• 专利附录
  • 专利说明
  • 权利要求
  • 类似技术
  • 同族专利
  • 引用文献
  • 法律状态
  • 优先权
    • 专利摘要:
    The disclosure relates in particular to a secure distributed storage method, a secure access method to distributed storage, and devices, systems, computer programs and storage media for implementing such methods.
    公开号:FR3021777A1
    申请号:FR1455041
    申请日:2014-06-03
    公开日:2015-12-04
    发明作者:Alain Patey;Herve Chabanne;Julien Bringer
    申请人:Morpho SA;
    IPC主号:
    专利说明:

    [0001] The invention relates to the field of distributed storage of confidential data, and subsequent access to the confidential data thus stored. The invention relates in particular to the situation in which the confidential data are biometric data, and wherein the subsequent access is intended to verify whether a candidate biometric data corresponds to one of the biometric data stored in a distributed manner. Distributed storage is likely to be advantageous for many reasons. For example, there are very reliable and very low cost storage solutions in the cloud (sometimes called "cloud" in French), and it can be economically useful to store confidential data on servers in a cloud. The fact of distributing the confidential data is likely to allow in particular to increase their availability. Thus, if the confidential data are stored redundantly, the temporary loss or unavailability of one of the servers used does not compromise (thanks to redundant information available elsewhere) access to confidential data. However, confidential data is, by definition, confidential, while distributed storage solutions (whether in the cloud or elsewhere, including internally in a company) are often insecure. Third parties (hackers, government or foreign governments, subcontractors of the distributed storage provider, distributed storage provider itself, users of the user entity in the case of internal distributed storage at the user entity, etc.) are likely to access stored data without authorization. It is therefore useful to protect access to these data, but the known solutions make access much longer and are therefore penalizing.
    [0002] The invention therefore aims to improve the situation. One aspect of the invention relates to a method for the secure storage on N servers of confidential data, the method comprising: a) obtaining, by an electronic circuit for obtaining a recording device, confidential data, / b / obtaining, by an electronic circuit for extracting the recording device, an approximate short representation of the confidential data from said confidential data, / c / obtaining, by a circuit electronic sharing of the recording device, N shares of the confidential data with a threshold t such that at least t parts are necessary to reconstruct the confidential data, and N short parts of the approximate short representation 15 with a threshold t such that at least t short parts are needed to reconstruct the approximate short representation, / d / a transmission, by a transmitter of the recording device, of each of these N parts and each of these N short parts to a respective server among the N servers, in order to store them there.
    [0003] This method is advantageous in that it makes it possible to store the confidential data in a secure manner, that is to say without any of the servers being able to access it or reconstituting it from the information to which it has access. even when combined with information to which at most 1 other servers (among the N servers) have access.
    [0004] This method is also advantageous in that it stores, for each part of the confidential data, an associated short share, which allows for a faster identification of the confidential data stored in a distributed manner during a process aimed at accessing such confidential data. confidential data.
    [0005] Another aspect of the invention relates to a method of secure access, by an access device, to confidential data stored in a distributed and secure manner on N servers, the method comprising: / e / obtaining, by an access device sharing electronic circuit, N short parts of a short representation approximated to a confidential data to which access is desired, with a threshold t such that at least t short parts are necessary to reconstitute the approximated short representation, / f / a transmission, by an issuer of the access device, of each of these N short portions to a respective server among the N servers, / g / a distributed calculation, by calculation circuits of the N servers, shares of the distances between the approximated short representation and each of the K approximate short representations stored distributed on the N servers, 15 / h / one transmission, by one em of each server used, to a receiver of the access device, portions corresponding to the short representations whose distance to the approximated short representation is less than a determined threshold, / i / a obtaining, by an electronic circuit for obtaining the access device, from the shares received in the previous step, the corresponding confidential data. This method is advantageous in particular in that it allows a quick but secure identification of the confidential data stored in a distributed manner. Rapid identification results in particular from the use of approximate short representations. Regarding the performance (speed, bandwidth used, etc.), the access device does not need to download the entire database that is the set of K * N parts K confidential data stored in distributed on the N servers, and can search on a much smaller and relevant number of confidential data. The access device may for this purpose set up a very elaborate identification algorithm (chosen from among the most powerful but therefore often the most complex of the state of the art) which would be too costly (in calculations and / or bandwidth) if performed at the level of the units. The use of distance-based filtering (for example a Hamming distance) has a very low computational cost and a low bandwidth cost. Thus, according to one possible implementation, the approximate short representations occupy 32 bytes each, and each server must send each other server only 290 bytes per confidential data stored in a distributed manner.
    [0006] Another aspect of the invention relates to a storage device for secure storage on N servers of confidential data, the recording device being arranged to implement a secure distributed storage method according to an aspect of the invention. invention.
    [0007] Another aspect of the invention relates to a system for secure access, by an access device, to confidential data stored in a distributed and secure manner on N servers, the secure access system comprising the access device and the N servers. The secure access system 20 is arranged to implement a secure access method according to one aspect of the invention. Another aspect of the invention relates to a computer program comprising a sequence of instructions which, when executed by a processor, cause the processor to implement a method according to one aspect of the invention. Another aspect of the invention relates to a computer-readable non-transit storage medium, said medium storing a computer program according to one aspect of the invention.
    [0008] Other aspects, objects, and advantages of the invention will become apparent upon reading the description of some of its embodiments. The invention will also be better understood with the aid of the drawings, in which: FIG. 1 illustrates a system according to a possible embodiment of the invention; FIG. 2 illustrates a distributed storage method according to a possible embodiment of the invention; FIG. 3 (divided into FIG. 3A and FIG. 3B) illustrates a secure access method according to a possible embodiment of the invention. According to a first embodiment, a secure distributed storage method, on N servers SRV1, SRVi, SRVN, of confidential data, comprises a SENSE obtaining, by an electronic obtaining circuit BIO_SENSOR of a recording device ENR_STAT, confidential data FGPRNk. The data is confidential in that it is not expected to be known to any (or determinable by) any of the N servers (taken individually) or any unauthorized third party. According to one possible implementation, the servers are physical servers of any appropriate type. Each confidential data is, according to one possible implementation, a biometric data item (for example a fingerprint, an iris capture, or even a face image), or even a combination of several biometric data (face plus fingerprint, or several fingerprints corresponding to different fingers of the same individual, or fingerprint plus iris). According to one possible implementation, the confidential data is an IrisCode of 512 bytes, as described in particular in John Daugman, "How Iris Recognition Works", IEEE Trans. Syst. Circuits Video Techn. (TCSV) 14 (1): 21-30 (2004).
