METHOD AND SYSTEM FOR AUTHENTICATION BY CONFINED CIRCUITS

专利摘要:
An embodiment of the invention proposes a method and an associated system for authenticating a user, using the redundancy present between several images of a video, the method using confused circuits (garbled circuits) called variants, associated with the variant bits. between the images of the video and an invariant confusing circuit, associated with the invariant bits between the images of the video, so that the invariant confused circuit needs to be evaluated only once.
公开号:FR3054054A1
申请号:FR1656776
申请日:2016-07-13
公开日:2018-01-19
发明作者:Herve Chabanne；Constance Morel
申请人:Safran Identity and Security SAS；
IPC主号:

专利说明:

GENERAL TECHNICAL AREA
The present invention generally relates to the secure authentication of individuals, the authentication being carried out by comparison of data from an individual that one wishes to identify with data of the same nature from individuals listed, this data being stored in a base.
The invention applies in particular to the biometric authentication of an individual, in which the compared data of the individual and of the database are biometric information relating for example to the iris, or the shape of the face of the carrier.
STATE OF THE ART
In the field of authentication and biometrics for example, it is common to compare two data: enrollment data, previously enrolled, and test data, which is an image obtained from the person who wishes to authenticate. The individual is authenticated when the enrollment data corresponds to the test data with a sufficiently high level of similarity. We will speak in the following of correspondence between the data.
Biometric data being sensitive data, it should not be revealed during authentication. For this, it is possible to perform authentication using a multi-party secure calculation (known by the acronym SMC for Secure Multi-Party Computation, see reference [SMC] at the end of the description), which consists in performing a calculation between several participants each holding one or more inputs of a function to be calculated, so that the participants learn at the end of the calculation only the result of the calculation, and do not obtain any information on the inputs held by the other participants.
Among the SMC protocols, the Yao protocol (see reference [YAO] and reference [SAD] which implements such a protocol and reference [SNY] which presents it), which implements confusing circuits (called in English garbied circuits), offers an effective method. This method will be explained in the description.
Unfortunately, the implementation of a single comparison between the enrollment data and a single test data is not always sufficient to allow authentication, because the test data can be acquired in poor conditions and the comparison may then fail. even that the user who is seeking to authenticate actually corresponds to the enlisted user. It is then often necessary to give a chance or more to the user during a rejection. Video is used more and more to solve this problem.
The method consists in taking a short video instead of taking only a photo, selecting the best images of the video and then comparing one by one the selected images of the video with the enrollment data until a match is obtained.
Unfortunately, confused circuits cannot be reused to compare several data in succession. Indeed, as soon as the same circuit is used twice in succession, the entity executing it can then deduce certain input bits from the other party. Data confidentiality is no longer respected.
Consequently, the implementation of the Yao protocol from a test video instead of a single test image implies the use of a confusing circuit for each image of the video, which is too expensive in computing time, including for a remote server.
Some scientific articles (see reference [GE] and [GO]) present confusing reusable circuits but the proposed methods are not yet effective enough for practical cases. Indeed, these reusable circuits are based on asymmetric cryptography while the classic confused circuits are based on symmetric cryptography.
There is therefore a need to authenticate an individual from biometric data in a secure manner, and in a faster and less costly manner in terms of computation capacity than in the solutions already proposed.
PRESENTATION OF THE INVENTION
For this, the invention proposes a method of authenticating a user implemented using a system comprising:
a first client unit comprising a memory in which a biometric reference datum is stored,
a second client unit comprising means for acquiring at least one biometric test datum, and
a server, configured to generate confused circuits for evaluating functions, each confused circuit having as inputs a set of encryption keys of bits of input data of the function to be evaluated and for output the encryption keys corresponding to the bits of the result of the evaluated function, and in which the steps of calculating the function are broken down into elementary logical operations, each confused circuit further comprising a set of coding keys for each of the possible inputs and outputs of each logical operation elementary, the method comprising the comparison of a number C of test data acquired on the user by the second client unit with the reference data, said comparison comprising the calculation, by means of confused circuits, of a distance between the reference data and each test data, characterized in that the comparison includes the implementation of the following steps :
- from a set S comprising indices of the test data, such that the bit value of each test data associated with an index of the set S is invariant on all the C test data, the server breaks down the function to be evaluated in:
a sub-function f _s which includes all the logical operations whose output depends solely on input bits whose index belongs to said set S and generates for the evaluation of this sub-function f _s a single confused circuit called invariant, a sub -function f _s which includes all the logical operations of the function f not evaluated by the sub-function f _s and generates, for each of the C test data, a confused so-called variant circuit for the evaluation of the sub-function f _s ,
- the server randomly generates the coding keys for the single invariant confused circuit and for the C variant confused circuits,
- the server sends the confused circuits to one of the client units,
- the two client units recover from the server by unconscious transfer:
coding keys corresponding to the bit values of the inputs of the function to be evaluated as a function of the reference data and of the C test data respectively at their disposal, the first client unit recovering a set of keys relating to the biometric reference data and the second client unit retrieving a set of keys comprising a key for each bit associated with an index belonging to the set S and C keys for each bit associated with an index not belonging to S, and
- the client unit having received the confused circuits recovers the coding keys from the other client unit, and evaluates the function for each of the C test data, with the recovered keys as inputs, by executing the confused circuits,
- according to said evaluations of f, authentication or not of the user or of the object.
This takes advantage of the redundancy between the C biometric test data to limit the computing power and time.
The process can include the following features, taken alone or in combination:
the set of indices is determined in a prior step by the second client unit by analysis of the invariant bits between the C test data.
the set of indices comprises a fixed number of indices, the indices being chosen in any way, the second client unit applies a permutation to the bits of each invariant data between the C test data so that said indices of said invariant bits correspond to the indices of the set of indices, and the coding keys are retrieved for the permuted bits.
- the fixed number of indices of the set of indices is determined beforehand by a database analysis, the fixed number of indices of the set of indices being chosen to be less than the actual number of invariant bits between the C test data.
- the stages of decomposition of the function to be evaluated, generation of coding keys and sending of confused circuits to one of the customer units are implemented prior to the acquisition of test data or the application of permutation to said data.
