Abstract: A system and method are disclosed for secure multi-party computations. The system performs operations including establishing an API for coordinating joint operations between a first access point and a second access point related to performing a secure prediction task in which the first access point and the second access point will perform private computation of first data and second data without the parties having access to each other's data. The operations include storing a list of assets representing metadata about the first data and the second data, receiving a selection of the second data for use with the first data, managing an authentication and authorization of communications between the first access point and the second access point and performing the secure prediction task using the second data operating on the first data.

Abstract: A fluid and cup dispensing apparatus includes a body having an interior cavity to hold cups and a fluid bottle; a door pivotally attached to the body, the door having an opening into a shelf to hold a single cup; a cup container secured within the interior cavity to hold the cups; a reservoir to removably receive the fluid bottle such that the fluid bottle is inverted and open, the reservoir having a tube extending to a position above the shelf; a control system with a power source to activate cup and fluid dispensing; and a button to activate the control system; the control system activates opening of the cup container to drop the single cup; and the control system activates fluid flow through the tube.

Abstract: A method and apparatus for implementing portions of a provisional signature scheme are disclosed. In one embodiment, the method comprises creating a provisional signature by performing an operation on a message and completing the provisional signature to create a final signature on the message. Such a scheme may be used for server assisted signature schemes, designated confirmer signature schemes and blind signature schemes.

Abstract: A method and apparatus for implementing portions of a provisional signature scheme are disclosed. In one embodiment, the method comprises creating a provisional signature by performing an operation on a message and completing the provisional signature to create a final signature on the message. Such a scheme may be used for server assisted signature schemes, designated confirmer signature schemes and blind signature schemes.

Abstract: A method and apparatus for implementing portions of a provisional signature scheme are disclosed. In one embodiment, the method comprises creating a provisional signature by performing an operation on a message and completing the provisional signature to create a final signature on the message. Such a scheme may be used for server assisted signature schemes, designated confirmer signature schemes and blind signature schemes.

Abstract: A signature {Sig, {Qi}} is generated on a message M by a signer Et in a hierarchical system including the entities E0, E1, . . . , Et, each entity Ei (i>0) being a child of Ei?1. Here Sig = S t + s t ? P M = ? i = 1 t ? s i - 1 ? P i , where: each Si is a secret key of Ei; each si is a secret of Si; PM is a public function of M; each Pi is a public function of the ID's of all entities Ej such that 1?j?i; each Qi=siP0 where P0 is public. The verifier confirms that e ^ ? ( P 0 , Sig ) e ^ ? ( Q t , P M ) ? ? i ? ? ? e ^ ? ( Q i - 1 , P i ) = V , where: the product ?iê(Qi?1,Pi) is taken over all integers i in a proper subset of the integers from 1 to t inclusive; ê is a bilinear non-degenerate mapping; V can be ê(Q0,Pi0) where i0 is predefined (e.g. 1), or V can be another expression is a verifier is part of the hierarchical system.

Abstract: Methods are provided for encoding and decoding a digital message between a sender and a recipient in a system including a plurality of private key generators (“PKGs”). The PKGs include at least a root PKG and n lower-level PKG in the hierarchy between the root PKG and the recipient. A root key generation secret is selected and is known only to the root PKG. A root key generation parameter is generated based on the root key generation secret. A lower-level key generation secret is selected for each of the n lower-level PKGs, wherein each lower-level key generation secret is known only to its associated lower-level PKG. A lower-level key generation parameter also is generated for each of the n lower-level PKGs using at least the lower-level key generation secret for its associated lower-level private key generator. The message is encoded to form a ciphertext using at least the root key generation parameter and recipient identity information associated with the recipient.

Abstract: An (n,k,r,t)-exclusive set system over a set U includes elements Sƒ each of corresponds to a polynomial ƒ(u) in one or more coordinates of u?U. The polynomial is zero on U\Sƒ but is not zero on Sƒ. In some embodiments, an asymptotically low key complexity k is provided.

