Abstract: A computer-implemented method, a computer program product, and a computer system for detecting, verifying and preventing unauthorized use of a Voice over Internet Protocol (VoIP) service. A computer rates a VoIP call based on a database including information of the caller number, in response to determining that no record of a caller number exists in a database including the information of unauthorized uses. The computer sets a predetermined time period for the VoIP call based on a rating of the VoIP call, adds the predetermined time period to a session initiation protocol (SIP) invite, and connects the VoIP call to a called party. In response to that the predetermined time period is reached, the computer interrupts the VoIP call and prompts the caller to conduct user verification. In response to that the caller is successfully verified, the computer reconnects the VoIP call to the called party.

Abstract: A Wi-Fi network includes one or more access point devices configured to connect to one or more devices; wherein the Wi-Fi network is designated by a Service Set Identifier (SSID); wherein each Wi-Fi client device accesses the Wi-Fi network using the SSID and a key of a plurality of keys each being a password or certificate for the Wi-Fi network; and wherein each of the plurality of keys designates an access zone of a plurality of access zones each defining rules for network and/or device access such that the one or more access point devices provide selective access based on which of the plurality of keys is used for each of the one or more devices.

Abstract: A system and method for establishing trust between management entities with different authentication mechanisms in a computing system utilizes a token exchange service to acquire a second security token used in a second management entity in exchange for a first security token used in a first management entity. In an embodiment, an endpoint is set at the first management entity as an authentication endpoint for the second management entity, which is used to authenticate a request with the second security token that is sent from the first management entity to the second management entity. After authentication, the request is processed at the second management entity and a response is transmitted to the first management entity.

Abstract: The disclosed technology teaches safely attaching an access token to a browser-based request from a first app loaded by a webpage, without exposing the token to malicious code loaded by the webpage, providing an identity proxy that transparently determines which network requests to relay and a secrets management proxy that provides access tokens transparently to the requests. The identity proxy intercepts an access request from the first app to the resource server and relays the request via the secrets management proxy, which forwards the request to the resource server with an access token, receives a response from the resource server and forwards the response to the identity proxy for return to the first app. The secrets management proxy is implemented in an iFrame that has isolated storage subject to a browser-enforced same origin policy that makes the isolated storage used by the iFrame inaccessible to malicious code on the webpage.

Abstract: A device and methods are described that comprise at least one host application and a rich execution environment. At least one interface is operably coupled to the REE for communicating with a remote server. A security sub-system comprises a security monitoring and control circuit coupled to the REE and connectable to the remote server via the REE and the at least one interface. The security monitoring and control circuit comprises an analytics circuit configured to detect an anomaly following a compromisation of the device. The security monitoring and control circuit is arranged to treat the REE as an untrusted component and in response to a detection of a compromisation of the REE or a component in the device that is accessible by the REE by the analytics circuit, the security monitoring and control circuit is configured to re-establish a secure connection to the remote server that tunnels through the REE and at least partially removes the compromisation from the device.

Abstract: A method including receiving, by a first server from a second server, an encrypted authentication packet to enable the first server and the second server to conduct an authentication process, the encrypted authentication packet including a crypted code field indicating a type associated with the encrypted authentication packet and a crypted payload including one or more encrypted fields; and transmitting, by the first server to the second server, a response based at least in part on determining the type associated with the encrypted authentication packet and on decrypting the one or more encrypted fields. Various other aspects are contemplated.

Abstract: At least one data file for backup can be received. The data file can be divided into a plurality of data blocks. A first portion of the plurality of data blocks can be allocated to a first data processing system for backup by the first data processing system. A second portion of the plurality of data blocks can be allocated to a second data processing system for backup by the second data processing system.

Abstract: A system and method for identifying and authenticating a counterfeit article using digital fingerprints are disclosed. The system comprises a server with a processor and memory, and a database. The memory is configured to store a set of modules executable by the processor. The set of modules include, but not limited to, a digital image acquisition module, a comparison module, and a decision module. The digital image acquisition module is configured to extract analog identification indicium of the article from one or more images. The comparison module is configured to compare analog identification indicium with actual analog identification indicium of the article. The decision module detects the authenticity of the article based on the comparison results. The system further comprises an anti-counterfeiting network verification system in communication with the server, configured to securely protect the actual analog identification indicium of the article from unauthorized access and other potential crimes.

