Abstract: A tamper detection system may include organic material and a tamper detection circuit embedded in the organic material. A portion of the organic material is ablated away to form an incision in the organic material. A portion of the tamper detection circuit obstructs a fragment of the ablation path. The tamper detection circuit remains intact. The incision enables a gas flow between a first side of the organic material and a second side of the organic material.

Abstract: Aspects of the invention include a computer-implemented method of executing a hybrid quantum safe key exchange system. The computer-implemented method includes initially retrieving an authenticated random value from a trusted source, generating a first Z value using a first elliptic curve (EC) private key and a first certified form of an EC public key with an EC Diffie-Hellman (ECDH) algorithm, deriving a shared key using the authenticated random value and the first Z value with a key derivation function, decrypting the authenticated random value using a quantum safe algorithm (QSA) private key, generating a second Z value using a second EC private key and a second certified form of the EC public key with the ECDH algorithm and deriving the shared key using the authenticated random value and the second Z value with the key derivation function.

Abstract: Aspects of the invention include a computer-implemented method of executing a hybrid quantum safe key exchange system. The computer-implemented method includes initially retrieving an authenticated random value from a trusted source, generating a first Z value using a first elliptic curve (EC) private key and a first certified form of an EC public key with an EC Diffie-Hellman (ECDH) algorithm, deriving a shared key using the authenticated random value and the first Z value with a key derivation function, decrypting the authenticated random value using a quantum safe algorithm (QSA) private key, generating a second Z value using a second EC private key and a second certified form of the EC public key with the ECDH algorithm and deriving the shared key using the authenticated random value and the second Z value with the key derivation function.

Abstract: Securely executing instructions of software on a computerized device by accessing a software of a computerized device, wherein the software includes a plurality of instructions and respective reference message authentication codes (MACs), generating a cryptographic key based at least in part on a key derivation function, wherein arguments of the key derivation function are based at least in part on a unique identifier of the computerized device and a value extended from a measurement of a content of the software of an extension mechanism of a platform configuration register of the computerized device, verifying an instruction of the plurality of instructions of the software based at least in part on the cryptographic key and a reference MAC of the respective reference MACs, and in response to verifying the instruction of the plurality of instructions of the software, executing the instruction.

Abstract: A tamper detection system may include organic material and a tamper detection circuit embedded in the organic material. A portion of the organic material is ablated away to form an incision in the organic material. A portion of the tamper detection circuit obstructs a fragment of the ablation path. The tamper detection circuit remains intact. The incision enables a gas flow between a first side of the organic material and a second side of the organic material.

Abstract: Aspects of the invention include a computer-implemented method of executing a hybrid quantum safe key exchange system. The computer-implemented method includes initially retrieving an authenticated random value from a trusted source, generating a first Z value using a first elliptic curve (EC) private key and a first certified form of an EC public key with an EC Diffie-Hellman (ECDH) algorithm, deriving a shared key using the authenticated random value and the first Z value with a key derivation function, decrypting the authenticated random value using a quantum safe algorithm (QSA) private key, generating a second Z value using a second EC private key and a second certified form of the EC public key with the ECDH algorithm and deriving the shared key using the authenticated random value and the second Z value with the key derivation function.

Abstract: Provided is a method for masking a sensitive signal by injecting noise into planes of a printed circuit board (PCB). The method comprises detecting, by a secondary integrated circuit (IC), a noise signal on a shared plane of a PCB that includes the secondary IC. The noise signal may be analyzed to determine the characteristics of the noise signal. A masking signal may be generated based on the characteristics. The masking signal may then be injected onto the shared plane.

Abstract: The present invention discloses a method for managing priority-arbitrated access to a set of one or more computational engines of a physical computing device. The method includes providing a multiplexer module and a network bus in the physical computing device, wherein the multiplexer module is connected to the network bus. The method further includes receiving, by the multiplexer module, a first data processing request from a driver and inferring, by the multiplexer module, a first priority class from the first data processing request according to at least one property of the first data processing request. The method further includes manipulating, by the multiplexer module, a priority according to which the physical computing device handles data associated with the first data processing request in relation to data associated with other data processing requests, wherein the priority is determined by the first priority class.

Abstract: A method to fabricate a tamper respondent assembly is provided. The tamper respondent assembly includes an electronic component and an enclosure at least partly enclosing the electronic component. A piezoelectric sensor is integrated in the enclosure. The integrating includes providing a base structure that includes a first conductive layer, depositing a piezoelectric layer on the first conductive layer, covering the piezoelectric layer with a second conductive layer, and providing sensing circuitry for observing sensing signals of the piezoelectric layer. The piezoelectric layer includes a plurality of nanorods. Aspects of the invention further relates to a corresponding assembly and a corresponding computer program product.

Abstract: Hardware security modules for executing zero-knowledge proofs are provided. Such a module includes multiple computational engines for executing respective primitive operations of zero-knowledge proofs, and memory storing multiple data-flow graphs. Each data-flow graph defines computational functionality of a respective one of the proofs, and comprises a set of nodes, each representing a said primitive operation, interconnected by edges representing input/output data of nodes. At least edges which represent security-sensitive data are indicated by edge-labels in the graphs. The module further comprises a set of registers, comprising at least a subset of secure registers, for storing data during execution of proofs, and a processor configured to control execution, using said engines, of proofs defined by the set of dataflow graphs such that data corresponding to a security-sensitive edge in a graph is stored in a secure register during execution.