    [0009] According to another implementation, the confidential data are documents, for example photographs, or text-type documents. The recording device ENR_STAT can be in one piece or comprise several separate modules (the electronic obtaining circuit BIO_SENSOR can thus be integrated or on the contrary constitute a separate module connected to another module of the recording device ENR_STAT) . According to one possible implementation, the recording device ENR_STAT is a biometric enrollment station (which may be for example a dedicated electronic device, which may take the form of a kiosk, or a conventional computer suitably programmed). The electronic circuit of obtaining is a biometric sensor BIO_SENSOR. The obtaining SENSE then comprises obtaining a confidential data consisting of a biometric data such as a fingerprint FGPRNk. According to another embodiment, the recording device is a personal computer, for example a laptop or desktop, a tablet, a smartphone (sometimes called smart mobile phone in French), or a smart card. The electronic obtaining circuit is then a processor of the personal computer, coupled to a memory storing a computer program allowing a user to select one of the documents stored on the personal computer. Obtaining then comprises obtaining confidential data consisting of a selected document (which may have been previously created on the same personal computer or be loaded). The method according to the first embodiment comprises obtaining EXTR, by an electronic extraction circuit EXTR_C of the recording device ENR_STAT, an approximate short representation S _FGPRNk of the confidential data FGPRNk from said confidential data FGPRNk. The electronic extraction circuit EXTR_C is for example a dedicated electronic circuit 30 such as an FPGA, an ASIC, a PAL (or any other configurable electronic component), or even a completely customized electronic component. According to another possible implementation, the electronic extraction circuit comprises both a processor and an associated memory (for example RAM, EEPROM, Flash, ROM, magnetic memory, optical memory, etc.), the associated memory storing a suitable program (when executed by the processor) to extract an approximate short representation S_FGPRNk of the confidential data FGPRNk from said confidential data FGPRNk. According to one possible implementation, the confidential data is a document, and the approximate short representation is an indexation of this document, for example a list of relevant elements extracted from this document. According to one possible implementation, the confidential data is a text document and the indexing is a list of the most frequent keywords appearing in the text document (or a list of words selected according to more elaborate rules than the only frequency 'appearance). These keywords can each be represented by a condensate (for example by application of a cryptographic hash function such as SHA-1), or by any arbitrary value easier to handle than the keyword itself ( whose length is likely to be larger and variable). According to one possible implementation, the confidential data is a photograph and the indexing relies on a form recognition by an appropriate electronic circuit. For example, if a human face, automobile, tree, and / or house are detected in the photograph, the indexing may include a list of identifiers of the various detected elements such as 0x0001 for a human face, 0x0002 for a automobile, 0x0003 for a tree and 0x0004 for a house. According to one possible implementation, the confidential data is a biometric data item (for example a fingerprint). The EXTR obtaining of an approximate short representation S_FGPRNk of the biometric data FGPRNk from said biometric data FGPRNk consists in extracting a short binary string. Similarly, in the case where the confidential data is for example a biometric data representing an iris, the obtaining of the approximated short representation consists, for example, of extracting a set of 128 bits from the Iris encodings (IrisCodes) among those located in the least often masked parts of the iris (as described for example in Julien Bringer, Melanie Favre, Herve Chabanne, and 3021777 8 Alain Patey, Faster secure computation for biometric identification using filtering, In Anil K. Jain, Arun Ross, Salil Prabhakar, and Jaihie Kim, editors, ICB, pp. 257-264, IEEE, 2012). It is thus possible to extract bits corresponding to distant pixels eyelids and eyelashes so that in general it is not a disturbed datum, preferably pixels that are chosen so as not to be too close to avoid that they are too correlated (so that they are more discriminating). The method according to the first embodiment comprises a SHR obtaining, by a sharing electronic circuit SHR_C of the recording device ENR_STAT, N parts FGPRN1, k, FGPRN2, k, FGPRNi, k, FGPRNN, k of the confidential data. FGPRNk with a threshold t such that at least t parts are needed to reconstitute the confidential data FGPRNk. The obtaining SHR also integrates a obtaining, by the SHR_C sharing circuit, of N short parts S_FGPRN1, k, S_FGPRN2, k, S_FGPRNi, k, S_FGPRNN, k of the approximate short representation S_FGPRNk with a threshold t such that at least t short parts are needed to reconstruct the approximated short representation S FGPRNk. The sharing electronic circuit SHR_C is, for example, a dedicated electronic circuit such as an FPGA, an ASIC, a PAL (or any other configurable electronic component), or even a completely customized electronic component. According to another possible implementation, the sharing electronic circuit comprises both a processor and an associated memory (for example RAM, EEPROM, Flash, ROM, magnetic memory, optical memory, etc.), the associated memory storing a suitable program (when executed by the processor) to share the confidential data FGPRNk in N parts and to share the short representation S_FGPRNk approximated in N short parts. The sharing electronic circuit SHR_C thus implements a so-called secret sharing technique, making it possible to protect this secret (the confidential data). Thus, a single server (or a few) can not learn anything about the confidential data from the elements it (s) has itself (themselves), whereas if the number of 3021777 9 servers meeting exceeds a certain threshold (at least t servers), these servers can fully restore the confidential data that was shared. This technique makes it possible to protect the data in the event of an attacker's access to one (or a few, less than the threshold) of the 5 servers, this attacker then not being able to discover the confidential data by exploiting the data present on the data. Attacked servers. In this context, it is possible, using so-called multiparty secure computing protocols (known by the acronym SMC or secure multi-party computation in English, or even under the acronym MPC), to make calculations on the data. shared. Depending on the types of calculations, servers can perform these calculations locally on the data or need to interact with other servers. The results obtained by the servers are then shares of the actual result that the servers do not access until they share their shares, like the initial data.