Abstract: A method includes requesting, by a first computing device having a first application and a first Transport Layer Security (TLS) library, a sequence of cryptographic keys obtained by a first agent, the sequence of cryptographic keys based on an agent key and provided from the first agent to the first TLS library, requesting, by a second computing device having a second application and a second TLS library, the sequence of cryptographic keys obtained by a second agent, the sequence of cryptographic keys based on the agent key and provided from the second agent to the second TLS library, and communicating between the first application of the first computing device to the second application of the second computing device using the sequence of cryptographic keys based on the agent key.

Abstract: In embodiments, an authentication server interfaces between a user device with a self-signed certificate and a verifying computer that accepts a user name and password. The user device generates a self-signed certificate signed by a private key on the user device. The self-signed certificate is transmitted to a verifying party computer over a network. The verifying party stores the self-signed certificate with user identification data. The user migrates trust to another device by providing the root certificate and intermediate certificate as a certificate chain to a second device, which then adds a new intermediate certificate to create a longer certificate chain with the same root certificate. In subsequent communications, the verifying party receives a certificate chain including the self-signed certificate from the second user device, and matches that with the user identification data stored in a database.

Abstract: According to a first aspect, there is provided an identity verifier comprising: at least one processor; at least one memory including computer program code; and a communication port coupled to the processor the at least one memory and the computer program code configured to, with the at least one processor, cause the identity verifier at least to: receive, through the communication port, query information to verify an identity provided by a party requesting a financial service; extract a unique identifier of an electronic device from the query information, the electronic device used to request the financial service; calculate a probability of an accuracy of the identity verification by at least determining whether one or more databases contain a record of the unique identifier, the one or more databases storing data used to perform the identity verification; and respond, through the communication port, to the query with the calculated probability.

Abstract: A method for assigning a random number to a user in a set of users includes computing a random number assignment seed value based on an ASCII-value representation of the user's name, dividing the random number assignment seed value by a quantity of unassigned numbers available to be assigned to the user to produce a modified random number assignment seed value, rounding the modified random number assignment seed value down to an integer, computing a random number offset value by multiplying the quantity of unassigned numbers by the rounded modified random number assignment seed value, subtracting the random number assignment offset value from the random number assignment seed value to determine a random number assignment lookup number, determining the random number to be assigned to the user based on the random number assignment lookup number, and assigning the determined random number to the user.

Abstract: Systems and methods described herein relate to techniques in which multiple parties each generate and exchange quantities that are based on a shared secret (e.g., powers of the shared secret) without exposing the shared secret. According to a protocol, two or more parties may exchange sets of elliptic curve points generated over polynomials that can be used, by each of the two or more parties, to determine a power of a shared secret. The protocol may be utilised as part of determining parameters for a smart contract that is broadcast to a blockchain network (e.g., Bitcoin). Based on the protocol, an additional party (e.g., a third party different from the two or more parties) may perform a computational task such as execution of the smart contract.

Abstract: The present invention puts forward a personal electronic access permission (Figure B, 31) that can both check on the customer's identity (Figure A, step 2) and right to access an event/venue in one scanning event, and address the unwanted secondary market, still enabling a customer (Figure D, 5) to sell back an electronic access permission to the system (Figure D, I) in case the customer is not able to attend the event.

Abstract: A device can receive, from a network device, information that identifies a user device. The network device might have authenticated the user device based on the user device accessing a radio access network. The device can receive, from the user device, a request for a first token. The request can include an encrypted session identifier. A server device might have encrypted the session identifier. The device can determine the session identifier, and generate the first token based on the session identifier and the information that identifies the user device. The device can encrypt the first token using an application public key, and provide, to the user device, the encrypted first token. The user device can provide, to the server device, the encrypted first token. The server device can register the user device to receive content based on the encrypted first token.

Abstract: Systems and methods for monetizing the reproduction of digital media content for the rights-holders of the digital media content. Embodiments of the present disclosure relate to determining whether a user of a media content item has a license to reproduce the media content item. In one embodiment, the media content item may be reproduced when the user is licensed. The user is prompted to select to acquire a license to reproduce the media content item or to decline the license to reproduce the media content item when the user is not licensed. Further embodiments determine whether a user may receive a license when the user wishes to acquire a license. In an embodiment, the user is declined a license when not approved for the license.

