Public Key Patents (Class 380/30)
  • Patent number: 11032074
    Abstract: A computer processing system and method for reducing memory footprint that includes initiating, through at least one computer processor, a cryptography session utilizing an i-degree isogeny arithmetic computation having chained computations therein. The cryptography session includes implementing a first iteration cycle, of a plurality of iteration cycles, and implementing a remaining amount of the plurality of iteration cycles, each of the plurality of iteration cycles computing isogenies using a compressed Z value to complete the i-degree isogeny arithmetic computation. The first iteration cycle includes individually computing a plurality of sequentially occurring pivot points within the chained computations, implementing a Co-Z algorithm within the plurality of sequentially occurring pivot points to compute and store the compressed Z value on one of the plurality of temporary registers and computing a first isogeny of the i-degree isogeny arithmetic computations using the compressed Z value.
    Type: Grant
    Filed: February 11, 2019
    Date of Patent: June 8, 2021
    Assignee: PQSecure Technologies, LLC
    Inventor: Brian Craig Koziel
  • Patent number: 11023667
    Abstract: Systems and methods for generating a pseudo data field in a CRM system to allow end users to generate and manage pseudo data fields for account objects in the CRM system, which may behave like actual data fields of account objects in the CRM system but live outside the CRM account. The present invention uses a data model that includes two objects to allow end users to generate and manage the pseudo data fields. One of the objects is a pseudo data field configuration object, which may be used to configure the pseudo data fields that should be made available to end users. The other object is a pseudo data field object, which may be used to record user responses or values users use to populate the pseudo data field.
    Type: Grant
    Filed: December 20, 2019
    Date of Patent: June 1, 2021
    Assignee: Veeva Systems Inc.
    Inventors: Arno Sosna, Povilas Petkevicius, Camila Muse
  • Patent number: 11018865
    Abstract: A method, system and elliptic curve cryptographic scheme for permitting secure communications between two or more cryptographic correspondent devices, the cryptographic scheme including a plurality of cryptographic operations applied to cryptographic parameters, the cryptographic operations including scalar multiplication of a point and a parameter, the elliptic curve cryptographic scheme characterized by selectively applying countermeasures and optimizations to the scalar multiplications by: applying a simple side-channel attack countermeasure for scalar multiplications that include a secret parameter as the parameter; applying a differential side-channel attack countermeasure for scalar multiplications when the elliptic curve point is not a generator point of the elliptic curve; and selectively applying optimizations.
    Type: Grant
    Filed: August 13, 2019
    Date of Patent: May 25, 2021
    Assignee: InfoSec Global Inc.
    Inventors: Vladimir Soukharev, Basil Hess
  • Patent number: 11018876
    Abstract: Provided is a signature verification system comprising: a signature terminal including a biometric information acquisition unit for acquiring biometric information of a user, a public template certificate generation unit for generating a public template certificate by subjecting the biometric information to predetermined processing, a key pair generation unit for generating a pair of a secret key and a public key, and a public key certificate generation unit for generating a public key certificate by providing a biometric signature to the public key with the biometric information used as a key; and a verification terminal including a public key certificate verification unit for receiving a transaction including the public template certificate, the public key certificate, and a signature to verify the validity of the public key certificate using the public template certificate, and a signature verification unit for verifying the signature using the public key certificate.
    Type: Grant
    Filed: May 16, 2017
    Date of Patent: May 25, 2021
    Assignee: HITACHI, LTD.
    Inventors: Yosuke Kaga, Kenta Takahashi, Masakazu Fujio, Ken Naganuma
  • Patent number: 11019037
    Abstract: A security solution for BLUETOOTH Low Energy (BLE) or equivalent wireless data exchange protocols that involves authentication of a peripheral device by a central device using the advertising channel is presented. A method of authenticating a peripheral device in a wireless data exchange has a peripheral device sending an advertising channel Protocol Data Unit (PDU), a central device receiving the advertising channel PDU and the central device sending a scan request scanning PDU to the peripheral device. The advantage of this method of using the discovery protocol is that it enables a software based solution for the monitoring device and a hardware with software based solution on the beacon device.
    Type: Grant
    Filed: March 15, 2016
    Date of Patent: May 25, 2021
    Assignee: Dialog Semiconductor B.V.
    Inventor: Kanji Kerai
  • Patent number: 11017109
    Abstract: Embodiments described herein provide techniques to limit programmatic access to privacy related user data and system resources for applications that execute outside of a sandbox or other restricted operating environment while enabling a user to grant additional access to those applications via prompts presented to the user via a graphical interface. In a further embodiment, techniques are applied to limit the frequency in which a user is prompted by learning the types of files or resources to which a user is likely to permit or deny access.
    Type: Grant
    Filed: May 6, 2019
    Date of Patent: May 25, 2021
    Assignee: Apple Inc.
