A secure computational method using homomorphic encryption between two entities without a trusted third party.
A secure calculation method using homomorphic encryption between two entities addresses the exposure and cost issues in existing methods by encrypting presence ratios and obfuscating results, ensuring confidentiality and reducing costs.
Patent Information
- Authority / Receiving Office
- FR · FR
- Patent Type
- Applications
- Current Assignee / Owner
- AMPERE SAS
- Filing Date
- 2024-12-20
- Publication Date
- 2026-06-26
AI Technical Summary
Existing methods for calculating driving scores in usage-based insurance expose driving data and score calculation functions to potential attacks and require costly computing resources, especially when using homomorphic encryption with trusted third parties.
A secure calculation method using homomorphic encryption between two entities, where one entity holds the data and the other the calculation function, without a trusted third party, by performing homomorphic encryption of presence ratios and obfuscating results to protect confidentiality.
Enables efficient calculation of driving scores while ensuring the confidentiality of both the data and the score calculation function, reducing computational costs and eliminating the need for specialized circuits.
Smart Images

Figure 00000000_0000_ABST
Abstract
Description
Title of the invention: A secure calculation method using homomorphic encryption between two entities without a trusted third party technical field
[0001] The object of the present invention relates to the domain of secure computing using homomorphic encryption between two entities without a trusted third party. Prior techniques
[0002] Usage-based insurance (UBI), in order to be personalized, requires calculating a driving score based on driving data such as speed, acceleration, braking, etc., which is collected from the vehicles of owners who have taken out this type of insurance policy. This data is personal data that must be protected, and in particular, must not be transmitted to the insurer.
[0003] Furthermore, the score calculation function itself must be protected, as it is the intellectual property of the insurer calculating the scores.
[0004] Currently, vehicle driving data is encrypted during transmission from the car to the manufacturer's servers and then to the servers of a trusted third party responsible for calculating the score. The insurer transmits the score calculation function to the trusted third party, which calculates the insured's score and communicates it to the insurer. However, the driving data is decrypted on the servers of the party responsible for calculating the score in order to enable the calculation and thus becomes exposed to potential attacks. Furthermore, the trusted third party, which has access to both the insured's driving data and the score calculation function, must be perfectly reliable.
[0005] Homomorphic encryption techniques are known in the prior art. These techniques allow data to be encrypted by a first user and transmitted in encrypted form to a second user who can perform mathematical operations on the encrypted data without decrypting it. This type of encryption is generally used in the fields of finance and healthcare. For example, one could imagine a car manufacturer encrypting all of its data and transmitting it to an insurer, who would calculate an encrypted score and send it back to the manufacturer for decryption. However, this method does not effectively protect the definition of the calculation function from the manufacturer. Indeed, the manufacturer would have access to the score in plaintext and could potentially reconstruct the definition of the score calculation function through statistical analysis, for example.Furthermore, the homomorphic encryption of the entire data set of . The processing and calculations performed on this encrypted data by the insurer are very costly in terms of computing resources and could not be applied as is due to the volume of data to be processed. Furthermore, this processing would require the use of specialized circuits known as "garbled circuits," which represent a significant cost. Description of the invention
[0006] The proposed invention aims to enable two entities, one holding the data and the other the definition of the function to be calculated, to perform an efficient calculation of this function without going through a trusted third party and while protecting the confidentiality of the data and the definition of the function.
[0007] The invention relates to a secure calculation method implemented by first and second computer devices adapted to communicate with each other through a communication network, the first computer device comprising a plaintext database containing data to be protected associated with identifiers, a scoring function allowing the calculation of a score from the data in the database of the first computer device, the scoring function being defined by conversion tables having one or more data types as dimensions among the data in the database and a set of coefficients defining a linear combination of metrics, each coefficient being associated with one of the conversion tables.
