Key Management Patents (Class 380/277)
- Patent number: 11683156
  Abstract: A computer-implemented method according to one embodiment includes receiving at an encryption daemon a key request from a storage device; implementing, by the encryption daemon, a secure communications channel between the encryption daemon and an encryption key server; sending the key request from the encryption daemon to the encryption key server, utilizing the secure communications channel; receiving, from the encryption key server at the encryption daemon, an encrypted response, utilizing the secure communications channel; decrypting, by the encryption daemon, the encrypted response to obtain the requested key, and sending the requested key from the encryption daemon to the storage device.
  Type: Grant
  Filed: July 9, 2019
  Date of Patent: June 20, 2023
  Assignee: International Business Machines Corporation
  Inventors: Duke Andy Lee, Jeffrey Wayne Pilch
- Patent number: 11683161
  Abstract: Computer-readable media, methods, and systems are disclosed for managing group-level database encryption keys under group-level encryption in a database management system. Upon startup of the database management system, persisted database entries are sequentially processed to produce an in-memory data structure comprising a set of encryption group identifier metadata tuples having an encryption group identifier and a valid-from save point cycle version. The set of encryption group identifier metadata tuples is mapped to a set of key identifier tuples including a local secure store identifier and a group-level encryption key identifier. A set of group-level encryption keys is received from a key management system, according to which a group-level encryption key is mapped to each encryption group identifier metadata tuple.
  Type: Grant
  Filed: May 28, 2021
  Date of Patent: June 20, 2023
  Assignee: SAP SE
  Inventor: Dirk Thomsen
- Patent number: 11671411
  Abstract: A streaming one time Pad cipher using a One Time Pad (OTP) provides secure data storage and retrieval. The data that is encrypted using the one time pad is stored in a repository that is separate from the generation and/or storage for the one time pad.
  Type: Grant
  Filed: November 10, 2021
  Date of Patent: June 6, 2023
  Assignee: Introspective Power, Inc.
  Inventors: Anthony Scott Thompson, Steven Paul Cummings, Margaret A. Philpot, Brian E. Meilke
- Patent number: 11664977
  Abstract: A method performed by one or more network node(s) of a wireless telecommunications network to dynamically manage encryption keys for multiple narrowband Internet of Things (NB-IoT) devices of the network. The network node(s) can maintain a database that stores a device profile for each of the NB-IoT devices and obtain multiple encryption keys for the multiple NB-IoT devices. The encryption keys are associated with different encryption strengths ranging from high to ultra-low encryption strengths. The network node(s) can allocate the encryption keys to the NB-IoT devices, detect a change in the condition of the network, capability or communications service of NB-IoT devices, and refresh the encryption keys accordingly to ensure that the network nodes properly balance encryption while providing efficient network performance.
  Type: Grant
  Filed: July 31, 2020
  Date of Patent: May 30, 2023
  Assignee: T-Mobile USA, Inc.
  Inventor: Venson Shaw
- Patent number: 11665539
  Abstract: A public key of a sensor node key pair is transmitted from a sensor node 22 to a server 20 via sensor network communication, and furthermore is transmitted from the server 20 to a mobile terminal 25 via mobile line communication. In addition, a public key of a mobile terminal key pair is transmitted from the mobile terminal 25 to the sensor node 22 through local communication. Thus, the configuration allows the sensor node 22 and the mobile terminal 25 to generate a common key by combining their own private key and the public key of the counterpart in order to encrypt the local communication by using this common key.
  Type: Grant
  Filed: March 18, 2019
  Date of Patent: May 30, 2023
  Assignee: Hitachi Kokusai Electric Inc.
  Inventor: Satoru Yasui
- Patent number: 11658812
  Abstract: A distributed key management system (KMS) includes a central KMS server and multiple intermediate KMS servers. The central KMS server replicates managed keys to the intermediate KMS servers. An intermediate KMS server receives a KMS service request from a KMS client, where any of the intermediate KMS servers are capable of servicing the request. The intermediate KMS server performs the action requested if it has access to the necessary managed key and returns the response to the KMS client. If it does not have access to the necessary managed key, the intermediate KMS server transmits a request for the managed key to the central KMS server. The intermediate KMS server receives the managed key, performs the action requested, and returns the response to the KMS client.
  Type: Grant
  Filed: September 29, 2022
  Date of Patent: May 23, 2023
  Assignee: CLOUDFLARE, INC.
  Inventors: Derek Chamorro, Michael Pak, Ignat Korchagin, Chase Robinson
- Patent number: 11646884
  Abstract: An indication that a secure connection has been established with a key management service is received. The secure connection is associated with an automatically generated session encryption key utilized for encryption of data communication through the secure connection. In response to the indication that the secure connection has been established with the key management service, a determination is made to perform a rotation of a local encryption key utilized in encrypting locally stored data. The rotation of the local encryption key is performed based at least in part on the automatically generated session encryption key.
  Type: Grant
  Filed: June 4, 2021
  Date of Patent: May 9, 2023
  Assignee: ServiceNow, Inc.
  Inventor: Ashton Mozano
- Patent number: 11638317
  Abstract: According to one embodiment, an electronic apparatus includes a transmitter. The transmitter transmits data to be transmitted to a third wireless communication apparatus and a first wireless signal to instruct transmission of the data to the third wireless communication apparatus, to the first and second wireless communication apparatuses. The transmitter transmits, if any second wireless signal transmitted from the first or second wireless communication apparatuses is not detected within a first period after transmission of the first wireless signal, a third wireless signal to instruct transmission of the data to the third wireless communication apparatus to the first and second wireless communication apparatuses in order to instruct retransmission of the data.
  Type: Grant
  Filed: September 1, 2020
  Date of Patent: April 25, 2023
  Assignee: KABUSHIKI KAISHA TOSHIBA
  Inventors: Tatsuma Hirano, Toshio Ariga, Masahiro Sekiya, Toshihisa Nabetani
- Patent number: 11637696
  Abstract: In one implementation, a method for providing end-to-end communication security for a controller area network (CANbus) in an automotive vehicle across which a plurality of electronic control units (ECU) communicate is described. Such an automotive vehicle can include, for example, a car or truck with multiple different ECUs that are each configured to control various aspects of the vehicle's operation, such as an infotainment system, a navigation system, various engine control systems, and/or others.
  Type: Grant
  Filed: March 8, 2022
  Date of Patent: April 25, 2023
  Assignee: KARAMBA SECURITY LTD.
  Inventors: Tal Efraim Ben David, Assaf Harel, Amiram Dotan, David Barzilai, Eli Mordechai
- Patent number: 11626975
  Abstract: In a system comprising a customer providing a service to a plurality of client devices, a method and system for providing a customer-specific digital certificate to a client device of the plurality of client devices is disclosed. The method comprises receiving, in an intermediate certificate authority, a pre-generated digital certificate and an encrypted client device private key encrypted according to a private key encryption key PrKEK, receiving, from the client device, a request for the customer-specific digital certificate, the request comprising at least one of client device identifying information and information identifying the customer, the request signed according to a pre-provisioned client device digital certificate, and transmitting the customer-specific digital certificate and the encrypted client device private key to the client device.
  Type: Grant
  Filed: January 15, 2021
  Date of Patent: April 11, 2023
  Assignee: ARRIS Enterprises LLC
  Inventors: Alexander Medvinsky, Tat Keung Chan, Xin Qiu, Jason A. Pasion, Ting Yao, Shanthakumar Ramakrishnan
- Patent number: 11626984
  Abstract: A cryptographic acceleration card generates, using an attribute unique to a blockchain integrated station that comprises the cryptographic acceleration card, an identity private key for the blockchain integrated station. The cryptographic acceleration card generates a private key ciphertext by encrypting the identity private key. The cryptographic acceleration card stores the private key ciphertext.
  Type: Grant
  Filed: June 29, 2021
  Date of Patent: April 11, 2023
  Assignee: Alipay (Hangzhou) Information Technology Co., Ltd.
  Inventors: Changzheng Wei, Peng Wu, Ying Yan, Hui Zhang, Changhua He, Zongru Zhan
- Patent number: 11625496
  Abstract: Provided is a method for securing a digital document. An initial version of the digital document contains a set of data. The method comprises: generating a link value by applying a preset function to a subset of the set of data, allocating the link value to a target data belonging to the set of data and storing an entry comprising the target data in a secure storage unit, the target data being reachable in the secure storage unit through the link value, the secure storage unit being configured to use access rules for authorizing or denying a request initiated by a user and aiming at accessing the target data comprised in said entry, and generating an updated version of the digital document by removing the target data from the initial version of the digital document.
  Type: Grant
  Filed: October 10, 2018
  Date of Patent: April 11, 2023
  Inventors: Christopher Holland, Russell Egan
- Patent number: 11611435
  Abstract: A cryptographic key of a first instance of a group of one or more cloud nodes providing a service is managed. A request to share the cryptographic key with a second instance of a different group of one or more cloud nodes is received. A determination is made whether the second instance is allowed to access the cryptographic key. In response to a determination that the second instance is allowed to access the cryptographic key, the cryptographic key is encrypted with a target key of the second instance and the encrypted cryptographic key is signed using a cryptographic signature of the first instance. The signed encrypted cryptographic key is provided to the second instance.
  Type: Grant
  Filed: January 15, 2021
  Date of Patent: March 21, 2023
  Assignee: ServiceNow, Inc.
  Inventors: Shicheng Zhang, Huiqing Wen, Gregory Frederick Gibsen, Shu-Wei Hsu, Pierre Francois Rohel
- Patent number: 11606196
  Abstract: A method including decrypting, by a user device based at least in part on utilizing a master key, an assigned private key associated with the user device; decrypting, by a user device based at least in part on utilizing a trusted key, a double-encrypted symmetric key to determine a single-encrypted symmetric key; decrypting, by the user device based at least in part on utilizing the assigned private key, the single-encrypted symmetric key to determine a symmetric key; and decrypting, by the user device based at least in part on utilizing the symmetric key, an encrypted folder stored on the user device to provide access to data included in the encrypted folder. Various other aspects and techniques are contemplated.
  Type: Grant
  Filed: June 1, 2022
  Date of Patent: March 14, 2023
  Assignee: UAB 360 IT
  Inventor: Mindaugas Valkaitis
- Patent number: 11595363
  Abstract: Disclosed are various examples for securing the transmission of files to and from a client device. In some examples, an initialization token is identified for a file that includes a number of portions. An algorithm is iteratively applied to the initialization token to determine that no repeated output occurs over a number of iterations corresponding to the number of file portions. Initialization data is transmitted from a client device to a management service that manages access to the file. The initialization token is included in the initialization data if no repeated output occurs when the algorithm is iteratively applied over the number of iterations.
  Type: Grant
  Filed: February 17, 2021
  Date of Patent: February 28, 2023
  Assignee: AIRWATCH LLC
  Inventors: Anshuman Biswal, Akshay Laxminarayan, Ramani Panchapakesan
- Patent number: 11580034
  Abstract: A computer storage device having a host interface, a controller, non-volatile storage media, and firmware. The firmware instructs the controller to: limit a crypto key to be used in data access requests made in a first namespace allocated on the non-volatile storage media of the computer storage device; store data in the first namespace in an encrypted form that is to be decrypted using the crypto key; free a portion of the non-volatile storage media from the first namespace, the portion storing the data; and make the portion of the non-volatile storage media available in a second namespace without erasing the data stored in the portion of the non-volatile storage media.
  Type: Grant
  Filed: November 16, 2017
  Date of Patent: February 14, 2023
  Assignee: Micron Technology, Inc.
  Inventor: Alex Frolikov
- Patent number: 11563563
  Abstract: Embodiments afford secure transfer of security key type(s) between different database servers having different key hierarchies. For example, a key transfer may occur from a source server to a target server during a database migration process. Particular embodiments comprise a SQL transfer command statement (e.g., TRANSFER ENCRYPTION KEY) recognized by an engine. Syntax of the SQL transfer command includes a password and a filename for a security key. Upon receiving the SQL transfer command, the engine references an information repository to identify a relevant key hierarchy and key type, encrypts the security key with a key derived from the password, and stores (exports) the encrypted security key in a file for consumption (import) at the target server. The SQL transfer command may further comprise a direction component determining flow of key information, and an override function to deal with error messages arising from any already-existing security key having the same name.
  Type: Grant
  Filed: November 7, 2019
  Date of Patent: January 24, 2023
  Assignee: SAP SE
  Inventors: Rajnish Chitkara, Ramesh Gupta, Asif Iqbal Desai
- Patent number: 11563569
  Abstract: A method and an apparatus for controlling a data access right are disclosed. The method includes: receiving, by a first proxy node, a first request message from a request node, where the first request message includes an identity of the request node and an identifier of to-be-accessed data; determining a first encrypted ciphertext on a blockchain based on the identifier; determining, based on the identity, whether the request node has a right to read the first encrypted ciphertext; and if yes, initiating a right verification request for the request node to at least one second proxy node, and determining, based on a feedback result of the at least one second proxy node, provisioning of the first encrypted ciphertext. A proxy node is added to the blockchain network, so that a data source can freely grant or revoke the right of the request node without modifying a ciphertext, ensuring information security.
  Type: Grant
  Filed: September 18, 2020
  Date of Patent: January 24, 2023
  Assignee: Huawei Technologies Co., Ltd.
  Inventors: Ruifeng Hu, Feihu Jiang, Tsz Hon Yuen, Yaoguo Jiang, Haojun Zhou
- Patent number: 11550930
  Abstract: A system, apparatus, and method for communicating Bluetooth keys is described. The system and method utilize a gateway apparatus that is communicatively coupled to a cloud component over a first network channel, and communicates a gateway key over a local wireless Bluetooth channel. The gateway includes a processor, a memory, a fixed location, and a local broadcast range associated with an area surrounding the fixed location. The cloud component registers the gateway and a mobile wireless device having a processor and memory. When the mobile wireless device is within the local broadcast range of the gateway, the mobile wireless device receives the gateway key over the local wireless channel. Upon receiving the gateway key, the mobile wireless device communicates a device key over the local wireless channel to the gateway.
  Type: Grant
  Filed: December 9, 2019
  Date of Patent: January 10, 2023
  Assignee: NEXRF CORP.
  Inventor: Michael Anthony Kerr
- Patent number: 11546207
  Abstract: Implementations generally relate to methods, systems, and computer readable media for providing automatic access point registration. In some implementations, a method includes receiving an indication of automatic device on-boarding activation. The method further includes receiving a selection of one or more reference devices. The method further includes determining one or more detectable devices of the one or more candidate devices to be onboarded that are detectable by at least one of the one or more reference devices. The method further includes obtaining one or more automatic configuration parameters from one or more of the reference devices. The method further includes configuring one or more of the detectable devices to be onboarded with the one or more automatic configuration parameters.
  Type: Grant
  Filed: August 20, 2018
  Date of Patent: January 3, 2023
  Assignee: Sophos Limited
  Inventors: Balthasar Biedermann, Dirk Bolte, Ye Huang
- Patent number: 11540125
  Abstract: Provided is an authentication device capable of generating a master key suited to a UE in a 5GS. The authentication device (10) includes a communication unit (11) configured to, in registration processing of user equipment (UE), acquire UE key derivation function (KDF) capabilities indicating a pseudo random function supported by the UE, a selection unit (12) configured to select a pseudo random function used for generation of a master key related to the UE by use of the UE KDF capabilities, and a key generation unit (13) configured to generate a master key related to the UE by use of the selected pseudo random function.
  Type: Grant
  Filed: March 16, 2018
  Date of Patent: December 27, 2022
  Assignee: NEC CORPORATION
  Inventors: Sheeba Backia Mary Baskaran, Anand Raghawa Prasad, Sivabalan Arumugam, Sivakamy Lakshminarayanan, Hironori Ito, Andreas Kunz
- Patent number: 11539512
  Abstract: Methods and systems for encrypting and decrypting data comprising sending sensitive information to a first cryptographic processing system in a first cloud region for encryption with a first key encryption key generated by and stored by the first cryptographic processing system. The first encrypted sensitive information received from the first cryptographic processing system is stored in a first database. The sensitive information is also sent to a second cryptographic processing system in a second cloud region different from the first cloud region for encryption with a second key encryption key generated by and stored by the second cryptographic processing system. The second encrypted sensitive information received from the second cryptographic processing system is stored in a second database. If the first encrypted sensitive information cannot be decrypted by the first cryptographic processing system, the second encrypted sensitive information is sent to the second cryptographic processing system.
  Type: Grant
  Filed: October 9, 2020
  Date of Patent: December 27, 2022
  Assignee: STRIPE, INC.
  Inventors: Jonathan Wall, Gautam S. Raj
- Patent number: 11539513
  Abstract: A network device may establish a media access control security (MACsec) key agreement (MKA) session with another network device via a MACsec communication link; establish a fast heartbeat session via the MACsec communication link, between a first packet processing engine of the network device and a second packet processing engine of the other network device, where the fast heartbeat session is to permit the first packet processing engine and the second packet processing engine to exchange fast heartbeat messages via the fast heartbeat session and the MACsec communication link; place an MKA protocol of the MKA session in a pause state until the first packet processing engine detects a rekey event; determine that a key for the MKA session is to be regenerated based on detection of the rekey event; and perform an action based on the rekey event for the MKA session.
  Type: Grant
  Filed: February 7, 2018
  Date of Patent: December 27, 2022
  Assignee: Juniper Networks, Inc.
  Inventors: Baba Syed Mazaz Hussain, Sachin Mutalik Desai
- Patent number: 11539678
  Abstract: A key manager receives one or more asymmetric key pairs associated with a user to be associated with remote access of cloud computing resources, selects a first asymmetric key pair of the one or more asymmetric key pairs, determines one or more cloud service providers associated with the user, selects a first cloud service provider of the one or more cloud service providers to be associated with the first asymmetric key pair, determines one or more cloud service components associated with the first cloud service provider that are accessible to the user, provisions at least one of the one or more cloud service components with the first public key, and configures a connection component to establish a secure connection to the at least one of the one or more cloud service components using the first private key.
  Type: Grant
  Filed: August 16, 2019
  Date of Patent: December 27, 2022
  Assignee: Red Hat, Inc.
  Inventor: Alberto Ruiz Ruiz
- Patent number: 11533615
  Abstract: Embodiments of a device and method are disclosed. In an embodiment, a method of communications involves from a wireless sensor deployed at a customer site, connecting to a wireless access point (AP) deployed at the customer site and based on a private key stored in the wireless sensor, performing mutual authentication between the wireless sensor and an authentication server connected to the wireless AP.
  Type: Grant
  Filed: May 6, 2021
  Date of Patent: December 20, 2022
  Assignee: Nile Global, Inc.
  Inventors: Gopal Raman, Suresh Katukam, Promode Nedungadi, Sathish Damodaran, Tjandra Trisno, Avinash Kumar, Steve Alexander
- Patent number: 11520710
  Abstract: Systems and methods authenticate storage devices. In one implementation, a computer-implemented method is provided for authenticating a storage device. According to the method, a manifest that identifies a destination is received. A transfer station reads a digital signature from the storage device. The digital signature is validated and, based on the validation of the digital signature, a transfer of one or more files from the storage device via the transfer station is authorized to the destination identified in the manifest.
  Type: Grant
  Filed: July 17, 2020
  Date of Patent: December 6, 2022
  Assignee: Amazon Technologies, Inc.
  Inventors: Chelsey B. Coughlin, Eric M. Wagner
- Patent number: 11516216
  Abstract: A credentials store definition identifying a remote credential store is received. The credential store definition includes access information to enable access to the remote credentials store. A credentials object is created in an internal database based on a credentials object definition. The credentials object identifies a security credential to retrieve from the remote credentials store to access an external resource. At runtime, a request to access the external resource is received, and based on receiving the request, the security credentials identified by the credentials object are retrieved from the remote credential store using the access information. The retrieved security credential is provided to a processing component to access the external resource.
  Type: Grant
  Filed: April 27, 2021
  Date of Patent: November 29, 2022
  Assignee: Snowflake Inc.
  Inventors: Derek Denny-Brown, Tyler Jones, Isaac Kunen
- Patent number: 11514778
  Abstract: A system and method for collecting, processing, storing, or transmitting traffic data. A localized data collection module may retrieve, receive, or intercept traffic data through or from hardware installed in a traffic control cabinet adjacent an intersection or other roadway feature of interest. Data which may have previously been confined to a closed loop traffic control system may be remotely accessible for traffic operations control or monitoring via a network connected server and/or cloud architecture.
  Type: Grant
  Filed: February 14, 2020
  Date of Patent: November 29, 2022
  Assignee: Teledyne FLIR Commercial Systems, Inc.
  Inventors: Daniel Benhammou, Tyler Birgen, Gary Christiansen
- Patent number: 11513970
  Abstract: Virtual memory address space is divided according to areas of the virtual memory address, and some areas are allocated to low-cost volatile memory (such as RAM) when the memory areas are not required by an application to be stored in non-volatile memory, such as NVDIMM. A loader mechanism creates and maintains a layout address table in non-volatile memory for recovery from an unexpected reset.
  Type: Grant
  Filed: November 1, 2019
  Date of Patent: November 29, 2022
  Assignee: International Business Machines Corporation
  Inventors: Juscelino Candido De Lima Junior, Breno H. Leitao, Carlos Eduardo Seo
- Patent number: 11509479
  Abstract: Disclosed are various approaches for authenticating a user through a voice assistant device and creating an association between the device and a user account. The request is associated with a network or federated service. The user is prompted to use a client device, such as a smartphone, to initiate an authentication flow. A soundwave is played through the voice assistant device that contains a secret key, which is then sent to an assistant connection service along with a token identifying the user or the user's device. An association between the user account and the voice assistant device can then be created.
  Type: Grant
  Filed: June 4, 2019
  Date of Patent: November 22, 2022
  Assignee: VMware, Inc.
  Inventors: Ramanandan Nambannor Kunnath, Ramani Panchapakesan, Ajay Bhat, Pranav Shenoy
- Patent number: 11501012
  Abstract: Methods and systems for sharing a network link of a file in network storage for collaboration among multiple computing devices using end-to-end encryption may involve generating a link key associated with the file stored remotely in the network storage, being accessible by a first device, and to be accessible by a second device, encrypting a session key associated with the file to generate an encrypted session key using the link key, the file being encrypted with the session key and, generating a salt associated with the file, generating a verifier associated with the file using the link key, sending a message to a server computer with an identifier associated with the file, the salt, the verifier, and the encrypted session key, creating a first link to the file with a name associated with the first device, the identifier, and the link key, and transmitting the first link to the second device.
  Type: Grant
  Filed: March 31, 2021
  Date of Patent: November 15, 2022
  Assignee: SKIFF WORLD, INC.
  Inventors: Andrew Milich, Jason Ginsberg
- Patent number: 11494763
  Abstract: Methods and systems including: receiving a request to take an action in a cryptoasset custodial system for an account holder; authenticating a policy map associated with the action, wherein the policy map defines access control rules governing which actions are allowed under conditions including a threshold number of endorsements needed; and validating endorsement messages for the action by checking digital signatures of the received endorsement messages, wherein at least one of the validated endorsement messages has been generated by digital signing with a first private key of a person, who is associated with the account holder, and at least one of the validated endorsement messages has been generated by digital signing with a second private key of a program, which is associated with the account holder, responsive to the program confirming one or more circumstances specified by the account holder are met at a time when the program is run.
  Type: Grant
  Filed: September 12, 2019
  Date of Patent: November 8, 2022
  Assignee: Anchor Labs, Inc.
  Inventors: Diogo Monica, Nathan P. McCauley, Boaz Avital, Riyaz D. Faizullabhoy
- Patent number: 11496289
  Abstract: Disclosed are systems, methods, and non-transitory computer-readable media for symmetric cryptography using varying sized symbol sets. To protect against a brute force or other similar type of attack, multiple symbol sets of varying sizes can be used for encrypting/decrypting data. For example, different portions of the data (e.g., data blocks representing multiple symbols, set of bits representing a single symbol) may be encrypted/decrypted using different symbol sets that include different numbers of unique symbols. Using varying sized symbol sets adds additional complexity to the encryption process, thereby greatly increasing the difficulty in decrypting the encrypted data with a brute force attack.
  Type: Grant
  Filed: August 5, 2020
  Date of Patent: November 8, 2022
  Assignee: Microsoft Technology Licensing, LLC
  Inventors: Amer Aref Hassan, Whitney J Giaimo, Roy D Kuntz
- Patent number: 11488138
  Abstract: Systems, methods, and computer-readable media for conducting payments are provided. In one example embodiment, a commercial entity system, in communication with a merchant subsystem and a payment electronic device, includes at least one processor component, at least one memory component, and at least one communications component, wherein the commercial entity system is configured to receive transaction request data from the merchant subsystem, wherein the transaction request data includes a payment device identifier of the payment electronic device and transaction information related to a transaction, transmit payment request data to the payment electronic device, wherein the payment request data includes at least a portion of the transaction information of the received transaction request data, receive payment card data from the payment electronic device based on the transmitted payment request data, and transmit at least a portion of the received payment card data to the merchant subsystem.
  Type: Grant
  Filed: September 30, 2014
  Date of Patent: November 1, 2022
  Assignee: Apple Inc.
  Inventor: Timothy S. Hurley
- Patent number: 11487886
  Abstract: An example operation may include one or more of generating, by a first blockchain client, a transaction to a blockchain network to transfer a document, transferring over a private channel, by a second blockchain client, a first key to the first blockchain client, the private channel providing a point-to-point connection between the first and second blockchain clients, encrypting the document using a shared key, transferring, by the first blockchain client, the encrypted document over the private channel, generating, by the second blockchain client, a transaction to acknowledge receipt of the encrypted document, and transferring the shared key encrypted with the first key.
  Type: Grant
  Filed: May 3, 2019
  Date of Patent: November 1, 2022
  Assignee: International Business Machines Corporation
  Inventors: Vijender Koorella, Pramod Verma, Richard Gunjal, Ching-Yun Chao, Jeronimo Irazabal
- Patent number: 11483146
  Abstract: A technique for protecting a cryptographic key. A user has an identifier and an associated password. The first cryptographic key is designed to decrypt a piece of encrypted data. The user device generates a second cryptographic key by applying a key derivation algorithm to at least the password, then encrypts the first cryptographic key by applying an encryption algorithm parameterized by the second cryptographic key. The user device then provides the encryption of the first cryptographic key to a management device for storage. A response associated with a question is obtained from the user. The user device calculates a result of an application of a function to at least one response associated with a question, then provides a value dependent on the result to a management device for storage. The value then enables the user device to determine the password when it has the response to the corresponding question.
  Type: Grant
  Filed: December 12, 2018
  Date of Patent: October 25, 2022
  Assignee: ORANGE
  Inventors: Sebastien Canard, Nicolas Desmoulins, Marie Paindavoine
-
Patent number: 11475147
Abstract: A computer-implemented method according to one embodiment includes identifying a creation of a container within a system, selecting a security policy for the container, based on one or more attributes, identifying a key label associated with the security policy for the container, retrieving a data encryption key, utilizing the key label, and encrypting the container, utilizing the data encryption key. This may enable a highly granular level of automatic container-level security within the system that may be transparently implemented within the system, which may streamline container security and reduce an amount of stored data and processing necessary for implementing container security, and may thereby improve the performance of the system.
Type: Grant
Filed: February 20, 2018
Date of Patent: October 18, 2022
Assignee: International Business Machines Corporation
Inventors: Cecilia C. Lewis, Wayne E. Rhoten, Eric D. Rossman, Mark A. Nelson, John C. Dayka
-
Patent number: 11477014
Abstract: There is a need for more effective and efficient secure data transmission. This need can be addressed by, for example, solutions for secure data transmission that utilize per-user-functionality secret shares. In one example, a method includes generating a hashed user identifier based on a received user identifier; transmitting the hashed user identifier to an external computing entity; and receiving a data retrieval secret share from the external computing entity, wherein: (i) the data retrieval secret share is selected from a plurality of per-user-functionality secret shares, (ii) the plurality of per-user-functionality secret shares are generated based on a secret value, (iii) the secret value is generated based on the hashed user identifier, (iv) the secret value is used to generate a user data private key, and (v) the external computing entity is configured to encrypt user-provided data using the user data private key prior to transmission of the encrypted user-provided data.
Type: Grant
Filed: August 18, 2020
Date of Patent: October 18, 2022
Assignee: Liberty Mutual Insurance Company
Inventor: Gregory Frasco
-
Patent number: 11469907
Abstract: Systems and methods for enabling collection of signed data in a collaborative content sharing platform. One embodiment is a method including producing a form having one or more data entry components and at least one signature block component, selecting assignee users of the content sharing platform, providing the form to the selected assignee users, enabling these users to enter data and sign the form, and storing the assignee users' data in a data structure which is separate from the form, where the data structure includes a record for each assignee user, the record containing data entered by the user and electronic signature data for the user. The data structure is protected in the same manner as other data in the collaborative content sharing platform and may be accessible by some users, but not others, in accordance with their respective roles and authorizations.
Type: Grant
Filed: March 5, 2020
Date of Patent: October 11, 2022
Assignee: OPEN TEXT SA ULC
Inventors: Ryan David Steeves, Melissa Colleen Kleiber
-
Patent number: 11456076
Abstract: Medical devices critical to patient health and safety that communicate with third party hardware and software, such as smart devices, require validation to ensure compatibility and correct performance. Disclosed are methods and systems to perform a self-validation of hardware and/or software components with a medical device to confirm that any combination of hardware and software are compatible and perform acceptably. If the self-validation passes then the user may safely use the system, and it may report to a cloud server that the particular configuration tested was successful. If the self-validation fails, the user will be prevented from using safety-critical aspects of the application and be notified of the incompatibility; and the results may also be reported to a cloud server.
Type: Grant
Filed: May 1, 2020
Date of Patent: September 27, 2022
Assignee: MEDTRONIC MINIMED, INC.
Inventors: Arnold Holmquist, Eric Cohen, Haripriyan Hampapuram, Michael Mensinger
-
Patent number: 11457387
Abstract: A communication system is described in which user plane communication and control plane communication for a particular mobile communication device can be split between a base station that operates a small cell and a macro base station. Appropriate security for the user plane and control plane communications is safeguarded by ensuring that each base station is able to obtain or derive the correct security parameters for protecting the user plane or control plane communication for which it is responsible.
Type: Grant
Filed: June 17, 2021
Date of Patent: September 27, 2022
Assignee: NEC CORPORATION
Inventor: Vivek Sharma
-
Patent number: 11451372
Abstract: An encryption device (50) generates a ciphertext ct encrypted from information x with using an encryption token etk. A decryption key generation device (60) generates a decryption key dk from a user secret key sk in which a vector y is set, with using a decryption token dtk corresponding to the encryption token etk. A privacy-preserving analysis device (70) decrypts the ciphertext ct generated by the encryption device (50), by means of the decryption key dk generated by the decryption key generation device (60), so as to generate a result of computation over the vector x and the vector y.
Type: Grant
Filed: January 17, 2018
Date of Patent: September 20, 2022
Assignee: MITSUBISHI ELECTRIC CORPORATION
Inventors: Yutaka Kawai, Takato Hirano, Yoshihiro Koseki
-
Patent number: 11451381
Abstract: A first device and a second device are disclosed for reaching agreement on a secret value. Herein, the second device comprises a receiver configured to receive information indicative of a reconciliation data h from the first device, a processor configured to compute a common secret s based on an integer value b, an equation, and system parameters. The processor is configured to compute b based on a key exchange protocol. The first device has a number a in approximate agreement with the number b. The first device comprises a processor configured to determine a common secret s based on an integer value a, an equation, and system parameters, and determine a reconciliation data h. The first device further comprises a transmitter configured to transmit information indicative of the reconciliation data h to the second device.
Type: Grant
Filed: October 31, 2017
Date of Patent: September 20, 2022
Assignee: Koninklijke Philips N.V.
Inventors: Ludovicus Marinus Gerardus Maria Tolhuizen, Ronald Rietman, Oscar Garcia Morchon
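The reconciliation step in this abstract, as an added example (not Philips' code) using the same symbols a, b, h and s: the first device scales its integer a from Z_q onto 2^(B+b_h) equal bins, keeps the top B bits as the secret s and sends the next b_h bits as the reconciliation data h; the second device, holding a nearby b and the public h, rounds to the bin that h singles out and recovers the same s whenever |a - b| (taken mod q, signed) stays under the tolerance the last function computes. The parameter names q, B, b_h and their values are this example's assumptions, and how a and b came to agree approximately (a noisy key exchange) is outside the block.

```python
# Added example; not Philips' code. q, B and b_h are this example's own parameters.
Q = 12289     # modulus; any q works, this one is common in lattice key exchanges
B = 4         # secret bits extracted from one coefficient
BH = 2        # reconciliation bits sent in the clear


def secret_and_rec_data(a: int, q: int = Q, bits: int = B, bh: int = BH):
    """First device: scale a into 2^(B+b_h) bins; s = top B bits, h = next b_h bits."""
    x = (a * (1 << (bits + bh))) // q             # floor(a * 2^(B+b_h) / q)
    s = (x >> bh) & ((1 << bits) - 1)
    h = x & ((1 << bh) - 1)
    return s, h


def reconcile(b: int, h: int, q: int = Q, bits: int = B, bh: int = BH) -> int:
    """Second device: choose the s whose bin (s*2^b_h + h) has its centre closest to b.

    Computes round((b*2^(B+b_h) - (h + 1/2)*q) / (q*2^b_h)) mod 2^B in exact integer
    arithmetic; floor division keeps the rounding correct for negative values, and
    the final reduction mod 2^B absorbs wrap-around of b past q.
    """
    num = b * (1 << (bits + bh + 1)) - (2 * h + 1) * q   # twice the numerator
    den = q * (1 << (bh + 1))                            # twice the denominator
    s = (2 * num + den) // (2 * den)                     # round half up of num/den
    return s % (1 << bits)


def tolerance(q: int = Q, bits: int = B, bh: int = BH) -> float:
    """Largest |a - b| for which reconcile() is guaranteed to return the first device's s."""
    return q * ((1 << (bh - 1)) - 0.5) / (1 << (bits + bh))


def agree(a: int, b: int):
    """Both sides' view of one reconciliation: (s at device 1, h on the wire, s at device 2)."""
    s1, h = secret_and_rec_data(a)
    return s1, h, reconcile(b, h)
```

For a uniformly distributed a the bits in h are (almost) independent of s, which is why h can travel in the clear; the price of each extra reconciliation bit is a tolerance that approaches q/2^(B+1) from below, and a real parameter set has to keep that tolerance above the key-exchange noise with negligible failure probability, since a mismatch here is a failed handshake rather than a detectable error.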
-
Patent number: 11451402
Abstract: A secure cryptographic cold storage apparatus and system. Embodiments of the present disclosure provide for a cold storage apparatus configured to generate a private key, compute an associated PK/PKH and display the latter on a visual display screen. An associated interface apparatus is configured to retrieve the PK/PKH optically and store it in memory. The interface apparatus is configured to produce an associated message and render it at a visual display. The cold storage apparatus may retrieve the message optically, and cryptographically sign the message utilizing one or more public key cryptography methods. The cold storage apparatus produces a graphical output comprising the signed message and renders it at the visual display. The interface apparatus retrieves the signed message and verifies that the cold storage apparatus signed the message, utilizing the public key cryptography methods.
Type: Grant
Filed: July 29, 2021
Date of Patent: September 20, 2022
Assignee: IPAssets Technology Holdings Inc.
Inventor: Douglas J. Pepe
-
Patent number: 11444756
Abstract: Quantum key distribution network security survivability can be provided by receiving, at a software defined networking controller operating in a control layer of a network, a recommendation from a global analytics service operating in an application layer of the network, the recommendation for replacing a failed communication link in a quantum key distribution layer of the network, the failed communication link being detected by a quantum edge computing device operating in the quantum key distribution layer. The software defined networking controller can generate a command to cause a quantum key distribution resource to perform an action to mitigate impact from the failed communication link. The command can be sent to the quantum key distribution resource and the quantum key distribution resource can perform the action to mitigate the impact from the failed communication link.
Type: Grant
Filed: November 20, 2020
Date of Patent: September 13, 2022
Assignee: AT&T Intellectual Property I, L.P.
Inventors: Moshiur Rahman, William Trost, Daniel Solero
-
Patent number: 11445366
Abstract: Methods for managing a device and said device configured to communicate on multiple radio communication systems. The communications device includes a memory and an electronic processor electrically connected to the memory. The processor is configured to store a plurality of keymaps, each keymap of the plurality of keymaps corresponding to at least one of a particular communication system of the multiple radio communication systems and operate, in response to a user input, on a first radio communication system of the multiple radio communication systems. The processor is further configured to manage traffic operations to and from a communication system according to a first keymap of the plurality of keymaps corresponding to the first communication system when the electronic processor is operating on the first radio communication system and perform a key management operation of a selected second keymap corresponding to a second radio communication system in response to receiving a command.
Type: Grant
Filed: August 23, 2019
Date of Patent: September 13, 2022
Assignee: MOTOROLA SOLUTIONS, INC.
Inventors: Mark A. Boerger, Edward Licht, Saeed Tasharofi
-
Patent number: 11436346
Abstract: A method and device for protecting encrypted data are disclosed. In an embodiment an integrated circuit includes a secure module including a first register containing a first mask and a second register containing masked data, the first mask and the masked data forming a secret key and a processor configured to generate a second mask and mask the secret key with the second mask when the secret key is not used for an encryption operation and during reception of a validation signal, wherein the first and second registers are disposed in the secure module so that the outputs of the registers are not simultaneously optically viewable.
Type: Grant
Filed: May 4, 2020
Date of Patent: September 6, 2022
Assignees: STMICROELECTRONICS (GRENOBLE 2) SAS, STMICROELECTRONICS (ROUSSET) SAS
Inventors: Fabien Journet, Yanis Linge
-
Patent number: 11431487
Abstract: Systems and methods for adaptive attack resistant distributed symmetric cryptography are disclosed. A client computer may communicate with a number of cryptographic devices in order to encrypt or decrypt data. Each cryptographic device may possess multiple secret shares corresponding to distinct secret values, which may be used in the process of encrypting or decrypting data. The client computer may generate multiple commitments and transmit those commitments to the cryptographic devices. Each cryptographic device may generate a partial computation based on the commitments and their respective secret shares. The partial computations may be transmitted to the client computer. The client computer may use the partial computations to generate a cryptographic key. The client computer may use the cryptographic key to encrypt a message or decrypt ciphertext.
Type: Grant
Filed: April 28, 2020
Date of Patent: August 30, 2022
Assignee: VISA INTERNATIONAL SERVICE ASSOCIATION
Inventor: Pratyay Mukherjee
-
Patent number: 11431489
Abstract: An encryption processing system includes: a first device; second devices; and a third device, wherein the first device generates synthesis keys by selecting public keys of the second devices; generates an intermediate text from confidential texts generated by encrypting secret information by using public keys of the second devices having decryption authority; generates ciphertexts by further encrypting the intermediate text using the synthesis keys; and makes public the ciphertexts, each of the second devices verifies validity of the ciphertexts; generates decryption key fragments by using an own private key; and makes public the decryption key fragments, the third device verifies validity of the decryption key fragments; generates a decryption key by combining decryption key fragments; generates the intermediate text by decrypting one of the ciphertexts; and makes public the intermediate text, and the second device decrypts the intermediate text using the own private key; and restores the secret information.
Type: Grant
Filed: October 27, 2020
Date of Patent: August 30, 2022
Assignee: FUJITSU LIMITED
Inventors: Toshiya Shimizu, Takeshi Shimoyama, Goichiro Hanaoka, Yusuke Sakai, Seonghan Shin
-
Patent number: 11418340
Abstract: A method comprises: receiving, at a first device, a request to decrypt data encrypted with a symmetric key, the encrypted data stored on a memory device; retrieving shards of the symmetric key, the shards encrypted with public keys from a plurality of devices, wherein decryption of the data requires reconstituting the symmetric key from a threshold number of the shards; determining a priority to request decryption of the shards with private keys from the plurality of devices; requesting decryption by the plurality of devices of the shards in the determined priority until the threshold number of shards is reached; reconstituting the symmetric key from the decrypted shards; and decrypting the encrypted data with the symmetric key.
Type: Grant
Filed: October 1, 2020
Date of Patent: August 16, 2022
Assignee: Atakama LLC
Inventors: Christopher Higley, Alexander Pinkerton, Daniel Gallancy
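The recovery procedure in this abstract, as an added example that is not Atakama's code: the symmetric key is Shamir-split into n shards with threshold t, each shard belongs to one device, and the requester asks devices in priority order until t shards are back, skipping any that do not answer. The standard library has no public-key encryption, so each Device object simply holds its shard where the real system would hold the shard encrypted to that device's public key and decrypt it on request; the field prime, device names and priorities are this example's assumptions.

```python
import secrets
from dataclasses import dataclass

# Added example; not Atakama's code. Field prime, names and priorities are assumptions.
P = (1 << 521) - 1   # Mersenne prime M521: comfortably larger than any 256-bit key


def split_key(key: bytes, n: int, t: int) -> list:
    """Shamir split of `key` into n shards, any t of which reconstitute it."""
    secret = int.from_bytes(key, "big")
    assert secret < P and 1 <= t <= n
    coeffs = [secret] + [secrets.randbelow(P) for _ in range(t - 1)]   # degree t-1 polynomial
    shards = []
    for x in range(1, n + 1):
        y = 0
        for c in reversed(coeffs):            # Horner evaluation of the polynomial at x
            y = (y * x + c) % P
        shards.append((x, y))
    return shards


def reconstruct(shards: list, key_len: int = 32) -> bytes:
    """Lagrange interpolation at x = 0 over GF(P) from t distinct shards.

    Fewer than t shards do not fail here, they yield garbage, so the caller still
    needs an integrity check (an AEAD tag on the data) before trusting the result.
    """
    secret = 0
    for xi, yi in shards:
        num = den = 1
        for xj, _ in shards:
            if xj != xi:
                num = num * (-xj) % P
                den = den * (xi - xj) % P
        secret = (secret + yi * num * pow(den, -1, P)) % P
    return secret.to_bytes(key_len, "big")


@dataclass
class Device:
    name: str
    priority: int        # lower is asked first: e.g. local hardware key before remote escrow
    online: bool
    shard: tuple         # stand-in for the shard encrypted to this device's public key

    def decrypt_shard(self) -> tuple:
        """Models asking the device to decrypt its shard with its private key."""
        if not self.online:
            raise TimeoutError(f"{self.name} did not respond")
        return self.shard


def recover_key(devices: list, t: int, key_len: int = 32):
    """Ask devices in priority order until t shards are decrypted, then reconstitute."""
    collected, asked = [], []
    for dev in sorted(devices, key=lambda d: d.priority):
        if len(collected) == t:
            break
        try:
            collected.append(dev.decrypt_shard())
            asked.append(dev.name)
        except TimeoutError:
            continue                 # move on to the next device in priority order
    if len(collected) < t:
        raise RuntimeError(f"only {len(collected)} of {t} shards recovered")
    return reconstruct(collected, key_len), asked
```

The priority order decides which devices get to see a decryption request at all, so it is also where the policy lives: a local hardware-backed device first keeps routine decryptions off the network, while escrow or a colleague's device only gets asked when the preferred ones are unavailable, and the list of devices actually asked is worth logging for that reason.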