H04L9/0847

Method and Apparatus for Duplicated Data Management in Cloud Computing
20170346625 · 2017-11-30

An approach is provided for managing data duplication in cloud computing. A method comprises: sending, from a first device to a data center, data encrypted with a data encryption key, for storage of the encrypted data at the data center; encrypting the data encryption key according to an attribute-based encryption (ABE) scheme, using identity as an attribute in a deduplication policy for the data; and issuing, to a second device, a personalized secret attribute key derived from a public key of the second device according to the ABE scheme, the personalized secret attribute key being used at the second device, in combination with the policy, to decrypt the encrypted data encryption key.

Key exchange method and key exchange system

A plurality of users share a common key while the set of members sharing the common key is permitted to change, and the computational complexity required for key exchange is reduced. R_i and c_i are computed based on a twisted pseudo-random function in a first key generation step. sid is generated based on a target-collision-resistant hash function, and (sid, R_α, R_β) is transmitted to the communication devices U_i in a session ID generation step. T_1 and T′ are computed based on a pseudo-random function in a representative second key generation step. T_j is computed based on the pseudo-random function in a general second key generation step. k′ is computed based on the twisted pseudo-random function, and T′_j is computed for each j in a third key generation step. K_1^l and k_1 are computed in a first session key generation step. A common key K_2 is generated based on the pseudo-random function in a second session key generation step.

CRYPTOGRAPHIC SYSTEM, MASTER KEY UPDATE APPARATUS, AND NON-TRANSITORY COMPUTER-READABLE RECORDING MEDIUM STORING MASTER KEY UPDATE PROGRAM
20170331622 · 2017-11-16

A master key update apparatus (400) acquires a master public key mpk including a basis B and a master secret key msk including a basis B* which is different from the basis B included in the master public key mpk. The master key update apparatus (400) updates the basis B included in the master public key mpk with updating information upk so as to generate a new master public key mpk′, and updates the basis B* included in the master secret key msk with the updating information upk so as to generate a new master secret key msk′.

Network device and trusted third party device
11265154 · 2022-03-01

A first network node (100; 200) is configured to: compute a first shared key (245) for protecting confidentiality from the first identity of the second network node and the first network node's local key material for protecting confidentiality; compute a second shared key (246) for protecting integrity from the second identity of the second network node and the first network node's local key material for protecting integrity; encrypt a message using the first shared key; and compute a first message authentication code over the message using the second shared key.

System and method for computing an escrow session key and a private session key for encoding digital communications between two devices

This document describes a system and method for generating two types of session keys for encoding digital communications between two devices. In particular, the first type of session key possesses escrow properties whereby a trusted third party will be able to generate the first type of session key to decode the digital communications between the two devices while the second type of session key does not possess escrow properties.

Methods and apparatus for offloading signature revocation checking on acceleration circuitry

A system for supporting Enhanced Privacy Identification (EPID) is provided. The system may include a host processor operable to communicate with a remote requestor, where the host processor needs to perform signature revocation checking in accordance with EPID. To perform signature revocation checking, the host processor has to perform either a sign or verify operation. The host processor may offload the sign/verify operation onto one or more associated hardware acceleration coprocessors. A programmable coprocessor may be dynamically configured to perform the desired number of sign/verify functions in accordance with the requirements of the current workload.

SCHEMATIZED ACCESS CONTROL IN A CONTENT CENTRIC NETWORK
20170317821 · 2017-11-02

One embodiment provides a system that facilitates schematized access control in a content centric network. During operation, the system generates, by a content producing device, a secret key for a user based on a schema, where the schema is a regular expression that corresponds to one or more names and grants the user access to content associated with those names; a name is a hierarchically structured, variable-length identifier consisting of contiguous name components ordered from the most general level to the most specific level. The system receives an interest with a name that matches the schema, encrypts the payload of the responsive content object based on the interest name, and transmits the responsive content object with the encrypted payload to the user, who can decrypt the encrypted payload with the secret key.

CRYPTOGRAPHIC SYSTEM ARRANGED FOR KEY SHARING

A cryptographic system is provided comprising multiple configuration servers (200, 201, 202) arranged to configure multiple network devices (300, 350, 360) for key sharing. Each configuration server comprises a computation unit (220) arranged to compute local key material for a network device from root key material specific to that configuration server and from the identity number of the network device being configured. At least two of the configuration servers provide their computed local key material to the network device. The network devices are configured to determine a shared key with any one of the multiple network devices: a network device comprises a shared key unit (330) arranged to derive the shared key from another network device's identity number and at least two of its own local key materials.
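The two Philips-style entries on this page (the network node that derives separate confidentiality and integrity keys from a peer's identities, and the key-sharing system in which several configuration servers each hand a device local key material) describe the same building block from two sides. The example below is added here to make that block concrete; it is not code from either patent. It models each server's root key material as a symmetric bivariate polynomial over a prime field (Blundo-style key pre-distribution), which is an assumption about the construction, and the field modulus, polynomial degree, identity numbers, key labels, the HMAC counter-mode keystream used in place of a real cipher, and the Node class are all illustrative choices.

```python
# Added illustration, not code from either patent.  Root key material is a
# symmetric bivariate polynomial f(x, y) over GF(P); a device's local key
# material is f(id, y); two devices agree on f(id_a, id_b) = f(id_b, id_a).
import hashlib
import hmac
import random

P = (1 << 127) - 1   # field modulus (assumption: a Mersenne prime)
DEGREE = 3           # polynomial degree; at most DEGREE colluding devices are tolerated


def root_key_material(rng):
    """Server-specific root: coefficients a[i][j] with a[i][j] == a[j][i] (symmetry)."""
    a = [[0] * (DEGREE + 1) for _ in range(DEGREE + 1)]
    for i in range(DEGREE + 1):
        for j in range(i, DEGREE + 1):
            a[i][j] = a[j][i] = rng.randrange(P)
    return a


def local_key_material(root, ident):
    """Configuration server: evaluate f(ident, y) and return its coefficients in y."""
    return [sum(root[i][j] * pow(ident, i, P) for i in range(DEGREE + 1)) % P
            for j in range(DEGREE + 1)]


def combine(*materials):
    """Device: add the local key materials from several servers coefficient-wise.
    A sum of symmetric polynomials is symmetric, so shared keys still agree,
    and no single server can compute the combined material on its own."""
    return [sum(coeffs) % P for coeffs in zip(*materials)]


def shared_secret(local, peer_ident):
    """Device: evaluate its combined local material at the peer's identity number."""
    return sum(c * pow(peer_ident, j, P) for j, c in enumerate(local)) % P


def derive_key(secret, label):
    """Bind the field element to one purpose (confidentiality or integrity)."""
    return hmac.new(secret.to_bytes(16, "big"), label, hashlib.sha256).digest()


def keystream(key, nonce, length):
    """HMAC-SHA256 in counter mode, standing in for a real stream cipher (assumption)."""
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def protect(k_conf, k_int, nonce, message):
    """Encrypt with the first shared key, then MAC with the second (encrypt-then-MAC)."""
    ct = bytes(m ^ k for m, k in zip(message, keystream(k_conf, nonce, len(message))))
    tag = hmac.new(k_int, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unprotect(k_conf, k_int, blob):
    """Verify the MAC in constant time before decrypting; reject on mismatch."""
    nonce, ct, tag = blob[:12], blob[12:-32], blob[-32:]
    expected = hmac.new(k_int, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("message authentication failed")
    return bytes(c ^ k for c, k in zip(ct, keystream(k_conf, nonce, len(ct))))


class Node:
    """A network device with a confidentiality identity and an integrity identity,
    each backed by local key material combined from all configuration servers."""

    def __init__(self, id_conf, id_int, servers):
        self.id_conf, self.id_int = id_conf, id_int
        self.lkm_conf = combine(*(local_key_material(s["conf"], id_conf) for s in servers))
        self.lkm_int = combine(*(local_key_material(s["int"], id_int) for s in servers))

    def keys_for(self, peer):
        """First key from the peer's first identity, second key from its second identity."""
        k_conf = derive_key(shared_secret(self.lkm_conf, peer.id_conf), b"confidentiality")
        k_int = derive_key(shared_secret(self.lkm_int, peer.id_int), b"integrity")
        return k_conf, k_int


def demo(seed=7):
    """Two servers configure three nodes; A sends B a protected message."""
    rng = random.Random(seed)  # deterministic for the example; use secrets in practice
    servers = [{"conf": root_key_material(rng), "int": root_key_material(rng)} for _ in range(2)]
    a, b, c = Node(1001, 5001, servers), Node(1002, 5002, servers), Node(1003, 5003, servers)
    ka, kb, kc = a.keys_for(b), b.keys_for(a), c.keys_for(a)
    nonce = rng.getrandbits(96).to_bytes(12, "big")
    blob = protect(*ka, nonce, b"hello from A")
    tampered = blob[:12] + bytes([blob[12] ^ 1]) + blob[13:]  # flip one ciphertext bit
    try:
        unprotect(*kb, tampered)
        tamper_detected = False
    except ValueError:
        tamper_detected = True
    return {"keys_agree": ka == kb, "outsider_differs": kc != ka,
            "plaintext": unprotect(*kb, blob), "tamper_detected": tamper_detected}


if __name__ == "__main__":
    print(demo())
```

The point to check against the abstracts: each server only ever sees its own root polynomial, so a server that is compromised (or coerced) cannot compute the key two devices derive from their combined material, which is what handing out material from at least two servers buys. The degree bound is the scheme's collusion threshold, so DEGREE in a real deployment is a security parameter rather than a small constant, and the HMAC counter-mode stream with a caller-supplied nonce is a placeholder for an AEAD; what should carry over is the use of two separately derived keys, one for encryption and one for the MAC, rather than one key for both.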

METHOD FOR PROVIDING ENCRYPTED INFORMATION AND ENCRYPTING ENTITY
20170310478 · 2017-10-26

A method for providing encrypted information by an information entity to one or more operating entities. The information entity has a database for storing encrypted information, and the one or more operating entities are configured to operate on the encrypted information, which is stored encrypted with an encryption key known to the operating entities. An operating entity performs a request on the encrypted information. Plaintext information to be stored encrypted is provided in tuples, each having ID information, one or more fields with field information specifying the fields, and values. At least the values are encrypted with non-deterministic order-preserving encryption under at least one encryption key, such that each plaintext value is encrypted into a set of encrypted values, and that set of encrypted values is partitioned into a left set and a right set.

Key exchange method and key exchange system

A plurality of users share a common key while the set of members sharing the common key is permitted to change, and the computational complexity required for key exchange is reduced. R_i and c_i are computed based on a twisted pseudo-random function in a first key generation step. sid is generated based on a target-collision-resistant hash function, and (sid, R_α, R_β) is transmitted to the communication devices U_i in a session ID generation step. T_1 and T′ are computed based on a pseudo-random function in a representative second key generation step. T_j is computed based on the pseudo-random function in a general second key generation step. k′ is computed based on the twisted pseudo-random function, and T′_j is computed for each j in a third key generation step. K_1^1 and k_1 are computed in a first session key generation step. A common key K_2 is generated based on the pseudo-random function in a second session key generation step.