EP3535924A1

EP3535924A1 - Secure distributed data processing

Info

Publication number: EP3535924A1
Application number: EP16920471.6A
Authority: EP
Inventors: Wenxiu DING; Zheng Yan
Original assignee: Nokia Technologies Oy
Current assignee: Nokia Technologies Oy
Priority date: 2016-11-04
Filing date: 2016-11-04
Publication date: 2019-09-11
Also published as: CN110089071A; WO2018082008A1; EP3535924A4; CN110089071B

Abstract

According to an example aspect of the present invention, there is provided an apparatus comprising at least one processing core, at least one memory including computer program codes, the at least one memory and the computer program codes being configured to, with the at least one processing core, cause the apparatus at least to receive, from at least one data provider, at least one ciphertext, the at least one ciphertext comprising a first ciphertext, perform a mathematical manipulation of the first ciphertext to modify the first ciphertext without decrypting the first ciphertext, the mathematical manipulation being selected in the apparatus in dependence of a mathematical operation to be performed on plaintext underlying the first ciphertext, obtain a second ciphertext from the modified first ciphertext by performing a cryptographic operation, wherein at least one number is randomly generated and used in masking plaintext underlying the second ciphertext, and provide the second ciphertext to an access control node.

Description

SECURE DISTRIBUTED DATA PROCESSING

FIELD

The present invention pertains to the field of secure data processing and/or controlling access to data.

BACKGROUND

Cloud computing services provide off-site opportunities for individuals and corporations. For example， cloud storage service enables off-site storage of data sets in a flexible manner in a data center， reducing the need for users of the cloud service to obtain their own storage hardware， for example for archiving purposes. Data centers may be protected against natural events， such as earthquakes， increasing reliability of data storage therein.
A further example of a cloud service is a cloud processing service， wherein a user is given access to processor resources at a computer or computing grid. This may be useful， for example where a user needs access to high-capacity computing intermittently， and obtaining actual high-capacity computing hardware would be wasteful as the hardware would mostly be unused， since the need is only intermittent. For example， so-called “big data” may be collected from internet-of-things， IoT， applications and processed in a cloud service. Such data may be encrypted while communicated to the cloud and/or when stored in the cloud.
Consumers may use cloud services to back up their data， for example during operating system updates of their devices， such as computers， smartphones and laptops. Some smart devices are configured to automatically upload images captured by users to a cloud storage service.
While useful， cloud services present high risk to users. Personal information may accidentally， or purposefully， be stored on a cloud storage service. Such personal information may become vulnerable to theft， unauthorised modification or eavesdropping either during transit to or from the cloud storage service， or while in the cloud storage service. The cloud service provider may be untrusted or only partially trusted. Furthermore， the cloud service may be distributed between several data centers， and customer data may be communicated between such data centers to balance load between the centers. Such communication presents additional risk of eavesdropping.
As it relates to cloud processing services， risks are also present. Where a user seeks to analyse medical patient data， for example， not only the data itself but also its processing is highly confidential by its intrinsic nature. Similar considerations apply to other confidential data that may be processed， such as corporate， financial， personal or military data. For example， analysing stealth-defeating radar may comprise complex processing of plural radar signals and their combinations. Clearly， such signal processing is secret due to its nature.
Further， controlling access to encrypted data stored in a cloud service presents challenges. Symmetric encryption， for example， requires for each data user to have a copy of the key used to encrypt the data， in order to be able to successfully decrypt it.
SUMMARY OF THE INVENTION
The invention is defined by the features of the independent claims. Some specific embodiments are defined in the dependent claims.
According to a first aspect of the present invention， there is provided an apparatus comprising at least one processing core， at least one memory including computer program codes， the at least one memory and the computer program codes being configured to， with the at least one processing core， cause the apparatus at least to receive， from at least one data provider， at least one ciphertext， the at least one ciphertext comprising a first ciphertext， perform a mathematical manipulation of the first ciphertext to modify the first ciphertext without decrypting the first ciphertext， the mathematical manipulation being selected in the apparatus in dependence of a mathematical operation to be performed on plaintext underlying the first ciphertext， obtain a second ciphertext from the modified first ciphertext by performing a cryptographic operation， wherein at least one number is randomly generated and used in masking plaintext underlying the second ciphertext， and provide the second ciphertext to an access control node.
Various embodiments of the first aspect comprise at least one feature from the following bulleted list：
● the apparatus is further configured to receive， from the access control node， a third ciphertext， the third ciphertext being derived from the second ciphertext， and to perform a second mathematical manipulation， on the third ciphertext， to reverse the masking and to obtain a fourth ciphertext
● the apparatus is further configured to provide the fourth ciphertext to a data requesting party
● the apparatus is configured to， by performing the mathematical manipulation and the second mathematical manipulation， modify plaintext underlying the first ciphertext to thereby perform the mathematical operation selected from the following list： an addition operation， a subtraction operation， a multiplication operation， a sign acquisition operation， a comparison operation， an equivalence test operation and a variance operation on the plaintext underlying the first ciphertext
● the apparatus is configured to store a public key-private key pair of a public key cryptosystem， and to employ the public key of the apparatus in the cryptographic operation
● the apparatus is configured to provide the fourth ciphertext to the data requesting party using a secured connection
● the apparatus is configured to perform mathematical manipulations on more than one of the at least one ciphertext
● the apparatus is configured to operate in a cloud service data center.
According to a second aspect of the present invention， there is provided an apparatus comprising at least one processing core， at least one memory including computer program code， the at least one memory and the computer program code being configured to， with the at least one processing core， cause the apparatus at least to receive， from a data service provider， a first ciphertext， partially decrypt the first ciphertext to obtain a second ciphertext， using a secret key of the apparatus from a public key-secret key pair of the apparatus， generate a variable， encrypt the second ciphertext using the variable as key and provide the encrypted second ciphertext to the data service provider， encrypt the variable using an attribute-based encryption mechanism， and process a request received from a data requesting party for access to information underlying the first ciphertext and the second ciphertext.
Various embodiments of the second aspect comprise at least one feature from the following bulleted list：
● the apparatus is， responsive to a decision to grant access to the data requesting party， configured to instruct the data service provider to provide the data requesting party with the requested data in encrypted form
● the apparatus is configured to process a plurality of requests for access to the information underlying the first ciphertext and the second ciphertext， the plurality of requests being received in the apparatus from a plurality of data requesting parties， and to simultaneously perform access control concerning the information underlying the first ciphertext and the second ciphertext relating to the plurality of data requesting parties
● the apparatus is configured to perform the simultaneous access control based on attribute-based access policies
● the apparatus is further configured to， responsive to the decision to grant access to the data requesting party， configured to provide the data requesting party a decryption key enabling the data requesting party to decrypt the variable
● the apparatus is not configured to directly provide the data requesting party with an encrypted version of the variable
● the apparatus is configured to act as an access controlling server in a distributed data processing system.
According to a third aspect of the present invention， there is provided a method comprising receiving， in an apparatus， from at least one data provider， at least one ciphertext， the at least one ciphertext comprising a first ciphertext， performing a mathematical manipulation of the first ciphertext to modify the first ciphertext without decrypting the first ciphertext， the mathematical manipulation being selected in the apparatus in dependence of a mathematical operation to be performed on plaintext underlying the first ciphertext， obtaining a second ciphertext from the modified first ciphertext by performing a cryptographic operation， wherein at least one number is randomly generated and used in masking plaintext underlying the second ciphertext， and providing the second ciphertext to an access control node.
Various embodiments of the third aspect comprise at least one feature from the preceding bulleted list laid out in connection with the first aspect.
According to a fourth aspect of the present invention， there is provided a method comprising receiving， in an apparatus from a data service provider， a first ciphertext， partially decrypting the first ciphertext to obtain a second ciphertext， using a secret key of the apparatus from a public key-secret key pair of the apparatus， generating a variable， encrypting the second ciphertext using the variable as a key and providing the encrypted second ciphertext to the data service provider， encrypting the variable using an attribute-based encryption mechanism， and processing a request， received from a data requesting party， for access to information underlying the first ciphertext and second ciphertext.
Various embodiments of the fourth aspect comprise at least one feature from the preceding bulleted list laid out in connection with the second aspect.
According to a fifth aspect of the present invention， there is provided an apparatus comprising means for receiving， in an apparatus， from at least one data provider， at least one ciphertext， the at least one ciphertext comprising a first ciphertext， means for performing a mathematical manipulation of the first ciphertext to modify the first ciphertext without decrypting the first ciphertext， the mathematical manipulation being selected in the apparatus in dependence of a mathematical operation to be performed on plaintext underlying the first ciphertext， means for obtaining a second ciphertext from the modified first ciphertext by performing a cryptographic operation， wherein at least one number is randomly generated and used in masking plaintext underlying the second ciphertext， and means for providing the second ciphertext to an access control node.
According to a sixth aspect of the present invention， there is provided an apparatus comprising means for receiving， in an apparatus from a data service provider， a first ciphertext， means for partially decrypting the first ciphertext to obtain a second ciphertext， using a secret key of the apparatus from a public key-secret key pair of the apparatus， means for generating a variable， encrypting the second ciphertext using the variable as a key and providing the encrypted second ciphertext to the data service provider， means for encrypting the variable using an attribute-based encryption mechanism， and means for processing a request， received from a data requesting party， for access to information underlying the first ciphertext and second ciphertext.
According to a seventh aspect of the present invention， there is provided a non-transitory computer readable medium having stored thereon a set of computer readable instructions that， when executed by at least one processor， cause an apparatus to at least receive， in an apparatus， from at least one data provider， at least one ciphertext the at least one ciphertext comprising a first ciphertext， perform a mathematical manipulation of the first ciphertext to modify the first ciphertext without decrypting the first ciphertext， the mathematical manipulation being selected in the apparatus in dependence of a mathematical operation to be performed on plaintext underlying the first ciphertext， obtain a second ciphertext from the modified first ciphertext by performing a cryptographic operation， wherein at least one number is randomly generated and used in masking plaintext underlying the second ciphertext， and provide the second ciphertext to an access control node.
According to an eighth aspect of the present invention， there is provided a non-transitory computer readable medium having stored thereon a set of computer readable instructions that， when executed by at least one processor， cause an apparatus to at least receive， in an apparatus from a data service provider， a first ciphertext， partially decrypting the first ciphertext to obtain a second ciphertext， using a secret key of the apparatus from a public key-secret key pair of the apparatus， generate a variable， encrypt the second ciphertext using the variable as a key and provide the encrypted second ciphertext to the data service provider， encrypt the variable using an attribute-based encryption mechanism， and process a request， received from a data requesting party for access to information underlying the first ciphertext and second ciphertext.
According to a ninth aspect of the present invention， there is provided a computer program configured to cause a method in accordance with at least one of the third and fourth aspects to be performed.