    Inventors: Kelly B. Yancey, Richard J. Cooper, Richard L. Hagy, Pierre-Olivier Martel, David P. Remahl, Jonathan A. Zdziarski
  • Patent number: 11012238
    Abstract: The present application provides identity registration and authorization methods using biometric feature information of a user. In one example method, a terminal device receives biometric feature information of a user that is to be verified in association with a service processing request. The terminal device can then match the received biometric feature information to be verified with a pre-stored biometric feature of the user, where the pre-stored biometric feature of the user is associated with a corresponding identifier. In response to matching the received biometric feature information to be verified to a particular pre-stored biometric feature of the user, a private key store is searched for a private key associated with the identifier of the particular pre-stored biometric feature of the user. In response to determining that no private key is associated with the identifier, a user identity of the user is registered with a server.
    Type: Grant
    Filed: December 20, 2019
    Date of Patent: May 18, 2021
    Assignee: Alibaba Group Holding Limited
    Inventor: Fei Meng
  • Patent number: 11004069
    Abstract: Articles and methods for transaction irregularity detection are disclosed. In one example, the article discloses: a memory including a record of a last-reported security-device transaction with the security-device, and including a last-reported transaction counter value associated with the last-reported security-device transaction; a previous device identifier; a record of the previous security-device transaction with the security-device, and including the previous device identifier associated with the previous security-device transaction; a record of a current security-device transaction with the security-device, and including a currently-reported transaction counter value associated with the current security-device transaction; and a back-end device tagging the previous device with fraud if the current transaction counter value differs from the last-reported transaction counter value by other than an increment.
    Type: Grant
    Filed: October 3, 2013
    Date of Patent: May 11, 2021
    Assignee: NXP B.V.
    Inventors: Hans de Jong, Pieter Janssens
  • Patent number: 10997321
    Abstract: A private key of a public-private key pair with a corresponding identity is written to an integrated circuit including a processor, a non-volatile memory, and a cryptographic engine coupled to the processor and the non-volatile memory. The private key is written to the non-volatile memory. The integrated circuit is implemented in complementary metal-oxide semiconductor 14 nm or smaller technology. The integrated circuit is permanently modified, subsequent to the writing, such that further writing to the non-volatile memory is disabled and such that the private key can be read only by the cryptographic engine and not off-chip. Corresponding integrated circuits and wafers are also disclosed.
    Type: Grant
    Filed: September 21, 2019
    Date of Patent: May 4, 2021
    Assignee: International Business Machines Corporation
    Inventors: Richard H. Boivie, Eduard A. Cartier, Daniel J. Friedman, Kohji Hosokawa, Charanjit Jutla, Wanki Kim, Chandrasekara Kothandaraman, Chung Lam, Frank R. Libsch, Seiji Munetoh, Ramachandran Muralidhar, Vijay Narayanan, Dirk Pfeiffer, Devendra K. Sadana, Ghavam G. Shahidi, Robert L. Wisnieff
  • Patent number: 10992467
    Abstract: An encryption system is provided. The system includes a plurality of communication devices, one or more processors, one or more memory components, one or more network connections, and a data repository. The data repository is stored by the plurality of communication devices on the one or more memory components thereof. A polynomial function is developed to point to message data within the data repository, wherein the polynomial function is transmitted between the plurality of communication devices to exchange the message data.
    Type: Grant
    Filed: March 16, 2018
    Date of Patent: April 27, 2021
    Assignee: Colossio, Inc.
    Inventor: Joseph A. Jaroch
  • Patent number: 10993203
    Abstract: An electronic device can be commissioned with an identifier for use in a centralized tracking system. The electronic device is assigned an interim unique identifier and authentication key, for instance by a manufacturer of the electronic device. The electronic device and the centralized tracking system each separately generate a permanent unique identifier and a permanent authentication key based on the interim unique identifier and interim authentication key, without requiring the permanent unique identifier and permanent authentication key to be transmitted between the electronic device and the central tracking server. Upon generating the permanent unique identifier and permanent authentication key, tracking device functionality can be enabled within the electronic device, enabling the electronic device to function as a tracking device within the centralized tracking system.
    Type: Grant
    Filed: July 14, 2020
    Date of Patent: April 27, 2021
    Assignee: Tile, Inc.
    Inventors: Josselin de la Broise, Charles Y. Choi, Dan Danknick
  • Patent number: 10984415
    Abstract: A system and method for facilitating a secured value transfer. A first user and the system obtain a pair of encryption and decryption apparatuses. The first user creates a request including his unique identifier and a value to be transferred. The first user encrypts the request using the encryption apparatus and sends it to the second user. The second user sends to the system the request and the second user's unique identifier. The system uses the decryption apparatus to decrypt the request. The system checks the usage of the request against a threshold limit. After a successful usage check, the system then transfers the value from the first user to the second user. The system may comprise (a) a plurality of system servers for exchanging data with users' personal computing devices, registering users, and conducting transactions, and (b) data storages storing user accounts and other persistent data.
