In a personal authentication system using biometric information, biometric information of a person is acquired at the registration time, and information called feature data is extracted from the biometric information and then registered. The registered information is called a template. At the authentication time, biometric information is acquired from the person again, and feature data is extracted from the biometric information. The feature data is compared with the previously registered template to determine the identity of the person.
Assume that, in a system where a client and a server are coupled via a network, the server biometrically authenticates the user who is adjacent to the client. In this case, the server typically holds a template. At the authentication time, the client acquires biometric information of the user, extracts feature data from the biometric information, and transmits the feature data to the server. The server compares the feature data with the template to determine the identity of the user.
However, a template is information by which a person can be identified and therefore must be strictly managed as personal information, requiring high management cost. Further, there are many people who have inhibitions in registering a template in terms of privacy even if the template is strictly managed. Further, since the number of pieces of a single type of biometric information possessed by a single person is limited (for example, only ten fingers have fingerprints), the template cannot be easily changed, unlike a password or cipher key. If a template is leaked and may be counterfeited, a problem occurs that biometric authentication using the template cannot be used. Further, if the same biometric information is registered in a different system, the different system is also placed under danger.
For these reasons, there has been proposed the following method (called cancellable biometric authentication). That is, at the biometric information registration time, the client converts feature data using a given function (a kind of encryption) and a secret parameter (a kind of encryption key) possessed by the client and stores the converted feature data as a template in the server with the original information concealed. At the authentication time, the client newly extracts feature data of biometric information, converts the feature data using the same function and parameter, and transmits the converted feature data to the server, and the server receives the feature data and compares the feature data with the template with the feature data and the template converted.
According to this method, the client holds the conversion parameter secretly, sc the server cannot recognize the original feature data even at the authentication time, thereby protecting personal privacy. Even when the template is leaked, security can be maintained by changing the conversion parameter and generating and registering a template again. Further, in the case where the same biometric information is used in different systems, templates are converted using different parameters and registered, so leakage of one template can be prevent from reducing the security of the other systems.
The specific cancellable biometric authentication realization method depends on the type of biometric information or the comparison algorithm. Patent Document 1 describes a cancellable iris authentication realization method.
Patent Document 2 describes a realization method (hereafter referred to as correlation-constant random filtering) that is applicable to biometric authentication technology that, in the case where the feature data is an image, particularly, data represented by a two-dimensional array of luminance values (integers), determines whether two images are matched or not, on the basis of the maximum correlation value taking into account the mismatch between the two images.
Patent Document 3 and Non-Patent Document 1 disclose: the feature data (iris code) in iris authentication cannot be represented by only a simple bit string; a mask pattern is needed for representing a portion from which an iris pattern cannot be extracted at the time of imaging, such as an eyelid or a portion that reflects light; and in comparing two iris codes, the Hamming distance is not simply calculated but repeatedly calculated while one of the iris codes is cyclically shifted little by little, and the smallest value (the minimum Hamming distance) is compared with a threshold to determine whether the two iris codes are matched or not.