KR20230109526A - Device and method for multi-factor authentication using bitwise fully homomorphic envryption - Google Patents

Abstract

A biometric based multi-factor authentication system and authentication device are disclosed. The biometric-based multi-factor authentication system includes a first terminal that transmits a registration request message including a first cryptogram corresponding to first biometric data of a user to a server, and a second cryptogram corresponding to second biometric data of a user. A second terminal transmits an authentication request message to the server, registers the biometric data of the user in response to the registration request message received from the first terminal, and responds to the authentication request message received from the second terminal and the server performing authentication for the user by performing an authentication operation on the first cipher text and the second cipher text through a bitwise operation.

Description

Multi-factor authentication device and method using bit-based full homomorphic encryption

The present invention relates to a multi-factor authentication method, and more particularly, to an apparatus and method for biometric-based multi-factor authentication using bit-based fully homomorphic encryption.

Recently, a cloud-based service technology in which a cloud acts as an agent for a service desired by a user is rapidly increasing. However, by sharing the user's data with the cloud, a problem regarding the user's data privacy arises. Correspondingly, with homomorphic encryption, the server does not obtain any information about the user's data, but only performs the query requested by the user. The cloud returns the result value to the user, and the user can obtain the result value without exposing personal information.

In the present invention, an apparatus or methodology capable of diagnosing whether authentication is possible by comparing the degree of similarity between stored biometric-based data and newly entered biometric-based data using an algorithm based on logic gates while preserving user data privacy through homomorphic encryption deals with

Multi-factor authentication is an element known only to the user, such as a password (knowledge-based), an element possessed only by the user, such as a hardware token (possession-based), and an element unique to the user, such as biometric information (attribute-based). It refers to an access control method that authenticates a user by combining two or more authentication methods among authentication factors such as repeated actions of a person, method of using a device (action-based), and specific location (location-based) such as GPS or mobile communication. . Security can be further strengthened through this authentication method that combines authentication factors belonging to different methods.

A technical problem to be achieved by the present invention is to provide a multi-factor authentication apparatus and method using bit-based fully homomorphic encryption capable of protecting user data privacy.

In a biometric based multi-factor authentication system according to an embodiment of the present invention, a first terminal that transmits a registration request message including a first cryptogram corresponding to a user's first biometric data to a server, and a user's second biometric data A second terminal that transmits an authentication request message including a corresponding second cipher text to the server, registers the user's biometric data in response to the registration request message received from the first terminal, and receives from the second terminal and the server performing authentication for the user in response to a received authentication request message, wherein the server performs an authentication operation through a bitwise operation on the first cipher text and the second cipher text.

An authentication device according to an embodiment of the present invention includes a registration unit configured to register a user by receiving a registration request message including a first cryptogram corresponding to first biometric data of a user from a first terminal, and the second and an authentication unit configured to receive an authentication request message including a second ciphertext corresponding to second biometric data of the user from a terminal and perform authentication of the user, wherein the authentication unit includes the first ciphertext and the first ciphertext in units of bits. 2 XOR operation unit for performing an exclusive OR (XOR) operation on the corresponding bits included in the ciphertext, an addition operation unit for performing an addition operation on the XOR operation result, the result of the addition operation to the first binary code or the first binary code 2 It includes a division operation unit for performing a division operation divided by the number of bits included in the binary code, and a comparison operation unit for deriving an authentication result by performing a comparison operation between the result of the division operation and a predetermined reference value.

In the case of the multi-factor authentication apparatus and method according to an embodiment of the present invention, there is an effect of securely authenticating sensitive biometric data without disclosing it to anyone.

In addition, the cloud may output an encrypted matching result by performing a matching algorithm without decryption. Accordingly, since the service can be provided to the user without separate consent for data use, concerns over data privacy can be legally resolved.

A detailed description of each drawing is provided in order to more fully understand the drawings cited in the detailed description of the present invention.
1 is a diagram for explaining a process of performing an exclusive OR operation on two ciphertexts.
2 is a flowchart for explaining plaintext binary division.
3 is a diagram for explaining a real number representation for bitwise homomorphic encryption.
4 illustrates an authentication system according to one embodiment of the present invention.
FIG. 5 is a conceptual diagram for explaining an authentication operation performed in the authentication system shown in FIG. 4 .
FIG. 6 is a functional block diagram of a first terminal shown in FIG. 4 .
FIG. 7 is a functional block diagram of a second terminal shown in FIG. 4 .
8 is a functional block diagram of the server shown in FIG. 4;

Specific structural or functional descriptions of the embodiments according to the concept of the present invention disclosed in this specification are only illustrated for the purpose of explaining the embodiments according to the concept of the present invention, and the embodiments according to the concept of the present invention may be embodied in many forms and are not limited to the embodiments described herein.

