Abstract: A security device and an operating method thereof, which generate masking data for masking a key on the basis of a physically unclonable function (PUF), are provided. The security device includes a PUF circuit including a plurality of PUF cells outputting random key data and masking data, a key generator configured to generate a key through post-processing performed on the random key data, and a masking module configured to mask and store the key by using the masking data, wherein the random key data and the masking data are generated by different PUF cells.

Abstract: A method for cryptographic key management for managing access control is provided. A key is divided into a plurality of portions of the key. Pre-encryption contextual data is received for each of a plurality of devices. The pre-encryption contextual data indicates at least one attribute of a respective device of the plurality of devices before an encryption of the plurality of portions of the key is performed. The plurality of portions of the key are encrypted based at least on the pre-encryption contextual data of the plurality of devices to make the plurality of the portions of the key dependent at least on contextual data corresponding pre-encryption contextual data. Each of the plurality of encrypted portions of the key is distributed to a respective device of the plurality of devices for storage and retrieval.

Abstract: A method including determining an assigned key pair associated with a device, the assigned key pair including an assigned public key and an associated assigned private key; determining an access key pair associated with content to be encrypted, the access key pair including an access public key and an associated access private key; encrypting the access private key using a combination encryption key determined based at least in part on the access private key and the assigned public key; encrypting a randomly generated key by utilizing the access public key; and encrypting the content utilizing the randomly generated key. Various other aspects are contemplated.

Abstract: Disclosed is a system, method, and computer program product for determining solvency of a digital asset exchange system. The method includes identifying a plurality of blockchain addresses corresponding to a plurality of users of the digital asset exchange system, generating a first commitment to an amount of digital assets corresponding to the plurality of blockchain addresses, generating a second commitment to a balance of each user of the plurality of users, generating a first component of a zero-knowledge algorithm configured to receive, as input, the first commitment, and to output a value generated based on each public key, generating a second component of the zero-knowledge algorithm configured to receive, as input, the second commitment, and to output a value generated based on each user balance, and determining, with at least one processor, that the digital asset exchange system is solvent based on the zero-knowledge algorithm.

Abstract: When it comes to monitoring human health, today's consumers are limited to so called “health trackers,” which count steps and calculate calorie burns. Traditional health trackers are only capable of measuring heart rate and are limited to external measurements. These devices are not capable of obtaining the internal body data and do not have access to human fluids. The personal health shield personal cloud case cover (or “health PCCC”) can not only analyze human fluids but also fluids being consumed by the user (food and drinks). The data collected from the fluids is then compared to a cloud or local data base. The results are displayed on a phone, tablet, personal computers, television, or any other device either mounted in the PCCC or connected to the health PCCC.

Abstract: A processor-implemented encryption method using homomorphic encryption includes: receiving data; generating a ciphertext by encrypting the received data; determining a coefficient of an approximating polynomial for performing a modular reduction on a modulus corresponding to the ciphertext, based on an error between the approximating polynomial and a modular reduction function; and performing bootstrapping on the ciphertext by performing the modular reduction based on the determined coefficient of the approximating polynomial.

Abstract: A system for generating a blockchain including an input for receiving a plurality of groups of data. Blockchain processing circuitry generates the blockchain for the plurality of groups of data. The blockchain processing circuitry generates the blockchain by performing a first hash using the first group of data and a first nonce as an input to a hash function to generate a first digital signature for a first block, wherein the hash function uses encryption based on quantum key distribution and orbital angular momentum. The blockchain processing circuitry establishes the first block of the blockchain using the first group of data, the first nonce and the first digital signature.

Abstract: Embodiments may be generally directed to techniques to encrypt and decrypt data in a first fuse block array using an encryption key of a second fuse block array, the second fuse block array having the encryption key comprising a plurality of segments of bits, an inverse encryption key comprising a second plurality of segments of bits, each segment of the inverse encryption key to correspond with a particular segment of the encryption key, and a random pattern having equally distributed bit values, the random pattern to enable detection of voltage attacks on the second fuse block array.

Abstract: A method and system are provided for updating an elliptic curve (EC) base point G, with the EC basepoint used in encryption and coding of video data. A candidate base point G is generated that includes additional data used for validation purposes and checked as a valid base point before transmission and use.

