RELATIONAL ENCRYPTION

Info

Publication number: 20170142109
Type: Application
Filed: May 17, 2016
Publication Date: May 18, 2017
Applicant: FUJITSU LIMITED (Kawasaki-shi)
Inventors: Avradip MANDAL (San Jose, CA), Arnab ROY (Santa Clara, CA), Hart MONTGOMERY (Redwood City, CA)
Application Number: 15/157,361

Abstract

A method includes receiving a first message that includes a first relational key element based on a first group element, and a second relational key element based on the first group element and raised to the power of a first plaintext value. The method also includes receiving a second message that includes a third relational key element based on a second group element, and a fourth relational key element based on the second group element and raised to the power of a second plaintext value. The method additionally includes comparing the first message to the second message without decryption of the first or second messages and, based on the comparison, determining that the first plaintext value and the second plaintext value are the same.

Description

Description

CROSS-REFERENCE TO RELATED APPLICATION

This application is a continuation-in-part of U.S. application Ser. No. 14/797,025, filed Jul. 10, 2015, which is a continuation-in-part of U.S. application Ser. No. 14/287,051, filed May 25, 2014, both of which are incorporated herein by reference.

FIELD

The embodiments discussed herein are related to relational encryption.

BACKGROUND

A form of user authentication may include biometric authentication. Biometric authentication generally includes measuring a biometric characteristic of a user that is unique to the user. The measured biometric characteristic, or a representation thereof, is then used as a basis of authenticating an identity of the user. Biometric characteristics may include a user's fingerprints, irises, veins, a section of deoxyribonucleic acid (DNA), and the like. Biometric authentication may have an advantage of allowing the user to be authenticated without having to remember a password. Because the biometric characteristic may be unchangeable, privacy is important in biometric authentication systems.

The subject matter claimed herein is not limited to embodiments that solve any disadvantages or that operate only in environments such as those described above. Rather, this background is only provided to illustrate one example technology area where some embodiments described herein may be practiced.

SUMMARY

One or more embodiments of the present disclosure may include a computer-implemented method that may include receiving at a server a first encrypted message from a first user device. The first encrypted message may include a first relational key element based on a first mathematical group element, and the first encrypted message may also include a second relational key element based on the first mathematical group element and raised to a power of a first plaintext value. The method may also include receiving at the server a second encrypted message from a second user device. The second encrypted message may include a third relational key element based on a second mathematical group element different from the first mathematical group element. The second encrypted message may also include a fourth relational key element based on the second mathematical group element and raised to a power of a second plaintext value. The method may additionally include comparing the first encrypted message to the second encrypted message using one or more processors of the server, without decryption of either the first encrypted message or the second encrypted message by the server. The method may also include determining by the one or more processors, based on the comparison, that the first plaintext value and the second plaintext value are the same. The method may additionally include, based on the first plaintext value and the second plaintext value being the same, the server authorizing the second user device to access restricted content.

The object and advantages of the embodiments will be realized and achieved at least by the elements, features, and combinations particularly pointed out in the claims.

It is to be understood that both the foregoing general description and the following detailed description are exemplary and explanatory and are not restrictive of the claims.

BRIEF DESCRIPTION OF THE DRAWINGS

Example embodiments will be described and explained with additional specificity and detail through the use of the accompanying drawings in which:

FIG. 1 is a block diagram of an example operating environment;

FIG. 2 is a block diagram of an example biometric authentication environment;

FIG. 3 is a flow diagram of an example method of biometric authentication;

FIGS. 4A and 4B are a flow diagram of an example method of relational encryption;

FIG. 5 is a flow diagram of an example method of discovering a linearity relationship in a relational encryption scheme;

FIG. 6 is a flow diagram of an example method of detecting a proximity in a relational encryption scheme;

FIG. 7 is a flow diagram of an example method of key generation of a relational linearity encryption scheme;

FIG. 8 is a flow diagram of an example method of encrypting a first plaintext vector using a relational linearity encryption scheme;

FIG. 9 is a flow diagram of an example method of generating keys of a relational proximity encryption scheme;

FIG. 10 is a flow diagram of an example method of encrypting a first plaintext vector using a relational proximity encryption scheme;

FIG. 11 is a flow diagram of an example method of decrypting a first linearity ciphertext;

FIG. 12 is a flow diagram of another example method of decrypting a first linearity ciphertext;

FIG. 13 is a block diagram of another example operating environment;

FIG. 14 is a flow diagram of an example method of encrypting non-uniformly distributed data using a relational encryption scheme;

FIG. 15 is a flow diagram of an example method of processing non-uniformly distributed data;

FIG. 16 is a block diagram of another example operating environment;

FIG. 17 is a flow diagram of an example method of utilizing a relational encryption scheme; and

FIGS. 18A and 18B are a flow diagram of an example method of initializing and utilizing a relational encryption scheme,

all arranged in accordance with at least one embodiment described herein.

DESCRIPTION OF EMBODIMENTS

A challenge of biometric authentication may be that a user may not change a biometric characteristic used as a basis for authentication. For example, the user may register a biometric template including biometric data describing one or more unique characteristics of the user such as a fingerprint of the user or an iris pattern of the user. If the biometric template is compromised, then the user may not be able to change the unique characteristics described by the biometric template. Thus, once compromised, another biometric template may be registered or a biometric template of another biometric characteristic may be registered. For at least this reason, biometric authentication systems may benefit from a strong privacy guarantee. For real life biometric data, the biometric data may be highly non-uniform.

In some biometric authentication systems various approaches have been implemented to attempt to provide a secure biometric authentication system. For example, some biometric authentication systems implement a “feature transformation approach,” a “biometric cryptosystem approach,” and/or a “homomorphic encryption approach.” However, each of these approaches provides limited privacy and security due at least partially to the communication of information such as biometric templates, the client-specific keys, public keys, and the like, each of which may be compromised.

Accordingly, some embodiments discussed herein relate to privacy-preserving biometric authentication. The privacy-preserving biometric authentication may be based upon relational encryption. The relational encryption may enable an authenticator to discover relationships between ciphertexts without enabling the authenticator to recover the plaintext or to generate a fraudulent ciphertext having particular relationships with a genuine ciphertext. For example, an example embodiment includes a method of biometric authentication. The method may include receiving a registration input. The registration input may include a first biometric template of a user. The first biometric template may be representative of unique features of a biometric characteristic of the user. The method may include generating a first linearity ciphertext and a first proximity ciphertext according to a relational encryption scheme. The method may include communicating the first linearity ciphertext and the first proximity ciphertext to an authentication server. The method may include receiving a challenge input. The challenge input may include a second biometric template. The second biometric template may be representative of the one or more unique features of the biometric characteristic of the user. The method may include generating a second linearity ciphertext and a second proximity ciphertext according to the relational encryption scheme. The method may include communicating the second linearity ciphertext and the second proximity ciphertext to the authentication server. The authentication server may discover a linearity relationship between the first and second linearity ciphertexts and detect a proximity between the first and second proximity ciphertexts. The method may include receiving a signal indicative of an authentication decision from the authentication server. The authentication decision may be based on the presence or absence of the linearity relationship and/or proximity.

In some embodiments, the underlying data may first be subjected to processing prior to generating the linearity or the proximity ciphertext. For example, the underlying data may be subject to a linear extractor which may provide a level of randomness in the underlying plaintext.

Embodiments of the present disclosure will be explained with reference to the accompanying drawings.

FIG. 1 illustrates a block diagram of an example operating environment 100, arranged in accordance with at least one embodiment described herein. In the operating environment 100 relational encryption may be performed. Relational encryption may include a cryptographic primitive which enables a first entity 152 to determine one or more relationships among two or more ciphertexts provided by a second entity 150. In particular, the relational encryption enables the first entity 152 to discover a linearity relationship between two or more of the ciphertexts and to detect a proximity between two or more of the ciphertexts. Additionally, the relational encryption may not allow the first entity 152 to recover the plaintexts from the ciphertexts or to construct a fraudulent ciphertext having a particular relationship with a particular, genuine ciphertext.

The relational encryption may be implemented in various environments. For example, the relational encryption may be implemented in a social environment in which individuals wish to keep their locations private, but a semi-trusted service may enable detection of proximity between the locations. Additionally, the relational encryption may be implemented in an image comparison environment. The proximity may be detected between images from a database to determine similarity between the images. Privacy of the images may be maintained. Users may search the images using relational encryption without being exposed to the images on the database. Additionally still, the relational encryption may be implemented in a private data storage environment. A user may encrypt its data and communicate the encrypted data to a database. Analytics (e.g., storage, clustering, etc.) may be performed on the encrypted data without a risk of the encrypted data being decrypted.

For example, the second entity 150 may receive a first plaintext vector 142A and a second plaintext vector 142B (generally, plaintext vector 142 or plaintext vectors 142). The plaintext vectors 142 may include any set of data such as biometric templates, locational information, etc. The second entity 150 may communicate a first ciphertext, which includes an encrypted version of the first plaintext vector 142A, to the first entity 152. Later, the second entity 150 may communicate a second ciphertext, which includes an encrypted version of the second plaintext vector 142B, to the first entity 152. The first entity 152 may discover whether there is a linearity relationship between the first ciphertext and the second ciphertext and may detect a proximity between the first ciphertext and the second ciphertext. The proximity may be in terms of Hamming distance in some embodiments.

However, the relational encryption may not allow the first entity 152 to construct the plaintext vectors 142 from the first and second ciphertexts. Moreover, the relational encryption may not allow the first entity 152 to construct a third ciphertext that includes a particular linearity relationship and/or a particular proximity with the first ciphertext and/or the second ciphertext. FIG. 1 depicts embodiments including two plaintext vectors 142 and, accordingly, two ciphertexts. In some embodiments more than two plaintext vectors 142 and, accordingly, more than two ciphertexts may be included in the operating environment 100.

The relational encryption may include one or more relational keys. The relational keys may be similar to public and/or signature keys and may be provided to or generated by the first entity 152. The relational keys may enable determination of the relationships between the ciphertext, but may not allow decryption of the ciphertext or recovery of the plaintext vectors 142. Additionally, the relational keys may not allow construction of ciphertext having a particular relationship with a particular ciphertext.

In some embodiments, the relational encryption may be defined according to a relational encryption scheme for a relation that includes a tuple of algorithms. The algorithms may include a key generation algorithm, a first encryption algorithm, a first decryption algorithm, a second encryption algorithm, a second decryption algorithm, and a verification algorithm. The relation may be defined as a subset of three sets. Additionally, the relation and the algorithms may satisfy one or more correctness conditions. For example, the relation may satisfy example correctness conditions:

R⊂X×Y×Z

(pkx,skx,pky,sky,skR)←KeyGen(1^λ)

cx←EncX(pkx,x)

cy←EncY(pky,y)

b←Verify(skR,cx,cy,z)

b≅R(x,y,z)

In the correctness conditions, R represents the relation. The operator C represents a subset operator. The parameters X, Y, and Z represent sets. The parameter x represents the first plaintext vector 142A. The parameter y represents the second plaintext vector 142B. KeyGen represents a key generation algorithm. EncX represents a first encryption algorithm. EncY represents a second encryption algorithm. Verify represents a verification algorithm. The operator ← represents an output operator. The parameter pkx represents a first public key. The parameter pky represents a second public key. The parameter skx represents a first secret key. The parameter sky represents a second secret key. The parameter skR represents a relational secret key. The parameter cx represents a first ciphertext. The parameter cy represents a second ciphertext. The parameter b represents an output by the verification algorithm. The parameter λ represents a security parameter. The parameter z represents a particular value that may be chosen by a verifier entity. The operator ≅ represents a congruency operator. In the correctness conditions, the output from the verification algorithm is congruent with the relation with an overwhelming probability.

The relational encryption scheme may be secure in the sense that the relational keys may not allow construction of a ciphertext having a particular relationship with a particular ciphertext and may not allow recovery of the plaintext vectors 142 from the particular ciphertext. For example, the relational encryption scheme may be secure if the following expressions hold:

- 1. Let Kx(1^λ) be an algorithm that runs KeyGen (1^λ), then takes the output (pkx, skx, pky, sky, skR) and outputs (pkx, skx). Then (Kx, EncX, DecX) is IND-CPA secure.
- 2. Let Ky(1^λ) be an algorithm that runs KeyGen (1^λ), then takes the output (pkx, skx, pky, sky, skR) and outputs (pky, sky). Then (Ky, EncY, DecY) is IND-CPA secure.
- 3. Let KR(1^λ) be an algorithm that runs KeyGen (1^λ), then takes the output (pkx, skx, pky, sky, skR) and outputs (pkx, skx, skR). Then EncX(pkx, ) and EncY (pky, ) are one-way functions given a knowledge of skR.
  In the above expressions, pkx, skx, pky, sky, skR, KeyGen, EncX( ), λ, and EncY( ) are as described above. DecX represents a first decryption algorithm. DecY represents a second decryption algorithm. Kx( ), Ky( ), and KR( ) are as described in the expressions. The symbol  indicates any value. The term “IND-CPA” represents shorthand for indistinguishability under chosen-plaintext attack. In some other embodiments, (Ky, EncY, DecY) and/or (Kx, EncX, DecX) may be secure according to another computational security metric such as indistinguishability under chosen ciphertext attack (e.g., IND-CCA1 or IND-CCA2) or any other suitable security metric.

Additionally, in some embodiments, the relational encryption scheme may include a relational linearity encryption scheme. The relational linearity encryption scheme may define a relation according to an example linearity relationship expression:

R={(x,y,z)|x+y=zx,y,zεF_Pⁿ}

In the linearity relationship expression, R, x, y, and z are as described above. The operator ε represents a membership operator. The operator | represents a such that operator. The operator represents a logical conjunction operator. The parameter F represents a field. The superscript n may generally represent a dimension of the field. The dimension of the field may include a length of one or more of the keys as discussed elsewhere herein. The subscript p represents a base-number of the field. For example, in F₃¹⁰the field includes a dimension of 10 and a base-number of three. The base-number of three indicates each element of the field is a zero, one, or two.

Additionally, in some embodiments, the relational encryption scheme may include a relational proximity encryption scheme that defines a relation according to an example proximity expression:

R_δ={(x,y)dist(x,y)≦δx,yεF_p^k}

In the proximity expression, R, x, , ε, and y are as described above. Parameter δ represents a distance that defines closeness. An operator dist represents a Hamming distance. As in the linearity relationship expression, the parameter F represents a field. However, the field in the proximity expression may include a different dimension than the field in the linearity relationship expression. The dimension of the field in the proximity expression may be related to a linear error correcting code.

The relational encryption schemes discussed herein may be implemented in the operating environment 100 of FIG. 1. The relational encryption scheme may enable the second entity 150 to communicate encrypted information to the first entity 152 and allow the first entity 152 to discover a linearity relationship among the encrypted information and/or determine a proximity between the encrypted information.

The operating environment 100 may include a user device 102 associated with the second entity 150 and an authentication server 140 associated with the first entity 152. The user device 102 and the authentication server 140 may be implemented in the operating environment 100 to perform the relational encryption.

The user device 102 and the authentication server 140 may generally include any computing device that enables generation and communication of information and/or data (e.g., ciphertext, keys, plaintext vectors 142, etc.) related to relational encryption via a network 107. Some examples of the user device 102 may include a mobile phone, a scanning device, a smartphone, a tablet computer, a laptop computer, a desktop computer, a set-top box, or a connected device (e.g., a smartwatch, smart glasses, a smart pedometer, or any other connected device). Some examples of the authentication server 140 may include a hardware server or another processor-based computing device configured to function as a server.

The network 107 may be wired or wireless. The network 107 may include numerous configurations including a star configuration, token ring configuration, or other configurations. Furthermore, the network 107 may include a local area network (LAN), a wide area network (WAN) (e.g., the Internet), and/or other interconnected data paths across which multiple devices may communicate. In some instances, the network 107 may include a peer-to-peer network. The network 107 may also be coupled to or include portions of a telecommunications network for sending data in a variety of different communication protocols. In some instances, the network 107 includes BLUETOOTH® communication networks or a cellular communications network for sending and receiving data including via short messaging service (SMS), multimedia messaging service (MMS), hypertext transfer protocol (HTTP), direct data connection, wireless application protocol (WAP), e-mail, etc.

The user device 102 may include a relational encrypt/decrypt module (enc/dec module) 110, a processor 124A, a memory 122A, and a communication unit 126A. The enc/dec module 110, the processor 124A, the memory 122A, and the communication unit 126A may be coupled via a bus 120A. The authentication server 140 may include a relational authentication module 108, a processor 124B, a memory 122B, and a communication unit 126B. The relational authentication module 108, the processor 124B, the memory 122B, and the communication unit 126B may be coupled via a bus 120B.

