Abstract: An authentication method for quantum communication between two nodes, the method comprising: applying a hash function to a message to obtain a hash code, wherein the hash function is a Poly1305; applying a one-time pad cipher to the hash code to obtain a message authentication code (MAC); and authenticating the message exchanged between the two nodes using the MAC.

Abstract: A method for storing a cryptocurrency private key offline, including: encrypting the cryptocurrency private key using a primary encryption key; sharding the encrypted cryptocurrency private key into a plurality of alpha shards; generating beta shards by encrypting the alpha shards with secondary encryption keys; and storing representations of the beta shards offline. The method can additionally or alternatively include: retrieving the representations of the beta shards from the offline storage; decrypting the beta shards into the alpha shards based on the secondary encryption keys; reconstructing the encrypted cryptocurrency private key by recombining the alpha shards; and decrypting the encrypted cryptocurrency private key with the primary encryption key.

Abstract: A method including receiving, by a user device, encrypted content and an encrypted assigned private key associated with the encrypted content; decrypting, by the user device, the encrypted assigned private key based at least in part on utilizing a master key to determine a decrypted assigned private key; determining, by the user device, a combination decryption key based at least in part on utilizing the decrypted assigned private key and an access public key associated with the encrypted content; decrypting, by the user device, an encrypted access private key associated with the access public key to determine a decrypted access private key; and decrypting, by the user device, the encrypted content based at least in part on utilizing the decrypted access private key is disclosed. Various other aspects are contemplated.

Abstract: Methods and systems for secure computation and communication are provided. The method includes transforming identifications of a first dataset using a first transforming scheme, and transforming attributes of the first dataset using a second transforming scheme. The method also includes dispatching the transformed first dataset, receiving a second dataset, transforming identifications of the received second dataset, dispatching the identifications of the transformed received second dataset, and receiving a set of identifications. The method further includes generating a first intersection of the received set of identifications and the transformed received second dataset, generating a first share based on the first intersection, receiving a second share, and constructing a result based on the first share and the second share.

Abstract: A key management device according to an embodiment is a key management device managing an application key for encrypting a communication in an application network including a plurality of applications. The key management device includes a hardware processor configured to function as a collection unit, a calculation unit, a determination unit, and a communication unit. The collection unit collects, using quantum key distribution (QKD), resource information indicating a resource of a link for which a link key is generated. The calculation unit calculates metric for a key relay route including the link on the basis of the resource information. The determination unit determines a key relay route from among a plurality of key relay routes on the basis of the metric. The communication unit uses the key relay route determined by the determination unit to send, to a destination, an application key encrypted with the link key.

Abstract: Methods and devices that manage the secure distribution of credentials from a group of autonomous specialized nodes to a requesting node. The secure distribution of credentials may uses secret share and a group private key that none of the nodes reconstructs or possesses. The credentials include an identifier for the requesting node and a secret point that the node assembles from portions of the secret point provided by each of a plurality of the specialized nodes, where the secret point is based on the group private key and a map-to-point hash of the requesting node's identifier.

Abstract: A method of establishing secure communication between a client and a server using a rotating key mechanism. The method comprises receiving a message requesting communication from a client, returning information for establishing communication to the client, including a set of cipher suites supported, receiving from the client one or more selected cipher suites from the set of cipher suites, sending rotation key mechanism attributes (RKM attributes) including a number of keys for rotation, a valid time period for each key, and a server criticality level and establishing communication between the client and server based on the rotation key mechanism attributes. The RKM attributes establish terms for key rotation when a valid time period of an active key elapses.

Abstract: A method for key management in a field-programmable integrated part of an integrated circuit is disclosed herein. According to the method, a hardware configuration for the field-programmable integrated part is loaded into the field-programmable integrated part. The hardware configuration includes a key derivation functionality. Further, using the key derivation functionality, a cryptographic key is derived based on information provided in the field-programmable integrated part.

Abstract: A method of provenance verification comprises providing a plurality of security devices, each security device being provided with a key set comprising: a secret key, and a plurality of shared keys, each shared key being derived by generating a hash of the secret key and a salt value that is specific to a pair consisting of said security device and another of the plurality of security devices. The method also comprises configuring each security device to: generate and/or receive one or more messages; and perform at least one cryptographic operation on the message or messages, and/or on data derived therefrom, using a respective secret key of the security device and/or one of said shared keys.

