Abstract: A method is disclosed. An authentication node may receive a plurality of encrypted match values, wherein the plurality of encrypted match values were formed by a plurality of worker nodes that compare a plurality of encrypted second biometric template parts derived from a second biometric template to a plurality of encrypted first biometric template parts derived from a first biometric template. The authentication node may decrypt the plurality of encrypted match values resulting in a plurality of decrypted match values. The authentication node may then determine if a first biometric template matches the second biometric template using the plurality of decrypted match values. An enrollment node may be capable of enrolling a biometric template and storing encrypted biometric template parts at worker nodes.

Abstract: The disclosed technology provides for establishment of a secure tunnel with implicit device identification. The implicit device identification can be provided during establishment of a secure tunnel with a server by performing a mutual authentication with the server using a device-specific private key of the device. The device-specific private key may be provisioned during manufacturing of the device and stored by a secure hardware component of the device. Establishing the secure tunnel using implicit device identification can be helpful for operations in which a server is configured to only establish secure communications with one or more particular types of device, and can be performed without the use additional device identification communications.

Abstract: Systems and methods for generating min-increment counting bloom filters to determine count and frequency of device identifiers and attributes in a networking environment are disclosed. The system can maintain a set of data records including device identifiers and attributes associated with device in a network. The system can generate a vector comprising coordinates corresponding to counter registers. The system can identify hash functions to update a counting bloom filter. The system can hash the data records to extract index values pointing to a set of counter registers. The system can increment the positions in the min-increment counting bloom filter corresponding to the minimum values of the counter registers. The system can obtain an aggregated public key comprising a public key. The system can encrypt the counter registers using the aggregated shared key to generate an encrypted vector. The system can transmit the encrypted vector to a networked worker computing device.

Abstract: Provided are methods and systems for performing secure analytics using term generations and a homomorphic encryption. An example method includes receiving, by at least one server from a client, a term generation function, a hash function, a public key of a homomorphic encryption scheme, and a homomorphically encrypted list of indices, wherein the list of indices is generated using the term generation function and the hash function, applying, by the server, the term generation function, the hash function, and the public key to a data set to determine a further homomorphically encrypted list of indices, extracting, by the server and using the homomorphically encrypted list of indices and the further homomorphically encrypted list of indices, data from the encrypted data set to obtain an encrypted result, and sending the encrypted result to the client to decrypt the encrypted result using a private key of the homomorphic encryption scheme.

Abstract: Systems and techniques for a System-on-a-Chip (SoC) security plugin are described herein. A component message may be received at an interconnect endpoint from an SoC component. The interconnect endpoint may pass the component message to a security component via a security interlink. The security component may secure the component message, using a cryptographic engine, to create a secured message. The secured message is delivered back to the interconnect endpoint via the security interlink and transmitted across the interconnect by the interconnect endpoint.

Abstract: A method including receiving, by a first device from a second device in a mesh network, message data to be transmitted to a communication device, the message data being received via a first meshnet connection between the first device and the second device; and transmitting, by the first device to the second device, response data based at least in part on transmitting the message data to the communication device, the response data being transmitted via the first meshnet connection. Various other aspects are contemplated.

Abstract: An electronic key pre-distribution device for configuring multiple network nodes with local key information is provided. The key pre-distribution device applies at least a first hash function and a second hash function to a digital identifier of a network node. The first and second hash functions map the digital identifier to a first public point and a second public point on a first elliptic curve and second elliptic curve. A first and second secret isogeny are applied to the first and second public elliptic curve points, to obtain a first private elliptic curve point and second private elliptic curve point that are part of private key material for the network node.

Abstract: Embodiments disclosed herein are directed to methods and systems of password-based threshold authentication, which distributes the role of an authentication server among multiple servers. Any t servers can collectively verify passwords and generate authentication tokens, while no t?1 servers can forge a valid token or mount offline dictionary attacks.

Abstract: Signing data so that a signature can be verified by a verifier while preserving the privacy of a signer, the method including: generating a signature nonce; encrypting the signature nonce with a public key of the verifier to produce an encrypted signature nonce; and calculating a signature of the data of the signer by signing the data concatenated with the signature nonce using a private key of the signer.