The processors 124A and 124B are referred to generally herein as the processor 124 or the processors 124, the memories 122A and 122B are referred to generally herein as the memory 122, the communication units 126A and 126B are referred to generally herein as the communication unit 126 or the communication units 126, and the buses 120A and 120B are referred to generally herein as the bus 120 or the buses 120.

The processors 124 may include an arithmetic logic unit (ALU), a microprocessor, a general-purpose controller, or some other processor array to perform computations and privacy preservation. The processors 124 may be coupled to the buses 120 for communication with the other components (e.g., 108, 110, 122, and 126). The processors 124 generally process data signals and may include various computing architectures including a complex instruction set computer (CISC) architecture, a reduced instruction set computer (RISC) architecture, or an architecture implementing a combination of instruction sets. In FIG. 1 the user device 102 and the authentication server 140 may each include a single processor 124. However, the user device 102 and/or the authentication server 140 may include multiple processors. Other processors, operating systems, and physical configurations may also be possible.

The memory 122 may be configured to store instructions and/or data that may be executed by one or more of the processors 124. The memory 122 may be coupled to the buses 120 for communication with the other components. The instructions and/or data may include code for performing the techniques or methods described herein. The memory 122 may include a DRAM device, an SRAM device, flash memory, or some other memory device. In some embodiments, the memory 122 also includes a non-volatile memory or similar permanent storage device and media including a hard disk drive, a floppy disk drive, a CD-ROM device, a DVD-ROM device, a DVD-RAM device, a DVD-RW device, a flash memory device, or some other mass storage device for storing information on a more permanent basis.

The communication units 126 may be configured to transmit and receive data to and from one or more of the user device 102 and/or the authentication server 140. The communication unit 126 may be coupled to the buses 120. In some embodiments, the communication unit 126 includes a port for direct physical connection to the network 107 or to another communication channel. For example, the communication unit 126 may include a USB, SD, CAT-5, or similar port for wired communication with the components of the operating environment 100 of FIG. 1. In some embodiments, the communication unit 126 includes a wireless transceiver for exchanging data via communication channels using one or more wireless communication methods, including IEEE 802.11, IEEE 802.16, BLUETOOTH®, or another suitable wireless communication method.

In some embodiments, the communication unit 126 includes a cellular communications transceiver for sending and receiving data over a cellular communications network including via SMS, MMS, HTTP, direct data connection, WAP, e-mail, or another suitable type of electronic communication. In some embodiments, the communication unit 126 includes a wired port and a wireless transceiver. The communication unit 126 may also provide other connections to the network 107 for distribution of files and/or media objects using standard network protocols including transmission control protocol/internet protocol (TCP/IP), HTTP, HTTP secure (HTTPS), and simple mail transfer protocol (SMTP), etc.

The enc/dec module 110 may be configured to set up a relational encryption scheme such as the relational encryption scheme defined above or having one or more of the characteristics discussed above. The enc/dec module 110 may then receive the plaintext vectors 142, encrypt the plaintext vectors 142, and communicate the ciphertexts to the authentication sever 140 via the network 107. Additionally, the enc/dec module 110 may be configured to decrypt ciphertext in order to construct one or more of the plaintext vectors 142. In embodiments in which the enc/dec module 110 is configured to perform encryption and/or decryption processes, the enc/dec module 110 may perform the encryption and/or decryption processes using the encryption/decryption algorithms and/or the encryption/decryption keys discussed herein.

In some embodiments in which the enc/dec module 110 is configured to set up the relational encryption scheme, the enc/dec module 110 may be configured to communicate one or more relational secret keys and/or one or more verification algorithms to the relational authentication module 108 of the authentication server 140. In other embodiments, the relational authentication module 108 may locally generate the relational secret keys and/or the verification algorithms and/or may obtain the relational secret keys or the verification algorithms from another source.

The relational authentication module 108 may be configured to receive the ciphertexts, the relational secret keys, the verification algorithms, or some combination thereof from the enc/dec module 110 or another source. The relational authentication module 108 may then discover a linearity relationship between ciphertexts and/or may detect a proximity between the ciphertexts. The relational authentication module 108 may use the relational secret keys and/or the verification algorithms to discover the linearity relationship and to detect the proximity between the ciphertext.

In the operating environment 100 of FIG. 1, the enc/dec module 110 may include a linearity encrypt/decrypt module 112, a proximity encrypt/decrypt module 114, a communication module 116, and a setup module 144. Additionally, the relational authentication module 108 may include a server communication module 134, a linearity authentication module 132, and a proximity authentication module 128. In some embodiments, the setup module 144 or a module configured to perform one or more operations attributed to the setup module 144 may be included in the relational authentication module 108.

The enc/dec module 110, the linearity encrypt/decrypt module 112, the proximity encrypt/decrypt module 114, the communication module 116, the setup module 144, the relational authentication module 108, the server communication module 134, the linearity authentication module 132, and the proximity authentication module 128 may be referred to collectively as the relational modules. One or more of the relational modules may be implemented as software including one or more routines configured to perform one or more operations described herein. The relational modules may include a set of instructions executable by the processors 124 to provide the functionality described herein. In some instances, the relational modules may be stored in or at least temporarily loaded into the memory 122 and may be accessible and executable by one or more of the processors 124. One or more of the relation modules may be adapted for cooperation and communication with one or more of the processors 124 via one or more of the buses 120.

Referring generally to the relational modules, the communication module 116 and/or the server communication module 134 may be configured to handle communications between the enc/dec module 110 or the relational authentication module 108, respectively, and other components of the user device 102 or the authentication server 140 (e.g., 122, 124, and 126). The communication module 116 and/or the server communication module 134 may be configured to send and receive data, via the communication unit 126, to and from the user device 102 or the authentication server 140. In some instances, the communication module 116 and/or the server communication module 134 may cooperate with the other relational modules to receive and/or forward, via the communication unit 126, data from the user device 102 or the authentication server 140.

The linearity encrypt/decrypt module 112 may be configured to perform one or more operations associated with encrypting the plaintext vectors 142 to construct linearity ciphertexts and/or associated with decrypting linearity ciphertexts. The linearity authentication module 132 may be configured to perform one or more operations associated with the linearity ciphertexts. For example, the linearity authentication module 132 may be configured to discover a linearity relationship between two or more of the linearity ciphertexts.

The proximity encrypt/decrypt module 114 may be configured to perform one or more operations associated with encrypting the plaintext vectors 142 to construct proximity ciphertext and/or associated with decrypting proximity ciphertext. The proximity authentication module 128 may be configured to perform one or more operations associated with the proximity ciphertext. For example, the proximity authentication module 128 may be configured to detect a proximity between two or more proximity ciphertexts.

The setup module 144 may be configured to generate one or more keys (e.g., public keys, secret keys, relational secret keys) and/or one or more algorithms (e.g., encryption algorithms, decryption algorithms, and verification algorithms). The setup module 144 may then communicate one or more of the keys and algorithms to the relational authentication module 108 via the communication module 116 and the server communication module 134 or to the linearity encrypt/decrypt module 112 and the proximity encrypt/decrypt module 114.

In the following sections, a relational linearity encryption scheme is described followed by a relational proximity encryption scheme. The relational linearity encryption scheme is described with reference to bit vectors then with reference to p-ary vectors. In each of the descriptions, the setup module 144 generates keys, which is described first. Using the keys, one of the linearity encrypt/decrypt module 112 or the proximity encrypt/decrypt module 114 performs an encryption, which is described next. Ciphertexts (e.g., linearity ciphertext or proximity ciphertexts) may then be communicated to one of the linearity authentication module 132 and the proximity authentication module 128 where a linearity relationship is discovered or a proximity is detected. Finally, decryptions of the ciphertexts that may be performed by the linearity encrypt/decrypt module 112 or the proximity encrypt/decrypt module 114 are described.

Relational Linearity Encryption Schemes

In one or more operations included in discovering a linearity relationship between ciphertexts, the setup module 144 may output keys that may be based at least partially on a base-number of elements of the plaintext vectors 142 and/or the ciphertexts. For example, the base-number of the elements may include two (e.g., a binary or bit vector). Accordingly, the plaintext vectors 142 and the ciphertexts may include elements that include either a zero or a one. Alternatively, the base-number of the elements may include three (e.g., tri-ary vectors). Accordingly, the plaintext vectors 142 and the ciphertexts may include elements that include a zero, a one, or a two. Generally, the base-number may be represented by a variable “p” (e.g., a p-ary vector). The p-ary vectors may include elements that may include a zero, a one . . . a p−2, and a p−1. The relational linearity encryption schemes are slightly different based on whether the plaintext vectors 142 and/or the ciphertexts are bit vectors or p-ary vectors. The relational linearity encryption scheme of bit vectors is discussed first, which is followed by the relational linearity encryption scheme of p-ary vectors.

In the relational linearity encryption scheme of bit vectors and of p-ary vectors, the setup module 144 may be configured to generate keys of the relational linearity encryption scheme. In the depicted embodiment, the setup module 144 may generate a first linearity secret key, a second linearity secret key, a first linearity public key, a second linearity public key, and a linearity relational secret key (collectively, “linearity keys”). The linearity keys may be used to encrypt the plaintext vectors 142 to generate linearity ciphertexts, to decrypt the linearity ciphertexts, and to discover a linearity relationship between the linearity ciphertexts.

For example, the first linearity public key may be used by the linearity encrypt/decrypt module 112 to encrypt the first plaintext vector 142A to generate a first linearity ciphertext. The first linearity ciphertext may be communicated to the authentication server 140 by the communication module 116, where it may be stored as a registration ciphertext 130. The second linearity public key may be used by the linearity encrypt/decrypt module 112 to encrypt the second plaintext vector 142B to generate a second linearity ciphertext. The second linearity ciphertext may be communicated to the authentication server 140 by the communication module 116. The linearity relational secret key may be used at the authentication server 140, in particular by the linearity authentication module 132, to discover a linearity relationship between the second linearity ciphertext and the first linearity ciphertext, which is stored as the registration ciphertext 130.

The first and second linearity secret keys may be used by the linearity encrypt/decrypt module 112 to decrypt one or more of the linearity ciphertexts. For example, a first linearity ciphertext may be decrypted using a first secret key. Additionally, the first and second linearity secret keys may be used by the setup module 144 to generate the relational linearity key. Some additional details of the linearity keys and the above operations are provided below for bit vectors and for p-ary vectors.

Bit Vector Relational Linearity Encryption Scheme

In embodiments in which bit vectors are implemented, the linearity keys may be generated for a security parameter. Generally, the security parameter as used herein may refer to a key length. To generate the keys, the setup module 144 may generate three bilinear groups of a prime order. The prime order may be exponential in the security parameter. The setup module 144 may sample a first generator of a first bilinear group of the three bilinear groups and sample a second generator of a second bilinear group of the three bilinear groups.

The setup module 144 may generate the first linearity secret key by randomly sampling a particular number of elements from a set of integers. The set of integers may include zero to a value of the prime order minus one. The setup module 144 may generate the second linearity secret key by randomly sampling the particular number of elements from the set of integers.

The setup module 144 may define the first linearity public key. The first linearity public key may include an element that is the first generator. The first linearity public key may further include one or more other elements that include the first generator raised to the power of a corresponding element of the first linearity secret key. In some embodiments, the element that is the first generator may be the first element of the first linearity public key, which may not be accounted for in the correspondency between the elements of the first linearity public key and the first linearity secret key. For example, in these and other embodiments, the “sixth” element (e.g., accounting for the first element) of the first linearity public key may include the first generator raised to the power of the fifth element of the first linearity secret key. Throughout this application, a similar convention may be implemented for correspondency between elements.

The setup module 144 may define the second linearity public key. The second linearity public key may include an element that is the second generator. The second linearity public key may further include one or more other elements that may include the second generator raised to the power of a corresponding element of the second linearity secret key. In some embodiments, the element that is the second generator may be the first element of the second linearity public key, which may not be accounted for in the correspondency between the elements of the second linearity public key and the second linearity secret key.

The setup module 144 may define the linearity relational secret key. Each element of the linearity relational secret key may include a sum of the corresponding element of the second linearity secret key and the corresponding element of the first linearity secret key. For example, a fifth element of the linearity relational secret key may include a sum of a fifth element of the first linearity secret key and a fifth element of the second linearity secret key.

In some embodiments, generation of the linearity keys may be according to example linearity bit vector key expressions:

$\begin{matrix} Given λ, generate G_{1}, G_{2}, G_{T} of q \\ g_{0} \leftarrow G_{1} \\ h_{0} \leftarrow G_{2} \\ pkxlin := g_{0}, {〈 g_{i} 〉}_{i = 1}^{n}; where (g_{i} = g_{0}^{a_{i}}) \\ pkylin := h_{0}, {〈 h_{i} 〉}_{i = 1}^{n}; where (h_{i} = h_{0}^{b_{i}}) \\ skxlin : {〈 a_{i} 〉}_{i = 1}^{n} = random_\in Z_{q} \\ skylin : {〈 b_{i} 〉}_{i = 1}^{n} = random_\in Z_{q} \\ skRlin := \sum_{i = 1}^{n} a_{i} b_{i} \\ g_{i} = g_{0}^{a_{i}} \\ h_{i} = h_{0}^{b_{i}} \end{matrix}$

In the linearity bit vector key expressions, ← and λ are generally as described above. In addition, in the linearity bit vector key expressions, pkxlin represents a first linearity public key, skxlin represents a first linearity secret key, pkylin represents a second linearity public key, skylin represents a second linearity secret key, and skRlin represents a relational linearity key. Additionally, the parameters pkxlin, skxlin, pkylin, skylin, and skRlin may represent at least a linearity portion of the output of the key generation algorithm (KeyGen) discussed above.

The parameter G₁represents a first bilinear group. The parameter G₂represents a second bilinear group. The parameter G_Trepresents a third bilinear group. The parameter q represents a prime order. The parameter g₀represents a first generator and an element of the first linearity public key. The parameter h₀represents a second generator and an element of the second linearity public key. The parameter g_irepresents other elements of the first linearity public key. The parameter h_irepresents other elements of the second linearity public key. The parameter n represents a particular number (e.g., the particular number of elements). The parameter i represents an indexing variable. In the linearity bit vector key expressions, the indexing variable includes the range from one to the particular number. The parameter Z_qrepresents a set of integers including zero up to one less than the prime order. The parameter a_irepresents an element of the first linearity secret key. The element of the first linearity secret key may be the random value of the set of integers. The parameter b_irepresents an element of the second linearity secret key. The element of the second linearity secret key may be the random value of the set of integers. The operator represents a shorthand notation. For example, b_t=1ⁿrepresents b₁, b₂, . . . b_n.

The linearity encrypt/decrypt module 112 may encrypt the plaintext vectors 142. The linearity encrypt/decrypt module 112 may receive the plaintext vectors 142. Additionally or alternatively, the communication module 116 may receive the plaintext vectors 142 and communicate the plaintext vectors 142 to the linearity encrypt/decrypt module 112.

The plaintext vectors 142 may include a member of a first field. The first field may include elements of zero and one and a dimension of the particular number. The elements of a field may be determined by the base-number of the elements. For instance, in bit vectors the first field may include elements of zero and one, while in p-ary vectors, a field may include elements of zero, one . . . p−1.

The linearity encrypt/decrypt module 112 may sample a random number from the set of integers. The linearity encrypt/decrypt module 112 may then construct the first linearity ciphertext and the second linearity ciphertext. The first linearity ciphertext may include a first element that is the first generator raised to the power of the random number. The first linearity ciphertext may further include one or more elements that include a corresponding element of the first linearity public key raised to a linearity encryption power. The linearity encryption power for the first linearity ciphertext may include the random number multiplied by negative one raised to the power of a corresponding element of the first plaintext vector 142A. In some embodiments, the first element of the first linearity ciphertext may not be accounted for in the correspondencies.

The second linearity ciphertext may include a first element that is the second generator raised to the power of the random number. The second linearity ciphertext may further include one or more elements that include a corresponding element of the second linearity public key raised to the linearity encryption power. The linearity encryption power for the second linearity ciphertext may include the random number multiplied by negative one raised to the power of a corresponding element of the second plaintext vector 142B. In some embodiments, the first element of the second linearity ciphertext may not be accounted for in the correspondencies.