Abstract: In a method for cogenerating a shared cryptographic material implemented within a first electronic device, which is connected to a second electronic cogeneration device and to a third electronic cogeneration device, a shared encryption material (pkx) is determined, as a function of a set of cogeneration parameters ECG. The shared encryption material (pkx) is transmitted, and corresponding shared encryption materials (pky, pkz) are received from the other devices. A shared seed (mx) is computed as a function of the shared encryption materials (pkx, pky, pkz) and the set of cogeneration parameters ECG. A masked form (Ox) of said shared seed (mx) is transmitted, and masked forms (Oy, Oz) of corresponding shared seeds (my, mz) are received. A final seed (ad) is computed as a function of the masked forms (Ox, Oy, Oz) of the shared seeds (mx, my, mz) and the set of cogeneration parameters ECG.

Abstract: The disclosed embodiments relate to hardware security modules. In one embodiment, a method is disclosed comprising reading a random value from a physically unclonable function (PUF); generating a seed value from the random value; generating a cryptographic key using the seed value; and processing a cryptographic operation using the cryptographic key.

Abstract: A method of constructing a procedural threshold in quotient algebra partition-based fault tolerance quantum computation, which is based on the framework of quotient algebra partition (QAP) applied in the fault tolerance quantum computation (FTQC), wherein an n-qubit fault tolerant encode of a k-qubit quantum gate M, is feasible to a threshold, wherein the method comprises: preparing a quantum code, with a stabilizer; creating an n-qubit encoding, in the quantum code, and obtaining an n-qubit fault tolerant encode of M; factorizing each encoded component, of this n-qubit fault tolerant encode; and producing a detection-correction operator by placing n-k ancilla qubits with the original system of n qubits, wherein the detection-correction operator comprises a conditional detection operator and a conditional correction operator to remove r-qubit spinor error.

Abstract: The present invention concerns a method for processing system logs of a computer system. A system log generator (LG) transmits these system logs to a system log analyser (SIEM) after they have been encrypted by means of a symmetric encryption key and sends the symmetric encryption key in parallel with a homomorphic cryptosystem public key. The system log analyser carries out a transcryption of these logs then a processing thereof in the homomorphic domain. The result of the processing in the homomorphic domain is then transmitted to a security centre (SOC) or even directly to the system log generator to be decrypted there. The security centre can establish a security report or propose a countermeasure before sending it, in form encrypted by the symmetric key, to the system log generator.

Abstract: A computer-implemented method is disclosed. The method includes providing a blockchain transaction comprising a public key combination verification function. The blockchain transaction is configured to be redeemable to permit access to, or transfer control of, a resource by providing to the blockchain transaction an input comprising: a plurality of public keys; a gradient value (?) related to two of the plurality of public keys; and a group public key derived from a combination of the public keys and the gradient value (?). The blockchain transaction is configured to apply the public key verification function to the input to verify, upon successful redemption of the transaction, that the group public key is derived from the combination of the plurality of public keys.

Abstract: A decoding apparatus having a non-transient memory in which is stored an electromagnetic signal representative of data which were encrypted relying on the difficulty of computing discrete logarithms. The decoding apparatus has a computer in communication with the memory that decodes the encrypted data in the memory by computing the data's discrete logarithm. The decoding apparatus has a display on which the decoded encrypted data are displayed by the computer. A method for decoding.

Abstract: A wireless mobile device, and a computer-implemented method of distributing encryption keys to Internet of Things (IoT) systems begins with the wireless mobile device requesting IoT systems keys from a key management system with a first radio transceiver. Next, the requested IoT systems keys are received. Each of the IoT systems keys is i) encrypted with a public key from a recipient IoT system, and ii) signed by the key management system. In response to the wireless mobile device being located in proximity to the recipient IoT system, identifiers of the IoT system are received by the wireless mobile device with a second radio transceiver. The wireless mobile device selects at least one of the IoT systems keys that corresponds to the identifiers. The IoT system keys are transmitted from the wireless mobile device to the recipient IoT system with the second radio transceiver.

Abstract: An apparatus comprises an encryption key generator to generate a media encryption key to encrypt data in number of memory components, where the encryption key generator is configured to wrap the media encryption key to generate an encrypted media encryption key, The encrypted media encryption key is stored in a non-volatile memory. The apparatus comprises firmware having instructions to transition the apparatus to and from a secure state using the encrypted media encryption key.

