Key Distribution Patents (Class 380/278)
  • Patent number: 11372984
    Abstract: Embodiments of the present systems and methods may provide techniques to provide host side encryption while maintaining compression and deduplication benefits and providing communication between the host and the storage system that does not leak information about the data compressibility/deduplication properties. For example, in an embodiment, a method may comprise compressing, at a computer system, an original sector of data, generating a new sector of data including a first part including metadata and padding data, and a second part including the original sector of data that has been compressed and encrypted using a data encryption key (DEK), encrypting, at the computer system, the new sector of data using a data reduction key (DRK), and transmitting, at the computer system, the encrypted new sector of data to a storage system.
    Type: Grant
    Filed: August 14, 2019
    Date of Patent: June 28, 2022
    Assignee: International Business Machines Corporation
    Inventors: Doron Chen, Michael Factor, Danny Harnik, Eliad Tsfadia
  • Patent number: 11374750
    Abstract: A computing system comprising: processor(s) and memory; at least one network interface communicatively coupled to the at least one processor and configured to communicate with at least one remotely located computing device; wherein the at least one network interface is configured to receive a plurality of public encryption keys from the at least one remotely located computing device; wherein the at least one processor is configured to: split at least one secret into a plurality of shares, wherein at least a subset of the plurality of shares is sufficient to reconstruct the at least one secret; encrypt each of the plurality of shares based on a different public encryption key of the plurality of public encryption keys to create a plurality of encrypted shares; wherein the at least one network interface is configured to communicate the encrypted shares to the at least one remotely located computing device.
    Type: Grant
    Filed: June 1, 2020
    Date of Patent: June 28, 2022
    Assignee: tZERO IP, LLC
    Inventors: Jonathan Dolan, Michael D. Ornelas, Kevin Hartley, Pengyu Chen, Juston Johnson
  • Patent number: 11368293
    Abstract: Systems, apparatuses, methods, and computer program products are disclosed for session authentication. An example method includes receiving, by decoding circuitry and over a quantum line, a set of qbits generated based on a first set of quantum bases. The example method further includes decoding, by the decoding circuitry and based on a second set of quantum bases, the set of qbits to generate a decoded set of bits comprising at least one wildcard bit. The example method further includes generating, by session authentication circuitry, a session key based on the decoded set of bits, wherein the session key is generated based at least in part on the at least one wildcard bit.
    Type: Grant
    Filed: July 16, 2020
    Date of Patent: June 21, 2022
    Assignee: Wells Fargo Bank, N.A.
    Inventor: Masoud Vakili
  • Patent number: 11368279
    Abstract: A processing apparatus includes at least one processor configured to function as: an input unit that receives encrypted data based on homomorphic encryption as an input; and a process execution unit that executes a predetermined process by using the encrypted data while maintaining a secret state by encryption and includes one or more processing units. At least one of the processing units is a multiplication corresponding processing unit for executing a calculation in a ciphertext space corresponding to a processing of multiplying plaintext data by a predetermined multiplier. The multiplication corresponding processing unit executes a calculation in the ciphertext space corresponding to a calculation of multiplying the plaintext data by an adjustment multiplication value on first encrypted data input from a preceding stage and outputs resulting data.
    Type: Grant
    Filed: December 20, 2018
    Date of Patent: June 21, 2022
    Assignee: AXELL CORPORATION
    Inventors: Yusuke Hoshizuki, Masashi Michigami
  • Patent number: 11368300
    Abstract: A request to perform a cryptographic operation is received, the request including a first identifier assigned to a key group, the key group comprising a plurality of second identifiers, with the plurality of second identifiers corresponding to a plurality of cryptographic keys. A second identifier is determined, according to a distribution scheme, from the plurality of second identifiers, and the cryptographic operation is performed using a cryptographic key of the plurality of cryptographic keys that corresponds to the second identifier that was determined.
    Type: Grant
    Filed: March 6, 2020
    Date of Patent: June 21, 2022
    Assignee: Amazon Technologies, Inc.
    Inventors: Gregory Branchek Roth, Matthew John Campagna, Benjamin Elias Seidenberg
  • Patent number: 11363582
    Abstract: Methods, systems, and devices for wireless communications are described. A user equipment (UE) may communicate with a base station in a wireless communications system. The base station may transmit signaling to the UE over a broadcast channel. The base station may transmit control signaling to the UE that indicates a broadcast root key. The UE may identify the broadcast root key for a wireless network corresponding to the base station. The base station may transmit an encrypted broadcast transmission. The UE may receive the encrypted broadcast transmission from the base station, and the UE may decrypt the encrypted broadcast transmission to obtain broadcast information based on a cell-specific key derived from the broadcast root key.
