Data Processing Protection Using Cryptography Patents (Class 713/189)
-
Patent number: 12149640
Abstract: An authentication system for authenticating an authentication-target apparatus by transmitting challenge data from an authenticating apparatus to the authentication-target apparatus and transmitting response data from the authentication-target apparatus to the authenticating apparatus. The authentication-target apparatus updates a secret key and an encrypted original key stored in a memory using a new secret key and a new encrypted original key, derives an authentication key based on an original key, and generates the response data based on a challenge data received from the authenticating apparatus and the authentication key. The authentication apparatus derives an authentication key based on identification information of the authentication-target apparatus and an authentication original key, generates response data for verification based on the challenge data and the authentication key, and obtains an authentication result.
Type: Grant
Filed: April 29, 2022
Date of Patent: November 19, 2024
Assignee: CANON KABUSHIKI KAISHA
Inventor: Kenjiro Hori
-
Patent number: 12149607
Abstract: Mechanisms are provided for fully homomorphic encryption enabled graph embedding. An encrypted graph data structure, having encrypted entities and predicates, is received and, for each encrypted entity, a corresponding set of entity ciphertexts is generated based on an initial embedding of entity features. For each encrypted predicate, a corresponding predicate ciphertext is generated based on an initial embedding of predicate features. A machine learning process is iteratively executed, on the sets of entity ciphertexts and the predicate ciphertexts, to update embeddings of the entity features of the encrypted entities and update embeddings of predicate features of the encrypted predicates, to generate a computer model for embedding entities and predicates. A final embedding is output based on the updated embeddings of the entity features and predicate features of the computer model.
Type: Grant
Filed: October 10, 2022
Date of Patent: November 19, 2024
Assignee: International Business Machines Corporation
Inventors: Allon Adir, Ramy Masalha, Eyal Kushnir, Omri Soceanu, Ehud Aharoni, Nir Drucker, Guy Moshkowich
-
Patent number: 12141248
Abstract: A method is disclosed. The method includes receiving, by a user device, an encrypted message from a server computer. The encrypted message is a message encrypted with a master secret key or a key derived from the master secret key. The user device signs the encrypted message with a secure element private key. The user device, using a whitebox, cryptographically recovers a secure element public key from a certified key using a server computer public key. The certified key is certified by the server computer and based on at least the secure element public key. The user device, using the whitebox, cryptographically recovers the encrypted message from the signed encrypted message using the secure element public key. The user device, using the whitebox, decrypts the encrypted message using the master secret key or the key derived from the master secret key in the whitebox to obtain the message.
Type: Grant
Filed: May 14, 2021
Date of Patent: November 12, 2024
Assignee: Visa International Service Association
Inventors: Shashank Agrawal, Estuardo Alpirez Bock, Yilei Chen, Gaven James Watson
-
Patent number: 12142053
Abstract: This invention relates to a self-supervised privacy preservation action recognition system leveraging a learnable transformation anonymization function. The system is designed to process videos by removing spatial cues to protect privacy while retaining critical information for action recognition. The anonymization function, based on an encoder-decoder model, undergoes iterative training on a dataset to optimize the balance between obscuring privacy-sensitive information and preserving capability of recognizing actions. This training involves freezing and adjusting the weights of an action recognition branch and a self-supervised privacy removal branch to refine the model's effectiveness. The outcome is an anonymized video with minimized privacy information leakage, suitable for action analysis without privacy labels.
Type: Grant
Filed: March 29, 2024
Date of Patent: November 12, 2024
Assignee: University of Central Florida Research Foundation, Inc.
Inventors: Ishan Rajendrakumar Dave, Chen Chen, Mubarak Shah
-
Patent number: 12143366
Abstract: The invention is a method of use for a VPN, customized via programming, that controls access without requiring any personal user information, and conveys only files encrypted using Diffie-Hellman AES-256-GCM encryption processes. Conveyed files are stored only in encrypted form and can only be displayed in real time by a user, and once viewed, only the encrypted file remains. The method also includes a means of end-to-end file deletion that leaves no remnants of the deleted file behind.
