Abstract: A user may access multiple virtual assistants via a voice-enabled device. The device may receive a command from the user, detect a wakeword corresponding to one of the assistants, and send audio data to a command processing system corresponding to the selected assistant. The device transmits encrypted audio data to one or more systems and, upon detecting a wakeword or wake command corresponding to one of the systems, the device may provide an encryption key to that particular system. The system may decrypt and process the audio data without additional latency introduced by having to wait for the audio data to arrive.

Abstract: A network device may decrypt a record received from a source device and associated with an encrypted session. The network device may process the decrypted record. The network device may encrypt the record to generate an encrypted payload. The network device may store an entry in a retransmission mapping that includes a decryption key used to decrypt the record and an encryption key used to encrypt the record. The network device may transmit the encrypted payload in a first TCP packet toward the destination device. The network device may receive retransmitted data and may determine, based on the record entry, that the retransmitted data is associated with the record. The network device may decrypt, using the decryption key, the retransmitted data and may re-encrypt, using the encryption key, the decrypted record. The network device may transmit, toward the destination device, the encrypted payload in a second TCP packet.

Abstract: Aspects of the disclosure relate to processing systems for performing cross-sectional asset editing. A computing platform may receive permission to perform a first subset of event processing steps. The computing platform may delegate permission to an external event processor to perform a second subset of event processing steps and to an external resource management platform to perform a third subset of event processing steps. The computing platform may generate an element chain corresponding to the account. In response to receiving a request to process an event, the computing platform may add a sub-element to the element chain containing a fixed parameter corresponding to an expected value associated with the event and a variable parameter corresponding to an actual value associated with the event. In response to receiving a request to write the actual value to the element chain, the computing platform may modify the variable parameter of the sub-element accordingly.

Abstract: Systems and methods for memory isolation are provided. The methods include receiving a request to write a data line to a physical memory address, where the physical memory address includes a key identifier, selecting an encryption key from a key table based on the key identifier of the physical memory address, determining whether the data line is compressible, compressing the data line to generate a compressed line in response to determining that the data line is compressible, where the compressed line includes compression metadata and compressed data, adding encryption metadata to the compressed line, where the encryption metadata is indicative of the encryption key, encrypting a part of the compressed line with the encryption key to generate an encrypted line in response to adding the encryption metadata, and writing the encrypted line to a memory device at the physical memory address. Other embodiments are described and claimed.

Abstract: A middleware system and corresponding methods are described whereby data communications, either inter-device or intra-device, are coordinated using a set of cryptographic identifiers that correspond to computing elements, such as interfaces, methods, parameters, classes, among others. The cryptographic identifiers are coupled to data messages being sent across the middleware system and processed to indicate adherence to protocol standards and/or to cause transformation of the data messages such that the receiver receives a data message adhering to their acceptable protocol standards.

Abstract: A method and apparatus include including, in a moving pictures experts group (MPEG) dynamic adaptive streaming over hypertext transfer protocol (DASH) media presentation description (MPD) file, an initialization presentation element that identifies an initialization presentation and one or more initialization groups included in the initialization presentation. An initialization group element that identifies an initialization group and one or more initialization sets included in the initialization group is included in the MPD file. An initialization set element that identifies an initialization set is included in the MPD file. The MPD file is transmitted to a client device.

Abstract: Systems and methods implemented by a network element include executing a virtual machine that processes and manages a first Blockchain; communicating with a plurality of nodes in the network, each being part of a peer-to-peer network that manages the first Blockchain, wherein at least one node of the plurality of nodes one of i) operates at a different network layer and ii) utilizes a different protocol for communication, from the network element; and performing one or more applications utilizing the first Blockchain.

Abstract: A computer implemented method to generate training data for a machine learning algorithm for determining security vulnerabilities of a virtual machine (VM) in a virtualized computing environment is disclosed. The machine learning algorithm determines the vulnerabilities based on a vector of configuration characteristics for the VM.

Abstract: A data platform creates an application in a data-provider account, where the application includes one or more application programming interfaces (APIs) corresponding to one or more underlying code blocks. The data platform shares homomorphically encrypted provider data with the application in the data-provider account. The data platform installs, in a data-consumer account, an application instance of the application. The data platform shares homomorphically encrypted consumer data with the application instance in the data-consumer account. The data platform invokes one or more of the APIs of the application instance to execute respective associated underlying code blocks, which are not visible to the data-consumer account, and which operate on the shared homomorphically encrypted provider data and the shared homomorphically encrypted consumer data. The data platform saves homomorphically encrypted output of the one or more respective associated underlying code blocks locally within the data-consumer account.

