Abstract: Systems and methods for cache optimization are disclosed. A request for a user interface is received from a first user device. The request includes a user key. An interface key corresponding to an interface template of the requested user interface is generated from the user key. The interface template of the requested user interface is loaded. The interface template includes one or more edge side include (ESI) identifiers in the interface template. An element key corresponding to a first ESI element associated with a first of the one or more ESI identifiers is generated from the user key. The first ESI element is loaded and positioned at a location within the interface template identified by the first of the one or more ESI identifiers. A complete user interface is provided to the first user device. The complete user interface includes the interface template having the first ESI element positioned therein.

Abstract: Systems and methods of matching identifiers between multiple datasets are described herein. A system can transmit a first identifier vector to a third party server. The first identifier vector can include a first identifier, first parameters, and second parameters. The system can receive, from the third party server, the first identifier vector encrypted based on a third-party encryption. The system can receive, from the third party server, a second identifier vector encrypted based on the third-party encryption associated with the third party server. The second identifier vector can include a second identifier, third parameters, and fourth parameters. The system can determine a correlation count between the first identifier vector and the second identifier vector. The system can determine that the first identifier corresponds to the second identifier based on the correlation count. The system can generate one identifier key for both the first identifier and the second identifier.

Abstract: A system and a method of connecting devices via a Wireless-Fidelity (Wi-Fi) network are provided. The method of communication-connecting an external device to an Access Point (AP) via a Wi-Fi network is performed by a device and includes operations of receiving device information of the external device from the external device that operates in an AP mode, accessing the external device that operates in the AP mode, by using the device information, and providing connection information relating to the AP to the external device, and wherein, when the connection information is provided to the external device, the external device terminates operating in the AP mode, and the external device then accesses the AP based on the connection information.

Abstract: A non-transitory computer readable storage medium has instructions executed by a processor to define a parent application executing on a secure runtime hardware resource. A state snapshot of the secure runtime hardware resource is maintained. A fork request for a child application to be derived from the parent application is received. An updated state snapshot of the state snapshot is formed. The child application is instantiated. Encrypted state is transferred from the parent application to the child application. The encrypted state is used to derive an encryption key shared by the parent application and the child application. The encrypted state in the child application is decrypted using the encryption key to spawn an independent child application operative as an additional secure runtime instance. The parent application on the secure runtime hardware resource and the child application operative as the additional secure runtime instance are executed independently.

Abstract: Techniques are provided for identifying and encrypting fields of an application object at an application layer in a multi-tenant cloud architecture, using an object metadata structure of the application object. Accordingly, transparent, per-tenant encryption capabilities are provided, while enabling transfer of encrypted object data between the application layer and a storage layer.

Abstract: Embodiments provide a method for facilitating sharing of digital documents between a sharing party and a relying party. The method includes receiving, by a processing system, an access request for accessing at least one attribute of a digital document. The access request is initiated at a relying party interface in a document sharing application. The method further includes sending, by the processing system, the access request to a sharing party interface in the document sharing application for approval of providing access to the at least one attribute of the digital document by the sharing party to the relying party. The method further includes, upon receiving the approval from the sharing party interface, generating a machine-readable encrypted code for the at least one attribute of the digital document. The method further includes sending the machine-readable encrypted code to the relying party interface.

Abstract: Described is a system for maintaining dual-party authentication requirements for data retention compliance in systems with remote access components. When administering a data retention policy, an operating system component may require a dual-party authentication mechanism to prevent data deletion, while a different authentication mechanism may control access to the remote access controller. Access to the remote access controller by a single privileged user, however, may enable overriding or compromising the retention lock compliance implemented by the operating system. Accordingly, the system may tie the dual-party authentication requirement to the remote access controller authentication mechanism.

Abstract: The invention relates to systems and methods for distributing market data. In one implementation, the system may generate a new encryption key at each market data update, and use that key to encrypt each market participant's data in that update before it is sent. Among other factors, characteristics of modern computer networks may cause participants to be sent (and to receive) their encrypted data in that update at different times. After the participants have all been sent their data in that update the system may then simultaneously transmit to those participants the key that will enable them to decipher their data. In an implementation, the key may be transmitted via a multicast transport protocol which can be used to ensure all recipients receive it at the same time. In this manner the invention may ensure that although participants receive their data in a given update at different times, they are unable to decipher that data until substantially the same time.