Type: Grant
Filed: August 26, 2022
Date of Patent: November 12, 2024
Inventors: Tariq Tony Ghanma, Alexandru Lazarovici, Fawad Ahsan
-
Patent number: 12143149
Abstract: The present invention is proposed to solve the above problems and is directed to providing a UWB system comprising: a memory in which a UWB ranging factor definition program is embedded; and a processor which executes the program, wherein the processor predefines UWB ranging factors to define an encryption key in consideration of a unique m-byte key characteristic for each set of a vehicle and a device.
Type: Grant
Filed: December 28, 2022
Date of Patent: November 12, 2024
Assignee: HYUNDAI MOBIS CO., LTD.
Inventor: Jong Chul Lim
-
Patent number: 12143481
Abstract: Systems and methods for key generation between a first user computing device and a second user computing device without requiring direct communication during key generation. The method using a plurality of third-party providers and a first private table and a second private table. The method including: performing by the second user computing device: receiving indexes each associated with a value in the second private table, each index received from the respective third-party provider sharing those values, each index associated with a value that matches an indexed value in the first private table received by the respective third-party provider from the first user computing device; and generating a common key by combining the indexed values of the second private table.
Type: Grant
Filed: October 13, 2021
Date of Patent: November 12, 2024
Assignee: THE GOVERNING COUNCIL OF THE UNIVERSITY OF TORONTO
Inventors: Hoi-Kwong Lo, Mattia Montagna
-
Patent number: 12137158
Abstract: Systems and methods for cryptography based on 128 bit integers include: receiving a complex input, the input including a 128-bit number; encrypting by: setting an imaginary part of the input to a predetermined value; encrypting the input using a Fourier transform and a scaling factor; adding a first noise and a second noise to the encrypted input, wherein the second noise obfuscates the first noise; and decrypting by: receiving the encrypted input with added first noise and second noise; estimating a standard deviation of the first noise based on an imaginary part of the received encrypted complex input; computing a standard deviation of the second noise based on the standard deviation of the first noise and a predetermined parameter; and decrypting the encrypted message using an inverse Fourier transform, the first noise, and the second noise.
Type: Grant
Filed: May 6, 2022
Date of Patent: November 5, 2024
Assignee: Duality Technologies, Inc.
Inventors: Yuriy Polyakov, Yuval Harness
-
Patent number: 12135811
Abstract: Encrypted information retrieval can include generating a database that is partitioned into shards each having a shard identifier, and database entries in each shard that are partitioned into buckets having a bucket identifier. A batch of client-encrypted queries are received. The batch of client-encrypted queries are processed using a set of server-encrypted data stored in a database. The processing includes grouping the client-encrypted queries according to shard identifiers of the client-encrypted queries, executing multiple queries in the group of client-encrypted queries for the shard together in a batch execution process, and generating multiple server-encrypted results to the multiple queries in the group of client-encrypted queries. The multiple server-encrypted results for each shard are transmitted to the client device.
Type: Grant
Filed: June 14, 2022
Date of Patent: November 5, 2024
Assignee: Google LLC
Inventors: Eli Simon Fox-Epstein, Kevin Wei Li Yeo, Sarvar Patel, Raimundo Mirisola, Craig William Wright
-
Patent number: 12131319
Abstract: Systems, methods and devices for validating and performing operations on homomorphically encrypted data are described herein. The methods include securely transmitting and extracting information from encrypted data without fully decrypting the data. A data request may include an encrypted portion including a set of confidential data. One or more sets of encrypted comparison data may be then retrieved from a database in response to the data request. The encrypted set of confidential data from the data request is then compared with each set of encrypted comparison data using one or more homomorphic operations to determine which set of encrypted comparison data matches the encrypted set of confidential data. If there is a match, this validates the set of confidential data. An encrypted indicator is then generated indicating success or failure in validating the set of confidential data, which may then be forwarded to a party associated with the data request.
Type: Grant
Filed: January 8, 2022
Date of Patent: October 29, 2024
Assignee: Lorica Cybersecurity Inc.
Inventors: Glenn Gulak, Alhassan Khedr
-
Patent number: 12126740
Abstract: Systems and methods for providing authentication and secure cryptographic communication between a client and server are described. The client includes an addressable array of PUF devices. The client receives or generates a set of instructions usable to determine a range of PUF addresses. The client measures the PUF addresses and generates a first set of responses. The responses are used to encrypt a session key, which is stored, along with the instructions and a hash of the responses, at the client. Later, the client may recover the session key by using the instructions to measure the PUF again, resulting in a second set of responses. Using a response-based cryptography search engine, the client may then iteratively modify and hash the second set of responses until a response set is uncovered that matches the first response set. This modified response set may then be used to uncover the session key.
