Having Key Exchange Patents (Class 713/171)
  • Patent number: 11831755
    Abstract: A method, a computer system, and a computer program product for cryptography are provided. A guest virtual server registers with a trusted hypervisor by using guest credentials. A guest wrapping key associated with the guest credentials is generated. A satellite virtual server instance that shares a master key with the virtual guest server is generated in the trusted hypervisor. A copy of the guest wrapping key is passed to the satellite virtual server instance. A random guest key is wrapped with the guest wrapping key, thereby producing a wrapped guest key. The wrapped guest key is rewrapped with the master key to form a protected guest key.
    Type: Grant
    Filed: October 25, 2021
    Date of Patent: November 28, 2023
    Assignee: International Business Machines Corporation
    Inventors: Reinhard Theodor Buendgen, Christian Borntraeger
  • Patent number: 11818264
    Abstract: Disclosed are various embodiments for implementing a key escrow system without disclosure of a client's encryption key to third parties. An encryption key is split into a plurality of key segments pursuant to a shared secret protocol. A plurality of peer client devices are then identified. Each peer client device in the plurality of peer client devices is then verified and the respective one of the plurality of key segments is sent to a respective one of the plurality of peer client devices. A response is then received from each respective one of the plurality of peer client devices, the response confirming receipt of the respective one of the plurality of key segments. A list identifying the plurality of peer client devices is finally provided to a key escrow service, the list comprising key-value pairs that identify each respective one of the plurality of peer client devices and the respective one of the plurality of key segments.
    Type: Grant
    Filed: June 22, 2021
    Date of Patent: November 14, 2023
    Assignee: VMWARE, INC.
    Inventors: Chaoting Xuan, Qimin Yao, Litao Shen
  • Patent number: 11811908
    Abstract: Values and a sequence of operations associated with generating a key may be received. A determination may be made as to whether the sequence of operations associated with the key matches an authorized sequence of operations. The key may be outputted when the received sequence of operations matches the authorized sequence of operations and the key may not be outputted when the received sequence of operations does not match the authorized sequence of operations.
    Type: Grant
    Filed: February 10, 2020
    Date of Patent: November 7, 2023
    Assignee: Cryptography Research, Inc.
    Inventors: Megan Anneke Wachs, Ambuj Kumar, Benjamin Che-Ming Jun
  • Patent number: 11811926
    Abstract: Various implementations described herein may refer to a compliance platform for use with identity data. In one implementation, a method may include receiving a compliance data package from a user, where the compliance data package includes encrypted evidence data corresponding to digital identity data of the user. The method may also include encrypting the compliance data package using a first cryptographic key. The method may further include generating a user key shard, a requestor key shard, and a regulator key shard based on the first cryptographic key. The method may include generating an unlock data package that includes the requestor key shard and encrypting the unlock data package using a second cryptographic key. The method may also include transmitting the user key shard, the encrypted unlock data package, and the encrypted compliance data package to the user. The method may include transmitting the regulator key shard to a regulator.
    Type: Grant
    Filed: May 12, 2021
    Date of Patent: November 7, 2023
    Assignee: Mastercard International Incorporated
    Inventors: Bryn Anthony Robinson-Morgan, Prashant Sharma, Liang Tian
  • Patent number: 11799844
    Abstract: Secure network communications are described. In one aspect, a secure network can include a passbuilder that provides policy information related to performance characteristics of the secure network. A sender can receive the policy information and transmit packets to a receiver if the policy information is complied with by the potential packet transmission.
    Type: Grant
    Filed: November 16, 2020
    Date of Patent: October 24, 2023
    Assignee: APPLIED INVENTION, LLC
    Inventors: W. Daniel Hillis, Mathias L. Kolehmainen
  • Patent number: 11798028
    Abstract: Systems and methods for monitoring malicious software engaging in online advertising fraud or other forms of deceit are disclosed herein. An example method includes: identifying a communication process used by a compromised computing device to communicate with a control server, the control server providing access to advertising weblinks, the compromised computing device associated with malicious software; directing, by an instruction executed by a processor, the compromised computing device to communicate with an uncompromised computing device by re-routing of packets used for communication between the compromised computing device and the control server, the uncompromised computing device being configured to mimic communications between the compromised computing device and the control server using the communication processes; storing information from one or more packets transmitted from the uncompromised computing device; and creating a profile of the malicious software based on the stored information.
    Type: Grant
    Filed: April 1, 2022
    Date of Patent: October 24, 2023
    Assignee: The Nielsen Company (US), LLC
    Inventors: Hadi Shiravi Khozani, Ehsan Mokhtari, Sergei Frankoff, Mohammad Ali Shiravi Khozani
  • Patent number: 11799821
    Abstract: Systems, methods, and computer-readable media for creating service chains for inter-cloud traffic. In some examples, a system receives domain name system (DNS) queries associated with cloud domains and collects DNS information associated with the cloud domains. The system spoofs DNS entries defining a subset of IPs for each cloud domain. Based on the spoofed DNS entries, the system creates IP-to-domain mappings associating each cloud domain with a respective IP from the subset of IPs. Based on the IP-to-domain mappings, the system programs different service chains for traffic between a private network and respective cloud domains. The system routes, through the respective service chain, traffic having a source associated with the private network and a destination matching the IP in the respective IP-to-domain mapping.
