Abstract: A homomorphic encryption scheme, such as Paillier encryption in combination with a bit packing process allows biometric matching at a terminal without exposing a biometric template stored at a user's device. Because such encryption schemes are data intensive, the bit packing process allows reductions in data being sent and processed so that the biometric matching process can be accomplished in near real time. The high speed of this optimized process allows the technique to be applied to many real world processes such as access control and transaction processing.

Abstract: This disclosure relates to using probabilistic data structures to enable systems to detect fraud while preserving user privacy. In one aspect, a method includes obtaining a set of frequency filters. Each frequency filter defines a maximum event count for a specified event type over a specified time duration and corresponds to a respective content provider. A subset of the frequency filters are identified as triggered frequency filters for which an actual event count for the specified event type corresponding to the frequency filter exceeds the maximum event count defined by the frequency filter during a time period corresponding to a specified time duration for the frequency filter. A probabilistic data structure that represents at least a portion of the frequency filters in the subset of frequency filters is generated. A request for content is sent to multiple content providers. The request for content includes the probabilistic data structure.

Abstract: A method for authenticating an integrated circuit is provided. At an intellectual property facility, a random encryption key and a number of random input vectors are generated. For each input vector, the input vector is encrypted, based on the encryption key, to generate a corresponding output vector, and the input vector and the corresponding output vector are formed into an authentication vector pair. The encryption key is embedded into hardware description language instructions that define an integrated circuit that includes a cryptography engine. A number of authentication vector pairs is transmitted, via a secure communication link, to a semiconductor assembly and test facility. An input vector of an authentication vector pair is presented to the integrated circuit, which encrypts the input vector using the embedded encryption key. If the result matches the output vector of the authentication vector pair, the integrated circuit is determined to be authentic.

Abstract: Systems and techniques for a System-on-a-Chip (SoC) security plugin are described herein. A component message may be received at an interconnect endpoint from an SoC component. The interconnect endpoint may pass the component message to a security component via a security interlink. The security component may secure the component message, using a cryptographic engine, to create a secured message. The secured message is delivered back to the interconnect endpoint via the security interlink and transmitted across the interconnect by the interconnect endpoint.

Abstract: A blockchain-based privacy protection method for a CCN includes: executing, by a trusted AAC, an initialization algorithm to generate common parameters and a master key, generating a public key and a private key for each consumer and publisher, and randomly generating, by the trusted AAC, its own public key and private key; calculating a public key, and generating ciphertext and uploading the ciphertext to a CSP; performing transaction on-chaining; and during decryption, finding, by the consumer, transaction information of the content on the consortium blockchain, sending an interest packet based on the transaction information, and obtaining ciphertext CT through a storage address in the transaction information; generating, by the consortium blockchain, an access transaction based on access information of the consumer; sending the ciphertext CT to the consumer through a data packet; and locally decrypting, by the consumer, the ciphertext CT, and verifying correctness of the content.

Abstract: In some implementations, a front-end device may receive a physical identifier associated with the user. Accordingly, the front-end device may select a plurality of images, where each image corresponds to a unique integer of integers zero through nine. The front-end device may show, on a display, the plurality of images and receive audio that includes a sequence of words that describe a subset of the plurality of images. Accordingly, the front-end device may map the sequence of words to the subset of the plurality of images and determine a first sequence of numbers corresponding to the subset of the plurality of images. Therefore, the front-end device may authenticate the user based on the first sequence of numbers matching a second sequence of numbers associated with the user.

Abstract: An encoding method includes: receiving a plurality of messages; encoding the plurality of messages into a polynomial defined by multivariates; and encrypting the polynomial defined by the multivariates to generate a homomorphic ciphertext. The plurality of messages may be multidimensionally packed by using multivariates, and thus, an operation may be performed with low complexity in the process of matrix multiplication for ciphertexts packed with the multivariates.

