Patents by Inventor Florian Kerschbaum

Florian Kerschbaum has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).

  • Publication number: 20100114964
    Abstract: A method for performing data analytics on outsourced data may include generating, by a data owner, a binary tree representing data from the data owner, where each node of the binary tree is associated with an identity that represents a data element or an interval of data elements, computing, by the data owner, an identity token and encrypting the identity token for each of the identities in the binary tree, generating a range query token using an identity selected by a data analyst and a secret key input by the data owner and computing a decryption key for the selected identity, and analyzing the data, by the data analyst, by comparing the computed decryption key for the selected identity with each of the encrypted identities.
    Type: Application
    Filed: July 28, 2009
    Publication date: May 6, 2010
    Applicant: SAP AG
    Inventors: Florian Kerschbaum, Alessandro Sorniotti
  • Publication number: 20100106980
    Abstract: A method for performing data analytics on outsourced data may include receiving, at a data analyst, cipher text representing data from a data owner such that the data remains hidden from the data analyst, generating a query token using a constant provided by the data analyst such that the constant remains hidden from the data owner, and analyzing the cipher text using the query token.
    Type: Application
    Filed: October 17, 2008
    Publication date: April 29, 2010
    Applicant: SAP AG
    Inventors: Florian Kerschbaum, Julien Jean-Pierre Vayssiere
  • Publication number: 20100091984
    Abstract: Embodiments include a system for processing logical clock values according to a secure maximum operation. The system may include a communication unit and a processing unit. The communication unit may be configured to receive an encrypted first value of a logical clock, send an encrypted blinded difference, receive an encrypted blinded maximum value, and receive a maximum value. The processing unit may be configured to access an encrypted second value of the logical clock, generate the encrypted blinded difference between the first value and the second value, provide an encrypted blinded first value and an encrypted blinded second value in an oblivious transfer protocol, and generate an encrypted maximum value from the encrypted blinded maximum value.
    Type: Application
    Filed: September 30, 2009
    Publication date: April 15, 2010
    Applicant: SAP AG
    Inventors: Florian Kerschbaum, Julien Jean-Pierre Vayssiere
  • Publication number: 20100014657
    Abstract: A method and a system for privacy-preserving SNA. A plurality of vertices of a first subgraph of a graph is encrypted with a first key of a commutative encryption scheme. A plurality of vertices of a second subgraph encrypted with a second key of the commutative encryption scheme are received and encrypted commutatively with the first key. A plurality of commutatively encrypted vertices of the first subgraph and a plurality of commutatively encrypted vertices of the second subgraph are used for computing centrality metrics preserving the privacy of the graph and its structure.
    Type: Application
    Filed: July 16, 2008
    Publication date: January 21, 2010
    Inventors: Florian Kerschbaum, Andreas Schaad
  • Publication number: 20090323928
    Abstract: A method for tracing an item may include encrypting item information using an identity-based encryption scheme with a batch number for an item as an encryption key and communicating the encrypted item information for storage on a radio frequency identification (RFID) tag for attachment to the item.
    Type: Application
    Filed: June 30, 2008
    Publication date: December 31, 2009
    Applicant: SAP AG
    Inventors: Florian Kerschbaum, Leonardo Weiss Ferreira Chaves
  • Publication number: 20090187757
    Abstract: Techniques are described for mediated secure computation. A unique identifier value may be assigned to each one of a plurality of nodes included in a network. An encrypted portion of a logical circuit may be received at a server from each of the nodes, the logical circuit including one or more gates, each gate associated with one or more logical input wires and one or more logical output wires, the logical circuit associated with a function, wherein each encrypted portion is encrypted based on a random number value that is common to the plurality of nodes and unknown at the server. A result may be obtained based on executing the logical circuit, based on combining the encrypted portions of the logical circuit received at the server.
    Type: Application
    Filed: January 18, 2008
    Publication date: July 23, 2009
    Applicant: SAP AG
    Inventor: Florian Kerschbaum
  • Publication number: 20090055382
    Abstract: A method of automatically generating peer groups of entities includes receiving data for a plurality of characteristic parameters about a number of entities and defining a number of peer groups, k, to be generated. A minimum number of entities, m, to be assigned to each peer group is defined, and k initial cluster values are defined around which to group the entities according to the data for the entity's characteristic parameters. Each entity is assigned to a peer group associated with a particular initial cluster center value, and it is ensured that the number of entities assigned to each peer group is greater than the minimum number, m.
