CA2426794C - Method and system for processing a request of a customer - Google Patents

Publication number
CA2426794C
CA2426794C CA002426794A CA2426794A CA2426794C CA 2426794 C CA2426794 C CA 2426794C CA 002426794 A CA002426794 A CA 002426794A CA 2426794 A CA2426794 A CA 2426794A CA 2426794 C CA2426794 C CA 2426794C
Authority
CA
Canada
Prior art keywords
originator
entity
request
information
computation
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Expired - Lifetime
Application number
CA002426794A
Other languages
French (fr)
Other versions
CA2426794A1 (en)
Inventor
Joy Algesheimer-Muller
Christian Cachin
Jan Camenisch
Gunter Karjoth
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
International Business Machines Corp
Original Assignee
International Business Machines Corp
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by International Business Machines Corp
Publication of CA2426794A1
Application granted
Publication of CA2426794C
Legal status: Expired - Lifetime

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F9/00 Arrangements for program control, e.g. control units
    • G06F9/06 Arrangements for program control, e.g. control units using stored programs, i.e. using an internal store of processing equipment to receive or retain programs
    • G06F9/46 Multiprogramming arrangements
    • G06F9/465 Distributed object oriented systems

Landscapes

  • Engineering & Computer Science (AREA)
  • Software Systems (AREA)
  • Theoretical Computer Science (AREA)
  • Physics & Mathematics (AREA)
  • General Engineering & Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • Storage Device Security (AREA)
  • Management, Administration, Business Operations System, And Electronic Commerce (AREA)
  • Computer And Data Communications (AREA)
  • Mobile Radio Communication Systems (AREA)

Abstract

The invention provides a method and system for processing securely an originator request of a customer. This originator request can be sent to at least one first entity. The method for processing the originator request comprises the steps of a) sending from the customer the originator request to the or each first entity; b) connecting the or each first entity to a computation entity; c) adding by the or each first entity, on receipt of the originator request, information concerning the originator request thereby forming a first-modified request; d) sending at least part of the first-modified request to at least the computation entity; e) having received at least part of the first-modified request by the computation entity deriving a computation-entity result from the at least part of the first-modified request; f) sending at least part of the computation-entity result to the or each first entity; g) having received at least part of the computation-entity result by the or each first entity deriving therefrom a first-entity result and forwarding it at least in part; and h) having received at least part of the first-entity result by the customer deriving therefrom a customer result.

Description

PCT/IB01/01988
METHOD AND SYSTEM FOR PROCESSING A REQUEST OF A CUSTOMER
TECHNICAL FIELD
The present invention relates to a method and system for processing a request of a customer.
More particularly, the invention relates to cryptographic security of mobile agents.
BACKGROUND OF THE INVENTION
In the increasingly networked world, mobile code is a programming paradigm that becomes more and more important. It provides a flexible way to structure cooperative computation in distributed systems. At present, the Internet is full of mobile code fragments, such as Java applets, which represent only a simple form of mobile code.
Mobile agents are mobile code that acts autonomously on behalf of a user for continuous collecting, filtering, and processing of information. They combine the benefits of the agent paradigm, such as reacting to a changing environment and autonomous operation, with the features of remote code execution; they operate in computer networks and are capable of moving from server to server as necessary to fulfill their goals. Important applications include mobile computing, where bandwidth is limited or users are disconnected, data retrieval from large repositories, and configuration management of software and networks. The vision of mobile agents roaming the Internet may soon become reality as the paradigm is incorporated in large-scale applications.
Mobile code is to be understood as a program that is produced by one entity, called the originator, and is subsequently transferred to an entity, the host, immediately before it is executed by the host. In other words, no manual intervention, such as performing an installation or running a setup routine, is required on behalf of the host; mobile code comes ready to run. Moreover, mobile agents are capable of continued, autonomous operation disconnected from the originator and migrate freely to other hosts during their lifetime. Such agents have also been called itinerant agents. Mobile code is exposed to various security threats: a malicious host may examine the code, try to learn the secrets carried by an agent, and exploit this knowledge in its interaction with the agent to gain an unfair advantage. A host might also try to manipulate the result of a computation.
There are at least two security problems that arise in the area of mobile code: (1) protecting the host from malicious code and (2) protecting the code from malicious hosts.
The first problem has received considerable attention because of the imminent threat of computer viruses and Trojan horses. Current solutions are to run mobile code in a so-called sandbox with fine-grained access control and to apply code signing for exploiting a trust relation with the code producer.
Protecting mobile code was deemed impossible by some mobile code researchers until T. Sander and C. F. Tschudin realized that tools from theoretical cryptography could be useful to execute mobile code in an encrypted form on an untrusted host, as described in their article "Protecting mobile agents against malicious hosts", Mobile Agents and Security (G. Vigna, ed.), Lecture Notes in Computer Science, vol. 1419, Springer, 1998. Most protocols for so-called secure computation require several rounds of interaction, however, and are not applicable to achieve secrecy for mobile applications and integrity for their outputs. Sander and Tschudin concluded that only functions representable as polynomials can be computed securely in this manner. Subsequent work of Sander et al. extends this to all functions computable by circuits of logarithmic depth, as disclosed by T. Sander, A. Young, and M. Yung in "Non-interactive CryptoComputing for $NC^1$", Proc. 40th IEEE Symposium on Foundations of Computer Science (FOCS), 1999.
A further form of code is active mobile code that performs some immediate action on the host. Thereby often information about the encrypted computation is leaked to the host whereby only the originator shall receive any output.
A basic problem with active mobile code is that a malicious host can observe the output of the computation and simply run the code again with a different input. The only existing defense for active mobile code against a malicious host uses trusted hardware. This has been proposed and entails running mobile code exclusively inside tamperproof hardware, encrypting it as soon as it leaves the trusted environment.
US Patent No. 6,026,374 is related to a system and method using a trusted third party to provide a description of an information product to potential buyers without disclosing the entire contents of the information products, which might compromise the interests of the seller. The buyer trusts the third party to give an accurate description of the information that is for sale, while the seller trusts the third party not to reveal an excessive amount of the information product's content. The system can include a seller of information products, a buyer of such products, and a trusted third party summarizer, each operating as a node in a communications network, such as the Internet. A disadvantage of this system and method is that the third party has to be a trusted one and that this third party gets information and learns about everything. This could be dangerous if said third party gets cracked. Moreover, several messages are necessary to process the request of the buyer.
SUMMARY AND ADVANTAGES OF THE INVENTION
The invention provides a method and system for processing securely an originator request of a customer, i.e. the request being initiated by the customer. This originator request is sent within a mobile code or agent to at least one first entity. The method for processing the originator request comprises the steps of a) sending from the customer, i.e. from the customer's device, the originator request to the or each first entity; b) connecting the or each first entity to a computation entity; c) adding by the or each first entity, on receipt of the originator request, information concerning the originator request thereby forming a first-modified request; d) sending at least part of the first-modified request to at least the computation entity; e) having received at least part of the first-modified request by the computation entity deriving a computation-entity result from the at least part of the first-modified request; f) sending at least part of the computation-entity result to the or each first entity; g) having received at least part of the computation-entity result by the or each first entity deriving therefrom a first-entity result and forwarding it at least in part; and h) having received at least part of the first-entity result by the customer deriving therefrom a customer result.
It is an advantage that only the customer learns the result of the calculation, whereby other entities or hosts learn nothing at all except results which are designated to them. The mobile code or agent comprising the originator request is sent around a network to several entities whereby the code or at least fragments thereof can be securely executed without any additional client hardware at the first entity. Security is obtained through the computation entity that is a generic independent entity. This independent entity can be a computation service that performs an encrypted computation on behalf of the mobile agent, but does not learn anything about the encrypted computation. The independent entity can serve many different applications whereby nothing about its usage is necessary to know before deploying it. Privacy as well as authenticity for the mobile agents can be achieved.
Moreover, the computation service itself does not learn anything about the computation, assuming it does not collude with the code originator or the first entity.
The independent entity may be universal rather than bound to a particular service or to an application context. For example, secure computation servers can be set up and operated by independent entities.
The method and system may be based on software and commodity hardware and therefore may be less expensive to build and operate than any solution involving specialized hardware.
A cryptographic operation can be applied to the mobile agent comprising the request or a result. Thus, integrity for the mobile agent can be advantageously guaranteed.
When the originator request is formed by applying an encrypted circuit construction, then the advantage occurs that a secure computation of the request can be achieved and the originator of that request can define how much information an entity shall receive.
The originator request may comprise a function in encrypted form. This is advantageous, because then other entities processing the originator request can not derive useful information therefrom except results which are designated to those entities.
The originator request, the first-modified request, the computation-entity result, and the first-entity result may comprise an encrypted part. This is advantageous, because then sensitive information is protected and is not readable as plaintext.
The originator request may comprise an offer or any other legal instrument. It may also comprise purchase information or customer information, such as the address for delivering or the credit card number for financial transactions.
The first entity comprises a web server offering a service or goods. This service can merely be everything including sale, lease, license, or financing transaction.
The first-entity result may comprise a customer information concerning acceptance of the originator request. This is advantageous, because then the first-entity can deliver its service or goods immediately and initiate the necessary transactions.
The customer result may comprise the first-entity information concerning acceptance of the originator request. The customer therefore knows that its originator request will be fulfilled and no further actions are necessary.
DESCRIPTION OF THE DRAWINGS
Preferred embodiments of the invention are described in detail below, by way of example only, with reference to the following schematic drawings.
FIG. 1 shows an illustration of a communication flow according to the present invention.
FIG. 2 shows a more detailed illustration of a communication flow.
FIG. 3 shows another illustration of a communication flow.
The drawings are provided for illustrative purpose only and do not necessarily represent practical examples of the present invention to scale.
DESCRIPTION OF THE INVENTION
With general reference to the figures, the features of a method and system for processing a request of a customer using cryptographic functions are described in more detail below. When referring to the word customer, it appears obvious that a device, such as a computer or mobile appliance, used by the customer is meant.
A defining element of a mobile code or agent computation is that it proceeds autonomously and independently of the originator of the code. The secure mobile agent computation is modeled in principle as depicted in Fig. 1, whereby the boxes are labeled according to the description below.
There are a code originator O, and $l$ hosts, hereinafter referred to as entities $H_1, \dots, H_l$, on which the mobile agent, hereinafter short agent, runs.
Fig. 1 shows a network, such as the Internet, whereby the code originator O is connected to a first entity $H_1$, that is further connected to a second entity $H_2$. The second entity $H_2$ is connected to an entity labeled with $H_j$ that further has a connection to an entity labeled with $H_{j+1}$, whereby several other entities are possible in-between as indicated by the dotted line.
The entity $H_{j+1}$ is connected to an entity labeled with $H_l$ that in the following is connected back to the code originator O. Each of the entities $H_1, H_2, \dots, H_j, H_{j+1}, H_l$ is connected to a computing entity T.
The code originator O as well as each entity $H_1, H_2, \dots, H_j, H_{j+1}, H_l$ sends and receives only a single message, that comprises the agent. The message that the code originator O sends to the first entity $H_1$ is denoted by $m_0$ and the message that a further entity $H_j$ sends to $H_{j+1}$ by $m_j$ for $j = 1, \dots, l-1$, and the message that the last entity $H_l$ returns to the code originator O is denoted by $m_l$.
Fig. 2 depicts a more detailed illustration of the communication flow as shown in Fig. 1. The code originator O, that here is a customer O, is connected to the first entity, here labeled with H, that further is connected to the computing entity T. The method for processing an originator request OR, e.g. a price request including a threshold for a product, of the customer O runs as follows. The customer O sends the originator request OR to the first entity H. This is indicated by the arrow labeled with $m_{OR}$. The first entity H offers several products at a particular price. The first entity H connects to the computation entity T and adds, on receipt of the originator request OR, information I concerning the originator request OR, e.g. the price it is willing to accept, thereby forming a first-modified request FMR. This first-modified request FMR is sent to the computation entity T as indicated by the arrow labeled with $m_{FMR}$. When the computation entity T has received the first-modified request FMR, it derives therefrom a computation-entity result CER without learning anything from this computation.
Afterwards, the computation-entity result CER is sent back to the first entity H as indicated by the arrow labeled with $m_{CER}$. When the first entity H has received the computation-entity result CER, it derives therefrom a first-entity result FER and forwards this back to the customer O as indicated by the arrow labeled with $m_{FER}$. The customer O is able to derive from the first-entity result FER a customer result CR. This customer result CR provides the information to the customer O whether or not his originator request OR has been fulfilled. The first entity H knows from the first-entity result FER whether or not its offer is acceptable to the customer O.
The originator request OR may contain information about the customer O, i.e. address, credit card information, which allows the first entity H to deliver the requested product immediately.
In the embodiment described above, the mobile agent visits several vendor sites and compares offers. The originator request OR need not be based only on price, but can also include other attributes. The originator or customer O wants to maintain the privacy of his preferences, but a shop has an interest to learn the buyer's strategy as well as information about other vendors' offers. For complex offers where the price is determined individually for each customer based on its needs, such as in the insurance market, the vendor wants to keep its method of calculating the price secret. All these requirements can be fulfilled by the described scheme for secure mobile code.
In another embodiment, a shopping agent travels around the network and collects offers from several vendors or entities $H_1, H_2, \dots, H_j, H_{j+1}, H_l$, whereby a prior agreement on the data format of the offers is helpful.
Fig. 3 shows another embodiment using the same or like parts as shown in Figs. 1 and 2. The difference is that the code originator O sends its originator request OR directly to each entity $H_1, H_2, \dots, H_l$, whereby the originator request OR can be the same or different for each entity $H_1, H_2, \dots, H_l$.
In a further embodiment an electronic negotiation is described. The electronic negotiation between a buyer and a single vendor can take place using the scheme for secure mobile code that visits a single host or entity H. Typically, the vendor would act as the originator O and download an applet to the buyer's browser (as is already quite common on the Internet). The applet is executed using the help of the computation entity T by the buyer and the offer is displayed to the buyer. The vendor may obtain some information as well, which it would have to spell out clearly in a "privacy statement" accompanying the applet.
Auctions with generalized bidding strategies present an interesting application area for secure mobile agents. Bidding agents can implement a complex strategy being a function of time and other participants' behavior, which gives the bidder more flexibility compared to traditional single-parameter auctions based purely on price. As the value of the lots is interrelated, a bidder is interested to define his bidding behavior as dynamically as possible, for example making the valuation of a lot depend on other winning bids that he observed in the previous rounds. If the bidders can express their strategies as a computable function, then one may construct a circuit to compute the auction function, i.e., the outcome of the auction, with the strategies as the private inputs of all participants. This would require an auction agent that visits each bidder only once. However, in the likely case that the bidders are unable to express their strategies mathematically, each round of the auction could also be performed securely by an auction applet that visits each bidder once and returns to the auctioneer. There it outputs the winning bids or the end of the auction if the bids did not exceed the minimum increment.
If the scheme for secure mobile computing is used, then there is no single entity $H_1, H_2, \dots, H_j, H_{j+1}, H_l$ that sees all bids (like the auctioneer, its computer system, or its operators).
Generalized auctions are common in electricity markets, equities trading, bandwidth auctions, and transportation exchanges, and bidders often have preferences over combinations of items.
In the following, implementation details are described.

Computation: Let the state of the mobile agent be an element of a set $X$. Its initial state $x_0$ is determined by O. Let the input by $H_j$ be an element of a set $Y_j$ and the output to $H_j$ an element of $Z_j$. The agent computation on the entity $H_j$ is represented by two functions $g_j: X \times Y_j \to X$ and $h_j: X \times Y_j \to Z_j$ that determine the new state $x_j = g_j(x_{j-1}, y_j)$ of the agent and the output $z_j = h_j(x_{j-1}, y_j)$. O obtains the final state $\xi = x_l \in X$ of the agent. The functions $g_j$ and $h_j$ are known to all entities $H_1, \dots, H_l$.
A mobile computing scheme comprises $2l + 2$ algorithms $A_0, A_1, \dots, A_l$, $B_1, \dots, B_l$, and $D$ such that for all $j = 1, \dots, l$ and $x_0 \in X$, $y_j \in Y_j$, and with
    $m_0 = A_0(x_0)$
    $m_j = A_j(m_{j-1}, y_j)$ for $j = 1, \dots, l$
    $z_j = B_j(m_{j-1}, y_j)$ for $j = 1, \dots, l$
    $\xi = D(m_l)$
the following two conditions Correctness and Privacy hold.
Correctness: $\xi = g_l(x_{l-1}, y_l)$ and $z_j = h_j(x_{j-1}, y_j)$ for $j = 1, \dots, l$ using $x_{j'} = g_{j'}(\cdots(g_2(g_1(x_0, y_1), y_2)\cdots), y_{j'})$ for $j' = 1, \dots, l-1$.
Privacy: The inputs, outputs, and the computations of all entities remain hidden from the originator and from all other entities, except for what follows from their outputs. O learns only $\xi$ but nothing else about any $y_j$ than what follows from $x_0$ and $\xi$, and similarly, $H_j$ learns only $z_j$ but nothing about $x_0$ and $y_{j'}$ for $j' < j$ than what follows from $z_j$ and $y_j$.
For simplicity reasons, the above scheme assumes that the order in which the agent visits all entities is fixed. It is extended to allow for the sequence to depend on $z_j$ by introducing a function $\pi: Z_j \to \{1, \dots, l\}$ and sending the agent to $H_{\pi(z_j)}$ from $H_j$. In the case of mobile code applications with a single host, i.e. the first entity H only, the function $g$ yields O's output $\xi$ and $h$ gives H's output $z$.
A computation entity T, that can be a generic secure computation service, is provided. This computation entity T is on-line and connected to all entities $H_1, \dots, H_l$ or hosts running agent applications and is at their disposal for securing agent computations. The computation entity T itself does not gain any information about the computation, no matter how it behaves, under the assumptions that (1) the computation entity T does not collude with the originator against any entity, and (2) the computation entity T does not collude with any entity against the originator or against any other entity. All computations proceed with minimal or no interaction. The scheme is generic and not bound to any particular application. Hence the service of the computation entity T might be offered as a public service for "secure mobile agent computation" on the Internet. Clients or customers who use this service in the role of O or H (e.g., for comparison shopping) do not have to fear that the computation entity T has "second thoughts" trying to violate their privacy (e.g., of customer profiling and collecting marketing data). Moreover, the computation entity T itself has an interest to maintain its reputation as a security provider.
The scheme is based on functions in encrypted form. For example, encrypting a binary digital circuit realizes the part of the agent computation. This can be realized by an encrypted circuit construction as described in the following.
Encrypted circuit construction
The encrypted circuit construction of Yao, as introduced by A. C. Yao in his article "How to generate and exchange secrets" at Proc. 27th IEEE Symposium on Foundations of Computer Science (FOCS), 1986, pp. 162-167, is an interactive protocol for secure function evaluation between two parties or entities. This is described for a binary function $g(\cdot, \cdot)$ and parties Alice (with input $x$) and Bob (with input $y$). Bob receives the output $z = g(x, y)$ but learns nothing else and Alice learns nothing at all.
Let $(x_1, \dots, x_{n_x})$, $(y_1, \dots, y_{n_y})$, and $(z_1, \dots, z_{n_z})$ denote the binary representations of $x$, $y$, and $z$, respectively, and let $C$ denote a polynomial-sized binary circuit computing $g$.
The components of Yao's construction are (I) a first algorithm construct that Alice uses to construct an encrypted circuit, (II) a transfer protocol between Alice and Bob, and (III) a second algorithm evaluate allowing Bob to retrieve $g(x, y)$. More precisely, these procedures are as follows.
(I) The probabilistic first algorithm construct($C$) takes the circuit as input and outputs the tuple $(\mathcal{C}, \mathcal{L}, \mathcal{K}, \mathcal{U})$ where $\mathcal{C}$ may be viewed as an encrypted version of the $n_x + n_y$ input circuit $C(\cdot, \cdot)$ and where $\mathcal{L}$, $\mathcal{K}$, and $\mathcal{U}$ denote lists of so-called key pairs
    $\mathcal{L} = (L_{1,0}, L_{1,1}), \dots, (L_{n_x,0}, L_{n_x,1})$
    $\mathcal{K} = (K_{1,0}, K_{1,1}), \dots, (K_{n_y,0}, K_{n_y,1})$
    $\mathcal{U} = (U_{1,0}, U_{1,1}), \dots, (U_{n_z,0}, U_{n_z,1})$
corresponding to $x$, $y$, and $z$, respectively.
In order to compute $C(x, y)$ from the encryption $\mathcal{C}$, Bob needs one "key" for each input bit: $L_{i,b}$ corresponds to input bit $x_i = b$ and $K_{i,b}$ corresponds to input bit $y_i = b$. The keys $U_{i,0}$ and $U_{i,1}$ represent the output bits of the encrypted circuit, i.e., if evaluation produces $U_{i,b}$, then the output bit $z_i$ is set to $b$.
The particular method in which $\mathcal{C}$ is encrypted ensures that for every gate in the circuit, given two keys representing its input bits, the key representing the resulting output bit can be readily computed, but no information is revealed about which cleartext bit it represents.
(II) Alice and Bob engage in a protocol for oblivious transfer, for example, as disclosed by S. Even, O. Goldreich and A. Lempel in "A randomized protocol for signing contracts", Communications of the ACM 28 (1985), 637-647 or by G. Brassard, C. Crepeau, and J.-M. Robert in "Information-theoretic reductions among disclosure problems", Proc. 27th IEEE Symposium on Foundations of Computer Science (FOCS), 1986. This is an interactive two-party protocol for a sender with input two messages $m_0$ and $m_1$ and a chooser with input a bit $\sigma$. At the end, the chooser receives $m_\sigma$ but does not learn anything about $m_{\sigma \oplus 1}$, and the sender has no information about $\sigma$.
More precisely, Alice acts as the sender and Bob obtains for every bit $y_i$ of his input the value $K'_i = K_{i,y_i}$ but learns nothing about $K_{i,y_i \oplus 1}$. At the same time, Alice learns nothing about $y_i$.

In addition, Alice computes the keys representing $x$ as $L'_i = L_{i,x_i}$ for $i = 1, \dots, n_x$ and sends $\mathcal{C}, L'_1, \dots, L'_{n_x}, \mathcal{U}$ to Bob.
(III) The second algorithm evaluate($\mathcal{C}, L'_1, \dots, L'_{n_x}, K'_1, \dots, K'_{n_y}$) takes as inputs the encrypted circuit, a representation of $x$, and a representation of $y$ by the respective keys. It outputs the keys $U'_1, \dots, U'_{n_z}$ from which Bob can recover $z$, and if Alice and Bob obey the protocol, then $z = g(x, y)$.
Implementing the first and second algorithms construct and evaluate can be achieved by pseudo-random functions, as for example proposed by O. Goldreich, S. Goldwasser, and S. Micali in "How to construct random functions", Journal of the ACM 33 (1986), no. 4, 792-807, which are realized in practice by block ciphers. Block ciphers are very fast cryptographic primitives, even if implemented in software.
The following describes how to use the encrypted circuit construction for realizing secure mobile code computation with a single or first entity. The extension to multiple entities is considered after that.
The computation entity T publishes the public key of an encryption scheme. The corresponding encryption and decryption operations are denoted by $E_T(\cdot)$ and $D_T(\cdot)$, respectively. All entities can communicate over secure authenticated links, which could be realized by using standard public-key encryption and digital signatures.
The basic scheme is that O constructs an encrypted circuit $\mathcal{C}$ computing the two values $\xi$ and $z$. The code originator O sends $\mathcal{C}$ to the first entity H, but encrypts all keys in $\mathcal{K}$ for T and does not include the key pairs in $\mathcal{U}$ which correspond to $\xi$ (denoted by $\mathcal{U}_x$) so that the first entity H will not learn anything about $\xi$. Next, the first entity H selects from $\bar{\mathcal{K}}$ the encrypted keys representing $y$ and invokes the computation entity T to decrypt them in a single round of interaction. Then, the first entity H evaluates the circuit and obtains $z$; it also returns the keys in the circuit output representing $\xi$ to O, who can determine $\xi$ from this.
Let $C$ be the binary circuit computing $(\xi, z) = (g(x, y), h(x, y))$ from the same inputs with $n_x + n_y$ input bits $x_1, \dots, x_{n_x}, y_1, \dots, y_{n_y}$ and $n_x + n_z$ output bits $\xi_1, \dots, \xi_{n_x}, z_1, \dots, z_{n_z}$, slightly modifying the notation from the previous section. The scheme proceeds in five steps 1) to 5), as described in the following.
1) O chooses a string $id$ that uniquely identifies the computation, e.g., containing the name of O, a description of $g$ and $h$, and a sequence counter. O invokes construct($C$) and obtains $(\mathcal{C}, \mathcal{L}, \mathcal{K}, \mathcal{U})$ as above with $\mathcal{U}$ consisting of $n_x + n_z$ key pairs in total. $\mathcal{U}_x$ denotes the pairs in $\mathcal{U}$ with indices $1, \dots, n_x$ and $\mathcal{U}_z$ denotes those with indices $n_x + 1, \dots, n_x + n_z$.
For $i = 1, \dots, n_y$ and $b \in \{0, 1\}$, it computes $\bar{K}_{i,b} = E_T(id \,\|\, i \,\|\, K_{i,b})$.
Let $\bar{\mathcal{K}}$ denote the list of pairs of all such $\bar{K}$. Then O lets $L'_i = L_{i,x_i}$ as above for $i = 1, \dots, n_x$ and sends $id, \mathcal{C}, L'_1, \dots, L'_{n_x}, \bar{\mathcal{K}}, \mathcal{U}_z$ to the first entity H.
2) The first entity H sets $\bar{K}_i = \bar{K}_{i,y_i}$ for $i = 1, \dots, n_y$ to be the encryptions representing its input $y$ and sends them to the computation entity T along with $id$.
3) The computation entity T decrypts $\bar{K}_i$ for $i = 1, \dots, n_y$ and verifies that the $i$th decrypted string contains the identifier $id$ and index $i$. If all checks are successful, the computation entity T returns the decrypted keys $K'_1, \dots, K'_{n_y}$ to the first entity H.
4) The first entity H invokes the second algorithm evaluate($\mathcal{C}, L'_1, \dots, L'_{n_x}, K'_1, \dots, K'_{n_y}$) and obtains $U'_1, \dots, U'_{n_x+n_z}$. Then, the first entity H determines $z = (z_1, \dots, z_{n_z})$ such that $U_{n_x+i,z_i} = U'_{n_x+i}$ for $i = 1, \dots, n_z$ and forwards the remaining values $U'_1, \dots, U'_{n_x}$ to the code originator O.
5) The code originator O determines its output $\xi = (\xi_1, \dots, \xi_{n_x})$ such that $U_{i,\xi_i} = U'_i$ for $i = 1, \dots, n_x$.
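Steps 1) to 5) above, together with construct and evaluate from the encrypted circuit construction, carried through for a single host as an added example (not code from the patent or its inventors). It assumes a constructed 2-bit circuit in which O's output is the new agent state min(x, y) and H's output z says whether y <= x, SHA-256 as the gate-encryption function, and a toy hashed-ElGamal stand-in for T's public-key scheme over the prime 2^255 - 19, which is not a vetted chosen-ciphertext-secure scheme; all function names are illustrative.

```python
import hashlib, secrets

KLEN = 16                       # wire-key length in bytes
P, G = 2**255 - 19, 2           # toy group for T's key pair (assumption)
N_X, N_Y = 2, 2                 # bits of O's state x and H's input y, MSB first
AND, OR, XOR = (0, 0, 0, 1), (0, 1, 1, 1), (0, 1, 1, 0)       # truth tables, index 2*a+b
XNOR, ANDN, ORN = (1, 0, 0, 1), (0, 0, 1, 0), (1, 0, 1, 1)
# Circuit C (constructed for this example): wires 0,1 = x; 2,3 = y; gate k drives wire 4+k.
GATES = [(ANDN, 0, 2), (XNOR, 0, 2), (ORN, 1, 3), (AND, 5, 6), (OR, 4, 7),  # wire 8: y <= x
         (XOR, 0, 2), (AND, 8, 9), (XOR, 0, 10),                            # wire 11: state bit 1
         (XOR, 1, 3), (AND, 8, 12), (XOR, 1, 13)]                           # wire 14: state bit 0
OUTPUTS = [11, 14, 8]           # O's output min(x, y) (n_x bits), then z = [y <= x]

def prf(*parts):
    """SHA-256 over length-prefixed parts; stands in for the pseudo-random function."""
    h = hashlib.sha256()
    for p in parts:
        h.update(len(p).to_bytes(2, "big") + p)
    return h.digest()

def xor(a, b):
    return bytes(i ^ j for i, j in zip(a, b))

def construct():
    """Return (encrypted circuit, key pair per wire); rows carry KLEN zero bytes of redundancy."""
    keys = [(secrets.token_bytes(KLEN), secrets.token_bytes(KLEN))
            for _ in range(N_X + N_Y + len(GATES))]
    tables = []
    for g, (tt, a, b) in enumerate(GATES):
        out = keys[N_X + N_Y + g]
        rows = [xor(prf(keys[a][i], keys[b][j], bytes([g])), out[tt[2 * i + j]] + bytes(KLEN))
                for i in (0, 1) for j in (0, 1)]
        secrets.SystemRandom().shuffle(rows)      # hide which row belongs to which input bits
        tables.append(rows)
    return tables, keys

def evaluate(tables, in_keys):
    """Walk the circuit with one key per input wire; return one key per output wire."""
    w = list(in_keys)
    for g, (_, a, b) in enumerate(GATES):
        pad = prf(w[a], w[b], bytes([g]))
        hits = [pt[:KLEN] for pt in (xor(pad, r) for r in tables[g]) if pt[KLEN:] == bytes(KLEN)]
        if len(hits) != 1:
            raise ValueError("gate %d did not decrypt" % g)
        w.append(hits[0])
    return [w[o] for o in OUTPUTS]

def keygen_T():
    sk = secrets.randbelow(P - 2) + 1
    return sk, pow(G, sk, P)

def enc_T(pk, msg):
    """Toy hashed ElGamal with an integrity tag; NOT a vetted CCA-secure scheme."""
    r = secrets.randbelow(P - 2) + 1
    seed = pow(pk, r, P).to_bytes(32, "big")
    body = xor(hashlib.shake_256(seed).digest(len(msg)), msg)
    return pow(G, r, P), body, prf(seed, body)

def dec_T(sk, ct):
    c1, body, tag = ct
    seed = pow(c1, sk, P).to_bytes(32, "big")
    if not secrets.compare_digest(prf(seed, body), tag):
        raise ValueError("ciphertext rejected")
    return xor(hashlib.shake_256(seed).digest(len(body)), body)

def originator(pk_T, ident, x_bits):
    """Step 1: build the message for H; the output key pairs for O's result never leave O."""
    tables, keys = construct()
    L_sel = [keys[i][b] for i, b in enumerate(x_bits)]
    K_bar = [tuple(enc_T(pk_T, ident + bytes([i]) + keys[N_X + i][b]) for b in (0, 1))
             for i in range(N_Y)]
    U = [keys[o] for o in OUTPUTS]
    return (ident, tables, L_sel, K_bar, U[N_X:]), U[:N_X]

def service_T(sk_T, ident, cts):
    """Step 3: decrypt, but only if every plaintext is bound to this id and position."""
    keys = []
    for i, ct in enumerate(cts):
        pt = dec_T(sk_T, ct)
        if pt[:-KLEN - 1] != ident or pt[-KLEN - 1] != i:
            raise ValueError("identifier or index mismatch")
        keys.append(pt[-KLEN:])
    return keys

def host(msg, y_bits, ask_T):
    """Steps 2 and 4: pick encrypted keys for y, have T decrypt them, evaluate, read z."""
    ident, tables, L_sel, K_bar, U_z = msg
    K_sel = ask_T(ident, [K_bar[i][b] for i, b in enumerate(y_bits)])
    U_out = evaluate(tables, L_sel + K_sel)
    z = [pair.index(u) for pair, u in zip(U_z, U_out[N_X:])]
    return z, U_out[:N_X]

def run(x_bits, y_bits, ident=b"O|min-price|0001"):
    """One full exchange; returns (result learned by O, z learned by H)."""
    sk_T, pk_T = keygen_T()
    msg, U_x = originator(pk_T, ident, x_bits)
    z, U_ret = host(msg, y_bits, lambda i, c: service_T(sk_T, i, c))
    return [pair.index(u) for pair, u in zip(U_x, U_ret)], z   # step 5
```

H only ever holds one key per wire and the pairs for its own output bit, so it can decode z but not the keys it forwards to O; T sees wire keys but never the circuit.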

For increased security, the computation entity T should use a public-key cryptosystem that is secure against adaptive chosen-ciphertext attacks, which means non-malleable, as described by D. Dolev, C. Dwork, and M. Naor in "Non-malleable cryptography", SIAM Journal on Computing 30 (2000), no. 2, 391-437. The code originator O and the first entity H should also commit to their inputs. In a practical system, all of these can be realized in the so-called "random oracle model" as described, for example, by M. Bellare and P. Rogaway in "Random oracles are practical: A paradigm for designing efficient protocols", Proc. 1st ACM Conference on Computer and Communications Security, 1993, using a secure hash function.
In this case, the public-key encryption scheme and the pseudo-random functions for circuit encryption can be implemented with discrete logarithms based on the hardness of the Diffie-Hellman problem, as described by M. Naor and O. Reingold in "Number-theoretic constructions of efficient pseudo-random functions", Proc. 38th IEEE Symposium on Foundations of Computer Science (FOCS), 1997.
In the following, an extension of the above-described method is disclosed in order to achieve a general mobile computing scheme with multiple entities $H_1, \ldots, H_l$, as indicated in Fig. 1.
The generalization is the natural one in which each entity executes steps 2) to 4) of the basic scheme above and sends the agent to the next entity afterwards.
Thereby, the code originator O prepares one encrypted circuit $\mathcal{C}^{(j)}$ for each entity $H_1, \ldots, H_l$ and incorporates the encrypted state $x_{j-1}$ from $\mathcal{C}^{(j-1)}$ into $\mathcal{C}^{(j)}$ for $j > 1$. This is achieved by using the output keys $U'^{(j-1)}_1, \ldots, U'^{(j-1)}_{n_x}$ from $\mathcal{C}^{(j-1)}$ for decrypting a hidden representation of the inputs to $\mathcal{C}^{(j)}$.
In a symmetric cryptosystem with encryption and decryption operations under key k denoted by $E_k(\cdot)$ and $D_k(\cdot)$, respectively, the cryptosystem includes sufficient redundancy such that given a potential key U and a ciphertext c one can determine with high probability whether c results from an encryption under U. The modifications to the scheme are as follows.
1a) The code originator O obtains $\mathcal{C}^{(j)}, \mathcal{L}^{(j)}, \bar{\mathcal{K}}^{(j)}, \mathcal{U}_x^{(j)}$ and $\mathcal{U}_z^{(j)}$ for $j = 1, \ldots, l$ in the same way as for $\mathcal{C}$ above. However, the code originator O selects the values $L'_i = L^{(1)}_{i,x_i}$ only for $\mathcal{C}^{(1)}$. The identifier in the jth stage is set to $\mathit{id} \,\|\, j$. The code originator O also prepares two encryptions $E_{U^{(j-1)}_{i,0}}(L^{(j)}_{i,0})$ and $E_{U^{(j-1)}_{i,1}}(L^{(j)}_{i,1})$ for each $j > 1$ and $i = 1, \ldots, n_x$, and randomly permutes them before assigning them to $V^{(j)}_{i,0}$ and $V^{(j)}_{i,1}$; call the list of such pairs $\mathcal{V}^{(j)}$.
Then, the code originator O sends $\mathit{id}, L'_1, \ldots, L'_{n_x}, \mathcal{C}^{(1)}, \bar{\mathcal{K}}^{(1)}, \mathcal{U}_z^{(1)}$ and $\mathcal{C}^{(j)}, \bar{\mathcal{K}}^{(j)}, \mathcal{U}_z^{(j)}, \mathcal{V}^{(j)}$ for $j = 2, \ldots, l$ to the first entity $H_1$ within a single message.
2a) For $j > 1$, when $H_j$ runs step 2 of the basic scheme, it receives $\mathcal{V}^{(j)}$ and $U'^{(j-1)}_1, \ldots, U'^{(j-1)}_{n_x}$ from $H_{j-1}$, which has before evaluated $\mathcal{C}^{(j-1)}$.
Each entity interprets each $U'^{(j-1)}_i$ as a symmetric key to E, determines which one of the ciphertexts $V^{(j)}_{i,0}$ and $V^{(j)}_{i,1}$ it decrypts, and then decrypts the one that matches. This yields $L'^{(j)}_i$, an oblivious representation of the ith bit in the current state $x_j$ of the agent. Those keys are then used to evaluate $\mathcal{C}^{(j)}$.
3a) When $H_j$ has obtained its output from evaluating $\mathcal{C}^{(j)}$, it forwards all data that it has received from $H_{j-1}$, together with $U'^{(j)}_1, \ldots, U'^{(j)}_{n_x}$, to $H_{j+1}$. At the end of the circle, $H_l$ returns $U'^{(l)}_1, \ldots, U'^{(l)}_{n_x}$ to the code originator O.
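The key hand-over between two stages in steps 1a) and 2a) is sketched below as an added example that is not code from the patent: the originator links the output keys of stage j-1 to the input keys of stage j, and the next host uses the redundancy in the symmetric cipher to find and open the one ciphertext of each pair that matches the key it was given. The cipher (a SHAKE-256 keystream with an appended zero block as redundancy), the key length and all function names are assumptions; the keys are constructed random values.

```python
import hashlib
import secrets

KEYLEN = 16   # length of the circuit keys U and L (assumed)
PAD = 16      # zero bytes of redundancy appended before encryption (assumed)

def _stream(key, nonce, n):
    return hashlib.shake_256(key + nonce).digest(n)

def E(key, msg):
    """Encrypt msg || 0^PAD under key; the zero block is the redundancy."""
    nonce = secrets.token_bytes(16)
    plain = msg + bytes(PAD)
    return nonce + bytes(a ^ b for a, b in zip(plain, _stream(key, nonce, len(plain))))

def D(key, ct):
    """Return the plaintext if ct was produced under key, otherwise None."""
    nonce, body = ct[:16], ct[16:]
    plain = bytes(a ^ b for a, b in zip(body, _stream(key, nonce, len(body))))
    return plain[:-PAD] if plain[-PAD:] == bytes(PAD) else None

def key_pairs(n):
    """n pairs (k_0, k_1) of random keys, one pair per state bit."""
    return [(secrets.token_bytes(KEYLEN), secrets.token_bytes(KEYLEN)) for _ in range(n)]

def originator_link(U_prev, L_next):
    """Step 1a: V_i holds E_{U_i0}(L_i0) and E_{U_i1}(L_i1) in random order."""
    V = []
    for (u0, u1), (l0, l1) in zip(U_prev, L_next):
        pair = [E(u0, l0), E(u1, l1)]
        if secrets.randbits(1):
            pair.reverse()
        V.append(tuple(pair))
    return V

def host_unlock(U_out, V):
    """Step 2a: each received output key opens exactly one ciphertext of its pair."""
    L_in = []
    for u, pair in zip(U_out, V):
        opened = [p for p in (D(u, c) for c in pair) if p is not None]
        if len(opened) != 1:
            raise ValueError("expected exactly one matching ciphertext")
        L_in.append(opened[0])
    return L_in

def demo(state_bits):
    """Run one hand-over and report whether H_j ends up with L_{i, x_i} for every bit."""
    U_prev, L_next = key_pairs(len(state_bits)), key_pairs(len(state_bits))
    V = originator_link(U_prev, L_next)
    U_out = [U_prev[i][b] for i, b in enumerate(state_bits)]  # what H_{j-1} forwards
    return host_unlock(U_out, V) == [L_next[i][b] for i, b in enumerate(state_bits)]

if __name__ == "__main__":
    print(demo([1, 0, 1, 1]))
```

The host learns one input key per state bit and, because the pair is shuffled, not which bit value that key stands for.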
The computation entity T generates the code

In a variation where the roles of O and T are switched, the computation entity T generates the encrypted circuit. Because it is trusted to follow the protocol, one does not have to add a costly zero-knowledge proof for correctness of the whole circuit. Therefore, the operations of the other entities and the corresponding proofs ensuring robustness become much simpler. The computation entity T has to know g and h for constructing the circuit, but it may obtain a description of C from O in a first protocol message.
A three-party oblivious transfer protocol is used, as introduced by M. Naor, B. Pinkas, and R. Sumner in "Privacy preserving auctions and mechanism design", Proc. 1st ACM Conference on Electronic Commerce, 1999, in which the role of the chooser is separated among the chooser and a third party, called the receiver. Compared to the standard notion of oblivious transfer, the receiver gets the output message specified by the chooser, who itself learns nothing. This so-called "proxy" oblivious transfer can be realized using three message flows: from chooser to receiver and from receiver to sender and back.
The protocol also uses a one-round implementation of standard oblivious transfer between two parties, which can be realized using the method of C. Cachin, J. Camenisch, J. Kilian, and J. Müller, published in their article "One-round secure computation and secure autonomous mobile agents", at Proc. 27th International Colloquium on Automata, Languages and Programming (ICALP) (U. Montanari, J. P. Rolim, and E. Welzl, eds.), Lecture Notes in Computer Science, vol. 1853, Springer, July 2000, pp. 512-523.
As in the basic scheme, the component of an encrypted circuit construction is applied. The protocol is described for the basic case of mobile code with a single entity H. Suppose O employs a public-key encryption scheme with encryption and decryption operations denoted by $E_O(\cdot)$ and $D_O(\cdot)$, respectively. O starts the computation as the chooser in $n_x$ parallel three-party oblivious transfers, one for each bit of x. It sends these hidden choices to H, who acts as the receiver in the three-party oblivious transfers, together with C and $E_O(\cdot)$. H forwards the appropriate data to T, who acts as the sender; it will send the key pairs $\mathcal{L}$ in the three-party oblivious transfer. Furthermore, H also prepares its input to $n_y$ parallel one-round oblivious transfers (playing the role of the chooser), one for each bit of y. It sends these to T, together with the descriptions of C and $E_O(\cdot)$; T will send the key pairs $\mathcal{K}$ in the one-round oblivious transfers.
T invokes construct(C) to obtain $\mathcal{C}$ and the key pairs $\mathcal{L}$, $\mathcal{K}$, and $\mathcal{U}$. It replies to H with $E_O(\mathcal{U}_x)$, $\mathcal{C}$, $\mathcal{U}_z$ and the final flows in all oblivious transfer protocols.
From this, H can determine the keys $L'_1, \ldots, L'_{n_x}$ representing x and the keys $K'_1, \ldots, K'_{n_y}$ representing y. It runs evaluate($\mathcal{C}, L'_1, \ldots, L'_{n_x}, K'_1, \ldots, K'_{n_y}$) to obtain $U'_1, \ldots, U'_{n_x+n_z}$ as above.
Then it determines its output z from $U'_{n_x+1}, \ldots, U'_{n_x+n_z}$ and from $\mathcal{U}_z$, and it forwards $U'_1, \ldots, U'_{n_x}$ together with $E_O(\mathcal{U}_x)$ to O. This enables O to obtain its output $\xi$.

The following shows an extension of the protocol from a single host or first entity $H_1$ to l hosts $H_1, \ldots, H_l$. The protocol starts as before for the first host. However, the steps for $H_2, \ldots, H_l$ are slightly different: three-party oblivious transfer and encryption under $E_O$ are not used.
Instead, T encrypts the keys $\mathcal{L}^{(j)}$ in the input of $\mathcal{C}^{(j)}$ and representing the state $x_{j-1}$ of the agent under the output keys in $\mathcal{U}^{(j-1)}$ from $\mathcal{C}^{(j-1)}$ as before ($\mathcal{V}^{(j)}$). The keys $\mathcal{U}^{(j-1)}$ can be stored by T between step j - 1 and step j or they can be sent along with the protocol flow and are transmitted to T via $H_{j-1}$ and $H_j$, whereby they are encrypted by $E_T(\cdot)$. In addition, the last host obtains $\mathcal{U}_x$ encrypted with $E_O(\cdot)$ from T and forwards this to O as above.
The communication pattern is the same as in the basic scheme: there is one message from O to $H_1$, one from each $H_{j-1}$ to $H_j$ and one from $H_l$ to O, plus one communication flow between each host and the computation entity T. Robustness can be added by using non-malleable public-key encryption schemes and non-interactive zero-knowledge proofs.
However, the result will be much more practical because zero-knowledge proofs are not needed for the potentially large encrypted circuit. Moreover, the encrypted circuit construction can be implemented by a block cipher instead of public-key operations.
Any disclosed embodiment may be combined with one or several of the other embodiments shown and/or described. This is also possible for one or more features of the embodiments.
The present invention can be realized in hardware, software, or a combination of hardware and software. Any kind of computer system - or other apparatus adapted for carrying out the method described herein - is suited. A typical combination of hardware and software could be a general purpose computer system with a computer program that, when being loaded and executed, controls the computer system such that it carries out the methods described herein.
The present invention can also be embedded in a computer program product, which comprises all the features enabling the implementation of the methods described herein, and which -when loaded in a computer system - is able to carry out these methods.
Computer program means or computer program in the present context mean any expression, in any language, code or notation, of a set of instructions intended to cause a system having an information processing capability to perform a particular function either directly or after either or both of the following:
a) conversion to another language, code or notation;
b) reproduction in a different material form.

Claims (18)

1. A method of processing an originator request (m) of an originator (O) by one or more entities (H), utilising a computation entity (T), with the originator (O), each said entity (H) and the computation entity (T) being on a network and the method comprising:

a) the originator (O)
• by executing a construct method of an encrypted circuit construction generating an encrypted circuit value (C), a set of first-input keys (L), a set of second-input keys (K), a first set of output keys (U x) and a second set of output keys (U z),
• selecting from the set of first-input keys (L) a subset of first-input keys (L i) corresponding to an originator-input (id),
• deriving from the set of second-input keys (K) a set of encrypted second-input-keys (K) by applying an encryption operation (E T) with a public key of the computation entity (T),
• forming said originator request (m) comprising the encrypted circuit value (C), the subset of first-input keys (L'i), the set of encrypted second-input-keys (K), and the second set of output keys (U z),
• and sending said originator request (m) to each said entity (H);

b) each said entity (H) upon receiving said originator request (m) selecting from said set of encrypted second-input-keys (K) a subset of encrypted second-input keys (K) corresponding to an entity input (y) to thereby form a respective first-modified request (FMR) comprising at least said subset of encrypted second-input keys (K);

c) each said entity (H) sending said first-modified request (FMR) to the computation entity (T);

d) said computation entity (T) deriving from the first-modified request (FMR) by a decryption operation as a computation-entity result (CER) a decrypted subset of second-input keys (K) and sending said subset of second-input keys (K) to the respective entity (H);

e) each said entity (H) having received said subset of second-input keys (K), applying an evaluate method of the encrypted circuit construction using the encrypted circuit value (C), the subset of first-input keys (L'i), said subset of second-input keys (K), and the second set of output keys (U'z), resulting in a first set of computation-output keys (U'x) and a second set of computation-output keys (U'z) thereby obtaining as an entity result (FER) an entity output (z) corresponding to the first set of computation output keys (U'z) and the second set of output keys (U z) and sending the first set of computation-output keys to the originator (O);

f) said originator (O) having received the first set of computation-output keys (U'x) obtaining as an originator result (CR) an originator output (ξ) corresponding to the second set of computation-output keys (U'x) and the first set of output keys (U x).
2. The method according to claim 1, wherein there are a plurality of said entities (H) and said originator (O) sends said originator request (m) directly to each said entity (H) and receives said entity result (FER) directly therefrom.
3. The method according to claim 1 wherein there is a plurality of said entities (H) and said originator (O) sends said originator request (m) to a first of said entities (H) and thereafter the originator request (m) passes successively to each of the other said entities (H) together with the entity results (FER) thereof and the cumulative entity results (FER) pass from the last sequential one of said entities (H) to said originator (O).
4. The method according to any of the preceding claims 1, 2 or 3, wherein the originator request (m) comprises one or more information of: an offer, an originator information, a purchase information.
5. The method according to any of the preceding claims 1, 2 or 3, wherein each entity (H) is selected to comprise a web server offering a service and/or originator information concerning acceptance of the originator request (m).
6. The method according to any of the preceding claims 1, 2 or 3, wherein the originator result (CR) comprises entity information concerning acceptance of the originator request (m).
7. The method according to any of the preceding claims 1, 2 or 3, wherein the originator request (m) comprises one or more information of: an offer, an originator information, a purchase information and each entity (H) is selected to comprise a web server offering a service and/or originator information concerning acceptance of the originator request (m).
8. The method according to any of the preceding claims 1, 2 or 3, wherein each entity (H) is selected to comprise a web server offering a service and/or originator information concerning acceptance of the originator request (m) and the originator result (CR) comprises entity information concerning acceptance of the originator request (m).
9. The method according to any of the preceding claims 1, 2 or 3, wherein the originator request (m) comprises one or more information of: an offer, an originator information, a purchase information and the originator result (CR) comprises entity information concerning acceptance of the originator request (m).
10. The method according to any of the preceding claims 1, 2 or 3, wherein the originator request (m) comprises one or more information of: an offer, an originator information, a purchase information, each entity (H) is selected to comprise a web server offering a service and/or originator information concerning acceptance of the originator request (m) and the originator result (CR) comprises entity information concerning acceptance of the originator request (m).
11. A computer program product stored on a computer usable medium, comprising computer readable program means for causing a computer to perform a method according to any one of the preceding claims 1, 2 or 3.
12. A computer program product stored on a computer usable medium, comprising computer readable program means for causing a computer to perform a method according to any one of the preceding claims 1, 2 or 3, wherein the originator request (m) comprises one or more information of: an offer, an originator information, a purchase information.
13. A computer program product stored on a computer usable medium, comprising computer readable program means for causing a computer to perform a method according to any one of the preceding claims 1, 2 or 3, wherein each entity (H) is selected to comprise a web server offering a service and/or originator information concerning acceptance of the originator request (m).
14. A computer program product stored on a computer usable medium, comprising computer readable program means for causing a computer to perform a method according to any one of the preceding claims 1, 2 or 3, wherein the originator request (m) comprises one or more information of: an offer, an originator information, a purchase information and each entity (H) is selected to comprise a web server offering a service and/or originator information concerning acceptance of the originator request (m).
15. A computer program product stored on a computer usable medium, comprising computer readable program means for causing a computer to perform a method according to any one of the preceding claims 1, 2 or 3, wherein the originator result (CR) comprises entity information concerning acceptance of the originator request (m).
16. A computer program product stored on a computer usable medium, comprising computer readable program means for causing a computer to perform a method according to any one of the preceding claims 1, 2 or 3, wherein each entity (H) is selected to comprise a web server offering a service and/or originator information concerning acceptance of the originator request (m) and the originator result (CR) comprises entity information concerning acceptance of the originator request (m).
17. A computer program product stored on a computer usable medium, comprising computer readable program means for causing a computer to perform a method according to any one of the preceding claims 1, 2 or 3, wherein the originator request (m) comprises one or more information of: an offer, an originator information, a purchase information and the originator result (CR) comprises entity information concerning acceptance of the originator request (m).
18. A computer program product stored on a computer usable medium, comprising computer readable program means for causing a computer to perform a method according to any one of the preceding claims 1, 2 or 3, wherein the originator request (m) comprises one or more information of: an offer, an originator information, a purchase information, each entity (H) is selected to comprise a web server offering a service and/or originator information concerning acceptance of the originator request (m) and the originator result (CR) comprises entity information concerning acceptance of the originator request (m).
CA002426794A 2000-11-06 2001-10-24 Method and system for processing a request of a customer Expired - Lifetime CA2426794C (en)

Applications Claiming Priority (3)

Application Number Priority Date Filing Date Title
EP00124061.3 2000-11-06
EP00124061 2000-11-06
PCT/IB2001/001988 WO2002037242A2 (en) 2000-11-06 2001-10-24 Method and system for processing a request of a customer

Publications (2)

Publication Number Publication Date
CA2426794A1 CA2426794A1 (en) 2002-05-10
CA2426794C CA2426794C (en) 2009-10-06

Family

ID=8170289

Family Applications (1)

Application Number Title Priority Date Filing Date
CA002426794A Expired - Lifetime CA2426794C (en) 2000-11-06 2001-10-24 Method and system for processing a request of a customer

Country Status (8)

Country Link
EP (1) EP1368721A2 (en)
JP (1) JP4336105B2 (en)
KR (1) KR100582393B1 (en)
CN (1) CN1478222A (en)
AU (1) AU2002210814A1 (en)
CA (1) CA2426794C (en)
IL (1) IL155394A0 (en)
WO (1) WO2002037242A2 (en)

Families Citing this family (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US8838950B2 (en) 2003-06-23 2014-09-16 International Business Machines Corporation Security architecture for system on chip
CN1305261C (en) * 2005-02-04 2007-03-14 南京邮电学院 A mobile proxy safeguarding method similar to biological self-protection
DE102007001519B4 (en) * 2007-01-10 2015-08-20 Fraunhofer-Gesellschaft zur Förderung der angewandten Forschung e.V. Concept for allocating data rates to information signal providers in a network

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US6026374A (en) * 1996-05-30 2000-02-15 International Business Machines Corporation System and method for generating trusted descriptions of information products

Also Published As

Publication number Publication date
JP2004513542A (en) 2004-04-30
CA2426794A1 (en) 2002-05-10
JP4336105B2 (en) 2009-09-30
AU2002210814A1 (en) 2002-05-15
CN1478222A (en) 2004-02-25
WO2002037242A3 (en) 2003-10-16
KR20030072348A (en) 2003-09-13
EP1368721A2 (en) 2003-12-10
IL155394A0 (en) 2003-11-23
KR100582393B1 (en) 2006-05-22
WO2002037242A2 (en) 2002-05-10


Legal Events

Date Code Title Description
EEER Examination request
MKEX Expiry

Effective date: 20211025