    Type: Grant
    Filed: September 9, 2021
    Date of Patent: October 24, 2023
    Assignee: Cisco Technology, Inc.
    Inventors: Balaji Sundararajan, Samar Sharma
  • Patent number: 11791996
    Abstract: The present invention relates to a method, the method comprising: based on a data element (50), generating M data element shares (52), wherein M is an integer greater than 1; providing each of M encryption keys (42) to a first data processing unit (10); the first data processing unit (10) encrypting each of the M data element shares (52) with an encryption key (42), respectively, and thus generating M encrypted data element shares (55), wherein each of the encryption keys (42) corresponds to a decryption key (45), respectively. The present invention also relates to a determining method to determine the data element. The present invention also relates to corresponding computer programs, data processing units and systems.
    Type: Grant
    Filed: January 29, 2021
    Date of Patent: October 17, 2023
    Inventor: Sebastien Armleder
  • Patent number: 11782902
    Abstract: Provided is a computer-implemented method for implementing a blockchain-based rewards network. The method includes establishing a blockchain network including administrative nodes, client nodes, and entity nodes, maintaining a distributed ledger on at least a portion of the administrative nodes of the blockchain network, receiving, from a plurality of entities, rewards data including a plurality of offers, each offer of the plurality of offers corresponding to at least one entity identifier, publishing the rewards data to the distributed ledger, querying the distributed ledger based on at least one entity identifier received from a client node, and determining, based on the distributed ledger, at least one offer corresponding to the at least one entity identifier received from the client node.
    Type: Grant
    Filed: July 7, 2017
    Date of Patent: October 10, 2023
    Assignee: Visa International Service Association
    Inventors: Anil Somani, Mohamed Nosseir
  • Patent number: 11783063
    Abstract: A control device includes: a feature extraction unit that calculates one or more feature amounts from one or more state values; a processing unit that calculates a score based on the one or more feature amounts calculated by the feature extraction unit with reference to a learning model; a determination unit that generates a determination result indicating whether any abnormality has occurred in a monitoring target based on the score; a first data storage unit that stores at least one of data related to processing in the feature extraction unit and data related to processing in the processing unit; a second data storage unit that stores an arbitrary state value capable of being referred to by the control device; and an authority management unit that restricts access to the first data storage unit.
    Type: Grant
    Filed: October 8, 2019
    Date of Patent: October 10, 2023
    Assignee: OMRON Corporation
    Inventors: Ko Kawai, Takahiro Toku
  • Patent number: 11785451
    Abstract: In order to ensure that a Subscription Concealed Identifier, SUCI, is calculated in the Universal Subscriber Identity Module, USIM, part of a User Equipment, UE, when intended, when a SUCI-Calculation-Indicator is set to a value indicating that the SUCI should be calculated in the USIM, a network node sets proprietary information, which is not known to a Mobile Equipment, ME, part of the UE, as required for calculation of the SUCI. The USIM facilitates calculation of the SUCI in the ME part of the UE only when the SUCI-Calculation-Indicator is set to a value indicating that the SUCI should be calculated in the ME. When the SUCI-Calculation-Indicator is set to a value indicating that the SUCI should be calculated in the USIM, the ME part deletes any locally stored information required for calculation of the SUCI.
    Type: Grant
    Filed: July 15, 2022
    Date of Patent: October 10, 2023
    Assignee: TELEFONAKTIEBOLAGET LM ERICSSON (PUBL)
    Inventors: Prajwol Kumar Nakarmi, Pasi Saarinen, Monica Wifvesson
  • Patent number: 11775447
    Abstract: In one embodiment, an apparatus comprises a processor to read a data line from memory in response to a read request from a VM. The data line comprises encrypted memory data. The apparatus also comprises a memory encryption circuit in the processor. The memory encryption circuit is to use an address of the read request to select an entry from a P2K table; obtain a key identifier from the selected entry of the P2K table; use the key identifier to select a key for the read request; and use the selected key to decrypt the encrypted memory data into decrypted memory data. The processor is further to make the decrypted memory data available to the VM. The P2K table comprises multiple entries, each comprising (a) a key identifier for a page of memory and (b) an encrypted address for that page of memory. Other embodiments are described and claimed.
    Type: Grant
    Filed: October 12, 2021
    Date of Patent: October 3, 2023
    Assignee: Intel Corporation
    Inventors: David M. Durham, Siddhartha Chhabra, Amy L. Santoni, Gilbert Neiger, Barry E. Huntley, Hormuzd M. Khosravi, Baiju V. Patel, Ravi L. Sahita, Gideon Gerzon, Ido Ouziel, Ioannis T. Schoinas, Rajesh M. Sankaran
  • Patent number: 11778675
    Abstract: Embodiments of a system and method for dual connectivity for device to vehicle or vehicle to vehicle communication in a Wireless Network are generally described herein. In some embodiments, processing circuitry may determine a quality of service (QoS) level for data to be transmitted over a first radio access technology (RAT) connection and determine a QoS indicator from the QoS level, the QoS indicator identifying a dual connectivity backup transmission, the dual connectivity backup transmission including a hot, warm, or cold backup. In some embodiments, transceiver circuitry may attempt to transmit the data using a first transmission mode, the first transmission mode using the first RAT connection and the data including the QoS indicator and retransmit, in response to the attempt failing, the data using a second transmission mode.
