Partitioned information storage systems with controlled retrieval

US 5,956,400 A
Filed: 07/19/1996
Issued: 09/21/1999
Est. Priority Date: 07/19/1996
Status: Expired due to Term

First Claim

Patent Images

1. A method for transforming an input data object to an output data object, involving a sender, a mapper and a receiver, while hiding from the said receiver the correspondence between the said input data object and the said output data object, the method comprising the steps of:

the said sender sending a first message to the mapper, the said first message containing the input data object consisting of a first piece of data and a second piece of data and a third piece of data, the said second piece of data identifying the first piece of data and the said third piece of data identifying the said receiver;

the said mapper responding to the said first message by constructing the said output object consisting of a fourth piece of data and a fifth piece of data, the said fourth piece of data being constructed by applying a first transformation method to the said first piece of data so that the said fourth piece of data and the said first piece of data are substantially uncorrelated, and the said fifth piece of data identifying the said fourth piece of data and being constructed by applying a second transformation method to the said second piece of data so that the said fifih piece of data and the said second piece of data are substantially uncorrelated,the said mapper sending the said output object in a second message to the receiver identified in the said third piece of data; and

the said receiver responding to the said second message by accepting it.

View all claims

20 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

An information storage system includes one or more information update terminals, a mapper, one or more partial-databases, and one or more query terminals, exchanging messages over a set of communication channels. An identifier-mapping mechanism provides (to an update terminal) a method for delegating control over retrieval of the data stored at the partial-databases to one or more mappers, typically operated by one or more trusted third parties. Update terminals supply information, that is stored in fragmented form by the partial-databases. Data-fragment identifiers and pseudonyms are introduced, preventing unauthorized de-fragmentation of information--thus providing compliance to privacy legislation--while at the same time allowing query terminals to retrieve (part of) the stored data or learn properties of the stored data. The mapper is necessarily involved in both operations, allowing data access policies to be enforced and potential abuse of stored information to be reduced. Introduction of multiple mappers acts to distribute information retrieval control among multiple trusted third parties. Introducing so-called `groupers` increases the efficiency of data retrieval for a common set of queries and further reduces potential abuse of information.

232 Citations

54 Claims

1. A method for transforming an input data object to an output data object, involving a sender, a mapper and a receiver, while hiding from the said receiver the correspondence between the said input data object and the said output data object, the method comprising the steps of:
- the said sender sending a first message to the mapper, the said first message containing the input data object consisting of a first piece of data and a second piece of data and a third piece of data, the said second piece of data identifying the first piece of data and the said third piece of data identifying the said receiver;
  
  the said mapper responding to the said first message by constructing the said output object consisting of a fourth piece of data and a fifth piece of data, the said fourth piece of data being constructed by applying a first transformation method to the said first piece of data so that the said fourth piece of data and the said first piece of data are substantially uncorrelated, and the said fifth piece of data identifying the said fourth piece of data and being constructed by applying a second transformation method to the said second piece of data so that the said fifih piece of data and the said second piece of data are substantially uncorrelated,the said mapper sending the said output object in a second message to the receiver identified in the said third piece of data; and
  
  the said receiver responding to the said second message by accepting it.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15)
- - 2. In the method of claim 1, the mapper furthermore retaining the correspondence between the said input data object and the said output data object.
  - 3. In the method of claim 1, the said sender furthermore constructing the said first piece of data by applying a third transformation method to a sixth piece of data so that the said first piece of data and the said sixth piece of data are substantially uncorrelated, the said first transformation method reversing the said third transformation method.
  - 4. In the method of claim 3, the said sender furthermore padding the said sixth piece of data with a first piece of piece of random data before the said third transformation method and the said mapper removing the said first piece of piece of random data after the said first transformation method.
  - 5. In the method of claim 3, the said first transformation method being only known to the said mapper.
  - 6. In the method of claim 5, the said third transformation method being public key encryption with a first public cryptographic key of the said mapper and the said first transformation method being public-key decryption with a first secret cryptographic key of the said mapper, corresponding to the said first public cryptographic key.
  - 7. In the method of claim 3, the said sender furthermore constructing the said sixth piece of data by applying a fourth transformation method to a seventh piece of data so that the said sixth piece of data and the said seventh piece of data are substantially uncorrelated;
    - and the said receiver constructing an eighth piece of data by applying a fifth transformation method to the said fourth piece of data, the said fifth transformation method reversing the said fourth transformation method.
  - 8. In the method of claim 7, the said sender furthermore padding the said seventh piece of data with a second piece of piece of random data before the said fourth transformation method and the said receiver removing the said second piece of piece of random data after the said fifth transformation method.
  - 9. In the method of claim 7, the said fifth transformation method being only known to the said receiver.
  - 10. In the method of claim 9, the said fourth transformation method being public key encryption with a second public cryptographic key of the said receiver and the said fifth transformation method being public-key decryption with a second secret cryptographic key of the said receiver, corresponding to the said second public cryptographic key.
  - 11. In the method of claim 7, furthermore hiding from the sender the correspondence between the said input data object and the said output data object by:
    - the said mapper constructing the said fourth piece of data by first applying the said first transformation to the said first piece of data and secondly applying a sixth transformation method to the result of the said first transformation method; and
      
