Abstract: A system performs digital notarization using a biometric identification service. A signature requesting service receives a request to validate a digital item with a signature for a person. The signature requesting service provides a payload that identifies the digital item and/or the person to an identity service. The identity service obtains one or more digital representations of biometrics for the person, determines an identity for the person, and returns a data structure including the payload and one or more identity attestations regarding the determined identity. The identity service encrypts at least a portion of the data structure using a private encryption key. A public encryption key for the identity service can then be used to decrypt the portion to verify that the data structure was generated by the identity service after determining the identity. In this way, validation can be verified to the full trust level of the identification service.

Abstract: A service provider manages access control to multiple services through an authentication system. One or more services are able to fulfill requests at least in part by submitting requests to other services of the service provider. Such a service is able to obtain, from the authentication system, information that can be passed on to one or more other services to enable the one or more other services to determine request validity without having to contact the authentication system. The information may include, for example, one or more responses that the one or more other services would have received had the one or more services contacted the authentication system themselves.

Abstract: An example operation may include one or more of transmitting, from a client application, a proposed storage request to a plurality of endorser nodes of a blockchain, receiving a first endorsement of the storage request from a first endorser node, the first endorsement comprising a full-step hash verification of the proposed storage request, receiving a second endorsement of the storage request from a second endorser node, the second endorsement comprising a reduced-step hash verification of the storage request, and transmitting a storage proposal including the full-step hash endorsement and the reduced-step hash endorsement to an ordering node of the blockchain.

Abstract: This application provides an authentication credential protection method and system. The protection method includes the following steps: generating authentication secret information based on a lock screen password and hardware secret information of a first device; randomly generating, by the first device, a symmetric key, and using the symmetric key as an encryption key for the authentication secret information; splitting the encryption key into at least two first key segments by using a multi-party data splitting algorithm, where one of the at least two first key segments is stored on the first device; and sending, by the first device, another first key segment to a trusted device. In the foregoing technical solution, the authentication secret information is generated by using the lock screen password and the hardware secret information, increasing information complexity. In addition, different trusted devices are used to store the split key segments, improving security of the encryption key.

Abstract: A computer-implemented method and system for managing digital evidence using a blockchain (12). The method comprises receiving an evidence data file (5), the evidence data file (5) being identified by: an evidence identifier, and a hash code computed from the evidence data file (5); generating a block (11) for the blockchain (12) by combining data indicative of: a hash of a previous block (13) in the blockchain (12), the evidence identifier, and the hash code computed from the evidence data file (5); and storing the generated block (11) as a new block in the blockchain (12), wherein the method further comprises: outputting at least part of the data in the blockchain (12) in response to a user request to enable a user to verify the authenticity of the evidence data file (5) using the data in the blockchain (12).

Abstract: An information processing apparatus includes a processor configured to use authentication information of a first user who is registered in plural electronic signature services and uses the electronic signature services, to acquire at least one of contract information regarding a contract using each electronic signature service or service information, from each electronic signature service, the authentication information being provided for each of the electronic signature services and used for using the electronic signature service, and the service information being information regarding each electronic signature service, display a check screen in association with the acquired at least one of the contract information or the service information and the electronic signature service as an acquisition source, the check screen being used for checking the plural electronic signature services, and receive selection of the electronic signature service used by the first user on the check screen.

Abstract: A computer-implemented method, comprising: dividing a first binary image into a plurality of variable-sized chunks, wherein the first binary image is an aggregate of a plurality of files, and wherein the dividing does not depend on file boundaries; and computing hashes of the variable-sized chunks, and storing the hashes in a content addressable storage (CAS) with the hashes as keys.

Abstract: Systems for authenticating a file are disclosed. A system may include one or more physical devices. The one or more physical devices may select, based on an identifier, a subset of data segments of a computer file for generating a first digest with a cryptographic function. The one or more physical devices may also execute the cryptographic function on the selected subset of data segments of the computer file to generate the first digest. Further, the one or more physical devices may generate an authenticator based on the first digest and a private key. The one or more physical devices may further send the computer file, the identifier, and the authenticator to a secure node. Associated methods and non-transitory machine-readable medium are also disclosed.

Abstract: An example operation may include one or more of receiving, from a blockchain peer node, a sequence of blocks stored in a hash-linked chain of blocks on a distributed ledger, where each block in the sequence of blocks includes a reduced-step hash of block content from a previous block in the sequence, performing an approximate hash verification on the reduced-step hashes stored among the sequence of blocks, and determining whether the sequence of blocks has been tampered with based on the approximate hash verification on the reduced-step hashes.

