Abstract: Embodiments of the invention relate to a computer-implemented method for generating verification keys of a public-key signature scheme in a distributed network. The method comprises performing, by a subset of the nodes of a first subnetwork of nodes, a first distributed key generation protocol, the first distributed key generation protocol being configured to generate jointly a verification key for the first subnetwork and a plurality of corresponding secret key shares for the nodes of the first subnetwork. The method further comprises a step of performing, for a second subnetwork, by a subset of the plurality of nodes of the first subnetwork, a second distributed key generation protocol, the second distributed key generation protocol being configured to generate jointly a verification key of the second subnetwork and a plurality of corresponding secret key shares for the nodes of the second subnetwork.

Abstract: The present disclosure relates to a method method for performing a disjunctive proof for two relations R0 and R1. The relation R0 is between an instance set X0 and a witness set W0 and defines a language L(R0) containing those elements x0?X0 for which there exists a witness w0 that is related to x0 in accordance with R0. The relation R1 is between an instance set X1 and a witness set W1 and defining a language L(R1) containing those elements x1?X1 for which there exists a witness w1 that is related to x1 in accordance with R1. For proving knowledge of a witness wb of at least one of instances x0 and x1, where b is 0 or 1, of the respective relations R0 and R1, the prover may generate using a bijective function a challenge from a simulated challenge c1-b.

Abstract: An example operation may include one or more of receiving a request to create a second blockchain in a network that includes a first blockchain, sending a message to one or more validating peer nodes in the network, the one or more validating peer nodes corresponding to a subset of validating peer nodes of the network that have access to the first blockchain, the message requesting authorization for the second blockchain, analyzing responses to the message from the subset of validating peer nodes, and authorizing creation of the second blockchain based on the analyzed responses.

Abstract: According to an embodiment of a first aspect of the invention, there is a distributed network comprising a plurality of network nodes. Each of the plurality of network nodes is linked to a first node identity of a plurality of first node identities. Each of the plurality of first node identities comprises a first verification key of a public-key signature scheme. The distributed network is configured to perform a key shuffling step adapted to perform an unlinkable one-to-one mapping between the plurality of first node identities and a plurality of second node identities. Each of the plurality of second node identities comprises a second verification key of a public-key signature scheme. The distributed network is configured to perform a consensus protocol with a subset of the plurality of second node identities. Further aspects of the invention relate to a corresponding computer-implemented method, a network node and a computer program product.

Abstract: A method and system configured to produce a cryptographic signature on a message, under a key, at a user computer wherein the key is shared between the user computer, which stores a first key-share, and an authentication computer, which stores a second key-share and a first authentication value. The user computer encodes the message to produce a blinded message, produces the first authentication value from a user password and a secret value, and produces a second authentication value by encoding the first authentication value and a nonce. The authentication computer uses the nonce to determine if the first authentication value is correct and, if so, encodes the blinded message using the second key-share to produce a partial signature. The user computer produces a signature on the message under the key by encoding the partial signature and the message using the first key-share and an unblinding function.

Abstract: The invention relates to a method for performing a multi-party electronic computation using a plurality of evaluating computer systems. The cryptographic security of the multi-party computation is implemented using lattice-based cryptography. Each evaluating computer system receives from each user of a plurality of users an individual input share of an input chosen by the respective user. Furthermore, each evaluating computer system receives from the user a commitment to the received individual input share and an opening information. Each evaluating computer system checks the commitments received to the individual input shares and generates a first lattice-based zero-knowledge proof that all the commitments received are valid commitments to input shares. Each evaluating computer system publishes the first lattice-based zero-knowledge proof. Thus, a verifier may be enabled to verify that all commitments are valid commitments to input shares.

Abstract: An example operation may include one or more of receiving a request to create a second blockchain in a network that includes a first blockchain, sending a message to one or more validating peer nodes in the network, the one or more validating peer nodes corresponding to a subset of validating peer nodes of the network that have access to the first blockchain, the message requesting authorization for the second blockchain, analyzing responses to the message from the subset of validating peer nodes, and authorizing creation of the second blockchain based on the analyzed responses.

