WO2015088448A1

WO2015088448A1 - Method for matching probabilistic encrypted data

Info

Publication number: WO2015088448A1
Application number: PCT/SG2014/000590
Authority: WO
Inventors: Hwee Hwa Pang; Xuhua DING
Original assignee: Singapore Management University
Priority date: 2013-12-11
Filing date: 2014-12-10
Publication date: 2015-06-18
Also published as: SG11201506331SA

Abstract

Determining if a first encrypted data of a first data value is equal to a second encrypted data of a second data value. Comprising: a first cyclic group; a second cyclic group including a first element. Applying an operation to the first cyclic group to map its elements to an element in the second cyclic group. Randomly selecting a second element from the first cyclic group; producing the first encrypted data by mapping the second element and the first data value into one or more elements of the first cyclic group. Randomly selecting a third element from the first cyclic group; producing the second encrypted data by mapping the third element and the second data value into one or more elements of the first cyclic group. Applying the operation to the first encrypted data and the second encrypted data to obtain a fourth element in the second cyclic group, wherein the fourth element is equal to the first element when the first data value is equal to the second data value.

Description

METHOD FOR MATCHING PROBABILISTIC ENCRYPTED DATA

FIELD OF THE INVENTION

[0001] The present invention relates to a new method for matching probabilistic encrypted data.

BACKGROUND

[0002] Typically in Information Technology (IT) outsourcing, a user may delegate the data storage and query processing functions to an un-trusted third-party server. This gives rise to the need to safeguard and ensure the privacy of the database as well as the user queries being sent to the database.

[0003] A method of preserving data privacy is by applying a deterministic encryption scheme to the data record values before storing them in the un-trusted servers. Therefore the un-trusted servers only see the encrypted data record values and never see the actual data record values. However, this method of preserving data privacy is not secure. For example, it allows other parties to deduce whether two data record values are the same.

[0004] Concerns over data control and protection may be mitigated if a probabilistic encryption scheme is applied to the data record values before they are stored in the un-trusted servers. In doing so, multiple encryptions of one data record value can produce different encrypted values. However, the obvious challenge would then be how to match probabilistic encryption data when that very one data record can produce different encrypted values?

[0005] The object of the invention is thus to overcome the above problems and provide a new method for matching probabilistic encryption data.

SUMMARY OF INVENTION

[0006] According to a first aspect of the invention, a method for determining whether a first encrypted data of a first data value is equal to a second encrypted data of a second data value is described, the method comprising the steps of composing a first cyclic group, the first cyclic group comprising a plurality of elements; and composing a second cyclic group, the second cyclic group comprising a plurality of elements including a first element. The method further comprises the step of applying a mathematical operation to the first cyclic group to map elements of the first cyclic group to one of the elements in the second cyclic group. The method further comprises the steps of randomly selecting a second element from the first cyclic group; and producing the first encrypted data by mapping the second element and the first data value into one or more elements of the first cyclic group. The method further comprises the steps of randomly selecting a third element from the first cyclic group; and producing the second encrypted data by mapping the third element and the second data value into one or more elements of the first cyclic group. The method further comprises the step of performing a test condition by applying the mathematical operation to the first encrypted data and the second encrypted data to obtain a fourth element in the second cyclic group, wherein the fourth element is equal to the first element when the first data value is equal to the second data value.

[0007] Preferably, the method further comprises the steps of randomly selecting integers to form a secret key; and generating a token, the token being a function of the secret key. Wherein the step of producing the first encrypted data comprises the step of mapping the second element, the first data value and the secret key into one or more elements of the first cyclic group. Wherein the step of producing the second encrypted data comprises the step of mapping the third element, the second data value and the secret key into one or more elements of the first cyclic group. Wherein the step of performing a test condition comprises the step of applying the mathematical operation to the first encrypted data, the second encrypted data and the token.

[0008] Preferably, the mathematical operation is a bilinear mapping operation.

[0009] Preferably, the first element is an identity element of the second cyclic group.

