US20170293913A1 - System and methods for validating and performing operations on homomorphically encrypted data - Google Patents
System and methods for validating and performing operations on homomorphically encrypted data Download PDFInfo
- Publication number
- US20170293913A1 US20170293913A1 US15/468,621 US201715468621A US2017293913A1 US 20170293913 A1 US20170293913 A1 US 20170293913A1 US 201715468621 A US201715468621 A US 201715468621A US 2017293913 A1 US2017293913 A1 US 2017293913A1
- Authority
- US
- United States
- Prior art keywords
- data
- encrypted
- transaction
- cardholder data
- confidential
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Abandoned
Links
Images
Classifications
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06Q—INFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
- G06Q20/00—Payment architectures, schemes or protocols
- G06Q20/38—Payment protocols; Details thereof
- G06Q20/382—Payment protocols; Details thereof insuring higher security of transaction
- G06Q20/3829—Payment protocols; Details thereof insuring higher security of transaction involving key management
-
- A—HUMAN NECESSITIES
- A61—MEDICAL OR VETERINARY SCIENCE; HYGIENE
- A61B—DIAGNOSIS; SURGERY; IDENTIFICATION
- A61B5/00—Measuring for diagnostic purposes; Identification of persons
- A61B5/72—Signal processing specially adapted for physiological signals or for diagnostic purposes
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06N—COMPUTING ARRANGEMENTS BASED ON SPECIFIC COMPUTATIONAL MODELS
- G06N20/00—Machine learning
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06Q—INFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
- G06Q20/00—Payment architectures, schemes or protocols
- G06Q20/08—Payment architectures
- G06Q20/10—Payment architectures specially adapted for electronic funds transfer [EFT] systems; specially adapted for home banking systems
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06Q—INFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
- G06Q20/00—Payment architectures, schemes or protocols
- G06Q20/38—Payment protocols; Details thereof
- G06Q20/382—Payment protocols; Details thereof insuring higher security of transaction
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06Q—INFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
- G06Q20/00—Payment architectures, schemes or protocols
- G06Q20/38—Payment protocols; Details thereof
- G06Q20/382—Payment protocols; Details thereof insuring higher security of transaction
- G06Q20/3821—Electronic credentials
- G06Q20/38215—Use of certificates or encrypted proofs of transaction rights
-
- G—PHYSICS
- G16—INFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR SPECIFIC APPLICATION FIELDS
- G16H—HEALTHCARE INFORMATICS, i.e. INFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR THE HANDLING OR PROCESSING OF MEDICAL OR HEALTHCARE DATA
- G16H10/00—ICT specially adapted for the handling or processing of patient-related medical or healthcare data
- G16H10/40—ICT specially adapted for the handling or processing of patient-related medical or healthcare data for data related to laboratory analysis, e.g. patient specimen analysis
-
- G—PHYSICS
- G16—INFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR SPECIFIC APPLICATION FIELDS
- G16H—HEALTHCARE INFORMATICS, i.e. INFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR THE HANDLING OR PROCESSING OF MEDICAL OR HEALTHCARE DATA
- G16H10/00—ICT specially adapted for the handling or processing of patient-related medical or healthcare data
- G16H10/60—ICT specially adapted for the handling or processing of patient-related medical or healthcare data for patient-specific data, e.g. for electronic patient records
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/04—Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
- H04L63/0407—Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the identity of one or more communicating identities is hidden
- H04L63/0414—Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the identity of one or more communicating identities is hidden during transmission, i.e. party's identity is protected against eavesdropping, e.g. by using temporary identifiers, but is known to the other party or parties involved in the communication
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/04—Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
- H04L63/0428—Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/008—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols involving homomorphic encryption
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/14—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols using a plurality of keys or algorithms
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/30—Public key, i.e. encryption algorithm being computationally infeasible to invert or user's encryption keys not requiring secrecy
- H04L9/3093—Public key, i.e. encryption algorithm being computationally infeasible to invert or user's encryption keys not requiring secrecy involving Lattices or polynomial equations, e.g. NTRU scheme
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06Q—INFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
- G06Q20/00—Payment architectures, schemes or protocols
- G06Q20/08—Payment architectures
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06Q—INFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
- G06Q2220/00—Business processing using cryptography
Definitions
- This disclosure relates to homomorphically encrypted data systems and methods, and more specifically, to validation of, and performing operations on, homomorphically encrypted confidential data without decryption of the confidential data, such as financial data.
- a non-transient computer-readable medium containing computer-readable instructions which when executed by a computer processor perform the method of: receiving a transaction request to complete a financial transaction, with at least a portion of the request encrypted according to a homomorphic encryption scheme, and the transaction request comprising confidential cardholder data including an account number, non-confidential cardholder data and transaction data; retrieving one or more sets of encrypted comparison cardholder data encrypted according to a homomorphic encryption scheme; comparing the confidential cardholder data to each set of the comparison cardholder data using one or more homomorphic operations to determine which set of comparison cardholder data matches the confidential cardholder data and validating the confidential cardholder data; generating an encrypted indicator indicating authorization or rejection of the request to complete the financial transaction based upon at least the validation of the confidential cardholder data; and forwarding the encrypted indicator indicating authorization or rejection of the request to complete the financial transaction to a party seeking authorization to complete the financial transaction, wherein the confidential cardholder data is never decrypted during the method.
- FIG. 1 is a diagram of a secure computing environment according to an embodiment of the present invention
- FIG. 2 is a diagram of a remote device according to an embodiment of the present invention.
- FIG. 3 is a diagram of a data system according to an embodiment of the present invention.
- FIG. 4 is a diagram of a key authority system according to an embodiment of the present invention.
- FIG. 5 is a diagram of another data system according to an embodiment of the present invention.
- FIGS. 6A-6J show equations for performing computations according to an embodiment of the present invention
- FIG. 7 is a table of data used in an example for an embodiment of the present invention.
- FIGS. 8 and 9 show testing parameters and results of tests conducted
- FIG. 10 is a diagram of a four-party credit card transaction system
- FIG. 11 is a diagram of a payment processing chain according to an embodiment of the present invention.
- FIG. 12 is a diagram of a secure payment processing system according to an embodiment of the present invention.
- FIG. 13 is a chart showing secret key size reduction according to an embodiment of the present invention.
- FIG. 14 is a chart showing ciphertext size reduction and obviating a flatten function
- FIG. 15 shows pseudocode for a ciphertext multiplication operation
- FIG. 16 is a table of example parameter selection according to an embodiment of the present invention.
- FIGS. 17A-17G show expressions/equations according to an embodiment of the present invention.
- the homomorphic encryption/decryption operations executed on confidential data may be performed as shown in FIGS. 1-5 and FIGS. 6A-6J .
- Key generation may be performed at a secure system, such as the key authority system 36 .
- Public keys 68 may be pre-loaded onto the remote devices 20 containing the confidential information (such as a credit card, remote sensor, etc.) prior to deployment of remote devices 20 .
- public keys 68 may be made available to the remote devices 20 via a network resource (such as a public cloud), which may be configured to require credential verification or authorization (e.g., user name and password) to access public keys 68 .
- the encryption engines 62 on board the remote devices 20 , and in the data system 120 may be configured to implement the homomorphic encryption techniques discussed below.
- the decryption engine 104 at the key authority system 36 may be configured to implement the homomorphic decryption techniques discussed below.
- the calculation engine 88 at the data systems 22 , 120 may be configured to implement the computational techniques discussed below, including the storage and processing of equations, calculation parameters, upper/lower bounds, and intermediate/accumulated results.
- Matrices of rings are defined as A M ⁇ N , where A ij ⁇ R q and M, N are the matrix dimensions.
- I l ⁇ l represents the identity matrix of rings.
- Row vectors are represented as [a b], where a and b are the vector elements.
- Column vectors on the other hand are represented as [a; b].
- the parameters of the cryptographic scheme are n, the degree of the number field; q, the modulus; ⁇ k and ⁇ c , the standard deviation of the discrete Gaussian error distribution in the keyspace and ciphertext space, respectively; l ⁇ log q ⁇ that governs the number of ring elements in a ciphertext.
- a bit decompose function BD takes an l-bit input integer, then outputs a row vector with size l containing the bit decomposition of this integer.
- BD polynomial
- BD takes an input polynomial of size n, where each coefficient is an i-bit integer, then outputs an l-sized row vector of polynomials (each of size n) containing the bit decomposition of each coefficient of the input polynomial, yielding a matrix of size l ⁇ n.
- BD (Matrix of polynomials) takes an input matrix of polynomials of size x ⁇ y (each polynomial is of size n with integer coefficients), then outputs a matrix of polynomials expanded by a factor l in the column dimension, yielding a matrix of size x ⁇ yl, where each consecutive l elements along the row contain the bit representation of each coefficient of each of the input polynomials.
- a bit decompose Inverse function BDI( ) is the inverse of the bit decompose function BD( ).
- the BDI( ) function groups consecutive l coefficients along a row (the coefficients don't need to be binary), and outputs the integer corresponding to those l bits.
- the BDI( ) function can be defined as multiplying the expanded matrix of polynomials ⁇ x ⁇ yl from the right by the matrix ⁇ yl ⁇ y defined in the equation of FIG. 6A . (The polynomial dimension n is omitted from this point forward for clarity).
- the method and system may employ a RLWE (Ring Learning With Errors) cryptographic scheme, and the general principles of such scheme will now be described.
- RLWE Ring Learning With Errors
- this scheme is not particularly limiting and other suitable polynomial-based fully homomorphic cryptographic schemes may be used.
- any gaps in the below would be well understood by those skilled in cryptography in view of the known art.
- the system and method is configured to generate keys, encrypt information, and decrypt information.
- the key generator is configured to implement a Keygen (1 ⁇ ) function as follows.
- a polynomial t ⁇ D R q , ⁇ k is chosen.
- the encryption engine 62 is configured to implement an Enc(pk, ⁇ ) function as follows.
- the message space is R q .
- a uniform vector r N ⁇ 1 is sampled where each coefficient in the polynomials in r sampled from ⁇ 0,1 ⁇ , E N ⁇ 2 ⁇ D R q , ⁇ c N ⁇ 2 .
- the plaintext polynomial ⁇ R q is encrypted by calculating the expression in FIG. 17B . As shown in FIG. 14 , this is advantageous over prior techniques that use C N ⁇ N , as the encryption engine 62 results in smaller ciphertext by a theoretical factor of l times.
- the decryption engine 104 is configured to implement a Dec(sk, C) function as follows. Given the ciphertext C, the plaintext ⁇ R q is restored by multiplying C by the secret-key s according to the expression in FIG. 17C .
- the first l coefficients in the first term of the expression in FIG. 17C are in the form ⁇ , 2 ⁇ , . . . , 2 l-1 ⁇ .
- the element at location i ⁇ [0, l ⁇ 1] is in the form ⁇ 2 i +error. That is, the most significant bit of each entry carries a single bit from the number ⁇ assuming that error ⁇ q/2 and there is theoretically no wrap-around mod q as may be found in prior techniques.
- the addition operator implements an ADD(C, D) function to add two ciphertexts C N ⁇ 2 and D N ⁇ 2 by performing the entry-wise addition C N ⁇ 2 +D N ⁇ 2 .
- the multiplication operator and bitwise decomposition function implement a MULT(C, D) function to multiply two ciphertexts C N ⁇ 2 and D N ⁇ 2 by performing the bitwise decomposition function (or BD) on one ciphertext and then executing the multiplication, as BD(C N ⁇ 2 ) ⁇ D N ⁇ 2 .
- the multiplication is asymmetric in the input ciphertexts C and D. That is, the components of D are treated as a whole, whereas the components of C are broken up into their bit-wise decompositions.
- the multiplication is correct, as discussed below, and gives a slow noise-growth rate.
- control logic may be configured to implement accumulative multiplications, as shown in FIG. 15 and as may be required by various contemplated implementations.
- n can be set to be smaller, for the same security level ⁇ .
- a smaller n can result in a error j (B,n,q) that is smaller, leading to an even smaller q, and so on.
- Suitable parameters are obtained by solving both the above inequalities in FIGS. 17F and 17G together.
- FIG. 16 summarizes an example of such a parameter selection.
- an NTRU variant of the encryption scheme is used to reduce computational complexity and to speedup operations, as will be detailed below.
- the encryption system works as follows.
- a key generation function, Keygen (1 ⁇ ), requires the choosing of two polynomials ⁇ 1 ⁇ 1 , g (1 ⁇ 1) ⁇ D R q , ⁇ k such that (a) f is invertible in the ring R q ; and (b) f ⁇ 1 (mod 2). This can be done by sampling the polynomial f from the distribution D R q , ⁇ k until it satisfies conditions (a) and (b).
- the public key pk and the private (secret) key sk can be computed from the equation shown in FIG. 6B .
- Enc(pk, m) the message space is R q .
- a plain text polynomial ⁇ R q is encrypted by evaluating the equation of FIG. 6C , where S l ⁇ 1 , E l ⁇ 1 ⁇ D R q , ⁇ c l ⁇ 1 are sampled from a discrete Gaussian distribution with standard deviation ⁇ c .
- This encryption function can be implemented at the encryption engine 62 .
- Dec(sk, C) Concerning the decryption function, Dec(sk, C), for a given the ciphertext C, the plaintext ⁇ R q is restored by multiplying C by the secret-key ⁇ using the equation of FIG. 6D .
- This decryption function can be implemented at the decryption engine 104 .
- the l polynomials in the first term of the last line are in the form ⁇ f, 2 ⁇ f, . . . , 2 l ⁇ 1 ⁇ f.
- the element at location i ⁇ [0, l ⁇ 1] is in the form ⁇ 2 i +error. That is, the most significant bit of each entry carries a single bit from each coefficient in ⁇ assuming that error ⁇ q/2 and there is no wrap-around mod q as is found in the prior art.
- “ ⁇ ” can be fully recovered from C which can then be multiplied by ⁇ ⁇ 1 to recover ⁇ .
- the l ring elements in the ciphertext facilitate and manage noise growth in homomorphic operations (in particular, homomorphic multiplication) as described below.
- homomorphic operations for input ciphertexts C l ⁇ 1 and D l ⁇ 1 ⁇ R q l ⁇ 1 encrypting ⁇ 1 and ⁇ 2 respectively, homomorphic operations are defined as follows. For an addition operation, ADD(C, D), to add two ciphertexts C l ⁇ 1 and D l ⁇ 1 , the output is C l ⁇ 1 +D l ⁇ 1 , which is an entry-wise addition. For a multiplication operation, MULT(C, D), to multiply two ciphertexts C l ⁇ 1 and D l ⁇ 1 , output is BD(C l ⁇ 1 ) ⁇ D l ⁇ 1 .
- the addition and multiplication operations can be implemented at the calculation engine 88 .
- error ⁇ (B, n, q) denotes how much the error grows when evaluating a function f on ciphertexts in Rq with an initial error of magnitude B.
- n may be set smaller for the same security level ⁇ .
- the new error ⁇ (B, n, q) is smaller, leading to an even smaller q, and so on.
- Optimal parameters can be obtained by solving the above inequalities of FIGS. 6F and 6G together.
- the table of FIG. 7 summarizes an example parameter selection.
- the encryption scheme according to the present embodiments does not use the flatten operation introduced by the GSW scheme.
- a flattened ciphertext (Ctxt) takes up a large memory space. It also needs considerable computation time to combine entries and decompose them back into bits (or even decompose them into groups of “m” bits for a higher radix Bit Decompose operator).
- the encryption scheme according to the present invention does not use a flatten operation, it does not have single bits representing ciphertexts. Rather, ciphertexts are represented as packed numbers mod q. To multiply ciphertexts, it is advantageous to use the fast NTT algorithm to speed up the ciphertext multiplication operation, as opposed to using regular polynomial circular convolution.
- the encryption scheme according to the present embodiment decrypts the most significant bit from all 1 polynomials in the ciphertext, as opposed to decrypting only a single bit from a single polynomial in the ciphertext. In this way 1 bits, one from each polynomial, can be decrypted. These bits are combined back into the encrypted polynomial using the formula shown in FIG. 6H .
- One area of application for an embodiment of the homomorphic encryption system is financial transactions, particularly credit card transactions. Attacks on credit card information have escalated tremendously in recent years, with major breaches resulting in millions of client record being exposed. Once exposed, the client information may be resold (e.g. on the dark web), used for fraudulent transactions, particularly card not present (CNP) transactions, or used for direct attacks on Point-of-Sale (POS) systems.
- CNP card not present
- POS Point-of-Sale
- the system may encrypt the credit card information from the point at which it is acquired and never decrypt the ciphertext even at the authentication step.
- Major credit card companies such as VISATM and MasterCardTM, structure bank card transactions in what is called the four-party model.
- the parties in this model are the cardholder 1500 , the merchant 1510 (the service provider), the payment processor 1520 (the acquirer), and the card issuer 1540 .
- the credit card company (payment brand) 1530 all as shown in FIG. 10 .
- the transaction starts when the cardholder 1500 , who wishes to purchase something, uses his credit card information on an online merchant or presents his credit card 1505 to the merchant 1510 at the store.
- the merchant 1510 online or using the point of sale system, acquires and encrypts the credit card information and sends it 1515 to the payment processor 1520 over the network.
- the encryption at the merchant may be done at the POS terminal or may be done using an application installed on the merchant's systems using the public encryption key.
- the payment processor 1520 then decrypts the credit card information and forwards it 1525 to the card issuer 1530 for authorization.
- the merchant 1510 charges the credit card and provides the service or product to the cardholder 1500 once the credit card authorization is received.
- the payment processor 1520 reimburses the merchant for the service, after that, the card issuer 1530 pays back the payment processor 1520 within 24 or 48 hours.
- a tokenized system may be utilized between the payment processor and the merchant to eliminate the need for the merchant to store the cardholder information.
- the merchant stores only a token corresponding to either the cardholder account or to the individual transactions.
- Information such as cardholder and transaction data, as well as internal fees, such as network and interchange fees, may be passed 1545 between the payment processor 1520 and credit card company 1540 , or between 1555 the card issuer 1530 and credit card company 1540 , or both, either as required during the transaction, or after the transaction.
- Point of Sale System When the cardholder presents his card at the merchant store, his/her card is swiped in a credit card machine or a card reader that transfers this information to a computer. There may be some points in the system where this card information is not encrypted for some time before sending it to the payment processor. At this point, malware installed in the system can gather this information and send it back to the attacker. To address this vulnerability, credit card information must be encrypted the moment it is read using the card reader. This way, malware will not be able to gather card information using this method.
- P2PE point to point encryption
- P2PE uses 3DES or AES for encryption which may be considered safe for the time being but may not be secure against quantum computers in the future.
- Payment Processor When the payment processor receives the encrypted credit card information from the merchant, it decrypts it and sends it in plaintext to the card issuer for authentication. This is a clear point of weakness. Any malware installed in the payment processor system, or any attacker who broke the secure channel between the payment processor and the card issuer, can gather the credit card information while being in plaintext form. To address this vulnerability, credit card information should never be decrypted at any point. Additionally, in the case of a tokenized system, the presence of the secure vault which translates the transaction into a token and vice versa. This vault stores all the cardholder information and their corresponding tokens. If this vault is hacked, valuable information will be at risk.
