Patents Examined by Darshan I Dhruv
  • Patent number: 11782758
    Abstract: There is provided a distributed computation system that establishes a consensus related to a computational value of a computational task, wherein the distributed computation system includes a plurality of computing nodes. The distributed computation system distributes the computational task to the plurality of computing nodes; each of a first set of computing nodes, from the plurality of computing nodes, performs a partial evaluation of the computational task, wherein the partial evaluations of the computational task are stored in a ledger arrangement; each of a second set of computing nodes from the plurality of computing nodes generate a computational value corresponding to each of the partial evaluations stored in the ledger arrangement and determine correctness proof of each of the computational value; and a third set of computing nodes from the plurality of computing nodes validates the correctness proof of each of the computational value to establish consensus related to the computational values.
    Type: Grant
    Filed: February 12, 2020
    Date of Patent: October 10, 2023
    Inventor: David Galindo
  • Patent number: 11777731
    Abstract: The disclosed exemplary embodiments include computer-implemented systems, devices, and processes that securely manage transfers of digital assets between computing devices using permissioned distributed ledgers. By way of example, an apparatus may receive, from a first device, a request to transfer a digital asset to a second device and a first digital signature applied to the request. Based on a validation of the first digital signature, the apparatus may approve the request and apply a second digital signature to the request and the first digital signature indicative of the approval of the request by the apparatus. The apparatus may also transmit the request, the first digital signature, and the second digital signature to a computing system, which may validate the first and second digital signatures and perform operations that record the first public key and asset data identifying the digital asset within at least one element of a distributed ledger.
    Type: Grant
    Filed: August 18, 2022
    Date of Patent: October 3, 2023
    Assignee: The Toronto-Dominion Bank
    Inventors: Alexey Shpurov, Albert Louis Rothenstein, Adrian Chung-Hey Ma, Buturab Rizvi, Alexandra Tsourkis, Francis James Alexander Guttridge
  • Patent number: 11777710
    Abstract: Disclosed are systems, methods, and non-transitory computer-readable media for cryptography using different sized symbol sets. To protect against a brute force or other similar type of attack, multiple symbol sets having different sizes can be used for encrypting/decrypting data. For example, different portions of the data (e.g., data blocks representing multiple symbols, set of bits representing a single symbol) may be encrypted/decrypted using different symbol sets that include different numbers of unique symbols. Using different sized symbol sets adds additional complexity to the encryption process, thereby greatly increasing the difficulty in decrypting the encrypted data with a brute force attack.
    Type: Grant
    Filed: September 28, 2022
    Date of Patent: October 3, 2023
    Assignee: Microsoft Technology Licensing, LLC
    Inventors: Amer Aref Hassan, Whitney J Giaimo, Roy D. Kuntz
  • Patent number: 11764965
    Abstract: Techniques of authenticating a first device of a user to a second device are disclosed. The method enables the second device to perform authentication using a biometric template stored on the first device and a biometric measurement. Homomorphic encryption may be used by the first device to encrypt the biometric template and the second device to determine an encrypted similarity metric between the biometric template and the biometric measurement. The second device can also determine an encrypted code using an authentication function and the encrypted similarity metric. The second device sends the encrypted code and the encrypted similarity metric to be decrypted by the first device. The second device can receive a response from the first device, indicating whether a decrypted similarity metric exceeds a threshold; and whether the decrypted code matches a test code. The second device can then authenticate the user based on the response.
    Type: Grant
    Filed: May 25, 2022
    Date of Patent: September 19, 2023
    Assignee: Visa International Service Association
    Inventors: Payman Mohassel, Shashank Agrawal, Pratyay Mukherjee, Saikrishna Badrinarayanan
  • Patent number: 11750589
    Abstract: A system and method is disclosed for transporting application data through a communications tunnel between a host device and a guest device that each includes networked processors. The application data may be transported between the host device and the guest device through an allowed port of the host device, the communications tunnel, and a port of the guest device. Based on logon credentials, the guest device can be authenticated by a security server and a role may be determined. The role can include allowed ports and associated applications on the host that the guest is allowed to access. Remote access from the guest device to host devices or remote devices may be enabled without needing prior knowledge of their configurations. Secure access may be facilitated to remote host devices or remote devices, according to security policies that can vary on a per-session basis and takes into account various factors.