BRIEF DESCRIPTION OF THE DRAWINGS

FIGURE 1 illustrates an example system in accordance with at least some embodiments of the present invention；
FIGURE 2 illustrates signalling in accordance with at least some embodiments of the present invention；
FIGURE 3 illustrates an example apparatus capable of supporting at least some embodiments of the present invenuon；
FIGURE 4 illustrates signalling in accordance with at least some embodiments of the present invention；
FIGURE 5 is a flow graph of a method in accordance with at least some embodiments of the present invention， and
FIGURE 6 is a second flow graph of a method in accordance with at least some embodiments of the present invention.
EMBODIMENTS
At least some embodiments of the present invention enable secured and distributed processing and dissemination of data stored in a server， such as a cloud server， which may comprise a data service provider. A data service provider and access control server may co-operate in performing a computation on encrypted data and providing a result of the computation to a data requesting party that meets at least one criterion of an attribute-based encryption， ABE， scheme. In the process， advantageously neither the data service provider nor the access control server gains access to the data， or the computation result， in plaintext form whereby security and privacy of the data owner is protected.
FIGURE 1 illustrates an example system in accordance with at least some embodiments of the present invention. The system comprises data service provider 120， which may comprise a cloud data storage data center or cloud data center system， for example. Data service provider 120 may also comprise a cloud processing service provider. A cloud data center system may comprise a plurality of data centers， with load balancing arranged in a suitable manner between individual data centers comprised in the plurality. In general， data service provider 120 may be configured to store data and provide some computation services. Data service provider 120 may be seen as curious-but-honest in a trust model of the present invention， in other words， this entity may be curious about user data but nonetheless follow design of system protocols strictly. Further， since a trust and reputation mechanism may be used with at least some embodiments of the present invention the data service provider 120， as well as other nodes， will in these cases have an incentive to behave dependably.
The system of FIGURE 1 further comprises at least one access control server 130. Access control server 130 may comprise a processing-enabled computing entity， such as， for example， a data center， data center system， server， server farm or indeed an individual networked computer such as a desktop or a laptop. In general， access control server 130 may be configured to provide data computation services and/or data access control to users. In the model described herein， there may exist several access control servers， ACS， 130 that are operated by different entities， such as medical institutions， schools， and/or banks. Different ACSs 130 may deal with different kinds of data， for example health-related data， student records and financial information. Hence， a user may freely choose an ACS he trusts for service consumption. This may enhance user security. The ACS may be seen as a trusted entity in the trust model of the present invention.
The system of FIGURE 1 further comprises at least one data provider 110. Data provider， DP， 110 may comprise a data owner， such as， for example， a consumer， corporation or government entity， for example. For example， data provider 110 may generate the data. Data may be provided by an X-ray device or body scanner where data provider 110 is a medical entity， such as a clinic or hospital. Data may be generated in an industrial process or a design tool where data provider 110 is a corporate entity， such as a manufacturer or engineering company. Data may be generated in a radar or flight control facility where data provider 110 is a government entity， such as a military or aviation authority. Data provider 110 may be configured to provide data in encrypted form to data service provider 120. In some embodiments， DP 110 may be a user and the data may comprise digital photographs taken with the user’s mobile device.
The system of FIGURE 1 further comprises data requester， DR， 140. Data requester 140 may comprise an entity authorised by data provider 110 to access， at least partly， data owned and/or generated by data provider 110. Data requester 140 may need the data of data provider 110 in a processed form. Data requester 140 may be the same entity as data provider 110， or it may be another entity. There may be plural data requesters， not all of which are known beforehand. Data or computation results may be provided to data requesters， also known as data requesting parties， in encrypted format.
Overall， data provider 110， data service provider 120， access control server 130 and data requester 140 may be seen as roles or functions that may be assumed and performed by different kinds of entities. As indicated above， data provider 110 and data requester 140 may be one and the same. On the other hand， at least in some embodiments data service provider 120 and access control server 130 are not physically the same entity. In detail， data service provider 120 need not be explicitly trusted by data provider 110， while access control server 130 may be trusted by data provider 110.
Networked connections interconnect the entities described above to each other. In detail， connection 112 enables data provider 110 to transmit ciphertext to data service provider 120. Connection 142 enables communication between data requester 140 and data service provider 120. Connection 123 enables communication between access control server 130 and data service provider 120. Finally， connection 143 enables communication between data requester 140 and access control server 130. The connections may be wired or， at least partly， wireless， connections， where applicable.
FIGURE 2 illustrates signalling in accordance with at least some embodiments of the present invention. Like numbering denotes like structure as in FIGURE 1. The following notation may be employed：
TABLE 1：
The system may initially call a key generation algorithm to complete setup of the encryption keys. An example key generation algorithm is KeyGen， described below. If multiple ACSs are employed in the system， each ACS may negotiate a Diffie-Hellman key PK with the DSP and publish this key to its customers. In addition， the ACS that is responsible for access control may call Setup^ABE (λ， U) to generate the public parameters PK′and master secret key MSK′of the ABE algorithm. Then it may also publish PK′to its service consumers.
In phase 112， data provider 110 provides his data to DSP 120， in encrypted format， which is known as ciphertext. DSP 120 responsively stores the ciphertext. DSP 120 may determine a mathematical operation to be performed securely on the encrypted data， without completely decrypting it. DSP 120 may select a mathematical manipulation to be performed on the ciphertext， and perform the selected mathematical manipulation. For example， where the operation to be performed on the encrypted data， that is， on the plaintext， is addition， the mathematical manipulation to be performed on the ciphertext may comprise multiplication， due to additive homomorphism. The mathematical manipulation performed on the ciphertext may have an effect on the plaintext underlying the ciphertext without reversing the encryption， in other words， DSP 120 does not thereby gain access to the plaintext by performing the mathematical manipulation. DP 110 may encrypt their personal data before uploading it to DSP. It may directly recall EncTK to encrypt data m_i (Unless otherwise specified，
DSP 120 may randomly generate at least one number and use it to mask the plaintext underlying the ciphertext. Randomly generating may comprise randomly and/or pseudo-randomly generating， for example. Masking the plaintext may comprise， for example， performing a second mathematical manipulation of the ciphertext， which does not reverse the encryption， but modifies the underlying plaintext in a way DSP 120 knows. For example， a value in the plaintext may be multiplied by a first number and incremented with a second number， such that even on case the encryption is reversed， the party reversing the encryption will only gain access to the masked plaintext and not the actual plaintext. Terminologically， the masked plaintext may be referred to as ciphertext. DSP 120 may perform a re-encryption operation， for example a proxy re-encryption operation， to enable ACS 130 to reverse the encryption of the ciphertext.
In phase 123， DSP 120 provides the ciphertext， as modified by DSP 120， to ACS 130. ACS 130 may be enabled to reverse the encryption of the ciphertext， to obtain the masked plaintext. ACS 130 may reverse the encryption， for example， using a secret key of a public key-secret key pair of ACS 130. Further， ACS 130 may participate in performing access controlling relating to the data by generating an encryption key ck， encrypting the masked plaintext with the generated encryption key and ciphering the generated encryption key ck using， for example， an attribute-based encryption， ABE， mechanism. ACS 130 may further process the data to obtain a middle processed result orwhich depends on the mathematical operation and is encrypted under the generated key PK_ck ＝ g^ck chosen by ACS 130. ACS 130 may encrypt ck using ABE to get CK′.