- the card issuer has two points of vulnerability: 1) it receives the client credit card information in plaintext. This exposes it to the possibility of attack; and 2) the card issuer database of credit card information for all its clients sits in a secure server in plaintext to compare it to the incoming card information. This is the largest security threat on credit card information. This is because an attack on this secure database will result in the loss of all credit card information.
- FIG. 11 there is presented an embodiment of the present invention which is a change in the credit card authorization system that may provide a much higher level of security than current systems.
- the embodied system may be based on encrypting the credit card information at the POS system using quantum secure Fully Homomorphic Encryption (FHE) which is based on lattice based cryptography.
- FHE Quantum secure Fully Homomorphic Encryption
- the need for FHE is based on the need for both homomorphic addition and multiplication operations on encrypted data. If only one type of operation is required, somewhat homomorphic encryption may be used.
- the encrypted credit card information may be compared against credit card database data (e.g. sets of cardholder data for various cardholders held in a database) at the card issuer which may also be encrypted using the same FHE encryption.
- the system may eliminate any possible attacks on credit card information, either in the network, or in the database servers because they may all be encrypted using a quantum secure FHE encryption scheme.
- the cardholder data from the consumer 1610 (the primary account number (PAN)) is captured by the online transaction data entry (or at the POS), the data is encrypted using a public-key Fully Homomorphic Encryption (FHE) scheme.
- FHE Fully Homomorphic Encryption
- the credit card number (except for the first digit and the last 4 digits), month, year, and CVV numbers may be encrypted using the FHE public encryption key published by the credit card company.
- the name of the cardholder and the first digit and the last 4 digits of the credit card number may be encrypted using the regular encryption schemes.
- the merchant 1620 then sends the encrypted PAN to the acquirer/payment processor 1630 .
- the payment processor 1630 forwards the encrypted PAN to the appropriate payment brand 1640 using the credit card first digit (e.g., VisaTM, MasterCardTM, American ExpressTM, etc.).
- the payment brand 1640 then forwards the encrypted PAN to the card issuer 1650 (issuing bank) using the next five digits (BIN: Bank Identification Number).
- the card issuer 1650 may use the cardholder name and last 4 credit card digits to narrow down the credit card entries in the database that match this information.
- Each entry in the narrowed down list may be enumerated, compared against the encrypted PAN using FHE algorithms, and the encrypted matching indicator will be multiplied by the number corresponding to each entry in the list.
- the encrypted result from each entry may all be added together to get a final result.
- the final result may encrypt the number of the matching account, the numbers corresponding to all other accounts will be multiplied by ‘0’ (due to mismatch), which will nullify the result.
- the encrypted result is sent back to the payment brand 1640 , which decrypts it and sends the final result, which is a single digit corresponding to the matching account, back to the card issuer 1650 to verify that the card is not reported lost or stolen, and that the account has the appropriate amount of credit/funds available to pay for the transaction.
- the card entries may be ordered by most frequently used and the rest of the entries may be ignored once a hit is found to reduce the verification time.
- the issuer 1650 If approved, the issuer 1650 generates an authorization number and routes this number back along with a card-specific FHE encrypted PAN to the payment brand 1640 .
- the payment brand 1640 the forwards the authorization code and the encrypted PAN back to the acquirer/processor 1630 .
- the acquirer/processor 1630 accesses a secure vault 1660 to retrieve/generate a token corresponding to the encrypted PAN.
- the secure vault 1660 may also be FHE encrypted except for the tokens.
- the acquirer/processor 1630 returns the token back to the merchant 1620 .
- the merchant may retain the token long term in a merchant database 1670 for the processing of returns, retrieval requests or chargebacks, as well as for business intelligence reasons such as analysis of consumer buying behavior and creation of marketing programs.
- This embodiment is an example of a centralized system where only one entity, the credit card company 1640 , owns the secret decryption key and distributes public encryption keys.
- Another embodiment is a decentralized system where each card issuer 1650 holds its own secret decryption key and that the POS systems recognize which card issuer the credit card belongs to and encrypts the card's information using the appropriate public encryption key corresponding to this card issuer.
- This decentralized system may need another entity which is solely responsible for decrypting the encrypted comparison result. This may be required to decouple the card issuer servers holding the encrypted credit card information from the servers which hold the valuable secret decryption key.
- Another embodiment is the use of FHE multiparty computation. Different secret keys will be generated for each user and the public key will be stored in the credit card itself. The cardholder data will be encrypted by the user's public key and may be sent to the system for matching against other accounts. Multiple secret decryption keys will be required to decrypt the final result. Additionally, with multiple keys, each party may be limited to decryption only of the information associated with their key, and not be capable of decrypting any other information, improving overall security of the data.
- the system may be applied on multiple different levels: the first version is a full system where information is encrypted from the origin and never decrypted at any point in the system.
- the second version is a partial system where, in order to accommodate the current payment systems, and to reduce the risk of data attacks, at the payment processor, after card information decryption, card information can be re-encrypted using FHE before sending to the card issuer. This may reduce the possibility of attacks but there is a brief moment in time where data is in the clear between information decryption and re-encryption where data can reside in the device memory vulnerable to attacks. However, the credit card database at the card issuer may always remain encrypted using FHE.
- the system also supports online transactions using online payment systems using credit cards or PayPal or other online transaction services where payment information may be encrypted on the client PC prior sending over the Internet.
- credit cards consist of the following key information: Bank name (Front); Credit card number of 13-19 digits (Front); Credit card expiry date (Front); Cardholder name (Front); and Card Verification Value (CVV) (Back).
- the credit card number consists of a leading 6-digit Bank Identifier Number (BIN), also known as an Issuer Identifier Number (IIN), and a 6- to 12-digit account number, and a single digit checksum number.
- BIN Bank Identifier Number
- IIN Issuer Identifier Number
- the terminating 3 digits of the account number and the checksum number are encrypted with the same FHE scheme but using a different key which may be given to specific parties for decryption.
- Other cards based on a BIN or IIN such as debit cards, reward cards, and merchant-specific cards may also be used and have an equivalent numbering system.
- the following fields may be encrypted using quantum secure lattice-based Fully Homomorphic Encryption (FHE): the middle 3-9 digits of the credit card number (e.g. the secure portion of the account number), the expiry date and the CVV number.
- FHE Quantum secure lattice-based Fully Homomorphic Encryption
- the remaining items in the credit card may be encrypted using the same encryption scheme but with one or more different public/secret key pairs.
- a proper key management system is crucial for the overall security of the system.
- the other keys may be used by intermediate parties to decrypt the needed fields.
- the remaining fields may be encrypted using an FHE scheme, no homomorphic operations may be applied to them. Every character of the remaining fields may be encoded in adjacent coefficients in the same polynomial.
- the remaining fields are: bank name, cardholder name, and the first 6 digits (BIN number) and last 4 digits of the credit card number.
- biometric e.g. fingerprint
- rotating or variable CVV numbers rotating or variable CVV numbers
- one-time card numbers may all be validated and authentication via the present method and system, and, in some cases, without any substantive changes.
- Fully homomorphic encryption permits addition and multiplication operations on encrypted data to generate an encrypted result, which, when decrypted, gives the correct result if the same set of operations were applied on unencrypted data.
- the XNOR operation can be re-written to make it suitable for the embodied encryption scheme.
- each individual bracket consists only of Ctxt addition/subtraction operation which is implementable using the embodied encryption scheme.
- the middle digits (for this example, 6 digits for a 16-digit card number are assumed) of the credit card number are first converted into bits where each bit is then encrypted using FHE encryption. The same process is performed for the expiry date and the CVV number. These encrypted bits are then sent on the network along with the cardholder name, bank name, BIN number, and last 4 digits of the credit card to the payment processor which then forwards them to the appropriate card issuer.
- the encrypted indicator either ‘0’ or ‘1’ can then be multiplied by a number corresponding to the order of this entry against the reduced list.
- this encrypted indicator which encrypts the order of the matching account in the reduced list, needs to be decrypted using the secret decryption key available at the credit card company (or on a separate secure server owned by the card issuer in the case of decentralized scheme). After decryption, only a single digit is returned which corresponds to the order of the matching account in the reduced list.
- the sensitive bits for the input card and for each of the matching accounts are partitioned into “k” parts, where “k” corresponds to the number of processors (e.g. GPUs) available in each machine and each part is sent to a different GPU.
- Each GPU may be enumerated by a number ranging from 0 to k ⁇ 1.
- the result from each GPU may be rotated by a number of polynomial slots corresponding to its GPU number by multiplying by a polynomial with a 1 shifted to the corresponding location.
- all the results are added. This will produce a result where k slots of the encrypted polynomial each has a bit corresponding to a match or non-match for the corresponding bits.
- the quantum-secure, lattice-based FHE scheme used for this system may be computationally intensive.
- GPUs graphical processing units
- Each GPU is capable of supporting a number of transactions per second.
- large transaction companies like VISATM and MasterCardTM each may require up to 4000 transactions per second
- many GPU cards are required.
- a multi-server environment may be implemented that can be scaled to serve any level of demand.
- This may also be directed to the benefit of the user and/or merchant as well, such as by matching data in the request to a merchant rewards program, either by extracting the data from the request, or by matching it in a list. This reduces the need for multiple transactions and separate processing, potentially leading to greater transaction efficiency. Further extensions and variations may only be limited by data bandwidth and processing time requirements.
- any encrypted data may be validated and authenticated against any set of encrypted data without the need for decryption. Changes in the data formats, data structure, or even the data itself may be more easily accommodated, since decryption information need not be shared.
- Homomorphic encryption does not natively provide data integrity.
- Hackers may be able tamper with the encrypted data by apply their mathematical operations on the data while at rest or in motion. This may affect the result of the manipulated data and may change the result to something that may aid the hacker in an attack. For example, applying a homomorphic OR operation on the final encrypted flag with an encrypted “1” which will make the result always a “1” or “Transaction Granted”.
- the protection of data integrity from the modification of unauthorized parties may be provided by applying extra mathematical machinery to provide a tamper resistant credit card authentication system.
- a Hash-based Message Authentication Code HMAC
- HMAC Hash-based Message Authentication Code
- the system may support encrypting a credit card CVV number that is periodically changing over time.
- the system may homomorphically encrypt the CVV number generator key and store it in the bank database.
- mathematical operations are applied homomorphically on the CVV generator key to generate the new valid CVV number to be matched against the customer credit card to be verified.
- the full system according to an embodiment is shown in FIG. 12 .
- the authentication process may take place when the payment processor 1710 sends the credit card information to the card issuer.
- the card issuer may have a front-end server 1720 that accepts incoming requests.
- This front-end server 1720 may be connected to a network of GPU machine farms 1730 that send frequent updates to the front-end server 1720 about its occupancy (if it is free or not).
- the front-end server 1720 may check its server table for a free machine 1740 , and fetch its corresponding IP address. This IP address is then sent back to the payment processor 1710 .
- the payment processor 1710 then connects to this free computing node 1740 and sends the cardholder card information to it.
- the computing node 1740 may fetch from the database the data of the credit cards which match the cardholder name and the last four digits. The authentication process may then take place on that GPU on this specific machine 1740 . The result of the authentication operation may then be sent to the credit card company 1750 for decryption. The decrypted authentication digit may then be sent back to the card issuer 1710 to indicate the final result.
- This system may be implemented to ease the network connection requirements for the front-end server 1720 and to distribute it on all the computing nodes 1730 .
- FIG. 1 shows a networked computer system embodying various aspects of the present invention for use with confidential data.
- a plurality of remote devices 20 are connected to a data system 22 via a wide-area network 24 .
- the remote devices 20 may include devices such as wearable devices 26 , terminals 28 , terminals 30 , and the like.
- Wearable devices 26 may include devices such as special-purpose devices, smart-watches, wearable computers, smart clothing, and similar.
- Wearable devices 26 may include, but are not limited to, sensors such as global positioning system (GPS) receivers, and similar.
- Terminals 28 and terminals 30 may include devices such as smartphones, tablet computers, desktop/laptop computers, and similar.
- wearable devices 26 , terminals 28 , and terminals 30 are not contemplated to limit the present invention. Functionality of these devices 26 - 30 may overlap. Wearable devices 26 and terminals 28 collect data directly from users and may do so without the need for manual input by users. Wearable devices 26 and terminals 28 may allow for manual input by a user 32 (e.g., typing or selecting) of data. Terminals 30 may require some form of manual input by personnel 34 to enter data related to users 32 .
- the remote devices 20 may be configured to collect data.
- the wide-area network 24 may include one or a combination of data networks, such as a local-area network, a wireless network, a cellular network, an intranet, a virtual private network (VPN), and the Internet.
- data networks such as a local-area network, a wireless network, a cellular network, an intranet, a virtual private network (VPN), and the Internet.
- VPN virtual private network
- the data system 22 may include one or more computers, which may be known as servers, configured with program code that is stored in memory and is executed by one or more processors to perform homomorphic calculations on data collected from the remote devices 20 , as discussed in detail below.
- the system may further include a key authority system 36 and analyst terminals 38 .
- the key authority system 36 stores one or more cryptographic keys, such as one or more private (secret) keys for a fully homomorphic asymmetric cryptographic scheme, such as a ring-learning with errors (RWLE) or NTRU homomorphic encryption scheme.
- the key authority system 36 includes one or more servers configured to store such private keys and restrict the use of the private keys to authorized users.
- Each private key controlled by the key authority system 36 may correspond to a public key that is distributed to the remote devices 20 .
- Data encrypted by the remote devices 20 could be decrypted by users with access to the respective private key, although this is not central to the present embodiment.
- the results of homomorphic calculations performed on encrypted data may be decrypted by users with access to the respective private key. It is contemplated that a large number of remote devices 20 may share the same public key and thus form a large and continuous source of data for homomorphic calculations that do not require the decryption of the data. Rather, the private key may only be needed for the decryption of calculation results.
- any number of public-private key pairs may be used. It may be advantageous to segment devices 20 into different sets, according to device type or other factor, by providing such devices with different public keys. Different sets or types of devices 20 may be given different public keys based on other factors, such as the group/organization, device manufacturer, etc. Further, for a device 20 that collects multiple types of data, each type of data may be assigned to a different public key for encryption by that public key. Again, this may reduce exposure of user data. For sake of clarity, the examples discussed herein reference a single public-private key pair, but it should be noted that the present invention contemplates various public-private key pairs.
- collaboration and computation using a set of data is limited to a set of encrypted data that is able to be decrypted by the same private key.
- limiting the system to a single private key may be advantageous.
- Analyst terminals 38 may include devices such as smartphones, tablet computers, desktop/laptop computers, and similar operable by analysts 40 such as administrators, researchers, and the like. Analyst terminals 38 may initiate homomorphic calculations performed at the data system 22 and may have the encrypted results of such calculations decrypted by the private key held by the key authority system 36 . Plaintext results of the calculations may then be outputted at the analyst terminals 38 for further calculation and study.
- the private key can be provided to decrypt calculation results in various ways, depending on specific requirements of various implementations according to the present invention.
- Encrypted results of calculations may be transmitted to the key authority system 36 for decryption at the key authority system 36 , with the decrypted plaintext results (DR) 42 of the calculations being transmitted to one or more analyst terminals 38 for output via a secure channel 44 , such as a secure subnetwork, a VPN operating through the wide-area network 24 , or similar network that offers increased security. Additionally, or alternatively, such a secure channel 44 may be used to transmit the private key from the key authority system 36 to the analyst terminals 38 to decrypt calculation results at one or more analyst terminals 38 .
- the secure channel 44 need not be limited to network communications.
- analyst terminals 38 may be situated at physically secure locations, thereby offering a physical aspect to the secure channel 44 , if the private key or encrypted data is to be transmitted over a network.
- the secure channel 44 may be mainly or exclusively physical and the private key or encrypted data can be copied onto physical key cards, memory sticks, or similar devices that can be used to manually convey the private key or encrypted data to the analyst terminals 38 .
- data may be continually collected by the remote devices 20 , encrypted at the remote devices 20 , and transmitted to the data system 22 as encrypted data (ED) 50 .
- ED encrypted data
- any device transmitting data to the data system 22 may be configured to encrypt its data prior to transmission.
- the data system 22 may store the encrypted data 50 for as long as desired.
- an analyst terminal 38 may be used to select a set of data for analysis and to configure a calculation to be performed on the selected set of data.
- This information may be sent by the analyst terminal 38 to the data system 22 as a calculation command (CC) 52 that triggers the data system 22 to perform the calculation on the selected encrypted data, according to a homomorphic technique, without decrypting the data to obtain encrypted results 54 .
- the encrypted results 54 of the calculation may then be transmitted to the analyst terminal 38 .
- the analyst terminal 38 may then obtain decrypted results 42 using the secure channel 44 to communicate with the key authority system 36 .
- data may not be decrypted during the performance of calculations.
- User privacy may be improved and it is contemplated that more users may volunteer their data to be used in studies knowing that their data is better protected.
- opportunities for man-in-the-middle and other types of attacks may be mitigated due to the data and calculation results being transmitted in encrypted form and due to tight control of the private key.
- the remote devices 20 such as wearable devices 26 , terminals 28 , terminals 30 , data system 22 , terminals 38 , remote devices 130 and other components may be specifically general purposes devices or devices made specific to a chosen application.
- FIG. 2 shows an example remote device 20 .
- the remote device 20 may include a sensor 60 and/or input device, an encryption engine 62 , and a network interface 64 .
- the remote device 20 may further include memory (e.g., RAM, hard-drive, solid-state drive, etc.) for storing captured data 66 , a public key 68 , and encrypted data 50 .
- the remote device 20 may also include a processor configured to execute the encryption engine 62 and control operations of the remote device 20 .
- the sensor and/or input device 60 may be configured to capture data of an individual.
- Example input devices include a keyboard or touchscreen, for manual entry of data.
- An input device may be used together with a sensor, such that the collected data includes manually inputted data as well as directly measured data.
- the type and nature of the data captured is not particularly limited.
- the encryption engine 62 may be configured to apply the public key 68 to encrypt the captured data 66 to generate encrypted data 50 .
- the encryption engine 62 may be configured to perform fully homomorphic encryption as discussed above.
- the network interface 64 may be configured to communicate encrypted data 50 to the network 24 and specifically to the data system 22 ( FIG. 1 ). After the encrypted data 50 has been transmitted to the data system 22 , it may be deleted to save memory.
- FIG. 3 shows an example of the data system 22 .
- the data system 22 may include a network interface 80 , a data accumulator 82 , a query constructor 84 , a user interface 86 , and a calculation engine 88 .
- the data system 22 may further include memory (e.g., RAM, hard-drive, solid-state drive, etc.) for storing encrypted data 50 , encrypted calculation results (ER) 54 , data 90 , and authorizations 92 .
- the data system 22 may also include a processor configured to execute the data accumulator 82 , the query constructor 84 , the user interface 86 , and the calculation engine 88 and to control operations of the data system 22 . It is noted that no encryption key need be stored at the data system 22 , as the data system 22 performs its calculations on encrypted data.
