阅读说明：本技术 一种基于特征脸的隐私身份认证方法 (Privacy identity authentication method based on characteristic face ) 是由 游林 朱强 丁颖 于 2021-07-22 设计创作，主要内容包括：本发明属于人脸识别领域,公开了一种基于特征脸的隐私身份认证方法,核心实现步骤包括：1.第三方计算特征模板；2.图像预处理；3.图像生成Paillier公私钥；4.加密图像；5.第三方计算加密图像特征；6.生成Witness与Statement；7.生成CRS；8.用户生成证明；9.验证者验证证明；10.返回验证结果。本发明基于特征脸算法与同态加密算法,可信第三方在密文域上计算用户图像的特征值,却无法获取到用户的真实特征值,从根源上杜绝了生物特征信息被滥用、盗用的风险；实现了用户的隐私身份认证。(The invention belongs to the field of face recognition, and discloses a privacy identity authentication method based on a characteristic face, which comprises the following core implementation steps: 1. calculating a feature template by a third party; 2. preprocessing an image; 3. generating a Paillier public and private key by the image; 4. encrypting the image; 5. calculating the characteristics of the encrypted image by a third party; 6. generating Witness and State; 7. generating a CRS; 8. a user generates a proof; 9. verifying and proving by a verifier; 10. and returning a verification result. Based on the characteristic face algorithm and the homomorphic encryption algorithm, a trusted third party calculates the characteristic value of the user image in a ciphertext domain, but cannot acquire the real characteristic value of the user, so that the risk of abusing and embezzling the biological characteristic information is radically eliminated; the privacy identity authentication of the user is realized.)

1. A privacy identity authentication method based on a characteristic face is characterized by comprising the following steps:

step 1: calculating a feature template by a trusted third party;

step 2: constructing an encryption system;

and step 3: sending a Statement;

and 4, step 4: sending the encrypted image and the public key;

and 5: calculating a face characteristic value;

step 6: solving a linear equation;

and 7: calculating an intermediate value;

and 8: returning a ciphertext Witness;

and step 9: generating a CRS;

step 10: decrypting the Witness;

step 11, step 12: transmitting CRS;

step 13: sending the proof;

step 14: verifying and proving;

step 15: and returning a verification result.

2. The privacy identity authentication method based on the characteristic face according to claim 1, wherein the step 1 comprises the following specific steps:

step 1.1: carrying out preprocessing operation on the face image;

step 1.2: converting the face image into a column vector: the picture after graying is a matrix, each row of the matrix is connected together to form a vector, and the vector is converted into a column vector;

step 1.3: converting all pictures in the data set into vectors to obtain a matrix, carrying out zero-averaging processing on the matrix, and averaging all human faces in corresponding dimensions to obtain an average face vector; subtracting the vector from each face vector to complete zero equalization processing;

step 1.4: combining the images subjected to zero-mean processing to obtain a matrix, and obtaining a covariance matrix of a PCA algorithm through the matrix; calculating eigenvalues and eigenvectors of the covariance matrix, and selecting the largest n eigenvectors as an eigenface template;

3. the method for privacy identity authentication based on the characteristic face according to claim 2, wherein the step 2 comprises:

step 2.1: firstly, preprocessing an image;

step 2.2: solving the inverse element of an output image A in the image preprocessing stage to generate a new image matrix A';

step 2.3: solving image hash;

step 2.4: constructing a public and private key of a user;

step 2.5: encrypting the personal image;

the specific steps of step 2.1 are as follows:

step 2.1.1: firstly, acquiring a face image;

step 2.1.2: carrying out gray processing on the face image;

step 2.1.3: then, the face image is reset to be converted into an image with a fixed size;

step 2.1.4: carrying out noise reduction processing on the image; eliminating noise interference generated by the surrounding environment or equipment when the image is acquired;

step 2.1.5: carrying out histogram equalization processing on the image;

the specific steps of step 2.2 are as follows:

the image corresponding inverse element is obtained according to the formula f '(x, y) — 255-f (x, y), and a new image a' is generated. Wherein f (x, y) is a pixel value of the coordinate (x, y) on the original image; f' (x, y) is the pixel value of the new image at coordinate (x, y);

the specific steps of step 2.3 are as follows:

carrying out Hash operation on the original image and the newly generated image; according to a formula of Y-Hash (X), solving a Hash value of the image X, wherein Y is the output of a Hash function;

hash operation is respectively carried out on A and A' to generate Y₁＝Hash(A),Y₂＝Hash(A')；

The specific steps of step 2.4 are as follows:

constructing a public and private key of the user according to the Paillier algorithm and the image hash value in the step 2.3; wherein the large prime number p is a prime number which is greater than A and closest to A, the large prime number q is a prime number which is greater than A 'and closest to A', and satisfies gcd (pq, (p-1) (q-1)) ═ 1;

according to a formula lambda ═ lcm (p-1, q-1), calculating the least common multiple lambda of p-1 and q-1;

calculating N according to a formula N as p.q;

randomly selecting an integer g and satisfying gcd (L (g)^λmodN²),N)＝1

Wherein mod represents the operation of taking the modulus, and gcd represents the operation of solving the maximum common multiple; g represents the set {0,1,2,3, …, N²-1} l (u) u-1/N;

finally, obtaining a public key (g, N) and a private key (p, q);

the step 2.5 comprises the following specific steps:

encrypting each pixel value of the image according to a public key pair (g, N) generated by a Paillier algorithm:

G(x,y)＝g^f(x,y)r^NmodN²

f (x, y) represents a pixel value of the preprocessed image at coordinates (x, y); r is a random number representing an element of the set {0,1,2, …, N } that is co-prime with N; g (x, y) is represented as an encrypted value of the original image under coordinates (x, y);

the encrypted image is converted into a vector form, the encrypted image is a matrix, each row of the matrix is connected together to form a vector, and the vector is converted into a column vector.