[0010] According to a second aspect of the invention, a method for determining which probabilistically encrypted values in a first set is equal to the probabilistically encrypted values in a second set is described, the method comprising the steps of extracting a first data value from the first set; and extracting a second data value from the second set. The method further comprises the step of determining whether a first encrypted data of the first data value is equal to a second encrypted data of the second data value by using the method as described in the first aspect of the invention. [0011] According to a third aspect of the invention, a method for determining which probabilistically encrypted values in a first table is equal to the probabilistically encrypted values in a second table is described, the method comprising the steps of extracting a first record from the first table, the first record having a first attribute with a first data value; and extracting a second record from the second table, the second record having a second attribute with a second data value. The method further comprises the step of determining whether a first encrypted data of the first data value is equal to a second encrypted data of the second data value by using the method as described in the first aspect of the invention.

[0012] According to a fourth aspect of the invention, a system for determining whether a first encrypted data of a first data value is equal to a second encrypted data of a second data value is described, the system comprising a client machine. The client machine is configured to compose a first cyclic group, the first cyclic group comprising a plurality of elements; and compose a second cyclic group, the second cyclic group comprising a plurality of elements including a first element. The client machine is further configured to apply a mathematical operation to the first cyclic group to map elements of the first cyclic group to one of the elements in the second cyclic group; randomly select a second element from the first cyclic group; and produce the first encrypted data by mapping the second element and the first data value into one or more elements of the first cyclic group. The client machine is further configured to randomly select a third element from the first cyclic group; and produce the second encrypted data by mapping the third element and the second data value into one or more elements of the first cyclic group. The system further comprises a server, the server configured to receive the first encrypted data and the second encrypted data from the client machine; and perform a test condition by applying the mathematical operation to the first encrypted data and the second encrypted data to obtain a fourth element in the second cyclic group, wherein the fourth element is equal to the first element when the first data value is equal to the second data value.

[0013] Preferably, the client machine is further configured to randomly select integers to form a secret key; and generate a token, the token being a function of the secret key. The client machine is further configured to produce the first encrypted data by mapping the second element, the first data value and the secret key into one or more elements of the first cyclic group; and produce the second encrypted data by mapping the third element, the second data value and the secret key into one or more elements of the first cyclic group. [0014] Preferably, the server is further configured to receive the token from the client machine; and apply the mathematical operation to the first encrypted data, the second encrypted data and the token to obtain a fourth element in the second cyclic group, wherein the fourth element is equal to the first element when the first data value is equal to the second data value.

[0015] Preferably, the mathematical operation is a bilinear mapping operation.

[0016] Preferably, the first element is an identity element of the second cyclic group.

[0017] The invention will now be described in detail with reference to the accompanying drawings.

BRIEF DESCRIPTION OF THE DRAWINGS

[0018] The accompanying figures illustrate disclosed embodiment(s) and serve to explain principles of the disclosed embodiment(s). It is to be understood, however, that these drawings are presented for purposes of illustration only, and not for defining limits of the application.

[0019] Figure 1 is a flow chart that depicts a method for determining whether two probabilistically encrypted values are equal in accordance with a preferred embodiment of the invention.

[0020] Figure 2 is a flow chart that depicts a method for determining which probabilistically encrypted values in a first set of values match with the probabilistically encrypted values in a second set of values in accordance with a preferred embodiment of the invention.

[0021] Figure 3 is a flow chart that depicts a equijoin method to discover pairs of records from two tables, whose attribute value in a record in the first table matches with an attribute value in a record in the second table.

[0022] Figure 4 depicts a system for implementing the method in accordance with a preferred embodiment of the invention. [0023] Exemplary, non-limiting embodiments of the present application will now be described with references to the_above-mentioned figures.

DETAILED DESCRIPTION

[0024] Figure 1 shows a method for determining whether two probabilistically encrypted values are equal.

[0025] Referring to step 101 in figure 1, two cyclic groups G and G_T with bilinear mapping e: G x G→ GT are composed. G is the first cyclic group and GT is the second cyclic group. The bilinear mapping operation is applied to the first cyclic group G, so as to map elements of the first cyclic group G to one of the elements in the second cyclic group GT. The group structure G has prime order p. The group structure G has a plurality of elements, among which is a generator g_\. As gi is the generator, therefore Gi = {g_l5 g\², g\³, gi^p} and gi^p = 1, where 1 is the identity element of G. The group structure Gj also has a plurality of elements and 1 is also the identity element of GT. For any integers a and b, e(gi^a, g!^b) = e(g_l5 gi)^ab.

