Patents by Inventor Mathias Kohler
Mathias Kohler has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).
-
Patent number: 10437821
Abstract: Methods and apparatus, including computer program products, are provided for split query optimization. In some example embodiments, a method may include: determining, for a query comprising a plurality of operations, a first workload distribution between a first data store and a second data store, the first workload distribution indicating that a first portion of the query is to be performed at the first data store and a second portion of the query is to be performed at the second data store; and determining, based at least on the first workload distribution, a second workload distribution, the determining of the second workload distribution includes pushing down, to the first portion of the query, a first operation from the second portion of the query such that the first operation is performed at the first data store instead of at the second data store.
Type: Grant
Filed: October 26, 2016
Date of Patent: October 8, 2019
Assignee: SAP SE
Inventors: Benny Goerzig, Mathias Kohler, Florian Kerschbaum
-
Patent number: 10162858
Abstract: Methods, systems, and computer-readable storage media for optimizing query processing in encrypted databases. In some implementations, actions include receiving a query that is to be used to query an encrypted database, generating a plurality of query plans based on the query, each query plan including a local query and one or more remote queries, the local query being executable at a client-side and the one or more remote queries being executable at a server-side, selecting an optimal query plan from the plurality of query plans, providing one or more remote queries of the optimal query plan to the server-side for execution, receiving one or more remote results, and processing a local query of the optimal query plan and the one or more remote results to provide a final query result.
Type: Grant
Filed: July 31, 2013
Date of Patent: December 25, 2018
Assignee: SAP SE
Inventors: Florian Kerschbaum, Patrick Grofig, Martin Haerterich, Mathias Kohler, Andreas Schaad, Axel Schroepfer, Walter Tighzert
-
Publication number: 20180113905
Abstract: Methods and apparatus, including computer program products, are provided for split query optimization. In some example embodiments, a method may include: determining, for a query comprising a plurality of operations, a first workload distribution between a first data store and a second data store, the first workload distribution indicating that a first portion of the query is to be performed at the first data store and a second portion of the query is to be performed at the second data store; and determining, based at least on the first workload distribution, a second workload distribution, the determining of the second workload distribution includes pushing down, to the first portion of the query, a first operation from the second portion of the query such that the first operation is performed at the first data store instead of at the second data store.
Type: Application
Filed: October 26, 2016
Publication date: April 26, 2018
Inventors: Benny Goerzig, Mathias Kohler, Florian Kerschbaum
-
Patent number: 9607161
Abstract: Methods, systems, and computer-readable storage media for selecting columns for re-encryption in join operations. In some implementations, actions include determining a first column and a second column to be joined, receiving a first key corresponding to the first column and a second key corresponding to the second column, receiving a first rank associated with the first key and a second rank associated with the second key, selecting the second column for re-encryption based on the first rank and the second rank, and providing the first column, the second column, and the first key for performing a join operation, the second column being re-encrypted based on the first key.
Type: Grant
Filed: February 25, 2015
Date of Patent: March 28, 2017
Assignee: SAP SE
Inventors: Martin Haerterich, Florian Kerschbaum, Patrick Grofig, Mathias Kohler, Andreas Schaad, Axel Schroepfer, Walter Tighzert
-
Patent number: 9547720
Abstract: Methods, systems, and computer-readable storage media for enforcing access control in encrypted query processing. Implementations include actions of obtaining a set of user groups based on the user credential and a user group mapping, obtaining a set of relations based on the query, obtaining a set of virtual relations based on the set of user groups and the set of relations, receiving a first rewritten query based on the set of virtual relations and a query rewriting operation, encrypting the first rewritten query to provide an encrypted query, and transmitting the encrypted query to at least one server computing device over a network for execution of the encrypted query over access controlled, encrypted data.
Type: Grant
Filed: December 24, 2014
Date of Patent: January 17, 2017
Assignee: SAP SE
Inventors: Isabelle Hang, Florian Kerschbaum, Martin Haerterich, Mathias Kohler, Andreas Schaad, Axel Schroepfer, Walter Tighzert
-
Patent number: 9537838
Abstract: Methods, systems, and computer-readable storage media for proxy re-encryption of encrypted data stored in a first database of a first server and a second database of a second server. Implementations include actions of receiving a first token at the first server from a client-side computing device, providing a first intermediate re-encrypted value based on a first encrypted value and the first token, transmitting the first intermediate re-encrypted value to the second server, receiving a second intermediate re-encrypted value from the second server, the second intermediate re-encrypted value having been provided by encrypting the first encrypted value at the second server based on a second token, providing the first encrypted value as a first re-encrypted value based on the first intermediate re-encrypted value and the second intermediate re-encrypted value, and storing the first re-encrypted value in the first database.