the two client units form a single client terminal, or alternatively the server and one of the two client units form a single entity, and in which the other client unit receives the confused circuits,
the server also sends to the client unit a table of concordance of the outputs of each confused circuit, so that the client unit which evaluates the function f can know the value of the output keys of the evaluation.
- in a variant, the method comprises a step during which the client unit having evaluated the function sends the evaluation output keys to the server and the server deduces therefrom, from the concordance table of the outputs of each circuit confused, function assessments f.
- the data are binary iris codes,
the function to be evaluated comprises the calculation of the normalized Hamming distance between the reference biometric data and each of the C test biometric data and includes the comparison of this distance with a threshold.
- the invariant confused circuit is evaluated only once for the C test data.
The invention also provides a system for authenticating individuals, comprising:
- a first client unit comprising a memory,
a second client unit comprising means for acquiring at least one test datum, and
a server, configured to generate confused circuits for evaluating functions, each confused circuit having as inputs a set of encryption keys of bits of input data of the function to be evaluated and for output the encryption keys corresponding to the bits of the result of the evaluated function, and in which the steps of calculating the function are broken down into elementary logical operations, each confused circuit further comprising a set of coding keys for each of the possible inputs and outputs of each logical operation elementary, the system being characterized in that it is configured to implement the method as described above.
The invention also proposes a server, comprising a computer adapted to generate confused circuits for evaluating a function comprising the comparison of a reference data to a plurality C of test data, the server being characterized in that it is suitable for, from a set S comprising indices of test data, such that the bit value of each test data associated with an index of the set S is invariant on all the C test data, decompose the function to be evaluated into:
a sub-function f _s which includes all the logical operations whose output depends solely on input bits whose index belongs to said set S, and a sub-function f _s which includes all the logical operations of the function f non evaluated by the sub-function f _s , and to generate a single confused circuit called invariant for the evaluation of the sub-function f _s , and for each of the C test data, a confused circuit known as variant for the evaluation of the subfunction f _s .
The invention also provides a computer program product, comprising code instructions for implementing a method comprising the generation of confused circuits for evaluating a function comprising the comparison of a reference datum with a plurality C of test data, said generation comprising: from a set S comprising indices of test data, such that the bit value of each test data associated with an index of the set S is invariant over all the C test data, the breakdown of the function to be evaluated into:
a sub-function f _s which includes all the logical operations whose output depends solely on input bits whose index belongs to said set S, and a sub-function f _s which includes all the logical operations of the function f non evaluated by the sub-function f _s , and the generation:
- a single confused circuit called invariant for the evaluation of the sub-function f _s , and,
- for each of the C test data, of a confused so-called variant circuit for the evaluation of the sub-function f _s , when it is executed by a computer.
PRESENTATION OF THE FIGURES
Other characteristics, objects and advantages of the invention will emerge from the description which follows, which is purely illustrative and not limiting, and which should be read with reference to the appended drawings, in which:
FIG. 1 illustrates a system for authenticating a user with a client unit,
FIGS. 2a to 2e illustrate an exemplary embodiment of a confused circuit,
FIG. 3 illustrates a breakdown into elementary operations of a function to be evaluated, where the function is also a normalized Hamming distance followed by a comparison of the result of the Hamming distance at a threshold,
FIG. 4 illustrates a simplified diagram of a decomposition of the function into two sub-functions, each associated with a confused circuit,
- Figures 5 and 6 detail two variants of a method according to the invention.
DETAILED DESCRIPTION
Referring to Figure 1, there is shown a system for authenticating a user. The system includes a first client unit 10, a server 20 and a second client unit 30.
The first client unit 10 and the second client unit 30 can be formed by the same client terminal, such as a smartphone.
The client units 10, 30 and the server 20 can communicate with each other either directly, for example by radio frequency signal, or by means of a network 40.
The client units 10, 30 are in the form of a high-performance mobile telephone such as a smartphone, or even a digital tablet, or even a computer.
Each client unit 10, 30 comprises a calculation unit 12, 32 provided in particular with a memory 14, 34 and a computer 16, 36.
Each client unit 10.30 can either be used by a legitimate user, to whom it belongs, i.e. a non-fraudulent user, or else by a malicious user, i.e. a fraudulent user . This fraudulent user can either be a person or a digital entity.
The memory 14, 34 may be in the form of a flash memory, or else of a read-only memory, type ROM, or even of a random access memory RAM. The memory 14, 34 can also be in the form of a so-called external storage, configured to be physically connected to the computing unit 12, 32, for example by a USB port.
The computer 16, 36 is a microprocessor, a processor, or a microcontroller able to perform calculations and in particular to implement cryptographic calculations. The computer 16, 36 is in particular configured to execute lines of code from a computer program.
The first client unit 10 includes in its memory at least one biometric datum b relating to the user which can be legitimately authenticated.
Advantageously, the second client unit 30 comprises means for acquiring biometric data 38, called "test". These means 38 make it possible to acquire biometric data from an iris or a face for example. We can cite for example an image sensor coupled to a software module for extracting biometric data.
The biometric data acquisition means 38 can be integrated into the client unit 30 or external, but connectable to the latter. Acquisition devices are known for this, wired to a computer.
The acquisition means 38 are suitable for acquiring a raw image of a biometric feature which is then processed to obtain a biometric datum which can be used for the implementation of an authentication. The term “biometric data” therefore means data that can be directly used in an authentication process. The raw image processing methods are known and will not be detailed here.
The server 20 also comprises a calculation unit 22 provided in particular with a memory 24 and a computer 26. The server 20 is typically a doud server, that is to say a remote server.
The memory 24 can be in the form of a flash memory, or else of a read-only memory, type ROM, or even of a random access memory RAM. The memory 14 can also be in the form of a so-called external storage, configured to be physically connected to the computing unit 22, for example by a USB port.
The computer 26 is a microprocessor, a processor, or a microcontroller able to perform calculations and in particular to generate confused circuits and to generate random keys for each bit value. The computer 26 is notably configured to execute lines of codes from a computer program.
The three processing units 12, 22, 32 advantageously include remote communication interfaces 11, 21, 31 for sending and receiving data, in particular by the network 40.
Network 40 is either an internet, wired (Ethernet) or wireless (Wi-Fi) network, or a GPRS, EDGE, 3G or 4G or other telephone network, or a local area network, or a radio frequency signal network. The communication interfaces 11, 21, 31 are adapted to allow communication according to the network 40 concerned.
The two client units 10, 30 can be part of the same entity.
The server 20 can be the same entity as one of the two clients 10 or 30.