In some embodiments, the linearity encrypt/decrypt module 112 may encrypt the plaintext vectors 142 according to example linearity bit vector encryption expressions:

m1=m1_i_i=1ⁿεF₂ⁿ

m2=m2_i_i=1ⁿεF₂ⁿ

$m 1 = {〈 m 1_{i} 〉}_{i = 1}^{n} \in F_{2}^{n}$ $m 2 = {〈 m 2_{i} 〉}_{i = 1}^{n} \in F_{2}^{n}$ $cx := g_{0}^{r}, {〈 g_{i}^{{(- 1)}^{m 1_{i}} r} 〉}_{i = 1}^{n}$ $cy := h_{0}^{r}, {〈 h_{i}^{{(- 1)}^{m 2_{i}} r} 〉}_{i = 1}^{n}$

In the linearity bit vector encryption expressions, , cx, cy, g₀, h₀, g_i, h_i, i, and n are as described above. In addition, in the linearity bit vector encryption expressions, the parameter cx represents a first linearity ciphertext and the parameter cy represents a second linearity ciphertext. The parameter m1 represents the first plaintext vector 142A. The parameter m1_irepresents an element of the first plaintext vector 142A. The parameter m2 represents the second plaintext vector 142B. The parameter m2_irepresents an element of the second plaintext vector 142B. The parameter F represents a first field. The subscript 2 next to the field represents the base-number of the first field. The superscript n next to the first field represents the dimension of the first field.

The linearity bit vector encryption expressions may define the first encryption algorithm (EncX) and the second encryption algorithm (EncY) discussed above. For example, the first encryption algorithm may be defined as: given the first plaintext vector 142A and the first linearity public key, the first encryption algorithm samples the random number and constructs the first linearity ciphertext as

$cx = g_{0}^{r}, {〈 g_{i}^{{(- 1)}^{m 1_{i}} r} 〉}_{i = 1}^{n} .$

Likewise, the second encryption algorithm may be defined as: given the first plaintext vector 142A and the second linearity public key, the second encryption algorithm samples the random number and constructs the second linearity ciphertext as

$cy = h_{0}^{r}, {〈 h_{i}^{{(- 1)}^{m 2_{i}} r} 〉}_{i = 1}^{n} .$

The first linearity ciphertext and the second linearity ciphertext may be communicated to the linearity authentication module 132. Additionally or alternatively, the first linearity ciphertext and the second linearity ciphertext may be communicated to the authentication server via the network 107. The server communication module 134 may receive the first linearity ciphertext and the second linearity ciphertext and communicate the first linearity ciphertext and the second linearity ciphertext to the linearity authentication module 132.

In some embodiments, the first linearity ciphertext may be communicated to the linearity authentication module 132 prior to communication of the second linearity ciphertext. The linearity authentication module 132 may store the first linearity ciphertext in the memory 122B as the registration ciphertext 130. After communicating the first linearity ciphertext, the second linearity ciphertext may be communicated to the linearity authentication module 132. Additionally, the setup module 144 may communicate the relational linearity key to the linearity authentication module 132.

In some embodiments in which relational encryption are used for authentication the first linearity ciphertext may be stored as the registration ciphertext 130. The registration ciphertext 130 may be used as a basis of comparison against the second linearity ciphertext or any other subsequent linearity ciphertext. In other embodiments implementing relational encryption, the first linearity ciphertext may not be stored as the registration ciphertext 130. For example, the first linearity ciphertext and the second linearity ciphertext may analyze without storing them or may both be stored.

The linearity authentication module 132 may be configured to discover a linearity relationship between the first linearity ciphertext and the second linearity ciphertext. To discover the linearity relationship, the linearity authentication module 132 may define a particular vector. The particular vector may be a member of the first field. An authentication problem determined by the linearity authentication module 132 may be to decide if the particular vector is the sum of the first plaintext vector 142A and the second plaintext vector 142B.

The linearity authentication module 132 may calculate a first value as a pairing function of the first element (e.g., the first generator raised to the power of the random number) of the first linearity ciphertext and the first element (e.g., the second generator raised to the power of the random number) of the second linearity ciphertext raised to the power of the linearity relational secret key.

The linearity authentication module 132 may also calculate a second value as a product of the pairing function of each element of the first linearity ciphertext and a corresponding element in the second linearity ciphertext of the second linearity ciphertext raised to the power of negative one raised to the power of a corresponding element of the particular vector.

The linearity authentication module 132 may determine whether the first value is equal to the second value. In response to the first value being equal to the second value, the linearity authentication module 132 may conclude that the first linearity ciphertext is linearly related to the second linearity ciphertext and the defined vector.

In some embodiments, the linearity authentication module 132 discovers the linearity relationship between the first linearity ciphertext and the second linearity ciphertext according to example linearity bit vector verification expressions:

$z = {〈 z_{i} 〉}_{i = 1}^{n} \in F_{2}^{n}$ ${cx}_{0} := g_{0}^{r}$ ${cx}_{i} := {〈 g_{i}^{(- 1) m 1_{i_{r}}} 〉}_{i = 1}^{n}$ $cx := {cx}_{0}, {〈 {cx}_{i} 〉}_{i = 1}^{n}$ ${cy}_{0} := h_{0}^{r}$ ${cy}_{i} := {〈 h_{i}^{(- 1) m 1_{i_{r}}} 〉}_{i = 1}^{n}$ $cy := {cy}_{0}, {〈 {cy}_{i} 〉}_{i = 1}^{n}$ ${e ({cx}_{0}, {cy}_{0})}^{skR} \overset{?}{=} \prod_{i = 1}^{n} {e ({cx}_{i}, {cy}_{i})}^{{(- 1)}^{z_{i}}}$

In the linearity bit vector verification expressions, , cx, cy, g₀, h₀, g_i, h_i, n, F, skR, and r are as described above. The parameter cx₀represents a first element of the first linearity ciphertext. The parameter cy₀represents a first element of the second linearity ciphertext. The parameter cx_irepresents other elements of the first linearity ciphertext. The parameter cy represents other elements of the second linearity ciphertext. The parameter z represents the particular vector. The parameter z_irepresents an element of the particular vector. The operator e represents a pairing function. The pairing function may be related to the bilinear groups. The operator Π represents a product operator. The linearity bit vector verification expressions may define the verification algorithm (Verify) discussed above. For example, the verification algorithm may be defined as checking the equality

${e ({cx}_{0}, {cy}_{0})}^{skR} \overset{?}{=} \prod_{i = 1}^{n} {e ({cx}_{i}, {cy}_{i})}^{{(- 1)}^{z_{i}}}$

given the ciphertexts, the particular vector, and the relational linearity key.

Additionally, in some embodiments, the linearity encrypt/decrypt module 112 may decrypt the first and/or second linearity ciphertexts. The linearity encrypt/decrypt module 112 may determine each element of a resulting plaintext vector 142 based on values of the linearity ciphertext. For example, a value may be determined for each element of a first plaintext vector (e.g., the first plaintext vector 142A) that is constructed by decrypting the first linearity ciphertext.

For each element, the linearity encrypt/decrypt module 112 may determine whether: (1) a corresponding element in the first linearity ciphertext is equal to the first element of the first linearity ciphertext raised to a corresponding element of the first linearity secret key; (2) the corresponding element in the first linearity ciphertext is equal to the first element of the first linearity ciphertext raised to negative one multiplied by the corresponding element of the first linearity secret key; or (3) the corresponding element in the first linearity ciphertext is equal to another value.

In response to the corresponding element in the first linearity ciphertext being equal to the first element of the first linearity ciphertext raised to the corresponding element of the first linearity secret key (e.g., (1) from the immediately preceding paragraph), the linearity encrypt/decrypt module 112 may set the element of the first plaintext vector 142A to zero. In response to the corresponding element in the first linearity ciphertext being equal to the first element of the first linearity ciphertext raised to negative one multiplied by the corresponding element of the first linearity secret key (e.g., (2) from the immediately preceding paragraph), the linearity encrypt/decrypt module 112 may set the element of the first plaintext vector 142A to one. In response to the corresponding element in the first linearity ciphertext being equal to another value (e.g., (3) from the immediately preceding paragraph), the linearity encrypt/decrypt module 112 may return an error. The second linearity ciphertext may be similarly decrypted using the second linearity secret key and the second linearity ciphertext.

In some embodiments, the linearity encrypt/decrypt module 112 may decrypt the linearity ciphertexts according to example linearity bit vector decryption expressions:

$m 1_{i} := {\begin{matrix} 0, & if {cx}_{i} = {cx}_{0}^{a_{i}} \\ 1, & if {cx}_{i} = {cx}_{0}^{- a_{i}} \\ ⊥, & else \end{matrix}}$ $m 2_{i} := {\begin{matrix} 0, & if {cy}_{i} = {cy}_{0}^{b_{i}} \\ 1, & if {cy}_{i} = {cy}_{0}^{- b_{i}} \\ ⊥, & else \end{matrix}}$

In the linearity bit vector decryption expressions, cx_i, cy_i, cx₀, cy₀, b_i, m1_i, and m2_iare as above. The parameter ⊥ represents an error.

The linearity bit vector decryption expressions may define the first decryption algorithm (DecX) and the second decryption algorithm (DecY) discussed above. For example, the first decryption algorithm may be defined as: given the first linearity ciphertext and the first linearity secret key, the first decryption algorithm may construct the first plaintext vector 142 bit by bit according to an expression:

$m 1_{i} := {\begin{matrix} 0, & if {cx}_{i} = {cx}_{0}^{a_{i}} \\ 1, & if {cx}_{i} = {cx}_{0}^{- a_{i}} \\ ⊥, & else \end{matrix}}$

Likewise, the second decryption algorithm may be defined as: given the second linearity ciphertext and the second linearity secret key, the second decryption algorithm may construct the second plaintext vector 142B bit by bit according to an expression:

$m 2_{i} := {\begin{matrix} 0, & if {cy}_{i} = {cy}_{0}^{b_{i}} \\ 1, & if {cy}_{i} = {cy}_{0}^{- b_{i}} \\ ⊥, & else \end{matrix}}$

P-Ary Vector Relational Linearity Encryption Scheme

In embodiments in which p-ary vectors are implemented (e.g., the plaintext vectors 142 and/or the ciphertexts are p-ary vectors), the linearity keys may be generated for a security parameter. To generate the keys, the setup module 144 may generate three bilinear groups of a prime order. The prime order may be exponential in the security parameter and equal to one modulo the base-number (p). Accordingly, in these embodiments, a subgroup may exist in the set of integers with zero omitted. The subgroup may have the order of the base-number. The setup module 144 may select an arbitrary generator of the subgroup.

The setup module 144 may sample the first generator and the second generator. The first generator may be sampled from the first bilinear group and the second generator may be sampled from the second bilinear group. The first linearity secret key and the second linearity secret key may be generated as described above with reference to embodiments implementing bit vectors.

The setup module 144 may define the first linearity public key, which may include an element that is the first generator. The first linearity public key may further include one or more other elements that include the first generator raised to the power of a corresponding element of the first linearity secret key. Additionally, an element of the first linearity public key may include the arbitrary generator. In some embodiments, the first element of the first linearity public key may be the arbitrary generator and the second element of the first linearity public key may be the first generator. The first and second elements of the second linearity public key may not be accounted for in the correspondencies.

The setup module 144 may define the second linearity public key. The second linearity public key may include an element that is the second generator. The second linearity public key may further include one or more other elements that may include the second generator raised to the power of a corresponding element of the second linearity secret key. Additionally, an element of the second linearity public key may include the arbitrary generator. In some embodiments, the first element of the second linearity public key may be the arbitrary generator and the second element of the second linearity public key may be the second generator. The first and second elements of the second linearity public key may not be accounted for in the correspondencies.

The setup module 144 may define the linearity relational secret key. Each element of the linearity relational secret key may include a sum of the corresponding element of the second linearity secret key and the corresponding element of the first linearity secret key.

In some embodiments, generation of the linearity keys may be according to example linearity p-ary vector key expressions:

$Given : λ, generate G_{1}, G_{2}, G_{T}, of q exponential in the$ $λ and equal to 1 (\mod p)$ $J_{p} \subseteq Z_{q}^{*}$ $ϖ \leftarrow J_{p}$ $g_{0} \leftarrow G_{1}$ $h_{0} \leftarrow G_{2}$ $pkxlin := ϖ, g_{0}, {〈 g_{i} 〉}_{i = 1}^{n}; where (g_{i} = g_{0}^{a_{ι}})$ $pkylin := ϖ, h_{0}, {〈 h_{i} 〉}_{i = 1}^{n}; where (h_{i} = h_{0}^{b_{ι}})$ $skxlin := {〈 a_{i} 〉}_{i = 1}^{n} = random_\in Z_{q}$ $skylin := {〈 b_{i} 〉}_{i = 1}^{n} = random_\in Z_{q}$ $skRlin := \sum_{i = 1}^{n} a_{i} b_{i}$ $g_{i} = g_{0}^{a_{ι}}$ $h_{i} = h_{0}^{b_{ι}}$

In the linearity p-ary vector key expressions, , g₀, h₀, g_i, h_i, a_i, b_i, i, n, Z, F, skR, r, G₁, G₂, G_T, q, pkxlin skxlin pkylin skylin skRlin, ←, and λ are generally as described above. The parameters pkxlin, skxlin pkylin skylin, and skRlin may represent at least a linearity portion output of the key generation algorithm discussed above.

The parameter p represents the base-number. The parameter J_prepresents a subgroup of order p. The parameter ω represents an arbitrary generator. The operator mod represents the modulo function. The “*” next to Z represents that zero is omitted from the set of integers.

The linearity encrypt/decrypt module 112 may receive the plaintext vectors 142. Additionally or alternatively, the communication module 116 may receive the plaintext vectors 142 and may communicate the plaintext vectors 142 to the linearity encrypt/decrypt module 112. The plaintext vectors 142 may include a member of a second field. The second field may include elements having a value of zero up to a value of the base-number minus one (e.g., 0, 1, . . . p−1).

The linearity encrypt/decrypt module 112 may sample a random number from the set of integers. The linearity encrypt/decrypt module 112 may then construct the first linearity ciphertext and the second linearity ciphertext. The first linearity ciphertext may include a first element that is the first generator raised to the power of the random number. Additionally, the first linearity ciphertext may include one or more other elements including a corresponding element of the first linearity public key raised to a linearity encryption power. The linearity encryption power for the first linearity ciphertext may include the random number multiplied by the arbitrary generator raised to the power of a corresponding element of the first plaintext vector 142A. In some embodiments, the first element of the first linearity ciphertext may not be accounted for in the correspondencies.

The second linearity ciphertext may include a first element that is the second generator raised to the power of the random number. Additionally, the second linearity ciphertext may include one or more other elements including a corresponding element of the second linearity public key raised to a linearity encryption power. The linearity encryption power for the second linearity ciphertext may include the random number multiplied by the arbitrary generator raised to the power of a corresponding element of the second plaintext vector 142B. In some embodiments, the first element of the second linearity ciphertext may not be accounted for in the correspondencies.

In some embodiments, the linearity encrypt/decrypt module 112 may encrypt the plaintext vectors 142 according to example linearity p-ary vector encryption expressions:

$m 1 = {〈 m 1_{i} 〉}_{i = 1}^{n} \in F_{2}^{n}$ $m 2 = {〈 m 2_{i} 〉}_{i = 1}^{n} \in F_{2}^{n}$ $cx := g_{0}^{r}, {〈 g_{i}^{{(- 1)}^{m 1_{i}} r} 〉}_{i = 1}^{n}$ $cy := h_{0}^{r}, {〈 h_{i}^{{(- 1)}^{m 2_{i}} r} 〉}_{i = 1}^{n}$

In the linearity p-ary vector encryption expressions, , m1, m1_i, m2, m2_i, cx, cy, g₀, h₀, g_i, h_i, i, and n are as described above. The parameter F represents a second field. The subscript p next to the second field represents the base-number of the second field. The superscript n next to the second field represents the dimension of the second field. The dimension of the second field may be the particular number.

The linearity p-ary vector encryption expressions may define the first encryption algorithm (EncX) and the second encryption algorithm (EncY) discussed above. For example, the first encryption algorithm may be defined as: given the first plaintext vector 142A and the first linearity public key, the first encryption algorithm samples the random number and constructs the first linearity ciphertext as cx=g₀^r,

$cx = g_{0}^{r}, {〈 g_{i}^{{(- 1)}^{m 1_{i}} r} 〉}_{i = 1}^{n} .$

_i=1ⁿ. Likewise, the second encryption algorithm may be defined as: given the first plaintext vector 142A and the second linearity public key, the second encryption algorithm samples the random number and constructs the second linearity ciphertext as cy=h₀^r,

$cy = h_{0}^{r}, {〈 h_{i}^{{(- 1)}^{m 2_{i}} r} 〉}_{i = 1}^{n} .$

_i=1ⁿ.

The first linearity ciphertext and the second linearity ciphertext may be communicated to the linearity authentication module 132. Additionally or alternatively, the first linearity ciphertext and the second linearity ciphertext may be communicated to the authentication server via the network 107. The server communication module 134 may receive the first linearity ciphertext and the second linearity ciphertext and communicate the first linearity ciphertext and the second linearity ciphertext to the linearity authentication module 132.

