WO2018099577A1 - System and method for providing a collective decentralized authority for sharing sensitive data - Google Patents

System and method for providing a collective decentralized authority for sharing sensitive data

Info

Publication number: WO2018099577A1
Application number: PCT/EP2016/079649
Authority: WO (WIPO, PCT)
Other languages: French (fr)
Prior art keywords: data, server, servers, encrypted, public key
Inventors: Bryan Ford, Jean-Pierre Hubaux, Patricia Egger, Jean-Louis Raisaro, Zhicong Huang
Original assignee: Ecole Polytechnique Federale De Lausanne (EPFL)
Application filed by Ecole Polytechnique Federale De Lausanne (EPFL)
Priority to PCT/EP2016/079649
Publication of WO2018099577A1

Classifications

    • H: Electricity
    • H04: Electric communication technique
    • H04L: Transmission of digital information, e.g. telegraphic communication
    • H04L 9/00: Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; network security protocols
    • H04L 9/008: Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; network security protocols involving homomorphic encryption
    • H04L 2209/00: Additional information or applications relating to cryptographic mechanisms or cryptographic arrangements for secret or secure communication (H04L 9/00)
    • H04L 2209/46: Secure multiparty computation, e.g. millionaire problem
    • H04L 2209/76: Proxy, i.e. using an intermediary entity to perform cryptographic operations

Definitions

  • The present invention relates to the field of cryptography, more particularly to the field of decentralized and collective cryptography for privacy-conscious data sharing.
  • Duan et al. provide a practical framework for privacy-preserving data mining.
  • A method of sharing private and/or sensitive data from a plurality of data providers with a data user includes the steps of providing a first data set and encrypting the first data set at a terminal of a first data provider with a collective public key, providing a second data set and encrypting the second data set at a terminal of a second data provider with the collective public key, the encryption being based on a homomorphic encryption scheme, sending the encrypted data from the first and second data provider terminals to a server from a plurality of servers, the plurality of servers forming together a collective and decentralized authority for sharing and computing on at least one of private and sensitive data, and decentralized aggregating of the encrypted data of the first and second data providers by the plurality of servers, based on the homomorphic encryption scheme, to compute a first encrypted aggregated data set.
  • The method further preferably includes the steps of modifying the encryption of the first encrypted aggregated data set from the encryption based on the collective public key to an encryption based on the public key of the data user, the modification being performed collectively by the plurality of servers, to generate a second encrypted aggregated data set; sending the second encrypted aggregated data set to the data user; and decrypting the second encrypted aggregated data set at the data user terminal with the private key of the data user.
  • A system for sharing private and/or sensitive data from a plurality of data providers with a data user is provided, the data user having a private key and a public key.
  • The system includes a plurality of terminals, each terminal associated with a respective data provider, a plurality of servers, the plurality of servers forming together a collective and decentralized authority for sharing and computing on at least one of private and sensitive data, and a data user terminal of a data user.
  • A first terminal of a first data provider is configured to provide a first data set, to encrypt the first data set with a collective public key based on a
  • A second terminal of a second data provider is configured to provide a second data set, to encrypt the second data set with the collective public key based on the homomorphic encryption scheme, and to send second encrypted data to a server of the plurality of servers.
  • The plurality of servers are configured to at least one of group and aggregate in a decentralized fashion the encrypted data of the first and second data providers based on the homomorphic encryption scheme, to compute a first encrypted aggregated data set, to collectively modify the encryption of the first encrypted aggregated data set from the encryption based on the collective public key to an encryption based on the public key of the data user, to generate a second encrypted aggregated data set, and to send the second encrypted aggregated data set to a terminal of the data user; the data user terminal is configured to decrypt the second encrypted aggregated data set with the private key of the data user.
  • A system including a plurality of servers for sharing private and/or sensitive data from a plurality of data providers with a data user terminal of a data user is provided, the data user having a private key and a public key, the plurality of servers forming together a collective and decentralized authority for sharing and computing on at least one of private and sensitive data.
  • A first terminal of a first data provider is configured to provide a first data set, to encrypt the first data set with a collective public key based on a homomorphic encryption scheme, and to send first encrypted data to a server of the plurality of servers.
  • A second terminal of a second data provider is configured to provide a second data set, to encrypt the second data set with the collective public key based on the homomorphic encryption scheme, and to send second encrypted data to a server of the plurality of servers.
  • The plurality of servers are configured to group and/or aggregate in a decentralized fashion the encrypted data of the first and second data providers based on the homomorphic encryption scheme to compute a first encrypted aggregated data set, to collectively modify the encryption of the first encrypted aggregated data set from the encryption based on the collective public key to an encryption based on the public key of the data user to generate a second encrypted aggregated data set, and to send the second encrypted aggregated data set to the terminal of the data user; the data user terminal decrypts the second encrypted aggregated data set with the private key of the data user.
  • FIG. 1 shows a schematic representation of an exemplary system 100 providing a collective and decentralized authority CA, according to one aspect of the present invention;
  • FIG. 2 shows a flow chart illustrating the different elements of a method 200, described below, that can be performed on system 100;
  • FIG. 3 shows a schematic representation of method 300 when the data providers receive a query from a data user; and
  • FIG. 4 shows a schematic representation of an exemplary computer system, using two servers as the collective authority, according to another aspect of the present invention.
  • A system 100 is provided for sharing private and/or sensitive data from a plurality of data providers DP1 to DPn, for example but not limited to a first and a second data provider DP1, DP2, with one or more data users DU1 to DUk which will ultimately receive data from the data providers DP, for example one data user DU1. A corresponding method is also provided.
  • Data user DU1 has a private key and a public key, for data decryption and encryption respectively.
  • System 100 includes a plurality of terminals, each terminal associated with a respective data provider DP1 to DPn, a plurality of servers S1 to Sm, the plurality of servers forming together a collective and decentralized authority CA for sharing and computing on at least one of private and sensitive data, and a data user terminal of a data user DU1.
  • The collective authority is associated with a collective public key K, defined as a cryptographic public key made from the aggregation of the public keys of all the servers S1 to Sm that form the collective authority CA.
  • Ki denotes the public key of server Si; using additive notation, the collective public key K used for encryption corresponds to K1 + ... + Km, where m is the number of servers in the collective authority CA.
  • A data provider DP is defined as one or more entities that provide data to the system 100 for privacy-conscious data sharing, in other words entities that are willing to share their data.
  • A data provider DP can also hold, store, or otherwise have access to the data of several entities.
  • Data providers DP can include terminals, computers, workstations, mobile phones, smart phones, tablets, databases, or any other electronic communication and data processing device operated by data providers DP.
  • Data providers DP can be, for example but not limited to, prospective or actual patients, people with medical insurance, hospitals, research institutions, doctors and nurses.
  • Data providers DP can also be tax payers or tax paying entities, such as corporations that are willing to share data with a data user DU.
  • A data user DU is defined as an entity that wants to use the data provided by the data providers DP.
  • The data user DU is the one that can provide all data providers with a query indicating what research will be undertaken by the collective authority CA on the data provided by data providers DP1 to DPn.
  • The data user DU is also the entity that will receive the encrypted output of the computation made by the collective authority CA, which includes the plurality of servers S1 to Sm, and is the only entity able to decrypt it.
  • In the medical application field, the data user DU could be a medical or pharmaceutical researcher; in the tax application field it could be a tax authority.
  • A server S is defined as an entity taking part in the decentralized collective authority CA, which includes a plurality of servers S1 to Sm. Its role in system 100 is to contribute to the distributed and secure computations on encrypted data.
  • A server S could be located at a hospital, research institution, university, etc. It can also be a set of cloud servers that are under the control of neither a data provider DP nor the data user DU.
  • Decentralized aggregating is defined as a method step or an action within system 100 of aggregating encrypted data among the decentralized collective authority CA formed by the plurality of servers S1 to Sm, as further explained below.
  • Grouping attributes are defined as categorical attributes belonging to data providers or to the entities whose data is held by a data provider. Data providers can be grouped together according to these attributes. In the medical application field, examples of grouping attributes are gender, age category, ethnicity, etc. In the tax application field, aggregating attributes can be different categorical entries of a tax form. Aggregating attributes are defined as numerical attributes belonging to data providers DP or to the entities whose data is held, stored, or otherwise made available by a data provider DP. These attributes will be aggregated, for example according to the grouping attributes, if these exist. In the medical application field, aggregating attributes can take binary values indicating the presence or absence of a disease, of treatments or of specific genomic variations.
  • Sensitive and/or private data or information m1 to mn is associated with data providers DP1 to DPn, respectively; each of these can be located in multiple databases, memory devices, or terminals that may be held in different geographical locations.
  • Computations can be made by multiple servers, for example but not limited to generic computing devices referred to as servers, shown as servers S1 to Sm.
  • These servers S1 to Sm form the collective and decentralized authority CA and allow the trust that any entity must place in system 100 to be split amongst all of the servers S1 to Sm. This means that a data user DU1 to DUk does not need to trust any given server S1 to Sm; it only needs to trust that there exists at least one honest or semi-honest server.
  • A data user, for example DU1, can send a query Q1 to any one of the servers S1 to Sm.
  • The server that receives query Q1 will broadcast query Q1 to all the other servers of the collective authority CA.
  • The plurality of servers S1 to Sm will send the query Q1 to subsets of the data providers DP1 to DPn in such a way that all data providers DP1 to DPn receive the query.
  • All data providers DP1 to DPn that participate in the query should thus have received the query Q1.
  • Each data provider DP1 to DPn will then find, enter, or otherwise make available its data relevant to the query Q1, encrypt the data under the collective public key K of the collective authority CA as explained further below, and send the encrypted data back to exactly one of the servers S1 to Sm.
  • The servers S1 to Sm will then compute on the encrypted data they have received from the data providers DP1 to DPn. Once each server S1 to Sm of the collective authority CA has done this computation, all servers S1 to Sm will aggregate their results, still on encrypted data. Once all the data has been aggregated, a result to the query exists in encrypted form, as the first encrypted aggregated data.
  • The first encrypted aggregated data, as an aggregated result, must be transformed into a ciphertext that can be decrypted by the data user DU1, i.e., it must be encrypted under the public key of the data user DU1. This is referred to as key switching, or as a modification of the encryption.
  • The new ciphertext, for example a query result encrypted under the public key of the data user DU1 (the second encrypted aggregated data), is sent to the data user DU1, who can decrypt the second encrypted aggregated data using its private key.
  • System 100 is configured to preserve the confidentiality of the data coming from the n data providers DP: the data is always in encrypted form and cannot be decrypted unless every single one of the servers S1 to Sm decides to collude and decrypt.
  • Semi-honest signifies that the server will follow the method, but may also perform other types of computations to gather information based on the data.
  • System 100 is configured to guarantee the integrity of the computations on the encrypted data; more precisely, the computations on the encrypted data can be verified without revealing anything about the underlying data.
  • System 100 and the corresponding method can be used in many different application fields, in the context of secure sharing of at least one of private and sensitive data from a plurality of data providers DP.
  • One application field is that of a medical data query.
  • A health care provider, research institution, university or pharmaceutical company, as a data user DU, would like to perform a survey and obtain separate answers for patients in different groups, the individual patients and/or hospitals being the data providers DP.
  • A survey can be made including grouping and aggregating attributes.
  • The grouping attributes characterize each data provider or entity represented by a data provider, e.g., by demographics. They are categorical variables that can take multiple values.
  • The aggregating attributes are the survey questions, the answers to which can be binary values.
  • The grouping attributes might be age and gender, where age can take values 1 through 5, corresponding to [0-20], [21-40], [41-60], [61-80], [81 and above], and gender can take values 1 or 2, corresponding to male and female, respectively.
  • A female in the 61-80 age category would have grouping attributes 2 (2nd gender group) and 4 (4th age group). If there are 2 questions in the survey, each of which can be answered yes (1) or no (0), and this participant's answers are "yes" and "yes", her aggregating attributes would be 1 and 1.
  • Her survey response would therefore be (2, 4, 1, 1).
  • System 100 can be used for secure national or international census and polling.
  • The grouping attributes could be demographic descriptions of each person/household such as age category, education, religion or income.
  • Aggregating attributes can be the number of people living in each household, the number of rooms in the household, or other attributes taking binary or other numerical values, for example yes or no questions.
  • The aggregating attributes can also be presented as multiple-choice questions.
  • System 100 allows a private version of the traditional Word Count example of the MapReduce model.
  • The grouping attributes are the words that are to be counted. As they are encrypted, they remain confidential.
  • The aggregating attributes are the number of such words, i.e., the counts. These too remain confidential until the data user decrypts the second encrypted aggregated data set, i.e. once the data users DU have received and decrypted the data for a respective query Q.
  • The "Map" phase of MapReduce is the Distributed Deterministic Hashing and the "Reduce" phase is the Private Aggregation.
  • A set of m servers S1, ..., Sm and n data providers DP1, ..., DPn are provided. Together, servers S1, ..., Sm form a collective authority CA. The goal is to enable sensitive data sharing while preserving the privacy of the n data providers DP1, ..., DPn.
  • A respective data user DU will create a query Q and send it to all data providers DP participating in the query, via the collective authority CA.
  • The query Q can either be in clear or encrypted under the public key of each data provider DP. It is assumed that the public keys of the data providers are known to the data users or can be obtained through a standard Public Key Infrastructure (PKI). If the query is encrypted, the data providers DP decrypt it using their private keys. The data providers DP then send their data responses, encrypted under the collective public key, to one of the servers.
  • The encryption scheme that uses the collective public key K has homomorphic properties.
  • Enc(a·m1 + b·m2) = a·Enc(m1) + b·Enc(m2), where Enc() is a homomorphic encryption function.
  • The method is explained with reference to the ElGamal encryption scheme on elliptic curves as one example of such a homomorphic encryption scheme. See Taher Elgamal, "A Public-Key Cryptosystem and a Signature Scheme Based on Discrete Logarithms," IEEE Transactions on Information Theory, Vol. 31 (4), pp. 469-472, 1985, this publication being herewith incorporated by reference.
  • A data provider DP communicates only with the servers S1, ..., Sm of the collective authority CA, and does not communicate directly with other data providers DP, thus preserving its anonymity with respect to any of the other data providers.
  • The method includes the step ST1 of encryption under the collective public key K, the step ST2 of local aggregation, the step ST3 of shuffling, the step ST4 of distributed deterministic hashing, a step ST5 of private aggregation, a step ST6 of key switching, and a step ST7 of decryption using the private key of a data user, these method steps being performed by system 100.
  • Steps ST2 to ST4 are optional steps, and are therefore indicated in dotted lines in FIG. 2.
  • The servers Si have chosen public cryptographic parameters: for illustrative purposes, an additive and commutative group G and a generator of that group, e.g., an elliptic curve with a base point B. More precisely, each server Si knows the group G and the base point B, and these are the same for each server.
  • The first step of method 200 is the encryption of the data under the collective public key K, at step ST1.
  • K can be computed by any distributed key generation algorithm. Generically, it is assumed that data provider DPj, hereinafter referred to as data provider j, is willing to share some information or data mj.
  • This ciphertext tuple is then sent to one of the servers S of the collective authority CA.
  • The first transformation consists of switching the encryption of a message from the collective key K to a public key Ui. This is used in the Key Switching step ST6.
  • The public keys of the data providers DP, servers S, and data user DU are assumed to be known and can be used for this purpose, but it is also possible to use a standard PKI.
  • The second transformation, used in step ST4, consists in switching from, for example, the probabilistic ElGamal encryption scheme to a deterministic encryption scheme. These transformations are described below as a non-limiting example, using the additive ElGamal notation over elliptic curves.
  • Step ST6 of method 200, also referred to as the step of modifying the encryption in the method, is performed as follows.
  • Each server i will generate a fresh random nonce for data provider j, which we denote v_ij, and, in a collective and sequential manner, modify the ciphertext tuple as described below.
  • Each server will partially and sequentially modify the ciphertext as follows and then send the modified ciphertext to the next server in the CA.
  • The respective server i stores its ephemeral key and computes (C1,j, C2,j) using
  • The method 200 can include a step of shuffling, ST3.
  • This step is optional, and an exemplary shuffling protocol that can be used in this step is described by Andrew Neff: C. A. Neff, "A verifiable secret shuffle and its application to e-voting," in Proceedings of the 8th ACM Conference on Computer and Communications Security, ACM, 2001, pp. 116-125, this reference being herewith incorporated by reference.
  • Step ST3 can take as input a number of sequences of ElGamal ciphertext pairs, corresponding to a number of sequences of encrypted messages, and produces a shuffled number of sequences of ElGamal pairs.
  • The output sequence corresponds to the same sequence of encrypted messages, in a different order and re-randomized, i.e., with different randomization terms. The difference between the input and output is indistinguishable from randomness.
  • Method 200 can perform a step ST4 of distributed deterministic hashing.
  • This step is also optional, and can be considered another type of encryption in a broad sense.
  • Each server i will generate a short-term secret s_i.
  • s_i will be the same for each data provider j for a given short time period.
  • The reason we move from a probabilistic encryption scheme to a deterministic encryption scheme is to enable the comparison of ciphertexts: with deterministic encryption, the same plaintext is mapped to the same ciphertext.
  • The collective short-term secret is denoted by s = s_1 · ... · s_m.
  • Each server will partially and sequentially modify the ciphertext as follows.
  • C1,i = s_i · C1,i-1 (4)
  • Step ST2 is an optional step of method 200 that consists in homomorphically summing all ciphertexts held by each data provider, when possible. Thus a data provider sends only one, potentially aggregate, response to the collective authority CA.
  • Step ST5, or Private Aggregation, consists in the collective authority
  • Step ST7 of method 200 consists in the data user decrypting the query result for each group, in other words decrypting the second encrypted aggregated data set.
  • (rB, m + rU): an ElGamal pair under the public key of the data user
  • U: the public key of the data user
  • The proofs can be used to guarantee that each server performed the Distributed Deterministic Hashing protocol of step ST4 correctly.
  • They show that server i used the correct k_i to remove its ElGamal contribution, when relevant, and similarly that server i used the same s_i for each data provider j for a given query Q.
  • A step is performed by method 200 that allows certain entities, for example a supervisory authority, to verify the correctness of the proofs of any server.
  • Such a step could provide a message or notification, for example in the form of a web page, bulletin board or email message, that includes all of the ciphertexts and the corresponding proofs.
  • In step SM1 the data user DU sends its query Q, including the grouping and aggregating attributes, to any one of the servers S in the collective authority CA.
  • This server broadcasts this information in a step SM2 to all the other servers.
  • The servers can then send the information to the data providers in a step SM3.
  • The data providers gather the data relative to the query Q, also referred to as a data set (for two data providers, the first and second data set), in a step SM4.
  • Data providers can enter the data set with respect to query Q, or that data set can be automatically gathered from a data storage device of the data providers.
  • The encryption is performed as explained with respect to method 200, which is schematically shown in FIG. 2.
  • The data providers DP encrypt their information using the collective key K of the collective authority CA in step ST1.
  • The ElGamal encryption will be the tuple (rB, A + rK), where B is the public base point and r is a fresh random number chosen by the data provider. If a data provider has several encrypted entries, it can aggregate them before proceeding to the next steps, as shown in step ST2 of method 200. This aggregation is optional and is referred to as Local Aggregation. It relies on the homomorphic properties of the encryption scheme. Thereafter, each data provider sends its information back to the collective authority.
  • The collective authority CA will use the cryptographic shuffle in order to break the link between the data providers and their data, in the optional step ST3. Moreover, if the grouping attributes are encrypted, the probabilistic encryption of the grouping attributes will be collectively transformed into deterministic encryptions as described previously in the Distributed Deterministic Hashing protocol, in step ST4. Once this is done, each data provider will have a deterministic encryption of its grouping attributes.
  • The servers of the collective authority CA can produce cryptographic zero-knowledge proofs of correctness that ensure that they have computed correctly.
  • Each server can now group the data of the data providers based on these deterministically encrypted grouping attributes, if they were initially encrypted, or based on the clear text grouping attributes if not.
  • The servers will aggregate the encrypted aggregating attributes using the homomorphic properties of the cryptosystem in step ST4.
  • Each server will send its aggregated aggregating attributes and corresponding grouping attributes to the next server in the collective authority CA, to generate the first encrypted aggregated data set in step ST5. It can be assumed, for this step, that the servers are organized in a loop or circuit, and the attributes are passed around from server to server of the collective authority. This continues until the end of the loop.
  • The last server in the loop then holds the deterministically encrypted groups, along with the corresponding aggregated information relative to the query (per group).
  • The probabilistic encryption of the aggregating and grouping attributes will go through the collective key switching protocol in step ST6 in order to be transformed into a probabilistic encryption of the same results under the public key of the data user.
  • This step transforms the first encrypted aggregated data set into a second encrypted aggregated data set.
  • The data user can decrypt the grouping attributes and the corresponding aggregated aggregating attributes in order to obtain the result of its query for each group.
  • Another aspect of the method is the removal or addition of one or more servers S from or to the collective authority CA, to enable a dynamic collective authority CA.
  • Adding or removing a server S from the collective authority CA may be desired.
  • Adding more servers to the CA strengthens the privacy guarantees.
  • Removing a cheating server from the collective authority CA can preserve the privacy guarantees.
  • Any data provider DP that stored data encrypted using the previous collective key K_prev must perform some steps of a protocol to have its data encrypted under the new collective key K_new.
  • Data encryption under the new collective key K_new is necessary for the system to work with the new collective authority CA resulting from the addition/removal of the server.
  • K_prev = K1 + ... + Km
  • K_new = K1 + ... + Km-1
  • The server Sm is added to / removed from the collective authority CA.
  • The encryption of the data of the data providers DP under the previous key K_prev must be updated to account for the new collective key K_new.
  • (C1, C2) = (rB, m + rK_prev)
  • Its encryption is updated by adding/removing the contribution of that server to/from the encryption.
  • The added/removed server Sm multiplies C1 by its private key k_m and adds/removes the result to/from C2.
  • A potentially dishonest dealer can share the secret of server Sm, say k_m, among the m - 1 remaining servers in such a way that any t honest servers can reconstruct k_m but any subset of t - 1 servers learns nothing about k_m.
  • The security of the scheme is then guaranteed as long as t of the m servers are honest, instead of 1 in an anytrust model.
  • This secret sharing must be done for all servers when they join the collective authority CA. In this way, when server Sm is being removed from the collective authority CA, the corresponding private key can be reconstructed and the computations shown above can be done by the remaining servers S1, ..., Sm-1 of the collective authority CA.
  • FIG. 4 shows a schematic representation of an exemplary computer system 100, implemented with different hardware devices, using two servers Si and S2 as the collective authority CA, according to another aspect of the present invention.
  • the use of only two servers S for collective authority is only exemplary, and many more servers can be used.
  • Data user DU is connected via a local intranet to network N to access and communicate with servers of collective authority CA.
  • there are three data providers DPi to DP3 that are each connected via an intranet, mobile network, or wireless network INi to IN3 to a network N.
  • Network N can be used by servers Si and S2 to pass data among each other.
  • Data provider DPi is shown to be a tablet with a subscriber identity module (SIM), and data provider DP2 is shown to be a smart phone with another SIM. Moreover, data provider DP3 is connected to a local database, and is shown to be a laptop computer. Data providers DPi to DP3, data user DU, and servers Si to S2 are equipped with hardware processors to perform data processing, and are also equipped with local storage memory. Also, a non-transitory computer readable medium can be provided, the computer readable medium having computer instructions recorded thereon. The computer instructions can be configured to perform methods 200, 300, when executed by hardware processors of the devices of system 100.

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Storage Device Security (AREA)

Abstract

A method of sharing private and/or sensitive data from a plurality of data providers with a data user, the data user having a private key and a public key, the method comprising the steps of providing a first data set and encrypting the first data set at a terminal of a first data provider with a collective public key, providing a second data set and encrypting the second data set at a terminal of a second data provider with the collective public key, sending the encrypted data to a server from a plurality of servers, the plurality of servers forming together a collective and decentralized authority, decentralized aggregating the encrypted data of the first and second data providers by the plurality of servers, based on a homomorphic encryption scheme, to compute a first encrypted aggregated data set, and modifying the encryption of the first encrypted aggregated data set from the encryption based on the collective public key to an encryption based on the public key of the data user to generate a second encrypted aggregated data set.

Description

SYSTEM AND METHOD FOR PROVIDING A COLLECTIVE
DECENTRALIZED AUTHORITY FOR SHARING SENSITIVE DATA
FIELD OF THE INVENTION
(0001) The present invention relates to the field of cryptography, more particularly to the field of decentralized and collective cryptography for privacy-conscious data sharing.
BACKGROUND
(0002) Research effort has been put into components useful for privacy-preserving data sharing and secure multi-party computation. For example, Duan et al. provide a practical framework for privacy-preserving data mining. Duan Y., Canny J., Zhan J., "Efficient privacy-preserving association rule mining: P4P style." In Computational Intelligence and Data Mining, 2007. CIDM 2007. IEEE Symposium on 2007, March 1, pp. 654-660. They consider a server and a number of privacy peers who help the server with the computations and who provide privacy. As it is a server-based system, it is prone to weakest-link security in that if the server fails, the system fails. Furthermore, they assume a weak adversary model in which all entities follow the protocol, i.e., are semi-honest.
(0003) Other authors have described building blocks for implementing statistical computing on distributed health data and implement several common statistical algorithms. See for example, M. A. Hailemichael, K. Y. Yigzaw, and J. G. Bellika, "Emnet: a system for privacy-preserving statistical computing on distributed health data", in Proceedings of the 13th Scandinavian Conference on Health Informatics. IEEE, 2015. However, they also consider a relatively weak adversary model where the health institutions in charge of storing and computing are fully trusted. Furthermore, they do not make use of any cryptographic tools, only some basic blinding. Zamani et al. present a secure multi-party computation that protects against a malicious adversary corrupting a fraction of the parties involved. M. Zamani, M. Movahedi, and J. Saia, "Millions of millionaires: Multiparty computation in large networks." IACR Cryptology ePrint Archive, vol. 2014, p. 149, 2014. In their work, the values are shared among parties using verifiable secret sharing and the computations are split into components that can be performed by different quorums. Thus patients are not masters of their own data. Maffei et al. introduce a cryptographic system that protects the secrecy and integrity of data outsourced to a cloud with respect to both an untrusted server and malicious clients. M. Maffei, G. Malavolta, M. Reinert, and D. Schroder, "Privacy and access control for outsourced personal records", in Security and Privacy (SP), 2015 IEEE Symposium. IEEE, 2015, pp. 341-358. As in many applications, they consider a central storage (the cloud) for all the data. Moreover, Khan et al. built a P2P network that supports integrity and confidentiality labeling of data. S. M. Khan and K. W. Hamlen, "Penny: Secure, decentralized data management." International Journal of Network Security, vol. 16, no. 5, pp. 340-354, 2014. Their system permits peers to publish data without revealing their ownership of the data. However, there is no possibility of using the data for studies. Further effort has been put into privately computing disease risks. See for example, J. W. Bos, K. Lauter, and M. Naehrig, "Private predictive analysis on encrypted medical data," Journal of Biomedical Informatics, vol. 50, pp. 234-243, 2014. Although these methods are important, they are only predictive and therefore are different from the aspects of the present invention.
(0004) Despite all the above-described advances in the field of privacy preserving data sharing, still further improvements and novel solutions are desired that enable secure computations on sensitive data with trust distributed among multiple entities and data spread across multiple data providers while preserving the privacy of the data providers willing to share data.
SUMMARY
(0005) According to one aspect of the present invention, a method of sharing private and/or sensitive data from a plurality of data providers with a data user is provided, the data user having a private key and a public key. Preferably, the method includes the steps of providing a first data set and encrypting the first data set at a terminal of a first data provider with a collective public key, providing a second data set and encrypting the second data set at a terminal of a second data provider with the collective public key, the encrypting being based on a homomorphic encryption scheme, sending the encrypted data from the first and second data provider terminals to a server from a plurality of servers, the plurality of servers forming together a collective and decentralized authority for sharing and computing on at least one of private and sensitive data, and decentralized aggregating the encrypted data of the first and second data providers by the plurality of servers, based on the homomorphic encryption scheme, to compute a first encrypted aggregated data set.
(0006) In addition, the method further preferably includes the steps of modifying the encryption of the first encrypted aggregated data set from the encryption based on the collective public key to an encryption based on the public key of the data user, the modifying performed collectively with the plurality of servers, to generate a second encrypted aggregated data set; sending the second encrypted aggregated data set to the data user; and decrypting the second encrypted aggregated data set at the data user terminal with the private key of the data user.
(0007) According to another aspect of the present invention, a system for sharing private and/or sensitive data from a plurality of data providers with a data user is provided, the data user having a private key and a public key. Preferably, the system includes a plurality of terminals, each terminal associated with a respective data provider, a plurality of servers, the plurality of servers forming together a collective and decentralized authority for sharing and computing on at least one of private and sensitive data, and a data user terminal of a data user. Moreover, preferably, a first terminal of a first data provider is configured to provide a first data set, to encrypt the first data set with a collective public key based on a homomorphic encryption scheme, and to send first encrypted data to a server of the plurality of servers, and a second terminal of a second data provider is configured to provide a second data set, to encrypt the second data set with the collective public key based on the homomorphic encryption scheme, and to send second encrypted data to a server of the plurality of servers.
(0008) In addition, preferably, the plurality of servers are configured to at least one of group and aggregate in a decentralized fashion the encrypted data of the first and second data providers based on the homomorphic encryption scheme, to compute a first encrypted aggregated data set, to collectively modify the encryption of the first encrypted aggregated data set from the encryption based on the collective public key to an encryption based on the public key of the data user, to generate a second encrypted aggregated data set, and to send the second encrypted aggregated data set to a terminal of the data user, and the data user terminal is configured to decrypt the second encrypted aggregated data set with the private key of the data user.
(0009) According to yet another aspect of the present invention, a system including a plurality of servers for sharing private and/or sensitive data from a plurality of data providers with a data user terminal of a data user is provided, the data user having a private key and a public key, the plurality of servers forming together a collective and decentralized authority for sharing and computing on at least one of private and sensitive data. Preferably, a first terminal of a first data provider is configured to provide a first data set, to encrypt the first data set with a collective public key based on a homomorphic encryption scheme, and to send first encrypted data to a server of the plurality of servers, and a second terminal of a second data provider is configured to provide a second data set, to encrypt the second data set with the collective public key based on the homomorphic encryption scheme, and to send second encrypted data to a server of the plurality of servers.
(00010) Moreover, preferably, the plurality of servers are configured to group and/or aggregate in a decentralized fashion the encrypted data of the first and second data providers based on the homomorphic encryption scheme to compute a first encrypted aggregated data set, to collectively modify the encryption of the first encrypted aggregated data set from the encryption based on the collective public key to an encryption based on the public key of the data user to generate a second encrypted aggregated data set, and to send the second encrypted aggregated data set to the terminal of the data user, and the data user terminal decrypts the second encrypted aggregated data set with the private key of the data user.
(00011) The above and other objects, features and advantages of the present invention and the manner of realizing them will become more apparent, and the invention itself will best be understood from a study of the following description with reference to the attached drawings showing some preferred embodiments of the invention.
BRIEF DESCRIPTION OF THE SEVERAL VIEWS OF THE DRAWINGS
(00012) The accompanying drawings, which are incorporated herein and constitute part of this specification, illustrate the presently preferred embodiments of the invention, and together with the general description given above and the detailed description given below, serve to explain features of the invention.
(00013) FIG. 1 shows a schematic representation for an exemplary system 100 to provide for a collective and decentralized authority CA, according to one aspect of the present invention;
(00014) FIG. 2 shows a flow chart illustrating the different elements of a method 200 described below that can be performed on system 100;
(00015) FIG. 3 shows a schematic representation of method 300 when the data providers receive a query from a data user; and
(00016) FIG. 4 shows a schematic representation of an exemplary computer system, using two servers as the collective authority, according to another aspect of the present invention.
(00017) Herein, identical reference numerals are used, where possible, to designate identical elements that are common to the figures. Also, the images are simplified for illustration purposes and may not be depicted to scale.
BRIEF DESCRIPTION OF THE SEVERAL EMBODIMENTS
(00018) As shown schematically in FIG. 1, a system 100 is provided for sharing private and/or sensitive data from a plurality of data providers DP1 to DPn, for example but not limited to a first and second data provider DP1, DP2, with one or more data users DU1 to DUk which will ultimately receive data from the data providers DP, for example one data user DU1. Also, a corresponding method is provided. Data user DU1 has a private key and a public key for data decryption and encryption, respectively. System 100 includes a plurality of terminals, each terminal associated with a respective data provider DP1 to DPn, a plurality of servers S1 to Sm, the plurality of servers forming together a collective and decentralized authority CA for sharing and computing on at least one of private and sensitive data, and a data user terminal of a data user DU1. Moreover, the collective authority is associated with a collective public key K which is defined as a cryptographic public key made from the aggregation of the public keys of all the servers S1 to Sm that form the collective authority CA. In the case where K_i denotes the public key of server S_i and we use additive notation, the collective public key K for encryption corresponds to K_1 + ... + K_m, where m is the number of servers in the collective authority CA.
(00019) For description purposes, the above terminology will be used. It is noted that the terminology used is only exemplary, and shall not be in any way limiting the scope of what one of ordinary skill in the art of encryption would understand from these descriptive elements. For example, a data provider DP is defined to be one or more entities that provide data to the system 100 for privacy-conscious data sharing, in other words, entities that are willing to share their data. A data provider DP can also hold, store, or otherwise have access to the data of several entities. As a non-limiting example, data providers DP can include terminals, computers, workstations, mobile phones, smart phones, tablets, databases, or any other electronic communication and data processing device that is operated by data providers DP. Within this specification, as a non-limiting example, reference is made to an application in the medical field, where medical data from data providers DP would benefit data users DU from sharing, but the medical data must remain confidential in order to protect the privacy of those who the data pertains to. In this medical application field, data providers DP can be for example but not limited to prospective or actual patients, people with medical insurance, hospitals, research institutions, doctors and nurses. In the field of taxation, data providers DP can be tax payers or tax paying entities, such as corporations that are willing to share data with a data user DU.
(00020) A data user DU is defined as an entity that wants to use the data provided by the data providers DP. Data user DU is the one that can provide all data providers with a query indicating what research will be undertaken by the collective authority CA on data that will be provided by data providers DP1 to DPn. Data user DU is also the entity that will receive the encrypted output of the computation made by collective authority CA that includes the plurality of servers S1 to Sm, and is the only entity that will be able to decrypt it. In the medical application field, the data user DU could be a medical or pharmaceutical researcher. In the tax application field, it could be a tax authority.
(00021) A server S is defined as an entity taking part in the decentralized collective authority CA, which includes a plurality of servers S1 to Sm. Its role in system 100 is to contribute to the distributed and secure computations on encrypted data. In the medical application field, a server S could be located at a hospital, research institution, university, etc. It can also be a set of cloud servers that are not under the control of either a data provider DP or a data user DU. Decentralized aggregating is defined as a method step or an action within system 100 of aggregating encrypted data among the decentralized collective authority CA that can be formed by the plurality of servers S1 to Sm, as further explained below.
(00022) Grouping attributes are defined as categorical attributes belonging to data providers or the entities whose data is held by a data provider. Data providers can be grouped together according to these attributes. In the medical application field, examples of grouping attributes can be gender, age category, ethnicity, etc. In the tax application field, aggregating attributes can be different categorical entries of a tax form. Aggregating attributes are defined as numerical attributes belonging to data providers DP or the entities whose data is held, stored, or otherwise made available by a data provider DP. These attributes will be aggregated, for example according to the grouping attributes, if these exist. In the medical application field, aggregating attributes can take binary values indicating the presence or absence of a disease, treatments or specific genomic variations.
(00023) As shown in FIG. 1, sensitive and/or private data or information m1 to mn is associated with data providers DP1 to DPn, respectively, each of which can be located in multiple databases, memory devices, or terminals that may be held in different geographical locations. Computations can be made by multiple servers, for example but not limited to generic computing devices referred to as servers, shown as servers S1 to Sm. These servers S1 to Sm form the collective and decentralized authority CA and allow the trust that any entity must have in system 100 to be split amongst all of the servers S1 to Sm. This means that data users DU1 to DUk do not need to trust any given server S1 to Sm, as they only need to trust that there exists at least one honest or semi-honest server.
(00024) A data user, for example DU1, can send a query Q1 to any one of the servers S1 to Sm. The server that receives query Q1 will broadcast query Q1 to all the other servers from the plurality of servers in the collective authority CA. Next, the plurality of servers S1 to Sm will send the query Q1 to a subset of the data providers DP1 to DPn in such a way that all data providers DP1 to DPn receive the query. At this point, all data providers DP1 to DPn that participate in the query should have received the query Q1. Each data provider DP1 to DPn will then find, enter, or otherwise make available its data relevant to the query Q1, encrypt the data under the collective public key K of collective authority CA as explained further below, and send the encrypted data back to exactly one of the servers from the plurality of servers S1 to Sm. The servers S1 to Sm will then compute on the encrypted data they have received from the data providers DP1 to DPn. Once each server S1 to Sm of collective authority CA has done this computation, all servers S1 to Sm will aggregate their results, still using encrypted data. Once all the data has been aggregated, a result to the query exists in encrypted form, as the first encrypted aggregated data. Before this result is sent back to the data user DU1 who issued the query Q1, the first encrypted aggregated data, as an aggregated result, must be transformed into a ciphertext that can be decrypted by that data user DU1, i.e., it must be encrypted under the public key of the data user DU1. This is referred to as key switching, or as a modification of the encryption. Once this transformation or modification is done, the new ciphertext, i.e., the query result encrypted under the public key of the data user DU1 as the second encrypted aggregated data, is sent to the data user DU1 who can decrypt the second encrypted aggregated data using its private key.
(00025) In a situation where at least one server out of the plurality of servers S1 to Sm is honest or semi-honest, system 100 is configured to preserve the confidentiality of the data coming from the n data providers DP: the data is always in encrypted form and cannot be decrypted unless every single one of the servers S1 to Sm decides to collude and decrypt. Semi-honest signifies that the server will follow the method, but may also perform other types of computations to gather information based on the data. In addition, system 100 is configured to guarantee the integrity of the computations on the encrypted data; more precisely, the computations on the encrypted data can be verified without revealing anything about the underlying data.
(00026) System 100 and the corresponding method can be used for many different application fields, in the context of secure sharing of at least one of private and sensitive data from a plurality of data providers DP. For example, as discussed above, one application field is that of a medical data query. For example, a health care provider, research institution, university, or pharmaceutical company as a data user DU would like to perform a survey and obtain separate answers for patients in different groups, the individual patients and/or hospitals being the data providers DP. For this, a survey can be made including grouping and aggregating attributes. The grouping attributes can characterize each data provider or entity represented by a data provider, e.g., by demographics. They are categorical variables that can take multiple values. In this context, the aggregating attributes are the survey questions, the answers to which can be binary values. As an example, the grouping attributes might be age and gender where age can take values 1 through 5, corresponding to [0-20], [21-40], [41-60], [61-80], [81 and above] and gender can take values 1 or 2, corresponding to male and female, respectively. When responding to a query of this sort, the grouping attributes of a female in the 61-80 age category would be 2 (2nd gender group) and 4 (4th age group). If there are 2 questions in the survey, each of which can take answers yes (1) or no (0), and this participant's answers are "yes" and "yes", her aggregating attributes would be 1 and 1. Her survey response would therefore be (2, 4, 1, 1).
(00027) As another example, system 100 can be used for secure national or international census and polling. In this application field, the grouping attributes could be demographic descriptions of each person/household such as age category, education, religion or income. Aggregating attributes can be the number of people living in each household, the number of rooms in the household or other attributes taking binary or other numerical values, for example yes or no questions. The aggregating attributes can also be presented as multiple-choice questions.
(00028) Moreover, another example would be a cryptographic word count. System 100 allows a private version of the traditional Word Count example of the MapReduce model. In this case, the grouping attributes are the words that are to be counted. As they are encrypted they will remain confidential. The aggregating attributes are the number of such words, i.e., the counts. These too remain confidential until the data user decrypts the second encrypted aggregated data set, i.e. once the data users DU have received and decrypted the data for a respective query Q. In system 100, the "Map" phase of MapReduce is the Distributed Deterministic Hashing and the "Reduce" phase is the Private Aggregation. These steps are explained further below.
(00029) Next, different steps of the method are explained that can be performed on system 100. As shown in FIG. 1 and discussed above, a set of m servers S1, ..., Sm and n data providers DP1, ..., DPn are provided. Together, servers S1, ..., Sm form a collective authority CA. The goal is to enable sensitive data sharing while preserving the privacy of the n data providers DP1, ..., DPn. In this context, there is also a set of k data users DU1, ..., DUk that can provide respective queries Q and receive the corresponding aggregate answers. These are entities who would like to obtain some information about the combined responses of the n data providers. A respective data user DU will create a query Q and send it to all data providers DP that are participating in the query, via the collective authority CA. The query Q can either be in clear or encrypted under the public key of each data provider DP. It is assumed that the public keys of the data providers are known to the data users or can be obtained through a standard Public Key Infrastructure (PKI). If the query is encrypted, the data providers DP will decrypt it using their private keys. Data providers DP will send their data responses, encrypted under the collective public key, to one of the servers. The encryption scheme that uses the collective public key K has homomorphic properties. This means that any linear combination of ciphertexts is the same as the linear combination of the plaintexts that is then encrypted: Enc(a·m1 + b·m2) = a·Enc(m1) + b·Enc(m2), where the function Enc() is a homomorphic encryption function. The method is explained with reference to the ElGamal encryption scheme on elliptic curves as one such example of a homomorphic encryption scheme. See Taher Elgamal, "A Public-Key Cryptosystem and a Signature Scheme Based on Discrete Logarithms," IEEE Transactions on Information Theory, Vol. 31 (4), pp. 469-472, 1985, this publication being herewith incorporated by reference. Also, a data provider DP communicates only with the servers S1, ..., Sm of collective authority CA, and does not directly communicate with other data providers DP, thus preserving its anonymity with respect to any one of the other data providers.
(00030) Next, the method of encryption 200 that is performed with system 100 is explained in more detail, as schematically represented in FIG. 2. The method includes a step ST1 of encryption under the collective public key K, a step ST2 of local aggregation, a step ST3 of shuffling, a step ST4 of distributed deterministic hashing, a step ST5 of private aggregation, a step ST6 of key switching, and a step ST7 of decryption using the private key of a data user, these method steps being performed by system 100. Steps ST2 to ST4 are optional steps, and are therefore indicated in dotted lines in FIG. 2. We distribute the trust that any entity must have in system 100 among a number of servers S_i, hereinafter referenced as server i. This means that instead of needing to trust only one server, any entity must only trust one server among m. In the following passages, it is assumed that the servers S_i have chosen public cryptographic parameters. For illustrative purposes, these are an additive and commutative group G and a generator of that group, e.g., an elliptic curve with a base point B. More precisely, each server S_i knows the group G and the base point B, and these are the same for each server.
(00031) The first step of method 200 is the encryption of the data under the collective public key K, at step ST1. In this step, each server i that takes part in the collective authority CA generates a private key k_i and computes the corresponding public key K_i as K_i = k_i·B. Each server i then computes the collective public key as K = K_1 + ... + K_m. K can be computed by any distributed key generation algorithm. Generically, it is assumed that data provider DPj, hereinafter referred to as data provider j, is willing to share some information or data m_j. Data provider DPj generates a random number r_j and ElGamal-encrypts m_j so as to produce a probabilistic ciphertext tuple (C_{1,j}, C_{2,j}) = (r_j·B, m_j + r_j·K). This ciphertext tuple is then sent to one of the servers S of the collective authority CA. At this point, generically, there are two transformations that can be applied to the ciphertext tuple by the CA. The first transformation consists of switching the encryption of a message using the collective key K to one using a public key U_1. This is used in the key switching step ST6. The public keys of the data providers DP, servers S, and data user DU are assumed to be known and can be used for this purpose, but it is also possible to use standard PKI. The second transformation, used in step ST4, consists in switching from, for example, the probabilistic ElGamal encryption scheme to a deterministic encryption scheme. These transformations are described below as a non-limiting example, using the additive ElGamal over elliptic curve notation.
(00032) The key switching protocol performed by step ST6 of method 200, also referred to as the step of modifying the encryption in the method, is performed as follows. Each server i will generate a fresh random nonce for data provider 1, which we denote v_{i,1}, and, in a collective and sequential manner, modify the ciphertext tuple as described below. Note that in what follows the collective fresh nonce for data provider 1 is v_1 = v_{1,1} + ... + v_{m,1}, and we assume here that the public key U_1 of data user 1 is known to each server of the collective authority CA. Starting from (C_{1,j}, C_{2,j}) = (r_j·B, m_j + r_j·K), each server will partially and sequentially modify the ciphertext as follows and then send its modified ciphertext to the next server in the CA. When server i receives the modified ciphertext (C_{1,i-1}, C_{2,i-1}) from server i-1, where we denote (C_{1,0}, C_{2,0}) = (0, C_{2,j}), the respective server i stores the ephemeral key r_j·B and computes (C_{1,i}, C_{2,i}) using

$$C_{1,i} = C_{1,i-1} + v_{i,1}\, B \quad (1)$$

and

$$C_{2,i} = C_{2,i-1} - (r_j B)\, k_i + v_{i,1}\, U_1 = C_{2,i-1} - r_j K_i + v_{i,1}\, U_1 \quad (2)$$

Finally, the last server of collective authority CA that receives the modified ciphertext removes r_j·B from the left hand side of the ciphertext tuple. Once all of these computations are done, a new ciphertext is obtained, (C_{1,final}, C_{2,final}) = (v_1·B, m_j + v_1·U_1), corresponding to the data m_j encrypted under the public key U_1 of data user 1, from the original ciphertext (C_{1,j}, C_{2,j}) = (r_j·B, m_j + r_j·K), corresponding to the same data m_j encrypted under the collective key K. At this point the ciphertext (C_{1,final}, C_{2,final}) can be decrypted only by data user 1 who has the private key u_1. This is done for each one of the grouping and aggregating attributes, producing the second encrypted aggregated data set.
(00033) Moreover, the method 200 can include a step of shuffling ST3. This step is optional, and an exemplary shuffling protocol that can be used in this step is described by Andrew Neff. C. A. Neff, "A verifiable secret shuffle and its application to e-voting," in Proceedings of the 8th ACM conference on Computer and Communications Security. ACM, 2001, pp. 116-125, this reference being herewith incorporated by reference. Step ST3 can take as input a number of sequences of ElGamal ciphertext pairs, corresponding to a number of sequences of encrypted messages, and produces a shuffled number of sequences of ElGamal pairs. The output sequence corresponds to the same sequence of encrypted messages, in a different order and re-randomized, i.e., with different randomization terms. The difference between the input and output is indistinguishable from randomness.
(00034) Next, method 200 can perform a step ST4 of distributed deterministic hashing. This step is also optional, and can be considered another type of encryption in a broad sense. For this step, each server i will generate a short-term secret Si. In other words, Si will be the same for each data provider j for a given short time period. The reason we move from a probabilistic encryption scheme to a deterministic encryption scheme is in order to enable the comparison of ciphertexts. In fact, with deterministic encryption, the same plaintext will be mapped to the same ciphertext. The collective short-term secret is denoted by s— Sl ' . . . Sm. In order to avoid statistical attacks on the deterministic ciphertexts, we recommend the short- term secret Si to be different for each query. Starting from (Ci j,C2j) = ( Β, m, + Κ), in step ST4, each server will partially and sequentially modify the ciphertext as follows. When server i receives the modified ciphertext (C -i, C2,i-i) fr°m server i- 1 , where we denote ( ,o. C2i0) = (Ci j, C2j), it will compute (C , C2,i) using
[equation (3), provided only as an image in the original publication]

and
C1,i = C1,i-1 · si (4)

Once these computations are done, we obtain the new ciphertext corresponding to the data mj deterministically encrypted, C2,final = mj · s, from the original ciphertext (C1,j, C2,j) = (rjB, mj + rjK), corresponding to the same data mj probabilistically encrypted. In step ST4, this is done for each one of the grouping attributes. The security is ensured by choosing new secret keys for the deterministic encryption for each new query. This way, at each query, the same plaintexts will be mapped to different ciphertexts, enabling us to compare ciphertexts for the query round only.

(00035) Step ST2, or Local Aggregation, is an optional step of method 200 that consists in homomorphically summing all ciphertexts held by each data provider, when possible. Thus a data provider will send only one, potentially aggregate, response to the collective authority CA.
(00036) Step ST5, or Private Aggregation, consists in the collective authority homomorphically summing all of their encrypted responses. If there are grouping attributes involved, the summing happens for each group separately. This can be done efficiently by using a tree structure for the CA.
(00037) Step ST7 of method 200 consists in the data user decrypting the query result for each group, in other words decrypting the second encrypted aggregated data set. Given an ElGamal pair (rB, m + rU), where U is the public key of the data user, the data user will use the corresponding private key u to decrypt the ciphertext by computing
(rB)u = rU (5)

and

m + rU - rU = m (6)

This is done for each one of the grouping and aggregating attributes of the second encrypted aggregated data set. For steps ST4 and ST6, as long as one server remains honest or semi-honest, the plaintext mj cannot be decrypted. Furthermore, each step in ST2, ST3, ST4, ST5 and ST6 can be proved with cryptographic zero-knowledge proofs.
(00038) Using the cryptographic zero-knowledge proofs exemplarily described by Camenisch et al., it can be guaranteed that a computation coming from any server is correct, i.e., that this server followed the protocol. J. Camenisch and M. Stadler, "Proof systems for general statements about discrete logarithms," Technical Report, No. 260, 1997, this publication being herewith incorporated by reference. If a server fails to produce a correct proof, it can be identified and potentially excluded from future computations. This can be performed by a separate step that redefines the collective authority CA.
For example, the proofs can be used to guarantee that each server performed the Distributed Deterministic Hashing protocol of step ST4 correctly. This means that server i used the correct ki to remove its ElGamal contribution, when relevant, and similarly that server i used the same si for each data provider j for a given query Q. Also, it is possible that a step is performed by method 200 that allows certain entities, for example a supervisory authority, to verify the correctness of the proofs of any server. For example, such a step could provide a message or notification, for example in the form of a web page, bulletin board or email message, that includes all of the ciphertexts and the corresponding proofs.
(00039) Next, based on FIG. 3, the entire method 300 for sharing at least one of private and sensitive data is explained. First, in a step SM1 the data user DU sends its query Q, including the grouping and aggregating attributes, to any one of the servers S in the collective authority CA. This server broadcasts this information in a step SM2 to all the other servers. Next, the servers can send the information to the data providers in a step SM3.
(00040) Thereafter, in a step SM4, the data providers gather the data relative to the query Q, also referred to as a data set (for two data providers, the first and second data set). In this step, data providers can enter the data set with respect to query Q, or that data set can be automatically gathered from a data storage device of the data providers. Next, the encryption is performed, as explained with respect to method 200 that is schematically shown in FIG. 2. Using a homomorphic encryption scheme, for example but not limited to ElGamal, the data providers DP encrypt their information using the collective key K of collective authority CA in step ST1. For example, if data provider X's response to a query is A, the ElGamal encryption will be the tuple (rB, A + rK) where B is a public base point and r is a fresh random number chosen by data provider X. If a data provider has several encrypted entries, it can aggregate them before proceeding to the next steps, as shown with step ST2 of method 200. This aggregation is optional and is referred to as Local Aggregation. It utilizes the homomorphic properties of the encryption scheme. Thereafter, each data provider will send its information back to the collective authority.
(00041) If the grouping attributes are encrypted, the collective authority CA will use the cryptographic shuffle in order to break the link between the data providers and their data, with the optional step ST3. Moreover, if the grouping attributes are encrypted, the probabilistic encryption of the grouping attributes will be collectively transformed into deterministic encryptions as described previously in the Distributed Deterministic Hashing protocol, with the step ST4. Once this is done, each data provider will have a deterministic encryption of its grouping attributes. At each step of the method, the servers of the collective authority CA can produce cryptographic zero-knowledge proofs of correctness that ensure that they have computed correctly.
(00042) Next, each server can now group the data of the data providers based on these deterministically encrypted grouping attributes if they were initially encrypted, or based on the clear text grouping attributes if not. For each group, the servers will aggregate the encrypted aggregating attributes using the homomorphic properties of the cryptosystem in step ST4. Thereafter, each server will send its aggregated aggregating attributes and corresponding grouping attributes to the next server in the collective authority CA, to generate the first encrypted aggregated data set in step ST5. It can be assumed, for this step, that the servers are organized in a loop or circuit, and the attributes can be passed around from server to server of the collective authority. This happens until the end of the loop. At this point, the last server in the loop has deterministically encrypted groups, along with the corresponding aggregated information relative to the query (per group).

(00043) Next, the probabilistic encryption of the aggregating and grouping attributes will go through the collective key switching protocol in step ST6 in order to be transformed into a probabilistic encryption of the same results under the public key of the data user. This step transforms the first encrypted aggregated data set into a second encrypted aggregated data set. At this point, the data user can decrypt the grouping attributes and the corresponding aggregated aggregating attributes in order to obtain the result of its query for each group.
(00044) Another aspect of the method is the removal or addition of one or more servers S to the collective authority CA, to enable a dynamic collective authority CA. In certain circumstances, adding or removing a server S from collective authority CA is desired. On one hand, adding more servers to CA strengthens the privacy guarantees. On the other hand, in a case where a server misbehaves and is caught cheating, for example through the use of zero-knowledge proofs, removing the cheating server from the collective authority CA can preserve privacy guarantees. Next, the steps of a method are described that allow the system to adapt to the addition of a new server to the collective authority CA, and to adapt to the removal of a server from the collective authority CA. For the description below, server m designates the server that needs to be added or removed. Any data provider DP that stored data encrypted using the previous collective key Kprev must perform some steps of a protocol to have its data encrypted under the new collective key Knew. Data encryption under the new collective key Knew is necessary for the system to work with the new collective authority CA resulting from the addition/removal of the server Sm. When adding server Sm to the collective authority CA that includes servers S1, ..., Sm-1, the previous collective key is defined as Kprev = K1 + ... + Km-1 and the new collective key is defined as Knew = K1 + ... + Km. When removing server Sm from collective authority CA including servers S1, ..., Sm, the previous collective key is defined as Kprev = K1 + ... + Km and the new collective key is defined as Knew = K1 + ... + Km-1.

(00045) When the server Sm is added/removed to/from the collective authority CA, the encryption of data of the data providers DP under the previous key Kprev must be updated to account for the new collective key Knew.
In general, starting from a message m of a data provider DP encrypted under Kprev, (C1, C2) = (rB, m + rKprev), its encryption is updated by adding/removing the contribution of server Sm to the encryption. The added/removed server Sm multiplies C1 by its private key km and adds/removes the result to/from C2:

C2 = m + rKprev ± C1km = m + rKprev ± rKm = m + rKnew (7)

The result of these calculations is the new ciphertext tuple (C1, C2) = (rB, m + rKnew), corresponding to the same message m encrypted under the new public key Knew of the collective authority CA. Similarly to each step in ST2, ST3, ST4, ST5 and ST6, correct addition/removal of the server Sm can be proved and verified through zero-knowledge proofs. Therefore, it is possible to expand the collective authority CA and update the corresponding encryptions without needing to decrypt any of the ciphertexts. This protocol is time consuming, and consequently, it should only be performed when needed to expand/reduce the collective authority CA, for example if the strengthening of the privacy protection is required or if one or multiple servers of the collective authority misbehave.
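The following is an added, runnable toy of the steps described above (not the patent's own code): it models the ST6 key switching of equation (2), the ST4 distributed deterministic hashing (equation (4); the C2 update that the page carries only as an image is assumed here from claims 5 and 14), the ST7 decryption of equations (5) and (6) and the equation (7) re-keying. It stands in a constructed, deliberately small prime-order subgroup mod 1019 in place of an elliptic-curve group, so the "points" of the page become integers and the key size is insecure.

```python
"""Toy model of this page's protocol (added example, not the patent's code): additive
ElGamal in a small prime-order group with key switching (ST6, eq. (2)), distributed
deterministic hashing (ST4, eq. (4); its C2 update, an image on the page, is assumed
from claims 5 and 14), data-user decryption (ST7, eqs. (5)-(6)) and eq. (7) re-keying."""
import secrets

# Constructed toy parameters: p = 2q+1 is a safe prime, B generates the order-q
# subgroup. Page "points" are subgroup elements: "+" is multiplication mod P, scalar
# multiplication is exponentiation, "-" is division. Deploy on a prime-order curve.
P, Q, B = 1019, 509, 4

def mul(x, n):
    """n*X in the page's additive notation (X^n mod P)."""
    return pow(x, n, P)

def add(x, y):
    """X + Y in the page's additive notation (X*Y mod P)."""
    return x * y % P

def sub(x, y):
    """X - Y in the page's additive notation (X * Y^-1 mod P)."""
    return x * pow(y, -1, P) % P

def keygen():
    """Private scalar k and public key K = kB for a server or the data user."""
    k = secrets.randbelow(Q - 1) + 1
    return k, mul(B, k)

def collective_key(pubs):
    """K = K1 + ... + Km, the collective public key of the CA."""
    K = 1
    for Ki in pubs:
        K = add(K, Ki)
    return K

def encrypt(m, K):
    """(rB, mB + rK): a data provider's encryption of a small count m (step ST1)."""
    r = secrets.randbelow(Q - 1) + 1
    return mul(B, r), add(mul(B, m), mul(K, r))

def aggregate(cts):
    """Homomorphic sum (local aggregation ST2, private aggregation ST5)."""
    c1, c2 = 1, 1
    for a, b in cts:
        c1, c2 = add(c1, a), add(c2, b)
    return c1, c2

def key_switch(ct, privs, U):
    """Step ST6, eq. (2): server i removes its share ki of rK and adds a fresh viU;
    the last server strips rB, leaving (vB, mB + vU) under the data user's key U."""
    rB, c2 = ct
    c1 = rB
    for ki in privs:
        v = secrets.randbelow(Q - 1) + 1
        c1 = add(c1, mul(B, v))                    # C1,i = C1,i-1 + viB
        c2 = add(sub(c2, mul(rB, ki)), mul(U, v))  # C2,i = C2,i-1 - (rB)ki + viU
    return sub(c1, rB), c2

def decrypt(ct, u, max_count=10_000):
    """Step ST7, eqs. (5)-(6): mB = C2 - u*C1, then a brute-force discrete log
    recovers m (feasible only because aggregate counts are small)."""
    c1, c2 = ct
    mB, acc = sub(c2, mul(c1, u)), 1
    for m in range(max_count):
        if acc == mB:
            return m
        acc = add(acc, B)
    raise ValueError("count exceeds max_count")

def deterministic_tag(ct, privs, ephemerals):
    """Step ST4: server i strips ki and multiplies by its short-term secret si.
    C1,i = si*C1,i-1 is eq. (4); C2,i = si*(C2,i-1 - ki*C1,i-1) is assumed from
    claims 5 and 14. Equal plaintexts give the same tag s*mB within one query."""
    c1, c2 = ct
    for ki, si in zip(privs, ephemerals):
        c2 = mul(sub(c2, mul(c1, ki)), si)
        c1 = mul(c1, si)
    return c2

def rekey_for_server_change(ct, km, adding):
    """Eq. (7): server Sm adds (or removes) rKm = km*C1 to C2, moving the ciphertext
    from Kprev to Knew without decrypting it."""
    c1, c2 = ct
    rKm = mul(c1, km)
    return c1, (add(c2, rKm) if adding else sub(c2, rKm))

def run_query(provider_counts, n_servers=3):
    """End to end (FIG. 3): providers encrypt and locally aggregate, the CA privately
    aggregates and key-switches, the data user decrypts the total."""
    servers = [keygen() for _ in range(n_servers)]
    K = collective_key([pub for _, pub in servers])
    u, U = keygen()
    responses = [aggregate([encrypt(c, K) for c in counts]) for counts in provider_counts]
    switched = key_switch(aggregate(responses), [k for k, _ in servers], U)
    return decrypt(switched, u)
```

The zero-knowledge proofs of steps ST2 to ST6 are not modelled; every server in the toy is assumed to follow the protocol.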
(00046) If a data provider DP has an offline backup of its data in clear text, in a variant, it is possible that data provider DP can choose to directly re-encrypt the data with the new public key Knew of the collective authority. In such circumstances, it is not necessary to execute the method steps of the protocol described above. This could enhance the performance of the system by reducing communication and computation cost and by distributing the workload between data providers DP and servers S. Nevertheless, it cannot be assumed that all data providers DP keep an offline unencrypted backup of their data or that the server Sm being removed from the collective authority CA would be willing to help in this process.

(00047) In these circumstances, a threshold t (out of m-1) of servers S of the collective authority CA can be used to reconstruct the secret key of the server Sm that is being removed, through the use of a (t, m-1)-verifiable secret sharing scheme. Such a scheme is described in the publication from Benny Chor et al., "Verifiable secret sharing and achieving simultaneity in the presence of faults," 26th Annual Symposium on Foundations of Computer Science, IEEE, pages 383-395, 1985, this reference being herewith incorporated by reference. In such a scheme, a potentially dishonest dealer can share the secret of server Sm, say km, among the m-1 remaining servers in such a way that any t honest servers can reconstruct km but any subset of t-1 servers learns nothing about km. This weakens the threat to the collective authority CA but enhances the dynamics of the collective authority CA by enabling it to discard a server behaving badly. In fact, by using a (t, m-1)-verifiable secret sharing scheme, the security of the scheme is guaranteed as long as t of m servers are honest instead of 1 in an anytrust model. This secret sharing must be done for all servers when they join the collective authority CA. In this way, when server Sm is being removed from the collective authority CA, the corresponding private key can be reconstructed and the computations shown above can be done by the remaining servers S1, ..., Sm-1 of the collective authority CA.
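An added example of the threshold reconstruction described above (not the patent's code): a departing server's private key km is shared among the m-1 remaining servers with a Shamir polynomial over Z_Q, with Feldman-style commitments B^a_j to the coefficients standing in for the Chor et al. verifiable scheme the page cites, so each server can reject a bad share from a dishonest dealer and any t honest shares reconstruct km. The group constants are constructed toy values (p = 2q+1 a safe prime), not secure parameters.

```python
"""Added example: (t, m-1) verifiable sharing of a departing server's key km.
Shamir sharing over Z_Q with Feldman-style commitments so a dishonest dealer's
share is detected; Lagrange reconstruction at 0 from any t shares."""
import secrets

# Constructed toy group: P = 2Q+1 is a safe prime, B generates the order-Q subgroup.
P, Q, B = 1019, 509, 4

def share_key(km, t, n):
    """Dealer splits km among n = m-1 servers; any t shares reconstruct it.
    Returns shares [(i, f(i))] and commitments [B^a_0, ..., B^a_(t-1)] mod P."""
    coeffs = [km % Q] + [secrets.randbelow(Q) for _ in range(t - 1)]
    shares = []
    for i in range(1, n + 1):
        f_i = 0
        for a in reversed(coeffs):  # Horner evaluation of f(i) mod Q
            f_i = (f_i * i + a) % Q
        shares.append((i, f_i))
    commitments = [pow(B, a, P) for a in coeffs]
    return shares, commitments

def verify_share(share, commitments):
    """A server accepts its share only if B^f(i) == prod_j C_j^(i^j) mod P."""
    i, f_i = share
    expected = 1
    for j, C in enumerate(commitments):
        expected = expected * pow(C, pow(i, j, Q), P) % P
    return pow(B, f_i, P) == expected

def reconstruct(shares):
    """Lagrange interpolation at 0 over Z_Q from t distinct verified shares."""
    secret = 0
    for i, f_i in shares:
        num, den = 1, 1
        for j, _ in shares:
            if j != i:
                num = num * (-j) % Q
                den = den * (i - j) % Q
        secret = (secret + f_i * num * pow(den, -1, Q)) % Q
    return secret
```

Once km is recovered by t of the remaining servers, the equation (7) removal step can be applied to every stored ciphertext without the departing server's cooperation.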
(00048) FIG. 4 shows a schematic representation of an exemplary computer system 100, implemented with different hardware devices, using two servers S1 and S2 as the collective authority CA, according to another aspect of the present invention. The use of only two servers S for the collective authority is only exemplary, and many more servers can be used. In the example shown, there is one data user DU that provides a query Q with grouping and aggregating attributes. Data user DU is connected via a local intranet to network N to access and communicate with the servers of collective authority CA. Also, there are three data providers DP1 to DP3 that are each connected via an intranet, mobile network, or wireless network IN1 to IN3 to a network N. Network N can be used by servers S1 and S2 to pass data among each other. Data provider DP1 is shown to be a tablet with a subscriber identity module (SIM), and data provider DP2 is shown to be a smart phone with another SIM. Moreover, data provider DP3 is connected to a local database, and is shown to be a laptop computer. Data providers DP1 to DP3, data user DU, and servers S1 to S2 are equipped with hardware processors to perform data processing, and are also equipped with local storage memory. Also, a non-transitory computer readable medium can be provided, the computer readable medium having computer instructions recorded thereon. The computer instructions can be configured to perform methods 200, 300, when executed by hardware processors of the devices of system 100. In an example, to send the data between data user DU and the collective authority CA, to send data between data providers DP1 to DP3 and the CA, and to send data between servers S1 and S2, the TCP/IP communication protocol can be used, or other network communication protocols, such as but not limited to UDP or IPX/SPX.
(00049) While the invention has been disclosed with reference to certain preferred embodiments, numerous modifications, alterations, and changes to the described embodiments, and equivalents thereof, are possible without departing from the sphere and scope of the invention. Accordingly, it is intended that the invention not be limited to the described embodiments, and be given the broadest reasonable interpretation in accordance with the language of the appended claims.

Claims

1. A method of sharing private and/or sensitive data from a plurality of data providers to a data user, the data user having a private key and a public key, the method comprising the steps of:
providing a first data set and encrypting the first data set at a terminal of a first data provider with a collective public key, providing a second data set and encrypting the second data set at a terminal of a second data provider with the collective public key, the encrypting being based on a homomorphic encryption scheme;
sending the encrypted data from the first and second data provider terminals to a server from the plurality of servers, the plurality of servers forming together a collective and decentralized authority for sharing and computing on at least one of private and sensitive data;
decentralized aggregating the encrypted data of the first and second data providers by the plurality of servers, based on the homomorphic encryption scheme, to compute a first encrypted aggregated data set;
modifying the encryption of the first encrypted aggregated data set from the encryption based on the collective public key to an encryption based on the public key of the data user, the modifying performed collectively with the plurality of servers, to generate a second encrypted aggregated data set;
sending the second encrypted aggregated data set to the data user; and decrypting the second encrypted aggregated data set at the data user terminal with the private key of the data user.
2. The method according to claim 1, further comprising the step of: collectively generating the collective public key with the plurality of servers.
3. The method according to claim 1, wherein the plurality of servers includes a first server and a second server,
wherein the first server is associated with a first portion of the collective public key, and the second server is associated with a second portion of the collective public key, the first and second portion being independent, and
wherein the step of modifying the encrypting includes:
(i) partially decrypting by the first server the first encrypted aggregated data set with the first portion of the collective public key, and partially encrypting by the first server the first encrypted aggregated data set with the public key of the data user; and
(ii) partially decrypting by the second server a result of step (i) with the second portion of the collective public key, and partially encrypting the result of step (i) by the second server with the public key of the data user to generate the second encrypted aggregated data set.
4. The method according to claim 1, further comprising the step of: deterministic encrypting of the first and second data set by the plurality of servers by passing the first and second data set through each one of the plurality of servers, before the step of decentralized aggregating.
5. The method according to claim 4, wherein the first and second data sets include grouping attributes and aggregating attributes,
wherein the deterministic encrypting includes: (i) partially decrypting the grouping attributes of the first and second data sets with a first secret associated with the first server, and multiplying a result of the partially decrypting of the first and second data sets with a first ephemeral secret, to generate partially deterministically encrypted data; and
(ii) partially decrypting the grouping attributes of the first and second data sets with a second secret associated with the second server, and multiplying a result of the partially decrypting of the first and second data sets with a second ephemeral secret, to generate deterministically encrypted data, after providing the partially deterministically encrypted data to the second server.
6. The method according to claim 1, further comprising the steps of: sending a query from the data user terminal of the data user to a server from the plurality of servers;
broadcasting the query from the server to remaining ones of the plurality of servers; and
sending the query to at least one of the first and second data provider terminals, wherein the step of providing the first and second data set is based on information of the query.
7. The method according to claim 1, further comprising the step of: establishing a cryptographic proof by each one of the plurality of servers, after the step of sending the encrypted data, the cryptographic proof guaranteeing an integrity of at least one of the step of the decentralized aggregating and the step of the modifying the encryption performed at the respective server.
8. The method according to claim 1, further comprising the step of:
cryptographic shuffling of the first and second data sets of the first and second data providers, respectively, collectively at the plurality of servers by using the collective public key.
9. The method according to claim 1, further comprising the step of: adding or removing a server to the plurality of servers that form the collective authority and updating an encryption by adding a contribution of the added or removed server to recompute the first encrypted aggregated data set based on the homomorphic encryption scheme.
10. A system for sharing private and/or sensitive data from a plurality of data providers to a data user, the data user having a private key and a public key, the system comprising:
a plurality of terminals, each terminal associated with a respective data provider; a plurality of servers, the plurality of servers forming together a collective and decentralized authority for sharing and computing on at least one of private and sensitive data; and
a data user terminal of a data user, wherein
a first terminal of a first data provider is configured to provide a first data set, to encrypt the first data set with a collective public key based on a homomorphic encryption scheme, and to send first encrypted data to a server of the plurality of servers;
a second terminal of a second data provider is configured to provide a second data set, to encrypt the second data set with the collective public key based on the homomorphic encryption scheme, and to send second encrypted data to a server of the plurality of servers;
the plurality of servers are configured to aggregate in a decentralized fashion the encrypted data of the first and second data providers based on the homomorphic encryption scheme to compute a first encrypted aggregated data set, to collectively modify the encryption of the first encrypted aggregated data set from the encryption based on the collective public key to an encryption based on the public key of the data user to generate a second encrypted aggregated data set, and to send the second encrypted aggregated data set to a terminal of the data user; and
the data user terminal is configured to decrypt the second encrypted aggregated data set with the private key of the data user.
11. The system according to claim 10, wherein the plurality of servers are further configured to collectively generate the collective public key.
12. The system according to claim 10, wherein the plurality of servers include a first server and a second server,
wherein the first server is associated with a first portion of the collective public key, and the second server is associated with a second portion of the collective public key, the first and second portion being independent, and
wherein the first server is configured to partially decrypt the first encrypted aggregated data set with the first portion of the collective public key, and partially encrypt the first encrypted aggregated data set with the public key of the data user, and
wherein the second server is configured to partially decrypt a result of the partial encryption or decryption of the first server with the second portion of the collective public key, and partially encrypt the result of the partial encryption or decryption of the first server with the public key of the data user to generate the second encrypted aggregated data set.
13. The system according to claim 10, wherein the plurality of servers are further configured to:
deterministically encrypt the first and second data set by passing the first and second data set through each one of the plurality of servers, before the aggregating in the decentralized fashion by the plurality of servers.
14. The system according to claim 13, wherein the first and second data sets include grouping attributes and aggregating attributes, wherein
for the deterministic encrypting, the first server is configured to
(i) partially decrypt the grouping attributes of the first and second data sets with a first secret associated with the first server, and multiply a result of the partial decrypting of the first and second data sets with a first ephemeral secret, to generate partially deterministically encrypted data; and
for the deterministic encrypting, the second server is configured to
(ii) partially decrypt the grouping attributes of the first and second data sets with a second secret associated with the second server, and multiply a result of the partial decrypting of the first and second data sets with a second ephemeral secret, to generate deterministically encrypted data, after the first server provides the partially deterministically encrypted data to the second server.
15. The system according to claim 10, wherein the data user terminal is further configured to: send a query to a server from the plurality of servers,
wherein the server broadcasts the query to remaining ones of the plurality of servers, and the plurality of servers then send the query to at least one of the first and second data provider terminals, and
wherein the providing the first and second data set at the first and second data provider terminals, respectively, is based on information of the query.
16. The system according to claim 10, wherein each one of the plurality of servers is configured to establish a cryptographic proof, after the sending of the encrypted data by at least one of the first and second data provider terminals, the cryptographic proof guaranteeing an integrity of at least one of the decentralized aggregating by the plurality of servers, and the modifying the encryption performed at the respective server of the plurality of servers.
17. The system according to claim 10, wherein the plurality of servers are configured to collectively cryptographic shuffle the first and second data sets of the first and second data provider terminals, respectively, by using the collective public key.
18. The system according to claim 10, wherein the plurality of servers are configured to add or remove a server to expand or reduce the collective authority and to update an encryption by adding a contribution of the added or removed server to recompute the first encrypted aggregated data set based on the homomorphic encryption scheme.
19. A system including a plurality of servers for sharing private and/or sensitive data from a plurality of data providers to a data user terminal of a data user, the data user having a private key and a public key, the plurality of servers forming together a collective and decentralized authority for sharing and computing on at least one of private and sensitive data,
a first terminal of a first data provider configured to provide a first data set, to encrypt the first data set with a collective public key based on a homomorphic encryption scheme, and to send first encrypted data to a server of the plurality of servers, and
a second terminal of a second data provider is configured to provide a second data set, to encrypt the second data set with the collective public key based on the homomorphic encryption scheme, and to send second encrypted data to a server of the plurality of servers,
wherein the plurality of servers are configured to aggregate in a decentralized fashion the encrypted data of the first and second data providers based on the homomorphic encryption scheme to compute a first encrypted aggregated data set, to collectively modify the encryption of the first encrypted aggregated data set from the encryption based on the collective public key to an encryption based on the public key of the data user to generate a second encrypted aggregated data set, and to send the second encrypted aggregated data set to the terminal of the data user, and
the data user terminal decrypts the second encrypted aggregated data set with the private key of the data user.
Application PCT/EP2016/079649, "System and method for providing a collective decentralized authority for sharing sensitive data", priority date and filing date 2016-12-02; published as WO2018099577A1 on 2018-06-07 (family ID 57590485).
Non-Patent Citations

M. Jakobsson et al., "On Quorum Controlled Asymmetric Proxy Re-encryption," in "Network and Parallel Computing", vol. 1560, Springer, 1999, pp. 112-121, DOI: 10.1007/3-540-49162-7_9.
C. A. Neff, "A verifiable secret shuffle and its application to e-voting," Proceedings of the 8th ACM Conference on Computer and Communications Security (CCS 2001), Philadelphia, PA, Nov. 5-8, 2001, ACM, pp. 116-125, DOI: 10.1145/501983.502000.
B. Chor et al., "Verifiable secret sharing and achieving simultaneity in the presence of faults," 26th Annual Symposium on Foundations of Computer Science, IEEE, 1985, pp. 383-395.
Y. Duan, J. Canny, J. Zhan, "Efficient privacy-preserving association rule mining: P4P style," Computational Intelligence and Data Mining, March 2007, pp. 654-660.
J. Camenisch, M. Stadler, "Proof systems for general statements about discrete logarithms," Technical Report No. 260, 1997, DOI: 10.3929/ethz-a-006651937.
J. W. Bos, K. Lauter, M. Naehrig, "Private predictive analysis on encrypted medical data," Journal of Biomedical Informatics, vol. 50, 2014, pp. 234-243.
M. A. Hailemichael, K. Y. Yigzaw, J. G. Bellika, "Emnet: a system for privacy-preserving statistical computing on distributed health data," Proceedings of the 13th Scandinavian Conference on Health Informatics, IEEE, 2015.
M. Maffei, G. Malavolta, M. Reinert, D. Schröder, "Privacy and access control for outsourced personal records," 2015 IEEE Symposium on Security and Privacy (SP), IEEE, 2015, pp. 341-358.
M. Zamani, M. Movahedi, J. Saia, "Millions of millionaires: Multiparty computation in large networks," IACR Cryptology ePrint Archive, vol. 2014, 2014, p. 149.
S. M. Khan, K. W. Hamlen, "Penny: Secure, decentralized data management," International Journal of Network Security, vol. 16, no. 5, 2014, pp. 340-354.
T. ElGamal, "A Public-Key Cryptosystem and a Signature Scheme Based on Discrete Logarithms," IEEE Transactions on Information Theory, vol. 31, no. 4, 1985, pp. 469-472.

Cited By (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN110213219A (en) * 2018-12-06 2019-09-06 上海腾桥信息技术有限公司 A kind of data safety shared system and method
US20220014367A1 (en) * 2018-12-13 2022-01-13 Login Id Inc. Decentralized computing systems and methods for performing actions using stored private data
US20210385086A1 (en) * 2019-04-29 2021-12-09 Google Llc Systems and methods for distributed verification of online identity
CN114221749A (en) * 2021-12-13 2022-03-22 成都天府通金融服务股份有限公司 Multi-type server-based key unified management method and system and electronic equipment
CN114218322A (en) * 2021-12-13 2022-03-22 深圳市电子商务安全证书管理有限公司 Data display method, device, equipment and medium based on ciphertext transmission
CN117411652A (en) * 2022-07-08 2024-01-16 抖音视界有限公司 Data processing method, electronic device and computer readable storage medium
CN115801453A (en) * 2023-01-30 2023-03-14 北京大数元科技发展有限公司 System for security query of sensitive data internet
CN115801453B (en) * 2023-01-30 2023-05-02 北京大数元科技发展有限公司 System for sensitive data internet security inquiry


Legal Events

Date Code Title Description

121 Ep: the epo has been informed by wipo that ep was designated in this application
  Ref document number: 16816221
  Country of ref document: EP
  Kind code of ref document: A1

NENP Non-entry into the national phase
  Ref country code: DE

122 Ep: pct application non-entry in european phase
  Ref document number: 16816221
  Country of ref document: EP
  Kind code of ref document: A1