    [0010] A possible secret sharing scheme is that described in Adi Shamir, How to share a secret, Common. ACM, 22 (11): 612-613, 1979. This scheme is based on the evaluation and interpolation of polynomials. It is assumed that the data that the client wishes to share belongs to a finite field Fq of characteristic p. Each of the SRVi servers is assigned an element ui belonging to Fq, so that all the elements ui are distinct and non-zero. The points ui are public. For simplicity, we can for example ask ui = i for i = 1 ... N. The sharing of a data x by the recording device ENR_STAT is carried out as follows. The recording device ENR_STAT (more precisely, its electronic sharing circuit SHR_C) 25 randomly chooses a polynomial P of degree t-1 on Fq such that P (0) = x. The recording device ENR_STAT calculates the parts xi = P (ui), for i = 1 ... N. Each xi thus represents a part of x. Other sharing schemes are obviously possible. The method according to the first embodiment comprises a transmission TRN, by an XMIT transmitter of the recording device ENR STAT, of each (FGPRNi, k) of these N parts FGPRN1, k, FGPRN2, k, FGPRNi, k, FGPRNN , k and each (S_FGPRNi, k) of these N short parts S_FGPRN1, k, S_FGPRN2, k, S_FGPRNi, k, S_FGPRNN, k to a respective server SRVi among the N servers SRV1, SRVi, SRVN, in order to store there. At the end of the process, one thus obtains a distributed storage on N servers. By repeating the process K times for K different confidential data, the method obviously allows to store K confidential data. In FIG. 1, the sharing electronic circuit SHR_C and the electronic extraction circuit EXTR_C are integrated in a single circuit containing a processor (shared) and a memory storing a program 10 for implementing the sharing functions and a program for implementing the extraction functions. However, the two circuits can also be completely separate. A second embodiment relates to a method of secure access, by an access device AUTH_STAT, to confidential data stored in a distributed and secure manner on N servers SRV1, SRVi, SRVN. According to one possible implementation, the confidential data stored in a distributed and secure manner on the N servers SRV1, SRVi, SRVN are done according to a method according to the first embodiment, or according to any method able to initialize the N servers of the same way as a method according to the first embodiment. According to one possible implementation, the access device AUTH_STAT is an authentication station (which may take the form of a dedicated electronic device, or a conventional computer suitably programmed and equipped with a biometric sensor). A user wishing to authenticate is presented to the authentication station. The method biometrically captures the user. This capture can be carried out in a manner similar to that of the step of obtaining SENSE of the corresponding enrollment method. This biometric capture is said to correspond to a biometric fingerprint of the user that the user has previously captured during an enrollment phase, having led to the distributed storage of this prior biometric fingerprint on the N servers. This is at least what the secure access process aims to establish. The method then performs an extraction of an approximate short representation (hereinafter referred to as the first approximate short representation) corresponding to the captured biometric imprint. According to another possible implementation, the access device is a personal computer, for example a laptop or desktop, a tablet, a smartphone (sometimes called smart mobile phone in French), or a smart card. A user wishes to search, from the access device, a confidential document stored in a distributed manner on the N servers on the basis of a given indexing. The method 10 according to the second embodiment proceeds to an input of an approximate short representation (for example, an indexing) corresponding to the confidential data sought. This approximate short representation is referred to below as the second short approximate representation. Indexing is for example a series of keywords entered freely by the user (for example using a keyboard) or selected from a list of keywords, or (in a way easier to handle when a distance measurement), a series of condensates obtained from each of these key words (for example condensates calculated using a cryptographic hashing algorithm such as SHA-1 or any other appropriate cryptographic hashing algorithm ), or a series of pointers or indexes or other numerical values each associated with one of the keywords. Indexing used in distributed logging and secure access processes is of the same type (so that identification based on indexing is likely to work), that is, two confidential data. The identical ones used during registration (on the one hand) and secure access (on the other hand) have the same approximate short representations. According to one possible implementation, the access device AUTH_STAT and the recording device ENR_STAT are integrated within one and the same device. According to another embodiment, these are distinct devices 30 or even devices of different types. A method according to the second embodiment comprises a SHR 'acquisition, SHR_C' sharing electronic circuit (of similar type SHR_C sharing circuit previously described, or even identical) of the access device AUTH_STAT N short parts S_FGPRN'1, k ', S_FGPRN'2, k', S_FGPRN'N, k 'of an approximate short representation S_FGPRN'k' of confidential data to which access is desired, with a threshold t such that minus t short parts are needed to reconstruct the approximate short representation S_FGPRN'k. The approximate short representation S_FGPRN'k corresponds for example to an approximate short representation of fingerprint. It may be more generally the first approximated short representation mentioned above, or the second aforementioned approximate short representation.
    [0011] A method according to the second embodiment comprises a transmission TRN ', by a transmitter XMIT' of the access device AUTH_STAT, of each (S_FGPRN'i, k,) of these N short parts S_FGPRN'ix, S_FGPRN'2, k ', S_FGPRN'N, k' to a respective server SRVi among the N servers SRV1, SRVi, SRVN. Each SRVi server thus receives a short share of which it is expected to search for one or more potentially short share (s) among those it has stored. According to one possible implementation, a method according to the second embodiment comprises a DET determination, at least partially local to each SRVi server, by a calculation circuit PROC; of each server SRVi, K distances measured between the short part S_FGPRN'i, k 'received by this server SRVi and K short shares S_FGPRNo, S_FGPRNi, 2, S_FGPRNi, K that this server SRVi has previously stored. Increased security results in particular from the determination at least partially local to each server of the relevant distances, which means that the information held by each server is not (at least not entirely) shared with other servers, which reduces thus the risks of attacks. More specifically, with regard to security, thanks to the proposed method, the servers never individually have access in clear to the confidential data of other servers, or even to the corresponding approximate short representations, but only at distances, corresponding to filter scores. Only the access device has, at the end of the process, access to confidential data.
    [0012] According to one possible implementation, the short shares are associated with confidential data comprising several biometric fingerprints. Each short share includes, according to one possible implementation, several short sub-shares. According to one possible implementation, the distance measure (analyzing itself as a measure of similarity calculated in order to filter the data stored in a distributed manner and thus identify the most relevant) is for each short part a series of distance measurements. (for each subpart, associated with separate biometric fingerprints) followed by a combination of these measures (eg, sum, sum of squares, maximum / minimum, etc.). According to one possible implementation, the access method is arranged so that the servers do not reveal the intermediate results (measurement of distances before their combination), but only the result of the combination.
    [0013] The electronic calculating circuit PROC; is for example a dedicated electronic circuit such as an FPGA, an ASIC, a PAL (or any other configurable electronic component), or even a completely customized electronic component. According to another possible implementation, the electronic calculation circuit comprises both a processor and an associated memory (for example RAM, EEPROM, Flash, ROM, magnetic memory, optical memory, etc.), the associated memory storing a suitable program (when executed by the processor) to calculate the relevant distance (if necessary by using other servers among the N servers). The fact that the determination is at least partially local means that this determination notably involves the use of sensitive data which is local (ie which is stored directly in the SRVi server, and does not leave the SRVi server, thereby preserving the confidentiality its content vis-à-vis third-party entities such as other servers). Data is sensitive if access to this data is likely (possibly in combination with access to other data) to reveal confidential data. The electronic calculating circuit PROC; thus determines the distance of the short part subjected to each of the short parts stored in the SRVi server, which makes it possible to carry out a filter on the basis of the distance criterion (Hamming distance, other Euclidean distance, scalar product, etc. .). A method according to the second embodiment comprises a distributed calculation, by calculation circuits PROCi, PROCi, PROCN (of the aforementioned type) of the N servers SRV1, SRVi, SRVN, distances (actually, parts of the distances) between the approximate short representation S_FGPRN'k 'and each of K approximated short representations S FGPRNi, S_FGPRN2, S_FGPRNK stored distributed on the N servers SRV1, SRVi, SRVN. For example, the distances between the approximated short representation S_FGPRN'k 'and each of the K approximate short representations S_FGPRNi, S_FGPRN2, S_FGPRNK are computed on the basis of the N * K parts of distances measured at the previous optional step (DET determination). . Thus, based on the distance shares between the short portions composing the approximated short representations, the method is able to determine the distance between the approximated short representations. This distributed computing step requires sharing between the servers only information relating to distances (for example the distance between the approximate short representations), and not directly information stored in these servers. This limits the leakage of exploitable information by potential attackers. For example, in one possible implementation, the distance of two approximated short representations is defined as the sum of the distances of the respective parts of these two approximate short representations. According to one possible implementation, the distributed computing consists of transmitting all the shares of distances between parts (each held by a respective server) to an entity (for example the access device AUTH STAT) which adds them all together and returns the result to each server. According to another possible implementation, the SRVi servers exchange the shares of distances between parts that they have calculated so that each can determine the distance (of the two approximate short representations) resulting therefrom. According to one possible implementation, the measure of distance shares between short parts is secured according to the protocol described in Takashi 3021777 Nishide and Kazuo Ohta, Multiparty computation for interval, equality, and comparison without bit-decomposition protocol, In Tatsuaki Okamoto Xiaoyun Wang, editors, Public Key Cryptography, volume 4450 of Lecture Notes in Computer Science, pp. 343-360, Springer, 2007. In particular, this protocol can be used after calculating distance shares. Rather than uniting the shares and looking at what distances are small enough, it is possible to continue to make secure calculations on the shares, which at best disclose the information that the distance between the short representations is (or not ) less than or equal to the threshold.