Abstract: A method for increasing validity of digital signatures comprising: receiving a request from a browser to have a user apply a digital signature to a document; verifying that the document complies with a predefined ruleset (e.g., prescribing font colors); presenting the user with the document on a user-computer interface in such a way that the document's entire content is completely reviewable by the user only if the document complies with the predefined ruleset; upon receiving instruction from the user to sign the document, generating a digital signature according to Advanced Encryption Standard (AES) public key infrastructure (PKI) that protects the document in its entirety, as presented to the user in the previous step; enabling the user to perform one or more of printing, sharing, and saving the digitally-signed document in a memory store; and sending the digitally-signed document with the newly-generated signature to the browser.

Abstract: Methods and systems for detecting false base stations are provided. A computing device transmits a request for a verification message to a base station. An encrypted verification message comprising a base station identifier and a signature encrypted using an encryption key associated with the base station is received by the computing device. The computing device decrypts the signature included in the encrypted verification message utilizing a decryption key associated with the computer system. Based on the decrypted signature, the computing device determines that the encryption key does not correspond to the decryption key. Based on determining that the encryption key does not correspond to the decryption key, the computing device stores the base station identifier in a data store in association with a false base station indicator.

Abstract: System and methods for key printing may include a control panel operable to receive a mobile device identifier from a mobile device. A property management system in communication with the control panel may assign or allocate a room in a hotel to a guest. A lock server may be in communication with the property management system, the lock server may create a digital key. A virtual encoder may be in communication with the property management system and the lock server, the virtual encoder may transmit a room number, lock information, authorized zones, a start time, an expiration, and the digital key to the mobile device. A key printer may receive the digital key from the mobile device, authenticate the mobile device, and print a physical key based on the received digital key.

Abstract: Method for calculating a modifier code of a file, the method comprising the following steps: a) establishing a list of possible modifier codes; b) establishing a list of a plurality of possible mixer numbers; c) for each modifier code: i) creating a list of hashes of the file; ii) for each mixer number, calculating the hash of the file mixed and modified by the modifier code, the modification of the file being performed using the same modification function; iii) adding each hash calculated in step ii) to the list of hashes of the file; iv) counting the number of different elements N of the list of hashes; v) memorizing this number N, as well as the associated modifier code, if N is the first to be counted or is greater than the number N previously memorized; and d) returning the last modifier code memorized.

Abstract: Systems, apparatuses, methods, and computer program products are disclosed for authenticating handwriting on paper-based documents. An example method includes receiving, by an embedded chip device, handwriting information from a signature device in communication with the embedded chip device. The example method further includes transmitting, by the embedded chip device, document identification information to the signature device. The example method further includes receiving, by the embedded chip device, authentication information from the signature device. Subsequently, the example method includes storing, by the embedded chip device, the handwriting information and the authentication information as handwriting authentication metadata in association with the document identification information.

Abstract: A method of facilitating a match between an employer with at least one job opening and job seekers is provided. The employer has a set of position preferences related to the job opening. The job seekers have suitability data, resumes, etc., that are provided to the employer. The suitability data includes normalized assessment data. The method includes the steps of: determining a position quotient based on the position preferences; deriving a performance quotient for each job seeker; comparing each the performance quotient to the position quotient; and ranking each the job seeker based on the comparison of the performance quotient to the position quotient.

Abstract: The present disclosure relates to pre-processing of files to better prepare them for the process of comparing fingerprints of fragments of fixed size N from these files to other files that contain similar information but may be structured differently. The pre-processing method and system are applied to files with known protected data before fingerprints of some of the N-fragments from these files are added to the digital fingerprint library and to the unknown files before the fingerprints of some of their N-fragments are compared to the fingerprints of other N-fragments of data stored in the digital fingerprint library.

Abstract: The present invention provides a method for signing and submitting an electronic document by performing a single action in relation to a visual indicium, reducing the number of interactions that a signer needs to carry out to create and submit a digitally signed electronic document. The invention involves four parties: a server system, an auxiliary client system, a client system, and a recipient system. The server system stores the electronic document and facilitates its creation and submission processes. The auxiliary client system obtains the electronic document from the server system and displays the electronic document along with a visual indicium. Subsequently, the client system displays a single action for the signer to perform on the indicium in order to set in motion the signing process and submit the digitally signed electronic document to the recipient system.

