A privacy protection identity authentication method and system based on zero-knowledge proof

By employing a privacy-preserving identity authentication method based on zero-knowledge proofs, a binary face feature extraction model and a fuzzy extractor are trained using a convolutional neural network. Combined with threshold multi-party secure computation, this method solves the problems of biometric storage security and privacy leakage during the verification process in face recognition systems, achieving irreversible storage, multi-factor verification, and zero information leakage.

CN122157319APending Publication Date: 2026-06-05SHUAN COMMERCIAL CRYPTOTECHNOLOGY (GUANGZHOU) CO LTD

Patent Information

Authority / Receiving Office
CN · China
Patent Type
Applications(China)
Current Assignee / Owner
SHUAN COMMERCIAL CRYPTOTECHNOLOGY (GUANGZHOU) CO LTD
Filing Date
2025-12-25
Publication Date
2026-06-05

AI Technical Summary

Technical Problem

Existing facial recognition systems suffer from problems such as insufficient security of biometric data storage, vulnerability of single-factor authentication to attacks, and privacy leaks during the authentication process. Furthermore, traditional methods cannot ensure that data remains encrypted during computation.

Method used

A privacy-preserving identity authentication method based on zero-knowledge proof is adopted. A binary face feature extraction model is trained by a convolutional neural network, and a fuzzy extractor and threshold multi-party secure computation are combined to achieve irreversible storage of features and multi-factor verification, ensuring zero information leakage in the verification process.

Benefits of technology

It achieves irreversible storage of biometric features, constructs a dual security defense line of physical and logical security, ensures zero information leakage during the verification process, supports flexible updates, has anti-replay attack capabilities, and improves system fault tolerance and environmental adaptability.

✦ Generated by Eureka AI based on patent content.

Smart Images

  • Figure BDA0005759878310000051
    Figure BDA0005759878310000051
  • Figure BDA0005759878310000061
    Figure BDA0005759878310000061
  • Figure BDA0005759878310000062
    Figure BDA0005759878310000062
Patent Text Reader

Abstract

The application relates to network security and identity authentication, and provides a privacy protection identity authentication method and system based on zero-knowledge proof. A convolutional neural network is trained through a standard face data set to obtain a face detection, alignment and binary feature extraction model; a fuzzy extractor is used to convert high-dimensional binary features into high-entropy key shares and auxiliary data, and the high-entropy key shares and the auxiliary data are secret shared with a random key of a client. During authentication, the client restores the key shares, executes threshold Schnorr signature generation challenge signature with no less than t-1 signature nodes, and completes authentication after verification of the server. The scheme does not need to store original biological feature data, and realizes decentralized, multi-factor, high-security and anti-single-point-failure identity authentication.
Need to check novelty before this filing date? Find Prior Art

Description

(I) Technical Field

[0001] This invention relates to the field of biometric authentication security technology, specifically to a privacy-preserving identity authentication method and system based on zero-knowledge proof. (II) Background Technology

[0002] With the rapid development of information technology and the widespread adoption of the internet, facial recognition technology, with its significant advantages such as non-contact nature, high recognition accuracy, and convenience, has become one of the most widely used technologies in the field of biometric identification. This technology has been applied on a large scale in various fields, including identity authentication, security monitoring, financial payments, mobile device unlocking, and public safety management, greatly improving user experience and operational efficiency. However, its widespread application has brought increasingly serious challenges to privacy and system security. These issues not only relate to the protection of personal information but also directly affect society's trust in and acceptance of this technology.

[0003] Currently, facial recognition systems face a fundamental challenge: for authentication, the system must collect and store users' biometric data (usually facial feature templates). Unlike passwords, which can be changed at any time, resetting facial features is cumbersome. Once this highly sensitive biometric data is stolen or leaked by malicious attackers, users face the risk of short-term or long-term identity theft. Most systems tend to store users' facial feature templates on centralized servers or databases, making these databases high-value targets for cyberattacks. Furthermore, although what is stored is the feature template rather than the original image, advanced reverse engineering techniques can recover the original or approximate facial image from the feature template, leading to actual leakage of privacy information.

[0004] Existing systems often lack collaborative verification with other auxiliary data during identity verification, making system security rely solely on the single factor of facial recognition. This means that no additional security layer is added beyond the face. The system is therefore vulnerable to spoofing attacks, easily spoofed faces such as high-resolution photos, video playback, or 3D masks—the so-called "liveness detection" challenge. Traditional liveness detection techniques are easily bypassed by new spoofing methods. Furthermore, existing facial recognition applications lack deep integration with multi-factor authentication (MFA), rarely combining it deeply and in real-time with other security factors such as location information, timestamps, behavioral patterns, or hardware keys, making it difficult to provide a second layer of security when faces are spoofed.

[0005] Furthermore, during facial recognition verification, the user's original facial image or feature data often needs to be transmitted between the client and server or processed locally, increasing the possibility of privacy leaks during transmission and processing. In the process of feature data transmission, without end-to-end encryption or a secure channel, attackers could intercept the data through man-in-the-middle attacks. More importantly, in some application scenarios, facial feature matching calculations occur in environments where users cannot fully trust them. Traditional methods cannot ensure that data is also encrypted during the calculation process (i.e., privacy-preserving computation is lacking). This means that even if the data is encrypted during storage and transmission, it is still exposed at the moment of decryption and matching. (III) Summary of the Invention

[0006] To address the aforementioned shortcomings, this invention aims to propose an innovative privacy-preserving identity authentication method and system based on zero-knowledge proof, which solves prominent problems in traditional face recognition systems such as security of facial biometric storage, defects in single-factor authentication, and privacy leakage during the authentication process.