Type: Grant
Filed: June 25, 2022
Date of Patent: October 22, 2024
Assignees: ARIZONA BOARD OF REGENTS ON BEHALF OF NORTHERN ARIZONA UNIVERSITY, GOVERNMENT OF THE UNITED STATES OF AMERICA, AS REPRESENTED BY THE SECRETARY OF THE AIR FORCE
Inventors: Bertrand F. Cambou, Sareh Assiri, Christopher Robert Philabaum, H. Shelton Jacinto
-
Patent number: 12127076
Abstract: One variation of a method for assisting execution of manual protocols at production equipment includes: identifying a site occupied by a mobile device based on a geospatial location of a device; identifying a space within the building occupied by the device based on identifiers of a set of wireless access points wirelessly accessible to the device and known locations of wireless access points within the building; loading a protocol associated with an equipment unit in the space; calculating a position of the device within the space based on positions of optical features, detected in a field of view of an optical sensor at the device, relative to reference features represented in a space model of the space; and, when the position of the device falls within a threshold distance of a reference location proximal the equipment unit defined in a step of the procedure, rendering guidance for the step.
Type: Grant
Filed: November 10, 2022
Date of Patent: October 22, 2024
Assignee: Apprentice FS, Inc.
Inventors: Frank Maggiore, Angelo Stracquatanio, Nabil Hajj Chehade
-
Patent number: 12119058
Abstract: Leveraging stochastic physical characteristics of resistive switching devices to generate data having very low cross correlation among bits of that data is disclosed. Data generated from stochastic physical characteristics can also be referred to as physical unclonable feature—or function—(PUF) data. Additionally, error correction functions for PUF data generated from resistive switching memory cells are provided. The error correction functions facilitate additional redundancy and longevity of PUF data, among other benefits. Different embodiments include addressing arrangements to incorporate ECC parity bits among generated PUF data bits, even for differential PUF bits respectively defined by multiple memory cells in different portions of a resistive memory array.
Type: Grant
Filed: March 30, 2022
Date of Patent: October 15, 2024
Assignee: Crossbar, Inc.
Inventor: Mehdi Asnaashari
-
Patent number: 12120216
Abstract: Methods and systems for secure validation of a machine learning model can facilitate encryption of a machine learning model and evaluating the performance of the model. Validation data can be encrypted and processed by the machine learning model so that results of the model's processing can be received and evaluated to evaluate how the machine learning model functioned.
Type: Grant
Filed: May 18, 2022
Date of Patent: October 15, 2024
Assignee: Unify Patente GmbH & Co. KG
Inventor: Michael Brochonski
-
Patent number: 12113914
Abstract: Systems and methods for a bifurcated self-executing program that wraps a first self-executing program (e.g., a first smart contract) on a blockchain within a second self-executing program (e.g., a second smart contract), in which the second self-executing program enforces the digital signature requirement. The bifurcated self-executing program comprises a single compiled self-executing program that combines the first self-executing program and the second self-executing program.
Type: Grant
Filed: September 12, 2023
Date of Patent: October 8, 2024
Assignee: Citibank, N.A.
Inventors: Shishir Singh, Jonathan Miles Collin Rosenoer, Andres Wolberg-Stok, Biser Dimitrov
-
Patent number: 12107973
Abstract: Systems and methods of improving public key infrastructure using PUF arrays are disclosed. The systems and methods are usable to improve PKI based on Lattice and Code cryptography. In the disclosed system, a client device includes an enrolled PUF array, and a server device acting as a Certification Authority includes an image of the PUF array including previously measured responses data for the devices in the PUF array. The CA sends a set of addresses to the client device, which generates a public key from measuring the response of PUF devices with the addresses. The CA receives the generated public key, and determines that the enrolled PUF was used to generate the key.