- the network interface 80 may be configured to receive data and commands from the network 24 .
- the network interface 80 may be configured to receive encrypted data 50 and commands from the remote devices 20 .
- the network interface 80 may be configured to receive calculation commands from analyst terminals 38 .
- the data accumulator 82 may be configured to control the capture of encrypted data 50 from the plurality of remote devices 20 .
- the data accumulator 82 may be configured to periodically interrogate each remote device 20 for new encrypted data, receive such encrypted data in response, and store such encrypted data 50 in memory at the data system 22 .
- the data accumulator 82 may be configured to reference the authorizations 92 as a condition for collecting data.
- the query constructor 84 may be configured to receive calculation commands from analyst terminals 38 .
- a calculation command triggers commencement of a calculation by the calculation engine 88 .
- a calculation command may include parameters specifying a set of the encrypted data 50 on which to conduct a calculation as well as parameters specifying the nature of the calculation.
- the query constructor 84 may be configured to provide to the analyst terminals 38 a summary of the encrypted data 50 available for calculation.
- the query constructor 84 may be configured to reference the authorizations 92 as a condition for using elements of encrypted data 50 in calculations.
- the user interface 86 may be configured to receive commands and data from remote devices 20 , analyst terminals 38 , or other devices and to output information about the encrypted data 50 .
- the user interface 86 may be configured to receive data 90 that is not necessarily encrypted.
- Data 90 may also include associations to the encrypted data 50 , such that elements of encrypted data 50 may be linked to the data 90 that is considered useful for designing studies.
- an association of data 90 to encrypted data 50 may include a unique identifier, such as a hash or serial number, of the user in both the encrypted data 50 and the data 90 .
- the unique identifier in the encrypted data 50 in plaintext form, such as via an unencrypted metadata field attached to the encrypted data 50 , a file name, or an unencrypted database field in association with encrypted data 50 stored in a database.
- the user interface 86 may be configured to receive commands to control authorizations 92 that are granted by users or other individuals to, for example, analysts at terminals 38 .
- Authorizations 92 may include data indicative of the consent to collect and store encrypted data 50 and consent to make encrypted data 50 available to the calculation engine 88 .
- authorizations 92 may include one or more many-to-many mappings that map users to data and further to individuals or organizations, such that each (or his/her legal representative) can give consent to provide any type of data to any individual or organization.
- Authorizations 92 may also include time windows for consent, such that consent is automatically withdrawn after expiry of a selected time.
- the user interface 86 may include an authentication system, such as a username and password log-in authentication system, for verifying that users who modify data 90 and authorizations 92 are authorized to make such changes.
- an authentication system such as a username and password log-in authentication system
- the calculation engine 88 may be configured to perform homomorphic calculations on encrypted data 50 according to received parameters defining the set of encrypted data 50 and the calculations to perform.
- the calculation engine 88 outputs encrypted results 54 that are transmitted via the network interface to the key authority system 36 or the analyst terminal 38 .
- the calculation engine 88 can be configured to perform any suitable calculation in the encrypted domain.
- Such calculations are contemplated to include addition, multiplication, discrete calculations, continuous calculations, comparisons using relational operations, combinations of such, and similar. Further, such calculations may be modeled as polynomial series. To achieve this, the calculation engine 88 may be configured as described below.
- FIG. 4 shows an example key authority system 36 .
- the key authority system 36 may include a network interface 100 , an authorization processor 102 , and a decryption engine 104 .
- the key authority system 36 may further include memory (e.g., RAM, hard-drive, solid-state drive, etc.) for storing encrypted calculation results 54 , a private key 106 , and decrypted results 42 .
- the private key 106 corresponds to the public key 68 ( FIG. 2 ) stored in the remote devices 20 .
- the key authority system 36 may also include a processor configured to execute the authorization processor 102 and the decryption engine 104 , as well as to control operations of the key authority system 36 .
- the network interface 100 may be configured to receive encrypted results 54 from analyst terminals 38 via the secure channel 44 ( FIG. 1 ). The network interface 100 may be further configured to transmit the decrypted results 42 to analyst terminals 38 . Alternatively, or additionally, the network interface 100 may be configured to transmit the private key 106 to the analyst terminals 38 via the secure channel 44 .
- the authorization processor 102 may be configured to restrict access to the key authority system 36 to authorized users.
- the authorization processor 102 may include an authentication system, such as a username and password log-in authentication system or an electronic credential verification system, for verifying users who attempt to access the decrypted results 42 or the private key 106 or both.
- the decryption engine 104 may be configured to apply the private key 106 to decrypt the encrypted calculation results 54 to generate the decrypted results 42 .
- the decryption engine 104 may be configured to perform homomorphic decryption as discussed herein.
- FIG. 5 shows a data system 120 according to an embodiment.
- the data system 120 may include components discussed herein, such as data system 22 .
- the description for such components can be referenced with like reference numerals indicating like components. For sake of clarity, only differences will be discussed in detail.
- the data system 120 may replace the data system 22 in the system of FIG. 1 .
- the data system 120 may be configured to generate alerts based on calculations performed on encrypted data 50 received from remote devices 20 .
- the data system 120 may transmit these alerts via the network 24 to remote devices 130 ( FIG. 1 ) operated by professionals who may act on such alerts. It is contemplated that generated alerts remain in the encrypted domain.
- alerts may be routed through the key authority system 36 for decryption prior to being transmitted to the relevant remote devices 130 in plaintext form.
- privacy may be enhanced by having the plaintext form of the alert be a general indication of the nature of the alert (e.g., a text alert) rather than specific numerical values, as it is contemplated that recipients of alerts may have background knowledge of the specific condition and perhaps knowledge of specific alert trigger values.
- remote devices 130 may be provided with the private key to decrypt received alerts.
- the data system 120 may include alert triggers 122 executable by a processor and configurable by authorized users.
- the alert triggers 122 and the calculation engine 88 may perform comparisons between encrypted results 54 and encrypted alert conditions 124 stored in memory and configurable by authorized users.
- Encrypted alert conditions 124 may be initially received in unencrypted form via the network interface 80 before being encrypted by an encryption engine 62 using the same public key 68 that encrypts the data at the remote devices 20 .
- Encrypted alert conditions 124 may be applied to data represented by the encrypted results 54 and alert triggers 122 issue alerts for data that meet the conditions.
- Such alerts may be configured to be transmitted via the network interface 80 and the network 24 to remote devices 130 of selected authorized users, such as professionals.
- Alerts may be communicated via the key authority system 36 for centralized decryption prior to being forwarded to the selected authorized users in plaintext form.
- the remote devices 130 may store the private key 106 and may be configured with a decryption engine 104 to decrypt the alerts.
- a professional may set an alert condition 124 for a user, identified by data 90 , using a equation homomorphically evaluated in the encrypted domain by the calculation engine 88 using data continuously collected by a wearable device 26 .
- the encrypted alert condition 124 may be a particular maximum, minimum, or interval, if met or exceeded, causes the alert trigger 122 to send an electronic alert message to remote devices 130 operated by a professional who may be otherwise be unaware of the specific alert conditions.
- the specific evaluation and the values evaluated may remain in the encrypted domain, so as to improve privacy.
- the alert triggers 122 may be evaluated on a periodic basis or upon detecting new encrypted data 50 .
- the alert triggers 122 may store information concerning delivery of the alert, such as network addresses (e.g., email addresses, phone numbers, etc.) of the destination remote devices 130 that are to receive the alerts.
- network addresses e.g., email addresses, phone numbers, etc.
- Various components of the data systems 22 , 120 , and specifically the calculation engine 88 may be implemented as one or more hardware devices. Such hardware devices may be configured to implement the computational techniques discussed herein using only hardware or by using hardware that executes program code.
- a suitable hardware device may be configured to implement the computational techniques discussed herein using, for example, Chinese Remainder Theorem (CRT), Number Theoretic Transform (NTT), one or more memory blocks, one or more memory interfaces, matrix multiplications, matrix additions, or a combination of such.
- CTR Chinese Remainder Theorem
- NTT Number Theoretic Transform
- One such suitable hardware device to achieve this is a Graphics Processing Unit (GPU).
- Other examples of suitable hardware device include a field-programmable gate array (FPGA) and an application-specific integrated circuit (ASIC).
- FIG. 9 summarizes performance results of the homomorphic operations for the present invention compared to Khedr, A., Gulak, G., and Vaikuntanathan, V.
- SHIELD Scalable Homomorphic Implementation of Encrypted Data-Classifiers, Cryptology ePrint Archive, Report 2014/838, 2014 (http://eprint.iacr.org/2014/838.pdf) shown in FIG. 9 at “Khedr 2014”; Lauter, K., Lopez-Alt, A., and Naehrig, M. Private Computation on Encrypted Genomic Data. Tech.
- a 104 times speedup may be achieved by distributing computations on GPU cores. This resulted in an overall 6085 times speedup for the multiplication operation compared to “LBos 2014” and a 286 times speedup compared to “Lauter 2014”.
- the present invention may be advantageously scalable across multiple GPU cards. Experiments were made using four GPU cards connected to the same computer to measure loss in performance due to cross-GPU communication. By partitioning large problems into small ones, computations can be scheduled among all four GPUs to obtain a speedup of 3.946 times, which indicates that communication overhead was reduced.
- the encryption scheme described herein may be used in privacy-preserving machine learning applications, in privacy-preserving data mining including privacy-preserving data clustering applications, and in general secure computations on financial or other confidential data.
- the calculation engine 88 may be configured to perform homomorphic calculations related to privacy-preserving machine learning applications, in privacy-preserving data mining including privacy-preserving data clustering applications on encrypted data.
- the present invention can be used to encrypt all data measured by wearable and portable devices prior to uploading such data to the cloud. This can be very useful to help researchers conduct research on confidential data, in a manner that preserves privacy.
- these devices can store public encryption keys produced by a centralized entity, which is also responsible for the control and distribution of private/secret keys to facilities where computation results/alerts are to be decrypted.
- Wearable/portable devices need only encrypt the captured data, and the modest processing power that is known in these kinds of devices is not a significant hindrance to implementation. Since performance of the encryption function is not necessarily time critical, embedded processors can encrypt measured data within seconds instead of milliseconds and still have acceptable performance.
Landscapes
- Engineering & Computer Science (AREA)
- Business, Economics & Management (AREA)
- Accounting & Taxation (AREA)
- Computer Security & Cryptography (AREA)
- Theoretical Computer Science (AREA)
- Physics & Mathematics (AREA)
- General Physics & Mathematics (AREA)
- Finance (AREA)
- Signal Processing (AREA)
- Health & Medical Sciences (AREA)
- Strategic Management (AREA)
- General Business, Economics & Management (AREA)
- Computer Networks & Wireless Communication (AREA)
- Computing Systems (AREA)
- Medical Informatics (AREA)
- Public Health (AREA)
- General Health & Medical Sciences (AREA)
- General Engineering & Computer Science (AREA)
- Life Sciences & Earth Sciences (AREA)
- Computer Vision & Pattern Recognition (AREA)
- Computer Hardware Design (AREA)
- Primary Health Care (AREA)
- Mathematical Physics (AREA)
- Artificial Intelligence (AREA)
- Software Systems (AREA)
- Epidemiology (AREA)
- Animal Behavior & Ethology (AREA)
- Evolutionary Computation (AREA)
- Biophysics (AREA)
- Pathology (AREA)
- Biomedical Technology (AREA)
- Heart & Thoracic Surgery (AREA)
- Molecular Biology (AREA)
- Surgery (AREA)
- Physiology (AREA)
- Veterinary Medicine (AREA)
- Data Mining & Analysis (AREA)
- Psychiatry (AREA)
- Pure & Applied Mathematics (AREA)
- Mathematical Optimization (AREA)
Abstract
Description
- This disclosure relates to homomorphically encrypted data systems and methods, and more specifically, to validation of, and performing operations on, homomorphically encrypted confidential data without decryption of the confidential data, such as financial data.
- Privacy of sensitive personal information is an increasingly important topic as more personal data is transmitted and shared, particular via the use of wireless transmissions and cloud data services. Privacy issues arise due to the fear of having a security breach on cloud servers or due to the fear that the service providers themselves misuse this sensitive information. Standard encryption schemes try to address these concerns by devising encryption schemes that are harder to break, yet they do not solve the possible misuse of this sensitive data by the service providers themselves.
- While privacy of confidential and personal data, such as financial data, is a paramount concern, access to this data for legitimate purposes, such as to execute a financial transaction, is also needed.
- Accordingly, there is a need for improvement in the art.
- According to an embodiment of the invention, there is provided a method of processing a secure financial transaction, comprising: receiving a transaction request to complete a financial transaction, with at least a portion of the request encrypted according to a homomorphic encryption scheme, and the transaction request comprising confidential cardholder data including an account number, non-confidential cardholder data and transaction data; retrieving one or more sets of encrypted comparison cardholder data encrypted according to a homomorphic encryption scheme; comparing the encrypted confidential cardholder data to each set of the encrypted comparison cardholder data using one or more homomorphic operations to determine which set of comparison cardholder data matches the confidential cardholder data and validating the confidential cardholder data; generating an encrypted indicator indicating authorization or rejection of the request to complete the financial transaction based upon at least the validation of the confidential cardholder data; and forwarding the encrypted indicator indicating authorization or rejection of the request to complete the financial transaction to a party seeking authorization to complete the financial transaction, wherein the confidential cardholder data is never decrypted during the method.
- According to a further embodiment of the invention, there is provided a non-transient computer-readable medium containing computer-readable instructions which when executed by a computer processor perform the method of: receiving a transaction request to complete a financial transaction, with at least a portion of the request encrypted according to a homomorphic encryption scheme, and the transaction request comprising confidential cardholder data including an account number, non-confidential cardholder data and transaction data; retrieving one or more sets of encrypted comparison cardholder data encrypted according to a homomorphic encryption scheme; comparing the confidential cardholder data to each set of the comparison cardholder data using one or more homomorphic operations to determine which set of comparison cardholder data matches the confidential cardholder data and validating the confidential cardholder data; generating an encrypted indicator indicating authorization or rejection of the request to complete the financial transaction based upon at least the validation of the confidential cardholder data; and forwarding the encrypted indicator indicating authorization or rejection of the request to complete the financial transaction to a party seeking authorization to complete the financial transaction, wherein the confidential cardholder data is never decrypted during the method.
- Other aspects and features according to the present application will become apparent to those ordinarily skilled in the art upon review of the following description of embodiments of the invention in conjunction with the accompanying figures.
- The drawings illustrate, by way of example only, embodiments of the present disclosure.
-
FIG. 1 is a diagram of a secure computing environment according to an embodiment of the present invention; -
FIG. 2 is a diagram of a remote device according to an embodiment of the present invention; -
FIG. 3 is a diagram of a data system according to an embodiment of the present invention; -
FIG. 4 is a diagram of a key authority system according to an embodiment of the present invention; -
FIG. 5 is a diagram of another data system according to an embodiment of the present invention; -
FIGS. 6A-6J show equations for performing computations according to an embodiment of the present invention; -
FIG. 7 is a table of data used in an example for an embodiment of the present invention; -
FIGS. 8 and 9 show testing parameters and results of tests conducted; -
FIG. 10 is a diagram of a four-party credit card transaction system; -
FIG. 11 is a diagram of a payment processing chain according to an embodiment of the present invention; -
FIG. 12 is a diagram of a secure payment processing system according to an embodiment of the present invention; -
FIG. 13 is a chart showing secret key size reduction according to an embodiment of the present invention; -
FIG. 14 is a chart showing ciphertext size reduction and obviating a flatten function; -
FIG. 15 shows pseudocode for a ciphertext multiplication operation; -
FIG. 16 is a table of example parameter selection according to an embodiment of the present invention; and -
FIGS. 17A-17G show expressions/equations according to an embodiment of the present invention. - Like reference numerals indicate like or corresponding elements in the drawings.
- Although financial applications form the basis of the inventive examples discussed herein, the inventive techniques discussed have application to other forms of confidential data. In this context, the different devices and parties involved in data acquisition, storage, and analysis may be reconsidered as appropriate for the type of confidential data being processed.
- Homomorphic Encryption/Decryption
- The homomorphic encryption/decryption operations executed on confidential data may be performed as shown in
FIGS. 1-5 andFIGS. 6A-6J . Key generation may be performed at a secure system, such as thekey authority system 36.Public keys 68 may be pre-loaded onto theremote devices 20 containing the confidential information (such as a credit card, remote sensor, etc.) prior to deployment ofremote devices 20. Alternatively, or additionally,public keys 68 may be made available to theremote devices 20 via a network resource (such as a public cloud), which may be configured to require credential verification or authorization (e.g., user name and password) to accesspublic keys 68. Theencryption engines 62 on board theremote devices 20, and in thedata system 120, may be configured to implement the homomorphic encryption techniques discussed below. Thedecryption engine 104 at thekey authority system 36 may be configured to implement the homomorphic decryption techniques discussed below. Thecalculation engine 88 at thedata systems - Regarding notation for the below discussion, for an odd prime number q, the ring Z/qZ (or Zq) with the interval (−q/2, q/2)∩Z is identified. The notation [x]q denotes reducing x modulo q. The examples discussed herein use polynomial rings defined by the quotient polynomials R=Z[X]/Φm(X), where Φm(X)=xn+1 is the irreducible mth cyclotomic polynomial, in which n is a power of 2 and m=2n. Let Rq=R/qR. Any type of multiplication including matrix and polynomial multiplication is denoted herein by the multiplication operator ‘ ·’. Rounding up to the nearest integer is denoted by |a|. Matrices of rings are defined as AM×N, where Aij εRq and M, N are the matrix dimensions. Il×l represents the identity matrix of rings. Row vectors are represented as [a b], where a and b are the vector elements. Column vectors on the other hand are represented as [a; b].
- The parameters of the cryptographic scheme are n, the degree of the number field; q, the modulus; σk and σc, the standard deviation of the discrete Gaussian error distribution in the keyspace and ciphertext space, respectively; l┌log q┐ that governs the number of ring elements in a ciphertext. The setting of these parameters depends on the security level λ (e.g., λ=80 or 128 bits) as well as the complexity of functions contemplated to evaluate on ciphertexts.
- A bit decompose function BD (integer) takes an l-bit input integer, then outputs a row vector with size l containing the bit decomposition of this integer. (Note that the letter “l” referred to herein, including the figures, is a lowercase script letter “L”.) Similarly, BD (polynomial) takes an input polynomial of size n, where each coefficient is an i-bit integer, then outputs an l-sized row vector of polynomials (each of size n) containing the bit decomposition of each coefficient of the input polynomial, yielding a matrix of size l×n. Finally, BD (Matrix of polynomials) takes an input matrix of polynomials of size x×y (each polynomial is of size n with integer coefficients), then outputs a matrix of polynomials expanded by a factor l in the column dimension, yielding a matrix of size x×yl, where each consecutive l elements along the row contain the bit representation of each coefficient of each of the input polynomials. For example, the bit decompose of the input polynomial matrix Bx×y×n is BD (Bx×y×n)=βx×yl×n. It is noted that despite the fact that the polynomial coefficients of matrix βx×yl×n are single bit values, the storage requirement of matrix β in CPU or GPU memory is not equal to x×yl×n bits. This is due to the fact that the smallest addressable unit of memory is a byte (i.e., Byte Addressable). Hence, β requires x×yl×n bytes of storage. This results in the further observation that the storage requirement of βx×yl×n is at least 8 times the storage requirement of Bx×y×n.