Embodiments according to the concept of the present invention can apply various changes and can have various forms, so the embodiments are illustrated in the drawings and described in detail in this specification. However, this is not intended to limit the embodiments according to the concept of the present invention to specific disclosed forms, and includes all modifications, equivalents, or substitutes included in the spirit and scope of the present invention.

Terms such as first or second may be used to describe various components, but the components should not be limited by the terms. The above terms are used only for the purpose of distinguishing one component from another, e.g. without departing from the scope of rights according to the concept of the present invention, a first component may be termed a second component and similarly a second component may be termed a second component. A component may also be referred to as a first component.

It is understood that when an element is referred to as being "connected" or "connected" to another element, it may be directly connected or connected to the other element, but other elements may exist in the middle. It should be. On the other hand, when a component is referred to as “directly connected” or “directly connected” to another component, it should be understood that no other component exists in the middle. Other expressions describing the relationship between components, such as "between" and "directly between" or "adjacent to" and "directly adjacent to", etc., should be interpreted similarly.

Terms used in this specification are only used to describe specific embodiments, and are not intended to limit the present invention. Singular expressions include plural expressions unless the context clearly dictates otherwise. In this specification, terms such as "comprise" or "having" are intended to indicate that there is a feature, number, step, operation, component, part, or combination thereof described in this specification, but one or more other features It should be understood that it does not preclude the possibility of the presence or addition of numbers, steps, operations, components, parts, or combinations thereof.

Unless defined otherwise, all terms used herein, including technical or scientific terms, have the same meaning as commonly understood by one of ordinary skill in the art to which the present invention belongs. Terms such as those defined in commonly used dictionaries should be interpreted as having a meaning consistent with the meaning in the context of the related art, and unless explicitly defined in this specification, it should not be interpreted in an ideal or excessively formal meaning. don't

Hereinafter, embodiments of the present invention will be described in detail with reference to the accompanying drawings. However, the scope of the patent application is not limited or limited by these examples. Like reference numerals in each figure indicate like elements.

First, a description (or definition) of symbols used to explain the present invention and a (Fully) Homomorphic Encryption function will be described.

represents the length of the array (vector), and the ciphertext (c) is bit of is expressed as Here, c _i means that one plaintext (x _i ) bit is encrypted. Plain text too bit of can be expressed as Enc means encryption and Dec means decryption. The term bitwise means to apply a specific operation to each of the elements of each array.

Also, HE is a mark for distinguishing between homomorphic encryption gates (which may mean functions or algorithms) and general gates. Each element of the ciphertext is LWE (Learning With Errors) or RLWE (Ring Learning With Errors) based ciphertext, and noise is added to each sampled element. When an operation is performed between ciphertexts, the output ciphertext is output with more noise than the existing ciphertext, and if the ciphertext contains more than a certain level of noise, it is difficult to obtain an accurate value even if the ciphertext is decrypted. Therefore, in general, fully homomorphic encryption gates require bootstrapping to remove noise after operation.

for example, means that the AND operation is performed on the two input cipher bits a[0] and b[0], noise generated during the operation is removed by bootstrapping, and the returned cipher bit value is stored in the 0th element of c array. means to do

Bit-based iris authentication system scenario

(1) Exclusive OR of two ciphertexts

1 is a diagram for explaining a process of performing an exclusive OR (XOR) operation on two ciphertexts. The exclusive OR of the two ciphertexts may mean an operation for finding the number of bits of the first ciphertext (C _X ) that are located in the same position as the second ciphertext (C _Y ) to be newly verified but have different values. In other words, it may refer to an operation for finding the number of cases in which the values of bits corresponding to each other in two ciphertexts are different from each other. Here, the first cryptogram (C _X ) may mean a registered iris code, and the second cryptogram (C _Y ) may mean a new iris code to be verified. The XOR operation outputs Enc(0) if the two cipher bits are the same for the two iris cipher bits C _X , C _Y , and Enc (1) if the two cipher bits are different. Accordingly, the number of bits having different values may be equal to the number of Enc(1) in the operation result.