Type: Grant
Filed: November 10, 2021
Date of Patent: October 1, 2024
Assignee: ARIZONA BOARD OF REGENTS ON BEHALF OF NORTHERN ARIZONA UNIVERSITY
Inventors: Bertrand F Cambou, Michael Gowanlock, Bahattin Yildiz, Dina Ghanaimiandoab, Kaitlyn Lee, Stefan W Nelson, Christopher Philabaum, Alyssa J Stenberg, Jordan A Wright
-
Patent number: 12105810
Abstract: A data poisoning method and a data poisoning apparatus are provided. In the method, a training dataset and a validation dataset are retrieved. A perturbation is randomly initiated and added to data in the training dataset to generate poisoned training data. Values of multiple kernel functions of the poisoned training data and the validation dataset are computed by using kernel functions in a Gaussian process, and used to compute a mean of the Gaussian process on the validation dataset. A loss between the mean and the data in the validation dataset is computed by using a loss function of the Gaussian process, and used to generate an objective function that maximizes the loss. The objective function is solved to compute the perturbation that can maximize the loss.
Type: Grant
Filed: March 28, 2022
Date of Patent: October 1, 2024
Assignee: National Tsing Hua University
Inventors: Shan-Hung Wu, Chia-Hung Yuan
-
Patent number: 12101333
Abstract: A method of facilitating generation of a verifiable and immutable record. The method comprises, at a user device, obtaining a data file, generating an audit file for the data file, and separately hashing the data file and the audit file. The method further comprises storing the data file, the audit file and the hash values in a secure memory location, access to which is controlled, and preventing changes to the stored data by a user. When access is available to a remote server system, the stored data is sent to the remote server system and, in response, a notification received over confirming that the remote server system has verified the data file and the audit file and has created an immutable record of both. The user is then permitted to change the stored data file and/or audit file in the secure memory location.
Type: Grant
Filed: September 5, 2023
Date of Patent: September 24, 2024
Assignee: Issured Limited
Inventors: Jeddiah Stone, Andrew Evans, Jonathan Empson
-
Patent number: 12095917
Abstract: An approach is provided for distributing a root key to a hardware security module (HSM) of an HSM cluster. A signed first command is transmitted to a source HSM to create a master key. A fingerprint of the master key is received in a response signed by the source HSM using a module signing key hardcoded into the source HSM at manufacturing time. A second command is transmitted to a first HSM to generate an importer key pair. A request is transmitted to the source HSM to create and export a wrapped master key. The master key wrapped with a transport key is received. The wrapped master key is transmitted to the first HSM. The master key is activated in the first HSM.
Type: Grant
Filed: September 10, 2021
Date of Patent: September 17, 2024
Assignee: International Business Machines Corporation
Inventors: David Nguyen, Marco Pavone, Clifford Lee Hansen, Garry Joseph Sullivan, Ross Martin Heninger
-
Patent number: 12093321
Abstract: Methods and systems of similarity searching encrypted data strings are disclosed. An exemplary method can include receiving data strings, obtaining a set of reference strings, determining edit distances between each data string and the reference strings, converting each set of edit distances into a document of tokens. A method may further include encrypting the data strings, associating each of the documents with a corresponding data string, and storing the data strings and the associated documents in a memory. A method may continue by receiving a search request, determining a search set of edit distances between the search request and the reference strings, converting the search set of edit distances into a document, comparing the search document with the documents stored in memory to determine which documents are above a similarity threshold compared to the search document, and returning the data strings associated with documents above the similarity threshold.
Type: Grant
Filed: September 22, 2021
Date of Patent: September 17, 2024
Assignee: Capital One Services, LLC
Inventors: Carolyn Phillips, Venkataseshagiri Chintala
-
Patent number: 12093367
Abstract: Disclosed herein is a system architecture that structures commodity heterogeneous interconnected computing platforms around universal object abstractions, which are a fundamental system abstraction and building block that provides practical and provable end-to-end guarantees of security, correctness, and timeliness for the platform.
Type: Grant
Filed: March 1, 2022
Date of Patent: September 17, 2024
Assignee: Carnegie Mellon University
Inventor: Amit Vasudevan
-
Patent number: 12086076
Abstract: A computing device is disclosed. The computing device includes a central processing unit and a mass storage bus. The central processing unit includes an application processing unit and an immutable encryption key for use with the encryption of data and the decryption of data. The application processing unit includes an instruction set to perform an encryption of data and a decryption of data stored via the mass storage bus. The immutable encryption key is stored in the central processing unit and inaccessible from outside of the instruction set.
