Abstract: A method, computer program product, and system for providing verification processes associated with a commitment-based authentication protocol are described. A request by a user for access to one or more resources is received, and a presentation policy is transmitted to the user indicating required credentials. A commitment to a revocation handle is received, including an indication of an associated Sigma protocol executed by the user. A challenge value selected from a challenge value set associated with the associated Sigma protocol is transmitted to the user. Based on the selected challenge value, a presentation token and a value parameter that is distinct from the presentation token are received from the user. Based on a determination as to whether the presentation token and value parameter are valid in accordance with the associated Sigma protocol, access for the user to the one or more resources is granted to the user or prevented.

Abstract: One of n?2 servers, connectable via a network, implements a cryptographic protocol using a secret key K which is shared between the n servers, and includes first and second server compartments. The first is connectable to the network, adapted to implement the cryptographic protocol, and stores a current key share of the secret key K. The second is inaccessible from the network in the operation of the server, stores a set of master keys, and is adapted, for each of successive time periods, to unilaterally generate a new key share of the secret key K and to supply it to the first as the current key share for that time period. The new key share includes a random share of a predetermined value p which is shared between the n servers, and the random share includes a function of the set of master keys.

Abstract: Effecting reissue in a data processing system of a cryptographic credential certifying a set of attributes, the credential being initially bound to a first secret key stored in a first processing device. A backup token is produced using the first device and comprises a commitment to said set of attributes and proof data permitting verification that the set of attributes in said commitment corresponds to the set of attributes certified by said credential. At a second processing device, a second secret key is stored and blinded to produce a blinded key. A credential template token produced from the backup token and the blinded key is sent to a credential issuer where said verification is performed using the proof data and the credential template token is used to provide a reissued credential, certifying said set of attributes, to the second device, the reissued credential being bound to the second secret key.

Abstract: A method for deriving a verification token from a credential may be provided. The credential may be a set of attributes certified by an issuer to a user using a public key of the issuer. The method may comprise generating the verification token out of the credential and binding the verification token to a context string, wherein the verification token may comprise at least one commitment. A commitment may be a blinded version of an attribute. The method may also comprise generating an opening key for the verification token enabling a generation of a confirmation for a validity of the attribute.

Abstract: A system of ??2 servers is provided. The server system comprises an access control server for communication with user computers via a network and controlling access by the user computers to a resource in dependence on authentication of user passwords associated with respective user IDs, and a set of authentication servers for communication with the access control server via the network. In this system, at least each authentication server stores a respective key-share Ki of a secret key K which is shared between a plurality of the ? servers. The access control server is adapted, in response to receipt from a user computer of a user ID and an input password, to produce a hash value h via a first hash function operating on the input password. The access control server blinds the hash value h to produce a blinded hash value u, and sends the blinded hash value u via the network to at least a subset of the set of authentication servers.

Abstract: A user computer generates a secret cryptographic key through communication with a server. A secret user value is provided at the user computer. A secret server value is provided at the server with a check value which encodes the secret user value and a user password. In response to input of an input password, the user computer encodes the secret user value and the input password to produce a first value corresponding to said check value, and communicates the first value to the server. The server compares the first value and check value to check whether the input password equals the user password. If so, the server encodes the first value and secret server value to produce a second value and communicates the second value to the user computer. The user computer generates the secret cryptographic key by encoding the second value, the input password and the secret user value.

Abstract: Systems and methods are provided for proving plaintext knowledge of a message m, encrypted in a ciphertext, to a verifier computer. The method includes, at a user computer, encrypting the message m via a predetermined encryption scheme to produce a ciphertext u, and generating a plurality l of challenges ci, i=1 to l, dependent on the ciphertext u. For each challenge ci, the user computer generates a cryptographic proof ?2i comprising that challenge ci and a zero-knowledge proof of plaintext knowledge of the message m encrypted in the ciphertext u. The user computer sends the ciphertext u and the l proofs ?2i to the verifier computer. Each challenge ci is constrained to a predetermined challenge space C permitting identification, by searching the challenge space C, of an element ci? such that the message m can be obtained via a decryption operation using the ciphertext u, the element ci?, and a decryption key of said encryption scheme.