Abstract: A system and method for maintaining a fraud risk profile in a fraud risk engine are described. In a method conducted at a remote server, a payload from a secure mobile application executing on a user mobile device associated with a user is received. The payload including contextual data having been obtained by the secure mobile application and a trust indicator linked to the contextual data. Validity of the contextual data is confirmed by verifying the trust indicator. If the trust indicator is verified, the contextual data is input into a fraud risk engine as truth data. The fraud risk engine maintains a fraud risk profile associated with the user. The fraud risk profile is usable by the fraud risk engine in evaluating a fraud risk associated with an activity associated with the user.

Abstract: Various disclosed embodiments include illustrative apparatuses, methods, and program products. In an illustrative embodiment, an apparatus includes a processor, a network interface, and a memory that stores code executable by the processor. The code receives signed keys from a computing device over a network via the network interface. The signed keys include a key signed by a mobile device associated with the computing device and the signed keys were generated responsive to a first key agreement protocol configured to provide one of forward secrecy protection and time-based expiration. The code authenticates the received signed keys responsive to prior knowledge of public keys associated with at least one of the computing device and the mobile device according to a second key agreement protocol configured to provide one of forward secrecy protection and time-based expiration and code that initiates a communication between the processor and the device responsive to the received signed keys being authenticated.

Abstract: Aspects of the disclosure relate to a system and method for cryptographically transmitting and storing identity tokens and/or activity data among spatially distributed computing devices. The system may comprise a plurality of chains, such as an identity chain and an activity chain. In some aspects, identity data associated with a user may be used to generate an identity token for the user. The identity token may be transmitted to a plurality of computing devices for verification. Based on a verification of the identity token, the identity token may be stored in the identity chain. A request to perform an activity may also be received, and identity data associated with the user may be received in order to authenticate the user. The computing device may generate, based on the received identity data, an identity token for the user. The identity token may be compared to the identity token stored in the identity chain, and the user may be authenticated based on the comparison.

Abstract: An access management system (AMS) is disclosed that includes SSO capabilities for providing users secure access to protected resources within an enterprise using encryption keys generated by a client application. The AMS receives a request from a client application for a user to access a protected resource. In certain examples, the request comprises a client application identifier, a session identifier and a client public encryption key. The AMS determines if the session identifier points to a valid session and upon determining that the session identifier corresponds to a valid session, transmits information associated with the valid session to the client application. In certain examples, the information associated with the valid session is encrypted using the client public encryption key. Based on information associated with the valid session received from the client application, the AMS determines whether to grant or deny a user access to a protected resource within the enterprise.

Abstract: An example method of upgrading a host in a cluster under management of a lifecycle manager in a virtualized computing system includes: receiving, from the lifecycle manager at a host in the cluster being upgraded, a desired software specification for a hypervisor of the host; determining, by the host, a list of required software installation bundles (SIBs) to satisfy the desired software specification; identifying a neighboring host in the cluster for the host; downloading, from the neighboring host to the host, at least at portion of the required SIBs; and executing an upgrade of the hypervisor in the host using the required SIBs.

Abstract: In one or more embodiments, a first information handling system (IHS) may: encrypt a document utilizing a symmetric encryption key to produce an encrypted document; and encrypt a metadata file, which includes the symmetric encryption key, utilizing a session encryption key to produce a first encrypted metadata file. In one or more embodiments, a second IHS may: decrypt the first encrypted metadata file utilizing the session encryption key to produce the metadata file; and encrypt the metadata file utilizing a public encryption key associated with a second TPM associated with a third IHS to produce a second encrypted metadata file. In one or more embodiments, the third information handling system may: decrypt the second encrypted metadata file utilizing a private encryption key associated with the second TPM to produce the metadata file; and decrypt the encrypted document utilizing the symmetric encryption key, from the metadata file, to produce the document.

Abstract: Computer code embedded in an electronic component (e.g., a processor, a sensor, etc.) of a medical device, such as a dialysis machine, can be authenticated by comparing a metadata signature derived from the computer code of the electronic component to a key derived from a pre-authenticated code associated with the electronic component. The metadata signature can be derived by running an error-check/error-correct algorithm (e.g., SHA256) on the computer code of the electronic component. A use of the metadata signature enables detection of any unauthorized changes to the computer code as compared to the pre-authenticated code.