Two variants E, F of an authentication method will be described. This process uses the similarities between several images from a video to avoid calculating on redundant data.
In the context of the present invention, the first client unit 10 has in memory a basic biometric datum b. For the following description, we will take the example of iris reference data, obtained from an iris image (the biometric line). The second client unit 30 has the possibility of acquiring a video of the biometric feature - for example the iris of a user who wishes to be authenticated. By video, we mean a succession of images captured less than ten hundredths of a second apart. From this video is selected and extracted a set of C images, or more generally C biometric data called test data. These data all belonging to the same user, they include similarities and in particular a set of bits in common.
The confused circuits (aarbied circuit} of the Yao protocol
Unconscious transfers
The Yao protocol implements unconscious transfers (known in English as “oblivious transfers”), which are operations of calculation between two PI and P2 units.
In this type of operation, PI has a list of N elements indexed X ,, and P2 knows the number N of elements in the list and chooses an index i between 1 and N. By unconscious transfer, P2 retrieves the i ^eme element of PI, that is to say the element of PI indexed by i.
PI does not learn any information about the index of the element recovered by P2.
P2 does not collect any information on the other elements of the list held by PI.
The reference [Ra] presents the principle of unconscious transfers.
Confused circuits
The Yao protocol also implements confusing circuits (known in English as "garbled circuits"). Figures 2a to 2e illustrate an embodiment of such a confusing circuit.
A confused circuit, a diagram of which is shown by way of example in FIG. 2a, is an encrypted binary circuit obtained from a Boolean circuit representing a function f to be evaluated, this circuit being broken down into a succession of elementary logic gates ( AND or XOR for example). The diagram of the Boolean circuit illustrated in FIG. 2a only includes the elementary function "AND", which has two inputs x and y, each of which can take the binary value 0 or 1, and an output z, which can also take the binary value 0 or 1.
Traditionally, each logical gate is assigned a truth or concordance table, establishing the logical link between the outputs and the inputs. The truth table of the “AND” logic function is illustrated by way of example in FIG. 2b.
To ensure the security of the evaluation of the function f, each possible input and each output of each elementary logic gate are encrypted by the creator of the confused circuit (here the server
20), by means of pairs of random encryption keys, corresponding to the two possible Boolean values, specific to each input or output. In FIG. 2c, for example, the binary values 0 and 1 that x can take have been replaced by corresponding keys kg and k £, and likewise for the values taken by y and z.
This makes it possible to obtain a concordance table where the binary values of inputs and outputs are replaced by encryption keys.
The outputs of each logic gate are then encrypted by the encryption keys of the values of the corresponding inputs, to obtain an encrypted or confused truth table (“garbted”) in FIG. 2d.
For example, in the case of the AND function, the encryption key kg corresponding to the value 0 of z appears in all cases where x and y are not equal to 1. On the other hand, this key kg is not encrypted in the same way according to the values taken by x and y: in fact, if x and y are both equal to 0, the kg key is encrypted using the kg and kg keys: this encrypted key is noted Enc _tXt y (kg) .
^{υ κ} θ ' ^κ ο
Finally, we remove the input keys from the table, and the keys obtained for each output are randomly reordered as in Figure 2e, the encrypted and scrambled truth table thus obtained is what is truly called the confused circuit .
In order to be able to evaluate the function f of the circuit from the encryption keys, a concordance table T between the encryption keys of the result of the function that is evaluated and the corresponding values of the bits is generated by the creator of the circuit.
Yao Protocol
Finally, the Yao protocol is a secure calculation method in which several parties wish to perform a calculation from data they have, without communicating with each other the content of this data.
To do this, one of the parties (here the server 20) creates a confused circuit for evaluating a function f, as described above, as well as pairs of encryption keys (one for the binary value 0 and one for binary value 1) for each of the input and output bits of the logic gates of the circuit. The creator of the confused circuit also generates a concordance table T between the encryption keys of the result of the function and the result itself.
The creator of the confused circuit then sends the confused circuit, and the encryption keys of the bits of the input data belonging to the creator, to the other party. In other words, the server 20 sends the confused circuit to only one of the two client units. If the server 20 and the client unit 10 (or 30 respectively) are the same entity, the confused circuit is sent to the client unit 30 (or 10 respectively)
Thus, for each input bit x of the creator of the circuit equal to 0 (respectively 1), the creator sends only the encryption key kg (respectively k ^). As these keys are random, the user of the confused circuit cannot obtain any information on the corresponding bits of the data held by the creator.
In addition, the user of the confused circuit recovers from the creator, by unconscious transfer, the keys corresponding to the bits of the input data of the function which they possess.
Thus, for each bit y of input of the user, the creator prepares a list with two elements made up of kg and kg and the index chosen by the user for the unconscious transfer is the value of the bit y.
The use of the unconscious transfer method allows the creator to obtain no information on the bit values of the data of the user of the circuit.
Finally, the user of the confused circuit can evaluate the function using the keys he has obtained in order to obtain the output keys corresponding to the result of the evaluation of the function f. Either the creator of the confused circuit sends the concordance table T to the user who deduces the result of the function. Either the user sends the creator of the confused circuit the exit key (s) and the creator of the confused circuit deduces the result of the function using the concordance table.
Identification by iris binary codes
The iris biometric data comprises two vectors IC = (I, M) of bits of length L, where L is generally 2048. This is called binary iris codes (called IrisCode, see reference [IRIS]). The vector I corresponds to the acquired image (for example by the acquisition means 38) and the vector M is a mask which corresponds to the reliable bits of the first vector I. Furthermore, a bit of the vector M which is equal to 0 represents a erasure (eyelash, blur, area hidden by the eyelid, etc.). If a bit of the mask M is 0, by convention the bit associated with the image is also set to 0.
To compare two binary iris codes (Ii, MJ and (I ₂ , M ₂ ), a normalized Hamming distance NHD is commonly used:
N HD ((/ _1; MJ, (/ ₂ M ₂ )) =
HW ((I ₁ xorI ₂ ) and (M ₁ and M ₂ ))
HW (M ₁ andM ₂ )
Where for any vector a, HW (a) represents the Hamming weight of a.
This NHD normalized Hamming distance is then compared to a threshold t. If the standardized distance NHD is less than the threshold t, it is an authentication; otherwise it is a rejection.
We call f the function of calculating this Hamming distance and comparing it to the threshold t. The function f is broken down into a series of elementary Boolean operations and can therefore be used in the context of a confused circuit as described above.
For practical floating point reasons, the NHD <t comparison is performed with the following inequality:
2 ^m . HWÇÇpxorl ^ andÇM ^ ndM ^ <2 ^m .t.HW (M ₁ andM ₂ )
With 2 ^m which is chosen to ensure that 2 ^m t is an integer.