Abstract: Methods and systems are provided for authenticating a message ?, at a user computer of a group signature scheme, to a verifier computer. The method includes, at the user computer, storing a user id m for the user computer and a user signing key which comprises a signature on the user id m under a secret key of a selectively-secure signature scheme. The user id m is an element of a predetermined subring, isomorphic to q[x]/(g(x)), of a ring R=q[x]/(f(x)), where f(x) and g(x) are polynomials of degree deg(f) and deg(g) respectively such that deg(f)>deg(g)>1. The method includes, at the user computer, generating a first cryptographic proof ?1 comprising a zero-knowledge proof of knowledge of the user signing key and including the message ? in this proof of knowledge. The user computer sends the message ? and a group signature, comprising the first proof ?1, to the verifier computer.

Abstract: Methods and apparatus are provided for generating a secret cryptographic key of a user computer connectable to a server via a network. A secret user value is provided at the user computer. A secret server value is provided at the server with a check value which encodes the secret user value and a user password. The user computer encodes the secret user value and an input password to produce a first value corresponding to said check value, and communicates the first value to the server. The server compares the first and the check values to check whether the input password equals the user password. If so, the server encodes the first and the secret server values to produce a second value and communicates the second value to the user computer. The user computer generates the secret cryptographic key by encoding the second value, the input password and the secret user value.

Abstract: Embodiments include methods for managing encrypted files by storing a user password hash including a predetermined function of the user password associated with that user ID and the secret keys. Aspects also include, in response to receipt from a user computer of an input password and a the user ID for a required encrypted file, communicating with authentication servers to implement a key-reconstruction protocol in which each server computes first and second hash values for the required encrypted file. The file management server uses the first hash values to compute an input password hash including the predetermined function of the input password and the secret keys, checks if the input password hash matches the user password hash for the received user ID, and reconstructs the encryption key for the required encrypted file.

Abstract: A method for a re-issuance of an attribute-based credential of an issuer of the attribute-based credential for a user may be provided. The user is holding backup values derived from a first credential previously obtained from the issuer, wherein the first credential is built using at least a first value of at least one authentication pair. The method comprises receiving by the issuer from the user a set of values derived from the backup values comprising a second value of the at least one authentication pair, validating by the issuer that the second value is a valid authentication answer with respect to the first value and whether the set of values was derived from a valid first credential, and providing by the issuer a second credential to the user based on the first set of values.

Abstract: The invention performs anonymous read/write accesses of a set of user devices to a server. Write accesses of the user devices of the set comprise generating an encrypted file by an anonymous encryption scheme; computing a pseudorandom tag; indexing the encrypted file with the tag as user set index of the user set and writing the encrypted file and the associated tag to the a storage system of the server. Read accesses of the user devices of the set comprise downloading tag data corresponding to a plurality of tags from the server, the tag data enabling the user devices of a respective set to recognize so-called “own” tags computed by one of the user devices of the respective set of user devices; determining the own tags among the plurality of tags; reading one or more encrypted files associated to the own tags; and decrypting the encrypted files.

Abstract: A method and system configured to produce a cryptographic signature on a message, under a key, at a user computer wherein the key is shared between the user computer, which stores a first key-share, and an authentication computer, which stores a second key-share and a first authentication value. The user computer encodes the message to produce a blinded message, produces the first authentication value from a user password and a secret value, and produces a second authentication value by encoding the first authentication value and a nonce. The authentication computer uses the nonce to determine if the first authentication value is correct and, if so, encodes the blinded message using the second key-share to produce a partial signature. The user computer produces a signature on the message under the key by encoding the partial signature and the message using the first key-share and an unblinding function.