    Type: Grant
    Filed: June 7, 2013
    Date of Patent: April 20, 2021
    Inventor: Li Tan
  • Patent number: 10985915
    Abstract: In some examples, an access point (AP) receives, from a wireless device during a pre-associated state between the AP and the wireless device, a request, a first value, and an encrypted version of the first value. The AP sends, to the wireless device during the pre-associated state, an encrypted version of a second value relating to an encryption key that is based on the first value, and a response to the request, the response encrypted using the encryption key.
    Type: Grant
    Filed: April 12, 2017
    Date of Patent: April 20, 2021
    Assignee: BlackBerry Limited
    Inventors: Stephen McCann, Michael Peter Montemurro, James Randolph Winter Lepp
  • Patent number: 10977532
    Abstract: Disclosed are various embodiments for providing access control to the underlying data of a single machine-readable identifier when read by various reader devices. A client device may receive a first cryptographic key associated with a first device profile and a second cryptographic key associated with a second device profile. Data provided through an ingestion process is formatted into at least a first portion of data and a second portion of data, where the first portion of data is intended for a first reader device and the second portion of data is intended for a second reader device. The first portion of data may be encrypted using the first cryptographic key while the second portion of data is encrypted using the second cryptographic key. A machine-readable identifier may be generated using the first portion of data as encrypted and the second portion of data as encrypted.
    Type: Grant
    Filed: April 19, 2017
    Date of Patent: April 13, 2021
    Assignee: Wonderhealth, LLC
    Inventors: Kenneth Hill, Katherine S. Hill
  • Patent number: 10979221
    Abstract: A cryptographic infrastructure, which provides a method for generating private keys of variable length from a cryptographic table and a public key. This infrastructure provides an approximation of the one-time pad scheme. The cryptographic table is shared between a message sender and a message recipient by a secure transfer. After sharing the cryptographic table, no new private keys need to be sent—the private keys are independently generated by each party from the data contained within the shared cryptographic tables, using the public key. After public keys are exchanged, private keys may be generated and used to encrypt and decrypt messages and perform authentication cycles, establishing a secure communication environment between the sender and the recipient.
    Type: Grant
    Filed: December 31, 2018
    Date of Patent: April 13, 2021
    Assignee: Arizona Board of Regents on Behalf of Northern Arizona University
    Inventor: Bertrand F. Cambou
  • Patent number: 10979406
    Abstract: Methods and systems are provided for streaming digital content. A content stream and metadata relating to the content stream are provided, and the content stream is encrypted with an encryption dependent on at least some of the metadata to provide an encrypted content stream. The metadata is embedded in readable form in the encrypted content stream and the encrypted content stream is transmitted together with the metadata in readable form such that the metadata is readable during transmission of the encrypted content stream and the readable metadata necessary for use in decryption of the encrypted content stream is provided.
    Type: Grant
    Filed: August 28, 2018
    Date of Patent: April 13, 2021
    Assignee: International Business Machines Corporation
    Inventors: Gary P. Noble, Timothy A. Graham
  • Patent number: 10965471
    Abstract: According to one embodiment, an information management device includes a Bloom filter generator configured to generate a Bloom filter based on information on a revoked certificate; a data distributor configured to send the Bloom filter to an authentication device, where the authentication device authenticates a device with a certificate provided by the device; and an examiner configured to determine, when an examination request is received from the authentication device, whether a certificate designated by the examination request has been revoked based on revocation management information that contains information on the revoked certificate, and to send an examination result indicating whether the designated certificate has been revoked to the authentication device.
    Type: Grant
    Filed: September 12, 2018
    Date of Patent: March 30, 2021
    Assignee: KABUSHIKI KAISHA TOSHIBA
    Inventors: Shiho Kodera, Keisuke Minami, Daisuke Ajitomi
  • Patent number: 10963543
    Abstract: According to an embodiment, an information processing apparatus includes one or more processors. The processor is configured to run a process and a process manager to manage the process. The process includes a first key generator, a first authentication code generator, and a first output unit. The first key generator is configured to generate a first message authentication key by using process unique data assigned by the process manager. The first authentication code generator is configured to generate a first message authentication code by using the first message authentication key and a first message. The first output unit is configured to transmit the first message and the first message authentication code to the process manager.