Abstract: A technique to stop lateral movement of ransomware between endpoints in a VLAN is disclosed. A security appliance is set as the default gateway for intra-LAN communication. Message traffic from compromised endpoints is detected. Attributes of ransomware may be detected in the message traffic, as well as attempts to circumvent the security appliance. Compromised devices may be quarantined.

Abstract: A method for maintaining a log of events in a shared computing environment is provided. One example of the disclosed method includes receiving one or more data streams from the shared computing environment that include transactions conducted in the shared computing environment by a first entity and a second entity that is different from the first entity. The method further includes creating a first blockchain entry for a first transaction conducted in the shared computing environment for the first entity, creating a second blockchain entry for a second transaction conducted in the shared computing environment for the second entity, where the second blockchain entry includes a signature that points to the first blockchain entry, and then causing the first and second blockchain entries to be written to a common blockchain data structure in a database that is made accessible to both the first entity and the second entity.

Abstract: Embodiments of the present invention provide systems and techniques for changing cryptographic keys in high-frequency transaction environments to mitigate service disruptions or loss of transactions associated with key maintenance. In various embodiments, a server device can employ a working key encrypted with a first master key to decrypt messages being communicated from a client device, whereby each message is encrypted with a first cryptogram that was generated based on the working key encrypted with the first master key. While the working key encrypted with the first master key is being employed, the server device can generate a notification including a second cryptogram generated based on the working key encrypted with a second master key for transmission to the client device. The transmitted notification can cause the client device to encrypt the messages being communicated with the second cryptogram.

Abstract: A method, a computer program product, and a system for embedding a message in a random value. The method includes generating a random value and applying a hash function to the random value to produce a hash value. Starting with the hash value, the method further includes reapplying the hash function in an iterative or recursive manner, with a new hash value produced by the hash function acting as an initial value that is applied to the hash function for a next iteration, until a bit sequence representing a message is produced in a message hash value. The method further includes utilizing the message hash value as a new random value that can be used by an encryption algorithm.

Abstract: Systems and methods directed to a third-party gateway that controls egress traffic from Internet Data Centers (IDC) and/or Virtual Private Clouds (VPC) are described. When egress traffic reaches the third-party gateway, a forward proxy may obtain a service identified or otherwise associated with the source IP address and port. Once, the service is identified, the third-party gateway may obtain a configuration rule specified by a rule manager to determine if the service is allowed to access the destination host(s). If the destination host is approved for the service, the forward proxy may send the traffic to the internet. If the destination host is not approved for the service, the forward proxy may block or otherwise drop the respective communication. In some examples, one or more auditors or auditing agencies may access essential information from the third-party gateway to view egress traffic logs and verify egress traffic approved destinations.

Abstract: A method for being allocated a discovery resource by a user equipment (UE) in a communication system supporting a device to device (D2D) scheme is provided. The method includes determining whether a discovery resource request message may be transmitted to a network entity; transmitting the discovery resource request message to the network entity based on the determining result; and receiving a discovery resource response message as a response message to the discovery resource request message from the network entity.

Abstract: Systems and methods are disclosed for securing a network, for admitting new nodes into an existing network, and/or for securely forming a new network. As a non-limiting example, an existing node may be triggered by a user, in response to which the existing node communicates with a network coordinator node. Thereafter, if a new node attempts to enter the network, and also for example has been triggered by a user, the network coordinator may determine, based at least in part on parameters within the new node and the network coordinator, whether the new node can enter the network.

Abstract: Verification of a data recipient is disclosed, including: sending, to a server, a request for requested information, wherein the request includes identifying information associated with a user; receiving, from the server, at least two pieces of information over different transmission channels; sending, to the server, recovered security data that is generated based at least in part on the at least two pieces of information, wherein the server is configured to determine whether the recovered security data matches stored security data; receiving, from the server, protected requested information associated with the request; and using the recovered security data to recover unprotected requested information based at least in part on the protected requested information.

