Graph encryption
First Claim
1. A method implemented using at least one computing device, the method comprising:
- generating a representation of unencrypted graph information, the unencrypted graph information describing relationships among entities within a graph, wherein the entities are represented by nodes in the graph;
encrypting the representation of the unencrypted graph information using one or more keys to produce encrypted graph information;
sending the encrypted graph information over a network to a remote storage system for storage by the remote storage system;
using the one or more keys to generate a token associated with a graph query, the graph query seeking specified information that correctly identifies connectivity of an individual node in the graph, the individual node representing an individual entity;
sending the token over the network to the remote storage system; and
receiving, over the network, a lookup result from the remote storage system that provides the specified information that correctly identifies the connectivity of the individual node, the lookup result being provided in response to the token,the specified information that correctly identifies the connectivity of the individual node being provided by the remote storage system without revealing the individual node to the remote storage system and without revealing the one or more keys to the remote storage system.
2 Assignments
0 Petitions
Accused Products
Abstract
A storage system stores information about a graph in an encrypted form. A query module can submit a token to the storage system to retrieve specified information about the graph, e.g., to determine the neighbors of an entity in the graph, or to determine whether a first entity is connected to a second entity, etc. The storage system formulates its reply to the token in a lookup result. Through this process, the storage system gives selective access to information about the graph to authorized agents, yet otherwise maintains the general secrecy of the graph from the perspective of unauthorized agents, including the storage system itself. A graph processing module can produce encrypted graph information by encrypting any representation of the graph, such as an adjacency matrix, an index, etc.
-
Citations
22 Claims
-
1. A method implemented using at least one computing device, the method comprising:
-
generating a representation of unencrypted graph information, the unencrypted graph information describing relationships among entities within a graph, wherein the entities are represented by nodes in the graph; encrypting the representation of the unencrypted graph information using one or more keys to produce encrypted graph information; sending the encrypted graph information over a network to a remote storage system for storage by the remote storage system; using the one or more keys to generate a token associated with a graph query, the graph query seeking specified information that correctly identifies connectivity of an individual node in the graph, the individual node representing an individual entity; sending the token over the network to the remote storage system; and receiving, over the network, a lookup result from the remote storage system that provides the specified information that correctly identifies the connectivity of the individual node, the lookup result being provided in response to the token, the specified information that correctly identifies the connectivity of the individual node being provided by the remote storage system without revealing the individual node to the remote storage system and without revealing the one or more keys to the remote storage system. - View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 20)
-
-
12. A storage system comprising:
-
a storage device configured to store encrypted graph information, the encrypted graph information associated with a graph comprising a plurality of nodes, wherein the encrypted graph information is encrypted with one or more keys; computer readable instructions comprising; logic configured to receive a token associated with a graph query, the graph query seeking specified information from the encrypted graph information relating to connectivity of an individual node in the graph to one or more other nodes in the graph, logic configured to perform a lookup operation based on the token and the encrypted graph information to provide a lookup result, and logic configured to send the lookup result in response to the token, the lookup result correctly reflecting connectivity of the individual node to the one or more other nodes without revealing the individual node to the storage system and without revealing the one or more keys to the storage system; and one or more processing devices configured to execute the computer readable instructions. - View Dependent Claims (13, 14, 15, 16)
-
-
17. One or more computer readable memory devices or storage devices storing computer readable instructions which, when executed by one or more processing devices, cause the one or more processing devices to perform acts comprising:
processinq an input matrix to produce an output matrix, the input matrix including a plurality of input matrix elements representing nodes of a graph and the output matrix including a plurality of output matrix elements, wherein the processing comprises using at least one key to; determine locations of the output matrix elements in the output matrix, the locations of the output matrix elements comprising scrambled respective locations of corresponding input matrix elements in the input matrix, and determine values of the output matrix elements, the values of the output matrix elements comprising scrambled values of the corresponding input matrix elements, said processing having an effect of concealing the input matrix, wherein the scrambled respective locations comprise new random locations in the output matrix that are determined based on unscrambled locations of the input matrix elements, and wherein the scrambled values and the scrambled respective locations, when unscrambled with the at least one key, correctly indicate whether individual nodes of the graph are connected. - View Dependent Claims (18, 19, 21, 22)
Specification