Privacy-Preserving Biometric Authentication
Abstract
A system for using biometric data to authenticate a subject as an individual whose biometric data has been previously obtained. A second transducer has a digital electronic signal output characterizing a biometric of the subject; a second computing facility to receive the digital electronic signal; and an array of servers. These components implement processes including causing generating of shards from the digital electronic signal and distributing of the generated shards to the array of servers; causing storing of the generated shards and performing of a data exchange process using a subset of the generated shards to develop information relating to authentication of the subject; and causing processing of the authentication information in a verification process to indicate whether the subject is authenticated as the individual. A related enrollment system is also provided.
Claims
exact text as granted — not AI-modifiedWhat is claimed is:
1 . A system for using biometric data to authenticate a subject as an individual whose biometric data has been previously obtained using a first transducer coupled to a first computing facility, the system having computing components comprising:
a second transducer having a digital electronic signal output that characterizes a biometric of the subject; a second computing facility, coupled to the second transducer, configured to receive from the second transducer the digital electronic signal; and an array of servers; the second computing facility, the array of servers, and a computer-readable medium encoded with instructions, which upon execution by the foregoing computing components, establish computer processes comprising:
causing, by the second computing facility, generating of shards from the digital electronic signal and distributing of the generated shards to the array of servers;
causing, by a subset of the array of servers, storing of the generated shards and performing of a data exchange process using a subset of the generated shards to develop information relating to authentication of the subject, and
causing, by the subset of the array of servers, processing of the authentication information in a verification process to indicate whether the subject is authenticated as the individual.
2 . A system according to claim 1 , wherein the computer processes further comprise causing generation of a key of the subject using the authentication information.
3 . A system according to claim 2 , wherein causing the processing of the authentication information includes causing development of a signed message using the key and causing the signed message to be used in the verification process.
4 . A system according to claim 1 , wherein the computer processes further comprise causing a third computing facility to perform the verification process.
5 . A system according to claim 4 , wherein the third computing facility is the same as the second computing facility.
6 . A system according to claim 1 , wherein the computer processes comprise causing the second computing facility to perform the verification process.
7 . A system according to claim 1 , wherein the computer processes comprise causing generation of a signed message using the authentication information.
8 . A system according to claim 1 , wherein the computer processes further comprise receiving, by a third computing facility, the information relating to authentication of the subject.
9 . A system according to claim 1 , wherein the computer processes further comprise, receiving, by the second computing facility, the information relating to authentication of the subject.
10 . A system for using biometric data to authenticate a subject as an individual whose biometric data has been previously obtained using a first transducer coupled to a first computing facility, the system having computing components comprising:
a second transducer having a digital electronic signal output that characterizes a biometric of the subject; a second computing facility, coupled to the second transducer, configured to receive from the second transducer the digital electronic signal; and an array of servers; the second computing facility, the array of servers, and a computer-readable medium encoded with instructions, which upon execution by the foregoing computing components, establish computer processes comprising:
causing, by the second computing facility, generating of shards from the digital electronic signal and distributing of the generated shards to the array of servers;
receiving and storing by the array of servers the generated shards;
performing, by a subset of the array of servers, a data exchange process using a subset of the generated shards to develop information relating to authentication of the subject; and
causing the subset of the array of servers to transmit the information developed, wherein the developed information is configured to cause generation of an output value indicating whether the subject is authenticated as the individual.
11 . A system according to claim 10 , wherein the computer processes are performed under conditions wherein the computing components are configured as information-sharing restricted with respect to a set of items of information selected from the group consisting of the output value, the digital electronic signal, the individual's biometric data, the subject's biometric, and the generated shards.
12 . A system according to claim 10 , wherein causing by the second computing facility further includes causing encoding of the digital electronic signal, so that the generated shards are also encoded.
13 . A system according to claim 12 , wherein causing encoding includes causing use of a neural net to achieve encoding.
14 . A system according to claim 12 , wherein causing encoding includes causing representation of the digital electronic signal as a set of vectors in a metric space.
15 . A system according to claim 14 , wherein performing the data exchange process, using the subset of the generated shards to develop information relating to authentication of the subject, includes computing a set of distances in the metric space.
16 . A system according to claim 10 , wherein the data exchange process includes a multiparty computation wherein none of the servers in the server array obtains intermediate values of the multiparty computation.
17 . A system according to claim 10 , wherein a selected group of the array of servers causes generation of new shards based on the generated shards.
18 . A system according to claim 10 , wherein, a share is revocable by a revocation process that includes the data exchange process.
19 . A system according to claim 18 , wherein, upon revocation of the shard, generation of a new shard does not require the individual re-engage with the first transducer.