- A bit decompose Inverse function BDI( ) is the inverse of the bit decompose function BD( ). The BDI( ) function groups consecutive l coefficients along a row (the coefficients don't need to be binary), and outputs the integer corresponding to those l bits. Mathematically, the BDI( ) function can be defined as multiplying the expanded matrix of polynomials βx×yl from the right by the matrix αyl×y defined in the equation of
FIG. 6A . (The polynomial dimension n is omitted from this point forward for clarity). Hence Bx×y=BDI (βx×yl)=βx×yl·αyl×y. - Ring Learning with Errors (RLWE) Based Encryption Scheme
- The method and system may employ a RLWE (Ring Learning With Errors) cryptographic scheme, and the general principles of such scheme will now be described. However, this scheme is not particularly limiting and other suitable polynomial-based fully homomorphic cryptographic schemes may be used. Moreover, any gaps in the below would be well understood by those skilled in cryptography in view of the known art.
- The system and method is configured to generate keys, encrypt information, and decrypt information.
- The key generator is configured to implement a Keygen (1λ) function as follows. A polynomial t←DR
q ,σk is chosen. The secret key becomes sk=s2×1←[1; −t] εRq 2. The public key is pk=A1×2=[b a], based on a uniform sample a←Rq, e←DRq ,σk , set b=a·t+e. It is noted that the expression inFIG. 17A holds. - As shown in
FIG. 13 , this is advantageous over a known secret key sk=v=PO2(s) based on a powers-of-two expansion such as PO2(x) defined as [x, 2x, . . . , 2l-1x]. Hence, the key generator generates smaller secret keys by a theoretical factor of l times. - The
encryption engine 62 is configured to implement an Enc(pk, μ) function as follows. The message space is Rq. A uniform vector rN×1 is sampled where each coefficient in the polynomials in r sampled from {0,1}, EN×2←DRq ,σc N×2. The plaintext polynomial μεRq is encrypted by calculating the expression inFIG. 17B . As shown inFIG. 14 , this is advantageous over prior techniques that use CN×N, as theencryption engine 62 results in smaller ciphertext by a theoretical factor of l times. - The
decryption engine 104 is configured to implement a Dec(sk, C) function as follows. Given the ciphertext C, the plaintext μεRq is restored by multiplying C by the secret-key s according to the expression inFIG. 17C . - This is advantageous over prior techniques that implement Dec(sk, C)=CN×N·vN×1, as the
decryption engine 104 requires the performance of fewer operations a theoretical factor of l times. - It is noted that the first l coefficients in the first term of the expression in
FIG. 17C are in the form μ, 2μ, . . . , 2l-1μ. This means that the element at location iε[0, l−1] is in the form μ·2i+error. That is, the most significant bit of each entry carries a single bit from the number μ assuming that error <q/2 and there is theoretically no wrap-around mod q as may be found in prior techniques. - It is now possible to perform operations on ciphertext without first decrypting the ciphertext. For input ciphertexts CN×2 and DN×2εRq N×2 encrypting μ1 and μ2 respectively, homomorphic operations are implemented as follows.
- The addition operator implements an ADD(C, D) function to add two ciphertexts CN×2 and DN×2 by performing the entry-wise addition CN×2+DN×2.
- The multiplication operator and bitwise decomposition function implement a MULT(C, D) function to multiply two ciphertexts CN×2 and DN×2 by performing the bitwise decomposition function (or BD) on one ciphertext and then executing the multiplication, as BD(CN×2)·DN×2.
- As shown in
FIG. 14 , this is advantageous over prior techniques that define MULT(C, D)=FLATTEN(CN×N·DN×N), where FLATTEN(A) is defined as BD(BDI(A)). The present technique requires fewer operations by a theoretical factor of at least l times. - Correctness of the above homomorphic addition should readily apparent to those skilled in the art. The multiplication is asymmetric in the input ciphertexts C and D. That is, the components of D are treated as a whole, whereas the components of C are broken up into their bit-wise decompositions. The multiplication is correct, as discussed below, and gives a slow noise-growth rate.
- The correctness of the multiplication operation should readily apparent to those skilled in the art in view of the expression in
FIG. 18D , in which matrix dimensions are removed for clarity. In the last line of the manipulation of expression inFIG. 18D , it is apparent that the encryption of μ=μ2·μ1. - Correct decryption depends on the ciphertext noise being bounded. Thus, it is important to understand how homomorphic operations increase ciphertext noise. Taking C as a fresh ciphertext, it is apparent that homomorphic addition of v ciphertexts increases the noise by a factor of v in the worst case. In various contemplated implementations, since the coefficients of the error polynomials are contemplated to follow a Gaussian distribution, the factor is closer to O(√{square root over (ν)}).
- It is further apparent that homomorphic multiplication of two ciphertexts C=Enc(μ1) and D=Enc(μ2) with error magnitudes B1 and B2, respectively, increases the error to O(B1·∥μ2∥2+B2·nlog q) in the worst case, and O(B1·∥μ2∥1+B2·√{square root over (nlog(q))}) in various contemplated implementations. Here, ∥μ∥1 denotes the l1 norm of the message polynomial μ. It is advantageous that error dependence on the two ciphertexts is asymmetric, as evident from the above.
- To multiply ν ciphertexts the order of multiplication is contemplated to play a role in error. In techniques described herein, input μ will typically be 0 or 1, meaning that the growth is simply additive with respect to B1. Thus, it is advantageous to multiply ν ciphertexts with (the same) error level B through an accumulator-like function as shown in
FIG. 15 , rather than using a binary tree of multiplications, which tends to grow error at superpolynomial rates. The resulting error growth is O(B·vn log (q)) in the worst case, and O(B·√{square root over (vnlog(q))}) in various contemplated implementations. Hence, the control logic may be configured to implement accumulative multiplications, as shown inFIG. 15 and as may be required by various contemplated implementations. - For example, reference is now made to the expression in
FIG. 17E , in which x1, . . . , xν are v-tuples of input encrypted bits, y1, . . . , yν are v-tuples of bits in some set S, and operation(xl⊕yl) represents binary XNOR between bits xi and yi. Since the form of the expression inFIG. 17E stipulates that exactly one of the terms may survive (F=1 when x1, . . . , xν εS, otherwise F=0), the small total error growth can result, even though the component computing based on the expression inFIG. 17E may not be able to determine precisely which term will survive. - It is apparent that noise grows to O(B·vn log q·|S|) in the worst case, or O(B·√{square root over (vn log (q)|S|)}) in various contemplated implementations. This is in contrast to O(B·√{square root over ((n log (q))log(ν)|S|)}) when using the known Brakerski-Gentry-Vaikuntanathan encryption scheme, implemented in IBM HElib. Indeed, such expressions, as in the expression in
FIG. 17E , are far from atypical, and they occur quite naturally in evaluating decision trees and PIR-like functions as will be discussed further below. - Another source of improvement afforded by the presently disclosed techniques is evident from the error term B1·∥μ2∥1+B2·n log q. When multiplication is performed using an accumulator, as shown in
FIG. 15 , B2 represents the smaller error in the fresh ciphertexts Ci, and B1 represents the larger error in the accumulated ciphertext Caccum. If Ci encrypts μ2=0, then the larger error term B1 disappears from the error expression. - This error reduction is also apparent from the expression in
FIG. 17E . When evaluating each of the products in the expression inFIG. 17E , the error can be seen to grow proportional not to ν, the total number of multiplications, but rather with k, the longest continuous chain of 1's starting from the end. It is contemplated that this is because the last time a zero is encountered in the multiplication chain, the error is reduced, by the observation above. Assuming that S is an expected set, the expected length of a continuous chain of trailing 1's is Σi=1 νi·2i<2. In other words, the multiplicative factor of ν disappears from the error expression as well, and error growth becomes close to O(B·√{square root over (n log(q)|S|)}). This is substantially the same effect as if |S| ciphertexts were added. - Further, when ƒ is taken as a function to be evaluated, for example, the expression in
FIG. 17E , the errorj(B,n,q) denotes how much the error grows when evaluating the function ƒ on ciphertexts in Rq with an initial error of magnitude B. For correct decryption, it is expected that the expression inFIG. 17F holds. Since errors tend to grow slower using the present techniques, q can be set to be correspondingly smaller to meet a security level equivalent to that of prior techniques. Following the analysis of Lindner and Peikert, for a security level of λ bits, it is expected that the following expression holds: -
n>log q(λ+110)/7.2 (7) - Because log q in the present techniques is smaller, n can be set to be smaller, for the same security level λ. In turn, a smaller n can result in a errorj(B,n,q) that is smaller, leading to an even smaller q, and so on. Suitable parameters are obtained by solving both the above inequalities in
FIGS. 17F and 17G together.FIG. 16 summarizes an example of such a parameter selection. - NTRU Based FHE Scheme
- As an alternative to the RLWE-based FHE scheme, in some examples of the invention, an NTRU variant of the encryption scheme is used to reduce computational complexity and to speedup operations, as will be detailed below. The encryption system works as follows.
- A key generation function, Keygen (1λ), requires the choosing of two polynomials ƒ1×1, g(1×1)←DR
q ,σk such that (a) f is invertible in the ring Rq; and (b) f≡1 (mod 2). This can be done by sampling the polynomial f from the distribution DRq ,σk until it satisfies conditions (a) and (b). - The public key pk and the private (secret) key sk can be computed from the equation shown in
FIG. 6B . - For the encryption function, Enc(pk, m), the message space is Rq. A plain text polynomial μεRq is encrypted by evaluating the equation of
FIG. 6C , where Sl×1, El×1←DRq ,σc l×1 are sampled from a discrete Gaussian distribution with standard deviation σc. This encryption function can be implemented at theencryption engine 62. - Concerning the decryption function, Dec(sk, C), for a given the ciphertext C, the plaintext μεRq is restored by multiplying C by the secret-key ƒ using the equation of
FIG. 6D . This decryption function can be implemented at thedecryption engine 104. - With reference to
FIG. 6D , the l polynomials in the first term of the last line are in the form μf, 2 μf, . . . , 2 l−1 μf. This means that the element at location iε[0, l−1] is in the form μƒ·2i+error. That is, the most significant bit of each entry carries a single bit from each coefficient in μƒ assuming that error <q/2 and there is no wrap-around mod q as is found in the prior art. As such, “샔 can be fully recovered from C which can then be multiplied by ƒ−1 to recover μ. - In addition to the ability to recover the message polynomial μ, the l ring elements in the ciphertext facilitate and manage noise growth in homomorphic operations (in particular, homomorphic multiplication) as described below.
- Regarding homomorphic operations, for input ciphertexts Cl×1 and Dl×1εRq l×1 encrypting μ1 and μ2 respectively, homomorphic operations are defined as follows. For an addition operation, ADD(C, D), to add two ciphertexts Cl×1 and Dl×1, the output is Cl×1+Dl×1, which is an entry-wise addition. For a multiplication operation, MULT(C, D), to multiply two ciphertexts Cl×1 and Dl×1, output is BD(Cl×1)·Dl×1. The addition and multiplication operations can be implemented at the
calculation engine 88. - The correctness of the above homomorphic addition and homomorphic multiplication should be apparent to those skilled in the art in view of this disclosure. It is clear that the multiplication operation is asymmetric in the input ciphertexts C and D. That is, the components of D are treated as a whole, whereas the components of C are broken up into their “bit-wise decompositions”. It is shown below that this multiplication method is correct and gives a slow noise-growth rate.
- The correctness of the multiplication operation is evident from the decryption operation shown in
FIG. 6E , in which matrix dimensions are removed for clarity. Note that the last line shown inFIG. 6E is the encryption of μ=μ2·μi·ƒ. Note also that BD (Cl×1)·BDI(Il×l)=Il×l·Cl×1=Cl×1. - Concerning noise analysis, taking C as a fresh ciphertext, the following observations can be made in view of the operation shown in
FIG. 6E . Homomorphic addition of v ciphertexts increases the noise by a factor of v, in the worst case. In some implementations, since the coefficients of the error polynomials follow a Gaussian distribution, the factor is closer to O(√{square root over (ν)}). In addition, homomorphic multiplication of two ciphertexts C=Enc(μ1) and D=Enc(μ2) with error magnitudes B1 and B2, respectively, increases the error to O(B1·∥μ2∥1+B2n log(q)) in the worst case, and O(B1·∥μ2∥1+B2√{square root over (n log(q))}) in various contemplated applications. Here, ∥μ2∥1 denotes the l1 norm of the message polynomial μ. As can be seen, error dependence on the two ciphertexts is asymmetric. - Regarding the setting of parameters, taking f to be a function that is being evaluated and that computes the multiplication of v ciphertexts, errorƒ(B, n, q) denotes how much the error grows when evaluating a function f on ciphertexts in Rq with an initial error of magnitude B. For correct decryption, the equation of
FIG. 6F should be satisfied. - Since error in accordance with the present invention may grow slower than in some known schemes and since there may be no need for a chain of moduli to control the noise growth, q can be set to be correspondingly smaller for the same security level afforded by such known schemes. For a security level of λ bits, the equation of
FIG. 6G should be satisfied. - Because log q according to the present invention may be smaller relative to known schemes, n may be set smaller for the same security level λ. In turn, with a smaller n, the new errorƒ(B, n, q) is smaller, leading to an even smaller q, and so on. Optimal parameters can be obtained by solving the above inequalities of
FIGS. 6F and 6G together. The table ofFIG. 7 summarizes an example parameter selection. - In addition, the encryption scheme according to the present embodiments does not use the flatten operation introduced by the GSW scheme. A flattened ciphertext (Ctxt) takes up a large memory space. It also needs considerable computation time to combine entries and decompose them back into bits (or even decompose them into groups of “m” bits for a higher radix Bit Decompose operator). Further, since the encryption scheme according to the present invention does not use a flatten operation, it does not have single bits representing ciphertexts. Rather, ciphertexts are represented as packed numbers mod q. To multiply ciphertexts, it is advantageous to use the fast NTT algorithm to speed up the ciphertext multiplication operation, as opposed to using regular polynomial circular convolution. The encryption scheme according to the present embodiment decrypts the most significant bit from all 1 polynomials in the ciphertext, as opposed to decrypting only a single bit from a single polynomial in the ciphertext. In this
way 1 bits, one from each polynomial, can be decrypted. These bits are combined back into the encrypted polynomial using the formula shown inFIG. 6H . - Types of encrypted confidential data that can be collected and homomorphic calculations that can be performed thereon are now discussed. Specific data/calculations discussed below include analysis of financial transaction data, particularly credit card data, and evaluation of relational operations. Although some of the examples discussed pertain to specific data, it is noted that some computations can be used for other types of data (e.g., relational operations). Further, it is noted that the examples discussed below are not limiting and other examples within the scope of the present invention are contemplated.
- Financial Transactions
- One area of application for an embodiment of the homomorphic encryption system is financial transactions, particularly credit card transactions. Attacks on credit card information have escalated tremendously in recent years, with major breaches resulting in millions of client record being exposed. Once exposed, the client information may be resold (e.g. on the dark web), used for fraudulent transactions, particularly card not present (CNP) transactions, or used for direct attacks on Point-of-Sale (POS) systems.
- These attacks happen because credit card information, either in the databases or for the client, are present in a plain text format at some point in the credit card authorization process. According to an embodiment of the present invention, the system may encrypt the credit card information from the point at which it is acquired and never decrypt the ciphertext even at the authentication step.
- Payment Processing
- Major credit card companies, such as VISA™ and MasterCard™, structure bank card transactions in what is called the four-party model. The parties in this model are the
cardholder 1500, the merchant 1510 (the service provider), the payment processor 1520 (the acquirer), and thecard issuer 1540. In addition, there is potentially a fifth party which is the credit card company (payment brand) 1530 all as shown inFIG. 10 . - The transaction starts when the
cardholder 1500, who wishes to purchase something, uses his credit card information on an online merchant or presents hiscredit card 1505 to themerchant 1510 at the store. Themerchant 1510, online or using the point of sale system, acquires and encrypts the credit card information and sends it 1515 to thepayment processor 1520 over the network. The encryption at the merchant may be done at the POS terminal or may be done using an application installed on the merchant's systems using the public encryption key. Thepayment processor 1520 then decrypts the credit card information and forwards it 1525 to thecard issuer 1530 for authorization. Themerchant 1510 charges the credit card and provides the service or product to thecardholder 1500 once the credit card authorization is received. Thepayment processor 1520 reimburses the merchant for the service, after that, thecard issuer 1530 pays back thepayment processor 1520 within 24 or 48 hours. A tokenized system may be utilized between the payment processor and the merchant to eliminate the need for the merchant to store the cardholder information. The merchant stores only a token corresponding to either the cardholder account or to the individual transactions. - Information, such as cardholder and transaction data, as well as internal fees, such as network and interchange fees, may be passed 1545 between the
payment processor 1520 andcredit card company 1540, or between 1555 thecard issuer 1530 andcredit card company 1540, or both, either as required during the transaction, or after the transaction. - There are multiple points of vulnerability in this credit card system that may allow attackers to steal credit card information.
- Point of Sale System (POS): When the cardholder presents his card at the merchant store, his/her card is swiped in a credit card machine or a card reader that transfers this information to a computer. There may be some points in the system where this card information is not encrypted for some time before sending it to the payment processor. At this point, malware installed in the system can gather this information and send it back to the attacker. To address this vulnerability, credit card information must be encrypted the moment it is read using the card reader. This way, malware will not be able to gather card information using this method. Currently, point to point encryption (P2PE) is used to securely transmit credit card information from the POS system to the payment processor, which then decrypts it to send to the card issuer for verification. P2PE uses 3DES or AES for encryption which may be considered safe for the time being but may not be secure against quantum computers in the future.
- Payment Processor: When the payment processor receives the encrypted credit card information from the merchant, it decrypts it and sends it in plaintext to the card issuer for authentication. This is a clear point of weakness. Any malware installed in the payment processor system, or any attacker who broke the secure channel between the payment processor and the card issuer, can gather the credit card information while being in plaintext form. To address this vulnerability, credit card information should never be decrypted at any point. Additionally, in the case of a tokenized system, the presence of the secure vault which translates the transaction into a token and vice versa. This vault stores all the cardholder information and their corresponding tokens. If this vault is hacked, valuable information will be at risk.
- The card issuer has two points of vulnerability: 1) it receives the client credit card information in plaintext. This exposes it to the possibility of attack; and 2) the card issuer database of credit card information for all its clients sits in a secure server in plaintext to compare it to the incoming card information. This is the largest security threat on credit card information. This is because an attack on this secure database will result in the loss of all credit card information.