    [0014] A method according to the second embodiment comprises a transmission TRN "(decomposing into p * NN transmissions of parts, NN being between t and N, the value NN = N being advantageous), by an XMIT transmitter; SRVi used (between t and N servers for each confidential data), to a receiver RCV AUTH_STAT access device, parts FGPRNi, ki, FGPRNi, ki, FGPRNi, kp corresponding to short representations S_FGPRNk1, S_FGPRNki, S_FGPRNkp dont the distance to the approximate short representation S_FGPRN'k 'is lower (or equal) to a determined threshold The p parts FGPRNi, ki, FGPRNi, ki, FGPRNi, kp correspond to the short representations S_FGPRNk1, S_FGPRNki, S_FGPRNkp in the sense that each these parts can be used (in combination with at least t-1 other parts corresponding to t-1 indices i different) to reconstitute the respective confidential data FGPRNki, FGPRNki, FGPRNkp whose representations short S_FGPRNk1, S_FGPRNki, S_FGPRNkp are the short representations. The method 25 comprises a possibly distinct identification step IDTF, among all the short representations, short representations S_FGPRNk1, S_FGPRNki, S_FGPRNkp whose distance is less (or equal) to said threshold. This threshold may be zero. In this case, only portions of confidential data whose approximate short representations are strictly equal to that which is sought are transmitted. If the threshold (necessarily positive or zero) is strictly greater than zero, then a potentially larger set of confidential data shares is transmitted, which is appropriate in the case of a biometric authentication (because the probability that two captures the same biometric fingerprint is strictly equal is usually very small). A method according to the second embodiment comprises a GEN FGPRN obtaining, by an electronic obtaining circuit GEN_FGPRN_C of the access device AUTH_STAT, from the shares received in the previous step FGPRNi, ki, FGPRNi, ki, FGPRN1, kp, FGPRN2, k1, FGPRN2, ki, FGPRN2, kp, FGPRNN, ki, FGPRNN, ki, FGPRNN, kp, corresponding confidential data FGPRNk1, FGPRNN, FGPRNkp. It is of course not necessary to transmit the N shares for each confidential data item. According to one possible implementation, only t shares are transmitted for each confidential data item. According to another embodiment, the method transmits a number of parts between t + 1 and N. The electronic obtaining circuit GEN_FGPRN is for example a dedicated electronic circuit such as an FPGA, an ASIC, a PAL (or any another configurable electronic component), or even a completely custom electronic component. According to another possible implementation, the electronic obtaining circuit comprises both a processor and an associated memory (for example RAM, EEPROM, Flash, ROM, magnetic memory, optical memory, etc.), the associated memory storing a suitable program (when executed by the processor) to generate the relevant confidential data based on the received shares (the FGPRNi, ki, FGPRN2, k1, FGPRNN, ki shares for generating the confidential data FGPRNk1, and so on right now). In order thus to generate (or reconstitute) a confidential data item x (for example FGPRNk1) from at least t parts obtained according to the aforementioned Shamir scheme, the obtaining electronic circuit uses the Lagrange interpolation, which makes it possible to recover the polynomial P used for the sharing of x. The electronic gain circuit then finds x by evaluating P at 0. This second embodiment is advantageous compared with the state of the art, in particular in that the operations necessary for a conventional identification calculation, although theoretically achievable using secure multiparty computing techniques, generate computational and bandwidth cost between the servers too high to be practical (at least for current applications). The second embodiment simultaneously takes into account the constraints of SMC and the nature of the confidential data by using filtering techniques during the identification of the confidential data (s).
    [0015] The operations in the "shared domain" are thus reduced essentially to a distance calculation (avoiding to communicate all the intermediate results). In FIG. 1, the sharing electronic circuit SHR_C 'and the electronic obtaining circuit GEN_FGPRN are integrated in a single circuit 10 containing a processor (shared) and a memory storing a program for implementing the sharing functions. and a program for implementing the obtaining functions. However, the two circuits can also be completely separate. In this same figure, the receiver RCV and the transmitter XMIT 'are one and the same circuit (such as the electronics 15 of a network card), but of course it is possible to use separate circuits. According to a third embodiment, the distributed calculation D_CALC of a secure access method according to the second embodiment comprises a DET determination, by a calculation circuit PROC; of each server SRVi, K shares of distances measured between: the short part S_FGPRN'i, k ,, received by this server SRVi, of the confidential data to which an access is desired, and K short parts S_FGPRNo, S_FGPRNi, 2 , S_FGPRNix that this SRVi server has previously stored.
    [0016] 25 N * K distance shares are thus determined (K parts of distances per server). The method measures the distance between the approximated short representation S_FGPRN'k 'of the confidential data to which access is desired and a short representation S_FGPRNi stored distributed on the N servers SRV1, SRVi, SRVN by combining (for example by summing ), among said N * K parts of distances, the N parts of distances respectively measured by each SRVi server between: 3021777 18 the short part S_FGPRN; j of the short representation S_FGPRNi stored on this server SRVi and the corresponding short part S_FGPRN'i, k, of said approximated short representation received by this server SRVi.
    [0017] According to a fourth embodiment, the distributed calculation D_CALC of a secure access method according to the second embodiment comprises a DET determination, by a calculation circuit PROC; of each server SRVi, K parts of distances measured between: the short part S_FGPRN'i, k ,, received by this server SRVi, of the confidential data to which an access is desired, and K short parts S_FGPRNo, S_FGPRNi, 2 , S_FGPRNix that this SRVi server has previously stored. N * K distance shares are thus determined (K distances per server). The method performs a secure comparison between a threshold and the measured distance between the approximated short representation S_FGPRN'k 'of the confidential data to which access is desired and a short representation S_FGPRNi stored distributed on the N servers SRV1, SRVi, SRVN. The distance is measured by applying a secure protocol (for example the Takashi Nishide and Kazuo Ohta protocol) for distance calculation at N parts of distances, among said N * K parts of distances, said N parts of distances being the measured distances respectively by each SRVi server between: the short portion S_FGPRN; j of the short representation S_FGPRNi stored on this server SRVi and the corresponding short part S_FGPRN'i, k, of said approximated short representation received by this server SRVi. This fourth embodiment is advantageous in particular in that it allows only the parts of the result of the comparison to be collected. Servers can learn the list of candidates but not the distances.
