Abstract: Embodiments of the invention relate to a distributed network which comprises a replicated computing cluster. The replicated computing cluster comprises a plurality of nodes, wherein each of the plurality of nodes of the replicated computing cluster is configured to run a replica and each of the replicas is configured to run one or more computational units. The replicated computing cluster is configured to perform consecutive consensus rounds to reach a consensus on a sequence of payloads and to perform consecutive processing rounds comprising a consecutive processing of the sequence of payloads in a deterministic and replicated manner. The replicated computing cluster is further configured to perform consecutive computations of a random seed for each of the payloads of the sequence of payloads and to use the random seed of a respective payload of the sequence of payloads to provide randomness to the payload.

Abstract: Method for redistribution of a (n,t)-secret sharing of a secrets from a set of dealers to a set of receivers. The method comprises performing by each of at least the threshold number t of dealers, —creating a (n?,t?)-secret sharing of its respective secret share, —creating a set of ciphertexts comprising for each receiver one encrypted sub-share of the n1 secret sub-shares of its respective secret share and being encrypted with respect to a public encryption key of the respective receiver. The public encryption key is a key of a public-key encryption scheme. —generating a non-interactive zero-knowledge proof that the set of ciphertexts jointly contain a redistribution of its secret share—broadcasting a dealing to the set of receivers, the dealing comprising the set of ciphertexts for the set of receivers and the corresponding non-interactive zero-knowledge proof.

Abstract: According to an embodiment of a first aspect of the invention, there is provided a computer-implemented method for operating a distributed network. The distributed network comprises a plurality of nodes. The network comprises one or more subnets. The method comprises steps of running a set of computational units and assigning each of the computational units to one of the plurality of subnets according to a subnet-assignment, thereby creating an assigned subset of the set of computational units for each of the subnets. The method further comprises running on each node of the plurality of subnets the assigned subset of the computational units, wherein the computational units are configured to execute computations in a deterministic manner, thereby replicating the assigned subsets of the computational units on replicas across the respective subnet.

Abstract: According to an embodiment of a first aspect of the invention, there is provided a computer-implemented method for operating a distributed network. The distributed network comprises a plurality of subnets embodied as replicated computing clusters. The method further comprises migrating a computational unit from a first subnet of the plurality of subnets to a second subnet of the plurality of subnets. The migrating comprises signalling to the first and the second subnet a computational unit of the first subnet as migrant computational unit that shall be migrated. The migrating further comprises transferring the migrant computational unit from the first subnet to the second subnet, installing the migrant computational unit on the second subnet and activating and running the migrant computational unit on the second subnet. Further aspects of the invention relate to a corresponding distributed network, a node, a computer program product and a software architecture.

Abstract: According to an embodiment of a first aspect of the invention, there is provided a distributed network comprising a plurality of subnets. Each of the plurality of subnets comprises a changeable set of nodes. The network is configured to generate for each of the plurality of subnets, by a distributed key generation protocol, an individual static verification key of a public-key signature scheme and a first set of corresponding secret key shares for a first set of nodes of the respective subnet. The network is further configured to redistribute, for each of the plurality of subnets, by a secret-redistribution protocol, the secret key shares of the respective first set of secret key shares to a second set of nodes of the respective subnet, thereby creating a second set of secret key shares corresponding to the same static verification key of the respective subnet.

Abstract: Embodiments of the invention relate to a computer-implemented method for generating verification keys of a public-key signature scheme in a distributed network. The method comprises performing, by a subset of the nodes of a first subnetwork of nodes, a first distributed key generation protocol, the first distributed key generation protocol being configured to generate jointly a verification key for the first subnetwork and a plurality of corresponding secret key shares for the nodes of the first subnetwork. The method further comprises a step of performing, for a second subnetwork, by a subset of the plurality of nodes of the first subnetwork, a second distributed key generation protocol, the second distributed key generation protocol being configured to generate jointly a verification key of the second subnetwork and a plurality of corresponding secret key shares for the nodes of the second subnetwork.

