Patent classifications
H04L9/3221
TECHNOLOGIES FOR DATA BROKER ASSISTED TRANSFER OF DEVICE OWNERSHIP
Technologies for transferring ownership of a compute device include a data broker device to receive a provenance verification key of the compute device from a manufacturer device, receive attestation data of the compute device, and verify a provenance of the compute device based on the attestation data. The attestation data is indicative of one or more security attributes of the compute device. The data broker device updates a block chain with an acknowledgment of an assignment of the compute device to the data broker device, wherein the block chain identifies each transaction associated with ownership of the compute device.
Proofs of Plaintext Knowledge and Group Signatures Incorporating Same
Systems and methods are provided for proving plaintext knowledge of a message m, encrypted in a ciphertext, to a verifier computer. The method includes, at a user computer, encrypting the message m via a predetermined encryption scheme to produce a ciphertext u, and generating a plurality l of challenges $c^i$, i=1 to l, dependent on the ciphertext u. For each challenge $c^i$, the user computer generates a cryptographic proof $\Pi_2^i$ comprising that challenge $c^i$ and a zero-knowledge proof of plaintext knowledge of the message m encrypted in the ciphertext u. The user computer sends the ciphertext u and the l proofs $\Pi_2^i$ to the verifier computer. Each challenge $c^i$ is constrained to a predetermined challenge space C permitting identification, by searching the challenge space C, of an element $c^{i''}$ such that the message m can be obtained via a decryption operation using the ciphertext u, the element $c^{i''}$, and a decryption key of said encryption scheme.
Authentication Via Group Signatures
Methods and systems are provided for authenticating a message μ, at a user computer of a group signature scheme, to a verifier computer. The method includes, at the user computer, storing a user id m for the user computer and a user signing key which comprises a signature on the user id m under a secret key of a selectively-secure signature scheme. The user id m is an element of a predetermined subring, isomorphic to .sub.q[x]/(g(x)), of a ring R=.sub.q[x]/(f(x)), where f(x) and g(x) are polynomials of degree deg(f) and deg(g) respectively such that deg(f)>deg(g)>1. The method includes, at the user computer, generating a first cryptographic proof $\Pi_1$ comprising a zero-knowledge proof of knowledge of the user signing key and including the message μ in this proof of knowledge. The user computer sends the message μ and a group signature, comprising the first proof $\Pi_1$, to the verifier computer.
MULTI-DIRECTIONAL ZERO-KNOWLEDGE ATTESTATION SYSTEMS AND METHODS
Certain examples described herein relate to zero knowledge attestation systems and methods. In one example method, a computing entity obtains query data over at least one network from a messaging service. A query defined by the query data is matched against private data for the computing entity. A use-limited private-public key pair is obtained for the query and an identifier is generated for the computing entity using the public key. A query result package is then generated based on a match for the query. The query result package includes the generated identifier and acts as a zero knowledge attestation. The computing entity obtains content associated with the query that is addressed to the identifier and uses the private key of the private-public key pair to authenticate communications that relate to the query.
ZERO TRUST BASED ACCESS MANAGEMENT OF INFRASTRUCTURE WITHIN ENTERPRISE USING MICRO-SEGMENTATION AND DECENTRALIZED IDENTIFIER NETWORK
A system and method for onboarding and managing assets in a decentralized identity network is disclosed. The method may include receiving an authorization proof from a member of a team of an enterprise to access an asset in the decentralized identity network. The method may further include validating the member of the team through a set of validator nodes. The method may further include provisioning the asset on the decentralized identity network. The method may further include onboarding the provisioned asset on the decentralized identity network. The method may further include generating a set of derived credentials of the onboarded asset. The method may further include validating a user access request corresponding to at least one of owners of an application and user to access the asset. The method may further include dynamically validating an employee access request from an employee and the unique asset DID to access the asset.
Methods and systems for tracking and recovering assets stolen on distributed ledger-based networks
The instant disclosure illustrates how the privacy and security of activities occurring on distributed ledger-based networks (DLNs) can be enhanced with the use of zero-knowledge proofs (ZKPs) that can be used to verify the validity of at least some aspects of the activities without private information related to the activities necessarily being revealed publicly. Methods and systems that are directed at facilitating the tracking and recovery of assets stolen on ZKP-enabled DLNs while preserving the confidentiality of the tokens are presented herein.
MULTI-ISSUER ANONYMOUS CREDENTIALS FOR PERMISSIONED BLOCKCHAINS
A user of a blockchain network may obtain credentials for the user from an issuer, the credentials based on one or more attributes of the user, wherein the issuer is selected from one or more authorized issuers, and wherein the credentials include a signature on the one or more attributes and a secret key; generate an operation composed of a payload and a second signature; compute a commitment to a public key of the issuer; prove, using a one-out-of-many proof, that the commitment is a valid commitment to a public key of one of the authorized issuers; prove, using a zero-knowledge proof, proof of knowledge of the signature and the credentials under the public key of the issuer; and prove, using a proof of knowledge, of values of the signed secret key and attributes.
A METHOD AND DEVICE FOR AUTHENTICATION
A method for authenticating a prover to a verifier, the prover being provided with a proving key paired to a verification key registered with the verifier, wherein the proving key can be obtained by transforming a protected key and a secret (S) using a transformation (E), characterized in that the prover stores the protected key and does not store the corresponding proving key nor the corresponding verification key in clear, with the exception of storage in transient memory.
Methods and apparatus for offloading signature revocation checking on acceleration circuitry
A system for supporting Enhanced Privacy Identification (EPID) is provided. The system may include a host processor operable to communicate with a remote requestor, where the host processor needs to perform signature revocation checking in accordance with EPID. To perform signature revocation checking, the host processor has to perform either a sign or verify operation. The host processor may offload the sign/verify operation onto one or more associated hardware acceleration coprocessors. A programmable coprocessor may be dynamically configured to perform the desired number of sign/verify functions in accordance with the requirements of the current workload.
Cryptographic mechanisms to provide information privacy and integrity
A security engine may be selected from a plurality of security engines to apply one or more security mechanisms to a section of source code of an application. In some cases, the section of source code may be identified by one or more security mechanism identifiers included in the source code. The security engine may generate machine-readable code that corresponds to the section of source code for which the one or more security mechanisms are to be applied. The machine-readable code may be executed on a plurality of computing devices. In one implementation, applying the security mechanisms to the section of source code may include producing zero-knowledge proofs of knowledge for the section of source code.