4. The privacy identity authentication method based on the characteristic face according to claim 3, wherein the step 3 comprises the following specific steps:

the server calculates the first n maximum feature templates (X) according to the step 1₁,X₂,X₃,…,X_n) (feature vector) in which each parameter X_iAll are m-dimensional characteristic face templates; adding the values in each characteristic template, and then carrying out rounding operation to convert the values into integer values, thereby obtaining n integers (Y)₁,Y₂,Y₃,…,Y_n)；

N integers (Y)₁,Y₂,Y₃,…,Y_n) Send to the verifier in a secret way as a Statement in zero-knowledge proof;

the step 4 comprises the following specific steps:

the user sends the encrypted column vector and a public key pair (g, N) generated by the Paillier algorithm to a trusted third party;

the step 5 comprises the following specific steps:

after receiving the column vector of the encrypted image of the user and the public key of the user, the trusted third party calculates a face ciphertext characteristic value (theta'₁,θ′₂,θ′₃,…,θ′_n)；

The feature vector of the user is calculated according to the following formula:

wherein Γ represents data of a face vector, Ψ represents a vector formed by the mean value of the dimensionality of the face vector, namely an average face, at the initial stage of calculation of the PCA algorithm;

given the encrypted face image cryptograph and the public key of the user, the face feature value (theta ') in the form of the cryptograph is obtained according to the addition homomorphism of the Paillier algorithm'₁,θ′₂,θ′₃,…,θ′_n)。

5. The method for privacy identity authentication based on the characteristic face according to claim 4, wherein the step 6 comprises the following specific steps:

according to the characteristic of the characteristic face algorithm, the input face image is represented by the following formula: theta₁·X₁+θ₂·X₃+θ₃·X₃+…+θ_n·X_n≈Y

Wherein (theta)₁,θ₂,θ₃,…,θ_n) Is a cleartext face characteristic value, (X)₁,X₂,X₃,…,X_n) Each parameter X in_iAll the face templates are m-dimensional feature face templates, and Y is an m-dimensional input plaintext face vector;

then the local n m-dimensional characteristic face templates (X)₁,X₂,X₃,…,X_n) Each feature template X_iIs added and then an integer is taken, and all values in the vector Y are added and then an integer is taken to obtain an integer Y', thereby approximately converting the equation into theta₁·Y₁+θ₂·Y₂+θ₃·Y₃+…+θ_n·Y_n≈Y'，

Wherein the integer Y_iFor the ith feature template X_iAdding all the values and then rounding, wherein the integer Y' is the plain text form of the face column vector and then rounding;

the ciphertext integer Z may be computed from the left side of the equation, i.e.: theta₁·Y₁+θ₂·Y₂+θ₃·Y₃+…+θ_n·Y_nZ, where Z is expressed as the addition of all pixel values within the face image, i.e., Y 'is approximately equal to Z and Y' -Z | < δ, δ being a very small real number;

the step 7 comprises the following specific steps:

according to the formula theta₁·Y₁+θ₂·Y₂+θ₃·Y₃+…+θ_n·Y_nZ, the intermediate secret hidden value (C ') is calculated by utilizing additive homomorphism of Paillier algorithm'₁,C′₂,C′₃,…,C′_nZ'); wherein C is in the form of plaintext_i＝θ_i·Y_i，(C′₁,C′₂,C′₃,…,C′_nZ') are in ciphertext form, (Y)₁,Y₂,Y₃,…,Y_n) Stored locally in clear text form;

6. the method for privacy identity authentication based on the characteristic face according to claim 5, wherein the step 8 comprises the following specific steps:

the trusted third party calculates Witness in the zero knowledge proof by adopting a homomorphic encryption technology according to ciphertext face information and a public key sent by a user;

sending the Witness of the ciphertext to the user;

wherein the Witness ciphertext is (theta'₁,θ′₂,θ′₃,…,θ′_n,C′₁,C′₂,C′₃,…,C′_n,Z')；

The step 9 comprises the following specific steps:

the trusted third party adopts zero knowledge proof technology to theta₁·Y₁+θ₂·Y₂+θ₃·Y₃+…+θ_n·Y_nProcessing the Z; statement (Y)₁,Y₂,Y₃,…,Y_n) Is a fixed value; different users use different facial images and different Witness is generated, that is, different facial images are usedThe trusted third party is converted into the Algebraic Circuit according to the equation, the Algebraic Circuit is converted into R1CS, the Algebraic Circuit is converted into the QAP/QSP according to R1CS, and finally the Zk-SNARKs problem is solved, and meanwhile, random numbers are selected according to the equation structure to generate Common Reference String (CRS);

CRS is as follows:

the trusted third party randomly selects alpha, beta, gamma and delta,τ is defined as (α, β, δ, x), and CRS is calculated as ([ σ ═ y ═ c₁]₁,[σ₂]₂)，

Wherein, [ x ]]₁Is expressed as g^x，[x]₂Is denoted by h^xG, h are both groups G₁,G₂A generator of [ a ]]₁·[b]₂＝[a·b]_T＝e(g,h)^a·b。

7. The method for privacy identity authentication based on the characteristic face according to claim 6, wherein the step 10 comprises the following specific steps:

and the user receives the ciphertext Witness sent by the trusted third party, and decrypts according to the private key (p, q) of the user to obtain the plaintext Witness.

The steps 11 and 12 comprise the following specific steps:

the credible third party generates a corresponding CRS according to the step 9, and sends the CRS to the verifier and the user in a plaintext open manner;

the step 13 comprises the following specific steps:

after receiving CRS sent by a trusted third party, a user selects a corresponding random numberAnd the calculation is carried out according to the plaintext Witness to prove that pi is ([ A ]]₁,[C]₁,[B]₂)，

Wherein a in the above equation_iWhere i ∈ l +1, l +2, …, m is Witness obtained by the user (prover) to the third party, and Witness is (θ'₁,θ′₂,θ′₃,…,θ′_n,C′₁,C′₂,C′₃,…,C′_n,Z')；

The calculated proof pi ═ a ([ a ]]₁,[C]₁,[B]₂) And sending to the verifier.