    Type: Grant
    Filed: January 5, 2023
    Date of Patent: September 5, 2023
    Assignee: NETOP SOLUTIONS A/S
    Inventors: Peter Holmelin, Valentin Palade, Dragos Ivan
  • Patent number: 11743241
    Abstract: A computer-implemented method includes receiving, by a transcoder, second encrypted data. The second encrypted data is data that has been encrypted in a first key to create first encrypted data that is then encrypted in a second key to create the second encrypted data. The method includes receiving the second key and decrypting the second encrypted data using the second key to obtain the first encrypted data. The method includes encrypting the first encrypted data using a third key to create third encrypted data, and sending the third encrypted data to a destination node. A computer-implemented method includes receiving, by a transcoder, a second encrypted key. The second encrypted key is a key that has been encrypted in a first key to create a first encrypted key that is then encrypted in a second key to create the second encrypted key.
    Type: Grant
    Filed: December 30, 2020
    Date of Patent: August 29, 2023
    Assignee: International Business Machines Corporation
    Inventors: Steven Robert Hetzler, Guerney D. H. Hunt
  • Patent number: 11743292
    Abstract: Techniques are disclosed for securing traffic flowing across multi-tenant virtualized infrastructures using group key-based encryption. In one embodiment, an encryption module of a virtual machine (VM) host intercepts layer 2 (L2) frames sent via a virtual NIC (vNIC). The encryption module determines whether the vNIC is connected to a “secure wire,” and invokes an API exposed by a key management module to encrypt the frames using a group key associated with the secure wire, if any. Encryption may be performed for all frames from the vNIC, or according to a policy. In one embodiment, the encryption module may be located at a layer farthest from the vNIC, and encryption may be transparent to both the VM and a virtual switch. Unauthorized network entities which lack the group key cannot decipher the data of encrypted frames, even if they gain access to such frames.
    Type: Grant
    Filed: August 8, 2022
    Date of Patent: August 29, 2023
    Assignee: NICIRA, INC.
    Inventors: Amit Chopra, Uday Masurekar
  • Patent number: 11729185
    Abstract: This disclosure is directed to monitoring a crypto-partitioned, or cipher-text, wide-area network (WAN). A first computing device may be situated in a plain-text portion of a first enclave behind a first inline network encryptor (INE). A second device may be positioned in a plain-text portion of a second enclave behind a second INE. The two enclaves may be separated by a cipher-text WAN, over which the two enclaves may communicate. The first computing device may receive a data packet from the second computing device. The first computing device may then determine contents of a header of the data packet. The first computing device may, based at least in part on the contents of the header of the data packet, determine a status of the cipher-text WAN.
    Type: Grant
    Filed: May 16, 2022
    Date of Patent: August 15, 2023
    Assignee: ARCHITECTURE TECHNOLOGY CORPORATION
    Inventors: Ranga Ramanujan, Benjamin L. Burnett
  • Patent number: 11727226
    Abstract: A method of a digital identity system generating a sharing token for authenticating a bearer to a validator, wherein a data store of the digital identity system holds a plurality of attributes of the bearer, the method comprising implementing by the digital identity system the following steps: receiving at the digital identity system from a bearer an electronic sharing token request, wherein the token request identifies at least one of the bearer's attributes in the data store selected for sharing with a validator; in response to the electronic token request, generating a sharing token, which is unique to that request, for presentation by the bearer to a validator; associating with the unique sharing token at the digital identity system the identified at least one bearer attribute; and issuing to the bearer the unique sharing token; and wherein later presentation of the unique sharing token to the digital identity system by a validator causes the at least one bearer attribute associated with the sharing token
    Type: Grant
    Filed: June 18, 2021
    Date of Patent: August 15, 2023
    Assignee: Yoti Holding Limited
    Inventors: Francisco Angel Garcia Rodriguez, Piers Powlesland, Paolo Greci, Laurence Withers, Eleanor Simone Frederika Loughlin-McHugh, Roman Edward Szczesniak
  • Patent number: 11729158
    Abstract: Systems and methods for account access/identity verification based on access to a third party account. In various embodiments, the disclosed system facilitates access to a particular account via verification of the identity of the accessing user through control of a third party account. That is, in one embodiment, the system allows a user to access an account if the user can prove that he/she also has access to another account (e.g., via providing a code to the system that was transmitted to the other account).