Abstract: A method including determining, by a first device in communication with a second device and a third device in a mesh network, a first instant message to be transmitted to the second device and a second instant message to be transmitted to the third device, the first instant message and the second instant message including instant messaging (IM) information; encrypting, by the first device, the first instant message based at least in part on utilizing a symmetric key negotiated between the first device and the second device and the second instant message based at least in part on utilizing a symmetric key negotiated between the first device and the third device; and selectively transmitting, by the first device, the encrypted first instant message over a first meshnet connection and the encrypted second instant message over a second meshnet connection. Various other aspects are contemplated.

Abstract: A method including determining, by a first device in communication with a second device in a mesh network, an instant message to be transmitted to the second device; first encrypting, by the first device, the instant message based at least in part on utilizing a symmetric key negotiated between the first device and the second device; second encrypting, by the first device, the first encrypted instant message based at least in part on utilizing a public key associated with the second device; and selectively transmitting, by the first device, the second encrypted instant message to the second device. Various other aspects are contemplated.

Abstract: Systems and methods for provisioning secure terminals for secure transactions are disclosed herein. A disclosed method includes generating a key using a key generator element on a secure terminal and sending a key validation request for the key from the secure terminal to a provisioning device. The method also includes parsing the key validation request and generating a key validation for the key and a trusted time stamp on the provisioning device. The method also includes sending, from the provisioning device, the key validation and the trusted time stamp to the secure terminal. The method also includes setting a clock on the secure terminal using the trusted time stamp and storing the key validation at the secure terminal.

Abstract: A multi-scheme random selection of blockchain endorsers may preserve anonymity of nodes that participate in a blockchain network, and may assign each node an endorsement load that is proportionate to the utilization of the blockchain network by that node. Selection of one or more nodes to endorse data before recordation to the blockchain may include randomly selecting an active endorser selection scheme from a set of available endorser selection schemes, and randomly selecting one or more nodes as endorsers for the data based on the active endorser selection scheme. Each scheme may be derived based on the tracked utilization over different time scales. Exit criteria may determine when to switch the active endorser selection scheme. The exit criteria may be based on a number of times each node is selected as an endorser under the active endorser selection scheme, and utilization of the blockchain network by each node.

Abstract: Computer-implemented methods for locking a blockchain transaction based on undetermined data are described. The invention is implemented using a blockchain network. This may, for example, be the Bitcoin blockchain. A locking node may include a locking script in a blockchain transaction Node to lock a digital asset. The locking script includes a public key for a determined data source and instructions to cause a validating node executing the locking script to verify the source of data provided in an unlocking script by: a) generating a modified public key based on the public key for the determined data source and based on data defined in the unlocking script; and b) evaluating a cryptographic signature in the unlocking script based on the modified public key. The blockchain transaction containing the locking script is sent by the locking node to the blockchain network. The lock may be removed using a cryptographic signature generated from a private key modified based on the data.

Abstract: Systems and methods for attesting an enclave in a network. A method includes receiving, by a first device, proof information from an application provider entity that the enclave is secure, wherein the proof information includes a public part, Ga, of information used by the enclave to derive a Diffie-Hellman key in a key generation process with the application provider entity, processing, by the first device, the proof information to verify that the enclave is secure and ensuring that Ga is authentic and/or valid, deriving, by the first device, a new Diffie-Hellman key, based on Ga and x, wherein x is a private part of information used by the first device to derive the new Diffie-Hellman key, and sending, by the first device, a message including Ga and a public part, Gx, of the information used by the first device to derive the new Diffie-Hellman key to the enclave.

Abstract: Systems and methods for automatic VPN establishment are provided.

Abstract: An encryption method and apparatus based on homomorphic encryption using an odd function property. The encryption method includes generating a ciphertext by encrypting data, and bootstrapping the ciphertext by performing a modular reduction based on an odd function property for a modulus corresponding to the ciphertext.