    Type: Grant
    Filed: December 20, 2019
    Date of Patent: June 14, 2022
    Assignee: QUALCOMM Incorporated
    Inventors: Soo Bum Lee, Gavin Bernard Horn, Ravi Agarwal, Ozcan Ozturk, Naga Bhushan
  • Patent number: 11354449
    Abstract: Securely provisioning a System on a Chip (SoC) includes generating a public/private key pair having a public key and a private key, securely storing the private key external to the SoC, embedding the public key in Resistor Transistor Logic (RTL) of the SoC during manufacture of the SoC, encrypting provisioning data using the private key to create encrypted provisioning data, and programming the SoC using the encrypted provisioning data. The secure provisioning may further include generating a secret shared key, embedding the secret shared key in the RTL of the SoC during manufacture of the SoC, and encrypting the provisioning data using the secret shared key. The RTL may be the boot Read Only Memory (ROM) of the SoC. The secure provisioning technique may also be used for subsequent provisioning after the SoC is deployed.
    Type: Grant
    Filed: April 18, 2019
    Date of Patent: June 7, 2022
    Assignee: Tesla, Inc.
    Inventor: Patryk Kaminski
  • Patent number: 11356248
    Abstract: A technique for ciphering source data (306) into target data (308) is described. As to a method aspect of the technique, a level (302) of ciphering is determined for the source data (306). A key sequence (304) is generated depending on the determined level (302) of ciphering. The source data (306) and the key sequence (304) are combined resulting in the target data (308).
    Type: Grant
    Filed: December 21, 2017
    Date of Patent: June 7, 2022
    Assignee: Telefonaktiebolaget LM Ericsson (Publ)
    Inventors: Gabor Sandor Enyedi, Zoltan Kiss, Gergely Pongrácz
  • Patent number: 11341269
    Abstract: Methods for secure random selection of t client devices from a set of N client devices and methods for secure computation of inputs of t client devices randomly selected from N client devices are described. Such random selection method may include determining an initial binary vector b of weight t by setting the first t bits to one: bi=1, 1≤i≤t, and all further bits to zero: bi=0, t<i≤N; each client device i (i=1, . . . , N) of the set of N client devices jointly generating a random binary vector b of weight t in an obfuscated domain on the basis of the initial binary vector b including: determining a position n in the binary vector; determining a random number r in {n, n+1, . . . N}; and, using the random number to swap binary values at positions n and r of the binary vector b.
    Type: Grant
    Filed: December 28, 2018
    Date of Patent: May 24, 2022
    Assignee: FLYTXT B.V.
    Inventor: Thijs Veugen
  • Patent number: 11341232
    Abstract: The present invention relates to a method for making available a security key, wherein a smart card adapted according to the invention is employed for the production thereof. In this case, an expedient method sequence is proposed which makes it possible for the smart card to make available, for example, a so-called one-time password or a dynamic check number in interaction with a token server. The present invention further relates to a correspondingly adapted computing arrangement and to a computer program product with control commands which implement the method and/or operate the computing arrangement.
    Type: Grant
    Filed: June 18, 2019
    Date of Patent: May 24, 2022
    Assignee: GIESECKE+DEVRIENT MOBILE SECURITY GMBH
    Inventors: Volker Stohr, Frank-Michael Kamm, Nils Gerhardt, Andreas Chalupar
  • Patent number: 11336442
    Abstract: Traditional key generation methods in a noisy network often assume trusted devices and are thus vulnerable to many attacks including covert channels. The present invention differs from previous key generation schemes in that it presents a mechanism which allows secure key generation with untrusted devices in a noisy network with a prescribed access structure.
    Type: Grant
    Filed: November 8, 2018
    Date of Patent: May 17, 2022
    Assignee: UNIVERSIDAD DE VIGO
    Inventors: Marcos Curty Alonso, Lo Hoi-Kwong
  • Patent number: 11329815
    Abstract: A key management device for data encryption/decryption is provided. The key management device includes a static random-access memory (SRAM), a register, and a control circuit. The control circuit can set a key lookup table in the SRAM or the register, and manage a key database. The key database includes the SRAM and a one-time programmable (OTP) memory disposed outside the key management device, and the key database stores at least one key. The key lookup table includes a key number and metadata of each of the at least one key stored in the key database. According to a specific key number contained in a key read command or a key delete command from the processor, the control circuit reads or deletes a specific key corresponding to the specific key number in the key database.
    Type: Grant
    Filed: December 31, 2019
    Date of Patent: May 10, 2022
    Assignee: NUVOTON TECHNOLOGY CORPORATION
    Inventor: Yu-Shan Li
  • Patent number: 11327782
    Abstract: The present disclosure provides an approach for migrating the contents of an enclave, together with a virtual machine comprising the enclave, from a source host to a destination host. The approach provides a technique that allows the contents of the enclave to remain secure during the migration process, and also allows the destination host to decrypt the contents of the enclave upon receiving the contents and upon receiving the VM that includes the enclave. The approach allows for the VM to continue execution on the destination host. The enclave retains its state from source host to destination host. Applications using the enclave in the source host are able to continue using the enclave on the destination host using the data migrated from the source host to the destination host.