Abstract: A system and method of secure communication between computing devices based on physical unclonable functions such as memories having dissolvable conductive paths is provided. The method involves enrolling a client device, the client device having a PUF such as a pristine ReRAM. The PUF is enrolled in a secure environment by reading and storing the resistances of the PUF's addressable memory cells. The cells are categorized into “rugged” and “vulnerable” categories on the basis of their resistance, the vulnerable cells being those more likely to be permanently altered during the generations of PUF responses. The rugged cells are used for the generation of PUF responses for cryptographic key generation, but the vulnerable cells may be inspected to detect unauthorized 3rd party access to the PUF.

Abstract: According to one perspective, the invention provides a technical arrangement to calculate, register and/or apportion costs and/or generate income in proportion to the current ownership of an asset. One or more embodiments also comprise a novel technique for generating cryptographic sub-keys. Thus, one benefit provided by the invention is that it allows the secure distribution of costs and income for an asset registered and maintained on the Blockchain. In turn, this increases the capability of such assets to meet the real-world needs of various entities such as the asset itself and investing parties.

Abstract: Disclosed is a method of verifying integrity of a pair of public and private cryptographic keys within the additive group of the integers modulo N, with N being the product of two primary numbers p and q, the method including: calculating a candidate private exponent d? corresponding to a private exponent d of the private key; and executing a test of integrity. The test of integrity includes a step for verifying the coherence of the candidate private exponent d? with respect to a public exponent e of the public key and to the numbers p and q, the verification step involving a first multiple modulo of the public exponent e of the public key and a second multiple modulo of the public exponent e of the public key.

Abstract: Methods and systems for dynamic wireless network configuration are provided. Aspects include receiving, by an application on a user device, a token, deriving, by the application, a unique identifier and passcode based at least in part on the token, and controlling remote access to a first computer system based on the unique identifier and passcode.

Abstract: This disclosure relates to a data storage device. A data port transmits data between a host computer system and the data storage device over a data channel. The device repeatedly broadcasts advertising packets over a wireless communication channel different from the data channel. Each advertising packet comprises a random value and a message authentication code calculated based on the random value and an identity key. The identity key is readable by a device to be connected and in proximity of the data storage device out of band of the data channel and the communication channel. The identity key enables the device to be connected to verify the message authentication code based on the random value and the identity key to thereby authenticate the data storage device.

Abstract: A processor comprises a first register to store an encoded pointer to a memory location. First context information is stored in first bits of the encoded pointer and a slice of a linear address of the memory location is stored in second bits of the encoded pointer. The processor also includes circuitry to execute a memory access instruction to obtain a physical address of the memory location, access encrypted data at the memory location, derive a first tweak based at least in part on the encoded pointer, and generate a keystream based on the first tweak and a key. The circuitry is to further execute the memory access instruction to store state information associated with memory access instruction in a first buffer, and to decrypt the encrypted data based on the keystream. The keystream is to be generated at least partly in parallel with accessing the encrypted data.

Abstract: A privileged node holds a secret key (SKEY), and normal nodes each hold a public key (PKEY). The normal nodes each include a transaction inputting unit that receives transaction data (TDATA), a transaction transmitting unit that transmits the TDATA, a transaction managing unit that manages a transaction history in a form of blockchain, and a block receiving unit that receives blocks from the privileged node. The privileged node includes a transaction receiving unit that receives TDATA from each of the normal nodes, a block generating unit that generates a signature value (SIG) on the basis of a SKEY, and generates a block containing TDATA and the SIG, and a block transmitting unit that transmits blocks. The transaction managing unit adds a block to the blockchain on condition that the authenticity of the SIG in the block is confirmed by using the PKEY.

Abstract: An integrated circuit includes: one or more protected circuits; a license control circuit configured to request, from a license issuer, a license for activating the one or more protected circuits, the license request having a seed value; and a cryptographic circuit configured to verify the authenticity of a license received from the license issuer based on the seed value, wherein the license control circuit is configured to impose a validity limit on the received license, and to request a new license from the license issuer before the validity limit of the received license.