Abstract: Provided is a method for producing a product by a machine tool, wherein the control information and/or production data of a machine tool, such as a milling machine, injection molding machine, welding robot, laser cutter or 3D printer, is protected or cryptographically encrypted such that unauthorized copying or modifying is prevented, including the steps: producing product by the machine tool taking into consideration control information which controls the production of the product; generating production data by the machine tool during production of the product, wherein the production data describes the production of the product; providing protection information to the machine tool, which indicates which of the production data is to be protected, and defines a protection method for the production data which is protected; and protecting that production data which, according to the protection information, is to be protected, by the protection method defined by the protection information.

Abstract: A modular operation circuit includes a controller, a modular multiplier and a modular adder. The controller divides a first number into K segments. The modular multiplier performs modular multiplication operations and the modular adder performs modular addition operations to the K segments in (K?1) iterations for deriving a remainder of a division of the first number by a second number.

Abstract: Described are methods, systems and computer readable media for providing a current row position query language construct and array processing query language constructs and associated processing.

Abstract: Techniques are disclosed relating to authenticating a user with a mobile device. In some embodiments, a computing device stores a first signed attestation indicating an ability of the computing device to securely perform a user authentication. The computing device receives a request to store credential information of an identification document issued by an issuing authority to a user for establishing an identity of the user. In response to the request, the computing device sends, to the issuing authority, a request to store the credential information, the sent request including the first signed attestation to indicate an ability to perform a user authentication prior to permitting access to the credential information. In response to an approval of the sent request based on the first signed attestation, the computing device stores the credential information in a secure element of the computing device.

Abstract: The computer-implemented method for generating a public key and a secret key of the present disclosure comprises determining, by a processor, the secret key (s) by sampling from a distribution over {?1, 0, 1}nd; determining, by a processor, a first error vector (e) by sampling from (D?qn)d and a second error value (e?) by sampling from D?qn; choosing, by a processor, a randomly uniform matrix A which satisfies A·s=e (mod q); choosing, by a processor, a random column vector b which satisfies ? b , s ? = ? q 2 ? + e ? ? ( mod ? ? q ) ; and determining, by a processor, the public key (pk) by (A?b)?Rqd×(d+1).

Abstract: A first share value and a second share value may be received. A combination of the first share value and the second share value may correspond to an exponent value. The value of a first register is updated using a first equation that is based on the first and second share values and the value of a second register is updated using a second equation that is based on the second share value. One of the value of the first register or the value of the second register is selected based on a bit value of the second share value.

Abstract: An embodiment of an automatic key delivery system is described, An automatic key delivery system comprises the following operations. Herein, a first token is generated and provided to a first network device. Thereafter, a first key value pair, including the first token and a first key segment of a cryptographic key, is received by a first relay server and a second key value pair, including the first token and a second key segment of the cryptographic key, is received from a second relay server. In response, a second token to be provided to the first relay server and the second relay server. Thereafter, the first and second key segment are returned from the first and second relay servers based on usage of the second token as a lookup in order to recover the cryptographic key for decryption of an encrypted content from the first network device.

Abstract: An example operation includes one or more of receiving, via a first communication channel between a sending device and a recipient device, a first partial encryption key from the receiving device, receiving, via a second communication channel between the sending device and the recipient device, a second partial encryption key from the receiving device, wherein the second communication channel comprises a different communication medium than the first communication channel, generating a transport key based on the first partial encryption key and the second partial encryption key received via the first and second channels, and encrypting data based on the generated transport key and transmitting the encrypted data to the receiving device.

Abstract: User-generated messages encapsulating selections from each of a plurality of entities for a selection task having a selection option are received via one or more interfaces presented by a selection processing system. For each selection, a different share of a signing key is obtained that has an identity associated with the selection task. For each selection, a different partial signature is generated by signing the messages using the associated share of the signing key. The partial signatures are combined into a threshold signature if a number of entities for a selection option specified by the task exceeds a pre-defined threshold. Data characterizing the results of the selection task can then be provided.