In addition, although iris data is exemplarily described as biometric data in the present specification, the present invention is not limited thereto. That is, the biometric data may mean fingerprint data, vein data, and the like in addition to iris data.

(2) Addition operation between encrypted data

The addition operation algorithm is an algorithm that performs an addition operation between encrypted data.

[Addition operation algorithm]

In plain text, addition can be constructed through a full-adder. Likewise, if this is used, addition between ciphertexts can be designed with the same principle as the gate of a full adder, and this is the same as the above addition operation algorithm.

Through the process of the addition operation algorithm, the homomorphic encryption addition result value is returned. In the addition operation algorithm, the gates (operations) of HE.AND, HE.OR, and HE.XOR are bootstrapping gates that remove noise generated during operation for two input values input to the gate. admit.

Using the addition operation algorithm, the addition operation (∑) is performed on the resultant value res = Enc (0,1,1,0,1,1,1,0,...) of the XOR operation on the two iris cryptographic bits. applied bit by bit.

(3) Dividing the result of the addition operation by the number of iris cryptographic bits

By dividing the value obtained by the homomorphic encryption addition algorithm by the number of cryptographic bits N of the iris, the matching result value of the two irises can be obtained. Since the iris code is encrypted in bit units, the number N of encrypted bits of the iris may be equal to the number of bits constituting the iris code.

The isomorphic division operation at this time can apply a division method between plaintext and ciphertext. 2 is a flowchart for explaining plaintext binary division. Referring to FIG. 2, first, Q and M are the lengths of the arrays, respectively. Suppose we divide the in-divisor and the divisor, Q, by M. Also, the length of A is and all elements are 0 make a vector

Repeat until it becomes 0. First, the two arrays, Q and A, are combined (Q|A), and a shift operation is performed to the right by 1 bit. length left at Q|A which is Let the bit be Q, and the right Store as many bits as A. A is compared with M, and if A is less than M, 0 is stored in Q[0], and in the opposite case, 1 is stored, and the value of AM is stored in the A array. and, Subtract the value of by 1.

And, the value stored in Q is the quotient of Q divided by M, and it is returned.

The following division operation algorithm is a division operation algorithm of data encrypted by homomorphic encryption.

[Division operation algorithm]

Referring to the division operation algorithm, since the value of the ciphertext is unknown, a simple comparison or if assumption cannot be performed as in the plaintext. In the division operation algorithm , , corresponds to Q, M, and A in FIG. 2 and is a cipher text. First of all, the simple comparison process can be solved through the homomorphic comparison comparison function (line 7 of the division operation algorithm). The second if assumption is HomCompS( ) is Enc (0) or Enc (1), is Enc(1), and the value (d) obtained by taking bootsNOT from this value becomes the Q[0] value in FIG. Likewise, if HomCompS( ) is Enc(0), which becomes the Q[0] value in FIG. In the situation of Enc(0), the value of bootsNOT is taken, that is, Enc(1) and Applying the bootsAND operation bit by bit, The value comes out, and the opposite situation ( ) is Enc(1), so the value taken from bootsNOT, Enc(0) and By applying the bootsAND operation bit by bit, Enc(0) is obtained. Through this, the ciphertext is set, and By repeating as many times as possible, the quotient can be extended to the range of real numbers.

Also, in the ciphertext, unlike in the plaintext, the sign cannot be known, so an additional operation must be performed. In line 15 of the division operation algorithm, the divisor ( ) and the dividend ( ), the bootsXOR operation is performed between the sign bits of the same sign, Enc (0), save to In the first line, both the divisor and the dividend are converted to positive, and the division continues in the situation of having a positive value, get value Take the 2's complement of this value Store the value and, as mentioned before, if both inputs have the same sign = Since Enc(1) takes bootsNOT this and Take bootsAND bit by bit of get

Similarly, Enc(1) with the opposite sign take the bootsAND bit by bit of get Finally, when these two values are added, the final result becomes

In addition, in the division operation algorithm, Homabs is a homomorphic encryption function outputting an absolute value, HomRShift is a homomorphic encryption function outputting a left shift operation result, and HomCompS is a homomorphic encryption function outputting a comparison (less than (<) operation result) , HomSubt is a homomorphic encryption function that outputs a subtraction operation result, HomTwosComp is a homomorphic encryption function that outputs a 2's complement, and HomAdd is a homomorphic encryption function that outputs an addition operation result.