    Type: Grant
    Filed: August 13, 2021
    Date of Patent: August 15, 2023
    Assignee: T Stamp Inc.
    Inventor: Gareth Neville Genner
  • Patent number: 11727149
    Abstract: A system and method for providing anonymous validation of a query among a plurality of nodes in a network may receive at a support node a query from a requester node; wherein the query comprises a one-way function representation of at least one data point of information of the requester node; receive at the support server, from at least one validator node, a one-way function representation of at least one data point of information of the validator node; compare by the support server the query from the requestor node with the one-way function representation of the at least one data point of information; determine by an aggregator server, based on the comparison, whether the at least one data point of information of the requester node matches the at least one data point of information of the at least one validator node; and output a match result to the requestor node.
    Type: Grant
    Filed: May 27, 2022
    Date of Patent: August 15, 2023
    Assignee: Identiq Protocol Ltd.
    Inventors: Itay Levy, Uri Arad
  • Patent number: 11722296
    Abstract: A network and a device can support secure sessions with both (i) a post-quantum cryptography (PQC) key encapsulation mechanism (KEM) and (ii) forward secrecy. The device can generate (i) an ephemeral public key (ePK.device) and private key (eSK.device) and (ii) send ePK.device with first KEM parameters to the network. The network can (i) conduct a first KEM with ePK.device to derive a first asymmetric ciphertext and first shared secret, and (ii) generate a first symmetric ciphertext for PK.server and second KEM parameters using the first shared secret. The network can send the first asymmetric ciphertext and the first symmetric ciphertext to the device. The network can receive (i) a second symmetric ciphertext comprising “double encrypted” second asymmetric ciphertext for a second KEM with SK.server, and (ii) a third symmetric ciphertext. The network can decrypt the third symmetric ciphertext using the second asymmetric ciphertext.
    Type: Grant
    Filed: October 15, 2021
    Date of Patent: August 8, 2023
    Inventor: John A. Nix
  • Patent number: 11716206
    Abstract: Establishing secure communications by sending a server certificate message, the certificate message including a first certificate associated with a first encryption algorithm and a second certificate associated with a second encryption algorithm, the first certificate and second certificate bound to each other, signing a first message associated with client-server communications using a first private key, the first private key associated with the first certificate, signing a second message associated with the client-server communications using a second private key, the second private key associated with the second certificate, the second message including the signed first message, and sending a server certificate verify message, the server certificate verify message comprising the signed first message and the signed second message.
    Type: Grant
    Filed: November 2, 2020
    Date of Patent: August 1, 2023
    Assignee: International Business Machines Corporation
    Inventors: Michael W. Gray, Narayana Aditya Madineni, Simon D. McMahon, Matthew Green, Peter T. Waltenberg
  • Patent number: 11716200
    Abstract: The system and methods described herein may be utilized to perform operations in a faster and less complex manner than provided by conventional systems. An encrypted record may be stored at a user device. The encrypted record may include entries related to operations that were previously requested by the user device. The encrypted record may have been encrypted using a dynamic value and a key that is associated with an entity associated with the user. A recipient computer of a request by the user device may be configured to utilize the dynamic value provided in the request and the key associated with the entity to derive the encryption key(s) last used to encrypt the record. The recipient computer may decrypt and modify the decrypted record to perform the requested operation while the user device is precluded from doing so.
    Type: Grant
    Filed: September 29, 2022
    Date of Patent: August 1, 2023
    Assignee: Visa International Service Association
    Inventors: Sivanarayana Gaddam, Rohit Sinha, Atul Luykx, Hao Yang
  • Patent number: 11704940
    Abstract: Techniques are described herein for dialog-based enrollment of individual users for single- and/or multi-modal recognition by an automated assistant, as well as determining how to respond to a particular user's request based on the particular user being enrolled and/or recognized. Rather than requiring operation of a graphical user interface for individual enrollment, dialog-based enrollment enables users to enroll themselves (or others) by way of a human-to-computer dialog with the automated assistant.