    Type: Grant
    Filed: September 5, 2019
    Date of Patent: May 10, 2022
    Assignee: VMware, Inc.
    Inventors: Alok Nemchand Kataria, Martim Carbone, Deep Shah
  • Patent number: 11328098
    Abstract: An electronic circuit includes an interface, a read-only memory in which encrypted data are stored, and cryptographic circuitry coupled to the interface. In operation, the cryptographic circuitry uses a decryption key received via the interface to decrypt the encrypted data. The electronic circuit performs one or more operations using the decrypted data.
    Type: Grant
    Filed: June 5, 2020
    Date of Patent: May 10, 2022
    Assignee: STMICROELECTRONICS (ROUSSET) SAS
    Inventor: Fabrice Marinet
  • Patent number: 11329809
    Abstract: This invention relates generally to a method and system for hybrid classical-quantum communication. The method comprises transmitting a single photon having a particular quantum state over a communication medium using a quantum mode set; and transmitting a classical light beam over the same communication medium using a classical mode set, wherein the classical and quantum mode sets comprise non-separable modes in common. The non-separable modes in common may be two degrees of freedom of a single photon or classical light and may thus be spatial modes in one or more indexes, and polarisation. The invention relates also to a system to implement the method accordingly.
    Type: Grant
    Filed: January 23, 2018
    Date of Patent: May 10, 2022
    Assignee: UNIVERSITY OF THE WITWATERSRAND, JOHANNESBURG
    Inventors: Andrew Forbes, Bienvenu Ndagano, Isaac Nape, Mitchell Cox, Carmelo Rosales-Guzman
  • Patent number: 11323249
    Abstract: Cryptographic authentication is described to improve security in connected vehicle systems and other applications. Identity Based Cryptography and threshold cryptography are among techniques used in some embodiments.
    Type: Grant
    Filed: December 19, 2018
    Date of Patent: May 3, 2022
    Assignee: LG ELECTRONICS, INC.
    Inventors: Harsh Kupwade Patil, Arunkumaar Ganesan
  • Patent number: 11310038
    Abstract: An aspect of the present disclosure generally relates to a computer system (100) and method (200) for securing data communication between a first computer (110) and a second computer (120).
    Type: Grant
    Filed: February 28, 2019
    Date of Patent: April 19, 2022
    Inventors: Mutita Donsomsakunkij, Disuan Netsirininkul, Suwan Boonprem, Juckrit Youyen, Jugkree Na Ayutthaya Plalakawong
  • Patent number: 11303440
    Abstract: A programmable hardware security module, a method for securing a private key of a cryptographic key pair, and a method for securely providing a private key of a cryptographic key pair on a programmable hardware security module, wherein with the described devices and methods, a decentralised PKI is built, via which device keys and device certificates can be generated and target devices can be provided securely, where in this regard, the key-pair-specific transport key plays a central role in protecting the generated private key that is to be transferred, and where this is linked to the particular key pair intended for a target device via a key derivation from a master key utilizing a key-pair-specific derivation parameter.
    Type: Grant
    Filed: December 28, 2017
    Date of Patent: April 12, 2022
    Assignee: Siemens Aktiengesellschaft
    Inventors: Hans Aschauer, Daniel Schneider, Rainer Falk
  • Patent number: 11303618
    Abstract: Aspects of the present disclosure relate to encryption management. A determination can be made whether an encryption algorithm is at-risk. In response to determining that the encryption algorithm is at-risk, data protected by the encryption algorithm can be identified. A security action can then be executed on the data protected by the encryption algorithm.
    Type: Grant
    Filed: February 17, 2020
    Date of Patent: April 12, 2022
    Assignee: International Business Machines Corporation
    Inventors: Lokesh Mohan Gupta, Matthew G. Borlick, Mark Elliott Hack, Micah Robison
  • Patent number: 11303435
    Abstract: Embodiments of the invention involve using biometric templates to wirelessly authenticate individuals. In one embodiment, a mobile device may generate a first biometric template and a first public value from a first biometric sample of a user and generate a first cryptographic key by passing the first biometric template to a fuzzy extractor's generate function. An access device may generate a second biometric template from a second biometric sample of the user, generate a second secret cryptographic key by passing the second biometric template and the first public value to the fuzzy extractor's reproduce function, encrypt the second biometric template with the second secret cryptographic key, and broadcast the encrypted template to a plurality of nearby mobile devices including the mobile device. If the mobile device is able to decrypt the encrypted template with the first cryptographic key, the access device can associate the user with the mobile device.