As a specific example, the number 12 (ie, N=12) becomes 1100 ₍₂₎ when converted to binary, and 1 and 0 are entered into the circuit in the form of 1/8 and -1/8 while shifting by 1 bit. will enter Using this method, the part corresponding to the random mask in the LWE type ciphertext can be made 0 (ie, a becomes 0 in b = a s + e of the LWE sample), so the result value in the form of Noiseless Trivial is returned. It is possible.

The isomorphic division operation is performed using the encrypted value of the plaintext converted in this way and the encrypted addition result value.

The following is a description of homomorphic encryption functions used for division operations.

The following algorithm is an algorithm for a comparison function.

[Large comparison (small comparison) algorithm]

Referring to the comparison algorithm, the ciphertext and by comparing go It is an algorithm that returns Enc(1) if less than, and returns Enc(0) if greater. in other words, , Enc(1), otherwise Enc(0).

The following algorithm is an algorithm of a subtraction operation function.

[Subtraction Algorithm]

The subtraction operation is a homomorphic addition operation, that is, at This can be easily obtained by converting to 2's complement. That is, the input Between If HomTwosComp (2's complement) is taken (first line), subtraction can be performed using the addition gate. in other words, HomTwosComp( ) can be summarized as

(4) Comparison operation for authentication decision

A comparison operation is performed with a reference value (or threshold value) included in the evaluation function (Eval) to determine whether the resultant value obtained by division is the same user as the registered user. The comparison operation function used at this time is the same as the following algorithm, which isomorphically compares the ciphertext a and the reference value b, returns Enc(1) if a is less than or equal to b, and returns Enc(0) if it is greater. That is, if Dec(a) ≤ Dec(b), Enc(1), and vice versa, Enc(0).

[Comparison comparison (less than or equal comparison) algorithm]

In the above algorithm, Gates play the same role as MUX gates in plaintext. according to the value of or outputs Depending on embodiments, the comparison (less than or equal to) algorithm may be replaced with the above-described comparison (less than or equal to) algorithm.

If the resultant value obtained through the above process is smaller than or equal to the reference value, it can be determined that the iris of the registered user is greater than the iris of the registered user. Here, the result derived through the comparison operation, that is, Enc(1) or Enc(0), can be decrypted into plain text through a decryption process using the user's private key, and authentication can be determined according to the decryption result.

Hereinafter, a real number representation for bitwise homomorphic encryption will be described.

3 is a diagram for explaining a real number representation for bitwise homomorphic encryption.

In a method using a conventional integer-based homomorphic encryption scheme, an encryption algorithm is performed after multiplying real data by a specific value to make an integer. However, there is a disadvantage that an error occurs due to this. However, in the present invention, a range of real significant digits can be flexibly determined using a bit-based homomorphic encryption technique. Specifically, encrypted real data may be expressed as shown in FIG. 3 .

Specifically, first, the indexes of the array of plaintext and/or ciphertext are reversed. That is, the rightmost bit becomes the most significant bit.

In general, the length of the input bits , an array of ciphertext , element of array , from index 0 up to Allocate as much as the fractional part of the real data, index from until as much as is assigned to the integer part of the real data. the last, most significant bit second (index ) bit as the sign bit to represent real numbers.

The above-described real number expression technique may be applied to at least biometric data having real values. However, in the case of biometric data having an integer value rather than a real number, the application of the above real number expression technique may be excluded.

4 illustrates an authentication system according to an embodiment of the present invention, and FIG. 5 is a conceptual diagram for explaining an authentication operation performed in the authentication system shown in FIG. 4 .

Referring to FIGS. 4 and 5 , the authentication system 10 includes a first terminal 100 , a second terminal 200 , and a server 300 . The first terminal 100, the second terminal 200, and the server 300 may be implemented as a computing device including at least a processor and/or a memory. In addition, the first terminal 100 and the server 300 and the second terminal 200 and the server 300 may exchange data and/or signals through a predetermined wired or wireless communication network.

The first terminal 100 may register the user's biometric information with the server 300 through communication with the server 300 .

Specifically, the first terminal 100 may register the user's biometric data by encrypting the user's biometric data and then transmitting a registration request message including the encrypted text of the biometric data to the server 300 . At this time, at least one of identification information for identifying the user, an evaluation function, and a reference value (or threshold value) that may be included in the evaluation function may be transmitted together. Depending on the embodiment, the reference value (or threshold value) may also be transmitted in an encrypted state using the user's private key.