Abstract: Periodically re-encrypting user data stored on a storage device, including: determining that data stored in a first location of a storage device is encrypted with a data encryption key that has been decommissioned; re-encrypting the data utilizing a current data encryption key; and writing the data that is encrypted utilizing the current data encryption key to a second location of the storage device.

Abstract: The present disclosure is directed to systems and methods for protecting software application information that is passed between a caller of an API and the logic contained within the API by using a Secure Calling Convention (SCC). The SCC involves performing a cryptographic operation on the information such that the true nature of the information is obfuscated. The SCC prevents a hacker from using the information to reverse-engineer the software application to behave as desired.

Abstract: Methods, systems, and computer media provide attestation tokens that protect the integrity of communications transmitted from client devices, while at the same time avoiding the use of stable device identifiers that could be used to track client devices or their users. In one approach, client devices can receive batches of N device integrity elements from a device integrity computing system, each corresponding to a different public key. The N device elements can be signed by a device integrity computing system. The signing by the device integrity computing system can be signing with a blind signature scheme. Client devices can include throttlers imposing limits on the quantity of attestation tokens created by the client device.

Abstract: The present disclosure relates to a method for a cryptographic key rotation in a publish-subscribe system providing a broker service for routing stored encrypted messages to one or more subscribers of the topic to which the routed messages are assigned. The routing comprises decrypting the stored encrypted messages. The cryptographic key rotation comprises a re-encryption of the stored messages using a cryptographic replacement key. The re-encryption is executed by an encryption module of the publish-subscribe system as a background process, while the broker service is continued.

Abstract: Decryption of an RSA encrypted message encrypted with a public RSA key by receiving encrypted key share components computed by generating a private RSA key d and a RSA modulus integer N, where N and d are integers; splitting the private key into key shares, encrypting with a fully homomorphic encryption (FHE) algorithm each key share component by using a Fully Homomorphic Encryption secret key ps associated with a set Ss to generate the encrypted key share components of said secure RSA key, computing an intermediate value YS for each set SS from said encrypted key share components, such that said computed intermediate value is a part of the RSA decrypted message, under FHE-encrypted form, and decrypting the encrypted message by combining said computed intermediate values for all sets.

Abstract: A customer of a computing resource provider is associated with a key provided by a key management system. When the key is generated, a value is generated and encrypted with the key. In response to a detection of a trigger to re-encrypt the customer's key, the encrypted value is used to verify validity of the re-encrypted customer's key before committing it to storage and made available for use.

Abstract: A transparent data display window apparatus, system, and method that receives and processes encrypted data in the form of non-fungible token (NFT) for display thereon. The transparent data display window receives and displays encrypted NFT data. The transparent data display window generates and embeds a unique time code within the transparent data display specific to a current display of the encrypted NFT data on the transparent data display such that the embedded unique time code is readable and recordable at a particular time by a user device proximate to the transparent data display window and useful for continuing the current display of the encrypted NFT data from the particular time of the recording of the embedded unique time code by the user device proximate to the transparent data display on another display device.

Abstract: Described are a system, method, and computer program product for secure real-time n-party computation. The method includes receiving a first computation input and a first portion of a one-time key from a first computer device, and receiving a second computation input and a second portion of the one-time key from a second computer device. The method also includes generating the one-time key based on the first and second portion of the one-time key, and executing a computation based on the first and second computation input. The method further includes generating an encrypted output by encrypting the computation with the one-time key, and communicating the encrypted output to the first computer device. The method further includes receiving a proof of publication from the first computer device and, in response to receiving the proof of publication, communicating the one-time key to the first computer device.

Abstract: The invention is a method for updating a first secret data in a credential container including a subscriber identity module. The credential container comprises a set of secret parameters customized for a network operator and is configured to execute a symmetric mutual authentication algorithm using said set. The credential container receives from a remote server a second secret data enciphered using a second algorithm different from said symmetric mutual authentication algorithm and a subset of said secret parameters, the credential container deciphers the enciphered second secret data by using both the subset and a third algorithm and replaces the first secret data with the second secret data.