To discover the linearity relationship, the linearity authentication module 132 may define a particular vector. The particular vector may be a member of a second field. The particular vector may be defined as a sum of the first plaintext vector 142A and the second plaintext vector 142B. The linearity authentication module 132 may calculate a first value as a pairing function of the first element (e.g., the first generator raised to the power of the random number) of the first linearity ciphertext and the first element (e.g., the second generator raised to the power of the random number) of the second linearity ciphertext raised to the power of the linearity relational secret key.

The linearity authentication module 132 may also calculate a second value as a product of the pairing function of each element of the first linearity ciphertext and a corresponding element of the second linearity ciphertext raised to the power of the arbitrary generator raised to the power of a product of negative one and a corresponding element of the particular vector.

The linearity authentication module 132 may determine whether the first value is equal to the second value. In response to the first value being equal to the second value, the linearity authentication module 132 may conclude that the first linearity ciphertext is linear to the second linearity ciphertext.

In some embodiments, the linearity authentication module 132 discovers the linearity relationship between the first linearity ciphertext and the second linearity ciphertext according to example linearity p-ary vector verification expressions:

$z = {〈 z_{i} 〉}_{i = 1}^{n} \in F_{p}^{n}$ ${cx}_{0} := g_{0}^{r}$ ${cx}_{i} := {〈 g_{i}^{(- 1) m 1_{i_{r}}} 〉}_{i = 1}^{n}$ $cx := {cx}_{0}, {〈 {cx}_{i} 〉}_{i = 1}^{n}$ ${cy}_{0} := h_{0}^{r}$ ${cy}_{i} := {〈 h_{i}^{(- 1) m 1_{i_{r}}} 〉}_{i = 1}^{n}$ $cy := {cy}_{0}, {〈 {cy}_{i} 〉}_{i = 1}^{n}$ ${e ({cx}_{0}, {cy}_{0})}^{skR} \overset{?}{=} \prod_{i = 1}^{n} {e ({cx}_{i}, {cy}_{i})}^{ϖ^{z_{i}}}$

In the linearity p-ary vector verification expressions the parameters and operators are as described above.

The linearity p-ary vector verification expressions may define the verification algorithm (Verify) discussed above. For example, the verification algorithm may be defined as checking the equality

${e ({cx}_{0}, {cy}_{0})}^{skR} \overset{?}{=} \prod_{i = 1}^{n} {e ({cx}_{i}, {cy}_{i})}^{ϖ^{z_{i}}}$

given the ciphertexts, the particular vector, and the relational linearity key.

Additionally, in some embodiments, the linearity encrypt/decrypt module 112 may decrypt the first and/or second linearity ciphertexts. The linearity encrypt/decrypt module 112 may determine each element of a resulting plaintext vector 142 based on values of the linearity ciphertext. For example, a value may be determined for each element of a first plaintext vector (e.g., the first plaintext vector 142A) that is constructed by decrypting the first linearity ciphertext.

To decrypt the ciphertext, a particular element value may be determined. The particular element value may be bounded by a polynomial in the security parameter. Additionally, the particular element value may be a member of a field having elements including the base-number. For each element of the first plaintext vector 142A, the linearity encrypt/decrypt module 112 may determine whether there exists a particular element value such that a corresponding element in the first linearity ciphertext is equal to the first element of the first linearity ciphertext raised to a product of the arbitrary generator raised to the particular element value and corresponding element of the first linearity secret key.

In response to a particular element value existing such that the corresponding element in the first linearity ciphertext is equal to the first element of the first linearity ciphertext raised to the product of the arbitrary generator raised to the particular element value and corresponding element of the first linearity secret key, the linearity encrypt/decrypt module 112 may set the element to the particular element value.

In response to no such particular element value existing, the linearity encrypt/decrypt module 112 may output an error. The second linearity ciphertext may be similarly decrypted using the second linearity secret key and the second linearity ciphertext.

In some embodiments, the linearity encrypt/decrypt module 112 may decrypt the linearity ciphertexts according to the linearity p-ary vector decryption expressions:

$m 1_{i} := {\begin{matrix} μ, & if {cx}_{i} = {cx}_{0}^{ϖ^{μ_{a_{i}}}} for some μ \in F_{p} \\ ⊥, & if no such μ exists \end{matrix}}$ $m 2_{i} := {\begin{matrix} μ, & if {cy}_{i} = {cy}_{0}^{ϖ^{μ_{b_{i}}}} for some μ \in F_{p} \\ ⊥, & if no such μ exists \end{matrix}}$

In the linearity p-ary vector decryption expressions, cx_i, cy_i, cx₀, cy₀, a_i, b_i, m1_i, and m2_iare as above. The parameter ⊥ represents an error. The parameter μ represents the particular element value.

The linearity p-ary vector decryption expressions may define the first decryption algorithm (DecX) and the second decryption algorithm (DecY) discussed above. For example, the first decryption algorithm may be defined as: given the first linearity ciphertext and the first linearity secret key, the first decryption algorithm may construct the first plaintext vector 142A bit by bit according to an expression:

$m 1_{i} := {\begin{matrix} μ, & if {cx}_{i} = {cx}_{0}^{ϖ^{μ_{a_{i}}}} for some μ \in F_{p} \\ ⊥, & if no such μ exists \end{matrix}}$

Likewise, the second decryption algorithm may be defined as: given the second linearity ciphertext and the second linearity secret key, the second decryption algorithm may construct the second plaintext vector 142B bit by bit according to an expression:

$m 2_{i} := {\begin{matrix} μ, & if {cy}_{i} = {cy}_{0}^{ϖ^{μ_{b_{i}}}} for some μ \in F_{p} \\ ⊥, & if no such μ exists \end{matrix}}$

Relational Proximity Encryption Scheme

A relational proximity encryption scheme may be used to determine a closeness between proximity ciphertexts. In some embodiments, the proximity may be provided in terms of a Hamming distance. In the relational proximity encryption scheme, the setup module 144 generates keys. Using the keys the proximity encrypt/decrypt module 114 performs an encryption and/or a decryption of the plaintext vectors 142. Proximity ciphertexts may then be communicated to the proximity authentication module 128 where a proximity between the proximity ciphertexts may be detected.

For example, the setup module 144 may generate an output of a chosen-plaintext attack (CPA) key generation algorithm and a linearity key generation algorithm. For example, the setup module 144 may run the linearity keys as described elsewhere herein. The CPA key generation algorithm may output a CPA public key and a CPA secret. The linearity key generation algorithm may output the pkxlin, skxlin, pkylin, skylin, and skRlin discussed above.

Additionally, the setup module 144 may choose an error correcting code (ECC). The ECC may be a linear error correcting code scheme. The ECC may include a length, a rank, and a distance. Additionally, the ECC may also include an ECC encoding operator (ENCODE) and an ECC decoding operator (DECODE). The setup module 144 may then generate a first proximity secret key, a second proximity secret key, a first proximity public key, a second proximity public key, and a proximity relational secret key (collectively, “proximity keys”). The proximity keys are used in the relational encryption to encrypt the plaintext vectors 142 to generate proximity ciphertexts, decrypt the proximity ciphertexts, and to detect a proximity between the proximity ciphertexts.

The first proximity secret key may be defined based on the CPA secret key and the first linearity secret key. The second proximity secret key may be defined based on the CPA secret key and the second linearity secret key. The first proximity public key may be defined based on the ENCODE, the DECODE, the CPA public key, and the first linearity public key. The second proximity public key may be defined based on the ENCODE, the DECODE, the CPA public key, and the second linearity public key. The proximity relational secret key may be defined based on the CPA secret key and the linearity relational secret key.

In some embodiments, the setup module 144 may generate the proximity keys according to example proximity key generation expressions:

(pkCPA,skCPA)←KeyGenCPA

(pkxlin,pkylin,skxlin,skylin,skRlin)←KeyGenLinear

pkxprox:=(ENCODE,DECODE,pkcpa,pkxlin,X)

pkyprox:=(ENCODE,DECODE,pkcpa,pkylin,X)

skxprox:=(skCPA,skxlin)

skyprox:=(skCPA,skylin)

skRprox:=(skCPA,skRlin)

XεZ₂^m/4×n

In the proximity key generation expressions, pkxlin, pkylin, skxlin, skylin, skRlin, ←, Z, m, and n are as above. The parameter pkCPA represents a CPA public key. The parameter pkCPA represents a CPA secret key. The parameter KeyGenCPA represents a CPA key generation algorithm. The parameter pkxprox represents a first proximity public key. The parameter pkyprox represents a second proximity public key. The parameter skxprox represents a first proximity secret key. The parameter skyprox represents a second proximity secret key. The parameter skRprox represents a proximity relational secret key. Additionally, the parameters pkxprox, skxprox, pkyprox, skyprox, and skRprox may represent at least a proximity portion of the output of the key generation algorithm (KeyGen) discussed above. The parameter X represents a linear extractor. While a specific iteration is described above, any linear extractor may be used.

The first proximity public key may be used by the proximity encrypt/decrypt module 114 to encrypt the first plaintext vector 142A to generate a first proximity ciphertext. The proximity encrypt/decrypt module 114 may receive the plaintext vectors 142. Additionally or alternatively, the communication module 116 may receive the plaintext vectors 142 and communicate the plaintext vectors 142 to the proximity encrypt/decrypt module 114. The plaintext vectors 142 may include a member of the first or second fields.

The proximity encrypt/decrypt module 114 may sample a proximity random number from a third field. The third field may include a base-number and a dimension that may be the rank of the ECC. The proximity encrypt/decrypt module 114 may then construct the first proximity ciphertext and the second proximity ciphertext. Each of the first proximity ciphertext and the second proximity ciphertext may include two parts. The first part of the first proximity ciphertext may include a CPA encryption algorithm receiving as inputs the CPA public key and a sum of the first plaintext vector 142A and ENCODE receiving the proximity random number as an input. The second part of the first proximity ciphertext may include the first linearity encryption algorithm that receives the first linearity public key and the proximity random number.

The first part of the second proximity ciphertext may include a CPA encryption algorithm receiving as inputs the CPA public key and a sum of the second plaintext vector 142B and ENCODE receiving the proximity random number as an input. The second part of the second proximity ciphertext may include the second linearity encryption algorithm that receives as inputs the second linearity public key and the proximity random number.

In some embodiments, the proximity ciphertexts may be generated according to example proximity encryption expressions:

cxp1:=EncCPA(pkcpa,m1+ENCODE(r))

cxp2:=EncXLinear(pkxlin,X·r)

cxp:=(cxp1,cxp2)

cyp1:=EncCPA(pkcpa,m2+ENCODE(r))

cyp2:=EncYLinear(pkylin,X·r)

cyp:=(cyp1,cyp2)

In the proximity encryption expression, ENCODE, m1, m2, pkcpa, pkxlin, and pkylin are as described above. The EncCPA represents the CPA encryption algorithm. The parameter cxp1 represents a first part of a first proximity ciphertext. The parameter cxp2 represents a second part of the first proximity ciphertext. The parameter cxp represents the first proximity ciphertext. The parameter cyp1 represents a first part of a second proximity ciphertext. The parameter cyp2 represents a second part of the second proximity ciphertext. The parameter cyp represents the second proximity ciphertext. The parameter EncXLinear represents a first linearity encryption algorithm. The parameter EncYLinear represents a second linearity encryption algorithm.

The first proximity ciphertext may be communicated to the authentication server 140 by the communication module 116, where it may be stored as the registration ciphertext 130. The second proximity public key may be used by the proximity encrypt/decrypt module 114 to encrypt the second plaintext vector 142B to generate a second proximity ciphertext. The second proximity ciphertext may be communicated to the authentication server 140 by the communication module 116. The proximity relational secret key may be used at the authentication server 140, in particular by the proximity authentication module 128, to detect the proximity between the second proximity ciphertext and the first proximity ciphertext, which is stored as the registration ciphertext 130.

The proximity authentication module 128 may be configured to detect proximity between the first proximity ciphertext and the second proximity ciphertext. To detect the proximity, the proximity authentication module 128 may access the DECODE, which may be available in public key information. The proximity authentication module 128 may also recover a randomness sum for the first proximity ciphertext. The randomness sum for the first proximity ciphertext may be defined as the DECODE that receives as input a CPA decryption algorithm that further receives as inputs the CPA secret key and a sum of the first part of the first proximity ciphertext and the CPA decryption algorithm that receives as inputs the CPA secret key and the first part of the second proximity ciphertext.

If the DECODE returns an error then the proximity authentication module 128 may return a rejection. Additionally, the proximity authentication module 128 may output the linearity verification algorithm that receives as inputs the linearity relational secret key, the first part of the second proximity ciphertext, the second part of the second proximity ciphertext, and the randomness sum.

Thus, the proximity verification algorithm may be defined to receive the first proximity ciphertext, the second proximity ciphertext, and the proximity secret key. The proximity verification algorithm may recover the randomness sum and output either a rejection or the linearity verification algorithm that receives as inputs the linearity relational secret key, the first part of the second proximity ciphertext, the second part of the second proximity ciphertext, and the randomness sum. For example, the proximity authentication module 128 may perform one more operations according to example proximity verification algorithms:

$Z_{rs} := DECODE (DecCPA (skcpa, cx 1 + DecCPA (skcpa, cy 1)) Output = {\begin{matrix} reject, if DECODE returns ⊥ \\ VerifyLinear (skRlin, cx 2, cy 2, X \cdot Z) \end{matrix}}$

In the proximity verification algorithm, skcpa, cx1, cx2, cy1, cy2, ⊥, skRlin, X, and DECODE are as described above. The parameter Output indicates an output of the proximity authentication module 128. The parameter Z_rsrepresents the randomness sum. The parameter DecCPA represents the CPA decryption algorithm. The VerifyLinear represents the linearity verification algorithm.

The relational proximity encryption scheme described herein may be secure if the following conditions are true:

- ECC is a (n, k, 2δ) linear error correction scheme
- (KeyGenCPA, EncCPA, DecCPA) is a IND-CPA secure encryptionscheme
- (KeyGenLinear, EncXLinear, DecXLinear, EncYLinear, EncYLinear, VerifyLinear) is a relational encyptionscheme for linearity in F₂^k
  In the conditions, KeyGenCPA, EncCPA, DecCPA, KeyGenLinear, EncXLinear, EncXLinear, DecXLinear, EncYLinear, DecYLinear, VerifyLinear, and F are as described above. ECC represents the ECC. The parameter n represents the length, k represents the rank and 2δ represents the distance.

FIG. 2 illustrates a block diagram of a biometric authentication system (biometric system) 200, arranged in accordance with at least one embodiment described herein. The biometric system 200 may be included in or include an example of the operating environment 100 of FIG. 1 in which an authentication service is provided. In the biometric system 200 authentication of a user 206 may be performed by the authentication server 140. In the biometric system 200, the relational encryption discussed with reference to FIG. 1 may be used to authenticate the identity of the user 206.

The authentication service may include a registration process and an authentication process. The registration process may include obtaining information and data from the user 206 that may be used in the authentication process. The authentication process may occur later in time (e.g., subsequent to the registration process). In the authentication process, the identity of the user 206 may be authenticated using one or more of the relational encryption operations discussed with reference to FIG. 1. Generally, the identity of the user 206 may be authenticated by discovering linearity between a first linearity ciphertext and a second linearity ciphertext and detecting the proximity between a first proximity ciphertext and a second proximity ciphertext as described herein. The first linearity ciphertext and the first proximity ciphertext may be provided by the user 206 in the form of a first biometric template. The first biometric template may be included in the first plaintext vector 142A of FIG. 1 and/or the registration input 232 of FIG. 2.

The user 206 and/or an imposter 222 (discussed below) may include an individual that has one or more biometric characteristics. The biometric characteristics may include one or more unique features. For example, the biometric characteristics may include a fingerprint of the user 206 that includes patterns of ridges and/or furrows. The user 206 may be associated with the user device 102 in some embodiments. For example, the user 206 may own or regularly operate the user device 102. In some embodiments, the user 206 may not be specifically associated with the user device 102. For example, the user device 102 may be publicly accessible to multiple users including the user 206. In some embodiments, the imposter 222 may include an entity that supplies input that may represent biometric characteristics.

In some embodiments, the user device 102 may include a sensor 298. The sensor 298 may include a hardware device, for instance, that is configured to measure or otherwise capture a biometric characteristic used to authenticate the user 206. When the biometric characteristic of the user 206 is measured or otherwise captured, the user device 102 may generate the biometric template. The biometric template may be representative of the biometric characteristic and may include at least some of the unique features of the biometric characteristic of the user 206. The biometric template may include a graphical representation and/or algorithmic representation of the biometric characteristic, for example.

Some examples of the sensor 298 may include: a fingerprint scanner; a camera configured to capture an image of an iris; a device configured to measure DNA; a heart rate monitor configured to capture heart rate; a wearable electromyography sensor configured to capture electrical activity produced by skeletal muscles; or any other sensor 298 configured to measure or otherwise capture a biometric characteristic.