Abstract: There is disclosed a circuit for monitoring the security of a processor, wherein the circuit is configured to access a memory configured to store execution context data of a software program executed by the processor; to determine one or more signatures from said execution context data; and to compare said signatures with predefined signatures to monitor the security of the processor (110). Developments describe that context data can comprise control flow data, that a signature can comprise a hash value or a similarity signature, or that the integrity of signatures can be verified for example by using a secret key (e.g. obtained by random, or by using a physically unclonable function). Further developments describe various controls or retroactions on the processor, as well as various countermeasures if cyber attacks are determined.

Abstract: A server includes a processor core including system memory, and a cryptographic engine storing a key data structure. The data structure is to store multiple keys for multiple secure domains. The core receives a request to program a first secure domain into the cryptographic engine. The request includes first domain information within a first wrapped binary large object (blob). In response a determination that there is no available entry in the data structure, the core selects a second secure domain within the data structure to de-schedule and issues a read key command to read second domain information from a target entry of the data structure. The core encrypts the second domain information to generate a second wrapped blob and stores the second wrapped blob in a determined region of the system memory, which frees up the target entry for use to program the first secure domain.

Abstract: Examples described herein relate to systems, apparatuses, methods, and non-transitory computer-readable medium for maintaining, by an authoritative server, a plurality of pinned certificates. The authoritative server sends a certificate pinning list (CPL) to a client system. The CPL is a list of the plurality of pinned certificates each of the plurality of pinned certificates is associated with a corresponding one of host systems different from the authoritative server. The client system uses the plurality of pinned certificates in cryptographic processes involving the host systems.

Abstract: Embodiments herein relate to a method performed by a network node 110 of a wireless communication network 100 for communicating at an unlicensed frequency spectrum with a wireless device 121 having a device identity. The network node 110 sends an access grant to the wireless device according to the device identity, granting the wireless device access to an uplink communication channel of the unlicensed frequency spectrum. The network node also receives data from the wireless device 121, on the granted uplink communication channel, the data comprising information on the identity of the wireless device 121, thus enabling the network node 110 to detect whether the wireless device that was granted access on the uplink communication channel is the same wireless device as the wireless device from which the data comprising the information on the uplink communication channel was subsequently received. Embodiments of the network node 110 are also described.

Abstract: Methods and systems for securing customer data in a multi-tenant database environment are described. A key identifier received from a security server may be stored by an application server. The key identifier may be associated with a private key that is accessible by the security server and not accessible by the application server. A request to derive a symmetric key may be transmitted from the application server to the security server, the request including a public key generated by the application server, a salt value, and the key identifier. The symmetric key may then be derived based on the transmitted public key and the private key using a key derivation function. The application server may then receive and store the symmetric key in an in-memory cache, and be used to securely encrypt data received by the application server from client devices.

Abstract: A message management service allows a user to access and manage messages from various message services. The user can access the message management service using a message management client application executing on a client device and can draft messages using the message management client application and send the messages through the different message services. The message management service can add information to messages sent using the message management client application that can be used to identify and organize the messages. A secure sent-message identifier can be added to messages sent by the message management service to reliably indicate that the messages were sent by the message management service.

Abstract: Techniques for computer security, and more specifically timestamp-based key generation techniques, are described. Some implementations provide a table of key generation processes that is shared as a secret between a first computing system and a second computing system, both of which have synchronized clocks. Both computing systems use the same technique for selecting a key generation process from the table, such as based on a random number generator seeded with a timestamp. Since the computing systems have synchronized clocks, they both select and use the same key generation process, thereby generating the same encryption key without the need to communicate the key from one system to another. Furthermore, both computing systems may synchronize their clocks to a private time server that maintains a clock that runs faster or slower than standard time.

Abstract: A method including determining, by a user device, an assigned key pair including an assigned public key and an associated assigned private key; determining, for content to be encrypted, an access key pair including an access public key and an associated access private key; encrypting the access private key by utilizing the assigned public key; encrypting a randomly generated key by utilizing the access public key; and encrypting content utilizing the randomly generated key. Various other aspects are contemplated.

Abstract: A mobile device securely communicates with an electronic device within an automobile. The mobile device transmits encrypted spatial state information and the electronic device provides commands to the automobile in response. Spatial state information may include location, motion, or the like. Commands to the automobile may include door unlock commands, remote start commands, horn honk commands, or the like.