ACS 130 provides the ciphered masked plaintextorto DSP 120 in phase 132. DSP 120 may responsively remove the masking of the plaintext， without reversing the ciphering， resulting in a ciphertext that is an encrypted version of plaintext， the plaintext being a result of the mathematical operation performed on the original plaintext. This may be signified by the notationorRemoving the masking of the ciphered plaintext may comprise performing a mathematical manipulation on the ciphered masked plaintext. Examples of such mathematical manipulations are known from homomorphic encryption schemes.
Data requester， DR， 140 may request the result of the mathematical operation from ACS 130 in phase 143. In the requesting， DR 140 may provide its attribute information， enabling ACS 130 to control access to the data using the attribute-based mechanism， which may leverage， for example， a trust value of DR 140. The trust value may take an integer value， for example， and/or be acquired from a reputation server.
Responsive to ACS 130 verifying DR 140 is to be granted access to the data， ACS 130 may provide， in phase 133， to DR 140 the encryption key used in phase 123 by ACS 130 in encrypting the generated encryption key ck. ACS 130 may also signal to DSP 120 to provide the data to DR 140. DSP 120 may responsively provide the ciphertext of the unmasked plaintext to DR 140， for example using a secured connection. DSP 120 may also provide to DR 140 the encrypted version of generated encryption key ck. DR 140 may then use key ck to obtain the unmasked plaintext.
As described above， the process of FIGURE 2 results in the unmasked plaintext to be made available to DR 140， such that DSP 120 or ACS 130 do not gain access to it in the process. Further， the mathematical operation is performed on the plaintext in the process. Details of possible mathematical operations will be given herein below.
FIGURE 3 illustrates an example apparatus capable of supporting at least some embodiments of the present invention. Illustrated is device 300， which may comprise， or be comprised in， for example， a DP 110， DSP 120， ACS 130 and/or DR 140 of FIGURE 1 or FIGURE 2. Comprised in device 300 is processor 310， which may comprise， for example， a single-or multi-core processor wherein a single-core processor comprises one processing core and a multi-core processor comprises more than one processing core. Processor 310 may comprise more than one processor. A processing core may comprise， for example， a Cortex-A8 processing core manufactured by ARM Holdings or a Steamroller processing core produced by Advanced Micro Devices Corporation. Processor 310 may comprise at least one Qualcomm Snapdragon and/or Intel Xeon processor. Processor 310 may comprise at least one application-specific integrated circuit， ASIC. Processor 310 may comprise at least one field-programmable gate array， FPGA. Processor 310 may be means for performing method steps in device 300. Processor 310 may be configured， at least in part by computer instructions， to perform actions.
Device 300 may comprise memory 320. Memory 320 may comprise random-access memory and/or permanent memory. Memory 320 may comprise at least one RAM chip. Memory 320 may comprise solid-state， magnetic， optical and/or holographic memory， for example. Memory 320 may be at least in part accessible to processor 310. Memory 320 may be at least in part comprised in processor 310. Memory 320 may be means for storing information. Memory 320 may comprise computer instructions that processor 310 is configured to execute. When computer instructions configured to cause processor 310 to perform certain actions are stored in memory 320， and device 300 overall is configured to run under the direction of processor 310 using computer instructions from memory 320， processor 310 and/or its at least one processing core may be considered to be configured to perform said certain actions. Memory 320 may be at least in part comprised in processor 310. Memory 320 may be at least in part external to device 300 but accessible to device 300.
Device 300 may comprise a transmitter 330. Device 300 may comprise a receiver 340. Transmitter 330 and receiver 340 may be configured to transmit and receive， respectively， information in accordance with at least one cellular or non-cellular standard. Transmitter 330 may comprise more than one transmitter. Receiver 340 may comprise more than one receiver. Transmitter 330 and/or receiver 340 may be configured to operate in accordance with global system for mobile communication， GSM， wideband code division multiple access， WCDMA， 5G， long term evolution， LTE， IS-95， wireless local area network， WLAN， Ethernet and/or worldwide interoperability for microwave access， WiMAX， standards， for example.
Device 300 may comprise a near-field communication， NFC， transceiver 350. NFC transceiver 350 may support at least one NFC technology， such as NFC， Bluetooth， Wibree or similar technologies.
Device 300 may comprise user interface， UI， 360. UI 360 may comprise at least one of a display， a keyboard， a touchscreen， a vibrator arranged to signal to a user by causing device 300 to vibrate， a speaker and a microphone. A user may be able to operate device 300 via UI 360， for example to manage or request data.
Device 300 may comprise or be arranged to accept a user identity module 370. User identity module 370 may comprise， for example， a subscriber identity module， SIM， card installable in device 300. A user identity module 370 may comprise information identifying a subscription of a user of device 300. A user identity module 370 may comprise cryptographic information usable to verify the identity of a user of device 300 and/or to facilitate encryption of communicated information and billing of the user of device 300 for communication effected via device 300.
Processor 310 may be furnished with a transmitter arranged to output information from processor 310， via electrical leads internal to device 300， to other devices comprised in device 300. Such a transmitter may comprise a serial bus transmitter arranged to， for example， output information via at least one electrical lead to memory 320 for storage therein. Alternatively to a serial bus， the transmitter may comprise a parallel bus transmitter. Likewise processor 310 may comprise a receiver arranged to receive information in processor 310， via electrical leads internal to device 300， from other devices comprised in device 300. Such a receiver may comprise a serial bus receiver arranged to， for example， receive information via at least one electrical lead from receiver 340 for processing in processor 310. Alternatively to a serial bus， the receiver may comprise a parallel bus receiver.
Device 300 may comprise further devices not illustrated in FIGURE 3. For example， where device 300 comprises a smartphone， it may comprise at least one digital camera. Some devices 300 may comprise a back-facing camera and a front-facing camera， wherein the back-facing camera may be intended for digital photography and the front- facing camera for video telephony. Device 300 may comprise a fingerprint sensor arranged to authenticate， at least in part， a user of device 300. In some embodiments， device 300 lacks at least one device described above. For example， some devices 300 may lack a NFC transceiver 350 and/or user identity module 370.
Processor 310， memory 320， transmitter 330， receiver 340， NFC transceiver 350， UI 360 and/or user identity module 370 may be interconnected by electrical leads internal to device 300 in a multitude of different ways. For example， each of the aforementioned devices may be separately connected to a master bus internal to device 300， to allow for the devices to exchange information. However， as the skilled person will appreciate， this is only one example and depending on the embodiment various ways of interconnecting at least two of the aforementioned devices may be selected without departing from the scope of the present invention.
Literature has a number of studies on privacy-preserving data aggregation， mainly in the area of Wireless Sensor Networks (WSNs) and smart metering [5-8， 10-12] . Some previous work [5， 6] on data aggregation assumed a trusted aggregator， and hence cannot protect user privacy from a distrusted or semi-trusted aggregator. Castelluccia et al. proposed a simple and provably secure encryption scheme that allows efficient additive aggregation of encrypted data [5] ， in which an aggregator holds the sum of secret shares of all data providers for final decryption. Based on this work， Li et al. employed a novel key management scheme to obtain data sum [6] . Low aggregation error can further be achieved by leveraging a ring-based interleaved grouping technology [11] . Shi et al. [7， 8] also studied encrypted data aggregation in the presence of a distrusted aggregator. The aggregator splits a secret key s₀ into additive shares among a set of users (say s₀ ＝ ∑_i s_i)， and s_i is issued to user i. Then each user applies its secret share to blind its private data. Hence， the aggregator can only obtain the sum of user data but nothing else through decryption with s₀. Joye and Libert [12] proposed a practical scheme that can overcome this weakness to accommodate large plaintext spaces. However， the above schemes have a major drawback that they are not tolerant of user absence or failure. Thus， they are not applicable for data aggregation where the number of data providers is not fixed or the provider is absent sometime
Some existing constructions are resilient to user failure and compromise by adopting a binary tree structure [8] . Wang et al. investigated how two non-colluding servers can leverage proxy re-encryption to jointly compute arithmetic functions over the ciphertexts of multiple users for addition and multiplication without learning the inputs or intermediate results [1] . But this scheme needs to solve the problem of discrete logarithm， which also seriously restricts the length of the input data. Therefore， it is not suitable for those scenarios where there are many data providers and the size of provided data is big. That is， it cannot support big data processing.