Abstract: In some aspects, an apparatus for encoding data for delivery to or for decoding data retrieved from a storage medium comprises a memory device and at least one hardware processor. The memory device is configured to store at least one parameter associated with at least one cryptographic protocol, the at least one parameter comprising one or more of a first cryptographic scheme, a first cryptographic key operation, a first cryptographic key length, and first cipher directives. The hardware processor is configured to generate a first frame comprising a first field for one parameter selected from the first cryptographic scheme, the first cryptographic key operation, the first cryptographic key length, and the first cipher directives and excluding fields for non-selected parameters, wherein the first frame is associated with the data delivered to or retrieved from the storage medium.

Abstract: Technologies for accelerated QUIC packet processing include a computing device having a network controller. The computing device programs the network controller with an encryption key associated with a QUIC protocol connection. The computing device may pass a QUIC packet to the network controller, which encrypts a payload of the QUIC packet using the encryption key. The network controller may segment the QUIC packet into multiple segmented QUIC packets before encryption. The network controller transmits encrypted QUIC packets to a remote host. The network controller may receive encrypted QUIC packets from a remote host. The network controller decrypts the encrypted payload of received QUIC packets and may evaluate an assignment function with an entropy source in the received QUIC packets and forward the received QUIC packets to a receive queue based on the assignment function. Each receive queue may be associated with a processor core. Other embodiments are described and claimed.

Abstract: Methods, systems, and devices for data processing are described. Some database systems may support differential privacy for encrypted data. For example, a database may store user data as ciphertext. A system may receive a statistical query for the user data and may identify a relevant differential privacy mechanism. The system may transform the query to operate on encrypted data while including a noisification function based on the mechanism. The system may execute the transformed query at the database, involving adding noise to the query result according to the noisification function without decrypting the data. For example, the system may leverage homomorphic encryption techniques to inject the noise while the data remains encrypted. The database may return the noisified, encrypted query results, which the system may decrypt for statistical analysis. By applying differential privacy on the encrypted data, the system may avoid exposing any private user information throughout the process.

Abstract: A method including obtaining a data query request sent by a client terminal; obtaining first query request data based on the data query request; duplicating the first query request data to obtain second query request data; embedding identifier information of the client terminal as watermark information into the second query request data to obtain watermarked query request data; and feeding the watermarked query request data back to the client terminal. The techniques of the present disclosure solve the problem of failure to track leakage during data breach.

Abstract: A network device may receive network traffic for an application. The network device may determine a first classification for the network traffic according to a first classification technique. The first classification may identify the network traffic as relating to a particular application or an unknown application. The network device may determine a second classification for the network traffic according to a second classification technique. The second classification may identify the network traffic as relating to an unknown application of a particular type and identity. The network device may process, based on whether the first classification identifies the network traffic as relating to the particular application or the unknown application, the network traffic according to a first security policy associated with the particular application or a second security policy associated with the unknown application of the particular type and identity.

Abstract: Systems, methods, and devices for executing a task on database data in response to a trigger event are disclosed. A method includes executing a transaction on a table comprising database data, wherein executing the transaction comprises generating a new table version. The method includes, in response to the transaction being fully executed, generating a change tracking entry comprising an indication of one or more modifications made to the table by the transaction and storing the change tracking entry in a change tracking stream. The method includes executing a task on the new table version in response to a trigger event.

Abstract: Providing smart contracts including secrets encrypted with oracle-provided encryption keys using thresholding cryptosystems is disclosed. In one example, a contract creator encrypts sensitive data necessary for executing a smart contract into ciphertext with multiple symmetric cryptographic keys using a threshold cryptosystem, such that a subset of at least size R of the symmetric cryptographic keys are required to decrypt the ciphertext. The symmetric cryptographic keys are encrypted into wrappers using a public cryptographic key of a contract executor. Envelopes are generated using public cryptographic keys of corresponding contract oracles, where the envelopes include the wrappers encrypted using the public cryptographic keys, and policies that specify condition(s) precedent and are authenticated using the public cryptographic keys. The smart contract, including the envelopes, the ciphertext, and R, is then deployed to the contract executor.

Abstract: A processing system includes a first processing circuit including a first PLC configured to receive a red signal, a plurality of first processors operated by the first PLC to process the red signal, and a first hypervisor configured to control operation of the first processors. The processing system includes a second processing circuit physically separated from the first processing circuit that includes a second PLC configured to receive a black signal, a plurality of second processors operated by the second PLC to process the black signal, and a second hypervisor configured to control operation of the second processors. The processing system includes a configuration controller configured to identify an operation to be performed by at least one of the first or second processing circuit and cause at least one of the corresponding first hypervisor or second hypervisor to allocate respective first processors or second processors to perform the operation.