Abstract: An aspect of the invention relates to a distributed network comprising a plurality of network nodes. The distributed network is configured to perform a method for reaching a consensus on a sequence of values in an advantageous manner. The method performs consecutive notarization rounds. The notarization rounds comprise steps of creating value proposals to be added to the sequence, communicating the value proposals to a notarization subset of the plurality of nodes and performing a validity check of received value proposals. The notarization rounds may comprise further steps of executing individual notarization signatures on a subset of the value proposals that are valid. The notarization rounds may further comprise performing a consistency check of the value proposals and executing consistency signatures on a subset of the value proposals. The method may further comprise a finality procedure to finalize a value proposal once a predefined finality rule set has been fulfilled.

Abstract: According to an embodiment of a first aspect of the invention, there is provided a distributed network comprising a plurality of nodes. Each of the plurality of nodes is configured to run one or more computational units comprising its own unit state. The network is configured to individually execute, by an execution subset of the plurality of nodes, s set of execution messages in a deterministic manner, thereby mutating the unit states of one or more of the computational units of the execution subset. The network is further configured to regularly make, by the nodes of the execution subset, a read snapshot of the unit states of the one or more computational units of the execution subset and to provide, by one or more nodes of the execution subset, user access to the read snapshot. Further aspects of the invention relate to a corresponding computer-implemented method, a node, a computer program product and a software architecture.

Abstract: According to an embodiment of a first aspect of the invention, there is provided a distributed network comprising a plurality of subnets. Each of the plurality of subnets comprises a plurality of nodes. The network is configured to run a set of computational units and to assign each of the computational units to one of the plurality of subnets according to a subnet-assignment, thereby creating an assigned subset of the set of computational units for each of the subnets. The network is further configured to run on each node of the plurality of subnets the assigned subset of the computational units and to replicate the assigned subsets of the computational units across the respective subnets. The network is further configured to exchange unit-to-unit messages between the computational units via a messaging protocol based on the subnet-assignment. Further aspects of the invention relate to a corresponding computer-implemented method, a node, a computer program product and a software architecture.

Abstract: An aspect of the invention relates to a computer-implemented method for charging and paying for a use of resources of a distributed network. The distributed network comprises a plurality of nodes, wherein each of the plurality of nodes is configured to run one or more computational units. The one or more computational units comprise one or more application units for providing application services to users of the distributed network. The embodied method comprises steps of running, by each user of the network, one or more local user gas accounts at one or more of the application units and processing, via the local user gas accounts, payments for the use of the resources of the distributed network. Further aspects relate to a distributed network, a node of a distributed network and a corresponding computer program product.

Abstract: According to an embodiment of a first aspect of the invention, there is a distributed network comprising a plurality of network nodes. Each of the plurality of network nodes is linked to a first node identity of a plurality of first node identities. Each of the plurality of first node identities comprises a first verification key of a public-key signature scheme. The distributed network is configured to perform a key shuffling step adapted to perform an unlinkable one-to-one mapping between the plurality of first node identities and a plurality of second node identities. Each of the plurality of second node identities comprises a second verification key of a public-key signature scheme. The distributed network is configured to perform a consensus protocol with a subset of the plurality of second node identities. Further aspects of the invention relate to a corresponding computer-implemented method, a network node and a computer program product.

Abstract: Methods and systems are provided for demonstrating authorization to access a resource to a verifier computer controlling access to the resource. The method comprises, at a user computer, storing an attribute credential certifying a set of attributes; and communicating with a revocation authority computer to obtain an auxiliary credential, bound to the attribute credential, certifying a validity status for each attribute in the attribute credential. The method further comprises, at the user computer, communicating with the verifier computer to prove possession of the attribute credential and the auxiliary credential such that the verifier computer can determine whether at least one attribute in the attribute credential, certified as valid by the auxiliary credential, satisfies an access condition for the resource.

Abstract: Methods and systems are provided for demonstrating authorization to access a resource to a verifier computer controlling access to the resource. The method comprises, at a user computer, storing an attribute credential certifying a set of attributes; and communicating with a revocation authority computer to obtain an auxiliary credential, bound to the attribute credential, certifying a validity status for each attribute in the attribute credential. The method further comprises, at the user computer, communicating with the verifier computer to prove possession of the attribute credential and the auxiliary credential such that the verifier computer can determine whether at least one attribute in the attribute credential, certified as valid by the auxiliary credential, satisfies an access condition for the resource.