Abstract: A key identifier that identifies a cryptographic key is transmitted to a cryptographic coprocessor. A first set of attributes is received from the cryptographic coprocessor. The first set of attributes and a second set of attributes are serialized into a first sequence of attributes. The first sequence of attributes are stored to an attribute frame. One or more attributes in the second set of attributes are associated with the cryptographic key and originate from a key attribute storage of the key management system. The second set of attributes is different from the first set of attributes. The first sequence of attributes is transmitted to the cryptographic coprocessor. A first message authentication code (MAC) calculated from the first sequence of attributes is received from the cryptographic coprocessor. The attribute frame is verified by comparing the first MAC, or a value derived from the first MAC, to a reference value.

Abstract: A key identifier that identifies a cryptographic key is transmitted to a cryptographic coprocessor. A first set of attributes is received from the cryptographic coprocessor. The first set of attributes and a second set of attributes are serialized into a first sequence of attributes. The first sequence of attributes are stored to an attribute frame. One or more attributes in the second set of attributes are associated with the cryptographic key and originate from a key attribute storage of the key management system. The second set of attributes is different from the first set of attributes. The first sequence of attributes is transmitted to the cryptographic coprocessor. A first message authentication code (MAC) calculated from the first sequence of attributes is received from the cryptographic coprocessor. The attribute frame is verified by comparing the first MAC, or a value derived from the first MAC, to a reference value.

Abstract: The present invention discloses a method for managing priority-arbitrated access to a set of one or more computational engines of a physical computing device. The method includes providing a multiplexer module and a network bus in the physical computing device, wherein the multiplexer module is connected to the network bus. The method further includes receiving, by the multiplexer module, a first data processing request from a driver and inferring, by the multiplexer module, a first priority class from the first data processing request according to at least one property of the first data processing request. The method further includes manipulating, by the multiplexer module, a priority according to which the physical computing device handles data associated with the first data processing request in relation to data associated with other data processing requests, wherein the priority is determined by the first priority class.

Abstract: Tamper-respondent assemblies and fabrication methods are provided which utilize liquid crystal polymer layers in solid form. The tamper-respondent assemblies include a circuit board, and an enclosure assembly mounted to the circuit board to enclose one or more electronic components coupled to the circuit board within a secure volume. The assembly includes a tamper-respondent sensor that is a three-dimensional multilayer sensor structure, which includes multiple liquid crystal polymer layers, and at least one tamper-detect circuit. The at least one tamper-detect circuit includes one or more circuit lines in a tamper-detect pattern disposed on at least one liquid crystal polymer layer of the multiple liquid crystal polymer layers. Further, a monitor circuit is provided disposed within the secure volume to monitor the at least one tamper-detect circuit of the tamper-respondent sensor for a tamper event.

Abstract: A method including: receiving, via a processor, established upper bounds for dynamic structures in a multi-tenant system; creating, via the processor, arrays comprising related memory-management unit (MMU) mappings to be placed together; and placing the dynamic structures within the arrays, the placing comprising for each array: skipping an element of the array based on determining that placing a dynamic structure in that element would cause the array to become overcommitted and result in a layout where accessing all elements would impose a translation look aside buffer (TLB) replacement action; and scanning for an array-start entry by placing the start of a first element at an address from which an entire array can be placed without TLB contention, and accessing, via the processors, all non-skipped elements without incurring TLB replacements.

Abstract: The present invention relates to a method to fabricate a tamper respondent assembly. The tamper respondent assembly includes an electronic component and an enclosure fully enclosing the electronic component. The method includes printing, by a 3-dimensional printer, a printed circuit board that forms a bottom part of the enclosure and includes a first set of embedded detection lines for detecting tampering events and signal lines for transferring signals between the electronic component and an external device. The electronic component is assembled on the printed circuit board, and a cover part of the enclosure is printed on the printed circuit board. The cover part includes a second set of embedded detection lines. Sensing circuitry can be provided for sensing the conductance of the first set of embedded detection lines and the second set of embedded detection lines to detect tampering events.

Abstract: Provided is a method for masking a sensitive signal by injecting noise into planes of a printed circuit board (PCB). The method comprises detecting, by a secondary integrated circuit (IC), a noise signal on a shared plane of a PCB that includes the secondary IC. The noise signal may be analyzed to determine the characteristics of the noise signal. A masking signal may be generated based on the characteristics. The masking signal may then be injected onto the shared plane.

Abstract: A method includes determining, by a tracker controller of a hardware security module, that a first processor has submitted a first request to access a computing resource. The method also includes determining, by the tracker controller, whether the first request and a second request both request access to the same computing resource. The second request is submitted by a second processor. The method also includes preventing access to the computing resource based on a determination that the first request and the second request do not request access to the same computing resource. The method also includes permitting access to the computing resource based on a determination that the first request and the second request both request access to the same computing resource.

Abstract: A method including: receiving, via a processor, established upper bounds for dynamic structures in a multi-tenant system; creating, via the processor, arrays comprising related memory-management unit (MMU) mappings to be placed together; and placing the dynamic structures within the arrays, the placing comprising for each array: skipping an element of the array based on determining that placing a dynamic structure in that element would cause the array to become overcommitted and result in a layout where accessing all elements would impose a translation look aside buffer (TLB) replacement action; and scanning for an array-start entry by placing the start of a first element at an address from which an entire array can be placed without TLB contention, and accessing, via the processors, all non-skipped elements without incurring TLB replacements.

Abstract: The present disclosure relates to a computer-implemented method for controlling operation of multiple computational engines of a physical computing device. The computer-implemented method includes providing a multiplexer module in the device, the multiplexer module including a first and second memory region. The multiplexer module may receive from a first driver at the multiplexer module a data processing request to be processed by a first set of one or more computational engines of the computational engines. Subsequent to receiving the data processing request, the multiplexer module may assign a request sub-region of the first region and a response sub-region of the second region to the first driver. Data indicative of the request sub-region and the response sub-region may be submitted to the first driver. Results of processing the request may be received at the response sub-region.