Abstract: A unique transaction key (Tk) is established amongst multiple entities using a common hardware security module (HSM) with a common HMAC key (HK) and transaction scheme name (T). The transaction key (Tk) can be used for various cryptographic functions (e.g. encryption, MAC, HMAC, key management) with one or more messages at the transaction or session level.

Abstract: In one arrangement, a non-transitory computer readable media having computer-executable instructions embodied therein that, when executed by at least one processor of a computing system, cause the computing system to process an electronic transaction using a schema. The schema includes a first unique entity object identifier identifying a sender, a second unique entity object identifier identifying a receiver, and a first transaction object identifier identifying the transaction. The first transaction object identifier is located at a top level of a hierarchy of a plurality of transaction object identifiers. The schema further includes transaction information comprising the first unique entity object identifier, the second unique entity object identifier, and the unique transaction object identifier.

Abstract: An example method includes receiving an encrypted biometric enrollment data and user identifier data. The encrypted biometric enrollment data includes at least one biometric enrollment sample from a user encrypted using an encryption key. The encryption key is generated based on a user secret and the user identifier is associated with the user. The user identifier is matched with a stored user secret. A decryption key is generated based on the stored user secret. The encrypted biometric enrollment data is decrypted using the decryption key. The at least one biometric enrollment sample is retrieved from the decrypted biometric enrollment data. The at least one biometric enrollment sample is processed using a biometric processing algorithm to generate a biometric reference template. A biometric reference template identifier uniquely identifying the biometric reference template is generated. An encryption key is generated based on the stored user secret and encrypts an enrollment confirmation message.

Abstract: Systems and methods for establishing an arbitration agreement for an agreement. A method includes creating, by a first computing system associated with a first party, an ArbitrationInformation attribute comprising the arbitration agreement. The method includes signing, by the first computing system, the ArbitrationInformation attribute with the first computing system's digital signature; creating, by the first computing system, a first SignedData message comprising the ArbitrationInformation attribute and information indicative of the agreement; and transmitting, by the first computing system, the first SignedData message to a second computing system associated with a second party different than the first party and on a different network node than the first party.

Abstract: A method includes receiving a consensus agreement rule (“CAR”) comprising identities of a first party and second party; receiving a first SignedData message comprising first content and a first digital signature; creating a second SignedData message comprising a second digital signature of the second party on a hash of the second content and an acceptance indication; verifying, based on the acceptance indication and based on the identities on the CAR matching the identities on the signatures, that the second party accepted the terms of the agreement; and transmitting the second SignedData message to a trusted party for posting to a distributed ledger, wherein the terms of the agreement are kept private while the second SignedData message is posted to the distributed ledger, and wherein the terms of the agreement are formatted as a smart contract whose execution causes a transfer of value in response to a fulfillment of a condition.

Abstract: A method for gesture-based multi-factor authentication includes mapping a gesture password to a first substitution string, generating a cryptographic key using the first substitution string as an input to a password authenticated key exchange protocol, encrypting a challenge response with the cryptographic key to generate an encrypted challenge response, and transmitting, to a relying party computing system, a first authentication message comprising the encrypted challenge response and a user identifier identifying a user.

Abstract: A method comprises receiving a first user request to access or modify a first application, the first user request comprising a first object identifier (OID), the first OID identifying a first role of the first user. The method further includes determining whether the first OID is equivalent to a first application-specific role, and in response to determining that the first OID is equivalent to the first application-specific role, authorizing the first user request.

Abstract: Systems and methods relating to settlement of securities without revealing ownership including the end owner are described. In some implementations, ownership or control of a security may be managed by using group membership technology to revoke the signing rights of the seller and adding signing rights to the buyer. Group membership with group signatures allow for one group public key and a plurality of private keys, where each private key is associated with a group member. Signatures create by different group members are indistinguishable to verifiers but a group manager is able to determine which member has signed, link member signatures, implement controls and/or limits, and revoke and add signatory capability when needed. In some implementations, revocation of signatory capability is done with the cooperation of a Digital Certificate Authority.

Abstract: Systems and methods relating to settlement of securities without revealing ownership including the end owner are described. In some implementations, ownership or control of a security may be managed by using group membership technology to revoke the signing rights of the seller and adding signing rights to the buyer. Group membership with group signatures allow for one group public key and a plurality of private keys, where each private key is associated with a group member. Signatures create by different group members are indistinguishable to verifiers but a group manager is able to determine which member has signed, link member signatures, implement controls and/or limits, and revoke and add signatory capability when needed. In some implementations, revocation of signatory capability is done with the cooperation of a Digital Certificate Authority.

Abstract: A system, method, and apparatus for carrying out a value transfer is provided. A method includes receiving, by a computing system of a financial institution, a de-signcrypted value transfer message including terms of a value transfer from an account of a sending party to an account of a merchant, wherein a receiving party desires to make a purchase from the merchant and the value transfer is a payment from the sending party account to the merchant account; and one or more spending limitations on the desired purchase, wherein the payment is contingent on the desired purchase meeting the spending limitations. The method then includes verifying the authenticity of the de-signcrypted message using a public key of the sending party and a private key of the financial institution; and dispersing funds according to the terms of the value transfer.