Abstract: Systems and techniques for securing vehicle privacy in a driving infrastructure are described herein. A vehicle may contact a group identification (ID) issuer to register itself. A group ID may be received from the group ID issuer to indicate acceptance as a member. The vehicle may then contact the driving infrastructure to attach to the driving infrastructure using the group ID to identify the vehicle. In response, the vehicle receives an attachment ID from the driving infrastructure. Here, the attachment ID is used to secure communications between the vehicle and the driving infrastructure.

Abstract: Technologies for providing secure utilization of tenant keys include a compute device. The compute device includes circuitry configured to obtain a tenant key. The circuitry is also configured to receive encrypted data associated with a tenant. The encrypted data defines an encrypted image that is executable by the compute device to perform a workload on behalf of the tenant in a virtualized environment. Further, the circuitry is configured to utilize the tenant key to decrypt the encrypted data and execute the workload without exposing the tenant key to a memory that is accessible to another workload associated with another tenant.

Abstract: A computing device (e.g., an FPGA or integrated circuit) processes an incoming packet comprising data to compute a Galois hash. The computing device includes a plurality of circuits, each circuit providing a respective result used to determine the Galois hash, and each circuit including: a first multiplier configured to receive a portion of the data; a first exclusive-OR gate configured to receive an output of the first multiplier as a first input, and to provide the respective result; and a second multiplier configured to receive an output of the first exclusive-OR gate, wherein the first exclusive-OR gate is further configured to receive an output of the second multiplier as a second input. In one embodiment, the computing device further comprises a second exclusive-OR gate configured to output the Galois hash, wherein each respective result is provided as an input to the second exclusive-OR gate.

Abstract: Encryption is enabled at a low load in a storage system. An encryption processing device 20 uses, as an expectation value for key validation, a value that is uniquely identified from a storage location address of encrypted text data in a storage drive. The encryption processing device 20 encrypts the expectation value and plain text data, respectively, using a same encryption key, substitutes a DIF according to the encrypted text data obtained by encrypting the plain text data, and stores the encrypted expectation value in the substituted DIF. Upon receiving a read request of the encrypted text data, the encryption processing device 20 decrypts the encrypted expectation value stored in the substituted DIF using a decryption key, and validates whether the encryption key and the decryption key are properly corresponding by comparing the decrypted expectation value and the expectation value identified from the address at the time of reading.

Abstract: The disclosed embodiments are related to securely updating a semiconductor device and in particular to a key management system. In one embodiment, a method is disclosed comprising storing a plurality of activation codes, each of the activation codes associated with a respective unique identifier (UID) of semiconductor device; receiving, over a network, a request to generate a new storage root key (SRK), the request including a response code and a requested UID; identifying a selected activation code from the plurality of activation codes based on the requested UID; generating the SHRSRK value using the response code and the selected activation code; associating the SHRSRK value with the requested UID and storing the SHRSRK value; and returning an acknowledgement in response to the request.

Abstract: Random number generators include a thermal optical source and detector configured to produce random numbers based on quantum-optical intensity fluctuations. An optical flux is detected, and signals proportional to optical intensity and a delayed optical intensity are combined. The combined signals can be electrical signals or optical signals, and the optical source is selected so as to have low coherence over a predetermined range of delay times. Balanced optical detectors can be used to reduce common mode noise, and in some examples, the optical flux is directed to only one of a pair of balanced detectors.

Abstract: Methods, apparatus, systems and articles of manufacture manage credentials in hyper-converged infrastructure s are disclosed. An example method includes establishing, by executing an instruction with at least one processor, a communication between a software defined data center manager of the hyper-converged infrastructure and a component of the hyper-converged infrastructure using first credentials included in a known hosts file. The example method also includes generating, by executing an instruction with the at least one processor, second credentials at the component in response to a power-on event detected by the software defined data center manager. The example method also includes recording, by executing an instruction with the at least one processor, the second credentials at the known host file.

Abstract: Techniques for computer security, and more specifically timestamp-based key generation techniques, are described. Some implementations provide a table of key generation processes that is shared as a secret between a first computing system and a second computing system, both of which have two clocks. The first clock is a real-time clock and the second clock is a variable-time clock. The variable time clocks are synchronized and run at the same rate, faster or slower than real time. Both computing systems use the same technique for selecting a key generation process from the table, such as based on a random number generator seeded with a timestamp obtained from their variable time clocks. Since the computing systems have synchronized variable-time clocks, they both select and use the same key generation process, thereby generating the same encryption key without the need to communicate the key from one system to another.

