Systems in financial institutions and systems for electronic commerce and the like need a high level of security. Therefore, these systems use advanced authentication techniques. Recently, techniques such as biometric authentication or the like based on biological information of the user have been used, in addition to password authentication based on a password specified by the user.
A system that uses biometric authentication reads biological information from the user at the time of authentication. Then, the system compares the read biological information with template data, which is biological information registered in advance, so as to determine the degree of similarity therebetween. That is, the biological information read by the system is used as information to be authenticated (hereinafter “authentication object information”), and the template data is used as authentication information. If the authentication object information and the authentication information match within an acceptable tolerance, the authentication is determined to have succeeded. If not, the authentication is determined to have failed.
Examples of biological information include patterns of fingerprints, veins, iris, and the like. These types of biological information are unique to each individual and are unchangeable. Therefore, template data is managed with great care. For example, template data is encrypted and registered in an authentication server. However, if a mechanism is employed that decrypts the encrypted template data into the original template data at the time of authentication and compares biological information obtained from a user with the original template data, there is a risk of the decrypted template data and the obtained biological information being stolen by a malicious third party.
There has been proposed a method that, in order to reduce the above risk, compares encrypted data of biological information read from the user with encrypted template data without decrypting either the biological information or the template data, and calculates a Hamming distance between the biological information and the template data. This technique uses an exclusive-OR operation (hereinafter represented also by the symbol “^”) when encrypting data.
For example, a function that calculates an exclusive OR of an encryption key K and input information X, and a function in CTR (Counter) mode of Advanced Encryption Standard (AES) encryption may be used as a function EK(X) that encrypts data X with the encryption key K. Note that in place of the encryption key K serving as key information, random numbers generated by the encryption key K may be used for encryption. In the following description, such a function will be given by EK(X)=K^X, using the symbol “^”.
An expression EK(X1)^EK(X2)=(X1^K)^(X2^K)=X1^X2≡HV holds, where X1 is biological information read from the user, X2 is template data, K is an encryption key, and HV is a Hamming vector representing the difference between the biological information X1 and the template data X2. Accordingly, if the above operation is used, it is possible to evaluate the degree of match between the biological information and the template data while maintaining an encrypted state thereof, based on the length (Hamming distance) of the Hamming vector HV, and thus to reduce the risk of the biological information being leaked.
See, for example, Japanese Laid-open Patent Publication No. 2005-130384; and Haruki Ota, Yoshiji Sasano, and Fumiaki Sugaya, “Proposal of an iris identification scheme protecting privacy”, Computer Security Symposium 2003, pp. 163-168.
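The relation EK(X1)^EK(X2)=X1^X2 described above can be checked with the following sketch, which is an added example and not code from the cited publications. It assumes a SHAKE-256 keystream as a stand-in for the random numbers generated by the encryption key K, 2048-bit constructed feature codes, and a tolerance of 256 bits; the names keystream, matches and demo are hypothetical.

```python
import hashlib
import secrets

def keystream(key: bytes, n: int) -> bytes:
    # Assumption: SHAKE-256 stands in for the key-derived random numbers
    # (e.g. an AES-CTR keystream) so the example needs only the stdlib.
    return hashlib.shake_256(key).digest(n)

def xor_bytes(a: bytes, b: bytes) -> bytes:
    if len(a) != len(b):
        raise ValueError("operands must have equal length")
    return bytes(x ^ y for x, y in zip(a, b))

def encrypt(key: bytes, x: bytes) -> bytes:
    # E_K(X) = K ^ X, with K expanded to the length of X.
    return xor_bytes(keystream(key, len(x)), x)

def hamming_distance(hv: bytes) -> int:
    return sum(bin(b).count("1") for b in hv)

def flip_bits(data: bytes, positions) -> bytes:
    out = bytearray(data)
    for p in positions:
        out[p // 8] ^= 1 << (p % 8)
    return bytes(out)

def matches(enc_sample: bytes, enc_template: bytes, threshold: int) -> bool:
    # The verifier sees only ciphertexts; K cancels in the XOR.
    return hamming_distance(xor_bytes(enc_sample, enc_template)) <= threshold

def demo() -> dict:
    key = secrets.token_bytes(32)
    # Constructed 2048-bit feature codes, not real biometric data.
    template = hashlib.shake_256(b"constructed template").digest(256)
    genuine = flip_bits(template, range(0, 2048, 40))   # 52 noisy bits
    impostor = hashlib.shake_256(b"constructed impostor").digest(256)
    enc_t = encrypt(key, template)
    enc_g, enc_i = encrypt(key, genuine), encrypt(key, impostor)
    threshold = 256  # assumed tolerance: 12.5% of the bits
    return {
        "hv_equals_plain_xor": xor_bytes(enc_g, enc_t) == xor_bytes(genuine, template),
        "genuine_distance": hamming_distance(xor_bytes(enc_g, enc_t)),
        "genuine_accepted": matches(enc_g, enc_t, threshold),
        "impostor_accepted": matches(enc_i, enc_t, threshold),
    }

if __name__ == "__main__":
    print(demo())
```

The result does not depend on the value of K, only on both inputs having been encrypted with the same K.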
The proposed technique described above is designed for application to an authentication system that performs authentication between two parties, that is, between a terminal apparatus to which the user inputs biological information and an authentication server. Thus, the above-described technique is not designed for an authentication system that performs authentication between a terminal apparatus to which the user inputs biological information, a server (hereinafter, “calculation apparatus”) which stores encrypted template data, and a server (hereinafter, “determination apparatus”) that determines whether authentication is successful.
For example, consider a mechanism in which a terminal apparatus transmits encrypted biological information to a calculation apparatus, and the calculation apparatus then generates distance information representing the difference between the biological information and template data while keeping both in an encrypted state. A determination apparatus then determines whether authentication is successful based on the distance information generated by the calculation apparatus. Further, in order to improve security, the template data is encrypted twice with two encryption keys and stored in the calculation apparatus. One of the keys is stored in the terminal apparatus, while the other is stored in the determination apparatus.
In the above case, registering template data in the calculation apparatus involves a process of encrypting the template data with the encryption key stored in the terminal apparatus, encrypting the template data again with the encryption key stored in the determination apparatus, and registering the template data in the calculation apparatus. That is, it is the determination apparatus that ultimately registers the data in the calculation apparatus. Thus, there is a risk of data being fraudulently registered by the determination apparatus without being noticed by the terminal apparatus. For example, if data is fraudulently registered that makes the Hamming vector obtained by an exclusive-OR operation with arbitrary biological information encrypted by the terminal apparatus sufficiently small, there arises a risk of authentication succeeding regardless of the biological information input in the terminal apparatus.