[0008] The process comprises, for a given identifier, the steps of: - initialization including a structure definition step in which the first computer device receives from the second computer device a structure of the conversion tables including the number of cells in each conversion table and the index values of each conversion table so as to allow the first computer device to determine indices of each conversion table corresponding to the values of the plaintext database data that are associated with the conversion table and the identifier, - determination of the indices, carried out after the initialization step, - calculation of presence ratios for all cells in all tables conversion from the determined indices, - homomorphic encryption of the calculated attendance ratios, - transmission of the encrypted attendance ratios to the second computer system, - calculation of the score calculation function from the numerical attendance ratios and the content of each index cell i of each conversion table by the homomorphic linear combination of metrics using the associated set of coefficients, - Obfuscation of the results of the encrypted homomorphic calculation, including a sub-step of score masking adapted to preserve the confidentiality of the score and a sub-step of score obfuscation adapted to preserve the confidentiality of the score calculation function, - transmission of the scrambled results to the first computer system, - deciphering the scrambled results, in order to obtain a masked score in plain text, - transmission of the masked score in plain text to the second computer system, and - processing the masked score in plain text so as to obtain the score value without masking.
[0009] For example, the set of coefficients corresponds to a weighting of the metrics.
[0010] Advantageously, the score scrambling substep includes adding zero ciphers randomly drawn from a set of homomorphic zero ciphers previously transmitted by the first computing device.
[0011] For example, the score masking substep includes adding a random unsigned integer.
[0012] For example, the initialization step includes a step of choosing a homomorphic encryption technology to be used for the rest of the process.
[0013] According to one feature, the initialization step includes a step of generation by the first computing device of a secret key for homomorphic encryption and decryption according to the homomorphic encryption technology chosen.
[0014] According to another feature, the initialization step includes a generation step by the first computing device of a large predetermined number K of zero ciphers using the generated secret key and a transmission step of the generated K zero ciphers to the second computing device.
[0015] For example, the initialization step includes a step of transmission by the second computer device to the first computer device of a set of filtering conditions associated with the data and a step of filtering the data by the first computer device according to the set of filtering conditions transmitted by the second computer device.
[0016] For example, the step of processing the masked score in plain text includes removing the masking of the score.
[0017] According to another aspect, the invention relates to a computer program product comprising code instructions for the execution of a process as defined above. Brief description of the drawings
[0018] Other objects, features and advantages of the invention will become apparent from the following description, given solely by way of non-limiting example, and made with reference to the accompanying drawings in which:
[0019] [Fig.1] schematically represents a computer network according to an example of an embodiment of the invention;
[0020] [Fig.2] is a general scheme for calculating a score;
[0021] [Fig.3] is a flowchart of a secure calculation process according to an example of realization of the invention; and
[0022] [Fig.4] is a diagram of the distribution of the steps of the process of [Fig.3] between two computer devices of the network [Fig. 1] Detailed description of at least one embodiment
[0023] Fig. 1 schematically represents a computer network 100 adapted for the implementation of a secure computing process according to the invention, which is detailed further below.
[0024] The computer network 100 comprises a first computer device 102, a second computer device 104, and a communication network 106 adapted for communication between the first and second computer devices 102, 104. The first and second computer devices 102, 104 are adapted to communicate with each other via the communication network 106. Communication between the first and second computer devices 102, 104 is secured according to current standards for digital telecommunications.
[0025] The first computing device 102 is adapted to homomorphically encrypt plaintext data (e.g., an array of plaintext data) to generate homomorphically encrypted data (e.g., an array of encrypted data). The encrypted data can be sent from the first computing device 102 to the second computing device 104 for processing, without the second computing device 104 having to decrypt the encrypted data from the first computing device 102.
[0026] According to the method of the invention, the encrypted data of the first computer device 102 is not decrypted by the second computer device 104 before, during, or after the processing of the encrypted data. The second computer device 104 does not possess the decryption key for the data and does not have knowledge of (or access to) the plaintext data of the first computer device 102. Furthermore, as described below, the method according to the invention does not encrypt and transmit all the data used for calculating the score, but transmits statistical values obtained based on the data and which are encrypted.
[0027] For example, the first computer device 102 is a server of a first entity, referred to as Alice in the remainder of the description. In an example application relating to insurance, detailed later, Alice may be a motor vehicle manufacturer or a motor vehicle service provider.
[0028] According to the example illustrated in [Fig. 1], the first computer device 102 includes a plaintext database 108. For example, the database 108 may include time-based driving data for a large number of vehicles (for example, on the order of 100,000 vehicles per day with 10,000 lines of data per vehicle).
[0029] The first computer device 102 is adapted to perform calculations from the data in the database 108 in order to obtain clear results 110 which are stored in a processed database 109 of the first computer device 102.