    Type: Grant
    Filed: October 26, 2016
    Date of Patent: April 12, 2022
    Assignee: Visa International Service Association
    Inventors: Kim R. Wagner, John F. Sheets, Mark Allen Nelsen
  • Patent number: 11281599
    Abstract: A peripheral device of a computing device may include a processor; a sharing module to, upon execution of the processor, allow the peripheral device to be shared with an external computing device over a network; and a communication module to, upon execution of the processor: provide data from the peripheral device to a peripheral device hub module of a computing device; and provide communication by the peripheral device with the external computing device.
    Type: Grant
    Filed: October 10, 2018
    Date of Patent: March 22, 2022
    Assignee: Hewlett-Packard Development Company, L.P.
    Inventors: Carlos Haas Costa, Donald Gonzalez
  • Patent number: 11283614
    Abstract: Implementations of the present specification disclose an information verification method, apparatus, and device.
    Type: Grant
    Filed: June 23, 2021
    Date of Patent: March 22, 2022
    Assignee: Alipay (Hangzhou) Information Technology Co., Ltd.
    Inventor: Yitao Song
  • Patent number: 11281813
    Abstract: In some embodiments, a method can include detecting, at a first circuit, the first circuit being operatively coupled to a memory device having a set of memory portions. The method can include receiving, from the memory device and at the first circuit, a set of encryption key portions after the detecting, each encryption key portion from the encryption key portions being a unique portion of an encryption key. The method can include assembling the encryption key by ordering each encryption key portion from the set of encryption key portions based on (1) a first previously defined list and (2) a second previously defined list. The first previously defined list and the second previously defined list each is stored at or accessible by the first circuit but not stored at or accessible by the memory device. The method can include authorizing access to a second circuit based on the encryption key.
    Type: Grant
    Filed: July 21, 2021
    Date of Patent: March 22, 2022
    Assignee: Management Services Group, Inc.
    Inventors: Thomas Scott Morgan, Martin Mayer, Steven Yates
  • Patent number: 11270030
    Abstract: Methods, systems, and apparatus, including computer programs encoded on computer storage media, for blockchain-based consensus management, are provided. One of the methods includes: obtaining a request for creating a consensus template, wherein the request comprises information about a plurality of participating entities associated with the consensus template; generating, based on the request, a dataset representing a hierarchical structure of the participating entities associated with the consensus template; creating a blockchain transaction for registering the consensus template to a blockchain, wherein the blockchain transaction comprises the dataset representing the hierarchical structure of the participating entities; and sending, to one or more blockchain nodes associated with the blockchain for adding to the blockchain, the blockchain transaction for registering the consensus template to the blockchain.
    Type: Grant
    Filed: October 30, 2020
    Date of Patent: March 8, 2022
    Assignee: ALIPAY (HANGZHOU) INFORMATION TECHNOLOGY CO., LTD.
    Inventors: Wenlong Yang, Yujun Peng
  • Patent number: 11265706
    Abstract: The present application discloses a method for configuring and transmitting a key, which includes that: a) a serving cell (PCell) of UE determines a key (KeNB) used by a SCell and transmits the KeNB to the SCell; and b) the PCell transmits configuration information for configuring the SCell to the UE after receiving a response message from the SCell, and receives a response message from the UE. Or, the method includes that: a SCell of UE transmits a cell key request to an MME and receives key information from the MME; and the SCell transmits the key information received from the MME to the UE, and receives a response message from the UE. By the present application, data of the SCell is transmitted after being encrypted, so as to avoid a case that the data is decoded by other users, and further guarantee the security of the data.
    Type: Grant
    Filed: September 30, 2019
    Date of Patent: March 1, 2022
    Assignee: Samsung Electronics Co., Ltd.
    Inventors: Hong Wang, Huarui Liang, Lixiang Xu
  • Patent number: 11245517
    Abstract: Described herein are methods, systems, and computer-readable storage media for participating in a validation process with the host computing device. Techniques include receiving, from the host computing device, a second key that is part of a cryptographic key pair comprising a first key and the second key. Techniques further include encrypting, using the second key and as part of the validation process, data at the peripheral device and sending the encrypted data to the host computing device. Further, the host computing device validates an identity of the peripheral device based on a decryption, using the first key, of the encrypted data.
    Type: Grant
    Filed: March 31, 2021
    Date of Patent: February 8, 2022
    Assignee: CyberArk Software Ltd.