Abstract: A method of encoding and/or decoding data is described, having the steps of: generating a challenge code, the challenge code being based on a pattern associated with at least one challenge arrangement having duplicated signs, encrypting the challenge code using a one-way hashing function to obtain a temporary encryption key, generating encoded data by encoding the data using a two-way transcoding function using the obtained temporary encryption key, wherein data is decoded using the two-way transcoding function and a subsequently obtained user temporary encryption key when the subsequently obtained user temporary encryption key matches the previously obtained temporary encryption key used to encode the data.

Abstract: Techniques are disclosed relating to authentication using public key encryption. In one embodiment, a computing device includes a secure circuit, a processor, and memory. The secure circuit is configured to generate a public key pair usable to authenticate a user of the computing device. The memory has program instructions stored therein that are executable by the processor to cause the computing device to perform operations including authenticating the user with a server system by sending authentication information supplied by the user. The operations further include, in response to the server system verifying the authentication information, receiving a first token usable to register the public key pair with the server system and sending, to the server system, a request to register the public key pair for authenticating the user. In such an embodiment, the request includes the first token and identifies a public key of the public key pair.

Abstract: A method including determining, by a first device in communication with a second device in a mesh network, an instant message to be transmitted to the second device; and encrypting, by the first device, the instant message based at least in part on utilizing a symmetric key negotiated between the first device and the second device; and selectively transmitting, by the first device to the second device, the instant message over a meshnet connection between the first user device and the second user device in the mesh network. Various other aspects are contemplated.

Abstract: A method of performing finite field addition and doubling operations in an elliptic curve cryptography (ECC) authentication scheme as a countermeasure to side-channel attack. The addition and doubling operations are executed using atomic patterns that involve the same sequence and number of operation types, so that the noise consumption and electromagnetic emanation profile of circuitry performing the operations is identical regardless of operation. A subtraction operation using such an atomic pattern is also disclosed.

Abstract: A homomorphic encryption processing device includes the processing circuitry is configured to generate ciphertext operation level information based on field information. The field information represents a technology field to which homomorphic encryption processing is applied. The ciphertext operation level information represents a maximum number of multiplication operations between homomorphic ciphertexts without a bootstrapping process. The processing circuitry is further configured to select and output a homomorphic encryption parameter based on the ciphertext operation level information. The processing circuitry is further configured to perform one of a homomorphic encryption, a homomorphic decryption and a homomorphic operation, based on the homomorphic encryption parameter.

Abstract: A key server network device may install, on the key server network device, a new decryption key based on a timer-based key rollover setting and may provide, to peer network devices, messages identifying the new decryption key. The key server network device may utilize an original encryption key, to encrypt traffic, until all of the peer network devices provide acknowledgements of installation of the new decryption key. The key server network device may be configured to utilize the original encryption key based on the timer-based key rollover setting. The key server network device may generate an alarm. The alarm may include information indicating that the key server network device is waiting for the acknowledgements from one or more peer network devices and information identifying the one or more peer network devices.

Abstract: Methods and systems for product authentication include the storage of product authenticity data in integrated circuit (IC) chips of verification objects for physical association with authentic products. The IC chips are operable to determine verification data using the stored product authenticity data, and may include private key encryption, private algorithm and/or count processing functionality for verification data determination. A verification server(s) is utilized to receive an inbound message(s) from an electronic device(s) that includes test data obtained by the electronic device(s) from an integrated circuit chip at a product of interest, and in response thereto, to send an outbound message to the electronic device(s) indicative of verification or non-verification of authenticity of the product of interest, based upon identification or non-identification of an association between the test data and product authenticity data.

Abstract: Methods of performing transactions with a payment card comprising an integrated circuit are disclosed comprising interacting with an integrated circuit on a received payment card and inferring an application corresponding to a card brand and card type of the payment card, or retrieving a map of the integrated circuit to read records on the integrated circuit based on the map, are disclosed. Corresponding devices, such as PIN pads, and computer products are also disclosed.

Abstract: Provided is a process that affords out-of-band authentication based on a secure channel to a trusted execution environment on a client device. The authentication process includes one or more authentication steps in addition to verifying any credentials provided by a client device. A notification may be transmitted by a server to a device other than the client device attempting to access the asset. That device may be a mobile device with a trusted execution environment storing user credential information, and the server may store representations of those credentials. The mobile device collects user input credentials and transmits representations for matching the previously stored representations and signed data for verification by the server that received data originated from the mobile device. The access attempt by the client is granted based in part on the result of authenticating the data received from the mobile device in a response to the notification.