Type: Grant
Filed: December 22, 2014
Date of Patent: January 3, 2017
Assignee: SAP SE
Inventors: Isabelle Hang, Florian Kerschbaum, Mathias Kohler, Martin Haerterich, Florian Hahn, Axel Schroepfer, Walter Tighzert, Andreas Schaad
-
Publication number: 20160357869
Abstract: Methods, systems, and computer-readable storage media for enforcing access control in encrypted query processing. Implementations include actions of obtaining a set of user groups based on the user credential and a user group mapping, obtaining a set of relations based on the query, obtaining a set of virtual relations based on the set of user groups and the set of relations, receiving a first rewritten query based on the set of virtual relations and a query rewriting operation, encrypting the first rewritten query to provide an encrypted query, and transmitting the encrypted query to at least one server computing device over a network for execution of the encrypted query over access controlled, encrypted data.
Type: Application
Filed: December 24, 2014
Publication date: December 8, 2016
Inventors: Isabelle Hang, Florian Kerschbaum, Martin Haerterich, Mathias Kohler, Andreas Schaad, Axel Schroepfer, Walter Tighzert
-
Publication number: 20160182467
Abstract: Methods, systems, and computer-readable storage media for proxy re-encryption of encrypted data stored in a first database of a first server and a second database of a second server. Implementations include actions of receiving a first token at the first server from a client-side computing device, providing a first intermediate re-encrypted value based on a first encrypted value and the first token, transmitting the first intermediate re-encrypted value to the second server, receiving a second intermediate re-encrypted value from the second server, the second intermediate re-encrypted value having been provided by encrypting the first encrypted value at the second server based on a second token, providing the first encrypted value as a first re-encrypted value based on the first intermediate re-encrypted value and the second intermediate re-encrypted value, and storing the first re-encrypted value in the first database.
Type: Application
Filed: December 22, 2014
Publication date: June 23, 2016
Inventors: Isabelle Hang, Florian Kerschbaum, Mathias Kohler, Martin Haerterich, Florian Hahn, Axel Schroepfer, Walter Tighzert, Andreas Schaad
-
Patent number: 9342707
Abstract: Methods, systems, and computer-readable storage media for selecting columns for selecting encryption to perform an operator during execution of a database query. Implementations include actions of determining a current encryption type of a column that is to be acted on during execution of the database query, the column storing encrypted data, determining a minimum encryption type for performance of the operator on the column, selecting a selected encryption type based on the current encryption type, the minimum encryption type, and a budget associated with the column, and performing the operator based on the selected encryption type.
Type: Grant
Filed: November 6, 2014
Date of Patent: May 17, 2016
Assignee: SAP SE
Inventors: Florian Kerschbaum, Martin Haerterich, Isabelle Hang, Mathias Kohler, Andreas Schaad, Axel Schroepfer, Walter Tighzert
-
Publication number: 20160132692
Abstract: Methods, systems, and computer-readable storage media for selecting columns for selecting encryption to perform an operator during execution of a database query. Implementations include actions of determining a current encryption type of a column that is to be acted on during execution of the database query, the column storing encrypted data, determining a minimum encryption type for performance of the operator on the column, selecting a selected encryption type based on the current encryption type, the minimum encryption type, and a budget associated with the column, and performing the operator based on the selected encryption type.
Type: Application
Filed: November 6, 2014
Publication date: May 12, 2016
Inventors: Florian Kerschbaum, Martin Haerterich, Isabelle Hang, Mathias Kohler, Andreas Schaad, Axel Schroepfer, Walter Tighzert
-
Patent number: 9213764
Abstract: Embodiments relate to processing encrypted data, and in particular to identifying an appropriate layer of encryption useful for processing a query. Such identification (also known as the onion selection problem) is achieved utilizing an adjustable onion encryption procedure. Based upon defined requirements of policy configuration, alternative resolution, and conflict resolution, the adjustable onion encryption procedure entails translating a query comprising an expression in a database language (e.g. SQL) into an equivalent query on encrypted data. The onion may be configured in almost arbitrary ways directing the onion selection. An execution function introduces an execution split to allow local (e.g. client-side) query fulfillment that may otherwise not be possible in a secure manner on the server-side. A searchable encryption function may also be employed, and embodiments accommodate aggregation via homomorphic encryption. Embodiments may be implemented as an in-memory column store database system.