      the said receiver constructing the said eighth piece of data by first applying a seventh transformation method to the said fourth piece of data and secondly applying the said fifth transformation method to the result of the said seventh transformation method, and the said seventh transformation method reversing the said sixth transformation method.
  - 12. In the method of claim 11, the said mapper furthermore padding the said input of the said sixth transformation method with a third piece of piece of random data and the said receiver removing the said third piece of piece of random data from the said output of the said seventh transformation method.
  - 13. In the method of claim 11, the said seventh transformation method being only known to the said receiver.
  - 14. In the method of claim 11, the said sixth transformation method being public key encryption with a third public cryptographic key of the said receiver and the said seventh transformation method being public-key decryption with a third secret cryptographic key of the said receiver, corresponding to the said third public cryptographic key.
  - 15. In the method of claim 1, the mapper furthermore hiding from the said receiver the correspondence between the said input data object and the said output data object by sending the said second messages in batches, aggregated from processing a substantial number of the said input data objects.

16. A method for transforming an input data object to a set of output data objects, involving a sender, a mapper and a set of receivers, while hiding from each of the said receivers the correspondence between the input data object and each of the output data objects and between the output objects mutually, the method comprising the steps of:
- the said sender sending a first message to the mapper, the first message containing the input data object consisting of a first set of data-elements, each data-element of the said first set consisting of a first piece of data and a second piece of data and a third piece of data, the said second piece of data identifying the first piece of data and the said third piece of data identifying one of the said receivers;
  
  the said mapper responding to the said first message by constructing a second set of data-elements, the said second set having the same cardinality as the said first set, each data-element of the said second set being based on a different data-element of the said first set and each data-element of the said second set consisting of a fourth piece of data and a fifth piece of data, the said fourth piece of data being constructed by applying a first transformation method to the said first piece of data of the said data-element of the said first set so that the said fourth piece of data and the said first piece of data are substantially uncorrelated, and the said fifth piece of data identifying the said fourth piece of data and being constructed by applying a second transformation method to the said second piece of data of the said data-element of the said first set so that the said fifth piece of data and the said second piece of data are substantially uncorrelated;
  
  the said mapper sending each data-element of the said second set in a second message to the receiver identified in the said third piece of data of the said related data-element of the said first set; and
  