Abstract: A method for verification at a computing device of a signed message received from a first party over a public communications channel, the method including extracting a message digest “a” belonging to a semigroup from the signed message; obtaining a public key [c,e] for the first party, including a fixed value checker “c” and an endpoint “e”, checker “c” and endpoint “e” belonging to the semigroup and the endpoint comprising a multiplication of a private key “b” for the first party and the checker “c”, multiplying the message digest “a” and the endpoint “e” to create an endmatter “ae”; extracting a signature “d” from the signed message, the signature “d” belonging to the semigroup and being a multiplication of message digest “a” and private key “b”; multiplying the signature “d” and the checker “c” to create a signcheck “dc”; and verifying that the endmatter “ae” matches the signcheck “dc”.

Abstract: A signing system for validating stateful hash-based digital signatures includes a signing device, a logging device and a verifying device, wherein each signing device is configured to receive data, generate a hash-based digital signature including a one-time signature, generate a one-time public key, send the generated one-time public key, send the hash-based digital signature, the verifying device is configured to generate a validation one-time public key, send the validation one-time public key, and the logging device is configured to store the generated one-time public key, receive a validation one-time public key, compare the validation one-time public key with all one-time public keys, provide a validation feedback signal, if the validation one-time public key coincides with exactly one stored one-time private key, and provide a warning feedback signal, if the validation one-time public key does not coincide with exactly one stored one-time private key.

Abstract: A system configures, executes, and monitors document workflows executing using workflow engines executing on cloud platforms. The system generates a platform independent document workflow specification that describes a document workflow configured for execution on any of a plurality of workflow engines, each workflow engine executing on a cloud platform. The system compiles the platform independent document workflow specification to generate a platform specific document workflow specification configured for execution on a target workflow engine executing on a target cloud platform. A document workflow orchestration runtime executes and monitors the execution of the platform specific document workflow specification.

Abstract: It is provided a method for configuring a target device. The method comprises the steps of: transmitting a configuration request message to the target device, the configuration request message comprising a configuration request and a request signature, wherein the request signature is based on the configuration request; receiving a configuration response message from the target device, the configuration response message comprising a configuration response and a response signature, wherein the response signature is based on the configuration response and the request signature; verifying the response signature to determine whether the configuration response message is valid, based on the configuration response, the request signature and a public key for the target device; and transmitting a configuration commit message to the target device only when the configuration response message is valid, the configuration commit message comprising a configuration commit indicator and a commit signature.

Abstract: A hardware detection method includes sending first verification data to a physical carrier, where the physical carrier carries a plurality of pieces of hardware; receiving a ciphertext and binding relationship information from the physical carrier, where the ciphertext is obtained after at least two of the pieces of hardware respectively encrypt the first verification data using respective keys, and where the binding relationship information indicates a binding relationship between the at least two pieces of hardware; verifying the ciphertext and the binding relationship information; and determining security of the at least two pieces of hardware based on a verification result.

Abstract: Technologies for secure collective authorization include multiple computing devices in communication over a network. A computing device may perform a join protocol with a group leader to receive a group private key that is associated with an interface implemented by the computing device. The interface may be an instance of an object model implemented by the computing device or membership of the computing device in a subsystem. The computing device receives a request for attestation to the interface, selects the group private key for the interface, and sends an attestation in response to the request. Another computing device may receive the attestation and verify the attestation with a group public key corresponding to the group private key. The group private key may be an enhanced privacy identifier (EPID) private key, and the group public key may be an EPID public key. Other embodiments are described and claimed.

Abstract: A digital signature terminal device and a secure communication method are provided. The digital signature terminal includes a first module and a second module. The first module includes a communication component configured to communicate with outside and includes a central unit. The central unit includes a memory configured to store data received by the communication component. The central unit is configured to receive an operation from a user, and is controlled, in response to the operation from the user, to be simultaneously connected to the second module and disconnected from the communication component or to be simultaneously disconnected from the second module and connected to the communication component. The second module includes a signature component configured to generate a digital signature for the data, and the second module is configured to send the digital signature to the memory.