Abstract: In a broadcast encryption scheme, an optimal or near-optimal set covering CV(f,P) is computed for a set P of privileged users and at most a predefined number f of revoked users (“free riders”). The covering consists of elements of a predefined set cover CC(U) for the set of all users U. The covering is computed by finding optimal or near-optimal coverings for privileged users for CC(U) elements that are proper subsets of U. More particularly, possible assignments of free riders to the subsets are examined, and an assignment is selected to fit an optimality criterion for the total set covering. In some embodiments, only “meeting point” elements of CC(U) are fully examined. A meeting point is an element containing at least two “immediate child” elements each of which contains a revoked user. An immediate child of a “parent” element is a proper subset of the parent with no intermediate elements (no elements containing the child as a proper subset and itself being a proper subset of the parent).

Abstract: A protocol for closing all active communication links between one device (110.1) and one or more other devices in a group provides that the first device sets up the group by generating an input to a predefined function (e.g. one-way function) according to some random distribution, computing the output of the one-way function, and sharing the output value with all other devices in the group. Then to close all communication links, the first device broadcasts the stored input to all other devices in the group. The other devices may check that the one-way function applied to this input results in the shared output value, and if so, close the communication link.

Abstract: In a network, a router uses some secret information combined with a cryptographic process in determination of a subnet's routing prefix. Several methods are disclosed, including using an IP suffix for prefix generation and for decryption, maintaining a pool of pseudo prefixes at the router, using public key encryption and symmetric key encryption.

Abstract: A certification authority (CA, 120) generates decryption key data (K?Fj) for each set (F) in the complement cover (804) for a plurality of digital certificates. The CA encrypts all or a portion of the validity proof data (cj(i)) for each digital certificate (140.i) for each time period j for which the validity proof is to be provided. For each certificate, the decryption can be performed with decryption keys (Kij) that can be obtained from the decryption key data (K?Fj) for any set containing the certificate. The CA distributes the encrypted portions of the validity proof data to prover systems that will provide validity proofs in the periods j. To perform certificate re-validation in a period j, the CA constructs the complement cover for the set of the revoked certificates, and distributes the decryption key data (K?Fj) for the sets in the complement cover.

Abstract: Using a password (?), a client (C) computes part (H1(<C,?C>) of the password verification information of a server (S), and together they use this information to authenticate each other and establish a cryptographic key (K?), possibly using a method resilient to offline dictionary attacks. Then over a secure channel based on that cryptographic key, the server sends an encryption (EE<C,?>(sk)) of a signing key (sk) to a signature scheme for which the server know a verification key (pk). The encryption is possibly non-malleable and/or includes a decryptable portion (E<C,?>(sk)) and a verification portion (H8(sk)) used to verify the decrypted value obtained by decrypting the decryptable portion. The signing key is based on the password and unknown to the server. The client obtains the signing key using the password, signs a message, and returns the signature to the server.

Abstract: Methods are provided for encoding and decoding a digital message between a sender and a recipient in a system including a plurality of private key generators (“PKGs”). The PKGs include at least a root PKG and n lower-level PKG in the hierarchy between the root PKG and the recipient. A root key generation secret is selected and is known only to the root PKG. A root key generation parameter is generated based on the root key generation secret. A lower-level key generation secret is selected for each of the n lower-level PKGs, wherein each lower-level key generation secret is known only to its associated lower-level PKG. A lower-level key generation parameter also is generated for each of the n lower-level PKGs using at least the lower-level key generation secret for its associated lower-level private key generator. The message is encoded to form a ciphertext using at least the root key generation parameter and recipient identity information associated with the recipient.