    Type: Grant
    Filed: September 25, 2020
    Date of Patent: October 3, 2023
    Assignee: Apple Inc.
    Inventors: Geng Wu, Qian Li
  • Patent number: 11777744
    Abstract: A method, apparatus and computer program product are provided for generating a registered certified seal, sealing an asset, and verifying a sealed asset. In an example embodiment, a method is provided for receiving a request to generate a registered certified seal from an entity, accessing certifier entity data via a uniform resource locator of a certification authority identified by a certifying certificate, and verifying a digitally signed entity certifying certificate. The method further comprises, upon verifying the digitally signed entity certifying certificate, receiving seal data comprising a seal data key for a certified seal, and saving the seal data for the entity within a digital seal registry, wherein the digital seal registry is searchable based at least in part on at least a portion of the seal data key.
    Type: Grant
    Filed: September 24, 2021
    Date of Patent: October 3, 2023
    Assignee: Auth9, Inc.
    Inventors: Hongjun Li, Ning Xu
  • Patent number: 11777735
    Abstract: A device and a method implemented by computer for authorizing, to a user having access rights granted by a first operator, a completely anonymous and secure access, with no trusted third-party, to a collaborative anonymization platform and/or to a service requiring privacy properties based on such a platform operated by various operators.
    Type: Grant
    Filed: December 9, 2020
    Date of Patent: October 3, 2023
    Assignee: COMMISSARIAT A L'ENERGIE ATOMIQUE ET AUX ENERGIES ALTERNATIVES
    Inventors: Frédéric Laurent, Alexis Olivereau
  • Patent number: 11765141
    Abstract: A processing device includes a storage unit that stores device-specific information in association with device identification information for identifying each of a plurality of devices, an authentication key request reception unit that receives an authentication key request including the device identification information, an authentication key issuing unit that issues the authentication key, a license key request reception unit that receives a license key request including the device identification information and the authentication key, a license key issuing unit that issues a license key, a user identification information registration unit that stores the user identification information of the user who has presented the license key, in association with the device identification information associated with the license key, and a device control unit that integrally controls the plurality of devices identifying a plurality of pieces of device identification information associated with the same user identificat
    Type: Grant
    Filed: January 6, 2020
    Date of Patent: September 19, 2023
    Assignee: InsuRTAP Inc.
    Inventor: Shinichiro Kosugi
  • Patent number: 11763301
    Abstract: The systems, methods and apparatuses described herein provide a virtual integrated circuit card (ICC). In one aspect, a method of creating a virtual ICC may be provided. The method may comprise obtaining executable code configured to run on a user device to facilitate financial transactions, preparing a first encryption key usable by the executable code, receiving a second encryption key associated with the user device, forming a virtual ICC comprising the executable code and the first encryption key, and encrypting the virtual ICC with the second encryption key. In another aspect, a virtual ICC may be embodied on a non-transitory computer-readable medium. The virtual ICC may comprise executable code configured to run on a user device to facilitate financial transactions and a first encryption key usable by the executable code. The virtual ICC may be encrypted using a second encryption key associated with the user device.
    Type: Grant
    Filed: November 12, 2021
    Date of Patent: September 19, 2023
    Assignee: OLogN Technologies AG
    Inventors: Sergey Ignatchenko, Dmytro Ivanchykhin
  • Patent number: 11765164
    Abstract: Techniques for providing a credential of a secure data network to a computing device are described. In an example, a system stores an association between the computing device and a user account. The user account is also associated with a credential of the secure data network. The system receives a certificate of the computing device and determines the association between the computing device and the user account based on the certificate. Further, the system authenticates the computing device based on the association being determined to send to the computing device data, where this data is verified based on a private key of the system. The system receives a request of the computing device for the credential based on the data and sends the credential to the computing device.
    Type: Grant
    Filed: February 26, 2019
    Date of Patent: September 19, 2023
    Assignee: Amazon Technologies, Inc.
    Inventors: Abraham Martin Passaglia, Andrew Roths, Paul Joseph Ellis
  • Patent number: 11757662
    Abstract: Some embodiments provide systems and methods for confidentially and securely provisioning data to an authenticated user device. A user device may register an authentication public key with an authentication server. The authentication public key may be signed by an attestation private key maintained by the user device. Once the user device is registered, a provisioning server may send an authentication request message including a challenge to the user device. The user device may sign the challenge using an authentication private key corresponding to the registered authentication public key, and may return the signed challenge to the provisioning server. In response, the provisioning server may provide provisioning data to the user device. The registration, authentication, and provisioning process may use public key cryptography while maintaining confidentiality of the user device, the provisioning server, and the authentication server.