8. The method for privacy identity authentication based on the characteristic face according to claim 7, wherein the step 14 comprises the following specific steps:

after receiving the user (prover) certification, the verifier resolves the certification pi ═ ([ a ]]₁,[C]₁,[B]₂) (ii) a And verifying whether the following equation is established or not by combining the Statement sent to the client by the trusted third party:

wherein a in the above equation_iI ∈ 0,1,2,3, …, l is Statement sent by the trusted third party to the verifier secret, and Statement is (Y)₁,Y₂,Y₃,…,Y_n)；

If the equation passes the verification, namely the two sides of the equation are equal, the user is a legal user authenticated by the trusted third party; and if the equation verification is not passed, the user is an illegal user.

9. The method for privacy identity authentication based on the characteristic face according to claim 8, wherein the step 15 comprises the following specific steps:

the verifier performs corresponding processing according to the equation verification result of step 14:

if the user is verified to be a legal user, returning authentication success to the user; if the verification fails, returning verification failure to the user;

10. the method for private identity authentication based on a eigenface according to claim 9, wherein in the step 15, when performing identity authentication, the verifier performs aggregated verification of the proofs of a plurality of provers; the method comprises the following specific steps:

the verifier initializes four elements (a, B, C, D) to have zero values and aggregates them using the following formula:

wherein it proves that pi ═ A_i]₁,[B_i]₂,[C_i]₁) I e {1,2,3, …, N } represents the proofs issued to the verifier for i users;

finally, whether the following equation holds is verified:

if the equation is established, the identities of the N users are legal users, otherwise, the illegal users exist in the aggregated certificate, and the equation cannot be verified.

Technical Field

The invention belongs to the field of face recognition, and particularly relates to a privacy identity authentication method based on a characteristic face.

Background

The eigenface method is an ancient human face recognition algorithm. The core technology of the algorithm is a PCA algorithm, which is a linear dimensionality reduction method and mainly carries out dimensionality reduction on unstructured data such as image data and text data. The eigenface method is used for face recognition and proposed by Sirovich and Kirby. Matthew Turk and Alex Pentland subsequently proposed more sophisticated feature face recognition methods.

Zero knowledge proofs were proposed by s.gold Wasser, s.micali and c.rackoff in the beginning of the 80's 20 th century. A zero knowledge proof means that the prover can convince the verifier that some argument is correct without providing the verifier with any useful information. The zero-knowledge proof is mainly divided into two ways of interactive proof and non-interactive proof. Since both parties may cheat in the interactive zero-knowledge proof, a non-interactive zero-knowledge proof is generally adopted.

In a traditional face recognition scene, a verifier acquires face information of a prover in real time through equipment, then calculates face features of the prover through an artificial intelligence correlation technique, and finally obtains a closest distance to a known image by adopting a clustering method (nearest neighbor or k-nearest neighbor, etc.). This method, however, has certain drawbacks. The following disadvantages are mainly present: firstly, the risk of abuse and leakage of face data exists. Secondly, the prover can pass the system verification even if the face of the prover is changed by AI.

Disclosure of Invention

The invention aims to provide a privacy identity authentication method based on a characteristic face, and aims to solve the technical problems of risks of face information abuse, leakage, counterfeiting and the like in the prior art.

In order to solve the technical problems, the specific technical scheme of the privacy identity authentication method based on the characteristic face is as follows:

a privacy identity authentication method based on a characteristic face comprises the following steps:

step 1: calculating a feature template by a trusted third party;

step 2: constructing an encryption system;

and step 3: sending a Statement;

and 4, step 4: sending the encrypted image and the public key;

and 5: calculating a face characteristic value;

step 6: solving a linear equation;

and 7: calculating an intermediate value;

and 8: returning a ciphertext Witness;

and step 9: generating a CRS;

step 10: decrypting the Witness;

step 11, step 12: transmitting CRS;

step 13: sending the proof;

step 14: verifying and proving;

step 15: and returning a verification result.

Further, the step 1 comprises the following specific steps:

step 1.1: carrying out preprocessing operation on the face image;

step 1.2: converting the face image into a column vector: the picture after graying is a matrix, each row of the matrix is connected together to form a vector, and the vector is converted into a column vector;

step 1.3: converting all pictures in the data set into vectors to obtain a matrix, carrying out zero-averaging processing on the matrix, and averaging all human faces in corresponding dimensions to obtain an average face vector; subtracting the vector from each face vector to complete zero equalization processing;

step 1.4: combining the images subjected to zero-mean processing to obtain a matrix, and obtaining a covariance matrix of a PCA algorithm through the matrix; calculating eigenvalues and eigenvectors of the covariance matrix, and selecting the largest n eigenvectors as an eigenface template;

further, the step 2 comprises:

step 2.1: firstly, preprocessing an image;

step 2.2: solving the inverse element of an output image A in the image preprocessing stage to generate a new image matrix A';

step 2.3: solving image hash;

step 2.4: constructing a public and private key of a user;

step 2.5: encrypting the personal image;

the specific steps of step 2.1 are as follows:

step 2.1.1: firstly, acquiring a face image;

step 2.1.2: carrying out gray processing on the face image;

step 2.1.3: then, the face image is reset to be converted into an image with a fixed size;

step 2.1.4: carrying out noise reduction processing on the image; eliminating noise interference generated by the surrounding environment or equipment when the image is acquired;

step 2.1.5: carrying out histogram equalization processing on the image;

the specific steps of step 2.2 are as follows:

the image corresponding inverse element is obtained according to the formula f '(x, y) — 255-f (x, y), and a new image a' is generated. Wherein f (x, y) is a pixel value of the coordinate (x, y) on the original image; f' (x, y) is the pixel value of the new image at coordinate (x, y);

the specific steps of step 2.3 are as follows:

carrying out Hash operation on the original image and the newly generated image; according to a formula of Y-Hash (X), solving a Hash value of the image X, wherein Y is the output of a Hash function;

hash operation is respectively carried out on A and A' to generate Y₁＝Hash(A),Y₂＝Hash(A')；