Abstract: Methods, components and systems for implementing secure and efficient broadcast encryption schemes with configurable and practical tradeoffs among a pre-broadcast transmission bandwidth t, a key storage cost k, and a key derivation cost c, in which the schemes use subtree difference and key decomposition to generate secondary keys, use the secondary keys to encrypt the broadcast and generate ciphertexts, and use the RSA encryption scheme to implement derivability between the primary keys and the secondary keys. To decrypt the broadcast, a privileged user uses one of its primary keys to derive a secondary key, which is used to decrypt the broadcast. The product of key derivation costc and the key storage cost k is at most (2a?log a?2)loga n, when n is the number of users, 1?b?log n, a=2b, and revoked users r<n/3.

Abstract: A method and apparatus for obtaining access to services of service providers. In one embodiment, the method comprises requesting a desired service through a foreign service provider. (101), generating a hash tree and generating a digital signature on a root value of the hash tree (102), sending the digital signature and the root value to the foreign service provider (103), providing one or more tokens to the foreign service provider with the next packet if the foreign service provider accepts the signature (105) and continuing to use the service while the foreign service provider accepts token (107).

Abstract: A server (120) uses a password (?) to construct a multiplicative group (ZN*) with a (hidden) smooth order subgroup (<x?>), where the group order (P?) depends on the password. The client (110) uses its knowledge of the password to generate a root extraction problem instance (z) in the group and to generate data (y) allowing the server to construct a discrete logarithm problem instance (y?) in the subgroup. The server uses its knowledge of the group order to solve the root extraction problem, and solves the discrete logarithm problem efficiently by leveraging the smoothness of the subgroup. A shared key (sk) can be computed as a function of the solutions to the discrete logarithm and root extraction problem instances. In some embodiments, in an oblivious transfer protocol, the server queries the client (at 230) for data whose position in a database (210) is defined by the password. The client provides (240) such data without knowing the data position associated with the server's query.

Abstract: A method for generating a network address, called a multi-key cryptographically generated address (MCGA), enables the network address to be claimed and defended by multiple network devices. The network address can be generated by (a) obtaining a cryptographically generated identifier using public keys corresponding to the network devices, and (b) applying an address generation function to the cryptographically generated identifier. The address generation function may be a one-way coding function or cryptographic hash of the public keys from all hosts that will advertise or claim the right to use the address. A message that claims authority over the MCGA may include an encrypted digest of the message which is encrypted using the private key of the sender. Authentication of the sender may be achieved by obtaining a test digest from the message using the digest function, decrypting the encrypted digest, and comparing the decrypted digest to the test digest.

Abstract: A method allows Internet Protocol version 6 (IPv6) nodes that use Mobile IPv6 for mobility management, or DHCP for address provisioning, to securely claim and defend their network addresses themselves or through proxies using the SEND protocol. The network node may also sign and verify a message that claims and defends a network address. The network address to be claimed and defended may be either autoconfigured or obtained from a server using the DHCPv6 protocol. If the MCGA is generated by a mobile IPv6 node as a mobile IPv6 home address, the MCGA can be securely proxied by the mobile IPv6 home agent after the mobile node has left the home link. However, if the MCGA is generated as a mobile IPv6 care-of address by a mobile IPv6 node while on a foreign subnet, the MCGA can be securely proxied by the current or new access router, before the mobile node arrives on the link and after it has left the link, respectively.

Abstract: Authentication of elements (e.g. digital certificates 140) as possessing a pre-specified property (e.g. being valid) or not possessing the property is performed by (1) assigning a distinct integer pi to each element, and (2) accumulating the elements possessing the property or the elements not possessing the property using a P-th root u1/P (mod n) of an integer u modulo a predefined composite integer n, where P is the product of the integers associated with the accumulated elements. Alternatively, authentication is performed without such accumulators but using witnesses associated with such accumulators. The witnesses are used to derive encryption and/or decryption keys for encrypting the data evidencing possession of the property for multiple periods of time. The encrypted data are distributed in advance. For each period of time, decryption keys are released which are associated with that period and with the elements to be authenticated in that period of time.