Abstract: Systems and methods of the present disclosure are directed to a method performed by a Wireless Communication Device (WCD) for securing wireless communication. The method includes obtaining a configuration descriptive of network entity(s) comprising (a) Legitimate Network Entity (LNE(s)); (b) or Illegitimate Network Entity (INE(s)); or (c) both LNE(s) and INE(s). The method includes determining that a trigger condition for applying the configuration has occurred. The method includes, responsive to making the determination, applying the configuration to the WCD such that connection related procedure(s) of the WCD related to connection between the WCD and the network entity(s) are adjusted in such a manner that the WCD is permitted to connect to only the LNE(s), not permitted to connect to the INE(s), both permitted to connect to only the LNE(s) and not permitted to connect to the INE(s), or not permitted to connect to any network entity.

Abstract: Various methods and systems are provided for autonomous orchestration of secrets renewal and distribution. A secrets management service (“SMS”) can be utilized to store, renew and distribute secrets in a distributed computing environment. The secrets are initially deployed, after which, SMS can automatically renew the secrets according to a specified rollover policy, and polling agents can fetch updates from SMS. In various embodiments, SMS can autonomously rollover client certificates for authentication of users who access a security critical service, autonomously rollover storage account keys, track delivery of updated secrets to secrets recipients, deliver secrets using a secure blob, and/or facilitate autonomous rollover using secrets staging. In some embodiments, a service is pinned to the path where the service's secrets are stored. In this manner, secrets can be automatically renewed without any manual orchestration and/or the need to redeploy services.

Abstract: A system and method for verifying a cryptographic access code is provided. If a set of cryptographic access components are quantum-aware, the system can obtain a post-quantum encryption and/or decryption algorithm from a context-specific non-critical extension in a private OID namespace, such as SABER, Kyber, Enhanced McEliece, or RLCE. If the set of cryptographic access components are quantum-aware, the system can obtain a post-quantum signature or verification algorithm from the private OID namespace. The system can validate a root of trust specified in a TAL record; confirm that a respective certificate, CRL, or TAL is specified in at least one Manifest record; confirm that a hash of the respective certificate, CRL, or TAL matches a recorded hash in a respective Manifest listing the respective certificate, CRL, or TAL; and confirm that a respective CRL or Manifest is fresh.

Abstract: Systems and methods are disclosed for traffic filtration by content providers. One method includes receiving a content request from a device of a user; determining whether one or more container tags are associated with requested content; determining, prior to responding to the content request, whether the content request is by a user based on the content request and the one or more container tags; generating, prior to responding to the content request, an ad request based on the content request and the one or more container tags; determining, prior to responding to the content request, an ad request recipient based on the generated ad request and the one or more container tags; transmitting the ad request to the determined ad request recipient; and transmitting, over the electronic network to the device, a response to the content request when the content request is determined to be by a user.

Abstract: A method for decoding an encrypted electromagnetic signal W encoded by a first computer with public key N_0=r×s, where N_0, r and s are integers. There is the step of obtaining the electromagnetic signal W from a telecommunications network, or a data network or an Internet or a first non-transient memory. There is the step of storing the electromagnetic signal W in a second non-transient memory. There is the step of decoding with a second computer in communication with the second non-transient memory the electromagnetic signal W in the second non-transient memory by factoring the public key N_0 in at most a time O(log^6 N_0). A non-transitory readable storage medium which includes a computer program stored on the storage medium for decoding an encrypted electromagnetic signal W.

Abstract: The invention relates to efficient zero knowledge verification of composite statements that involve both arithmetic circuit satisfiability and dependent statements about the validity of public keys (key-statement proofs) simultaneously. The method enables a prover to prove this particular statement in zero-knowledge. More specifically, the invention relates to a computer-implemented method for enabling zero-knowledge proof or verification of a statement (S) in which a prover proves to a verifier that a statement is true while keeping a witness (W) to the statement a secret. The invention also relates to the reciprocal method employed by a verifier who verifies the proof.