Abstract: A method for hash chain migration includes detecting a version update of an object that includes a hash chain that stores fields of the object. Sub chains are identified from the hash chain. Migration sub chains are generated from the plurality of sub chains using a plurality of processes. Container blocks are generated from the plurality of migration sub chains. A migration chain is generated from the plurality of container blocks. The object is accessed using the migration chain.

Abstract: For communicating securely between electronic devices using symmetric key encryption, a first electronic device transfers to a second electronic device metadata with positional information which indicates the position of a first cryptographic key in a cryptographic key hierarchy. The second electronic device derives the first cryptographic key by way of a one-way function from a second cryptographic key stored in the second electronic device, using the positional information received from the first electronic device. Subsequently, the first electronic device and the second electronic device communicate data securely with symmetric key encryption using the first cryptographic key.

Abstract: An access management system (AMS) is disclosed that includes SSO capabilities for providing users secure access to protected resources within an enterprise using encryption keys generated by a client application. The AMS receives a request from a client application for a user to access a protected resource. In certain examples, the request comprises a client application identifier, a session identifier and a client public encryption key. The AMS determines if the session identifier points to a valid session and upon determining that the session identifier corresponds to a valid session, transmits information associated with the valid session to the client application. In certain examples, the information associated with the valid session is encrypted using the client public encryption key. Based on information associated with the valid session received from the client application, the AMS determines whether to grant or deny a user access to a protected resource within the enterprise.

Abstract: A network appliance can maintain an active set indicating active backends for a load balanced network service. To monitor the health of the backends, the network appliance can transmit a network packet to a backend that is one of the active backends in the active set and can receive a response packet responsive to the network packet. An invariant hash can be calculated from the response packet using fields that are the same when the response is a normal response (e.g. not an error response) from a healthy backend. If the packet indicates an error or is otherwise indicative of a problem, the network appliance can determine, using the invariant hash, that the response packet does not match an expected result associated with the backend. Based on the error, the number of network packets resulting in errors, etc., the backend can be removed from the active set.

Abstract: Described herein is a computer implemented method for configuring a receiving system to receive data from a sending system. The method comprises receiving an integration creation request from a client application. In response, a specific integration user account is created with credentials which provide access to the receiving system. The credentials are communicated to the client application. In addition, an integration record comprising details in respect of the integration is created, stored, and associated with the specific integration user account.

Abstract: Systems and methods for securing blockchain and other cryptographically signed ledgers are disclosed. Client devices with arrays of physical-unclonable-function devices are respond to challenges from a server. Characteristics of the arrays are stored by the server during a secure enrollment process. Subsequently, the server issues challenges to the clients and receives responses generated by the clients from characteristics of portions of the arrays specified by the challenges. The challenge responses are used to authenticate the clients and are also used as cryptographic private keys for signing transaction blocks. Public keys corresponding to the private keys are generated allowing signed transaction blocks to be validated as well as allowing clients originating the transactions to be authenticated by other clients. Ternary PUF characterization schemes are used to achieve acceptable authentication error rates.

Abstract: The present disclosure relates to a system for providing an anonymous and obfuscated communication over a virtual, modular and distributed satellite communication network.

Abstract: Methods, systems, and devices for wireless communications are described that improve privacy in wireless communications, such as communications by a user equipment (UE), which may in some cases be a vehicle UE. For example, various vehicle-to-everything (V2X) transmissions may be unencrypted, and a vehicle may be expected to periodically change one or more identifiers it uses for various communication services. Privacy may be enhanced, for example, via encryption key roll-over, as well as roll-over of one or more other identifiers associated with a UE that may potentially be used by an observer to track the UE. The UE may transmit a message that includes an updated lower layer identifier (e.g., a layer-2 (L2) identifier) to another UE in a V2X unicast communications link, which may trigger a change in identifiers of a set of identifiers and an updated security context. All or a portion of the message may be encrypted.

Abstract: A non-transitory computer readable storage medium has instructions executed by a processor to receive an original collection of symbols. A single use coding function is applied to the original collection of symbols to form a new collection of symbols. Encryption keys associated with a user are formed. The new collection of symbols is encrypted to form a recoded encrypted symbol file stored at a network accessible memory location. A distributed ledger entry with a data control signature is formed using the single use coding function encrypted with a private key. The distributed ledger entry is written to a distributed ledger. The distributed ledger entry is accessed. The recoded encrypted symbol file is read from the network accessible memory location. The data control signature and a symmetric key are used to convert the recoded encrypted symbol file to the original collection of symbols.