Abstract: An encryption method and apparatus based on homomorphic encryption using a composition of functions. The encryption method includes generating a ciphertext by encrypting data, and bootstrapping the ciphertext by performing a modular reduction based on a composition of a function for a modulus corresponding to the ciphertext.

Abstract: Generating a private key recovery seed based on random words extracted from an input memory of a user and using the recovery seed to recover the private key. An input that is related to a specific memory of a user is received. The specific memory was previously entered and used to generate random words that are related to each other by being included in the specific memory. The random words are extracted from the received input. The random words are associated with a first private key recovery mechanism for recovering a private key. The random words are input into the first private key recovery mechanism to generate a recovery seed. The recovery seed is input into a second private key recovery mechanism. The second private key recovery mechanism generates a recovered private key upon performing a recovery operation on the private key recovery seed.

Abstract: Systems and methods for threshold authenticated encryption are provided. A collection of cryptographic devices may encrypt or decrypt a message, provided that a threshold number of those devices participate in the encryption process. One cryptographic device may generate a commitment message and transmit it to the other selected devices. Those devices may each perform a partial computation using the commitment message, and transmit the partial computations back to the encrypting or decrypting device. The encrypting or decrypting device may use those partial computations to produce a cryptographic key, which may then be used to encrypt or decrypt the message.

Abstract: A hardware accelerator for accelerating the zero knowledge succinct non-interactive argument of knowledge (zk-SNARK) protocol by reducing the computation time of the cryptographic verification is disclosed. The accelerator includes a zk-SNARK engine having one or more processing units running in parallel. The processing unit can include one or more multiply-accumulate operation (MAC) units, one or more fast Fourier transform (FFT) units; and one or more elliptic curve processor (ECP) units. The one or more ECP units are configured to reduce a bit-length of a scalar di in an ECP algorithm used for generating a proof, thereby the cryptographic verification requires less computation power.

Abstract: A homomorphic operation accelerator includes a plurality of circuits and a homomorphic operation managing circuit. The plurality of circuits may perform homomorphic operations. The homomorphic operation managing circuit may receive cipher text data, homomorphic encryption information and homomorphic operation information from an external device. The homomorphic operation managing circuit may activate or deactivate each of a plurality of enable signals applied to the plurality of circuits based on the homomorphic encryption information and the homomorphic operation information. The homomorphic operation managing circuit may activate or deactivate each of the plurality of circuits based on the plurality of enable signals. The homomorphic encryption information may be associated with a homomorphic encryption algorithm used to generate the cipher text data. The homomorphic operation information may be associated with the homomorphic operations to be performed on the cipher text data.

Abstract: Transaction ID information corresponding to proof certificate-verifying transaction information is transmitted to a block chain retention server if a request for proof certificate information is sensed, when the proof certificate-verifying transaction information generated by using the proof certificate information, to be provided to a customer, is recorded in a block chain retention server and the transaction ID information is managed. The proof certificate-verifying transaction information corresponding to the transaction ID information is acquired from the block chain retention server. A proof certificate index hash value used for comparison, acquired from the proof certificate information to be provided to a customer and corresponding to a request, is compared with a proof certificate-verifying index hash value acquired from the proof certificate verifying-transaction information.

Abstract: An automated system configured for streamed contents, to be self-aware in preventing fraudulent tactics, during real-time and offline usages, while communicating with its owner for accurate decision making, comprising: a content player module, and a content streaming service module; configured using a codec module to embed logic, encryptions, heuristics data, associated meta data, and management data into the content format; configured to use symmetric encryption keys, public keys, biometrics, and payload data; configured to authenticate the user and content owner; configured to request, receive, send, stream content, and analytics through a secure communication; configured to provide secure virtual communications between users and content owners; configured to use a call-home data, to enable the content and content owner to communicate and update one another securely; Configured to provide real-time, and offline, fraud prevention heuristics using artificial intelligence.