    [0018] According to a fifth embodiment, the K distances measured according to a secure access method according to one of the second to the fourth embodiments are K Hamming distances. A particular example of the fifth embodiment is detailed below. The method (comprising the aforementioned DET determination step) comprises, for the calculation of a Hamming distance between a short part S FGPRN'i, k, of the approximate short representation (S_FGPRN'k ') of the confidential data item. which access is desired and a short share S FGPRN; previously stored in an SRVi server, a secure distributed computing, by calculation circuits PROCi, PROC ;, PROCN of the N servers SRV1, SRVi, SRVN, of the product of said two short parts S_FGPRNi, i. The method comprises a local calculation, by a calculation circuit PROC; said server SRVi, twice said product of said two short portions S_FGPRN'i, k ,, S_FGPRNi, i. The method comprises a local calculation, by a calculation circuit PROC; said server SRVi, a sum of said two short portions S_FGPRN'i, w, S FGPRNi, i. The method comprises a local calculation, by a calculation circuit PROC; said SRVi server, the Hamming distance by subtracting said double of said product from said two short portions S_FGPRN'i, k ,, S_FGPRN; j at said sum of said two short portions S_FGPRN'i, k ,, S_FGPRN; J. This particular example of the fifth embodiment thus relies on a sharing method such that: - From a part xi of a confidential datum x and on the one hand yi from another confidential datum y , a server SRVi can calculate a part zi of z = x + y, without interactions with the other servers nor with the access device AUTH_STAT and without never having access to either x or y; Starting from a part xi of x and an integer n, the server SRVi can calculate a part zi of z = n * x (= x + x + ... + xn times), without interactions or with the other servers nor with the access device AUTH_STAT and without ever having access to x; From one hand xi of x and one hand yi of y, the server SRVi can calculate a part zi of z = x * y, interacting with the other servers, without interactions with the device. access AUTH_STAT and without knowing neither x nor y. The servers are not expected to obtain information about the confidential data they handle, and a method according to the invention gives them access only to parts of these data, and to results of calculations resulting from these shares. . R. Cramer, I. Damgard, and J. B. Nielsen. Secure Multiparty Computing and Sharing - An Information Theoretic Approach. Book Draft, 2012, provides details on secret sharing, the 10 SCM and techniques that can be used for addition and multiplication. This type of techniques was originally described in Michael Ben-Or, Shafi Goldwasser, Avi Wigderson, "Completeness Theorems for Non-Cryptographic Fault-Tolerant Distributed Computation", STOC 1988: 1-10. To compute a Hamming distance between two elements, it is customary to compute an exclusive (XOR) between the two elements. But according to one possible implementation, the elements whose Hamming distance separating them are to be determined are divided into bits, and each bit is represented by an element of a body (the body being of characteristic greater than or equal to the number of parts N, N being also the number of SRVi servers). In addition, the characteristic must also be larger than the maximum distance between two short representations. For example, for a 128-bit Hamming distance, the characteristic should be greater than 128. For example, the elements are approximate short representations of 128 bits, the 128 bits of an approximated short representation being divided into 128 individual bits, each represented by a byte. An approximate short representation is thus represented by a set of 128 bytes (each identifying an element of a body). It is often impossible to calculate an XOR between two elements by the conventional technique (consisting, when two corresponding bits are identical, of setting the output bit to 0, and when they are different, to set the output bit to 1 ). In the above example, the 128 bytes each represent an element of a body in which XOR does not operate in this way (a conventional XOR of bytes representing each bit gives no relevant information). According to one possible implementation, the method therefore implements the XOR by an alternative technique consisting (to calculate XOR b, a and b being two elements of a body) to perform the similar calculation: a + b-2 -a * b (+ and * designating respectively the law of addition and the law of multiplication of the body, and, designating the law of multiplication by a scalar). If a and b are equal (both represent bit 0 or both represent bit 1), a + b-2-a * b is zero, and if a and b represent two different bits (0 and 1 or 1 and 0), a + b-2-a * b 10 is equal to 1. The addition a + b does not pose any particular difficulty: it is preserved. For example, if the elements a and b multiplied are represented by polynomials, their addition (addition of polynomials) does not change the degree of the polynomial and poses no difficulty.
    [0019] But the multiplication a * b is more complex: it implies for determining each product a * b, an interactive mechanism involving servers other than the only server concerned (storing a and b). For example, if the multiplied elements are represented by polynomials, their multiplication is a polynomial of degree that can be different, which generally poses difficulties, solved by the interactive mechanism. By way of illustration, in a hypothesis where it is desired to work on 128 bits, the method may comprise the following phases. In an initial so-called sharing phase, the method, after having coded each "bit" i of 1 to 128 (seen as a 0 or a 1) of a short representation on an element xi (representing the respective bit) of the body considered, shares each element xi in N parts xii, ..., xiN distributed among the N different servers. In a distance calculation phase intended to determine the Hamming distance between x (represented by its parts xi) and y (represented by its 30 parts yi), for each coordinate i from 1 to 128, the server j calculates a part zij of zi = (xi + yi - 2 xi yi) using, for example, one of the abovementioned techniques (the sums are computed locally by the server j and the multiplications use interactions with all the other servers). Then the method 3021777 22 calculates a part of the sum of the zi, for i from 1 to 128. This gives a share of the Hamming distance (which is the sum of the bitwise XORs). The Hamming distance between x and y is obtained by calculating the sum of the Hamming distances between xi and yi for all i from 1 to 128.
    [0020] According to a sixth embodiment, the confidential data of a secure access method according to one of the second to fifth embodiments are biometric data. In one possible implementation, the biometric data whose approximate short representation S_FGPRN'k is extracted is a candidate biometric fingerprint that the method aims to authenticate. The method then comprises (after regeneration of the relevant biometric data by the obtaining electronic circuit GEN_FGPRN) a comparison of the candidate biometric fingerprint to each of the fingerprints of the set of biometric fingerprints generated from the received shares. If one of them is the right one, the user is authenticated, in the opposite case (if none of the biometric fingerprints correspond), it is not authenticated. According to another embodiment, the confidential data of a secure access method according to one of the second to fifth embodiments is a document (text, photograph, etc.). According to a possible implementation of this embodiment, the method displays (or displays) all the documents generated from the shares. The user can then select the one or those he was looking for.
    [0021] According to a seventh embodiment, an ENR_STAT recording device for secure distributed storage, on N servers SRV1, SRVi, SRVN, of confidential data, comprises an electronic obtaining circuit BIO_SENSOR of a confidential data FGPRNk.
    [0022] The recording device ENR_STAT comprises an electronic extraction circuit EXTR_C of an approximate short representation S FGPRNk of the confidential data FGPRNk from said confidential data FGPRNk.