Secure Multi-party Computation， SMC， enables private data to be computed with a global function without leaking each individual input data. It also provides plausible solutions for such problems as privacy-preserving database query， intrusion detection and data mining [13] . For example， a method for financial analysis based on the SMC [14] can obtain important data from collected data by deploying three servers， but it introduces extra complexity and overhead.
Privacy-preserving data aggregation and SMC schemes described above do not take， in general， into consideration the scenario where there are multiple requesters that are unpredictable or unspecified before data collection and processing. A requester can be any number of authorized parties， rather than an evaluating server or a designated requester. None of the existing work above solves the problem of distributing the data processing or analyzing results to arbitrary number of unspecified authorized requesters at the same time while preserving the privacy of data providers and protecting the data processing or analyzing results. Moreover， the existing schemes mentioned above only work for encrypted data aggregation， and do not support other fundamental computing operations.
Some studies tried to improve the existing homomorphic encryption in order to support computations over encrypted data， an approach which may be referred to as secure data processing based on homomorphic encryption. Ayday et al. [10] proposed a privacy-preserving data aggregation scheme based on homomorphic encryption to obtain the sum of a number of collected encrypted data through a two-level decryption in which a decryption key is divided into two parts and shared by a proxy and a medical center. But this scheme cannot support multiparty access to the data processing results. Peter et al. [2] proposed an efficient outsourcing multiparty computation framework under multiple keys based on additive homomorphic encryption. However， this scheme can only support addition and multiplication， but not other operations. Moreover， a server can only access the final data processing result with the approval of data owners， which makes this scheme very complicated with regard to communication cost. The scheme proposed in the present document aims to realize， in at least some embodiments， more operations than addition and multiplication without data owner approval. The scheme in [15] can support multiparty access to evidence aggregation， but it is only applicable for addition operation and cannot support other computing operations. Liu et al. [3] proposed a framework for efficient outsourced data calculations with privacy preservation， which can deal with several types of operations， such as addition， multiplication， and division. But their framework cannot flexibly issue the access rights of data processing results to any number of eligible parties. Meanwhile， it cannot support multiplication of large amounts of data. At least some embodiments of the present invention support seven basic computing operations and realize fine-grained and flexible data access control on the data processing result for multiple authorized parties.
Cloud storage enables cloud users to upload their personal data to cloud for storage and further sharing. However， as described above it leads to challenges， since cloud users lose full control over their own data， which makes access control on cloud data significant. A number of solutions have been proposed to protect outsourced data stored in cloud servers.
Access Control List， ACL， is one of the most basic solutions， but its computation complexity grows linearly with the number of data groups or users [16， 17] . Symmetric Key Cryptography， SKC， is a typical way to protect the data， but it has high computation complexity in key management with bad flexibility. Public Key Cryptography， PKC， can be used by combining with SKC [17] . The data owner encrypts the original data with a symmetric key and then encrypts the key using PKC for each authorized data consumer. However， the cost for encrypting symmetric key is proportional to the number of consumers. Proxy Re-Encryption can also be adopted to manage data sharing in cloud [18， 19] . But it cannot support fine-grained access control. Role-Based Access Control， RBAC， can provide partial flexibility based on one level policy， which ensures that only the consumer with specified role can access the data. But these constructions [20， 21] cannot support multiple access policies based on various attribute structures.
Advanced fine-grained access control is expected to be solved by Attribute-Based Encryption， ABE. It has been widely applied in cloud storage management for achieving flexibility， scalability and fine-grained access control [22-25] . ABE enables these schemes to introduce multiple attributes for access judgement， which enhances cloud data security. Besides ABE， trust evaluation can also be applied to support access control with high efficiency. The combination of trust evaluation and ABE is presented in [26] ， but it neglects other attributes， such as， for example， role and department， only considering trust values. More attributes might be needed to guarantee data privacy and security in many application scenarios.
At least some embodiments of the present invention target to realize multiple operations over ciphertext processing in a privacy-preserving way and propose to further improve the security and flexibility of access control by integrating ABE based access control with homomorphic encryption， HE， based data processing.
FIGURE 4 illustrates signalling in accordance with at least some embodiments of the present invention. On the vertical axes are disposed， on the left， DP 110/DR 140 110 of FIGURE 1 and FIGURE 2， and on the right， DSP 120 and ACS 130 of FIGURE 1 and FIGURE 2. Time advances from the top toward the bottom. FIGURE 4 embodiments are directed to the case where， unlike in FIGURE 2， the DP 110 and DR 140 are the same entity， that is， the owner requests her own data.
In phase 410， DP 110 provides her data， in encrypted form， to DSP 120. In phase 420， DSP 120 performs the processing described above in connection with FIGURE 2 on the ciphertext received in DSP 120. This may comprise， for example， performing the mathematical manipulation selected in dependence of the mathematical operation that it is desired to perform on the plaintext underlying the ciphertext. Further， DSP 120 may， in phase 420， mask the plaintext， without reversing the encryption. In other words， DSP 120 may perform， at least partly， the mathematical operation on the plaintext and mask the plaintext， both without reversing the encryption.
In phase 430， DSP 120 may provide the processed ciphertext to ACS 130. ACS 130 may then， in phase 440， reverse the encryption， to obtain the masked plaintext. ACS 130 may further encrypt the masked plaintext using a randomly generated encryption key， and provide the thus encrypted ciphertext to DSP 120， in phase 450. ACS 130 may also provide a ciphered version of the randomly generated encryption key to DSP 120 in phase 450.
In phase 460， DSP 120 may reverse the masking， again without reversing the encryption， to obtain a ciphered un-masked plaintext. In phase 470， DR 140， being in this embodiment the DP 110， may request the data from ACS 130， applying an attribute-based mechanism. Responsively， ACS 130 may provide to DR 140 the encryption key used in phase 440 to encrypt the masked plaintext， in ciphered form. This is indicated in FIGURE 4 as phase 480. Further， ACS 130 may prompt， phase 490， DSP 120 to provide the ciphered version of the un-masked plaintext to DR 140. DSP complies and provides this to DR 140 in phase 4100.
Alternatively， ACS 130 may provide a ciphered version of the randomly generated encryption key to DSP 120 in phase 450， which may provide it further to DR 140 in phase 4100. ACS 130 may then simply provide the key used to encrypt the randomly generated encryption key to DR 140 in phase 480， to enable DR 140 to decipher the randomly generated encryption key， and to use the randomly generated encryption key to decrypt the ciphertext DR 140 receives from DSP 120， to thereby obtain the un-masked plaintext.
Paillier’s cryptosystem [27] is one of the most important additive homomorphic encryption systems. Suppose we have N encrypted data under same key pk， which can be presented as [m_i] _pk (i ＝ 1， 2， ... ， N) . The additive homomorphic encryption satisfies the following equation：
where D_sk () is the corresponding homomorphic decryption algorithm with secret key sk.
Key-Policy Attribute-Based Encryption， KP-ABE， [23] KP-ABE consists of four algorithms： Setup， Encrypt， KeyGen， and Decrypt.
· Setup^ABE (λ， U) → (PK′， MSK′) . This setup algorithm takes in the security parameter λ and the attribute universe description U. It outputs the public paramters PK′and a master secret key MSK′.
· Enc^ABE (M， γ， PK′) → CK′. This encryption algorithm takes in a message M， a set of attributes γ and the public parameters PK′. It outputs ciphertext CK′.
· This key generation algorithm takes in an access structureand the master secret key MSK′. It outputs a private key SK′.
· Dec^ABE (CK′， PK′， SK′) → M. This decryption algorithm takes in the ciphertext CK′， the public parameters PK′and the private key SK′. If the set of attributes satisfies the access treeembedded in the private key， it finally outputs the message M.