    Type: Grant
    Filed: February 20, 2018
    Date of Patent: March 30, 2021
    Assignee: Kabushiki Kaisha Toshiba
    Inventors: Shinya Takumi, Yoshikazu Hanatani, Hiroyoshi Haruki, Masanobu Koike, Naoki Ogura
  • Patent number: 10958666
    Abstract: The disclosed computer-implemented method for verifying connection integrity may include (i) receiving a request from a client to initiate a connection to a server via a middlebox, (ii) receiving, from the client, via a side protocol executing in parallel with a transport layer security protocol, a request for a certificate for the middlebox, (iii) sending, to the client, via the side protocol, the certificate, (iv) receiving, from the client, via the side protocol, a request for an additional certificate from a device upstream of the middlebox, (v) requesting, from the device upstream of the middlebox, via the side protocol, the additional certificate, (vi) receiving, from the device upstream of the middlebox, via the side protocol, the additional certificate, (vii) sending, to the client, via the side protocol, the additional certificate, and (viii) relaying data via the connection. Various other methods, systems, and computer-readable media are also disclosed.
    Type: Grant
    Filed: March 24, 2017
    Date of Patent: March 23, 2021
    Assignee: NortonLifeLock Inc.
    Inventors: Brian Witten, Qing Li, Ronald Frederick, Roelof Du Toit, Susanta Nanda, Saurabh Shintre, Darren Shou
  • Patent number: 10958425
    Abstract: A network can operate a WiFi access point with credentials. An unconfigured device can support a Device Provisioning Protocol (DPP), and record bootstrap public keys and initiator private keys. The network can record bootstrap public and responder private keys and operate a DPP server. A responder proxy can establish a secure and mutually authenticated connection with the network. The network can (i) derive responder ephemeral public and private keys, (ii) record the initiator bootstrap public key, and (iii) select a responder mode for the responder. The network can derive an encryption key with at least the (i) recorded initiator bootstrap public key and (ii) derived responder ephemeral private key. The network can encrypt credentials using at least the derived encryption key and send the encrypted credentials through the responder proxy to the initiator, which can forward the encrypted credentials to the device, thereby supporting a device configuration.
    Type: Grant
    Filed: May 8, 2019
    Date of Patent: March 23, 2021
    Assignee: IOT AND M2M TECHNOLOGIES, LLC
    Inventor: John A. Nix
  • Patent number: 10949397
    Abstract: Techniques described and suggested include systems and processes for handling data and client lock management in multi-tenant storage systems, such as distributed storage systems. In some embodiments, data lock and client lock records are stored in connection with a plurality of data stores on which client data resides. In some embodiments, a storage hub operably connected to the data stores determines and retains client lease information. In some embodiments, the client lease information is used in conjunction with the data lock and client lock records to effect and determine the validity of locks on various data elements.
    Type: Grant
    Filed: December 11, 2014
    Date of Patent: March 16, 2021
    Assignee: Amazon Technologies, Inc.
    Inventors: Jacob A. Strauss, Matteo Frigo
  • Patent number: 10951598
    Abstract: A wireless device establishes a first link for communications with a cellular base station, wherein the first link uses a first channel as a carrier. The wireless device receives information from the cellular base station for configuring a second link between the wireless device and another wireless device, wherein the second link uses a second channel as a carrier and wherein the second channel is different than the first channel. The wireless device communicates directly with the other wireless device using the second link, wherein the second link resources are assigned by the cellular base station using the first link. The wireless device can use one or more uplink and/or downlink grants from the cellular base station to communicate directly with the other wireless device.
    Type: Grant
    Filed: December 13, 2018
    Date of Patent: March 16, 2021
    Assignee: Genghiscomm Holdings, LLC
    Inventor: Steve J Shattil
  • Patent number: 10951404
    Abstract: A data communication system, in which a sender obtains a set of base data elements; generates a first and a second key from (i) the set of base data elements and (ii) sets of first and second entanglement data elements, the first and second keys comprised of a respective first and second public component and a respective first and second private component. A recipient generates first and second ciphers by encoding a digital message using the first and second public components; and sends the first and second ciphers towards the sender apparatus. The sender then extracts the digital message based on the first and second ciphers, the first and second private components, and the sets of first and second entanglement data elements. The private components are not derivable from the public components or from the ciphers irrespective of computing power. A method of digital signing and verification is also described.
    Type: Grant
    Filed: July 6, 2020
    Date of Patent: March 16, 2021
    Assignee: Quantropi Inc.
    Inventor: Randy Kuang
  • Patent number: 10944578
    Abstract: A computer-implemented method includes: verifying, by a trusted server, an identity of a first terminal; determining that the verification is a success; based on determining that the verification is a success, determining, using a remote attestation protocol, that the first terminal is in a trusted state; and based on determining that the first terminal is in the trusted state, issuing a digital certificate including a trusted identifier to the first terminal, in which the digital certificate is usable by a second terminal to verify the identity of the first terminal.
    Type: Grant
    Filed: March 6, 2020
    Date of Patent: March 9, 2021
    Assignee: Advanced New Technologies Co., Ltd.