The specific steps of step 2.4 are as follows:

constructing a public and private key of the user according to the Paillier algorithm and the image hash value in the step 2.3; wherein the large prime number p is a prime number which is greater than A and closest to A, the large prime number q is a prime number which is greater than A 'and closest to A', and satisfies gcd (pq, (p-1) (q-1)) ═ 1;

according to a formula lambda ═ lcm (p-1, q-1), calculating the least common multiple lambda of p-1 and q-1;

calculating N according to a formula N as p.q;

randomly selecting an integer g and satisfying gcd (L (g)^λmodN²),N)＝1

Wherein mod represents the operation of taking the modulus, and gcd represents the operation of solving the maximum common multiple; g represents the set {0,1,2,3, …, N²-1} l (u) u-1/N;

finally, obtaining a public key (g, N) and a private key (p, q);

the step 2.5 comprises the following specific steps:

encrypting each pixel value of the image according to a public key pair (g, N) generated by a Paillier algorithm:

G(x,y)＝g^f(x,y)r^N mod N²

f (x, y) represents a pixel value of the preprocessed image at coordinates (x, y); r is a random number representing an element of the set {0,1,2, …, N } that is co-prime with N; g (x, y) is represented as an encrypted value of the original image under coordinates (x, y);

the encrypted image is converted into a vector form, the encrypted image is a matrix, each row of the matrix is connected together to form a vector, and the vector is converted into a column vector.

Further, the step 3 comprises the following specific steps:

the server calculates the first n maximum feature templates (X) according to the step 1₁,X₂,X₃,…,X_n) (feature vector) in which each parameter X_iAll are m-dimensional characteristic face templates; adding the values in each characteristic template, and then carrying out rounding operation to convert the values into integer values so as to obtain n integers (Y)₁,Y₂,Y₃,…,Y_n)；

N integers (Y)₁,Y₂,Y₃,…,Y_n) Send to the verifier in a secret way as a Statement in zero-knowledge proof;

the step 4 comprises the following specific steps:

the user sends the encrypted column vector and a public key pair (g, N) generated by the Paillier algorithm to a trusted third party;

the step 5 comprises the following specific steps:

after receiving the column vector of the encrypted image of the user and the public key of the user, the trusted third party calculates a face ciphertext characteristic value (theta'₁,θ′₂,θ′₃,…,θ′_n)；

Calculating the characteristic value of the user according to the following formula:

wherein Γ represents data of a face vector, Ψ represents a vector formed by the mean value of the dimensionality of the face vector, namely an average face, at the initial stage of calculation of the PCA algorithm;

giving the encrypted face image ciphertext and the public key of the user, and solving the face characteristic value (theta ') in the form of the ciphertext according to the addition homomorphism of the Paillier algorithm'₁,θ′₂,θ′₃,…，θ′_n)。

Further, the step 6 comprises the following specific steps:

according to the characteristic of the characteristic face algorithm, the input face image is represented by the following formula:

θ₁·X₁+θ₂·X₃+θ₃·X₃+…+θ_n·X_n≈Y

wherein (theta)₁,θ₂,θ₃,…,θ_n) Is a cleartext face characteristic value, (X)₁,X₂,X₃,…,X_n) Each parameter X in_iAll the face templates are m-dimensional feature face templates, and Y is an m-dimensional input plaintext face column vector;

the trusted third party then maps the local n m-dimensional feature face templates (X)₁,X₂,X₃,…,X_n) Each feature template X_iIs added and then an integer is taken, and all values in the vector Y are added and then an integer is taken to obtain an integer Y', thereby approximately converting the equation into theta₁·Y₁+θ₂·Y₂+θ₃·Y₃+…+θ_n·Y_n≈Y'，

Wherein the integer Y_iFor the ith feature template X_iAdding all the values and then rounding, wherein the integer Y' is the plain text form of the face column vector and then rounding;

the ciphertext integer Z may be computed from the left side of the equation, i.e.: theta₁·Y₁+θ₂·Y₂+θ₃·Y₃+…+θ_n·Y_nZ, where Z is expressed as the addition of all pixel values within the face image, i.e., Y 'is approximately equal to Z and Y' -Z | < δ, δ being a very small real number;

the step 7 comprises the following specific steps:

according to the formula theta₁·Y₁+θ₂·Y₂+θ₃·Y₃+…+θ_n·Y_nZ, the intermediate secret hidden value (C ') is calculated by utilizing additive homomorphism of Paillier algorithm'₁,C′₂,C′₃,…,C′_nZ'); wherein C is in the form of plaintext_i＝θ_i·Y_i，(C′₁,C′₂,C′₃,…,C'_nZ') are in ciphertext form, (Y)₁,Y₂,Y₃,…,Y_n) Storing in a local plaintext form;

further, the step 8 comprises the following specific steps:

the trusted third party calculates Witness in the zero knowledge proof by adopting a homomorphic encryption technology according to ciphertext face information and a public key sent by a user;

sending the Witness of the ciphertext to the user;

wherein the Witness ciphertext is (theta'₁,θ′₂,θ′₃,,θ′_n,C′₁,C′₂,C′₃，…，C′_n，Z)；

The step 9 comprises the following specific steps:

the trusted third party adopts zero knowledge proof technology to theta₁·Y₁+θ₂·Y₂+θ₃·Y₃+…+θ_n·Y_nProcessing the Z; statement (Y)₁,Y₂,Y₃,…,Y_n) Is a fixed value; different users use different face images to generate different Witness (theta'₁,θ′₂,θ′₃,…,θ′_n,C′₁,C′₂,C′₃，…，C′_nZ') can be trustedThe three parties are converted into Algebraic Circuit according to the equation, the Algebraic Circuit is converted into R1CS, the Algebraic Circuit is converted into QAP/QSP according to R1CS, and finally the Zk-SNARKs problem is solved, and meanwhile, random numbers are selected according to the equation structure of the step 6 to generate Common Reference String (CRS);