20 . A system according to claim 18 , wherein the revocation process does not require communication between the computing facility and the array of servers.
21 . A system according to claim 18 , wherein the revocation process includes performing the data exchange process using a subset of the subset of generated shards from a subset of the array of servers.
22 . A system according to claim 10 , wherein the data exchange process involves communication among a selected group of servers from the array of servers.
23 . A system according to claim 10 , wherein performing the data exchange process includes separately processing, by each server, its generated shards of the individual along with its generated shards of the subject to generate a new set of shards, the new set of shards constituting the output value.
24 . A system according to claim 10 , wherein receiving and storing by the array of servers the generated shards includes receiving and storing message authentication codes for the shards and the data exchange process includes using the message authentication codes to confirm that the output value indicating whether the subject is authenticated as the individual is itself authentic.
25 . A system according to claim 10 , wherein receiving and storing by the array of servers the generated shards includes receiving and storing shards of Beaver triples distributed across the array of servers with the generated shards.
26 . A system according to claim 25 , wherein receiving and storing by the array of servers the generated shards includes receiving and storing message authentication codes for the Beaver triples.
27 . A system according to claim 10 , wherein receiving and storing by the array of servers the generated shards includes receiving and storing shards of a corresponding message authentication code key.
28 . A system according to claim 10 , wherein receiving and storing by the array of servers the generated shards includes receiving and storing shards of a random value.
29 . A system according to claim 10 , wherein receiving and storing by the array of servers the generated shards includes receiving and storing shards of a function that contributes to an authentication process.
30 . A system according to claim 10 , wherein receiving and storing by the array of servers the generated shards includes extracting a confident subset of a set of biometric values of the subject in the digital electronic signal.
31 . A system according to claim 10 , wherein receiving and storing by the array of servers a set of values to enable efficient subsequent generation of shards includes receiving and storing items selected from the group consisting of Beaver triples, authentication shares, message authentication code shards, random shards, other shards, and combinations thereof.
32 . A system according to claim 10 , wherein the data exchange process includes causing the array of servers to execute a multiparty computation algorithm to determine a blinded value, causing the array of servers to compute a corresponding shard, and to return, to the second computing facility, the computed shard along with values for the message authentication codes previously computed, causing the second computing facility to use the shard data to determine whether the subject is authenticated as the individual and to evaluate the message authentication codes.
33 . A system for securely enrolling biometric data of an individual for purposes of later authentication of a subject as the individual, the system having computing components comprising:
a first transducer having a digital electronic signal output that characterizes a biometric of the individual; a first computing facility, coupled to the first transducer, configured to receive from the first transducer, the digital electronic signal; an array of servers; and a second computing facility; the first computing facility, the array of servers, the second computing facility, and a computer-readable medium encoded with instructions, which upon execution by the foregoing computing components, establish computer processes comprising:
causing generating of original shards from the digital electronic signal;
distributing, across the array of servers, the generated original shards; and
causing the array of servers to store the generated original shards;
the generated original shards being stored under conditions wherein the generated original shards are revocable.
34 . A system according to claim 33 , wherein the first computing facility, the array of servers, and the second computing facility are configured to implement computer processes further comprising: causing generating of new shards based on the original shards.
35 . A system according to claim 34 , wherein generating new shards does not require communication between the first computing facility and the array of servers.
36 . A system according to claim 33 , wherein, in the computer processes implemented by the first computing facility, the array of servers, and the second computing facility, distributing, across the array of servers, the generated original shards further includes:
distributing the generated original shards across the array of servers along with helper information selected from the group consisting of Beaver triples, function secret shares, and combinations thereof, such helper information being available for use in later authentication of the subject; and causing the array of servers to store the helper information in association with the generated original shards.
37 . A system for securely enrolling biometric data of an individual for purposes of later authentication of a subject as the individual, the system having computing components comprising:
a first transducer having a digital electronic signal output that characterizes a biometric of the individual; a first computing facility, coupled to the first transducer, configured to receive from the first transducer, the digital electronic signal; an array of servers; and a second computing facility; the first computing facility, the array of servers, the second computing facility, and a computer-readable medium encoded with instructions, which upon execution by the foregoing computing components, establish computer processes comprising:
causing generating of original shards from the digital electronic signal;
distributing, across the array of servers, the generated original shards;
causing the array of servers to store the generated original shards; and
causing generating of new shards based on the original shards.
38 . A system according to claim 37 , wherein generating new shards does not require communication between the first computing facility and the array of servers.Join the waitlist — get patent alerts
Track US2024048555A1 — get alerts on status changes and closely related new filings.
We store only your email — no account needed. See our privacy policy.