Abstract: A method for redacting a private blockchain comprises applying a hash function to a prefix and new content to compute a hash for a block of the blockchain; performing a modulo operation to convert the hash to an integer modulo; determining an inverse of the integer modulo; computing a redactable suffix from the prefix and the inverse of the integer modulo; replacing current content of the blockchain with the new content; and applying the redactable suffix to the block having the new content.

Abstract: Disclosed is a method, system, and computer program product for determining solvency of a digital asset exchange system. The method includes identifying a plurality of blockchain addresses corresponding to a plurality of users of a digital asset exchange system, generating a first commitment to an amount of digital assets corresponding to the plurality of blockchain addresses, and generating a second commitment to a balance of each user of the plurality of users. The method also includes generating a first component of a zero-knowledge algorithm that is configured to receive, as input, the first commitment. The method further includes generating, with at least one processor, a second component of the zero-knowledge algorithm that is configured to receive, as input, the second commitment. The method further includes determining that the digital asset exchange system is solvent based on the zero-knowledge algorithm.

Abstract: A method for securing communications for a given network is provided. The method comprises by at least one node(i) of the network configured to utilize pairwise keys: generating a set of encryption keys; and transmitting the set of encryption keys to a controller for the network; by the controller, executing a key selection process wherein for each node(j) in the network an encryption key J is selected from the set of encryption keys; assigning the encryption key J to the node(j); and transmitting the selected encryption key J to the node(j); by each node(j), generating an encryption key I to the node(i); and sending the encryption key I to the node(i) via the controller.

Abstract: A collation system 20, which is provided with a client 30 and a server 40, the client 30 includes: a random number generation unit 31 which generates a random number; a concealed information storage unit 32 which stores concealed information generated by concealing registered information and the generated random number using a concealment key; and a concealed index computation unit 33 which, on the basis of the collation information input for collation with the registered information and the concealed information, computes a concealed index, generated by concealing an index indicating closeness between the registered information and the collation information; the server 40 includes a determination unit 41 which uses a release key corresponding to the concealment key and the random number transmitted from the client 30 to determine whether or not the index can be acquired from the concealed index transmitted from the client 30.

Abstract: Various aspects of the subject technology relate to systems, methods, and machine-readable media for encrypting data. The method includes adding a new encryption key for encrypting and/or decrypting data of a database, the data previously encrypted by an old encryption key. The method also includes hashing the new encryption key to generate a new hash. The method also includes comparing the new hash and an old hash with values in an encryption log, the old hash generated by hashing an old encryption key. The method also includes in response to the comparing, decrypting the data with the old encryption key when the new hash and old hash match the values in the encryption log. The method also includes encrypting the data with the new encryption key. The method also includes adding a new entry into the encryption log, the new entry comprising the new hash.

Abstract: The present invention is a platform and/or agnostic method and system operable to protect data, documents, devices, communications, and transactions. Embodiments of the present invention may be operable to authenticate users and may be operable with any client system. The method and system are operable to disburse unique portions of anonymous related information amongst multiple devices. These devices disburse unique portions of anonymous information and are utilized by the solution to protect sensitive data transmissions, and to authenticate users, data, documents, device and transactions. When used for authentication, login-related information is not stored in any portion of the solution, users and devices are anonymously authenticated. The solution also permits a user to access secured portions of the client system through a semi-autonomous process and without having to reveal the user's key.

Abstract: Methods and endpoint nodes and controllers are disclosed for mutual authentication and key exchange. In an embodiment, physical unclonable function circuits on the endpoint nodes are used in combination with key masks to allow mutual authentication and key exchange between the endpoint nodes.

Abstract: Systems, devices, and methods are disclosed for exchanging electronic information over a communication network and, more specifically, to authenticating and verifying data integrity between two or more interacting users exchanging information. A client computing device generates a split secret that is transmitted to a server via two distinct communication channels. The split secret is generated based on a public key of a public-private key pair generated by the client computing device based on a unique identifier. Validity of the public key can authenticate source identity.

Abstract: Systems, apparatuses, and methods for improving security of a silicon-based system by creating a glitch-resistant process for executing a software code block on the silicon-based system are disclosed. An example method may begin by marking the software code block as non-executable. Second, intent to execute the software code block is registered with a staging register. Third, the software code block is compressed into a compression constant. Fourth, the compression constant is compared with a first predetermined value using two comparators. Fifth, responsive to the comparators providing a true result after comparison, the software code block is marked as executable to allow the software code block to execute. In another aspect, the example method may be repeated for n>1 iterations, and in each iteration i, an ith software code block is compressed into an ith compression constant that is compared to an ith predetermined value.