Abstract: Systems and methods are disclosed herein for a user to use a trusted device to provide sensitive information to an identity provider via QR (Quick Response) code for the identity provider to broker a website login or to collect information for the website. A user may securely transact with the website from unsecured devices by entering sensitive information into the trusted device. The identity provider may generate the QR code for display by the website on an unsecured device. A user running an application from the identity provider on the trusted device may scan the QR code to transmit the QR code to the identity provider. The identity provider may validate the QR code and may receive credential information to authenticate the user or may collect information for the website. Advantageously, the user may perform a safe login to the website from untrusted devices using the trusted device.

Abstract: Novel tools and techniques might provide for implementing secure communications for IoT devices. In various embodiments, a gateway or computing device might provide connectivity between or amongst two or more Internet of Things (“IoT”) capable devices, by establishing an IoT protocol-based, autonomous machine-to-machine communication channel amongst the two or more IoT capable devices. For sensitive and/or private communications, the gateway or computing device might establish a secure off-the-record (“OTR”) communication session within the IoT protocol-based, autonomous machine-to-machine channel, thereby providing encrypted machine-to-machine communications amongst the two or more IoT capable devices, without any content of communications that are exchanged amongst the IoT capable devices over the secure OTR communication session being recorded or logged.

Abstract: Provided is a detection device which is suitable for receiving a service within a network assembly, having the following:—means for providing cryptographic security at or above the transport level of the communication protocol levels which can be used in the network assembly for at least one first existing communication connection between the detection device and a network access device which is arranged in the network assembly and which can be used to monitor data detected by the detection device and/or control an additional device within the network assembly using the data detected by the detection device,—means for generating and/or determining network access configuration data for at least one additional second communication connection, which is to be cryptographically secured below the transport level, between the detection device and the network access device,—means for providing the generated and/or determined network access configuration data to the network access device.

Abstract: A system includes a user computing device with an application for removal of privacy data. The application obtains vehicle information associated with a target vehicle that has a target in-vehicle device from which privacy information of a user is to be removed. Using the vehicle information, the application determines vehicle parameters associated with the target vehicle. The application obtains a privacy information removal file comprising an instruction set associated with removing privacy data from candidate in-vehicle devices, and presents the instruction set. A user experience feedback associated with the candidate in-vehicle devices is obtained and stored in a database.

Abstract: Techniques for verifiable computation for cross-domain information sharing are disclosed. An untrusted node in a distributed cross-domain solution (CDS) system is configured to: receive a first data item and a first cryptographic proof associated with the first data item; perform a computation on the first data item including one or more of filtering, sanitizing, or validating the first data item, to obtain a second data item; generate, using a proof-carrying data (PCD) computation, a second cryptographic proof that indicates (a) validity of the first cryptographic proof and (b) integrity of the first computation on the first data item; and transmits the second data item and the second cryptographic proof to a recipient node in the distributed CDS system. Alternatively or additionally, the untrusted node may be configured to transmit a cryptographic proof to a trusted aggregator in the CDS system.

Abstract: A first network device may install a receiving key for decrypting traffic on protocol hardware associated with a data plane of the first network device. The first network device may receive, from the data plane, a first notification indicating that the receiving key is installed on the protocol hardware and may provide, to a second network device, a first message identifying the receiving key. The first network device may receive, from the second network device, an acknowledgment message indicating that the receiving key is installed on the second network device and may install a transmission key for encrypting traffic on the protocol hardware. The first network device may receive, from the data plane, a second notification indicating that the transmission key is installed on the protocol hardware and may provide, to the second network device, a second message identifying the transmission key.

Abstract: This document describes a module and method for authenticating data transfer between a storage device and a host device. The module is configured to allow encrypted data to be exchanged between the storage device and the host device once the module has verified that the storage device has been correctly paired with an authorized host device whereby the verification step does not require a password to be manually entered or an additional external device to be attached.

Abstract: Described is a system for maintaining dual-party authentication requirements for data retention compliance in a distributed storage environment that includes servers or nodes with remote access components. When administering a data retention policy, an operating system component may require a dual-party authentication mechanism to prevent data deletion, while a different authentication mechanism may control access to the remote access components. Access to the remote access component by a single privileged user, however, may enable overriding or compromising the retention lock compliance implemented by the operating system. Accordingly, the system may tie the dual-party authentication requirement to the authentication mechanism of the remote access components.

Abstract: An information processing apparatus in which a plurality of applications operate is provided. The apparatus comprises a verification unit that verifies whether or not an application can be trusted; and a controller that controls the application, wherein during the execution of a first application executed in response to a user instruction, the controller causes the verification unit to verify a second application that the first application dynamically imports, before the second application is loaded.

