WO2018099577A1 - System and method for providing a decentralized collective authority for sharing sensitive data - Google Patents

System and method for providing a decentralized collective authority for sharing sensitive data

Info

Publication number
WO2018099577A1
Authority
WO
WIPO (PCT)
Prior art keywords
data
server
servers
encrypted
public key
Prior art date
Application number
PCT/EP2016/079649
Other languages
English (en)
Inventor
Bryan Ford
Jean-Pierre Hubaux
Patricia EGGER
Jean-Louis Raisaro
Zhicong HUANG
Original Assignee
Ecole Polytechnique Federale De Lausanne (Epfl)

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/008 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols involving homomorphic encryption
    • H04L2209/00 Additional information or applications relating to cryptographic mechanisms or cryptographic arrangements for secret or secure communication H04L9/00
    • H04L2209/46 Secure multiparty computation, e.g. millionaire problem
    • H04L2209/76 Proxy, i.e. using intermediary entity to perform cryptographic operations

Definitions

  • The present invention relates to the field of cryptography, more particularly to the field of decentralized and collective cryptography for privacy-conscious data sharing.
  • Duan et al. provide a practical framework for privacy-preserving data mining.
  • A method of sharing private and/or sensitive data from a plurality of data providers with a data user includes the steps of providing a first data set and encrypting the first data set at a terminal of a first data provider with a collective public key, providing a second data set and encrypting the second data set at a terminal of a second data provider with the collective public key, the encrypting being based on a homomorphic encryption scheme, sending the encrypted data from the first and second data provider terminals to a server from a plurality of servers, the plurality of servers forming together a collective and decentralized authority for sharing and computing on at least one of private and sensitive data, and decentralized aggregating the encrypted data of the first and second data providers by the plurality of servers, based on the homomorphic encryption scheme, to compute a first encrypted aggregated data set.
  • The method further preferably includes the steps of modifying the encryption of the first encrypted aggregated data set from the encryption based on the collective public key to an encryption based on the public key of the data user, the modifying performed collectively with the plurality of servers, to generate a second encrypted aggregated data set; sending the second encrypted aggregated data set to the data user; and decrypting the second encrypted aggregated data set at the data user terminal with the private key of the data user.
  • A system for sharing private and/or sensitive data from a plurality of data providers with a data user is provided, the data user having a private key and a public key.
  • The system includes a plurality of terminals, each terminal associated with a respective data provider, a plurality of servers, the plurality of servers forming together a collective and decentralized authority for sharing and computing on at least one of private and sensitive data, and a data user terminal of a data user.
  • A first terminal of a first data provider is configured to provide a first data set, to encrypt the first data set with a collective public key based on a homomorphic encryption scheme, and to send first encrypted data to a server of the plurality of servers.
  • A second terminal of a second data provider is configured to provide a second data set, to encrypt the second data set with the collective public key based on the homomorphic encryption scheme, and to send second encrypted data to a server of the plurality of servers.
  • The plurality of servers are configured to group and/or aggregate in a decentralized fashion the encrypted data of the first and second data providers based on the homomorphic encryption scheme, to compute a first encrypted aggregated data set, to collectively modify the encryption of the first encrypted aggregated data set from the encryption based on the collective public key to an encryption based on the public key of the data user, to generate a second encrypted aggregated data set, and to send the second encrypted aggregated data set to a terminal of the data user, and the data user terminal is configured to decrypt the second encrypted aggregated data set with the private key of the data user.
  • A system including a plurality of servers for sharing private and/or sensitive data from a plurality of data providers with a data user terminal of a data user is provided, the data user having a private key and a public key, the plurality of servers forming together a collective and decentralized authority for sharing and computing on at least one of private and sensitive data.
  • A first terminal of a first data provider is configured to provide a first data set, to encrypt the first data set with a collective public key based on a homomorphic encryption scheme, and to send first encrypted data to a server of the plurality of servers.
  • A second terminal of a second data provider is configured to provide a second data set, to encrypt the second data set with the collective public key based on the homomorphic encryption scheme, and to send second encrypted data to a server of the plurality of servers.
  • The plurality of servers are configured to group and/or aggregate in a decentralized fashion the encrypted data of the first and second data providers based on the homomorphic encryption scheme to compute a first encrypted aggregated data set, to collectively modify the encryption of the first encrypted aggregated data set from the encryption based on the collective public key to an encryption based on the public key of the data user to generate a second encrypted aggregated data set, and to send the second encrypted aggregated data set to the terminal of the data user, and the data user terminal decrypts the second encrypted aggregated data set with the private key of the data user.
  • FIG. 1 shows a schematic representation of an exemplary system 100 that provides a collective and decentralized authority CA, according to one aspect of the present invention;
  • FIG. 2 shows a flow chart illustrating the different elements of a method 200 described below that can be performed on system 100;
  • FIG. 3 shows a schematic representation of method 300 when the data providers receive a query from a data user; and
  • FIG. 4 shows a schematic representation of an exemplary computer system, using two servers as the collective authority, according to another aspect of the present invention.
  • A system 100 is provided for sharing private and/or sensitive data from a plurality of data providers DP1 to DPn, for example but not limited to a first and second data provider DP1, DP2, with one or more data users DU1 to DUk which will ultimately receive data from the data providers DP, for example one data user DU1. A corresponding method is also provided.
  • Data user DU1 has a private key and a public key for data decryption and encryption, respectively.
  • System 100 includes a plurality of terminals, each terminal associated with a respective data provider DP1 to DPn, a plurality of servers S1 to Sm, the plurality of servers forming together a collective and decentralized authority CA for sharing and computing on at least one of private and sensitive data, and a data user terminal of a data user DU1.
  • The collective authority is associated with a collective public key K, which is defined as a cryptographic public key made from the aggregation of the public keys of all the servers S1 to Sm that form the collective authority CA.
  • If Ki denotes the public key of server Si and additive notation is used, the collective public key K used for encryption is K = K1 + ... + Km, where m is the number of servers in the collective authority CA.
  • A data provider DP is defined to be one or more entities that provide data to the system 100 for privacy-conscious data sharing, in other words, entities that are willing to share their data.
  • A data provider DP can also hold, store, or otherwise have access to the data of several entities.
  • Data providers DP can include terminals, computers, workstations, mobile phones, smart phones, tablets, databases, or any other electronic communication and data processing device that is operated by data providers DP.
  • Data providers DP can be, for example but not limited to, prospective or actual patients, people with medical insurance, hospitals, research institutions, doctors and nurses.
  • Data providers DP can be tax payers or tax paying entities, such as corporations that are willing to share data with a data user DU.
  • A data user DU is defined as an entity that wants to use the data provided by the data providers DP.
  • Data user DU is the one that can provide all data providers with a query indicating what research will be undertaken by the collective authority CA on data that will be provided by data providers DP1 to DPn.
  • Data user DU is also the entity that will receive the encrypted output of the computation made by collective authority CA, which includes the plurality of servers S1 to Sm, and is the only entity that will be able to decrypt it.
  • The data user DU could be a medical or pharmaceutical researcher.
  • In the tax application field it could be a tax authority.
  • A server S is defined as an entity taking part in the decentralized collective authority CA, which includes a plurality of servers S1 to Sm. Its role in system 100 is to contribute to the distributed and secure computations on encrypted data.
  • A server S could be located at a hospital, research institution, university, etc. It can also be a set of cloud servers that are under the control of neither a data provider DP nor a data user DU.
  • Decentralized aggregating is defined as a method step or an action within system 100 of aggregating encrypted data among the decentralized collective authority CA that can be formed by the plurality of servers S1 to Sm, as further explained below.
  • Grouping attributes are defined as categorical attributes belonging to data providers or the entities whose data is held by a data provider. Data providers can be grouped together according to these attributes. In the medical application field, examples of grouping attributes can be gender, age category, ethnicity, etc. In the tax application field, grouping attributes can be different categorical entries of a tax form. Aggregating attributes are defined as numerical attributes belonging to data providers DP or the entities whose data is held, stored, or otherwise made available by a data provider DP. These attributes will be aggregated, for example according to the grouping attributes, if these exist. In the medical application field, aggregating attributes can take binary values indicating the presence or absence of a disease, treatments or specific genomic variations.
  • Sensitive and/or private data or information m1 to mn is associated with data providers DP1 to DPn, respectively, each of which can be located in multiple databases, memory devices, or terminals that may be held in different geographical locations.
  • Computations can be made by multiple servers, for example but not limited to generic computing devices referred to as servers, shown as servers S1 to Sm.
  • These servers S1 to Sm form the collective and decentralized authority CA and allow the trust that any entity must have in system 100 to be split amongst all of the servers S1 to Sm. This means that a data user DU1 to DUk does not need to trust any given server S1 to Sm, as it only needs to trust that there exists at least one honest or semi-honest server.
  • A data user, for example DU1, can send a query Q1 to any one of the servers S1 to Sm.
  • The server that receives query Q1 will broadcast query Q1 to all the other servers of the plurality of servers in the collective authority CA.
  • The plurality of servers S1 to Sm will send the query Q1 to a subset of the data providers DP1 to DPn in such a way that all data providers DP1 to DPn receive the query.
  • All data providers DP1 to DPn that participate in the query should have received the query Q1.
  • Each data provider DP1 to DPn will then find, enter, or otherwise make available its data relevant to the query Q1, encrypt the data under the collective public key K of collective authority CA as explained further below, and send the encrypted data back to exactly one of the servers from the plurality of servers S1 to Sm.
  • The servers S1 to Sm will then compute on the encrypted data they have received from the data providers DP1 to DPn. Once each server S1 to Sm of collective authority CA has done this computation, all servers S1 to Sm will aggregate their results, still using encrypted data. Once all the data has been aggregated, a result to the query exists in encrypted form, as the first encrypted aggregated data.
  • The first encrypted aggregated data, as an aggregated result, must be transformed into a ciphertext that can be decrypted by the data user DU1, i.e., it must be encrypted under the public key of the data user DU1. This is referred to as key switching, or as a modification of the encryption.
  • The new ciphertext, for example a query result encrypted under the public key of the data user DU1, the second encrypted aggregated data, is sent to the data user DU1, who can decrypt the second encrypted aggregated data using its private key.
  • System 100 is configured to preserve confidentiality of the data coming from the n data providers DP: the data is always in encrypted form and cannot be decrypted unless every single one of the servers S1 to Sm decides to collude and decrypt.
  • Semi-honest signifies that the server will follow the method, but may also perform other types of computations to gather information based on the data.
  • System 100 is configured to guarantee integrity of the computations on the encrypted data; more precisely, the computations on the encrypted data can be verified without revealing anything about the underlying data.
  • System 100 and the corresponding method can be used for many different application fields, in the context of secure sharing of at least one of private and sensitive data from a plurality of data providers DP.
  • One application field is that of a medical data query.
  • A health care provider, research institution, university or pharmaceutical company as a data user DU would like to perform a survey and obtain separate answers for patients in different groups, the individual patients and/or hospitals being the data providers DP.
  • A survey can be made including grouping and aggregating attributes.
  • The grouping attributes can characterize each data provider or entity represented by a data provider, e.g., by demographics. They are categorical variables that can take multiple values.
  • The aggregating attributes are the survey questions, the answers to which can be binary values.
  • The grouping attributes might be age and gender, where age can take values 1 through 5, corresponding to [0-20], [21-40], [41-60], [61-80], [81 and above], and gender can take values 1 or 2, corresponding to male and female, respectively.
  • A female in the 61-80 age category's grouping attributes would be 2 (2nd gender group) and 4 (4th age group). If there are 2 questions in the survey, each of which can take answers yes (1) or no (0), and this participant's answers are "yes" and "yes", her aggregating attributes would be 1 and 1.
  • Her survey response would therefore be (2, 4, 1, 1).
  • System 100 can be used for secure national or international census and polling.
  • The grouping attributes could be demographic descriptions of each person/household such as age category, education, religion or income.
  • Aggregating attributes can be the number of people living in each household, the number of rooms in the household or other attributes taking binary or other numerical values, for example yes or no questions.
  • The aggregating attributes can also be presented as multiple-choice questions.
  • System 100 allows a private version of the traditional Word Count example of the MapReduce model.
  • The grouping attributes are the words that are to be counted. As they are encrypted they will remain confidential.
  • The aggregating attributes are the number of such words, i.e., the counts. These too remain confidential until the data user decrypts the second encrypted aggregated data set, i.e., once the data users DU have received and decrypted the data for a respective query Q.
  • The "Map" phase of MapReduce is the Distributed Deterministic Hashing and the "Reduce" phase is the Private Aggregation.
  • A set of m servers S1, ..., Sm and n data providers DP1, ..., DPn are provided. Together, servers S1, ..., Sm form a collective authority CA. The goal is to enable sensitive data sharing while preserving the privacy of the n data providers DP1, ..., DPn.
  • A respective data user DU will create a query Q and send it to all data providers DP that are participating in the query, via the collective authority CA.
  • The query Q can either be in clear or encrypted under each public key of the data providers DP. It is assumed that the public keys of the data providers are known to the data users or can be obtained through standard Public Key Infrastructure (PKI). If the query is encrypted, the data providers DP will decrypt it using their private keys. Data providers DP will send their data responses, encrypted under the collective public key, to one of the servers.
  • The encryption scheme that uses the collective public key K has homomorphic properties.
  • Enc(a·m1 + b·m2) = a·Enc(m1) + b·Enc(m2), where the function Enc() is a homomorphic encryption function.
  • The method is explained with reference to the ElGamal encryption scheme on elliptic curves as one such example of a homomorphic encryption scheme. See Taher Elgamal, "A Public-Key Cryptosystem and a Signature Scheme Based on Discrete Logarithms," IEEE Transactions on Information Theory, Vol. 31 (4), pp. 469-472, 1985, this publication being herewith incorporated by reference.
  • A data provider DP communicates only with the servers S1, ..., Sm of collective authority CA, and does not directly communicate with other data providers DP, thus preserving its anonymity with respect to any one of the other data providers.
  • The method includes the step ST1 of encryption under the collective public key K, the step ST2 of local aggregation, the step ST3 of shuffling, the step ST4 of distributed deterministic hashing, a step ST5 of private aggregation, a step ST6 of key switching, and a step ST7 of decryption using the private key of a data user, these method steps being performed by system 100.
  • Steps ST2 to ST4 are optional steps, and are therefore indicated in dotted lines in FIG. 2.
  • The servers Si have chosen public cryptographic parameters: for illustrative purposes, an additive and commutative group G and a generator of that group, e.g., an elliptic curve with a base point B. More precisely, each server Si knows the group G and the base point B, and these are the same for each server.
  • The first step of method 200 is the encryption of the data under the collective public key K, at step ST1.
  • K can be computed by any distributed key generation algorithm. Generically, it is assumed that data provider DPj, hereinafter referred to as data provider j, is willing to share some information or data mj.
  • This ciphertext tuple is then sent to one of the servers S of the collective authority CA.
  • The first transformation consists of switching the encryption of a message from one using the collective key K to one using a public key U. This is used in the Key Switching step ST6.
  • The public keys of the data providers DP, servers S, and data user DU are assumed to be known and can be used for this purpose, but it is also possible to use standard PKI.
  • The second transformation, used in step ST4, consists in switching from, for example, the probabilistic ElGamal encryption scheme to a deterministic encryption scheme. These transformations are described below as a non-limiting example, using the additive ElGamal over elliptic curve notation.
  • Step ST6 of method 200, also referred to as the step of modifying the encryption in the method, is performed as follows.
  • Each server i will generate a fresh random nonce for data provider j, which we denote v_{i,j}, and, in a collective and sequential manner, modify the ciphertext tuple as described below.
  • Each server will partially and sequentially modify the ciphertext as follows and then send its modified ciphertext to the next server in the CA.
  • The respective server i stores the ephemeral key and computes (C_{1,i}, C_{2,i}) using
  • The method 200 can include a step of shuffling ST3.
  • This step is optional, and an exemplary shuffling protocol that can be used in this step is described by C. Andrew Neff, "A verifiable secret shuffle and its application to e-voting," in Proceedings of the 8th ACM Conference on Computer and Communications Security, ACM, 2001, pp. 116-125, this reference being herewith incorporated by reference.
  • Step ST3 can take as input a number of sequences of ElGamal ciphertext pairs, corresponding to a number of sequences of encrypted messages, and produces a shuffled number of sequences of ElGamal pairs.
  • The output sequence corresponds to the same sequence of encrypted messages, in a different order and re-randomized, i.e., with different randomization terms. The difference between the input and output is indistinguishable from randomness.
  • Method 200 can perform a step ST4 of distributed deterministic hashing.
  • This step is also optional, and can be considered another type of encryption in a broad sense.
  • Each server i will generate a short-term secret s_i.
  • s_i will be the same for each data provider j for a given short time period.
  • The reason for moving from a probabilistic encryption scheme to a deterministic encryption scheme is to enable the comparison of ciphertexts. In fact, with deterministic encryption, the same plaintext will be mapped to the same ciphertext.
  • The collective short-term secret is denoted by s = s_1 · ... · s_m.
  • Each server will partially and sequentially modify the ciphertext as follows.
  • C_{1,i} = C_{1,i-1} · s_i (4)
  • Step ST2 is an optional step of method 200 that consists in homomorphically summing all ciphertexts held by each data provider, when possible. Thus a data provider will send only one, potentially aggregate, response to the collective authority CA.
  • Step ST5, or Private Aggregation, consists in the collective authority
  • Step ST7 of method 200 consists in the data user decrypting the query result for each group, in other words decrypting the second encrypted aggregated data set.
  • (rB, m + rU) is an ElGamal pair.
  • U is the public key of the data user.
  • The proofs can be used to guarantee that each server did the Distributed Deterministic Hashing protocol of step ST4 correctly.
  • Server i used the correct k_i to remove its ElGamal contribution, when relevant, and similarly server i used the same s_i for each data provider j for a given query Q.
  • A step is performed by method 200 that allows certain entities, for example a supervisory authority, to verify the correctness of the proofs of any server.
  • Such a step could provide a message or notification, for example in the form of a web page, bulletin board or email message, that includes all of the ciphertexts and the corresponding proofs.
  • In step SM1 the data user DU sends its query Q, including the grouping and aggregating attributes, to any one of the servers S in the collective authority CA.
  • This server broadcasts this information in a step SM2 to all the other servers.
  • The servers can send the information to the data providers in a step SM3.
  • The data providers gather the data relative to the query Q, also referred to as a data set (for two data providers, the first and second data set), in a step SM4.
  • Data providers can enter the data set with respect to query Q, or that data set can be automatically gathered from a data storage device of the data providers.
  • The encryption is performed as explained with respect to method 200, which is schematically shown in FIG. 2.
  • The data providers DP encrypt their information using the collective key K of collective authority CA in step ST1.
  • The ElGamal encryption will be the tuple (rB, A + rK), where B is a public base point and r is a fresh random number chosen by data provider X. If a data provider has several encrypted entries, it can aggregate them before proceeding to the next steps, as shown with step ST2 of method 200. This aggregation is optional and is referred to as Local Aggregation. It utilizes the homomorphic properties of the encryption scheme. Thereafter, each data provider will send its information back to the collective authority.
  • The collective authority CA will use the cryptographic shuffle in order to break the link between the data providers and their data, with the optional step ST3. Moreover, if the grouping attributes are encrypted, the probabilistic encryption of the grouping attributes will be collectively transformed into deterministic encryptions as described previously in the Distributed Deterministic Hashing protocol, with the step ST4. Once this is done, each data provider will have a deterministic encryption of its grouping attributes.
  • The servers of the collective authority CA can produce cryptographic zero-knowledge proofs of correctness that ensure that they have computed correctly.
  • Each server can now group the data of the data providers based on these deterministically encrypted grouping attributes, if they were initially encrypted, or based on the clear text grouping attributes if not.
  • The servers will aggregate the encrypted aggregating attributes using the homomorphic properties of the cryptosystem in step ST4.
  • Each server will send its aggregated aggregating attributes and corresponding grouping attributes to the next server in the collective authority CA, to generate the first encrypted aggregated data set in step ST5. It can be assumed, for this step, that the servers are organized in a loop or circuit, and the attributes can be passed around from server to server of the collective authority. This happens until the end of the loop.
  • The last server in the loop has deterministically encrypted groups, along with the corresponding aggregated information relative to the query (per group).
  • The probabilistic encryption of the aggregating and grouping attributes will go through the collective key switching protocol in step ST6 in order to be transformed into a probabilistic encryption of the same results under the public key of the data user.
  • This step transforms the first encrypted aggregated data set into a second encrypted aggregated data set.
  • The data user can decrypt the grouping attributes and the corresponding aggregated aggregating attributes in order to obtain the result of its query for each group.
  • Another aspect of the method is the removal or addition of one or more servers S to the collective authority CA, to enable a dynamic collective authority CA.
  • Adding or removing a server S from collective authority CA may be desired.
  • Adding more servers to CA strengthens the privacy guarantees.
  • Removing a cheating server from the collective authority CA can preserve the privacy guarantees.
  • Any data provider DP that stored data encrypted using the previous collective key K_prev must perform some steps of a protocol to have its data encrypted under the new collective key K_new.
  • Data encryption under the new collective key K_new is necessary for the system to work with the new collective authority CA resulting from the addition/removal of the server.
  • K_prev = K1 + ...
  • K_new = K1 + ... + K_{m-1}.
  • The server Sm is added to / removed from the collective authority CA.
  • The encryption of data of the data providers DP under the previous key K_prev must be updated to account for the new collective key K_new.
  • (C1, C2) = (rB, m + rK_prev)
  • Its encryption is updated by adding/removing the contribution of the server Sm to the encryption.
  • The added/removed server Sm multiplies C1 by its private key k_m and adds/removes the result to/from C2.
  • A potentially dishonest dealer can share the secret of server Sm, say k_m, among the m - 1 remaining servers in such a way that any t honest servers can reconstruct k_m but any subset of t - 1 servers learns nothing about k_m.
  • The security of the scheme is then guaranteed as long as t of the m servers are honest, instead of 1 in an anytrust model.
  • This secret sharing must be done for all servers when they join the collective authority CA. In this way, when server Sm is being removed from the collective authority CA, the corresponding private key can be reconstructed and the computations shown above can be done by the remaining servers S1, ..., S_{m-1} of the collective authority CA.
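The pipeline described above (encryption under K = K1 + ... + Km, homomorphic aggregation, distributed deterministic hashing in step ST4, key switching in step ST6) together with the ciphertext update for a server joining or leaving the collective authority, carried through end to end as an added example; this is not the patent's or the inventors' code. It assumes a toy prime-order subgroup of the integers modulo 1019 in place of the elliptic curve, and all keys and survey responses are constructed.

```python
"""Added example (not the patent's or the inventors' code) of the pipeline
described above: encryption under the collective key K = K1 + ... + Km,
homomorphic aggregation, distributed deterministic hashing of grouping
attributes (step ST4), key switching to the data user's key U (step ST6), and
re-encryption when a server joins or leaves the collective authority.

The group is the order-Q subgroup of Z_P^*, written in the page's additive
notation: "rB" is pow(B, r, P) and "X + Y" is X*Y mod P.  P = 1019, Q = 509
and every key below are constructed toy values with no real security."""
import secrets

P, Q, B = 1019, 509, 4   # 1019 = 2*509 + 1; B = 4 generates the order-509 subgroup

def add(X, Y): return X * Y % P             # group "addition"
def mul(k, X): return pow(X, k % Q, P)      # scalar multiplication k*X
def neg(X): return pow(X, P - 2, P)         # additive inverse -X
def rand_scalar(): return secrets.randbelow(Q - 1) + 1

def encrypt(m, K):
    """Additive ElGamal under public key K: (rB, mB + rK)."""
    r = rand_scalar()
    return (mul(r, B), add(mul(m, B), mul(r, K)))

def decrypt(ct, u, max_m=Q):
    """mB = C2 - u*C1, then brute-force the small discrete log (fine for counts)."""
    C1, C2 = ct
    mB, acc = add(C2, neg(mul(u, C1))), 1   # 1 is the identity 0*B
    for m in range(max_m):
        if acc == mB:
            return m
        acc = add(acc, B)
    raise ValueError("plaintext out of range")

def ct_add(a, b):
    """Homomorphic property: Enc(m1) + Enc(m2) = Enc(m1 + m2)."""
    return (add(a[0], b[0]), add(a[1], b[1]))

def key_switch(ct, server_keys, U):
    """Step ST6: server i removes its share k_i of K and adds a fresh nonce v_i
    under U; the result (vB, mB + vU), v = sum(v_i), decrypts with u only."""
    C1, C2 = ct
    newC1, newC2 = 1, C2
    for k_i in server_keys:
        v_i = rand_scalar()
        newC1 = add(newC1, mul(v_i, B))
        newC2 = add(add(newC2, neg(mul(k_i, C1))), mul(v_i, U))
    return (newC1, newC2)

def deterministic_hash(ct, server_keys, short_term_secrets):
    """Step ST4 (equation (4)): each server strips its key share and scales by
    its short-term secret s_i.  The output s*(mB), s = s_1*...*s_m, is equal
    for equal plaintexts, so ciphertexts can be grouped without decryption."""
    C1, C2 = ct
    for k_i, s_i in zip(server_keys, short_term_secrets):
        C2 = mul(s_i, add(C2, neg(mul(k_i, C1))))
        C1 = mul(s_i, C1)
    return C2

def rekey_for_server_change(ct, k_m, added):
    """Dynamic CA: (rB, mB + rK_prev) becomes (rB, mB + rK_new) by adding the
    joining server's k_m*C1 to C2, or subtracting it for a leaving server."""
    C1, C2 = ct
    share = mul(k_m, C1)
    return (C1, add(C2, share) if added else add(C2, neg(share)))

def run_query(responses, m_servers=3):
    """responses: per data provider, (grouping attributes, aggregating
    attributes), e.g. ((2, 4), (1, 1)) as in the survey example above.
    Returns {group: summed answers} exactly as the data user decrypts it."""
    server_keys = [rand_scalar() for _ in range(m_servers)]
    K = 1
    for k_i in server_keys:              # K = K1 + ... + Km
        K = add(K, mul(k_i, B))
    u = rand_scalar()                    # data user's private key
    U = mul(u, B)                        # data user's public key
    s = [rand_scalar() for _ in range(m_servers)]   # short-term secrets
    groups = {}                          # tag -> (enc grouping, enc sums)
    for grp, agg in responses:           # step ST1 at each data provider
        enc_grp = [encrypt(g, K) for g in grp]
        enc_agg = [encrypt(a, K) for a in agg]
        tag = tuple(deterministic_hash(c, server_keys, s) for c in enc_grp)
        if tag in groups:                # step ST5: sum within the group
            kept, sums = groups[tag]
            groups[tag] = (kept, [ct_add(x, y) for x, y in zip(sums, enc_agg)])
        else:
            groups[tag] = (enc_grp, enc_agg)
    result = {}
    for enc_grp, sums in groups.values():          # steps ST6 and ST7
        dec = lambda c: decrypt(key_switch(c, server_keys, U), u)
        result[tuple(map(dec, enc_grp))] = tuple(map(dec, sums))
    return result

if __name__ == "__main__":
    # constructed survey responses: ((gender, age group), (answer 1, answer 2))
    print(run_query([((2, 4), (1, 1)), ((2, 4), (0, 1)), ((1, 3), (1, 0))]))
```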
  • FIG. 4 shows a schematic representation of an exemplary computer system 100, implemented with different hardware devices, using two servers S1 and S2 as the collective authority CA, according to another aspect of the present invention.
  • The use of only two servers S for the collective authority is only exemplary, and many more servers can be used.
  • Data user DU is connected via a local intranet to network N to access and communicate with the servers of collective authority CA.
  • There are three data providers DP1 to DP3 that are each connected via an intranet, mobile network, or wireless network IN1 to IN3 to a network N.
  • Network N can be used by servers S1 and S2 to pass data among each other.
  • Data provider DP1 is shown to be a tablet with a subscriber identity module (SIM), and data provider DP2 is shown to be a smart phone with another SIM. Moreover, data provider DP3 is connected to a local database, and is shown to be a laptop computer. Data providers DP1 to DP3, data user DU, and servers S1 to S2 are equipped with hardware processors to perform data processing, and are also equipped with local storage memory. Also, a non-transitory computer readable medium can be provided, the computer readable medium having computer instructions recorded thereon. The computer instructions can be configured to perform methods 200, 300, when executed by hardware processors of the devices of system 100.

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Storage Device Security (AREA)

Abstract

The invention relates to a method for sharing private and/or sensitive data between a plurality of data providers and a data user, the data user having a private key and a public key, the method comprising the steps of providing a first data set and encrypting the first data set at a terminal of a first data provider with a collective public key, providing a second data set and encrypting the second data set at a terminal of a second data provider with the collective public key, sending the encrypted data to a server among the plurality of servers, the plurality of servers together forming a collective and decentralized authority, aggregating in a decentralized manner the encrypted data of the first and second data providers by the plurality of servers, according to a homomorphic encryption scheme, to compute a first set of encrypted aggregated data, and changing the encryption of the first set of encrypted aggregated data from encryption based on the collective public key to encryption based on the data user's public key to produce a second set of encrypted aggregated data.
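The pipeline the abstract describes (encrypt under the collective public key, aggregate homomorphically, then switch the aggregate from the collective key to the data user's key) as an added Python example; this is illustrative code, not the patent's own implementation. It uses exponential ElGamal in a constructed toy group (p = 2039) so that ciphertexts add, and a key-switching step in which every server removes its share of the collective key and adds a fresh encryption under the user's key; the function names and parameters are assumptions for this example.

```python
"""Collective-key encryption, homomorphic aggregation and key switching to a
data user's key. Added example with a constructed toy group; not the patent's code."""
import secrets

P, Q, G = 2039, 1019, 4  # toy safe prime P = 2Q + 1; G generates the order-Q subgroup


def inv(a):
    return pow(a, -1, P)


def keygen(randbelow=secrets.randbelow):
    """Private key in [1, Q-1] and public key g^k for one server or the data user."""
    k = randbelow(Q - 1) + 1
    return k, pow(G, k, P)


def collective_public_key(server_pks):
    """The collective key is the product of the servers' public keys, g^{sum k_i};
    no single server ever holds the matching private key."""
    h = 1
    for pk in server_pks:
        h = h * pk % P
    return h


def encrypt(value, pk, randbelow=secrets.randbelow):
    """Exponential ElGamal: the value is encoded as g^value so ciphertexts add."""
    r = randbelow(Q - 1) + 1
    return pow(G, r, P), pow(G, value, P) * pow(pk, r, P) % P


def aggregate(ciphertexts):
    """Component-wise product of ciphertexts = encryption of the sum of the values."""
    c1, c2 = 1, 1
    for a, b in ciphertexts:
        c1, c2 = c1 * a % P, c2 * b % P
    return c1, c2


def key_switch_share(ct, server_sk, user_pk, randbelow=secrets.randbelow):
    """One server's contribution: strip its share c1^{k_i} of the collective key
    and add a fresh randomised encryption of zero under the user's key."""
    c1, _ = ct
    r = randbelow(Q - 1) + 1
    return pow(G, r, P), inv(pow(c1, server_sk, P)) * pow(user_pk, r, P) % P


def key_switch(ct, server_sks, user_pk):
    """Combine all servers' contributions into a ciphertext under user_pk."""
    new_c1, new_c2 = 1, ct[1]
    for sk in server_sks:
        a, b = key_switch_share(ct, sk, user_pk)
        new_c1, new_c2 = new_c1 * a % P, new_c2 * b % P
    return new_c1, new_c2


def decrypt(ct, sk, max_value=Q - 1):
    """Decrypt to g^value, then recover the small integer value by trial exponent."""
    c1, c2 = ct
    target = c2 * inv(pow(c1, sk, P)) % P
    acc = 1
    for v in range(max_value + 1):
        if acc == target:
            return v
        acc = acc * G % P
    raise ValueError("aggregate outside the decodable range")


def demo(values=(12, 30, 5), n_servers=3):
    """Providers encrypt under the collective key, servers aggregate and switch
    the result to the data user's key, and only the user decrypts the sum."""
    server_keys = [keygen() for _ in range(n_servers)]
    H = collective_public_key([pk for _, pk in server_keys])
    cts = [encrypt(v, H) for v in values]      # constructed provider inputs
    agg = aggregate(cts)
    user_sk, user_pk = keygen()
    switched = key_switch(agg, [sk for sk, _ in server_keys], user_pk)
    return decrypt(switched, user_sk)
```

Note that the servers never see a plaintext: each contribution in `key_switch_share` cancels only that server's own key share, so all of them must cooperate before the user can decrypt, which is the anytrust property the description relies on. A deployment would use a standard elliptic-curve group and attach zero-knowledge proofs of correct partial computation, which this toy omits.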

Priority Applications (1)

Application Number Priority Date Filing Date Title
PCT/EP2016/079649 WO2018099577A1 (fr) 2016-12-02 2016-12-02 System and method for providing decentralized collective authority for sharing sensitive data

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
PCT/EP2016/079649 WO2018099577A1 (fr) 2016-12-02 2016-12-02 System and method for providing decentralized collective authority for sharing sensitive data

Publications (1)

Publication Number Publication Date
WO2018099577A1 true WO2018099577A1 (fr) 2018-06-07

Family

ID=57590485

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/EP2016/079649 WO2018099577A1 (fr) 2016-12-02 2016-12-02 System and method for providing decentralized collective authority for sharing sensitive data

Country Status (1)

Country Link
WO (1) WO2018099577A1 (fr)

Citations (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US6701435B1 (en) * 1998-08-20 2004-03-02 International Business Machines Corporation Cryptographic key generation system

Non-Patent Citations (13)

* Cited by examiner, † Cited by third party
Title
"Network and Parallel Computing", vol. 1560, 1 January 1999, SPRINGER INTERNATIONAL PUBLISHING, Cham, ISBN: 978-3-540-76785-5, ISSN: 0302-9743, article MARKUS JAKOBSSON ET AL: "On Quorum Controlled Asymmetric Proxy Re-encryption", pages: 112 - 121, XP055392380, 032548, DOI: 10.1007/3-540-49162-7_9 *
ANDREW NEFF C ED - SAMARATI P (ED): "A verifiable secret shuffle and its application to e-voting", PROCEEDINGS OF THE 8TH. ACM CONFERENCE ON COMPUTER AND COMMUNICATIONS SECURITY. (CCS-8). PHILADELPHIA, PA, NOV. 5 - 8, 2001; [ACM CONFERENCE ON COMPUTER AND COMMUNICATIONS SECURITY], NEW YORK, NY : ACM, US, 5 November 2001 (2001-11-05), pages 116 - 125, XP058294630, ISBN: 978-1-58113-385-1, DOI: 10.1145/501983.502000 *
ANDREW NEFF; C. A. NEFF: "Proceedings of the 8th ACM conference on Computer and Communications Security", 2001, ACM, article "A verifiable secret shuffle and its application to e-voting", pages: 116 - 125
BENNY CHOR ET AL.: "26th Annual Symposium on Foundations of Computer Science", 1985, IEEE, article "Verifiable secret sharing and achieving simultaneity in the presence of faults", pages: 383 - 395
DUAN Y; CANNY J.; ZHAN J.: "Efficient privacy-preserving association rule mining: P4P style", COMPUTATIONAL INTELLIGENCE AND DATA MINING, 1 March 2007 (2007-03-01), pages 654 - 660
J. CAMENISCH; M. STADLER: "Proof systems for general statements about discrete logarithms", TECHNICAL REPORT, 1997
J. W. BOS; K. LAUTER; M. NAEHRIG: "Private predictive analysis on encrypted medical data", JOURNAL OF BIOMEDICAL INFORMATICS, vol. 50, 2014, pages 234 - 243
JAN CAMENISCH ET AL: "Proof systems for general statements about discrete logarithms", 1 January 1997 (1997-01-01), XP055148493, Retrieved from the Internet <URL:http://dx.doi.org/10.3929/ethz-a-006651937> DOI: 10.3929/ethz-a-006651937 *
M. A. HAILEMICHAEL; K. Y. YIGZAW; J. G. BELLIKA: "Proceedings of the 13th Scandinavian Conference on Health Informatics", 2015, IEEE, article "Emnet: a system for privacy-preserving statistical computing on distributed health data"
M. MAFFEI; G. MALAVOLTA; M. REINERT; D. SCHRÖDER: "Security and Privacy (SP), 2015 IEEE Symposium", 2015, IEEE, article "Privacy and access control for outsourced personal records", pages: 341 - 358
M. ZAMANI; M. MOVAHEDI; J. SAIA: "Millions of millionaires: Multiparty computation in large networks", IACR CRYPTOLOGY EPRINT ARCHIVE, vol. 2014, 2014, pages 149
S. M. KHAN; K. W. HAMLEN: "Penny: Secure, decentralized data management", INTERNATIONAL JOURNAL OF NETWORK SECURITY, vol. 16, no. 5, 2014, pages 340 - 354
TAHER ELGAMAL: "A Public-Key Cryptosystem and a Signature Scheme Based on Discrete Logarithms", IEEE TRANSACTIONS ON INFORMATION THEORY, vol. 31, no. 4, 1985, pages 469 - 472

Cited By (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN110213219A (zh) * 2018-12-06 2019-09-06 上海腾桥信息技术有限公司 A secure data sharing system and method
US20220014367A1 (en) * 2018-12-13 2022-01-13 Login Id Inc. Decentralized computing systems and methods for performing actions using stored private data
US20210385086A1 (en) * 2019-04-29 2021-12-09 Google Llc Systems and methods for distributed verification of online identity
CN114221749A (zh) * 2021-12-13 2022-03-22 成都天府通金融服务股份有限公司 Unified key management method and system based on multiple types of servers, and electronic device
CN114218322A (zh) * 2021-12-13 2022-03-22 深圳市电子商务安全证书管理有限公司 Data display method, apparatus, device and medium based on ciphertext transmission
CN117411652A (zh) * 2022-07-08 2024-01-16 抖音视界有限公司 Data processing method, electronic device and computer-readable storage medium
CN115801453A (zh) * 2023-01-30 2023-03-14 北京大数元科技发展有限公司 A system for secure Internet querying of sensitive data
CN115801453B (zh) * 2023-01-30 2023-05-02 北京大数元科技发展有限公司 A system for secure Internet querying of sensitive data

Similar Documents

Publication Publication Date Title
US11374736B2 (en) System and method for homomorphic encryption
Froelicher et al. Unlynx: a decentralized system for privacy-conscious data sharing
US11341269B2 (en) Providing security against user collusion in data analytics using random group selection
US10419404B2 (en) Enabling comparable data access control for lightweight mobile devices in clouds
Zhang et al. Secure smart health with privacy-aware aggregate authentication and access control in Internet of Things
CN111931253B (zh) Data processing method, system, device and medium based on node groups
US10609000B2 (en) Data tokenization
Dong et al. Achieving an effective, scalable and privacy-preserving data sharing service in cloud computing
WO2018099577A1 (fr) System and method for providing decentralized collective authority for sharing sensitive data
Miao et al. Secure multi-server-aided data deduplication in cloud computing
US20190354714A1 (en) Health file access control system and method in electronic medical cloud
Fan et al. TraceChain: A blockchain‐based scheme to protect data confidentiality and traceability
CN104521178A (zh) Method and system for secure multi-party cloud computing
Murugesan et al. Analysis on homomorphic technique for data security in fog computing
Fang et al. Encrypted scalar product protocol for outsourced data mining
Yang et al. Efficient and provably secure data selective sharing and acquisition in cloud-based systems
Cao et al. A Lightweight Fine‐Grained Search Scheme over Encrypted Data in Cloud‐Assisted Wireless Body Area Networks
Di Crescenzo et al. Efficient and private three-party publish/subscribe
Peng et al. A Secure Signcryption Scheme for Electronic Health Records Sharing in Blockchain.
He et al. A lightweight secure conjunctive keyword search scheme in hybrid cloud
Venukumar et al. A survey of applications of threshold cryptography—proposed and practiced
Li et al. An efficient privacy-preserving bidirectional friends matching scheme in mobile social networks
Dou et al. Efficient private subset computation
Yi et al. Distributed data possession provable in cloud
Shen et al. Verifiable privacy-preserving federated learning under multiple encrypted keys

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 16816221

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 16816221

Country of ref document: EP

Kind code of ref document: A1