    Type: Application
    Filed: August 23, 2007
    Publication date: February 26, 2009
    Applicant: SAP AG
    Inventor: Florian Kerschbaum
  • Publication number: 20080263650
    Abstract: Efficient cross-site attack prevention, in which web pages are stored on a site, the web pages being organized into entry pages that do not accept input, and protected pages that are not entry pages. A request is received from a user application to receive a requested web page, the request including a referrer string indicative of a referring web page, and identification data. It is determined whether the requested web page is an entry page or a protected page, and it is further determined, if the requested web page is determined to be a protected page, if the user application is authorized based upon the identification data, and if the referring web page is stored on the site based upon the referrer string.
    Type: Application
    Filed: April 23, 2007
    Publication date: October 23, 2008
    Applicant: SAP AG
    Inventor: Florian Kerschbaum
  • Publication number: 20080215842
    Abstract: An embodiment includes a system with a processing unit and a communication unit. The processing unit is configured: to compute a first reference point of a data point that represents a private data item and has a first distance value to the data point, wherein the first distance value is less than a threshold value, to compute a second reference point of the data point different from the first reference point with a second distance value to the data point, wherein the second distance value is less than the threshold value, and to generate hidden reference points from the reference points. The communication unit is configured to send the hidden reference points and distance values to a system.
    Type: Application
    Filed: January 28, 2008
    Publication date: September 4, 2008
    Applicant: SAP AG
    Inventor: Florian Kerschbaum
  • Publication number: 20080144832
    Abstract: An embodiment may include a system having a communication unit and a processing unit. The communication unit may be configured to receive an encrypted private value of a party, the encrypted private value being generated from a private value with a public-key encryption system and a public key, to send an encrypted blinded result to the party, and to receive a blinded result generated from the encrypted blinded result. The processing unit may be configured to compute a result of a function, the function having as input the private value, to blind the result of the function to generate the encrypted blinded result, and to compute the result by unblinding the blinded result.
    Type: Application
    Filed: December 18, 2006
    Publication date: June 19, 2008
    Inventor: Florian Kerschbaum
  • Publication number: 20080104708
    Abstract: A comprehensive security architecture for a virtual organization (VO) is disclosed. The comprehensive security architecture uses the same security mechanism or substantially similar security mechanisms to control access to VO infrastructure services as it uses to control access to resource services. Infrastructure services are services used to change the state of the VO and to change membership in the VO. Resource services (e.g. processing a purchase order) are services used in furtherance of achieving the objectives of the VO (e.g. build an aircraft). A security mechanism prevents a service call from accessing the service called until the security mechanism has decided to authorize or deny the service call. A security mechanism may decide to authorize or deny the service call based on details of the service call, a set of role-based access policies, and attributes from the caller's credentials including the caller's role in the VO.
    Type: Application
    Filed: September 29, 2006
    Publication date: May 1, 2008
    Inventors: Florian Kerschbaum, Philip Robinson, Jochen Haller, Rafael Jose Deitos
  • Publication number: 20080046865
    Abstract: A system according to an example embodiment may include an identifier unit and a modifier unit. The identifier unit may be configured to identify an assignment type of an assignment of a variable in a part of a program code. The assignment type of the assignment may be different from an assignment type of a further assignment of the variable in a further part of the program code. The modifier unit may be configured to add to the further part of the program code an assignment of a dummy variable having the assignment type of the assignment of the variable.
    Type: Application
    Filed: August 15, 2006
    Publication date: February 21, 2008
    Inventor: Florian Kerschbaum
  • Publication number: 20080019510
    Abstract: A system to contribute to creating a substring of a string may include a communication unit and a processing unit. The communication unit may be configured to receive an encrypted representation of a second share of the string. The string may be identical to the second share of the string combined with a first share of the string. The communication unit may be configured to send a rearranged representation of the encrypted representation of the second share of the string to a further system. The processing unit may be configured to rearrange a representation of the encrypted representation of the second share of the string using a first share of a start value of the substring. The start value may be identical to the first share of the start value added to a second share of the start value.