Abstract: Systems and methods for performing data protection operations including garbage collection operations and copy forward operations. For deduplicated data stored in a cloud-based storage or in a cloud tier that stores containers containing dead and live segments or dead and live regions such as compression regions, the dead compression regions are deleted by copying the live compression regions into new containers and then deleting the old containers. The copy forward is based on a recipe from a data protection system and is performed using a serverless approach.

Abstract: A computerized method for analyzing an object is disclosed. The computerized method includes performing, by a first cybersecurity system, a first malware analysis of the object, wherein a first context information is generated by the first cybersecurity system based on the first malware analysis. The first context information includes at least origination information of the object. Additionally, a second cybersecurity system, obtains the object and the first context information and performs a second malware analysis of the object to determine a verdict indicating maliciousness of the object. The second malware analysis is based at least in part on the first context information. The second cybersecurity system generates and issues a report based on the second malware analysis, the report including the verdict.

Abstract: A blockchain-based method for document transformation and accountability is provided. Document templates for real property transfer are maintained. Each template includes data fields. Some of the document templates are collected as transaction documents for a transaction for the property transfer. The data fields are populated with received data values. Compliance checking is performed on the populated data values. The checked transaction documents are provided to a network having a first tier of network nodes and a second tier of supernodes. One of the supernodes is selected to validate the transaction documents. The validated transaction documents are added to a ledger of transactions. A hash of the validated transaction documents is transmitted to the first tier. One of the network nodes is selected to commit the hash to a blockchain of the first tier. The hash is committed to copies of the blockchain.

Abstract: Method and apparatus for virtualized environment where virtual computing instances interface a service platform operated on a physical computing apparatus are disclosed. A new virtual computing instance interfacing the service platform can be created, the created new virtual computing instance belonging to a class of virtual computing instances. At least one security credential is obtained from a storage of security credentials associated with the class of the new virtual computing instance. Data communicated with at least one further computing instance is secured based on the obtained at least one security credential.

Abstract: Methods, systems, and media for providing dynamic media sessions with audio stream expansion features are provided. In some embodiments, the methods include: receiving an indication that audio content associated with a video content item is to be presented by a follower device synchronously with the audio content presented by the leader device; identifying candidate follower devices by determining whether devices connected to a local area network are capable of being designated as a follower device; causing a user interface to be presented that indicates each candidate follower device; receiving, via the user interface, a selection of one of the candidate follower devices; and transmitting, from the leader to the selected follower device, control instructions that cause the audio content associated with the video content item to be presented synchronously by the selected follower device with the video content item presented by the leader device.

Abstract: A system that provides responses to requests obtains a key that is used to digitally sign the request. The key is derived from information that is shared with a requestor to which the response is sent. The requestor derives, using the shared information, derives a key usable to verify the digital signature of the response, thereby enabling the requestor to operate in accordance with whether the digital signature of the response matches the response.

Abstract: Disclosed herein are systems and method for performing secure computing while maintaining data confidentiality. In one exemplary aspect, a method receives, via an application, both data and a request to perform a secure operation on the data, wherein the secure operation is to be performed using a secure compute engine on a cloud platform such that the data is not viewable to a provider of the cloud platform. The method applies transformations to the data so that the data is not viewable to the provider. The method transmits the transformed data to the secure compute engine on the cloud platform to perform the secure operation on the transformed data, receives a result of the secure operation from the secure compute engine, and transmits the result to the application.

Abstract: A method and apparatus include including, in a moving pictures experts group (MPEG) dynamic adaptive streaming over hypertext transfer protocol (DASH) media presentation description (MPD) file, an initialization presentation element that identifies an initialization presentation and one or more initialization groups included in the initialization presentation. An initialization group element that identifies an initialization group and one or more initialization sets included in the initialization group is included in the MPD file. An initialization set element that identifies an initialization set is included in the MPD file. The MPD file is transmitted to a client device.

Abstract: Methods, systems, techniques, and devices for smart factory reset procedures are described. In accordance with examples as disclosed herein, a memory system may receive one or more commands associated with a reset procedure. The memory system may identify, in response to the one or more commands, a first portion of one or more memory arrays of the memory system as storing user data and a second portion of the one or more memory arrays as storing data associated with an operating system. The memory system may update a mapping of the memory system based on identifying the first portion and the second portion. The memory system may transfer the data associated with the operating system to a third portion of the one or more memory arrays and perform an erase operation on a subset of physical addresses of the set of physical addresses.

