2x[n])y[n])))
As a result, the encrypted distance calculation unit 144 obtains the following encrypted data.
Enc(pk,((1−2x[1])y[1]+ . . . +(1−2x[n])y[n])) (52)
From this encrypted data and the second template Enc(pk, x[1]+ . . . +x[n])=Enc(pk, D1) received from the storage apparatus 130, the encrypted distance calculation unit 144 obtains an encrypted Hamming distance.
Next, the query generation unit 145 in the matching apparatus 140 generates a query including the encrypted distance Enc(pk, dH (X, Y)) (step C20).
The communication unit 146 in the matching apparatus 140 transmits the query to the verification apparatus 150 (step C21).
Next, the communication unit 155 in the verification apparatus 150 receives the query Enc(pk, f) from the matching apparatus 140 (step C24).
Next, the query determination unit 153 in the verification apparatus 150 decrypts the encrypted distance Enc(pk, dH (X, Y)) in the query by using the secret key sk.
Dec(sk,Enc(pk,dH(X,Y)))=g^{dH(X,Y)} (54)
Next, the verification result generation unit 154 in the verification apparatus 150 compares dH (X, Y) with the threshold t (step C23). The verification result generation unit 154 determines whether g^{dH(X, Y)} matches any one of g^0, g^1, . . . , g^t. If g^{dH(X, Y)} matches any one of g^0, g^1, . . . , g^t, the verification result generation unit 154 determines dH (X, Y)<=t and generates a verification result indicating acceptance. Otherwise, the verification result generation unit 154 determines dH (X, Y)>t and generates a verification result indicating rejection (step C24).
The verification apparatus 150 outputs the calculated verification result (step C25).
The processing that the matching system 100 according to the present example embodiment performs in the matching phase is not limited to the mode illustrated as an example in
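The preparation, registration, and matching phases above can be traced end to end in the following added example, which is not part of the original text. It uses a toy Modified-Elgamal group constructed for illustration; the function names are hypothetical, and the final combination assumes the identity dH(X, Y)=Σx[i]+Σ(1−2x[i])y[i] for binary vectors, evaluated by one homomorphic addition.

```python
import secrets

# Toy group, constructed for this example and far too small for real use:
# P = 2*Q + 1 is a safe prime and G = 4 generates the subgroup of prime order Q.
P, Q, G = 2039, 1019, 4

def keygen():
    """Verification apparatus 150 (steps A1-A3): returns (h = g^x, sk = x)."""
    x = secrets.randbelow(Q - 1) + 1
    return pow(G, x, P), x

def enc(h, m):
    """Enc(pk, m) = (g^r, g^m * h^r); the message sits in the exponent."""
    r = secrets.randbelow(Q)
    return pow(G, r, P), pow(G, m % Q, P) * pow(h, r, P) % P

def add(c, d):
    """Homomorphic addition: Enc(m1) and Enc(m2) give Enc(m1 + m2)."""
    return c[0] * d[0] % P, c[1] * d[1] % P

def scl(k, c):
    """Scalar operation Scl(k, Enc(m)) = Enc(k * m)."""
    k %= Q
    return pow(c[0], k, P), pow(c[1], k, P)

def dec(sk, c):
    """Returns g^m (not m): c1 * c0^(-sk), using c0^Q = 1."""
    return c[1] * pow(c[0], Q - sk, P) % P

def register(h, X):
    """Registration request apparatus 110 (steps B2-B4)."""
    first = [enc(h, 1 - 2 * x) for x in X]      # Enc(pk, 1-2x[i])
    second = enc(h, sum(X))                     # Enc(pk, x[1]+...+x[n])
    return first, second

def challenge(first):
    """Matching apparatus 140 (steps C11-C12): fresh S per request."""
    S = secrets.randbelow(Q - 1) + 1            # non-zero, so S^-1 exists
    return S, [scl(S, c) for c in first]        # Enc(pk, S(1-2x[i]))

def respond(chal, Y):
    """Matching request apparatus 120 (step C16): builds CC2."""
    acc = (1, 1)                                # neutral ciphertext, Enc of 0
    for c, y in zip(chal, Y):
        acc = add(acc, scl(y, c))               # adds Enc(pk, S(1-2x[i])y[i])
    return acc

def encrypted_distance(S, resp, second):
    """Matching apparatus 140: strip S, then add the second template."""
    s_inv = pow(S, Q - 2, Q)                    # S^-1 = S^(q-2) mod q
    return add(scl(s_inv, resp), second)        # Enc(pk, dH(X, Y))

def verify(sk, query, t):
    """Verification apparatus 150: accept iff g^dH is one of g^0..g^t."""
    gd = dec(sk, query)
    return any(gd == pow(G, d, P) for d in range(t + 1))

def run_matching(X, Y, t):
    """Runs all three phases once and returns the accept/reject decision."""
    h, sk = keygen()
    first, second = register(h, X)
    S, chal = challenge(first)
    resp = respond(chal, Y)
    return verify(sk, encrypted_distance(S, resp, second), t)

if __name__ == "__main__":
    X = [1, 0, 1, 1, 0, 0, 1, 0]                # constructed sample vectors
    Y = [1, 0, 0, 1, 0, 1, 1, 0]                # differs from X in 2 places
    print(run_matching(X, Y, 2), run_matching(X, Y, 1))
```

The decision is only meaningful while n is smaller than the group order, since the distance is recovered as a group element and compared against g^0 through g^t.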
In addition, in the matching system 100 according to the first example embodiment, even when authentication is performed on the same registered vector, the processing using a random number selected in step C11 in
In particular, the encrypted data (challenge) transmitted from the matching apparatus 140 to the matching request apparatus 120 does not include encrypted data Enc(pk, S) of a random number S. Thus, from the encrypted data Enc(pk, S(1−2x[1])), . . . , Enc(pk, S(1−2x[n])) transmitted from the matching apparatus 140 to the matching request apparatus 120, the matching request apparatus 120 cannot calculate
Enc(pk,(x[1]+ . . . +x[n])),
Enc(pk,S((x[1]+ . . . +x[n]))).
Thus, a Hamming distance between X and Y cannot be falsified, and no eavesdropper can impersonate a user.
In addition, the data received by the verification apparatus 150 having a secret key is a ciphertext of a Hamming distance between a registered vector and a matching target vector, and values of the registered vector and matching target vector are not disclosed. Thus, in the matching system 100 according to the first example embodiment, the verification apparatus can calculate a distance between the registered vector and the matching target vector, in such a condition wherein values other than a distance between the registered vector and matching target vector are not leaked to apparatuses other than the apparatuses that extract the respective vectors.
In addition, the matching system 100 according to the first example embodiment can be modified so that a Hamming distance between a registered vector and a matching target vector is not disclosed to the verification apparatus 150 having a decryption key. For example, by applying the same method as discussed in NPL 1, the matching system 100 can be modified to a scheme in which the verification apparatus 150 having the decryption key (secret key) cannot calculate the Hamming distance between the registered vector and the matching target vector. In the scheme in which the distance between the registered vector and the matching target vector is not disclosed to the verification apparatus 150 having the decryption key, since the verification apparatus 150 having the decryption key is prevented from calculating values of the registered vector even in a special situation, higher security can be achieved.
<Variation 1>
The registration request apparatus 110 transmits, as templates, Enc(pk, x1), . . . , Enc(pk, xn) to the storage apparatus 130, instead of Enc(pk, (1−2x1)), . . . , Enc(pk, (1−2xn)) (S11A).
By performing an additive homomorphic scalar operation and an addition operation on Enc(pk, x1), . . . , Enc(pk, xn), the storage apparatus 130 calculates and holds the following encrypted data (S11B).
Enc(pk,(1−2x1)), . . . ,Enc(pk,(1−2xn)) (55)
Enc(pk,x1+ . . . +xn) (56)
On reception of a matching request from the matching request apparatus 120 (S12), the matching apparatus 140 obtains
Enc(pk,(1−2x1)), . . . ,Enc(pk,(1−2xn)) and
Enc(pk, x1+ . . . +xn) from the storage apparatus 130 (S13). Since the subsequent processing is the same as that in
In
The registration target data generation unit 132 in the storage apparatus 130 calculates
Enc(pk,(1−2x1))=C1[1],
. . . ,
Enc(pk,(1−2xn))=C1[n] and Enc(pk,x1+ . . . +xn)=CC1
from Enc(pk, x1), . . . , Enc(pk, xn),
generates registration target data in association with a registration identifier id,
(C1[1], . . . , C1[n], CC1, id), and stores the registration target data in the registered data storage unit 133. According to variation 1, the registration request apparatus 110 has less processing load.
<Variation 2>
As in variation 1, the registration request apparatus 110 transmits, as templates, Enc(pk, x1), . . . , Enc(pk, xn) to the storage apparatus 130 (S11A).
The storage apparatus 130 holds the templates.
Enc(pk,x1), . . . ,Enc(pk,xn) (57)
On reception of a matching request from the matching request apparatus 120 (S12), the matching apparatus 140 obtains Enc(pk, x1), . . . , Enc(pk, xn) from the storage apparatus 130 (S13A) and performs an additive homomorphic scalar operation and an addition operation to calculate
Enc(pk,(1−2x1)), . . . ,Enc(pk,(1−2xn)) and Enc(pk,x1+ . . . +xn)
(S13B).
Since the subsequent processing is the same as that in
While the first example embodiment described with reference to
Since the individual elements of the registration target vector X=[x1, . . . , xn]∈{0,1}^n are binary values, each of Enc(pk, S(1−2x1)), . . . , Enc(pk, S(1−2xn)) is any one of the following data.
Enc(pk,S),Enc(pk,−S) (58)
With only two tries, Enc(pk, Sz) for an arbitrary value z can be transmitted to the matching apparatus 140. The matching apparatus 140 handles Enc(pk, Sz) received from the matching request apparatus 120 as Enc(pk, D2) and transmits Enc(pk, Sz+D1) obtained by adding Enc(pk, Sz) and Enc(pk, D1) to the verification apparatus 150.
In this case, if the following relationship (59) is established,
the verification apparatus 150 determines acceptance.
Thus, according to the second example embodiment, instead of transmitting encrypted data Enc(pk, S(1−2xi)) (i=1, . . . , n) obtained by multiplication of a random number to registered templates which are transmitted from the matching apparatus 140 to the matching request apparatus 120, the matching apparatus 140 transmits a transformed value Ai of the registration vector as a challenge to the matching request apparatus 120, which is an element of a first transformed value vector A obtained by transforming the registration target binary vector X=[x1, . . . , xn] in accordance with a certain transformation formula and takes a value other than binary values, wherein an operation result of A with a second transformed vector B obtained by transforming a matching target binary vector Y=[y1, . . . , yn] (an inner product A·B), generates
The matching request apparatus 120 calculates Enc(pk, SΣ[i=1 to n]Ai·Bi) by performing an additive homomorphic operation of the encrypted data Enc(pk, Ai) of the transformed value Ai and the transformed value Bi related to the matching target binary vector Y=[y1, . . . , yn] and transmits Enc(pk, SΣ[i=1 to n] Ai·Bi) to the matching apparatus 140. Enc(pk, SΣ[i=1 to n] Ai·Bi) is equivalent to the following encrypted data.
When the biometric information is a binary vector, spoofing attacks can be avoided. This feature according to the second example embodiment will be described below.
When the registration target vector is X=[x1, . . . , xn]∈{0,1}^n and the matching target vector is Y=[y1, . . . , yn]∈{0,1}^n, A1, . . . , An, and B1, . . . , Bn satisfying the following relationship are calculated.
The number of constraint equations is n(n+1), which is a sum of n^2 about the coefficients of the individual xi and yi and n about the individual yi. The number of unknowns is n(2n+1).
((a1,1,a1,2, . . . ,a1,n+1,a2,1, . . . ,an,n+1),(b1,1,b1,2, . . . ,b1,n,b2,1, . . . ,bn,n)) (65)
If bi,j (i=1, . . . , n, j=1, . . . , n) are fixed, the number of unknowns is n(n+1) as follows.
(a1,1,a1,2, . . . ,a1,n+1,a2,1, . . . ,an,n+1) (66)
Since (number of unknowns)>=(number of constraint equations), there is a solution. In particular, if the individual bi,j (i=1, . . . , n, j=1, . . . , n) are fixed, the individual ai,j (i=1, . . . , n, j=1, . . . , n+1) are uniquely determined.
According to the present example embodiment, the matching apparatus 140 transmits Enc(pk, SAi) (i=1, . . . , n) to the matching request apparatus 120. The matching request apparatus 120 transmits the following encrypted data to the matching apparatus 140.
For ease of description, an example in which a two-dimensional registration target vector X^T=[x1,x2]∈{0,1}^2 and a two-dimensional matching target vector Y=[y1,y2]∈{0,1}^2 are used will be described. In these vectors, T denotes a transpose operator. The above formulas (62) and (63) can be expressed by using the following transformation matrices.
The above formula (64) is given as follows.
By solving this, the individual coefficients are given as follows.
a1,1=−2b2,2·L,a1,2=2b2,1·L,a1,3=(b2,2−b2,1)L,
a2,1=2b1,2·L,a2,2=−2b1,1·L,a2,3=(b1,1−b1,2)L, (71)
where L is a reciprocal of a determinant of
Thus, it is possible to express as follows.
In the above expression, when b1,1=b2,2=1, b1,2=b2,1=0, the following formula (74) holds.
This corresponds to a case in which n=2 according to the first example embodiment.
As a simple specific example, a case in which q=13 (message space: Fq) will be described. Assuming that
(b1,1,b1,2,b2,1,b2,2)=(1,3,3,7)
L=(−2)^(−1)=11^(11) mod 13=6. (75)
(According to Fermat's little theorem, if q is a prime, g^(q−1)=1 mod q, and thus g·g^(q−2)=1 mod q. Thus, the inverse is given as follows.)
g^(−1)=g^(q−2) mod q (76)
Thus, the following satisfies the constraint equations.
(a1,1,a1,2,a1,3,a2,1,a2,2,a2,3)=(−84,36,24,36,−12,−12) mod 13=(7,10,11,10,1,1) (77)
In this case, A1 and A2 vary depending on the values (0, 0), (0, 1), (1, 0), (1, 1) of (x1, x2) (see (b) and (c) in
(a1,1,a1,2, . . . ,a1,n+1,a2,1, . . . ,an,n+1).
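The following added example (not part of the original text) derives the coefficients ai,j from fixed bi,j for general n and reproduces the q=13 values of formula (77). It assumes Ai=Σj ai,j·xj+ai,n+1 and Bi=Σj bi,j·yj with the relationship ΣAi·Bi=Σ(1−2xi)yi mod q, which is consistent with formula (71); all function names are hypothetical.

```python
from itertools import product

def inv_mod_matrix(m, q):
    """Gauss-Jordan inverse of a square matrix over F_q (q prime)."""
    n = len(m)
    aug = [[v % q for v in row] + [int(i == j) for j in range(n)]
           for i, row in enumerate(m)]
    for col in range(n):
        piv = next((r for r in range(col, n) if aug[r][col]), None)
        if piv is None:
            raise ValueError("matrix of b coefficients is singular mod q")
        aug[col], aug[piv] = aug[piv], aug[col]
        inv = pow(aug[col][col], q - 2, q)          # Fermat inverse, as in (76)
        aug[col] = [v * inv % q for v in aug[col]]
        for r in range(n):
            if r != col and aug[r][col]:
                f = aug[r][col]
                aug[r] = [(v - f * w) % q for v, w in zip(aug[r], aug[col])]
    return [row[n:] for row in aug]

def solve_a(b, q):
    """Coefficients a[i][0..n] determined by fixed b.

    Matching the coefficient of each y_j gives sum_i A_i*b[i][j] = 1 - 2*x_j,
    so A = M(1 - 2x) with M the inverse of b transposed; hence
    a[i][j] = -2*M[i][j] and the constant a[i][n] = sum_j M[i][j].
    """
    n = len(b)
    bt = [[b[i][j] for i in range(n)] for j in range(n)]
    m = inv_mod_matrix(bt, q)
    return [[(-2 * m[i][j]) % q for j in range(n)] + [sum(m[i]) % q]
            for i in range(n)]

def transform_a(a, X, q):
    """First transformed vector A from the registration vector X."""
    return [(sum(c * x for c, x in zip(row, X)) + row[-1]) % q for row in a]

def transform_b(b, Y, q):
    """Second transformed vector B from the matching target vector Y."""
    return [sum(c * y for c, y in zip(row, Y)) % q for row in b]

def relation_holds(a, b, q):
    """Checks sum A_i*B_i == sum (1-2x_i)*y_i mod q for every binary X, Y."""
    n = len(b)
    for X in product((0, 1), repeat=n):
        A = transform_a(a, X, q)
        for Y in product((0, 1), repeat=n):
            lhs = sum(s * t for s, t in zip(A, transform_b(b, Y, q))) % q
            rhs = sum((1 - 2 * x) * y for x, y in zip(X, Y)) % q
            if lhs != rhs:
                return False
    return True

def challenge_values(a, q):
    """For each i, the sorted set of values A_i takes over all binary X."""
    n = len(a)
    cols = [set() for _ in range(n)]
    for X in product((0, 1), repeat=n):
        for i, v in enumerate(transform_a(a, X, q)):
            cols[i].add(v)
    return [sorted(c) for c in cols]

if __name__ == "__main__":
    b = [[1, 3], [3, 7]]                 # the b values used in the text
    a = solve_a(b, 13)
    print(a, relation_holds(a, b, 13), challenge_values(a, 13))
```

With the identity matrix as b, each Ai only takes the values 1 and −1 mod q, which is the two-valued challenge of the first example embodiment; with the b values above, each Ai ranges over four values.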
Other aspects of the basic configuration are the same as those according to the first example embodiment illustrated in
The template generation unit 112 generates, as first templates, the following encrypted data (B2).
Enc(pk,A1), . . . ,Enc(pk,An) (79)
In addition, the template generation unit 112 generates, as a second template, the following encrypted data (B3).
Enc(pk,x1), . . . ,Enc(pk,xn) (80)
The template generation unit 112 combines these templates (B4) and transmits the combined template to the storage apparatus 130 (B5).
As described above, the second example embodiment assumes that the n(n+1) transformation coefficients
(a1,1,a1,2, . . . ,a1,n+1,a2,1, . . . ,an,n+1)
are preset in the registration request apparatus 110. In addition, the n^2 transformation coefficients
(b1,1,b1,2, . . . ,b1,n,b2,1, . . . ,bn,n)
are preset in the matching request apparatus 120.
The transformed value generation unit 114 in the registration request apparatus 110 calculates transformed values (A1, . . . , An) based on the binary vector X^T=[x1, . . . , xn]∈{0,1}^n extracted by the registration target information extraction unit 111 and the preset transformation coefficients
(a1,1,a1,2, . . . ,a1,n+1,a2,1, . . . ,an,n+1).
Next, the template generation unit 112 in the registration request apparatus 110 generates, as the first templates, the following encrypted data of Ai(i=1, . . . , n).
Enc(pk,A1), . . . ,Enc(pk,An) (81)
In addition, the template generation unit 112 generates, as the second templates, the following encrypted data.
Enc(pk,x1), . . . ,Enc(pk,xn) (82)
Next, the template generation unit 112 in the registration request apparatus 110 generates the following template from the first and second templates.
(Enc(pk,A1), . . . ,Enc(pk,An),Enc(pk,x1), . . . ,Enc(pk,xn)) (83)
The template generation unit 112 transmits the generated template to the storage apparatus 130 via the communication unit 113 (S21).
When the storage apparatus 130 receives the template, the identifier management unit 131 generates a registration identifier id and the registration target data generation unit 132 associates the template with the registration identifier id and stores the following resultant data in the registered data storage unit 133.
((Enc(pk,A1), . . . ,Enc(pk,An),Enc(pk,x1) . . . ,Enc(pk,xn)),id) (84)
When the communication unit 146 in the matching apparatus 140 receives a matching request from the matching request apparatus 120 (S22), the registered data acquisition unit 141 receives
((Enc(pk,A1), . . . ,Enc(pk,An),Enc(pk,x1) . . . ,Enc(pk,xn)),id)
from the storage apparatus 130 (S23A).
The matching apparatus 140 generates encrypted data Enc(pk, Σ[i=1 to n]xi) of a sum of the elements {xi} with Enc(pk, x1), . . . , Enc(pk, xn) being kept in an encrypted state (S23B).
The random number generation unit 142 in the matching apparatus 140 generates a random number S∈Fq (S24).
Next, the random number generation unit 142 performs a scalar operation of the random number S to the encrypted data Enc(pk, A1), . . . , Enc(pk, An) of the transformed values to calculate
Enc(pk,SA1), . . . ,Enc(pk,SAn) (85)
The random number generation unit 142 transmits the calculated encrypted data to the matching request apparatus 120 via the communication unit 146 (S25).
The values of Enc(pk, Ai) (i=1, . . . , n) vary depending on a combination of the values of (x1, . . . xn). Thus, it is difficult for attackers to estimate Enc(pk, S) from Enc(pk, S·Ai) (i=1, . . . , n) transmitted from the matching apparatus 140 to the matching request apparatus 120, making it difficult to conduct spoofing attacks.
The response generation unit 123 in the matching request apparatus 120 calculates the following formula (86) from {bi,j} (i, j=1, . . . , n) and a binary vector Y=[y1, . . . , yn]∈{0,1}^n extracted by the matching target information extraction unit 122.
By using an additive homomorphic addition and a scalar operation, the response generation unit 123 in the matching request apparatus 120 performs a scalar operation Scl(Bi, Enc(pk, SAi)) (i=1, . . . , n) on the data (challenge) Enc(pk, SAi) (i=1, . . . , n) received from the matching apparatus 140, with the data being kept in an encrypted state, to calculate the following encrypted data
Enc(pk,SA1·B1), . . . ,Enc(pk,SAn·Bn) (87)
By adding these items of encrypted data in an encrypted state, the response generation unit 123 calculates:
The response generation unit 123 in the matching request apparatus 120 transmits
to the matching apparatus 140 via the communication unit 124 as a response to the challenge (S26).
The encrypted distance calculation unit 144 in the matching apparatus 140 applies a scalar operation of the reciprocal S^(−1) (S^(q−2) mod q) of the random number S to
to calculate the following encrypted data.
where the following holds.
From the calculated Di and the second template received from the storage apparatus 130, the encrypted distance calculation unit 144 in the matching apparatus 140 calculates the encrypted data of a Hamming distance between the binary vectors X and Y with the encrypted data being kept in an encrypted state.
The matching apparatus 140 transmits the encrypted data Enc(pk, dH (X, Y)) of the Hamming distance between the binary vectors X and Y to the verification apparatus 150 (S27). The verification apparatus 150 decrypts the encrypted data Enc(pk, dH (X, Y)) using the secret key sk (Dec(sk, Enc(pk, dH (X, Y)))), determines whether the decrypted result is less than or equal to a threshold t (S28), and outputs a verification result (S29).
<Variation 1>
The registration request apparatus 110 has the same configuration as that illustrated in
The communication unit 135 in the storage apparatus 130 receives the first templates from the registration request apparatus 110. The registration target data generation unit 132 stores the first template in the registered data storage unit 133 in association with a registration identifier id given by the identifier management unit 131.
In addition, the registration target data generation unit 132 in the storage apparatus 130 generates the encrypted data
of a sum of the elements {xi} from the encrypted data of n elements x1, . . . , xn of the n-dimensional binary vector X
Enc(pk,x1), . . . ,Enc(pk,xn) (93)
in an encrypted state.
The registration target data generation unit 132 in the storage apparatus 130 calculates, from the group of transformation coefficients
(a1,1,a1,2, . . . ,a1,n+1,a2,1, . . . ,an,n+1)
which are set in the storage apparatus 130, the encrypted data
Enc(pk,A1), . . . ,Enc(pk,An)
of the transformed values A1, . . . , An with n elements x1, . . . , xn of the n-dimensional binary vector X in an encrypted state (S21B).
Enc(pk, ai,j xj) (j=1, . . . , n) is calculated by performing a scalar operation Scl(ai,j, Enc(pk, xj)) (j=1, . . . , n) on the encrypted data Enc(pk, xj). In addition, the registration target data generation unit 132 in the storage apparatus 130 calculates Enc(pk, ai,n+1) and adds these encrypted data in an encrypted state, to calculate encrypted data Enc(pk, Ai) (i=1, . . . , n). The registration target data generation unit 132 stores the calculated encrypted data Enc(pk, Ai) (i=1, . . . , n) in the registered data storage unit 133 (S21B).
Enc(pk,A1)=Enc(pk,a1,1·x1)+ . . . +Enc(pk,a1,n·xn)+Enc(pk,a1,n+1)
. . . ,
Enc(pk,An)=Enc(pk,an,1·x1)+ . . . +Enc(pk,an,n·xn)+Enc(pk,an,n+1) (94)
When the matching apparatus 140 receives a matching request from the matching request apparatus 120, the registered data acquisition unit 141 receives Enc(pk, A1), . . . , Enc(pk, An) and the encrypted data (second template)
of
from the storage apparatus 130 (S23).
The random number generation unit 142 in the matching apparatus 140 generates a random number S (S24). Next, the encrypted data generation unit 143 calculates Enc(pk, SA1), . . . , Enc(pk, SAn) by performing an additive homomorphic scalar operation and transmits the calculated encrypted data to the matching request apparatus 120 via the communication unit 146 (S25).
The response generation unit 123 in the matching request apparatus 120 calculates from the set n^2 transformation coefficients
(b1,1,b1,2, . . . ,b1,n,b2,1, . . . ,bn,n)
and the binary vector
Y=[y1, . . . ,yn]∈{0,1}^n
extracted by the matching target information extraction unit 122,
The response generation unit 123 in the matching request apparatus 120 calculates by performing a scalar operation and an addition operation based on Enc(pk, SA1), . . . , Enc(pk, SAn) transmitted from the matching apparatus 140 and the transformed values B1, . . . , Bn.
The response generation unit 123 transmits the calculated encrypted data to the matching apparatus 140 via the communication unit 124 as a response (S26). Since the subsequent operation sequence is the same as that in
<Variation 2>
In the above variation 1, the storage apparatus 130 generates the encrypted data Enc(pk, Ai) (i=1, . . . , n) of the transformed values A1, . . . , An from the first templates Enc(pk, xi) (i=1, . . . , n) transmitted from the registration request apparatus 110. In variation 2, the matching apparatus 140 creates the encrypted data Enc(pk, Ai) (i=1, . . . , n) of the transformed values A1, . . . , An, when a challenge is created. The basic configuration of variation 2 is the same as that according to the first example embodiment illustrated in
As in the first example embodiment, the registration request apparatus 110 transmits the encrypted data Enc(pk, xi) (i=1, . . . , n) (first templates) of the n elements {xi} (i=1, . . . , n) of the n-dimensional binary vector X to the storage apparatus 130 (S21).
The storage apparatus 130 holds the first and second templates in association with a registration id.
On reception of a matching request from the matching request apparatus 120 (S22), the registered data acquisition unit 141 in the matching apparatus 140 receives the encrypted data Enc(pk, x1), . . . , Enc(pk, xn) of the n elements {xi} of the n-dimensional binary vector X from the storage apparatus 130 (S23A).
The encrypted data generation unit 143 in the matching apparatus 140 generates encrypted data
of a sum of the elements {xi} with Enc(pk, x1), . . . , and Enc(pk, xn) being kept in an encrypted state (S23A).
The encrypted data generation unit 143 in the matching apparatus 140 generates the encrypted data Enc(pk, A1), . . . , Enc(pk, An) of the transformed values A1, . . . , An from the encrypted registered data Enc(pk, x1), . . . , Enc(pk, xn) of the n elements x1, . . . , xn and the set group of transformation coefficients (a1,1, a1,2, . . . , a1,n+1, a2,1, . . . , an,n+1) (S24B).
Enc(pk,A1)=Enc(pk,a1,1·x1)+ . . . +Enc(pk,a1,n·xn)+Enc(pk,a1,n+1)
. . . ,
Enc(pk,An)=Enc(pk,an,1·x1)+ . . . +Enc(pk,an,n·xn)+Enc(pk,an,n+1) (97)
The matching apparatus 140 generates a random number S (S24), calculates
Enc(pk,SA1), . . . ,Enc(pk,SAn)
using an additive homomorphic scalar operation, and transmits Enc(pk, SA1), . . . , Enc(pk, SAn) to the matching request apparatus 120 via the communication unit 146 (S25).
The matching request apparatus 120 calculates from the set n^2 transformation coefficients
(b1,1,b1,2, . . . ,b1,n,b2,1, . . . ,bn,n)
and the binary vector
In addition, from Enc(pk, SA1), . . . , Enc(pk, SAn) and the transformed values B1, . . . , Bn, the matching request apparatus 120 calculates the following encrypted data.
As a response, the matching request apparatus 120 transmits the encrypted data to the matching apparatus 140 (S26). Since the subsequent operation is the same as that according to variation 1 in
<Variation 3>
In variation 3, the transformation coefficients
(a1,1,a1,2, . . . ,a1,n+1,a2,1, . . . ,an,n+1)
are not preset in the registration request apparatus 110. The n^2 transformation coefficients
(b1,1,b1,2, . . . ,b1,n,b2,1, . . . ,bn,n)
are not preset in the matching request apparatus 120, either.
In variation 3, each time a challenge is created, the matching apparatus 140 creates the transformation coefficients {ai, j} (i=1, . . . , n, j=1, . . . , n+1).
The encrypted data generation unit 143 calculates the transformed values A1, . . . , An, based on the encrypted data Enc(pk, xi) (i=1, . . . , n) of the n elements xi obtained by the registered data acquisition unit 141 and the created transformation coefficients {ai, j}(i=1, . . . , n, j=1, . . . , n+1) and transmits encrypted data to the matching request apparatus 120 as a challenge.
When transmitting a challenge to the matching request apparatus 120, the matching apparatus 140 transmits the transformation coefficients (a second group of transformation coefficients) {bi,j} (i, j=1, . . . , n) used for calculation of the transformation coefficients (a first group of transformation coefficients) {ai,j} (i=1, . . . , n, j=1, . . . , n+1) to the matching request apparatus 120.
The transformation coefficient generation unit 147 in the matching apparatus 140 generates the transformation coefficients {ai,j}(i=1, . . . , n, j=1, . . . , n+1) each time a challenge is generated (C11A).
The encrypted data generation unit 143 in the matching apparatus 140 generates the encrypted data Enc(pk, A1), . . . , Enc(pk, An) of the transformed values with the elements {xi} being kept in an encrypted state, based on the transformation coefficients {ai, j} (i=1, . . . , n, j=1, . . . , n+1) and Enc(pk, x1), . . . , Enc(pk, xn) (C11B).
The random number generation unit 142 in the matching apparatus 140 generates a random number S and performs a scalar operation of the random number S on the encrypted data of the transformed values, to generate encrypted data Enc(pk, SA1), . . . , Enc(pk, SAn) (C12). The matching apparatus 140 transmits the generated encrypted data Enc(pk, SA1), . . . , Enc(pk, SAn) and the n^2 transformation coefficients {bi,j} (i, j=1, . . . , n) to the matching request apparatus 120 (C13).
The storage apparatus 130 holds the first templates in association with a registration identifier id.
On reception of a matching request from the matching request apparatus 120 (S22), the registered data acquisition unit 141 in the matching apparatus 140 receives the encrypted data Enc(pk, x1), . . . , Enc(pk, xn) of the n elements {xi} of the binary vector X from the storage apparatus 130 (S23).
The encrypted data generation unit 143 in the matching apparatus 140 generates the encrypted data
of a sum of the n elements {xi} of the binary vector X, with the encrypted data Enc(pk, x1), . . . , Enc(pk, xn) of the n elements {xi} of the binary vector X being kept in an encrypted state (S23A).
The transformation coefficient generation unit 147 in the matching apparatus 140 generates the transformation coefficients {ai,j}(i=1, . . . , n, j=1, . . . , n+1) each time it generates a challenge (S24A). Thus, the transformation coefficients may vary on a per-challenge basis. The transformation coefficients {ai,j} (i=1, . . . , n, j=1, . . . , n+1) are calculated based on {bi,j} (i, j=1, . . . , n). The transformation coefficient generation unit 147 in the matching apparatus 140 may set different values for the transformation coefficients {bi,j} (i, j=1, . . . , n) each time it generates a challenge.
The encrypted data generation unit 143 in the matching apparatus 140, based on the transformation coefficients {ai,j} (i=1, . . . , n, j=1, . . . , n+1) and the registered encrypted data Enc(pk, x1), . . . , Enc(pk, xn) with Enc(pk, xi)(i=1, . . . , n) being kept in an encrypted state, generates
Enc(pk,A1), . . . ,Enc(pk,An) (100)
(S24B)
The random number generation unit 142 in the matching apparatus 140 generates a random number S (S24), calculates Enc(pk, SA1), . . . , Enc(pk, SAn), and transmits Enc(pk, SA1), . . . , Enc(pk, SAn) and the n^2 transformation coefficients {bi, j} (i, j=1, . . . , n) to the matching request apparatus 120 (S25).
The matching request apparatus 120 calculates the following formula (101) from the n^2 transformation coefficients
(b1,1,b1,2, . . . ,b1,n,b2,1, . . . ,bn,n)
transmitted from the matching apparatus 140 and the binary vector
The matching request apparatus 120 calculates, based on Enc(pk, SA1), . . . , Enc(pk, SAn) and the transformed values B1, . . . , Bn,
Next, the matching request apparatus 120 transmits this encrypted data to the matching apparatus 140 as a response (S26). Since the processing in which the matching apparatus 140 transmits a query when receiving the response as expressed in the above formula (102) (S27) and the processing that the verification apparatus 150 performs when receiving the query from the matching apparatus 140 (S28 and S29) are the same as those according to variation 2, description thereof will be omitted.
As in the first example embodiment, according to the second example embodiment and the individual variations, the registration request apparatus 110 may generate the encrypted data
of a sum of the n elements {xi} of the registration target n-dimensional binary vector X and transmit the encrypted data to the storage apparatus 130.
According to the above first and second example embodiments, a decryptor receives and decrypts a ciphertext of a distance and determines whether the distance is less than or equal to a threshold t. When the Modified-Elgamal encryption is used and the decryption algorithm outputs Dec(sk, Enc(pk, m))=g^m, instead of a message, the decryptor determines whether the decrypted value matches any one of 1, g, g^2, g^3, . . . , and g^t.
When the elliptic Elgamal encryption is used and the decryption algorithm outputs Dec(sk, Enc(pk, m))=m(*)G, instead of a message, the decryptor may determine whether the decrypted value matches any one of O, G, 2(*)G, 3(*)G, . . . , and t(*)G. When the decryption algorithm outputs a message, the decryptor may determine whether the decrypted value matches any one of 0, 1, 2, 3, . . . , and t.
In the matching (authentication) processing, if y1, . . . , yi−1, yi+1, . . . , yn=0 and yi=α are used as y1, . . . , yn, the following Hamming distance is calculated.
This is because the following relationship holds if an individual xi (i=1, . . . , n) is assumed to take 0 or 1 with a probability of about 50%.
By setting α to satisfy the following relationship,
acceptance is outputted with a probability of about 50% based on the values of xi. In addition, from a result of acceptance/rejection determined by the verification apparatus 150, a value of xi can be determined. Namely, when the verification apparatus 150 determines acceptance, xi=1. When the verification apparatus 150 determines rejection, xi=0.
Thus, if an attacker repeats this try on each i=1, . . . , n, the attacker is able to know the registered biometric information x1, . . . , xn. Thus, in the first and second example embodiments, 1:N authentication cannot be performed. A third example embodiment is configured to handle 1:N authentication.
In addition, the third example embodiment includes a function of determining whether values other than 0 or 1 have been inputted as the matching target vector Y=[y1, . . . , yn] in the matching phase.
In addition, as described below, whether xi=yi can be determined by using (2yi−1).
(2xi−1)(2yi−1) assumes
1 if xi=yi and yi is 0 or 1;
−1 if yi=0 and xi=1 or if yi=1 and xi=0; and
a value other than 1 and −1 if yi is a value other than 0 or 1.
The count number of i where xi=yi does not hold (the count number of mismatches between the elements xi and yi in the same index number of the vectors X and Y) may be set as the Hamming distance dH(X, Y).
The matching apparatus 140 includes a hash value generation section 148 in addition to the configuration illustrated in
On reception of a matching request from the matching request apparatus 120, the registered data acquisition unit 141 in the matching apparatus 140 receives encrypted data {Enc(pk, (2xi−1))} (i=1, . . . , n) stored in the storage apparatus 130 in association with the registration identifier id.
The random number generation unit 142 in the matching apparatus 140 generates random numbers ai, bi, and ri.
The encrypted data generation unit 143 in the matching apparatus 140 transmits the encrypted data Enc(pk, bi) (i=1, . . . , n) of the random number bi (i=1, . . . , n) to the matching request apparatus 120. The encrypted data transmitted to the matching request apparatus 120 does not depend on the registered data (template). Thus, 1:N authentication can be performed.
The response generation unit 123 in the matching request apparatus 120 generates, from Enc(pk, (2xi−1)) received from the storage apparatus 130, Enc(pk, bi (2yi−1)) (i=1, . . . , n) transmitted from the matching request apparatus 120, and the random numbers ai, bi, and ri, the following encrypted data.
Enc(pk,ai(2xi−1))(i=1, . . . ,n),
Enc(pk,biri(2yi−1))(i=1, . . . ,n) (108)
The hash value generation section 148 calculates the following hash values of the products ai bi ri (mod q) of the random numbers ai, bi, and ri(i=1, . . . , n).
H(aibiri) (109)
The query generation unit 145 generates a query including the encrypted data Enc(pk, ai (2xi−1)) and Enc(pk, bi ri (2yi−1)) (i=1, . . . , n), and the hash values H(ai bi ri) (i=1, . . . , n) and transmits the query to the verification apparatus 150 via the communication unit 146. H denotes a one-way hash function. In the transmission of the encrypted data Enc(pk, ai (2xi−1)) and Enc(pk, bi ri (2yi−1)) (i=1, . . . , n), the query generation unit 145 may shuffle the sequence relating to an index i.
A decryption section 1531 in the query determination unit 153 in the verification apparatus 150 decrypts the encrypted data Enc(pk, ai (2xi−1)) and Enc(pk, bi ri (2yi−1)) (i=1, . . . , n) by using the secret key sk and calculates the following.
za=Dec(sk,Enc(pk,ai(2xi−1)))
zb=Dec(sk,Enc(pk,biri(2yi−1))) (110)
In addition, a hash value generation section 1532 in the query determination unit 153 in the verification apparatus 150 calculates hash values H(za zb) of the products of za and zb.
A mismatching determination section 1533 in the query determination unit 153 in the verification apparatus 150 determines whether a count number of mismatched i between the calculated hash values H(zazb) and the hash values H(ai bi ri) received from the matching apparatus 140 is less than or equal to t.
If the count number of mismatches is less than or equal to t, the verification result generation unit 154 determines acceptance. Otherwise, the verification result generation unit 154 determines rejection.
zazb=aibiri(2xi−1)(2yi−1) (111)
za zb=ai bi ri, if yi is 0 or 1 and yi=xi;
za zb=−ai bi ri, if yi is 0 or 1 and yi≠xi; and
za zb is a value other than ai bi ri or −ai bi ri, if yi is a value other than 0 or 1.
Thus, if the following relationship holds,
H(zazb)=H(aibiri) (112)
yi=xi and yi=0 or 1.
A case in which the following relationship does not hold (hash value H(zazb)≠H(aibiri)) is a case in which, while yi is 0 or 1, yi is not equal to xi or yi is a value other than 0 or 1.
Thus, when the count number of mismatches in the above Expression (112) regarding i=1, . . . , n is less than or equal to the threshold t, acceptance is determined.
If the product ai bi ri of the random numbers generated by the matching apparatus 140 were encrypted by using the public key pk and the encrypted data of the product ai bi ri were transmitted to the verification apparatus 150, the verification apparatus 150 could decrypt the product by using the secret key sk. Accordingly, the hash value of ai bi ri is transmitted to the verification apparatus 150 instead. It is difficult to reversely calculate an input u from a hash value v (v=H(u)). Thus, even when an attacker attempts eavesdropping, the attacker cannot read the content.
The encrypted data generation unit 143 in the matching apparatus 140 generates encrypted data Enc(pk, bi) (i=1, . . . , n) of the random numbers bi (i=1, . . . , n) (C12) and transmits the encrypted data to the matching request apparatus 120 (C13).
The matching request apparatus 120 receives Enc(pk, bi) (i=1, . . . , n) from the matching apparatus 140 (C14) and extracts the matching target vector
Y=[y1, . . . ,yn]∈{0,1}^n
(C15). The response generation unit 123 performs a scalar operation using Enc(pk, bi) (i=1, . . . , n) received from the matching apparatus 140 to calculate Scl(2yi−1, Enc(pk, bi))=Enc(pk, bi (2yi−1)) (i=1, . . . , n) (C16). The matching request apparatus 120 transmits Enc(pk, bi (2yi−1)) (i=1, . . . , n) to the matching apparatus 140 (C17).
The matching apparatus 140 receives Enc(pk, bi (2yi−1)) (i=1, . . . , n) (C18) and generates
Enc(pk,ai(2xi−1))(i=1, . . . ,n) and
Enc(pk, bi ri (2yi−1)) (i=1, . . . , n) from Enc(pk, (2xi−1)) received from the storage apparatus 130, Enc(pk, bi (2yi−1)) (i=1, . . . , n) transmitted from the matching request apparatus 120, and the random numbers ai, bi, and ri (C19A). The hash value generation section 148 calculates the hash values H(ai bi ri) of the product ai bi ri (mod q) of the random numbers ai, bi, and ri (i=1, . . . , n) (C19B).
The query generation unit 145 generates a query including the encrypted data Enc(pk, ai(2xi−1)) and Enc(pk, bi ri (2yi−1)) (i=1, . . . , n) and the hash values H(ai bi ri) (i=1, . . . , n) (C20) and transmits the query to the verification apparatus 150 via the communication unit 146 (C21). H denotes a one-way hash function.
When the communication unit 155 in the verification apparatus 150 receives the query, the decryption section 1531 in the query determination unit 153 decrypts the encrypted data Enc(pk, ai (2xi−1)) and Enc(pk, bi ri (2yi−1)) (i=1, . . . , n) by using the secret key sk (C23A). That is, the decryption section 1531 in the query determination unit 153 calculates
za=Dec(sk,Enc(pk,ai(2xi−1))), and
zb=Dec(sk,Enc(pk,biri(2yi−1))).
Next, the hash value generation section 1532 in the query determination unit 153 in the verification apparatus 150 calculates a hash value H(za zb) of a product of za and zb (C23B).
The mismatching determination section 1533 in the query determination unit 153 in the verification apparatus 150 determines whether a count number of mismatches i between the calculated hash value H(za zb) and the hash values H(ai bi ri) received from the matching apparatus 140 is less than or equal to t. If the count number of mismatches is less than or equal to t, the verification result generation unit 154 determines acceptance. Otherwise, the verification result generation unit 154 determines rejection (C24). Next, the verification result generation unit 154 outputs the verification result (C25).
On reception of a matching request from the matching request apparatus 120 (S32), the matching apparatus 140 receives the encrypted data Enc(pk, (2xi−1)) (i=1, . . . , n) stored in association with the Id from the storage apparatus 130 (S33).
The matching apparatus 140 generates random numbers ai, bi, and ri (S34). The matching apparatus 140 transmits encrypted data Enc(pk, bi) (i=1, . . . , n) of the random numbers bi (i=1, . . . , n) to the matching request apparatus 120 (S35).
The matching request apparatus 120 extracts the matching target vector Y=[y1, . . . , yn], calculates Enc(pk, bi(2yi−1)) (i=1, . . . , n) from Enc(pk, bi) (i=1, . . . , n) received from the matching apparatus 140, and transmits the encrypted data to the matching apparatus 140 (S36).
The matching apparatus 140 generates encrypted data
Enc(pk,ai(2xi−1))(i=1, . . . ,n) and
Enc(pk, bi ri (2yi−1)) (i=1, . . . , n) from Enc(pk, bi(2yi−1)) (i=1, . . . , n) transmitted from the matching request apparatus 120, the encrypted data Enc(pk, (2xi−1)) transmitted from the storage apparatus 130, and the random numbers ai, bi, and ri.
The matching apparatus 140 also generates hash values H(ai bi ri). The matching apparatus 140 transmits these data to the verification apparatus 150 (S37).
The verification apparatus 150 decrypts the encrypted data Enc(pk, ai (2xi−1)) and Enc(pk, bi ri (2yi−1)) by using the secret key sk and calculates a hash value H(za zb) of a product of the decryption results za and zb (S38A).
The verification apparatus 150 determines whether a count number of mismatches i between the calculated hash value H(za zb) and the hash values H(aibiri) received from the matching apparatus 140 is less than or equal to t (S38B). If the count number of mismatches is less than or equal to t, the verification apparatus 150 determines acceptance. Otherwise, the verification apparatus 150 determines rejection. Next, the verification apparatus 150 outputs the detection result (acceptance/rejection) (S39).
<Variation 1>
On reception of a matching request from the matching request apparatus 120 (S32), the matching apparatus 140 receives the encrypted data Enc(pk, xi) (i=1, . . . , n) stored in association with the Id from the storage apparatus 130 (S33).
The matching apparatus 140 generates random numbers ai, bi, and ri(S34). The matching apparatus 140 calculates Enc(pk, 2xi−1) (i=1, . . . , n) with the encrypted data Enc(pk, xi) (i=1, . . . , n) being kept in an encrypted state. The matching apparatus 140 transmits the encrypted data Enc(pk, bi) (i=1, . . . , n) of the random numbers bi(i=1, . . . , n) to the matching request apparatus 120 (S35).
The matching request apparatus 120 extracts a matching target vector Y=[y1, . . . , yn], calculates Enc(pk, biyi) (i=1, . . . , n) from Enc(pk, bi) (i=1, . . . , n) received from the matching apparatus 140, and transmits the calculated encrypted data to the matching apparatus 140 (S36).
The matching apparatus 140 receives Enc(pk, bi yi) (i=1, . . . , n) from the matching request apparatus 120 and generates Enc(pk, bi(2yi−1)) (i=1, . . . , n) with Enc(pk, biyi) being kept in an encrypted state. The matching apparatus 140 generates Enc(pk, ai (2xi−1)) (i=1, . . . , n) from Enc(pk, (2xi−1)) and the random numbers ai and generates Enc(pk, bi ri(2yi−1)) (i=1, . . . , n) from Enc(pk, bi(2yi−1)) and the random number ri.
The matching apparatus 140 generates and transmits hash values H(ai bi ri) to the verification apparatus 150 (S37). The matching request apparatus 120 may extract a matching target vector Y=[y1, . . . , yn], generate Enc(pk, bi(2yi−1)) (i=1, . . . , n) from Enc(pk, bi) (i=1, . . . , n) received from the matching apparatus 140, and transmit the generated encrypted data to the matching apparatus 140.
The verification apparatus 150 decrypts the encrypted data Enc(pk, ai (2xi−1)) and Enc(pk, bi ri(2yi−1)) by using the secret key sk and calculates a hash value H(za zb) of a product of the decryption result za and zb (S38A).
The verification apparatus 150 determines whether a count number of mismatches i between the calculated hash values H(za zb) and the hash values H(ai bi ri) received from the matching apparatus 140 is less than or equal to t (S38B). If the count number of mismatches is less than or equal to t, the verification apparatus 150 determines acceptance. Otherwise, the verification apparatus 150 determines rejection. Next, the verification apparatus 150 outputs the detection result (acceptance/rejection) (S39).
<Variation 2>
In variation 1 of the third example embodiment, on reception of the encrypted data Enc(pk, xi) (i=1, . . . , n) from the storage apparatus 130, the matching apparatus 140 calculates Enc(pk, 2xi−1) (i=1, . . . , n) with the encrypted data Enc(pk, xi) (i=1, . . . , n) being kept in an encrypted state. In variation 2, the storage apparatus 130, on reception of the encrypted data Enc(pk, xi) (i=1, . . . , n) of the elements {xi} (i=1, . . . , n) from the registration request apparatus 110, which extracts the registration target vector X=[x1, . . . , xn], may be configured to calculate Enc(pk, 2xi−1) (i=1, . . . , n) with the encrypted data Enc(pk, xi) (i=1, . . . , n) being kept in an encrypted state and store the calculated encrypted data in the registered data storage unit 133.
<Variation 3>
In variation 3 of the third example embodiment, a function of checking whether individual data xi (i=1, . . . , n) of the registration target vector X=[x1, . . . , xn] is xi∈{0, 1} may be implemented.
The verification apparatus 150 includes a registered data check unit 156 including a decryption section 1561, a hash value generation section 1562, and a matching determination section 1563.
X=[x1, . . . ,xn]∈{0,1}^n
calculates (2x1−1), . . . , (2xn−1) and by using the public key pk, calculates encrypted data (first templates)
Enc(pk,(2x1−1)), . . . ,Enc(pk,(2xn−1)) (113)
and transmits the encrypted data (first templates) to the storage apparatus 130 (S31).
The random number generation unit 136 in the storage apparatus 130 generates random numbers c1, . . . , cn (S31A).
The encrypted data generation unit 137 in the storage apparatus 130 performs a scalar operation Scl(ci, Enc(pk, (2xi−1))) to generate the following encrypted data.
Enc(pk,c1(2x1−1)), . . . ,Enc(pk,cn(2xn−1)) (114)
The hash value generation section 138 in the storage apparatus 130 calculates hash values H(c1^2), . . . , H(cn^2) by using a hash function H. The storage apparatus 130 transmits Enc(pk, c1(2x1−1)), . . . , Enc(pk, cn(2xn−1)) and the hash values H(c1^2), . . . , H(cn^2) to the verification apparatus 150 via the communication unit 135 (S31B).
The decryption section 1561 in the verification apparatus 150 decrypts Enc(pk, ci (2xi−1)) (i=1, . . . , n) by using the secret key sk (S31C).
zi=Dec(sk,Enc(pk,ci(2xi−1)))=ci(2xi−1)(i=1, . . . ,n) (115)
Next, the hash value generation section 1562 in the verification apparatus 150 calculates hash values H(zi^2) (i=1, . . . , n).
The matching determination section 1563 in the verification apparatus 150 determines whether the following holds, for all i from i=1 to n.
H(zi^2)=H(ci^2) (116)
If the above relationship holds, the matching determination section 1563 determines acceptance. If there is any i that does not satisfy H(zi^2)=H(ci^2), the matching determination section 1563 determines rejection (S31D).
The verification apparatus 150 notifies the storage apparatus 130 of the verification result (S31E).
If the verification result determined by the verification apparatus 150 is “acceptance” (Yes in S31F), the storage apparatus 130 stores Enc(pk, (2x1−1)), . . . , Enc(pk, (2xn−1)) in the registered data storage unit 133 in association with a registration identifier id (S31G).
The decryption section 1561 and the hash value generation section 1562 may commonly be used as the decryption section 1531 and the hash value generation section 1532 in the query determination unit 153.
Regarding zi=ci (2xi−1) (i=1, . . . , n),
zi=−ci if xi is 0,
zi=ci if xi is 1 (117)
Thus, when xi∈{0,1}, the hash values satisfy H(zi^2)=H(ci^2). When H(z1^2)=H(c1^2), . . . , H(zn^2)=H(cn^2), the verification apparatus 150 determines acceptance. In this case, the storage apparatus 130 stores Enc(pk, (2x1−1)), . . . , Enc(pk, (2xn−1)) in the registered data storage unit in association with a registration identifier id.
In contrast, when xi is not 0 or 1, zi=ci (2xi−1) is a value other than +ci or −ci.
H(zi^2)≠H(ci^2)
As a result, the verification apparatus 150 determines rejection.
The subsequent processing in the matching phase is the same as that described with reference to
The registration request apparatus 110 may generate Enc(pk, x1), . . . , Enc(pk, xn) from the binary vector X=[x1, . . . , xn]∈{0,1}^n and transmit the encrypted data to the storage apparatus 130. The storage apparatus 130 may calculate Enc(pk, (2x1−1)), . . . , Enc(pk, (2xn−1)), generate random numbers c1, . . . , cn, and generate Enc(pk, c1(2x1−1)), . . . , Enc(pk, cn(2xn−1)) from a scalar operation Scl(ci, Enc(pk, (2xi−1))). In this case, also in the first example embodiment, whether the individual data xi (i=1, . . . , n) of the registration target vector X=[x1, . . . , xn] is xi∈{0,1} can be checked.
According to the third example embodiment, the verification apparatus calculates a product of messages obtained by decrypting ciphertexts. Thus, encryption in which a product of decrypted values is not defined cannot be used. For example, the Modified-Elgamal encryption in which the decryption algorithm outputs Dec(sk, Enc(pk, m))=g^m, not messages, or the ECElgamal encryption in which the decryption algorithm outputs Dec(sk, Enc(pk, m))=m(*)G, not messages, cannot be used. In the message space Fq in the Modified-Elgamal encryption and the ECElgamal encryption and the message space in the Paillier encryption, a product is defined on ZN={0, 1, . . . , N−1}. Thus, when the decryption algorithm outputs a message, the decryptor only needs to determine whether the decrypted value matches any one of 0, 1, 2, 3, . . . , and t. However, in the Modified-Elgamal encryption and ECElgamal encryption, generally, it is difficult to configure a decryption algorithm that outputs a message.
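The matching flow of the third example embodiment (S33 to S39) and the registration check of variation 3 (formulas (114) to (116)) can be traced with the following sketch, which is an added example and not part of the original description. It assumes Paillier encryption as the additive homomorphic scheme with toy-sized constructed primes, SHA-256 as the hash function H, and products taken modulo the Paillier modulus N; all function names are hypothetical.

```python
import hashlib
import secrets

# Toy Paillier (additive homomorphic). P and Q are constructed Mersenne
# primes, far too small for real use; they only keep the example fast.
P, Q = 2**61 - 1, 2**89 - 1
N, N2, PHI = P * Q, (P * Q) ** 2, (P - 1) * (Q - 1)
MU = pow(PHI, -1, N)

def rand():
    """Random non-zero element of Z_N."""
    return secrets.randbelow(N - 1) + 1

def enc(m):
    """Enc(pk, m) = (1 + N)^m * r^N mod N^2."""
    return (1 + (m % N) * N) * pow(rand(), N, N2) % N2

def dec(c):
    """Dec(sk, c): recover m in Z_N (the value -1 comes back as N - 1)."""
    return (pow(c, PHI, N2) - 1) // N * MU % N

def scl(k, c):
    """Scalar operation Scl(k, Enc(m)) = Enc(k*m), done on the ciphertext."""
    return pow(c, k % N, N2)

def H(v):
    """One-way hash of a value in Z_N (SHA-256 is an assumption)."""
    return hashlib.sha256(str(v % N).encode()).hexdigest()

def register(x):
    """Registration request apparatus: first templates Enc(pk, 2*xi - 1)."""
    return [enc(2 * xi - 1) for xi in x]

def check_template(template):
    """Variation 3: accept only if every registered xi is 0 or 1."""
    # Storage apparatus: blind each ciphertext with a random ci, hash ci^2.
    c = [rand() for _ in template]
    blinded = [scl(ci, t) for ci, t in zip(c, template)]
    hashes = [H(ci * ci) for ci in c]
    # Verification apparatus: zi = ci(2xi - 1), compare H(zi^2) with H(ci^2).
    return all(H(dec(b) ** 2) == h for b, h in zip(blinded, hashes))

def respond(challenge, y):
    """Matching request apparatus: Scl(2yi - 1, Enc(bi)) = Enc(bi(2yi - 1))."""
    return [scl(2 * yi - 1, cb) for cb, yi in zip(challenge, y)]

def match(template, y, t):
    """Run one matching; returns (accepted, number of mismatches)."""
    n = len(template)
    # Matching apparatus: random ai, bi, ri. The challenge Enc(bi) does not
    # depend on the template.
    a, b, r = ([rand() for _ in range(n)] for _ in range(3))
    challenge = [enc(bi) for bi in b]
    response = respond(challenge, y)
    # Query: Enc(ai(2xi - 1)), Enc(bi ri (2yi - 1)) and H(ai bi ri).
    query = [(scl(ai, tx), scl(ri, cy), H(ai * bi * ri))
             for ai, bi, ri, tx, cy in zip(a, b, r, template, response)]
    # Verification apparatus: decrypt both, hash the product, count indices
    # where the hash differs (yi != xi, or yi outside {0, 1}).
    mismatches = sum(H(dec(ca) * dec(cb)) != h for ca, cb, h in query)
    return mismatches <= t, mismatches
```

The verification side only ever sees the blinded values ai(2xi−1) and bi ri(2yi−1), and a non-binary yi is counted as a mismatch at its index in the same way as yi≠xi.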
The first and second example embodiments can handle binary vectors as biometric information, have resistance against spoofing attacks, and do not need somewhat homomorphic encryption or pairing calculation. The above PTLs 2 and 3 are problematic in resistance against spoofing attacks and need somewhat homomorphic encryption or pairing calculation. In addition, PTL 5 is problematic in resistance against spoofing attacks and needs somewhat homomorphic encryption or pairing calculation.
The third example embodiment can handle binary vectors as biometric information and has resistance against spoofing attacks. In addition, the third example embodiment does not need somewhat homomorphic encryption or pairing calculation and is applicable to 1:N authentication.
A fourth example embodiment of the present invention will be described. The basic configuration according to the fourth example embodiment of the present invention is the same as that in
In the key generation in ElGamal encryption, a generator g corresponding to a group G (multiplicative group Z*q) whose order q (the bit number is a security parameter k) is a prime is selected. In addition, x is selected from {0, 1, . . . , q−1}, where h=g^x. Next, (h, g, q) is used as a public key, and x is used as a secret key. In the encryption, a random number r is randomly selected from {0, 1, . . . , q−1} for a plaintext m, and
c1=g^r mod q and
c2=m·h^r mod q
are calculated to obtain ciphertexts (c1, c2).
In the decryption, m=c2 (c1^x)^(−1) is set for the received ciphertexts. Herein, the ciphertexts of plaintexts m1, m2∈G are as follows.
Enc(pk,m1)=(g^r1,m1·h^r1),
Enc(pk,m2)=(g^r2,m2·h^r2)
Multiplication of these two ciphertexts gives
(g^(r1+r2),(m1×m2)h^(r1+r2))=Enc(pk,m1×m2).
Thus, the following holds.
Enc(pk,(m1×m2))=Enc(pk,m1)×Enc(pk,m2).
In the RSA encryption, a suitable positive integer e is selected, two large primes {p, q} are generated, and the public key {e, n} is generated by using a product n (=pq) and e. In addition, in the RSA encryption, d=e^(−1) (mod(p−1)(q−1)) is used as the secret key. The encryption of a plaintext m is given as
c=m^e mod n,
while the decryption is given as
m=c^d mod n.
When the two ciphertexts
Enc(pk,m1)=m1^e mod n and
Enc(pk,m2)=m2^e mod n
of the two plaintexts m1, m2∈Z*n are multiplied by each other,
(m1×m2)^e mod n=Enc(pk,(m1×m2)).
Thus, the following holds.
Enc(pk,(m1×m2))=Enc(pk,m1)×Enc(pk,m2).
As illustrated in
The random number generation unit 142 in the matching apparatus 140 generates random numbers ai and bi.
The encrypted data generation unit 143 in the matching apparatus 140 transmits encrypted data Enc(pk, bi) (i=1, . . . , n) obtained by encrypting the random numbers bi (i=1, . . . , n) by using the public key pk to the matching request apparatus 120 (S45). The encrypted data transmitted to matching request apparatus 120 does not depend on the registered data (templates). Thus, 1:N authentication can be performed.
The response generation unit 123 in the matching request apparatus 120 encrypts the operation results (2yi−1) of the elements {yi} of the matching target vector Y=[y1, . . . , yn] by using the public key pk to generate Enc(pk, (2yi−1)) (i=1, . . . , n). The response generation unit 123 in the matching request apparatus 120 multiplies Enc(pk, bi) received from the matching apparatus 140 by Enc(pk, (2yi−1)) (i=1, . . . , n) with these encrypted data kept in an encrypted state (multiplicative homomorphic encryption) to generate Enc(pk, bi (2yi−1)). Next, the matching request apparatus 120 transmits Enc(pk, bi (2yi−1)) to the matching apparatus 140.
The matching apparatus 140 obtains encrypted data Enc(pk, ai) (i=1, . . . , n) by encrypting the random numbers ai (i=1, . . . , n) by using the public key pk and generates the following formula (118) from Enc(pk, (2xi−1)) and Enc(pk, bi (2yi−1)) from the matching request apparatus 120 by using multiplicative homomorphic encryption.
Enc(pk,aibi(2xi−1)(2yi−1))(i=1, . . . ,n) (118)
The hash value generation section 148 calculates a hash value of the products ai bi (mod q) of the random numbers ai and bi (i=1, . . . , n) as expressed by
H(aibi) (119)
The query generation unit 145 generates a query including the encrypted data Enc(pk, ai bi (2xi−1) (2yi−1)) (i=1, . . . , n) and the hash values H(ai bi) (i=1, . . . , n) and transmits the query to the verification apparatus 150 via the communication unit 146 (S47). H denotes a one-way hash function. In the transmission of the encrypted data Enc(pk, ai bi (2xi−1)(2yi−1)) (i=1, . . . , n), the query generation unit 145 may shuffle the sequence relating to the index i.
The decryption section 1531 in the query determination unit 153 in the verification apparatus 150 decrypts the encrypted data Enc(pk, ai bi (2xi−1)(2yi−1)) (i=1, . . . , n) by using the secret key sk.
zi=Dec(sk,Enc(pk,aibi(2xi−1)(2yi−1))) (i=1, . . . ,n) (120)
The hash value generation section 1532 in the query determination unit 153 in the verification apparatus 150 further calculates hash values H(zi)(i=1, . . . , n) of zi.
The mismatching determination section 1533 in the query determination unit 153 in the verification apparatus 150 determines whether a count number of mismatched i between the calculated hash values H(zi) (i=1, . . . , n) and the hash values H(ai bi) received from the matching apparatus 140 is less than or equal to t.
If the count number of mismatches is less than or equal to t, the verification result generation unit 154 determines acceptance. Otherwise, the verification result generation unit 154 determines rejection.
zi=aibi(2xi−1)(2yi−1) (121)
where zi=aibi, if yi is 0 or 1 and yi=xi;
zi=−aibi, if yi is 0 or 1 and yi≠xi; and
zi is a value other than ai bi or −ai bi, if yi is a value other than 0 or 1.
Thus, when the following holds
H(zi)=H(aibi) (122)
yi=xi and yi=0 or 1.
Otherwise (hash values H(zi)≠H(ai bi)), either yi is 0 or 1 and yi≠xi, or yi is a value other than 0 or 1.
When the count number of mismatches with xi is less than or equal to t, the verification result generation unit 154 determines acceptance.
On reception of a matching request from the matching request apparatus 120 (S42), the matching apparatus 140 receives the encrypted data Enc(pk, (2xi−1)) (i=1, . . . , n) stored in association with the Id from the storage apparatus 130 (S43).
The matching apparatus 140 generates random numbers ai and bi (S44). The matching apparatus 140 transmits encrypted data Enc(pk, bi) (i=1, . . . , n) of the random numbers bi (i=1, . . . , n) to the matching request apparatus 120 (S45).
The matching request apparatus 120 extracts a matching target binary vector Y=[y1, . . . , yn], obtains encrypted data Enc(pk, (2yi−1)) (i=1, . . . , n) of the operation results (2yi−1) of the individual elements {yi}, calculates Enc(pk, bi (2yi−1)) (i=1, . . . , n) based on the Enc(pk, bi) (i=1, . . . , n) received from the matching apparatus 140 and Enc(pk, (2yi−1)) (i=1, . . . , n), and transmits the calculated encrypted data to the matching apparatus 140 (S46).
The matching apparatus 140 generates Enc(pk, ai bi(2xi−1) (2yi−1)) (i=1, . . . , n) based on Enc(pk, bi(2yi−1)) (i=1, . . . , n) received from the matching request apparatus 120, Enc(pk, (2xi−1)) received from the storage apparatus 130, and the random numbers ai, bi and generates hash values H(ai bi) for transmission to the verification apparatus 150 (S47).
The verification apparatus 150 decrypts the encrypted data Enc(pk, ai bi (2xi−1)(2yi−1)) by using the secret key sk and calculates a hash value H(zi) based on the decryption result zi (S48A).
The verification apparatus 150 determines whether a count number of mismatched i between the calculated hash values H(zi) and the hash values H(ai bi) received from the matching apparatus 140 is less than or equal to t (S48B). If the count number of mismatches is less than or equal to t, the verification apparatus 150 determines acceptance. Otherwise, the verification apparatus 150 determines rejection. Next, the verification apparatus 150 outputs the detection result (acceptance/rejection) (S49).
<Variation 1>
As in variation 3 of the third example embodiment, according to the fourth example embodiment, a function of checking whether each of the individual elements {xi} (i=1, . . . , n) of the registration target vector X=[x1, . . . , xn] satisfies xi∈{0, 1} may be implemented. The configuration according to a variation of the fourth example embodiment is the same as that of the storage apparatus 130 and the verification apparatus 150 in
Enc(pk,(2x1−1)), . . . ,Enc(pk,(2xn−1)) (123)
The random number generation unit 136 in the storage apparatus 130 generates random numbers c1, . . . , cn (S41A).
The encrypted data generation unit 137 in the storage apparatus 130 generates the following encrypted data based on encrypted data Enc(pk, ci) (i=1, . . . , n), obtained by encrypting the random numbers c1, . . . , cn by using the public key pk, and Enc(pk, (2xi−1)) (i=1, . . . , n).
Enc(pk,c1(2x1−1)), . . . ,Enc(pk,cn(2xn−1)) (124)
The hash value generation section 138 in the storage apparatus 130 calculates hash values H(c1^2), . . . , H(cn^2) by using a hash function H. The storage apparatus 130 transmits Enc(pk, c1(2x1−1)), . . . , Enc(pk, cn(2xn−1)) and the hash values H(c1^2), . . . , H(cn^2) to the verification apparatus 150 via the communication unit 135 (S41B).
The decryption section 1561 in the verification apparatus 150 decrypts Enc(pk, ci (2xi−1)) (i=1, . . . , n) by using the secret key sk (S41C).
zi=Dec(sk,Enc(pk,ci(2xi−1)))=ci(2xi−1)(i=1, . . . ,n) (125)
Next, the hash value generation section 1562 in the verification apparatus 150 calculates hash values H(zi^2) (i=1, . . . , n).
If the following relationship holds for all i=1, . . . , n, the matching determination section 1563 in the verification apparatus 150 determines acceptance.
H(zi^2)=H(ci^2) (126)
If there is any i that does not satisfy H(zi^2)=H(ci^2), the matching determination section 1563 in the verification apparatus 150 determines rejection (S41D).
The verification apparatus 150 notifies the storage apparatus 130 of the verification result (S41E).
If the verification apparatus 150 determines “acceptance” as the verification result (Yes in S41F), the storage apparatus 130 stores Enc(pk, (2x1−1)), . . . , Enc(pk, (2xn−1)) in the registered data storage unit 133 in association with a registration identifier id (S41G).
The decryption section 1561 and the hash value generation section 1562 may commonly be used as the decryption section 1531 and the hash value generation section 1532 in the query determination unit 153.
zi=ci (2xi−1) (i=1, . . . , n) takes a value of
−ci, if xi is 0, while
ci if xi is 1, (127)
Thus, when xi∈{0,1}, the following relationship (128) is satisfied.
H(zi^2)=H(ci^2) (128)
That is, when H(z1^2)=H(c1^2), . . . , H(zn^2)=H(cn^2) holds, the verification apparatus 150 determines acceptance. In this case, the storage apparatus 130 stores Enc(pk, (2x1−1)), . . . , Enc(pk, (2xn−1)) in the registered data storage unit in association with the registration identifier id. In contrast, when xi is not 0 or 1, zi=ci (2xi−1) is a value other than +ci and −ci. Namely, since H(zi^2)≠H(ci^2), the verification apparatus 150 determines rejection.
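The matching flow of the fourth example embodiment (S44 to S48B) and the registration check of Variation 1 (S41A to S41D) can be traced end to end in the following added example, which is not part of the original text. It assumes a toy ElGamal instance (prime modulus Q = 2^127−1 in the role of q, base G = 3), SHA-256 as the one-way hash H, and hypothetical function names; all vectors are constructed sample data.

```python
import hashlib
import secrets

Q = 2**127 - 1  # toy prime modulus in the role of the page's q (assumption, not a real parameter)
G = 3           # toy base element g (assumption)

def rnd():
    return secrets.randbelow(Q - 2) + 1            # nonzero random value

def keygen():
    x = rnd()
    return pow(G, x, Q), x                         # public h = g^x, secret key x

def enc(h, m):
    r = rnd()
    return pow(G, r, Q), m % Q * pow(h, r, Q) % Q  # (c1, c2) = (g^r, m*h^r)

def dec(x, c):
    return c[1] * pow(pow(c[0], x, Q), -1, Q) % Q  # m = c2 * (c1^x)^(-1)

def mul(c, d):
    return c[0] * d[0] % Q, c[1] * d[1] % Q        # Enc(m1) x Enc(m2) = Enc(m1*m2)

def H(v):
    return hashlib.sha256(str(v % Q).encode()).hexdigest()

def encrypt_vector(h, V):
    return [enc(h, 2 * v - 1) for v in V]          # Enc(pk, 2vi-1) for each element

def register_ok(h, x, template):
    """Variation 1 (S41A-S41D): accept only if H(zi^2) == H(ci^2) for every i."""
    cs = [rnd() for _ in template]                                # storage apparatus 130
    blinded = [mul(enc(h, c), e) for c, e in zip(cs, template)]   # Enc(pk, ci(2xi-1))
    return all(H(dec(x, z) ** 2) == H(c * c) for z, c in zip(blinded, cs))

def match(h, x, template, Y, t):
    """S44-S48B: returns (accepted, number of mismatched positions)."""
    a, b = [rnd() for _ in Y], [rnd() for _ in Y]                 # S44
    resp = [mul(enc(h, bi), ey) for bi, ey in zip(b, encrypt_vector(h, Y))]  # S45-S46
    query = [mul(mul(enc(h, ai), ex), ry)                         # S47
             for ai, ex, ry in zip(a, template, resp)]
    sent = [H(ai * bi) for ai, bi in zip(a, b)]
    miss = sum(H(dec(x, c)) != hv for c, hv in zip(query, sent))  # S48A-S48B
    return miss <= t, miss
```

Only the holder of the secret key x (the verification apparatus 150) calls dec; the blinding factors ai, bi and ci never leave the apparatus that generated them except as hashes.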
<Variation 2>
According to the fourth example embodiment, for example, when the verification apparatus 150 is able to acquire communication contents in steps S45 and S46 in
For example, the secret key and the public key of ElGamal encryption are set to x and (h, g, q), respectively, and the ciphertext of a plaintext m is set to (c1, c2). (c1^t, c2) calculated for a random number t that is randomly selected from {0, 1, . . . , q−1} is the ciphertext of a plaintext m corresponding to a secret key x/t and a public key (h, g^t, q). When the ElGamal encryption scheme is used, the matching apparatus 140 receives a matching request from the matching request apparatus 120 (S42). Each time the matching apparatus 140 receives a matching request, the matching apparatus 140 generates a different random number t. In step S45, the matching apparatus 140 transmits the ciphertext corresponding to the public key (h, g^t, q) and the public key (h, g^t, q).
The matching request apparatus 120 transmits the ciphertext corresponding to the public key (h, g{circumflex over ( )}t, q) received from the matching apparatus 140 to the matching apparatus 140 (S46).
By using t, the matching apparatus 140 can restore the ciphertext corresponding to the original public key (h, g, q) from the ciphertext received from the matching request apparatus 120 in step S46.
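The consistency of this re-keying can be written out as follows. This derivation is added here and is not part of the original text; it assumes that t is invertible modulo the order of g, so that x/t denotes x·t^(−1) in the exponent.
h=g^x=(g^t)^(x/t)
(c1^t, c2)=((g^t)^r, m·h^r)
c2·((c1^t)^(x/t))^(−1)=m·h^r·(g^(rx))^(−1)=m
(c1^t)^(t^(−1))=c1
The first two lines show that (c1^t, c2) is a valid ciphertext of m under the public key (h, g^t, q), the third that it decrypts with the secret key x/t, and the fourth that raising the first component to t^(−1) restores the ciphertext for the original public key (h, g, q).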
In the fourth example embodiment, the encryption scheme is not limited to multiplicative homomorphic encryption such as RSA encryption and ElGamal encryption. For example, a public key encryption scheme having an additive and multiplicative homomorphic property, such as a somewhat homomorphic encryption scheme or C. Gentry's “Fully Homomorphic Encryption Using Ideal Lattices” (see Symposium on Theory of Computing, STOC 2009, ACM, 169-178, 2009), may be used.
As illustrated in
The registration request apparatus 110 according to each example embodiment described above may also be implemented on the computer system 10 with reference to
The disclosure of each of the above PTLs 1 to 5 and NPL 1 is incorporated herein by reference thereto. Variations and adjustments of the example embodiments and examples are possible within the scope of the overall disclosure (including the claims) of the present invention and based on the basic technical concept of the present invention. Various combinations and selections of various disclosed elements (including the elements in the claims, example embodiments, examples, drawings, etc.) are possible within the scope of the claims of the present invention. Namely, the present invention of course includes various variations and modifications that could be made by those skilled in the art according to the overall disclosure including the claims and the technical concept.
The above example embodiments can be described as, but not limited to, the following supplementary notes.
(Note 1)
A matching system, comprising:
Number | Date | Country | Kind |
---|---|---|---|
2016-243709 | Dec 2016 | JP | national |
The present application is a continuation of U.S. application Ser. No. 16/469,486 filed on Jun. 13, 2019, which is a National Stage of International Application No. PCT/JP2017/044769 filed Dec. 13, 2017, based upon and claims the benefit of the priority of Japanese patent application No. 2016-243709, filed on Dec. 15, 2016, the disclosure of which is incorporated herein in its entirety by reference thereto.
Number | Name | Date | Kind |
---|---|---|---|
9100185 | Yasuda et al. | Aug 2015 | B2 |
9614665 | Takenaka et al. | Apr 2017 | B2 |
9860060 | Sakemi et al. | Jan 2018 | B2 |
10211986 | Isshiki | Feb 2019 | B2 |
11212087 | Takemori | Dec 2021 | B2 |
20060171530 | Futa et al. | Aug 2006 | A1 |
20090249063 | Sakurai et al. | Oct 2009 | A1 |
20100080391 | Shah | Apr 2010 | A1 |
20120224693 | Lei | Sep 2012 | A1 |
20130318351 | Hirano et al. | Nov 2013 | A1 |
20140185794 | Yasuda | Jul 2014 | A1 |
20150381348 | Takenaka et al. | Dec 2015 | A1 |
20160099807 | Isshiki | Apr 2016 | A1 |
20160173275 | Yasuda | Jun 2016 | A1 |
20160204936 | Sakemi et al. | Jul 2016 | A1 |
20160269174 | Yasuda | Sep 2016 | A1 |
20170193032 | Kim | Jul 2017 | A1 |
20190034646 | Fujiwara | Jan 2019 | A1 |
20190207913 | Hwang et al. | Jul 2019 | A1 |
Number | Date | Country |
---|---|---|
2014-126865 | Jul 2014 | JP |
2016-12111 | Jan 2016 | JP |
2016-111594 | Jun 2016 | JP |
2016-114692 | Jun 2016 | JP |
2016-131335 | Jul 2016 | JP |
2016-167037 | Sep 2016 | JP |
2012114452 | Aug 2012 | WO |
WO-2012114452 | Aug 2012 | WO |
2014185447 | Nov 2014 | WO |
Entry |
---|
Haruna Higo, et al., “A Secure Biometric Authentication Scheme with Small Information Disclosure”, Symposium on Cryptography and Information Security (SCIS2016), The Institute of Electronics, Information and Communication Engineers, Jan. 19-22, 2016, pp. 1-8, Kumamoto, Japan. |
Haruna Higo, et al., “Secure Biometric Authentication Scheme for Binary Feature”, Abstracts of 2017 Symposium on Cryptography and Information Security (SCIS 2017), The Institute of Electronics Information and Communication Engineers, Jan. 24-27, 2017, pp. 1-8, Naha, Japan. |
International Search Report for PCT/JP2017/044769 dated Feb. 13, 2018 (PCT/ISA/210). |
Number | Date | Country | |
---|---|---|---|
20210367783 A1 | Nov 2021 | US |
Number | Date | Country | |
---|---|---|---|
Parent | 16469486 | US | |
Child | 17397431 | US |