    Inventors: Omar Tsarfati, Asaf Hecht
  • Patent number: 11240210
    Abstract: The present application discloses methods, apparatuses, and systems for acquiring local information. An exemplary method may include sending a first request for information acquisition to a network apparatus through a script in a browser. The method may also include monitoring, through the local application tool, a random number, sent by the network apparatus, corresponding to the first request for information acquisition. Moreover, the method may include acquiring, through the local application tool, the first request for information acquisition corresponding to the random number stored in the network apparatus. Furthermore, the method may include acquiring, through the local application tool, local information corresponding to the first request for information acquisition, and sending, through the local application tool, the local information to the network apparatus.
    Type: Grant
    Filed: June 17, 2015
    Date of Patent: February 1, 2022
    Assignee: Advanced New Technologies Co., Ltd.
    Inventor: Chunhua Jiang
  • Patent number: 11240223
    Abstract: Systems, apparatuses, and methods are disclosed for quantum entanglement authentication (QEA). An example method includes transmitting a first number and a second electronic identification of a second subset of the first set of entangled quantum particles to a second computing device, transmitting a second number and a first electronic identification of a first subset of a first set of entangled quantum particles to a first computing device, wherein each entangled quantum particle in the first set of entangled quantum particles is entangled with a respective entangled quantum particle in a second set of entangled quantum particles, receiving, from the first computing device, a third number, receiving, from the second computing device, a fourth number and in an instance in which the third number corresponds to the first number and the fourth number corresponds to the second number, authenticating a session between the first computing device and the second computing device.
    Type: Grant
    Filed: February 11, 2020
    Date of Patent: February 1, 2022
    Assignee: WELLS FARGO BANK, N.A.
    Inventors: Jeff J. Stapleton, Robert L. Carter, Jr., Pierre Arbajian, Bradford A. Shea, Peter Bordow, Michael Erik Meinholz
  • Patent number: 11240023
    Abstract: Techniques described herein enhance information security in contexts that utilize key management systems and cryptographic keys. A cryptographic structure is utilized to maintain cryptographic keys with associated expiration times such that after an expiration time associated with a cryptographic key has passed, the cryptographic key is no longer accessible.
    Type: Grant
    Filed: June 19, 2019
    Date of Patent: February 1, 2022
    Assignee: Amazon Technologies, Inc.
    Inventors: Bryan James Donlan, Gregory Alan Rubin
  • Patent number: 11233779
    Abstract: Techniques are disclosed relating to credential sharing for user authentication. In some embodiments, a first computing device maintains a credential manager that stores a plurality of user credentials usable to authenticate a user. The first computing device receives a request from the user to send one of the plurality of user credentials to a second computing device. In response to the request, the first computing device sends the user credential to the second computing device. The second computing device is configured to determine whether an application of the second computing device is presenting an authentication prompt to a user and, in response to determining that the authentication prompt is being presented, populate one or more fields of the authentication prompt with the user credential. In some embodiments, the second computing device is configured to store the user credential in a credential manager maintained by the second computing device.
    Type: Grant
    Filed: September 29, 2018
    Date of Patent: January 25, 2022
    Assignee: Apple Inc.
    Inventors: Alexander D. Sanciangco, Maureen G. Daum, Richard J. Mondello, Reza Abbasian
  • Patent number: 11218471
    Abstract: Systems, apparatuses, and methods are disclosed for quantum entanglement authentication (QEA). An example method includes transmitting a first number and a second electronic identification of a second subset of the first set of entangled quantum particles to a second computing device, transmitting a second number and a first electronic identification of a first subset of a first set of entangled quantum particles to a first computing device, wherein each entangled quantum particle in the first set of entangled quantum particles is entangled with a respective entangled quantum particle in a second set of entangled quantum particles, receiving, from the first computing device, a first session key, receiving, from the second computing device, a second session key and in an instance in which the first session key corresponds to the second session key, authenticating a session between the first computing device and the second computing device.
    Type: Grant
    Filed: February 11, 2020
    Date of Patent: January 4, 2022
    Assignee: WELLS FARGO BANK, N.A.
    Inventors: Jeff J. Stapleton, Robert L. Carter, Jr., Pierre Arbajian, Bradford A. Shea, Peter Bordow, Michael Erik Meinholz
  • Patent number: 11201732
    Abstract: An apparatus, process, and system, that enables secure information and communication across channels based on a perfect key-exchange method. The secure channel between two users enables each to use the public key of the other user—to derive a secret key specific to both users. Traditional (but yet widely used) key-exchange methods are not perfect-secure; the public key encryption makes these methods to be broken under many kinds of attacks. Unlike these methods, the apparatus, process, and system of the present invention is not based on the computational assumptions like: Integer Factorization and Discrete Logarithm Problem. The apparatus, process, and system of the present invention inhibits and/or prevents the man-in-the-middle attack, which is a problem that has not been solved to this day.