Type: Grant
Filed: November 22, 2013
Date of Patent: December 15, 2015
Assignee: SAP SE
Inventors: Florian Kerschbaum, Martin Haerterich, Mathias Kohler, Isabelle Hang, Andreas Schaad, Axel Schroepfer, Walter Tighzert, Patrick Grofig
-
Publication number: 20150178507
Abstract: Methods, systems, and computer-readable storage media for selecting columns for re-encryption in join operations. In some implementations, actions include determining a first column and a second column to be joined, receiving a first key corresponding to the first column and a second key corresponding to the second column, receiving a first rank associated with the first key and a second rank associated with the second key, selecting the second column for re-encryption based on the first rank and the second rank, and providing the first column, the second column, and the first key for performing a join operation, the second column being re-encrypted based on the first key.
Type: Application
Filed: February 25, 2015
Publication date: June 25, 2015
Inventors: Martin Haerterich, Florian Kerschbaum, Patrick Grofig, Mathias Kohler, Andreas Schaad, Axel Schroepfer, Walter Tighzert
-
Publication number: 20150149427
Abstract: Embodiments relate to processing encrypted data, and in particular to identifying an appropriate layer of encryption useful for processing a query. Such identification (also known as the onion selection problem) is achieved utilizing an adjustable onion encryption procedure. Based upon defined requirements of policy configuration, alternative resolution, and conflict resolution, the adjustable onion encryption procedure entails translating a query comprising an expression in a database language (e.g. SQL) into an equivalent query on encrypted data. The onion may be configured in almost arbitrary ways directing the onion selection. An execution function introduces an execution split to allow local (e.g. client-side) query fulfillment that may otherwise not be possible in a secure manner on the server-side. A searchable encryption function may also be employed, and embodiments accommodate aggregation via homomorphic encryption. Embodiments may be implemented as an in-memory column store database system.
Type: Application
Filed: November 22, 2013
Publication date: May 28, 2015
Applicant: SAP AG
Inventors: FLORIAN KERSCHBAUM, MARTIN HAERTERICH, MATHIAS KOHLER, ISABELLE HANG, ANDREAS SCHAAD, AXEL SCHROEPFER, WALTER TIGHZERT, PATRICK GROFIG
-
Publication number: 20150149773
Abstract: Embodiments provide ideal security, order-preserving encryption (OPE) of data of average complexity, thereby allowing processing of the encrypted data (e.g. at a database server in response to received queries). Particular embodiments achieve high encryption efficiency by processing plaintext in the order preserved by an existing compression dictionary already available to a database. Encryption is based upon use of a binary search tree of n nodes, to construct an order-preserving encryption scheme having Ω(n) complexity and even O(n), in the average case. A probability of computationally intensive updating (which renders conventional OPE impractical for ideal security) is substantially reduced by leveraging the demonstrated tendency of a height of the binary search tree to be tightly centered around O(log n). An embodiment utilizing such an encryption scheme is described in the context of a column-store, in-memory database architecture comprising n elements.
Type: Application
Filed: November 22, 2013
Publication date: May 28, 2015
Applicant: SAP AG
Inventors: FLORIAN KERSCHBAUM, AXEL SCHROEPFER, PATRICK GROFIG, ISABELLE HANG, MARTIN HAERTERICH, MATHIAS KOHLER, ANDREAS SCHAAD, WALTER TIGHZERT
-
Patent number: 9037860
Abstract: Embodiments provide ideal security, order-preserving encryption (OPE) of data of average complexity, thereby allowing processing of the encrypted data (e.g. at a database server in response to received queries). Particular embodiments achieve high encryption efficiency by processing plaintext in the order preserved by an existing compression dictionary already available to a database. Encryption is based upon use of a binary search tree of n nodes, to construct an order-preserving encryption scheme having Ω(n) complexity and even O(n), in the average case. A probability of computationally intensive updating (which renders conventional OPE impractical for ideal security) is substantially reduced by leveraging the demonstrated tendency of a height of the binary search tree to be tightly centered around O(log n). An embodiment utilizing such an encryption scheme is described in the context of a column-store, in-memory database architecture comprising n elements.