    [0023] The recording device ENR_STAT comprises an electronic sharing circuit SHR_C of the confidential data FGPRNk in N parts FGPRN1, k, FGPRN2, k, FGPRNi, k, FGPRNN, k with a threshold t such that at least t parts are necessary to reconstruct the confidential data 5 FGPRNk, and the approximate short representation S_FGPRNk in N short parts S_FGPRN1, k, S_FGPRN2, k, S_FGPRNi, k, S_FGPRNN, k with a threshold t such that at least t short parts are necessary for reconstruct the approximate short representation S_FGPRNk. The recording device ENR_STAT comprises an XMIT transmitter 10 arranged to transmit each FGPRNi, k of these N parts FGPRN1, k, FGPRN2, k, FGPRNi, k, FGPRNN, k and each S_FGPRNi, k of these N short parts S_FGPRN1, k , S_FGPRN2, k, S_FGPRNi, k, S_FGPRNN, k to a respective server SRVi among the N servers SRV1, SRVi, SRVN, in order to store them therein.
    [0024] The details of implementation of the method according to the first embodiment are transposed to the device according to the seventh embodiment and vice versa. According to an eighth embodiment, a secure access system, by an access device AUTH_STAT, to confidential data stored in a distributed and secure manner on N servers SRV1, SRVi, SRVN, comprises the access device AUTH_STAT and the N servers SRV1, SRVi, SRVN. The access device AUTH_STAT comprises an electronic sharing circuit SHR_C 'of an approximate short representation S_FGPRN'k' of a confidential datum to which access is desired in N short parts S FGPRN'i, k, S_FGPRN'2 , k ', S_FGPRN'N, k', with a threshold t such that at least t short parts are needed to reconstruct the approximated short representation S_FGPRN'k.
    [0025] The access device AUTH_STAT comprises a transmitter XMIT 'arranged to transmit each S_FGPRN'i, k, of these N short parts S_FGPRN'i, k ,, S_FGPRN'2, k', S FGPRN'N, k, to a respective server SRVi among the N servers SRV1, SRVi, SRVN.
    [0026] According to one possible implementation, each server SRVi comprises a calculation circuit PROC; arranged to determine, at least partially locally for each server SRVi, K parts of distances measured between the short part S_FGPRN'i, k, received and K short parts S_FGPRNi, i, 5 S FGPRNi, 2, S_FGPRNix than said server SRVi has previously stored. The N servers SRV1, SRV1, SRVN comprise calculation circuits PROCi, PROCi, PROCN arranged to implement a distributed calculation of the distance shares between the approximated short representation S_FGPRN'k 'and each of the K approximate short representations 10 S FGPRNi, S_FGPRN2, S_FGPRNK stored distributed on the N servers SRV1, SRVi, SRVN (for example on the basis of N * K distances measured by a calculation circuit PROCi). Each SRVi server includes an XMIT transmitter; arranged to transmit, to an RCV receiver of the access device AUTH_STAT, portions FGPRNi, ki, FGPRNi, ki, FGPRNi, kp corresponding to the short representations S_FGPRNk1, S_FGPRNki, S_FGPRNkp whose distance to the approximate short representation S_FGPRN'k ' is below a certain threshold. The access device AUTH_STAT comprises an electronic obtaining circuit GEN_FGPRN arranged to obtain, from the received parts FGPRNi, ki, FGPRNi, ki, FGPRNi, kp, FGPRN2, k1, FGPRN2, ki, - - FGPRN2, kp, FGPRNN, k1, --- FGPRNN, ki, FGPRNN, kp, corresponding confidential data FGPRNk1, FGPRNki, FGPRNkp. The details of implementation of the method according to the second embodiment are transposed to the device according to the eighth embodiment and vice versa. According to a ninth embodiment, the K distances measured by a secure access system according to the sixth embodiment are K Hamming distances. According to one possible implementation, the system comprises the following elements for calculating a Hamming distance between the short part S_FGPRN'i, k, and a short part S_FGPRN; previously stored in an SRVi server. PROCi, PROCi, PROCN calculation circuits of the N servers SRV1, SRVi, SRVN are arranged to perform a secure distributed calculation of the product of said two short parts S_FGPRN'i, k ,, S_FGPRN; J. A calculation circuit PROC; said server SRVi is arranged to perform a local calculation of twice said product of said two short portions S_FGPRNi, i. A calculating circuit PROC; said server SRVi is arranged to perform a local calculation of a sum of said two short parts S_FGPRN'ix, S_FGPRNi, i. A calculating circuit PROC; said server SRVi is arranged to perform a local calculation of the Hamming distance by subtracting said double of said product from said two short portions S_FGPRN'i, k ,, S_FGPRN; j at said sum of said two short portions S_FGPRN'i, k ,, S_FGPRN; J. Details of implementation of the method according to the fifth embodiment are transposed to the device according to the ninth embodiment and vice versa.
    [0027] According to a tenth embodiment, the confidential data of a secure access system according to one of the eighth or ninth embodiments are biometric data. The details of implementation of the method according to the sixth embodiment are transposed to the device according to the tenth embodiment and reciprocally. According to an eleventh embodiment, a computer program comprises a sequence of instructions which, when executed by a processor, causes the processor to implement a method according to one of the first to sixth embodiments. . This computer program can be written in any appropriate programming language, such as assembler, C language, Java language, etc.
    [0028] This eleventh embodiment essentially comprises two types of computer programs. It comprises on the one hand computer programs designed to implement a secure distributed storage method according to the first embodiment. According to one possible implementation, these programs are stored in a recording device ENR_STAT and are executed by a processor of this recording device ENR_STAT. It further includes computer programs for implementing a secure access method according to one of the second to sixth embodiments. According to one possible implementation, these programs are separated into a part stored in an access device AUTH_STAT (and intended to be executed by a processor of this access device AUTH_STAT) and a set of parts (which can be identical) each stored in an SRV server; respective (and intended to be executed by a processor of this server SRVi). According to a twelfth embodiment, a computer-readable non-transitory storage medium stores a computer program according to the eleventh embodiment. This storage medium is, for example, a RAM type memory saved by battery, or EEPROM, or ROM, or Flash, or a magnetic memory or an optical memory. The invention is not limited to the embodiments described above by way of non-limiting examples. For example, the third and fourth embodiments are obviously transposable to a secure access system according to the eighth embodiment.
    权利要求:
    Claims (12)
    [0001]
    REVENDICATIONS1. A method of secure distributed storage, on N servers (SRV1, SRVi, ... SRVN), of confidential data, the method comprising: / a / obtaining (SENSE), by an electronic obtaining circuit (BIO_SENSOR) of a device for recording (ENR_STAT), confidential data (FGPRNk), / b / obtaining (EXTR), by an electronic extraction circuit (EXTR_C) of the recording device (ENR_STAT), of a short representation approximated (S_FGPRNk) confidential data (FGPRNk) from said confidential data (FGPRNk), / c / a obtaining (SHR), by a sharing electronic circuit (SHR_C) of the recording device (ENR_STAT), N parts (FGPRN1, k, FGPRN2, k, FGPRNi, k, FGPRNN, k) of the confidential data (FGPRNk) with a threshold t such that at least t parts are necessary to reconstitute the confidential data (FGPRNk), and N short portions (S_FGPRN1, k, S_FGPRN2, k, S FGPRNi, k, S_FGPRNN, k) of the approximated short representation ( S_FGPRNk) with a threshold t such that at least t short parts are necessary to reconstruct the approximate short representation (S_FGPRNk), / d / a transmission (TRN), by a transmitter (XMIT) of the recording device (ENR_STAT), of each (FGPRNi, k) of these N parts (FGPRN1, k, FGPRN2, k, FGPRNi, k, FGPRNN, k) and of each (S_FGPRNi, k) of these N short parts (S_FGPRN1, k, S_FGPRN2, k, S_FGPRNi, k, S_FGPRNN, k) to a respective server (SRVi) among the N servers (SRV1, SRVi, SRVN), in order to store them there.
