Method for carrying out secure computation based on homomorphic encryption between two entities without trusted third parties
The method allows secure, cost-effective calculation of usage-based insurance scores by encrypting and obfuscating data and functions between two entities, addressing computational inefficiencies and vulnerabilities in existing systems.
Patent Information
- Authority / Receiving Office
- WO · WO
- Patent Type
- Applications
- Current Assignee / Owner
- AMPERE SAS
- Filing Date
- 2025-12-19
- Publication Date
- 2026-06-25
AI Technical Summary
Existing homomorphic encryption methods for usage-based insurance are computationally expensive and require a trusted third party, exposing driving data and scoring calculation functions to vulnerabilities, while specialized garbled circuits incur significant costs.
A method enabling two entities to perform secure calculations without a trusted third party by using homomorphic encryption to encrypt and transmit statistical values, obfuscate results, and mask scores, ensuring confidentiality of both data and calculation functions.
Ensures confidentiality of driving data and scoring functions by preventing either entity from accessing plaintext data or calculation methods, reducing computational overhead and eliminating the need for costly garbled circuits.
Abstract
Description
[0001] DESCRIPTION
[0002] TITLE: Secure computation method using homomorphic encryption between two entities without a trusted third party
[0003] Technical field
[0004] The present invention relates to the field of secure computation by homomorphic encryption between two entities without a trusted third party.
[0005] Prior art
[0006] Usage-based insurance (UBI) requires, in order to be personalized, the calculation of a driving score based on driving data such as speed, acceleration, braking, etc., which is collected from the vehicles of owners who have taken out this type of insurance policy. This data is personal and must be protected; in particular, it must not be transmitted to the insurer.
[0007] Furthermore, the scoring calculation function itself must be protected, as it is the intellectual property of the insurer calculating the scores.
[0008] Currently, vehicle driving data is encrypted during transmission from the car to the manufacturer's servers and then to the servers of a trusted third party responsible for calculating the score. The insurer transmits the scoring calculation function to the trusted third party, which calculates the insured's score and communicates it to the insurer. However, the driving data is decrypted on the servers of the third party responsible for calculating the score, thus becoming vulnerable to potential attacks. Furthermore, the trusted third party, which has access to both the insured's driving data and the scoring calculation function, must be completely reliable.
[0009] Homomorphic encryption techniques are known from prior art. These techniques allow a first user to encrypt data and transmit it in encrypted form to a second user who can then perform mathematical operations on the encrypted data without decrypting it. This type of encryption is generally used in finance and healthcare. For example, one could imagine a car manufacturer encrypting all its data and transmitting it to an insurer, who would calculate an encrypted score and send it back to the manufacturer for decryption. However, this method does not effectively protect the definition of the calculation function from the manufacturer. The manufacturer would still have access to the score in plaintext and could potentially trace it back to the definition of the scoring function through statistical analysis, for instance. Furthermore, the homomorphic encryption of all driving data and the calculations performed on this encrypted data by the insurer are very computationally expensive and could not be implemented as is due to the sheer volume of data to be processed. Moreover, these processes would require the use of specialized "garbled circuits," which represent a significant cost.
[0010] Description of the invention
[0011] The proposed invention aims to enable two entities, one holding the data and the other the definition of the function to be calculated, to perform an efficient calculation of this function without going through a trusted third party and while protecting the confidentiality of the data and the definition of the function.
[0012] The invention relates to a secure calculation method implemented by first and second computer devices adapted to communicate with each other through a communication network, the first computer device comprising a plaintext database containing data to be protected associated with identifiers, a scoring function allowing the calculation of a score from the data in the database of the first computer device, the scoring function being defined by conversion tables having one or more data types as dimensions among the data in the database and a set of coefficients defining a linear combination of metrics, each coefficient being associated with one of the conversion tables.
[0013] The process includes, for a given identifier, the following steps: initialization, including a structure definition step in which the first computer device receives from the second computer device a structure of the conversion tables comprising the number of cells in each conversion table and the index values of each conversion table so as to allow the first computer device to determine indices for each conversion table corresponding to the values of the plaintext database data associated with the conversion table and the identifier; determination of the indices, carried out after the initialization step; calculation of presence ratios of all cells in all conversion tables from the determined indices; homomorphic encryption of the calculated presence ratios; transmission of the encrypted presence ratios to the second computer device; calculation of the score calculation function from the encrypted presence ratios and the content of each index cell i of each conversion table by the homomorphic linear combination of metrics using the associated set of coefficients; obfuscation of the results of the encrypted homomorphic calculation including a score masking substep adapted to preserve the confidentiality of the score and a score obfuscation substep adapted to preserve the confidentiality of the score calculation function; transmission of the obfuscated results to the first computing device; decryption of the obfuscated results to obtain a masked score in plaintext; transmission of the masked score in plaintext to the second computing device; and processing of the masked score in plaintext to obtain the unmasked score value.
[0014] For example, the set of coefficients corresponds to a weighting of the metrics.
[0015] Advantageously, the score scrambling substep includes adding encryptions of zero drawn randomly from a set of homomorphic encryptions of zero previously transmitted by the first computing device.
[0016] For example, the score masking substep includes adding a random unsigned integer.
[0017] For example, the initialization step includes a step to choose a homomorphic encryption technology to use for the rest of the process.
[0018] According to one characteristic, the initialization step includes a generation step by the first computing device of a secret key for homomorphic encryption and decryption based on the chosen homomorphic encryption technology.
[0019] According to another feature, the initialization step includes a generation step by the first computing device of a large predetermined number K of zero ciphers using the generated secret key and a transmission step of the generated K zero ciphers to the second computing device.
[0020] For example, the initialization step includes a step where the second computing device transmits a set of filtering conditions associated with the data to the first computing device, and a step where the first computing device filters the data according to the set of filtering conditions transmitted by the second computing device. For example, the step of processing the masked score in plain text includes removing the score masking.
[0021] According to another aspect, the invention relates to a computer program product comprising code instructions for the execution of a process as defined above.
[0022] Brief description of the drawings
[0023] Other objects, features and advantages of the invention will become apparent from the following description, given solely by way of non-limiting example, and made with reference to the accompanying drawings in which:
[0024] [Fig 1] schematically represents a computer network according to an example of an embodiment of the invention;
[0025] [Fig 2] is a general scheme for calculating the score;
[0026] [Fig 3] is a flowchart of a secure calculation method according to an example of an embodiment of the invention; and
[0027] [Fig 4] is a diagram of the distribution of the steps of the process of [Fig 3] between two computer devices of the network of [Fig 1]
[0028] Detailed description of at least one embodiment
[0029] Figure 1 schematically represents a computer network 100 adapted for the implementation of a secure computing process according to the invention which is detailed later.
[0030] The computer network 100 comprises a first computer device 102, a second computer device 104, and a communication network 106 adapted for communication between the first and second computer devices 102, 104. The first and second computer devices 102, 104 are adapted to communicate with each other via the communication network 106. Communication between the first and second computer devices 102, 104 is secured according to current digital telecommunications standards.
[0031] The first computing device 102 is adapted to homomorphically encrypt plaintext data (e.g., an array of plaintext data) to generate homomorphically encrypted data (e.g., an array of encrypted data). The encrypted data can be sent from the first computing device 102 to the second computing device 104 for processing, without the second computing device 104 having to decrypt the encrypted data from the first computing device 102.
[0032] According to the method of the invention, the encrypted data of the first computer device 102 is not decrypted by the second computer device 104 before, during, or after the processing of the encrypted data. The second computer device 104 does not possess the decryption key for the data and has no knowledge of (or access to) the plaintext data of the first computer device 102. Furthermore, as described later, the method according to the invention does not encrypt and transmit all the data used for calculating the score, but transmits statistical values obtained based on the data, which are encrypted.
[0033] For example, the first IT device 102 is a server for a first entity, called Alice in the rest of the description. In an example application related to insurance, detailed later, Alice could be a motor vehicle manufacturer or a motor vehicle service provider.
[0034] According to the example illustrated in Figure 1, the first computer device 102 includes a plaintext database 108. For example, the database 108 may include time-based driving data for a large number of vehicles (for example, on the order of 100,000 vehicles per day with 10,000 lines of data per vehicle).
[0035] The first computer device 102 is adapted to perform calculations from the data in the database 108 in order to obtain plaintext results 110 which are stored in a processed database 109 of the first computer device 102.
[0036] The first computer device 102 is adapted to encrypt the plaintext results 110 of the processed database 109 with a secret key 112 using one or more homomorphic encryption schemes.
[0037] Recall that a homomorphic cryptographic system allows mathematical operations to be performed on previously encrypted data instead of plaintext data. Thus, for a given calculation, it becomes possible to encrypt the data, perform certain calculations associated with the given calculation using the encrypted data, and decrypt them, obtaining the same result as if the given calculation had been performed directly with the plaintext data.
[0038] Homomorphic encryption of the plaintext results 110 generates encrypted data 114.
[0039] The computer device 102 transmits the encrypted data 114 to the second computer device 104, via the communication network 106, for processing and in particular for calculations in the homomorphic domain with a calculation function known only by the second computer device 104 and to which the computer device 102 does not have access.
[0040] The communication network 106 can be the internet network or another wired and / or wireless communication network.
[0041] The second computing device 104 can be, for example, a remote server, a cloud-based computing system, or any other type of data processing device that is remote from the first computing device 102 and is suitable for performing calculations, particularly in the homomorphic domain.
[0042] The result of the homomorphic computation obtained by the second computing device 104 (indicated in Figure 1 as an encrypted result 118) can then be sent from the second computing device 104 to the first computing device 102 via the communication network 106. The first computing device 102 receives the encrypted result 118. The first computing device 102 is configured to decrypt the encrypted result 118 with the secret key 112 using one or more homomorphic decryption schemes.
[0043] The decryption result shown in Figure 1 as a plaintext result 120 is then transmitted from the first computer device 102 to the second computer device 104 via the communication network 106 which thus obtains the plaintext result 120 without having had knowledge of the plaintext data of the database 108.
[0044] The protection of the confidentiality of the calculation function implemented on the second computer device 104 is achieved by a secure calculation method according to the invention which is described later.
[0045] The second computer device 104 is operated by a second entity, referred to as Bob in the rest of the description. In the usage insurance application example introduced earlier, Bob could be an insurance company.
[0046] In this example, Alice possesses time-based vehicle driving data linked to identifiers, such as vehicle identification numbers (VINs), phone numbers, or traction battery identification numbers. This data needs to be protected because Alice does not want to share it with Bob.
[0047] Bob alone knows the parameters defining a driving score calculation function. This score calculation function is defined, for example, by conversion tables ("lookup tables"), accompanied by a set of coefficients, each coefficient of which is associated with one of the conversion tables.
[0048] This function allows for obtaining a score linked to Alice's data that needs to be protected, for example, a score related to driving data, in order to offer a personalized insurance rate based on the calculated score. Bob wants to keep the definition of the driving score calculation function secret.
[0049] As is known, conversion tables, denoted Tj, allow the conversion of data into metrics, denoted pj. The score is obtained through linear combinations of the pj metrics, defined by coefficients Wj, which form the set of coefficients mentioned previously. Figure 2 presents a general scheme for calculating the score from conversion tables and the data to be protected, based on a set of coefficients Wj.
[0050] Mathematically, we write:
[0051] $$X = \{X_t\}_{t \in [1, T]} \quad \text{(Eq. 1)}$$
[0052] Where X is the array of data to be protected, for a particular identifier, over the set of indices from 1 to T. Each Xt is a row of the data table and includes several numerical values, here called data 1, data 2, etc., which correspond to driving parameters, for example (speed, acceleration, etc.)
[0053] Advantageously, a data filtering step can be used according to a data filtering function defined as follows:
$$\varphi_j(x) = \begin{cases} y \in [0, \mathrm{size}(T_j) - 1] & \text{if } cond(x) = OK \\ NaN & \text{otherwise} \end{cases}$$
where:
• $\varphi_j$ is a data filtering function giving the indices in the conversion tables for the data x,
[0054] • Tj is the index j conversion table, and
[0055] • cond(x) is a condition relating to the data x.
[0056] Such a data filtering function allows us to discard rows from the table of personal temporal data that do not meet the condition cond(x). Invalidated data can be represented by the acronym NaN for "Not A Number".
[0057] The conditions cond(x) are, for example, intervals of values considered for the calculation of the score, such as intervals of vehicle speed, travel time, geographical position, etc.
[0058] The data filtering function identifies and returns the index y of the cell corresponding to the data x in the j-th conversion table. The index is the cell number of the conversion table corresponding to the closest values for the input data of the table, the table being flattened for its numbering.
[0059] We can construct an index vector by grouping values obtained using the following expression:
[0060] $$Y_{j,t} = \varphi_j(X_t) \quad \text{(Eq. 3)}$$
[0061] The index vector Yj,t consists of all the indices of all the conversion tables Tj for the data Xt of the index t of the data table X.
[0062] As mentioned previously, each metric is associated with a conversion table Tj, and the result of applying this conversion is the metric Zj for the index t, which can be written as:
[0063] In the example in Figure 2, the conversion table is a two-dimensional table that provides a metric based on the values of two input data. This illustration is not limiting; the invention applies identically regardless of the number of dimensions of the conversion tables.
[0064] The metrics are then averaged over all indices t, i.e., pj:
[0065] (Eq.5) where Nj is the number of elements for which Yj, t is different from NaN.
[0066] The score is then a linear combination of these averaged metrics, a combination defined by the coefficients Wj: where $n_M$ is the number of metrics for the score. According to a particular application case, all Wj coefficients are equal to 1.
[0067] It should be noted that it is irrelevant whether the metrics are averaged over the entire time horizon of the data (i.e. over the entire index of a data table) before calculating a linear combination, or whether a linear combination of the non-averaged metrics is performed directly by adapting the coefficients of the combination.
[0068] However, this scoring calculation raises confidentiality issues: if it is implemented by the entity holding the data, then the confidentiality of the scoring function is not guaranteed; if it is implemented by the entity holding the scoring function, then the confidentiality of the data is not guaranteed; if the data holder transmits only the indices Yj,t and the holder of the scoring function implements the rest of the calculations, the holder of the scoring function has information very close to the data.
[0069] We will now describe, with reference to Figure 3, a secure score calculation method 200 according to an example of an embodiment of the invention.
[0070] The proposed method is implemented by a computer network 100 as described previously. The proposed method finds a particularly interesting application in the field of usage-based insurance. Thus, in the context of the example mentioned earlier, the secure calculation method 200 allows Alice and Bob to calculate driving scores without going through a trusted third party, while protecting the confidentiality of Alice's data and Bob's score calculation function.
[0071] Process 200 begins with an initialization step 201.
[0072] The initialization step 201 includes a structure definition step 201a, in which the first computer device 102 receives from the second computer device 104 a structure of the conversion tables Tj used for the calculation of the scoring function, including the number of cells in each conversion table Tj and the index values of each conversion table Tj, so as to enable the first computer device 102 to determine indices Yj,t of each conversion table Tj corresponding to the values of the plaintext database 108 that are associated with the conversion table Tj. According to the proposed method, the first computer device 102 does not have access to the values of the cells in the conversion tables Tj, thus preserving the confidentiality of the scoring function. Therefore, transmitting only the information relating to the structure of the conversion tables Tj protects the scoring function.
[0073] For example, initialization step 201 includes a step to choose a homomorphic encryption technology to be used for the rest of the process. The chosen homomorphic encryption is a linearly homomorphic encryption scheme. At a minimum, it supports homomorphic additions and multiplications by constants. Examples of homomorphic encryptions that can be used include Torus Learning With Errors (TLWE), Fully Homomorphic Encryption Over the Torus (TFHE), the Paillier cryptosystem, Brakerski-Gentry-Vaikuntanathan, the El Gamal cipher in its additive form, the BGN (Boneh-Goh-Nissim) cipher, etc.
[0074] For example, the initialization step 201 includes a generation step by the first computing device 102 of the secret key 112 for homomorphic encryption and decryption according to the chosen homomorphic encryption technology.
[0075] According to the embodiment, the initialization step 201 may include a step of generation by the first computing device 102 of a large predetermined number K of zeros encrypted by homomorphic encryption using the generated secret key 112, and a step of transmission of the K generated encrypted zeros to the second computing device 104.
[0076] Optionally, the initialization step may include a step of transmission by the second computer device 104 to the first computer device 102 of a set of filtering conditions associated with temporal personal data followed by a step of filtering the temporal personal data by the first computer device 102 according to the set of filtering conditions transmitted.
[0077] After the initialization step 201, the process continues with a step 202 of determining the indices Yj,t corresponding to the indices of the conversion tables Tj based on the driving data associated with an identifier.
[0078] In the next step 203, the first computer device 102 calculates presence ratios θj,i of all cells in all conversion tables Tj from the indices Yj,t determined in step 202. The presence ratios correspond to the occupancy rate of each cell in the conversion tables Tj.
[0079] The calculation of the presence ratios θj,i is carried out using the following equations:
[0080] $$N_{j,i} = \sum_{t \in [1, T]} \mathbb{1}(Y_{j,t} = i) \quad \text{(Eq. 7A)}$$ Where:
[0081] Nj,i is the number of occurrences of the i-th cell of the j-th conversion table Tj appearing in the data to be protected, and
[0082] Nj is the sum of all occurrences on the conversion table Tj.
[0083] Thanks to the use of presence ratios, the proposed method allows a significant reduction in the volume of data to be encrypted by the first computer device 102. Indeed, rather than encrypting all the data to be protected before transmitting it to the second computer device, the method according to the invention proposes to calculate presence ratios within the conversion tables Tj and to transmit these ratios to the second computer device, thus considerably limiting the encryption calculations to be implemented and the amount of data transmitted.
[0084] The calculation process continues with a step 204 of homomorphic encryption of the calculated presence ratios θj,i, followed by a step 205 of transmission of the encrypted presence ratios θj,i to the second computer device 104.
[0085] After receiving the encrypted presence ratios θj,i, the second computer device 104 calculates in the homomorphic domain the score calculation function from the encrypted presence ratios θj,i, the content of each index cell i of each conversion table Tj and the set of coefficients Wj (step 206).
[0086] For example, the encrypted metrics are expressed by the following equation: Where:
[0087] Enc(θj,i) are the presence ratios θj,i in encrypted form.
[0088] Equation 8 expresses the fact that each metric j is obtained by summing over the entire index of the conversion table j, the product of each cell of the conversion table and the corresponding presence ratio.
[0089] The encrypted score can then be obtained using the equation
[0090] After homomorphic computation step 206, the second computing device 104 scrambles the results of the encrypted homomorphic computation (step 207). The scrambling step includes a score-masking substep, which preserves the confidentiality of the score, and a score-scrambling substep, which preserves the confidentiality of the scoring function. Specifically, the score-masking substep aims to hide the plaintext score from Alice, and the score-scrambling substep aims to keep the internal calculations of the scoring function secret. For example, the score-masking substep involves applying a random mask chosen according to the homomorphic encryption scheme used. For instance, a random unsigned integer might be used in the case of a TLWE cipher.
[0091] The score scrambling substep involves applying a scrambling method chosen according to the homomorphic encryption scheme used. For example, adding a random combination of ciphertext zeros can be used in the case of a TLWE cipher.
[0092] For example, the encrypted zeros in the combination can be randomly drawn from the set of encrypted zeros transmitted during step 201 by the first computing device 102. This feature protects the confidentiality of the scoring function. Indeed, without this addition, the first computing device 102 could obtain information related to the scoring function in the encrypted domain, which would give it information that could allow it to recover the scoring function. By adding the encrypted zeros, the first computing device can no longer determine the scoring function.
[0093] For example, the mask applied to the result of the encrypted homomorphic calculation can correspond to a random unsigned integer whose size depends on the parameters of the chosen homomorphic encryption. Masking the result of the encrypted homomorphic calculation protects the confidentiality of the score, since once decrypted by the first computer system, the score remains masked.
[0094] The scrambling step therefore protects both the score calculation function and the score itself.
[0095] The process then continues with step 208, in which the scrambled results are transmitted to the first computer device 102, followed by step 209, in which the first computer device 102 decrypts the scrambled results. During decryption, the encrypted zeros inserted into the score in step 207 disappear, and the first computer device 102 obtains the scrambled score in plain text. The first computer device 102 then transmits the scrambled score in plain text to the second computer device 104 (step 210).
[0096] Process 200 ends with a step 211 of processing the masked score in plain text, carried out by the second computer device 104, by removing the mask applied in the scrambling step, so as to obtain the value of the score without masking.
[0097] Thus, in the implementation of the method according to the invention: the first computer device never has access to the content of the conversion tables, and therefore to the scoring function; the first computer device never has access to the score in plaintext, since the decrypted score is masked. It therefore has no information enabling it to retrieve the scoring function; the first computer device cannot retrieve the scoring function from the encrypted score calculated by the second computer device, since this encrypted score is protected by the insertion of encrypted zeros; the second computer device never has access to the data to be protected from the first computer device, neither in plaintext nor in encrypted form.
[0098] Thanks to the process according to the invention, only the sizes of the tables and the number of tables are known to the two entities, plus possibly the filtering conditions.
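The exchange of steps 201 to 211, as an added example that is not part of the patent text: it uses a toy Paillier instance (Paillier is one of the schemes the description lists) with demonstration-sized primes. The fixed-point SCALE, the integer table values and weights, the sample indices and all function names are assumptions made for the illustration.

```python
import secrets
from fractions import Fraction

# Toy Paillier parameters: two Mersenne primes, far too small for real use.
P, Q = 2**61 - 1, 2**89 - 1
SCALE = 1000  # assumed fixed-point scale applied to presence ratios


class PaillierKey:
    """Secret key held by the first device (Alice); n is the public part."""

    def __init__(self, p=P, q=Q):
        self.n = p * q
        self.n2 = self.n * self.n
        self._phi = (p - 1) * (q - 1)
        self._mu = pow(self._phi, -1, self.n)

    def encrypt(self, m):
        r = secrets.randbelow(self.n - 1) + 1
        return (1 + (m % self.n) * self.n) * pow(r, self.n, self.n2) % self.n2

    def decrypt(self, c):
        return (pow(c, self._phi, self.n2) - 1) // self.n * self._mu % self.n


def presence_ratios(indices, n_cells):
    """Steps 202-203: occupancy of each cell; None stands for a filtered (NaN) row."""
    valid = [y for y in indices if y is not None]
    return [Fraction(valid.count(i), len(valid)) for i in range(n_cells)]


def alice_encrypt_ratios(key, indices_per_table, structure):
    """Step 204: Alice encrypts one scaled ratio per cell, knowing table sizes only."""
    return [[key.encrypt(round(theta * SCALE)) for theta in presence_ratios(idx, size)]
            for idx, size in zip(indices_per_table, structure)]


def bob_score(n, enc_ratios, tables, weights, zeros):
    """Steps 206-207: Bob evaluates the score on ciphertexts, masks and scrambles it."""
    n2 = n * n
    c = 1  # trivial ciphertext of 0
    for enc_row, table, w in zip(enc_ratios, tables, weights):
        for enc_theta, cell in zip(enc_row, table):
            # Ciphertext exponentiation adds w_j * T_j[i] * theta_j,i to the plaintext.
            c = c * pow(enc_theta, w * cell, n2) % n2
    mask = secrets.randbelow(2**64)     # score masking: random unsigned integer
    c = c * (1 + mask * n) % n2         # homomorphic addition of the mask
    for z in zeros:                     # score scrambling: random subset of Enc(0)
        if secrets.randbits(1):
            c = c * z % n2
    return c, mask


def run_protocol(indices_per_table, tables, weights, k_zeros=16):
    """Both roles in one process; returns (score, what Alice decrypts, Bob's mask)."""
    key = PaillierKey()                                    # Alice, step 201
    zeros = [key.encrypt(0) for _ in range(k_zeros)]       # Alice -> Bob, step 201
    structure = [len(t) for t in tables]                   # Bob -> Alice, step 201a
    enc = alice_encrypt_ratios(key, indices_per_table, structure)   # steps 202-205
    c, mask = bob_score(key.n, enc, tables, weights, zeros)         # steps 206-208
    masked_plain = key.decrypt(c)                          # Alice, steps 209-210
    score = Fraction((masked_plain - mask) % key.n, SCALE)  # Bob, step 211
    return score, masked_plain, mask


def plaintext_score(indices_per_table, tables, weights):
    """Reference computation with everything in the clear, for comparison only."""
    return sum(w * sum(cell * th for cell, th in zip(t, presence_ratios(idx, len(t))))
               for idx, t, w in zip(indices_per_table, tables, weights))


# Constructed sample: cell indices Y_j,t for two tables, Bob's cell values and weights.
SAMPLE_INDICES = [[0, 1, 1, 3, None, 2, 1, 0, 3], [2, 0, 2, None, 1, 2]]
SAMPLE_TABLES = [[10, 40, 70, 100], [0, 50, 90]]
SAMPLE_WEIGHTS = [3, 1]

if __name__ == "__main__":
    s, seen_by_alice, _ = run_protocol(SAMPLE_INDICES, SAMPLE_TABLES, SAMPLE_WEIGHTS)
    print("score recovered by Bob:", float(s))
    print("value Alice decrypts (masked):", seen_by_alice)
```

Alice only ever handles the table sizes and the masked value; Bob only ever handles ciphertexts and the masked plaintext she returns.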
[0099] Figure 4 schematically presents the distribution of the different stages of the secure calculation process 200 between the first and second computer devices 102, 104. It should be noted that the same elements bear the same references from one figure to the other.
[0100] According to another aspect, the invention relates to a computer program product comprising code instructions for execution on the first and second computer devices 102, 104 of the secure computing method 200.
Claims
1. A secure calculation method implemented by first and second computing devices (102, 104) adapted to communicate with each other through a communication network (106), the first computing device (102) comprising a plaintext database (108) containing data to be protected associated with identifiers, a scoring function for calculating a score from the data in the database (108) of the first computing device (102), the scoring function being defined by conversion tables (Tj) having one or more data types as dimensions from among the data in the database (108) and a set of coefficients (wj) defining a linear combination of metrics, each coefficient (wj) being associated with one of the conversion tables (Tj), characterized in that the method comprises, for a given identifier, steps of: initialization including a structure definition step in which the first computer device (102) receives from the second computer device (104) a structure of the conversion tables (Tj) including the number of cells of each conversion table (Tj) and the index values of each conversion table (Tj) so as to allow the first computer device (102) to determine indices (Yj,t) of each conversion table (Tj) corresponding to the values of the plaintext database data (108) which are associated with the conversion table (Tj) and the identifier, determination of the indices (Yj,t), performed after the initialization step, calculation of presence ratios (θj,i) of all cells of all conversion tables (Tj) from the indices (Yj,t) determined, homomorphic encryption of the calculated presence ratios (θj,i), transmission of the encrypted presence ratios (θj,i) to the second computer device (104), calculation of the score calculation function from the encrypted presence ratios (θj,i) and the content of each index cell i of each conversion table (Tj) by the homomorphic linear combination of metrics using the associated set of coefficients (wj), scrambling of the results of the encrypted homomorphic calculation including a substep of score masking and a substep of score scrambling, transmission of the scrambled results to the first computer device (102), decryption of the scrambled results, so as to obtain a masked score in plain text, transmission of the masked score in plain text to the second computer device (104), and processing of the masked score in plain text so as to obtain the unmasked score value.
2. Method according to claim 1, wherein the set of coefficients (wj) corresponds to a weighting of the metrics.
3. Method according to claim 1 or 2, wherein the substep of scrambling the results of the scrambling step comprises adding ciphers of zero drawn randomly from a set of homomorphic ciphers of zero previously transmitted by the first computing device (102).
4. A method according to any one of claims 1 to 3, wherein the score-masking substep comprises adding a random unsigned integer.
5. A method according to any one of claims 1 to 4, wherein the initialization step includes a step of choosing a homomorphic encryption technology to be used for the rest of the method.
6. A method according to claim 5, wherein the initialization step comprises a generation step by the first computer device (102) of a secret key (112) for homomorphic encryption and decryption according to the homomorphic encryption technology chosen.
7. Method according to claim 6, wherein the initialization step includes a generation step by the first computing device (102) of a large predetermined number K of zero ciphers using the generated secret key (112) and a transmission step of the generated K zero ciphers to the second computing device (104).
8. A method according to any one of claims 1 to 7, wherein the initialization step comprises a step of transmission by the second computing device (104) to the first computing device (102) of a set of filtering conditions associated with the data and a step of filtering the data by the first computing device (102) according to the set of filtering conditions transmitted by the second computing device (104).
9. A method according to any one of claims 1 to 8, wherein the step of processing the masked score in plain text includes removing the masking of the score.
10. Computer program product comprising code instructions for the execution of a process according to any one of claims 1 to 9.