Abstract: A service providing system providing services to a plurality of users includes a transmitting unit configured to transmit, to a user terminal of each user, an authentication request requesting authentication for executing a predetermined process, a receiving unit configured to receive, from the user terminal of each user, an authentication response affixed with a user signature, and an executing unit configured to execute the predetermined process with respect to each user upon successful signature verification for all the plurality of users.

Abstract: Embodiments of the invention provide enhanced security solutions which are enforced through the use of cryptographic techniques. It is suited for, but not limited to, use with blockchain technologies such as the Bitcoin blockchain. Methods and devices for generating an elliptic curve digital signature algorithm signature (r, w) are described.

Abstract: The server system transmits, from a virtualized third-party application to a client device, an instruction to open a media resource from a content distribution network, the media resource comprising a plurality of video segments, each video segment of the plurality of video segments having video segment data and metadata. The server system receives, from the client device, first metadata for a first video segment of the plurality of video segments, without receiving first video segment data for the first video segment. The server system generates a recreated representation of the first video segment using the first metadata. The virtualized third-party application generates a transformed version of the recreated representation of the first video segment. The server system transmits, to the client device, an instruction to play the first video segment, wherein the instruction is based on the transformed version of the recreated representation of the first video segment.

Abstract: A physically unclonable function (PUF) device comprises a plurality of conductors, at least some of which are arranged so that they interact electrically and/or magnetically with one another. A media surrounds at least a portion of each of the conductors and a plurality of temperature compensation particles are arranged throughout the media, where the temperature compensation particles have a temperature coefficient selected such that they compensate for temperature-related effects in the PUF device by making the permittivity and/or permeability of the media substantially temperature independent. Circuitry applies an electrical challenge signal to at least one or the conductors and receives an electrical output from at least one of the other conductors to generate an identifying response to the challenge signal that is unique to the device.

Abstract: A method includes: receiving, by a processor set, a cloud architecture document; converting, by the processor set, the cloud architecture document to a graph including nodes; determining, by the processor set, cloud environment information for the nodes by analyzing textual content of the nodes using natural language processing; determining, by the processor set, additional cloud environment information for the nodes using domain ontology data; and creating, by the processor set, an Infrastructure as Code (IaC) document based on the cloud environment information and the additional cloud environment information.

Abstract: Systems and methods are described for implementing communication of data between a group of users in a communication system. In one implementation, a plurality of quorum portions of a private group signing key are generated and provided to each of a plurality of devices of the group of users, wherein a group digital signature is reconstructed from a predetermined minimum number of encrypted portions of the group digital signature, each generated by a respective device of the group of users using a corresponding quorum portion of the private group signing key. Each user device may digitally sign group output data using a respective private group signing key portion. A reconstructed group digital signature may be verified using a corresponding public group signing key. Other embodiments are also described and claimed.

Abstract: An example operation may include one or more of storing a full-step hash of a data file and a reduced-step hash of the data file within a data block of a hash-linked chain of blocks of a blockchain, receiving a request from a client application to verify the data file, determining whether to provide the full-step hash of the data file or the reduced-step hash of the data file based on the request, and in response to determining to provide the reduced-hash, transmitting the reduced-step hash of the data file to the client application.

Abstract: Systems and techniques are provided for a resource transfer system. An instruction to transfer a first quantity of a resource from a first resource pool to a second resource pool may be received. A hold may be placed on a second quantity of the resource in the first resource pool. The held second quantity of the first resource may not be transferred from the first resource pool until the hold is released. Responsive to receiving a message that fulfills a condition on the hold and an instruction to execute the transfer, the hold may be released. A register that is in the first resource pool and is associated with the resource may decremented by the first quantity, and a register that is in the second resource pool and is associated with the resource may be incremented by the first quantity.

Abstract: A method for key agreement between a first party and a second party over a public communications channel, the method including selecting, by the first party, a first value “a”; multiplying the first value “a” by a second value “b” using Knuth multiplication to create a third value “d”, the third value “d” being a semistandard tableau; sending the third value “d” to the second party; receiving, from the second party, a fourth value “e”, the fourth value being a second semistandard tableau comprising the second value “b” multiplied by a fifth value “c” selected by the second party; and creating a shared secret by multiplying the first value “a” with the fourth value “e” using Knuth multiplication, wherein the shared secret matches the third value “d” multiplied by the fifth value “c” using Knuth multiplication.

