Abstract: A first computing device transfers first and second commitments to a second computing device. The first commitment is for private data and a first random number and the second commitment is for second and third random numbers. The method includes producing a result by evaluating a predicate and a first support function of a garbled circuit. The result includes a first part and a second part, referred to as the predicate result. The method includes transferring the result to the second computing device; receiving a second challenge from the second computing device; and producing a second response from a second support function using the second challenge. The method includes transferring the second response to the second computing device. The predicate result over the private data is true if a result of a check function is equal to a third commitment of the first part and the second response.

Abstract: A computer-implemented method of securing communications sent by a first user to a second user may include receiving, by a first user from a trusted third party, at least one public cryptographic value corresponding to the first user and at least one private cryptographic value corresponding to the first user, providing, by the first user to a second user, a plurality of values corresponding to an identification device identified by an identifier, deriving, by the first user, a shared key, using the at least one private cryptographic value of the first user, and at least one of the plurality of values corresponding to the identification device identified by the identifier and protecting communications sent by the first user to the second user with the shared key.

Abstract: Efficient cross-site attack prevention, in which web pages are stored on a site, the web pages being organized into entry pages that do not accept input, and protected pages that are not entry pages. A request is received from a user application to receive a requested web page, the request including a referrer string indicative of a referring web page, and identification data. It is determined whether the requested web page is an entry page or a protected page, and it is further determined, if the requested web page is determined to be a protected page, if the user application is authorized based upon the identification data, and if the referring web page is stored on the site based upon the referrer string.

Abstract: Implementations of the present disclosure are directed to sharing data in a supply chain, the data corresponding to an item having a tag associated therewith. Methods include storing item-level data in a computer-readable repository, determining endpoint data, the endpoint data indicating a location of the item-level data, determining a random number from the tag, the random number unique to the item, selecting a first integer and a second integer, generating a first public key based on the first integer and a semi-public key based on the second integer, generating an identifier based on the first public key and the random number, generating a key based on the semi-public key and the random number, encrypting the endpoint data using the key to provide encrypted endpoint data, defining a tuple comprising the identifier and the encrypted endpoint data, and transmitting the tuple over a network for storage in a persistent storage device.

Abstract: Implementations of the present disclosure include methods, systems, and computer-readable storage mediums for receiving an encrypted first data set from a first entity, storing the encrypted first data set in computer-readable memory, receiving an encrypted second data set from a second entity, storing the encrypted second data set in computer-readable memory, receiving public encryption information associated with the encrypted first data set and the encrypted second data set, storing the public encryption information in computer-readable memory, and processing, using the one or more processors, the encrypted first data set and the encrypted second data set to provide the set intersection, wherein an advantage of a first adversary in guessing data elements of the encrypted first data set is negligible in a security parameter.

Abstract: Disclosed is a protocol for a fault-tolerant, private distributed aggregation model that allows a data consumer to calculate unbounded statistics (weighted sums) over homomorphically encrypted sensitive data items from data producers. The data consumer can choose to calculate over an arbitrary subset of all available data items, thus providing fault tolerance; i.e., failing data producers do not prevent the statistics calculation. A key-managing authority ensures differential privacy before responding to the data consumer's decryption request for the homomorphically encrypted statistics result, thus preservation the data's producer's privacy. Security against malicious data consumers is provided along with aggregator obliviousness, differential privacy in a unidirectional communication model between data producers and data consumers.

Abstract: Various embodiments of systems and methods to securely disseminate events in publish/subscribe network are described herein. One or more subscribers are authorized to receive events from a publisher through an authorize protocol carried out between the publisher, a trusted party and the one or more subscribers. A security token specific to a product associated with an event is provided, by the publisher, to the authorized one or more subscribers. Further, the event is encrypted using a public key of the trusted party, a security key of the publisher and a secret key of the publisher. The encrypted event is disseminated, by the publisher, in a publish/subscribe network. Furthermore, the encrypted event is received by the authorized one or more subscribers. The encrypted event is decrypted using the security token and an authorization key by the authorized one or more subscribers.

Abstract: Implementations of the present disclosure include methods, systems, and computer-readable storage mediums for receiving an encrypted first data set from a first entity, storing the encrypted first data set in computer-readable memory, receiving an encrypted second data set from a second entity, storing the encrypted second data set in computer-readable memory, receiving public encryption information associated with the encrypted first data set and the encrypted second data set, storing the public encryption information in computer-readable memory, and processing, using the one or more processors, the encrypted first data set and the encrypted second data set to provide the set intersection, wherein an advantage of a first adversary in guessing data elements of the encrypted first data set is negligible in a security parameter.

Abstract: A method and system to automatically monitor business collaborations. Collaboration participants can formally express obligations about their expected behavior during the collaboration in business terms, then automatically monitor processes carrying out the collaboration using the formulated obligations. The method and system extends existing service oriented monitoring standards and architecture, specifically, with additional business oriented metrics and plug-in components that allow the monitoring system to calculate business parameters from measurements of multiple services.

Abstract: Embodiments include a system for processing logical clock values according to a secure maximum operation. The system may include a communication unit and a processing unit. The communication unit may be configured to receive an encrypted first value of a logical clock, send an encrypted blinded difference, receive an encrypted blinded maximum value, and receive a maximum value. The processing unit may be configured to access an encrypted second value of the logical clock, generate the encrypted blinded difference between the first value and the second value, provide an encrypted blinded first value and an encrypted blinded second value in an oblivious transfer protocol, and generate an encrypted maximum value from the encrypted blinded maximum value.

