H04L2209/76

Delegatable pseudorandom functions and applications

Techniques are provided for delegating evaluation of pseudorandom functions to a proxy. A delegator delegates evaluation of a pseudorandom function to a proxy, by providing a trapdoor to the proxy based on a secret key k and a predicate P using an algorithm T, wherein the predicate P defines a plurality of values for which the proxy will evaluate the pseudorandom function, wherein the plurality of values comprise a subset of a larger domain of values, and wherein the trapdoor provides an indication to the proxy of the plurality of values. A proxy evaluates a pseudorandom function delegated by a delegator by receiving a trapdoor from the delegator that provides an indication of a plurality of values to be evaluated, wherein the plurality of values comprise a subset of a larger domain of values; and evaluating an algorithm C on the trapdoor to obtain the pseudorandom function value for each of the plurality of values. The trapdoor can be provided to the proxy using a Goldreich, Goldwasser, Micali (GGM) binary tree representation.

Re-encrypted data verification program, re-encryption apparatus and re-encryption system

In a decryption apparatus according to an embodiment, a holding device pre-holds a verification formula. A determination device performs a calculation based on the verification formula read from the holding device by substituting, into the verification formula, the part of the re-encrypted data received from a re-encryption apparatus and the public key of a re-encryption key generation apparatus and the private key of the decryption apparatus, to determine whether or not the verification formula holds true. An output device outputs verification success when a result of the determination indicates that the verification formula holds true.

System and methods for exchanging identity information among independent enterprises which may include person enabled correlation

A system and method for exchanging identity information and for correlating protected data across independent data systems connected through a network is disclosed. The system contains connectors in communication with protected data systems which house the protected data. Data is correlated between the protected data systems through coincident authentication of both systems by a user. Messages are exchanged which allow the identity exchange system to correlate data based on a session identifier from an authenticated session on one of the protected data systems.

METHODS OF PROVING VALIDITY AND DETERMINING VALIDITY, ELECTRONIC DEVICE, SERVER AND COMPUTER PROGRAMS
20170187532 · 2017-06-29

There is provided a method of an electronic device for providing a one-time proof of knowledge about a one-time signing key to a server without revealing the one-time signing key. The method comprises computing a hash as a hash function from the one-time signing key, and transmitting, to the server, the computed hash, an identity associated with the electronic device and a hash path of the hash. There is also provided a method of a server of a signing authority for issuing a time stamp signature. The method comprises receiving a message from an electronic device, the message including a hash, an identity associated with the electronic device and a hash path of the hash, checking whether the hash corresponds to a one-time signing key for a root hash included in a public certificate associated with the identity, checking whether an index corresponding to the hash path from the one-time signing key to the root hash corresponds to a correct time slot, and determining it to be proven that the electronic device is in possession of the correct one-time signing key when the checks are fulfilled. Electronic devices, servers, and computer programs are also disclosed.

Providing forward secrecy in a terminating TLS connection proxy

An infrastructure delivery platform provides an RSA proxy service as an enhancement to the TLS/SSL protocol to off-load, from an edge server to an external cryptographic server, the decryption of an encrypted pre-master secret. The technique provides forward secrecy in the event that the edge server is compromised, preferably through the use of a cryptographically strong hash function that is implemented separately at both the edge server and the cryptographic server. To provide the forward secrecy for this particular leg, the edge server selects an ephemeral value, and applies a cryptographic hash to the value to compute a server random value, which is then transmitted back to the requesting client. That server random value is later re-generated at the cryptographic server to enable the cryptographic server to compute a master secret. The forward secrecy is enabled by ensuring that the ephemeral value does not travel on the wire.

Proxy-based reader authentication by trusted authority

A Radio Frequency Identification (RFID) system including an RFID reader and a reader proxy authenticates itself to a verification authority. The proxy receives a proxy challenge from a verification authority and determines a proxy response based on the proxy challenge and a proxy key known to the proxy. The proxy response is then sent to the verification authority along with an identifier for the reader. The reader then authenticates an RFID tag by sending a tag response to the verification authority, which determines whether the reader is authentic based on the authenticity of the proxy response.

Methods and systems of securely storing documents on a mobile device
09686074 · 2017-06-20

A method of encrypting information using a computational tag may include, by a mobile electronic device, detecting a computational tag within a near field communication range of the mobile electronic device, identifying a document to be encrypted by the mobile electronic device, transmitting the document to the computational tag by the mobile electronic device, receiving, from the computational tag, an encrypted document, wherein the encrypted document comprises an encrypted version of the document that was to be encrypted, and storing the encrypted document in a memory of the mobile electronic device.

Secure and delegated distribution of private keys via domain name service
09686073 · 2017-06-20

A third party system generates a public-private key pair, the public key of the key pair being an encryption key, and the private key of the key pair being a decryption key. The third party system publishes the encryption key as a DNS record of a third party system. The third party system receives a request to sign a message on behalf of a domain owner, the message to be sent to a recipient, and accesses an encrypted delegated private key published by the domain owner via a DNS record of the domain owner, the encrypted delegated private key encrypted using the encryption key. The third party system decrypts the encrypted delegated private key using the decryption key, and generates a signature for the message using the delegated private key. The third party system sends the signature and the message to the recipient.

OFFLOADING OF A WIRELESS NODE AUTHENTICATION WITH CORE NETWORK
20170164194 · 2017-06-08

An example technique may include controlling receiving, by a second node from a first node in a wireless network, a request to offload authentication of the first node with the core network to the second node, controlling receiving, by the second node from the first node, data to be forwarded to the core network, performing, by the second node based on the request, an authentication with the core network on behalf of the first node while the first node is not connected with the second node, and controlling forwarding the received data from the second node to the core network while the first node is not connected with the second node.

QUALITY OF SERVICE FOR WEB REAL-TIME COMMUNICATION NETWORKS
20170163422 · 2017-06-08

A request to establish an encrypted media stream is received, by an edge server, for a Web Real-Time Communication (WebRTC) communication session between a first browser, and a second browser or gateway. The edge server is a boundary device between a first network and a second network. The edge server retrieves a tenant identifier for the encrypted media stream. The tenant identifier can identify a specific company or enterprise. In response to receiving the tenant identifier for the encrypted media stream for the WebRTC communication session, a list of one or more Quality-of-Service (QoS) parameters associated with the tenant is retrieved. For example, the list of QoS parameters may be based on a Service Level Agreement (SLA). The edge server dynamically sends a message to configure the second network to support the list of one or more QoS parameters associated with the tenant.