[0026] In step 102, a client machine chooses random integers σ, σι and σ₂ in the range

[l ..p] and computes g₂ = g^, where g₂ is an element of G. g₂ is used to give a safeguarded form of secret value σ to the server. The server needs g₂ to compute the test condition. The server cannot get the actual value of σ without doing a discrete log operation, which is a hard computational problem.

[0027] In step 103, the client machine stores σ, σι and σ₂ as a secret key, and releases p, gj and g₂ to the un-trusted server as a public key.

[0028] In step 104, the client machine randomly selects integers λι, λ₂, KA and TA in the range [l ...p], and randomly selects element x from the first cyclic group G. The client machine adds KA and TA to the secret key.

[0029] In step 105, for a first data value u, the client machine uses the secret key to generate encrypted data A having eight components i.e. A = (Aj, A₂, A₃, A₄, A₅, A₆, A₇, A₈), where A_x =

A_Q = e(x, x)^UlXU+Ci2. One skilled in the art will appreciate that encrypted data A does not necessarily need eight components and the eight components described here is used as an illustration for the preferred embodiment.

[0030] In step 106, the client machine randomly selects integers μ_1; μ_2ι κ¾ and TB in the range [l ...p], and randomly selects element y from the first cyclic group G. The client machine adds κ¾ and TB to the secret key.

[0031] In step 107, for a second data value v, the client machine uses the secret key to generate encrypted data B having eight components i.e. B = (B_{l s} B₂, B₃, B , B₅, B₆, B₇, B ), where B₁ = y"i , B₂ = , B₃ = . ^ _B^ = _{y Bs = y}a _{B(> = y} /^K _{B ? Β η =} g^^{lK B}, B_s = β(γ, γ ^σιΧν+σ2. One skilled in the art will appreciate that encrypted data B does not necessarily need eight components and the eight components described here is used as an illustration for the preferred embodiment.

[0032] In step 108, the client machine then deposits encrypted data A and encrypted data B in un-trusted server.

[0033] To test whether first data value u and second data value v are equal, in step 109, the client machine generates a token τ_ΑΒ = (κ_Β/τ_Α,—κ_Α/τ_Β) , and sends token τ_ΑΒ to the un- trusted server. The token is a function of the secret key (as the secret key comprises of

[0034] In step 1 10, the un-trusted server then applies bilinear mappings to components of encrypted data A and encrypted data B to result in the test condition — ^e^^Al ^g-L_/TD = 1 to determine whether first

>l₈·β₈-^1■ _e(A₁ ^■β 52)·e(A₇,β₆ ^{¾ τΛ})^■ _e(B₇ '^{¾ τβ}, l₆)^■ _e(yl₂ ^■β₂-¹,A₅ ^■β₅)

data value u and second data value v are equal. is an element m GT and 1 is the

identity element of Gj. The test condition involves applying bilinear mappings to components of encrypted data A, components of encrypted data B, token ¾_Band g₂. = 1, then

Α_Ά-Β^-β{Α_ί-Β^,₉₂)·β{Α₇,Β₆ ^ΚΒ,τΑ)·β{Β₇ ,A₆ye(A₂-B₂ A₅-B₅

first data value u and second data value v are equal.