Abstract: The reliability of a second public key which is part of a second key pair generated in association with a first key pair is certified. A generating apparatus 210 provides certification data to a receiving apparatus 220 (S301). The receiving apparatus 220 transmits a certification request requesting a certification that the second public key PK2 is in a parent-child relationship with the first public key PKI to a certifying apparatus 230 (S302). In this example, the certification request includes the certification data, but if the certification data is provided directly from the generating apparatus 210 to the certifying apparatus 230, the certification request does not need to include the certification data. The certifying apparatus 230 verifies the certification data by calculating a verification formula for the certification data in response to the certification request (S303).

Abstract: A method includes identifying connections between plural components of a time sensitive network (TSN) that are interconnected via a predetermined connection plan. The method also includes determining quantum key distribution (QKD) information of the components. Also, the method further includes scheduling flows for the TSN based on the QKD information of the components.

Abstract: Methods and systems may be associated with a cloud computing environment. A proxy platform data store may contain node data associated with nodes of the cloud computing environment. Each node might, for example, store multi-party computation information. A proxy platform, able to access the proxy platform data store, may detect that a first node needs to access a cloud application secret key and determine, based on information in the proxy platform data store, a set of nodes associated with the secret key that the first node needs to access. The proxy platform may then use a multi-party computation algorithm and information received from the set of nodes to generate the secret key.

Abstract: A quantum-cryptographic-communication system according to an embodiment includes a key-integrated-management device, quantum-cryptography devices, and key-management-inspection devices. An inspection-target-value-calculating unit calculates an inspection-target value based on quantum-cryptography-device information related to a quantum-cryptography device. An expected-value-calculating unit calculates an expected value based on at least one of wiring information of a QKD link connected to the inspection-target-quantum-cryptography device; weather information of the site installed with the inspection-target-quantum-cryptography device; and the quantum-cryptography-device information. A permissible-value-calculating unit calculates a permissible value based on at least one of the wiring information, the weather information, and the quantum-cryptography-device information.

Abstract: Technologies for establishing device locality are disclosed. A processor in a computing device generates an identifier distinct to the computing device. The processor transmits the identifier to a management controller via a hardware bus in the computing device. The processor generates a key and encrypts the key with the identifier to generate a wrapped key. The processor transmits the wrapped key to the management controller. In turn, the management controller unwraps the key using the identifier. Other embodiments are described and claimed.

Abstract: Systems and methods for developing a novel public/private key pair having unique properties are disclosed, whereby standard data security operations in existing data security infrastructures return a data integrity validation result—but do not provide the intended data security of such infrastructures. These novel keys are referred to as degenerate keys and may be used to replace the public and private keys in existing public/private key cryptosystems. Because degenerate key data integrity validation may leverage existing data security infrastructures that are already widely-implemented, such examples may be applied immediately and configured to seamlessly transition from integrity only modes back to secure modes. In some instances, the degenerate key examples described herein may be employed during a software testing and/or factory validation stage of product development to allow for data integrity validation before burning in a developer's active (i.e.

Abstract: Systems and methods for effecting secure transactions are described. A processing device, when executing computer-executable instructions: receives from a requesting entity computing system a transaction request for a payload. The transaction request is transmitted to delivery entity computing system associated with a delivery entity identifier and geographic location. An encryption key, random number and a unique request identifier are generated and transmitted to requesting and delivery entity computing systems. In response to receiving a delivery transaction confirmation from the delivery entity computing system, the processing device verifies the secure transaction. After receiving a requestor transaction confirmation from the requesting entity computing system (indicating a verified transfer of the payload), a payload reimbursement is transferred to a delivery transaction account from a requestor transaction account.