    Type: Grant
    Filed: June 23, 2020
    Date of Patent: December 14, 2021
    Inventors: Qassim Mohammed Soliman Al Mahmoud, Suleiman Abdallah Suleiman Odat, Fawaz Abdulrahman Mohammed Alsheri, Haytham Eltayeb Elwaseila
  • Patent number: 11190365
    Abstract: Disclosed is a physical unclonable function generator circuit and testing method. In one embodiment, a physical unclonable function (PUF) generator, includes: a PUF cell array comprising a plurality of bit cells configured in at least one column and at least one row, wherein the plurality of bit cells each provides two voltage transient behaviors on two corresponding bit lines of the at least one column; and at least two load control circuits coupled to the two bit lines of the at least one corresponding column, wherein the at least two load control circuits are each configured to provide at least one discharge pathway to at least one of the two corresponding bit lines, wherein the at least one discharge pathway is configured to change at least one of the two voltage transient behaviors so as to determine stability of each of the plurality of bit cells of the PUF cell array.
    Type: Grant
    Filed: December 11, 2018
    Date of Patent: November 30, 2021
    Assignee: Taiwan Semiconductor Manufacturing Co., Ltd.
    Inventor: Shih-Lien Linus Lu
  • Patent number: 11165592
    Abstract: Embodiments described herein provide an implicit protocol with improved resource and bandwidth efficiency. A post-quantum secure approach for issuing multiple pseudonym certificates from a small piece of information is provided, while traditionally most encryption schemes are vulnerable to post-quantum attacks (e.g., in a traditional SCMS). Long-term security can be improved with the post-quantum protocol.
    Type: Grant
    Filed: August 21, 2019
    Date of Patent: November 2, 2021
    Assignee: LG Electronics, Inc.
    Inventor: Paulo Sergio Licciardi Messeder Barreto
  • Patent number: 11153104
    Abstract: Crossbar arrays (e.g., Resistive Processing Unit (RPU) accelerators) are leveraged to create a Physically Unclonable Function (PUF) that exploits variations, such as statistical process variation in manufacture or operation, to generate key material to secure information in a computing environment. One environment is a cloud compute infrastructure whose shared resources are used to process workloads. During RPU accelerator use, the state of the RPU's bits are changed by reproducible inputs, e.g., stochastic pulses applied to change resistive values in the array, and the corresponding changes in the RPU array state captured. These responses, which cannot be reproduced from another device due to random device variations across chips that embody the RPUs, are then used to generate (or facilitate generation of) the cryptographic material. In one embodiment, inputs applied to the RPU accelerator array are generated from a pseudo-random number generator that is otherwise associated with the RPU accelerator.
    Type: Grant
    Filed: March 14, 2019
    Date of Patent: October 19, 2021
    Assignee: International Business Machines Corporation
    Inventors: Shawn Peter Fetterolf, Arvind Kumar
  • Patent number: 11153085
    Abstract: Techniques are presented for (a) securely maintaining, by a computing device, a set of correspondences between encryption keys and key identifiers, (b) receiving, by the computing device, a cryptographic request from a remote device received across the network, the cryptographic request including credentials, data to be cryptographically processed, and a key identifier to be used for cryptographic processing, and (c) in response to successfully authenticating the cryptographic request: (1) obtaining, by the computing device with reference to the set of correspondences, an encryption key corresponding to the key identifier, (2) cryptographically processing, by the computing device, the received data using the obtained encryption key to generate cryptographically-processed data, and (3) sending the cryptographically-processed data from the computing device across the network to the remote device.
    Type: Grant
    Filed: October 30, 2018
    Date of Patent: October 19, 2021
    Assignee: EMC IP Holding Company LLC
    Inventors: Sridhar Villapakkam, Ajit Bhagwat, Frank S. Caccavale
  • Patent number: 11146396
    Abstract: Periodically re-encrypting user data stored on a storage device, including: detecting that a data encryption key should be decommissioned; and for user data stored on the storage device that is encrypted with the data encryption key: reading the user data that is encrypted with the data encryption key from the storage device; re-encrypting the user data utilizing a current data encryption key; and writing the user data that is encrypted utilizing the current data encryption key to the storage device.
    Type: Grant
    Filed: December 3, 2019
    Date of Patent: October 12, 2021
    Assignee: Pure Storage, Inc.
    Inventors: Andrew Bernat, Ethan Miller
  • Patent number: 11146406
    Abstract: A method for managing entitlement of a device to access a service, the method comprising providing an authenticated identity for the device, the authenticated identity including a public encryption key pair associated with the device signed by a trusted authority, and generating a device entitlement certificate encoding an authorisation related to the service and including a public key of the public encryption key pair associated with the device, wherein the device entitlement certificate is signed by the trusted authority.
    Type: Grant
    Filed: July 26, 2017
    Date of Patent: October 12, 2021
    Assignee: Hewlett-Packard Development Company, L.P.