- These vulnerabilities may be solved if all the credit card information in the database and also the incoming card information in plaintext were encrypted and were compared while in ciphertext.
- According to an embodiment as shown in
FIG. 11 , there is presented an embodiment of the present invention which is a change in the credit card authorization system that may provide a much higher level of security than current systems. The embodied system may be based on encrypting the credit card information at the POS system using quantum secure Fully Homomorphic Encryption (FHE) which is based on lattice based cryptography. The need for FHE is based on the need for both homomorphic addition and multiplication operations on encrypted data. If only one type of operation is required, somewhat homomorphic encryption may be used. Once the card information is encrypted at the online website or at the POS, there may not be a need to decrypt at any point afterwards. The encrypted credit card information may be compared against credit card database data (e.g. sets of cardholder data for various cardholders held in a database) at the card issuer which may also be encrypted using the same FHE encryption. - Thus, the system may eliminate any possible attacks on credit card information, either in the network, or in the database servers because they may all be encrypted using a quantum secure FHE encryption scheme.
- The cardholder data from the consumer 1610 (the primary account number (PAN)) is captured by the online transaction data entry (or at the POS), the data is encrypted using a public-key Fully Homomorphic Encryption (FHE) scheme. The credit card number (except for the first digit and the last 4 digits), month, year, and CVV numbers may be encrypted using the FHE public encryption key published by the credit card company. The name of the cardholder and the first digit and the last 4 digits of the credit card number may be encrypted using the regular encryption schemes. The
merchant 1620 then sends the encrypted PAN to the acquirer/payment processor 1630. - The
payment processor 1630 forwards the encrypted PAN to theappropriate payment brand 1640 using the credit card first digit (e.g., Visa™, MasterCard™, American Express™, etc.). Thepayment brand 1640 then forwards the encrypted PAN to the card issuer 1650 (issuing bank) using the next five digits (BIN: Bank Identification Number). - The
card issuer 1650 may use the cardholder name and last 4 credit card digits to narrow down the credit card entries in the database that match this information. Each entry in the narrowed down list may be enumerated, compared against the encrypted PAN using FHE algorithms, and the encrypted matching indicator will be multiplied by the number corresponding to each entry in the list. The encrypted result from each entry may all be added together to get a final result. The final result may encrypt the number of the matching account, the numbers corresponding to all other accounts will be multiplied by ‘0’ (due to mismatch), which will nullify the result. The encrypted result is sent back to thepayment brand 1640, which decrypts it and sends the final result, which is a single digit corresponding to the matching account, back to thecard issuer 1650 to verify that the card is not reported lost or stolen, and that the account has the appropriate amount of credit/funds available to pay for the transaction. The card entries may be ordered by most frequently used and the rest of the entries may be ignored once a hit is found to reduce the verification time. - If approved, the
issuer 1650 generates an authorization number and routes this number back along with a card-specific FHE encrypted PAN to thepayment brand 1640. Thepayment brand 1640 the forwards the authorization code and the encrypted PAN back to the acquirer/processor 1630. - The acquirer/
processor 1630 accesses asecure vault 1660 to retrieve/generate a token corresponding to the encrypted PAN. Note that thesecure vault 1660 may also be FHE encrypted except for the tokens. - The acquirer/
processor 1630 returns the token back to themerchant 1620. The merchant may retain the token long term in amerchant database 1670 for the processing of returns, retrieval requests or chargebacks, as well as for business intelligence reasons such as analysis of consumer buying behavior and creation of marketing programs. - This embodiment is an example of a centralized system where only one entity, the
credit card company 1640, owns the secret decryption key and distributes public encryption keys. Another embodiment is a decentralized system where eachcard issuer 1650 holds its own secret decryption key and that the POS systems recognize which card issuer the credit card belongs to and encrypts the card's information using the appropriate public encryption key corresponding to this card issuer. This decentralized system may need another entity which is solely responsible for decrypting the encrypted comparison result. This may be required to decouple the card issuer servers holding the encrypted credit card information from the servers which hold the valuable secret decryption key. - Another embodiment is the use of FHE multiparty computation. Different secret keys will be generated for each user and the public key will be stored in the credit card itself. The cardholder data will be encrypted by the user's public key and may be sent to the system for matching against other accounts. Multiple secret decryption keys will be required to decrypt the final result. Additionally, with multiple keys, each party may be limited to decryption only of the information associated with their key, and not be capable of decrypting any other information, improving overall security of the data.
- The system may be applied on multiple different levels: the first version is a full system where information is encrypted from the origin and never decrypted at any point in the system.
- The second version is a partial system where, in order to accommodate the current payment systems, and to reduce the risk of data attacks, at the payment processor, after card information decryption, card information can be re-encrypted using FHE before sending to the card issuer. This may reduce the possibility of attacks but there is a brief moment in time where data is in the clear between information decryption and re-encryption where data can reside in the device memory vulnerable to attacks. However, the credit card database at the card issuer may always remain encrypted using FHE.
- The system also supports online transactions using online payment systems using credit cards or PayPal or other online transaction services where payment information may be encrypted on the client PC prior sending over the Internet.
- According to an embodiment, credit cards consist of the following key information: Bank name (Front); Credit card number of 13-19 digits (Front); Credit card expiry date (Front); Cardholder name (Front); and Card Verification Value (CVV) (Back). The credit card number consists of a leading 6-digit Bank Identifier Number (BIN), also known as an Issuer Identifier Number (IIN), and a 6- to 12-digit account number, and a single digit checksum number. The terminating 3 digits of the account number and the checksum number are encrypted with the same FHE scheme but using a different key which may be given to specific parties for decryption. Other cards based on a BIN or IIN, such as debit cards, reward cards, and merchant-specific cards may also be used and have an equivalent numbering system.
- In an embodiment, the following fields may be encrypted using quantum secure lattice-based Fully Homomorphic Encryption (FHE): the middle 3-9 digits of the credit card number (e.g. the secure portion of the account number), the expiry date and the CVV number. These fields may never be decrypted at any point in the verification process. They may always be in the ciphertext (Ctxt) form.
- The remaining items in the credit card may be encrypted using the same encryption scheme but with one or more different public/secret key pairs. A proper key management system is crucial for the overall security of the system. The other keys may be used by intermediate parties to decrypt the needed fields. Though the remaining fields may be encrypted using an FHE scheme, no homomorphic operations may be applied to them. Every character of the remaining fields may be encoded in adjacent coefficients in the same polynomial. The remaining fields are: bank name, cardholder name, and the first 6 digits (BIN number) and last 4 digits of the credit card number.
- These remaining fields may be in plaintext (Ptxt) form at some points in the verification process. They help identify the credit card company (first digit) and well as narrow down the credit card entries in the card issuer credit card database (last four digits+Cardholder name). This choice narrows down the probable matching cards to just a few. Additionally, by partitioning the fields, the system may accommodate future changes to the credit card number system, such as the 8-digit and alphanumerical BIN proposals developed by the International Organization for Standardization (ISO).
- Additionally, further fields may be included in the transaction request and handled without disruption as, since the data is not decrypted, the actual source and content of the data is not significant, only the ability to validate and authenticate it. Thus, developments such as biometric (e.g. fingerprint) identification, rotating or variable CVV numbers, and one-time card numbers may all be validated and authentication via the present method and system, and, in some cases, without any substantive changes.
- As mentioned earlier, some fields in the credit card information may never be decrypted at any time in the verification process. Performing the credit card authentication using these encrypted items uses the properties of the FHE encryption scheme.
- Fully homomorphic encryption permits addition and multiplication operations on encrypted data to generate an encrypted result, which, when decrypted, gives the correct result if the same set of operations were applied on unencrypted data.
- To perform blind matching between two single bits x and y, it is possible to apply the XNOR binary operation on these two bits z=
x⊕y . To implement the XNOR operator homomorphically, it needs to be broken down into addition and multiplication operations, specifically, z=x⊕y =xy+x y . - To match multiple-bit inputs, x=xix2 . . . xn and y=y1y2 . . . yn, this can simply be done by matching the corresponding, same-order, individual bits, and multiplying the result of the individual bit matching together z=zi×z2× . . . ×zn. Where the final result z is a single bit indicating if x is equal to y or not.
- Implementing the XNOR operation using
x⊕y =xy+x y is used for other homomorphic encryption schemes which support multiplying multiple accumulator Ctxts (Ctxts that encrypts the result of previous Ctxt multiplications). This multiple accumulator multiplication is not suitable for the embodied encryption scheme since the parameter values are set to be as small as possible, while keeping the security level constant, that it supports multiplying an accumulator only with either fresh Ctxts, or Ctxts that are results from Ctxt addition/subtraction operations. This may reduce the memory and network usage of the Ctxts, and may also speedup Ctxt operations. - To address this, the XNOR operation can be re-written to make it suitable for the embodied encryption scheme. The XNOR is reformulated to be z=
x⊕y =(1−x−y)(1−x−y) and applying this formula on x and y will result in z=1 only when x=y. This addresses the system requirements, since for multi-bit inputs x and y, the matching bit z equals z=(1−x1−y1)(1−x1−y1)(1−x2−y2)(1−x2−y2) . . . (1−xn−yn)(1−xn−yn). Now each individual bracket consists only of Ctxt addition/subtraction operation which is implementable using the embodied encryption scheme. - Secure relational operation where z=1 if x>y, and z=0 otherwise is also possible using the FHE encryption scheme using the secure relational operations as discussed above in
FIGS. 6I and 6J . This can be very useful to also be able to check if the amount needed for the credit card transaction “y” is exceeds the credit limit for this account “x” (or exceeds the account limit in case of a debit card). - According to an embodiment, in performing the secure credit card authentication, the middle digits (for this example, 6 digits for a 16-digit card number are assumed) of the credit card number are first converted into bits where each bit is then encrypted using FHE encryption. The same process is performed for the expiry date and the CVV number. These encrypted bits are then sent on the network along with the cardholder name, bank name, BIN number, and last 4 digits of the credit card to the payment processor which then forwards them to the appropriate card issuer. The card issuer will then receive this information, and using the cardholder name and last 4 digits of the card number, it will narrow down the search to just a few possible matching accounts (due to the match in the name and the last 4 digits) and the corresponding encrypted information will be fetched. Secure authentication is then applied between the incoming encrypted information and the possible matching accounts. The authentication operation done on the non-matching accounts will result in an encrypted indicator which is z=0. The matching account, if all the bits of the credit card number, expiry date, and CVV numbers match (and possibly BIN number if used), and if the requested transaction amount is less than the account balance or limit, an encrypted indicator of z=1 will be generated. The encrypted indicator, either ‘0’ or ‘1’ can then be multiplied by a number corresponding to the order of this entry against the reduced list. To decrypt this final result and to get a confirmation for this transaction, this encrypted indicator, which encrypts the order of the matching account in the reduced list, needs to be decrypted using the secret decryption key available at the credit card company (or on a separate secure server owned by the card issuer in the case of decentralized scheme). After decryption, only a single digit is returned which corresponds to the order of the matching account in the reduced list.
- In another embodiment, the sensitive bits for the input card and for each of the matching accounts are partitioned into “k” parts, where “k” corresponds to the number of processors (e.g. GPUs) available in each machine and each part is sent to a different GPU. Each GPU may be enumerated by a number ranging from 0 to k−1. The result from each GPU may be rotated by a number of polynomial slots corresponding to its GPU number by multiplying by a polynomial with a 1 shifted to the corresponding location. When the results are available from each GPU, all the results are added. This will produce a result where k slots of the encrypted polynomial each has a bit corresponding to a match or non-match for the corresponding bits. After decryption, if all the bits are non-zero, this means that this account is a match. When a matching account is found, it may be put at the top of the list in the database to make matching time faster in the next times, also the remaining accounts may be ignored.
- The quantum-secure, lattice-based FHE scheme used for this system may be computationally intensive. To speed up the homomorphic operations, graphical processing units (GPUs) are used alongside the CPUs in the system. Each GPU is capable of supporting a number of transactions per second. To achieve high transactions per second required by large transaction companies like VISA™ and MasterCard™ (each may require up to 4000 transactions per second), many GPU cards are required. To realize such a performance throughput, a multi-server environment may be implemented that can be scaled to serve any level of demand.
- Furthermore, while the above embodiment presents a simple matching of the credit card in the transaction request against a list of account names and numbers to determine the presence of a valid account, other lists and types of validation may also take place. For example, there may be a separate list of stolen/lost cards and cardholder data against which the transaction request may be compared as well. In that case, the card number may be valid, but the authentication denied, if the card also appears on the stolen/lost list. A similar process may also be used for other validation and authentication lists, such as blacklisted countries for transaction, while remaining compliant with laws regarding disclosure of such information.
- This may also be directed to the benefit of the user and/or merchant as well, such as by matching data in the request to a merchant rewards program, either by extracting the data from the request, or by matching it in a list. This reduces the need for multiple transactions and separate processing, potentially leading to greater transaction efficiency. Further extensions and variations may only be limited by data bandwidth and processing time requirements.
- Effectively, any encrypted data may be validated and authenticated against any set of encrypted data without the need for decryption. Changes in the data formats, data structure, or even the data itself may be more easily accommodated, since decryption information need not be shared.
- Homomorphic encryption does not natively provide data integrity. Hackers may be able tamper with the encrypted data by apply their mathematical operations on the data while at rest or in motion. This may affect the result of the manipulated data and may change the result to something that may aid the hacker in an attack. For example, applying a homomorphic OR operation on the final encrypted flag with an encrypted “1” which will make the result always a “1” or “Transaction Granted”. The protection of data integrity from the modification of unauthorized parties may be provided by applying extra mathematical machinery to provide a tamper resistant credit card authentication system. As an example, without limitation, a Hash-based Message Authentication Code (HMAC) can be appended to the encrypted message to provide the required authentication of the message integrity.
- In addition, as an extra security protection layer to the credit card transaction, the system may support encrypting a credit card CVV number that is periodically changing over time. The system may homomorphically encrypt the CVV number generator key and store it in the bank database. When a new customer credit card is to be verified and purchase authorized, mathematical operations are applied homomorphically on the CVV generator key to generate the new valid CVV number to be matched against the customer credit card to be verified.
- For example, other forms of static or quasi-static private identification data which required both confidential/encrypted treatment and validation and authentication for a request, may be used within this system and method. Not only bank debit cards (similar data structure to credit cards), but other private identification which is typically found in a card or similar format may be used. As with credit cards, the data deemed confidential and the data which may be shared as cleartext depends on the decisions of the governing body responsible for the identification data, e.g. the government in the case of a passport.
- The full system according to an embodiment is shown in
FIG. 12 . The authentication process may take place when thepayment processor 1710 sends the credit card information to the card issuer. The card issuer may have a front-end server 1720 that accepts incoming requests. This front-end server 1720 may be connected to a network ofGPU machine farms 1730 that send frequent updates to the front-end server 1720 about its occupancy (if it is free or not). When the front-end server 1720 receives a request, it may check its server table for afree machine 1740, and fetch its corresponding IP address. This IP address is then sent back to thepayment processor 1710. Thepayment processor 1710 then connects to thisfree computing node 1740 and sends the cardholder card information to it. When thecomputing node 1740 gets that information, it may fetch from the database the data of the credit cards which match the cardholder name and the last four digits. The authentication process may then take place on that GPU on thisspecific machine 1740. The result of the authentication operation may then be sent to thecredit card company 1750 for decryption. The decrypted authentication digit may then be sent back to thecard issuer 1710 to indicate the final result. This system may be implemented to ease the network connection requirements for the front-end server 1720 and to distribute it on all thecomputing nodes 1730. - According to a more general embodiment,
FIG. 1 shows a networked computer system embodying various aspects of the present invention for use with confidential data. A plurality ofremote devices 20 are connected to adata system 22 via a wide-area network 24. Theremote devices 20 may include devices such aswearable devices 26,terminals 28,terminals 30, and the like.Wearable devices 26 may include devices such as special-purpose devices, smart-watches, wearable computers, smart clothing, and similar.Wearable devices 26 may include, but are not limited to, sensors such as global positioning system (GPS) receivers, and similar.Terminals 28 andterminals 30 may include devices such as smartphones, tablet computers, desktop/laptop computers, and similar. Features that mutually distinguish theremote devices 20 such aswearable devices 26,terminals 28, andterminals 30 are not contemplated to limit the present invention. Functionality of these devices 26-30 may overlap.Wearable devices 26 andterminals 28 collect data directly from users and may do so without the need for manual input by users.Wearable devices 26 andterminals 28 may allow for manual input by a user 32 (e.g., typing or selecting) of data.Terminals 30 may require some form of manual input by personnel 34 to enter data related tousers 32. - The
remote devices 20 may be configured to collect data. - The wide-
area network 24 may include one or a combination of data networks, such as a local-area network, a wireless network, a cellular network, an intranet, a virtual private network (VPN), and the Internet. - The
data system 22 may include one or more computers, which may be known as servers, configured with program code that is stored in memory and is executed by one or more processors to perform homomorphic calculations on data collected from theremote devices 20, as discussed in detail below. - The system may further include a
key authority system 36 andanalyst terminals 38. - The
key authority system 36 stores one or more cryptographic keys, such as one or more private (secret) keys for a fully homomorphic asymmetric cryptographic scheme, such as a ring-learning with errors (RWLE) or NTRU homomorphic encryption scheme. Thekey authority system 36 includes one or more servers configured to store such private keys and restrict the use of the private keys to authorized users. - Each private key controlled by the
key authority system 36 may correspond to a public key that is distributed to theremote devices 20. Data encrypted by theremote devices 20 could be decrypted by users with access to the respective private key, although this is not central to the present embodiment. According to the present embodiment, the results of homomorphic calculations performed on encrypted data may be decrypted by users with access to the respective private key. It is contemplated that a large number ofremote devices 20 may share the same public key and thus form a large and continuous source of data for homomorphic calculations that do not require the decryption of the data. Rather, the private key may only be needed for the decryption of calculation results. - Any number of public-private key pairs may be used. It may be advantageous to
segment devices 20 into different sets, according to device type or other factor, by providing such devices with different public keys. Different sets or types ofdevices 20 may be given different public keys based on other factors, such as the group/organization, device manufacturer, etc. Further, for adevice 20 that collects multiple types of data, each type of data may be assigned to a different public key for encryption by that public key. Again, this may reduce exposure of user data. For sake of clarity, the examples discussed herein reference a single public-private key pair, but it should be noted that the present invention contemplates various public-private key pairs. Further, it is important to note that collaboration and computation using a set of data is limited to a set of encrypted data that is able to be decrypted by the same private key. Hence, to facilitate wide-ranging collaboration and computation, limiting the system to a single private key may be advantageous. -
Analyst terminals 38 may include devices such as smartphones, tablet computers, desktop/laptop computers, and similar operable byanalysts 40 such as administrators, researchers, and the like.Analyst terminals 38 may initiate homomorphic calculations performed at thedata system 22 and may have the encrypted results of such calculations decrypted by the private key held by thekey authority system 36. Plaintext results of the calculations may then be outputted at theanalyst terminals 38 for further calculation and study. - The private key can be provided to decrypt calculation results in various ways, depending on specific requirements of various implementations according to the present invention. Encrypted results of calculations may be transmitted to the
key authority system 36 for decryption at thekey authority system 36, with the decrypted plaintext results (DR) 42 of the calculations being transmitted to one ormore analyst terminals 38 for output via asecure channel 44, such as a secure subnetwork, a VPN operating through the wide-area network 24, or similar network that offers increased security. Additionally, or alternatively, such asecure channel 44 may be used to transmit the private key from thekey authority system 36 to theanalyst terminals 38 to decrypt calculation results at one ormore analyst terminals 38. Thesecure channel 44 need not be limited to network communications. For example,analyst terminals 38 may be situated at physically secure locations, thereby offering a physical aspect to thesecure channel 44, if the private key or encrypted data is to be transmitted over a network. Alternatively, thesecure channel 44 may be mainly or exclusively physical and the private key or encrypted data can be copied onto physical key cards, memory sticks, or similar devices that can be used to manually convey the private key or encrypted data to theanalyst terminals 38. - In operation, data may be continually collected by the
remote devices 20, encrypted at theremote devices 20, and transmitted to thedata system 22 as encrypted data (ED) 50. In general, any device transmitting data to thedata system 22 may be configured to encrypt its data prior to transmission. Thedata system 22 may store theencrypted data 50 for as long as desired. At any time, ananalyst terminal 38 may be used to select a set of data for analysis and to configure a calculation to be performed on the selected set of data. This information may be sent by theanalyst terminal 38 to thedata system 22 as a calculation command (CC) 52 that triggers thedata system 22 to perform the calculation on the selected encrypted data, according to a homomorphic technique, without decrypting the data to obtainencrypted results 54. Theencrypted results 54 of the calculation may then be transmitted to theanalyst terminal 38. Theanalyst terminal 38 may then obtain decryptedresults 42 using thesecure channel 44 to communicate with thekey authority system 36. - Advantageously, data may not be decrypted during the performance of calculations. User privacy may be improved and it is contemplated that more users may volunteer their data to be used in studies knowing that their data is better protected. In addition, opportunities for man-in-the-middle and other types of attacks may be mitigated due to the data and calculation results being transmitted in encrypted form and due to tight control of the private key.
