Abstract: An information storage system includes one or more information update terminals, a mapper, one or more partial-databases, and one or more query terminals, exchanging messages over a set of communication channels. An identifier-mapping mechanism provides (to an update terminal) a method for delegating control over retrieval of the data stored at the partial-databases to one or more mappers, typically operated by one or more trusted third parties. Update terminals supply information, that is stored in fragmented form by the partial-databases. Data-fragment identifiers and pseudonyms are introduced, preventing unauthorized de-fragmentation of information--thus providing compliance to privacy legislation--while at the same time allowing query terminals to retrieve (part of) the stored data or learn properties of the stored data. The mapper is necessarily involved in both operations, allowing data access policies to be enforced and potential abuse of stored information to be reduced.

Abstract: Cryptographic methods and apparatus for payment and related transaction systems are disclosed that allow some kinds of tracing under some conditions and make substantially infeasible other kinds of tracing under other conditions.

Abstract: Cryptographic methods and apparatus for payment and related transaction systems are disclosed that allow some kinds of tracing under some conditions and make substantially infeasible other kinds of tracing under other conditions.

Abstract: Cryptographic methods and apparatus for payment and related transaction systems are disclosed that allow some kinds of tracing under some conditions and make substantially infeasible other kinds of tracing under other conditions.

Abstract: Cryptographic methods and apparatus for forming (102) and verifying (103) private signatures and proofs (203,204, 207, and 209) are disclosed. Such a signature convinces the intended recipient that it is a valid undeniable or designated-confirmer signature. And such a proof convinces the intended recipient, just as any cryptographic proof. Even though the signatures and proofs are convincing to the intended recipient, they are not convincing to others who may obtain them.Unlike previously known techniques for convincing without transferring the ability to convince others, those disclosed here do not require interaction--a signature or proof can simply be sent as a single message. Because the intended recipient can forge the signatures and proofs, they are not convincing to others; but since only the intended recipient can forge them, they are convincing to the intended recipient.

Abstract: One or more roadside collection stations (RCS) communicate over a short-range, high speed bidirectional microwave communication link with one or more in-vehicle units (IVU) associated with one or more respectively corresponding vehicles in one or more traffic lanes of a highway. At least two up-link (IVU to RCS) communication sessions and at least one downlink (RCS to IVU) communication session are transacted in real time during the limited duration of an RCS communication footprint as the vehicle travels along its lane past a highway toll plaza. Especially efficient data formatting and processing is utilized so as to permit, during this brief interval, computation of the requisite toll amount and a fully verified and cryptographically secured (preferably anonymous) debiting of a smart card containing electronic money. Preferably an untraceable electronic check is communicated in a cryptographically sealed envelope with opener.

Abstract: Cryptographic methods and apparatus for issuing (101), endorsing (102), and verifying (103, 104) compact endorsement signatures are disclosed. Such signatures allow an endorser to provide a public-key verifiable signature on a chosen message more efficiently than if the endorser were to make a public key signature, since the endorser needs only to perform conventional cryptographic operations and has to store less data per signature than required by previously known endorsement schemes.A hierarchy of compression functions takes a plurality of one-time signatures into the value upon which the public key signature is formed. Each endorsement uses up one of the one-time signatures and provides a subset of inputs to the compression hierarchy sufficient to allow its evaluation. Preparation for subsequent endorsements is made by pre-evaluating one-time signatures and saving only some of the intermediate values of the compression hierarchy.

Abstract: Cryptographic methods and apparatus for signing (101), receiving (102), verifying (103), and confirming (104) designated-confirmer signatures are disclosed. Such a signature (11) convinces the receiver that the confirmer can convince others that the signer issued the signature. Thus, more protection is provided to the recipient of a signature than with prior art zero-knowledge or undeniable signature techniques, and more protection is provided to the signer than with prior art self-authenticating signatures.A designated confirmer signature is formed in a setting where the signer creates and issues a public key (201) and the confirmer also creates and issues a public key (202). Should the confirmer offer a confirmation (13), the verifier is convinced that the signature was issued by the signer. Such confirmation can itself be, for example, self-authenticating, unconvincing to other parties, or designated confirmer.

Abstract: A tamper-resistant part is disclosed that can conduct transactions with an external system through a moderating user-controlled computer or that can on other occasions be brought into direct connection with the external system. In the moderated configuration, the moderating computer is able to ensure that certain transactions with the external system are unlinkable to each other. In the unmoderated configuration the tamper-resistant part can also ensure the unlinkability of certain transactions. Also testing configurations are disclosed that allow improper functioning of the tamper-resistant part, such as that which could link transactions, to be detected by user-controlled equipment. Another testing configuration can detect improper functioning of an external system that could, for instance, obtain linking information from a tamper-resistant part.