  every receiver responding to the said second message by accepting it.
- View Dependent Claims (17, 18, 19, 20, 21, 22, 23, 24, 25, 26, 27)
- - 17. In the method of claim 16, the mapper furthermore retaining the correspondence between the said input data object and the said output data objects.
  - 18. In the method of claim 16, the mapper furthermore retaining the correspondence between the said output data objects.
  - 19. In the method of claim 16, the said sender furthermore constructing the said first piece of data by applying a third transformation method to a sixth piece of data so that the said first piece of data and the said sixth piece of data are substantially uncorrelated, the said first transformation method reversing the said third transformation method.
  - 20. In the method of claim 19, the said sender furthermore padding the said sixth piece of data with a first piece of random data before the said third transformation method and the said mapper removing the said first piece of random data after the said first transformation method.
  - 21. In the method of claim 19, the said first transformation method being only known to the said mapper.
  - 22. In the method of claim 21, the said third transformation method being public key encryption with a first public cryptographic key of the said mapper and the said first transformation method being public-key decryption with a first secret cryptographic key of the said mapper, corresponding to the said first public cryptographic key.
  - 23. In the method of claim 19, the said sender furthermore constructing the said sixth piece of data by applying a fourth transformation method to a seventh piece of data so that the said sixth piece of data and the said seventh piece of data are substantially uncorrelated;
    - and the said receiver constructing an eighth piece of data by applying a fifth transformation method to the said fourth piece of data, the said fifth transformation method reversing the said fourth transformation method.
  - 24. In the method of claim 23, the said sender furthermore padding the said seventh piece of data with a second piece of random data before the said fourth transformation method and the said receiver removing the said second piece of random data after the said fifth transformation method.
  - 25. In the method of claim 23, the said fifth transformation method being only known to the said receiver.
  - 26. In the method of claim 25, the said fourth transformation method being public key encryption with a second public cryptographic key of the said receiver and the said fifth transformation method being public-key decryption with a second secret cryptographic key of the said receiver, corresponding to the said second public cryptographic key.
  - 27. In the method of claim 16, the mapper furthermore hiding from all parties except for the parties operating the said sender and the said mapper the correspondence between the said input data object and the said output data objects and between the said output data objects mutually by sending the said second messages in batches, aggregated from processing a substantial number of the said input data objects.

28. A method for storing an information record partitioned, involving update terminals, a mapper and partial-databases;
- updating the said stored information record, involving the said update terminals, the said mapper and the said partial-databases; and
  
  querying multiple of the said stored information records, involving query terminals and the said partial-databases, and being controlled by the said mapper;
  
  the storing of an information record comprising steps of;
  
  one of the said update terminals dividing the said information record into parts and constructing a first set of data-elements, the type of information record to be stored and the applied division being known to all parties, and each data-element of the said first set consisting of a first piece of data and a second piece of data and a third piece of data, the said first piece of data being constructed by applying a first transformation method to one of the said parts so that the said first piece of data and the said part are substantially uncorrelated, the said second piece of data identifying the said part and the said third piece of data identifying one of the said group of partial-databases;
  
  the said update terminal sending the said first set in a first message to the said mapper;
  
  the said mapper responding to the said first message by constructing a second set of data-elements, the second set having the same cardinality as the first set, each data-element of the said second set being based on a different data-element of the said first set and each data-element of the said second set consisting of a fourth piece of data and a fifth piece of data, the said fourth piece of data being constructed by applying a second transformation method to the said first piece of data of the said data-element of the said first set, the said second transformation method being only known to the said mapper and reversing the said first transformation method, and the said fifth piece of data identifying the said fourth piece of data and being constructed by applying a third transformation method to the said second piece of data of the said data-element of the said first set so that the said fifth piece of data and the said second piece of data are substantially uncorrelated, the said third transformation method being only known to the said mapper;
  
  the said mapper storing the correspondence between all the said second piece of data of the said first set;
  
  the said mapper sending each data-element of the said second set in a second message to the partial-database identified in the said third piece of data of the said related data-element of the said first set; and
  
  each of the said partial-databases responding to the said second message by accepting it and storing the said data-element; and
  
  the updating of a stored information record comprising steps of;
  
  one of the said update terminals dividing the said update information into update parts corresponding to the division of parts being performed during the storing of the said information record and constructing a third set of data-elements, each data-element of the said third set consisting of a sixth piece of data and a second piece of data and a third piece of data, the said sixth piece of data being constructed by applying the said first transformation method to one of the said update parts so that the said sixth piece of data and the said update part are substantially uncorrelated, the said second piece of data identifying the said part to be updated and the said third piece of data identifying the partial-databases where the part to be updated is stored;
  
  the said update terminal sending the said third set in a third message to the said mapper;
  
  the said mapper responding to the said third message by constructing a fourth set of data-elements, the fourth set having the same cardinality as the third set, each data-element of the said fourth set being based on a different data-element of the said third set and each data-element of the said fourth set consisting of a seventh piece of data and a fifth piece of data, the said seventh piece of data being constructed by applying the said second transformation method to the said sixth piece of data of the said data-element of the said third set, and the said fifth piece of data identifying the said fourth piece of data and being constructed by applying the said third transformation method to the said second piece of data of the said data-element of the said third set;
  
  the said mapper sending each data-element of the said fourth set in a fourth message to the partial-database identified in the said third piece of data of the said related data-element of the said third set; and
  