[0007] The first aspect of this invention discloses a privacy-preserving identity authentication method based on zero-knowledge proof. It includes:

[0008] The system collects relevant publicly available standard face datasets via the network and transmits the face datasets to the face training unit; wherein, the face datasets include the training set, validation set, and test set of the face recognition model.

[0009] The face training unit uses the face dataset to train corresponding face detection, face alignment, and face feature extraction models closely related to face recognition security enhancement methods through a convolutional neural network.

[0010] The described face feature extraction model differs from traditional floating-point feature values. This face feature extraction model uses an improved ArcFace loss function, combined with binarization constraints. It inputs a face dataset for convolutional neural network binarization perception training, and finally performs linear dynamic quantization mapping to obtain a binarized face feature extraction model. Only after passing liveness detection during the registration or login stage can the subsequent registration or login process be executed. The face image information is input into the face feature extraction model to finally obtain stable binarized high-dimensional face feature values.

[0011] The aforementioned binarized high-dimensional facial feature values ​​are input into a fuzzy extractor as registration information. Through operations with generated random numbers and hashing, unique and irreversible auxiliary data and a high-entropy key are generated. This auxiliary data is stored in a secure storage device. Then, during login, a new set of binarized high-dimensional facial feature values ​​is input into the fuzzy extractor, combined with the previously securely stored facial auxiliary data, to recover the corresponding facial key X.c .

[0012] After recovering the key, in order to complete identity authentication without directly exposing the key and to prevent replay attacks, this invention further performs a digital signature verification process based on threshold multi-party computation (MPC). Specifically, during the registration phase: the client recovers the corresponding face key, which is used as the key share X. c Then the client generates a random complete key X and a public key, and randomly generates higher-order coefficients a2, ..., a2. t-1 Combined with client share X c Construct the split key X polynomial:

[0013] f(z) = a t-1 z t-1 +…+a1z+X(mod U)

[0014] Where a0 = X, f(1) = X c Then solve a1 inversely:

[0015] a1 = X c -X-(a2+…+a t-1 (mod U)

[0016] Where U is the order of the cyclic group generated by the base point G.

[0017] After obtaining the complete partition polynomial, the key X is split into n private key shares X using Shamir secret sharing. i X of the client c One public key Y is allocated to a specific user, while the remaining public key Y and key fragments are distributed together via a secure transmission channel to n-1 partially trusted server nodes S1, S2, ..., S... n-1 Distributed storage is used. n represents the total number of copies in the threshold signature.

[0018] Verification and identification phase: The login client initiates an authentication request to the server. The server generates a challenge value e containing a timestamp and a random factor, and sends the challenge value to the login client. The login client then uses the recovered high-entropy key X. c As a private key share, if the client key share X c If recovery fails and a login failure message is displayed, and multiple verification attempts fail, the login account will be locked, and the user will be allowed to log in again after a limited time. A warning message will be sent to the user. The user can dynamically implement a key change policy to ensure account security. If the key share X cRecovery successful. Based on the challenge value, the client then collaborates with at least t-1 of the pre-set n-1 signature server nodes to run a threshold Schnorr signature protocol. In this threshold Schnorr signature protocol, the login client and the t signature server nodes first perform distributed random number generation. Each party calculates a temporary random number component and exchanges commitments to synthesize a global public commitment R (Nonce). Subsequently, each participant, based on the global public commitment R, the challenge value e, and their respective key share X,... i (The client holds the high-entropy key X for recovery) c The server node, holding a pre-allocated share of private key, calculates a partial signature. The login client's valid partial signature, along with the designated aggregation node, collects valid partial signatures from the t-1 signature server nodes, performs linear aggregation operations, and generates a complete digital signature S for the challenge value. During this process, the recovered high-entropy client key share X... c The private key shares of each server node are not fully transmitted or reconstructed in the network, ensuring key privacy. Finally, the server receives the complete digital signature and verifies it using S·G=R+e·Y. If the verification passes, it is determined that the current logged-in user's biometrics match the registration information and that the user holds a valid private key credential, thus completing user authentication and granting the corresponding system login permissions. If the verification fails, a login failure message is responded to. If multiple verification failures occur, the logged-in user is locked, and the local client circuit breaks subsequent verification interface requests to prevent invalid requests from continuously reporting to the server. The user is only allowed to log in again after a time limit, and a warning message is sent to the user. The user can dynamically implement a key change policy to ensure account security.

[0019] The aforementioned user-dynamic key update strategy involves, after a user undergoes facial recognition or other system-recognized identity verification, binding their account based on their identity information, re-executing the facial registration process, and generating a new key share X using their face. c The system updates the client key share X with auxiliary data P, a new random master key X, and other information. c And the corresponding MPC node key share on the server side, enabling users to dynamically change keys.

[0020] A second aspect of this invention discloses a privacy-preserving identity authentication system based on zero-knowledge proofs. It includes:

[0021] Acquisition module: used to acquire the corresponding face recognition dataset via the network and transmit the face recognition dataset to the unit for training face detection, face alignment, and face feature extraction models; wherein, the face recognition dataset is a publicly available standard face dataset.

[0022] Acquisition module: It is used to input the face recognition dataset into the corresponding model training unit to obtain the corresponding face detection, face alignment, and face feature extraction models. Among them, the face feature extraction model is a binary face feature extraction model, not a traditional floating-point value face feature output model. In the registration stage or the recognition and verification stage, the face image is input into the face detection, face alignment, and face feature extraction models to obtain the binary face feature vector W or W'.