Abstract: Systems and methods provide for secure and efficient token generation, management, transfer, and authentication services in a biometric data environment. Various embodiments relate to a method performed by a processor of an authentication computing system. An example method includes receiving an update biometric reference sample and a user identifier, retrieving a previous biometric reference template record in a storage location based on the user identifier. The previous biometric reference template record includes a template record identifier uniquely identifying the previous biometric reference template record and a previous biometric reference template generated using a previous biometric reference sample.

Abstract: Various embodiments relate methods performed by a processor of a computing system. An example method includes receiving an agreement associated with a signing party. A hash of the agreement is generated. A biometric sample captured from a signing party is received. Each of a hash of the agreement and the biometric sample is signcrypted using each of a signing party public/private key pair associated with the signing party, and a recipient public key of a recipient public/private key pair to generate a biometrics-based electronic signature token. A smart contract based on the agreement is generated. The smart contract includes the terms of the agreement, and the biometric-based electronic signature token, the biometric-based electronic signature token providing biometric-based pre-authorization by the signing party of a payment to be initiated by the smart contract in response to detecting performance of at least one of the terms of the agreement.

Abstract: Systems, methods, and apparatuses of creating a repair token for a distributed ledger are provided. A method includes identifying an error in the distributed ledger, the error associated with a first block on the distributed ledger, creating a repair token including content of the first block and a correction to the error, digitally signing and timestamping the repair token, and publishing the repair token to a repair token ledger.

Abstract: Systems and methods for verifying an identity of a user include a method that includes receiving, by a computing system, a biometric electronic signature token (BEST), the BEST comprising a first biometric sample captured from a signing party and a record, receiving, by the computing system, a second biometric sample captured from the user, generating, by the computing system, a biometric reference template based on biometric data extracted from the second biometric sample, comparing, by the computing system, the biometric reference template to the first biometric sample, and responsive to the biometric reference template matching the first biometric sample, determining, by the computing system, that the user matches the signing party.

Abstract: A method of generating a biometric electronic signature authenticated key exchange (“BESAKE”) token. The method begins when a biometric sample captured from a signing party is received. A secret knowledge factor is received. An encryption key is generated using the secret knowledge factor as an input to a password authenticated key exchange protocol. The biometric sample is encrypted with the encryption key. The BESAKE token is generated and includes the encrypted biometric sample and a signing party identifier associated with the secret knowledge factor. The BESAKE token can be verified using a decryption key generated using a stored knowledge factor as an input to the password authenticated key exchange protocol. The secret knowledge factor is retrieved based on the signing party identifier. The identity of the signing party can be authenticated by decrypting the biometric sample from the BESAKE token using the decryption key and matching the decrypted biometric sample.

Abstract: An example method includes receiving a quantum-resistant double signature (QSDS) message. The QSDS message is generated by digitally signing a quantum SignerInfo (qSignerInfo) attribute of a Quantum Signed Data (QSignedData) message using a private key of a signing party computing system using a quantum-vulnerable signature algorithm. The method then includes verifying the digital signature on the QSDS message, identifying the qSignerInfo attribute in a SignedAttributes value of the QSDS message, transmitting the SignedAttributes value to a QSDS processing computing system, and receiving, from the QSDS processing computing system, a verification notification for the QSignedData message.

Abstract: Systems and methods are described for leveraging group signature technology to allow a group manager to set up rules that govern what requires consensus between members of the group. Consensus may require a plurality or a majority of signers using their individual private keys to use a group public key associated with the group. Group membership with group signatures allow for one group public key and a plurality of private keys, where each private key is associated with a group member.

Abstract: Methods and systems are described for generating and accessing a digital wallet including a random data encryption key (DK) and locked with a wallet password. A method includes the following steps done by a hardware security module (HSM): generating a wallet password based on an identifier (ID) generated by a database server and a keyed-hash message authentication code (HMAC) key element generated by the HSM; generating the digital wallet including the DK; locking the digital wallet with the wallet password; transmitting the digital wallet to the database server without the wallet password; destroying the wallet password and the HMAC key; receiving a password request message including the ID and the encrypted HMAC key from the database server; regenerating the wallet password using the ID and the HMAC key; digitally signing and encrypting the regenerated wallet password; and transmitting the digitally signed and encrypted regenerated wallet password to the database server.

Abstract: Various embodiments relate to a method performed by a processor of a computing system. An example method includes receiving a digitally signed cross-border payment message, the digitally signed cross-border payment message generated by digitally signing a first hash of a cross-border payment message with a first financial institution private key. A first financial institution public key is retrieved, the first financial institution public key of a public/private key pair that includes the first financial institution private key. The first financial institution public key is verified that it is associated with a first financial institution. A second hash of the cross-border payment message is generated.

Abstract: Various embodiments relate to a method performed by a processor of a computing system. An example method includes generating a symmetric content encryption key. Content is encrypted using the content encryption key to generate cipher text. A hash of the cipher text is generated. Each of the hash and the content encryption key is signcrypted using each of a signcrypting party public key, a signcrypting party private key and a recipient public key to generate a signcrypted envelope message. The cipher text is embedded in a component of the signcrypted envelope message. The signcrypted envelope message is transmitted to a recipient. The recipient can designcrypt the signcrypted envelope message using each of the recipient public key, a recipient private key, and the signcrypting party public key to retrieve the content encryption key and hash of the cipher text. The recipient can decrypt the cipher text using the content encryption key.