Abstract: Systems and methods are disclosed for preventing tampering of a programmable integrated circuit device. Generally, programmable devices, such as FPGAs, have two stages of operation; a configuration stage and a user mode stage. To prevent tampering and/or reverse engineering of a programmable device, various anti-tampering techniques may be employed during either stage of operation to disable the device and/or erase sensitive information stored on the device once tampering is suspected. One type of tampering involves bombarding the device with a number of false configuration attempts in order to decipher encrypted data. By utilizing a dirty bit and a sticky error counter, the device can keep track of the number of failed configuration attempts that have occurred and initiate anti-tampering operations when tampering is suspected while the device is still in the configuration stage of operation.

Abstract: There is provided an encryption device to ensure strong security without using a random number in a white-box model. The encryption device includes: an encryption part configured to encrypt an input value using a black-box model in which input/output values are able to be recognized from the outside and an intermediate value is not able to be recognized from the outside; and a key generation part configured to encrypt the input value to the encryption part to generate a cryptographic key of the encryption part using a white-box model in which the input/output value and the intermediate value are able to be recognized from the outside.

Abstract: Methods and apparatus for protecting a physical unclonable function (PUF) generator are disclosed. In one example, a PUF generator is disclosed. The PUF generator includes a PUF cell array, a PUF control circuit and a reset circuit. The PUF cell array comprises a plurality of bit cells. Each of the plurality of bit cells is configurable into at least two different stable states. The PUF control circuit is coupled to the PUF cell array and is configured to access each of the plurality of bit cells to determine one of the at least two different stable states upon a power-up of the plurality of bit cells, and generate a PUF signature based on the determined stable states of the plurality of bit cells. The reset circuit is coupled to the PUF cell array and is configured to set the plurality of bit cells to represent their initialization data based on an indication of a voltage tempering event of a supply voltage of the PUF cell array.

Abstract: A device for compressing subject data. the device comprises a communication link, the communication link capable of receiving a set of subject data; a compression module, the compression module configured to apply a compression algorithm to the set of subject data, the compression algorithm compressing the set of subject data using a reference string of subject data; and a transmission module, the transmission module configured to transmit the compressed subject data. The device further comprising an encryption module for encrypting the subject data.

Abstract: A method for auditing an advertisement impression in which a first advertisement was presented in conjunction with first media content is disclosed. The method generally comprises transmitting to a plurality of second computing devices a plurality of randomly generated first cryptographic proofs; receiving, a first message from a second computing device indicating that the first advertisement was presented in conjunction with the first media content; and evaluating the first targeting model for the first advertisement based on the at least one media content classifier.

Abstract: Systems, apparatuses, methods, and computer-readable media are provided for reducing or eliminating cryptographic waste for link protection in computer buses. In various embodiments, data packets are encrypted/decrypted in accordance with advanced encryption standard (AES) Galois counter mode (GCM) encryption/decryption. Monotonically increased counter values are used as initialization vectors; and/or accumulated MAC is practiced to reduce or eliminate cryptographic waste. Other related aspects are also described and/or claimed.

Abstract: A request is received for specific information that can be determined using data in a database on a first computer system. Either at least some of the data is encrypted or the request is encrypted. The first computer system does not have a decryption key to decrypt the encrypted data or request. The first computer system performs compressible HE operations on the data to determine compressed ciphertext(s) that correspond to the specific information. The operations include using a first uncompressed HE scheme and a second compressed HE scheme. The first HE scheme is used on the data to create other multiple ciphertexts and the second HE scheme is used on the other multiple ciphertexts to pack the other multiple ciphertexts into fewer ciphertexts that are compressed. Both the HE schemes use a same secret key. The first computer system sends a response including compressed ciphertext(s) corresponding to the specific information.

Abstract: The disclosed technology relates to broadcasting encrypted data to multiple receiver devices, where some receiver devices have long-term access to the encrypted data and some receiver devices have a temporary access to the encrypted data. Receivers having long-term access are part of a “member group” because these member group devices have a master key and the master key enables the member group devices to derive the necessary information to decrypt the encrypted broadcast. In contrast, devices with temporary access possess only a guest key and not master key, without a master key the devices need to receive the guest key from another device to decrypt the broadcast. Access to the encrypted stream can also be based on broadcasting multiple or single diversifiers, where a diversifier can include group identification information to assist in restricting access to the encrypted stream.