[0036] The components of the denominator of the test condition works out to be:-

= e(5i, )^AlXCT = e(#i,y)^Al = e{g_2>y)^

= e(g_llXy^ = e<jgZ,x)-K = e{g₂,x)-^ e(A₂ ^■ B₂ A_S

= eigf.xyY*-^ = e g₂,xy ^^~^ = e(g_z,x ^^■ e{g₂,y ¹^

[0037] Therefore, the denominator of the test condition works out to be:- e{x,x)^^xu+^^■ e{y,yY^ ^v-^^■ e(g₂,x)^x^^■ e(g₂,y)^~^^■ e(g₂,y)** · e(jg_2lx)^~^

-^^■ e(g₂,y)^x-^

[0038] The numerator of the test condition works out to be:-

= e(x, xy^{i u+a ■} e(x,

[0039] Therefore, the test condition works out to be:- e(x^) ^lXU+ff2-e(x ^{CTl(u_ )}- yo ^{_CTl ^}

e(x,x)^CTi^xu+c2-e(y, )-^CTi^xl;-⁽'2 e(5₂,_%)^¾-^{1+ l2-}'"i^_'^u2-e 5₂,y) ^li^{+ l2_}'"i^_'^I'2

[0040] When first data value u and second data value v are equal, e x, yy^^{u v}^ — e(x, y)^Gl(^ = ° = 1 , where 1 is the identity element of G_T. Therefore, if test condition = 1 holds, un-

trusted server determines that first data value u is equal to second data value v.

[0041] This encryption method is advantageous as it is probabilistic. This is because integers and λ₂ as well as element x are randomly selected each time first data value u is encrypted, and integers μι and μ₂ as well as element y are randomly selected each time second data value v is encrypted. Therefore, for data value u or v, encrypted at different times, the encrypted data A and B will be different. Despite the fact that every encryption of first data value u and second data value v will generate different encrypted data A and B, the test

,.₊.

condition = 1 will always

deteraiine correctly whether first data value u is equal to second data value v. This is due to the specific structure of the test condition, encrypted data A and B and token τ_ΑΒ, which results in the condition e{x, yy^^u~v^ = 1 , so that integer σ_{1 ;} element x and element y will be neutralized when first data value u is equal to second data value v.

[0042] Another advantage of the encryption method is that the un-trusted server can perform the test condition only after receiving token τ_ΑΒ from the client machine.

[0043] Figure 2 shows a method for determining which probabilistically encrypted values in a first set of values U = {u_it u₂, ··· ,½}, match with the probabilistically encrypted values in a second set of values V = v^, v₂, · · · , v_m}.

[0044] Referring to step 201 in figure 2, two cyclic groups G and Gx with bilinear mapping e: G x G→ GT are composed. G is the first cyclic group and G-r is the second cyclic group. The bilinear mapping operation is applied to the first cyclic group G, so as to map elements of the first cyclic group G to one of the elements in the second cyclic group GT. The group structure G has prime order p. The group structure G has a plurality of elements, among which is a generator gj. As gi is the generator, therefore Gi = {gi, gi², gi³, ..., gi^p} and gi^p = 1 , where 1 is the identity element of G. The group structure GT also has a plurality of elements and 1 is also the identity element of G - For any integers a and b, e(g₁ ^a, g_! ^b) = e(g_ls g ^ab.

[0045] In step 202, a client machine chooses random integers σ, σ] and σ₂ in the range

[l ...p] and computes g₂ = g^, where g₂ is an element of G. g₂ is used to give a safeguarded form of secret value σ to the server. The server needs g₂ to compute the test condition. The server cannot get the actual value of σ without doing a discrete log operation, which is a hard computational problem.

[0046] In step 203, the client machine stores σ, σι and σ₂ as a secret key, and releases p, gi and g₂ to the un-trusted server as a public key.

[0047] In step 204, for the first set of values U— _i, u₂, · · · , _m}, the client machine randomly selects integers A and XA in the range [1...p]. The client machine adds KA and XA to the secret key.

[0048] In step 205, for every value Ui of U, the client machine randomly selects integers λ_1;1 and λί_;2 ίη the range [l ...p], and randomly selects element x, from the first cyclic group G.

[0049] In step 206, for every value Uj of U, the client machine generates encrypted data = A_iil, A_li2, A_ii3, A_lA, A_iiS, A_ii6, Ai_i7t A_lfi ^') , where A _l =

, A_ii3 = σ_ι Μί+σ₂ ,x+ z . _ . _ a . _ σ/κ„ . _ i,i^X A xi i» 2 ' ',4 ^{— ' x}l ' i,5 ~~ ^xi ? -"1,6 ~ ^xi J ⁿl,7 ~ til '

■^i,8 ^{= e}(^i^i)^{Cl X}"^i+a2 - One skilled in the art will appreciate that encrypted data A; does not necessarily need eight components and the eight components described here is used as an illustration for the preferred embodiment.