Abstract: A secure network navigation system includes a secure network portal and a site-to-site authenticator. The secure network portal includes a network authenticator to authenticate a user's browser connection to access content at a first site on the secure network. The site-to-site authenticator creates an object that authenticates the user's browser connection, creates a transfer URL by which the user is to access content on a second site of the plural network sites on the secure network. The transfer URL includes values exported from the created object and a unique transfer token. The site-to-site authenticator then transfers the user's browser connection to an address corresponding to the transfer URL. The secure navigation from the first site to the other site on the secure network is transparent to the user.

Abstract: An analysis function imparting device according to the present invention includes processing circuitry configured to execute a script engine while monitoring the script engine to acquire an execution trace including an application programming interface (API) trace and a branch trace, analyze the execution trace, and detect a hook point that is a location to which a hook is applied and a code for analysis is inserted, detect, based on monitoring at the hook point, a tap point that is a memory monitoring location at which the code for analysis outputs a log, and apply a hook to the script engine to impart an analysis function to the script engine based on the hook point and the tap point.

Abstract: A key updater for a first party operating on a network generates a mutually distilled key for communication between the first party and a second party. The key updater determines a set of verifying parties operating on the network needed to authenticate the mutually distilled key, wherein each verifying party of the set of verifying parties operates on the network. The key updater iteratively executes a key equivalency test for each verifying party in the set of verifying parties to determine a nonce sum until the key equivalency test has been executed for each of the verifying parties in the set of verifying parties or until it is determined that at least one node on the network has been compromised. The key updater generates a final key for communication between the first party and the second party based on the nonce sum and the mutually distilled key.

Abstract: A system for enhanced public key infrastructure is provided. The system includes a computer device. The computer device is programmed to receive a digital certificate including a composite signature field including a plurality of signatures. The plurality of signatures include at least a first signature and a second signature. The computer device is also programmed to retrieve, from the digital certificate, a first key associated with the first signature from the digital certificate. The computer device is further programmed to retrieve the first signature from the composite signature field. In addition, the at least one computer device is programmed to validate the first signature using the first key.

Abstract: A method for verification at a computing device of a signed message received from a first party over a public communications channel, the method including extracting a message digest “a” belonging to a semigroup from the signed message; obtaining a public key [c,e] for the first party, including a fixed value checker “c” and an endpoint “e”, checker “c” and endpoint “e” belonging to the semigroup and the endpoint comprising a multiplication of a private key “b” for the first party and the checker “c”, multiplying the message digest “a” and the endpoint “e” to create an endmatter “ae”; extracting a signature “d” from the signed message, the signature “d” belonging to the semigroup and being a multiplication of message digest “a” and private key “b”; multiplying the signature “d” and the checker “c” to create a signcheck “dc”; and verifying that the endmatter “ae” matches the signcheck “dc”.

Abstract: A system and method for automatic identification of photocopied documents is disclosed wherein the method is performed by capturing an image of a marked printed document; decoding a digital watermark embedded in the image, obtaining a mark identifier; recovering, by searching a database, at least one calibration parameter associated with the mark identifier; applying a discrete Fourier transform to the image, obtaining a frequency matrix; obtaining at least one maximum frequency value in the frequency matrix; comparing the at least one maximum frequency value with at least one calibration parameter; determining, on the basis of the comparison, if the marked printed document is an original document or a photocopied document.

Abstract: Software and system settings can be migrated between computing environments. In one example, a system can receive a group of software identification modules defining a group of software fingerprints for detecting a group of software components. Each software identification module can include a respective software fingerprint for detecting a respective software component. The system can determine that a source computing environment includes one or more software components from within the group of software components by analyzing the source computing environment using each respective software fingerprint in the group of software fingerprints. The system may then deploy the one or more software components in a target computing environment.

Abstract: This disclosure relates generally to techniques for encrypting and decrypting data and to systems that encrypt and/or decrypt data to maintain secrecy associated with such data as the data is transmitted from a source to one or more recipients. More specifically, this disclosure relates to techniques for encrypting and decrypting standalone data packages (e.g., user datagram protocol (UDP) data packages, etc.) and to systems that encrypt and/or decrypt standalone data packages. Even more specifically, encryption techniques are disclosed that employ scrambled headers and payloads that are uniquely encrypted from package to package.

Abstract: A digital asset security device, includes an asset capture unit configured to electronically capture a digital asset, a processor configured to digitally sign the captured asset, a memory configured to store a digitally signed asset from the processor, and a hashing module in communication the asset capture unit, the processor, and the memory, and configured to provide a cryptographic hash to one or more of the captured asset and the digitally signed asset.