Notably， Ciphertext-Policy Attribute-Based Encryption， CP-ABE， [28] may also be applied in implementing at least some embodiments of the present invention. Adopting CP-ABE saves efforts of key management， while applying KP-ABE may save computation cost of data encryption.
Homomorphic Re-Encryption System， HRES， supports privacy-preserving data processing. At least some embodiments of the present invention adopt HRES for data encryption， which is described in previous application [9] . Herein， a detailed introduction to HRES is provided.
Key Generation (KeyGen) ： Let k be a security parameter and p， q be two large primes， wherereturns the bit length of input data) . Due to the property of safe primes， there exist two primes p′and q′which satisfy that p ＝ 2p′+ 1， q ＝ 2q′+ 1. We compute n ＝ p *q and choose a generator g with orderλ ＝ 2p′q′， which can be chosen by selecting a random numberand computing g＝-z²ⁿ. The value λ can be used to decrypt the encrypted data， but we choose to conceal it and protect it from all involved parties. In HRES， we only use key pair (sk， g^sk) for data encryption and decryption. The DSP 120 and the ACS 130 generate their key pairs： (SK_DSP ＝ a， PK_DSP ＝ g^a) and (SK_ACS ＝ b， PK _ACS ＝ g^b) ， and then negotiate their Diffie-Hellman keyTo support encrypted data processing， PK is public to all involved parties. Cloud user i generates its key pair The public system parameters include {g， n， PK} .
First， an Original Encryption scheme is obtained from [29] . Encryption (Enc) ： Any user can encrypt its data with pk_i and random r ∈ [1， n/4] ， and send it to user i：
Decryption (Dec) ： Upon receiving the encrypted data， user i can directly decrypt it to obtain the original data：
Second， a Two-Level Decryption scheme that can flexibly support outsourced data processing is presented：
Encryption with Two Keys (EncTK) ： To flexibly support ciphertext process， we propose encrypting original data under the keys of two servers. Given message provided by user i， we first select random number r ∈ [1， n/4] and then encrypt it with PK. The ciphertext is generated as [m_i] ＝ [m_i] _PK ＝ {T_i， T_i′} ， where
T_i ＝ (1 + m_i *n) *PK^r mod n² and T_i′＝g^r mod n².
For ease of presentation， we use the notation [m_i] to denote the ciphertext of m_i encrypted with PK， which can only be decrypted under the cooperation of DSP 120 and ACS 130.
Partial Decryption with SK_DSP (PDec1) ： Once [m_i] is received by the DSP， algorithm PDec1 will be run to transfer it into another ciphertext that can be decrypted by the ACS as follows：
Partial Decryption with SK_ACS (PDec2) ： Once the encrypted data is received， the ACS can directly decrypt it with its own secret key as follows：
The two-level decryption can change its decryption order. In the process above， no entity alone can perform decryption to obtain the raw data.
In the following， the mathematical operations addition， subtraction， multiplication， sign acquisition， comparison， equivalent test and variance will be discussed. Data preparation at DSP refers to phase 420 of FIGURE 4 and the processing following phase 112 in FIGURE 2. Data process at ACS refers to phase 440 of FIGURE 4 and the processing following phase 123 of FIGURE 2. Additional process at DSP refers to phase 460 of FIGURE 4 and the processing following phase 132 of FIGURE 2.
Addition： this scheme aims to obtain the sum of all raw data： Note that the number of the data in Addition affects the length of the provided data. If we want to get the sum result of N pieces of data， it should guarantee that m_i ＜ n/N.
Data Preparation at DSP： Due to additive homomorphism， the DSP can directly multiply encrypted data one by one as following：
To realize group access control， it chooses two random numbers c₁ and c₂， and then computes as follows：
Mask ciphertext：
Call PDec1 to partially decrypt it：
Then DSP sendsto the ACS.
Data Process at ACS： The ACS calls the algorithm PDec2 with SK _ACS to finally decrypt the encrypted data to obtain c₁ (m + c₂) . And then the ACS chooses two random numbers ck and r to encrypt data as follows：
In order to support group access control， the ACS encrypts ck with ABE to obtain CK′ ＝ Enc^ABE (ck， γ， PK′) . Then the ACS sendsback to the DSP.
Additional Process at DSP： The DSP computes to obtain the final processed encrypted data with c′₁ ＝ (c₁) ^-1 mod n：
Data Access at DR： The DR that satisfies the access policy in ABE can decrypt CK′to obtain ck. The DSP sends the data packetto the DR in a secure way. Then the DR can decryptto obtain m.
Subtraction： This function aims to obtain the subtraction of some data with encrypted data [m_i] (i ＝ 1， ...， N) .
Data Preparation at DSP： The DSP first computesand It further calculatesand multiply them to obtain： Then the subsequent process is the same as that in Addition. Due to length and simplicity reasons， the details are not repeated here.
Multiplication： This function aims to obtain the product of all non-zero raw dataFor ease of presentation， we describe the details with two pieces of data ( [m₁] ， [m₂] ) . The DR wants to get the multiplication result m ＝ m₁ *m₂. The available number of the data in multiplication influences the length of raw data. If we need to get the product of N pieces of data， it must be guaranteed that the length of each raw datawhich is different from Addition.
Data Preparation at DSP： First， the DSP chooses two random numbers c₁， c₂ (the number of random numbers may be equal to that of provided data) . To mask each raw data from the ACS， the DSP does one exponentiation and one decryption with its own secret key by calling PDec1：
The data packet sent to the ACS is
Data Process at ACS： Upon receiving the data packet from the CSP， the ACS uses the algorithm PDec2 to decrypt the data：
c₁*m₁ ＝ T₁ ⁽¹⁾ / (T₁′ ⁽¹⁾ ) ^b，
c₂*m₂ ＝ T₂ ⁽¹⁾ / (T₂′ ⁽¹⁾) ^b.
It then chooses two random numbers ck and r， and encrypts c₁ *m₁ *c₂ *m₂ and ck as following：
CK′＝Enc^ABE (ck， γ， PK′) .
Finally， the ACS forwardsand CK′to the DSP.
Additional Process at DSP： The DSP further processes the data packet with c′₁ ＝ (c₁*c₂) ^-1 mod n and computes as following：
Data Access at DR： The DR that satisfies the access policy in ABE can decrypt CK′to obtain ck. The DSP sends the data packetto the DR in a secure way. Then the DR can decryptto obtain m.
Sign acquisition： We assume thatand that BIG is the largest raw data of m. Then the raw data is in the scope [-BIG， BIG] . DR wants to know the sign of raw data m₁ from [m₁] . Here， the DR targets to obtain the final sign indicator f.
Data Preparation at DSP： The DSP chooses a random number c₁ where It first encrypts “1” and then computes as follows：
[1] ＝ { (1+n) *PK^r′， g^r′}
Then it flips a coin s. Ifs ＝ -1； it computes as follows：
Otherwise， it calls PDec1 and computes： The DSP chooses one random number c₂， and then computes s′＝ c₂*s mod n. The data packet sent to the ACS is { (T₁ ⁽¹⁾ ， T₁′ ⁽¹⁾ ) ， s′} .
Data Process at ACS： Upon receiving the data packet from the DSP， the ACS decrypts (T₁ ⁽¹⁾ ， T₁′ ⁽¹⁾ ) with PDec2 to obtain raw data m′＝ (-1) ^s+1 *c₁ * (2 *m₁ + 1) mod n. The ACS compareswithIfit sets u ＝ 1； otherwise， u ＝ -1. The ACS chooses two random numbers r and ck， further computes as following：
Encrypt ck using ABE： CK′＝ Enc^ABE (ck， γ， PK′) . Finally， the ACS forwardsto DSP.
Additional Process at DSP： The DSP further process the data packet as following：
c₃ ＝ (c₂) ^-1mod n
The DR that satisfies the access policy in ABE can decrypt CK′to obtain ck. The DSP sends the data packetto the DR in a secure way. Then the DR can decryptto obtain f. Note： if f ＝ 1， m₁ ≥ 0； Otherwise， m₁ ＜ 0.
Comparison： Similar to the schemes above， DR wants to compare the raw data (m₁， m₂) based on their encrypted data. For ease of presentation， m₁ -m₂ is denoted as m_1-2.
Data Preparation at DSP： DSP first computes to get the subtraction of encrypted data：
(T， T′) ＝ {T₁ * (T₂) ^n-1， T₁′* (T₂′) ^n-1} ＝ [ (m₁ -m₂) ] .
The following steps are the same to that in Sign Acquisition. Through the cooperation of the DSP and the ACS， the DR finally gets the sign of m_1-2 ＝ m₁ -m₂. In the end， the DR can obtain the comparison result. If m_1-2 ≥ 0， m₁ ≥ m₂； otherwise， m₁ ＜ m₂.
Equivalent test： DR wants to know if m₁ is equal to m₂ with encrypted data ( [m₁] ， [m₂] ) . The DSP and the ACS directly interact with each other in two parallel computations of Comparison.
They compare m₁ and m₂ in two forms： 1) m_1-2 ＝ m₁ -m₂； 2) m_2-1 ＝ m₂ -m₁. Through the operations in Comparison， DSP can get two resultsand respectively. Then the DSP can obtain
Finally， the DR that satisfies the access policy in ABE can decrypt CK′to obtain ck. The DSP sends the data packetto the DR in a secure way. Then the DR can further decryptto obtain f. Note： if f ＝ 2， m₁ ＝ m₂； Otherwise， m₁ ≠ m₂.
Variance： In some scenarios， DR j may want to get the variance of some data according to provided encrypted data. In this presentation， we set N be the number of provided data andVariance function can be presented as whereis the average of m_i (i ＝ 1， ... ， N) . For ease of presentation， we assume there are three pieces of encrypted data (i.e.， N ＝ 3， which is shared with DR j) ： [m₁] ， [m₂] and [m₃] . In the process， DR targets to obtain
Data Preparation at DSP： First， the DSP obtainsthrough following steps：
[m⁺] ＝ (T， T′) ＝ [m₁] * [m₂] * [m₃] ，
[-m⁺] ＝ (T^n-1 ， (T′) ^n-1) ；
[N *m_i] ＝ [m_i] ^N for i ＝ 1， 2， 3；
[N *m_i -m⁺] ＝ [m_i] ^N * [-m⁺] for i ＝ 1， 2， 3；
Then the DSP partially decrypts the data with its secret key by calling PDec1 to obtain：
The DSP chooses three random numbers c₁， c₂， c₃， and computes to obtain：
Then the DSP send the three ciphertexts to the ACS.
In addition， DSP may be configured to store c₁ ²， c₂ ²， c₃ ².