[0030] The first computer device 102 is adapted to encrypt the plaintext results 110 of the processed database 109 with a secret key 112 using one or more homomorphic encryption schemes.
[0031] It is worth recalling that a homomorphic cryptographic system allows mathematical operations to be performed on previously encrypted data instead of plaintext data. Thus, for a given calculation, it becomes possible to encrypt the data, perform certain calculations associated with the given calculation using the encrypted data, and decrypt them, obtaining the same result as if the given calculation had been performed directly with the plaintext data.
[0032] The homomorphic encryption of the plaintext results 110 generates encrypted data 114.
[0033] The computer device 102 transmits the encrypted data 114 to the second computer device 104, via the communication network 106, for processing and in particular for calculations in the homomorphic domain with a calculation function known only by the second computer device 104 and to which the computer device 102 does not have access.
[0034] The communication network 106 can be the internet network or another wired and / or wireless communication network.
[0035] The second computing device 104 may be, for example, a remote server, a cloud-based computing system, or any other type of device data processing which is remote from the first computer device 102 and which is adapted to perform calculations particularly in the homomorphic domain.
[0036] The result of the homomorphic computation obtained by the second computing device 104 (indicated in [Fig. 1] as an encrypted result 118) can then be sent from the second computing device 104 to the first computing device 102 via the communication network 106. The first computing device 102 receives the encrypted result 118. The first computing device 102 is configured to decrypt the encrypted result 118 with the secret key 112 using one or more homomorphic decryption schemes.
[0037] The decryption result shown on [Fig.1] as a plaintext result 120 is then transmitted from the first computer device 102 to the second computer device 104 via the communication network 106 which thus obtains the plaintext result 120 without having had knowledge of the plaintext data of the database 108.
[0038] The protection of the confidentiality of the calculation function implemented on the second computer device 104 is achieved by a secure calculation method according to the invention which is described later.
[0039] The second computer device 104 is operated by a second entity, referred to as Bob in the remainder of the description. In the usage insurance application example introduced earlier, Bob could be an insurance company.
[0040] In this example, Alice holds time-based vehicle driving data linked to identifiers, such as vehicle identification numbers (VINs), telephone numbers, or traction battery identification numbers. This data must be protected because Alice does not want to share it with Bob.
[0041] Bob alone knows the parameters defining a driving score calculation function. This score calculation function is defined, for example, by conversion tables ("lookup tables"), accompanied by a set of coefficients, each coefficient of which is associated with one of the conversion tables.
[0042] This function makes it possible to obtain a score linked to the data to be protected from Alice, for example a score linked to driving data in order to offer a personalized insurance rate based on the calculated score. Bob wants to keep the definition of the driving score calculation function secret.
[0043] In a known manner, conversion tables denoted Tj allow data to be converted into metrics denoted p^. The score is obtained by linear combinations of the metrics pj5 defined by coefficients Wj forming the set of coefficients mentioned above.
[0044]
[0045]
[0046]
[0047]
[0048]
[0049]
[0050]
[0051]
[0052]
[0053]
[0054]
[0055]
[0056] Figure [Fig.2] presents a general scheme for calculating a score from conversion tables and data to be protected, based on a set of coefficients Wj. Mathematically, we write: X = M .. / Eq.l) Where x is the array of data to be protected, for a particular identifier, over the set of indices from 1 to r. Each Xt is a row in the data array and includes several numerical quantities, here called data 1, data 2, etc., which correspond to driving parameters, for example (speed, acceleration, etc.). Advantageously, a data filtering step can be used according to a data filtering function defined by the following expression: ye [o, sizt^Tj) -1] if cond ( x ) - OK (Ecl- Or: NaN Otherwise q>j is the data filtering function, y are the indices in the conversion tables for the data x, Tj is the conversion table with index j, and cond(x) is a condition relating to the data x. Such a data filtering function allows us to exclude rows from the table of personal temporal data that do not meet the condition cond(x). Invalidated data can be represented by the acronym NaN, for "Not A Number". The conditions cond(x) are, for example, intervals of values considered for the calculation of the score, such as intervals of vehicle speed, travel time, geographical position, etc. The data filtering function identifies and returns the index y of the cell corresponding to the data x in the jth conversion table. The index is the cell number in the conversion table corresponding to the closest values for the input data in the table, with the table being flattened for its numbering. We can construct an index vector by grouping values obtained using the following expression: Y — ro / x (Eq-^) The index vector Yjj consists of all the indices of all the conversion tables Tj for the data Xt of the index t of the data table X-