Abstract: A distributed secure communication system includes a first System Control Processor (SCP) subsystem coupled to second and third SCP subsystems via a network. The first SCP subsystem identifies the second SCP subsystem, signs a first SCP authentication communication with a first private key to provide a first signed SCP authentication communication that it transmits to the second SCP subsystem. The first SCP subsystem receives a second signed SCP authentication communication from the second SCP subsystem, authenticates the second signed SCP authentication communication using a second public key associated with the second SCP subsystem and, in response, establishes a first secure communication channel with the second SCP subsystem.

Abstract: Examples provided herein are directed to a computing device and media playback system sharing access to a media service corresponding to a media application installed on the computing device. In one example, a media playback system may be configured to (i) receive from the computing device an authorization code that corresponds to a media application installed on the computing device that is authorized to access media from a media service, (ii) transmit to the media service an authorization request with the authorization code, (iii) receive from the media service an authorization token that facilitates obtaining media from the media service, and (iv) transmit to the media service a request for media for playback by the media playback system, where the request for media includes the authorization token.

Abstract: A content distribution system includes content receivers that provide a plurality of blockchain databases that store transaction records associated with subscriber requests for content, and a computer system that processes those transaction records and enables authorized content receivers to output requested content.

Abstract: An electronic device comprises a processor, a memory, a memory controller for controlling access to the memory, a hardware security module, and a bus system, to which the processor, the memory controller, and the hardware security module are connected. The hardware security module uses its connection to the bus system to detect requests on the bus system that are sent by the processor. The hardware security module has a secure state and a non-secure state. When in the secure state, the hardware security module adds a secure-state signal to requests sent by the processor over the bus system. The memory controller determines whether memory-access requests include the secure-state signal, and denies access to a secure region of the memory in response to receiving memory-access requests that do not include the secure-state signal.

Abstract: Embodiments of the disclosure include systems and methods for secure storage and/or retrieval of customer secrets by, e.g., a cloud services provider. According to methods, secret data that is to be securely stored may be transmitted, along with an initialization vector, to an encryption service for encryption using a private key stored on in a remote key vault. The encrypted data can be returned and stored, in its encrypted form, in a secure storage along with the initialization vector data. To retrieve the securely stored data, embodiments disclose retrieving the encrypted form of the data and transmitting it, along with its related initialization vector data, to the encryption service for decryption using the private key stored in the remote key vault. The decrypted data can then be made available to a requesting product service.

Abstract: A method at a network node of a radio access network (RAN) for managing a context of a user equipment (UE) operating in an inactive mode, the method comprising: receiving, from a second network node, a context retrieval request comprising a UE identifier and a first message, the first message being protected with a first cryptographic key; validating the first message using a stored cryptographic key associated with a UE context indicated by the UE identifier; and sending a context retrieval response message to the second network node containing a relocation indication of whether the UE context is to be relocated to the second network node.

Abstract: Described herein is a system, method, and non-transitory computer readable medium related to a service provider using a third party identity provider to authenticate a user with improved security. An authentication token is received from the identity provider, and can be verified against internal configuration information. The internal configuration information includes data that is not included in the authentication token, and therefore, is not vulnerable to some security attacks, such as a man-in-the-middle attack. After the authentication token is verified, the internal configuration information and authentication token may be used to create a custom identifier, referred to as an identity ID. The identity ID may be used by the service provider to verify user access to resources.

Abstract: Example techniques relate to changing a playback device mode based on a device base. In an example implementation, a first playback device operates in a first mode where it is connected to a first network and plays back audio content while in the first mode. The playback device detects connection of the first playback device to a device base and while the first playback device is on the device base, detects connection to a second network. The first playback device switches from operating in the first mode to operating in a second mode. The first playback device forms a stereo pair configuration with a second playback device over the second network in the second mode. While in the second mode, the first playback device plays back a first channel of audio content in synchrony with the second playback device playing back a second channel of the audio content.

Abstract: The present disclosure relates to a computing architecture configured to run a first operating system (512) and an isolated operating system (520), wherein the computing architecture is configured to load and run the isolated operating system before loading and running the first operating system.