Abstract: This application relates to the field of space communications technologies, and provides an acquisition, pointing, and tracking (APT) subsystem and a spacecraft communications system. The APT subsystem includes a first controller, a first terahertz transceiver, and a terahertz antenna array that are sequentially connected, where the first terahertz transceiver is configured to modulate and demodulate a terahertz wave; the terahertz antenna array is configured to send and receive the terahertz wave; and the first controller is configured to control the first terahertz transceiver to acquire, point, and track another APT subsystem by using the terahertz antenna array.

Abstract: Sorting an array consisting of large number of elements. The present invention provides an apparatus for executing a multiway merging process which generates one output sequence from N input sequences on an array consisting of a large number of elements. The apparatus includes: an execution unit configured to execute the multiway merging process on N input sequences without rearranging the elements based on a plurality of input sequences; and a generation unit configured to rearrange the elements constituting the input sequences according to an output sequence that has been generated by the multiway merging process in the execution unit so as to generate a sorted array of elements.

Abstract: The physically unclonable function device (DIS) comprises a set of MOS transistors (TR1i, TR2j) mounted in diodes having a random distribution of respective threshold voltages, and comprising N first transistors and at least one second transistor. At least one output node of the function is capable of delivering a signal, the level of which depends on the comparison between a current obtained using a current circulating in the at least one second transistor and a current obtained using a reference current that is equal or substantially equal to the average of the currents circulating in the N first transistors. A first means (FM1i) is configured to impose on each first transistor a respective fixed gate voltage regardless of the value of the current circulating in the first transistor, and a second means (SM2j) is configured to impose a respective fixed gate voltage on each second transistor regardless of the value of the current circulating in the second transistor.

Abstract: According to an example aspect of the present invention, there is provided an apparatus comprising at least one processing core, at least one memory including computer program code, the at least one memory and the computer program code being configured to, with the at least one processing core, cause the apparatus at least to receive from a pressure sensor matrix data describing a time-varying pressure interaction of the pressure sensor matrix with a second pressure sensor matrix, process the data to obtain a bit sequence, and use the bit sequence as a shared secret in a cryptographic procedure with a device.

Abstract: A secure cartridge-based storage system includes a set of read/write control electronics on a control board adapted to removably couple with each of a plurality of storage cartridges. For each individual storage cartridge, the read/write electronics are adapted to retrieve a unique device identifier from the storage cartridge; retrieve an encryption key stored on the control board in association with the unique device identifier; and utilize the encryption key to encrypt or decrypt data that is in transit to or from a target storage location on the storage media.

Abstract: A control circuit configured to associate a plurality of memory with an error correction scheme. The control circuit including an internal operation circuit configured to generate an internal command based on an access unit of the plurality of memory. The control circuit including a storage circuit configured to store information on the access unit of the plurality of memory.

Abstract: A system and method for the generation of composite private keys are provided. First and second bitstreams are retrieved from an addressable cryptographic table by deriving addresses in the addressable cryptographic table from an initial instruction, accessing first and second bit values stored at addresses belonging to the derived addresses in the addressable cryptographic table, and outputting the first bit values as the first bitstream and the second bit values as the second bitstream. The first bitstream is concatenated with data from the first bitstream to form a data stream having a desired length and the second bitstream is concatenated with data from the second bitstream to form a selector stream having the desired length. A first composite encryption key having a length longer than the first and second bitstreams is formed by selecting values of the data stream identified by corresponding bit values of the selector stream.

Abstract: A security test logic system can include a non-transitory memory configured to store measurements from a measurement apparatus, the measurement outputs comprising indications of presence or absence of coincidences where particles are detected at more than one detector at substantially the same time, the detectors being at the end of different channels from a particle source and having substantially the same length. The system can include a processor configured to compute a test statistic from the stored measurements. The test statistic may express a Bell inequality, and the system can compare the test statistic with a threshold. The processor can be configured to generate and output a certificate certifying that the measurements are from a quantum system if the value of the computed test statistic passes the threshold.