In the illustrated biometric system 200, the sensor 298 is included in the user device 102. In other embodiments, the sensor 298 may be communicatively coupled to the user device 102 or a processor included therein. For example, the sensor 298 may be configured to communicate a signal to the user device 102 via a network such as the network 107 of FIG. 1. Although only one sensor 298 is depicted in FIG. 2, in some embodiments the user device 102 may include one or more sensors 298.

The enc/dec module 110 may generate the first linearity ciphertext and the first proximity ciphertext from the registration input 232. The enc/dec module 110 may then communicate the first linearity ciphertext and the first proximity ciphertext as registration data 234 to the authentication server 140.

The relational authentication module 108 may store the first linearity ciphertext and the first proximity ciphertext as the registration ciphertext 130. The registration ciphertext 130 may be associated with the user 206. For example, the user 206 may have associated therewith a user identifier. The registration ciphertext 130 may be stored in the memory 122B in some embodiments.

The enc/dec module 110 may then receive a first challenge input 236A or a second challenge input 236B (generally, challenge input 236). The first challenge input 236A and the second challenge input 236B may be an attempt by the user 206 or the imposter 222 to have their identity authenticated. The first challenge input 236A and/or the second challenge input 236B may include a second biometric template read by the sensor 298, for instance. The second biometric template may be representative of the unique features of the biometric characteristic of the user 206 or the imposter 222.

The enc/dec module 110 may generate the second linearity ciphertext and the second proximity ciphertext from the challenge input 236. The enc/dec module 110 may then communicate the second linearity ciphertext and the second proximity ciphertext as challenge data 238 to the authentication server 140.

The relational authentication module 108 may receive the challenge data 238. The relational authentication module 108 may then retrieve the registration ciphertext 130 for the user 206.

The relational authentication module 108 may determine a linearity relationship between the first linearity ciphertext stored as the registration ciphertext 130 and the second linearity ciphertext received from the user device 102. Additionally, the relational authentication module 108 may determine a proximity relationship between the first proximity ciphertext stored as the registration ciphertext 130 and the second proximity ciphertext received from the user device 102.

In response to the first linearity ciphertext having a linearity relationship with the second linearity ciphertext and there being a particular proximity between the first proximity ciphertext and the second proximity ciphertext, the authentication server 140 may determine that an approximate similarity exists between the first biometric template and the second biometric template.

Thus, if the first challenge input 236A that is provided by the user 206 is the basis of the second linearity ciphertext and the second proximity ciphertext, then there may be a linearity relationship between the first linearity ciphertext and the second linearity ciphertext and there may be a proximity between the first proximity ciphertext and the second proximity ciphertext.

However, if the second challenge input 236B that is provided by the imposter 222 is the basis of the second linearity ciphertext and second proximity ciphertext, then there may not be a linearity relationship between the first linearity ciphertext and the second linearity ciphertext and there may not be a proximity between the first proximity ciphertext and the second proximity ciphertext.

Based on the linear relation and/or the proximity, the relational authentication module 108 may make an authentication decision. For example, the relational authentication module 108 may determine whether the challenge data 238 originates at the user 206 or the imposter 222. The relational authentication module 108 may communicate an authentication signal 242 based on discovery of the linearity relationship and/or detection of the proximity. The enc/dec module 110 may receive the authentication signal 242.

Modifications, additions, or omissions may be made to the biometric system 200 without departing from the scope of the present disclosure. Specifically, embodiments depicted in FIG. 2 include one user 206, one user device 102, and one authentication server 140. However, the present disclosure applies to the biometric system 200 that may include one or more users 206, one or more user devices 102, one or more authentication servers 140, or any combination thereof.

Moreover, the separation of various components in the embodiments described herein is not meant to indicate that the separation occurs in all embodiments. It may be understood with the benefit of this disclosure that the described components may be integrated together in a single component or separated into multiple components. For example, in some embodiments, the enc/dec module 110 and/or one or more functionalities attributed thereto may be performed by a module on the authentication server 140.

The relational authentication module 108 and/or the enc/dec module 110 may include code and routines for biometric authentication. In some embodiments, the relational authentication module 108 and/or the enc/dec module 110 may act in part as a thin-client application that may be stored on the user device 102 or another computing device, and in part as components that may be stored on the authentication server 140, for instance. In some embodiments, the relational authentication module 108 and/or the enc/dec module 110 may be implemented using hardware including a field-programmable gate array (FPGA) or an application-specific integrated circuit (ASIC). In some other instances, the relational authentication module 108 and/or the enc/dec module 110 may be implemented using a combination of hardware and software.

FIG. 3 is a flow diagram of an example method 300 of biometric authentication, arranged in accordance with at least one embodiment described herein. The method 300 may be performed in a biometric authentication system such as may be implemented in the biometric system 200 of FIG. 2 or in the operating environment 100 of FIG. 1. The method 300 may be programmably performed in some embodiments by the authentication server 140 described herein. The authentication server 140 may include or may be communicatively coupled to a non-transitory computer-readable medium (e.g., the memory 122B of FIG. 1) having stored thereon or encoded therein programming code or instructions that are executable by a processor to perform or control performance of the method 300. Additionally or alternatively, the authentication server 140 may include a processor (e.g., the processor 124B of FIG. 1) that is configured to execute computer instructions to perform or control performance of the method 300. Although illustrated as discrete blocks, various blocks may be divided into additional blocks, combined into fewer blocks, or eliminated, depending on the desired implementation.

The method 300 may begin at block 302. At block 302, a first linearity ciphertext may be received. The first linearity ciphertext may represent a first biometric template encrypted using a relational linearity encryption scheme. At block 304, a first proximity ciphertext may be received. The first proximity ciphertext may represent the first biometric template encrypted using a relational proximity encryption scheme.

At block 306, the first linearity ciphertext and the first proximity ciphertext may be stored as a registration ciphertext. At block 308, a linearity relational secret key and a proximity relational secret key may be received. At block 310, a second proximity ciphertext may be received. The second proximity ciphertext may represent a second biometric template encrypted using the relational proximity encryption scheme. At block 312, a second linearity ciphertext may be received. The second linearity ciphertext may represent the second biometric template encrypted using the relational linearity encryption scheme.

At block 314, a linearity relationship between the first linearity ciphertext and the second linearity ciphertext may be discovered using a linearity relational secret key. At block 316, a proximity between the first proximity ciphertext and the second proximity ciphertext may be detected using a proximity relational secret key. The proximity may be determined in terms of a Hamming distance. At block 318, an identity of a user may be authenticated based upon the proximity and the linearity relationship.

For any of the procedures and methods disclosed herein, the functions performed in the processes and methods may be implemented in differing order. Furthermore, the outlined steps and operations are only provided as examples, and some of the steps and operations may be optional, combined into fewer steps and operations, or expanded into additional steps and operations without detracting from the disclosed embodiments.

FIGS. 4A and 4B are a flow diagram of an example method 400 of relational encryption, arranged in accordance with at least one embodiment described herein. The method 400 may be performed in a biometric authentication system such as may be implemented in the biometric system 200 of FIG. 2 or in the operating environment 100 of FIG. 1. The method 400 may be programmably performed in some embodiments by the user device 102 described herein. The user device 102 may include or may be communicatively coupled to a non-transitory computer-readable medium (e.g., the memory 122A of FIG. 1) having stored thereon or encoded therein programming code or instructions that are executable by a processor to perform or control performance of the method 400. Additionally or alternatively, the user device 102 may include a processor (e.g., the processor 124A of FIG. 1) that is configured to execute computer instructions to perform or control performance of the method 400. Although illustrated as discrete blocks, various blocks may be divided into additional blocks, combined into fewer blocks, or eliminated, depending on the desired implementation.

With reference to FIG. 4A, the method 400 may begin at block 402. At block 402, keys of a relational linearity encryption scheme may be generated. The keys of the relational linearity encryption scheme may be generated for a security parameter. At block 403, first non-uniformly distributed data may be randomized to an appropriate level of randomness as a first plaintext vector. The non-uniformly distributed data may be biometric data. The appropriate level of randomness is described in greater detail below. At block 404, the first plaintext vector may be encrypted using the relational linearity encryption scheme. Encrypting the first plaintext vector may generate a first linearity ciphertext representative of the first plaintext vector. At block 406, keys of a relational proximity encryption scheme may be generated. The keys of the relational proximity encryption scheme may be generated for the security parameter. At block 408, the first plaintext vector may be encrypted using the relational proximity encryption scheme. Encrypting the first plaintext vector using the relational proximity encryption scheme may generate a first proximity ciphertext representative of the first plaintext vector. At block 410, the first linearity ciphertext and the first proximity ciphertext may be communicated to an authentication server.

At block 411, second non-uniformly distributed data may be randomized to the appropriate level of randomness as a second plaintext vector. The non-uniformly distributed data may be biometric data. The appropriate level of randomness is described in greater detail below. At block 412, the second plaintext vector may be encrypted using the relational linearity encryption scheme. Encrypting the second plaintext vector may generate a second linearity ciphertext representative of the second plaintext vector. With reference to FIG. 4B, at block 414, the second plaintext vector may be encrypted using the relational proximity encryption scheme. Encrypting the second plaintext vector using the relational proximity encryption scheme may generate a second proximity ciphertext. At block 416, the second linearity ciphertext and the second proximity ciphertext may be communicated to the authentication server. At block 418, the keys of the relational linearity encryption scheme generated at block 402 may be communicated to the authentication server. The keys may include a relational linearity key and a relational proximity key.

At block 420, an authentication signal may be received from the authentication server. The authentication signal may be indicative of a linearity relationship between the first linearity ciphertext and the second linearity ciphertext discovered using the relational linearity key and of a proximity between the first proximity ciphertext and the second proximity ciphertext detected using the relational proximity key. In some embodiments, the first plaintext vector may include a first biometric template received as registration input from a user. Additionally, the second plaintext vector may include a second biometric template received as challenge input. In these and other embodiments, the authentication signal may indicate whether the second biometric template originated at the user.

FIG. 5 is a flow diagram of an example method 500 of discovering a linearity relationship in a relational encryption scheme, arranged in accordance with at least one embodiment described herein. The method 500 may be performed in a biometric authentication system such as may be implemented in the biometric system 200 of FIG. 2 or in the operating environment 100 of FIG. 1. The method 500 may be programmably performed in some embodiments by the authentication server 140 described herein. The authentication server 140 may include or may be communicatively coupled to a non-transitory computer-readable medium (e.g., the memory 122B of FIG. 1) having stored thereon or encoded therein programming code or instructions that are executable by a processor to perform or control performance of the method 500. Additionally or alternatively, the authentication server 140 may include a processor (e.g., the processor 124B of FIG. 1) that is configured to execute computer instructions to perform or control performance of the method 500. Although illustrated as discrete blocks, various blocks may be divided into additional blocks, combined into fewer blocks, or eliminated, depending on the desired implementation.

The method 500 may begin at block 502. At block 502, a particular vector may be defined. The particular vector may include a member of a first field. The first field may include elements of zero and one and a dimension of a particular number that is a length of linearity secret keys. Additionally or alternatively, the particular vector may include a member of a second field. The second field may include elements of zero to one less than a base-number and a dimension of the particular number.

At block 504, a first value may be calculated. The first value may be calculated as a pairing function of a first element of a first linearity ciphertext and a first element of a second linearity ciphertext raised to the power of a linearity relational secret key. At block 506, a second value may be calculated. In some embodiments, the second value may be a product of the pairing function of each element of the first linearity ciphertext and a corresponding element of the second linearity ciphertext raised to the power of negative one raised to the power of a corresponding element of the particular vector. In some embodiments, the second value may be calculated as a product of the pairing function of each element of the first linearity ciphertext and a corresponding element in the second linearity ciphertext raised to the power of an arbitrary generator raised to the power of a product of negative one and a corresponding element of the particular vector. The arbitrary generator may be selected from a subgroup of a set of integers with zero omitted.

At block 508, it may be determined whether the first value is equal to the second value. In response to the first value being equal to the second value (“Yes” at block 508), the method 500 may proceed to block 510. At block 510, it may be concluded that the first linearity ciphertext is linear to the second linearity ciphertext. In response to the first value not equaling the second value (“No” at block 518), the method 500 may proceed to block 512. At block 512, an error may be output, which may indicate that the first linearity ciphertext is not linear to the second linearity ciphertext.

FIG. 6 is a flow diagram of an example method 600 of detecting a proximity, arranged in accordance with at least one embodiment described herein. The method 600 may be performed in a biometric authentication system such as may be implemented in the biometric system 200 of FIG. 2 or in the operating environment 100 of FIG. 1. The method 600 may be programmably performed in some embodiments by the authentication server 140 described herein. The authentication server 140 may include or may be communicatively coupled to a non-transitory computer-readable medium (e.g., the memory 122B of FIG. 1) having stored thereon or encoded therein programming code or instructions that are executable by a processor to perform or control performance of the method 600. Additionally or alternatively, the authentication server 140 may include a processor (e.g., the processor 124B of FIG. 1) that is configured to execute computer instructions to perform or control performance of the method 600. Although illustrated as discrete blocks, various blocks may be divided into additional blocks, combined into fewer blocks, or eliminated, depending on the desired implementation.

The method 600 may begin at block 602. At block 602, a DECODE may be accessed from public key information. At block 604, a randomness sum may be recovered. The randomness sum may be received for a first proximity ciphertext. The randomness sum for the first proximity ciphertext may be defined as the DECODE that receives as input a CPA decryption algorithm that further receives as inputs (a) a CPA secret key and (b) a sum of a first part of the first proximity ciphertext and a CPA decryption algorithm that receives as inputs a CPA secret key and a first part of a second proximity ciphertext.

At block 606, a rejection may be output in response to the DECODE returning an error. At block 608, a linearity verification algorithm may otherwise be output. The linearity verification algorithm may receive as inputs a linearity relational secret key, the first part of the second proximity ciphertext, the second part of the second proximity ciphertext, and the randomness sum.

FIG. 7 is a flow diagram of an example method 700 of key generation of a relational linearity encryption scheme, arranged in accordance with at least one embodiment described herein. The method 700 may be performed in a biometric authentication system such as may be implemented in the biometric system 200 of FIG. 2 or in the operating environment 100 of FIG. 1. The method 700 may be programmably performed in some embodiments by the user device 102 described herein. The user device 102 may include or may be communicatively coupled to a non-transitory computer-readable medium (e.g., the memory 122A of FIG. 1) having stored thereon or encoded therein programming code or instructions that are executable by a processor to perform or control performance of the method 700. Additionally or alternatively, the user device 102 may include a processor (e.g., the processor 124A of FIG. 1) that is configured to execute computer instructions to perform or control performance of the method 700. Although illustrated as discrete blocks, various blocks may be divided into additional blocks, combined into fewer blocks, or eliminated, depending on the desired implementation.

The method 700 may begin at block 702. At block 702, bilinear groups may be generated. In some embodiments, the bilinear groups may be of a prime order. The prime order may be exponential in a security parameter. Additionally or alternatively, the prime order or may be exponential in the security parameter and equal to one module a base-number (p). For example, in embodiments in which a plaintext vector includes bit vectors, the prime order may be exponential in the security parameter. In embodiments in which the plaintext vectors include p-ary vectors, the prime order may be exponential in the security parameter and equal to one module the base-number (p).

At block 704, generators may be sampled. For example, a first generator may be sampled from a first bilinear group and a second generator may be sampled from a second bilinear group. At block 706, linearity secret keys may be generated. For example, a first linearity secret key and a second linearity secret key may be generated by randomly sampling a particular number of elements from a set of integers. The set of integers may include zero to one less than the prime order.

At block 708, linearity public keys may be defined. For example, a first linearity public key may include an element that is the first generator and one or more other elements that are the first generator raised to the power of a corresponding element of the first linearity secret key. In some embodiments, the first linearity public key may further include an arbitrary generator. The arbitrary generator may be selected from a subgroup of the set of integers with zero omitted. Additionally, a second linearity public key may be defined. The second linearity public key may include an element that is the second generator and one or more other elements that are the second generator raised to the power of a corresponding element of the second linearity secret key. In some embodiments, the second linearity public key may further include an element that is the arbitrary generator.

At block 710, a linearity relational secret key may be defined. Each element of the linearity relational secret key may include a sum of a corresponding element of the second linearity secret key and a corresponding element of the first linearity secret key.

