Abstract: Some embodiments are directed to a public-key encryption device (20) and a private-key decryption device (10). The public-key encryption device is configured to compute a second public-key matrix (u), the second public-key matrix (u) having fewer matrix elements than the first public-key matrix (b) of the private-key decryption device. This reduces computation and bandwidth requirements at the side of the public-key encryption device.

Abstract: In one embodiment, an apparatus includes a network interface to receive a sequence of data packets from a remote device responsively to a data transfer request, the received sequence including received data blocks, and packet processing circuitry to read cryptographic parameters from a memory in which the parameters were registered by a processing unit, the cryptographic parameters including an initial cryptographic key and initial value, compute a first cryptographic key responsively to the initial cryptographic key and initial value, cryptographically process a first block responsively to the first cryptographic key, compute an updated value responsively to the initial value and a size of the first block, compute a second cryptographic key responsively to the initial cryptographic key and the updated value, cryptographically process a second block of the received data blocks responsively to the second cryptographic key, and write the cryptographically processed first and second block to the memory.

Abstract: A method of implementing a revocable threshold hierarchical identity-based signature scheme may include receiving an identifier associated with a user. A first secret key based on the identifier may be generated. A string and the identifier may be directed to be posted on a block of a blockchain. A second secret key may be generated using the string, the first secret key, and the identifier. The block that includes the string and the identifier may be signed using the second secret key. A message may be signed using the second secret key to generate a signature. The signature may be provided to a device. The signature may be verifiable by the device using the string and the identifier obtained from the block by the device.

Abstract: A first intermediate key management system (KMS) server of a distributed KMS receives a key lookup service (KLS) query from a KMS client for determining an identity of KMS server(s) that are capable of performing a first operation with a first managed key. The first intermediate KMS server is one of the intermediate KMS servers of the distributed KMS. The first KMS server determines the identity of one or more of the KMS servers that are capable of performing the first operation with the first managed key. The first KMS server transmits a KLS response to the KMS client that includes the identity of the KMS server(s) that are capable of performing the first operation with the first managed key.

Abstract: Systems and methods described herein relate to techniques that allow for multiple parties to jointly generate or jointly agree upon the parameters for generation of a smart contract, such as a verification key. Execution of the smart contract may be performed by a third party, for example, a worker node on a blockchain network. Techniques described herein may be utilised as part of a protocol in which parties of a smart contract share powers of a secret in a manner that allows each party to determine an identical common reference string, agree on parameters for a smart contract, agree and/or make proportionate contributions the smart contract, and combinations thereof. The smart contract may be published to a blockchain network (e.g., Bitcoin Cash). The protocol may be a zero-knowledge protocol.

Abstract: A unit verification method to be performed on a unit under test (UUT) comprises connecting a verification device to the UUT. The verification device applies a set of challenge signals to the UUT and then measures the responses of the UUT to the challenge signals. The responses of the UUT are based on the challenge signals and the physical properties of the UUT. A registration key is generated based on the measured responses and is stored. The registration key is unique to the UUT.

Abstract: Described are automated systems and methods for providing a template design for a public-key infrastructure (PKI) system. For example, certain infrastructure information and stored PKI information can be processed to determine a PKI template, which can specify the configuration for a proposed PKI hierarchy. A configurable representation of the proposed PKI hierarchy can be generated and presented to the user, which can facilitate review, modification, and further customization of the proposed PKI hierarchy. Aspects of the present disclosure can also determine costs associated with the proposed PKI hierarchy, and can create and deploy the proposed PKI hierarchy.

Abstract: There is provided a chatbot system including a plurality of user terminals, a chatbot, and a chat server. The chatbot includes a memory and a processor configured to create a message from data which is acquired from an external service, receive, as an input, a list including a user ID of a user terminal which has utilization authority for the data, generate a policy-equipped ciphertext by an encryption algorithm of ciphertext policy attribute-based encryption, and transmit the policy-equipped ciphertext to the chat server, and each of the user terminals includes a memory and a processor configured to receive a policy-equipped ciphertext from the chat server and decrypt the policy-equipped ciphertext using an attribute-equipped secret key which is generated on the basis of a user ID of the user terminal.

Abstract: The system and method of the present disclosure includes creation and management of audit chains, which are distributed ledgers serving a native translation of non-native statements. The system and method further includes the application of audit chains to zk-audits, in which the provider of a service, e.g., a centralized token exchange, proves correct behavior to its clients without revealing private data.

Abstract: A system includes a memory device and a processor, operatively coupled to the memory device, to perform operations including receiving a request to provide a post-secrets-provisioning service with respect to a device, in response to receiving the request, determining whether to authorize the request, in response to authorizing the request, obtaining a set of secrets data corresponding to the device, and providing the post-secrets-provisioning service by performing a cryptographic function utilizing the set of secrets data.

Abstract: This application describes methods, mediums, and systems for verifying a device for use in a messaging system. Using the device verification procedures described, a messaging system can securely authorize new devices to send and receive encrypted messages on behalf of a user, preferably without the need to share a private encryption key between the users' different devices. The application describes several techniques that can be used to provide such a system, including distributing a computer-perceptible code that encodes encryption information between a secondary device and a primary device. This allows the information to be distributed without intervention by a server. Other techniques provide unique ways to build and reverify authorized device lists, distribute encryption keys in chat channels, ensure that lists of authorized devices are distributed in the correct order and remain valid for an appropriate amount of time, add new devices to an ongoing or new conversation, and more.