Abstract: Computer-implemented methods for privacy attribute based credentials include issuing a privacy-preserving attribute-based credential, which is signed with a private key and has a unique credential handle; updating an accumulator in a tamperproof log to incorporate the credential handle; and facilitating providing access to a service in response to a zero-knowledge proof that the accumulator contains the credential handle. The methods also include generating revocation conditions and initial revocation information; submitting the initial revocation information and the revocation conditions to the tamperproof log; revoking a credential by adding a credential handle of the credential to the initial revocation information; and submitting the updated revocation information to the tamperproof log. Further, the methods include writing to the tamperproof log an audit token that contains an encrypted credential handle, which is encrypted by an auditor's public key that is published on the tamperproof log.

Abstract: Embodiments of the present invention may provide the capability for performing public-key encryption with proofs of plaintext knowledge using a lattice-based scheme that provides improved efficiency over conventional techniques. For example, in an embodiment, a computer-implemented method of verifying encryption may comprise generating a ciphertext, derived from a plaintext, via an encryption scheme, proving validity of the ciphertext, wherein the proof includes at least one challenge value, and using a decryption procedure that recovers a plaintext by choosing at least one additional challenge value at random from a challenge space.

Abstract: A method, computer program product, and system for providing verification processes associated with a commitment-based authentication protocol are described. A request by a user for access to one or more resources is received, and a presentation policy is transmitted to the user indicating required credentials. A commitment to a revocation handle is received, including an indication of an associated Sigma protocol executed by the user. A challenge value selected from a challenge value set associated with the associated Sigma protocol is transmitted to the user. Based on the selected challenge value, a presentation token and a value parameter that is distinct from the presentation token are received from the user. Based on a determination as to whether the presentation token and value parameter are valid in accordance with the associated Sigma protocol, access for the user to the one or more resources is granted to the user or prevented.

Abstract: A method for a re-issuance of an attribute-based credential of an issuer of the attribute-based credential for a user may be provided. The user is holding backup values derived from a first credential previously obtained from the issuer, wherein the first credential is built using at least a first value of at least one authentication pair. The method comprises receiving by the issuer from the user a set of values derived from the backup values comprising a second value of the at least one authentication pair, validating by the issuer that the second value is a valid authentication answer with respect to the first value and whether the set of values was derived from a valid first credential, and providing by the issuer a second credential to the user based on the first set of values.

Abstract: The present disclosure relates to a method method for performing a disjunctive proof for two relations R0 and R1. The relation R0 is between an instance set X0 and a witness set W0 and defines a language L(R0) containing those elements x0?X0 for which there exists a witness w0 that is related to x0 in accordance with R0. The relation R1 is between an instance set X1 and a witness set W1 and defining a language L(R1) containing those elements x1?X1 for which there exists a witness w1 that is related to x1 in accordance with R1. For proving knowledge of a witness wb of at least one of instances x0 and x1, where b is 0 or 1, of the respective relations R0 and R1, the prover may generate using a bijective function a challenge from a simulated challenge c1-b.

Abstract: The invention relates to a method for performing a multi-party electronic computation using a plurality of evaluating computer systems. The cryptographic security of the multi-party computation is implemented using lattice-based cryptography. Each evaluating computer system receives from each user of a plurality of users an individual input share of an input chosen by the respective user. Furthermore, each evaluating computer system receives from the user a commitment to the received individual input share and an opening information. Each evaluating computer system checks the commitments received to the individual input shares and generates a first lattice-based zero-knowledge proof that all the commitments received are valid commitments to input shares. Each evaluating computer system publishes the first lattice-based zero-knowledge proof. Thus, a verifier may be enabled to verify that all commitments are valid commitments to input shares.