Abstract: Methods and systems are provided for demonstrating authorization to access a resource to a verifier computer controlling access to the resource. The method comprises, at a user computer, storing an attribute credential certifying a set of attributes; and communicating with a revocation authority computer to obtain an auxiliary credential, bound to the attribute credential, certifying a validity status for each attribute in the attribute credential. The method further comprises, at the user computer, communicating with the verifier computer to prove possession of the attribute credential and the auxiliary credential such that the verifier computer can determine whether at least one attribute in the attribute credential, certified as valid by the auxiliary credential, satisfies an access condition for the resource.

Abstract: A method for controlling access to a resource of an owner of the resource is provided. The owner can be a user of a resource computer system. The access control can be based on social network data of a social network system and/or on an owner token relating to the owner or a requester token relating to a requester requesting access to the resource and an access control policy. The owner token and the requester token can be received by the system to determine by the social networking system whether access to the resource is to be granted based on the content of the owner token and the requester token. A social network identity of the owner and a social network identity of the requester may only be determinable by the social network system.

Abstract: Respective cryptographic shares of password data, dependent on a user password, are provided at n authentication servers. A number t1?n of the password data shares determine if the user password matches a password attempt. Respective cryptographic shares of secret data, enabling determination of a username for each verifier server, are provided at n authentication servers. A number t2?t1 of the shares reconstruct the secret data. For a password attempt, the user computer communicates with at least t1 authentication servers to determine if the user password matches the password attempt and, if so, the user computer receives at least t2 secret data shares from respective authentication servers. The user computer uses the secret data to generate, with T?t1 of said t1 servers, a cryptographic token for authenticating the user computer to a selected verifier server, secret from said at least T servers, under said username.

Abstract: Respective cryptographic shares of password data, dependent on a user password, are provided at n authentication servers. A number t1?n of the password data shares determine if the user password matches a password attempt. Respective cryptographic shares of secret data, enabling determination of a username for each verifier server, are provided at n authentication servers. A number t2?t1 of the shares reconstruct the secret data. For a password attempt, the user computer communicates with at least t1 authentication servers to determine if the user password matches the password attempt and, if so, the user computer receives at least t2 secret data shares from respective authentication servers. The user computer uses the secret data to generate, with T?t1 of said t1 servers, a cryptographic token for authenticating the user computer to a selected verifier server, secret from said at least T servers, under said username.

Abstract: Respective cryptographic shares of password data, dependent on a user password, are provided at n authentication servers. A number t1?n of the password data shares determine if the user password matches a password attempt. Respective cryptographic shares of secret data, enabling determination of a username for each verifier server, are provided at n authentication servers. A number t2?t1 of the shares reconstruct the secret data. For a password attempt, the user computer communicates with at least t1 authentication servers to determine if the user password matches the password attempt and, if so, the user computer receives at least t2 secret data shares from respective authentication servers. The user computer uses the secret data to generate, with T?t1 of said t1 servers, a cryptographic token for authenticating the user computer to a selected verifier server, secret from said at least T servers, under said username.

Abstract: Respective cryptographic shares of password data, dependent on a user password, are provided at n authentication servers. A number t1?n of the password data shares determine if the user password matches a password attempt. Respective cryptographic shares of secret data, enabling determination of a username for each verifier server, are provided at n authentication servers. A number t2?t1 of the shares reconstruct the secret data. For a password attempt, the user computer communicates with at least t1 authentication servers to determine if the user password matches the password attempt and, if so, the user computer receives at least t2 secret data shares from respective authentication servers. The user computer uses the secret data to generate, with T?t1 of said t1 servers, a cryptographic token for authenticating the user computer to a selected verifier server, secret from said at least T servers, under said username.

Abstract: Respective cryptographic shares of password data, dependent on a user password, are provided at n authentication servers. A number t1?n of the password data shares determine if the user password matches a password attempt. Respective cryptographic shares of secret data, enabling determination of a username for each verifier server, are provided at n authentication servers. A number t2?t1 of the shares reconstruct the secret data. For a password attempt, the user computer communicates with at least t1 authentication servers to determine if the user password matches the password attempt and, if so, the user computer receives at least t2 secret data shares from respective authentication servers. The user computer uses the secret data to generate, with T?t1 of said t1 servers, a cryptographic token for authenticating the user computer to a selected verifier server, secret from said at least T servers, under said username.