    Inventors: Joshua Serratelli Schiffman, Christopher Charles Mohrman, Luke T. Mather
  • Patent number: 11140160
    Abstract: Establishing inter-device communication is disclosed including receiving, using a first device, an encrypted session key sent by a second device, decrypting, based on a private key of the first device, the encrypted session key in a trusted environment to obtain a decrypted session key, and conducting, based on the decrypted session key, data communications with the second device.
    Type: Grant
    Filed: July 31, 2018
    Date of Patent: October 5, 2021
    Assignee: BANMA ZHIXING NETWORK (HONGKONG) CO., LIMITED
    Inventors: Dunjun Liu, Kan Dong
  • Patent number: 11126241
    Abstract: A wireless mobile device in a public communication network receives network-initiated signaling or messaging while operating in a battery-conserving mode, or modes, that keep(s) minimal baseband processing functions awake. The baseband processing functions process incoming signaling or data in a received message to determine whether to act further on information in the incoming message by enabling additional processing capability in the mobile device. The mobile device may have permanent template criteria values, either coded in firmware or implemented in hardware, or temporary template criteria values, stored in RAM or processor registers, that are compared to values of an incoming message or datagram from the mobile network to determine whether to perform additional actions, such as awakening an application processor.
    Type: Grant
    Filed: September 2, 2019
    Date of Patent: September 21, 2021
    Assignee: M2MD TECHNOLOGIES INC.
    Inventor: Charles M. Link, II
  • Patent number: 11128436
    Abstract: A processor device with a white-box masked implementation of the cryptographic algorithm AES implemented thereon, which comprises a SubBytes transformation. The white-box masked implementation is hardened in that white-box round input values x′ are supplied at the round input of rounds instead of the round input values x, said white-box round input values being formed from a concatenation of: (i) the round input values x that are masked by means of the invertible masking mapping A and (ii) obfuscation values y that are likewise masked with the invertible masking mapping A; wherein from the white-box round input values x′ only the (i) round input values x are fed to the SubBytes transformation T, and (ii) the masked obfuscation values y are not.
    Type: Grant
    Filed: July 12, 2017
    Date of Patent: September 21, 2021
    Assignee: GIESECKE+DEVRIENT MOBILE SECURITY GMBH
    Inventor: Sven Bauer
  • Patent number: 11108786
    Abstract: A data processing method may include: determining, by a transaction initiation node in a blockchain, transaction data of a transaction and information to be hidden in the transaction data; obtaining, by using the transaction data as an input of a predetermined one-way function, a transaction root of the transaction, and constructing, based on the transaction root, proof data corresponding to the information to be hidden; and, after signing the transaction root, initiating a transaction request to write the transaction root and the proof data on the blockchain, for a node in the blockchain to perform consensus verification on the transaction root and the proof data, and approve or reject the transaction request based on a verification result.
    Type: Grant
    Filed: February 6, 2021
    Date of Patent: August 31, 2021
    Assignee: ADVANCED NEW TECHNOLOGIES CO., LTD.
    Inventor: Husen Wang
  • Patent number: 11102185
    Abstract: Blockchain-based service data encryption methods and apparatuses are provided wherein a first derived key is obtained by a node device of a key receiver, the first derived key distributed by a node device of a key distributor, wherein the first derived key is derived from a derived key of the key distributor based on a service data permission type of the key receiver and service data is encrypted based on the first derived key to obtain encrypted service data. The encrypted service data is sent to a blockchain, so that the encrypted service data is recorded in a distributed database of the blockchain after the blockchain performs consensus verification on the encrypted service. Because the derived key of the key distributor can decrypt the service data encrypted by the first derived key, the key distributor can decrypt, monitor, and manage service data uploaded by the key receiver.
    Type: Grant
    Filed: January 29, 2021
    Date of Patent: August 24, 2021
    Assignee: Advanced New Technologies Co., Ltd.
    Inventors: Shubo Li, Yixiang Zhang
  • Patent number: 11093413
    Abstract: Techniques for protecting information may include: exposing a logical device of a data storage system to a host, wherein the logical device has an attribute identifying the logical device as a stealth device having accessibility controlled by the data storage system based on commands issued over a control path, wherein the logical device has a mode indicating whether the logical device is accessible to the host; sending, from the host to the data storage system, a write command that writes first data on the logical device when the mode indicates the logical device is accessible to the host; and subsequent to said sending, issuing a command over the control path to the data storage system, wherein the command sets the mode of the logical device to inaccessible indicating the logical device is not accessible to the host.