FIG. 3 illustrates an overall diagram for two binary codes of iris 1 and 2 in which the i ^th coordinated bit of the vectors is represented in square brackets. The circuit is broken down into sub-boxes called: AND for the Boolean operation "and", XOR for the Boolean operation of "or exclusive", HW to calculate the weight of Hamming, CMP for the comparison and MULT for the multiplication. In the present case, as 2 ^m t is known, the multiplication can also be replaced by additions. Such circuits (MULT, HW, CMP, etc.) are known and are presented in the reference [KSS].
Thus, the function f comprises a succession of AND and XOR gates. To calculate f, it suffices to enter the values {0; 1} bits of the coordinates of the input vectors I and M.
The output given by the function f can correspond to 1 if the inequality is verified, in which case the correspondence is verified and the authentication validated; the output can correspond to 0 otherwise.
Face authentication
In the case of biometric data obtained from a face image, each face image is processed in order to obtain exploitable biometric data (for example by identifying positions of the characteristic points of the face), and the function f to be evaluated. with confused circuits GC is the Euclidean distance calculated between the biometric data obtained from the enrollment image and each biometric data obtained from each test image, followed by a comparison with a threshold.
Similarities between the images in the video
In order to simplify the explanation of the methods, the following notations are introduced: one wishes to evaluate the function f between a biometric datum b of reference stored in the first client unit 10, and C biometric test data b'i ... b ' _c , where C is a positive integer strictly greater than 1.
The function f is therefore evaluated with the inputs (b ' _x , ..., b' _c ) and b to obtain f (b, b ' _x ), ..., f (b, b' _c ). Each input biometric data b, b ', is a vector of L bits b'j = (bj [1], ..., bj [L]) with i going from 1 to C.
In the case of an iris binary code with image and mask, we have 10 b'j = (fi, Mj), where J and Mi are vectors of L bits.
Like the C data b ', come from the same video, they have similarities, that is to say that there are a certain number of bits which have the same value on the C data b' ,.
We thus define the set S of invariant indices, defined by:
S = [ie [1..L] | yj ₁ , j ₂ e [l..c] ² , b ' _7l [t] = b' ₇₂ [i]}
We also define the set S of variant indices, defined by
S = [1 .. L] S
For the binary codes of iris, we therefore have: s = {ie [1 .. L] I VÂJ2 e [1 .. C] ² , 1 _7i [i] = I ₇₂ [i] and M _7i [i] = M _7z [t]}
Since L = 2048, we also have:
S = [1..2048] S
As the two sets form a partition of the input indices (ie sus = [l..L] etsns = 0), the normalized Hamming distance can be decomposed in the following form, for two binary codes iris (/ ₂ M ₂ ):
NHD (fa, MJ, (I ₂ , M ₂ )) = NHD _NU m
NHD
NUM (("(/ ₂ m ₂ ))
NHO ^ M ^ MJ
NHD _num
NHDmM, MJ _s + NHDmM, MJ _s -
With NHD _num ((Λ, Μ,), (/ ₂ , M ₂ )) = HWfa ₁ xorI ₂ ') and (M ₁ and M ₂ )), NHD _DEN (M _lt M2) = HWfafandMJ, NHD _num (...) _s , NHD _den (...) _s being NHD _den (... ') for the indices of S, and evaluation of NHD _NUM faJ, NHD _NUM (...) sr NHD _den (...) s being NHD _den (... ') for the indices of S. evaluation of NHD _num (..J,
As for any index i of S, we have Vj _lf j ₂ e [1 .. C] ² , I _7i [i] = I ₇₂ [i] and _{M 7l} [i] = M ₇ - ₂ [i], we are assured that NHD _num (fa.Mjf), fa.fa)) and
ΝΗΰ _ΟΕΝ (Μ _{} ι} , Μ _{} ζ} ) ₅ are independent of j _{2 and} j ₁ . In practice, one of the two iris codes used in NHD is the enlisted iris code (I _b , M _b ), so we are sure that for vy e [1..C], / VHD _WUM ((/ _b , M _b ), (/ ₇ M ₇ ) ^ and
NHD _DEN (M _b , Mf) _s are independent of j.
It is therefore possible to decompose the function f (which is here a function of NHD and t) to be evaluated into two sub-functions f _s and f _s , one concerning the inputs and outputs which are unchanged on the C biometric data. and the other concerning inputs and outputs whose value is not identical for all the C data. The bits of b are inputs distributed over the two sub-functions f _s and f _Sr depending on whether or not the bit of b 'belongs to S, used in elementary calculation with the associated bit of b.
These two sub-functions are associated respectively: a confused circuit GC ^S called "invariant", associated with the function f _s , which is identical for the C data b '_1; ..., b ' _c (the evaluation of the denominator and the numerator of NHD for the entries belonging to S) and C confused circuits GC , ..., GCS called "variants", associated with C functions f _s , of which each one is specific to one of the C data b ' _x , ..., b' _c (the evaluation of the denominator and the numerator of NHD for the other entries), followed by the grouping of the results and the comparison with a threshold. There are thus C + l confused circuits to generate, but the C confused circuits GC [, ..., GC / to be evaluated for each datum have less complexity.
By minimizing the number of logic gates and minimizing the number of wires whose value depends on at least one input whose index belongs to S, the evaluation of confused circuits will be improved.
FIG. 4 illustrates a simplified diagram of what has been explained previously. The term wire denotes the inputs and outputs between elementary logic operations. The set of invariant wires is denoted W, and its complement W. The notations are specific to this figure. Here S = {2,4,5,6,7,8}.
Now, two variants of an authentication method will be described. These two variants each use the fact that part of the decomposition of f into elementary functions can remain invariant due to the similarities that may exist between the C data.
The first variant, illustrated in FIG. 5, makes it possible to minimize the number of confused circuits to be generated and therefore to be evaluated. But it is not possible to generate the confused circuits during a precalculation phase because they depend on the set S which itself depends on the biometric test data b ' _x , ..., b' _c of the customer unit 30.
The second variant, illustrated in FIG. 6, makes it possible to limit the number of confused circuits to be generated (without necessarily minimizing it). But compared to the first variant, the confused circuits can be pre-calculated before the acquisition of the biometric test data b ' _x , ..., b' _c by the client unit 30 because the confused circuits are independent of the biometric data test b ' _x , ..., b' _c of the client unit 30.
First variant
In a first step, El, the second client unit 30, from the biometric test data b ' _x , ..., b' _c determines the set S, by identifying the invariant bits between all the images. This step E1 can be preceded by a step EO of acquiring said data by the acquisition means 38.
In a second step E2, the second client unit 30 sends the set S relating to the invariant indices to the server 20 so that the latter can generate confused circuits as presented above.
In a third step E3, the server decomposes the function f into two sub-functions f _s and f _s to generate a confused invariant circuit GC ^S and to generate C variant confused circuits GC [, .... GC ^. To evaluate the function f for a biometric data b ', it is thus necessary to evaluate GC ^S and Gcf. We denote GCi the confused circuit composed of GC ^S and Gcf, with i going from 1 to C.
In a fourth step E4, concomitant with step E3, the server 20 randomly generates the coding keys k ^s , k ^, ..., k% for the C + 1 confused circuits.
In a fifth step E5, the server 20 sends the confused circuits to one of the two client units 10, 30. For reasons of clarity, it will be assumed that the server 20 sends them to the first client unit 10, but it can also alternately send them to the second client unit 30
Then, in a sixth step E6, the two client units 10, 30 recover from the server 20 by unconscious transfer the coding keys k _b , k _b > corresponding to the values of the bits of the inputs of the function f to be evaluated for each confused circuit .
Each client unit recovers the keys which relate to the biometric data at its disposal: the first client unit 10 recovers a set of keys k _b comprising a key associated with each bit of the data b; the second client unit 30 retrieves a set of keys k _b > comprising a key for each bit associated with an index belonging to S and C keys for each bit associated with an index belonging to S.
According to the example given above in which the data b comprises 2048 bits, the key set k _b comprises 2048 keys and the key set k _b > comprises 1 x | S | + C x | 5j keys, where | S | denotes the number of indices in the set S and | 5j denotes the number of indices in the set S. The key set k _b > therefore comprises a number of keys less than C x 2048 keys.