    Inventor: Wuqiong Pan
  • Patent number: 10944732
    Abstract: Methods and systems are provided for streaming digital content. A content stream and metadata relating to the content stream are provided, and the content stream is encrypted with an encryption dependent on at least some of the metadata to provide an encrypted content stream. The metadata is embedded in readable form in the encrypted content stream and the encrypted content stream is transmitted together with the metadata in readable form such that the metadata is readable during transmission of the encrypted content stream and the readable metadata necessary for use in decryption of the encrypted content stream is provided.
    Type: Grant
    Filed: July 18, 2019
    Date of Patent: March 9, 2021
    Assignee: International Business Machines Corporation
    Inventors: Gary P. Noble, Timothy A. Graham
  • Patent number: 10943039
    Abstract: An example multiply accumulate (MACC) circuit includes: a multiply-accumulator having an accumulator output register; a quantizer, coupled to the multiply accumulator; and a control circuit coupled to the multiply-accumulator and the quantizer, the control circuit configured to provide control data to the quantizer, the control data indicative of a most-significant bit (MSB) to least significant bit (LSB) range for selecting bit indices from the accumulator output register.
    Type: Grant
    Filed: October 17, 2017
    Date of Patent: March 9, 2021
    Assignee: XILINX, INC.
    Inventors: Ashish Sirasao, Elliott Delaye, Sean Settle, Zhao Ma, Ehsan Ghasemi, Xiao Teng, Aaron Ng, Jindrich Zejda
  • Patent number: 10944575
    Abstract: Methods, systems, and computer programs for using an implicit certificate are disclosed. In some aspects, a message and an implicit certificate are accessed. The implicit certificate is associated with an entity. A modified message is generated by combining the message with a value based on the implicit certificate. A digital signature can be generated based on the modified message and transmitted to a recipient. In some aspects, a digital signature from an entity and a message to be verified based on the digital signature are accessed. An implicit certificate associated with the entity is accessed. A modified message is generated by combining the message with a value based on the implicit certificate. The message is verified based on the digital signature and the modified message.
    Type: Grant
    Filed: May 8, 2020
    Date of Patent: March 9, 2021
    Assignee: BlackBerry Limited
    Inventors: Gregory Marc Zaverucha, David William Kravitz, Daniel Richard L. Brown
  • Patent number: 10924290
    Abstract: The method and device are intended to prove the posteriority date (P) and anteriority date (A) of a digital image (IN) including building with a first server a previously unknown code (C) and transmitting this code (C) at the posteriority date (P), acquiring the digital image including a joint representation of a subject (S) and the code (C), computing an electronic fingerprint (EIN) of the digital image (IN), receiving with a second server at the anteriority date (A) the electronic fingerprint (EIN), inserting a combination (EIN+A) of the electronic fingerprint (EIN) and the anteriority date (A) in a block chain and possibly retrieving and sending back with a third server the recorded posteriority (P) and anteriority (A) dates from the reception of a new digital image (IN2). The disclosure is intended in particular to prove with images the correct performance of clinical protocol steps in clinical trials.
    Type: Grant
    Filed: November 30, 2017
    Date of Patent: February 16, 2021
    Assignee: QuantifiCare S.A.
    Inventor: Jean-Philippe Thirion
  • Patent number: 10924289
    Abstract: Embodiments of the invention provide improved account authentication using public-private key cryptography instead of passwords. Instead of registering a password and using that password to login to an account, an authentication server of an account provider registers a public key received from a user device. To authenticate the user device for logging into an account, the authentication server generates a challenge and encrypts it using the registered public key. The encrypted challenge is sent to the user device, which can decrypt the challenge using the private key corresponding to the registered public key. The decrypted challenge is used for authentication instead of using a password. The private key corresponding to the public key is securely stored and not revealed to the authentication server.
    Type: Grant
    Filed: July 13, 2018
    Date of Patent: February 16, 2021
    Assignee: Visa International Service Association
    Inventor: Robert Chumbley
  • Patent number: 10917233
    Abstract: An example operation may include one or more of generating, by a transaction initiator peer, a key pair for a transaction on a blockchain, querying, by the transaction initiator peer, a built-in account manager to discover webhooks of a plurality of blockchain peers, comparing, by the transaction initiator peer, query results from the plurality of the blockchain peers to ensure consistency, encrypting, by the transaction initiator peer, a transaction data with a key of the key pair based on the ensured consistency of the query results, committing, by the transaction initiator peer, the transaction data to the blockchain, and in response to a successful commitment of the transaction data, instantiating, by the transaction initiator peer, a client application executed on the transaction initiator peer to post a decryption key for the transaction data to webhook URLs of the plurality of the blockchain peers.