Data Process at ACS： Upon receiving the data from the DSP， the ACS directly decrypts to obtain raw data and then processes the data for DR j as follows： Decrypt to obtain：
C_i ＝ c_i (N *m_i -m⁺) for i ＝ 1， 2， 3；
Encrypt processed data with random number ck：
Encrypt ck using ABE： CK′＝ Enc^ABE (ck， γ， PK′) . Then the ACS sends them back to the DSP.
Additional Operation at DSP： The DSP first computes the reverse of C₁ ²， c₂ ²， c₃ ²， respectively： c′_i ＝ (c_i ²) ^-1 mod n² for i ＝ 1， 2， 3.
Then the DSP can prepare the final result：
Finally， can be sent to DR.
Data Access at DR： The DR that satisfies the access policy in ABE can decrypt CK′to obtain ck. The DSP sends the data packetto the DR in a secure way. Then the DR can decrypt it to obtainand finally get the variance of data：
M ＝ m/N³ ＝ ( (N *m₁ -m) ² + (N *m₂ -m) ² + (N *m₁ -m) ²) /N³.
As presented above， the decryption key ck chosen by ACS is encrypted using ABE， which helps achieve secure access to the data processing results. In at least some embodiments of the present invention， it is proposed to adopt trust level as a concrete example attribute. For a better presentation， we give a concrete application scenario： medical data management. Some case reports of patients can be used for further research and even be used to judge the potential disease. However， it is highly sensitive information， especially those infectious diseases. The user privacy and data security can be guaranteed through the schemes above. But how to further control the access to the final data processing results is still a significant open issue.
In order to enhance the security of processed result， we propose to employ multiple criteria to judge the access. Here， we further improve the attribute sets defined in [24] ， which concentrates on the access control of Personal Health Records (PHR) . In at least some embodiments of the present invention， focus is on the processed results but follows the definition in [24] . Different from the previous work， we add one more attribute： trust value.
Concretely， the processed result of cases may be used by doctors for diagnosis， or by a medical expert for disease study. Thus， we follow the classifications： organization (i.e.， hospital， research institution， etc. ) ， medical specialty (i.e.， internal medicine， general， neurology， etc. ) ， profession (physician， researcher， nurse， etc. ) ， and trust level. Trust level can be decided by the feedback of patients and the research impact， as described， for example， in papers [15] . We set the trust value to be some fixed numbers that indicate trust levels， such as ten integers： 1 to 10. The trust value is regarded as an attribute： TV＝i (i ＝ 1， … ， 10) ， which can be issued by a reputation center or ACS. If we set the trust threshold is 8 (TV≥8) ， then we can present a sample attribute based keys for users as shown in Table 2：
KP-ABE or CP-ABE can be easily applied to realize an access structure. More attributes can be added to achieve higher security and more fine-grained access control. The computation complexity is highly related to the number of attributes. Thus， it should be decided according to practical requirements.
As the number of trust values is not infinite， but some fixed numbers， thus the adoption of trust value would not incur much computation overhead. However， it can help improve the system performance， as it is a value dynamically generated based on the historical performance of a system entity. The higher the trust value is， the more information the user can obtain.
Besides the medical health data， some embodiments of the invention may be used in Pervasive Social Networking， PSN. Trust management is widely used in PSN to build trust relationship for data access control. It is easy to obtain a secure and motivated access control scheme for privacy-preserving data processing by integrating trust evaluation result with other attributes.
FIGURE 5 is a flow graph of a method in accordance with at least some embodiments of the present invention. The phases of the illustrated method may be performed in DSP 120， or in a control device configured to control the functioning thereof， when installed therein.
Phase 510 comprises receiving， in an apparatus， from at least one data provider， at least one ciphertext， the at least one ciphertext comprising a first ciphertext. Phase 520 comprises performing a mathematical manipulation of the first ciphertext to modify the first ciphertext without decrypting the first ciphertext， the mathematical manipulation being selected in the apparatus in dependence of a mathematical operation to be performed on plaintext underlying the first ciphertext. The mathematical operation may comprise addition or multiplication， for example， as laid out above. Phase 540 comprises obtaining a second ciphertext from the modified first ciphertext by performing a cryptographic operation， wherein at least one number is randomly generated and used in masking plaintext underlying the second ciphertext. The method may further comprise providing the second ciphertext to an access control node.
FIGURE 6 is a flow graph of a method in accordance with at least some embodiments of the present invention. The phases of the illustrated method may be performed in DSP 120， or in a control device configured to control the functioning thereof， when installed therein.
Phase 610 comprises receiving， in an apparatus from a data service provider， a first ciphertext. Phase 620 comprises partially decrypting the first ciphertext to obtain a second ciphertext， using a secret key of the apparatus from a public key-secret key pair of the apparatus. Partially decrypting to obtain a second ciphertext may comprise decrypting to obtain a masked plaintext. Phase 630 comprises generating a variable， encrypting the second ciphertext using the variable as key and providing the encrypted second ciphertext to the data service provider. Phase 640 comprises encrypting the variable using an attribute-based encryption mechanism. Finally， phase 650 comprises processing a request， received from a data requesting party， for access to information underlying the first ciphertext and second ciphertext. The variable may comprise any kind of bit or character sequence usable as encryption key. For example， the variable may comprise a 128 or 256 bit long binary value.
It is to be understood that embodiments of the invention disclosed are not limited to the particular structures， process steps， or materials disclosed herein， but are extended to equivalents thereof as would be recognized by those ordinarily skilled in the relevant arts. It should also be understood that terminology employed herein is used for the purpose of describing particular embodiments only and is not intended to be limiting.
Reference throughout this specification to one embodiment or an embodiment means that a particular feature， structure， or characteristic described in connection with the embodiment is included in at least one embodiment of the present invention. Thus， appearances of the phrases “in one embodiment” or “in an embodiment” in various places throughout this specification are not necessarily all referring to the same embodiment. Where reference is made to a numerical value using a term such as， for example， about or substantially， the exact numerical value is also disclosed.
As used herein， a plurality of items， structural elements， compositional elements， and/or materials may be presented in a common list for convenience. However， these lists should be construed as though each member of the list is individually identified as a separate and unique member. Thus， no individual member of such list should be construed as a de facto equivalent of any other member of the same list solely based on their presentation in a common group without indications to the contrary. In addition， various embodiments and example of the present invention may be referred to herein along with alternatives for the various components thereof. It is understood that such embodiments， examples， and alternatives are not to be construed as de facto equivalents of one another， but are to be considered as separate and autonomous representations of the present invention.
Furthermore， the described features， structures， or characteristics may be combined in any suitable manner in one or more embodiments. In the preceding description， numerous specific details are provided， such as examples of lengths， widths， shapes， etc.， to provide a thorough understanding of embodiments of the invention. One skilled in the relevant art will recognize， however， that the invention can be practiced without one or more of the specific details， or with other methods， components， materials， etc. In other instances， well-known structures， materials， or operations are not shown or described in detail to avoid obscuring aspects of the invention.
While the forgoing examples are illustrative of the principles of the present invention in one or more particular applications， it will be apparent to those of ordinary skill in the art that numerous modifications in form， usage and details of implementation can be made without the exercise of inventive faculty， and without departing from the principles and concepts of the invention. Accordingly， it is not intended that the invention be limited， except as by the claims set forth below.
The verbs “to comprise” and “to include” are used in this document as open limitations that neither exclude nor require the existence of also un-recited features. The features recited in depending claims are mutually freely combinable unless otherwise explicitly stated. Furthermore， it is to be understood that the use of ″a″ or ″an″ ， that is， a singular form， throughout this document does not exclude a plurality.