    [0002]
    2. A method for secure access, by an access device (AUTH_STAT), to confidential data stored in a distributed and secure manner on N servers (SRV1, SRVi, SRVN), the method comprising: / e / obtaining (SHR) '), by an electronic sharing circuit (SHR_C') of the access device (AUTH_STAT) of N short parts (S_FGPRN'ix, S FGPRN'2, k, S_FGPRN'N, k ') of a short representation 3021777 28 (S_FGPRN'k ') of a confidential data item to which access is desired, with a threshold t such that at least t short parts are necessary to reconstruct the approximated short representation (S_FGPRN'k), / f / a transmission (TRN '), by a transmitter (XMIT') of the access device 5 (AUTH STAT), of each (S_FGPRN'i, k,) of these N short parts S_FGPRN'2, k ', S_FGPRN'N, k ') to a respective server (SRV;) among the N servers (SRV1, SRV;, SRVN), / g / a distributed calculation (D_CALC), by calculation circuits (PROCi, PROCi, PROCN) of the N servers ( SRV1, SRV ;, SRVN), portions of the distances between the approximated short representation (S_FGPRN'k ') and each of K approximated short representations (S_FGPRNi, S_FGPRN2, S FGPRNK) stored distributed on the N servers (SRV1, SRV; , SRVN), / h / a transmission, by a transmitter (XMIT;) of each server (SRV) used, to a receiver (RCV) of the access device (AUTH_STAT), shares (FGPRNi, ki, FGPRNi , ki, FGPRNi, kp) corresponding to the short representations (S_FGPRNk1, S_FGPRNki, S_FGPRNkp) whose distance to the approximated short representation (S_FGPRN'k ') is less than a determined threshold, 20 / ij / a get (GEN_FGPRN), by an electronic obtaining circuit (GEN_FGPRN_C) of the access device (AUTH_STAT), from the parts received in the preceding step (FGPRNi, ki, FGPRNi, ki, FGPRN1, kp, FGPRN2, k1, -FGPRN2, ki, FGPRN2, kp, FGPRNN, ki, - FGPRNN, ki, - - FGPRNN, kp), corresponding confidential data (FGPRNki,. FGPRNki, FGPRNkp).
    [0003]
    3. Secure access method according to claim 2, wherein the distributed calculation (D_CALC) comprises a determination (DET), by a calculation circuit (PROCi) of each server (SRV;), of K parts of measured distances. between: the short part (S_FGPRN'i, k,), received by this server (SRV;), the confidential data to which access is desired, and 3021777 29 K short parts (S_FGPRNo, S_FGPRNi, 2, S_FGPRNi, K ) that this server (SRV;) has previously stored, ie a determination of N * K parts of distances, and wherein the method measures the distance between the approximated short representation (S_FGPRN'k ') of the confidential data to which a access is desired and a short representation (S_FGPRNi) stored distributed on the N servers (SRV1, SRV; SRVN) by combining, among said N * K parts of distances, the N parts of distances respectively measured by each server (SRV) ;) between: 10 the short share (S_FGPRNi, i) of the representative short time (S_FGPRNi) stored on this server (SRV;) and the corresponding short portion (S_FGPRN'i, k,) of said approximated short representation received by this server (SRV;). 15
    [0004]
    4. Secure access method according to claim 2, wherein the distributed calculation (D_CALC) comprises a determination (DET), by a calculation circuit (PROCi) of each server (SRV;), K parts of distances measured between : the short part (S_FGPRN'i, k,), received by this server (SRV;), of the confidential data to which access is desired, and K short parts (S_FGPRNo, S_FGPRNi, 2, S_FGPRNi, K) that this server (SRV;) has previously stored, ie a determination of N * K parts of distances, and in which the method performs a secure comparison between a threshold and the measured distance between the approximated short representation (S_FGPRN'k ') of the confidential data to which access is desired and a short representation (S_FGPRNi) distributed in a distributed manner on the N servers (SRV1, SRV; SRVN) by applying a secure distance calculation protocol to N parts of distances, among said N * K parts of distances, 30 said N distance shares being the distance shares respectively measured by each server (SRV;) between: the short part (S_FGPRNi, i) of the short representation (S_FGPRNi) stored on this server (SRV;) and the corresponding short part ( S_FGPRN'i, k,) of said approximated short representation received by this server (SRVi).
    [0005]
    5. Secure access method according to one of claims 2 to 4, wherein the K measured distances are K Hamming distances.
    [0006]
    6. secure access method according to one of claims 2 to 5, wherein the confidential data are biometric data. 10
    [0007]
    7. Recording device (ENR_STAT) for secure distributed storage, on N servers (SRV1, SRVi, SRVN), of confidential data, the recording device (ENR_STAT) comprising: an electronic obtaining circuit (BIO_SENSOR) of confidential data (FG P RNk), an electronic extraction circuit (EXTR_C) of an approximate short representation (S_FGPRNk) of the confidential data (FGPRNk) from said confidential data (FGPRNk), an electronic sharing circuit (SHR_C) of the confidential data (FGPRNk) in N parts (FGPRN1, k, FGPRN2, k, FGPRNi, k, FGPRNN, k) with a threshold t such that at least t parts are necessary to reconstitute the confidential data ( FGPRNk), and the short approximate representation (S_FGPRNk) in N short parts (S_FGPRN1, k, S_FGPRN2, k, S_FGPRNi, k, S_FGPRNN, k) with a threshold t such that at least t short parts are necessary to reconstruct the approximate short representation 25 (S_FGPRNk), a transmitter (XMIT) arranged to transmit each (FGPRNi, k) of these N parts (FGPRN1, k, FGPRN2, k, FGPRNi, k, FGPRNN, k) and each (S_FGPRNi, k) of these N short parts (S_FGPRN1, k , S_FGPRN2, k, S FGPRNi, k, S_FGPRNN, k) to a respective server (SRVi) among the N 30 servers (SRV1, SRVi, SRVN), in order to store them there.