[0023] Fuzzy extraction module: It is used to receive the binary face feature vector W or W' output by the binary face feature extraction model obtained by the acquisition module, where W or W' belongs to {0, 1} V (where V is the length of the feature vector). In the registration stage: Based on the Fuzzy Extractor algorithm, the binary face feature vector W is processed to generate a stable key share X c and the publicly available auxiliary data P; In the recognition and verification stage: Based on the Fuzzy Extractor algorithm, the binary face feature vector W' is combined with the auxiliary data P in the registration stage to recover the key X c '.

[0024] Threshold multi-party secure computing Schnorr signature module: In the registration stage: The client generates a random key X as the main secret, and divides and distributes it to n - 1 server signature nodes through the secret sharing algorithm. Among them, the client accounts for one share as the face key X c ; In the recognition and verification stage: Use the X of the fuzzy extraction module c ', combine and sign the timestamp, authentication message M, public key Y, and complete commitment, and then coordinate any t (where t < n) of the signature nodes, including the client signature node, to execute the threshold Schnorr signature protocol based on multi-party secure computing (MPC), and finally output the aggregated Schnorr signature S to complete the decentralized identity authentication.

[0025] Compared with the prior art, the present invention has the following beneficial effects:

[0026] 1. Binary de-identification of original biometric features, with irreversible and non-stored features, enhancing the essential security of data:

[0027] The decoupling of physical attributes and irreversible entropy loss mean that binarization is not merely a format conversion, but also an effective compression of non-critical biometric information. By filtering out physical attributes such as texture, skin color, and background, biometric features are transformed from sensory attributes into a pure digital logical sequence. This mapping exhibits strong nonlinearity and information entropy compression, and is mathematically irreversible. Even if the binarized vector W is leaked, it is impossible to reconstruct the original human image with biometric identification significance. The feature template "zero storage" mechanism destroys the plaintext feature W in memory immediately after the system completes the calculation during registration or verification, leaving only auxiliary data P. Since the auxiliary data serves only as a "path guide" for noise alignment rather than a feature backup, attackers cannot reconstruct the original feature template from the stored digital fragments, fundamentally eliminating the risk of illegal cloning, credential stuffing, or reverse engineering of biometric information.

[0028] 2. Utilize multi-factor validation of auxiliary data to construct a dual security defense line of physical and logical security:

[0029] The auxiliary data P is not a single storage credential, but a composite structure consisting of error correction and verification components, random salt values, and blinding parameters. During verification, the system not only requires that the binary facial feature W' legally acquired through liveness detection maintains a physical similarity to the original template within a minimal Hamming distance, but also that this feature successfully matches the verification components in the auxiliary data P to reconstruct the correct key factor. This strong logical binding between "held auxiliary data" and "inherent biometrics" constitutes de facto multi-factor verification, significantly raising the barrier to identity forgery.

[0030] 3. Zero information leakage and zero knowledge loss during the verification process:

[0031] By deeply integrating fuzzy extractors and zero-knowledge proofs, critical biometric information and confidential data are ensured to remain protected throughout the entire lifecycle of identity authentication. Sensitive fragmentation localization and zero computational leakage: During signature verification, the key share X... c It is always stored in a local secure area, requiring no transmission over the network or reconstruction at any central node. Through threshold MPC collaboration, each participant only needs to output a partial signature. Due to the existence of local private random numbers in MPC, the partial signature appears as a pseudo-random sequence. Even if an attacker intercepts all publicly available signature components, they cannot reverse-engineer the key share X through mathematical inverse operations. c The zero-knowledge nature of the interaction logic is achieved through authentication logic based on the zero-knowledge proof principle. The client (user) proves to the server (the server) that they possess a legitimate biometric key share by submitting a signature component that satisfies the Schnorr constraint, without needing to present the key share X throughout the entire verification process. cThe verifier can obtain either the original facial features or any original facial detail. This "proof of knowledge, not disclosure of value" mechanism ensures that the verifier can only obtain a logical result of "authentication passed or failed," and cannot obtain any substantial biometric data that can be used for identity cloning.

[0032] 4. Supports flexible updates, ensuring the resettlement and security of biometric authentication identities:

[0033] Overcoming the security limitations of immutable biometrics, traditional facial recognition solutions face the risk of permanent identity invalidation and irreversibility once the feature template is leaked, due to the uniqueness of biometrics. This invention utilizes a fuzzy extraction architecture, allowing users to generate entirely new identity credentials logically unrelated to historical data through a re-registration process, while maintaining unchanged biometrics. This addresses the pain point of "exposure equals invalidation" in biometrics, ensuring the resettable nature of user identities. Balancing ease of updates with replay protection, this invention supports identity changes triggered by regular online re-entry, providing biometric authentication with security similar to "password modification." The newly generated credentials are algebraically isolated from the old data, and combined with Schnorr signature technology using threshold MPC, it ensures that expired auxiliary information cannot be used to forge new signature verification. This mechanism achieves extremely high forward security without increasing user complexity, effectively blocking replay attack paths targeting expired credentials.