In a seventh step E7, the second client unit 30 sends its coding keys to the first client unit 10. Since these are coded keys, the first client unit 10 ignores the masked value of the bit.
In a step E8, with all the keys, the first client unit 10 can evaluate with the aid of its calculation unit 12 the function f for each of the C data b '_1; ..., b ' _c and the data b.
For the C images, the invariant confused circuit GC ^S only has to be evaluated once and can be used for the C evaluations of the function f, thereby saving time and resources. The confusing variant circuits GCf, ..., GCf are also executed.
We obtain as output C coding keys k ^ = GC _t (nhd (k _b , k _b ^ <t).
Finally, in a step E9, it suffices to determine to which value the output keys correspond: for example 1 to say that the inequality is verified (authentication validated) and 0 to say that it is not verified (rejection) . As explained previously, step E9 comprises either the sending by the server of the concordance table to the client unit 10 to perform the conversion of the output keys, or the sending by the client unit 10 to the server so that the latter performs the conversion and obtains the result.
This method of implementing the method nevertheless requires an exchange between the client units 10, 30 and the server 20 in order to be able to implement authentication. In fact, the server 20 needs to know exactly S to build the confused circuits. Consequently, the server 20 cannot create the confused circuits during a so-called pre-calculation phase.
Second variant of the process
To this end, it is necessary to overcome the variability of the set S as defined above and which depends on the biometric data acquired b ' _x , ..., b' _c .
For this, in a prior step F1, carried out using a biometric database of the same kind as those which must be used in the process, a higher margin | S _max | the number of indices contained in the set S. This value | S _max | is stored in the memory 24 of the server 20 and will be used for the generation of the invariant confused circuit GC ^S and of confused variant circuits GCj, ..., GCj. For reasons of simplification, we thus consider that VîJ e [| Smax | + l..L] ² , Vjltj ₂ e [1..C] ² , 1 _7i [i] = I ₇₂ [i] and M _7l [i] = M _7z [t].
Alternatively, one can evaluate a lower margin | S _max | of the number of indices contained in the set S. We therefore have | 5 _ma% | = LI ^ τηαχ I
The description will be made for | S _max |.
As the creation of the confused circuits is done independently of the biometric test data b'i, the ordering of the indices belonging to S (or S) can be arbitrary. In this regard, the data b'i are permuted during a step F0 described below to guarantee that the indices of the invariant bits are in S.
In a next step F2, the upper margin | S _max | is stored in the memory 24 of the server 20.
The third step F3 is similar to step E3.
The fourth step F4 is similar to step E4.
The fifth step F5 is similar to step E5.
The sixth step F6 is similar to step E6, except that the coding keys k _b , k _b 'correspond to the values of the permuted bits of the inputs of the function f to be evaluated, denoted k _{n (b} yk _{n (b} ' y In particular, the step of implementing the permutation on the bits of the data (b '_1; ..., b' _c ) allows the second client unit to recover the keys corresponding to the correct sets S and S. The first client unit 10 retrieves a set of keys k _n ^ relating to the permuted bits of the reference biometric data b and the second client unit 30 retrieves a set of keys k _{n (b} 'y relating to the permuted bits of the test biometric data ( b '_1; ..., b' _c ), the set comprising a key for each of the bit indices belonging to S and C keys for each of the indices belonging to s.
The seventh step F7 is similar to step E7.
The eighth step F8 is similar to step E8.
The ninth step F9 is similar to step E9. Preferably, the concordance table T is sent with the confused circuits, so that the authentication can be done without exchange with the server 20 after acquisition of the test data.
In a similar way to E0, this variant includes a step F0 which can include an acquisition of the biometric test data b'i to b ' _c by the client unit 30.
Step F0 also includes the application, by the second client unit 30, of a permutation on the bits of this test biometric data (b ' _x , ..., b' _c ), as a function of the value of | S _max | calculated in step F1, so that the bits of the test biometric data are identical on the indices [| S _max | + 1..L].
This makes it possible to guarantee that the invariant bits between the data b'i to b'c are indeed in the set S and that the other bits are in the set s.
In this variant, the step F0 of acquiring the data is therefore carried out after the step F1. It can advantageously be performed after any of the steps F1 to F5, which are carried out in a so-called pre-calculation phase.
This second variant of the method is less efficient than the first in terms of computation time since the value | S _max |, respectively | S _max |, is chosen so as to be greater, respectively less, than the actual number of variant bits, respectively invariants. Nevertheless, it allows generation upstream of the confused circuits, independently of the biometric data bŸ ..., b ' _c , which makes it possible to speed up the authentication phase (if the pre-calculations are not taken into account ).
Case where the two client units are the same client terminal
This case is illustrated in Figures 5 and 6.
The terminal generally includes a confidence zone TZ and a non-confidence zone UZ. The confidence zone includes few means of calculation and little memory, unlike the non-confidence zone.
The confidence zone stores the biometric reference data b and the non-confidence zone will evaluate the function f by executing the confused circuits.
This is the trusted zone which receives the coding keys. Consequently, there is then a transfer from the acquisition means 38 to the confidence zone of the data b ' _x , ..., b' _c .
For the first variant of the method, there is a transfer of the bits of the data belonging to S and a transfer of the bits of the data belonging to S, so that the trusted zone recovers the appropriate keys.
For the second variant of the method, there is a transfer of the permuted data bits which belong to S and a transfer of the permuted data bits belonging to S.
Case where the server and one of the two client units are the same entity
To simplify, the server 20 and one of the two client units 10 are called "server" and the other client unit 30 which is not included in the server is called "client". The server creates the confused circuits and the client evaluates the confused circuits.
To obtain the set of keys for the input bits, the server sends the keys corresponding to its own inputs to the client. There is no need for unconscious transfers for these keys because the server created the confused circuits. The client, for its part, retrieves the keys that correspond to its own entries using unconscious transfers with the server, so that the latter cannot deduce the entries from the client.
REFERENCES [SMC]: Hazay, Carmit; Lindell, Yehuda: Efficient Secure Two-Party Protocols - Techniques and Constructions. Information Security and Cryptography. Springer, 2010.
[YAO]: A. C.-C. Yao. How to qenerate and exchanqe secrets (extended abstract). In FOCS, 1986.
[SAD]: A.-R. Sadeghi, T. Schneider, and I. Wehrenberg. Efficient Drivacv-preservinq face recognition. In ICISC, 2009.
[SNY]: Snyder, Peter: Yao's Garbled Circuits: Recent Directions and Implementations, 2014, [IRIS]: John Daugman "How iris recognition works", [KSS]: Kolesnikov, Vladimir; Sadeghi, Ahmad-Reza; Schneider,
Thomas: Improved Garbled Circuit Building Blocks and Applications to Auctions and Computing Minima. In: Cryptology and Network Security, 8th International Conference, CANS. 2009 [GE]: Gentry, Craig; Gorbunov, Sergey; Halevi, Shai; Vaikuntanathan, Vinod; Vinayagamurthy, Dhinakaran: How to Compress (ReusableJ Garbled Circuits. IACR Cryptology ePrint Archive, 2013: 687, 2013.
[GO]: Goldwasser, Shafi; Kalai, Yael Tauman; Popa, Raluca A .;
Vaikuntanathan, Vinod; Zeldovich, Nickolai: Reusable qarbled circuits and succinct functional encryption. In: Symposium on Theory of Computing Conference, STOC'13. pp. 555-564, 2013.
[Ra]: Rabin, Michael O .: How To Exchanqe Secrets with Oblivious
Transfer. Harvard University Technical Report 81, 1981.