Abstract: Methods and apparatus to monitor media presentations are disclosed. Example methods disclosed herein include presenting information via a display of a media device, the information indicating that monitor software in the media device can be enabled, the monitor software to monitor media presented by the media device, the monitor software to be disabled by default. Disclosed example methods also include detecting a first user input that is to authorize the monitor software in the media device to be enabled, and in response to detection of the first user input: (i) enabling the monitor software in the media device to generate and report at least one of video fingerprints, audio fingerprints, video watermarks or audio watermarks representative of media presented by the media device, and (ii) transmitting, via a network interface, a notification to a remote monitoring entity to indicate that the monitor software in the media device has been enabled.

Abstract: A request is received from a trusted application to authorize a client application that requests a service offered by the trusted application. Whether the client application is authorized to access the trusted application is determined in view of the request. An authentication of a user of the client application is caused in response to determining the client application is authorized to access the trusted application. An authorization result is returned to the trusted application in view of the determining and the authentication.

Abstract: A mobile network operator (MNO) uses a provisioning server to update or install profile content in a profile or electronic subscriber identity module (eSIM). In an exemplary embodiment, the profile is present on a secure element such as an embedded universal integrated circuit card (eUICC) in a wireless device. One or more MNOs use the provisioning server to perform profile content management on profiles in the eUICC. In some embodiments, an MNO has a trust relationship with the provisioning server. In some other embodiments, the MNO does not have a trust relationship with the provisioning server and protects payload targeted for an MNO-associated profile using an over the air (OTA) key.

Abstract: Aspects of the disclosure include methods, apparatuses, and non-transitory computer-readable storage mediums for receiving media data. One apparatus includes processing circuitry that receives a media presentation description (MPD) file that includes an essential property descriptor for session-based dynamic adaptive streaming over hypertext transfer protocol (DASH). The essential property descriptor indicates a session-based description (SBD) file and includes a set of keys for a part of a uniform resource locator (URL) that is used for receiving the media data. The processing circuitry determines a respective value for each of the set of keys based on whether the respective value is included in the SBD file and modifies the URL based on the set of keys and the determined values.

Abstract: An approach for operating at least one touch-sensitive, flat input device of a complete device, the input device being connected via a message-based bus connection to a control device of the complete device, and messages containing touch datasets describing touch data events being transmitted to the control device, which evaluates the messages for input information for an application program implemented by the control device, wherein when a security function in the control device that queries sensitive input information is accessed, the touch datasets are transmitted from the input device to the control apparatus via the bus connection in encrypted form until the associated input process has ended.

Abstract: Methods and systems for contingency communication are disclosed. In one embodiment, a method for providing emergency services may be performed by a base station operating in a communication system in an embodiment, the method for providing emergency services includes transmitting a beacon signal to indicate an emergency status to enable portable devices to operate in a stress mode. A distress signal may be transmitted by a mobile device in response to the beacon signal to the base station, wherein the distress signal carries information at least comprising user identity associated with the mobile device, geolocation of the mobile device, or biometrics of a user of the mobile device.

Abstract: Techniques for modifying queries in a set of nested queries are disclosed. A graphical user interface displays a query detail region alongside a nested query display region. The graphical user interface includes functionality to provide for modification of queries in the nested set of queries. Based on a selection by a user, a query modification tool promotes a query attribute from a child query to one or more parent queries. Based on another selection by a user associated with one query in the set of nested queries, the system deletes an attribute from each query in the set of nested queries. Responsive to a selection to create multiple conditions for a query rule, the system modifies the functionality of the user interface to enable entry of multiple condition characteristics. Based on a further selection, the system creates the multiple conditions for the query rule.

Abstract: A system, method and computer-readable medium provide secure communication between a first and a second computer system based on supersingular isogeny elliptic curve cryptography. The first computer system and the second computer system each determine kernels KA and KB including computing mP+nQ by accessing a lookup table stored in a memory that contains a range of doubles of an end point of the respective kernels, where P and Q are points on the public elliptic curve and m and n are integers. The first computer system and the second computer system compute secret isogenies by determining a respective kernel KBA and KAB using mixed-base multiplicands with a single inversion, including computing the respective kernel KBA and KAB by converting the multiplicands to base 32, and computing scalar multiplications using the base 32 multiplicands.