[0034] 5. Possesses resistance to application-layer DoS / DDoS attacks, ensuring high system availability:

[0035] Client-side pre-verification achieves load shaving. Before initiating authentication, this invention first attempts to recover the key share X locally on the client side. c If feature matching fails, the client will directly block subsequent signature calculations and network requests. This "request pre-filtering" mechanism ensures that only legitimate requests that pass local verification can reach the server, saving server computing power and bandwidth resources at the source and effectively mitigating application-layer DoS / DDoS attacks. Multi-level frequency control enhances defense resilience: the system sets a dynamic retry threshold, and immediately triggers a local circuit breaker and alerts after the number of failures exceeds the limit. This mechanism achieves immediate response to illegal high-frequency requests without relying on server intervention, significantly enhancing the system's availability under extreme attack scenarios.

[0036] 6. Eliminate single point of failure risk and improve system fault tolerance:

[0037] Thanks to the (t,n) threshold signature mechanism, the system's security no longer relies on any single node. Even if an attacker compromises t-1 server nodes, or some nodes fail due to hardware malfunctions, the system can still guarantee that the key is not leaked and the authentication process remains uninterrupted. This distributed architecture eliminates the "single point of failure" of traditional centralized databases, greatly enhancing the system's survivability in extreme environments.

[0038] 7. Strong environmental adaptability and characteristic fault tolerance:

[0039] The strong environmental adaptability and feature fault tolerance are attributed to the error correction mechanism of the fuzzy extractor. This invention solves the "instability" problem of biometrics while ensuring security. The system can tolerate environmental noise such as light and angle during biometric acquisition. Precise error correction is achieved through error correction codes, ensuring accurate recovery of the unique key share X even when there are slight deviations in the features. c This not only reduces the system's false rejection rate but also avoids frequent re-registration due to feature fluctuations, balancing high security with user-friendliness.

[0040] The privacy-preserving identity authentication method based on zero-knowledge proof in this invention has the technical effects of preventing the leakage of important information during the verification process, supporting dynamic identity updates, and preventing replay attacks and identity forgery, providing more comprehensive and efficient security for the application of facial biometrics. (iv) Description of the attached drawings

[0041] To more clearly illustrate the technical solutions in the embodiments of the present invention, the accompanying drawings used in the embodiments will be briefly introduced below. Obviously, the drawings described below are only some embodiments of the present invention. For those skilled in the art, other drawings can be obtained based on these drawings without creative effort.

[0042] Figure 1 This is a flowchart illustrating a privacy-preserving identity authentication method based on zero-knowledge proof disclosed in an embodiment of the present invention;

[0043] Figure 2 This is a schematic diagram of the structure of a privacy-preserving identity authentication system based on zero-knowledge proof provided in an embodiment of the present invention. (V) Detailed Implementation

[0044] The technical solutions of the embodiments of the present invention will be clearly and completely described below with reference to the accompanying drawings. Obviously, the described embodiments are only some embodiments of the present invention, and not all embodiments. Based on the embodiments of the present invention, all other embodiments obtained by those skilled in the art without creative effort are within the scope of protection of the present invention.

[0045] Example 1

[0046] Please see Figure 1 , Figure 1 This is a flowchart illustrating a privacy-preserving identity authentication method based on zero-knowledge proof disclosed in an embodiment of the present invention. The execution entity of the method described in this embodiment is an execution entity composed of software and / or hardware. This execution entity can receive relevant information via wired and / or wireless means and can send certain instructions. It may also have certain processing and storage functions. This execution entity can control multiple devices, such as remote physical servers or cloud servers and related software, or local hosts or servers and related software that perform related operations on devices located in a certain location. In some scenarios, it can also control multiple storage devices, which may be placed in the same location as the device or in different locations.

[0047] S101: A unit used to collect the corresponding face recognition dataset via a network connection and transmit the face recognition dataset to a training model for face detection, face alignment, and face feature extraction; wherein the face recognition dataset is a publicly available standard face dataset.

[0048] The core of this invention lies in using a fuzzy extractor technique combined with face binarization features and threshold multi-party secure computation of Schnorr signatures to achieve secure feature storage and fault-tolerant verification.

[0049] S102: During the user registration phase, the system first obtains the facial images of legitimate users through liveness detection. After facial image preprocessing such as face detection and alignment, the facial images are input into a dynamically quantized binarized facial feature extraction model to extract and quantize discrete and stable binary W, which is the original facial feature template. The specific binarization process includes:

[0050] 1. The binarized perception training model in the training phase adopts an improved ArcFace loss function combined with binarization constraints.

[0051] (1) Design of training loss function

[0052] ArcFace Loss Function (Basic):

[0053]

[0054] in:

[0055] Formula parameter characters Character Explanation M Batch size s Feature scaling factor, typically set to 64 m The angular boundary parameter is typically set to 0.5. θ yi ]]> The angle between the i-th sample and its true label θ j ]] The angle between the i-th sample and other labels j [[ L a ]]> ArcFace loss function

[0056] Binarization of constraint loss function:

[0057]

[0058] Formula parameter characters Character Explanation W Model weight matrix sign(·) Sign function λ The balancing hyperparameter is typically set to 0.01. μ The balancing hyperparameter is typically set to 0.001. ‖·‖ F ]]> Frobenius norm <![CDATA[L b ]]> Quantization-perceived loss function

[0059] Quantization-perceived loss function:

[0060]

[0061] Total loss function:

[0062] L = L a +α·L b +β·L q in:

[0063] Formula parameter characters Character Explanation γ Weighting coefficients for quantified perceptual loss Q(·) Quantization function α The weighting coefficient is usually set to 0.01. β The weighting factor is usually set to 0.05. <![CDATA[L q ]]> Quantization-perceived loss function L Total loss function

[0064] (2) Binarization approximation of forward propagation

[0065] Symbolic function definition:

[0066]

[0067] Backpropagation approximation of the straight-through estimator (STE):

[0068]

[0069] Where Ι(·) is the indicator function.