[0057]
[0058]
[0059]
[0060]
[0061]
[0062]
[0063]
[0064]
[0065]
[0066]
[0067]
[0068]
[0069]
[0070] As mentioned previously, each metric is associated with a conversion table Tj, and the result of applying this conversion is the metric Zj for the index t, which can be written as: „ _ [T^Y^ *YJt*NaN <ecl-4> 0, A otherwise In the example in [Fig. 2], the conversion table is a two-dimensional table that provides a metric based on the values of two input data. This illustration is not limiting; the invention applies identically regardless of the number of dimensions of the conversion tables. The metrics are then averaged over all indices t, i.e., for the jth metric Pj: uz (Eq.5) FJ N J Jt where Nj is the number of elements for which Yjjtest is different from NaN. The score is then a linear combination of these averaged metrics, a combination defined by the coefficients Wj: Score = where np is the number of metrics for the score. According to a particular application case, all the Wj coefficients are equal to 1. It should be noted that it is irrelevant whether the metrics are averaged over the entire time horizon of the data (i.e. over the entire index of a data table) before calculating a linear combination, or whether a linear combination of the non-averaged metrics is performed directly by adapting the coefficients of the combination. However, this scoring system raises confidentiality issues: - if it is implemented by the entity holding the data, then the confidentiality of the scoring function is not ensured; - if it is implemented by the entity holding the scoring function, then data confidentiality is not ensured; - if the data holder only transmits the indices Yet and the scoring function holder implements the rest of the calculations, the scoring function holder has information very close to the data. We will now describe, with reference to [Fig.3], a secure method for calculating a score of 200 according to an example of an embodiment of the invention. The proposed method is implemented by a computer network 100 as described previously. The proposed method finds a particularly interesting application in the field of usage-based insurance. Thus, in the context of In the example mentioned earlier, the secure calculation method 200 allows Alice and Bob to calculate driving scores without going through a trusted third party while protecting the confidentiality of Alice's data and Bob's score calculation function.
[0071] The process 200 begins with an initialization step 201.
[0072] The initialization step 201 includes a structure definition step 201a, in which the first computer device 102 receives from the second computer device 104 a structure of the conversion tables Tj used for calculating the scoring function, including the number of cells in each conversion table Tj and the index values of each conversion table Tj, so as to allow the first computer device 102 to determine indices Yj t of each conversion table Tj corresponding to the values of the data in the plaintext database 108 that are associated with the conversion table Tj. According to the proposed method, the first computer device 102 does not have access to the cell values of the conversion tables Tj, thus preserving the confidentiality of the scoring function.Thus, transmitting only information relating to the structure of the Tj conversion tables helps to protect the score calculation function.
[0073] For example, the initialization step 201 includes a step for choosing a homomorphic encryption technology to be used for the remainder of the process. The chosen homomorphic encryption is a linearly homomorphic encryption scheme. It supports, at a minimum, homomorphic additions and multiplications by constants. Examples include Torus Learning With Errors (TLWE), Fully Homomorphic Encryption Over the Torus (TFHE), the Paillier cryptosystem, Brakerski-Gentry-Vaikuntanathan, the El Gamal cipher in its additive form, the BGN (Boneh-Goh-Nissim) cipher, etc.
[0074] For example, the initialization step 201 includes a generation step by the first computing device 102 of the secret key 112 for homomorphic encryption and decryption according to the homomorphic encryption technology chosen.
[0075] According to the embodiment, the initialization step 201 may include a step of generation by the first computing device 102 of a large predetermined number K of zeros encrypted by homomorphic encryption using the generated secret key 112, and a step of transmission of the generated zero-encrypted K to the second computing device 104.
[0076] Optionally, the initialization step may include a step of transmission by the second computer device 104 to the first computer device 102 of a set of filtering conditions associated with the personal data temporal followed by a step of filtering temporal personal data by the first computer device 102 according to the set of filtering conditions transmitted.
[0077] After the initialization step 201, the process continues with a step 202 of determining the indices Yj>t corresponding to the indices of the value tables Tj as a function of the driving data associated with an identifier.