    Type: Grant
    Filed: October 16, 2018
    Date of Patent: February 9, 2021
    Assignee: International Business Machines Corporation
    Inventors: Varun Ojha, Praveen Jayachandran
  • Patent number: 10917405
    Abstract: FIDO (“Fast IDentity Online”) authentication processes and systems are described. In an embodiment, a FIDO (“Fast IDentity Online”) authentication process includes a FIDO information systems (IS) computer system receiving a FIDO authentication request for a transaction from a user device, the FIDO authentication request including user data and user device authenticator data, then verifying the user data and user device authenticator data, selecting a FIDO-certified server based on a list of authorized authenticators, business rules and the user device authenticator data, and transmitting the FIDO authentication request to the selected FIDO server. The process also includes the FIDO IS computer system receiving an authentication result from the FIDO-certified server, and transmitting the authentication result to the user device.
    Type: Grant
    Filed: October 10, 2019
    Date of Patent: February 9, 2021
    Assignee: Mastercard International Incorporated
    Inventors: Dawid Nowak, Ashley Waldron, Ashfaq Kamal
  • Patent number: 10909261
    Abstract: A method for generating a secure alternative representation for a numerical datum, being performed in a processing system comprising a processing unit coupled to a storage unit, is provided. The method comprises: receiving the numerical datum; providing a plurality of semi-finished conditions; associating each of the semi-finished conditions with one or more secret parameters to form a plurality of secret conditions; for each of the secret conditions: determining whether the numerical datum satisfies the secret condition; outputting a first character as a result element if the numerical datum satisfies the secret condition; and outputting a second character as the result element if the numerical datum does not satisfy the secret condition; and concatenating each result element being output corresponding to the secret conditions as an alternative representation for the numerical datum.
    Type: Grant
    Filed: December 12, 2018
    Date of Patent: February 2, 2021
    Assignee: INDUSTRIAL TECHNOLOGY RESEARCH INSTITUTE
    Inventors: Shen-Ming Chung, Tzi-Cker Chiueh
  • Patent number: 10911231
    Abstract: Disclosed herein are methods, systems, and apparatus, including computer programs encoded on computer storage media, for recovering and verifying a public key. One of the methods includes accepting information encoding parameters of an elliptic curve, a published public key, a hash value of a message, a digital signature, and an identification parameter; generating a recovered public key based on the parameters of the elliptic curve, the hash value of the message, the digital signature, and the identification parameter; comparing the published public key and the recovered public key to verify the published public key.
    Type: Grant
    Filed: July 31, 2020
    Date of Patent: February 2, 2021
    Assignee: Advanced New Technologies Co., Ltd.
    Inventors: Yao Wang, Hao Lei, Li Lin
  • Patent number: 10911605
    Abstract: A method, a device, and a non-transitory storage medium provide for receiving a request to provision a trial service to a user device, wherein the trial service includes providing a premium service to the user device during a trial time period; identifying a class of service provided to the user device, wherein the request is denied when the premium service is provided to the user device; determining whether the user device is eligible to receive the premium service; determining, when the user device is eligible to receive the premium service, whether the user device is eligible to receive the trial service; and provisioning, based on determining that the user device is eligible to receive the trial service, the trial service to the user device.
    Type: Grant
    Filed: September 20, 2018
    Date of Patent: February 2, 2021
    Assignee: Verizon Patent and Licensing Inc.
    Inventors: Paul Lemchak, Bindu Balan, Thuha T. Cung, Dale M. Gibson, Chaoying Zhu, Kobie Thakar
  • Patent number: 10911215
    Abstract: Exploiting the wealth of information in the intricate structure of a network where vertices are interconnected through edges—to insure data integrity between communication partners, where the partners gauge the projected security through the size and complexity of the deployed shared network.
    Type: Grant
    Filed: February 14, 2020
    Date of Patent: February 2, 2021
    Inventor: Gideon Samid
  • Patent number: 10909228
    Abstract: Systems for collaboration system application authentication. A collaboration system identifies a downloadable application that comprises at least one operation that functions only after obtaining user authentication credentials. The application is configured to invoke one of a plurality of different authentication procedures based on a set of server-provided authentication style parameters. After establishing a connection between an application server that interfaces with the user device that runs the application, the collaboration system determines the set of authentication style parameters, wherein the determination is based at least in part on an identification of the user device or based at least in part on an identification of a user of the user device. The application server sends at least a portion of the set of authentication style parameters to the user device.
    Type: Grant
    Filed: July 19, 2018
    Date of Patent: February 2, 2021
    Assignee: Box, Inc.
    Inventors: Rico Sebastian Yao, Tom Carpel, Oluwatosin Onafowokan
  • Patent number: 10911246
    Abstract: Certificates issued by a CA are distributed across multiple CRLs. Each certificate issued by the CA is assigned to a specific CRL, and the address of that CRL is written to the appropriate field of the certificate, such that an authenticating application can subsequently determine if the certificate is revoked. When the CA revokes a specific one of the issued certificates, it determines to which CRL the revoked certificate is assigned, and updates the specific CRL accordingly. In some embodiments, a single one of the multiple CRLs is active for assignment of certificates at any given time, and each certificate issued by the CA is assigned to the currently active CRL. In other embodiments, assignments of issued certificates are distributed between different ones of a pre-determined number of multiple CRLs by applying a statistical distribution formula to each issued certificate to determine a corresponding target CRL.