[0050] In step 207, for the second set of values V = {v₁₍ v₂, · ·· , v_n}, the client machine randomly selects integers KB and τ_Β in the range [1 ...p]. The client machine adds ¾ and xe to the secret key. [0051] In step 208, for every value Vj of V, the client machine randomly selects integers uj_j and μ_ϋ;2 in the range [1 ...p], and randomly selects element _¾ from the first cyclic group G.

[0052] In step 209, for every value j of V, the client machine generates encrypted data

B = (β/,ι, Bj ₂, Bj _3l Bj ₄, Bj _S, Bj ₆, Bj , B_{i 8}) , where B_j = y^^'1 , B_ji2 = g^² , B ₃ =

Bj _Q = e .,y )^AIXVJ^+TT2. One skilled in the art will appreciate that encrypted data Bj does not necessarily need eight components and the eight components described here is used as an illustration for the preferred embodiment.

[0053] In step 210, the client machine then deposits encrypted data Ai for U and encrypted data B_j for V in the un-trusted server.

[0054] To test whether u, of U and Vj of V are equal, in step 21 1, the client machine ... generates a token x_AB = —Α¾/τ_β), and sends token τ_ΑΒ to the un-trusted server. The token is a function of the secret key (as the secret key comprises of κ_Α, κ_Β, x_A, τ_Β).

[0055] In step 212, the un-trusted server then applies bilinear mappings to components of encrypted data Aj and encrypted data B_j to result in the test condition

= 1, for every u; oi U and v, of V, to determine whether u, of U matches Vj of V. :— -— J- ——k Ζ_Ϊ is an element in GT and 1 is the identity element of Gj. The test condition involves applying bilinear mappings to components of encrypted data A,-, components of encrypted data Bj, token ¾_Band g₂.

[0057] The components of the denominator of the test condition works out to be:- e(_ _w · B ,g ,x^^■ yj" )

= e (g^x^)^■ {g₂,y_} ^Hi = e g^x^^■ eig^y ^

= e(£ii,yj -^lXa = 9l,yj ⁱ = e(g_2>yj ⁱ

e(A_ii2 ^■ (x_ty)°)

[0058] Therefore, the denominator of the test condition works out to be

= eC ,^¹*¹¹^^2■ e( _/,y__/r°^ix,,J-^<¾ ' ^β(0₂,^χ _ί)^{Ηι+λί,2~μ}'·^1~μ'·^2■ e(g_2lyj)^Xi'^i+Xi^-^

[0059] The numerator of the test condition works out to be:-

[0060] Therefore, the test condition works out to be:-

[0061] When w, is equal to v , then e^ yy)⁰¹^^1-^⁵ = e(x_if yy)° = 1, where 1 is the identity element of G . Therefore, if test condition Ϊ— r ' . ' ; = 1 holds, un-trusted server will determine that Uj matches Vj.

[0062] This encryption method is advantageous as it is probabilistic. This is because integers λ,_;ι and j_;2 as well as element x, are randomly selected each time w, is encrypted, and integers and u_j;2 as well as element ¾· are randomly selected each time ν· is encrypted. Therefore, for «, and v_j, encrypted at different times, the encrypted data A, and Bj will be different. Despite the fact that every encryption of w, and v, will result in different encrypted data Aj and B_j, the test condition :— i— ' . ^{' '} i = 1 will always determine correctly whether «,· is equal to ν₇·. This is due to the specific structure of the test condition, encrypted data Aj and Bj and token x_AB, which results in the condition e x_i, _/)^ai(-^Ui_v^ = 1, so that integer σ_1> element x, and element ¾ will be neutralized when «,· is equal to v_j.

[0063] Another advantage of the encryption method is that the un-trusted server can perform the test condition only after receiving token τ_ΑΒ from the client machine. Further still, token T_AB can only be used for discovering matching values across U and V specifically, and cannot be used for other sets of values. .