    Type: Grant
    Filed: October 26, 2020
    Date of Patent: September 12, 2023
    Assignee: Visa International Service Association
    Inventors: Eric Le Saint, Jing Jin, Christian Aabye
  • Patent number: 11755423
    Abstract: A data protection method for protecting backup data stored in a data backup device is executed by a mobile device. When the mobile device is included in a trust circle of the data backup device, the mobile device can receive a certified signal, can execute a file manager of a backup APP for loading the backup data, and can generate a first invitation code. Otherwise, the mobile device cannot access the backup data, and displays a code input menu for inputting a second invitation code. The data backup device can certify the first invitation code and the second invitation code for determining whether the mobile device can be added into the trust circle of the data backup device. Therefore, the mobile device included in the trust circle can access the backup data, and the privacy of the backup data can be secured.
    Type: Grant
    Filed: February 10, 2022
    Date of Patent: September 12, 2023
    Assignee: Vinpower Inc.
    Inventors: Calvinson Chang, Stanley Chu, Chihhan Chou
  • Patent number: 11754623
    Abstract: Systems and techniques of the present disclosure may provide remote debugging of an integrated circuit (IC) device while preventing unauthorized access of device intellectual property (IP). A system may include an IC device that generates an encrypted session key and an interface that enables communication between the IC device and a remote debugging site. The interface may enable the IC device to send the encrypted session key to initiate a remote debug process, receive an acknowledgement from the remote debugging session, and authenticate the acknowledgement. Further, the interface may enable the IC device to initiate a secure debug session between the IC device and the remote debugging site.
    Type: Grant
    Filed: August 9, 2021
    Date of Patent: September 12, 2023
    Assignee: Intel Corporation
    Inventors: Tsvika Kurts, Boris Dolgunov, Vladislav Mladentsev, Ittai Anati, Elias Khoury, Maor Kima, Eran Shlomo, Shay Gueron, William Penner
  • Patent number: 11750382
    Abstract: Methods, systems, and devices for facilitating the automated configuration of one or more new 802.11 access points (APs) are disclosed herein. A cloud server may receive a message associated with a customer account for one or more new APs. The cloud server may associate a first AP of the one or more new APs based on the message. The cloud server may then retrieve a public key associated with the first AP which has a reciprocal private key. The cloud server may send the public key to a gateway (GW) associated with the customer account. The GW may encrypt the GW credentials, such as a password and SSID, into a ciphertext using the public key and then broadcast this information. When the first AP has been powered on, it may decrypt the ciphertext using the private key and use the credentials to act as a node in the GW's network.
    Type: Grant
    Filed: June 2, 2020
    Date of Patent: September 5, 2023
    Assignee: AIRTIES S.A.S.
    Inventors: Mujdat Pakkan, Metin Ismail Taskin, Irfan Acar, Kivanc Cakmak
  • Patent number: 11750384
    Abstract: Generally discussed herein are devices, systems, and methods for binding with cryptographic key attestation. A method can include generating, by hardware of a device, a device public key and a device private key, based on the device private key, signing a first attestation resulting in a signed first attestation, the first attestation claiming the device private key originated from the hardware, based on the device public key and the signed first attestation, registering the device with a trusted authority, generating, by the hardware, a first application private key and a first application public key, and based on the device private key, signing a second attestation resulting in a signed second attestation, the second attestation claiming the first application private key originated from the hardware, and based on the first application public key and the signed second attestation, registering a first application of the device to a first server.
    Type: Grant
    Filed: May 27, 2021
    Date of Patent: September 5, 2023
    Assignee: Microsoft Technology Licensing, LLC
    Inventors: Prabagar Ramadasse, Yordan Rouskov, Mick Healy, Gaurav Dhawan, Venkata Raghuram Pampana, Aleksandr Tokarev, Marc Shepard, Ramachandra Ravitej Vennapusa
  • Patent number: 11750573
    Abstract: A system for transmitting and receiving data based on a vehicle network and a method therefor are provided. The method includes generating, by a first hardware security module (HSM), a first session key using a first random number and a first fixed key, and encrypting, by a first electric control unit (ECU), a message using the first session key. The method also includes generating, by a second HSM, a second session key using a second random number and a second fixed key, and decrypting, by a second ECU, the message using the second session key.
    Type: Grant
    Filed: November 2, 2020
    Date of Patent: September 5, 2023
    Assignees: Hyundai Motor Company, Kia Motors Corporation
    Inventor: Ho Jin Jung
  • Patent number: 11750385
    Abstract: A system and a method for an electronic method of authenticating a user to establish a service session, the method comprising the steps of receiving an access request at a service provider device from a user device, authenticating a user based on a unique user credential associated with the user, by the service provider, and establishing a service session between the user device and the service device.
    Type: Grant
    Filed: November 16, 2017
    Date of Patent: September 5, 2023
    Assignee: Prisec Innovation Limited
    Inventor: Cheuk Yiu So
  • Patent number: 11743030
    Abstract: Systems and methods that may implement an Oracle-aided protocol for producing and using FHE encrypted data. The systems and methods may initially encrypt and store input data in one encrypted form that is not performed using FHE, which does not substantially increase the size of the data and storage resources required to store the encrypted data. In accordance with the Oracle-aided protocol, the encrypted data is re-encrypted as FHE encrypted data when FHE encrypted data is required.