[0070]

[0071] S103: Binarization implementation during the inference phase:

[0072] (1) Dynamic quantification process

[0073] First, dynamic range analysis is performed on the input features of each layer. The minimum and maximum values ​​of the current batch of data are calculated to determine suitable quantization parameters. Second, linear quantization mapping is performed. Floating-point feature values ​​are linearly mapped to the integer range of 0-255. This process requires calculating scaling factors and zero-point offsets. Finally, convolution operations are performed in the integer domain. An 8-bit integer convolution kernel is used to perform convolution calculations with an 8-bit integer input, and the result is temporarily stored as a 32-bit integer.

[0074] Quantization parameter calculation:

[0075]

[0076] in:

[0077]

[0078]

[0079] 8-bit integer quantization:

[0080]

[0081] Integer convolution operation:

[0082] Y int32 =CorvInteger(X int8 W int8 ,b int8 )

[0083] Inverse quantization:

[0084] Y flout =(Y int32 -b int32 )×scale X ×scale w

[0085]

[0086] (2) Feature binarization process

[0087] First, a 512-dimensional floating-point feature vector is obtained in the last layer of the model. These features have been extracted through multiple convolutional and pooling layers and contain rich face discrimination information. Second, a sign function is applied to binarize the features. Specifically, each feature element is compared with zero: elements greater than zero are mapped to +1, and elements less than or equal to zero are mapped to 0.

[0088] Floating-point feature vectors:

[0089] f∈V 512

[0090] Binarization process:

[0091] b = sign(f) ∈ {0, 1} 512

[0092] ONNX Sign node definition:

[0093]

[0094] in:

[0095]

[0096] S104: After quantization, the process moves to the fuzzy extractor stage. In this embodiment, the fuzzy extractor's generation function Gen(W) is used during the registration stage. The quantized feature template W is taken as input, and a high-entropy key share X is output. cAnd auxiliary data P containing publicly available, irreversible facial information. Key share X c A high degree of randomness and entropy (e.g., a 256-bit encryption key) is used for subsequent data signing and authentication; while the public auxiliary data P is not the feature template W itself, but serves to realize the key share X during the verification phase. c Fault-tolerant recovery.

[0097] The fuzzy extractor process, specifically, includes the following underlying error correction coding preprocessing: During the registration phase, a binary face feature vector W is first obtained. The feature vector W is then encoded and calculated using a preset error correction code protocol (BCH code) to generate a corresponding error correction verification component P1, which is also an auxiliary data component. This step provides fault-tolerant redundancy for the original features through mathematical encoding, used to correct bit-flip noise generated during biometric data acquisition in subsequent verification and recognition stages.

[0098] W→BCH encoding→P1

[0099] Key share and auxiliary data residual component generation: Using the feature vector W, the generation function Gen(W) is executed, employing a one-way hash mapping. The feature vector W is used as the input to the original entropy source, and the Argon2 cryptographic hash function is called, combined with a randomly generated salt value (Nonce), to generate an intermediate digest vector D through a one-way mapping.

[0100] W, randomly generated salt value → Argon2 → intermediate summary vector D

[0101] Randomized Blinded Locking (XOR): The system generates a random number and performs a bitwise XOR operation to blind the intermediate digest vector D with the random number, ultimately extracting a key share X with high randomness. c Encapsulation and Output: The error correction and verification component P1, the blinding parameters, and the relevant salt values ​​are encapsulated in a structured manner, and finally the public auxiliary data P is output.

[0102] The auxiliary data P of the irreversible face information, because W has undergone hashing and randomization, and the error correction and verification component P1 only contains redundant verification information, even if the key share X c Even with the leakage of auxiliary data P, it is impossible to reverse-engineer the original feature vector W and the original face image information.

[0103] S105: The client then combines the key share X c Using Shamir secret sharing, a random key X is split into n private key shares X. i The key share X is partitioned using a polynomial of order t-1. c =f(1), random master key X = f(0), randomly generate a2, ..., at-1 :

[0104] f(z) = a t-1 z t-1 +·+a1z+X(mod U)

[0105] Where a0 = X, f(1) = X c Then solve a1 inversely:

[0106] a1 = X c -X-(a2+…+a t-1 (mod U)

[0107] in:

[0108] Formula parameter characters Character Explanation U The order of the cyclic group generated by the G base point <![CDATA[a t-1 ,…,a1]]> polynomial coefficients

[0109] After determining the polynomial, the client calculates n corresponding fragments:

[0110] X1 = X c =f(1),X2=f(2),…,X n =f(n)

[0111] Then, the public key Y and the key fragments are distributed together through a secure channel to n-1 partially trusted server nodes S1, S2, ..., S... n-1 In distributed storage, the client holds one share of the key X. c However, client X c X is not stored; it is only restored during verification and recognition. c .

[0112] The publicly available auxiliary data P can be stored in a non-sensitive form in a proprietary database or on a user's private device without strict confidentiality. Only storage devices that have passed security verification can access the corresponding auxiliary data. By introducing a fuzzy extractor, the facial biometric templates W and W' are destroyed after use and do not remain in memory or the system. The stored auxiliary data P cannot be directly used to reverse engineer the original feature template W or the key share X. c And the master key X.