Abstract: A secure communication channel is established between network devices separated by an unsecured physical space by dynamically performing server/client resolution based on comparison of unique identifiers of the devices. After a link between a first network device and a second network device is established, the devices exchange start frames in accordance with a network security protocol such as the Media Access Control Security (MACsec) protocol. Comparison logic at the first network device compares a value of a unique identifier of the first network device to a value of a unique identifier of the second network device obtained from the start frame transmitted by the second network device, and vice versa. Based on the comparison, one of the devices assumes a server/authenticator role, and the other device assumes a client/supplicant role. The devices operate in their determined roles to perform an authentication process and thereby establish a secure communication channel.

Abstract: A data processing method is provided. A terminal device encrypts a target instruction and a first identifier using a first key to obtain a first ciphertext; and sends the first ciphertext to an IoT device through an IoT platform. The IoT device decrypts the first ciphertext using a second key to obtain the target instruction and the first identifier; determines whether the first identifier matches a second identifier stored locally and comes to a matching result, the first key and the second key being negotiated by the terminal device and the IoT device; and obtains a second cipher text by encrypting the matching result using the second key. The terminal device receives the second ciphertext returned by the IoT device through the IoT platform; decrypts the second ciphertext using the first key to obtain a decryption result; and performs a corresponding operation using the decryption result.

Abstract: A channel between quantum controller modules (e.g., pulse processors) is operable to communicate high speed data required for processing qubit states that may be distributed across a quantum computer. The latency of the communication channel is deterministic and controllable according to a system clock domain.

Abstract: Embodiments described herein provide a security model and interface for wearable device digital purchases that can be made without the assistance of a companion device. The satellite device can be configured to be used as a primary device, without reliance upon a paired device. A provisioning process may be implemented to generate and validate one or more tokens to authenticate the wearable device and a set of cryptographic keys can be generated. Subsequently, the token(s) and cryptographic keys may be used to enable a user of the wearable device to make purchases from a digital shopping store without support from an associated companion electronic device.

Abstract: An example operation may include one or more of determining a data point trigger has occurred at a particular block cycle of a blockchain, initiating a sidechain to store subsequent entries based on the data point trigger, and a genesis block of the sidechain includes one or more relevant data fields from the blockchain, initiating a sidechain smart contract to manage data entries submitted to the sidechain, storing the data entries in the sidechain for a conditional period, and when the conditional period has matured, convoluting the sidechain into the blockchain.

Abstract: An enhanced email service that mitigates drawbacks of conventional email services by enabling transmission of encrypted content to a recipient regardless of the recipient having a prior relationship with the sender or having credentials issued from a certificate authority. A method is provided for receiving encrypted content and generating a message includes both the encrypted content as an attachment and a link to enable access to the encrypted content. The method may include transmitting the message to an intended recipient's mailbox while also storing the message in another mailbox to provide for subsequent decryption of the encrypted content. The link may provide the intended recipient of the message with access to the encrypted content in various ways depending on, for example, whether the recipient is viewing the message through a webmail browser or through a local mail client that is compatible with the enhanced email service.

Abstract: A computer implemented method of protecting data in a message for communication from a sender to a receiver, the sender and receiver sharing a secret, the method including splitting the message into a plurality of ordered message blocks, the order being a proper order such that an aggregation of the blocks in the proper order constitutes the message; generating a hash value for each message block, each hash value being generated on the basis of at least a content of the block and the secret; generating, for each block, an encoded indication of a position of the block in the proper order of blocks, the encoding being reversible and based on at least the hash value for the block and a position of the block in the proper order; communicating the blocks to the receiver in an order different to the proper order so as to obfuscate the message; and communicating the encoded indications to the receiver such that the blocks can be reassembled by the receiver in the proper order on the basis of the shared secret.

Abstract: System and method are disclosed for providing authentication of a terminal device. One embodiment includes a method implemented by a first terminal device. The method may include receiving first location information and receiving a first predetermined signal. The method may also include transmitting status information and the first location information to a server upon receiving the first predetermined signal to allow the server to compare the first location information with second location information received from a second terminal device and to allow the server to transmit the status information to the second terminal device. The status information may indicate that the first terminal device is authenticated and the first location information may indicate a current location of the first terminal device.