    Type: Grant
    Filed: October 8, 2019
    Date of Patent: August 17, 2021
    Assignee: EMC IP Holding Company LLC
    Inventors: Arieh Don, George F. Johnson
  • Patent number: 11095436
    Abstract: In providing cloud services, key-based security measures specific to a local network are utilized when an internal client terminal logs into the network to access cloud services, and when a remote client terminal connects directly to the cloud services. A cloud service computer references the credential authorization service of the local network, allowing key-based security measures of that network to be applied even when a remote client terminal connects directly to a cloud service computer. By referencing the local credential authorization service, it is possible to provide cloud services to different organizations that administer key-based security measures independently of each other.
    Type: Grant
    Filed: September 30, 2019
    Date of Patent: August 17, 2021
    Assignee: KONICA MINOLTA BUSINESS SOLUTIONS U.S.A., INC.
    Inventor: Randy Cruz Soriano
  • Patent number: 11088825
    Abstract: Examples disclosed herein relate to receiving a record of a data transaction between two participants, creating a ledger entry associated with the record of the data transaction, appending the ledger entry to a subset of a plurality of partial ledgers associated with a blockchain, and updating a table of contents associated with each of the plurality of partial ledgers associated with the blockchain.
    Type: Grant
    Filed: April 11, 2017
    Date of Patent: August 10, 2021
    Assignee: Hewlett-Packard Development Company, L.P.
    Inventors: Mike A Holmberg, Nataraj Kumar Gobbak
  • Patent number: 11080408
    Abstract: Embodiments of the disclosure include systems and methods for secure storage and/or retrieval of customer secrets by, e.g., a cloud services provider. According to methods, secret data that is to be securely stored may be transmitted, along with an initialization vector, to an encryption service for encryption using a private key stored in a remote key vault. The encrypted data can be returned and stored, in its encrypted form, in a secure storage along with the initialization vector data. To retrieve the securely stored data, embodiments disclose retrieving the encrypted form of the data and transmitting it, along with its related initialization vector data, to the encryption service for decryption using the private key stored in the remote key vault. The decrypted data can then be made available to a requesting product service.
    Type: Grant
    Filed: August 27, 2019
    Date of Patent: August 3, 2021
    Assignee: Citrix Systems, Inc.
    Inventors: Thomas Kludy, Ricardo Fernando Feijoo
  • Patent number: 11070369
    Abstract: A system that comprises a quantum key device configured to generate quantum information and transmit the quantum information over a first and second quantum communication channel. The system also comprises a first device, communicatively coupled to the quantum key device over the first quantum communication channel, and a second device, communicatively coupled to the quantum key device over the second quantum communication channel. The system further comprises an encryption module configured to encrypt data to create encrypted data, at the first device, using a first quantum encryption key. The system also comprises a decryption module configured to decrypt the encrypted data to create decrypted data, at the second device, using a second quantum encryption key. The first quantum encryption key is the same as the second quantum encryption key. The system further comprises a termination module configured to prevent access to the decrypted data after a predetermined period of time.
    Type: Grant
    Filed: January 16, 2020
    Date of Patent: July 20, 2021
    Assignee: The Boeing Company
    Inventors: Wayne R. Howe, Jeffrey H. Hunt
  • Patent number: 11070366
    Abstract: A method for anonymous authentication and key establishment based on passwords (APAKE), includes instantiating, by the server, an OPRF scheme and a symmetric encryption scheme; engaging in, by the client and the server, an OPRFEvaluate protocol so that the client learns a decryption key associated with its password while the server learns nothing; securely transferring, by the server, a nonce and a symmetric encryption key to the client if the client holds a valid password; sending, by the client, its nonce encrypted under the symmetric encryption key; using, by the server, the symmetric encryption key to decipher ciphertext received by virtue of the sending, by the client, its nonce encrypted under the symmetric encryption key and to recover the client's nonce; and computing, by the server and the client, a compute key based on the client's nonce and the server's nonce.
    Type: Grant
    Filed: January 4, 2019
    Date of Patent: July 20, 2021
    Assignee: NEC CORPORATION
    Inventors: Claudio Soriente, Maria Isabel Gonzalez Vasco, Angel Luis Perez del Pozo
  • Patent number: 11057200
    Abstract: An apparatus for enhancing secret key rate exchange over quantum channel in QKD systems includes an emitter system with a quantum emitter and a receiver system with a quantum receiver, wherein both systems are connected by a quantum channel and a service communication channel. User interfaces within the systems allow defining a first quantum channel loss budget based on the distance to be covered between the quantum emitter and the quantum receiver and the infrastructure properties of the quantum channel as well as a second quantum channel loss budget associated with the loss within the realm of the emitter system. The emitter system is adapted to define the optimal mean number of photons of coherent states to be emitted based on the first and the second quantum channel loss budgets.
    Type: Grant
    Filed: November 24, 2017
    Date of Patent: July 6, 2021
    Assignee: id Quantique SA
    Inventors: Matthieu Legré, Grégoire Ribordy, Damien Stucki