  each of the said partial-databases responding to the said fourth message by accepting it and updating the said fourth piece of data identified by the said fifth piece of data with the update information in the said seventh piece of data; and
  
  the querying of the said information records comprising steps of;
  
  one of the said query terminals constructing a first query over the said information records, the said query consisting of a set of sub-queries and a description, each of the said sub-queries being a query over information stored at one of the said partial-databases and the said description being interpretable by the mapper and describing how to construct the answer to the said first query based on the answers to the said sub-queries and also based on the said correspondence information stored by the mapper during the storing of the said information records;
  
  the said query terminal sending the said first query in a fifth message to the said mapper;
  
  the said mapper responding to the said fifth message by submitting each of the said sub-queries to the relating partial-database in a sixth message;
  
  each of the said partial-databases responding to the said sixth message by solving the said sub-query using the data-elements stored by the said partial-database and sending the resulting sub-query answer to the said mapper in a seventh message;
  
  the said mapper responding to each the said seventh message by accepting it, combining all the said sub-query answers and the said stored correspondence information to a query answer according to the said first description, and sending the said query answer to the said query terminal in an eighth message; and
  
  the said query terminal responding to the said eighth message by accepting it.
- View Dependent Claims (29, 30, 31, 32, 33, 34, 35, 36, 37)
- - 29. In the method of claim 28, the said update terminal adding random padding to the input of the said first transformation method, before application of the said first transformation method, and the said mapper removing the said random padding from the output of the said second transformation method, after application of the said second transformation method.
  - 30. In the method of claim 28, the said first transformation method being public key encryption with a first public cryptographic key of the said mapper and the said second transformation method being public-key decryption with a first secret cryptographic key of the said mapper, corresponding to the said first public cryptographic key.
  - 31. In the method of claim 28, during the said storing of an information record, hiding each the said data part from all but the related update terminal and partial-database, by:
    - the said update terminal constructing the said first piece of data by first applying a fourth transformation method to the said data part so that the said data part and the result of the said fourth transformation method are substantially uncorrelated, and secondly applying to the result of the said fourth transformation method the said first transformation method, andeach of the said update terminals furthermore applying a fifth transformation method to the said fourth piece of data, the said fifth transformation method being only known to the said update terminal and reversing the said fourth transformation method, and storing the result of the said fifth transformation method instead of the said fourth piece of data.
  - 32. In the method of claim 31, during the said updating of a stored information record, hiding each the said update data part from all but the related update terminal and partial-database, by:
    - the said update terminal constructing the said sixth piece of data by first applying a fourth transformation method to the said update data part so that the said update data part and the result of the said fourth transformation method are substantially uncorrelated, and secondly applying to the result of the said fourth transformation method the said first transformation method, andeach of the said update terminals furthermore applying a fifth transformation method to the said seventh piece of data, the said fifth transformation method being only known to the said update terminal and reversing the said fourth transformation method, and updating the said stored fourth piece of data using the result of the said fifth transformation method instead of the said seventh piece of data.
  - 33. In the methods of claim 32, the said update terminal adding random padding to the input of the said fourth transformation method, before application of the said fourth transformation method;
    - and the said partial-database removing the said random padding from the output of the said fifth transformation method, after application of the said fifth transformation method.
  - 34. In the method of claim 32 the said fourth transformation method being public key encryption with a second public cryptographic key of the said partial-database and the said fifth transformation method being public-key decryption with a second secret cryptographic key of the said partial-database, corresponding to the said second public cryptographic key.
  - 35. In the method of claim 28, during the said querying of stored information records, furthermore the answers to a group of the said sub-query being referenced in another the said sub-query, the mapper supplying the said answers together with the said sub-query containing the references to the said relating partial-database, and the said relating partial-database using the said answers when solving the said query.
  - 36. In the method of claim 28, during the said querying of stored information records, the mapper furthermore controlling access to the said stored information records and information thereof by applying an access policy to the said query and declining the said query in case of a violation.
  - 37. In the method of claim 28, the number of data retrieval control parties being increased by:
    - replacing the said mapper by a mapper cascade;
      
      the first mapper of the said mapper cascade performing all functionality of the said replaced mapper; and
      
      during the storing of the said information records;
      