FIG. 8 is a flow diagram of an example method 800 of encrypting a first plaintext vector using a relational linearity encryption scheme, arranged in accordance with at least one embodiment described herein. The method 800 may be performed in a biometric authentication system such as may be implemented in the biometric system 200 of FIG. 2 or in the operating environment 100 of FIG. 1. The method 800 may be programmably performed in some embodiments by the user device 102 described herein. The user device 102 may include or may be communicatively coupled to a non-transitory computer-readable medium (e.g., the memory 122A of FIG. 1) having stored thereon or encoded therein programming code or instructions that are executable by a processor to perform or control performance of the method 800. Additionally or alternatively, the user device 102 may include a processor (e.g., the processor 124A of FIG. 1) that is configured to execute computer instructions to perform or control performance of the method 800. Although illustrated as discrete blocks, various blocks may be divided into additional blocks, combined into fewer blocks, or eliminated, depending on the desired implementation.

The method 800 may begin at block 802. At block 802, a random number may be a sampled. The random number may be sampled from a set of integers. At block 804, a first linearity ciphertext may be constructed. A first element of the first linearity ciphertext may be a first generator raised to the power of the random number. Additionally, one or more other elements of the first linearity ciphertext may include a corresponding element of a first linearity public key raised to a linearity encryption power. In some embodiments, the linearity encryption power includes a product of the random number and negative one raised to the power of a corresponding element of the first plaintext vector. In some embodiments, the linearity encryption power includes a product of the random number and an arbitrary generator raised to the power of a corresponding element of the first plaintext vector.

FIG. 9 is a flow diagram of an example method 900 of generating keys of a relational proximity encryption scheme, arranged in accordance with at least one embodiment described herein. The method 900 may be performed in a biometric authentication system such as may be implemented in the biometric system 200 of FIG. 2 or in the operating environment 100 of FIG. 1. The method 400 may be programmably performed in some embodiments by the user device 102 described herein. The user device 102 may include or may be communicatively coupled to a non-transitory computer-readable medium (e.g., the memory 122A of FIG. 1) having stored thereon or encoded therein programming code or instructions that are executable by a processor to perform or control performance of the method 900. Additionally or alternatively, the user device 102 may include a processor (e.g., the processor 124A of FIG. 1) that is configured to execute computer instructions to perform or control performance of the method 900. Although illustrated as discrete blocks, various blocks may be divided into additional blocks, combined into fewer blocks, or eliminated, depending on the desired implementation.

The method 900 may begin at block 902. At block 902, an ECC may be chosen. The ECC may include a length, a rank in a same order of a security parameter, and a selected minimum distance. At block 904, a key generator algorithm of a CPA secure encryption scheme may be run. The CPA secure encryption scheme may output a CPA public key and a CPA secret key. At block 906, a relational linearity key generation algorithm may be run. The relational linearity key generation algorithm may output a first linear public key, a second linear public key, a first linear secret key, a second linear secret key, and a relational linear secret key.

At block 907, proximity public keys may be defined. For example, a first proximity public key may be defined based on an ENCODE, a DECODE, the CPA public key, and the first linear public key. Additionally, a second proximity public key may be defined based on the ENCODE, the DECODE, the CPA public key, and the second linear public key. At block 908, proximity secret keys may be defined. For example, a first proximity secret key may be defined based on the CPA secret key and the first linear secret key. In addition, a second proximity secret key may be defined based on the CPA secret key and the second linear secret key. At block 910, a proximity relational secret key may be defined. For example, the proximity relational secret key may be defined based on the CPA secret key and the relational linear secret key.

FIG. 10 is a flow diagram of an example method 1000 of encrypting a first plaintext vector using the relational proximity encryption scheme, arranged in accordance with at least one embodiment described herein. The method 1000 may be performed in a biometric authentication system such as may be implemented in the biometric system 200 of FIG. 2 or in the operating environment 100 of FIG. 1. The method 1000 may be programmably performed in some embodiments by the user device 102 described herein. The user device 102 may include or may be communicatively coupled to a non-transitory computer-readable medium (e.g., the memory 122A of FIG. 1) having stored thereon or encoded therein programming code or instructions that are executable by a processor to perform or control performance of the method 1000. Additionally or alternatively, the user device 102 may include a processor (e.g., the processor 124A of FIG. 1) that is configured to execute computer instructions to perform or control performance of the method 1000. Although illustrated as discrete blocks, various blocks may be divided into additional blocks, combined into fewer blocks, or eliminated, depending on the desired implementation.

The method 1000 may begin at block 1002. At block 1002, a proximity random number may be sampled. The proximity random number may be sampled from a third field. The third field may include a base-number and a dimension that is a rank of an ECC. At block 1004, a first part of a first proximity ciphertext may be defined. The first part may be defined as a CPA encryption algorithm that receives as inputs a CPA public key and a sum of a first plaintext vector and an ENCODE receiving the proximity random number as an input.

At block 1006, a second part of the first proximity ciphertext may be defined. The second part may be defined as a first linearity encryption algorithm that receives a first linearity public key and the proximity random number as inputs.

FIG. 11 is a flow diagram of an example method 1100 of decrypting a first linearity ciphertext, arranged in accordance with at least one embodiment described herein. The method 1100 may be performed in a biometric authentication system such as may be implemented in the biometric system 200 of FIG. 2 or in the operating environment 100 of FIG. 1. The method 1100 may be programmably performed in some embodiments by the user device 102 described herein. The user device 102 may include or may be communicatively coupled to a non-transitory computer-readable medium (e.g., the memory 122A of FIG. 1) having stored thereon or encoded therein programming code or instructions that are executable by a processor to perform or control performance of the method 1100. Additionally or alternatively, the user device 102 may include a processor (e.g., the processor 124A of FIG. 1) that is configured to execute computer instructions to perform or control performance of the method 1100. Although illustrated as discrete blocks, various blocks may be divided into additional blocks, combined into fewer blocks, or eliminated, depending on the desired implementation.

The method 1100 may begin at block 1102. At block 1102, it may be determined whether a particular element value exists such that a corresponding element in a first linearity ciphertext is equal to a first element of the first linearity ciphertext raised to a product of an arbitrary generator raised to the particular element value and a corresponding element of a first linearity secret key. In response to the particular element value existing (“Yes” at block 1102), the element may be set to the particular element value. In response to the particular element not existing (“No” at block 1102), an error may be output.

FIG. 12 is a flow diagram of another example method 1200 of decrypting a first linearity ciphertext, arranged in accordance with at least one embodiment described herein. The method 1200 may be performed in a biometric authentication system such as may be implemented in the biometric system 200 of FIG. 2 or in the operating environment 100 of FIG. 1. The method 1200 may be programmably performed in some embodiments by the user device 102 described herein. The user device 102 may include or may be communicatively coupled to a non-transitory computer-readable medium (e.g., the memory 122A of FIG. 1) having stored thereon or encoded therein programming code or instructions that are executable by a processor to perform or control performance of the method 1200. Additionally or alternatively, the user device 102 may include a processor (e.g., the processor 124A of FIG. 1) that is configured to execute computer instructions to perform or control performance of the method 1200. Although illustrated as discrete blocks, various blocks may be divided into additional blocks, combined into fewer blocks, or eliminated, depending on the desired implementation.

The method 1200 may begin at block 1202. At block 1202, it may be determined whether a corresponding element in a first linearity ciphertext is equal to a first element of a first linearity ciphertext raised to a corresponding element of a first linearity secret key. In response to the corresponding element in the first linearity ciphertext being equal to the first element of the first linearity ciphertext raised to the corresponding element of a first linearity secret key (“Yes” at block 1202), the method 1200 may proceed to block 1208. At block 1208, the element of the first plaintext vector may be set to zero.

In response to the corresponding element in the first linearity ciphertext not being equal to the first element of the first linearity ciphertext raised to the corresponding element of the first linearity secret key (“No” at block 1202), the method 1200 may proceed to block 1204. At block 1204, it may be determined whether the corresponding element in the first linearity ciphertext is equal to the first element of the first linearity ciphertext raised to negative one multiplied by the corresponding element of the first linearity secret key. In response to the corresponding element in the first linearity ciphertext being equal to the first element of the first linearity ciphertext raised to negative one multiplied by the corresponding element of the first linearity secret key (“Yes” at block 1204), the method 1200 may proceed to block 1210. At block 1210, the element of the first plaintext vector may be set to one. In response to the corresponding element in the first linearity ciphertext not being equal to the first element of the first linearity ciphertext raised to negative one multiplied by the corresponding element of the first linearity secret key (“No” at block 1204), the method may proceed to block 1206. At block 1206, it may be determined whether the corresponding element in the first linearity ciphertext is equal to another value. In response to the corresponding element in the first linearity ciphertext being equal to another value (“Yes” at block 1206), the method 1200 may proceed to block 1212. At block 1212, an error may be returned.

Non-Uniformly Distributed Data

In some embodiments, the present disclosure may also provide relational encryption for underlying data, such as biometric data, which may not be uniformly random. The underlying data may be non-uniformly distributed and/or may have correlations. By way of non-limiting example, a larger subset of the population in the United States may have brown eyes compared to blue eyes, or in other words, the eye color may be non-uniformly distributed across the population. In like manner, an individual with blue eyes may be more likely to have light colored hair than dark colored hair, or in other words, there may exist a correlation between blue eyes and light colored hair. Because of the lack of randomness (including correlations) in biometric data, the present disclosure may include provision to effectively randomize underlying biometric data prior to using the relational encryption scheme described in the present disclosure.

The appropriate level of randomness may depend on a number of characteristics of the data, including entropy of the data, noise threshold, domain of the data, etc. For convenience in describing these characteristics, the example of the biometric characteristic of fingerprints will be used, but any underlying data may be used, including non-biometric data. In some embodiments, the appropriate level of randomness may be achieved by the dot product of X and r, or the dot product of the underlying data r and the matrix X. The matrix X may be a strong linear extractor as known in the art. The characteristics may be inputs in deriving the matrix X. In some embodiments the linear extractor may be used to reduce the original size of the data to one fourth the original size to randomize the data to an appropriate level. The appropriate level of randomness may be dependent on the security parameter λ. For example, if the security parameter indicates that eighty bits of security are needed, the level of randomness may need eighty bits of randomized data after processing using a strong linear extractor on the raw data. As another example, if the security parameter indicates that one hundred and twenty eight bits of security are needed, the level of randomness may need one hundred and twenty eight bits of randomized data after processing using a strong linear extractor on the raw data.

The characteristic of entropy of the data may refer to the overall variability or randomness inherent in the data itself. By way of example, fingerprints have a certain amount of variability or randomness inherent in the distribution of fingerprints in the human population, which may be referred to as the entropy of the biometric characteristic. As the entropy of the data increases, the amount of processing to arrive at the appropriate level of randomness may be reduced.

The characteristic of noise threshold may refer to the amount of variability present when reading or acquiring the underlying data. Again using the example of fingerprints, when taking a scan or reading of a fingerprint, there may be some noise or variation in gathering the reading of the fingerprint. Stated another way, each time a reading is taken for a given individual, the exact same biometric data may not be generated, and in fact, the biometric characteristic of the individual may vary slightly such that even in a perfect system there may be some minor variation in the biometric data between two samplings. This may be referred to as the noise threshold. If the noise threshold is high, the system may generate frequent false positives, permitting incorrect data to match the underlying data. Using the fingerprint example, too many fingerprints that are similar but not the same may be recognized as authentic. In contrast, if the noise threshold is low, the system may generate frequent false negatives. Using the fingerprint example, the same person taking a second reading may not be found authentic. As the noise threshold increases, the amount of processing to arrive at an appropriate level of randomness may decrease.

Another characteristic may include the domain of the data, or the mathematical space in which the underlying data resides. Using the example of the fingerprints, the biometric data may be converted into a bit stream or p-nary vector. For example, a given fingerprint may be represented by a bit stream of three hundred and twenty bits. The format and length of the domain may be related to other factors, for example, the noise level and the noise threshold. In some embodiments, a minimum size or vector length of underlying data may be required. As the size and complexity of the domain of the underlying data increases, the amount of processing may decrease.

The appropriate level of randomness may be proportional to a desired security level of the data. As the desired security level increases, the appropriate level of randomness may increase. The desired security level may dictate what the security parameter λ may represent. For example, for a higher desired security level the security parameter may include one hundred and twenty eight bits of security.

FIG. 13 is a block diagram of another example operating environment. The network 107, the communication module 116, the setup module 144, the memory 122A, the processor 124A, the communication unit 126A, the first entity 150, the second entity 152, the authentication server 140 may be the same as described in FIG. 1. A user device 1302 may be similar to the user device 102, but maybe modified to include a relational encrypt/decrypt module 1310. A linearity encrypt module 1312 and a proximity encrypt module 1314 may be similar to the linearity encrypt/decrypt module 112 and the proximity encrypt/decrypt module 114, although they may not be configured to decrypt any ciphertexts. In some embodiments using non-uniformly distributed data, the methods and processes described in the present disclosure may be modified to omit any decryption steps. The relational encrypt/decrypt module 1310 may be similar to the relational encrypt/decrypt module 110, but may be modified to include a randomizing module 1320.

The randomizing module 1320 may be implemented as software including one or more routines configured to perform one or more operations described herein. The randomizing module 1320 may include a set of instructions executable by the processors 124 to provide the functionality described herein. In some instances, the randomizing module 1320 may be stored in or at least temporarily loaded into the memory 122 and may be accessible and executable by one or more of the processors 124. The randomizing module 1320 may be adapted for cooperation and communication with one or more of the processors 124 over a bus.

The randomizing module 1320 may be configured to randomize underlying data which may be non-uniformly distributed to an appropriate level of randomness such that the randomized data may be used in a relational encryption scheme as described in the present disclosure. In some embodiments, this may include the randomizing module 1320 utilizing a linear extractor 1325 to extract an appropriately randomized plaintext from non-uniformly distributed data. The linear extractor 1325 may be a strong linear extractor. The linear extractor 1325 may be implemented as a series of mathematical steps or operations as known in the art.

By way of example, the user device 1302 may receive biometric data to be used in a relational encryption scheme in accordance with the present disclosure. The biometric data may be non-uniformly distributed and thus, prior to encrypting the underlying data the biometric data may be processed at the randomizing module 1320 using the linear extractor 1325 to arrive at an appropriate level of randomness as a plaintext vector. The plaintext vector may then be encrypted by the linearity encrypt module 1312 and the proximity encrypt module 1314.

FIG. 14 is a flow diagram of an example method 1400 of encrypting non-uniformly distributed data using a relational encryption scheme. The method 1400 may be performed in an authentication system such as may be implemented in the biometric system 200 of FIG. 2, in the operating environment 100 of FIG. 1, or the operating environment 1300 of FIG. 13. The method 1200 may be programmably performed in some embodiments by the user device 102 of FIG. 1 or the user device 1302 of FIG. 13. The user device 102 or the user device 1302 may include or may be communicatively coupled to a non-transitory computer-readable medium (e.g., the memory 122A of FIG. 1 or FIG. 13) having stored thereon or encoded therein programming code or instructions that are executable by a processor to perform or control performance of the method 1400. Additionally or alternatively, the user device 102 or the user device 1302 may include a processor (e.g., the processor 124A of FIG. 1 or FIG. 13) that is configured to execute computer instructions to perform or control performance of the method 1400. Although illustrated as discrete blocks, various blocks may be divided into additional blocks, combined into fewer blocks, or eliminated, depending on the desired implementation.

At block 1410, a user device may receive biometric data or other non-uniformly distributed data. This may be received using one or more sensors, detectors, etc. At block 1420, the biometric data may be processed to a level of randomness as a plaintext vector. Block 1420 may be further explained in FIG. 15. At block 1430, the plaintext vector may be encrypted using a relational linearity encryption scheme as described in the present disclosure, resulting in a linearity ciphertext. At block 1440, the plaintext vector may be encrypted using a relational proximity encryption scheme as described in the present disclosure, resulting in a proximity ciphertext.

At block 1450, the linearity and proximity ciphertexts may be communicated to an authentication server. Once the linearity and proximity ciphertext have been communicated to the authentication server, the authentication server may perform a comparison and determination as described herein to determine if there is a relation between the ciphertexts and a reference ciphertext. If the server determines that there is a relation, the authentication server may communicate an authentication to the user device. In some embodiments, this may be based on a desired security level to which the underlying data has been appropriately randomized. At block 1460, the user device may receive the authentication from the authentication server indicating that there was

FIG. 15 is a flow diagram of an example method 1500 of processing non-uniformly distributed data. The method 1500 may be a substitution or expansion of block 1420 of FIG. 14. For example, after block 1410 of FIG. 14 method 1500 may be implemented and then return to block 1440 of FIG. 14. The method 1500 may be performed in an authentication system such as may be implemented in the biometric system 200 of FIG. 2, in the operating environment 100 of FIG. 1, or the operating environment 1300 of FIG. 13. The method 1500 may be programmably performed in some embodiments by the user device 102 of FIG. 1 or the user device 1302 of FIG. 13. The user device 102 or the user device 1302 may include or may be communicatively coupled to a non-transitory computer-readable medium (e.g., the memory 122A of FIG. 1 or FIG. 13) having stored thereon or encoded therein programming code or instructions that are executable by a processor to perform or control performance of the method 1500. Additionally or alternatively, the user device 102 or the user device 1302 may include a processor (e.g., the processor 124A of FIG. 1 or FIG. 13) that is configured to execute computer instructions to perform or control performance of the method 1500. Although illustrated as discrete blocks, various blocks may be divided into additional blocks, combined into fewer blocks, or eliminated, depending on the desired implementation. For example, blocks 1510 and 1520 may be performed simultaneously or may be omitted.