INDUSTRIAL APPLICABILITY

At least some embodiments of the present invention find industrial application in facilitating secure data processing and distribution.
ACRONYMS LIST
ABE Attribute-based encryption
ACL Access control list
HE Homomorphic encryption
HRES Homomorphic re-encryption system
PKC Public key cryptography
RBAC Role-based access control
SMC Secure multi-party computation
SKC Symmetric key cryptography
REFERENCE SIGNS LIST

110	Data provider
120	Data service provider
130	Access control server
140	Data requester
300-370	Structure of the device illustrated in FIGURE 3
410-4100	Phases of signaling of FIGURE 4
510-530	Phases of the method of FIGURE 5
610-650	Phases of the method of FIGURE 6

CITATION LIST
[1] B. Wang， M. Li， S.S. Chow， and H. Li， ″A tale of two clouds： Computing on data encrypted under multiple keys， ″ in 2014 IEEE Conference on Communications and Network Security (CNS) ， pp. 337-345， 2014.
[2] A. Peter， E. Tews， and S. Katzenbeisser， “Efficiently outsourcing multiparty computation under multiple keys， ” IEEE Transactions on Information Forensics and Security (TIFS) ， vol. 8， no. 12， pp. 2046-2058， 2013.
[3] X. Liu， R. Choo， R. Deng， R. Lu， and J. Weng， “Efficient and privacy-preserving outsourced calculation of rational numbers， ” IEEE Transactions on Dependable and Secure Computing (TDSC) ， vol. PP， no. 99， pp. 1-1， 2016.
[4] X. Liu， R. Deng， W. Ding， R. Lu， and B. Qin， “Privacy-preserving outsourced calculation on floating point numbers， ” IEEE Transactions on Information Forensics and Security vol. 11， no. 11， pp. 2513 -2527， 2016.
[5] C. Castelluccia， A.C. Chan， E. Mykletun， and G. Tsudik， “Efficient and provably secure aggregation of encrypted data in wireless sensor networks， ” ACM Transactions on Sensor Networks (TOSN) ， vol. 5， no. 3， pp. 20， 2009.
[6] Q. Li， G. Cao， and T. La Porta， “Efficient and privacy-aware data aggregation in mobile sensing， ” IEEE Transactions on Dependable and Secure Computing (TDSC) ， vol. 11， no. 2， pp. 115-129， 2014.
[7] E. Shi， T. H. Chan， E. Rieffel， R. Chow， and D. Song， ″Privacy-preserving aggregation of time-series data， ″ in 18th Annual Network and Distributed System Security Symposium (NDSS) ， pp. 1-17， 2011.
[8] T. -H. H. Chan， E. Shi， and D. Song， ″Privacy-preserving stream aggregation with fault tolerance， ″ Financial Cryptography and Data Security， pp. 200-214： Springer， 2012.
[9] W. Ding， and Z. Yan， Secure Data Processing， Patent application， No. PCT/CN2016/087876， File Data 2016-06-30.
[10] E. Ayday， J. L. Raisaro， J. -P. Hubaux， and J. Rougemont， ″Protecting and evaluating genomic privacy in medical tests and personalized medicine， ″ in 12th ACM Workshop on Workshop on Privacy in the Electronic Society， pp. 95-106， 2013.
[11] Q. Li， and G. Cao， ″Efficient privacy-preserving stream aggregation in mobile sensing with low aggregation error， ″ in Privacy Enhancing Technologies， pp. 60-81， 2013.
[12] M. Joye， and B. Libert， ″A scalable scheme for privacy-preserving aggregation of time-series data， ″ Financial Cryptography and Data Security， pp. 111-125： Springer， 2013.
[13] Z. Yan， P. Zhang， and A. V. Vasilakos， “A survey on trust management for Internet of Things， ” Journal of Network and Computer Applications， vol. 42， pp. 120-134， 2014.
[14] D. Bogdanov， R. Talviste， and J. Willemson， ″Deploying secure multi-party computation for financial data analysis， ″Financial Cryptography and Data Security， pp. 57-64： Springer， 2012.
[15] Z. Yan， W. Ding， V. Niemi， and A. V. Vasilakos， “Two schemes of privacy-preserving trust evaluation， ” Future Generation Computer Systems (FGCS) ， vol. 62， pp. 175-189， 2015.
[16] M. Kallahalla， E. Riedel， R. Swaminathan， Q. Wang， and K. Fu， ″Plutus： Scalable secure file sharing on untrusted storage， ″ in FAST， pp.， 2003.
[17] E.-J. Goh， H. Shacham， N. Modadugu， and D. Boneh， ″SiRiUS： Securing Remote Untrusted Storage， ″ in NDSS， pp. 131 -145， 2003.
[18] Z. Yan， W. Ding， and H. Zhu， ″Ascheme to manage encrypted data storage with deduplication in cloud， ″ in International Conference on Algorithms and Architectures for Parallel Processing， pp. 547-561： Springer， 2015.
[19] C. Dong， G. Russello， and N. Dulay， ″Shared and searchable encrypted data for untrusted servers， ″ in IFIP Annual Conference on Data and Applications Security and Privacy， pp. 127-143， 2008.
[20] W. C. Garrison III， A. Shull， S. Myers， and A. J. Lee， “On the practicality of cryptographically enforcing dynamic access control policies in the cloud， ” in 2016 IEEE Symposium on Security and Privacy， 2016.
[21] Z. Tianyi， L. Weidong， and S. Jiaxing， ″An efficient role based access control system for cloud computing， ″ in IEEE 11th International Conference on Computer and Information Technology (CIT) ， pp. 97-102， 2011.
[22] S. Yu， C. Wang， K. Ren， and W. Lou， ″Achieving secure， scalable， and fine-grained data access control in cloud computing， ″ in 2010 proceedings IEEE INFOCOM， pp. 1-9， 2010.
[23] V. Goyal， O. Pandey， A. Sahai， and B. Waters， ″Attribute-based encryption for fine-grained access control of encrypted data， ″ in 13th ACM conference on Computer and communications security， pp. 89-98， 2006.
[24] M. Li， S. Yu， Y. Zheng， K. Ren， and W. Lou， “Scalable and secure sharing of personal health records in cloud computing using attribute-based encryption， ” IEEE Transactions on Parallel and Distributed Systems， vol. 24， no. 1， pp. 131-143， 2013.
[25] Z. Wan， J. E. Liu， and R. H. Deng， “HASBE： a hierarchical attribute-based solution for flexible and scalable access control in cloud computing， ” IEEE Transactions on Information Forensics and Security (TIFS) ， vol. 7， no. 2， pp. 743-754， 2012.
[26] Z. Yan， X. Li， M. Wang， and A. Vasilakos， “Flexible data access control based on trust and reputation in cloud computing， ” IEEE Transactions on Cloud Computing， vol. PP， no. 99， pp. 1-1， 2015.
[27] P. Paillier， ″Public-key cryptosystems based on composite degree residuosity classes， ″ in Advances in cryptology-EUROCRYPT’ 99， pp. 223-238， 1999.
[28] J. Bethencourt， A. Sahai， and B. Waters， ″Ciphertext-policy attribute-based encryption， ″ in 2007 IEEE Symposium on Security and Privacy (SP′07) ， pp. 321-334， 2007.
[29] E. Bresson， D. Catalano， and D. Pointcheval， ″A simple public-key cryptosystem with a double trapdoor decryption mechanism and its applications， ″ Advances in Cryptology-ASIACRYPT 2003， pp. 37-54： Springer， 2003.