      all other mappers of the said mapper cascade only transforming the said fourth piece of data and the said fifth piece of data by applying the said second and third transformation method respectively and forwarding the result to the said partial update terminal via the neighboring mapper in the said mapper cascade, each the said second and third transformation method performed by a mapper in the said mapper cascade being only known to the said mapper; and
      
      the said update terminals constructing the said first piece of data by applying a cascade of first transformation method to the said information part, each first transformation method being related to a second transformation method performed by a mapper in the said mapper cascade, and the cascade of second transformation method as performed by the said mapper cascade reversing the said cascade of first transformation method; and
      
      during the updating of the said information records;
      
      all other mappers of the said mapper cascade only transforming the said seventh piece of data and the said fifth piece of data by applying the said second and third transformation method respectively and forwarding the result to the said partial update terminal via the neighboring mapper in the said mapper cascade, each the said second and third transformation method performed by a mapper in the said mapper cascade being only known to the said mapper; and
      
      the said update terminals constructing the said sixth piece of data by applying a cascade of first transformation method to the said update part, each first transformation method being related to a second transformation method performed by a mapper in the said mapper cascade, and the cascade of second transformation methods as performed by the said mapper cascade reversing the said cascade of first transformation method.

38. A method for introducing a pseudonym for an entity, involving a local terminal, a grouper, a first mapper and a matcher;
- updating a dossier on an entity using a pseudonym, involving a local terminal, a second mapper and a database; and
  
  , querying a dossier on an entity using a pseudonym, involving a local terminal, a grouper, the said second mapper and the said database;
  
  the introducing of the said pseudonym for the said entity comprising steps of;
  
  a local terminal obtaining a first piece of data containing information identifying the said entity and being interpretable by the said local terminal and by the said matcher;
  
  the said local terminal selecting a first pseudonym for the said entity, the said first pseudonym being previously unused and unique, the said first pseudonym and the said first piece of data being substantially uncorrelated, and the correspondence between the said first pseudonym and the said first piece of data being only known to the said local terminal;
  
  the said local terminal retaining the said first pseudonym and the said first piece of data and their correspondence;
  
  the said local terminal preparing a first message containing the said first pseudonym and a second piece of data, the said second piece of data being constructed by applying a first transformation method to the said first piece of data so that the said first piece of data and the said second piece of data are substantially uncorrelated, an inverse transformation method of the said first transformation method being only known to the said matcher;
  
  the said local terminal sending the said first message to the said first mapper;
  
  the said first mapper responding to the said first message by preparing a second message containing the said second piece of data and a second pseudonym, the said second pseudonym being constructed by applying a second transformation method to the said first pseudonym so that the said first pseudonym and the said second pseudonym are substantially uncorrelated, the said second transformation method being reproducible and only known to the said first mapper and the correspondence between the said first pseudonym and the said second pseudonym being only known to the said first mapper;
  
  the said first mapper sending the said second message to the said matcher;
  
  the said matcher responding to the said second message by constructing a third piece of data by applying a third transformation method to the said second piece of data, the said third transformation method reversing the said first transformation method and being only known to the said matcher;
  
  the said matcher retaining the identifying information of the said entity from the said third piece of data, retaining the said second pseudonym and retaining their correspondence;
  
  the said matcher searching, in all previously retained identifying information, for identifying information that matches the said received identifying information, the matching of identifying information being concluding that identifying information is related to the same entity;
  
  the said matcher preparing a third message containing a fourth piece of data containing all retained pseudonyms corresponding to retained identifying information matching the said received identifying information;
  
  the said matcher sending the said third message to the said first mapper;
  
  the said first mapper responding to the said third message by preparing a fourth message containing a fifth piece of data containing the same number of pseudonyms as the said fourth piece of data, each of the said pseudonyms of the said fifth piece of data being constructed by applying a fourth transformation method to a different pseudonym of the said fourth piece of data, the said fourth transformation method reversing the said second transformation method and being only known to the said first mapper;
  
  the said first mapper sending the said fourth message to the said grouper; and
  
  the said grouper responding to the said fourth message by retaining the correspondence between all pseudonyms of the said fifth piece of data; and
  
  the updating of a dossier on an entity comprising steps of;
  
  a local terminal obtaining information, interpretable by the said local terminal, identifying the said entity, and retrieving a third pseudonym corresponding to the said identifying information;
  