[0064] Figure 3 shows a method for performing an equality join (or equijoin) on two tables. An equijoin is one of the most common operations in a relational Database Management System. An equijoin on two tables is able to determine if an attribute in a record in the first table is equal in value to an attribute in a record in the second table. Assume first table R = fa, r₂, and second table S = {s_x, s₂,••- , s_n} . Each record in R (rj) has attribute u with attribute value . ΐί. Each record in S (s_j) has attribute v with attribute value Sj. v. The equijoin method involves discovering pairs of R and S records, whose attribute value u in a record in R matches with attribute value v in a record in S.

[0065] Referring to step 301 in figure 3, two cyclic groups G and GT with bilinear mapping e: G x G→ GT are composed. G is the first cyclic group and GT is the second cyclic group. The bilinear mapping operation is applied to the first cyclic group G, so as to map elements of the first cyclic group G to one of the elements in the second cyclic group G - The group structure G has prime order p. The group structure G has a plurality of elements, among which is a generator g^ As gi is the generator, therefore Gj = {gi, g^, % , g\^p} and g_! ^P = 1, where 1 is the identity element of G. The group structure GT also has a plurality of elements and 1 is also the identity element of GT. For any natural numbers a and b, e(g!^a, gi^b) = e(g_l5 gi)^ab-

[0066] In step 302, a client machine chooses random integers σ, σι and σ₂ in the range

[l ...p] and computes g₂ = gj^a, where g₂ is an element of G. g₂ is used to give a safeguarded form of secret value σ to the server. The server needs g₂ to compute the test condition. The server cannot get the actual value of σ without doing a discrete log operation, which is a hard computational problem.

[0067] In step 303, the client machine stores σ, σι and σ₂ as a secret key, and releases p, gi and g₂ to the un-trusted server as a public key.

[0068] In step 304, for the first table of records R = fa, r₂, · · · , r_m}, the client machine randomly selects integers KA and XA in the range [1...p]. The client machine adds KA and XA to the secret key.

[0069] In step 305, for attribute value r_t. u in each record r_t of R, the client machine randomly selects integers λ^ι and λ,_>2 in the range [1 ...p], and randomly selects element ,- from the first cyclic group G. [0070] In step 306, for attribute value r_{. u in each record of /?, the client machine generates encrypted data Ai = ( ,i_< ^ ' ^D' ^t ' ^5' ^,6> ^i,7' ^i,8) » where -4_i(1 = x^^'1 ,

4 _ „^Ai.2 4 _ lWi-U+ffi , ^lU¾ 4 _ _r. _ _γσ . _ σ/ 4. _ ^Λι,2— i χ J ^Λι,3 — ^xi 2 ? ^[, - ^χι ^Λι,5 ^{— x}i ^■> ⁿl,6 ^{— x}i ^■> ^Λ1,7 ^—

^^l'^{l Ti4}, A_{i S}— e (Xi, _i)^CIlXri'u+cf2. One skilled in the art will appreciate that encrypted data Ai does not necessarily need eight components and the eight components described here is used as an illustration for the preferred embodiment.

[0071] In step 307, for the second table of records S = {¾, ¾_< ^•••, s_n}, the client machine randomly selects integers ¾ and Τβ ίη the range [l ...p]. The client machine adds KB and TB to the secret key.

[0072] In step 308, for attribute value sj. v in each record Sj of S, the client machine randomly selects integers Ujj and Uj ₂ in the range [1...p], and randomly selects element jy, from the first cyclic group G.

[0073] In step 309, for attribute value Sj. v in each record Sj of S, the client machine i ₁ generates encrypted data B_j = . = y_j ^J' ,

g^'^{1 B} , Bj_>8 = e yj, y^)^{ai Sj V+az} . One skilled in the art will appreciate that encrypted data B_j does not necessarily need eight components and the eight components described here is used as an illustration for the preferred embodiment.

[0074] In step 310, the client machine then deposits the encrypted data A, for each record r_t of R and encrypted data B_j for each record Sj of S in the un-trusted server.

