Abstract: A method, apparatus, and computer program product for processing a data record including encrypted and decrypted data is described. Various embodiments include receiving a data record including ciphertext and plaintext blocks and determining whether each block in the data record is a ciphertext block or a plaintext block. If a block is a ciphertext block, the ciphertext block is stored into a ciphertext record, decrypted into a plaintext block utilizing a decryption algorithm, and stored in a plaintext record. If the block is a plaintext block, the plaintext block is stored into the plaintext record, encrypted into a ciphertext block utilizing an encryption algorithm, and stored in the ciphertext record. Embodiments described also include authenticating the data record by passing each block of the ciphertext record to an authentication scheme and outputting the plaintext record to a destination application.

Abstract: Methods, systems, and apparatuses, including computer storage media and hardware security modules, for performing batch cryptography on hardware security modules. A hardware security module can receive a request to perform one or more cryptographic operations. The request can include a batch data structure storing a plurality of data elements. The hardware security module can unbatch the plurality of data elements, perform one or more cryptographic operations on the plurality of data elements to generate a plurality of outputs, generate an output batch data structure storing the plurality of outputs, and transmit the output batch data structure in response to the request. The request and the batch data structure can be formed in accordance with a batch hardware security module application program interface (API) implemented by the hardware security module.

Abstract: A cryptographic accelerator may include an input buffer to store an additional authenticated data (AAD) portion of a message and a plain text portion of the message. The cryptographic accelerator may include a cryptographic engine to generate cipher text using the plain text portion of the message, generate a message authentication code (MAC) using the AAD portion and either the plain text portion or the cipher text, determine a configuration for creating an assembled message in an output buffer of the cryptographic accelerator, and provide at least the cipher text to the output buffer to create the assembled message in the output buffer according to the configuration. The cryptographic accelerator may include the output buffer to provide the assembled message.

Abstract: Briefly, an encryption/decryption algorithm providing for consistent encryption entropy and encryption/decryption performance that is independent of the type of input data.

Abstract: Methods, systems, and devices for cryptographic key management are described. A memory device can issue, by a firmware component, a command to generate a first cryptographic key for encrypting or decrypting user data stored on a memory device. The memory device can generate, by a hardware component, the first cryptographic key based on the command. The memory device can encrypt, by the hardware component, the first cryptographic key using a second cryptographic key and an initialization vector. The memory device can store the encrypted first cryptographic key in a nonvolatile memory device separate from the hardware component.

Abstract: A computer that operates with a distributed ledger system, and stores a copy of a distributed ledger file that is stored by multiple different client computers. The distributed ledger file having plural values therein, and the distributed ledger file also having encryption values that verify the values in the distributed ledger file. The computer processes the values to verify at least some of the values in the distributed ledger file using the encryption values in a way that ascertains a cryptographic accuracy of the values, and to create a report indicating values that have been verified using the encryption values. The computer can use its GPU to process these values in parallel. The computer can also set new sequence numbers using a distributed system, for new values to be added to the distributed ledger.

Abstract: A data decryption system includes an address checking circuit, an encryption/decryption processor, and a computation circuit. The address checking circuit is configured to receive an address through an address channel. The computation circuit is coupled to the encryption/decryption processor. The computation circuit is configured to receive a reading data of the address from a storage device through a data channel in a first duration. The encryption/decryption processor computes a second key in a second duration, according to a first key and the address, and the second key is configured to decrypt the reading data, wherein the first duration overlaps with the second duration.

Abstract: A method including decrypting, by a user device based at least in part on utilizing a master key, an assigned private key associated with the user device; decrypting, by a user device based at least in part on utilizing a trusted key, a double-encrypted symmetric key to determine a single-encrypted symmetric key; decrypting, by the user device based at least in part on utilizing the assigned private key, the single-encrypted symmetric key to determine a symmetric key; and decrypting, by the user device based at least in part on utilizing the symmetric key, an encrypted folder stored on the user device to provide access to data included in the encrypted folder. Various other aspects and techniques are contemplated.

Abstract: A security circuit includes a decoder configured to receive input data and output a decoding signal in response to the input data, a first encoder configured to output one of first phenotypes corresponding to any one among integers in N-decimal (N is a natural number of 1 or more) as a first encoding value in response to the decoding signal, a second encoder configured to output one of second phenotypes corresponding to any one among integers in N-decimal as a second encoding value in response to the decoding signal, and a gate module circuit configured to generate output data by performing a logic operation on the first encoding value and the second encoding value.

Abstract: The present invention provides an encrypting device including an encryption unit and a communications unit. Paired encrypting devices allow for communication of trusted data between trusted devices over an untrusted network. Data received by the encryption unit is encrypted and provided with a connectionless header for delivery to the communications unit. Data received by the communications units is provided with a complex header for delivery to the paired encrypting device. The encrypting devices may be implemented in hardware or may be virtualized on a server or a plurality of servers. Arrangement of the encrypting devices in a hub-and-spoke topology allows for communication amongst a plurality of trusted devices. The encrypting devices can be used to convert commercially available equipment suitable for high assurance environments.