    Type: Grant
    Filed: April 25, 2022
    Date of Patent: August 29, 2023
    Inventors: Margarita Vald, Laetitia Kahn, Boaz Sapir, Yaron Sheffer, Yehezkel Shraga Resheff
  • Patent number: 11743725
    Abstract: A communication system includes a plurality of apparatuses each performing wireless communication with a mobile apparatus. Each of the plurality of apparatuses performs authentication processing for determining whether the mobile apparatus is a mobile apparatus registered beforehand. At least one apparatus of the plurality of apparatuses performs registration processing for obtaining mobile key information to be used for the authentication processing from the mobile apparatus and registering the mobile key information, and sharing processing for transmitting the mobile key information obtained by the registration processing to the other apparatus.
    Type: Grant
    Filed: March 22, 2021
    Date of Patent: August 29, 2023
    Assignee: KABUSHIKI KAISHA TOKAI RIKA DENKI SEISAKUSHO
    Inventors: Yosuke Ohashi, Keita Sobue, Shingo Mochizuki, Norihiro Shimizu
  • Patent number: 11736272
    Abstract: A method for a mobile station (STA) is described. The method may be performed to use an identifiable medium access control (MAC) random (IRM) address (IRMA) to associate to an access point (AP). The method includes exchanging one IRM key (IRMK) with the AP for each association of a plurality of associations; determining an IRM hash using the IRMA and the IRMK exchanged with the AP at an immediately previous association of the plurality of associations and/or a temporal element; associating to the AP using the IRMA as a transmitted address (TA); and transmitting an association request including the IRM hash. The transmitted association request triggers the AP to one or both of check a list of stored IRMKs to find one stored IRMK that together with the IRMA produces the IRM hash included in the association request and identify the STA by the one IRMK.
    Type: Grant
    Filed: December 1, 2022
    Date of Patent: August 22, 2023
    Assignee: SR Technologies, Inc.
    Inventors: Graham K. Smith, Olivia Turner
  • Patent number: 11736273
    Abstract: Embodiments described herein relate to credential wrapping for secure transfer of electronic SIMs (eSIMs) between wireless devices. Transfer of an eSIM from a source device to a target device includes re-encryption of sensitive eSIM data, e.g., eSIM encryption keys, financial transaction credentials, transit authority credentials, and the like, using new encryption keys that include ephemeral elements applicable to a single, particular transfer session between the source device and the target device. The sensitive eSIM data encrypted with a symmetric key (Ks) is re-wrapped with a new header that includes a version of Ks encrypted with a new key encryption key (KEK) and information to derive KEK by the target device. The re-encrypted sensitive SIM data is formatted with additional eSIM data into a new bound profile package (BPP) to transfer the eSIM from the source device to the target device.
    Type: Grant
    Filed: August 16, 2022
    Date of Patent: August 22, 2023
    Assignee: Apple Inc.
    Inventors: Xiangying Yang, Jean-Marc Padova
  • Patent number: 11729169
    Abstract: Systems and methods for network security are provided. Various embodiments issue single use certificates for validating remote endpoints' access to the private network. Some embodiments use a triage zone (or triage gateway) into which a remote device can call using a static issued certificate. However, instead of granting complete access to the virtual private network, the use of this static certificate only grants access to the triage zone, where further validation of the endpoint can occur without any access to sensitive content on the private network. The endpoint can be connected to an ID manager within the triage zone. The endpoint can then send the username and password to the ID manager that can create a single use certificate (e.g., valid for a limited period of time). While valid, the single use certificate can be used by the remote device to gain access to the production zone using a VPN tunnel.
    Type: Grant
    Filed: December 17, 2021
    Date of Patent: August 15, 2023
    Assignee: SailPoint Technologies, Inc.
    Inventors: Cameron Williams, Ryan Privette, Christopher Chad Wheeler, Andrew John Cer, Joseph Nathan Zendle
  • Patent number: 11728972
    Abstract: Embodiments described herein enable the generation of cryptographic material for ranging operations in a manner that reduces and obfuscates potential correlations between leaked and secret information. One embodiment provides for an apparatus including a ranging module having one or more ranging sensors. The ranging module is coupled to a secure processing system through a hardware interface to receive at least one encrypted ranging session key, the ranging module to decrypt the at least one encrypted ranging session key to generate a ranging session key, generate a sparse ranging input, derive a message session key based on the ranging session key, and derive a derived ranging key via a key derivation cascade applied to the message session key and the sparse ranging input, the derived ranging key to encrypt data transmitted during a ranging session.
    Type: Grant
    Filed: June 24, 2022
    Date of Patent: August 15, 2023
    Assignee: Apple Inc.
    Inventors: Yannick L. Sierra, Zhimin Chen, Thomas Icart
  • Patent number: 11720891
    Abstract: A method for implementing zero-knowledge private key management for decentralized applications on a client device including registering an account with a verifier server, initializing a wallet, generating a public key and a private key, encrypting the private key with a zero-knowledge encryption function, producing an encrypted private key, transmitting the encrypted private key to the verifier server, removing the private key from the decentralized client application, sending a transaction request to a decentralized application, receiving a raw transaction, requesting and receiving the encrypted private key from the verifier server, decrypting the encrypted private key with a zero-knowledge decryption function, signing the raw transaction with the decrypted private key, transmitting the signed transaction to the decentralized application, and removing each of the encrypted private key and the decrypted private key from the client application.