Abstract: An image processing device includes: a recognition unit configured to recognize a part of a confidential target from a captured image; a processing unit configured to process the captured image such that the part recognized by the recognition unit is concealed; an encryption unit configured to encrypt data relating to the part recognized by the recognition unit; and a merging unit configured to merge data of the image processed by the processing unit and the data encrypted by the encryption unit.

Abstract: A method including configuring a security device to store, in a database, a trusted fingerprint determined based at least in part on encrypting trusted connection information included in a trusted transmission packet received from a trusted source application; configuring the security device to determine a current fingerprint based at least in part on encrypting current connection information included in a current transmission packet received from a current source application; configuring the security device to compare the current fingerprint with the trusted fingerprint; and configuring the security device to process the current transmission packet based at least in part on a result of comparing the current fingerprint with the trusted fingerprint. Various other aspects are contemplated.

Abstract: An example operation may include one or more of connecting, by a smart note, to a blockchain configured to store Bitcoins (BTCs) of a user on a ledger, displaying, by the smart note, a value of a BTC read from the ledger on a display screen located on the smart note, detecting, by the smart note, a press of a button located on the smart note, generating, by the smart note, a BTC address pair in response to the detecting of the press of the button, checking, by the smart note, if a private key associated with the smart note has been used, in response to a confirmation that the private key has not been used, generating and displaying, by the smart note, a trusted symbol indicating to the user of the smart note that the private key has not been used, and transferring, by the smart note, the value of the BTC to the blockchain using the private key associated with the smart note.

Abstract: A microprocessor device comprising an implementation of a cryptographic operation constructed to process parameters and generate an output, wherein at least some of the parameters are obfuscated such that the cryptographic operation processes the obfuscated parameters, wherein the parameters which are obfuscated are obfuscated in that they are encrypted according to an additive homomorphic cryptographic system.

Abstract: A symmetric cryptography for encrypting and decrypting information is provided, that can be implemented efficiently in hardware or in software. The symmetric cryptography uses a key generator, so that the cryptography is not dependent on a single, static cryptography key. The key generator is a value or collection of values from which the key is generated. In some embodiments, the key generator substantially increases the computational complexity of differential cryptanalysis and other cryptographic attacks because it has more entropy than the key(s). In an embodiment, the key generator is updated with one-way functions exhibiting the avalanche effect, which generates an unpredictable sequence of keys used during the encryption or decryption process. In an embodiment, a dynamic key is derived from a key generator with a one-way function. In an embodiment, a block cipher uses a different dynamic key to encrypt each block of plaintext, where each key is derived from a different key generator.

Abstract: The present disclosure describes a system, method, and computer program for syncing content across workspace pages. The system creates a first synced block on a first workspace page. Content on workspace pages rendered by the system is stored in blocks and each of the workspace pages has a hierarchy of blocks. The system adds one or more child blocks to the first synced block as content to be synced. The system creates a reference synced block on a second workspace page and adds a pointer to the reference synced block that points to the first synced block. This is done in order to sync the one or more child blocks of the first synced block across the first and second workspace pages, where editing the first synced block or the reference synced block includes editing the one or more child blocks of the first synced block.

Abstract: Aspects of the present disclosure relate to encrypted data processing (EDAP). A processor includes a register file configured to store ciphertext data, an instruction fetch and decode unit configured to fetch and decode instructions, and a functional unit configured to process the stored ciphertext data. The functional unit further includes a decryption module configured to decrypt ciphertext data from the register file to receive cleartext data using an encryption key stored within the functional unit. The functional unit further includes a local buffer configured to store the cleartext data. The functional unit further includes an arithmetic logical unit configured to generate cleartext computation results using the cleartext data The functional unit further includes an encryption module configured to encrypt the cleartext computation results to generate ciphertext computation results for storage back into the register file.

Abstract: It is provided a method for managing central secret keys of a plurality of user devices associated with a single public key. The method is performed in a key manager and comprises the steps of: receiving, from a first user device, transformation data and an identifier of a second user device; obtaining a first central secret key associated with the first user device; generating a second central secret key by applying the transformation data to the first central secret key, wherein the transformation data is applied in reverse to how the same transformation data is applied by the first user device to a device secret key of the first user device; and storing the second central secret key in association with the second user device.