interesting; don't understand the math. but...
so, i took quick glance at the thesis and realized that even with a math degree there were constructs discussed there that i'm not familiar with. so, even though i studied homomorphisms in my grad school days, i'll admit I don't understand the math and what it all implies. i'm sure one could read the referenced material and figure it out, but i'm not in the mood for intense math reading...
that said, can't the problem of storing PII already be solved with the technology that is already widely available? for example (a very crude one):
1. card holder (CH) wants to subscribe to merchant (MC) services for the next 3 months at $X per month.
2. CH generates a Payment Authorization (PA) token by doing something like:
2a - write a message "I, CH, authorize MC to charge me X amount once per month, for May, Jun, and July"
2b - generate a random key, the longer the better. combine this random key with PII to create encryption key.
2c - encrypt the above message with encryption key.
2d - send the random key to card Issuer (IS) marked good only for MC, payment of $X once per month for May, Jun, and July only.
3. send PA token to MC. MC can then use this with the payment gateway (PG) by proving to PG that MC is indeed who they claim to be. PG passes the payment authorization request to the IS and since the IS knows my PII and the random key, they can decrypt it and see that I authorize the payment. IS tells PG everything is good; go ahead.
4. at the end of the month, IS sends CH a statement/bill for the charge.
If the PA token is stolen, it has the following properties:
1. it doesn't contain any PII
2. it's only valid for a limited time. (you can increase the random key length to make it harder to bruteforce so by the time a bruteforce succeeds, it's expired)
3. it's only usable to receive funds if you can prove you are MC to the PG
4. even if you decrypt the PA token after it has expired, the cleartext is worthless and the encryption key is just a random key that is no longer valid. no PII revealed.
5. PII is never transmitted at any step. It's already a shared secret between CH and IS and no one else needs to have it.
of course, if you can MIM intercept the communication between CH and IS, and spoof your identity as MC to the PG, i suppose you could still steal $$$. or, ultimately, if you hack CH and gain their PII, the floodgates are wide open. But, at least in this scheme, CH's PII is never copied and disseminated to multiple parties. You can't hack a MC or PG to gain CH's PII.
I didn't put a lot of thought into the above scheme, so i'm sure some experts can find a hole in it somewhere. Nonetheless, I think with more careful thought, the above scheme or something similar can be improved to plug any holes with currently available technology.
my point is, i think with today's technology, there should be a way to design a system where PII information isn't getting disseminated everywhere and no MC should ever have to store such PII. therefore, even without homomorphic encryption, massive PII compromise should already have been a thing of the past. i don't think we're fully utilizing the technology that is already available.
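Added example, not the poster's code: a runnable sketch of steps 2 through 4 above, showing why a stolen PA token reveals no PII and why the issuer's registered restrictions (merchant, amount, months) decide what gets approved. The key derivation, the HMAC-only cipher, and the JSON token layout are my assumptions; the sample card data is constructed.

```python
import hmac, hashlib, os, json

def derive_key(random_key: bytes, pii: bytes) -> bytes:
    # Step 2b: encryption key = random key combined with PII (known only to CH and IS).
    return hmac.new(random_key, pii, hashlib.sha256).digest()

def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    blocks = (hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range((n + 31) // 32))
    return b"".join(blocks)[:n]

def seal(key: bytes, msg: bytes) -> bytes:
    # Step 2c, illustrative encrypt-then-MAC built from HMAC only (assumption:
    # a real deployment would use an AEAD such as AES-GCM instead).
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(msg, _keystream(key, nonce, len(msg))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def unseal(key: bytes, blob: bytes):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        return None  # wrong key (e.g. random key without PII) or tampered token
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))

def cardholder_issue(pii: bytes, merchant: str, amount: int, months: list):
    # Step 2: the PA token goes to MC; the registration (step 2d) goes to IS.
    random_key = os.urandom(32)
    msg = json.dumps({"mc": merchant, "amt": amount, "months": months}).encode()
    token = seal(derive_key(random_key, pii), msg)
    registration = {"key": random_key, "mc": merchant, "amt": amount, "months": months}
    return token, registration

def issuer_authorize(registration: dict, pii: bytes, token: bytes,
                     merchant: str, amount: int, month: str) -> bool:
    # Step 3 at IS: rebuild the key from the registered random key plus the PII
    # it already holds, decrypt, and require the request to match both the
    # token and the registered restrictions (so an expired month fails).
    if registration is None or month not in registration["months"]:
        return False
    msg = unseal(derive_key(registration["key"], pii), token)
    if msg is None:
        return False
    auth = json.loads(msg)
    return (auth["mc"] == merchant == registration["mc"]
            and auth["amt"] == amount == registration["amt"]
            and month in auth["months"])
```

Proving MC's identity to the PG (property 3) is outside this sketch; the PG would pass the verified merchant name in as `merchant`.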