The second terminal 200 may perform an authentication operation for a user through communication with the server 300 . To this end, the second terminal 200 transmits an authentication request message including encrypted text for biometric data to the server 300 and receives an authentication result as a response thereto. In addition, the second terminal can confirm authentication by decrypting the authentication result with the user's private key.

The server 300, which may be called an authentication server, a cloud server, or an authentication device, registers a user by receiving a registration request message including encrypted biometric data from the first terminal 100, and In response to the authentication request message received from ), an authentication result may be transmitted to the second terminal.

FIG. 6 is a functional block diagram of a first terminal shown in FIG. 4 .

Referring to FIG. 6 , the first terminal 100 includes a biometric data acquisition unit 110 , a key generation unit 120 , and an encryption unit 130 . Depending on the embodiment, the first terminal 100 may further include a storage unit 140 . The first terminal 100 may register the user's biometric data with the server 300 through communication with the server 300 .

The biometric data acquisition unit 110 may acquire user's biometric data. For example, the biometric data acquisition unit 110 receives at least one of a user's iris image, vein image, face image, and user's voice data from an external photographing device (or recording device) and converts the received information into binary code. can be converted In this case, an external photographing device (or recording device) may be implemented as a part of the biometric data acquisition unit 110 . As another embodiment, biometric data may be previously stored in the first terminal 100 or the storage unit 140 .

In addition, the biometric data acquisition unit 110 may generate revocable templates (iris templates, fingerprint templates, face image templates, and voice templates) using a known template generation technique from the obtained binary code. Through the templated binary code, it is possible to solve the problem caused by leakage of the user's biometric information.

In addition, the biometric data acquisition unit 110 may convert a binary code expressed as a real number using the above-described real number expression technique, or may convert a templated binary code expressed as a real number using the above-described real number expression technique. However, when the binary code or the templated binary code is not a real number, that is, when there is no decimal part, this real number expression operation may be omitted.

The key generation unit 120 may generate a user's private key (or secret key) using a predetermined key generation algorithm. To this end, the key generation unit 120 receives basic information for key generation such as a password, password, PIN code, pattern, etc. from a user through a predetermined input interface, and generates a private key based on the received basic information. can do. In this case, the private key may refer to a key used in the process of encrypting plaintext into ciphertext and/or decrypting ciphertext into plaintext in the (complete) homomorphic encryption technique. That is, the private key can be generated by performing a predetermined key generation algorithm (eg, (perfect) homomorphic encryption key generation algorithm) that takes basic information such as a password, password, PIN code, or pattern as an input. The private key generated by the key generation unit 120 may be stored in the storage unit 140 .

The encryption unit 130 may generate ciphertext by encrypting the binary code or template (or templated binary code) generated by the biometric data acquisition unit 110 using the private key. Encryption by the encryption unit 130 may mean encryption using a (complete) homomorphic encryption technique. In addition, the encryption unit 130 may transmit a registration request message including the generated ciphertext to the server 300 . At this time, the encryption unit 130 may transmit at least one of the evaluation function, identification information for identifying the user, and a reference value (which may be included in the evaluation function) to the server 300 together with the registration request message. The evaluation function may refer to information about a function and/or an algorithm used while performing an authentication operation by the server 300 . Depending on the embodiment, the evaluation function or reference value may be stored in advance in the server 300, and in this case, an operation of transmitting the corresponding information to the server 300 may be omitted.

Depending on the embodiment, the reference value may be determined by the user. In this case, the key generator 120 may receive the reference value from the user during the process of receiving a password or the like or through a separate process.

The storage unit 140 may temporarily or non-temporarily store programs and software for performing the registration process by the first terminal 100 . In addition, the storage unit 140 includes biometric data acquired by the biometric data acquisition unit 110, binary code, template, password received by the key generator 120, PIN number, reference value, and key generator 120. ) The private key generated by the encryption unit 130, the ciphertext generated by the encryption unit 130, etc. may be temporarily or non-temporarily stored.

FIG. 7 is a functional block diagram of a second terminal shown in FIG. 4 .