[0113] S106: In the recognition and verification phase, the system re-acquires the user's face image, extracts and quantizes it into a new feature template W'. Due to factors such as the acquisition environment, user pose, or expression, W' usually has slight differences from the originally stored W. This method uses the recovery function Rep(W',P) of the fuzz extractor for verification. The recovery function receives the new feature template W' and privately stored auxiliary data P as input, and attempts to recover the key share X. cThe fuzz extractor has inherent fault tolerance; as long as the distance d(W,W') between W' and the original W is less than a preset tolerance threshold T, the recovery function Rep(W',P) can successfully output the original key share X. c If the recovered key share is X times the key share at the time of registration... c If the authentication is successful when combined with subsequent verification technologies, the user's identity will be verified. If the authentication fails, a login failure message will be displayed. If the authentication fails multiple times, the user will be locked. The local client will circuit breaker to block subsequent verification interface requests to prevent invalid requests from being continuously reported to the server. The user will be allowed to log in again after a time limit and a warning message will be sent to the user. The user can dynamically implement a key change policy to ensure account security.

[0114] The aforementioned user-dynamic key update strategy involves, after a user undergoes facial recognition or other system-recognized identity verification, binding their account based on their identity information, re-executing the facial registration process, and generating a new key share X using their face. c The system updates the client key share X with auxiliary data P, a new random master key X, and other information. c And the corresponding MPC node key share on the server side, enabling users to dynamically change keys.

[0115] The method of this invention extracts the key share X exported by the face blur extractor. c The key share X directly used as the threshold Schnorr signature scheme c Multi-party secure computation (MPC) is used to achieve privacy-preserving identity verification, ensuring that feature matching and identity confirmation are completed while the data remains encrypted or segmented.

[0116] S107: During the identification and verification phase, the client recovers the key share X from the facial feature W' using the fuzz extractor Rep(W',P). c If recovery fails, authentication fails; if key share X is recovered... c The client generates a temporary private random number K. c Client-side computation and client-side commitment R c =K c ·G, will R c Send it to the server; send a verification request to the server.

[0117] S108: After receiving the verification request, the server generates signature information M containing timestamps, etc. Then, the system verifies the signature information on t-1 or more server nodes S. i Distributed blinding and commitments are performed between servers. Each server S... i Independently generate a random, temporary secret value k. i And calculate its corresponding commitment:

[0118] R i =k i ·G

[0119] in:

[0120] Formula parameter characters Character Explanation U The order of the cyclic group generated by the G base point G The generator of the cyclic group is the same as the G basis point described in S104.

[0121] The server-side commitment R is calculated by exchanging and calculating the server-side commitment R among multiple servers involved in the computation. s :

[0122]

[0123] Subsequently, the server will send the signature information M and the server commitment R. s The public key Y is sent to the client in response.

[0124] S109: Client-side global random commitment aggregation and client challenge value generation. The client receives the signature information M and the server commitment R from the server. s After obtaining the public key Y, perform the following operations:

[0125] 1. Synthetic Global Commitment R: The commitment R generated by the client using locally generated private random numbers. c With the received server-side aggregation commitment R s Perform a dot-matrix addition operation to obtain the globally random commitment for this signature:

[0126]

[0127] 2. Calculate the hash challenge value e c The client concatenates the global commitment R, the aggregate public key Y, and the message M containing the timestamp, and inputs the result into a one-way hash function to calculate the client's scalar challenge value e. c :

[0128] e c =Hash(R||Y||M)

[0129] S1010: Client-side partial signature generation. The client uses the key share X recovered locally by the fuzz extractor. c and local private random number K c Calculate the client partial signature S c :

[0130] S c =K c +e c ·X c ·λ c (mod U)

[0131] Where, λ cLet λ1 be the coefficient of the node in the current set of t nodes.

[0132] After the calculation is complete, the client will send a partial signature S. c Send back to the server to request the final signature aggregation.

[0133] S1011: Server-side distributed partial signature generation. The server receives S... c Then, the t-1 server nodes S that participated in the signing are triggered. i Perform the following operations:

[0134] 1. Independent Calculation of Share Signature: The server independently calculates the server-side challenge value e. s :

[0135] e s =Hash(R||Y||M)

[0136] Each server node S i Extract its stored private key share X i The Lagrange interpolation coefficients λ are dynamically calculated based on the set of participating nodes during the verification phase. i (used to transfer X) i (Mapped to the components of the full key X), and the previously generated temporary random secret value K. i Calculate the server-side partial signature S i :

[0137] S i =K i +e s ·λ i ·X i (mod U)

[0138] 3. Aggregate Server-Side Total Signature: The server aggregates the S signatures of all participating nodes. i Calculate the server-side aggregated signature S s :

[0139]

[0140] S1012: Final signature synthesis and validity verification. The server will synthesize the client's partial signature S. c Server-side aggregated signature S s The final synthesis yields the complete signature S:

[0141] S = S c +S s (mod U)

[0142] At this point, the system possesses a complete Schnorr signature pair (R, s). The verification node (or server-side authentication module) verifies whether the following equation holds true based on the aggregate public key Y stored during registration:

[0143] S·G=R+e S ·Y

[0144] If the equation holds: it proves that the client recovered the key share X. c Consistent with registration, and all server shares X i The system has participated in a valid calculation. At this point, the system determines that the user's identity is valid and authentication is successful. If the equation is not true, even if the client restores the correct X... c If sufficient server share cannot be obtained for cooperation, or X c If the key is tampered with during transmission, verification will fail. If verification fails, a login failure message will be displayed. If multiple attempts to recover fail, the login user will be locked out and only allowed a limited time before attempting to log in again. A warning message will be sent to the user. The user can dynamically implement a key change policy to ensure account security, similar to X described in S106. c The recovery failure mechanism is similar. This process conforms to the zero-knowledge proof property, that is, the client submits a partial signature S. c Without revealing the private key share X c In the case of the original biometric characteristics W, it proves to the server-side verification party that it has the "knowledge" to prove that it has a legitimate identity.