权利要求:
Claims (15)
[1" id="c-fr-0001]
Claims
1. Method for authenticating a user implemented using a system comprising:
a first client unit (10) comprising a memory (14) in which is stored a biometric reference datum (b),
a second client unit (30) comprising means for acquiring at least one biometric test datum (b ′), and
- a server (20), configured to generate confused circuits (GC) for evaluating functions (f), each confused circuit (GC) having as inputs a set of encryption keys of bits of input data of the function (f) evaluating and outputting the encryption keys corresponding to the bits of the result of the function (f) evaluated, and in which the steps of calculating the function (f) are broken down into elementary logical operations, each circuit confused (GC) further comprising a set of keys (k) for coding each of the possible inputs and outputs of each elementary logic operation, the method comprising the comparison of a number C of test data (b ′ _x , .. ., b ' _c ) acquired on the user by the second client unit (30) at the reference datum (b), said comparison comprising the calculation, by means of confused circuits (GC), of a distance between the datum of reference (b) and each test data (b ' _x , ... , b ' _c ), characterized in that the comparison includes the implementation of the following steps:
- (E3, F3) from a set S comprising indices of the test data (b ' _x , ..., b' _c ), such as the value of the bit of each test data associated with an index of the set S is invariant on all C test data (b ' _x , ..., b' _c ), the server decomposes the function to be evaluated into:
a sub-function f _s which includes all the logical operations whose output depends solely on input bits whose index belongs to said set S and generates for the evaluation of this sub-function f _s a single confused circuit (GC ^S ) called invariant, a sub-function f _s which includes all the logical operations of the function f not evaluated by the sub-function f _s and generates, for each of the C test data (^, ..., b ' _c ), a confused circuit called variant (GCf, ..., GCf) for the evaluation of the sub-function f _s ,
- (E4, F4) the server (20) randomly generates the coding keys (kfkf ..., k%) for the single invariant confused circuit (GC ^S ) and for the C variant confused circuits (GCf, ... , GCf),
- (E5, F5) the server sends the confused circuits (CGGC ^s , GCf, ..., GCf ') to one of the client units (10, 30),
- (E6, F6) the two client units recover from the server (20) by unconscious transfer (OT):
coding keys (k _b , k _b C) corresponding to the values of the bits of the inputs of the function (f) to be evaluated as a function of the reference data (b) and of the C test data (b ') respectively at their disposal , the first client unit (10) retrieving a set of keys (k _b ) relating to the biometric reference data (b) and the second client unit (30) retrieving a set of keys (k _b ') comprising a key for each bit associated with an index belonging to the set S and C keys for each bit associated with an index not belonging to S, and
- (E7, F7) the client unit (10, 30) having received the confused circuits recovers the coding keys (k _b , k _b ,) from the other client unit (10, 30), and (E8, F8) evaluates the function (f) for each of the C test data, with the recovered keys as inputs, by executing the confused circuits (GC ^S , GCf, ..., GCf),
- (E9, F9) according to said evaluations of f, authentication or not of the user or of the object.
[2" id="c-fr-0002]
2. Method according to claim 1, in which the set (S) of indices is determined in a prior step (El) by the second client unit (30) by analysis of the invariant bits between the C test data (b ' _x ..... b ' _c ).
[3" id="c-fr-0003]
3. Method according to claim 1, in which the set (S) of indices comprises a fixed number of indices (LI-Snaxl) / the indices being chosen in any way, the second client unit (30) applies a permutation (n) to the bits of each data (b ',) invariant between the C test data so that said indices of said invariant bits correspond to the indices of the set of indices (S), and the coding keys are retrieved for swapped bits.
[4" id="c-fr-0004]
4. Method according to claim 3, in which the fixed number of indices of the set of indices (S) is determined beforehand by a database analysis, the fixed number of indices of the set of indices being chosen to be less than the actual number of invariant bits between the C test data.
[5" id="c-fr-0005]
5. Method according to one of claims 3 or 4, in which the steps of decomposing the function to be evaluated, of generating coding keys and of sending confused circuits to one of the client units are implemented beforehand. the acquisition of test data or the application of the permutation to said data.
[6" id="c-fr-0006]
6. Method according to any one of claims 1 to 5, wherein the two client units (10, 30) form a single client terminal.
[7" id="c-fr-0007]
7. Method according to any one of claims 1 to 5, in which the server (20) and one of the two client units (10, 30) form a single entity, and in which the other client unit (30, 10) receives confused circuits.
[8" id="c-fr-0008]
8. Method according to any one of the preceding claims, in which the server (20) also sends to the client unit (10, 30) a concordance table (T) of the outputs of each confused circuit (C), so the client unit (10, 30) which evaluates the function f can know the value of the evaluation output keys (/ cg _ut ).
[9" id="c-fr-0009]
9. Method according to one of claims 1 to 8, further comprising a step during which the client unit (10,30) having evaluated the function sends to the server (20) the evaluation output keys ( / c £ _ut ) ^and the server deduces therefrom, from the concordance table of the outputs of each confused circuit, the evaluations of the function f.
[10" id="c-fr-0010]
10. Method according to any one of the preceding claims, in which the data (b, b '_1; ..., b' _c ) are binary iris codes.
[11" id="c-fr-0011]
11. Method according to any one of the preceding claims, in which the function (f) to be evaluated comprises the calculation of normalized Hamming distance between the reference biometric data (b) and each of the C test data (b ' _x , ..., b ' _c ) and includes the comparison of this distance to a threshold (t).
[12" id="c-fr-0012]
12. Method according to any one of the preceding claims, in which the invariant confused circuit (GC ^S ) is evaluated only once for the C test data.
[13" id="c-fr-0013]
13. Individual authentication system, comprising:
- a first client unit (10) comprising a memory (14),
a second client unit (30) comprising means for acquiring at least one test datum (b ' _x , ..., b' _c ), and
- a server (20), configured to generate confused circuits (GC) for evaluating functions (f), each confused circuit (GC) having as inputs a set of encryption keys of bits of input data of the function (f) evaluating and outputting the encryption keys corresponding to the bits of the result of the function (f) evaluated, and in which the steps of calculating the function (f) are broken down into elementary logical operations, each circuit confused further comprising a set of key (k) for coding each of the possible inputs and outputs of each elementary logic operation, the system being characterized in that it is configured to implement the method according to one of claims 1 at 12.
[14" id="c-fr-0014]
14. Server (20), comprising a computer (26) adapted to generate confused circuits (GC) for evaluating a function (f) comprising the comparison of a reference datum with a plurality C of test data, the server (20) being characterized in that it is adapted for, from a set S comprising indices of test data, such as the value of the bit of each test data associated with an index of the set S is invariant on all C test data (b '_1; ..., b' _c ), decompose the function (f) to be evaluated into:
a sub-function f _s which includes all the logical operations whose output depends solely on input bits whose index belongs to said set S, and a sub-function f _s which includes all the logical operations of the function f non evaluated by the sub-function f _s , and to generate a single confused circuit (GC ^S ) called invariant for the evaluation of the sub-function f _s , and for each of the C test data (b '_1; ... , b ' _c ), a confused circuit called variant (GCj, for the evaluation of the sub-function f _s ,
[15" id="c-fr-0015]
15. Computer program product, comprising code instructions for implementing a method comprising the generation of confused circuits (GC) for evaluating a function (f) comprising the comparison of reference data to a plurality C of test data (b '_1; ..., b' _c ), said generation comprising:
from a set S comprising indices of test data, such that the value of the bit of each test data (b '_1; ..., b' _c ) associated with an index of the set S is invariant on all the C test data (b ' _x , ..., b' _c ), the decomposition of the function (f) to be evaluated in:
5 a sub-function f _s which includes all the logical operations whose output depends only on input bits whose index belongs to said set S, and a sub-function f _s which includes all the logical operations of the function f not - evaluated by the sub-function f _s ,
10 and the generation:
- of a single confused circuit (GC ^S ) called invariant for the evaluation of the sub-function f _s , and,
- for each of the C test data (b ' _x , ..., b' _c ), of a confused circuit called variant (GCf ..., GC ^) for the evaluation of the sub-function f _s ,
15 when executed by a computer (26).
3054 (
1/6
3054 (
xî‘0.1) ÿ‘0.1) Λ. y z ¥ ¥ 0 0 0 ^k s b / ⁷ FV j-, k: 0 1 0 i 0 0 AND 1 1 1
ζΡ, Ι)