- In other applications, the
remote devices 20 such aswearable devices 26,terminals 28,terminals 30,data system 22,terminals 38,remote devices 130 and other components may be specifically general purposes devices or devices made specific to a chosen application. -
FIG. 2 shows an exampleremote device 20. Theremote device 20 may include asensor 60 and/or input device, anencryption engine 62, and anetwork interface 64. Theremote device 20 may further include memory (e.g., RAM, hard-drive, solid-state drive, etc.) for storing captureddata 66, apublic key 68, andencrypted data 50. Theremote device 20 may also include a processor configured to execute theencryption engine 62 and control operations of theremote device 20. - The sensor and/or
input device 60 may be configured to capture data of an individual. Example input devices include a keyboard or touchscreen, for manual entry of data. An input device may be used together with a sensor, such that the collected data includes manually inputted data as well as directly measured data. The type and nature of the data captured is not particularly limited. - The
encryption engine 62 may be configured to apply thepublic key 68 to encrypt the captureddata 66 to generateencrypted data 50. Theencryption engine 62 may be configured to perform fully homomorphic encryption as discussed above. - The
network interface 64 may be configured to communicateencrypted data 50 to thenetwork 24 and specifically to the data system 22 (FIG. 1 ). After theencrypted data 50 has been transmitted to thedata system 22, it may be deleted to save memory. -
FIG. 3 shows an example of thedata system 22. Thedata system 22 may include anetwork interface 80, adata accumulator 82, aquery constructor 84, auser interface 86, and acalculation engine 88. Thedata system 22 may further include memory (e.g., RAM, hard-drive, solid-state drive, etc.) for storingencrypted data 50, encrypted calculation results (ER) 54,data 90, andauthorizations 92. Thedata system 22 may also include a processor configured to execute thedata accumulator 82, thequery constructor 84, theuser interface 86, and thecalculation engine 88 and to control operations of thedata system 22. It is noted that no encryption key need be stored at thedata system 22, as thedata system 22 performs its calculations on encrypted data. - The
network interface 80 may be configured to receive data and commands from thenetwork 24. Thenetwork interface 80 may be configured to receiveencrypted data 50 and commands from theremote devices 20. Thenetwork interface 80 may be configured to receive calculation commands fromanalyst terminals 38. - The data accumulator 82 may be configured to control the capture of
encrypted data 50 from the plurality ofremote devices 20. The data accumulator 82 may be configured to periodically interrogate eachremote device 20 for new encrypted data, receive such encrypted data in response, and store suchencrypted data 50 in memory at thedata system 22. The data accumulator 82 may be configured to reference theauthorizations 92 as a condition for collecting data. - The query constructor 84 may be configured to receive calculation commands from
analyst terminals 38. A calculation command triggers commencement of a calculation by thecalculation engine 88. A calculation command may include parameters specifying a set of theencrypted data 50 on which to conduct a calculation as well as parameters specifying the nature of the calculation. The query constructor 84 may be configured to provide to the analyst terminals 38 a summary of theencrypted data 50 available for calculation. The query constructor 84 may be configured to reference theauthorizations 92 as a condition for using elements ofencrypted data 50 in calculations. - The
user interface 86 may be configured to receive commands and data fromremote devices 20,analyst terminals 38, or other devices and to output information about theencrypted data 50. Specifically, theuser interface 86 may be configured to receivedata 90 that is not necessarily encrypted.Data 90 may also include associations to theencrypted data 50, such that elements ofencrypted data 50 may be linked to thedata 90 that is considered useful for designing studies. For example, an association ofdata 90 toencrypted data 50 may include a unique identifier, such as a hash or serial number, of the user in both theencrypted data 50 and thedata 90. It may be beneficial to include the unique identifier in theencrypted data 50 in plaintext form, such as via an unencrypted metadata field attached to theencrypted data 50, a file name, or an unencrypted database field in association withencrypted data 50 stored in a database. - The
user interface 86 may be configured to receive commands to controlauthorizations 92 that are granted by users or other individuals to, for example, analysts atterminals 38.Authorizations 92 may include data indicative of the consent to collect and storeencrypted data 50 and consent to makeencrypted data 50 available to thecalculation engine 88. In applications,authorizations 92 may include one or more many-to-many mappings that map users to data and further to individuals or organizations, such that each (or his/her legal representative) can give consent to provide any type of data to any individual or organization.Authorizations 92 may also include time windows for consent, such that consent is automatically withdrawn after expiry of a selected time. - The
user interface 86 may include an authentication system, such as a username and password log-in authentication system, for verifying that users who modifydata 90 andauthorizations 92 are authorized to make such changes. - The
calculation engine 88 may be configured to perform homomorphic calculations onencrypted data 50 according to received parameters defining the set ofencrypted data 50 and the calculations to perform. Thecalculation engine 88 outputsencrypted results 54 that are transmitted via the network interface to thekey authority system 36 or theanalyst terminal 38. Thecalculation engine 88 can be configured to perform any suitable calculation in the encrypted domain. - Such calculations are contemplated to include addition, multiplication, discrete calculations, continuous calculations, comparisons using relational operations, combinations of such, and similar. Further, such calculations may be modeled as polynomial series. To achieve this, the
calculation engine 88 may be configured as described below. -
FIG. 4 shows an examplekey authority system 36. Thekey authority system 36 may include anetwork interface 100, anauthorization processor 102, and adecryption engine 104. Thekey authority system 36 may further include memory (e.g., RAM, hard-drive, solid-state drive, etc.) for storing encrypted calculation results 54, aprivate key 106, and decryptedresults 42. Theprivate key 106 corresponds to the public key 68 (FIG. 2 ) stored in theremote devices 20. Thekey authority system 36 may also include a processor configured to execute theauthorization processor 102 and thedecryption engine 104, as well as to control operations of thekey authority system 36. - The
network interface 100 may be configured to receiveencrypted results 54 fromanalyst terminals 38 via the secure channel 44 (FIG. 1 ). Thenetwork interface 100 may be further configured to transmit the decryptedresults 42 toanalyst terminals 38. Alternatively, or additionally, thenetwork interface 100 may be configured to transmit theprivate key 106 to theanalyst terminals 38 via thesecure channel 44. - The
authorization processor 102 may be configured to restrict access to thekey authority system 36 to authorized users. Theauthorization processor 102 may include an authentication system, such as a username and password log-in authentication system or an electronic credential verification system, for verifying users who attempt to access the decryptedresults 42 or theprivate key 106 or both. - The
decryption engine 104 may be configured to apply theprivate key 106 to decrypt the encrypted calculation results 54 to generate the decrypted results 42. Thedecryption engine 104 may be configured to perform homomorphic decryption as discussed herein. -
FIG. 5 shows adata system 120 according to an embodiment. Thedata system 120 may include components discussed herein, such asdata system 22. The description for such components can be referenced with like reference numerals indicating like components. For sake of clarity, only differences will be discussed in detail. According to an embodiment, thedata system 120 may replace thedata system 22 in the system ofFIG. 1 . - The
data system 120 may be configured to generate alerts based on calculations performed onencrypted data 50 received fromremote devices 20. Thedata system 120 may transmit these alerts via thenetwork 24 to remote devices 130 (FIG. 1 ) operated by professionals who may act on such alerts. It is contemplated that generated alerts remain in the encrypted domain. As such, alerts may be routed through thekey authority system 36 for decryption prior to being transmitted to the relevantremote devices 130 in plaintext form. In such case, privacy may be enhanced by having the plaintext form of the alert be a general indication of the nature of the alert (e.g., a text alert) rather than specific numerical values, as it is contemplated that recipients of alerts may have background knowledge of the specific condition and perhaps knowledge of specific alert trigger values. Alternatively,remote devices 130 may be provided with the private key to decrypt received alerts. - The
data system 120 may includealert triggers 122 executable by a processor and configurable by authorized users. The alert triggers 122 and thecalculation engine 88 may perform comparisons betweenencrypted results 54 andencrypted alert conditions 124 stored in memory and configurable by authorized users. Encryptedalert conditions 124 may be initially received in unencrypted form via thenetwork interface 80 before being encrypted by anencryption engine 62 using the samepublic key 68 that encrypts the data at theremote devices 20. Encryptedalert conditions 124 may be applied to data represented by theencrypted results 54 and alert triggers 122 issue alerts for data that meet the conditions. Such alerts may be configured to be transmitted via thenetwork interface 80 and thenetwork 24 toremote devices 130 of selected authorized users, such as professionals. Alerts may be communicated via thekey authority system 36 for centralized decryption prior to being forwarded to the selected authorized users in plaintext form. Alternatively, theremote devices 130 may store theprivate key 106 and may be configured with adecryption engine 104 to decrypt the alerts. For example, a professional may set analert condition 124 for a user, identified bydata 90, using a equation homomorphically evaluated in the encrypted domain by thecalculation engine 88 using data continuously collected by awearable device 26. The encryptedalert condition 124 may be a particular maximum, minimum, or interval, if met or exceeded, causes thealert trigger 122 to send an electronic alert message toremote devices 130 operated by a professional who may be otherwise be unaware of the specific alert conditions. Advantageously, the specific evaluation and the values evaluated may remain in the encrypted domain, so as to improve privacy. - The alert triggers 122 may be evaluated on a periodic basis or upon detecting new
encrypted data 50. The alert triggers 122 may store information concerning delivery of the alert, such as network addresses (e.g., email addresses, phone numbers, etc.) of the destinationremote devices 130 that are to receive the alerts. - Various components of the
data systems calculation engine 88, may be implemented as one or more hardware devices. Such hardware devices may be configured to implement the computational techniques discussed herein using only hardware or by using hardware that executes program code. A suitable hardware device may be configured to implement the computational techniques discussed herein using, for example, Chinese Remainder Theorem (CRT), Number Theoretic Transform (NTT), one or more memory blocks, one or more memory interfaces, matrix multiplications, matrix additions, or a combination of such. One such suitable hardware device to achieve this is a Graphics Processing Unit (GPU). Other examples of suitable hardware device include a field-programmable gate array (FPGA) and an application-specific integrated circuit (ASIC). - Tests were conducted on a system constructed according to the present invention.
FIG. 8 details the test system used.FIG. 9 summarizes performance results of the homomorphic operations for the present invention compared to Khedr, A., Gulak, G., and Vaikuntanathan, V. SHIELD: Scalable Homomorphic Implementation of Encrypted Data-Classifiers, Cryptology ePrint Archive,Report 2014/838, 2014 (http://eprint.iacr.org/2014/838.pdf) shown inFIG. 9 at “Khedr 2014”; Lauter, K., Lopez-Alt, A., and Naehrig, M. Private Computation on Encrypted Genomic Data. Tech. Rep, MSR-TR-2014-93, June 2014 shown inFIG. 9 at “Lauter 2014”; and LBos, J. W., Lauter, K., and Naehrig, M. Private predictive analysis on encrypted medical data, In Journal of biomedical informatics, Elsevier Inc., 2014, pp. 234-243 shown inFIG. 9 at “LBos 2014”. The results reported for “Lauter 2014” are for larger parameters with larger circuit depth, as the circuit depth used to test the present invention is higher than in “Lauter 2014” with the chosen parameters. As can be seen, a CPU implementation of the present invention may achieve a 58 times speedup for a multiplication operation as compared to “LBos 2014”. By additionally exploring the parallelizable properties of the present invention, a 104 times speedup may be achieved by distributing computations on GPU cores. This resulted in an overall 6085 times speedup for the multiplication operation compared to “LBos 2014” and a 286 times speedup compared to “Lauter 2014”. - The present invention may be advantageously scalable across multiple GPU cards. Experiments were made using four GPU cards connected to the same computer to measure loss in performance due to cross-GPU communication. By partitioning large problems into small ones, computations can be scheduled among all four GPUs to obtain a speedup of 3.946 times, which indicates that communication overhead was reduced.
- Additionally, according to an embodiment, the encryption scheme described herein may be used in privacy-preserving machine learning applications, in privacy-preserving data mining including privacy-preserving data clustering applications, and in general secure computations on financial or other confidential data. For example, the
calculation engine 88 may be configured to perform homomorphic calculations related to privacy-preserving machine learning applications, in privacy-preserving data mining including privacy-preserving data clustering applications on encrypted data. - Numerous advantages may be apparent from the above description of the present invention. Concerning wearable and portable devices and the “Internet of Things” (IoT), the present invention can be used to encrypt all data measured by wearable and portable devices prior to uploading such data to the cloud. This can be very useful to help researchers conduct research on confidential data, in a manner that preserves privacy. As discussed, these devices can store public encryption keys produced by a centralized entity, which is also responsible for the control and distribution of private/secret keys to facilities where computation results/alerts are to be decrypted. Wearable/portable devices need only encrypt the captured data, and the modest processing power that is known in these kinds of devices is not a significant hindrance to implementation. Since performance of the encryption function is not necessarily time critical, embedded processors can encrypt measured data within seconds instead of milliseconds and still have acceptable performance.
- The present invention may be embodied in other specific forms without departing from the spirit or essential characteristics thereof. Certain adaptations and modifications of the invention will be obvious to those skilled in the art. Therefore, the presently discussed embodiments are considered to be illustrative and not restrictive, the scope of the invention being indicated by the appended claims rather than the foregoing description and all changes which come within the meaning and range of equivalency of the claims are therefore intended to be embraced therein.
