Patent classifications
H04L9/0836
SELECTIVE DATA DISCLOSURE VIA A BLOCK CHAIN
The present invention relates to a method for selective disclosure of confidential data of a first user to a second user of a blockchain (450). The first user is equipped with a deterministic hierarchical key portfolio (410) and selects a leaf of the tree of the portfolio as an emitter account. A secret key is derived from the chain code of this emitter account and the data to be disclosed are encrypted using this secret key. The first user transmits, by means of a first transaction, the data encrypted in this manner to a smart contract (430) which stores them in the blockchain. It transmits by means of a second transaction an access credit to the smart contract which stores it in connection with the pair formed by the emitter account of the first user and the receiver account of the second user. The second user transmits a third transaction to the smart contract from its receiver account (420). If the credit is not zero, the smart contract makes available to the receiver account the encrypted data stored in the blockchain in connection with the emitter account of the first user.
Privacy-preserving document sharing
An example operation may include one or more of sending, by a user node, a document request comprising a document identifier (ID) to a document processor node connected over a blockchain, receiving, by the user node, a one-time pass-code from the document processor node based on the document ID, linking to the document using the one-time pass-code, and retrieving the document from a document owner node.
Systems and methods for providing a trusted keystore
Systems and methods for providing a trusted keystore are disclosed. In one embodiment, in an information processing apparatus comprising at least one computer processor, a method for providing a trusted keystore may include: (1) selecting and storing a root Keyblock Protection Key (KBPK) in a trusted domain; (2) for each key class: creating a keyblock with a class KBPK; and storing the keyblock in an untrusted keystore in an untrusted domain; (3) loading keyblocks to a trusted key manager in the trusted domain; (4) decrypting the keyblocks with an encryption class key; (5) verifying the keyblocks under a MAC class key; (6) loading class keyblocks to the trusted key manager from the untrusted keystore; (7) writing the keyblocks to the untrusted keystore; and (8) writing class keyblock MACs in a hierarchy to the untrusted keystore. A number of levels in the hierarchy is based on an amount of available storage in the trusted domain.
CONTAINER PLATFORM-ORIENTED TRUSTED SOFTWARE AUTHORIZATION AND VERIFICATION SYSTEM AND METHOD
Provided are a container platform-oriented trusted software authorization and verification system and a method, the system including a public key infrastructure builder, a container image identity builder, a signature list builder, a container image verifier, a signature list and user certificates loader, and a container program verifier. The method is capable of conveniently authorizing container images and software running in the container, and verifying the container images and programs in the container at the right time, so as to ensure that container images running on the container platform are trusted, and the software running in the container is also trusted, thereby improving the security of the container platform.
METHOD AND SYSTEM FOR QUANTUM-RESISTANT HASHING SCHEME
A method for moderation in a permissioned blockchain using a hash-oriented scheme includes: storing a blockchain including a most recent block; receiving transaction data values; receiving a first reference value and a second reference value; generating a first hash value by hashing the first reference value; generating a block proof including the first hash value, a second hash value, a third reference value, and a block value; verifying a block header of the most recent block using the block proof; receiving a new block value; generating a new block header including the first reference value, the second reference value, a fourth reference value, and the new block value; generating a new block for the blockchain including the new block header and the transaction data values; and transmitting the new block to one or more additional nodes associated with the blockchain.
Terminal identity protection method in a communication system
A method for determining a terminal ID from a message received from a terminal in a communication system avoids sending the terminal ID in the clear. In this system each terminal ID has an associated encryption key. A transmitted message comprises at least a Message Authentication Code (MAC), an n-bit hash, and encrypted message text. At least the terminal key and a nonce are used to generate the MAC, and neither the terminal ID nor the terminal key is included in the transmitted message. An authentication broker stores the set of all (terminal ID, terminal key) pairs for the plurality of terminals in the communication system. The set of all terminal keys is grouped into at least two partitions, and on receipt of a message the authentication broker identifies the partition that includes the terminal key of the terminal that transmitted the received message using the n-bit hash (the search partition). The authentication broker then searches the search partition for the terminal key that authenticates the MAC to identify the terminal ID. In some embodiments the nonce is not included in the message but is known or obtainable by the terminal and the authentication broker. A partitioning function generates the n-bit hash from at least the nonce and a terminal key. In some embodiments the nonce is included in the received message and a partitioning function generates the n-bit hash by using the nonce to select n bits from the terminal ID. In some embodiments the partitions are arranged into hierarchical groups such as a tree, and each node has a partition key, and the n-bit hash is formed as the ordered set of MACs for the partition keys on the path from the root node to the leaf node partition that includes the terminal key.
Split security solutions for video/audio using SpaceFlip class ciphers
Audio files and Video files are processed with a new level of security by first spotting parts thereof with a strong entropic impact, and treating these sensitive parts (e.g. human faces, secret gadgets) with equivocation generating ciphers that would withstand quantum computer cryptanalysis.
Technologies for internet of things key management
Technologies for key management of internet-of-things (IoT) devices include an IoT device, an authority center server, and a group management server. The IoT device is configured to authenticate with an authority center server via an offline communication channel, receive a group member private key as a function of the authentication with the authority center server, and authenticate with a group management server via a secure online communication channel using the group member private key. The IoT device is further configured to receive a group shared key as a function of the authentication with the group management server, encrypt secret data with the group shared key, and transmit the encrypted secret data to the group management server. Other embodiments are described herein.
Cryptographic method and system for secure extraction of data from a blockchain
The invention relates generally to cryptographic techniques for secure processing, transmission and exchange of data. It also relates to peer-to-peer distributed ledgers such as (but not limited to) the Bitcoin blockchain. In particular, it relates to control solutions for identifying, protecting, extracting, transmitting and updating data in a cryptographically controlled and secure manner. It also relates to system inter-operability and the ability to communicate data between different and distinct computing systems. The invention provides a computer implemented method (and corresponding systems) comprising the steps of identifying a set of first structure public keys comprising at least one public root key associated with a first structure of interest of an entity and one or more associated public sub-keys; deriving a deterministic association between the at least one public root key and the one or more associated public sub-keys; and extracting data from a plurality of transactions (TXs) from a blockchain. The data comprises data indicative of a blockchain transaction (Tx) between the first structure and at least one further structure; and a first structure public key associated with the first structure. The first structure public key is part of a cryptographic public/private key. The method includes the step of generating an output for the first structure of interest by matching at least part of the set of first structure public keys to the extracted transaction data using the deterministic association. The one or more public sub-keys is generated or determined using Elliptic Curve Cryptography (ECC) and a deterministic key (DK) that is based on a cryptographic hash of a message (M). The one or more public sub-keys is determined based on a scalar addition of an associated public parent key and the scalar multiplication of a deterministic key (DK) and a generator (G).
APPARATUS AND METHOD FOR MANAGING PSEUDONYM CERTIFICATE
A pseudonym certificate management method, performed by a pseudonym certificate management apparatus interworking with an external server, may comprise: receiving, from the external server, a pseudonym certificate in a state locked based on a root value identifiable only by the external server; periodically receiving an unlocking key for the pseudonym certificate from the external server; activating the pseudonym certificate with the unlocking key; and when the activated pseudonym certificate is abnormal, deactivating the pseudonym certificate.