Abstract: Systems and methods for providing exception failover augmented, homomorphic encrypted (HE) distributing, end-to-endpoint persistent encryption, and distributed HE domain non-decrypting, privacy-protective biometric processing are provided. Some configurations may include generating HE biometric feature data, based on homomorphic encrypting the biometric feature data. Some configurations determine an exception status of the HE biometric feature data between exception and non-exception. Systems and methods may include performing a HE domain, non-decrypting biometric classifying of the HE biometric feature data.

Abstract: A method may include collecting from each of multiple endpoint devices a set of anonymized interactions of the corresponding endpoint device with other endpoint devices. Each anonymized interaction in the set of anonymized interactions may be based on an ephemeral unique identifier of another endpoint device involved in a corresponding anonymized interaction with the corresponding endpoint device. The method may include, for each endpoint device, resolving identities of the other endpoint devices with which the corresponding endpoint device has interacted from the corresponding set of anonymized interactions.

Abstract: The invention relates to a method for transferring data in a publish-subscribe system (100) comprising a key distribution server (200) and a plurality of communication devices (101, 102, 103, 104) which can be coupled to the key distribution server (200) and which comprise at least one server device and a number of client devices.

Abstract: Embodiments describe systems and methods for analyzing digital certificates. A computer-implemented can include identifying a plurality of digital certificates, individual digital certificates of the plurality of digital certificates including respective internal information. External information associated with the individual digital certificates can be determined, the external information not contained within the respective digital certificate. The external information can be updated in a database with additional external information that is collected on a periodic basis. A query can be run against the database to identify one or more vulnerable digital certificates associated with a client based on the internal information and the external information. A notification can be sent to the client regarding the one or more vulnerable digital certificates.

Abstract: An authentication method of a prover by a verifier includes: performing at least once, an enrollment process by an enrollment center computer; and subsequent to performing the enrollment process, performing an on demand authentication process including: receiving at a verifier computer from the prover, a prover authentication request sent from the prover computer device which includes the prover identity and a preferred ZKP protocol identifier; looking up a prover's public key in the database via the identity; the verifier sending a selected ZKP protocol identifier to the prover computer device; commencing a round of authentication by receiving a commitment generated according to the selected ZKP protocol; and repeating the step of commencing a round of authentication until the verifier computer accepts or rejects the prover's identity. A zkMFA method of authentication and an authentication system for authenticating a prover by a verifier are also described.

Abstract: An industrial automation system device includes: a secure communication processing unit for communicating securely with a further trusted industrial automation system device; and a pre-shared secret module including a pre-shared secret, the pre-shared secret including shared asymmetric key pair generation data. The secure communication processing unit: derives a shared asymmetric key pair including a shared secret key and a shared public key from the shared asymmetric key pair generation data, derives a shared certificate including the shared public key, signs the shared certificate with the derived shared secret key, and generates a device asymmetric key pair including a device secret key and a device public key.

Abstract: The invention provides an information processing apparatus, method, and security protocol for secure storage and transfer of data using two-level encryption by combining RSA and AES keys. The apparatus includes circuitry (100) configured to receive encryption request, encrypt the data to generate first encryption data. The encryption of the data is based on an AES user key (103) and the received encryption request. The circuitry is further configured to encrypt the first encryption data to generate second encryption data, decrypt the second encryption data to generate first decryption data. The decryption of the second encryption data is based on a company AES key (107). The circuitry (100) is further configured to decrypt the first decryption data to generate the original data. The decryption of the first decryption data is based on an AES user key (103), and the second decryption data corresponds to the transmitted data.

Abstract: Techniques for subscriber revocation in a publish-subscribe network using attribute-based encryption (ABE) are disclosed, including: generating a tree data structure including leaf nodes representing subscribers, subtrees of the tree data structure representing subsets of subscribers having different likelihoods of ABE key revocation; generating ABE keys associated with edges in the tree data structure; assigning ABE keys to the leaf nodes, each leaf node being assigned a subset of the ABE keys associated with edges that form a path from a root node to the leaf node; based at least on a revocation record that indicates one or more revoked subscribers, determining a minimal subset of ABE keys that covers all non-revoked subscribers; and encrypting a payload using an encryption policy requiring at least one ABE key in the minimal subset of the ABE keys, to obtain a ciphertext that is not accessible to the one or more revoked subscribers.

Abstract: A system manages access to an asset using a separate physical cryptographically-secure key device. A memory stores a public key as an unalterable record. An access configuration controller reads the public key from the memory to control the access to the asset. The public key is cryptographically paired with a private key securely recorded in the separate physical cryptographically-secure key device. The access configuration controller receives an access control change instruction signed by the private key and verifies a valid signing of the access control change instruction by the private key using the public key read from the memory. A storage system secured by the access configuration controller stores access authorization records managing access to the asset. The access configuration controller alters access authorization records according to the access control change instruction, responsive to verification of the valid signing of the access control change instruction.