After block 1410 of FIG. 14, the method 1500 may begin at block 1510. At block 1510, the characteristics of the biometric data may be determined. This may include determining one or more of the entropy, noise threshold, and domain of the data. In some embodiments, this may be a pre-determined characteristic of the data that is retrieved from storage or from a third party. For example, the variability in distribution of fingerprints may be a known characteristic that is stored and retrieved if the received biometric data is a bit stream representing a fingerprint. In some embodiments, the characteristics may be determined once the biometric data is received, for example, the noise threshold may be based in part on the hardware, sensor or other data-capture technique used to gather the biometric data. The method 1500 may then proceed to block 1520.

At block 1520, the appropriate security level may be determined based on the security parameter A. The appropriate security level may be based on the sensitivity of the biometric data used, the application for which the authentication is implemented, etc. The method 1500 may then proceed to block 1530. At block 1530, the appropriate level of randomness may be determined for the biometric data. As described above, this may be based in part on one or more of the characteristics determined at block 1510 or the security parameter used in the determination at block 1520. In some embodiments, the appropriate level of randomness may be proportional to the security parameter. The method 1500 may then proceed to block 1540.

At block 1540, a strong linear extractor may be used to process the biometric data to the appropriate level of randomness as a plaintext vector. This may be mathematically represented as the operation of X·r. Once the biometric data has been randomized, the method 1500 may end by routing the process to block 1430 of FIG. 14.

Relational Encryption Scheme with a Limited Access Authentication Server

In one or more embodiments of the present disclosure, an authentication server may be limited in access to certain portions of information in an authentication or comparison process. In particular, the authentication server may verify that two encrypted plaintext values are the same without having access to the plaintext values or information from which the authentication server may derive the plaintext values. In these and other embodiments, an initialization process to derive relational keys for communicating parties may occur such that the authentication server need not be a trusted third party. Embodiments of the present disclosure may be beneficial in situations in which there is no trusted third party to generate public keys of the relational encryption scheme. In these and other embodiments, a trusted third party may not be entrusted with the generation of public keys. In some embodiments, the relational encryption scheme may be secure even if there is no trusted third party to run a setup phase of the relational encryption scheme.

FIG. 16 is a block diagram of another example operating environment 1600, in accordance with one or more embodiments of the present disclosure. The operating environment 1600 may include a first entity 152 utilizing a first user device 1602 and a second entity 150 utilizing a second user device 1604 and an authentication server 1640, all communicating via a network 107. The first entity 152, the second entity 150, and the network 107 may be similar or analogous to the first entity 152, the second entity 150, and the network 107 from FIG. 1. The authentication server 1640 may be similar or analogous to the authentication server 140 of FIG. 1, except that authentication server 1640 may have limited access to certain information. In these and other embodiments security of confidential information may be maintained even if the authentication server 1640 may not be a trusted third party. The first user device 1602 and the second user device 1604 may be similar or analogous to the first user device 102 of FIG. 1. For example, the first user device 1602 and the second user device 1604 may include a memory, a processor, a communication unit, etc., although not illustrated.

In some embodiments, the authentication server 1640 may receive a first encrypted message from the first user device 1602 and a second encrypted message from the second user device 1604. The authentication server may be configured to perform a comparison of the first encrypted message and the second encrypted message to determine whether a first plaintext value encrypted within the first encrypted message is the same as a second plaintext value encrypted within the second encrypted message. In these and other embodiments, the authentication server 1640 may not decrypt the first encrypted message and/or the second encrypted message. Additionally or alternatively, the authentication server 1640 may or may not be a trusted third party. In some embodiments, the relational encryption scheme may be secure even if there is no trusted third party to run a setup phase of the relational encryption scheme.

To initialize a relational encryption scheme with a limited access authentication server, relational keys may be obtained and/or generated for the first user device 1602 and the second user device 1604. The relational keys may include a first element of which the authentication server 1640 may be aware (either initially or permanently) and a second element of which the authentication serve 1640 may not be aware. In these and other embodiments, a first element of a first mathematical group may be selected and a second element of a second mathematical group may be selected. The first and second elements may be selected at random or may be repeatedly used for a given set of circumstances. For example, the authentication server 1640 may always use the same first and second elements of the first and second mathematical groups. The first and second elements may be public and known or obtained by the authentication server 1640, the first user device 1602, and the second user device 1604. Stated mathematically,

g←G₁

h←G₂

where parameter G₁represents a first mathematical group of order q (where q is the same as above), parameter G₂represents a second mathematical group of order q, g represents an element of the group G₁, and h represents an element of the group G₂. In some embodiments, the first element obtained from the first mathematical group (e.g., g) and the second element obtained from the second mathematical group (e.g., h) may be referred to as generators. In some embodiments, the groups G₁and G₂may include bilinear elements. For example, the groups G₁and G₂may not be ordinary mathematical groups, instead supporting the bilinear pairing operation:

e(G₁×G₂)=G_T

where e( . . . ) represents a pairing operation and G_Trepresents a third bilinear group. Additionally or alternatively, the groups G₁and G₂may conform to mathematical group axioms including closure, associativity, identity, and invertibility.

To further initialize the relational encryption scheme with a limited access authentication server, the authentication server 1640 may generate a first element of a first relational key for the first user device 1602 and a first element of a second relational key for the second user device 1604. In some embodiments, the authentication server 1640 may select or otherwise obtain two random integers. In these and other embodiments, the random integers may be selected between zero and one less than q. Stated mathematically, the authentication server may generate:

t←Z_q

u←Z_q

where Z_qis the same as above, and t and u are random integers selected from Z_q. To generate the first element of the first relational key for the first user device 1602, the authentication server 1640 may raise the first group element to the power of the first and the second random integers. To generate the first element of the second relational key for the second user device 1604, the authentication server 1640 may raise the second group element to the power of the second random integer. Stated mathematically, the authentication server 1640 generates g^tuas the first element of the first relational key for the first user device 1602 and generates h^uas the first element of the second relational key for the second user device 1604. The authentication server 1640 may provide the first element of the first relational key to the first user device 1602 and may provide the first element of the second relational key to the second user device 1604. In some embodiments, the authentication server 1640 may delete or otherwise remove the second random variable (e.g., u) after providing the first element of the first relational key and the first element of the second relational key to the first and second user devices 1602, 1604, respectively. In these and other embodiments, the authentication server 1640 may store a relationship of the first and second user device 1604 with the first random integer (e.g., t). For example, the pair of communicating user devices and the random integer may be stored in a table or database. Additionally or alternatively, the table or database may store that it was the second user device 1604 that did not receive a group element raised to the power of both random integers (e.g., denoting that the second user device 1604 was provided h^uwhile the first user device 1602 was provided g^tu).

To further initialize the relational encryption scheme with a limited access authentication server, the second elements of the first relational key and the second relational keys may be generated. Such generation may occur by and between the first user device 1602 and the second user device 1604 without input or interaction of the authentication server 1640. The first user device 1602 may select a third random integer, a, from Z_qand the second user device 1604 may select a fourth random integer, b, from Z_q. The second user device 1604 may raise the first group element to the power of the fourth random integer (e.g., g^b) and provide that to the first user device 1602. The first user device 1602 may raise the second group element to the power of the third random integer (e.g., h^a) and provide that to the second user device 1604. The first user device 1602 may derive the second element of the first relational key by further raising the first group element to the power of the third integer (e.g., g^ab). The second user device 1604 may derive the second element of the second relational key by further raising the second group element to the power of the fourth integer (e.g., h^ab). By such an exchange, the first user device 1602 may or may not be provided with the fourth random integer, b, and the second user device 1604 may or may not be provided with the third random integer, a, during the derivation of the second elements of the first and second relational keys. Additionally or alternatively, the authentication server 1640 may be unaware of the second elements of the first and second relational keys. Thus, the first user device 1602 may obtain the first relational key with the first element, g^tu, and the second element, g^ab. Additionally or alternatively, the second user device 1604 may obtain the second relational key with the first element, h^u, and the second element, h^ab.

After initialization, the first relational key for the first user device 1602 and the second relational key for the second user device 1604 may be utilized to allow the authentication server 1640 to verify whether a first encrypted plaintext value at the first user device 1602 and a second encrypted plaintext value at the second user device 1604 is the same. For example, the first user device 1602 may encrypt the first plaintext value using the first relational key. The first user device 1602 may obtain a fifth random integer (e.g., the integer r selected at random from Z_q) and may raise the first element of the first relational key to the power of the fifth random integer (e.g., g^tur) and may raise the second element of the first relational key to the power of the fifth random integer and the first plaintext value (e.g., g^abrl, where l is the first plaintext value). A first encrypted message may include the modified first relational key, e.g., a first element (g^tur) and a second element (g^abrl) The second user device 1604 may obtain a sixth random integer (e.g., the integer s selected at random from Z_q) and may raise the first element of the second relational key to the power of the sixth random integer (e.g., h^us) and may raise the second element of the second relational key to the power of the sixth random integer and the second plaintext value (e.g., h^absm, where m is the second plaintext value). A second encrypted message may include the modified second relational key, e.g., a first element (h^us) and a second element (h^absm).

After encrypting the first plaintext value into the first encrypted message, the first user device 1602 may provide the first encrypted message to the authentication server 1640. After encrypting the second plaintext value into the second encrypted message, the second user device 1604 may provide the second encrypted message to the authentication server 1640. The authentication server 1640 may compare the first encrypted message to the second encrypted message to determine whether the first plaintext value is the same as the second plaintext value. To perform such a comparison, the authentication server may perform a first pairing function operation on the first element of the first encrypted message and the second element of the second encrypted message, and may perform a second pairing function operation on the second element of the first encrypted message and the first element of the second encrypted message raised to the power of the first random integer obtained by the authentication server 1640 (e.g., t). If the outcome of the first and the second pairing function operations is the same, the authentication server 1640 may determine that the first plaintext value and the second plaintext value are the same. If the outcome of the first and the second pairing operations is not the same, the authentication server 1640 may determine that the first plaintext value and the second plaintext values are not the same. Stated mathematically, the authentication server may verify the equality:

$e (g^{tur}, h^{absm}) \overset{?}{=} e (g^{abrl}, {(h^{us})}^{t})$

where e( . . . ) is a pairing function and a, b, g, h, l, m, r, s, t, and u are the same as described above. In these and other embodiments, the authentication server 1640 may not be provided with the plaintext values and may or may not be provided with any security keys or authentication keys such that the authentication server 1640 may or may not be a trusted third party. Thus, the authentication server 1640 may be a limited access authentication server in some embodiments.

In some embodiments, the first and/or the second plaintext values (e.g., l and/or m) may be distinct and fixed values. In particular, in some embodiments, the first and/or the second plaintext values (e.g., l and/or m) may not be biometric data. The plaintext values may take any size, depending on the application in which the embodiment may be applied. For example, if the plaintext value is a bit stream defining an image, the value may be thousands, millions (or more), characters in length. In some embodiments, the value of q may be selected to be approximately the same order of magnitude as the size of the plaintext value. Additionally or alternatively, a hash function or other truncating function may be utilized to limit the size of the plaintext values. In these and other embodiments, a secure hash function may be utilized. If a hash function is used, the same hash function may be used by the first user device 1602 on the first plaintext value and by the second user device 1604 on the second plaintext value. Additionally or alternatively, if the plaintext values are hashed, q may be selected to be approximately the same order of magnitude as the size of the hashed plaintext value.

In some embodiments, operating the authentication server 1640 as a limited access authentication server may provide certain security benefits in a number of example cases.

Example 1

If the first user device 1602, the second user device 1604, and the authentication server 1640 are all honest, then all encryptions may be semantically secure, or in other words, knowledge of the encrypted message(s) and length of the plaintext values may not reveal any additional information on the plaintext values that may be feasibly extracted. Such semantic security also holds true for low entropy plaintext values (e.g., if the plaintext value is not uniformly random).

Example 2

If the first user device 1602 is adversarial, the plaintext value of the second user device 1604 may be semantically secure, and such semantic security also holds true for low entropy plaintext values.

Example 3

If the first user device 1602 is adversarial and the second user device 1604 is compromised (e.g., hacked) at some future time, encrypted messages from the second user device 1604 prior to being compromised may be semantically secure, and such semantic security also holds true for low entropy plaintext values.

Example 4

If the authentication server 1640 is adversarial, only comparisons between encrypted messages may be learned (e.g., that the plaintext values are the same or not the same, but not what the plaintext values are). For low entropy data, the encrypted plaintext values are secure but the comparisons may be learned.

Example 5

If the authentication server 1640 and the first user device 1602 are adversarial, then only comparisons between encrypted messages may be learned (e.g., that the plaintext values are the same or not the same). For low entropy data, the plaintext value of the second user device 1604 may not be secure because it may be subject to guessing attacks. For example, because of the limited number of possibilities in low entropy data and because the adversary may be aware of the plaintext value of the first user device 1602 and the result of the comparison at the authentication server 1640, a systematic guessing approach could be used to determine the plaintext value of the second user device 1604.

Example 6

If the authentication server 1640 and the first user device 1602 are adversarial and the second user device 1604 is compromised (e.g., hacked) in the future, encrypted messages from the second user device 1604 prior to being compromised may be semantically secure. For low entropy data, the plaintext value of the second user device 1604 may not be secure because it may be subject to guessing attacks. For each of the examples above, while the first user device 1602 is identified as being adversarial and security was described for the second user device 1604, the two are interchangeable and if the second user device 1604 were adversarial analogous security would be in place for the first user device 1602.

In some embodiments, when there are more than one pair of communicating user devices in the operating environment 1600, the removal of the second random integer (e.g., u) from the authentication server 1640 may facilitate security between different pairs of communicating user devices. For example, if the authentication server 1640 is compromised, which pair of communicating user devices is related to the comparison may be determined if the authentication server 1640 has not removed the second random integer.

An authentication server limited in access to certain portions of information in an authentication or comparison process may be used in a number of different settings or example scenarios. For example, the authentication server 1640 may allow the first user device 1602 to query the second user device 1604 whether it contains an image, document, file, or other piece of information that the first user device 1602 has without disclosing the information to the second user device 1604 or the authentication server 1640. In some embodiments, the first entity 152 and the second entity 150 may be the same entity operating different user devices or operating the same user device at different times. For example, the first entity 152 may be a user operating the first user device 1602 as a secure computer within a secure location or a secure network that has been authenticated and the second entity 150 may be the same user operating the second user device 1604 as a mobile device in another location or on another network. The authentication server 1640 may verify that the first user device 1602 and the second user device 1604 both contain the same plaintext value (e.g., a password or token) without the authentication server 1640 knowing the password or token. After verifying that both the first user device 1602 and the second user device 1604 have the same plaintext value, the authentication server 1640 may allow the second user device 1604 access to restricted content.

Modifications, additions, or omissions may be made to the example operating environment 1600 without departing from the scope of the present disclosure. Specifically, embodiments depicted in FIG. 16 include one authentication server 1640 and one pair of user devices (the first user device 1602 and the second user device 1604). However, the present disclosure applies to operating environments that may include any number of pairs of user devices, and any number of authentication servers.

FIG. 17 is a flow diagram of an example method 1700 of utilizing a relational encryption scheme, in accordance with one or more embodiments of the present disclosure. The method 1700 may be performed in an authentication system such as may be implemented in the system 200 of FIG. 2, in the operating environment 100 of FIG. 1, the operating environment 1300 of FIG. 13, or the operating environment 1600 of FIG. 16. The method 1700 may be programmably performed in some embodiments by the user device 102 of FIG. 1, the user device 1302 of FIG. 13, the first or second user devices 1602, 1604 or the authentication server 1640 of FIG. 16. The user device 102, the user device 1302, the first or second user devices 1602, 1604, and/or the authentication server 1640 may include or may be communicatively coupled to a non-transitory computer-readable medium having stored thereon or encoded therein programming code or instructions that are executable by a processor to perform or control performance of the method 1700. Additionally or alternatively, the user device 102, the user device 1302, the first or second user devices 1602, 1604, and/or the authentication server 1640 may include a processor that is configured to execute computer instructions to perform or control performance of the method 1700. Although illustrated as discrete blocks, various blocks may be divided into additional blocks, combined into fewer blocks, or eliminated, depending on the desired implementation.