Abstract: A method and system configured to produce a cryptographic signature on a message, under a key, at a user computer wherein the key is shared between the user computer, which stores a first key-share, and an authentication computer, which stores a second key-share and a first authentication value. The user computer encodes the message to produce a blinded message, produces the first authentication value from a user password and a secret value, and produces a second authentication value by encoding the first authentication value and a nonce. The authentication computer uses the nonce to determine if the first authentication value is correct and, if so, encodes the blinded message using the second key-share to produce a partial signature. The user computer produces a signature on the message under the key by encoding the partial signature and the message using the first key-share and an unblinding function.

Abstract: Computer-implemented methods are provided for communicating message data from a sender computer to a receiver computer via a network. The sender computer encrypts the message data in dependence on a cryptographic key to produce a ciphertext, and establishes an access password for the ciphertext with a host computer connected to the network. The sender computer sends the ciphertext via the network to the host computer, and sends an email, containing the cryptographic key in cleartext, to the receiver computer via the network. The cryptographic key comprises a random cryptographic value which is independent of the access password. The host computer receives the ciphertext from the sender computer and stores the ciphertext in association with the access password. The receiver computer receives the email from the sender computer and sends an access request for the ciphertext, and an input password, to the host computer via the network.

Abstract: A method and system configured to produce a cryptographic signature on a message, under a key, at a user computer wherein the key is shared between the user computer, which stores a first key-share, and an authentication computer, which stores a second key-share and a first authentication value. The user computer encodes the message to produce a blinded message, produces the first authentication value from a user password and a secret value, and produces a second authentication value by encoding the first authentication value and a nonce. The authentication computer uses the nonce to determine if the first authentication value is correct and, if so, encodes the blinded message using the second key-share to produce a partial signature. The user computer produces a signature on the message under the key by encoding the partial signature and the message using the first key-share and an unblinding function.

Abstract: A system has ??2 servers. At least each of a set of authentication servers stores a key-share ski of secret key sk, shared between q of the ? servers, of a key-pair (pk, sk). An access control server sends an authentication value to a subset of the authentication servers. The authentication value was formed using a predetermined function of a first ciphertext for a user ID and a second ciphertext produced by encrypting a password attempt under public key pk using a homomorphic encryption algorithm. The authentication value decrypts to a predetermined value if the password attempt equals the user password for that user ID. Each authentication server in the subset produces a decryption share dependent on the authentication value using the key-share ski. The access control server uses decryption shares to determine if the authentication value decrypts to the predetermined value, if so permitting access to a resource.

Abstract: The invention performs anonymous read/write accesses of a set of user devices to a server. Write accesses of the user devices of the set comprise generating an encrypted file by an anonymous encryption scheme; computing a pseudorandom tag; indexing the encrypted file with the tag as user set index of the user set and writing the encrypted file and the associated tag to the a storage system of the server. Read accesses of the user devices of the set comprise downloading tag data corresponding to a plurality of tags from the server, the tag data enabling the user devices of a respective set to recognize so-called “own” tags computed by one of the user devices of the respective set of user devices; determining the own tags among the plurality of tags; reading one or more encrypted files associated to the own tags; and decrypting the encrypted files.

Abstract: A method for controlling access to a resource of an owner of the resource is provided. The owner can be a user of a resource computer system. The access control can be based on social network data of a social network system and/or on an owner token relating to the owner or a requester token relating to a requester requesting access to the resource and an access control policy. The owner token and the requester token can be received by the system to determine by the social networking system whether access to the resource is to be granted based on the content of the owner token and the requester token. A social network identity of the owner and a social network identity of the requester may only be determinable by the social network system.

Abstract: Computer-implemented methods for privacy attribute based credentials include issuing a privacy-preserving attribute-based credential, which is signed with a private key and has a unique credential handle; updating an accumulator in a tamperproof log to incorporate the credential handle; and facilitating providing access to a service in response to a zero-knowledge proof that the accumulator contains the credential handle. The methods also include generating revocation conditions and initial revocation information; submitting the initial revocation information and the revocation conditions to the tamperproof log; revoking a credential by adding a credential handle of the credential to the initial revocation information; and submitting the updated revocation information to the tamperproof log. Further, the methods include writing to the tamperproof log an audit token that contains an encrypted credential handle, which is encrypted by an auditor's public key that is published on the tamperproof log.