CRS is as follows:

the trusted third party randomly selects alpha, beta, gamma and delta,τ is defined as (α, β, δ, x), and CRS is calculated as ([ σ ═ y ═ c₁]₁,[σ₂]₂)，

Wherein, [ x ]]₁Is expressed as g^x，[x]₂Is denoted by h^xG, h are both groups G₁,G₂A generator of [ a ]]₁·[b]₂＝[a·b]_T＝e(g,h)^a·b。

Further, the step 10 includes the following specific steps:

and the user receives the ciphertext Witness sent by the trusted third party, and decrypts according to the private key (p, q) of the user to obtain the plaintext Witness.

The steps 11 and 12 comprise the following specific steps:

the credible third party generates a corresponding CRS according to the step 9, and sends the CRS to the verifier and the user in a plaintext open manner;

the step 13 comprises the following specific steps:

after receiving CRS sent by a trusted third party, a user selects a corresponding random numberRoot of Chinese angelicaAccording to the clear text Witness calculation, pi ═ ([ A)]₁,[C]₁,[B]₂)，

Wherein a in the above equation_iWhere i ∈ l +1, l +2, …, m is Witness obtained by the user (prover) to the third party, and Witness is (θ'₁,θ′₂,θ′₃,…,θ′_n,C′₁,C′₂,C′₃，…，C′_n，Z′)；

The calculated proof pi ═ a ([ a ]]₁,[C]₁,[B]₂) And sending to the verifier.

Further, the step 14 includes the following specific steps:

after receiving the user (prover) certification, the verifier resolves the certification pi ═ ([ a ]]₁,[C]₁,[B]₂) (ii) a And verifying whether the following equation is established or not by combining the Statement sent to the client by the trusted third party:

wherein a in the above equation_iI ∈ 0,1,2,3, …, l is Statement sent by the trusted third party to the verifier in secret, and Statement in this embodiment of the present application is (Y)₁,Y₂,Y₃,…,Y_n)；

If the equation passes the verification, namely the two sides of the equation are equal, the user is a legal user authenticated by the trusted third party; and if the equation verification is not passed, the user is an illegal user.

Further, the step 15 includes the following specific steps:

the verifier performs corresponding processing according to the equation verification result of step 14:

if the user is verified to be a legal user, returning authentication success to the user; if the verification fails, returning verification failure to the user;

further, in the step 15, when performing identity authentication, the verifier may perform aggregate verification on the proofs of multiple provers; the method comprises the following specific steps:

the verifier initializes four elements (a, B, C, D) to have zero values and aggregates them using the following formula:

wherein it proves that pi ═ A_i]₁,[B_i]₂,[C_i]₁) I e {1,2,3, …, N } represents the proof issued to the verifier by the ith user;

finally, whether the following equation holds is verified:

if the equation is established, the identities of the N users are legal users, otherwise, the illegal users exist in the aggregated certificate, and the equation cannot be verified.

The privacy identity authentication method based on the characteristic face has the following advantages that:

compared with the prior art, the privacy identity authentication method based on the characteristic face is provided, and a formula theta is used₁·Y₁+θ₂·Y₂+θ₃·Y₃+…+θ_n·Y_nImplementing privacy identity authentication, using zero knowledge proof techniques to verify that the equation holds. Finally, on the basis of the Groth2016 zero-knowledge algorithm, the identity aggregation verification method is realizedFormula (I), multiple users can be verified with only one calculation, and the storage space requires only 4 elements. Any information related to the user (prover) is hidden in the process. That is, the verifier and the trusted third party do not need to store any information of the user, so that the user information is not abused and stolen. The identity of the user can be verified to be legal through the proof sent by the user, but the verifier does not know the real identity of the user, the verifier does not locally store the real identity information of the user, and useful information cannot be acquired from the proof pi, so that privacy identity authentication is realized. Therefore, the embodiment can ensure that the real identity information of the user (prover) cannot be leaked, and can also ensure that the validity verification of the identity is not influenced, and finally, the verification efficiency is also improved.

Drawings

FIG. 1 is a sequence diagram of the present invention;

FIG. 2 is a flow chart of the present invention for a user to build an encryption system locally;

FIG. 3 is a flow chart of a user at an image pre-processing stage according to the present invention;

fig. 4 is a flow chart of the verifier performing aggregated verification on a plurality of users in the present invention;

FIG. 5 is a core flow diagram of the present invention;

Detailed Description

In order to better understand the purpose, structure and function of the present invention, a privacy identity authentication method based on a characteristic face according to the present invention is described in further detail below with reference to the accompanying drawings.

According to a first aspect of the embodiments of the present application, there is provided a privacy identity authentication method based on a characteristic face, including: the user locally performs image preprocessing operation on the acquired face image, such as: graying, resizing, noise reduction, etc.; and meanwhile, according to the processed image, calculating the inverse element of the image to generate an inverse image. Calculating a hash value by utilizing the two images to construct a public and private key pair of a Paillier algorithm; and encrypting each element in the image by using a public key of a Paillier algorithm, converting the encrypted face image into a column vector form, and finally sending the encrypted vector and the public key to a trusted third party.