At block 1710, a first mathematical group element and a second mathematical group element may be obtained. For example, an authentication server (e.g., the authentication server 1640 of FIG. 16) may select a first mathematical group element at random from a first group of q elements and a second mathematical group element at random from a second group of q elements, e.g., the authentication server may select g and h. In some embodiments, g and h may be the same for multiple pairs of communicating user devices.

At block 1720, a first encrypted message including a first plaintext value may be received. For example, a first user device (e.g., the first user device 1602 of FIG. 16) may transmit the first encrypted message to the authentication server. In some embodiments, the first encrypted message may include a first relational key of the first user device that may include two elements and is modified. For example, following the nomenclature above, the first user device may obtain a fifth random integer (e.g., the integer r selected at random from Z_q) and may raise the first element of the first relational key to the power of the fifth random integer (e.g., g^tur) and may raise the second element of the first relational key to the power of the fifth random integer and the first plaintext value (e.g., g^abrlwhere l is the first plaintext value). The first encrypted message may include the modified first relational key, e.g., a first element (e) and a second element (g^abrl).

At block 1730, a second encrypted massage including a second plaintext value may be received. For example, a second user device (e.g., the second user device 1604 of FIG. 16) may transmit the second encrypted message to the authentication server. In some embodiments, the second encrypted message may include a second relational key of the second user device that may include two elements and is modified. For example, following the nomenclature above, the second user device may obtain a sixth random integer (e.g., the integer s selected at random from Z_q) and may raise the first element of the second relational key to the power of the sixth random integer (e.g., h^us) and may raise the second element of the second relational key to the power of the sixth random integer and the second plaintext value (e.g., h^absm, where m is the second plaintext value). The second encrypted message may include the modified second relational key, e.g., a first element (h^us) and a second element (h^absm).

At block 1740, the first encrypted message may be compared with the second encrypted message without decryption of either the first encrypted message or the second encrypted message. For example, the authentication server may compare the first encrypted message with the second encrypted message without having access to the plaintext values within the encrypted messages. Such a comparison may be performed as explained above in the present disclosure, for example, by using one or more pairing function operations.

At block 1750, based on the comparison, a determination may be made that the first plaintext value and the second plaintext value are the same. For example, the authentication server may determine that the result of a first pairing function is the same as a second pairing function, the two pairing functions pairing various components of the first and the second encrypted messages as explained in the present disclosure. In some embodiments, based on the comparison being the same, some further action may be taken, such as granting a user device access to restricted content, or sending the determination to one or both of the user devices.

Accordingly, the method 1700 may utilize a relational encryption scheme. Modifications, additions, or omissions may be made to the method 1700 without departing from the scope of the present disclosure. For example, the operations of the method 1700 may be implemented in differing order. Additionally or alternatively, two or more operations may be performed at the same time. Furthermore, the outlined operations and actions are provided as examples, and some of the operations and actions may be optional, combined into fewer operations and actions, or expanded into additional operations and actions without detracting from the essence of the disclosed embodiments.

FIGS. 18A and 18B are a flow diagram of an example method 1800 of initializing and utilizing a relational encryption scheme, in accordance with one or more embodiments of the present disclosure. The method 1800 may be performed in an authentication system such as may be implemented in the system 200 of FIG. 2, in the operating environment 100 of FIG. 1, the operating environment 1300 of FIG. 13, or the operating environment 1600 of FIG. 16. The method 1800 may be programmably performed in some embodiments by the user device 102 of FIG. 1, the user device 1302 of FIG. 13, the first or second user devices 1602, 1604 or the authentication server 1640 of FIG. 16. The user device 102, the user device 1302, the first or second user devices 1602, 1604, and/or the authentication server 1640 may include or may be communicatively coupled to a non-transitory computer-readable medium having stored thereon or encoded therein programming code or instructions that are executable by a processor to perform or control performance of the method 1800. Additionally or alternatively, the user device 102, the user device 1302, the first or second user devices 1602, 1604, and/or the authentication server 1640 may include a processor that is configured to execute computer instructions to perform or control performance of the method 1800. Although illustrated as discrete blocks, various blocks may be divided into additional blocks, combined into fewer blocks, or eliminated, depending on the desired implementation. Reference may be made to certain mathematical variables in describing the method 1700 which may refer to the mathematical variables above.

At block 1805, first and second group elements may be obtained. For example, an authentication server (e.g., the authentication server 1640 of FIG. 16) may obtain a first group element at random from a first group and a second group element at random from a second group. The block 1805 may be similar or comparable to the block 1710.

At block 1810, first and second random integers are obtained. For example, the authentication server may randomly select two integers from Z_qas described above in the present disclosure.

At block 1815, the first group element raised to the power of the first and the second random integers may be transmitted to a first user device (e.g., the first user device 1602 of FIG. 16). For example, the authentication server may generate g^tuand may transmit that modified group element to the first user device. In these and other embodiments, the first group element raised to the power of the first and the second random integers may be a first element of a first relational key of the first user device.

At block 1820, the second group element raised to the power of the second random integer may be transmitted to a second user device (e.g., the second user device 1604 of FIG. 16). For example, the authentication server may generate h^uand may transmit that modified group element to the second user device. In these and other embodiments, the second group element raised to the power of the second random integer may be a first element of a second relational key of the second user device.

At block 1825, a third random integer may be obtained by the first user device and a fourth random integer may be obtained by the second user device. For example, the first user device may select the random integer a from Z_qand the second user device may select the random integer b from Z_q.

At block 1830, the second group element raised to the power of the third random integer may be transmitted from the first user device to the second user device. For example, the first user device may calculate and transmit h^ato the second user device.

At block 1835, the first group element raised to the power of the fourth random integer may be transmitted from the second user device to the first user device. For example, the second user device may calculate and transmit to the first user device.

At block 1840, a first relational key may be established. For example, the first user device may establish the first relational key to include two elements. The first relational key element may include the first group element raised to the power of the first and the second random integers selected by the authentication server, and the second relational key element may include the first group element raised to the power of the third random integer selected by the first user device and raised to the power of the fourth random integer selected by the second user device. For example, to determine the second element, the first user device may take g^btransmitted from the second user device and raise it to the power of a.

At block 1845, a second relational key may be established. For example, the second user device may establish the second relational key to include two elements. The first relational key element of the second relational key may include the second group element raised to the power of the second random integer selected by the authentication server. Additionally or alternatively, the second relational key element of the second relational key may include the second group element raised to the power of the third random integer selected by the first user device and raised to the power of the fourth random integer selected by the second user device. For example, to determine the second element, the second user device may take ha transmitted from the first user device and raise it to the power of b.

At block 1850, a first plaintext value (e.g., l) is relationally encrypted into a first encrypted message using the first relational key. For example, the first user device may obtain a fifth random integer from Z_q, r, and may raise the first element of the first relational key to the power of r and may raise the second element to the power of the fifth random integer and the first plaintext value. For example, the first encrypted message may include (g^tur,g^abrl).

At block 1855, a second plaintext value (e.g., m) is relationally encrypted into a second encrypted message using the second relational key. For example, the second user device may obtain a sixth random integer from Z_q, s, and may raise the first element of the second relational key to the power of s and may raise the second element to the power of the sixth random integer and the second plaintext value. For example, the second encrypted message may include (h^us, h^absm).

At block 1860, the first and the second encrypted messages may be transmitted to the authentication server. For example, the first user device may transmit the first encrypted message over a network (e.g., the network 107 of FIG. 16) to the authentication server and the second user device may transmit the second encrypted message over the network to the authentication server.

At block 1865, the first and the second encrypted messages may be compared without decryption of either the first or the second encrypted messages. For example, the authentication server may perform a first pairing operation on the first element of the first encrypted message and the second element of the second encrypted message. Continuing the example, the authentication server may perform a second pairing operation on the second element of the first encrypted message and the first element of the second encrypted message raised to the power of the second random integer. Stated mathematically, in some embodiments, the authentication server may verify the equality

$e (g^{tur}, h^{absm}) \overset{?}{=} e (g^{abrl}, {(h^{us})}^{t})$

At block 1870, based on the comparison, a determination may be made that the first plaintext value is the same as the second plaintext value. The block 1870 may be similar or comparable to the block 1750 of FIG. 17.

Accordingly, the method 1800 may initialize and/or utilize a relational encryption scheme. Modifications, additions, or omissions may be made to the method 1800 without departing from the scope of the present disclosure. For example, the operations of the method 1800 may be implemented in differing order. Additionally or alternatively, two or more operations may be performed at the same time. Furthermore, the outlined operations and actions are provided as examples, and some of the operations and actions may be optional, combined into fewer operations and actions, or expanded into additional operations and actions without detracting from the essence of the disclosed embodiments.

The embodiments described herein may include the use of a special-purpose or general-purpose computer including various computer hardware or software modules, as discussed in greater detail below.

Embodiments described herein may be implemented using computer-readable media for carrying or having computer-executable instructions or data structures stored thereon. Such computer-readable media may be any available media that may be accessed by a general-purpose or special-purpose computer. By way of example, and not limitation, such computer-readable media may include non-transitory computer-readable storage media including Random Access Memory (RAM), Read-Only Memory (ROM), Electrically Erasable Programmable Read-Only Memory (EEPROM), Compact Disc Read-Only Memory (CD-ROM) or other optical disk storage, magnetic disk storage or other magnetic storage devices, flash memory devices (e.g., solid state memory devices), or any other storage medium which may be used to carry or store desired program code in the form of computer-executable instructions or data structures and which may be accessed by a general-purpose or special-purpose computer. Combinations of the above may also be included within the scope of computer-readable media.

Computer-executable instructions comprise, for example, instructions and data which cause a general-purpose computer, special-purpose computer, or special-purpose processing device (e.g., one or more processors) to perform a certain function or group of functions. Although the subject matter has been described in language specific to structural features and/or methodological acts, it is to be understood that the subject matter defined in the appended claims is not necessarily limited to the specific features or acts described above. Rather, the specific features and acts described above are disclosed as example forms of implementing the claims.

As used herein, the terms “module” or “component” may refer to specific hardware implementations configured to perform the operations of the module or component and/or software objects or software routines that may be stored on and/or executed by general-purpose hardware (e.g., computer-readable media, processing devices, etc.) of the computing system. In some embodiments, the different components, modules, engines, and services described herein may be implemented as objects or processes that execute on the computing system (e.g., as separate threads). While some of the system and methods described herein are generally described as being implemented in software (stored on and/or executed by general-purpose hardware), specific hardware implementations or a combination of software and specific hardware implementations are also possible and contemplated. In the present description, a “computing entity” may be any computing system as previously defined herein, or any module or combination of modulates running on a computing system.

All examples and conditional language recited herein are intended for pedagogical objects to aid the reader in understanding the disclosure and the concepts contributed by the inventor to furthering the art, and are to be construed as being without limitation to such specifically recited examples and conditions. Although embodiments of the present disclosure have been described in detail, it should be understood that the various changes, substitutions, and alterations could be made hereto without departing from the spirit and scope of the disclosure.

Claims

1. A computer-implemented method comprising:

receiving at a server a first encrypted message from a first user device, the first encrypted message including a first relational key element based on a first mathematical group element, and the first encrypted message including a second relational key element based on the first mathematical group element and raised to a power of a first plaintext value or numerical representation thereof;

receiving at the server a second encrypted message from a second user device, the second encrypted message including a third relational key element based on a second mathematical group element different from the first mathematical group element, and the second encrypted message including a fourth relational key element based on the second mathematical group element and raised to the power of a second plaintext value or numerical representation thereof;

comparing the first encrypted message to the second encrypted message using one or more processors of the server, without decryption of either the first encrypted message or the second encrypted message by the server;

based on the comparison, determining by the one or more processors that the first plaintext value and the second plaintext value are the same; and

based on the first plaintext value and the second plaintext value being the same, the server authorizing the second user device to access restricted content.

2. The method of claim 1, wherein the first user device and the second user device are operated by a same entity at different times.

3. The method of claim 1, further comprising:

obtaining the first mathematical group element as a random element of a first mathematical group; and

obtaining the second mathematical group element as a random element of a second mathematical group distinct from the first mathematical group.

4. The method of claim 3, wherein the first mathematical group includes bilinear elements.

5. The method of claim 1, wherein comparing the first encrypted message to the second encrypted message comprises:

performing a first pairing function operation on the first relational key element raised to a power of a first random integer and the fourth relational key element raised to a power of a second random integer and raised to the power of the second plaintext value;

performing a second pairing function operation on the second relational key element raised to the power of the first random integer and raised to the power of the first plaintext value and the third relational key element raised to the power of the second random integer; and

comparing the result of the first pairing function operation and the second pairing function operation.

6. The method of claim 1, wherein the first plaintext value includes a password.

7. The method of claim 1, wherein the first relational key element includes the first mathematical group element raised to a power of a third random integer selected by the server and raised to a power of a fourth random integer selected by the server, and the second relational key element includes the first mathematical group element raised to a power of a fifth random integer selected by the first user device and raised to a power of a sixth random integer selected by the second user device.

8. The method of claim 7, wherein the third relational key element includes the second mathematical group element raised to the power of the fourth random integer, and the fourth relational key element includes the second mathematical group element raised to the power of the fifth random integer and raised to the power of the sixth random integer.

9. A non-transitory computer readable medium containing instructions that, when executed by a processor, are configured to cause the processor to perform operations comprising:

receiving a first encrypted message from a first user device, the first encrypted message including a first relational key element based on a first mathematical group element, and the first encrypted message including a second relational key element based on the first mathematical group element and raised to a power of a first plaintext value or numerical representation thereof;

receiving a second encrypted message from a second user device, the second encrypted message including a third relational key element based on a second mathematical group element different from the first mathematical group element, and the second encrypted message including a fourth relational key element based on the second mathematical group element and raised to a power of a second plaintext value or numerical representation thereof;

comparing the first encrypted message to the second encrypted message without decryption of either the first encrypted message or the second encrypted message;

based on the comparison, determining that the first plaintext value and the second plaintext value are the same; and

based on the first plaintext value and the second plaintext value being the same, authorizing the second user device to access restricted content.

10. The non-transitory computer readable medium of claim 9, wherein the first user device and the second user device are a same entity at different times.

11. The non-transitory computer readable medium of claim 9, wherein the operations further comprise:

obtaining the first mathematical group element as a random element of a first mathematical group; and

obtaining the second mathematical group element as a random element of a second mathematical group distinct from the first mathematical group.

12. The non-transitory computer readable medium of claim 11, wherein the first mathematical group includes bilinear elements.

13. The non-transitory computer readable medium of claim 11, wherein the operation of comparing the first encrypted message to the second encrypted message comprises the operations of:

performing a first pairing function operation on the first relational key element raised to a power of a first random integer and the fourth relational key element raised to a power of a second random integer and raised to the power of the second plaintext value;

performing a second pairing function operation on the second relational key element raised to the power of the first random integer and raised to the power of the first plaintext value and the third relational key element raised to the power of the second random integer; and

comparing the result of the first pairing function operation and the second pairing function operation.

14. The non-transitory computer readable medium of claim 9, wherein the first plaintext value includes a password.

15. The non-transitory computer readable medium of claim 9, wherein the first relational key element includes the first mathematical group element raised to a power of a third random integer selected by the authentication server and raised to a power of a fourth random integer selected by the authentication server, and the second relational key element includes the first mathematical group element raised to a power of a fifth random integer selected by the first user device and raised to a power of a sixth random integer selected by the second user device.

16. The non-transitory computer readable medium of claim 15, wherein the third relational key element includes the second mathematical group element raised to the power of the fourth random integer, and the fourth relational key element includes the second mathematical group element raised to the power of the fifth random integer and raised to the power of the sixth random integer.

17. A method comprising:

obtaining by a first user device a first mathematical group element and a second mathematical group element;

receiving, at the first user device and from a server, the first mathematical group element raised to a power of a first random integer;

obtaining, by the first user device, a second random integer;

transmitting, by the first user device to a second user device, the second mathematical group element raised to a power of the second random integer;

receiving, at the first user device and from the second user device, the first mathematical group element raised to a power of a third random integer;

establishing a first relational key of the first user device, a first element of the first relational key including the first mathematical group element raised to the power of the first random integer, a second element of the first relational key including the first mathematical group element raised to the power of the second random integer and raised to the power of the third random integer;

relationally encrypting a first plaintext value by the first user device using the first relational key into a first message;

transmitting the first message from the first user device to the server; and

receiving access to restricted content from the server based on the first plaintext value of the first message being the same as a second plaintext value provided to the server by the second user device.

18. (canceled)

19. The method of claim 17, wherein relationally encrypting the first plaintext value includes:

obtaining a fourth random integer by the first user device;

raising the first element of the first relational key to the power of the fourth random integer; and

raising the second element of the first relational key to the power of the fourth random integer and the first plaintext value.

20. (canceled)