Abstract: A secure storage module of a client device interacts with a set of secure storage servers to securely store data items of the client on the servers, such that no individual server has the data in readable (non-obfuscated) form. Additionally, the client secure storage module and the servers interact to allow the client device to read a given portion of the original data items from the servers, such that none of the servers can determine which portion of the original data is being requested. Similarly, the interactions of the client secure storage module and the servers allows the client device to update a given portion of the original data on the servers to a new value, such that none of the servers can determine which portion is being updated and that none of the servers can determine either the prior value or new value or the difference between the new value and the prior value.

Abstract: At least one proof transaction for recording on a blockchain comprises at least an s-part for an Elliptic Curve Digital Signature Algorithm, ECDSA, signature. The s-part is computed from a set of signature components, each provided by a participant of a signing subset of a set of keyshare participants. Each of keyshare participant holds an ephemeral keyshare of an unknown ephemeral key, and each of the signing components is provided by the participant of the signing subset based on their ephemeral keyshare. The at least one proof transaction indicates an r-challenge of at least one challenge transaction, and a node of a blockchain network applies signature verification to: (i) the s-part of the at least one proof transaction, and (ii) one of: (iia) an r-part of the r-challenge, (iib) an r-part of the at least one proof transaction, and in that event checks that that r-part satisfies the r-challenge.

Abstract: A system for auditing event data includes an interface and a processor. The interface is configured to receive an audit query request and a client key. The processor is configured to determine whether the audit query request is valid; determine whether a chain of events is stored in an audit store, wherein the chain of events is associated with the audit query request; and in response to determining that the chain of events is stored in the audit store, provide data for the audit query request.

Abstract: An obfuscation process is described for obfuscating a cryptographic parameter of cryptographic operations such as calculations used in elliptical curve cryptography and elliptical curve point multiplication. Such obfuscation processes may be used for obfuscating device characteristics that might otherwise disclose information about the cryptographic parameter, cryptographic operations or cryptographic operations more generally, such as information sometimes gleaned from side channel attacks and lattice attacks.

Abstract: Various embodiments relate to a data processing system comprising instructions embodied in a non-transitory computer readable medium, the instructions for masked sampling of polynomials for lattice-based cryptography in a processor, the instructions, including: determining a number m of random bits to be sampled based upon a sample bound parameter ?; producing a plurality of Boolean masked shares of a polynomial coefficient each having the determined number m of random bits using a uniform random function; determining that the polynomial coefficient is within a range of values based upon the sample bound parameter ?; converting the plurality of Boolean masked shares of the polynomial coefficient to a plurality of arithmetic masked shares of the polynomial coefficient; and shifting the plurality of arithmetic masked shares based upon the sample bound parameter ?.

Abstract: A first device transmits a first random number to a second device through a first quantum channel, and receives a second random number from the second device through a second quantum channel. The first device generates a first encryption key based on the first random number and the second random number. The second device transmits the second random number to the first device through the second quantum channel, and receives the first random number from the first device through the first quantum channel. The second device generates a second encryption key based on the first random number and the second random number.

Abstract: Systems and methods for generating min-increment counting bloom filters to determine count and frequency of device identifiers and attributes in a networking environment are disclosed. The system can maintain a set of data records including device identifiers and attributes associated with device in a network. The system can generate a vector comprising coordinates corresponding to counter registers. The system can identify hash functions to update a counting bloom filter. The system can hash the data records to extract index values pointing to a set of counter registers. The system can increment the positions in the min-increment counting bloom filter corresponding to the minimum values of the counter registers. The system can obtain an aggregated public key comprising a public key. The system can encrypt the counter registers using the aggregated shared key to generate an encrypted vector. The system can transmit the encrypted vector to a networked worker computing device.

Abstract: In IaaS (Infrastructure as a Service), when it is desirable to delegate the authority to a user outside a system, a recipient of an access token is designated, thereby preventing illegal distribution of the access token. There is provided an access token system including a generator and a verifier. The generator generates, using secret information of a recipient, a recipient-designated access token for which the recipient is designated, and provides the recipient-designated access token to a user. The verifier verifies that the user who makes access using the recipient-designated access token is the designated recipient.