Abstract: This application claims the benefit of Belgian Application No. BE2016/5964 filed 22 Dec. 2016, Belgian Application No. BE2016/5965 filed 22 Dec. 2016, Belgian Application No. BE2016/5966 filed 22 Dec. 2016, PCT/IB2017/056624 filed 25 Oct. 2017 and PCT/EP2017/082803 filed Dec. 14, 2017, International Publication No. WO 2018/114587 A1, which are hereby incorporated by reference in their entirety as if fully set forth herein.

Abstract: Embodiments disclosed herein are directed to methods and systems of password-based threshold authentication, which distributes the role of an authentication server among multiple servers. Any t servers can collectively verify passwords and generate authentication tokens, while no t?1 servers can forge a valid token or mount offline dictionary attacks.

Abstract: Techniques for determining whether a public encryption key is vulnerable as the result of deficiencies in pseudorandom number generation algorithms are provided. In some embodiments, a system may compile a database of cryptographic information received from a plurality of sources, including databases, and network traffic monitoring tools. RSA public keys extracted from the cryptographic information may be stored in an organized database in association with corresponding metadata. The system may construct a product tree from all unique collected RSA keys, and may then construct a remainder tree from the product tree, wherein each output remainder may be determined to be a greatest common divisor of one of the RSA keys against all other unique RSA keys in the database. The system may then use the greatest common divisors to factor one or more of the RSA keys and to determine that the factored keys are vulnerable to being compromised.

Abstract: Systems and methods are described for orchestrating a security object, including, for example, defining and storing a plurality of policies in a database coupled to a policy engine and receiving, by the policy engine, the security object and at least one object attribute associated with the security object. In addition, the policy engine determines the acceptability of the security object based, at least in part, on the at least one object attribute and at least one of the plurality of policies corresponding to the at least one object attribute. The security object to at least one communication device associated with the policy engine is distributed when the security object is determined to be acceptable. The at least one communication device establishes communication based, at least in part, on the security object.

Abstract: A device implementing a system for authenticating an identity document includes at least one processor configured to receive, from a service provider, a request associated with verifying an integrity of an identity document, and capture, responsive to receiving the request, image data of the identity document. The at least one processor is further configured to generate a representation based on the image data, the representation comprising form factor data of the identity document, and compare the representation with a prior representation of the identity document, the prior representation comprising prior form factor data of the identity document. The at least one processor is further configured to provide, to the service provider, a response to the request based on comparing the representation with the prior representation.

Abstract: Provided is a non-transitory computer readable medium. The non-transitory computer readable medium storing program code that, when is executed by a processor, causes the processor to calculate a message, based on a first cipher text, a second cipher text, and a private key, to compare a coefficient of the message with a reference value based on a prime number, to decide a coefficient of a modified message, based on a comparison result between the coefficient of the message and the reference value, and to decrypt the modified message.

Abstract: A methods for payment authorization (10) on mobile devices (DM) such as smartphones, tablets or any others available, which may be offline; the method for payment authorization (10) comprises the compilation of sequential steps of method (M1) of the payer (20) with method (M2) of the operational system (50) or application that constitutes a logical structure for alignment with the method (M3) of the payee (30), resulting in authenticated payment (PG) of financial transactions (TF) with assurance of “non-repudiation” through generation of a private key (51) and public key (52), as well as association of positive identification (21a) and personal identification (21b) of the payer (PG) with the mobile device (DM); said methods (M1), (M2) and (M3) are executed on mobile devices (DM) with enough processing capacity for execution of encryption algorithms and which may be used for issuing payment orders (PG), on-site or otherwise, carried out with financial resources (RF) or credit limits (LC) such as bonuses, point

Abstract: A method may include generating word string vectors for word strings in a document, obtaining encrypted word string vectors by encrypting the word string vectors, generating a search vector for a search query, obtaining an encrypted search vector by encrypting the search vector, calculating encrypted distances between the encrypted word string vectors and the encrypted search vector, obtaining a decrypted distance by decrypting an encrypted distance, and using the decrypted distance, determining a semantic match between the search query and the document.