    Type: Grant
    Filed: January 20, 2022
    Date of Patent: July 18, 2023
    Assignee: GOOGLE LLC
    Inventors: Diego Melendo Casado, Tuan Nguyen, Jaclyn Konzelmann, Gustavo Moura, Tanya Kraljic
  • Patent number: 11700125
    Abstract: An authentication method of a prover by a verifier includes: performing at least once, an enrollment process by an enrollment center computer; and subsequent to performing the enrollment process, performing an on demand authentication process including: receiving at a verifier computer from the prover, a prover authentication request sent from the prover computer device which includes the prover identity and a preferred ZKP protocol identifier; looking up a prover's public key in the database via the identity; the verifier sending a selected ZKP protocol identifier to the prover computer device; commencing a round of authentication by receiving a commitment generated according to the selected ZKP protocol; and repeating the step of commencing a round of authentication until the verifier computer accepts or rejects the prover's identity. A zkMFA method of authentication and an authentication system for authenticating a prover by a verifier are also described.
    Type: Grant
    Filed: October 5, 2021
    Date of Patent: July 11, 2023
    Assignee: Redcom Laboratories, Inc.
    Inventors: Sal Ceravolo, Peizhao Hu, Collin Sweeney, Alexis Holler
  • Patent number: 11695553
    Abstract: A method of generating a hierarchical deterministic keys portfolio, in particular to sign transactions sent to a blockchain. The generation method includes an initialization phase by an administrator and a phase of setting parameters for at least one user. Private key usage contexts are created from the administrator account, each context specifying conditions for use of the private key in said context. User accounts are also created, each user account being associated with a private key in the tree structure, the private key of said user being obtained from a master private key of the administrator, the usage context to which the user account is attached, and the user's identifier.
    Type: Grant
    Filed: September 8, 2020
    Date of Patent: July 4, 2023
    Assignee: COMMISSARIAT A L'ENERGIE ATOMIQUE ET AUX ENERGIES ALTERNATIVES
    Inventors: Christine Hennebert, Florian Barrois
  • Patent number: 11695792
    Abstract: In one embodiment, a device in a network receives traffic data regarding a plurality of observed traffic flows. The device maps one or more characteristics of the observed traffic flows from the traffic data to traffic characteristics associated with a targeted deployment environment. The device generates synthetic traffic data based on the mapped traffic characteristics associated with the targeted deployment environment. The device trains a machine learning-based traffic classifier using the synthetic traffic data.
    Type: Grant
    Filed: January 6, 2021
    Date of Patent: July 4, 2023
    Assignee: Cisco Technology, Inc.
    Inventors: Blake Harrell Anderson, David McGrew
  • Patent number: 11689375
    Abstract: Certificate and key management is provided. A signed certificate corresponding to an enterprise is deployed to a plurality of cryptographic communication protocol endpoint proxies located in a heterogeneous distributed computing environment where a private key corresponding to the enterprise is not placed in any of the plurality of cryptographic communication protocol endpoint proxies. Offload of cryptographic communications from the plurality of cryptographic communication protocol endpoint proxies to the hardware security module is received by the hardware security module where the hardware security module verifies connection authenticity for the plurality of cryptographic communication protocol endpoint proxies across the heterogeneous distributed computing environment using the private key corresponding to the enterprise that remains within a security boundary of the hardware security module.
    Type: Grant
    Filed: May 21, 2021
    Date of Patent: June 27, 2023
    Assignee: International Business Machines Corporation
    Inventors: Nataraj Nagaratnam, Christopher S. Smith, David Nguyen, Martin Schmatz, Marco Pavone, Navaneeth Rameshan
  • Patent number: 11689364
    Abstract: Embodiments of the present invention provide systems and techniques for changing cryptographic keys in high-frequency transaction environments to mitigate service disruptions or loss of transactions associated with key maintenance. In various embodiments, a server device can employ a working key encrypted with a first master key to decrypt messages being communicated from a client device, whereby each message is encrypted with a first cryptogram that was generated based on the working key encrypted with the first master key. While the working key encrypted with the first master key is being employed, the server device can generate a notification including a second cryptogram generated based on the working key encrypted with a second master key for transmission to the client device. The transmitted notification can cause the client device to encrypt the messages being communicated with the second cryptogram.
    Type: Grant
    Filed: September 8, 2021
    Date of Patent: June 27, 2023
    Assignee: ITS, Inc.
    Inventors: Terry Dooley, Thomas Sherrard, Shane Van Waardhuizen, Manish Nathwani, Craig F. Branch