Type: Grant
Filed: November 22, 2013
Date of Patent: May 19, 2015
Assignee: SAP SE
Inventors: Florian Kerschbaum, Axel Schroepfer, Patrick Grofig, Isabelle Hang, Martin Haerterich, Mathias Kohler, Andreas Schaad, Walter Tighzert
-
Patent number: 9003204
Abstract: Methods, systems, and computer-readable storage media for selecting columns for re-encryption in join operations. In some implementations, actions include determining a first column and a second column to be joined, receiving a first key corresponding to the first column and a second key corresponding to the second column, receiving a first rank associated with the first key and a second rank associated with the second key, selecting the second column for re-encryption based on the first rank and the second rank, and providing the first column, the second column, and the first key for performing a join operation, the second column being re-encrypted based on the first key.
Type: Grant
Filed: July 10, 2013
Date of Patent: April 7, 2015
Assignee: SAP SE
Inventors: Martin Haerterich, Florian Kerschbaum, Patrick Grofig, Mathias Kohler, Andreas Schaad, Axel Schroepfer, Walter Tighzert
-
Publication number: 20150039586
Abstract: Methods, systems, and computer-readable storage media for optimizing query processing in encrypted databases. In some implementations, actions include receiving a query that is to be used to query an encrypted database, generating a plurality of query plans based on the query, each query plan including a local query and one or more remote queries, the local query being executable at a client-side and the one or more remote queries being executable at a server-side, selecting an optimal query plan from the plurality of query plans, providing one or more remote queries of the optimal query plan to the server-side for execution, receiving one or more remote results, and processing a local query of the optimal query plan and the one or more remote results to provide a final query result.
Type: Application
Filed: July 31, 2013
Publication date: February 5, 2015
Applicant: SAP AG
Inventors: Florian Kerschbaum, Patrick Grofig, Martin Haerterich, Mathias Kohler, Andreas Schaad, Axel Schroepfer, Walter Tighzert
-
Publication number: 20150019879
Abstract: Methods, systems, and computer-readable storage media for selecting columns for re-encryption in join operations. In some implementations, actions include determining a first column and a second column to be joined, receiving a first key corresponding to the first column and a second key corresponding to the second column, receiving a first rank associated with the first key and a second rank associated with the second key, selecting the second column for re-encryption based on the first rank and the second rank, and providing the first column, the second column, and the first key for performing a join operation, the second column being re-encrypted based on the first key.
Type: Application
Filed: July 10, 2013
Publication date: January 15, 2015
Applicant: SAP AG
Inventors: Martin Haerterich, Florian Kerschbaum, Patrick Grofig, Mathias Kohler, Andreas Schaad, Axel Schroepfer, Walter Tighzert
-
Publication number: 20090198548
Abstract: A computer-implemented method avoids policy-based deadlocks in execution of a workflow. The method includes receiving information describing a workflow. The workflow includes tasks, roles, site of tasks and security constraints related to the tasks. A data structure, representative of relationships between the tasks and the security constraints is automatically generated. An automated, design-time evaluation is performed using the data structure to determine a minimal number of resources to be assigned to the roles in order to execute the tasks of the workflow, and to avoid deadlock in execution of the tasks of the workflow as a result of security constraints.
Type: Application
Filed: February 5, 2008
Publication date: August 6, 2009
Inventors: Mathias Kohler, Andreas Schaad
-
Patent number: 5983110
Abstract: The invention relates to a method for operating a telecommunications system having a switching station (BS) and a plurality of internal subscriber stations (HA1, HA2, HA3, HA4) which are connected to it and with whose aid the switching station (BS) can simultaneously operate a limited number of channels of the same or a different type and is characterized in that the switching station (BS) reports to all the internal subscriber stations (HA1, HA2, HA3, HA4) by transmitting a respective busy signal that a channel of the appropriate type is not available, each internal subscriber station (HA1, HA2, HA3, HA4) is changed by the busy signal to a state in which it cannot initiate a connection being set up on the corresponding channel.
Type: Grant
Filed: April 18, 1997
Date of Patent: November 9, 1999
Assignee: Nokia Mobile Phones Limited
Inventors: Mathias Kohler, Knut Haberland-Schlosser