    Type: Grant
    Filed: December 7, 2021
    Date of Patent: August 8, 2023
    Inventor: Vijay Madisetti
  • Patent number: 11722473
    Abstract: A communication device of a communication network receives, via a network, a challenge, generates a first Diffie Hellman, DH, parameter, a first verification code for the first DH parameter, forwards the challenge or a derivative thereof to an identity module, receives at least one result parameter as response from the identity module, determines, based on the result parameter, whether the first DH parameter is authentic, and if the first DH parameter is authentic, generates and sends a second DH parameter to the network device for session key generation based on the first DH parameter and the second DH parameter.
    Type: Grant
    Filed: February 23, 2021
    Date of Patent: August 8, 2023
    Assignee: TELEFONAKTIEBOLAGET LM ERICSSON (PUBL)
    Inventors: Mats Näslund, Bengt Sahlin, Karl Norrman, Jari Arkko
  • Patent number: 11716615
    Abstract: In an aspect, a network supporting a number of client devices includes a network device that generates a context for a client device. The client device context may include network state information for the client device that enables the network to communicate with the client device. The client device may obtain, from a network device that serves a first service area of the network, information that includes a first client device context. The client device may enter a second service area of the network served by a second network device. Instead of performing a service area update procedure with the network, the client device may transmit a packet in the different service area with the information that includes the client device context. The client device may receive a service relocation message including information associated with the different network device in response to the transmission.
    Type: Grant
    Filed: March 20, 2020
    Date of Patent: August 1, 2023
    Assignee: QUALCOMM Incorporated
    Inventors: Soo Bum Lee, Gavin Bernard Horn, Anand Palanigounder
  • Patent number: 11716321
    Abstract: A communication network employing a method and system for secure access from a security device at a local network location to a remote network location are disclosed. At the security device having a unique identifier (UID), processor, and memory, a security software is obtained from a remote network location, the security software obtaining a personal identification number (PIN) of a user, and the UID of the security device. The PIN, the UID and the private security software are forwarded to the remote network location for generating a credential code, including encrypting the credential code. At the security device, the credential code is obtained from the remote network location, and authenticity of the PIN and the UID is verified, without communicating over a network, including decrypting the credential code. Upon verifying the authenticity of the PIN and the UID, access credentials to the remote network location are retrieved.
    Type: Grant
    Filed: June 4, 2021
    Date of Patent: August 1, 2023
    Assignee: INBAY TECHNOLOGIES INC.
    Inventors: Nicolas Johannes Sebastian Bettenburg, Randy Kuang
  • Patent number: 11706622
    Abstract: Methods, systems, and media for protected near-field communications are provided. In some embodiments, the method comprises: receiving, from an NFC tag device, a request for an NFC reader device identifier (ID); transmitting the NFC reader device ID to the NFC tag device; receiving an NFC tag device ID; determining whether the NFC tag device ID matches an NFC tag device ID stored in memory of the NFC reader device; in response to determining that the NFC tag device ID matches the NFC tag device ID, transmitting a password to the NFC tag device; receiving, from the NFC tag device, a shared secret; determining whether the received shared secret matches a shared secret stored in the memory of the NFC reader device; and in response to determining that the received shared secret matches the shared secret, causing an action to be performed by a device associated with the NFC reader device.
    Type: Grant
    Filed: May 31, 2022
    Date of Patent: July 18, 2023
    Assignee: McAfee, LLC
    Inventor: Eoin Carroll
  • Patent number: 11706202
    Abstract: Examples described herein include systems and methods for performing distributed encryption across multiple devices. An example method can include a first device discovering a second device that shares a network. The device can identify data to be sent to a server and calculate a checksum for that data. The device can then split the data into multiple portions and send a portion to the second device, along with a certificate associated with the server for encrypting the data. The first device can encrypt the portion of data it retained. The first device can receive an encrypted version of the second portion of the data sent to the second device. The first device can merge these two portions and send the merged encrypted data to the server, along with the checksum value. The server can decrypt the data and confirm that it reflects the original set of data.
    Type: Grant
    Filed: January 25, 2021
    Date of Patent: July 18, 2023
    Assignee: VMware, Inc.
    Inventors: Suman Aluvala, Ramani Panchapakesan, Rajneesh Kesavan, Arjun Kochhar
  • Patent number: 11698982
    Abstract: Systems and methods for securing user location data are described. A method includes receiving, by a location server computer, an encrypted location from a mobile device. The encrypted location is a location of the mobile device encrypted with a public key. The method then includes receiving, by the location server computer, a location request message from an interaction processing server and partially decrypting, by the location server computer, the encrypted location with a first private key share to form a partially decrypted location. The method further includes transmitting, by the location server computer to the interaction processing server, a location response message with the encrypted location and the partially decrypted location. The interaction processing server then uses the partially decrypted location and the second private key share to form a decrypted location.