Abstract: A system, method, and apparatus for carrying out a value transfer is provided. A method includes receiving, by a computing system of a financial institution, a de-signcrypted value transfer message including terms of a value transfer from an account of a sending party to an account of a merchant, wherein a receiving party desires to make a purchase from the merchant and the value transfer is a payment from the sending party account to the merchant account; and one or more spending limitations on the desired purchase, wherein the payment is contingent on the desired purchase meeting the spending limitations. The method then includes verifying the authenticity of the de-signcrypted message using a public key of the sending party and a private key of the financial institution; and dispersing funds according to the terms of the value transfer.

Abstract: Techniques for determining whether a public encryption key is vulnerable as the result of deficiencies in pseudorandom number generation algorithms are provided. In some embodiments, a system may compile a database of cryptographic information received from a plurality of sources, including databases, and network traffic monitoring tools. RSA public keys extracted from the cryptographic information may be stored in an organized database in association with corresponding metadata. The system may construct a product tree from all unique collected RSA keys, and may then construct a remainder tree from the product tree, wherein each output remainder may be determined to be a greatest common divisor of one of the RSA keys against all other unique RSA keys in the database. The system may then use the greatest common divisors to factor one or more of the RSA keys and to determine that the factored keys are vulnerable to being compromised.

Abstract: A processor-implemented method with homomorphic encryption includes: receiving a first ciphertext corresponding to a first modulus; generating a second ciphertext corresponding to a second modulus by performing modulus raising on the first ciphertext; and performing bootstrapping by encoding the second ciphertext using a commutative property and an associative property of operations included in a rotation operation.

Abstract: In one embodiment, data at rest is securely stored. A data safe performing data plane processing operations in response to requests of received read data requests, received write data requests, and received read information responses, with the data safe being immutable to processing-related modifications resulting from said performing data plane processing operations. Performing these data plane processing operations does not expose any pilot keys outside the data safe in plaintext form nor in encrypted form. The pilot keys are used to encrypt information that is subsequently stored in a storage system. In one embodiment, the information encrypted and decrypted by the data safe includes data structure instances including feature-preserving encrypted entries generated using feature-preserving encryption on corresponding plaintext data items.

Abstract: A data storage device includes a memory device and a controller coupled to the memory device. The controller is configured to receive key value (KV) pair data, determine an entropy value of the received KV pair data, select an error correction code (ECC) code rate based on the determined entropy value, and program the KV pair data to a codeword (CW). The KV pair data includes a key and a value. The programming includes encoding the KV pair data using the selected ECC code rate. The controller is further configured to aggregate a portion of another KV pair data and the KV pair data and program the aggregated KV pair data to the CW using a selected ECC code rate.

Abstract: In response to identifying that a Single Instruction, Multiple Data (SIMD) operation has been instructed to be performed or has been performed by a Fully-Homomorphic Encryption (FHE) software on one or more original ciphertexts, performing the following steps: Performing the same operation on one or more original plaintexts, respectively, that are each a decrypted version of one of the one or more original ciphertexts. Decrypting a ciphertext resulting from the operation performed on the one or more original ciphertexts. Comparing the decrypted ciphertext with a plaintext resulting from the same operation performed on the one or more original plaintexts. Based on said comparison, performing at least one of: (a) determining an amount of noise caused by the operation, (b) determining whether unencrypted data underlying the one or more original ciphertexts has become corrupt by the operation, and (c) determining correctness of an algorithm which includes the operation.

Abstract: Provided is a method and system for building a compliance software service using reusable and configurable components. In one example, the method may include receiving a request to build a software in association with an identified jurisdiction from among a plurality of jurisdictions, retrieving a plurality of configurable software components which comprise built-in functionality that is generic across the plurality of jurisdictions, dynamically configuring non-generic functionality for the identified jurisdiction within the plurality of configurable software components based on inputs received from a user, and creating a software program for the identified jurisdiction based on the dynamically configured software components and storing a file including the created software program in a storage device.