Claims

An apparatus comprising at least one processing core， at least one memory including computer program codes， the at least one memory and the computer program codes being configured to， with the at least one processing core， cause the apparatus at least to：

-receive， from at least one data provider， at least one ciphertext， the at least one ciphertext comprising a first ciphertext；

-perform a mathematical manipulation of the first ciphertext to modify the first ciphertext without decrypting the first ciphertext， the mathematical manipulation being selected in the apparatus in dependence of a mathematical operation to be performed on plaintext underlying the first ciphertext；

-obtain a second ciphertext from the modified first ciphertext by performing a cryptographic operation， wherein at least one number is randomly generated and used in masking plaintext underlying the second ciphertext， and

-provide the second ciphertext to an access control node.
The apparatus according to claim 1， wherein the apparatus is further configured to receive， from the access control node， a third ciphertext， the third ciphertext being derived from the second ciphertext， and to perform a second mathematical manipulation， on the third ciphertext， to reverse the masking and to obtain a fourth ciphertext.
The apparatus according to claim 2， wherein the apparatus is further configured to provide the fourth ciphertext to a data requesting party.
The apparatus according to any of claims 2 -3， wherein the apparatus is configured to， by performing the mathematical manipulation and the second mathematical manipulation， modify plaintext underlying the first ciphertext to thereby perform the mathematical operation selected from the following list： an addition operation， a subtraction operation， a multiplication operation， a sign acquisition operation， a comparison operation， an equivalence test operation and a variance operation on the plaintext underlying the first ciphertext.
The apparatus according to any preceding claim， wherein the apparatus is configured to store a public key-private key pair of a public key cryptosystem， and to employ the public key of the apparatus in the cryptographic operation.
The apparatus according to any of claims 3 -5， wherein the apparatus is configured to provide the fourth ciphertext to the data requesting party using a secured connection.
The apparatus according to any of claims 1 -6， wherein the apparatus is configured to perform mathematical manipulations on more than one of the at least one ciphertext.
The apparatus according to any preceding claim， wherein the apparatus is configured to operate in a cloud service data center.
An apparatus comprising at least one processing core， at least one memory including computer program code， the at least one memory and the computer program code being configured to， with the at least one processing core， cause the apparatus at least to： -

-receive， from a data service provider， a first ciphertext；

-partially decrypt the first ciphertext to obtain a second ciphertext， using a secret key of the apparatus from a public key-secret key pair of the apparatus；

-generate a variable， encrypt the second ciphertext using the variable as key and provide the encrypted second ciphertext to the data service provider；

-encrypt the variable using an attribute-based encryption mechanism， and

-process a request received from a data requesting party for access to information underlying the first ciphertext and the second ciphertext.
The apparatus according to claim 9， wherein the apparatus is， responsive to a decision to grant access to the data requesting party， configured to instruct the data service provider to provide the data requesting party with the requested data in encrypted form.
The apparatus according to claim 9 or 10， wherein the apparatus is configured to process a plurality of requests for access to the information underlying the first ciphertext and the second ciphertext， the plurality of requests being received in the apparatus from a plurality of data requesting parties， and to simultaneously perform access control concerning the information underlying the first ciphertext and the second ciphertext relating to the plurality of data requesting parties.
The apparatus according to claim 11， wherein the apparatus is configured to perform the simultaneous access control based on attribute-based access policies.
The apparatus according to any of claims 10 -12， wherein the apparatus is further configured to， responsive to the decision to grant access to the data requesting party， configured to provide the data requesting party a decryption key enabling the data requesting party to decrypt the variable.
The apparatus according to claim 13， wherein the apparatus is not configured to directly provide the data requesting party with an encrypted version of the variable.
The apparatus according to any of claims 9 -14， wherein the apparatus is configured to act as an access controlling server in a distributed data processing system.
A method comprising：

-receiving， in an apparatus， from at least one data provider， at least one ciphertext， the at least one ciphertext comprising a first ciphertext；

-performing a mathematical manipulation of the first ciphertext to modify the first ciphertext without decrypting the first ciphertext， the mathematical manipulation being selected in the apparatus in dependence of a mathematical operation to be performed on plaintext underlying the first ciphertext；

-obtaining a second ciphertext from the modified first ciphertext by performing a cryptographic operation， wherein at least one number is randomly generated and used in masking plaintext underlying the second ciphertext， and

-providing the second ciphertext to an access control node.
The method according to claim 16， further comprising receiving， from the access control node， a third ciphertext， the third ciphertext being derived from the second ciphertext， and performing a second mathematical manipulation， on the third ciphertext， to reverse the masking and to obtain a fourth ciphertext.
The method according to claim 17， further comprising providing the fourth ciphertext to a data requesting party.
The method according to any of claims 17 -18， further comprising， by performing the mathematical manipulation and the second mathematical manipulation， modifying plaintext underlying the first ciphertext to thereby perform the mathematical operation selected from the following list： an addition operation， a subtraction operation， a multiplication operation， a sign acquisition operation， a comparison operation， an equivalence test operation and a variance operation on the plaintext underlying the first ciphertext.
The method according to any of claims 16 -19， further comprising storing a public key-private key pair of a public key cryptosystem， and to employ the public key of the apparatus in the cryptographic operation.
The method according to any of claims 18 -20， further comprising providing the fourth ciphertext to the data requesting party using a secured connection.
The method according to any of claims 16 -21， wherein mathematical manipulations are performed on more than one of the at least one ciphertext.
The method according to any of claims 16 -22， comprising performing the method in a cloud service data center.
A method comprising：

-receiving， in an apparatus from a data service provider， a first ciphertext；

-partially decrypting the first ciphertext to obtain a second ciphertext， using a secret key of the apparatus from a public key-secret key pair of the apparatus；

-generating a variable， encrypting the second ciphertext using the variable as a key and providing the encrypted second ciphertext to the data service provider；

-encrypting the variable using an attribute-based encryption mechanism， and

-processing a request， received from a data requesting party， for access to information underlying the first ciphertext and second ciphertext.
The method according to claim 24， further comprising， responsive to a decision to grant access to the data requesting party， instructing the data service provider to provide the data requesting party with the requested data in an encrypted form.
The method according to claim 24 or 25， comprising processing a plurality of requests for access to the information underlying the first ciphertext and the second ciphertext， the plurality of requests being received in the apparatus from a plurality of data requesting parties， and to simultaneously perform access control concerning the information underlying the first ciphertext and the second ciphertext relating to the plurality of data requesting parties.
The method according to claim 26， comprising performing the simultaneous access control based on attribute-based access policies.
The method according to any of claims 25 -27， further comprising， responsive to the decision to grant access to the data requesting party， providing the data requesting party a decryption key enabling the data requesting party to decrypt the variable.
The method according to claim 28， not comprising directly providing the data requesting party with an encrypted version of the variable.
The method according to any of claims 24 -29， comprising acting as an access controlling server in a distributed data processing system.
An apparatus comprising：

-means for receiving， in an apparatus， from at least one data provider， at least one ciphertext， the at least one ciphertext comprising a first ciphertext；

-means for performing a mathematical manipulation of the first ciphertext to modify the first ciphertext without decrypting the first ciphertext， the mathematical manipulation being selected in the apparatus in dependence of a mathematical operation to be performed on plaintext underlying the first ciphertext；

-means for obtaining a second ciphertext from the modified first ciphertext by performing a cryptographic operation， wherein at least one number is randomly generated and used in masking plaintext underlying the second ciphertext， and

-means for providing the second ciphertext to an access control node.
An apparatus comprising：

-means for receiving， in an apparatus from a data service provider， a first ciphertext；

-means for partially decrypting the first ciphertext to obtain a second ciphertext， using a secret key of the apparatus from a public key-secret key pair of the apparatus；

-means for generating a variable， encrypting the second ciphertext using the variable as a key and providing the encrypted second ciphertext to the data service provider；

-means for encrypting the variable using an attribute-based encryption mechanism， and

-means for processing a request， received from a data requesting party， for access to information underlying the first ciphertext and second ciphertext.
A non-transitory computer readable medium having stored thereon a set of computer readable instructions that， when executed by at least one processor， cause an apparatus to at least：

-receive， in an apparatus， from at least one data provider， at least one ciphertext the at least one ciphertext comprising a first ciphertext；

-perform a mathematical manipulation of the first ciphertext to modify the first ciphertext without decrypting the first ciphertext， the mathematical manipulation being selected in the apparatus in dependence of a mathematical operation to be performed on plaintext underlying the first ciphertext；

-obtain a second ciphertext from the modified first ciphertext by performing a cryptographic operation， wherein at least one number is randomly generated and used in masking plaintext underlying the second ciphertext， and

-provide the second ciphertext to an access control node.
A non-transitory computer readable medium having stored thereon a set of computer readable instructions that， when executed by at least one processor， cause an apparatus to at least：

-receive， in an apparatus from a data service provider， a first ciphertext；

-partially decrypting the first ciphertext to obtain a second ciphertext， using a secret key of the apparatus from a public key-secret key pair of the apparatus；

-generate a variable， encrypt the second ciphertext using the variable as a key and provide the encrypted second ciphertext to the data service provider；

-encrypt the variable using an attribute-based encryption mechanism， and

-process a request， received from a data requesting party for access to information underlying the first ciphertext and second ciphertext.
A computer program configured to cause a method in accordance with at least one of claims 16 -30 to be performed.