According to a second aspect of the embodiments of the present application, there is provided a privacy identity authentication method based on a characteristic face, including: a trusted third party selects a face database locally at random, and trains a plurality of characteristic face templates X (characteristic vectors) according to a characteristic face method; calculating a Statement (Statement) according to the feature vector, and sending the Statement to the verifier in a secret form; a trusted third party acquires an encrypted column vector (in a face ciphertext form) sent to the trusted third party by a user (a prover) and a public key of the user; using a characteristic face method and a homomorphic encryption technology for an encrypted column vector of a user, projecting a ciphertext face image to a characteristic face subspace to obtain a ciphertext characteristic value (theta ') of the face'₁,θ′₂,θ′₃,…,θ′_n) (ii) a According to the characteristic face method, an input face image can be linearly represented by a characteristic template: theta₁·X₁+θ₂·X₂+θ₃·X₃+…+θ_n·X_nY is approximately distributed; wherein (theta)₁,θ₂,θ₃,,…θ_n) In the form of plain text of face feature vector (X)₁,X₂,X₃,…,X_n) Each parameter X in_iAll the face templates are m-dimensional feature face templates, and Y is a plaintext form of m-dimensional face column vectors; then the local n m-dimensional characteristic face templates (X)₁,X₂,X₃,…,X_n) Each feature template X_iAll values in vector Y are added and then integers are taken to obtain integer Y', thereby approximately converting the equation into theta₁·Y₁+θ₂·Y₂+θ₃·Y₃+…+θ_n·Y_nY', where the integer Y_iFor the ith feature template X_iAdding all the values and then rounding, wherein the integer Y' is the integer after adding the plaintext form of the face column vector; the ciphertext integer Z may be computed from the left side of the equation, i.e.: theta₁·Y₁+θ₂·Y₂+θ₃·Y₃+…+θ_n·Y_nZ transforms the equation into a zero-knowledge proof problem that verifies that the user has certain parameters, i.e., the user's identity isNo legal, in equation (Y)₁,Y₂,Y₃,…,Y_n) Locally calculated Statement. Then, the intermediate ciphertext hidden value (C) is homomorphically calculated by adopting the Paillier algorithm addition₁',C'₂,C₃',…,C'_nZ'); wherein C is in the form of plaintext_i＝θ_i·Y_i(ii) a The trusted third party then processes the processed data Witness, i.e.…C′_nZ is sent to the user.

According to a third aspect of the embodiments of the present application, there is provided a privacy identity authentication method based on a characteristic face, including: after receiving the ciphertext, the user (the prover) decrypts the ciphertext by using the private key to obtain plaintext Witness; the trusted third party generates Common Reference String (CRS) using a zero-knowledge proof algorithm according to the above equation structure, because the operation represented by the polynomial structure is not intended to calculate the result, but checks whether the process of this operation is correct in the case of the assignment of a variable already known to the prover; the trusted third party adopts a zero-knowledge proof algorithm (such as SONIC, PLONK and the like), generates Common Reference String (CRS) by using a random number according to the operation structure of the equation and publishes the CRS to the whole network, and after receiving the CRS, the user (prover) calculates by combining with local witness to generate a proof (marked as pi) and sends the proof to the verifier; the verifier receives CRS sent by a trusted third party and also carries out corresponding parameter calculation, meanwhile, the verifier can accept the proofs pi sent by a plurality of proofers, and the same Statement (Statement) can be used for carrying out one-to-one independent identity verification on the proofers; as long as the prover has the Witness generated by the trusted third party for the prover, a legal proof pi can be generated according to the CRS, so that the verifier believes that the user is a legal user; but the verifier does not know the real identity of the user and does not locally store the real identity information of the user, thereby realizing the privacy identity authentication.

According to a fourth aspect of the embodiments of the present application, there is provided a privacy identity authentication method based on a characteristic face, including: the zero knowledge proof algorithm of Jens Groth in 2016 in the paper On the Size of Pairing-based Non-interactive enterprises (hereinafter referred to as Groth2016) is improved, so that the scheme can realize the aggregated identity verification by adopting the algorithm; the proof pi sent by a plurality of proofers is obtained, and the verifier only needs to store 4 group elements locally to finish the aggregate verification, so that the storage overhead of the verifier is greatly reduced; the algorithm needs to verify in the verification phase that the following equation holds:

if the equation is established, the identities of the N users are all legal users, otherwise, if illegal users (users without authorization of a trusted third party) exist in the aggregated certificate, the equation cannot be verified; the specific construction process of the group elements (A, B, C, D) is as follows:

wherein, it proves that pi ═ ([ A ]_i]₁,[B_i]₂,[C_i]₁) I e {1,2,3, …, N } represents the proof issued by the ith user to the verifier.

Compared with the prior art, the privacy identity authentication method based on the characteristic face is provided, and a formula theta is used₁·Y₁+θ₂·Y₂+θ₃·Y₃+…+θ_n·Y_nImplementing privacy identity authentication, using zero knowledge proof techniques to verify that the equation holds. Finally, on the basis of a Groth2016 zero-knowledge algorithm, an identity aggregation verification mode is achieved, a plurality of users can be verified only through one-time calculation, and only 4 elements are needed in a storage space. Any information related to the user (prover) is hidden in the process. That is, the verifier and the trusted third party do not need to store any information of the user, so that the user information is not abused and stolen. The user's identity can be verified to be legitimate by the proof sent by the user,however, the verifier does not know the real identity of the user, and the verifier does not locally store the real identity information of the user and cannot acquire useful information from the proof pi, so that privacy identity authentication is realized. Therefore, the embodiment can ensure that the real identity information of the user (prover) cannot be leaked, and can also ensure that the validity verification of the identity is not influenced, and finally, the verification efficiency is also improved.

The steps of the present invention will be described in further detail with reference to fig. 1.

1. The trusted third party computes a feature template. The trusted third-party server selects a face database locally at random, and calculates a local characteristic face template according to a characteristic face algorithm, wherein the specific steps are as follows:

1.1, carrying out preprocessing operation on the face image. For example: operations such as size conversion, graying and the like;

1.2 converting the face image into a column vector: the picture after the graying processing is a matrix, each row of the matrix is connected together to form a vector, and the vector is converted into a column vector;

1.3 after all pictures in the data set are converted into vectors, a matrix can be obtained. And carrying out zero-averaging processing on the basis, namely averaging all the human faces in corresponding dimensions to obtain an average face vector. Subtracting the vector from each face vector to complete zero equalization processing;

1.4, combining the images subjected to zero mean processing to obtain a matrix, and obtaining a covariance matrix of a PCA algorithm through the matrix; calculating eigenvalues and eigenvectors of the covariance matrix, wherein the dimension of each eigenvector is consistent with the dimension of the original image, so that the eigenvectors can be regarded as an image, and the eigenvectors are so-called eigenfaces; we select the largest n eigenvectors as the eigenface template.