类似技术:

---

公开号 | 公开日 | 专利标题

---

FR3054054B1|2019-07-19|METHOD AND SYSTEM FOR AUTHENTICATION BY CONFINED CIRCUITS

---

EP2795831B1|2016-03-09|Biometric identification using filtering and secure multi party computation

---

FR3025339A1|2016-03-04|METHOD FOR USING A DEVICE FOR UNLOCKING ANOTHER DEVICE

---

EP1538508A1|2005-06-08|Method and apparatus for on-the-fly encryption and decryption

---

WO2014118257A1|2014-08-07|Method of xor homomorphic encryption and secure calculation of a hamming distance

---

EP3623975A1|2020-03-18|Method and system for electronic voting by biometric identification

---

CA2888103C|2020-07-21|Electronic signature method with ephemeral signature

---

WO2012156648A1|2012-11-22|Biometrically protected access to electronic devices

---

EP3239902B1|2018-12-05|Method for verifying an authentication or biometric identification

---

FR3054905B1|2019-10-18|KEY GENERATION METHOD AND ACCESS CONTROL METHOD

---

CA2867241C|2019-12-31|Method for encrypting a plurality of data in a secure set

---

EP3543966A1|2019-09-25|Data enrolment method for verifying an identity, and method for verifying identity

---

EP3200387B1|2020-06-10|Secure multi-party processing method protected against a malicious party

---

WO2009083528A1|2009-07-09|Method and system for generating stable biometric data

---

Xi et al.2016|FE-SViT: A SViT-based fuzzy extractor framework

---

EP3340096B1|2019-08-07|Method for configuring a cryptographic program intended for being run by a terminal

---

US20210211291A1|2021-07-08|Registration and verification of biometric modalities using encryption techniques in a deep neural network

---

EP3742699A1|2020-11-25|Method for strong authentication of an individual

---

Neethu2018|Revocable Session Key Generation Using Combined Fingerprint Template

---

WO2021240103A1|2021-12-02|Grouping of trajectories in the encrypted domain

---

Raj et al.2020|Securing Biometric Data over Cloud via Shamir’s Secret Sharing

---

Yassin et al.2014|A New Message Authentication Code Scheme Based on Feature Extraction of Fingerprint in Cloud Computing

---

Priscilla et al.2018|USAGE OF BIOINFORMATIC DATA FOR REMOTE AUTHENTICATION IN WIRELESS NETWORKS.