Abstract: A network device may decrypt a record received from a source device and associated with an encrypted session. The network device may process the decrypted record. The network device may encrypt the record to generate an encrypted payload. The network device may store an entry in a retransmission mapping that includes a decryption key used to decrypt the record and an encryption key used to encrypt the record. The network device may transmit the encrypted payload in a first TCP packet toward the destination device. The network device may receive retransmitted data and may determine, based on the record entry, that the retransmitted data is associated with the record. The network device may decrypt, using the decryption key, the retransmitted data and may re-encrypt, using the encryption key, the decrypted record. The network device may transmit, toward the destination device, the encrypted payload in a second TCP packet.

Abstract: A microcontroller comprising a first integrated circuit configured to receive power from a power supply comprising a second integrated circuit via at least one power input terminal and wherein at least one communication terminal provides for communication between the microcontroller and the power supply, wherein the microcontroller is configured to provide for encrypted communication between the power supply and the microcontroller based on a pre-shared encryption key, the encrypted communication configured to provide for authentication of the identity of the power supply and, if the power supply passes the authentication, the microcontroller is configured to operate in a normal mode and receive said power from the power supply, and if the power supply fails authentication, the microcontroller is configured to enter a tamper mode.

Abstract: Provided is a method for proving authenticity of a device with the aid of a proof of authorization of the device, wherein the proof of authorization is provided in a first step and the integrity of identity details of the proof of authorization can be checked on the basis of a digital signature of a proof of authorization issuer, and wherein the proof of authorization has an item of hardware authentication information, and affiliation of the proof of authorization to the device is proved in a second step by means of a hardware secret of the device associated with the hardware authentication information. Two-factor authentication is therefore enabled, which authentication ties authentication of the device, in particular, to the fact that a hardware-specific secret is used for the check.

Abstract: A system and method for extending data protection of data elements of a data packet beyond a TLS tunnel termination point by using encryption keys established when the TLS tunnel was established. The system and method include authenticating a client device to establish a shared secret. The system and method include receiving a data packet comprising a data element and an object identifier associated with the data element, the data element encrypted with a first content-specific key associated with the shared secret, the data packet encrypted with a session key. The system and method include decrypting the data packet using the session key to recover a decrypted data packet. The system and method include determining an existence of an object identifier in the decrypted data packet. The system and method include decrypting the data element of the decrypted data packet using a second content-specific key associated with the object identifier.

Abstract: System and methods of the disclosed subject matter provide segregating, at a memory storage coupled to a multitenant database system, first tenant data of a first tenant from at least second tenant data of a second tenant, based on a first tenant identifier. A first encryption key associated with the first tenant may be retrieved from a key cache memory based on the first tenant identifier, to encrypt one or more fragments of the first tenant data. The fragments of the first tenant data may be encrypted based on the retrieved encryption key. Non-encrypted header information may be generated for each of the encrypted fragments of the first tenant data, where the header information may have metadata including the first tenant identifier. The encrypted fragments of the first tenant data and the corresponding non-encrypted header information may be stored in the immutable storage.

Abstract: An example operation may include one or more of determining, by a supply-chain node, a plurality of assets of the supply-chain node, generating, by the supply-chain node, key-value pairs for each asset of the plurality of the assets, forming, by the supply-chain node, asset matching rules for matching the plurality of the assets of the supply chain node to assets from another supply-chain node, and creating a plurality of aliases for the plurality of assets of the supply-chain node based on the key-value pairs and the matching rules.

Abstract: Embodiments of the present disclosure provide a solution that guarantees authenticity and integrity on the signaling exchange between mobile roaming networks that trust each other. According to at least one example embodiment, a network element located on a sending mobile network may be configured to generate a signaling message that includes one or more protected data fields, calculate a hash value for each of the one or more protected data fields, combine each of the calculated hash values together using an exclusive OR (XOR) operation resulting in a combined hash value. The network element may be further configured to calculate an authentication code based on the combined hash value and a key, add an authentication field to the signaling message, the authentication field storing the authentication code, and send the signaling message to a transporting network.

Abstract: There is provided an encrypted message search technique making it difficult to, at the time of searching for a message in a state of being encrypted, guess content of the search and a result of the search.