Referring to FIG. 7 , the second terminal 200 includes a biometric data acquisition unit 210, a key generation unit 220, an encryption unit 230, and a decryption unit 240. Depending on the embodiment, the second terminal 200 may further include a storage unit 250 . The second terminal 200 may perform an authentication operation for a user through communication with the server 300 . Depending on the embodiment, the second terminal 200 may mean the same terminal as the first terminal 100 .

The biometric data acquisition unit 210 may obtain user's biometric data. For example, the biometric data acquisition unit 210 receives at least one of a user's iris image, vein image, face image, and user's voice data from an external photographing device (or recording device) and converts the received information into binary code. can be converted In this case, an external photographing device (or recording device) may be implemented as a part of the biometric data acquisition unit 210 .

In addition, the biometric data acquisition unit 210 may generate revocable templates (iris templates, fingerprint templates, face image templates, and voice templates) using a known template generation technique from the obtained binary code. Through the templated binary code, it is possible to solve the problem caused by leakage of the user's biometric information.

In addition, the biometric data acquisition unit 210 may convert a binary code expressed as a real number using the above-described real number expression technique, or may convert a templated binary code expressed as a real number using the above-described real number expression technique. However, when the binary code or the templated binary code is not a real number, that is, when there is no decimal part, this real number expression operation may be omitted.

The key generation unit 220 may generate a user's private key (or secret key) using a predetermined key generation algorithm. To this end, the key generator 220 receives basic information for key generation such as a password (PW) and PIN code from the user through a predetermined input interface, and generates a private key based on the received basic information. can In this case, the private key may refer to a key used in the process of encrypting plaintext into ciphertext and/or decrypting ciphertext into plaintext in the (complete) homomorphic encryption technique. The private key generated by the key generation unit 220 may be stored in the storage unit 250 .

At this time, if the password input by the user is different from the password input when registering the biometric data, the authentication process cannot proceed because the generated private key is different. That is, since the ciphertext encrypted using the different private key is different from the registered ciphertext, the authentication result by the server becomes authentication failure.

The encryption unit 230 may generate ciphertext by encrypting the binary code or template (or templated binary code) generated by the biometric data acquisition unit 210 using the generated private key. Encryption by the encryption unit 230 may mean encryption using a (complete) homomorphic encryption technique. Also, the encryption unit 230 may transmit an authentication request message including the generated cipher text to the server 300 . At this time, the encryption unit 130 may transmit identification information for identifying the user to the server 300 together with an authentication request message or through a separate operation.

The decryption unit 240 may receive an authentication result from the server 300 and decrypt the received result using a private key to confirm authentication. Specifically, the authentication result is Enc(1) or Enc(0). Therefore, the second terminal can check whether authentication has been performed by decoding the authentication result. If the decryption result is “1”, authentication is successfully completed, and if the decryption result is “0”, authentication is rejected. Depending on embodiments, specific values of the authentication result and/or the decryption result may be different. That is, this is because authentication may be successful when the decryption result is "0" according to the modification of the algorithm.

The storage unit 250 may temporarily or non-temporarily store programs and software for performing an authentication process by the second terminal 200 . In addition, the storage unit 250 includes the biometric data acquired by the biometric data acquisition unit 210, the binary code, the template, the password received by the key generator 220, the PIN number, the reference value, and the key generator 220. ), the ciphertext generated by the encryption unit 230, the decryption result by the decryption unit 240, etc. may be temporarily or non-temporarily stored.

8 is a functional block diagram of the server shown in FIG. 4;

Referring to FIG. 8 , a server 300, which may be referred to as an authentication server, includes a registration unit 310 and an authentication unit 320. Depending on the embodiment, the server 300 may further include a storage unit 330 .

The registration unit 310 may register the user's biometric data by storing the user's biometric data in the storage unit of the server 300 through communication with the first terminal 100 . Specifically, the registration unit 310 receives a registration request message received from the first terminal 100, and in response to the received registration request message, at least one of the user's biometric data (cipher text), identification information, an evaluation function, and a reference value. One may be stored in the storage unit 330 . Depending on the embodiment, the registration unit 310 may transmit a registration completion message to the first terminal 100 after registration is completed. Depending on the embodiment, the evaluation function and/or reference value received from the first terminal 100 may be previously stored in the storage unit 330 of the server 300 .

The authenticator 320 may perform an authentication operation for the user or the user's biometric data through communication with the second terminal 200 . Specifically, the authentication unit 320 may perform a predetermined authentication operation in response to an authentication request message received from the second terminal 200 and transmit an authentication result to the second terminal 200 .