[0075] To perform an equijoin of R and S on their attributes u and v, in step 31 1, the client machine generates a token τ_ΑΒ — (κΒ/^τΑ_> ~ ^κΑ/^τΒ) , ^and sends token τ_ΑΒ to the un- trusted server. The token is a function of the secret key (as the secret key comprises of

^ΚΑ· ^ΚΒ> ^ΧΑ· Β)·

[0076] In step 312, the un-trusted server then applies bilinear mappings to components of encrypted data Aj and encrypted data B_j to result in the test condition 1 for each record

and each record S_j of S, to determine whether attribute value r_t. u matches attribute value Sj. v.

eiAi -Bj An-Bj i)

i— _Ϊ— ——¹— ' i is an element in GT and 1 is the identity element of G_T. The test condition involves applying bilinear mappings to the components of encrypted data Aj, the components of encrypted data B_j, token ¾and g₂.

then attribute value _/. u matches attribute value Sj. v.

[0078] The components of the denominator of the test condition works out to be:-

A ^■ B_j-£ = e(x_{il X} ⁱ™ⁱ⁺°² · e(y_j, y_jr^a÷^xvr^a* β =

e (si^¹)^■ e (g₂, yj ^^'1) = {g_2l x )^x^^■ e{g₂,_yjy^

[0079] Therefore, the denominator of the test condition works out to be:-

yj†*-**

·

= e ( _i, ¾;_i)^{ai ><ri}-^{u+02 ■} e(yj, yj) -^^XsJ ^v-^^■ e^ x^^H^^j^ . β (#₂, ^)^λί'^{1 +λί}·^{2 ~μ}Μ^~μ^

[0080] The numerator of the test condition works out to be:-

[0081] . Therefore, the test condition works out to be:-

e(x_£, y_;)° = 1 where 1 is the if test condition

1 holds, un-trusted server

will determine that r_£. u matches s . v.

[0083] This encryption method is advantageous as it is probabilistic. This is because integers λί,ι and λ|_;2 as well as element x,- are randomly selected each time r_£. u is encrypted, and integers and uj_;2 as well as element y_y are randomly selected each time Sj. v is encrypted. Therefore, for r_£. u or Sj. v encrypted at different times, the encrypted data A, and B_j will be different. Despite the fact that every encryption of r_£. u and Sj. v will result in different encrypted data Aj and B_j, the test condition = 1 will always determine

correctly whether r_t. u is equal to Sj . v. This is due to the specific structure of the test condition, encrypted data Aj and B_j and token τ_{Α Β} , which results in the condition e Xi, yj)^Gl^^ri'u~^si^'v^ = 1, so that integer σ_1ι element x, and element ¾ will be neutralized when r^ . u is equal to Sj . v.

[0084] Another advantage of the encryption method is that the un-trusted server can perform the equijoin only after receiving token x_AB from the client machine. Further still, token τ_ΑΒ can only be used for an equijoin of table R and table S on attribute u in R and attribute v in S. The token cannot be used to join R and S on any other attributes, nor for joining other tables.

[0085] Figure 4 shows a system for implementing the method in accordance with the preferred embodiment and shows the data exchange between client machine 401 and un- trusted server 402. As shown, client machine 401 sends p, gi and g₂ as a public key to un- trusted sever 402. This public key is stored in un-trusted server 402. Un-trusted server 402 requires this public key to perform the test condition. Client machine 401 does the encryption of data and stores encrypted data A and B in un-trusted server 402. To test whether two data values are equal, the token τ_{Α Β} = — ¾As) is ^{sent t0} un-trusted server 402 so that un- trusted server 402 can perform the test condition. If the test condition holds, un-trusted server 402 would have determined that the two data values are equal, all the while not being privy to the actual values of the two data values.

[0086] It will be apparent that various other modifications and adaptations of the application will be apparent to the person skilled in the art after reading the foregoing disclosure without departing from the spirit and scope of the application and it is intended that all such modifications and adaptations come within the scope of the appended claims.

[0087] In the application, unless specified otherwise, the terms "comprising",

"comprise", and grammatical variants thereof, are intended to represent "open" or "inclusive" language such that they include recited elements but also permit inclusion of additional, non- explicitly recited elements.