Abstract: Some embodiments are directed to an electronic cryptographic device arranged to determine a cryptographic key. The cryptographic device can include a physically unclonable function (PUF) arranged to produce a first noisy bit string during the enrollment phase and a second noisy bit string during the reconstruction phase, and a statistical unit arranged to execute a statistical test for verifying correct functioning of the physical unclonable function. The statistical test computes a statistical parameter for the physical unclonable function using helper data. The statistical test determines correct functioning if the statistical parameter satisfies a criterion of the statistical test.

Abstract: Techniques are provided for deduplicating encrypted data. For example, a device has data to store in an encrypted state within a remote data store. A key is used to encrypt the data to create encrypted data. The data is hashed to create hashed data and the encrypted data is hashed to create hashed encrypted data. A probabilistic data structure of the data is generated. The key is encrypted based upon the data to create an encrypted key. The encrypted data is transmitted to the remote data store, along with metadata comprising the hashed data, the hashed encrypted data, the probabilistic data structure, and the encrypted key. The metadata may be used to implement deduplication for subsequent requests, to store data within the remote data store, with respect to the encrypted data.

Abstract: An image processing apparatus includes a setting unit and a communication control unit to execute HTTP communication to an external apparatus. The setting unit sets whether to use a proxy server. The communication control unit controls, in a case where Hypertext Transfer Protocol (HTTP) communication to the external apparatus on a personal area network is performed, executing the HTTP communication to the external apparatus by other than the proxy server, even if use of the proxy server is set.

Abstract: [Problem] To allow addition of new functions to an optical module at a low cost. [Solution] An optical transceiver 11a includes a CPU 21 configured to perform download control of a program for executing an additional function to be newly added to the optical transceiver 11a, a wireless transmitting and receiving device 22 configured to receive, in accordance with the download control, the program from a terminal device 13 that stores various programs, and a memory unit 23 configured to store the program that is received. The CPU 21 is configured to perform, by interrupting a monitoring and control signal from a transmission device 12, control to write data related to transmission and reception processing of a Tx 25a and a Rx 26a in accordance with execution of the programs stored in the memory unit 23 in a storage area at a specific address of an EEPROM 24.

Abstract: There is provided mechanisms for transmission of timestamp information. A method is performed by a transmitter device. The method comprises obtaining a first timestamp. The method comprises inserting a protected representation of the first timestamp in a payload field of a message. The message is a precision time protocol message. The method comprises timestamping the message by inserting a second timestamp in a timestamp field of the message. The method comprises transmitting the timestamped message to a receiver device. There is also provided mechanisms for reception of protected timestamp information. A method is performed by a receiving device.

Abstract: A machine learning method includes: obtaining first teacher data, which includes first encrypted words and corresponding search word information including one or more second encrypted words to be used for search, the first encrypted words being generated such that the first encrypted word includes a code sequence different from other encrypted words even though both of the first encrypted words and the other encrypted words have been generated from a same word; obtaining a group of words from among the first encrypted words by using a trapdoor scheme; generating second teacher data by using one encrypted word included in the obtained group to replace a rest of the obtained group of words; and performing, on the basis of the second teacher data, machine learning of a parameter to determine, in response to receiving of one or more encrypted words, one or more encrypted words to be used for search.

Abstract: Aspects of the present disclosure disclose provide systems and methods for updating, or patching, encrypted image files located at a remote location. More specifically, a content update package that includes encrypted information is received and decrypted. Based on the content update package, a first portion of data in an encrypted image file is located, where the first portion data is to be decrypted and updated based on data in the content update package. The updated data may then be encrypted, verified, and stored. When the updating, or patching, process is complete, the file version located at the remote location is the same as the latest file version. In addition, the updating, or patching, process may be split between multiple operating systems.

Abstract: Embodiments described herein are directed to implementing compliance settings by a computing device for bringing the computing device into compliance with a configuration scenario. For instance, a computing device may receive, from a server, configuration information describing compliance settings for implementing by the computing device to bring the computing device into compliance with a configuration scenario. Moreover, the computing device may identify a state machine indicated by the configuration information that describes a configuration process for implementing the compliance settings and execute the state machine to configure the computing device with the compliance settings.