The authentication unit 320 may include an exclusive OR operation unit (XOR operation unit), an addition operation unit, a division operation unit, and a comparison operation unit.

The XOR operation unit performs an exclusive OR operation on the cipher text (first cipher text) corresponding to the biometric information of the registered user and the cipher text (second cipher text) corresponding to the biometric information of the user to be authenticated in units of bits, that is, the corresponding It can be performed on bits (bits in the same position). Here, the first cipher text may mean cipher text received from the first terminal 100 and stored in the storage unit 330 , and the second cipher text may mean cipher text received from the second terminal 200 . If the values of the bits of the first ciphertext and the bits of the second ciphertext are different from each other, the result of the XOR operation is Enc(1), and if the values of the bits of the first ciphertext and the bits of the second ciphertext are the same, the result of the XOR operation is It becomes Enc(0).

The addition operation unit may perform an addition operation on results of the XOR operation performed by the XOR operation unit. The result of the addition operation is a value obtained by adding the result of the XOR operation corresponding to each bit included in the first ciphertext and/or the second ciphertext. Of course, the addition operation is performed in the ciphertext state. After all, the result of the addition operation may mean the number of bits having different values among bits included in the first ciphertext and the second ciphertext.

The division operator may divide the result of the addition operation by the number of bits included in the binary code constituting the biometric data. At this time, in order to perform the division operation, the number of bits included in the binary code must be encrypted before proceeding. Since a detailed description has been given above, a detailed description thereof will be omitted. The result of the division operation by the division operation unit may mean a ratio of bits having different values among bits included in the binary code, and this may also be output in an encrypted state.

The comparison operation unit may compare a result of the division operation with a reference value and output a comparison result. For example, the comparison operation unit may determine whether the result of the division operation is less than or equal to the reference value through a predetermined algorithm. As another example, it may be determined whether the result of the division operation is less than the reference value, whether the result of the division operation is greater than the reference value, or whether the result of the division operation is greater than or equal to the reference value. The determination result may be transmitted to the second terminal 200 in an encrypted state.

A program or software for performing an authentication operation by a server may be stored in the storage unit 330 . In addition, the storage unit 330 may store ciphertext received by the registration unit, an evaluation function, a reference value, and data temporarily or non-temporarily generated while performing an authentication operation by the authentication unit 320 .

As described above, biometric authentication can be performed without a separate decryption process for encrypted data in the cloud using bit-wise fully homomorphic encryption. The cloud server may perform biometric authentication based on the encrypted data received from each user and provide the result to the user. Through this, while protecting user data privacy from the cloud, it is possible to provide a service that the cloud acts as an agent for a service desired by the user.

In addition, the present invention does not use complex protocols between the user and the cloud. The user encrypts the extracted and encoded iris information and transmits it to the cloud, and the cloud computes the biometric authentication vertex desired by the user through an encryption circuit and returns it to the user, and the user decrypts it to obtain a biometric authentication result.

Since the present invention uses a one-step n-factor authentication method, it is simpler and more secure than the existing n-step n-factor authentication method.

The device described above may be implemented as a hardware component, a software component, and/or a set of hardware components and software components. For example, devices and components described in the embodiments may include, for example, a processor, a controller, an arithmetic logic unit (ALU), a digital signal processor, a microcomputer, a field programmable array (FPA), It may be implemented using one or more general purpose or special purpose computers, such as a Programmable Logic Unit (PLU), microprocessor, or any other device capable of executing and responding to instructions. The processing device may execute an operating system (OS) and one or more software applications running on the operating system. A processing device may also access, store, manipulate, process, and generate data in response to execution of software. For convenience of understanding, there are cases in which one processing device is used, but those skilled in the art will understand that the processing device includes a plurality of processing elements and/or a plurality of types of processing elements. It can be seen that it can include. For example, a processing device may include a plurality of processors or a processor and a controller. Also, other processing configurations are possible, such as a parallel processor.

Software may include a computer program, code, instructions, or a combination of one or more of these, and may configure a processing device to operate as desired or process independently or collectively. You can command the device. Software and/or data may be any tangible machine, component, physical device, virtual equipment, computer storage medium or device, intended to be interpreted by or to provide instructions or data to a processing device. , or may be permanently or temporarily embodied in the transmitted signal wave. Software may be distributed on networked computer systems and stored or executed in a distributed manner. Software and data may be stored on one or more computer readable media.