Claims

1. A method for determining whether a first encrypted data of a first data value is equal to a second encrypted data of a second data value, the method comprising the steps of :- composing a first cyclic group, the first cyclic group comprising a plurality of elements; composing a second cyclic group, the second cyclic group comprising a plurality of elements including a first element;

applying a mathematical operation to the first cyclic group to map elements of the first cyclic group to one of the elements in the second cyclic group;

randomly selecting a second element from the first cyclic group;

producing the first encrypted data by mapping the second element and the first data value into one or more elements of the first cyclic group;

randomly selecting a third element from the first cyclic group;

producing the second encrypted data by mapping the third element and the second data value into one or more elements of the first cyclic group; and

performing a test condition by applying the mathematical operation to the first encrypted data and the second encrypted data to obtain a fourth element in the second cyclic group, wherein the fourth element is equal to the first element when the first data value is equal to the second data value.

2. The method of claim 1 further comprising the steps of randomly selecting integers to form a secret key; and generating a token, the token being a function of the secret key; and wherein the step of producing the first encrypted data comprises the step of mapping the second element, the first data value and the secret key into one or more elements of the first cyclic group; and

wherein the step of producing the second encrypted data comprises the step of mapping the third element, the second data value and the secret key into one or more elements of the first cyclic group; and

wherein the step of performing a test condition comprises the step of applying the mathematical operation to the first encrypted data, the second encrypted data and the token.

3. The method of claim 1 or claim 2 wherein the mathematical operation is a bilinear mapping operation.

4. The method of any one of the preceding claims wherein the first element is an identity element of the second cyclic group.

5. A method for determining which probabilistically encrypted values in a first set is equal to the probabilistically encrypted values in a second set, the method comprising the steps of :- extracting a first data value from the first set;

extracting a second data value from the second set; and

determining whether a first encrypted data of the first data value is equal to a second encrypted data of the second data value by using the method as claimed in any one of claims 1 to 4.

6. A method for determining which probabilistically encrypted values in a first table is equal to the probabilistically encrypted values in a second table, the method comprising the steps of :- extracting a first record from the first table, the first record having a first attribute with a first data value;

extracting a second record from the second table, the second record having a second attribute with a second data value; and

7. A system for determining whether a first encrypted data of a first data value is equal to a second encrypted data of a second data value, the system comprising :- a client machine, the client machine configured to :- compose a first cyclic group, the first cyclic group comprising a plurality of elements;

compose a second cyclic group, the second cyclic group comprising a plurality of elements including a first element;

apply a mathematical operation to the first cyclic group to map elements of the first cyclic group to one of the elements in the second cyclic group;

randomly select a second element from the first cyclic group; produce the first encrypted data by mapping the second element and the first data value into one or more elements of the first cyclic group;

randomly select a third element from the first cyclic group; and

produce the second encrypted data by mapping the third element and the second data value into one or more elements of the first cyclic group;

and a server, the server configured to :- receive the first encrypted data and the second encrypted data from the client machine; and

perform a test condition by applying the mathematical operation to the first encrypted data and the second encrypted data to obtain a fourth element in the second cyclic group, wherein the fourth element is equal to the first element when the first data value is equal to the second data value.

8. The system of claim 7 wherein the client machine is further configured to :- randomly select integers to form a secret key;

generate a token, the token being a function of the secret key;

produce the first encrypted data by mapping the second element, the first data value and the secret key into one or more elements of the first cyclic group; and

produce the second encrypted data by mapping the third element, the second data value and the secret key into one or more elements of the first cyclic group.

9. The system of claim 8 wherein the server is further configured to :- receive the token from the client machine;

apply the mathematical operation to the first encrypted data, the second encrypted data and the token to obtain a fourth element in the second cyclic group, wherein the fourth element is equal to the first element when the first data value is equal to the second data value.

10. The system of any one of claims 7 to 9 wherein the mathematical operation is a bilinear mapping operation.

11. The system of any one of claims 7 to 10 wherein the first element is an identity element of the second cyclic group.