2. Constructing an encryption system:

the steps of the encryption system of the present invention are described in further detail with reference to fig. 2.

2.1 first of all, the image is preprocessed:

the image pre-processing step of the present invention is described in further detail with reference to fig. 3.

2.1.1, firstly, acquiring a face image;

2.1.2 carrying out gray processing on the face image;

2.1.3 resetting the size of the face image and converting the face image into an image with a fixed size;

2.1.4, carrying out noise reduction processing on the image; eliminating noise interference generated by the surrounding environment or equipment when the image is acquired; the conventional noises are: gaussian noise, salt and pepper noise, rayleigh noise, etc.; the commonly used image denoising methods include: an average filter, gaussian filter, median filter, etc.

2.1.5 histogram equalization processing is carried out on the image.

The basic principle of histogram equalization is: the gray values with a large number of pixels (namely, the gray values which mainly act on the picture) in the image are widened, and the gray values with a small number of pixels (namely, the gray values which do not mainly act on the picture) are merged, so that the contrast is increased, the image is clear, and the aim of enhancement is fulfilled.

2.2 solving the inverse element of the output image A in the image preprocessing stage to generate a new image matrix A'.

The image corresponding inverse element is obtained according to the formula f '(x, y) — 255-f (x, y), and a new image a' is generated. Wherein f (x, y) is a pixel value of the coordinate (x, y) on the original image; f' (x, y) is the pixel value of the new image at coordinate (x, y).

And 2.3, hashing the image.

Carrying out Hash operation on the original image and the newly generated image; according to a formula of Y-Hash (X), solving a Hash value of the image X, wherein Y is the output of a Hash function; the Hash function used in the present invention is SHA-512.

Hash operation is respectively carried out on A and A' to generate Y₁＝Hash(A),Y₂＝Hash(A')。

2.4 construct the public and private keys of the user.

Image hash value according to Paillier algorithm and 2.3Constructing a public and private key of the user; wherein the big prime number p is a prime number which is larger than A and is closest to A, the big prime number q is a prime number which is larger than A 'and is closest to A', and the conditions are satisfied

According to the formulaAnd calculating the minimum common multiple lambda of p-1 and q-1.

According to the formula N, p · q, N is calculated.

Randomly selecting an integer g satisfying

Wherein mod represents the operation of taking the modulus, and gcd represents the operation of solving the maximum common multiple; g represents the set {0,1,2,3, …, N²-1} l (u) u-1/N.

Finally, the public key is (g, N), and the private key is (p, q).

2.5 encrypting the personal image.

Encrypting each pixel value of the image according to a public key pair (g, N) generated by a Paillier algorithm:

f (x, y) represents a pixel value of the preprocessed image at coordinates (x, y); r is a random number, typically representing an element of the set 0,1,2, …, N that is co-prime with N; g (x, y) is represented as an encrypted value of the original image at coordinates (x, y).

The encrypted image is converted into a vector form, the encrypted image is a matrix, each row of the matrix is connected together to form a vector, and the vector is converted into a column vector.

3. Send Statement.

The server calculates the first n maximum feature templates (X) according to the step 1₁,X₂,X₃,…,X_n) (feature vector) in which each parameter X_iAll are m-dimensional characteristic face templates; adding the values in each characteristic template, and then carrying out rounding operation to convert the values into integer values so as to obtain n integers (Y)₁,Y₂,Y₃,…,Y_n)。

N integers (Y)₁,Y₂,Y₃,…,Y_n) The Statement, which is in zero knowledge proof, is sent to the verifier in a secret way.

4. The encrypted image and the public key are transmitted.

And the user sends the encrypted column vector and the public key pair (g, N) generated by the Paillier algorithm to the trusted third party.

5. And calculating the face characteristic value.

After receiving the column vector of the encrypted image of the user and the public key of the user, the trusted third party calculates a face ciphertext characteristic value (theta'₁,θ′₂,θ′₃,…,θ′_n)。

The feature vector of the user is calculated according to the following formula:

where Γ represents data of a face vector, and Ψ represents a vector formed by the mean of dimensions of the face vector at the initial stage of computation of the PCA algorithm, that is, an average face.

Because the Paillier algorithm has addition homomorphism, the human face characteristic value (theta ') in a cryptograph form can be obtained by giving the encrypted human face image cryptograph and the public key of the user'₁,θ′₂,θ′₃,…,θ′_n)。

6. And solving a linear equation.

According to the characteristic of the characteristic face algorithm, the input face image can be represented by the following formula:

θ₁·X₁+θ₂·X₃+θ₃·X₃+…+θ_n·X_n≈Y

wherein (theta)₁,θ₂,θ₃,…,θ_n) Is a cleartext face characteristic value, (X)₁,X₂,X₃,…,X_n) Each parameter X in_iAre all m-dimensional characteristic face templates, and Y is an m-dimensional input plaintext face vector.

Then the local n m-dimensional characteristic face templates (X)₁,X₂,X₃,…,X_n) Each feature template X_iIs added and then an integer is taken, and all values in the vector Y are added and then an integer is taken to obtain an integer Y', thereby approximately converting the equation into theta₁·Y₁+θ₂·Y₂+θ₃·Y₃+…+θ_n·Y_n≈Y'。

Wherein the integer Y_iFor the ith feature template X_iAnd adding all the values in the vector, and then rounding, wherein the integer Y' is the plain text form of the face column vector, and then rounding.