    Type: Grant
    Filed: December 21, 2017
    Date of Patent: February 2, 2021
    Assignee: DigiCert, Inc.
    Inventors: Hari Veladanda, Hoa Ly, Ning Chai
  • Patent number: 10911432
    Abstract: Methods and apparatuses for using certificates using a positive list are provided. This involves a message, wherein the message includes a certificate for a device, the certificate has a signature for checking an authenticity of the certificate and a piece of admissibility information for ascertaining an admissibility of the certificate using a positive list, being taken as a basis for carrying out authorization for the device subject to the check and the ascertainment. The disclosed can be used in industrial or medical environments.
    Type: Grant
    Filed: December 8, 2014
    Date of Patent: February 2, 2021
    Inventors: Rainer Falk, Steffen Fries
  • Patent number: 10902415
    Abstract: A payment card binding method, a trust evaluation method, an apparatus, and an electronic device are provided. The payment card binding method includes: receiving a payment card binding request; sending a payment request to a payment system; in response to the payment request being successfully processed by the payment system, determining (1) an account trust level, (2) a device trust level, and (3) an environment trust level; inputting the account trust level, the device trust level, and the environment trust level into a trained classifier to determine a new card trust level (NCTL); determining a payment limit restriction for the digital wallet account using the payment card on the computing device; and binding, based on the NCTL and the payment limit restriction, the digital wallet account with the payment card for the digital wallet account to use the payment card for future payments.
    Type: Grant
    Filed: May 21, 2020
    Date of Patent: January 26, 2021
    Assignee: ADVANCED NEW TECHNOLOGIES CO., LTD.
    Inventor: Jinbiao Zhu
  • Patent number: 10897357
    Abstract: The invention relates to a method for performing a multi-party electronic computation using a plurality of evaluating computer systems. The cryptographic security of the multi-party computation is implemented using lattice-based cryptography. Each evaluating computer system receives from each user of a plurality of users an individual input share of an input chosen by the respective user. Furthermore, each evaluating computer system receives from the user a commitment to the received individual input share and an opening information. Each evaluating computer system checks the commitments received to the individual input shares and generates a first lattice-based zero-knowledge proof that all the commitments received are valid commitments to input shares. Each evaluating computer system publishes the first lattice-based zero-knowledge proof. Thus, a verifier may be enabled to verify that all commitments are valid commitments to input shares.
    Type: Grant
    Filed: April 4, 2018
    Date of Patent: January 19, 2021
    Assignee: International Business Machines Corporation
    Inventors: Rafael Del Pino, Vadim Lyubashevsky, Gregory Neven
  • Patent number: 10891111
    Abstract: A processor within a networked distributed drafting platform generates a public key-value context file that includes initial default key-value mappings between keywords and values for use in a distributed drafting project. Refined project-level key-value mappings are elected by considering differences between the initial default key-value mappings and personal key-value mappings within a set of distributed personal key-value context files each maintained by different drafters of the distributed drafting project. The initial default key-value mappings of the public key-value context file are updated with the elected refined project-level key-value mappings within the networked distributed drafting platform.
    Type: Grant
    Filed: February 19, 2019
    Date of Patent: January 12, 2021
    Assignee: International Business Machines Corporation
    Inventors: Shuo Li, Xin Peng Liu, Meng M. Wan, Chen Xin Yu
  • Patent number: 10880314
    Abstract: Methods and apparatuses for a computerized system are disclosed. A data processing device receives information from at least one source of log information in the computerized system and detects, based at least in part on said received log information, at least one security protocol related event at a first host device, the at least one security protocol related event being initiated by a second host device. Information is then stored for determination of a trust relationship record based on the detected at least one security protocol related event and information of the second host device.
    Type: Grant
    Filed: May 29, 2019
    Date of Patent: December 29, 2020
    Assignee: SSH Communications Security OYJ
    Inventors: Tommi Linnakangas, Marko Teiste, Antti Huima, Tatu J. Ylonen
  • Patent number: 10873633
    Abstract: Examples are disclosed for remote management of a computing device. In some examples, a secure communication link may be established between a network input/output device for a computing device and a remote management application. Commands may be received from the remote management application and management functions may be implemented at the network input/output device. Implementation of the management functions may enable the remote management application to manage or control at least some operating parameters of the computing device. Other examples are described and claimed.
