Converter (Pseudonymization)

The Converter receives blinded tables from the Data Source and splits them up and evaluates the pseudonym generation obliviously on each split column.

Note that the attribute values are hidden from the Converter as they are encrypted by the Data Source towards the Data Lake.

Input: Blinded Table

    let converted_split_tables = split_conversion(
        converter_context,
        bpk_lake,
        ek_lake,
        blinded_table,
        randomness,
    );

Output: Obliviously Converted & Split Tables

Data Lake

The Data Lake receives the obliviously pseudonymized split tables from the converter and can recover the unlinkable pseudonyms and data values. Note that the total set of data values at the Data Lake is the same as at the Data Source, but each data item is now associated to a unique pseudonym.

let pseudonymized_tables =
        finalize_conversion(lake_context, converted_split_tables);

Pseudonymized Tables

Given a subset of the attributes stored in the Data Lake a non-transitive join of these attributes can be initiated by the Data Lake by first blinding the respective attribute columns towards the requestin Data Processor and then sending the blinded columns to the Converter.

let join_table_selection = ["Address", "Date of Birth"];
let blinded_tables = prepare_join_conversion(
        lake_context,
        bpk_processor,
        ek_processor,
        join_table_selection,
        randomness,
    );

Converter (Join)

The join conversion proceeds analogously to the original pseudonym creation for the converter. Again, blinded tables are obliviously processed and then sent to their intended receiver.

Input: Blinded Tables

    let converted_tables = join_conversion(
        converter_context,
        bpk_processor,
        ek_processor,
        blinded_tables,
        randomness,
    );

Output: Converted Tables

Data Processor

Like the Data Lake during initial pseudonymization, the Data Processor can recover the converted pseudonyms and encrypted data values. Note that the pseudonyms attached to the different data items are now shared between the finalized joined tables, but are different from the pseudonyms linked to the same data items at the Data Lake. This allows linking data items for the purpose of the request while preserving the unlinkability to other data items that originally belong to the same identifier.

        let joined_tables =
          finalize_conversion(processor_context, converted_tables);

Identity	Date of Birth	Address	Favourite Color

Data Source

Converter (Pseudonymization)

Data Lake

Pseudonymized Tables

Converter (Join)

Data Processor

Joined Table