    Type: Grant
    Filed: September 3, 2021
    Date of Patent: July 11, 2023
    Assignee: Visa International Service Association
    Inventors: Oleg Gryb, Akshay Bhaskaran, Ravi Krishnan Muthukrishnan
  • Patent number: 11696121
    Abstract: Briefly, in accordance with one or more embodiments, an apparatus of a user equipment (UE), comprises one or more baseband processors to derive a dynamic scrambling key, and a memory to store the dynamic scrambling key and a temporary UE identifier (temporary UE ID) assigned to the UE. The one or more baseband processors monitor a paging request for a scrambled UE identifier (UE ID) to determine if the paging request is intended for the UE by unscrambling the scrambled UE ID with the dynamic scrambling key to produce the temporary UE ID. The paging request is intended for the UE if the temporary UE ID produced by unscrambling the scrambled UE ID matches the temporary UE ID stored in the memory. A new dynamic scrambling key may be derived each time the UE returns to a radio resource control idle (RRC_IDLE) state.
    Type: Grant
    Filed: May 3, 2017
    Date of Patent: July 4, 2023
    Assignee: Apple Inc.
    Inventors: Sudeep M. Vamanan, Robert Zaus, Birgit Breining, Chen Ho Chin, Hyung-Nam Choi
  • Patent number: 11689629
    Abstract: Binding a public cloud account and a personal cloud account is described. A pre-approval list indicates that a user's public cloud account and personal cloud account are approved for binding. A copy of the pre-approval list is stored on the personal cloud device; another copy is stored on the public cloud service. The user logs into the public cloud account using a client device. Based on the pre-approval list stored on the public cloud service, the client device obtains information identifying the user's personal cloud account. The personal cloud device verifies the pre-approval of the binding based on the pre-approval list stored on the personal cloud device. The personal cloud device transmits a verification to the public cloud service. Each of the public cloud service and the personal cloud device stores information indicating the binding.
    Type: Grant
    Filed: September 10, 2021
    Date of Patent: June 27, 2023
    Assignee: Latticework, Inc.
    Inventor: Pantas Sutardja
  • Patent number: 11683390
    Abstract: Systems and methods for a publish-subscribe broker network that distributes data packets between authorized entities and includes one or more publish-subscribe brokers. Each publish-subscribe broker is reachable by an entity attempting to connect thereto via a transport network configured to transport IP packets. The publish-subscribe brokers are configured to check credentials of entities attempting to connect to the publish-subscribe broker network and ensure that first and second entities are authorized for publishing packets on the secured named channel or for receiving published packets via the secured named channel. Cipher keys are used by the first and second authorized entities to encrypt and decrypt messages distributed via the publish-subscribe broker network and the publish-subscribe brokers are configured to route encrypted messages as data packets on behalf of the first authorized entity to the second authorized entity using the secured named channel.
    Type: Grant
    Filed: September 16, 2020
    Date of Patent: June 20, 2023
    Assignee: All Purpose Networks, Inc.
    Inventors: Harvey Rubin, John Grossmann
  • Patent number: 11682038
    Abstract: Methods and systems for serving advertisement objects on an advertising platform are disclosed. The advertising platform detects invalid activity related to advertisement objects served in response to a request, and identifies a source associated with the invalid activity. In response to detection of the invalid activity, at least one decoy advertisement object is served in response to further requests originating from the identified source. The decoy advertisement object is an advertisement object that is processed by the advertising platform differently from regular advertisement objects that are served by the advertising platform in response to requests from other sources.
    Type: Grant
    Filed: December 4, 2020
    Date of Patent: June 20, 2023
    Assignee: SHOPIFY INC.
    Inventors: Marek Kudlacz, Peter James McCracken
  • Patent number: 11677569
    Abstract: A method, system, and apparatus for managing digital certificates, managing a certificate authority (CA), and cross-referencing CA hierarchies. The method includes receiving, by a processor of a CA computing system, at least one of a digital certificate generation request and a digital certificate revocation from a user via a user computing device, the digital certificate generation request including a user public key and a user identity. The method further includes generating a digital certificate for the user and signing the digital certificate with a CA private key, wherein the CA private key is associated with a known CA public key. The method further includes publishing the digital certificate signed with the CA private key to a digital certificate blockchain, determining a certificate status of the digital certificate, and publishing an update to the digital certificate blockchain to reflect the certificate status of the digital certificate.
    Type: Grant
    Filed: November 13, 2020
    Date of Patent: June 13, 2023
    Assignee: Wells Fargo Bank, N.A.
    Inventors: David V. Duccini, Phillip H. Griffin, Jeffrey J. Stapleton
  • Patent number: 11669544
    Abstract: A client can allocate and reassociate unique identifiers to local content items associated with an account at a content management system, and use the unique identifiers to commit operations for the content items on the content management system. For example, a client can create a content item and determine the content item does not have an identifier from the content management system. The client obtains an identifier for the content item and asks the content management system to verify a uniqueness of the identifier. When the identifier is unique, the client adds a node corresponding to the content item to a local tree representing a state at the client of content items associated with the account, and uploads the content item with the identifier to the content management system. When the identifier is not unique, the client obtains a new identifier for the content item.
    Type: Grant
    Filed: August 12, 2020
    Date of Patent: June 6, 2023
    Assignee: Dropbox, Inc.