[0078] In the next step 203, the first computer device 102 calculates presence ratios 0j4 of all the cells of all the conversion tables Tj from the indices Yj>t determined in step 202. The presence ratios correspond to the occupancy rate of each cell of the value tables Tj.
[0079] The calculation of the 0j4 attendance ratios is carried out using the following equations:
[0080] =}| (Eq.7A)
[0081] (Eq.7B)
[0082] a _ (Eq.7C)
[0083] where:
[0084] N - is the occurrences of the ith cell of the jth conversion table Tj appearing in the data to be protected, and
[0085] Nj is the sum of all occurrences on the conversion table Tj.
[0086] Thanks to the use of attendance ratios, the proposed process allows a reduction significant of the volume of data to be encrypted by the first computer device 102. Indeed, rather than encrypting all the data to be protected before transmitting it to the second computer device, the method according to the invention proposes to calculate presence ratios within the conversion tables Tj and to transmit these ratios to the second computer device, thus considerably limiting the encryption calculations to be implemented and the amount of data transmitted.
[0087] The calculation process continues with a step 204 of homomorphic encryption of the calculated Ojj presence ratios, followed by a step 205 of transmission of the encrypted Ojj presence ratios to the second computer device 104.
[0088] After receiving the encrypted attendance ratios 0j4, the second computer device 104 calculates in the homomorphic domain the score calculation function from the encrypted attendance ratios 0j4, the content of each index cell i of each conversion table Tj and the set of coefficients Wj (step 206).
[0089] For example, the numerical metrics are expressed by the following equation:
[0090] Enc(uEnAf)^ (Eq'8)
[0091] where:
[0092] 6 •) SOnt 'CS rati°s de présence ôj4 chiffrés.
[0093] Equation 8 expresses the fact that each metric j is obtained by summing over the entire index of the conversion table], the product of each cell of the conversion table and the corresponding presence ratio.
[0094] The numerical score can then be obtained using the following equation:
[0095] pzxv”" j / J UEq-9) LJ Enc^score) ^Z^.^WjEn&Li ,]y 7 J " * J JJ
[0096] After homomorphic computation step 206, the second computing device 104 scrambles the results of the encrypted homomorphic computation (step 207). The scrambling step includes a score-masking substep, which preserves the confidentiality of the score, and a score-scrambling substep, which preserves the confidentiality of the score calculation function. Specifically, the score-masking substep aims to hide the plaintext score from Alice, and the score-scrambling substep aims to keep the internal calculations of the score calculation function secret.
[0097] For example, the score masking substep includes applying a random mask chosen according to the homomorphic encryption scheme used. For example, a random unsigned integer can be used in the case of a TLWE encryption.
[0098] The score scrambling substep includes applying a scrambling method chosen according to the homomorphic encryption scheme used. For example, adding a random combination of ciphertext zeros can be used in the case of a TLWE cipher.
[0099] For example, the cipher zeros in the combination can be randomly drawn from the set of zero ciphers transmitted during step 201 by the first computing device 102. This feature protects the confidentiality of the scoring function. Indeed, without this addition, the first computing device 102 could obtain information related to the scoring function in the cipher domain, which would give it information that could allow it to recover the scoring function. By adding the cipher zeros, the first computing device can no longer determine the scoring function.
[0100] For example, the mask applied to the result of the encrypted homomorphic computation can correspond to a random unsigned integer whose size depends on the parameters of the chosen homomorphic encryption. Masking the result of the encrypted homomorphic computation protects the confidentiality of the score, since once decrypted by the first computing device, the score remains masked.
[0101] The scrambling step thus makes it possible to protect both the score calculation function and the score itself.
[0102] The process then continues with a step 208 of transmitting the scrambled results to the first computer device 102, followed by a step 209 of deciphering the scrambled results by the first computer device 102. During deciphering, the encrypted zeros inserted in the score in step 207 disappear, and the first computer device 102 obtains the masked score in plain text.
[0103] The first computer device 102 then transmits the masked score in plain text to the second computer device 104 (step 210).
[0104] The process 200 ends with a step 211 of processing the masked score in plain text, carried out by the second computer device 104, by removing the mask applied in the scrambling step, so as to obtain the score value without masking.