The method according to the embodiment may be implemented in the form of program instructions that can be executed through various computer means and recorded on a computer readable medium. The computer readable medium may include program instructions, data files, data structures, etc. alone or in combination. Program commands recorded on the medium may be specially designed and configured for the embodiment or may be known and usable to those skilled in computer software. Examples of computer-readable recording media include magnetic media such as hard disks, floppy disks and magnetic tapes, optical media such as CD-ROMs and DVDs, and magnetic media such as floptical disks. - Includes hardware devices specially configured to store and execute program instructions, such as magneto-optical media, ROM, RAM, flash memory, etc. Examples of program instructions include high-level language codes that can be executed by a computer using an interpreter, as well as machine language codes such as those produced by a compiler. The hardware devices described above may be configured to operate as one or more software modules to perform the operations of the embodiments, and vice versa.

Although the present invention has been described with reference to the embodiments shown in the drawings, this is only exemplary, and those skilled in the art will understand that various modifications and equivalent other embodiments are possible therefrom. For example, the described techniques may be performed in an order different from the method described, and/or components of the described system, structure, device, circuit, etc. may be combined or combined in a different form than the method described, or other components may be used. Or even if it is replaced or substituted by equivalents, appropriate results can be achieved. Therefore, the true technical protection scope of the present invention should be determined by the technical spirit of the attached claims.

100: first terminal
200: second terminal
300: server

Claims (9)

a first terminal that transmits a registration request message including a first cipher text corresponding to the user's first biometric data to the server;
a second terminal for transmitting an authentication request message including a second cipher text corresponding to the user's second biometric data to the server; and
The server registers biometric data of the user in response to the registration request message received from the first terminal and performs authentication of the user in response to an authentication request message received from the second terminal;
The server performs an authentication operation through a bit-wise operation on the first ciphertext and the second ciphertext.
A biometric based multi-factor authentication system. According to claim 1,
The first terminal encrypts a first binary code corresponding to the first biometric data using the user's private key to generate the first ciphertext;
wherein the second terminal encrypts a second binary code corresponding to the second biometric data using the user's private key to generate the second ciphertext;
A biometric based multi-factor authentication system. According to claim 2,
The private key is generated by performing a key generation algorithm that takes any one of a password, password, and pattern received from the user as an input,
A biometric based multi-factor authentication system. According to claim 2,
The server,
Performing an exclusive OR (XOR) operation on corresponding bits included in the first ciphertext and the second ciphertext in units of bits;
performing an addition operation on the result of the XOR operation;
Performing a division operation of dividing a result of the addition operation by the number of bits included in the first binary code or the second binary code;
Deriving an authentication result by performing a comparison operation of the result of the division operation with a predetermined reference value,
A biometric based multi-factor authentication system. According to claim 4,
The first ciphertext and the second ciphertext are generated using an encryption algorithm of a fully homomorphic encryption technique,
The second terminal decrypts the authentication result using the user's private key,
A biometric based multi-factor authentication system. According to claim 5,
The server encrypts the number of bits included in the first binary code or the second binary code and performs the division operation in an encrypted state.
A biometric based multi-factor authentication system. a registration unit receiving a registration request message including a first ciphertext corresponding to first biometric data of a user from a first terminal and registering the user; and
An authentication unit configured to receive an authentication request message including a second ciphertext corresponding to second biometric data of the user from the second terminal and perform authentication of the user;
The authentication unit,
an XOR operation unit performing an XOR operation on corresponding bits included in the first ciphertext and the second ciphertext in a bit-by-bit basis;
an addition operation unit that performs an addition operation on the result of the XOR operation;
a division operator performing a division operation by dividing the result of the addition operation by the number of bits included in the first binary code or the second binary code; and
Comprising a comparison operation unit for performing a comparison operation of the result of the division operation with a predetermined reference value to derive an authentication result,
authentication device. According to claim 7,
The first ciphertext is generated by encrypting a first binary code corresponding to the first biometric data using the user's private key;
The second ciphertext is generated by encrypting a second binary code corresponding to the second biometric data using the user's private key;
The first ciphertext and the second ciphertext are generated using an encryption algorithm of a fully homomorphic encryption technique,
authentication device. According to claim 8,
The division operation unit encrypts the number of bits included in the first binary code or the second binary code and performs the division operation in an encrypted state,
authentication device.

Images