Abstract: Exemplary embodiments relate to techniques for improving the speed and rendering quality of an image (e.g., a JPEG), particularly in an end-to-end encrypted environment. The image may be analyzed on the sending-client side and the image data may be broken into a thumbnail and a full-quality image, where the full-quality image data relies on the thumbnail data to render a high-quality image. The image is uploaded to a blob store, and a message is sent to the receiving client with image information. At the recipient side, the JPEG image data is retrieved from the blob store and the thumbnail is first rendered. Subsequently, as the remainder of the image data is received at the receiving client, the image is updated. Consequently, images are rendered faster, and the thumbnail can be automatically downloaded so that a user can determine if they wish to download the full image.

Abstract: A method includes: federating, by a computer device, a proxy hardware security module from a physical hardware security module; storing, by the computer device, the proxy hardware security module; receiving, by the computer device, a first one of a plurality of periodic identifying communications from the physical hardware security module; and erasing, by the computer device, the proxy hardware security module as a result of the computer device not receiving a second one of the plurality of periodic identifying communications.

Abstract: In one embodiment, an apparatus comprises a processor to read a data line from memory in response to a read request from a VM. The data line comprises encrypted memory data. The apparatus also comprises a memory encryption circuit in the processor. The memory encryption circuit is to use an address of the read request to select an entry from a P2K table; obtain a key identifier from the selected entry of the P2K table; use the key identifier to select a key for the read request; and use the selected key to decrypt the encrypted memory data into decrypted memory data. The processor is further to make the decrypted memory data available to the VM. The P2K table comprises multiple entries, each comprising (a) a key identifier for a page of memory and (b) an encrypted address for that page of memory. Other embodiments are described and claimed.

Abstract: Provided is a system and method for confidential string-matching and confidential deep-packet inspection. The method includes: receiving encrypted ciphertexts from a first computing device; windowing a text corpus and applying a hash; performing binning and splitting on the corpus set of hashes; performing batching on the binned and split corpus set of hashes; determining match ciphertexts by evaluating a homomorphic encryption circuit between the encrypted ciphertexts and the batched corpus set of hashes; and communicating the match ciphertexts to the first computing device, the confidential string matching determinable by the first computing device by: decrypting the match ciphertexts, determining from the decryption output, if the hash value for each pattern window matches the hash value for any corpus windows and if the matched windows are adjacent in the corpus.

Abstract: A method performed by an AP may comprise initializing a CCC and increasing the CCC upon a change of at least one of a plurality of parameters of the AP. The plurality of parameters may include at least a high throughput (HT) Operation element, one or more Enhanced Distributed Channel Access (EDCA) parameters, or one or more operational mode parameters. The method may further comprise transmitting a frame, to at least one STA, wherein the frame includes an indication of the CCC, and the frame indicates that the at least one STA return from a power saving mode.

Abstract: Method and apparatus for virtualized environment where virtual computing instances interface a service platform operated on a physical computing apparatus are disclosed. A new virtual computing instance interfacing the service platform can be created, the created new virtual computing instance belonging to a class of virtual computing instances. At least one security credential is obtained from a storage of security credentials associated with the class of the new virtual computing instance. Data communicated with at least one further computing instance is secured based on the obtained at least one security credential.

Abstract: Embodiments of the present invention disclose a security processing method and a related device. The method may include: receiving, by a base station, security-processed target data sent by user equipment UE; sending, by the base station, security request information of the UE to a core network device; and receiving, by the base station, security response information returned by the core network device, where the security response information includes security parameter information of the UE and/or security-deprocessed target data. According to the present invention, during data transmission between the UE and the base station, not only data security can be ensured, but also low power consumption can be ensured.

Abstract: Example end marker sending methods are described. In one example method, a user plane gateway (UP GW) determines when to send an end marker based on trigger information, so as to sort one or more downlink data packets received on a target user plane path based on the end marker. The UP GW receives trigger information and an identifier (ID) of a source user plane path of user equipment (UE) that are sent by a control plane (CP) node, where the UP GW is located on the source user plane path. The UP GW sends an end marker to an access network (AN) node on the source user plane path based on the trigger information and the ID of the source user plane path.

Abstract: A method for sharing read access to a document stored on memory hardware. The method includes receiving a shared read access command from a sharor sharing read access to a sharee for a document stored on memory hardware in communication with the data processing hardware, and receiving a shared read access request from the sharee. The shared read access command includes an encrypted value and a first cryptographic share value based on a write key, a read key, a document identifier, and a sharee identifier. The method also includes multiplying the first and second cryptographic share values to determine a cryptographic read access value. The cryptographic read access value authorizes read access to the sharee for the document. The method also includes storing a read access token for the sharee including the cryptographic read access value and the encrypted value in a user read set of the memory hardware.