Abstract: There is disclosed a system (100) comprising computing nodes (102A, 102B, 102C, 102D), wherein each computing node includes processor (104A, 104B, 104C, 104D), wherein each computing node comprises hash value of each data entity of pre-existing data entities therein, and wherein system (100) operates to provide verified recordal of data entities therein to ensure consistent recordal of data that assists to ensure reliable, efficient and robust operation of the system (100).

Abstract: A communication method and a related product are provided. The communication method includes: When UE switches from a source slice to a target slice mutually exclusive with the source slice, both the UE and a target AMF serving the target slice can obtain a first AMF key Kamf_new. The first AMF key Kamf_new is different from a second AMF key Kamf, and the second AMF key Kamf is a key of a source AMF serving the source slice. According to the application communication security and effectiveness are significantly improved_in a mutually exclusive slice switching scenario.

Abstract: Disclosed is a highly available distributed key management system (KMS). The system receives a request for an encrypted data encryption key (DEK) from a user at an instance of the KMS. The instance of the KMS generates a blob that is signed with a symmetric key, and negotiated keys based on a key agreement scheme between the instance of the KMS and another instance of the KMS. The negotiation steps are performed using different public/private key pairings, while producing equivalent negotiated keys shared between KMS instances. This blob is sent to the user where it is stored by the user. Subsequently, when the user needs a decrypted DEK, the user may send this blob to any instance of the KMS and obtain a decrypted DEK for use in encrypting user data.

Abstract: The invention relates to a computer-implemented method for enabling zero-knowledge proof or verification of a statement in which a prover proves to a verifier that a statement is true while keeping a witness to the statement a secret. The method includes the prover sending to the verifier a set of data including a statement, which for a given function circuit output and an elliptic curve point, the function circuit input is equal to the corresponding elliptic curve point multiplier. The data includes individual wire commitments and/or a batched commitment for wires of the circuit, a function circuit output, and a prover key, which enables the verifier to determine that the circuit is satisfied and calculate the elliptic curve point and validate the statement, thus determining that the prover holds the witness to the statement.

Abstract: Some embodiments are directed to a fully homomorphic encryption (FHE) cryptography, wherein some encrypted data items are clipped, thereby reducing a bit-size of the encrypted data item and increasing an associated noise level of the encrypted data item. An FHE operation or a decrypt operation that operates on the clipped encrypted data item as input, has noise tolerance above a noise level associated with the clipped encrypted data item.

Abstract: A blockchain-implemented transaction from an originator node is to be broadcast. The originator node is communicatively coupled to proxy nodes. The method, implemented by a proxy node, includes: receiving a transaction including an input taking x+r units of computing resources, an output providing x units to the output address and another output providing d+r units to a 1-of-n multi-signature address unlockable by any one of a set of private keys associated the proxy nodes. The proxy node selects a quantity of computing resources, t units, to be allocated to the proxy node for broadcasting the transaction and having it included in the blockchain and generates a further transaction taking d+r units sourced from the multi-signature address and an output providing t units to the proxy node. The proxy node broadcasts both transactions timed to permit their inclusion in the same block of the blockchain.

Abstract: A data comparison device holds first and second encrypted data of first and second plaintext, respectively. The first plaintext is divided into a plurality of blocks and the first encrypted data is generated by executing encryption of each of the plurality of blocks and shuffling of the plurality of blocks. The second plaintext is divided into a plurality of blocks and the second encrypted data is generated by executing encryption of each of the plurality of blocks. In at least one of the first encrypted data and the second encrypted data, a plaintext value is embedded as a value indicating a magnitude comparison result, and the data comparison device compares blocks at the same position before shuffling of the first encrypted data and the second encrypted data based on the embedded value and determines a magnitude relationship between the first plaintext and the second plaintext.

Abstract: Systems and methods are described for removing unused encryption key files from a computing device. In an example, a key removal tool can identify three sets of keys to preserve. For the first set, the key removal tool can append a device identifier to known key names and add the resulting key file names to a whitelist. For the second set, the key removal tool can identify keys associated with certificates on the computing device and add their corresponding file names to the whitelist. The third set can correspond to keys created after a cutoff timestamp. The key removal tool can delete all key files with key file names not on the whitelist that were created before the cutoff timestamp.

