WO2008068675A2 - Secure matching of dna profiles - Google Patents

Secure matching of DNA profiles

Publication number
WO2008068675A2
Authority
WO
WIPO (PCT)
Prior art keywords
party
feature
dna
related data
encryption
Prior art date
Application number
PCT/IB2007/054835
Other languages
French (fr)
Other versions
WO2008068675A3 (en
Inventor
Alphons A. M. L. Bruekers
Stefan Katzenbeisser
Pim T. Tuyls
Original Assignee
Koninklijke Philips Electronics N.V.
Priority date
Filing date
Publication date
Application filed by Koninklijke Philips Electronics N.V. filed Critical Koninklijke Philips Electronics N.V.
Publication of WO2008068675A2 publication Critical patent/WO2008068675A2/en
Publication of WO2008068675A3 publication Critical patent/WO2008068675A3/en

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/30 Public key, i.e. encryption algorithm being computationally infeasible to invert or user's encryption keys not requiring secrecy
    • H04L9/3066 Public key, i.e. encryption algorithm being computationally infeasible to invert or user's encryption keys not requiring secrecy involving algebraic varieties, e.g. elliptic or hyper-elliptic curves
    • H04L9/3073 Public key, i.e. encryption algorithm being computationally infeasible to invert or user's encryption keys not requiring secrecy involving algebraic varieties, e.g. elliptic or hyper-elliptic curves involving pairings, e.g. identity based encryption [IBE], bilinear mappings or bilinear pairings, e.g. Weil or Tate pairing
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/008 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols involving homomorphic encryption
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3271 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials using challenge-response
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L2209/00 Additional information or applications relating to cryptographic mechanisms or cryptographic arrangements for secret or secure communication H04L9/00
    • H04L2209/26 Testing cryptographic entity, e.g. testing integrity of encryption key or encryption algorithm

Definitions

  • the invention relates to the field of matching of DNA profiles and more specifically to secure matching of DNA profiles based on a data encryption scheme.
  • DNA (Desoxyribo-Nucleic Acid) is found in basically every cell of a living organism and determines to a great extent the physical characteristics of the living organism, e.g. the gender and color of the eyes and hair. In humans, DNA consists of long strands of about 3 billion nucleotides for which only 4 different nucleotides, labeled A, C, G and T, are used.
  • a chromosome is a large macromolecule into which DNA is normally packaged in a cell.
  • the major part of human DNA is organized in 22 pairs of chromosomes where, for each pair, one chromosome originates from the father and the other chromosome from the mother.
  • the chromosomes in a pair are homologous, meaning that they have the same structure.
  • one chromosome out of every pair of mother chromosomes and one chromosome out of every pair of father chromosomes is passed to a descendant, but errors may occur. Small parts of chromosomes may be changed, deleted or inserted. These modifications are called mutations. Moreover, errors may be made in the analysis of the DNA.
  • the positions in the DNA are called locus (singular) or loci (plural).
  • DNA code occupying a given locus is called an allele. Evaluation of a particular locus in a pair of chromosomes therefore results in two alleles. For practical reasons, each allele from the set of all possible alleles for a particular locus may be coded by an integer.
  • the DNA-related data typically comprises pairs of alleles for a predefined set of loci. It was found that in some parts of the DNA short sequences of nucleotides
  • STRs Short Tandem Repeat
  • STR loci selected on different chromosomes are statistically independent. In Europe 10 specific STR loci are used. In the US and Canada a different set of loci is defined. Both sets have a small number of loci in common that enable comparison at a lower level of reliability.
  • the DNA-related data of a human contains valuable information which can be utilized for authentication purposes.
  • the DNA encodes also sensitive information, e.g. mutations pointing to inherited diseases, which is considered critical to the privacy of a person and must be protected from unauthorized access.
  • a method of testing similarity of a first DNA-related data to a second DNA-related data under encryption based on a feature-based encryption scheme in conjunction with a secure two-party computation scheme is provided.
  • Using a feature-based encryption scheme allows encrypting the first DNA-related data and the second DNA-related data and thus protecting privacy of individuals, from which the first DNA-related data and the second DNA-related data is obtained.
  • Employing a secure two-party computation scheme allows testing similarity of the first DNA-related data to the second DNA-related data. The outcome of this comparison, i.e. the test result, may be made available to an authorized party. If the test result is negative, no information about the first DNA-related data and the second DNA-related data is revealed. If the test result is positive, only limited information about the first DNA-related data and the second DNA-related data may be revealed to an authorized party.
  • Fig. 1A shows a flowchart of an exemplary implementation of the method comprising steps of the first-party method performed by a first party
  • Fig. 1B shows a flowchart of an exemplary implementation of the second-party method comprising steps of the second-party method performed by a second party
  • Fig. 2A schematically shows a block diagram of an exemplary embodiment of the system comprising a first-party subsystem
  • Fig. 2B schematically shows a block diagram of an exemplary embodiment of the system comprising a second-party subsystem.
  • the objective of secure two-party computation is to jointly compute the value $f(x, y)$ of a function $f$, hereinafter also referred to as a result, where $x$ is a first input of a first party and $y$ is a second input of a second party. While the result $f(x, y)$ may be known to one or to both parties, the second party does not obtain viable information on the first input $x$ and the first party does not obtain viable information on the second input $y$.
  • the first input is based on a first party DNA-related data and the second input is based on the second party DNA-related data.
  • the function $f$ is defined in such a way that the result $f(x, y)$ allows obtaining information on similarity of the first DNA-related data to the second DNA-related data. Both parties know the function $f$. However, the two parties do not need to reveal their respective inputs to each other.
  • the secure two-party computation scheme may be based on a homomorphic encryption scheme, as illustrated in the description of the implementations of the method, or on Yao's secure two-party computation scheme.
  • Yao's protocol for secure two-party computation is described by A. Yao in an article entitled "How to generate and exchange secrets" in Proc. 25th Annual Symposium on the Foundations of Computer Science, pages 162-167, 1986, hereinafter referred to as Yao's paper.
  • the feature-based encryption scheme may be, but is not limited to, one of the following: a public key encryption scheme, an identity based encryption scheme, and a one-time pad encryption scheme.
  • Figs. 1A and 1B show flowcharts of exemplary implementations MA and MB of the method, hereinafter referred to as a first party method MA and a second party method MB.
  • the first party method MA and the second party method MB implement a test protocol involving the first party and the second party.
  • steps A1, AC and A4 which are performed by the first party.
  • steps B1, B2 and BC which are performed by the second party.
  • the two parties exchange data with each other.
  • the first party method MA and the second party method MB are designed to obtain information on similarity of a first DNA-related data to a second DNA-related data.
  • the first DNA related data comprises a plurality of $N_A$ features $\{a_1, a_2, \ldots, a_{N_A}\}$, e.g. alleles corresponding to a set of loci in a first DNA sample
  • the second DNA related data comprises a plurality of $N_B$ features $\{b_1, \ldots, b_{N_B}\}$, e.g. alleles corresponding to a set of loci in a second DNA sample.
  • the features may be organized e.g. as a vector, where each component corresponds to a locus.
  • After performing the steps of the first-party method MA and of the second-party method MB, the first party obtains information on similarity of the first plurality of features to the second plurality of features. If the test outcome is positive, information revealed to the first party about the second plurality of features is limited and depends on a detailed implementation. If the test outcome is negative, no viable information about the second DNA-related data is revealed to either party.
  • Fig. 1A shows a flowchart of an exemplary implementation of the first-party method MA comprising steps performed by the first party, i.e. implementing a first party protocol.
  • the first party obtains the first plurality of features $\{a_1, a_2, \ldots, a_{N_A}\}$ and a feature based encryption operator $E$ of the feature-based encryption scheme.
  • the method MA comprises: a first first-party step A1 for obtaining at least one random number $r$, e.g. generating at least one random number $r$, and for encrypting the at least one random number $r$ using the feature-based encryption operator $E$ of the feature-based encryption scheme based on at least one feature $a_k$ from the first plurality of features $\{a_1, a_2, \ldots$
  • $e_k = E(a_k, r)$ of the at least one random number $r$; and making the at least one feature-based encryption $e_k$ available to the second party, e.g. sending the at least one feature-based encryption $e_k$ to the second party; a secure computation first-party step AC for securely computing, in collaboration with a second party, a result $R$ based on a first party input comprising the at least one random number $r$; and a fourth first-party step A4 for evaluating the computed result $R$ to obtain information on similarity of the first DNA-related data to the second DNA-related data.
  • the information may be made available to an authorized party.
  • Fig. 1B shows a flowchart of an exemplary implementation of the second-party method MB comprising steps performed by the second party, i.e. implementing a second party protocol.
  • the second party obtains the second plurality of features $\{b_1, \ldots, b_{N_B}\}$ and a feature-based decryption operator $D$ of the feature-based encryption scheme.
  • the at least one random number r and the at least one feature-based decryption are identical.
  • the result, computed based on the at least one random number $r$ and the at least one feature-based decryption $d_{l,k}$, may carry this information to the first party.
  • the first party evaluates the result in the fourth first-party step and may learn that the at least one feature $a_k$ and the at least one feature $b_l$ are identical.
  • the feature-based encryption scheme is a public key encryption scheme.
  • each feature belongs to a range of values.
  • Each value x from the range of values is provided with a different pair of keys: a public key pk(x) and a secret key sk(x).
  • the first party uses the public key pk(a), corresponding to a feature a from the first plurality of features, to encrypt a random number r, thereby obtaining a feature-based encryption e of the random number r.
  • the second party decrypts the feature-based encryption e using the secret key sk(b), corresponding to a feature b from the second plurality of features, thereby obtaining a feature-based decryption d of the feature-based encryption e. If the features a and b are identical, then the feature-based decryption d and the random number r are identical.
  • the feature-based encryption scheme is an identity-based encryption scheme, whose encryption operator is $E^{ID}$ and whose decryption operator is $D^{ID}$.
  • the identities are based on features.
  • the first party may encrypt a random number r based on a first identity defined by a feature a from the first plurality of features, thereby creating a feature-based encryption e of the random number r.
  • the second party may decrypt the feature-based encryption e of the random number r based on a second identity defined by a feature b from the second plurality of features, thereby obtaining a feature-based decryption d of the feature-based encryption e. If the features a and b are identical, then the feature-based decryption d and the random number r are identical.
  • the first DNA-related data is based on a Short Tandem Repeat sequence based on a first DNA sample and the second DNA-related data is based on a Short Tandem Repeat sequence based on a second DNA sample.
  • Each feature of the first plurality of features and of the second plurality of features is an allele comprising an STR number. The features are labeled by their respective loci labels.
  • an identity based public key encryption scheme is used.
  • An identity-based encryption operator of the identity based public key encryption scheme corresponds to a public key.
  • An identity-based decryption operator of the identity based public key encryption scheme corresponds to a secret key.
  • the skilled person will understand that the identity based public key encryption scheme may be replaced with another suitable feature-based encryption scheme, e.g. with the described public key encryption scheme.
  • the identity based public key encryption scheme is used to illustrate implementations of the method and should not be construed as limiting the scope of the claims.
  • the methods are used for identity testing of DNA profiles e.g. in forensic applications.
  • a first party, e.g. a law enforcement office, wishes to determine if a first DNA sample, e.g. a sample obtained at a crime scene, matches a second DNA sample, e.g. a sample obtained from a second party such as a suspect.
  • the input to the method comprises a common input, a private input of the first party, and a private input of the second party.
  • the common input comprises B, name of the second party, a master public key pks of an identity based public key encryption scheme, and a public key pkA of a homomorphic encryption scheme.
  • the private input of the first party comprises a first feature vector $\langle a_1, a_2, \ldots, a_{2N}\rangle$ comprising 2N alleles based on the first DNA sample, and a secret key skA corresponding to the public key pkA.
  • the alleles $a_{2i-1}$ and $a_{2i}$ correspond to one locus and are arranged e.g. in the non-decreasing order.
  • the private input of the second party comprises a second feature vector $\langle b_1, \ldots, b_{2N}\rangle$ comprising 2N alleles based on the second DNA sample.
  • the alleles $b_{2i-1}$ and $b_{2i}$ correspond to one locus and are arranged e.g. in the non-decreasing order. The same sequence of loci is used to obtain the first and the second feature vector.
  • the first party obtains a random number $r_k$ and encrypts the random number $r_k$ using the identity based encryption operator $E^{ID}$ corresponding to the master public key pks and using the identity i?
  • denotes a concatenation operator.
  • the vector of identity-based encryptions $\langle e_1, e_2, \ldots, e_{2N}\rangle$ is made available to the second party.
  • the secure computation step AC is implemented using the homomorphic encryption scheme. This is done in two first-party steps A2 and A3.
  • the vector of homomorphic encryptions $\langle h_1, h_2, \ldots, h_{2N}\rangle$ is made available to the second party.
  • the second party obtains the vector of identity-based encryptions $\langle e_1, e_2, \ldots, e_{2N}\rangle$ and the vector of homomorphic encryptions $\langle h_1, h_2, \ldots, h_{2N}\rangle$ from the first party; from an authority, for each $k \in \{1, \ldots, 2N\}$, the second party obtains a secret key $s_k$ corresponding to the master public key pks for the identity i?
  • the secure computation step BC is implemented using the homomorphic encryption scheme. This is done in two second-party steps B3 and B4.
  • the second party encrypts the identity-based decryptions $d_k$ using the homomorphic encryption operator $E^{H}_{pk_A}$.
  • the second party makes the value V available to the first party. This concludes the secure computation second-party step BC.
  • the second party may compute, utilizing the homomorphic property of the homomorphic encryption operator, a value defined as
  • V E" Iy r, , z, ...Z 1 ), where the coefficients r, , may be random numbers, predetermined numbers, or numbers selected by the user. In an implementation of the method MB, all coefficients are identical.
  • the first party decrypts the value $V$ using the homomorphic decryption operator $D^{H}_{sk_A}$, thereby obtaining a result
  • the secure two-party computation scheme is implemented based on Yao's protocol for secure two-party computation described in Yao's paper.
  • Yao's protocol allows computing the result for any computable function $f$ in a secure manner, without revealing the first party input based on the first DNA-related data to the second party and without revealing the second party input based on the second DNA-related data to the first party.
  • Yao's protocol for secure two-party computation is described in Yao's paper and may be used in implementations MA and MB of the method. The use of Yao's protocol for secure two-party computation for identity testing is now described.
  • the symbol $\wedge$ denotes the Boolean AND operator.
  • the first variable $I_A$ of the function $f$ is the vector of random numbers $\langle r_1, r_2, \ldots, r_{2N}\rangle$ and the second variable $I_B$ of the function $f$ is the vector of identity-based decryptions $\langle d_1, d_2, \ldots, d_{2N}\rangle$.
  • the first first-party step A1 may be included in the secure computation first-party step AC.
  • the first second-party step B1 and the second second-party step B2 may be included in the secure computation second-party step BC.
  • the first party method MA and the second party method MB are used for paternity testing.
  • a first party, e.g. an agent acting on behalf of a child, wishes to determine whether a first DNA sample obtained from the child matches a second DNA sample obtained from a potential father.
  • a complicating factor of matching a child DNA-related data and a potential father DNA-related data is that half of the child's DNA originates from child's father and half of the child's DNA originates from child's mother. For each locus of the child, one allele originates from father's chromosome and the other allele originates from mother's chromosome. When no data from the mother is available, in principle, at least one allele of the father should match one allele of the child for each locus.
  • the DNA-related data of child's mother is not available.
  • the input to the first party method MA and the second party method MB comprises a common input, a private input of the first party, and a private input of the second party.
  • the common input comprises F, name of the second party, e.g. name of the potential father, a master public key pk ⁇ F of an identity based public key encryption scheme, and a public key pkc of a homomorphic encryption scheme.
  • the private input of the first party comprises a child feature vector $\langle \{c_{1,1}, c_{2,1}\}, \ldots$
  • Each component of the child feature vector is a set comprising two alleles, one allele based on child's mother chromosome and another allele based on child's father chromosome.
  • the private input of the second party comprises a father feature vector $\langle \{f_{1,1}, f_{2,1}\}, \ldots$, of length N, corresponding to N loci.
  • Each component of the father feature vector is a set comprising two alleles, one allele based on father's mother chromosome and another allele based on father's father chromosome.
  • After termination of the test, the first party is not able to determine the features of the potential father feature vector when the test outcome is negative, i.e. when no match between the father DNA-related data and the child DNA-related data is found. In case of a match, the first party is not able to extract information about the father feature vector beyond that, which can be determined by inspecting the child feature vector.
  • the first party obtains a vector of 2N identity-based encryptions $\langle e_{1,1}, e_{2,1}, \ldots, e_{1,N}, e_{2,N}\rangle$ and sends the vector to the second party.
  • the secure computation first-party step AC is implemented using the homomorphic encryption scheme. This is done in two first-party steps A2 and A3.
  • the first party computes homomorphic encryptions $E^{H}_{pk_C}(r_{1,k}^{i}\, r_{2,k}^{j})$ of the products $r_{1,k}^{i}\, r_{2,k}^{j}$ for $0 \le i, j \le 4$ and $(i, j) \ne (0, 0)$.
  • the first party makes all homomorphic encryptions $E^{H}_{pk_C}(r_{1,k}^{i}\, r_{2,k}^{j})$ available to the second party
  • the second party obtains the vector of 2N identity-based encryptions $\langle e_{1,1}, e_{2,1}, \ldots, e_{1,N}, e_{2,N}\rangle$ and all homomorphic encryptions
  • the second party decrypts the identity-based encryptions $e_{1,k}$, $e_{2,k}$ received from the first party using two identity-based decryption operators corresponding to the two keys $s_{1,k}$, $s_{2,k}$, respectively, thereby computing four decryptions, d ⁇ t-
  • the secure computation step BC is implemented using the homomorphic encryption scheme. This is done in two second-party steps B3 and B4.
  • the second party encrypts the four decryptions d ⁇ t using the homomorphic encryption operator E H
  • first party method MA and the second party method MB can be extended to cope with a finite number of DNA sequencing errors and mutations.
  • the modifications to the first party method MA and the second party method MB for paternity testing are analogous to the modifications described in the case of identity testing.
  • the secure computation first-party step AC of the first party method MA and the secure computation second-party step BC of the second party method MB may be implemented based on Yao's protocol for secure two-party computation.
  • the symbol $\vee$ denotes the Boolean OR operator.
  • the first variable $I_A$ of the function $f$ is the vector of random numbers $\langle r_{1,1}, r_{2,1}, \ldots, r_{1,N}, r_{2,N}\rangle$ and the second variable $I_B$ of the function is the vector of identity-based decryptions $\langle d_{1,1}, d_{1,2}, d_{1,3}, d_{1,4}, \ldots, d_{N,1}, d_{N,2}, d_{N,3}, d_{N,4}\rangle$.
  • first first-party step A1 may be included in the secure computation first-party step AC.
  • first second-party step B1 and the second second-party step B2 may be included in the secure computation second-party step BC.
  • the DNA-related data of the child, the DNA-related data of child's father and the DNA-related data of child's mother are available.
  • the input to the first party method MA and the second party method MB comprises a common input, a private input of the first party, e.g. an agent acting on behalf of the child, and a private input of the second party, e.g. an agent representing child's parents, mother and father.
  • the common input comprises F, name of the second party, e.g. name of the potential father, a master public key pks of an identity based public key encryption scheme, and a public key pkc of a homomorphic encryption scheme.
  • the private input of the first party comprises a child feature vector $\langle \{c_{1,1}, c_{2,1}\}, \ldots, \{c_{1,N}, c_{2,N}\}\rangle$ of length N, corresponding to N loci, and a secret key skc corresponding to the public key pkc.
  • Each component of the child feature vector is a set comprising two alleles, one allele based on child's mother chromosome and another allele based on child's father chromosome.
  • the private input of the second party comprises a father feature vector of length N, corresponding to N loci.
  • Each component of the father feature vector is a set comprising two alleles, one allele based on father's mother chromosome and another allele based on father's father chromosome.
  • the private input of the second party further comprises a mother feature vector $\langle \{m_{1,1}, m_{2,1}\}, \ldots, \{m_{1,N}, m_{2,N}\}\rangle$ of length N, corresponding to N loci.
  • Each component of the mother feature vector is a set comprising two alleles, one allele based on mother's mother chromosome and another allele based on mother's father chromosome. The same sequence of loci is used to obtain the father, the mother and the child feature vectors.
  • After termination of the test, in case of a mismatch the first party is not able to extract information about feature vectors of the mother or of the father. In case of a match, the first party does not learn any further information beyond that, which can be determined by inspecting the child feature vector.
  • the first first-party step A1 for each $k \in \{1, \ldots$
  • $e_{2,k,F} = E^{ID}_{pk_s}(F \,\|\, k \,\|\, c_{2,k},\; r_{2,k,F})$
  • $e_{1,k,M} = E^{ID}_{pk_s}(M \,\|\, k \,\|\, c_{1,k},\; r_{1,k,M})$
  • $e_{2,k,M} = E^{ID}_{pk_s}(M \,\|\, k \,\|\, c_{2,k},\; r_{2,k,M})$
  • the first party makes a vector of 4N identity-based encryptions $\langle e_{1,1,F}, e_{2,1,F}, e_{1,1,M}, e_{2,1,M}, \ldots, e_{1,N,F}, e_{2,N,F}, e_{1,N,M}, e_{2,N,M}\rangle$ available to the second party.
  • the secure computation first-party step is implemented using the homomorphic encryption scheme. This is done in two first-party steps A2 and A3.
  • the first party computes homomorphic encryptions $E^{H}_{pk_C}\big((r_{1,k,F} + r_{2,k,M})^{i}\,(r_{1,k,M} + r_{2,k,F})^{j}\big)$ for $0 \le i, j \le 16$ and
  • $E^{H}_{pk_C}\big((r_{1,k,F} + r_{2,k,M})^{i}\,(r_{1,k,M} + r_{2,k,F})^{j}\big)$ available to the second party.
  • the second party obtains the vector of 4N identity-based encryptions $\langle e_{1,1,F}, e_{2,1,F}, e_{1,1,M}, e_{2,1,M}, \ldots$
  • the second party receives from authorities four secret keys $s_{1,k,F}$, $s_{2,k,F}$, $s_{1,k,M}$, $s_{2,k,M}$, for the identities F
  • the second second-party step B2 for each $k \in \{1, \ldots$
  • the secure computation step BC is implemented using the homomorphic encryption scheme. This is done in two second-party steps B3 and B4.
  • in the third second-party step B3, for each $k \in \{1, \ldots, N\}$, the second party computes 16 values $x_{1,k}, \ldots, x_{16,k}$ by summing each possible pair, the pair comprising one decryption from the set $A_k$ and one decryption from the set $B_k$.
  • the second party further homomorphically encrypts each value using the homomorphic encryption scheme.
  • first party method MA and the second party method MB can be extended to cope with a finite number of DNA sequencing errors and mutations.
  • the modifications to the first party method MA and the second party method MB for paternity testing are analogous to the modifications described in the case of identity testing.
  • the secure computation first-party step AC of the first party method MA and the secure computation second-party step BC of the second party method MB may be implemented based on Yao's protocol for secure two-party computation.
  • $\bigvee_i$ is a multiple Boolean OR operator.
  • the first variable $I_A$ of the function $f$ is the vector of random numbers $\langle r_{1,k,F}, r_{2,k,F}, r_{1,k,M}, r_{2,k,M}\rangle$ and the second variable $I_B$ of the function $f$ is the vector of sets of identity-based decryptions $\langle A_k, B_k\rangle$ for computing the 16 values $x_{1,k}, \ldots, x_{16,k}$ for each $k \in \{1, \ldots, N\}$, as described in step B3.
  • first first-party step A1 may be included in the secure computation first-party step AC.
  • first second-party step B1 and the second second-party step B2 may be included in the secure computation second-party step BC.
  • the order of steps is not mandatory; the skilled person may change the order of some steps or perform some steps concurrently using threading models, multi-processor systems or multiple processes without departing from the concept as intended by the present invention.
  • two or more steps of the first party method MA and/or the second party method MB of the current invention may be combined into one step.
  • a step of the first party method MA and/or the second party method MB of the current invention may be split into a plurality of steps.
  • a system for testing similarity of a first DNA-related data to a second DNA-related data under encryption based on a feature-based encryption scheme in conjunction with a secure two-party computation scheme is provided.
  • Fig. 2A schematically shows a block diagram of an exemplary embodiment of the system SA, also referred to as a first party subsystem SA, wherein the first DNA-related data comprises a first plurality of features, the system comprising: a first first-subsystem unit UA1 for obtaining at least one random number and for encrypting the at least one random number using the feature-based encryption operator of the feature-based encryption scheme based on at least one feature from the first plurality of features, thereby creating at least one feature-based encryption of the at least one random number; and making the at least one feature-based encryption available to the second party, e.g.
  • the exemplary embodiment of the first party subsystem SA further comprises: an input connector INA for receiving input data; an output connector OUTA for outputting output data; a memory unit MEMA for storing the input data received from external devices via the input connector INA and for storing data computed by the units of the system SA; and a memory bus BUSA for connecting the units of the system SA.
  • Fig. 2B schematically shows a block diagram of an exemplary embodiment of the system SB, also referred to as a second party subsystem SB, wherein the second DNA-related data comprises a second plurality of features, the system comprising: a first second-party unit UB1 for obtaining, from a first party, at least one feature-based encryption of at least one random number; a second second-party unit UB2 for decrypting the at least one feature-based encryption using the feature-based decryption operator of the feature-based encryption scheme based on at least one feature from the second plurality of features, thereby obtaining at least one feature-based decryption of the at least one feature-based encryption; and a secure computation second-party unit UBC for securely computing, in collaboration with the first party, a result based on the second party input comprising the at least one feature-based decryption of the at least one feature-based encryption.
  • the exemplary embodiment of the second party subsystem SB further comprises: an input connector INB for receiving input data; an output connector OUTB for outputting output data; a memory unit MEMB for storing the input data received from external devices via the input connector INA and for storing data computed by the units of the system SB; and a memory bus BUSB for connecting the units of the system SB.
  • the skilled person will understand that other embodiments of the system are also possible. It is possible, among other things, to redefine the units of the system and to redistribute their functions.
  • the first party subsystem SA and the second party subsystem SB may be connected to each other, e.g. via a network such as, but not limited to, a local area network, a world area network and the Internet.
  • the first party subsystem SA and the second party subsystem SB are implemented together in one test system further comprising a first terminal unit for communicating with a first party and a second terminal unit for communicating with a second party.
  • the units of the system may be implemented using a processor. Normally, their functions are performed under control of a software program product. During execution, the software program product is normally loaded into a memory, like a RAM, and executed from there. The program may be loaded from a background memory, like a ROM, hard disk, or magnetic and/or optical storage, or may be loaded via a network like Internet. Optionally an application specific integrated circuit may provide the described functionality.
  • a computer program product for instructing a processing unit to execute steps of the first-party method MA and/or of the second-party method MB when the product is run on a computer.
  • Modifications and variations thereof, of the system and/or of the computer program product, which correspond to the described modifications of the first-party method MA and/or of the second-party method MB and variations thereof, can be carried out by a skilled person on the basis of the present description. It should be noted that the above-mentioned embodiments illustrate rather than limit the invention and that those skilled in the art will be able to design alternative embodiments without departing from the scope of the appended claims. In the claims, any reference signs placed between parentheses shall not be construed as limiting the claim.
  • the word “comprising” does not exclude the presence of elements or steps not listed in a claim or in the description.
  • the word “a” or “an” preceding an element does not exclude the presence of a plurality of such elements.
  • the invention can be implemented by means of hardware comprising several distinct elements and by means of a programmed computer. In the system claims enumerating several units, several of these units can be embodied by one and the same item of hardware or software.
  • the usage of the words first, second and third, et cetera does not indicate any ordering. These words are to be interpreted as names.

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Signal Processing (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Theoretical Computer Science (AREA)
  • Mathematical Physics (AREA)
  • Physics & Mathematics (AREA)
  • Pure & Applied Mathematics (AREA)
  • Mathematical Optimization (AREA)
  • Computing Systems (AREA)
  • Mathematical Analysis (AREA)
  • General Physics & Mathematics (AREA)
  • Algebra (AREA)
  • Measuring Or Testing Involving Enzymes Or Micro-Organisms (AREA)
  • Information Retrieval, Db Structures And Fs Structures Therefor (AREA)

Abstract

A method (MA; MB) of testing similarity of a first DNA-related data to a second DNA-related data under encryption, based on a feature-based encryption scheme in conjunction with a secure two-party computation scheme, is provided. Employing a secure two-party computation scheme allows testing similarity of the first DNA-related data to the second DNA-related data. The outcome of this comparison, i.e. the test result, may be made available to an authorized party. If the test result is negative, no information about the first DNA-related data and the second DNA-related data is revealed. If the test result is positive, only limited information about the first DNA-related data and the second DNA-related data may be revealed to an authorized party.

Description

Secure matching of DNA profiles
FIELD OF THE INVENTION
The invention relates to the field of matching of DNA profiles and more specifically to secure matching of DNA profiles based on a data encryption scheme.
BACKGROUND OF THE INVENTION
DNA (Desoxyribo-Nucleic Acid) is found in basically every cell of a living organism and determines to a great extent the physical characteristics of the living organism, e.g. the gender and color of the eyes and hair. In humans, DNA consists of long strands of about 3 billion nucleotides for which only 4 different nucleotides, labeled A, C, G and T, are used.
A chromosome is a large macromolecule into which DNA is normally packaged in a cell. The major part of human DNA is organized in 22 pairs of chromosomes where, for each pair, one chromosome originates from the father and the other chromosome from the mother. The chromosomes in a pair are homologous, meaning that they have the same structure. In the complex process of reproduction, in principle, one chromosome out of every pair of mother chromosomes and one chromosome out of every pair of father chromosomes is passed to a descendant, but errors may occur. Small parts of chromosomes may be changed, deleted or inserted. These modifications are called mutations. Moreover, errors may be made in the analysis of the DNA.
The positions in the DNA are called locus (singular) or loci (plural). A viable DNA code occupying a given locus is called allele. Evaluation of a particular locus in a pair of chromosomes therefore results in two alleles. For practical reasons, each allele from the set of all possible alleles for a particular locus may be coded by an integer. The DNA-related data typically comprises pairs of alleles for a predefined set of loci.
It was found that in some parts of the DNA short sequences of nucleotides (e.g. 4 or 5 nucleotides) repeat a number of times and that the number of repetitions varies largely over the population. Although the numbers of repetitions differ, the DNA subsequences in front and after the repetition are constant. This phenomenon is called a Short Tandem Repeat (STR) and is ideal for identification. STRs appear at different loci in the DNA. STR loci selected on different chromosomes are statistically independent. In Europe 10 specific STR loci are used. In the US and Canada a different set of loci is defined. Both sets have a small number of loci in common that enable comparison at a lower level of reliability.
The DNA-related data of a human contains valuable information which can be utilized for authentication purposes. On the other hand, the DNA encodes also sensitive information, e.g. mutations pointing to inherited diseases, which is considered critical to the privacy of a person and must be protected from unauthorized access.
The privacy problem associated with DNA matching has not been sufficiently addressed yet. In practice, a "separation of duties" principle is employed, where the laboratories performing the actual DNA sequencing and testing receive anonymous samples and report back only the results of their investigation. However, this is an insufficient level of protection, as there is the possibility of colluding parties.
The paper by P. Bohannon et al entitled "Cryptographic Approaches to Privacy in Forensic DNA Databases", in Public Key Cryptography 2000, Springer Lecture Notes in Computer Science vol. 1751, 2000, pages 373-390, describes using cryptographic principles for the protection of DNA samples. However, the methods described in this paper do not perform matching DNA profiles under encryption. In addition, these methods cannot be used for secure paternity checks.
SUMMARY OF THE INVENTION
It would be advantageous to have a method of testing similarities of DNA samples such that the information comprised in the DNA samples is protected.
To address this concern, in an aspect of the invention, a method of testing similarity of a first DNA-related data to a second DNA-related data under encryption based on a feature-based encryption scheme in conjunction with a secure two-party computation scheme is provided.
Using a feature-based encryption scheme allows encrypting the first DNA-related data and the second DNA-related data and thus protecting privacy of individuals, from which the first DNA-related data and the second DNA-related data is obtained. Employing a secure two-party computation scheme allows testing similarity of the first DNA-related data to the second DNA-related data. The outcome of this comparison, i.e. the test result, may be made available to an authorized party. If the test result is negative, no information about the first DNA-related data and the second DNA-related data is revealed. If the test result is positive, only limited information about the first DNA-related data and the second DNA-related data may be revealed to an authorized party.
This and other aspects of the invention will become apparent from and will be elucidated with respect to the implementations and embodiments described hereinafter and with reference to the accompanying drawings, wherein:
Fig. 1A shows a flowchart of an exemplary implementation of the method comprising steps of the first-party method performed by a first party;
Fig. 1B shows a flowchart of an exemplary implementation of the second-party method comprising steps of the second-party method performed by a second party;
Fig. 2A schematically shows a block diagram of an exemplary embodiment of the system comprising a first-party subsystem; and
Fig. 2B schematically shows a block diagram of an exemplary embodiment of the system comprising a second-party subsystem.
DETAILED DESCRIPTION OF EMBODIMENTS
The objective of secure two-party computation is to jointly compute the value f(x, y) of a function f, hereinafter also referred to as a result, where x is a first input of a first party and y is a second input of a second party. While the result f(x, y) may be known to one or to both parties, the second party does not obtain viable information on the first input x and the first party does not obtain viable information on the second input y.
In the method of the invention, the first input is based on a first party DNA-related data and the second input is based on the second party DNA-related data. The function f is defined in such a way that the result f(x, y) allows obtaining information on similarity of the first DNA-related data to the second DNA-related data. Both parties know the function f. However, the two parties do not need to reveal their respective inputs to each other.
Various secure two-party computation schemes are described in the literature. The secure two-party computation scheme may be based on a homomorphic encryption scheme, as illustrated in the description of the implementations of the method, or on Yao's secure two-party computation scheme. Yao's protocol for secure two-party computation is described by A. Yao in an article entitled "How to generate and exchange secrets" in Proc. 25th Annual Symposium on the Foundations of Computer Science, pages 162-167, 1986, hereinafter referred to as Yao's paper. The skilled person will understand that other secure two-party computation schemes may also be used by the method of the invention.
The feature-based encryption scheme may be, but is not limited to, one of the following: a public key encryption scheme, an identity based encryption scheme, and a one-time pad encryption scheme.
Figs. 1A and 1B show flowcharts of exemplary implementations MA and MB of the method, hereinafter referred to as a first party method MA and a second party method MB. The first party method MA and the second party method MB implement a test protocol involving the first party and the second party. In the first-party method MA, there are three steps A1, AC and A4 which are performed by the first party. In the second-party method MB, there are three steps B1, B2 and BC which are performed by the second party. The two parties exchange data with each other.
The first party method MA and the second party method MB are designed to obtain information on similarity of a first DNA-related data to a second DNA-related data. The first DNA related data comprises a plurality of N_A features {a_1, a_2, ..., a_{N_A}}, e.g. alleles corresponding to a set of loci in a first DNA sample, and the second DNA related data comprises a plurality of N_B features {b_1, ..., b_{N_B}}, e.g. alleles corresponding to a set of loci in a second DNA sample. The features may be organized e.g. as a vector, where each component corresponds to a locus. After performing the steps of the first-party method MA and of the second-party method MB, the first party obtains information on similarity of the first plurality of features to the second plurality of features. If the test outcome is positive, information revealed to the first party about the second plurality of features is limited and depends on a detailed implementation. If the test outcome is negative, no viable information about the second DNA-related data is revealed to either party.
Fig. 1A shows a flowchart of an exemplary implementation of the first-party method MA comprising steps performed by the first party, i.e. implementing a first party protocol. The first party obtains the first plurality of features {a_1, a_2, ..., a_{N_A}} and a feature based encryption operator E of the feature-based encryption scheme. In an implementation, the method MA comprises: a first first-party step A1 for obtaining at least one random number r, e.g. generating at least one random number r, and for encrypting the at least one random number r using the feature-based encryption operator E of the feature-based encryption scheme based on at least one feature a_k from the first plurality of features {a_1, a_2, ..., a_{N_A}}, thereby creating at least one feature-based encryption e_k = E(a_k, r) of the at least one random number r; and making the at least one feature-based encryption e_k available to the second party, e.g. sending the at least one feature-based encryption e_k to the second party; a secure computation first-party step AC for securely computing, in collaboration with a second party, a result R based on a first party input comprising the at least one random number r; and a fourth first-party step A4 for evaluating the computed result R to obtain information on similarity of the first DNA-related data to the second DNA-related data. The information may be made available to an authorized party.
Fig. 1B shows a flowchart of an exemplary implementation of the second-party method MB comprising steps performed by the second party, i.e. implementing a second party protocol. The second party obtains the second plurality of features {b_1, ..., b_{N_B}} and a feature-based decryption operator D of the feature-based encryption scheme. In an implementation, the method MB comprises: a first second-party step B1 for obtaining, from a first party, at least one feature-based encryption e_k of at least one random number r; a second second-party step B2 for decrypting the at least one feature-based encryption e_k using the feature-based decryption operator D of the feature-based encryption scheme based on at least one feature b_l from the second plurality of features {b_1, ..., b_{N_B}}, thereby obtaining at least one feature-based decryption d_{l,k} = D(b_l, e_k) of the at least one feature-based encryption e_k; and a secure computation second-party step BC for securely computing, in collaboration with the first party, a result R based on the second party input comprising the at least one feature-based decryption d_{l,k} of the at least one feature-based encryption e_k.
If the features a_k and b_l are identical then the at least one random number r and the at least one feature-based decryption d_{l,k} are identical. The result, computed based on the at least one random number r and the at least one feature-based decryption d_{l,k}, may carry this information to the first party. The first party evaluates the result in the fourth first-party step and may learn that the at least one feature a_k and the at least one feature b_l are identical.
In some implementations of the first party method MA and the second party method MB, the feature-based encryption scheme is a public key encryption scheme. In this scheme each feature belongs to a range of values. Each value x from the range of values is provided with a different pair of keys: a public key pk(x) and a secret key sk(x). In the first first-party step A1, the first party uses the public key pk(a), corresponding to a feature a from the first plurality of features, to encrypt a random number r, thereby obtaining a feature-based encryption e of the random number r. In the second second-party step B2, the second party decrypts the feature-based encryption e using the secret key sk(b), corresponding to a feature b from the second plurality of features, thereby obtaining a feature-based decryption d of the feature-based encryption e. If the features a and b are identical, then the feature-based decryption d and the random number r are identical.
In some implementations of the first party method MA and the second party method MB, the feature-based encryption scheme is an identity-based encryption scheme, whose encryption operator is E^ID and whose decryption operator is D^ID. The identities are based on features. For example, the first party may encrypt a random number r based on a first identity defined by a feature a from the first plurality of features, thereby creating a feature-based encryption e of the random number r. The second party may decrypt the feature-based encryption e of the random number r based on a second identity defined by a feature b from the second plurality of features, thereby obtaining a feature-based decryption d of the feature-based encryption e. If the features a and b are identical, then the feature-based decryption d and the random number r are identical.
In some implementations of the first party method MA and the second party method MB, the first DNA-related data is based on a Short Tandem Repeat sequence based on a first DNA sample and the second DNA-related data is based on a Short Tandem Repeat sequence based on a second DNA sample. Each feature of the first plurality of features and of the second plurality of features is an allele comprising an STR number. The features are labeled by their respective loci labels.
In the implementations of the first party method MA and the second party method MB described hereinafter, an identity based public key encryption scheme is used. An identity-based encryption operator of the identity based public key encryption scheme corresponds to a public key. An identity-based decryption operator of the identity based public key encryption scheme corresponds to a secret key. The skilled person will understand that the identity based public key encryption scheme may be replaced with another suitable feature-based encryption scheme, e.g. with the described public key encryption scheme. The identity based public key encryption scheme is used to illustrate implementations of the method and should not be construed as limiting the scope of the claims.
In some implementations of the first party method MA and the second party method MB, the methods are used for identity testing of DNA profiles e.g. in forensic applications. A first party, e.g. a law enforcement office, wishes to determine if a first DNA sample, e.g. a sample obtained at a crime scene, matches a second DNA sample, e.g. a sample obtained from a second party such as a suspect.
In some implementations of the first party method MA and the second party method MB, the input to the method comprises a common input, a private input of the first party, and a private input of the second party. The common input comprises B, name of the second party, a master public key pk_B of an identity based public key encryption scheme, and a public key pk_A of a homomorphic encryption scheme. The private input of the first party comprises a first feature vector <a_1, a_2, ..., a_{2N}> comprising 2N alleles based on the first DNA sample, and a secret key sk_A corresponding to the public key pk_A. For each i ∈ {1, ..., N}, the alleles a_{2i-1} and a_{2i} correspond to one locus and are arranged e.g. in the non-decreasing order. The private input of the second party comprises a second feature vector <b_1, ..., b_{2N}> comprising 2N alleles based on the second DNA sample. For each i ∈ {1, ..., N}, the alleles b_{2i-1} and b_{2i} correspond to one locus and are arranged e.g. in the non-decreasing order. The same sequence of loci is used to obtain the first and the second feature vector.
In the first first-party step A1, for each k ∈ {1, ..., 2N}, the first party obtains a random number r_k and encrypts the random number r_k using the identity based encryption operator E^ID_{pk_B} corresponding to the master public key pk_B and using the identity B || k || a_k. Hereinafter, || denotes a concatenation operator. Thereby, the first party obtains an identity-based encryption e_k = E^ID_{pk_B}(B || k || a_k, r_k) of the random number r_k. The vector of identity-based encryptions <e_1, e_2, ..., e_{2N}> is made available to the second party.
In an implementation of the first-party method MA, the secure computation step AC is implemented using the homomorphic encryption scheme. This is done in two first-party steps A2 and A3. In the second first-party step A2, for each k ∈ {1, ..., 2N}, the first party encrypts the random number r_k using the homomorphic encryption operator E^H_{pk_A} corresponding to the public key pk_A, thereby computing a homomorphic encryption h_k = E^H_{pk_A}(r_k) of the random number r_k. The vector of homomorphic encryptions <h_1, h_2, ..., h_{2N}> is made available to the second party.
In the first second-party step B1, the second party obtains the vector of identity-based encryptions <e_1, e_2, ..., e_{2N}> and the vector of homomorphic encryptions <h_1, h_2, ..., h_{2N}> from the first party; from an authority, for each k ∈ {1, ..., 2N}, the second party obtains a secret key s_k corresponding to the master public key pk_B for the identity B || k || b_k.
In the second second-party step B2, the second party decrypts the 2N identity-based encryptions e_k obtained from the first party using the identity based decryption operator D^ID corresponding to the secret key s_k, thereby computing 2N identity-based decryptions d_k = D^ID(s_k, e_k).
In an implementation of the second-party method MB, the secure computation step BC is implemented using the homomorphic encryption scheme. This is done in two second-party steps B3 and B4. In the third second-party step B3, for each k ∈ {1, ..., 2N}, the second party encrypts the identity-based decryptions d_k using the homomorphic encryption operator E^H_{pk_A}. Thereby, the second party computes 2N homomorphically encrypted identity-based decryptions g_k = E^H_{pk_A}(d_k).
In the fourth second-party step B4, the second party computes a value V = E^H_{pk_A}(rZ) where Z = Σ_k z_k and where z_k = d_k − r_k for each k = 1, 2, ..., N, using the homomorphic encryptions h_k and the homomorphically encrypted identity-based decryptions g_k, and utilizing the homomorphic property of the homomorphic encryption operator; r is a random number obtained, e.g. generated, by the second party. The second party makes the value V available to the first party. This concludes the secure computation second-party step BC.
In the third first-party step A3, the first party obtains the value V and decrypts the value V using the homomorphic decryption operator corresponding to the secret key sk_A, thereby computing the result R = D^H_{sk_A}(V) = rZ. This concludes the secure computation first-party step AC.
In the fourth first-party step A4, the first party evaluates the result R = rZ. If R = 0 then, with overwhelming probability, z_k = 0 and thus d_k = r_k for each k ∈ {1, ..., 2N}. The negligible uncertainty results from the fact that most encoding schemes use a modular arithmetic. Thus, it may be possible that the sum of non-zero values yields zero. Because d_k = D^ID(sk_{B || k || b_k}, E^ID_{pk_B}(B || k || a_k, r_k)), the allele a_k of the first feature vector and the allele b_k of the second feature vector are identical for each k ∈ {1, ..., 2N}. Hence, if R = 0 the outcome of the test is positive: the first feature vector and the second feature vector are identical. On the other hand, if R ≠ 0 then the outcome of the test is negative. In addition, since R = rZ is randomly distributed, the result reveals no viable information on the second feature vector to the first party. The first party may make the test outcome available to an authorized party.
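The message flow of steps A1 to A4 and B1 to B4 for identity testing, as an added sketch that is not part of the patent text. It assumes Paillier as the homomorphic scheme (the description names none) with toy, publicly known primes, and it swaps the identity-based scheme for a SHA-256-derived pad keyed by the identity string B || k || allele, so no key-issuing authority is modelled; all function names and sample allele values are constructed for the illustration.

```python
import hashlib
import secrets

# Toy Paillier modulus from two publicly known Mersenne primes (constructed
# for the demo; a real key uses secret, randomly generated large primes).
P, Q = 2**89 - 1, 2**107 - 1


def keygen(p=P, q=Q):
    """Return (pk_A, sk_A): pk_A is the modulus n, sk_A is (phi, phi^-1 mod n)."""
    n, phi = p * q, (p - 1) * (q - 1)
    return n, (phi, pow(phi, -1, n))


def h_enc(n, m):
    """E^H_{pk_A}(m) = (1 + m*n) * s^n mod n^2 with fresh randomness s."""
    s = secrets.randbelow(n - 1) + 1
    return (1 + (m % n) * n) * pow(s, n, n * n) % (n * n)


def h_dec(n, sk, c):
    """D^H_{sk_A}(c): c^phi = 1 + m*phi*n (mod n^2), then divide out phi."""
    phi, mu = sk
    return (pow(c, phi, n * n) - 1) // n * mu % n


def pad(name, k, allele):
    """Stand-in for the feature-based operator: 64-bit pad from B || k || allele."""
    ident = f"{name}||{k}||{allele}".encode()
    return int.from_bytes(hashlib.sha256(ident).digest()[:8], "big")


def first_party_send(n, name, alleles_a):
    """Steps A1 and A2: returns private r and the vectors e, h sent to B."""
    r = [secrets.randbits(64) for _ in alleles_a]
    e = [r_k ^ pad(name, k, a_k)
         for k, (r_k, a_k) in enumerate(zip(r, alleles_a), 1)]
    h = [h_enc(n, r_k) for r_k in r]
    return r, e, h


def second_party_reply(n, name, alleles_b, e, h):
    """Steps B1 to B4: uses only pk_A = n, its own alleles and the vectors e, h."""
    if not len(alleles_b) == len(e) == len(h):
        raise ValueError("feature vectors must cover the same loci")
    n2 = n * n
    acc = h_enc(n, 0)                              # running E(Z), starts at E(0)
    for k, (b_k, e_k, h_k) in enumerate(zip(alleles_b, e, h), 1):
        d_k = e_k ^ pad(name, k, b_k)              # B2: equals r_k only if b_k == a_k
        g_k = h_enc(n, d_k)                        # B3: g_k = E(d_k)
        acc = acc * g_k * pow(h_k, -1, n2) % n2    # adds z_k = d_k - r_k under encryption
    rho = secrets.randbelow(n - 1) + 1             # second party's blinding number r
    return pow(acc, rho, n2)                       # B4: V = E(r * Z)


def first_party_evaluate(n, sk, v):
    """Steps A3 and A4: decrypt V; R == 0 is the positive outcome."""
    return h_dec(n, sk, v) == 0


def identity_test(alleles_a, alleles_b, name="B"):
    """Run both parties in one process and return the test outcome."""
    n, sk = keygen()
    _r, e, h = first_party_send(n, name, alleles_a)
    v = second_party_reply(n, name, alleles_b, e, h)
    return first_party_evaluate(n, sk, v)


# Constructed sample profiles: 2N = 8 allele codes for N = 4 loci.
SAMPLE_A = [12, 14, 9, 9, 15, 17, 28, 30]
SAMPLE_B_MISMATCH = [12, 14, 9, 10, 15, 17, 28, 30]

if __name__ == "__main__":
    print("same profile:", identity_test(SAMPLE_A, list(SAMPLE_A)))
    print("one allele differs:", identity_test(SAMPLE_A, SAMPLE_B_MISMATCH))
```

On a mismatch the first party decrypts only the blinded value rZ, which is why the second party multiplies by its own random number before replying.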
In an implementation, the second party may compute, utilizing the homomorphic property of the homomorphic encryption operator, a value defined as V = E^H_{pk_A}(Σ r_{k_1,...,k_n} z_{k_1} ... z_{k_n}), where the coefficients r_{k_1,...,k_n} may be random numbers, predetermined numbers, or numbers selected by the user. In an implementation of the method MB, all coefficients are identical. Computing the value may be implemented by having homomorphic encryptions of products of random numbers r_1, ..., r_{2N} of degrees m = 1, ..., n - 1, computed by the first party and made available to the second party in the second first-party step A2. In the fourth first-party step A4, the first party decrypts the value V using the homomorphic decryption operator D^H_{sk_A}, thereby obtaining a result R = Σ r_{k_1,...,k_n} z_{k_1} ... z_{k_n}. If R = 0 then, with overwhelming probability, at most n - 1 respective alleles of the first feature vector and of the second feature vector are different, while the remaining 2N - n + 1 respective alleles of the first feature vector and of the second feature vector are identical, which means that up to n mismatched alleles are tolerated. The outcome of the test is positive: a match is found. If R ≠ 0 then the outcome of the test is negative. The described implementation is thus able to cope with a finite number of DNA sequencing errors and/or mutations.
In an implementation of the method, the secure two-party computation scheme is implemented based on Yao's protocol for secure two-party computation described in Yao's paper. Yao's protocol allows computing the result for any computable function f in a secure manner, without revealing the first party input based on the first DNA-related data to the second party and without revealing the second party input based on the second DNA-related data to the first party. A detailed implementation of Yao's protocol for secure two-party computation is described in Yao's paper and may be used in implementations MA and MB of the method. The use of Yao's protocol for secure two-party computation for identity testing is now described.
In the secure computation first-party step AC and the secure computation second-party step BC, the first and the second party engage in Yao's secure two-party computation to securely compute the result R defined by a Boolean-valued function R = f(I_A, I_B) = (r_1 = d_1) ∧ (r_2 = d_2) ∧ ... ∧ (r_{2N} = d_{2N}), where, for each k ∈ {1, ..., 2N}, a Boolean-valued expression (d_k = r_k) is equal to 1, i.e. is true, when the random number r_k and the identity-based decryption d_k are identical, and is equal to 0, i.e. false, otherwise. The symbol ∧ denotes the Boolean AND operator. The first variable I_A of the function f is the vector of random numbers <r_1, r_2, ..., r_{2N}> and the second variable I_B of the function f is the vector of identity-based decryptions <d_1, d_2, ..., d_{2N}>.
The first party evaluates the result R in the fourth first-party step A4. Hence, if R = 1 then, with overwhelming probability, the outcome of the test is positive: the first feature vector and the second feature vector are identical. On the other hand, if R = 0, then the outcome of the test is negative. The first party may make the test outcome available to an authorized party.
Optionally, the first first-party step A1 may be included in the secure computation first-party step AC. Similarly, the first second-party step B1 and the second second-party step B2 may be included in the secure computation second-party step BC.
In some implementations, the first party method MA and the second party method MB are used for paternity testing. A first party, e.g. an agent acting on behalf of a child, wishes to determine whether a first DNA sample obtained from the child matches a second DNA sample obtained from a potential father. Compared with the identity testing implementation, a complicating factor of matching a child DNA-related data and a potential father DNA-related data is that half of the child's DNA originates from the child's father and half of the child's DNA originates from the child's mother. For each locus of the child, one allele originates from the father's chromosome and the other allele originates from the mother's chromosome. When no data from the mother is available, in principle, at least one allele of the father should match one allele of the child for each locus.
In some implementations of the first party method MA and the second party method MB, the DNA-related data of child's mother is not available. The input to the first party method MA and the second party method MB comprises a common input, a private input of the first party, and a private input of the second party. The common input comprises F, name of the second party, e.g. name of the potential father, a master public key pk_F of an identity based public key encryption scheme, and a public key pk_C of a homomorphic encryption scheme. The private input of the first party comprises a child feature vector <{c_{1,1}, c_{2,1}}, ..., {c_{1,N}, c_{2,N}}> of length N, corresponding to N loci, and a secret key sk_C corresponding to the public key pk_C. Each component of the child feature vector is a set comprising two alleles, one allele based on child's mother chromosome and another allele based on child's father chromosome. The private input of the second party comprises a father feature vector <{f_{1,1}, f_{2,1}}, ..., {f_{1,N}, f_{2,N}}> of length N, corresponding to N loci. Each component of the father feature vector is a set comprising two alleles, one allele based on father's mother chromosome and another allele based on father's father chromosome. The same sequence of loci is used to obtain vectors of the father and of the child. A match is found if there exist sequences of indices i_1, i_2, ..., i_N ∈ {1, 2} and j_1, j_2, ..., j_N ∈ {1, 2} such that c_{i_k,k} = f_{j_k,k} for each k = 1, 2, ..., N.
After termination of the test, the first party is not able to determine the features of the potential father feature vector when the test outcome is negative, i.e. when no match between the father DNA-related data and the child DNA-related data is found. In case of a match, the first party is not able to extract information about the father feature vector beyond that, which can be determined by inspecting the child feature vector.
In the first first-party step A1, for each k ∈ {1, ..., N}, the first party obtains two random numbers r_{1,k} and r_{2,k} and computes two identity-based encryptions e_{1,k} = E^ID_{pk_F}(F || k || c_{1,k}, r_{1,k}) and e_{2,k} = E^ID_{pk_F}(F || k || c_{2,k}, r_{2,k}) of these two random numbers. Thereby, the first party obtains a vector of 2N identity-based encryptions <e_{1,1}, e_{2,1}, ..., e_{1,N}, e_{2,N}> and sends the vector to the second party.
In an implementation of the first-party method MA, the secure computation first-party step AC is implemented using the homomorphic encryption scheme. This is done in two first-party steps A2 and A3. In the second first-party step A2, for each k ∈ {1, ..., N}, the first party computes homomorphic encryptions E^H_{pk_C}(r_{1,k}^i r_{2,k}^j) of the products r_{1,k}^i r_{2,k}^j for 0 ≤ i, j ≤ 4 and (i, j) ≠ (0, 0). The first party makes all homomorphic encryptions E^H_{pk_C}(r_{1,k}^i r_{2,k}^j) available to the second party.
In the first second-party step B1, the second party obtains the vector of $2N$ identity-based encryptions $\langle e_{1,1}, e_{2,1}, \ldots, e_{1,N}, e_{2,N}\rangle$ and all homomorphic encryptions $E^{H}_{pk_C}(r_{1,k}^{i} r_{2,k}^{j})$ for $k \in \{1, \ldots, N\}$, $0 \le i, j \le 4$ and $(i, j) \ne (0, 0)$, from the first party. Further, for each $k \in \{1, \ldots, N\}$, the second party receives from authorities two secret keys $s_{1,k}$, $s_{2,k}$ for the identities $F \| k \| f_{1,k}$ and $F \| k \| f_{2,k}$, respectively.
In the second second-party step B2, for each $k \in \{1, \ldots, N\}$, the second party decrypts the identity-based encryptions $e_{1,k}$, $e_{2,k}$ received from the first party using two identity-based decryption operators corresponding to the two keys $s_{1,k}$, $s_{2,k}$, respectively, thereby computing four decryptions $d_{1,k}$, $d_{2,k}$, $d_{3,k}$, $d_{4,k}$.
In an implementation of the second-party method MB, the secure computation step BC is implemented using the homomorphic encryption scheme. This is done in two second-party steps B3 and B4.
In the third second-party step B3, for each $k \in \{1, \ldots, N\}$, the second party encrypts the four decryptions $d_{1,k}$, $d_{2,k}$, $d_{3,k}$, $d_{4,k}$ using the homomorphic encryption operator $E^{H}_{pk_C}$.
In the fourth second-party step B4, the second party computes, utilizing the homomorphic property of the homomorphic encryption operator $E^{H}_{pk_C}$, a value $V = E^{H}_{pk_C}(rZ)$, where $Z = \sum_{k=1}^{N} z_k$ and $r$ is a random number. For each $k \in \{1, \ldots, N\}$, the homomorphic encryptions $E^{H}_{pk_C}(z_k)$ of the terms $z_k = (d_{1,k} - r_{1,k})(d_{2,k} - r_{1,k})(d_{3,k} - r_{1,k})(d_{4,k} - r_{1,k})(d_{1,k} - r_{2,k})(d_{2,k} - r_{2,k})(d_{3,k} - r_{2,k})(d_{4,k} - r_{2,k})$ are computed using the homomorphic encryptions of the four decryptions $d_{1,k}$, $d_{2,k}$, $d_{3,k}$, $d_{4,k}$, the homomorphic encryptions of $r_{1,k}^{i} r_{2,k}^{j}$ for each $0 \le i, j \le 4$ and $(i, j) \ne (0, 0)$, and utilizing the homomorphic property of the homomorphic encryption operator $E^{H}_{pk_C}$. The second party makes the value $V$ available to the first party. This concludes the secure computation second-party step BC.
In the third first-party step A3, the first party obtains the value $V = E^{H}_{pk_C}(rZ)$ and continues the secure computation first-party step AC by decrypting the value $V$ using the homomorphic decryption operator $D^{H}_{sk_C}$ of the homomorphic encryption scheme, thereby computing a result $R = rZ$. This concludes the secure computation first-party step AC.
In the fourth first-party step A4, the first party evaluates the result $R$. If $R = 0$ then, with overwhelming probability, the outcome of the test is positive: a match is found. If $R \ne 0$, the outcome of the test is negative: no match is found. The first party may make the test outcome available to an authorized party.
The skilled person will appreciate that the described implementation of the first party method MA and the second party method MB can be extended to cope with a finite number of DNA sequencing errors and mutations. The modifications to the first party method MA and the second party method MB for paternity testing are analogous to the modifications described in the case of identity testing.
Alternatively, the secure computation first-party step AC of the first party method MA and the secure computation second-party step BC of the second party method MB may be implemented based on Yao's protocol for secure two-party computation.
In the secure computation first-party step AC and the secure computation second-party step BC, the first and the second party engage in Yao's secure two-party computation to securely compute the result $R$ defined by a Boolean-valued function $R = f(I_A, I_B) = z_1 \wedge z_2 \wedge \ldots \wedge z_N$, where, for each $k \in \{1, \ldots, N\}$, $z_k = (d_{1,k} = r_{1,k}) \vee (d_{2,k} = r_{1,k}) \vee (d_{3,k} = r_{1,k}) \vee (d_{4,k} = r_{1,k}) \vee (d_{1,k} = r_{2,k}) \vee (d_{2,k} = r_{2,k}) \vee (d_{3,k} = r_{2,k}) \vee (d_{4,k} = r_{2,k})$.
The symbol $\vee$ denotes the Boolean OR operator. The first variable $I_A$ of the function $f$ is the vector of random numbers $\langle r_{1,1}, r_{2,1}, \ldots, r_{1,N}, r_{2,N}\rangle$ and the second variable $I_B$ of the function is the vector of identity-based decryptions $\langle d_{1,1}, d_{1,2}, d_{1,3}, d_{1,4}, \ldots, d_{N,1}, d_{N,2}, d_{N,3}, d_{N,4}\rangle$.
The first party evaluates the result $R$ in the fourth first-party step A4. Hence, if $R = 1$ then, with overwhelming probability, the outcome of the test is positive: a match is found. On the other hand, if $R = 0$ then the outcome of the test is negative: no match is found. The first party may make the test outcome available to an authorized party.
Optionally, the first first-party step A1 may be included in the secure computation first-party step AC. Similarly, the first second-party step B1 and the second second-party step B2 may be included in the secure computation second-party step BC.
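The homomorphic variant of the father-only test above (steps A1 to A4 and B1 to B4), as an added Python example that is not part of the patent text: it shows why the first party sends encryptions of every monomial $r_{1,k}^{i} r_{2,k}^{j}$ except $(i, j) = (0, 0)$, and how the second party assembles $E^{H}_{pk_C}(rZ)$ from them. The demo-sized Paillier parameters, the hash-based stand-in for identity-based encryption, the `|`-joined identity strings and the allele values are assumptions constructed here; step B3 is folded into B4 by using the decryptions as plaintext coefficients, since an additively homomorphic scheme cannot multiply two ciphertexts.

```python
import hashlib
import math
import secrets

# Toy Paillier (additively homomorphic). Demo-sized primes, constructed for this example.
P, Q = 2**31 - 1, 2**61 - 1
N_MOD, N_SQ = P * Q, (P * Q) ** 2
LAM = (P - 1) * (Q - 1) // math.gcd(P - 1, Q - 1)
MU = pow(LAM, -1, N_MOD)

def h_enc(m):
    """E^H_{pk_C}(m) with generator n + 1."""
    while True:
        rho = secrets.randbelow(N_MOD - 2) + 2
        if math.gcd(rho, N_MOD) == 1:
            return (1 + (m % N_MOD) * N_MOD) * pow(rho, N_MOD, N_SQ) % N_SQ

def h_dec(c):
    """D^H_{sk_C}(c)."""
    return (pow(c, LAM, N_SQ) - 1) // N_MOD * MU % N_MOD

# Stand-in for identity-based encryption (NOT a real IBE scheme): decrypting under
# the identity used for encryption returns r, any other identity returns an
# unrelated value. That is the only IBE property the matching logic relies on.
def id_mask(identity):
    return int.from_bytes(hashlib.sha256(identity.encode()).digest(), "big") % N_MOD

def ibe_enc(identity, r):
    return (r + id_mask(identity)) % N_MOD

def ibe_dec(identity, e):
    return (e - id_mask(identity)) % N_MOD

def first_party_a1_a2(name, child):
    """A1: IBE-encrypt r_{1,k}, r_{2,k} under F||k||allele. A2: encrypt all monomials."""
    ibe_cts, monomials = [], []
    for k, (c1, c2) in enumerate(child, 1):
        r1, r2 = secrets.randbelow(N_MOD), secrets.randbelow(N_MOD)
        ibe_cts.append((ibe_enc(f"{name}|{k}|{c1}", r1), ibe_enc(f"{name}|{k}|{c2}", r2)))
        monomials.append({(i, j): h_enc(pow(r1, i, N_MOD) * pow(r2, j, N_MOD))
                          for i in range(5) for j in range(5) if (i, j) != (0, 0)})
    return ibe_cts, monomials

def poly_coeffs(ds):
    """Coefficients a_0..a_4 of P(x) = prod_m (d_m - x) over Z_n."""
    coeffs = [1]
    for d in ds:
        nxt = [0] * (len(coeffs) + 1)
        for i, a in enumerate(coeffs):
            nxt[i] = (nxt[i] + a * d) % N_MOD
            nxt[i + 1] = (nxt[i + 1] - a) % N_MOD
        coeffs = nxt
    return coeffs

def second_party_b1_b4(name, father, ibe_cts, monomials):
    """B2: four decryptions per locus. B4: V = E(r * sum_k z_k), never seeing r_{1,k}, r_{2,k}."""
    acc = h_enc(0)
    for k, ((f1, f2), cts, mono) in enumerate(zip(father, ibe_cts, monomials), 1):
        ds = [ibe_dec(f"{name}|{k}|{f}", e) for f in (f1, f2) for e in cts]
        a = poly_coeffs(ds)
        # z_k = P(r1) * P(r2) = sum_{i,j} a_i a_j r1^i r2^j; the (0,0) term is a_0^2,
        # which the second party knows in the clear, so no ciphertext is needed for it.
        z_k = h_enc(a[0] * a[0])
        for (i, j), ct in mono.items():
            z_k = z_k * pow(ct, a[i] * a[j] % N_MOD, N_SQ) % N_SQ
        acc = acc * z_k % N_SQ                     # ciphertext product = plaintext sum
    blind = secrets.randbelow(N_MOD - 1) + 1       # the random number r
    return pow(acc, blind, N_SQ)

def first_party_a3_a4(v):
    """A3: R = D(V) = r*Z. A4: R == 0 means a match at every locus."""
    return h_dec(v) == 0

def paternity_test(name, child, father):
    ibe_cts, monomials = first_party_a1_a2(name, child)
    return first_party_a3_a4(second_party_b1_b4(name, father, ibe_cts, monomials))

# Constructed sample profiles: one (allele, allele) pair of repeat counts per locus.
CHILD = [(12, 15), (8, 9), (17, 21)]
FATHER_MATCH = [(15, 16), (9, 11), (17, 17)]      # shares an allele at every locus
FATHER_NO_MATCH = [(15, 16), (10, 11), (17, 17)]  # nothing in common at locus 2

if __name__ == "__main__":
    print("match:", paternity_test("F", CHILD, FATHER_MATCH))
    print("no match:", paternity_test("F", CHILD, FATHER_NO_MATCH))
```

On a mismatch the first party decrypts only a blinded non-zero value, so the result carries no usable information about the father's alleles.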
In some implementations of the first party method MA and the second party method MB, the DNA-related data of the child, the DNA-related data of the child's father and the DNA-related data of the child's mother are available. The input to the first party method MA and the second party method MB comprises a common input, a private input of the first party, e.g. an agent acting on behalf of the child, and a private input of the second party, e.g. an agent representing the child's parents, mother and father. The common input comprises F, the name of the second party, e.g. the name of the potential father, a master public key $pk_S$ of an identity based public key encryption scheme, and a public key $pk_C$ of a homomorphic encryption scheme. The private input of the first party comprises a child feature vector $\langle\{c_{1,1}, c_{2,1}\}, \ldots, \{c_{1,N}, c_{2,N}\}\rangle$ of length $N$, corresponding to $N$ loci, and a secret key $sk_C$ corresponding to the public key $pk_C$. Each component of the child feature vector is a set comprising two alleles, one allele based on the child's mother chromosome and another allele based on the child's father chromosome. The private input of the second party comprises a father feature vector $\langle\{f_{1,1}, f_{2,1}\}, \ldots, \{f_{1,N}, f_{2,N}\}\rangle$ of length $N$, corresponding to $N$ loci. Each component of the father feature vector is a set comprising two alleles, one allele based on the father's mother chromosome and another allele based on the father's father chromosome. The private input of the second party further comprises a mother feature vector $\langle\{m_{1,1}, m_{2,1}\}, \ldots, \{m_{1,N}, m_{2,N}\}\rangle$ of length $N$, corresponding to $N$ loci. Each component of the mother feature vector is a set comprising two alleles, one allele based on the mother's mother chromosome and another allele based on the mother's father chromosome. The same sequence of loci is used to obtain the father, the mother and the child feature vectors.
A match is found if there exist sequences of indices $i_1, i_2, \ldots, i_N \in \{1, 2\}$ and $j_1, j_2, \ldots, j_N \in \{1, 2\}$ such that either $c_{1,k} = f_{i_k,k}$ and $c_{2,k} = m_{j_k,k}$ or $c_{1,k} = m_{i_k,k}$ and $c_{2,k} = f_{j_k,k}$ for each $k = 1, 2, \ldots, N$.
After termination of the test, in case of a mismatch the first party is not able to extract information about the feature vectors of the mother or of the father. In case of a match, the first party does not learn any further information beyond that which can be determined by inspecting the child feature vector.
In the first first-party step A1, for each $k \in \{1, \ldots, N\}$, the first party obtains four random numbers $r_{1,k,F}$, $r_{2,k,F}$, $r_{1,k,M}$, and $r_{2,k,M}$, and encrypts the random numbers using the identity-based encryption operator $E^{I}_{pk_S}$ of the identity based public key encryption scheme, thereby obtaining identity-based encryptions $e_{1,k,F} = E^{I}_{pk_S}(F \| k \| c_{1,k}, r_{1,k,F})$, $e_{2,k,F} = E^{I}_{pk_S}(F \| k \| c_{2,k}, r_{2,k,F})$, $e_{1,k,M} = E^{I}_{pk_S}(M \| k \| c_{1,k}, r_{1,k,M})$, and $e_{2,k,M} = E^{I}_{pk_S}(M \| k \| c_{2,k}, r_{2,k,M})$. Further, the first party makes a vector of $4N$ identity-based encryptions $\langle e_{1,1,F}, e_{2,1,F}, e_{1,1,M}, e_{2,1,M}, \ldots, e_{1,N,F}, e_{2,N,F}, e_{1,N,M}, e_{2,N,M}\rangle$ available to the second party.
In an implementation of the first-party method MA, the secure computation first-party step is implemented using the homomorphic encryption scheme. This is done in two first-party steps A2 and A3.
In the second first-party step A2, for each $k \in \{1, \ldots, N\}$, the first party computes homomorphic encryptions $E^{H}_{pk_C}((r_{1,k,F} + r_{2,k,M})^{i}(r_{1,k,M} + r_{2,k,F})^{j})$ for $0 \le i, j \le 16$ and $(i, j) \ne (0, 0)$. The first party makes all homomorphic encryptions $E^{H}_{pk_C}((r_{1,k,F} + r_{2,k,M})^{i}(r_{1,k,M} + r_{2,k,F})^{j})$ available to the second party.
In the first second-party step B1, the second party obtains the vector of $4N$ identity-based encryptions $\langle e_{1,1,F}, e_{2,1,F}, e_{1,1,M}, e_{2,1,M}, \ldots, e_{1,N,F}, e_{2,N,F}, e_{1,N,M}, e_{2,N,M}\rangle$ and all homomorphic encryptions $E^{H}_{pk_C}((r_{1,k,F} + r_{2,k,M})^{i}(r_{1,k,M} + r_{2,k,F})^{j})$ for $k \in \{1, \ldots, N\}$, $0 \le i, j \le 16$ and $(i, j) \ne (0, 0)$. Further, for each $k \in \{1, \ldots, N\}$, the second party receives from authorities four secret keys $s_{1,k,F}$, $s_{2,k,F}$, $s_{1,k,M}$, $s_{2,k,M}$ for the identities $F \| k \| f_{1,k}$, $F \| k \| f_{2,k}$, $M \| k \| m_{1,k}$, $M \| k \| m_{2,k}$, respectively.
In the second second-party step B2, for each $k \in \{1, \ldots, N\}$, the second party decrypts the encryptions $e_{1,k,F}$, $e_{2,k,F}$ received from the first party using two identity-based decryption operators corresponding to the two secret keys $s_{1,k,F}$, $s_{2,k,F}$, thereby obtaining a set of four identity-based decryptions: $A_k = \{a_{1,k}, a_{2,k}, a_{3,k}, a_{4,k}\}$. The second party further decrypts each of the encryptions $e_{1,k,M}$, $e_{2,k,M}$ received from the first party using two identity-based decryption operators corresponding to the two secret keys $s_{1,k,M}$, $s_{2,k,M}$, thereby obtaining a set $B_k$ of four identity-based decryptions.
In an implementation of the second-party method MB, the secure computation step BC is implemented using the homomorphic encryption scheme. This is done in two second-party steps B3 and B4.
In the third second-party step B3, for each $k \in \{1, \ldots, N\}$, the second party computes 16 values $x_{1,k}, \ldots, x_{16,k}$ by summing each possible pair, the pair comprising one decryption from the set $A_k$ and one decryption from the set $B_k$. The second party further homomorphically encrypts each of these values using the homomorphic encryption scheme.
In the fourth second-party step B4, the second party computes, utilizing the homomorphic property of the homomorphic encryption operator $E^{H}_{pk_C}$, a value $V = E^{H}_{pk_C}(rZ)$, where $Z = \sum_{k=1}^{N} z_k$ and $r$ is a random number. For each $k \in \{1, \ldots, N\}$, the homomorphic encryptions of the terms $z_k = \prod_{l=1}^{16} (x_{l,k} - (r_{1,k,F} + r_{2,k,M}))(x_{l,k} - (r_{1,k,M} + r_{2,k,F}))$ are computed using the homomorphic encryptions of the 16 values $x_{1,k}, \ldots, x_{16,k}$, the homomorphic encryptions of $(r_{1,k,F} + r_{2,k,M})^{i}(r_{1,k,M} + r_{2,k,F})^{j}$ for each $0 \le i, j \le 16$ and $(i, j) \ne (0, 0)$, and utilizing the homomorphic property of the homomorphic encryption operator $E^{H}_{pk_C}$. The second party makes the value $V$ available to the first party. This concludes the secure computation second-party step BC.
In the third first-party step A3, the first party receives the value $V = E^{H}_{pk_C}(rZ)$ and decrypts the received value using the homomorphic decryption operator $D^{H}_{sk_C}$ of the homomorphic encryption scheme, thereby computing a result $R = rZ$. This concludes the secure computation first-party step AC.
In the fourth first-party step A4, the first party evaluates the result $R$. If $R = 0$ then, with overwhelming probability, the outcome of the test is positive: a match is found. If $R \ne 0$, the outcome of the test is negative: no match is found. The first party may make the test outcome available to an authorized party.
The skilled person will appreciate that the described implementation of the first party method MA and the second party method MB can be extended to cope with a finite number of DNA sequencing errors and mutations. The modifications to the first party method MA and the second party method MB for paternity testing are analogous to the modifications described in the case of identity testing.
Alternatively, the secure computation first-party step AC of the first party method MA and the secure computation second-party step BC of the second party method MB may be implemented based on Yao's protocol for secure two-party computation. In the secure computation first-party step AC and the secure computation second-party step BC, the first and the second party engage in Yao's secure two-party computation to securely compute the result $R$ defined by a Boolean-valued function $R = f(I_A, I_B) = z_1 \wedge z_2 \wedge \ldots \wedge z_N$, where, for each $k \in \{1, \ldots, N\}$, $z_k = \bigvee_{l=1}^{16} \left( (x_{l,k} = (r_{1,k,F} + r_{2,k,M})) \vee (x_{l,k} = (r_{1,k,M} + r_{2,k,F})) \right)$. The operator $\bigvee_{l=1}^{16}$ is a multiple Boolean OR operator. The first variable $I_A$ of the function $f$ is the vector of random numbers $\langle r_{1,k,F}, r_{2,k,F}, r_{1,k,M}, r_{2,k,M} \rangle_{k=1}^{N}$ and the second variable $I_B$ of the function $f$ is the vector of sets of identity-based decryptions $\langle A_k, B_k \rangle_{k=1}^{N}$ for computing the 16 values $x_{1,k}, \ldots, x_{16,k}$ for each $k \in \{1, \ldots, N\}$, as described in step B3.
The first party evaluates the result $R$ in the fourth first-party step A4. Hence, if $R = 1$ then, with overwhelming probability, the outcome of the test is positive: a match is found. On the other hand, if $R = 0$ then the outcome of the test is negative: no match is found. The first party may make the test outcome available to an authorized party.
Optionally, the first first-party step A1 may be included in the secure computation first-party step AC. Similarly, the first second-party step B1 and the second second-party step B2 may be included in the secure computation second-party step BC.
In the described implementations of the first party method MA and/or the second party method MB, the order of steps is not mandatory; the skilled person may change the order of some steps or perform some steps concurrently using threading models, multi-processor systems or multiple processes without departing from the concept as intended by the present invention. Optionally, two or more steps of the first party method MA and/or the second party method MB of the current invention may be combined into one step. Optionally, a step of the first party method MA and/or the second party method MB of the current invention may be split into a plurality of steps.
It is appreciated that any two or more of the above-mentioned embodiments of the system may be combined in any useful way.
In a further aspect of the invention, a system for testing similarity of a first DNA-related data to a second DNA-related data under encryption based on a feature-based encryption scheme in conjunction with a secure two-party computation scheme is provided.
Fig. 2A schematically shows a block diagram of an exemplary embodiment of the system SA, also referred to as a first party subsystem SA, wherein the first DNA-related data comprises a first plurality of features, the system comprising: a first first-subsystem unit UA1 for obtaining at least one random number and for encrypting the at least one random number using the feature-based encryption operator of the feature-based encryption scheme based on at least one feature from the first plurality of features, thereby creating at least one feature-based encryption of the at least one random number; and making the at least one feature-based encryption available to the second party, e.g. sending the at least one feature-based encryption to the second party; a secure computation first-subsystem unit UAC for securely computing, in collaboration with a second party, a result based on a first party input comprising the at least one random number; and a fourth first-subsystem unit UA4 for evaluating the computed result to obtain information on similarity of the first DNA-related data to the second DNA-related data. The exemplary embodiment of the first party subsystem SA further comprises: an input connector INA for receiving input data; an output connector OUTA for outputting output data; a memory unit MEMA for storing the input data received from external devices via the input connector INA and for storing data computed by the units of the system SA; and a memory bus BUSA for connecting the units of the system SA.
Fig. 2B schematically shows a block diagram of an exemplary embodiment of the system SB, also referred to as a second party subsystem SB, wherein the second DNA-related data comprises a second plurality of features, the system comprising: a first second-party unit UB1 for obtaining, from a first party, at least one feature-based encryption of at least one random number; a second second-party unit UB2 for decrypting the at least one feature-based encryption using the feature-based decryption operator of the feature-based encryption scheme based on at least one feature from the second plurality of features, thereby obtaining at least one feature-based decryption of the at least one feature-based encryption; and a secure computation second-party unit UBC for securely computing, in collaboration with the first party, a result based on the second party input comprising the at least one feature-based decryption of the at least one feature-based encryption. The exemplary embodiment of the second party subsystem SB further comprises: an input connector INB for receiving input data; an output connector OUTB for outputting output data; a memory unit MEMB for storing the input data received from external devices via the input connector INA and for storing data computed by the units of the system SB; and a memory bus BUSB for connecting the units of the system SB.
The skilled person will understand that other embodiments of the system are also possible. It is possible, among other things, to redefine the units of the system and to redistribute their functions. The first party subsystem SA and the second party subsystem SB may be connected to each other, e.g. via a network such as, but not limited to, a local area network, a world area network and the Internet. In an embodiment of the system, the first party subsystem SA and the second party subsystem SB are implemented together in one test system further comprising a first terminal unit for communicating with a first party and a second terminal unit for communicating with a second party.
The units of the system may be implemented using a processor. Normally, their functions are performed under control of a software program product. During execution, the software program product is normally loaded into a memory, like a RAM, and executed from there. The program may be loaded from a background memory, like a ROM, hard disk, or magnetic and/or optical storage, or may be loaded via a network like the Internet. Optionally, an application specific integrated circuit may provide the described functionality.
In a further aspect of the invention, a computer program product for instructing a processing unit to execute steps of the first-party method MA and/or of the second-party method MB when the product is run on a computer is provided. Modifications and variations thereof, of the system and/or of the computer program product, which correspond to the described modifications of the first-party method MA and/or of the second-party method MB and variations thereof, can be carried out by a skilled person on the basis of the present description. It should be noted that the above-mentioned embodiments illustrate rather than limit the invention and that those skilled in the art will be able to design alternative embodiments without departing from the scope of the appended claims. In the claims, any reference signs placed between parentheses shall not be construed as limiting the claim. The word "comprising" does not exclude the presence of elements or steps not listed in a claim or in the description. The word "a" or "an" preceding an element does not exclude the presence of a plurality of such elements. The invention can be implemented by means of hardware comprising several distinct elements and by means of a programmed computer. In the system claims enumerating several units, several of these units can be embodied by one and the same item of hardware or software. The usage of the words first, second and third, et cetera does not indicate any ordering. These words are to be interpreted as names.

Claims

1. A method (MA; MB) of testing similarity of a first DNA-related data to a second DNA-related data under encryption based on a feature-based encryption scheme in conjunction with a secure two-party computation scheme.
2. A method (MA) of claim 1, wherein the first DNA-related data comprises a first plurality of features, the method (MA) comprising steps to be performed by a first party: a first first-party step (A1) for obtaining at least one random number and for encrypting the at least one random number using the feature-based encryption operator of the feature-based encryption scheme based on at least one feature from the first plurality of features, thereby creating at least one feature-based encryption of the at least one random number; and making the at least one feature-based encryption available to the second party; a secure computation first-party step (AC) for securely computing, in collaboration with a second party, a result based on a first party input comprising the at least one random number; and a fourth first-party step (A4) for evaluating the computed result to obtain information on similarity of the first DNA-related data to the second DNA-related data.
3. A method (MB) of claim 1, wherein the second DNA-related data comprises a second plurality of features, the method (MB) comprising steps to be carried out by a second party: a first second-party step (B1) for obtaining, from a first party, at least one feature-based encryption of at least one random number; a second second-party step (B2) for decrypting the at least one feature-based encryption using the feature-based decryption operator of the feature-based encryption scheme based on at least one feature from the second plurality of features, thereby obtaining at least one feature-based decryption of the at least one feature-based encryption; and a secure computation second-party step (BC) for securely computing, in collaboration with the first party, a result based on the second party input comprising the at least one feature-based decryption of the at least one feature-based encryption.
4. A method (MA; MB) of claim 1 wherein a feature-based encryption scheme is based on a public key encryption scheme.
5. A method (MA; MB) of claim 1 wherein the feature-based encryption scheme is based on an identity based encryption scheme.
6. A method (MA; MB) of claim 1 wherein the secure two-party computation scheme is based on a homomorphic encryption scheme.
7. A method (MA; MB) of claim 1 wherein the secure two-party computation scheme is based on Yao's protocol for secure two-party computation.
8. A method (MA; MB) of claim 1 wherein the first DNA-related data is based on a Short Tandem Repeat sequence describing a first DNA sample and the second DNA-related data is based on a Short Tandem Repeat sequence describing a second DNA sample.
9. Use of the method (MA; MB) of claim 1 for identity testing.
10. Use of the method (MA; MB) of claim 1 for paternity testing.
11. A system (SA; SB) for testing similarity of a first DNA-related data to a second DNA-related data under encryption based on a feature-based encryption scheme in conjunction with a secure two-party computation scheme.
12. A computer program product for instructing a processing unit to execute steps of the method (MA; MB) of claim 1 when the computer program product is run on a computer.
PCT/IB2007/054835 2006-12-05 2007-11-29 Secure matching of dna profiles WO2008068675A2 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
EP06125368.8 2006-12-05
EP06125368 2006-12-05

Publications (2)

Publication Number Publication Date
WO2008068675A2 true WO2008068675A2 (en) 2008-06-12
WO2008068675A3 WO2008068675A3 (en) 2008-08-07

Family

ID=39295592

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/IB2007/054835 WO2008068675A2 (en) 2006-12-05 2007-11-29 Secure matching of dna profiles

Country Status (1)

Country Link
WO (1) WO2008068675A2 (en)

Non-Patent Citations (2)

* Cited by examiner, † Cited by third party
Title
ATALLAH ET AL.: "SECURE AND PRIVATE SEQUENCE COMPARISONS" PROCEEDINGS OF THE 2003 ACM WORKSHOP ON PRIVACY IN THE ELECTRONIC SOCIETY, October 2003 (2003-10), pages 39-44, XP002477986 NEW YORK *
PHILIP BOHANNON ET AL: "Cryptographic Approaches to Privacy in Forensic DNA Databases" PUBLIC KEY CRYPTOGRAPHY LECTURE NOTES IN COMPUTER SCIENCE;;LNCS, SPRINGER-VERLAG, BE, vol. 1751, 2004, pages 373-390, XP019000834 ISBN: 3-540-66967-1 cited in the application *

Cited By (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JP2013145420A (en) * 2012-01-13 2013-07-25 Hitachi Ltd High-speed similarity retrieval processing system of encrypted data
GB2519826A (en) * 2013-10-30 2015-05-06 Barclays Bank Plc Transaction authentication
GB2519826B (en) * 2013-10-30 2016-07-20 Barclays Bank Plc Transaction authentication
US10396984B2 (en) 2014-05-02 2019-08-27 Barclays Services Limited Apparatus and system having multi-party cryptographic authentication
US10491384B2 (en) 2014-05-02 2019-11-26 Barclays Services Limited Device for secure multi-party cryptographic authorization

Also Published As

Publication number Publication date
WO2008068675A3 (en) 2008-08-07

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 07849279

Country of ref document: EP

Kind code of ref document: A2

NENP Non-entry into the national phase in:

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 07849279

Country of ref document: EP

Kind code of ref document: A2