    Type: Application
    Filed: July 6, 2006
    Publication date: January 24, 2008
    Inventors: Florian Kerschbaum, Luciana Moreira Sa de Souza
  • Publication number: 20080010467
    Abstract: A system for contributing to a concatenation of a first string and a second string may include a communication unit to receive an encrypted representation of a second share of the second string, the second string being identical to the second share of the second string combined with a first share of the second string and to send a rearranged representation of the encrypted representation of the second share of the second string to a second system. The system may further include a processing unit to rearrange a representation of the encrypted representation of the second share of the second string using a length value of a first share of the first string, the first string being identical to the first share of the first string combined with a second share of the first string.
    Type: Application
    Filed: July 6, 2006
    Publication date: January 10, 2008
    Inventors: Florian Kerschbaum, Luciana Moreira Sa de Souza
  • Publication number: 20080004927
    Abstract: A method and system to automatically monitor business collaborations. Collaboration participants can formally express obligations about their expected behavior during the collaboration in business terms, then automatically monitor processes carrying out the collaboration using the formulated obligations. The method and system extend existing service oriented monitoring standards and architecture, specifically, with additional business oriented metrics and plug-in components that allow the monitoring system to calculate business parameters from measurements of multiple services.
    Type: Application
    Filed: June 30, 2006
    Publication date: January 3, 2008
    Inventors: Jochen Haller, Philip A. Robinson, Yuecel Karabulut, Florian Kerschbaum
  • Publication number: 20070256116
    Abstract: A system architecture and algorithm for automatically generating, installing and enforcing access control policies that correspond to an agreed specification of collaboration. A collaboration member enforces its access control policies using a dedicated access controller separate from a workflow engine. In one embodiment, each access control policy contains extensions which can direct an access controller to selectively enable or disable various access control policies upon authorization of an access request.
    Type: Application
    Filed: April 28, 2006
    Publication date: November 1, 2007
    Inventors: Florian Kerschbaum, Philip Robinson
  • Publication number: 20070220094
    Abstract: Disclosed embodiments include a computer-implemented first method for providing the blinded result of a subtraction of a first split value of a first system from a second split value of the first system for a comparison. Furthermore, a computer-implemented second method is disclosed for computing a comparison of the blinded result of the subtraction provided by the first system with a result of a subtraction of a blinded first split value of a second system from a blinded second split value of the second system. Computer-implemented further methods for providing a contribution to the comparison of the split values are disclosed. The further methods involve a third system and a fourth system.
    Type: Application
    Filed: March 9, 2007
    Publication date: September 20, 2007
    Inventors: Florian Kerschbaum, Orestis Terzidis
  • Publication number: 20070203781
    Abstract: A method and system for a source participant assessing trustworthiness of a destination participant through one or more neighboring participants in a collaborative environment. The method comprises modeling all of the participants as network nodes and relationships between the participants as network paths and identifying a set of the network nodes and the network paths representing the neighboring participants that connects the network node of the source participant to the network node of the destination participant. Each of the network nodes of the neighboring participants as identified has a trust rating with best result; the trust rating is a relative measurement of feedback ratings. The trust rating of a first one of the network nodes of the neighboring participants as identified is computed with the feedback ratings between the first one of the network nodes and others of the network nodes directly connected to the first one of the network nodes.
    Type: Application
    Filed: February 24, 2006
    Publication date: August 30, 2007
    Inventors: Florian Kerschbaum, Jochen Haller, Yuecel Karabulut, Philip Robinson
  • Publication number: 20070156586
    Abstract: An embodiment includes a first system for computing a contribution to a greater-than comparison of a first private value and a second private value. The first system includes: an accessing unit configured to access the first private value; a processor unit configured to compute a first encrypted value by encrypting the first private value, compute a decrypted value by decrypting a third encrypted value, and compute a contribution to a result of the greater-than comparison by checking a relation between the decrypted value and a modulus value; and a communication unit configured to send the first encrypted value to a second system and to receive the third encrypted value.
    Type: Application
    Filed: December 18, 2006
    Publication date: July 5, 2007
    Inventor: Florian Kerschbaum