The ciphertext integer Z may be computed from the left side of the equation, i.e.: theta₁·Y₁+θ₂·Y₂+θ₃·Y₃+…+θ_n·Y_nZ. Where Z can be approximated as the addition of all pixel values within the face image, i.e., Y '≈ Z and Y' -Z | < δ, δ is a very small real number.

7. An intermediate value is calculated.

According to the formula theta₁·Y₁+θ₂·Y₂+θ₃·Y₃+…+θ_n·Y_nZ, the intermediate secret hidden value (C ') is calculated by utilizing additive homomorphism of Paillier algorithm'₁,C′₂,C′₃,…,C′'_nZ'); wherein C is in the form of plaintext_i＝θ_i·Y_i，(C′₁,C′₂,C′₃,…,C′_nZ') are in ciphertext form, (Y)₁,Y₂,Y₃,…,Y_n) Stored in local clear text form.

8. Returning the ciphertext Witness.

The trusted third party calculates Witness in the zero knowledge proof by adopting a homomorphic encryption technology according to ciphertext face information and a public key sent by a user;

sending the Witness of the ciphertext to the user;

wherein the Witness ciphertext is (theta'₁,θ′₂,θ′₃',…,θ′_n,C′₁,C′₂,C₃，…，C′_n，Z′)。

9. And generating the CRS.

The trusted third party adopts zero knowledge proof technology to theta₁·Y₁+θ₂·Y₂+θ₃·Y₃+…+θ_n·Y_nProcessing the Z; since the feature template used by the trusted third party is fixed, State element (Y)₁,Y₂,Y₃,…,Y_n) Must be a fixed value; different users use different facial images and different Witness is generated, that is, different facial images are usedTherefore, the trusted third party is converted into the Algebraic Circuit according to the equation, the Algebraic Circuit is converted into the R1CS, the R1CS is converted into the QAP/QSP, and finally the Zk-SNARKs problem is solved, and meanwhile, random numbers are selected according to the equation structure to generate Common Reference String (CRS); because the polynomial structure represents an operation, not for the purpose of calculating the result, but in the case of variable assignments already known to the prover, it is checked whether the course of this operation is correct.

This example uses the zero-knowledge proof of knowledge algorithm described by Jens Groth in 2016 in the paper On the Size of pair-based Non-interactive orientations (hereinafter referred to as Groth 2016); therefore, the present embodiment generates a Common Reference String (CRS) according to the algorithm and the structure of the equation in the paper, and the CRS is as follows:

the trusted third party randomly selects alpha, beta, gamma and delta,τ is defined as (α, β, δ, x), and CRS is calculated as ([ σ ═ y ═ c₁]₁,[σ₂]₂)，

Wherein, [ x ]]₁Is expressed as g^x，[x]₂Is denoted by h^xG, h are both groups G₁,G₂A generator of [ a ]]₁·[b]₂＝[a·b]_T＝e(g,h)^a·b。

10. The Witness is decrypted.

And the user receives the ciphertext Witness sent by the trusted third party, and decrypts according to the private key (p, q) of the user to obtain the plaintext Witness.

11. And 12, transmitting the CRS.

And the trusted third party generates a corresponding CRS according to the step 9, and sends the CRS to the verifier and the user in a plaintext public manner.

13. The proof is sent.

After receiving CRS sent by a trusted third party, a user selects a corresponding random numberAnd the calculation is carried out according to the plaintext Witness to prove that pi is ([ A ]]₁,[C]₁,[B]₂)

Wherein a in the above equation_iWhere i ∈ l +1, l +2, …, m is the Witness obtained by the user (prover) to the third party, and in this embodiment, the Witness is (θ'₁,θ′₂,θ′',…,θ′_n,C′₁,C′₂,C′₃，…，C′_n，Z′)。

The calculated proof pi ═ a ([ a ]]₁,[C]₁,[B]₂) And sending to the verifier.

14. And (5) verifying and proving.

After receiving the user (prover) certification, the verifier resolves the certification pi ═ ([ a ]]₁,[C]₁,[B]₂) (ii) a And verifying whether the following equation is established or not by combining the Statement sent to the client by the trusted third party.

Wherein a in the above equation_iI ∈ 0,1,2, …, l is Statement sent by the trusted third party to the verifier secret, and Statement in this embodiment is (Y)₁,Y₂,Y₃,…,Y_n)。

If the equation passes the verification, namely the two sides of the equation are equal, the user is a legal user authenticated by the trusted third party; and if the equation verification is not passed, the user is an illegal user.

15. And returning a verification result.

The verifier performs corresponding processing according to the equation verification result of step 14.

If the user is verified to be a legal user, returning authentication success to the user; and if the verification fails, returning the verification failure to the user.

Optionally, when performing identity authentication, the verifier may also perform aggregated verification on the proofs of multiple proofers; the proofs of a plurality of proofers are aggregated, whether the plurality of proofers are all legal users can be judged only by once verifying an equation, and meanwhile, the storage overhead of a verifier only needs 4 group elements.

Fig. 4 is a schematic structural diagram of verifier aggregate verification provided by the present embodiment; specifically, the verifier initializes four elements (a, B, C, D) to have a value of zero, and performs aggregation using the following formula:

wherein it proves that pi ═ A_i]₁,[B_i]₂,[C_i]₁) I e {1,2,3, …, N } represents the proof issued by the ith user to the verifier.

Finally, whether the following equation holds is verified:

if the equation is established, the identities of the N users are legal users, otherwise, the illegal users exist in the aggregated certificate, and the equation cannot be verified.

It is to be understood that the present invention has been described with reference to certain embodiments, and that various changes in the features and embodiments, or equivalent substitutions may be made therein by those skilled in the art without departing from the spirit and scope of the invention. In addition, many modifications may be made to adapt a particular situation or material to the teachings of the invention without departing from the essential scope thereof. Therefore, it is intended that the invention not be limited to the particular embodiment disclosed, but that the invention will include all embodiments falling within the scope of the appended claims.