[0145] In summary, this privacy-preserving identity authentication method based on zero-knowledge proof has the technical advantages of not storing facial image privacy information, multi-factor verification, and preventing the leakage of important information during the verification process, thus providing a more comprehensive and efficient security guarantee for identity recognition.

[0146] Example 2

[0147] Please see Figure 2 , Figure 2 This is a schematic diagram of the structure of a privacy-preserving identity authentication system based on zero-knowledge proof disclosed in an embodiment of the present invention. Figure 2 As shown, publicly available privacy-preserving identity authentication systems based on zero-knowledge proofs include:

[0148] Acquisition module 21: used to acquire the corresponding face recognition dataset through network connection, and transmit the face recognition dataset to the unit for training face detection, face alignment and face feature extraction models; wherein, the face recognition dataset is a publicly available standard face dataset.

[0149] Acquisition module 22: It is used to input the corresponding model training unit for the face recognition dataset to obtain corresponding face detection, face alignment, and face feature extraction models. Among them, the face feature extraction model is a binary face feature extraction model, not a traditional floating-point value face feature output model. Then, in the registration and recognition verification stages, face information is input into the face detection, face alignment, and face feature extraction models to obtain a binary face feature vector W.

[0150] Fuzzy extraction module 23: It is used to receive the binary face feature vector W output by the binary face feature extraction model obtained by the training module, where W belongs to {0,1} V (where V is the length of the feature vector), and process the binary face feature vector W based on the FuzzyExtractor algorithm to generate a stable key share X c and public auxiliary data P.

[0151] Threshold multi-party secure computing Schnorr signature module 24: It is used for the client to use the random key X as the main secret, split and distribute it to n - 1 signature nodes through the secret sharing algorithm, where the client accounts for one share as X c ; and it is used to coordinate any t (where t < n) of the signature nodes, where the client accounts for one signature node key share as X c , and the remaining t - 1 are server signature nodes. Execute the threshold Schnorr signature protocol based on multi-party secure computing (MPC) to perform a collaborative signature operation on the authentication message M, and finally output the aggregated Schnorr signature S to complete decentralized identity authentication.

[0152] The technical effects corresponding to the above system solutions are mainly reflected in the following aspects:

[0153] First, no storage of face privacy information: The fuzzy extractor is used to convert unstable biometric features (faces) into high-entropy keys X and auxiliary data P, ensuring the uniqueness and irreversibility of identity credentials, avoiding the security risks brought by traditional face storage, and achieving the effect of accurate face verification without storing face privacy information.

[0154] Second, multi-factor verification: Face recognition verification requires the same person's face information W and auxiliary data P to participate in the verification simultaneously to recover the key X. The public auxiliary data P generated by the fuzzy extractor is introduced into the verification process as a collaborative verification factor for the face feature template W, thereby realizing the deep multi-factor fusion of the face recognition system. It solves the phenomenon that the existing face recognition systems only rely on the results of face feature matching, and adds a second layer of security guarantee in addition to the face.

[0155] Third, biometric fault tolerance: The design of the fuzzy extraction module solves the inherent noise and inaccuracy problems in the facial feature extraction process, ensuring that even if facial features collected at different times are slightly different, the same key share X can be stably recovered. c .

[0156] Fourth, high availability: Key X is distributed and managed through threshold multi-party computation, eliminating single points of failure.

[0157] Fifth, high efficiency and privacy protection: The threshold Schnorr signature protocol is used to achieve identity authentication. Compared with traditional multi-signature, the generated aggregate signature S is smaller and the verification efficiency is higher. At the same time, the key share is not disclosed during the authentication process, providing stronger privacy protection.

[0158] Sixth, decentralized authentication mechanism: The threshold signature module requires at least t nodes to collaborate to complete the signature, realizing a decentralized authentication process and enhancing the system's resistance to attacks and resilience.

[0159] Seventh, forward safety: due to K c and K i It is a temporary random number generated only once. Even if the signature is intercepted, an attacker cannot deduce the key X or share X from the known S and e. i .

[0160] In summary, the privacy-preserving identity authentication system based on zero-knowledge proof of this invention provides a more secure, efficient, fault-tolerant, and decentralized security guarantee for user identity authentication by combining three core technologies: binarized feature extraction, fuzzy extractor, and threshold Schnorr signature.