    Inventors: Isaac Goldberg, John Lai, Sujay Jayakar
  • Patent number: 11671499
    Abstract: Systems and methods of an internet of things device connecting to a remote server. The internet of things device connects to a web target. The web target sends a response to the internet of things device indicating whether a change to the one or more settings of the internet of things device has been received at a cloud server. If a change has occurred, the internet of things device connects to a secure cloud server to update the settings on the internet of things device.
    Type: Grant
    Filed: September 13, 2019
    Date of Patent: June 6, 2023
    Assignee: Spectrum Brands, Inc.
    Inventors: James Creighton Hart, Michael Walker
  • Patent number: 11665532
    Abstract: A method of a wireless private gateway securely obtaining a communication link to another wireless private gateway is provided. The method comprises transmitting a request for a first partial identifier of a relay wireless private gateway by an application executing on a first wireless private gateway to a second wireless private gateway, receiving the first partial identifier, transmitting a request for a second partial identifier of the relay wireless private gateway to a third wireless private gateway, receiving the second partial identifier, concatenating the first partial identifier and the second partial identifier to form a complete identifier of the relay wireless private gateway by the application, and transmitting a request to establish a communication link with the relay wireless private gateway by the application to the relay wireless private gateway, wherein the request to establish the communication link comprises the complete identifier of the relay wireless private gateway.
    Type: Grant
    Filed: January 28, 2022
    Date of Patent: May 30, 2023
    Assignee: T-Mobile Innovations LLC
    Inventors: Lyle W. Paczkowski, David Hufker, George Jason Schnellbacher, Michael David Svoren, Jr.
  • Patent number: 11663521
    Abstract: Described herein are systems and techniques for privacy-preserving unsupervised learning. The disclosed system and methods can enable separate computers, operated by separate entities, to perform unsupervised learning jointly based on a pool of their respective data, while preserving privacy. The system improves efficiency and scalability, while preserving privacy and avoids leaking a cluster identification. The system can jointly compute a secure distance via privacy-preserving multiplication of respective data values x and y from the computers based on a 1-out-of-N oblivious transfer (OT). In various embodiments, N may be 2, 4, or some other number of shares. A first computer can express its data value x in base-N. A second computer can form an ×N matrix comprising random numbers mi,0 and the remaining elements mi,j=(yjNi-mi,0) mod . The first computer can receive an output vector from the OT, having components mi=(yxi Ni-mi,0) mod .
    Type: Grant
    Filed: November 6, 2019
    Date of Patent: May 30, 2023
    Assignee: VISA INTERNATIONAL SERVICE ASSOCIATION
    Inventors: Payman Mohassel, Ni Trieu
  • Patent number: 11659002
    Abstract: Systems and methods for enabling Media Access Control Security (MACsec) at a MAC layer, according to IEEE 802.1AE, and extending MACsec are provided. An edge device, according to one implementation, includes one or more User-to-Network Interface (UNI) ports and a plurality of Network-to-Network Interface (NNI) ports. The edge device also includes a processing device and a memory device configured to store a computer program having instructions. The instructions, when executed, allow the processing device to provide network security on a Media Access Control (MAC) layer, the network security defined by the MAC Security (MACsec) protocol. The instructions also allow the processing device to provide network path protection by enabling packet routing over multiple paths via the plurality of NNI ports on a network layer.
    Type: Grant
    Filed: May 4, 2021
    Date of Patent: May 23, 2023
    Assignee: Ciena Corporation
    Inventors: Hossein Baheri, Manoj Velliangiri, Pramod Kumar Aggarwal
  • Patent number: 11658815
    Abstract: In certain embodiments, shares related to an output of a function having multiple shares of a secret as input may be computed. In some embodiments, with respect to initial key shares of a key that are collectively held by multiple parties, an output of an arithmetic function (performed on an initial key share of the initial key shares) may be received from each of the multiple parties. The outputs from the multiple parties may be provided as input for a Multi-Party Computation (MPC) process, where the MPC process outputs final key shares in connection with the outputs from the multiple parties being provided as input for the MPC process. With respect to each party of the multiple parties, a final key share of the final key shares may be sent to the party.
    Type: Grant
    Filed: August 3, 2020
    Date of Patent: May 23, 2023
    Assignee: Coinbase IL RD Ltd.
    Inventor: Samuel Ranellucci
  • Patent number: 11652607
    Abstract: Features for providing a secure method of symmetric encryption for private smart contracts among multiple parties in a private peer-to-peer network. The features include a master key representing a unique blockchain ledger. The master key may be shared among multiple participants in a private peer-to-peer network. Sharing of the master key may include communicating the master key in an encrypted message (e.g., email) using public key infrastructure (PKI). In some implementations, more complex distribution features may be included such as quantum entanglement. The features support instantiation of a smart contract using a specific master key. The request may be submitted as an entry to the ledger with appropriate metadata and/or payload information for identifying and processing the request.
    Type: Grant
    Filed: July 28, 2020
    Date of Patent: May 16, 2023
    Assignee: Experian Information Solutions, Inc.
    Inventors: Vijay Mehta, Alexander Phan