  the said local terminal preparing a fifth message containing the said third pseudonym and a sixth piece of data, the said sixth piece of data holding dossier update information, interpretable by the said database;
  
  the said local terminal sending the said fifth message to the said second mapper;
  
  the said second mapper responding to the said fifth message by preparing a sixth message containing the said sixth piece of data and a fourth pseudonym, the said fourth pseudonym being constructed by applying a fifth transformation method to the said third pseudonym so that the said third pseudonym and the said fourth pseudonym are substantially uncorrelated, the said fifth transformation method being reproducible and only known to the said second mapper and the correspondence between the said third pseudonym and the said fourth pseudonym being only known to the said second mapper;
  
  the said second mapper sending the said sixth message to the said database; and
  
  the said database responding to the said sixth message by using the update information from the said sixth piece of data to update the retained dossier information corresponding to the said fourth pseudonym, and retaining the result of the said update; and
  
  the querying of a dossier on an entity comprising steps of;
  
  a local terminal obtaining information, interpretable by the said local terminal, identifying the said entity, and retrieving a fifth pseudonym corresponding to the said identifying information;
  
  the said local terminal preparing a seventh message containing the said fifth pseudonym and a query, the said query being a query over dossier information on the said entity retained at the said database and the said query being interpretable by the said database;
  
  the said local terminal sending the said seventh message to the said grouper;
  
  the said grouper responding to the said seventh message by preparing an eighth message containing the said query and an seventh piece of data, the said seventh piece of data containing a set holding all pseudonyms retained by the said grouper and corresponding to the said fifth pseudonym;
  
  the said grouper sending the said eighth message to the said second mapper;
  
  the said second mapper responding to the said eighth message by preparing a ninth message containing the said query and a eighth piece of data, the said eighth piece of data containing the same number of pseudonyms as the said seventh piece of data, each of the said pseudonyms of the said eighth piece of data being constructed by applying the said fifth transformation method to a different pseudonym of the said seventh piece of data;
  
  the said second mapper sending the said ninth message to the said database;
  
  the said database responding to the said ninth message by preparing a tenth message containing a ninth piece of data, the said ninth piece of data holding an answer to the said query, the said answer being interpretable by the said local terminal and being the result of solving the query over all retained dossier information related to the pseudonyms of the said eighth piece of data;
  
  the said database sending the said tenth message to the said local terminal; and
  
  the said local terminal responding to the said tenth message by accepting it and processing the answer.
- View Dependent Claims (39, 40, 41, 42, 43, 44, 45, 46, 47, 48, 49, 50, 51, 52, 53, 54)
- - 39. In the method of claim 38, furthermore multiple local terminals introducing pseudonyms for entities;
    - updating dossiers on entities using pseudonyms; and
      
      querying dossiers on entities using pseudonyms involving the said grouper, the said first mapper, the said second mapper and the said database.
  - 40. In the method of claim 38, the matching of identifying information being related to the same entity being highly probable, and the matching of identifying information not being related to the same entity being highly improbable.
  - 41. In the method of claim 38, dossiers being retained for multiple different entities.
  - 42. In the method of claim 38, the said local terminal using multiple different pseudonyms for one entity.
  - 43. In the method of claim 38, the said first mapper furthermore retaining the correspondence between the said first pseudonym and the said second pseudonym and using this correspondence to mapping the pseudonyms in the said fourth piece of data to the pseudonyms in the said fifth piece of data instead of applying the said fourth transformation method.
  - 44. In the method of claim 38, the said second mapper furthermore retaining the correspondence between the said third pseudonym and the said fourth pseudonym, and using this correspondence in subsequent updates of dossiers and queries over dossier mapping the said third pseudonym to the said fourth pseudonym and mapping the pseudonyms in the said seventh piece of data to the pseudonyms in eighth piece of data instead of applying the said fifth transformation method.
  - 45. In the method of claim 38, during the introduction of the pseudonym, the said local terminal furthermore forcing involvement of the said first mapper, bythe said local terminal constructing the said second piece of data by first applying a sixth transformation method to the said first piece of data, an inverse transformation method of the said sixth transformation method being only known to the said first mapper, and secondly applying to the result thereof the said first transformation method;
    - andthe said first mapper, before preparing the said second message, furthermore applying a seventh transformation method to the said second piece of data, the said seventh transformation method reversing the said sixth transformation method and being only known to the said first mapper.
  - 46. In the method of claim 45, the said local terminal adding random padding to the input of the said first and sixth transformation method, before application of the said first and sixth transformation method;
    - the said first mapper removing the said random padding from the output of the said seventh transformation method, after application of the said seventh transformation method; and
      