---

CN113052044A|2021-06-29|Method, apparatus, computing device, and medium for recognizing iris image

---

WO2021167534A1|2021-08-26|Biometric template recognition system

同族专利:

---

公开号 | 公开日

---

IL253454D0|2017-09-28|

---

IL253454A|2019-09-26|

---

US20180019997A1|2018-01-18|

---

EP3270538B1|2018-09-26|

---

US10375066B2|2019-08-06|

---

EP3270538A1|2018-01-17|

---

FR3054054B1|2019-07-19|

引用文献:

---

公开号 | 申请日 | 公开日 | 申请人 | 专利标题

---

---

US7716484B1|2000-03-10|2010-05-11|Rsa Security Inc.|System and method for increasing the security of encrypted secrets and authentication|

---

US8972742B2|2009-09-04|2015-03-03|Gradiant|System for secure image recognition|

---

US8958552B2|2009-10-29|2015-02-17|Mitsubishi Electric Corporation|Data processing device|

---

US8515058B1|2009-11-10|2013-08-20|The Board Of Trustees Of The Leland Stanford Junior University|Bootstrappable homomorphic encryption method, computer program and apparatus|

---

US8539220B2|2010-02-26|2013-09-17|Microsoft Corporation|Secure computation using a server module|

---

US8488791B2|2010-09-22|2013-07-16|Alcatel Lucent|Securing two-party computation against malicious adversaries|

---

US8881295B2|2010-09-28|2014-11-04|Alcatel Lucent|Garbled circuit generation in a leakage-resilient manner|

---

US9077539B2|2011-03-09|2015-07-07|Microsoft Technology Licensing, Llc|Server-aided multi-party protocols|

---

FR2984559B1|2011-12-20|2015-10-23|Morpho|IDENTIFICATION OF INDIVIDUALS BY SECURE CALCULATION|

---

FR2992124B1|2012-06-18|2014-07-25|Morpho|SECURE DATA PROCESSING METHOD|

---

US9535658B2|2012-09-28|2017-01-03|Alcatel Lucent|Secure private database querying system with content hiding bloom filters|

---

WO2014108835A2|2013-01-08|2014-07-17|Bar-Ilan University|A method for providing security using secure computation|

---

US9055038B1|2013-02-04|2015-06-09|Stealth Software Technologies, Inc.|Apparatus, system, and method to garble programs|

---

WO2015112859A1|2014-01-24|2015-07-30|Indiscine, Llc|Systems and methods for personal omic transactions|

---

US10114851B2|2014-01-24|2018-10-30|Sachet Ashok Shukla|Systems and methods for verifiable, private, and secure omic analysis|

---

US9509665B2|2014-08-11|2016-11-29|Alcatel Lucent|Protecting against malicious modification in cryptographic operations|

---

FR3031641B1|2015-01-08|2017-01-13|Morpho|METHOD OF IDENTIFYING AN ENTITY|

---

EP3262551A4|2015-02-27|2018-10-31|Dyadic Security Ltd.|Asystem and methods for protecting keys using garbled circuits|

---

US9906511B1|2015-06-29|2018-02-27|Bar-Ilan University|Secure impersonation detection|

---

US10243738B2|2015-12-04|2019-03-26|Microsoft Technology Licensing, Llc|Adding privacy to standard credentials|

---

FR3054054B1|2016-07-13|2019-07-19|Safran Identity & Security|METHOD AND SYSTEM FOR AUTHENTICATION BY CONFINED CIRCUITS|FR3054054B1|2016-07-13|2019-07-19|Safran Identity & Security|METHOD AND SYSTEM FOR AUTHENTICATION BY CONFINED CIRCUITS|

---

US11194922B2|2018-02-28|2021-12-07|International Business Machines Corporation|Protecting study participant data for aggregate analysis|

---

US11044107B2|2018-05-01|2021-06-22|Analog Devices, Inc.|Device authentication based on analog characteristics without error correction|

---

US10749694B2|2018-05-01|2020-08-18|Analog Devices, Inc.|Device authentication based on analog characteristics without error correction|

---

US11210428B2|2018-06-06|2021-12-28|The Trustees Of Indiana University|Long-term on-demand service for executing active-secure computations|

---

CN110909356B|2018-09-18|2022-02-01|百度在线网络技术（北京）有限公司|Secure multiparty computing method, apparatus, device and computer readable medium|

---

US11245680B2|2019-03-01|2022-02-08|Analog Devices, Inc.|Garbled circuit for device authentication|

法律状态:
2017-06-20| PLFP| Fee payment|Year of fee payment: 2 |

---

2018-01-19| PLSC| Search report ready|Effective date: 20180119 |

---

2018-06-21| PLFP| Fee payment|Year of fee payment: 3 |

---

2020-06-23| PLFP| Fee payment|Year of fee payment: 5 |

---

2021-06-23| PLFP| Fee payment|Year of fee payment: 6 |

优先权:

---

申请号 | 申请日 | 专利标题

---

FR1656776A|FR3054054B1|2016-07-13|2016-07-13|METHOD AND SYSTEM FOR AUTHENTICATION BY CONFINED CIRCUITS|

---

FR1656776|2016-07-13|FR1656776A| FR3054054B1|2016-07-13|2016-07-13|METHOD AND SYSTEM FOR AUTHENTICATION BY CONFINED CIRCUITS|

---

EP17169099.3A| EP3270538B1|2016-07-13|2017-05-02|Authentication method and system using confused circuits|

---

IL253454A| IL253454A|2016-07-13|2017-07-12|Authentication method and system by garbled circuits|

---

US15/648,300| US10375066B2|2016-07-13|2017-07-12|Authentication method and system by garbled circuit|