Abstract: Methods, systems, and apparatus, including computer programs encoded on a computer storage medium, for retrieving, from computer-readable memory, a set, the set including a plurality of elements, adding, using a computing device, elements of the set to a Bloom filter, the Bloom filter including a plurality of bits, and encrypting, using the computing device, each bit of the plurality of bits of the Bloom filter to provide an encrypted Bloom filter, encrypting being achieved using homomorphic, public key encryption. Implementations are further directed to performing operations on the encrypted Bloom filter, and performing private set intersection (PSI) using the encrypted Bloom filter.

Abstract: A system and method for protecting a software program from unauthorized modification or exploitation. A software security mechanism according to the present invention is difficult for a hacker or cracker to detect and/or defeat, but does not impose excessive runtime overhead on the host software program. The present invention further comprises a system and method for automating the injection of a software security mechanism according to the present invention into a host software program.

Abstract: The present disclosure is directed to systems and methods including accessing a first private value, generating a first intermediate value based on the first private value, receiving a second intermediate value that is based on a second private value, generating a first comparison value based on the second intermediate value, receiving over the network a second comparison value that is based on the first intermediate value, comparing the first comparison value and the second comparison value to generate a result, and displaying the result, the result indicating that the first private is greater than the second private value when the first comparison value is less than the second comparison value, and the result indicating that the first private value is less than or equal to the second private value when the first comparison value is greater than the second comparison value.

Abstract: A comprehensive security architecture for a virtual organization (VO) is disclosed. The comprehensive security architecture uses the same security mechanism or substantially similar security mechanisms to control access to VO infrastructure services as it uses to control access to resource services. Infrastructure services are services used to change the state of the VO and to change membership in the VO. Resource services (e.g. processing a purchase order) are services used in furtherance of achieving the objectives of the VO (e.g. build an aircraft). A security mechanism prevents a service call from accessing the service called until the security mechanism has decided to authorize or deny the service call. A security mechanism may decide to authorize or deny the service call based on details of the service call, a set of role-based access policies, and attributes from the caller's credentials including the caller's role in the VO.

Abstract: Various embodiments of systems and methods to securely disseminate events in publish/subscribe network are described herein. One or more subscribers are authorized to receive events from a publisher through an authorize protocol carried out between the publisher, a trusted party and the one or more subscribers. A security token specific to a product associated with an event is provided, by the publisher, to the authorized one or more subscribers. Further, the event is encrypted using a public key of the trusted party, a security key of the publisher and a secret key of the publisher. The encrypted event is disseminated, by the publisher, in a publish/subscribe network. Furthermore, the encrypted event is received by the authorized one or more subscribers. The encrypted event is decrypted using the security token and an authorization key by the authorized one or more subscribers.

Abstract: Methods, systems, and apparatus, including computer programs encoded on a computer storage medium, for retrieving, from computer-readable memory, a set, the set including a plurality of elements, adding, using a computing device, elements of the set to a Bloom filter, the Bloom filter including a plurality of bits, and encrypting, using the computing device, each bit of the plurality of bits of the Bloom filter to provide an encrypted Bloom filter, encrypting being achieved using homomorphic, public key encryption. Implementations are further directed to performing operations on the encrypted Bloom filter, and performing private set intersection (PSI) using the encrypted Bloom filter.

Abstract: A system according to an example embodiment may include an identifier unit and a modifier unit. The identifier unit may be configured to identify an assignment type of an assignment of a variable in a part of a program code. The assignment type of the assignment may be different from an assignment type of a further assignment of the variable in a further part of the program code. The modifier unit may be configured to add to the further part of the program code an assignment of a dummy variable having the assignment type of the assignment of the variable.

Abstract: A method for performing data analytics on outsourced data may include generating, by a data owner, a binary tree representing data from the data owner, where each node of the binary tree is associated with an identity that represents a data element or an interval of data elements, computing, by the data owner, an identity token and encrypting the identity token for each of the identities in the binary tree, generating a range query token using an identity selected by a data analyst and a secret key input by the data owner and computing a decryption key for the selected identity, and analyzing the data, by the data analyst, by comparing the computed decryption key for the selected identity with each of the encrypted identities.

Abstract: Implementations of the present disclosure are directed to sharing data in a supply chain, the data corresponding to an item having a tag associated therewith. Methods include determining a random number from the tag, the random number being unique to the item, selecting a first integer and a second integer, generating a first public key based on the first integer and a semi-public key based on the second integer, generating an identifier based on the first public key and the random number, generating a key based on the semi-public key and the random number, encrypting the data using the key to provide encrypted data, defining a tuple comprising the identifier and the encrypted data, and transmitting the tuple over a network for storage in a persistent storage device.

Abstract: In one general aspect, a method, including executing instructions recorded on a non-transitory computer-readable storage media using at least one processor, includes encrypting data using a commutative order-preserving encryption scheme. The commutative order-preserving encryption scheme includes a unique fixed key and a regular keyed cryptographic hash function, where the cryptographic hash function includes a domain greater than the unique fixed key.