Abstract: Disclosed is an input/output circuit for a physical unclonable function generator circuit. In one embodiment, a physical unclonable function (PUF) generator includes: a PUF cell array comprising a plurality of bit cells configured in a plurality of columns and at least one row, and at least one input/output (I/O) circuit each coupled to at least two neighboring columns of the PUF cell array, wherein the at least one I/O circuit each comprises a sense amplifier (SA) with no cross-coupled pair of transistors, wherein the SA comprises two cross-coupled inverters with no access transistor and a SA enable transistor, and wherein the at least one I/O circuit each is configured to access and determine logical states of at least two bit cells in the at least two neighboring columns; and based on the determined logical states of the plurality of bit cells, to generate a PUF signature.

Abstract: Proper use of a remote monitoring function is realized in an elevator-control-device that monitors an elevator. An elevator-control-device is connected with a remote-monitoring-server that remotely monitors an elevator, via a communication network. The elevator-control-device includes a processor that performs a monitoring-control-process for monitoring the elevator, and a memory. The memory stores a communication function in which a control program for communicating with the remote-monitoring-server for the elevator is stored, a remote-monitoring-function in which a control program for the monitoring-control-process is stored, and a maintenance terminal function in which a control program for connection with a maintenance terminal is stored. The remote-monitoring-function is encrypted and is stored in the memory.

Abstract: Disclosed example people monitoring methods include detecting a first watermark in a first audio signal obtained from an acoustic sensor, the first watermark identifying media presented by a monitored media device, determining whether a second watermark, different from the first watermark, is embedded in the first audio signal obtained from the acoustic sensor, the second watermark identifying at least one of a mobile device or a user of the mobile device, classifying the second watermark as a media watermark or a people monitoring watermark based on a characteristic of the second watermark, and when the second watermark is determined to be embedded in the first audio signal, reporting at least one of the second watermark or information decoded from the second watermark to identify at least one of the mobile device or the user of the mobile device as being exposed to the media presented by the monitored media device.

Abstract: A method for outsourcing exponentiation in a private group includes executing a query instruction to retrieve a query element stored on an untrusted server by selecting a prime factorization of two or more prime numbers of a modulus associated with the query element stored on the server, obtaining a group element configured to generate a respective one of the prime numbers, generating a series of base values using the prime factorization and the group element, and transmitting the series of base values from the client device to the server. The server is configured to determine an exponentiation of the group element with an exponent stored on the server using the series of base values. The method also includes receiving a result from the server based on the exponentiation of the group element with the exponent.

Abstract: Embodiments described herein relate to apparatuses and methods for registering and storing a local key associated with a local application of a communication device, including, but not limited to, receiving a request from the communication device to register and store the local key, evaluating the request based on at least one first policy, and sending the request to register and store the local key to a secure key storage.

Abstract: The method of the invention comprises: an identification step (E30-E50) of identifying the user of the mobile terminal; a generation step, triggered if identification is successful, of a secure element of the terminal generating (E70) at least one identification value for the terminal by using a first secret key shared between the secure element and a token service provider device; a sending step (E100) of sending a request to the token service provider device to obtain at least one security token, the request including said at least one identification value for the terminal; and a reception step (F90) of receiving from the token service provider device said at least one security token in encrypted form, each security token being associated with a random number generated by the token service provider device and being encrypted by means of an encryption key generated for that token from the random number and from a second secret key shared between the token service provider device and the secure element of th

Abstract: There is a need for more effective and efficient secure data transmission. This need can be addressed by, for example, solutions for secure data transmission that utilize per-user-functionality secret shares. In one example, a method includes generating a hashed user identifier based on a received user identifier; transmitting the hashed user identifier to an external computing entity; and receiving a data retrieval secret share from the external computing entity, wherein: (i) the data retrieval secret share is selected from a plurality of per-user-functionality secret shares, (ii) the plurality of per-user-functionality secret shares are generated based on a secret value, (iii) the secret value is generated based on the hashed user identifier, (iv) the secret value is used to generate a user data private key, and (v) the external computing entity is configured to encrypt user-provided data using the user data private key prior to transmission of the encrypted user-provided data.