Abstract: A method for recovery of missing or extra data using a bloom filter includes: storing a plurality of transaction messages, each including a transaction value; generating a bloom filter of the transaction messages, the bloom filter being generated using a number of hash rounds and with a size at least double the number of transaction messages; generating a recover message including the number of transaction messages, the number of hash rounds, the size, and the generated bloom filter; transmitting the recover message to a consensus node; receiving a response message from the consensus node, the response message including at least one additional transaction message; and inserting the at least one additional transaction message into the plurality of transaction messages.

Abstract: Techniques are provided for aggregate inline deduplication and volume granularity encryption. For example, data that is exclusive to a volume of a tenant is encrypted using an exclusive encryption key accessible to the tenant. The exclusive encryption key of that tenant is inaccessible to other tenants. Shared data that has been deduplicated and shared between the volume and another volume of a different tenant is encrypted using a shared encryption key of the volume. The shared encryption key is made available to other tenants. In this way, data can be deduplicated across multiple volumes of different tenants of a storage environment, while maintaining security and data privacy at a volume level.

Abstract: A wireless sniffer for analyzing the channel quality of a Wireless Local Area Network (WLAN) identifies which of the wireless transmissions it detects over a wireless interface are carried on the WLAN it is analyzing by having a dedicated link from a network management system controlling the WLAN under investigation, over which signature data such as a MAC ID associated with the WLAN is received and stored for comparison with signature data associated with the wireless transmissions it detects on the wireless interface it can identify which of the received wireless transmissions are carried on the WLAN it is to analyze.

Abstract: This application provides a buffer allocation method and a device. The method includes determining, by a device, a first output rate of a first queue on the device and a second output rate of a second queue on the device. The method also includes separately allocating, by the device, a first buffer to the first queue and a second buffer to the second queue based on a ratio of the first output rate to the second output rate. The device separately allocates a buffer to each of queues based on a ratio of output rates of the queues, so that a ratio of output traffic of the queues meets an expected scheduling ratio.

Abstract: A system protects personally identifiable information (PII) by implementing an unconventional key management scheme. In this scheme, the system uses a set of keys rather than an individual key for encrypting PII. Different portions of the PII are encrypted using different keys from the set of keys. In this manner, even if a malicious user were to access a key, that key would not give the malicious user the ability to decrypt all of the PII. Additionally, the system generates a new set of keys periodically (e.g., once a month). The system also deletes sets of keys that are too old (e.g., six months old). As a result, even if a malicious user were to access a key, the usefulness of that key would be time limited.

Abstract: A system and method of providing pin-level encryption to low-information signals is provided. The system comprises a first system and a second system communicatively coupled together. The second system comprises a signal generator and a one-time pad (OTP) key mixer. An emanator is communicatively coupled to the first system and the second system and is configured to emanate an OTP key to both the first system and the second system. The OTP key mixer is configured to apply the OTP key to a low-information signal from the signal generator prior to transmitting the low-information signal to the first system.

Abstract: This application describes methods, mediums, and systems for verifying a device for use in a messaging system. Using the device verification procedures described, a messaging system can securely authorize new devices to send and receive encrypted messages on behalf of a user, preferably without the need to share a private encryption key between the users' different devices. The application describes several techniques that can be used to provide such a system, including distributing a computer-perceptible code that encodes encryption information between a secondary device and a primary device. This allows the information to be distributed without intervention by a server. Other techniques provide unique ways to build and reverify authorized device lists, distribute encryption keys in chat channels, ensure that lists of authorized devices are distributed in the correct order and remain valid for an appropriate amount of time, add new devices to an ongoing or new conversation, and more.

Abstract: Aspects of the present disclosure relate to an apparatus comprising first interface circuitry to communicate with a first computing device and second interface circuitry to communicate with a second computing device. The first interface circuitry is configured to receive a handshake message from the first computing device. The second interface circuitry is configured to transmit the handshake message to the second computing device and to receive a handshake response message from the second computing device. The first interface circuitry is configured to transmit the handshake response message to the first computing device, whereby to establish a communication session between the first computing device and the second computing device.

Abstract: A method for transmitting data from a management entity in a communication system further comprising at least one data concentrator device to which smart electricity meters are attached via a first powerline communication network, each data concentrator device being connected to the management entity via a second communication network. Said smart electricity meter receives, coming from the management entity, via the first powerline communication network, a message indicating that a transfer of data is pending with the management entity. Said smart electricity meter comprising a wireless communication interface adapted to communicate via a third wireless local communication network with a residential gateway connected to the management entity via a fourth communication network, said smart electricity meter obtains said data from the management entity via the third wireless local communication network.