[0105] Thus, in the implementation of the process according to the invention: - the first computer system never has access to the content of the conversion tables, and therefore to the scoring function, - The first computer system never has access to the score in plain text, since the decrypted score is masked. Therefore, it has no information allowing it to reconstruct the scoring function. - the first computer system cannot derive the scoring function from the numerical score calculated by the second computer system, since this numerical score is protected by the insertion of encrypted zeros, - the second computer device never has access to the data to be protected from the first computer device, neither in plain text nor in encrypted form.
[0106] Thanks to the method according to the invention, only the sizes of the tables and the number of tables are known to the two entities, plus possibly the filtering conditions.
[0107] Figure 4 schematically presents the distribution of the different stages of the secure calculation process 200 between the first and second computer devices 102, 104. It should be noted that the same elements bear the same references from one figure to the other.
[0108] According to another aspect, the invention relates to a computer program product comprising code instructions for execution on the first and second computer devices 102, 104 of the secure computing method 200.
Claims
1. Demands A secure calculation method implemented by first and second computing devices (102, 104) adapted to communicate with each other through a communication network (106), the first computing device (102) comprising a plaintext database (108) containing data to be protected associated with identifiers, a scoring function for calculating a score from the data in the database (108) of the first computing device (102), the scoring function being defined by conversion tables (Tj) having one or more data types as dimensions from among the data in the database (108) and a set of coefficients (Wj) defining a linear combination of metrics, each coefficient (Wj) being associated with one of the conversion tables (Tj), characterized in that the method comprises, for a given identifier, the steps of: - initialization including a structure definition step in which the first computer device (102) receives from the second computer device (104) a structure of the conversion tables (Tj) including the number of cells of each conversion table (Tj) and the index values of each conversion table (Tj) so as to allow the first computer device (102) to determine indices (Yj>t) of each conversion table (Tj) corresponding to the values of the data in the plaintext database (108) which are associated with the conversion table (Tj) and the identifier, - determination of the indices (Yj>t), carried out after the initialization step, - calculation of presence ratios (Ojj) of all cells in all conversion tables (Tj) based on the determined indices (Yjjt), - homomorphic encryption of calculated presence ratios (Ojj), - transmission of the encrypted attendance ratios (Ojj) to the second computer system (104), - calculation of the score calculation function from the encrypted attendance ratios (0^) and the content of each index cell i of each conversion table (Tj) by the homomorphic linear combination of metrics using the associated set of coefficients (Wj), - scrambling of the results of the encrypted homomorphic calculation including a substep of score masking adapted to preserve the confidentiality of the score and a substep of score scrambling adapted to preserve the confidentiality of the score calculation function, - transmission of the scrambled results to the first computer device (102), - decryption of the scrambled results, so as to obtain a masked score in plain text, - transmission of the masked score in plain text to the second computer device (104), and - processing of the masked score in plain text so as to obtain the value of the score without masking.
2. A method according to claim 1, wherein the set of coefficients (Wj) corresponds to a weighting of the metrics.
3. A method according to claim 1 or 2, wherein the substep of scrambling the results of the scrambling step comprises adding zero ciphers randomly drawn from a set of homomorphic zero ciphers previously transmitted by the first computing device (102).
4. A method according to any one of claims 1 to 3, wherein the score-masking substep includes adding a random unsigned integer.
5. A method according to any one of claims 1 to 4, wherein the initialization step includes a step of choosing a homomorphic encryption technology to be used for the remainder of the method.
6. A method according to claim 5, wherein the initialization step includes a generation step by the first computing device (102) of a secret key (112) for homomorphic encryption and decryption according to the homomorphic encryption technology chosen.
7. A method according to claim 6, wherein the initialization step includes a step of generating by the first computing device (102) a large predetermined number K of zero ciphers using the generated secret key (112) and a step of transmitting the generated K zero ciphers to the second computing device (104).
8. A method according to any one of claims 1 to 7, wherein the initialization step comprises a step of transmission by the second computing device (104) to the first computing device (102) of a set of filtering conditions associated with the data and a step of filtering the data by the first computing device (102) according to the set of filtering conditions transmitted by the second computing device (104)
9. A method according to any one of claims 1 to 8, wherein the step of processing the masked score in plain text includes removing the masking of the score.
10. Product computer program comprising code instructions for carrying out a process according to any one of claims 1 to 9.