Claims

1. A privacy-preserving identity authentication method based on zero-knowledge proof, characterized in that, Includes the following steps: The system collects relevant publicly available standard face datasets via the network and transmits the face datasets to the face training unit; wherein, the face datasets include the training set, validation set, and test set of the face recognition model. The face training unit uses the face dataset to train corresponding face detection, face alignment, and face feature extraction models closely related to face recognition security enhancement methods through a convolutional neural network. The face feature extraction model described therein differs from the traditional extraction model, which outputs a floating-point feature value array matrix. This face feature extraction model uses an improved ArcFace loss function and Hamming distance, combined with binarization constraints. It inputs a face dataset for convolutional neural network binarization dynamic perception training, and finally performs linear dynamic quantization mapping to obtain a binarized face feature extraction model. By inputting face image information into the face feature extraction model, a stable binarized high-dimensional face feature value array matrix is ​​finally obtained. During the registration process, a liveness detection is performed first. Only after the face is verified as legitimate is the binarized high-dimensional face feature value array matrix input into the fuzzy extractor. The binarized high-dimensional face feature value array matrix is ​​then processed with biometric random numbers to obtain a random process number. This number is then subjected to hashing and combination operations to obtain irreversible face auxiliary data and a high-entropy key share X. c The generated face-assisted data is stored in a local private secure location or in a remote secure storage unit, with the client key share X. c It is necessary to combine the secret sharing scheme (Shamir secret sharing) to split the client's random master key X into n private key shares X. i The partitioning polynomial satisfies the key share X c =f(1), random master key X = f(0); then distributed through a secure channel to n-1 partially trusted server nodes, with each client holding a share of the key, X. c Facial image information and client key share X c The master key X is not retained and is destroyed after use. During the verification process, a liveness detection is performed first. Only after the detection is valid is the new facial information input into the binarized facial feature extraction model to obtain a high-dimensional binary facial feature value array matrix. Combined with the corresponding facial auxiliary data stored in the registration, the key share X is recovered through the fuzzy extractor key recovery algorithm. c . After recovering the key, a digital signature verification process based on threshold multi-party computation (MPC) is performed, specifically including: the login client initiating an authentication request to the server, and the server generating signature information M including a timestamp and a partial commitment R. s Information such as the signature information M and the partial commitment R are included. s The public key Y is sent to the client terminal; the client terminal uses the information from the server's response to generate a client challenge value e. c Calculate the partial signature S c Then, the partial signature is sent to the server for final authentication. In the threshold Schnorr signature protocol, the login client and the t-1 signature server nodes first perform distributed random number generation. Each party calculates a temporary random number component and exchanges the signature value and commitment value, which are then combined with the partial signature S passed in by the client. c And client commitment R c A linear aggregation operation is performed to synthesize a complete signature S. During this process, the recovered high-entropy key and the private key shares of each server node are not fully transmitted or reconstructed in the network, ensuring key privacy. Subsequently, the system-preset public key Y is used to verify whether the following equation holds true for the complete digital signature S: S·G=R+e s If the equation holds true, the verification passes, and it is determined that the current logged-in user's biometrics match the registration information and that the user holds a valid private key credential, thereby completing the user's identity authentication and granting the corresponding system login permissions; otherwise, the verification fails.

2. The privacy-preserving identity authentication method based on zero-knowledge proof as described in claim 1, characterized in that, The fuzzy extractor includes a generation phase (Gen) and a recovery phase (Rep). The specific execution steps are as follows: In the generation phase (Gen): the binarized high-dimensional face feature value W from registration is used as input, and the fuzzy extractor generates a key share X through random number operations and hash operations. c And auxiliary data P, wherein the auxiliary data P is the combination information of W and the selected error correction codeword c; in the recovery phase (Rep): the new binarized high-dimensional face feature value W' collected at login and the stored face auxiliary data P are used as input; The fuzz extractor uses the error-correcting code decoding algorithm to eliminate the Hamming distance error between W and W', thereby restoring the original error-correcting codewords and secret value, and finally recovering the high-entropy key share X. c .

3. The privacy-preserving identity authentication method based on zero-knowledge proof as described in claim 1, characterized in that, The face feature extraction model employs an improved ArcFace loss function combined with binarization constraints. Specifically, during the training phase, a binarization regularization term is introduced based on the ArcFace angle cosine loss function to constrain the distribution of feature vectors to converge towards the binary state of {0,1}. The Hamming distance is used as part of the loss function for backpropagation optimization, minimizing the Hamming distance between face features of the same type and maximizing the Hamming distance between face features of different types.

4. The privacy-preserving identity authentication method based on zero-knowledge proof as described in claim 1, characterized in that, The high-entropy key is split and distributed using the Shamir secret sharing algorithm. The linear aggregation operation in the threshold Schnorr signature protocol is specifically as follows: the Lagrange coefficients of each node participating in the signature are calculated using the Lagrange interpolation formula; the partial signatures of each node are weighted and summed with their corresponding Lagrange coefficients, and the complete digital signature is calculated in the modulo domain.

5. A privacy-preserving identity authentication system based on zero-knowledge proof, characterized in that, include: The acquisition module is used to acquire standard face datasets via network connection, as well as to acquire face images during user registration and login. The training module is used to train a binary face feature extraction model using a face dataset, and the model outputs binary high-dimensional face feature values. The fuzzy extraction module is used to perform the generation and recovery phases of the fuzzy extractor; during registration, it generates auxiliary data and a high-entropy key share X based on the binarized feature values. c During verification, the key share X is recovered by combining auxiliary data. c The threshold signature module manages key share distribution and coordinates the client with at least t-1 of the n-1 signature server nodes to execute the threshold Schnorr signature protocol and generate the aggregated complete digital signature.

6. An electronic device, characterized in that, include: Memory, used to store computer programs; The processor is coupled to the memory; The processor executes the privacy-preserving identity authentication method based on zero-knowledge proof as described in any one of claims 1 to 4 by calling the computer program stored in the memory.

7. A computer-readable storage medium, characterized in that, The computer-readable storage medium stores a computer program, which, when executed by a processor, implements the privacy-preserving identity authentication method based on zero-knowledge proof as described in any one of claims 1 to 4.