Claims (20)
Priority Applications (2)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
US15/468,621 US20170293913A1 (en) | 2016-04-12 | 2017-03-24 | System and methods for validating and performing operations on homomorphically encrypted data |
US16/297,803 US12093939B2 (en) | 2016-04-12 | 2019-03-11 | System and methods for validating and performing operations on homomorphically encrypted data |
Applications Claiming Priority (3)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
US201662321411P | 2016-04-12 | 2016-04-12 | |
US201662417490P | 2016-11-04 | 2016-11-04 | |
US15/468,621 US20170293913A1 (en) | 2016-04-12 | 2017-03-24 | System and methods for validating and performing operations on homomorphically encrypted data |
Related Child Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
US16/297,803 Continuation US12093939B2 (en) | 2016-04-12 | 2019-03-11 | System and methods for validating and performing operations on homomorphically encrypted data |
Publications (1)
Publication Number | Publication Date |
---|---|
US20170293913A1 true US20170293913A1 (en) | 2017-10-12 |
Family
ID=59998250
Family Applications (4)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
US15/468,621 Abandoned US20170293913A1 (en) | 2016-04-12 | 2017-03-24 | System and methods for validating and performing operations on homomorphically encrypted data |
US16/093,162 Active 2037-06-28 US11257076B2 (en) | 2016-04-12 | 2017-03-27 | System and methods for validating and performing operations on homomorphically encrypted data |
US16/297,803 Active US12093939B2 (en) | 2016-04-12 | 2019-03-11 | System and methods for validating and performing operations on homomorphically encrypted data |
US17/571,458 Active 2038-05-16 US12131319B2 (en) | 2016-04-12 | 2022-01-08 | System and methods for validating and performing operations on homomorphically encrypted data |
Family Applications After (3)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
US16/093,162 Active 2037-06-28 US11257076B2 (en) | 2016-04-12 | 2017-03-27 | System and methods for validating and performing operations on homomorphically encrypted data |
US16/297,803 Active US12093939B2 (en) | 2016-04-12 | 2019-03-11 | System and methods for validating and performing operations on homomorphically encrypted data |
US17/571,458 Active 2038-05-16 US12131319B2 (en) | 2016-04-12 | 2022-01-08 | System and methods for validating and performing operations on homomorphically encrypted data |
Country Status (10)
Country | Link |
---|---|
US (4) | US20170293913A1 (en) |
EP (1) | EP3443706B1 (en) |
JP (1) | JP7165292B2 (en) |
KR (1) | KR102403295B1 (en) |
CN (1) | CN109314641B (en) |
CA (1) | CA3002582C (en) |
IL (1) | IL262352B (en) |
PH (1) | PH12018502196A1 (en) |
SG (1) | SG11201809010TA (en) |
WO (1) | WO2017177313A1 (en) |
Cited By (44)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20180375639A1 (en) * | 2017-06-22 | 2018-12-27 | Microsoft Technology Licensing, Llc | Multiplication Operations on Homomorphic Encrypted Data |
CN109284627A (en) * | 2018-09-10 | 2019-01-29 | 中山大学 | A kind of reference prestige method and device based on block chain intelligence contract |
US10298385B2 (en) * | 2017-04-11 | 2019-05-21 | The Governing Council Of The University Of Toronto | Homomorphic processing unit (HPU) for accelerating secure computations under homomorphic encryption |
US10333698B2 (en) * | 2017-07-14 | 2019-06-25 | Raytheon Company | Entwined encryption and error correction |
WO2019139420A1 (en) * | 2018-01-11 | 2019-07-18 | 삼성전자주식회사 | Electronic device, server, and control method therefor |
US10404668B2 (en) * | 2016-07-14 | 2019-09-03 | Kontron Modular Computers S.A.S | Technique for securely performing an operation in an IoT environment |
US20190332814A1 (en) * | 2018-04-27 | 2019-10-31 | Nxp B.V. | High-throughput privacy-friendly hardware assisted machine learning on edge nodes |
KR102040120B1 (en) * | 2018-07-27 | 2019-11-05 | 주식회사 크립토랩 | Apparatus for processing approximate encripted messages and methods thereof |
US10541805B2 (en) | 2017-06-26 | 2020-01-21 | Microsoft Technology Licensing, Llc | Variable relinearization in homomorphic encryption |
WO2020032351A1 (en) * | 2018-08-07 | 2020-02-13 | 한국스마트인증 주식회사 | Method for establishing anonymous digital identity |
US10580225B2 (en) * | 2017-03-31 | 2020-03-03 | Toyota Motor Engineering & Manufacturing North America, Inc. | Privacy-aware signal monitoring systems and methods |
EP3618388A1 (en) * | 2018-08-30 | 2020-03-04 | Nagravision SA | Local decision making |
CN111061720A (en) * | 2020-03-12 | 2020-04-24 | 支付宝(杭州)信息技术有限公司 | Data screening method and device and electronic equipment |
CN111431922A (en) * | 2020-03-31 | 2020-07-17 | 中国建设银行股份有限公司 | Internet of things data encryption transmission method and system |
US10749665B2 (en) | 2017-06-29 | 2020-08-18 | Microsoft Technology Licensing, Llc | High-precision rational number arithmetic in homomorphic encryption |
WO2020167254A1 (en) * | 2019-02-13 | 2020-08-20 | Agency For Science, Technology And Research | Method and system for determining an order of encrypted inputs |
US20200294056A1 (en) * | 2019-03-12 | 2020-09-17 | Cox Communications, Inc. | Secured Analytics Using Encrypted Data |
US10812252B2 (en) | 2017-01-09 | 2020-10-20 | Microsoft Technology Licensing, Llc | String matching in encrypted data |
US20200357031A1 (en) * | 2019-05-10 | 2020-11-12 | Sap Se | Pooling requirements while preserving privacy |
WO2020245829A1 (en) * | 2019-06-05 | 2020-12-10 | Nitromia Ltd | Accelerated execution of applications with fully homomorphically encrypted input data |
WO2020248079A1 (en) * | 2019-06-13 | 2020-12-17 | Shield Crypto Systems Inc. | Secure information storage, transfer and computing |
US20210090077A1 (en) * | 2019-09-19 | 2021-03-25 | Bank Of America Corporation | System architectures for point-of-sale data obfuscation, data removal and data encryption |
CN112767153A (en) * | 2019-02-01 | 2021-05-07 | 创新先进技术有限公司 | Block chain transaction method and device, electronic equipment and storage medium |
EP3873023A1 (en) * | 2020-02-25 | 2021-09-01 | Thales Dis France Sa | Method for testing if a data element belongs to a list of reference data elements |
US20210376997A1 (en) * | 2020-05-27 | 2021-12-02 | Samsung Electronics Co., Ltd. | Artificial intelligence calculation semiconductor device and storage device comprising the same |
US20220020002A1 (en) * | 2020-07-17 | 2022-01-20 | Home Depot Product Authority, Llc | Post payment processing tokenization in merchant payment processing |
US20220094517A1 (en) * | 2020-09-18 | 2022-03-24 | Intel Corporation | Homomorphic encryption for machine learning and neural networks using high-throughput crt evaluation |
US11308233B2 (en) * | 2017-02-15 | 2022-04-19 | Wallix | Method for information retrieval in an encrypted corpus stored on a server |
CN114978518A (en) * | 2021-02-20 | 2022-08-30 | 南京如般量子科技有限公司 | Quantum-computation-resistant digital signature method and system based on quantum communication service station |
US20220318832A1 (en) * | 2021-03-31 | 2022-10-06 | Toast, Inc. | Optimized interchange code prediction system for processing credit card transactions |
US20220318862A1 (en) * | 2021-03-31 | 2022-10-06 | Toast, Inc. | Stochastic apparatus and method for estimating credit card type when predicting interchange code to process credit card transactions |
US11544389B2 (en) * | 2020-03-16 | 2023-01-03 | Acronis International Gmbh | Systems and methods for performing secure computing while maintaining data confidentiality |
US20230044776A1 (en) * | 2021-07-14 | 2023-02-09 | Siemens Healthcare Gmbh | Privacy preserving artificial intelligence based clinical decision support |
US20230081162A1 (en) * | 2021-08-24 | 2023-03-16 | Seoul National University R&Db Foundation | Method and apparatus for privacy preserving using homomorphic encryption with private variables |
US11641274B2 (en) * | 2019-03-22 | 2023-05-02 | Jpmorgan Chase Bank, N.A. | Systems and methods for manipulation of private information on untrusted environments |
CN116155509A (en) * | 2023-01-13 | 2023-05-23 | 海南大学 | Privacy protection method for wearable device data comparison |
CN116757698A (en) * | 2023-04-20 | 2023-09-15 | 广东盛迪嘉电子商务股份有限公司 | Encryption method and system for improving payment security performance |
US11775969B2 (en) | 2021-03-31 | 2023-10-03 | Toast, Inc. | Low latency bank card type prediction system for estimation of interchange codes during transaction processing |
US11799628B2 (en) | 2018-12-07 | 2023-10-24 | Crypto Lab Inc. | Apparatus and method for processing non-polynomial operation on encrypted messages |
US11818244B2 (en) | 2021-12-15 | 2023-11-14 | The Governing Council Of The University Of Toronto | Cryptographic processor for fully homomorphic encryption (FHE) applications |
US12002022B2 (en) | 2021-03-31 | 2024-06-04 | Toast, Inc. | Interchange code prediction system for processing credit card transactions |
CN118297593A (en) * | 2024-06-05 | 2024-07-05 | 福建米花信息科技有限公司 | Safety protection method and system for payment system |
US20240259181A1 (en) * | 2021-06-04 | 2024-08-01 | Zama Sas | Computational network conversion for fully homomorphic evaluation |
US12099997B1 (en) | 2020-01-31 | 2024-09-24 | Steven Mark Hoffberg | Tokenized fungible liabilities |
Families Citing this family (44)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US10496994B2 (en) * | 2017-03-31 | 2019-12-03 | Ca, Inc. | Enhanced authentication with dark web analytics |
US10491373B2 (en) * | 2017-06-12 | 2019-11-26 | Microsoft Technology Licensing, Llc | Homomorphic data analysis |
US10554390B2 (en) * | 2017-06-12 | 2020-02-04 | Microsoft Technology Licensing, Llc | Homomorphic factorization encryption |
US20190005498A1 (en) * | 2017-06-29 | 2019-01-03 | Comenity Llc | Private label account number protection |
US11074997B2 (en) * | 2018-01-23 | 2021-07-27 | Statum Systems Inc. | Multi-modal encrypted messaging system |
US10893505B2 (en) | 2018-01-23 | 2021-01-12 | Statum Systems Inc. | Enhanced pager network |
KR102103731B1 (en) * | 2018-04-02 | 2020-05-29 | 서울과학기술대학교 산학협력단 | System for machine learning of encyrpted data using non-interactive communication |
US10693628B2 (en) | 2018-05-04 | 2020-06-23 | International Business Machines Corporation | Enabling distance-based operations on data encrypted using a homomorphic encryption scheme with inefficient decryption |
EP3806071B1 (en) * | 2018-05-25 | 2023-03-22 | Nippon Telegraph And Telephone Corporation | Secret collective approximation system, secret calculation device, secret collective approximation method, and program |
US11177935B2 (en) * | 2018-08-31 | 2021-11-16 | Microsoft Technology Licensing, Llc | Homomorphic evaluation of tensor programs |
US11444926B1 (en) * | 2018-10-15 | 2022-09-13 | Inpher, Inc. | Privacy-preserving efficient subset selection of features for regression models in a multi-party computation setting |
KR102297536B1 (en) * | 2018-12-07 | 2021-09-03 | 주식회사 크립토랩 | Apparatus for processing non-polynomial operation on encrypted messages and methods thereof |
US11469878B2 (en) * | 2019-01-28 | 2022-10-11 | The Toronto-Dominion Bank | Homomorphic computations on encrypted data within a distributed computing environment |
WO2020154769A1 (en) | 2019-02-01 | 2020-08-06 | Secure Logic Pty Ltd | System, method and computer readable medium for performing a transaction in relation to an identity centric dataset |
EP3616356B1 (en) | 2019-03-18 | 2021-03-10 | Advanced New Technologies Co., Ltd. | Preventing misrepresentation of input data by participants in a secure multi-party computation |
US11190336B2 (en) * | 2019-05-10 | 2021-11-30 | Sap Se | Privacy-preserving benchmarking with interval statistics reducing leakage |
US11005654B2 (en) * | 2019-05-14 | 2021-05-11 | Google Llc | Outsourcing exponentiation in a private group |
CN111835762A (en) * | 2019-07-11 | 2020-10-27 | 中国医学科学院阜外医院 | Hardware system based on asymmetric key algorithm |
CN110190946B (en) * | 2019-07-12 | 2021-09-03 | 之江实验室 | Privacy protection multi-organization data classification method based on homomorphic encryption |
WO2021019783A1 (en) * | 2019-08-01 | 2021-02-04 | 日本電信電話株式会社 | Proprietor identity confirmation system, terminal, and proprietor identity confirmation method |
WO2021019781A1 (en) * | 2019-08-01 | 2021-02-04 | 日本電信電話株式会社 | Owner identity confirmation system, authentication station server, and owner identity confirmation method |
US11431470B2 (en) * | 2019-08-19 | 2022-08-30 | The Board Of Regents Of The University Of Texas System | Performing computations on sensitive data while guaranteeing privacy |
US10839060B1 (en) * | 2019-08-27 | 2020-11-17 | Capital One Services, Llc | Techniques for multi-voice speech recognition commands |
KR102491894B1 (en) * | 2019-11-29 | 2023-01-27 | 고려대학교 산학협력단 | Device and method for logistic regression analysis operation of encrypted data using fully homomorphic encryption |
CN111125735B (en) * | 2019-12-20 | 2021-11-02 | 支付宝(杭州)信息技术有限公司 | Method and system for model training based on private data |
CN111259442B (en) * | 2020-01-15 | 2022-04-29 | 广西师范大学 | Differential privacy protection method for decision tree under MapReduce framework |
CN111245610B (en) * | 2020-01-19 | 2022-04-19 | 浙江工商大学 | Data privacy protection deep learning method based on NTRU homomorphic encryption |
CN111586685B (en) * | 2020-04-26 | 2022-05-03 | 重庆邮电大学 | Anonymous roaming authentication method based on lattices |
US11502820B2 (en) | 2020-05-27 | 2022-11-15 | International Business Machines Corporation | Privacy-enhanced decision tree-based inference on homomorphically-encrypted data |
JP7527866B2 (en) * | 2020-07-01 | 2024-08-05 | キヤノン株式会社 | PROGRAM, INFORMATION PROCESSING APPARATUS AND CONTROL METHOD |
US20230315875A1 (en) * | 2020-07-28 | 2023-10-05 | Geneial Llc | Secure data exchange |
WO2022051230A1 (en) * | 2020-09-05 | 2022-03-10 | Icu Medical, Inc. | Identity-based secure medical device communications |
CN112000940B (en) * | 2020-09-11 | 2022-07-12 | 支付宝(杭州)信息技术有限公司 | User identification method, device and equipment under privacy protection |
US11588617B2 (en) * | 2020-11-01 | 2023-02-21 | The Toronto-Dominion Bank | Validating confidential data using homomorphic computations |
KR20220078155A (en) | 2020-12-03 | 2022-06-10 | 삼성전자주식회사 | Crypto processor and method for operating the same, and electronic device including the same |
KR102467595B1 (en) * | 2021-01-18 | 2022-11-16 | 서울대학교산학협력단 | Method for Processing Dynamic Data Based on Homomorphic Encryption Which Carries Out Unlimited Arithmetic Operations Without Bootstrapping and Re-encryption of Control Data |
CN112925956B (en) * | 2021-03-25 | 2022-03-08 | 广西师范大学 | Internet of things large-scale time sequence data access control method |
JP7084067B1 (en) | 2021-03-26 | 2022-06-14 | 株式会社アクセル | Cryptographic equipment, cryptographic processing method, and cryptographic processing program |
US11636027B2 (en) * | 2021-07-21 | 2023-04-25 | Bank Of America Corporation | Homomorphic encryption-based testing computing system |
CN113660085B (en) * | 2021-08-13 | 2023-06-06 | 北方工业大学 | Quantum security multiparty calculation method based on quantum homomorphic encryption |
WO2023168099A2 (en) * | 2022-03-03 | 2023-09-07 | AiOnco, Inc. | Secure two-way messaging based on genetic information |
WO2024210231A1 (en) * | 2023-04-03 | 2024-10-10 | 엘지전자 주식회사 | Homomorphic encryption-based communication method and device therefor in communication system |
WO2024225497A1 (en) * | 2023-04-25 | 2024-10-31 | 엘지전자 주식회사 | Method for communication based on homomorphic encryption in communication system and device therefor |
CN117135000B (en) * | 2023-10-27 | 2024-02-02 | 深圳鼎智通讯有限公司 | POS machine dynamic data remote management method and system |
Citations (5)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US8712915B2 (en) * | 2006-11-01 | 2014-04-29 | Palo Alto Research Center, Inc. | System and method for providing private demand-driven pricing |
US20160072800A1 (en) * | 2014-09-03 | 2016-03-10 | Nantomics, Llc | Synthetic genomic variant-based secure transaction devices, systems and methods |
US20170053282A1 (en) * | 2015-08-21 | 2017-02-23 | Pitney Bowes Inc. | Fraud risk score using location information while preserving privacy of the location information |
US20170149557A1 (en) * | 2015-11-25 | 2017-05-25 | International Business Machines Corporation | Performing efficient comparison operations on encrypted data |
US10075288B1 (en) * | 2014-02-28 | 2018-09-11 | The Governing Council Of The University Of Toronto | Systems, devices, and processes for homomorphic encryption |
Family Cites Families (34)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US7856100B2 (en) * | 2005-12-19 | 2010-12-21 | Microsoft Corporation | Privacy-preserving data aggregation using homomorphic encryption |
US8433925B2 (en) * | 2009-09-04 | 2013-04-30 | Gradiant | Cryptographic system for performing secure computations and signal processing directly on encrypted data in untrusted environments |
US8630422B2 (en) | 2009-11-10 | 2014-01-14 | International Business Machines Corporation | Fully homomorphic encryption method based on a bootstrappable encryption scheme, computer program and apparatus |
US8515058B1 (en) | 2009-11-10 | 2013-08-20 | The Board Of Trustees Of The Leland Stanford Junior University | Bootstrappable homomorphic encryption method, computer program and apparatus |
US20110137804A1 (en) * | 2009-12-03 | 2011-06-09 | Recursion Software, Inc. | System and method for approving transactions |
JP5573293B2 (en) | 2010-03-30 | 2014-08-20 | 富士通株式会社 | Authentication device, encryption device, token device, authentication method, and authentication program |
US8532289B2 (en) | 2010-08-16 | 2013-09-10 | International Business Machines Corporation | Fast computation of a single coefficient in an inverse polynomial |
WO2012149395A1 (en) * | 2011-04-29 | 2012-11-01 | International Business Machines Corporation | Fully homomorphic encryption |
WO2013067542A1 (en) * | 2011-11-03 | 2013-05-10 | Genformatic, Llc | Device, system and method for securing and comparing genomic data |
US20160365973A1 (en) * | 2012-10-30 | 2016-12-15 | Nederlandse Organisatie Voor Toegepast-Natuurwetenschappelijk Onderzoek Tno | Secure Distribution of Watermarked Content |
WO2014109828A2 (en) * | 2012-11-16 | 2014-07-17 | Raytheon Bbn Technologies Corp. | Method for secure substring search |
CN102970143B (en) * | 2012-12-13 | 2015-04-22 | 中国科学技术大学苏州研究院 | Method for securely computing index of sum of held data of both parties by adopting addition homomorphic encryption |
JP2014119486A (en) | 2012-12-13 | 2014-06-30 | Hitachi Solutions Ltd | Secret retrieval processing system, secret retrieval processing method, and secret retrieval processing program |
US9306738B2 (en) * | 2012-12-21 | 2016-04-05 | Microsoft Technology Licensing, Llc | Managed secure computations on encrypted data |
EP2755158A1 (en) * | 2013-01-09 | 2014-07-16 | Thomson Licensing | Method and device for privacy-respecting data processing |
WO2014177581A1 (en) * | 2013-04-30 | 2014-11-06 | Thomson Licensing | Threshold encryption using homomorphic signatures |
JP6371390B2 (en) * | 2013-07-15 | 2018-08-08 | ビザ インターナショナル サービス アソシエーション | Secure remote payment transaction processing |
US9722777B2 (en) * | 2013-08-01 | 2017-08-01 | Visa International Service Association | Homomorphic database operations apparatuses, methods and systems |