Abstract: A user device configured to operate in a blockchain network includes a communicator; a memory; and a processor configured to: based on a peer-to-peer communication based content being received from at least one of a plurality of external apparatuses constituting the blockchain network, generate, through the communicator, block information related to the received content, store the generated block information in the memory, and transmit, through the communicator, the generated block information to the blockchain network; based on a user command for reporting the received content being received, transmit information on the reported content to the blockchain network; identify, based on verification on the reported content performed by at least one administrator device from among the plurality of external apparatuses, whether or not the reported content corresponds to an illegal content; and based on the reported content corresponding to the illegal content, block distribution of the received content.

Abstract: A system, method, and non-transitory computer readable storage medium for privacy preserving routing of a data packet. The data packet may comprise a packet header and a data payload; the packet header comprising at least a homomorphically encrypted final destination address of a final destination device. An intermediate routing device may receive the data packet. At the intermediate routing device, in a non-TEE, homomorphic computations may be performed to determine a homomorphically encrypted address of a next intermediate routing device. At the intermediate routing device, in a TEE, one or more secret homomorphic decryption keys may be stored and used to decrypt the homomorphically encrypted address of the next address of the next intermediate routing device. The data packet may be transmitted to the decrypted address of the next intermediate routing device according to an updated packet header with the unencrypted address of the next intermediate routing device in the sequence.

Abstract: A method, apparatus, and computer program product for processing a data record including encrypted and decrypted data is described. Various embodiments include receiving a data record including ciphertext and plaintext blocks and determining whether each block in the data record is a ciphertext block or a plaintext block. If a block is a ciphertext block, the ciphertext block is stored into a ciphertext record, decrypted into a plaintext block utilizing a decryption algorithm, and stored in a plaintext record. If the block is a plaintext block, the plaintext block is stored into the plaintext record, encrypted into a ciphertext block utilizing an encryption algorithm, and stored in the ciphertext record. Embodiments described also include authenticating the data record by passing each block of the ciphertext record to an authentication scheme and outputting the plaintext record to a destination application.

Abstract: Responding to a data subject access request includes receiving the request and identifying the requestor and source. In response to identifying the requestor and source, a computer processor determines whether the data subject access request is subject to fulfillment constraints, including whether the requestor or source is malicious. If so, then the computer processor denies the request or requests a processing fee prior to fulfillment. If not, then the computer processor fulfills the request.

Abstract: Techniques for client side multi-factor password generation include randomly removing one or more features of a record of a fingerprint image of a user and creating a distorted record of the fingerprint image by merging the record with a user input code using an encryption technique, the distorted record being reversible using the user input code. The distorted record for authentication of the user is registered.

Abstract: The present disclosure involves systems and methods for identity authentication across multiple institutions using a trusted mobile device as a proxy for a user login. In one example, the operations include identifying a request to trust a particular user associated with a first entity in a digital ID network. A set of personally identifiable information (PII) associated with the user is obtained via the first entity and an identity verification (IDV)/fraud risk analysis is performed. In response to satisfying the analysis, instructions are transmitted to the user to verify the identity via a mobile trust application on an associated mobile device. Upon verification, the mobile device is bound to the user within the digital ID network along with a digital ID associated with the particular user. The digital ID can be used by other entities registered within the digital ID network to authenticate the user.

Abstract: Systems, methods, and computer-readable media for evaluation of trustworthiness of network devices are proposed. In one aspect, a first network device can determine a first determine a first probability of a security compromise of a second network device based on visible indicators. The first network device can also determine a second probability of the security compromise of the second device based on invisible indicators. The first network device also determines a trust degradation score for the second network device and establishes, based on the trust degradation score, a specified type of communication session with the second network device.

Abstract: A system and method are provided for proactively buffering quantum key distribution (QKD) key material. The method includes monitoring key generation rates and surpluses at QKD devices at each node of a QKD link in a QKD network, retrieving surplus key material from the QKD devices at one or both nodes of the QKD link, and buffering the surplus key material in a local storage at one or both nodes in the QKD link. The surplus key material can be used to offset overhead introduced in securely relaying keys between non-adjacent demand pairs in the QKD network. The surplus key material can also be used to offset future transient decreases in key generation rates.