Abstract: A method is disclosed. An authentication node may receive a plurality of encrypted match values, wherein the plurality of encrypted match values were formed by a plurality of worker nodes that compare a plurality of encrypted second biometric template parts derived from a second biometric template to a plurality of encrypted first biometric template parts derived from a first biometric template. The authentication node may decrypt the plurality of encrypted match values resulting in a plurality of decrypted match values. The authentication node may then determine if a first biometric template matches the second biometric template using the plurality of decrypted match values. An enrollment node may be capable of enrolling a biometric template and storing encrypted biometric template parts at worker nodes.

Abstract: The disclosed technology provides for establishment of a secure tunnel with implicit device identification. The implicit device identification can be provided during establishment of a secure tunnel with a server by performing a mutual authentication with the server using a device-specific private key of the device. The device-specific private key may be provisioned during manufacturing of the device and stored by a secure hardware component of the device. Establishing the secure tunnel using implicit device identification can be helpful for operations in which a server is configured to only establish secure communications with one or more particular types of device, and can be performed without the use additional device identification communications.

Abstract: Systems and methods for generating min-increment counting bloom filters to determine count and frequency of device identifiers and attributes in a networking environment are disclosed. The system can maintain a set of data records including device identifiers and attributes associated with device in a network. The system can generate a vector comprising coordinates corresponding to counter registers. The system can identify hash functions to update a counting bloom filter. The system can hash the data records to extract index values pointing to a set of counter registers. The system can increment the positions in the min-increment counting bloom filter corresponding to the minimum values of the counter registers. The system can obtain an aggregated public key comprising a public key. The system can encrypt the counter registers using the aggregated shared key to generate an encrypted vector. The system can transmit the encrypted vector to a networked worker computing device.

Abstract: Provided are methods and systems for performing secure analytics using term generations and a homomorphic encryption. An example method includes receiving, by at least one server from a client, a term generation function, a hash function, a public key of a homomorphic encryption scheme, and a homomorphically encrypted list of indices, wherein the list of indices is generated using the term generation function and the hash function, applying, by the server, the term generation function, the hash function, and the public key to a data set to determine a further homomorphically encrypted list of indices, extracting, by the server and using the homomorphically encrypted list of indices and the further homomorphically encrypted list of indices, data from the encrypted data set to obtain an encrypted result, and sending the encrypted result to the client to decrypt the encrypted result using a private key of the homomorphic encryption scheme.

Abstract: Systems and techniques for a System-on-a-Chip (SoC) security plugin are described herein. A component message may be received at an interconnect endpoint from an SoC component. The interconnect endpoint may pass the component message to a security component via a security interlink. The security component may secure the component message, using a cryptographic engine, to create a secured message. The secured message is delivered back to the interconnect endpoint via the security interlink and transmitted across the interconnect by the interconnect endpoint.

Abstract: A method including receiving, by a first device from a second device in a mesh network, message data to be transmitted to a communication device, the message data being received via a first meshnet connection between the first device and the second device; and transmitting, by the first device to the second device, response data based at least in part on transmitting the message data to the communication device, the response data being transmitted via the first meshnet connection. Various other aspects are contemplated.

Abstract: An electronic key pre-distribution device for configuring multiple network nodes with local key information is provided. The key pre-distribution device applies at least a first hash function and a second hash function to a digital identifier of a network node. The first and second hash functions map the digital identifier to a first public point and a second public point on a first elliptic curve and second elliptic curve. A first and second secret isogeny are applied to the first and second public elliptic curve points, to obtain a first private elliptic curve point and second private elliptic curve point that are part of private key material for the network node.

Abstract: A method including determining, by a first device in communication with a second device in a mesh network, an instant message to be transmitted to the second device; first encrypting, by the first device, the instant message based at least in part on utilizing a symmetric key negotiated between the first device and the second device; second encrypting, by the first device, the first encrypted instant message based at least in part on utilizing a public key associated with the second device; and selectively transmitting, by the first device, the second encrypted instant message to the second device. Various other aspects are contemplated.