JP2015099961A (en) | 2013-11-18 | 2015-05-28 | 三菱電機株式会社 | Information delivery system, server device, information generating device, terminal device, information delivery method, and program |
US9524392B2 (en) * | 2013-11-30 | 2016-12-20 | Microsoft Technology Licensing, Llc | Encrypting genomic data for storage and genomic computations |
CN104700277A (en) * | 2013-12-05 | 2015-06-10 | 华为技术有限公司 | Electronic accounting method and device and terminal equipment |
US10719828B2 (en) * | 2014-02-11 | 2020-07-21 | Square, Inc. | Homomorphic passcode encryption |
JP6349841B2 (en) * | 2014-03-25 | 2018-07-04 | 富士通株式会社 | Ciphertext processing apparatus, ciphertext processing method, ciphertext processing program, and information processing apparatus |
US9503432B2 (en) * | 2014-04-04 | 2016-11-22 | Privacy Analytics Inc. | Secure linkage of databases |
GB2526059A (en) * | 2014-05-13 | 2015-11-18 | Ibm | Managing unlinkable identifiers for controlled privacy-friendly data exchange |
US10268834B2 (en) * | 2014-06-26 | 2019-04-23 | Telefonaktiebolaget Lm Ericsson (Publ) | Privacy-preserving querying mechanism on privately encrypted data on semi-trusted cloud |
CN105337736B (en) * | 2014-06-30 | 2018-10-30 | 华为技术有限公司 | Full homomorphism message authentication method, apparatus and system |
US10629296B2 (en) * | 2014-08-29 | 2020-04-21 | Nanthealth, Inc. | Mobile carrier-centric data record custodian systems and methods |
US9946970B2 (en) * | 2014-11-07 | 2018-04-17 | Microsoft Technology Licensing, Llc | Neural networks for encrypted data |
US10333696B2 (en) * | 2015-01-12 | 2019-06-25 | X-Prime, Inc. | Systems and methods for implementing an efficient, scalable homomorphic transformation of encrypted data with minimal data expansion and improved processing efficiency |
US9742556B2 (en) | 2015-08-25 | 2017-08-22 | International Business Machines Corporation | Comparison and search operations of encrypted data |
US10581812B2 (en) * | 2015-12-01 | 2020-03-03 | Duality Technologies, Inc. | Device, system and method for fast and secure proxy re-encryption |
US9900147B2 (en) * | 2015-12-18 | 2018-02-20 | Microsoft Technology Licensing, Llc | Homomorphic encryption with optimized homomorphic operations |
US10761877B2 (en) * | 2017-07-21 | 2020-09-01 | Intel Corporation | Apparatuses, methods, and systems for blockchain transaction acceleration |
-
2017
- 2017-03-24 US US15/468,621 patent/US20170293913A1/en not_active Abandoned
- 2017-03-27 JP JP2018554352A patent/JP7165292B2/en active Active
- 2017-03-27 US US16/093,162 patent/US11257076B2/en active Active
- 2017-03-27 SG SG11201809010TA patent/SG11201809010TA/en unknown
- 2017-03-27 WO PCT/CA2017/050382 patent/WO2017177313A1/en active Application Filing
- 2017-03-27 EP EP17781666.7A patent/EP3443706B1/en active Active
- 2017-03-27 KR KR1020187032522A patent/KR102403295B1/en active IP Right Grant
- 2017-03-27 CA CA3002582A patent/CA3002582C/en active Active
- 2017-03-27 CN CN201780035158.4A patent/CN109314641B/en active Active
-
2018
- 2018-10-12 PH PH12018502196A patent/PH12018502196A1/en unknown
- 2018-10-14 IL IL262352A patent/IL262352B/en unknown
-
2019
- 2019-03-11 US US16/297,803 patent/US12093939B2/en active Active
-
2022
- 2022-01-08 US US17/571,458 patent/US12131319B2/en active Active
Patent Citations (5)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US8712915B2 (en) * | 2006-11-01 | 2014-04-29 | Palo Alto Research Center, Inc. | System and method for providing private demand-driven pricing |
US10075288B1 (en) * | 2014-02-28 | 2018-09-11 | The Governing Council Of The University Of Toronto | Systems, devices, and processes for homomorphic encryption |
US20160072800A1 (en) * | 2014-09-03 | 2016-03-10 | Nantomics, Llc | Synthetic genomic variant-based secure transaction devices, systems and methods |
US20170053282A1 (en) * | 2015-08-21 | 2017-02-23 | Pitney Bowes Inc. | Fraud risk score using location information while preserving privacy of the location information |
US20170149557A1 (en) * | 2015-11-25 | 2017-05-25 | International Business Machines Corporation | Performing efficient comparison operations on encrypted data |
Cited By (70)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US10404668B2 (en) * | 2016-07-14 | 2019-09-03 | Kontron Modular Computers S.A.S | Technique for securely performing an operation in an IoT environment |
US10812252B2 (en) | 2017-01-09 | 2020-10-20 | Microsoft Technology Licensing, Llc | String matching in encrypted data |
US11308233B2 (en) * | 2017-02-15 | 2022-04-19 | Wallix | Method for information retrieval in an encrypted corpus stored on a server |
US11087568B2 (en) * | 2017-03-31 | 2021-08-10 | Toyota Motor Engineering & Manufacturing North America, Inc. | Privacy-aware signal monitoring systems and methods |
US10580225B2 (en) * | 2017-03-31 | 2020-03-03 | Toyota Motor Engineering & Manufacturing North America, Inc. | Privacy-aware signal monitoring systems and methods |
US10644877B2 (en) | 2017-04-11 | 2020-05-05 | The Governing Council Of The University Of Toronto | Configurable number theoretic transform (NTT) butterfly circuit for homomorphic encryption |
US10298385B2 (en) * | 2017-04-11 | 2019-05-21 | The Governing Council Of The University Of Toronto | Homomorphic processing unit (HPU) for accelerating secure computations under homomorphic encryption |
US20230086526A1 (en) * | 2017-04-11 | 2023-03-23 | The Governing Council Of The University Of Toronto | Method of Operation for a Configurable Number Theoretic Transform (NTT) Butterfly Circuit For Homomorphic Encryption |
US10715309B2 (en) | 2017-04-11 | 2020-07-14 | The Governing Council Of The University Of Toronto | Method of operation for a configurable number theoretic transform (NTT) butterfly circuit for homomorphic encryption |
US11870881B2 (en) * | 2017-04-11 | 2024-01-09 | The Governing Council Of The University Of Toronto | Method of operation for a configurable number theoretic transform (NTT) butterfly circuit for homomorphic encryption |
US11456856B2 (en) * | 2017-04-11 | 2022-09-27 | The Governing Council Of The University Of Toronto | Method of operation for a configurable number theoretic transform (NTT) butterfly circuit for homomorphic encryption |
US11196539B2 (en) * | 2017-06-22 | 2021-12-07 | Microsoft Technology Licensing, Llc | Multiplication operations on homomorphic encrypted data |
US20180375639A1 (en) * | 2017-06-22 | 2018-12-27 | Microsoft Technology Licensing, Llc | Multiplication Operations on Homomorphic Encrypted Data |
US10541805B2 (en) | 2017-06-26 | 2020-01-21 | Microsoft Technology Licensing, Llc | Variable relinearization in homomorphic encryption |
US10749665B2 (en) | 2017-06-29 | 2020-08-18 | Microsoft Technology Licensing, Llc | High-precision rational number arithmetic in homomorphic encryption |
US10333698B2 (en) * | 2017-07-14 | 2019-06-25 | Raytheon Company | Entwined encryption and error correction |
US12015703B2 (en) * | 2018-01-11 | 2024-06-18 | Samsung Electronics Co., Ltd. | Electronic device for user authentication, server, and control method therefor |
US20200389303A1 (en) * | 2018-01-11 | 2020-12-10 | Samsung Electronics Co., Ltd. | Electronic device, server, and control method therefor |
WO2019139420A1 (en) * | 2018-01-11 | 2019-07-18 | 삼성전자주식회사 | Electronic device, server, and control method therefor |
US20190332814A1 (en) * | 2018-04-27 | 2019-10-31 | Nxp B.V. | High-throughput privacy-friendly hardware assisted machine learning on edge nodes |
WO2020022598A1 (en) * | 2018-07-27 | 2020-01-30 | 주식회사 크립토랩 | Apparatus and method for performing approximation calculation on cryptograms |
KR102040120B1 (en) * | 2018-07-27 | 2019-11-05 | 주식회사 크립토랩 | Apparatus for processing approximate encripted messages and methods thereof |
US11115182B2 (en) | 2018-07-27 | 2021-09-07 | Crypto Lab Inc. | Apparatus for approximately processing encrypted messages and methods thereof |
WO2020032351A1 (en) * | 2018-08-07 | 2020-02-13 | 한국스마트인증 주식회사 | Method for establishing anonymous digital identity |
EP3618388A1 (en) * | 2018-08-30 | 2020-03-04 | Nagravision SA | Local decision making |
WO2020043890A1 (en) * | 2018-08-30 | 2020-03-05 | Nagravision S.A. | Local decision making |
US12100278B2 (en) * | 2018-08-30 | 2024-09-24 | Nagravision Sarl | Local decision making |
CN109284627A (en) * | 2018-09-10 | 2019-01-29 | 中山大学 | A kind of reference prestige method and device based on block chain intelligence contract |
US11799628B2 (en) | 2018-12-07 | 2023-10-24 | Crypto Lab Inc. | Apparatus and method for processing non-polynomial operation on encrypted messages |
CN112767153A (en) * | 2019-02-01 | 2021-05-07 | 创新先进技术有限公司 | Block chain transaction method and device, electronic equipment and storage medium |
WO2020167254A1 (en) * | 2019-02-13 | 2020-08-20 | Agency For Science, Technology And Research | Method and system for determining an order of encrypted inputs |
US11907952B2 (en) * | 2019-03-12 | 2024-02-20 | Cox Communications, Inc. | Secured analytics using encrypted data |
US20200294056A1 (en) * | 2019-03-12 | 2020-09-17 | Cox Communications, Inc. | Secured Analytics Using Encrypted Data |
US11641274B2 (en) * | 2019-03-22 | 2023-05-02 | Jpmorgan Chase Bank, N.A. | Systems and methods for manipulation of private information on untrusted environments |
US11631117B2 (en) * | 2019-05-10 | 2023-04-18 | Sap Se | Method, system, and non-transitory computer readable storage device for a pooling requirement while preserving privacy |
US20200357031A1 (en) * | 2019-05-10 | 2020-11-12 | Sap Se | Pooling requirements while preserving privacy |
WO2020245829A1 (en) * | 2019-06-05 | 2020-12-10 | Nitromia Ltd | Accelerated execution of applications with fully homomorphically encrypted input data |
WO2020248079A1 (en) * | 2019-06-13 | 2020-12-17 | Shield Crypto Systems Inc. | Secure information storage, transfer and computing |
US20220245262A1 (en) * | 2019-06-13 | 2022-08-04 | Shield Crypto Systems Inc. | Secure information storage, transfer and computing |
EP4026032A4 (en) * | 2019-06-13 | 2023-11-08 | Lorica Cybersecurity Inc. | Secure information storage, transfer and computing |
US20210090077A1 (en) * | 2019-09-19 | 2021-03-25 | Bank Of America Corporation | System architectures for point-of-sale data obfuscation, data removal and data encryption |
US12099997B1 (en) | 2020-01-31 | 2024-09-24 | Steven Mark Hoffberg | Tokenized fungible liabilities |
WO2021170411A1 (en) * | 2020-02-25 | 2021-09-02 | Thales Dis France Sa | Method for testing if a data element belongs to a list of reference data elements |
EP3873023A1 (en) * | 2020-02-25 | 2021-09-01 | Thales Dis France Sa | Method for testing if a data element belongs to a list of reference data elements |
CN111061720A (en) * | 2020-03-12 | 2020-04-24 | 支付宝(杭州)信息技术有限公司 | Data screening method and device and electronic equipment |
US11544389B2 (en) * | 2020-03-16 | 2023-01-03 | Acronis International Gmbh | Systems and methods for performing secure computing while maintaining data confidentiality |
CN111431922A (en) * | 2020-03-31 | 2020-07-17 | 中国建设银行股份有限公司 | Internet of things data encryption transmission method and system |
US11895219B2 (en) * | 2020-05-27 | 2024-02-06 | Samsung Electronics Co., Ltd. | Artificial intelligence calculation semiconductor device and storage device comprising the same |
US20210376997A1 (en) * | 2020-05-27 | 2021-12-02 | Samsung Electronics Co., Ltd. | Artificial intelligence calculation semiconductor device and storage device comprising the same |
US20220020002A1 (en) * | 2020-07-17 | 2022-01-20 | Home Depot Product Authority, Llc | Post payment processing tokenization in merchant payment processing |
WO2022015584A1 (en) * | 2020-07-17 | 2022-01-20 | Home Depot International, Inc. | Post payment processing tokenization in merchant payment processing |
US20220321321A1 (en) * | 2020-09-18 | 2022-10-06 | Intel Corporation | Homomorphic encryption for machine learning and neural networks using high-throughput crt evaluation |
US20220094517A1 (en) * | 2020-09-18 | 2022-03-24 | Intel Corporation | Homomorphic encryption for machine learning and neural networks using high-throughput crt evaluation |
US11777707B2 (en) * | 2020-09-18 | 2023-10-03 | Intel Corporation | Homomorphic encryption for machine learning and neural networks using high-throughput CRT evaluation |
US11405176B2 (en) * | 2020-09-18 | 2022-08-02 | Intel Corporation | Homomorphic encryption for machine learning and neural networks using high-throughput CRT evaluation |
CN114978518A (en) * | 2021-02-20 | 2022-08-30 | 南京如般量子科技有限公司 | Quantum-computation-resistant digital signature method and system based on quantum communication service station |
US11775969B2 (en) | 2021-03-31 | 2023-10-03 | Toast, Inc. | Low latency bank card type prediction system for estimation of interchange codes during transaction processing |
US12002022B2 (en) | 2021-03-31 | 2024-06-04 | Toast, Inc. | Interchange code prediction system for processing credit card transactions |
US11861666B2 (en) * | 2021-03-31 | 2024-01-02 | Toast, Inc. | Stochastic apparatus and method for estimating credit card type when predicting interchange code to process credit card transactions |
US20220318862A1 (en) * | 2021-03-31 | 2022-10-06 | Toast, Inc. | Stochastic apparatus and method for estimating credit card type when predicting interchange code to process credit card transactions |
US20220318832A1 (en) * | 2021-03-31 | 2022-10-06 | Toast, Inc. | Optimized interchange code prediction system for processing credit card transactions |
US11983731B2 (en) * | 2021-03-31 | 2024-05-14 | Toast, Inc. | Optimized interchange code prediction system for processing credit card transactions |
US20240259181A1 (en) * | 2021-06-04 | 2024-08-01 | Zama Sas | Computational network conversion for fully homomorphic evaluation |
US20230044776A1 (en) * | 2021-07-14 | 2023-02-09 | Siemens Healthcare Gmbh | Privacy preserving artificial intelligence based clinical decision support |
US12021967B2 (en) * | 2021-07-14 | 2024-06-25 | Siemens Healthineers Ag | Privacy preserving artificial intelligence based clinical decision support |
US20230081162A1 (en) * | 2021-08-24 | 2023-03-16 | Seoul National University R&Db Foundation | Method and apparatus for privacy preserving using homomorphic encryption with private variables |
US11818244B2 (en) | 2021-12-15 | 2023-11-14 | The Governing Council Of The University Of Toronto | Cryptographic processor for fully homomorphic encryption (FHE) applications |
CN116155509A (en) * | 2023-01-13 | 2023-05-23 | 海南大学 | Privacy protection method for wearable device data comparison |
CN116757698A (en) * | 2023-04-20 | 2023-09-15 | 广东盛迪嘉电子商务股份有限公司 | Encryption method and system for improving payment security performance |
CN118297593A (en) * | 2024-06-05 | 2024-07-05 | 福建米花信息科技有限公司 | Safety protection method and system for payment system |
Also Published As
Publication number | Publication date |
---|---|
IL262352B (en) | 2021-12-01 |
US20190205875A1 (en) | 2019-07-04 |
US12093939B2 (en) | 2024-09-17 |
EP3443706A4 (en) | 2019-09-25 |
US11257076B2 (en) | 2022-02-22 |
WO2017177313A1 (en) | 2017-10-19 |
SG11201809010TA (en) | 2018-11-29 |
IL262352A (en) | 2018-11-29 |
US12131319B2 (en) | 2024-10-29 |
KR20180127506A (en) | 2018-11-28 |
CA3002582C (en) | 2022-11-29 |
CN109314641A (en) | 2019-02-05 |
EP3443706B1 (en) | 2023-09-13 |
EP3443706A1 (en) | 2019-02-20 |
PH12018502196A1 (en) | 2019-09-16 |
KR102403295B1 (en) | 2022-05-27 |
JP2019514301A (en) | 2019-05-30 |
US20190182216A1 (en) | 2019-06-13 |
JP7165292B2 (en) | 2022-11-04 |
US20220129892A1 (en) | 2022-04-28 |
CA3002582A1 (en) | 2017-10-19 |
CN109314641B (en) | 2023-04-18 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
US12093939B2 (en) | System and methods for validating and performing operations on homomorphically encrypted data | |
US10607017B2 (en) | Restricting access to sensitive data using tokenization | |
Nagaraju et al. | Trusted framework for online banking in public cloud using multi-factor authentication and privacy protection gateway | |
US9686251B2 (en) | Devices and techniques for controlling disclosure of sensitive information | |
Murugeshwari et al. | Data Mining with Privacy Protection Using Precise Elliptical Curve Cryptography. | |
CN111512590B (en) | Homomorphic encryption for password authentication | |
CN108170753B (en) | Key-Value database encryption and security query method in common cloud | |
Jones et al. | Information Security: A Coordinated Strategy to Guarantee Data Security in Cloud Computing | |
Bandaru et al. | Block chain enabled auditing with optimal multi‐key homomorphic encryption technique for public cloud computing environment | |
CN114144783B (en) | Cryptographic pseudonym mapping method, computer system, computer program and computer-readable medium | |
Ramprasath et al. | Protected data sharing using attribute based encryption for remote data checking in cloud environment | |
Punitha et al. | Secured Framework with a Hash Function-Enabled Keyword Search in Cloud Storage Services | |
Gagged et al. | Improved secure dynamic bit standard technique for a private cloud platform to address security challenges | |
Soliman | Big Data SAVE: Secure Anonymous Vault Environment | |
Rupa et al. | Study and improved data storage in cloud computing using cryptography | |
Melnyk et al. | Protection of data transmission in remote monitoring tools by anonymization. | |
Ojha et al. | A Method to Enhance Privacy Preservation in Cloud Storage through a Three-Layer Scheme for Computational Intelligence in Fog Computing. | |
Ekong et al. | Hybridized Cryptography and Cloud Folder Model (CFM) for Secure Cloud-Based Storage | |
Chen et al. | Multisensor-based Verification Mechanism with Encryption and Decryption on Fault-tolerant Databases. | |
Parisi et al. | Wallet Security | |
Ahmed et al. | Access Control and Encryption Techniques during Big Data Accessing Stage | |
Amalarethinam et al. | Context Aware Matrix-Based Symmetric Algorithm For Data Security In Public Cloud | |
Alrashidy | Protecting Sensitive Data on Cloud Service Provider | |
Mauth et al. | Data Privacy Issues in Distributed Security Monitoring Systems | |
Hussain et al. | A smart card based security extension for the bitcoin wallets |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
AS | Assignment |
Owner name: THE GOVERNING COUNCIL OF THE UNIVERSITY OF TORONTO Free format text: ASSIGNMENT OF ASSIGNORS INTEREST;ASSIGNORS:KHEDR, ALHASSAN;GULAK, GLENN;REEL/FRAME:042837/0707 Effective date: 20170531 |
|
STPP | Information on status: patent application and granting procedure in general |
Free format text: DOCKETED NEW CASE - READY FOR EXAMINATION |
|
STPP | Information on status: patent application and granting procedure in general |
Free format text: NON FINAL ACTION MAILED |
|
STCB | Information on status: application discontinuation |
Free format text: ABANDONED -- FAILURE TO RESPOND TO AN OFFICE ACTION |
|
AS | Assignment |
Owner name: SHIELD CRYPTO SYSTEMS INC., CANADA Free format text: NUNC PRO TUNC ASSIGNMENT;ASSIGNOR:THE GOVERNING COUNCIL OF THE UNIVERSITY OF TORONTO;REEL/FRAME:057231/0496 Effective date: 20210702 |
|
AS | Assignment |
Owner name: LORICA CYBERSECURITY INC., CANADA Free format text: CHANGE OF NAME;ASSIGNOR:SHIELD CRYPTO SYSTEMS INC.;REEL/FRAME:061389/0197 Effective date: 20220712 |