FILTERING ENCRYPTED DATA USING INDEXES

US 20180307763A1
Filed: 04/24/2017
Published: 10/25/2018
Est. Priority Date: 04/24/2017
Status: Active Grant

First Claim

Patent Images

1. A method for storing encrypted data, comprising:

storing a first ciphertext associated with a first plaintext in a data field of a database;

storing a second ciphertext associated with a second plaintext in the data field, wherein the first plaintext and the second plaintext are different;

generating a first index for the first plaintext and a second index for the second plaintext using an indexing function, wherein an index value of the first index and an index value of the second index are the same;

determining a set of index values associated with the first plaintext using the indexing function, wherein the set of index values comprises the index value of the first index and the second index; and

identifying, for a set of ciphertexts stored in the data field, all indexes with index values included in the determined set of index values.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

During an encryption process, a database system may generate an index value based on the plaintext to be encrypted, an encryption key, a data field-specific salt, or a combination thereof. The database may store the index value in an index associated with the ciphertext output of the encryption process. In some cases, the database may receive a query specifying a plaintext value for filtering on a data field, where the database may return data objects with the specified plaintext value in the given data field. The database may compute a set of index values associated with the specified plaintext, and may identify indexes with index values included in the set of index values and associated with the given data field. The database may decrypt the ciphertexts associated with the identified indexes to check if they match the specified plaintext.

16 Citations

View as Search Results

20 Claims

1. A method for storing encrypted data, comprising:
- storing a first ciphertext associated with a first plaintext in a data field of a database;
  
  storing a second ciphertext associated with a second plaintext in the data field, wherein the first plaintext and the second plaintext are different;
  
  generating a first index for the first plaintext and a second index for the second plaintext using an indexing function, wherein an index value of the first index and an index value of the second index are the same;
  
  determining a set of index values associated with the first plaintext using the indexing function, wherein the set of index values comprises the index value of the first index and the second index; and
  
  identifying, for a set of ciphertexts stored in the data field, all indexes with index values included in the determined set of index values.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12)
- - 2. The method of claim 1, further comprising:
    - decrypting the first ciphertext and the second ciphertext based at least in part on identifying that the index value of the first index and the second index is included in the determined set of index values.
  - 3. The method of claim 2, wherein the first ciphertext and the second ciphertext are decrypted within the database.
  - 4. The method of claim 1, further comprising:
    - receiving a query request message including a request to filter on the first plaintext for the data field, wherein determining the set of index values is based at least in part on the query request message.
  - 5. The method of claim 1, further comprising:
    - adjusting a selectivity of the indexing function, wherein the selectivity comprises a ratio between a quantity of the identified indexes and a total quantity of the set of ciphertexts stored in the data field.
  - 6. The method of claim 1, further comprising:
    - storing a third ciphertext associated with a third plaintext in the data field, wherein the first plaintext and the third plaintext are the same; and
      
      generating a third index for the third plaintext using the indexing function, wherein an index value of the third index is different than the index value of the first index.
  - 7. The method of claim 6, wherein the indexing function is based at least in part on a set of encryption keys, wherein the first index is generated based at least in part on a first encryption key of the set of encryption keys and the third index is generated based at least in part on a second encryption key of the set of encryption keys.
  - 8. The method of claim 1, further comprising:
    - storing a fourth ciphertext associated with a fourth plaintext in a second data field of the database; and
      
      generating a fourth index for the fourth plaintext using a different indexing function than the indexing function used to generate the first index and second index.
  - 9. The method of claim 8, wherein the data field has an associated first salt value and the second data field has an associated second salt value, wherein the indexing function used to generate the first index and second index is based at least in part on the first salt value and the different indexing function used to generate the fourth index is based at least in part on the second salt value.
  - 10. The method of claim 1, wherein the indexing function is a secure hash function.
  - 11. The method of claim 1, wherein generating the first index for the first plaintext is based at least in part on a first message authentication code (MAC) associated with the first plaintext, and wherein generating the second index for the second plaintext is based at least in part on a second MAC associated with the second plaintext.
  - 12. The method of claim 1, wherein the index value is a numeric value.

13. An apparatus for storing encrypted data, in a system comprising:
- a processor;
  
  memory in electronic communication with the processor; and
  
  instructions stored in the memory and operable, when executed by the processor, to cause the apparatus to;
  
  store a first ciphertext associated with a first plaintext in a data field of a database;
  
  store a second ciphertext associated with a second plaintext in the data field, wherein the first plaintext and the second plaintext are different;
  
  generate a first index for the first plaintext and a second index for the second plaintext using an indexing function, wherein an index value of the first index and an index value of the second index are the same;
  
  determine a set of index values associated with the first plaintext using the indexing function, wherein the set of index values comprises the index value of the first index and the second index; and
  
  identify, for a set of ciphertexts stored in the data field, all indexes with index values included in the determined set of index values.
- View Dependent Claims (14, 15, 16)
- - 14. The apparatus of claim 13, wherein the instructions are further executable by the processor to:
    - decrypt the first ciphertext and the second ciphertext based at least in part on identifying that the index value of the first index and the second index is included in the determined set of index values.
  - 15. The apparatus of claim 13, wherein the instructions are further executable by the processor to:
    - receive a query request message including a request to filter on the first plaintext for the data field, wherein determining the set of index values is based at least in part on the query request message.
  - 16. The apparatus of claim 13, wherein the instructions are further executable by the processor to:
    - adjust a selectivity of the indexing function, wherein the selectivity comprises a ratio between a quantity of the identified indexes and a total quantity of the set of ciphertexts stored in the data field.

17. A non-transitory computer readable medium storing code for storing encrypted data, the code comprising instructions executable by a processor to:
- store a first ciphertext associated with a first plaintext in a data field of a database;
  
  store a second ciphertext associated with a second plaintext in the data field, wherein the first plaintext and the second plaintext are different;
  
  generate a first index for the first plaintext and a second index for the second plaintext using an indexing function, wherein an index value of the first index and an index value of the second index are the same;
  
  determine a set of index values associated with the first plaintext using the indexing function, wherein the set of index values comprises the index value of the first index and the second index; and
  
  identify, for a set of ciphertexts stored in the data field, all indexes with index values included in the determined set of index values.
- View Dependent Claims (18, 19, 20)
- - 18. The non-transitory computer-readable medium of claim 17, wherein the instructions are further executable by the processor to:
    - decrypt the first ciphertext and the second ciphertext based at least in part on identifying that the index value of the first index and the second index is included in the determined set of index values.
  - 19. The non-transitory computer-readable medium of claim 17, wherein the instructions are further executable by the processor to:
    - receive a query request message including a request to filter on the first plaintext for the data field, wherein determining the set of index values is based at least in part on the query request message.
  - 20. The non-transitory computer-readable medium of claim 17, wherein the instructions are further executable by the processor to:
    - adjust a selectivity of the indexing function, wherein the selectivity comprises a ratio between a quantity of the identified indexes and a total quantity of the set of ciphertexts stored in the data field.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Salesforce.com, Inc.
Original Assignee
Salesforce.com, Inc.
Inventors
Hersans, Alexandre

Granted Patent

US 10,594,490 B2
Time in Patent Office

Days
Field of Search
US Class Current
CPC Class Codes

G06F 16/2228   Indexing structures

H04L 9/3236   using cryptographic hash fu...

H04L 9/3242   involving keyed hash functi...

FILTERING ENCRYPTED DATA USING INDEXES

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

16 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

FILTERING ENCRYPTED DATA USING INDEXES

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

16 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links