Abstract: Signing data so that a signature can be verified by a verifier while preserving the privacy of a signer, the method including: generating a signature nonce; encrypting the signature nonce with a public key of the verifier to produce an encrypted signature nonce; and calculating a signature of the data of the signer by signing the data concatenated with the signature nonce using a private key of the signer.

Abstract: A method including determining, by a first device in communication with a second device and a third device in a mesh network, a first instant message to be transmitted to the second device and a second instant message to be transmitted to the third device, the first instant message and the second instant message including instant messaging (IM) information; encrypting, by the first device, the first instant message based at least in part on utilizing a symmetric key negotiated between the first device and the second device and the second instant message based at least in part on utilizing a symmetric key negotiated between the first device and the third device; and selectively transmitting, by the first device, the encrypted first instant message over a first meshnet connection and the encrypted second instant message over a second meshnet connection. Various other aspects are contemplated.

Abstract: Embodiments disclosed herein are directed to methods and systems of password-based threshold authentication, which distributes the role of an authentication server among multiple servers. Any t servers can collectively verify passwords and generate authentication tokens, while no t?1 servers can forge a valid token or mount offline dictionary attacks.

Abstract: Systems and methods for provisioning secure terminals for secure transactions are disclosed herein. A disclosed method includes generating a key using a key generator element on a secure terminal and sending a key validation request for the key from the secure terminal to a provisioning device. The method also includes parsing the key validation request and generating a key validation for the key and a trusted time stamp on the provisioning device. The method also includes sending, from the provisioning device, the key validation and the trusted time stamp to the secure terminal. The method also includes setting a clock on the secure terminal using the trusted time stamp and storing the key validation at the secure terminal.

Abstract: Systems and methods for attesting an enclave in a network. A method includes receiving, by a first device, proof information from an application provider entity that the enclave is secure, wherein the proof information includes a public part, Ga, of information used by the enclave to derive a Diffie-Hellman key in a key generation process with the application provider entity, processing, by the first device, the proof information to verify that the enclave is secure and ensuring that Ga is authentic and/or valid, deriving, by the first device, a new Diffie-Hellman key, based on Ga and x, wherein x is a private part of information used by the first device to derive the new Diffie-Hellman key, and sending, by the first device, a message including Ga and a public part, Gx, of the information used by the first device to derive the new Diffie-Hellman key to the enclave.

Abstract: Computer-implemented methods for locking a blockchain transaction based on undetermined data are described. The invention is implemented using a blockchain network. This may, for example, be the Bitcoin blockchain. A locking node may include a locking script in a blockchain transaction Node to lock a digital asset. The locking script includes a public key for a determined data source and instructions to cause a validating node executing the locking script to verify the source of data provided in an unlocking script by: a) generating a modified public key based on the public key for the determined data source and based on data defined in the unlocking script; and b) evaluating a cryptographic signature in the unlocking script based on the modified public key. The blockchain transaction containing the locking script is sent by the locking node to the blockchain network. The lock may be removed using a cryptographic signature generated from a private key modified based on the data.

Abstract: A multi-scheme random selection of blockchain endorsers may preserve anonymity of nodes that participate in a blockchain network, and may assign each node an endorsement load that is proportionate to the utilization of the blockchain network by that node. Selection of one or more nodes to endorse data before recordation to the blockchain may include randomly selecting an active endorser selection scheme from a set of available endorser selection schemes, and randomly selecting one or more nodes as endorsers for the data based on the active endorser selection scheme. Each scheme may be derived based on the tracked utilization over different time scales. Exit criteria may determine when to switch the active endorser selection scheme. The exit criteria may be based on a number of times each node is selected as an endorser under the active endorser selection scheme, and utilization of the blockchain network by each node.