With the wide-spreading cloud computing, there has recently been a rapid expansion of services based on the user data stored in computational resources connected to networks. Such services more often involve opportunities to deal with sensitive user data. Therefore, it is becoming important to assure users that their data is securely managed. Under such circumstances, research and development are actively promoted for techniques to manage data that remains encrypted in open network environments and to perform searches, statistical processing, and the like on the data without decrypting it.
In addition, crimes are more frequently occurring that exploit the vulnerability of personal authentication based on passwords or magnetic cards. Thus, more secure biometric authentication techniques using biological features such as fingerprints or veins are drawing attention. Biometric authentication requires a template related to biometric information to be stored in a database in order to verify authentication information. Biometric information such as fingerprints or veins is the data that is basically unchanged through one's lifetime. Biometric information requires highest-level security protection because serious damages will occur if such information is leaked. Thus, impersonation or the like must be prevented even when the template is leaked.
Accordingly, it is becoming important to have a template protection type biometric authentication technique which performs authentication with the template information concealed.
For example, PTL 1 discloses a method for performing biometric authentication by representing fingerprint data as points on a polynomial expression, adding random points to the points to conceal the fingerprint data, and using the concealed data as a template.
However, the method of PTL 1 is known to be problematic concerning whether the biometric information still remains protected with adequate strength after biometric authentication is repeated many times.
NPL 1 discloses a method for protecting biometric information by masking a template stored in a database with a random Bose-Chaudhuri-Hocquenghem (BCH) code word. According to NPL 1, biometric information Z and secret information S are used to generate a template for biometric authentication. FIG. 5 is a diagram based on FIG. 2 in NPL 1, with the feature extraction, statistical analysis, quantization, and the like shown in FIG. 2 in NPL 1 omitted. The enrollment of the template is performed as described below.
(1) Input the secret information S to an encoder (enc), perform error correcting coding (ECC) and generate a code word C. For ECC, binary BCH codes with parameters (K, s, d) are used, where K denotes the length of the code words, s the number of information symbols, and d the number of errors that can be corrected.
(2) Calculate an exclusive OR between C and Z, namely W2=C(+)Z (where (+) represents a bitwise exclusive OR operation (bitwise XOR)).
(3) Input S to a cryptographic (one-way) hash function H, such as Secure Hash Algorithm (SHA)-1, and obtain a hash value H(S).
(4) Store W2 and H(S) as template information in a database (DB).
Verification of whether the template generated through the above steps (1) to (4) and another piece of biometric information Z′ have been obtained from the same person is performed as described below.
(1) Calculate an exclusive OR between Z′ and W2, namely C′=W2(+)Z′=C(+)(Z(+)Z′).
(2) Input C′ to a decoder (DEC), perform error-correcting decoding of the BCH code and calculate S′.
(3) Input S′ to a cryptographic (one-way) hash function H, such as SHA-1 and calculate a hash value H(S′).
(4) Read H(S) from the DB and check whether H(S)=H(S′) is satisfied. If H(S)=H(S′) is satisfied, it is determined that the template and the biometric information Z′ were taken from the same person. If H(S)=H(S′) is not satisfied, it is determined that the template and the biometric information Z′ were taken from different persons.
The above-described method is not dependent on how the biometric information Z is obtained. Therefore, in general, the method can be regarded as a method for checking whether an encrypted text has been obtained by encrypting data that falls within a certain Hamming distance from the presented data, without decrypting concealed (encrypted) data.