Abstract: A tamper-resistant part is disclosed that can conduct transactions with an external system through a moderating user-controlled computer or that can on other occasions be brought into direct connection with the external system. In the moderated configuration, the moderating computer is able to ensure that certain transactions with the external system are unlinkable to each other. In the unmoderated configuration, the tamper-resistant part can also ensure the unlinkability of certain transactions. Also testing configurations are disclosed that allow improper functioning of the tamper-resistant part, such as that which could link transactions, to be detected by user-controlled equipment. Another testing configuration can detect improper functioning of an external system that could, for instance, obtain linking information from a tamper-resistant part.

Abstract: Blind signature systems secure against chosen message attack are disclosed. Multiple candidate original messages can be accommodated. Each of plural candidates in the final signature can be marked by the party issuing the signature in a way that is unmodifiable by the party receiving the signatures. The exponents on the candidates in the final signature need not be predictable by either party. In some embodiments, these exponents are not at all or are only partly determined by the candidates in the signature shown. Single candidate signatures are also accommodated.

Abstract: Numbers standing for cash money can be spent only one time each, otherwise the account from which they were withdrawn would be revealed. More generally, a technique for issuing and showing blind digital signatures ensures that if they are shown responsive to different challenges, then certain information their signer ensures they contain will be revealed and can be recovered efficiently. Some embodiments allow the signatures to be unconditionally untraceable if shown no more than once. Extensions allow values to be encoded in the signatures when they are shown, and for change on unshown value to be obtained in a form that is aggregated and untraceable.

Abstract: A payer party obtains from a signer party by a blind signature system a first public key digital signature having a first value in a withdrawal transaction; the payer reduces the value of the first signature obtained from the first value to a second value and provides this reduced-value form of the signature to the signer in a payment transaction; the signer returns a second digital signature to the payer by a blind signature system in online consummation of the payment transaction; the paper derives from the first and the second signature a third signature having a value increased corresponding to the magnitude of the difference between the first and the second values.

Abstract: Cryptographic methods and apparatus for forming, checking, blinding, and unblinding of undeniable signatures are disclosed. The validity of such signatures is based on public keys and they are formed by a signing party with access to a corresponding private key, much as with public key digital signatures. A difference is that whereas public key digital signatures can be checked by anyone using the corresponding public key, the validity of undeniable signatures is in general checked by a protocol conducted between a checking party and the signing party. During such a protocol, the signing party may improperly try to deny the validity of a valid signature, but the checking party will be able to detect this with substantially high probability. In case the signing party is not improperly performing the protocol, the checking party is further able to determine with high probability whether or not the signature validly corresponds to the intended message and public key.

Abstract: A user controlled card computer C and communicating tamper-resistant part T are disclosed that conduct secure transactions with an external system S. All communication between T and S is moderated by C, who is able to prevent T and S from leaking any message or pre-arranged signals to each other. Additionally, S can verify that T is in immediate physical proximity. Even though S receives public key digital signatures through C that are checkable using public keys whose corresponding private keys are known only to a unique T, S is unable to learn which transactions involve which T. It is also possible for S to allow strictly limited messages to be communicated securely between S and T.

Abstract: Numbers standing for cash money can be spent only one time each, otherwise the account from which they were withdrawn would be revealed. More generally, a technique for issuing and showing blind digital signatures ensures that if they are shown responsive to different challanges, then certain information their signer ensures they contain will be revealed and can be recovered efficiently. Some embodiments allow the signatures to be unconditionally untraceable if shown no more than once. Extensions allow values to be encoded in the signatures when they are shown, and for change on unshown value to be obtained in a form that is aggregated and untraceable.

Abstract: The invention provides a cryptographic apparatus which may be "personalized" to its owner. The apparatus may be utilized by its owner to identify himself to an external computer system, to perform various financial transactions with an external system, and to provide various kinds of credentials to an external system. The apparatus, in one embodiment, is separable into a cryptographic device, packaged in a tamper resistant housing, and a personal terminal device. The cryptographic device includes interface circuitry to permit information exchange with the external system, a memory device for storage of data necessary to allow identification of the owner, and control logic for controlling the exchange of data with the external system to identify the owner. Certain data which must be utilized to perform the identification information exchange is stored in the memory device in encrypted form. The decryption of this data requires the entry of a secret ID, known to the owner.