Abstract: A virtual private network (VPN) server connected to a client device within a VPN obtains data for delivery to the client device. The VPN server selects a data stream from a set of data streams of the VPN connection with the client device, where each data stream of the set of data streams has a different encryption context. The VPN server generates a data packet based on the data such that the data packet is encrypted using the encryption context specific to the selected data stream. The VPN server transmits the data packets to the client device via the selected data stream.

Abstract: Generally described, one or more aspects of the present application correspond to techniques for managing snapshots in a partially encrypted state and providing access to partially encrypted snapshots. These snapshot management techniques allow a snapshot that is being encrypted to be accessed prior to the encryption being completed. Such a snapshot may have some blocks that have been encrypted, and other blocks that have not yet been encrypted. In order to provide access to such a snapshot in a partially encrypted state, a system may allow the encryption status of the blocks in the snapshot to be checked at the block level instead of at the snapshot level (or at some other intermediary level therebetween), according to some embodiments. By doing so, the system can reduce the delays resulting from snapshots that are locked during the encryption process.

Abstract: Techniques for cryptographically protecting personally identifiable information in images and videos are described herein. An image may be obtained. One or more regions in the image may be detected based on an object detection algorithm. Pixels for each region of the one or more regions may be encrypted using a symmetric encryption technique and an initialization vector. The encrypted pixels for each region of the one or more regions may be written back into the image. A symmetric key of the symmetric encryption technique and the initialization vector may be encrypted using an asymmetric encryption technique. Metadata of the image may be updated to store the encrypted symmetric key and the encrypted initialization vector.

Abstract: The present disclosure relates to implementations of physically unclonable functions (PUFs) for cryptographic and authentication purposes. Specifically, the disclosure describes implementations of systems using PUFs that may replace existing public key infrastructures (PKIs).

Abstract: Systems and methods of generating a security key for an integrated circuit device include generating a plurality of key bits with a physically unclonable function (PUF) device. The PUF can include a random number generator that can create random bits. The random bits may be stored in a nonvolatile memory. The number of random bits stored in the nonvolatile memory allows for a plurality of challenge and response interactions to obtain a plurality of security keys from the PUF.

Abstract: A processing system including at least one processor may receive a task request for a user from a requesting party, identify a trust profile for the requesting party, identify a first automated system to access to fulfill the task request, determine whether the trust profile for the requesting party permits an access to the first automated system, and fulfill the task request via the first automated system when it is determined that the trust profile for the requesting party permits the access to the first automated system.

Abstract: An apparatus, method, and computer program product are provided for encrypting a function symbol with relocation. The apparatus includes a compiler module, a static linker module, and an encryptor module. The compiler module inserts sequences of instructions to decrypt function symbols to be randomized at runtime before indirect function calls. The compiler module inserts an instruction sequence at compile time to encrypt an operand register that receives a local function symbol in position-independent code (PIC), where a call or store instruction uses the register as an operand. The static linker module inserts an encoding section at link time. The encoding section includes two columns representing the sizes of function symbols in bits or bytes and the locations storing the function symbols to be encrypted at runtime. The encryptor module encrypts at runtime the function symbols whose sizes and stored memory locations are identified in the encoding section.

Abstract: There is a need for more effective and efficient secure data transmission. This need can be addressed by, for example, solutions for secure data transmission that utilize per-user-functionality secret shares. In one example, a method includes generating a hashed user identifier based on a received user identifier; transmitting the hashed user identifier to an external computing entity; and receiving a data retrieval secret share from the external computing entity, wherein: (i) the data retrieval secret share is selected from a plurality of per-user-functionality secret shares, (ii) the plurality of per-user-functionality secret shares are generated based on a secret value, (iii) the secret value is generated based on the hashed user identifier, (iv) the secret value is used to generate a user data private key, and (v) the external computing entity is configured to encrypt user-provided data using the user data private key prior to transmission of the encrypted user-provided data.

Abstract: A key generator system that includes a quantum random number generator (QRNG) to generate a string of ternary digits. The QRNG includes a preparation stage, a universal interferometer to output a measurement outcome, and a detector to detect the measurement outcome and produce a quantum random (QR) ternary digit based on the outcome. The system includes a key generator to receive the string of QR ternary digits and generate a key including binary string of bits produced by mapping pairs of QR ternary digits into bits. The preparation stage includes an arrangement of beamsplitters defined by a selected probability distribution including a probability set of {p1, p2, p3} that adds to 1 and p1, p2 and p3 are rational numbers and less than 1 and greater than zero, and a selected one preparation stage candidate of candidates derived based on a value definite quantum states equation.

Abstract: One aspect of the present invention discloses a text watermarking method for hiding user information. The text watermarking method comprises inputting encryption variable set information with which to encrypt a target document, wherein the target document includes text, generating an encrypted block based on the encryption variable set information and embedding the encrypted block into the target document by using an embedding rule of the encrypted block. The encryption variable set information includes a predetermined random key value, a user ID, and information indicating the embedding rule of the encrypted block. The predetermined random key value and the information indicating an embedding rule of the encrypted block are managed in a non-disclosure manner.