      , the said database removing the said random padding from the output of the said third transformation method, after application of the said third transformation method.
  - 47. In the method of claim 45, the said sixth transformation method being public key encryption with a second public cryptographic key of the said first mapper and the said seventh transformation method being public-key decryption with a second secret cryptographic key of the said first mapper, corresponding to the said second public cryptographic key.
  - 48. In the method of claim 38, the said first transformation method being public key encryption with a first public cryptographic key of the said matcher and the said third transformation method being public-key decryption with a first secret cryptographic key of the said matcher, corresponding to the said first public cryptographic key.
  - 49. In the method of claim 38, during the updating and querying of dossiers, the said local terminal furthermore forcing involvement of the said second mapper, bythe said local terminal, before preparing the said fifth message, applying an eighth transformation method to the said sixth piece of data, an inverse transformation method of the said eighth transformation method being only known to the said second mapper;
    - andthe said second mapper, before preparing the said sixth message, furthermore applying a ninth transformation method to the said second piece of data, the said ninth transformation method reversing the said eighth transformation method and being only known to the said second mapper.
  - 50. In the method of claim 49, during the updating and querying of dossiers, the said local terminal furthermore hiding the said update information from the said second mapper, bythe said local terminal, before preparing the said fifth message, after applying said eighth transformation method to the said sixth piece of data, applying a tenth transformation to the result of the said eighth transformation method, an inverse transformation method of the said tenth transformation method being only known to the said database;
    - andthe said database, after receiving the said sixth message, furthermore applying an eleventh transformation method to the said sixth piece of data, the said eleventh transformation method reversing the said tenth transformation method and being only known to the said database.
  - 51. In the method of claim 50, the said local terminal adding random padding to the input of the said eighth and tenth transformation methods, before application of the said eighth and tenth transformation methods;
    - the said second mapper removing the said random padding from the output of the said ninth transformation method, after application of the said ninth transformation method; and
      
      , the said database removing the said random padding from the output of the said tenth transformation method, after application of the said tenth transformation method.
  - 52. In the method of claim 50, the said tenth transformation method being public key encryption with a fourth public cryptographic key of the said database and the said eleventh transformation method being public-key decryption with a fourth secret cryptographic key of the said database, corresponding to the said fourth public cryptographic key.
  - 53. In the method of claim 49, the said eighth transformation method being public key encryption with a third public cryptographic key of the said second mapper and the said ninth transformation method being public-key decryption with a third secret cryptographic key of the said second mapper, corresponding to the said third public cryptographic key.
  - 54. In the method of claim 38, the said query furthermore being interpretable by the said second mapper, and during the said querying of stored information records, the said second mapper furthermore controlling access to the said retained dossiers and information thereof, by applying an access policy to the said query and declining the said query in case of a violation.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Cufer Asset Ltd LLC (Intellectual Ventures LLC)
Original Assignee
Digicash
Inventors
Ferguson, Niels T., Schoenmakers, Berry, Voskuil, Erik W., Chaum, David
Primary Examiner(s)
Gregory, Bernarr E.

Application Number

US08/684,263
Time in Patent Office

1,159 Days
Field of Search

380/4, 380/9, 380/28, 380/49, 380/50, 380/59, 380/30, 380/23, 380/25, 395/186, 395/187.01, 395/188.01, 707/1
US Class Current

713/167
CPC Class Codes

H04L 63/0407   wherein the identity of one...

H04L 63/0428   wherein the data content is...

H04L 63/0442   wherein the sending and rec...

H04L 9/40   Network security protocols

Y10S 707/99931   Database or file accessing

Y10S 707/99939   Privileged access

Partitioned information storage systems with controlled retrieval

First Claim

20 Assignments

0 Petitions

Accused Products

Abstract

232 Citations

54 Claims

Specification

Use Cases

Quick Links

Others

Partitioned information storage systems with controlled retrieval

First Claim

20 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

232 Citations

54 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others