    [0008]
    8. System for secure access, by an access device (AUTH_STAT), to confidential data stored in a distributed and secure manner on N 3021777 31 servers (SRV1, SRVi, SRVN), the secure access system comprising the device of access (AUTH_STAT) and the N servers (SRV1, SRVi, SRVN), the access device (AUTH_STAT) comprising: an electronic sharing circuit (SHR_C ') of an approximated short representation (S_FGPRN'k') of a confidential data to which an access is desired in N short parts (S_FGPRN'i, k ,, S_FGPRN'2, k ', S_FGPRN'N, k'), with a threshold t such that at least t short parts are necessary to reconstruct the approximate short representation (S_FGPRN'k), a transmitter (XMIT ') arranged to transmit each (S_FGPRN'i, k,) of these N short parts (S_FGPRN'i, k, S_FGPRN'2, k , S FGPRN'i, w, S_FGPRN'N, k ') to a respective server (SRVi) among the N servers (SRV1, SRVi, SRVN), the N servers (SRV1, SRVi, SRVN) comprising calculation circuits (PROCi, PROCi, PROCN) arranged to implement a distributed calculation of the portions of the distances between the approximated short representation (S_FGPRN'k ') and each of the K approximate short representations (S_FGPRNi, S_FGPRN2, S_FGPRNK) stored in distributed way on the 20 N servers (SRV1, SRVi, SRVN), each server (SRVi) comprising a transmitter (XMIT;) arranged to transmit, to a receiver (RCV) of the access device (AUTH_STAT), parts (FG PRNi, ki, ... FG P RNi, ki, ... FG PRNi, kp) corresponding to the short representations (S_FGPRNk1, S_FGPRNki, S_FGPRNkp) whose distance with the approximated short representation (S_FGPRN'k ') is less than a determined threshold, the access device (AUTH_STAT) comprising an electronic obtaining circuit (GEN FGPRN) arranged to obtain, from the received parts (FGPRNi, ki, FGPRNi, ki, FGPRNi, kp, FGPRN2, k1, FGPRN2 , ki, --- FGPRN2, kp, FGPRNN, k1, FGPRNN, ki, FGPRNN, kp), confidential data corresponding integers (FGPRNk1, FGPRNki, FGPRNkp). 3021777 32
    [0009]
    The secure access system of claim 8, wherein the K measured distances are K Hamming distances.
    [0010]
    10. Secure access system according to one of claims 8 or 9, wherein the confidential data are biometric data.
    [0011]
    A computer program comprising a sequence of instructions which, when executed by a processor, cause the processor to implement a method according to one of claims 1 to 6.
    [0012]
    A computer-readable non-transit storage medium, said medium storing a computer program according to claim 11.
    类似技术:
    公开号 | 公开日 | 专利标题
    EP2953291B1|2019-11-20|Secured distributed storage by multiparty calculation
    FR2925732A1|2009-06-26|GENERATION AND USE OF A BIOMETRIC KEY
    EP3270538A1|2018-01-17|Authentication method and system using confused circuits
    FR2925723A1|2009-06-26|IDENTIFICATION BASED ON DIGITAL BIOMETRIC DATA
    US20170012970A1|2017-01-12|Relational encryption
    EP2909963B1|2019-07-31|Electronic signature method with ephemeral signature
    EP3239902B1|2018-12-05|Method for verifying an authentication or biometric identification
    EP2973210B1|2019-12-04|Secure data processing method, and use in biometry
    WO2013189881A1|2013-12-27|Secure method of processing data
    CA2613884C|2016-12-20|Method for providing a secured communication between a user and an entity
    FR3054905B1|2019-10-18|KEY GENERATION METHOD AND ACCESS CONTROL METHOD
    CA2867241A1|2013-09-19|Method for encrypting a plurality of data in a secure set
    EP3200387B1|2020-06-10|Secure multi-party processing method protected against a malicious party
    JP6786884B2|2020-11-18|Relationship encryption
    WO2009083528A1|2009-07-09|Method and system for generating stable biometric data
    EP2891268B1|2016-09-28|Group signature using a pseudonym
    WO2012085215A1|2012-06-28|Method and system for multi-threshold multimodal authentication using secret sharing
    FR3064092A1|2018-09-21|METHOD FOR DIGITAL MESSAGING ASSOCIATING A MESSAGE TO A MATERIAL SUBJECT
    FR3012642A1|2015-05-01|PSEUDONYM SIGNATURE FOR CHIP CARD
    FR2975249A1|2012-11-16|METHOD, SERVER AND BIOMETRIC AUTHENTICATION SYSTEM
    WO2008132382A1|2008-11-06|Method for generating a variable from a biometric datum
    同族专利:
    公开号 | 公开日
    EP2953291B1|2019-11-20|
    FR3021777B1|2018-08-17|
    US20150347781A1|2015-12-03|
    EP2953291A1|2015-12-09|
    US9715595B2|2017-07-25|
    引用文献:
    公开号 | 申请日 | 公开日 | 申请人 | 专利标题
    WO2008127309A2|2006-11-07|2008-10-23|Security First Corporation|Systems and methods for distributing and securing data|
    FR2984559A1|2011-12-20|2013-06-21|Morpho|IDENTIFICATION OF INDIVIDUALS BY SECURE CALCULATION|IT201600079563A1|2016-07-28|2018-01-28|Infocert S P A|METHOD OF AUTHENTICATION SAFE OF A REQUEST FOR A REMOTE SUPPLIER AND GENERATED IN A PERSONAL DEVICE WITH A BIFURCATION OF THE TRANSMISSION OF A MEANS OF AUTHENTICATION|
    IT201600079574A1|2016-07-28|2018-01-28|Infocert S P A|METHOD OF AUTHENTICATION SAFE OF A REQUEST FOR A REMOTE SUPPLIER AND GENERATED IN A PERSONAL DEVICE BY USING A DEPENDENT DISPOSABLE PASSWORD ALSO FROM THE REQUEST|
    JP6799012B2|2016-01-18|2020-12-09|日本電信電話株式会社|Concealment decision tree calculation system, equipment, method and program|
    WO2021119099A1|2019-12-09|2021-06-17|Badge Inc.|Privacy-preserving biometric authentication|
    KR20210097434A|2020-01-30|2021-08-09|주식회사 알체라|Biometric data distributed management system and biometrics method using the same|
    CN111523144B|2020-07-03|2020-10-16|支付宝信息技术有限公司|Method and device for performing secure operation aiming at private data of multiple parties|
    法律状态:
    2015-05-26| PLFP| Fee payment|Year of fee payment: 2 |
    2015-12-04| PLSC| Publication of the preliminary search report|Effective date: 20151204 |
    2016-05-26| PLFP| Fee payment|Year of fee payment: 3 |
    2017-05-23| PLFP| Fee payment|Year of fee payment: 4 |
    2018-05-25| PLFP| Fee payment|Year of fee payment: 5 |
    2019-05-22| PLFP| Fee payment|Year of fee payment: 6 |
    2020-05-20| PLFP| Fee payment|Year of fee payment: 7 |
    优先权:
    申请号 | 申请日 | 专利标题
    FR1455041|2014-06-03|
    FR1455041A|FR3021777B1|2014-06-03|2014-06-03|SECURE DISTRIBUTED STORAGE BY MULTIPARTITE CALCULATION|FR1455041A| FR3021777B1|2014-06-03|2014-06-03|SECURE DISTRIBUTED STORAGE BY MULTIPARTITE CALCULATION|
    EP15169132.6A| EP2953291B1|2014-06-03|2015-05-26|Secured distributed storage by multiparty calculation|
    US14/730,135| US9715595B2|2014-06-03|2015-06-03|Methods, systems, and devices for securing distributed storage|
    [返回顶部]