Abstract: Examples of techniques for password-authenticated public key encryption and decryption are disclosed. In one example implementation according to aspects of the present disclosure, a computer-implemented for password-authenticated public key decryption may include generating, by a first user processing system, a public key and a secret key and further generating an authenticated public key using the public key and an authentication password. The method may also include transmitting, by the first user processing system, the authenticated public key to a second user processing system. Additionally, the method may include receiving, by the first user processing system, a ciphertext from the second user processing system. The method may further include decrypting, by the first user processing system, the ciphertext using at least one of the secret key and the authentication password to generate a data message.

Abstract: A method and system configured to produce a cryptographic signature on a message, under a key, at a user computer wherein the key is shared between the user computer, which stores a first key-share, and an authentication computer, which stores a second key-share and a first authentication value. The user computer encodes the message to produce a blinded message, produces the first authentication value from a user password and a secret value, and produces a second authentication value by encoding the first authentication value and a nonce. The authentication computer uses the nonce to determine if the first authentication value is correct and, if so, encodes the blinded message using the second key-share to produce a partial signature. The user computer produces a signature on the message under the key by encoding the partial signature and the message using the first key-share and an unblinding function.

Abstract: A method for a re-issuance of an attribute-based credential of an issuer of the attribute-based credential for a user may be provided. The user is holding backup values derived from a first credential previously obtained from the issuer, wherein the first credential is built using at least a first value of at least one authentication pair. The method comprises receiving by the issuer from the user a set of values derived from the backup values comprising a second value of the at least one authentication pair, validating by the issuer that the second value is a valid authentication answer with respect to the first value and whether the set of values was derived from a valid first credential, and providing by the issuer a second credential to the user based on the first set of values.

Abstract: A system has ??2 servers. At least each of a set of authentication servers stores a key-share ski of secret key sk, shared between q of the ? servers, of a key-pair (pk, sk). An access control server sends an authentication value to a subset of the authentication servers. The authentication value was formed using a predetermined function of a first ciphertext for a user ID and a second ciphertext produced by encrypting a password attempt under public key pk using a homomorphic encryption algorithm. The authentication value decrypts to a predetermined value if the password attempt equals the user password for that user ID. Each authentication server in the subset produces a decryption share dependent on the authentication value using the key-share ski. The access control server uses decryption shares to determine if the authentication value decrypts to the predetermined value, if so permitting access to a resource.

Abstract: A method and system configured to produce a cryptographic signature on a message, under a key, at a user computer wherein the key is shared between the user computer, which stores a first key-share, and an authentication computer, which stores a second key-share and a first authentication value. The user computer encodes the message to produce a blinded message, produces the first authentication value from a user password and a secret value, and produces a second authentication value by encoding the first authentication value and a nonce. The authentication computer uses the nonce to determine if the first authentication value is correct and, if so, encodes the blinded message using the second key-share to produce a partial signature. The user computer produces a signature on the message under the key by encoding the partial signature and the message using the first key-share and an unblinding function.

Abstract: Respective cryptographic shares of password data, dependent on a user password, are provided at n authentication servers. A number t1?n of the password data shares determine if the user password matches a password attempt. Respective cryptographic shares of secret data, enabling determination of a username for each verifier server, are provided at n authentication servers. A number t2?t1 of the shares reconstruct the secret data. For a password attempt, the user computer communicates with at least t1 authentication servers to determine if the user password matches the password attempt and, if so, the user computer receives at least t2 secret data shares from respective authentication servers. The user computer uses the secret data to generate, with T?t1 of said t1 servers, a cryptographic token for authenticating the user computer to a selected verifier server, secret from said at least T servers, under said username.

Abstract: Respective cryptographic shares of password data, dependent on a user password, are provided at n authentication servers. A number t1?n of the password data shares determine if the user password matches a password attempt. Respective cryptographic shares of secret data, enabling determination of a username for each verifier server, are provided at n authentication servers. A number t2?t1 of the shares reconstruct the secret data. For a password attempt, the user computer communicates with at least t1 authentication servers to determine if the user password matches the password attempt and, if so, the user computer receives at least t2 secret data shares from respective authentication servers. The user computer uses the secret data to generate, with T?t1 of said t1 servers, a cryptographic token for authenticating the user computer to a selected verifier server, secret from said at least T servers, under said username.