    Type: Grant
    Filed: October 16, 2018
    Date of Patent: December 22, 2020
    Assignee: Intel Corporation
    Inventor: Patrick G. Kutch
  • Patent number: 10867050
    Abstract: Disclosed herein are a method and apparatus for generating a dynamic security module which is allocated to a user terminal so that code configured to be executed on the user terminal for security varies with execution time. The method includes allocating a predetermined value to at least one of variables as which parts or all of variable portions of code constituting a dynamic security module have been designated. Part or all of the code constituting the dynamic security module transmitted to a user terminal has a predetermined valid period.
    Type: Grant
    Filed: September 12, 2017
    Date of Patent: December 15, 2020
    Assignee: EVERSPIN CORP.
    Inventor: Young Bin Ha
  • Patent number: 10867049
    Abstract: Disclosed herein are a dynamic security module terminal device for receiving a dynamic security module and transmitting a security management event to a security server, and a method of operating the dynamic security module terminal device. The dynamic security module terminal device includes a communication unit configured to transmit and receive a security management event over a network, and a processor configured to control the communication unit. The processor is configured to create a security session with a security server, and to receive the dynamic security module from the security server so that part or all of code of the dynamic security module performing security management has a predetermined valid period.
    Type: Grant
    Filed: September 12, 2017
    Date of Patent: December 15, 2020
    Assignee: EVERSPIN CORP.
    Inventor: Young Bin Ha
  • Patent number: 10867048
    Abstract: Disclosed herein are a dynamic security module server device for transmitting a dynamic security module to a user terminal and receiving a security management event from the user terminal, and a method of operating the dynamic security module server device. The dynamic security module server device includes a communication unit configured to transmit and receive a security management event over a network, and a processor configured to control the communication unit. The processor is configured to create a security session with the security client of a user terminal, and to transmit a dynamic security module to the security client of the user terminal so that part or all of code performing security management in the security client of the user terminal in which the security session has been created has a predetermined valid period.
    Type: Grant
    Filed: September 12, 2017
    Date of Patent: December 15, 2020
    Assignee: EVERSPIN CORP.
    Inventor: Young Bin Ha
  • Patent number: 10868672
    Abstract: A user device can verify a user's identity to a server while protecting user privacy by not sharing any personal data with any other device. To ensure user privacy and to allow multiple independent enrollments, the user device performs an enrollment process in which the user device locally collects and uses biometric data together with a random salt to generate a set of public/private key pairs from which biometric information cannot be extracted. The public keys and the salt, but not the biometric data, are sent to a server to store. To verify user identity, a user device can repeat the collection of biometric data from the user and the generation of public/private key pairs using the salt obtained from the server. If the device can prove to the server its possession of at least a minimum number of correct private keys, the user's identity can be verified.
    Type: Grant
    Filed: September 18, 2019
    Date of Patent: December 15, 2020
    Assignee: Apple Inc.
    Inventors: Augustin J. Farrugia, Ritwik K. Kumar, Gianpaolo Fasoli, Mathieu Ciet, Bruno Kindarji, Eric D. Friedman, Gianluca Barbieri, Lucas O. Winstrom
  • Patent number: 10867297
    Abstract: The present invention provides a method and system for verifying and tracking transactional information. In an embodiment of the invention, a system for delivering security solutions is provided that includes at least one of the following: a radio frequency (RF) identification device, an identification mechanism (e.g., a card, sticker), and an RF reader.
    Type: Grant
    Filed: December 29, 2014
    Date of Patent: December 15, 2020
    Assignee: NEOLOGY, INC.
    Inventors: Francisco Martinez de Velasco Cortina, Manfred Rietzler
  • Patent number: 10855467
    Abstract: Techniques for determining whether a public encryption key is vulnerable as the result of deficiencies in pseudorandom number generation algorithms are provided. In some embodiments, a system may compile a database of cryptographic information received from a plurality of sources, including databases, and network traffic monitoring tools. RSA public keys extracted from the cryptographic information may be stored in an organized database in association with corresponding metadata. The system may construct a product tree from all unique collected RSA keys, and may then construct a remainder tree from the product tree, wherein each output remainder may be determined to be a greatest common divisor of one of the RSA keys against all other unique RSA keys in the database. The system may then use the greatest common divisors to factor one or more of the RSA keys and to determine that the factored keys are vulnerable to being compromised.
    Type: Grant
    Filed: May 16, 2018
    Date of Patent: December 1, 2020
    Assignee: NOBLIS, INC.
    Inventor: Samuel S. Gross
  • Patent number: RE48381
    Abstract: A data processing device comprises a storage unit adapted to store an initial value of a pair of a public key and a private key and a communication unit adapted to execute communication with an external device with use of the initial value of the pair of the public key and the private key stored in the storage unit, thereby enabling encryption communication without generating the pair of the public key and the private key.
    Type: Grant
    Filed: September 6, 2013
    Date of Patent: January 5, 2021
    Assignee: Canon Kabushiki Kaisha
    Inventor: Nobuaki Fukasawa