Type: Grant
Filed: February 21, 2020
Date of Patent: September 10, 2024
Assignee: Hewlett-Packard Development Company, L.P.
Inventor: Christoph J. Graham
-
Patent number: 12088715
Abstract: The proposed system employs an architectural arrangement of a plurality of relevant functional elements to enable a secure communication. An artificial intelligence (AI) server is communicably coupled with a first local network server, a second local network server, a first computing device and a second computing device over a communication network interface. The AI server, the first local network server, and the second local network server are arranged to perform one or more security orchestrations before transmission of the received encrypted data packet. The first computing device is arranged to receive the transmitted encryption key and the first self-destruction code, from the AI server, associated with the first communication request.
Type: Grant
Filed: September 5, 2022
Date of Patent: September 10, 2024
Inventor: Richard D'souza
-
Patent number: 12088711
Abstract: In one arrangement, a method for a key management server to manage cryptographic key rotation comprises rotating, by the key management server, an initial symmetric key based on a first rotation schedule. Rotating the initial symmetric key comprises rotating bits of the initial symmetric key to create a rotated key, the rotated key being different from the initial symmetric key. The method further comprises enciphering, by the key management server using the rotated key, data sent to a first client server. In another arrangement, a method for a client server to manage cryptographic key rotation comprises rotating, by the client server, an initial symmetric key based on a schedule. The method further comprises deciphering, by the client server, data sent from a key management server using the rotated key and providing the deciphered data to a user.
Type: Grant
Filed: December 28, 2021
Date of Patent: September 10, 2024
Assignee: Wells Fargo Bank, N.A.
Inventors: Phillip H. Griffin, Jeffrey J. Stapleton
-
Patent number: 12088713
Abstract: The disclosure provides an approach for cryptographic agility. Embodiments include receiving a request from an application for a cryptographic operation, wherein the request is associated with a computing device. Embodiments include determining one or more resource constraints related to the computing device. Embodiments include selecting, based on the one or more resource constraints, a cryptographic technique from a plurality of cryptographic techniques associated with indications of resource requirements. Embodiments include performing the cryptographic operation using the cryptographic technique. Embodiments include providing a response to the application based on performing the cryptographic operation.
Type: Grant
Filed: July 26, 2021
Date of Patent: September 10, 2024
Assignee: VMware LLC
Inventors: Daniel James Beveridge, Mark Benson, Marc Wayne Brotherson, Sean Huntley, Akeem Jenkins, David Ott
-
Patent number: 12079518
Abstract: According to one embodiment, a controller writes first data into a first storage area in accordance with a first write command from a host. The controller identifies a logical address mapped to the written first data. The controller writes internal data that is read from a second storage area into a first location of the first storage area. The controller associates the first storage location with the logical address. The controller reads the internal data from the first storage location in response to receiving, from the host, a read command that designates the logical address. The controller transmits, to the host, the internal data read from the first storage location.
Type: Grant
Filed: September 13, 2022
Date of Patent: September 3, 2024
Assignee: Kioxia Corporation
Inventors: Yasuyuki Iwaki, Koji Maruya
-
Patent number: 12072379
Abstract: An integrated circuit (IC) protection circuit can include a reconfigurable block that receives a seed value from a tamper-proof memory and generates a dynamic key; an authentication block that receives the dynamic key from the reconfigurable block and taint bits from a scan chain to generate an authentication signature; and an encryptor that encrypts a test pattern response on the scan chain if a mismatch is found between the authentication signature and a test pattern embedded signature.
Type: Grant
Filed: March 14, 2022
Date of Patent: August 27, 2024
Assignee: DUKE UNIVERSITY
Inventors: Krishnendu Chakrabarty, Jonti Talukdar, Arjun Chaudhuri
-
Patent number: 12061704
Abstract: A vulnerability management method acquires, during an OS runtime of an information handling system, vulnerability information indicating potentially vulnerable resources of the system. Disclosed methods calculate a vulnerability determination code (VDC) based on the vulnerability information. The VDC may indicate a scan zone that includes one or more scan zone components. Each component may correspond to a region of a potentially vulnerable resource. After a system reset, disclosed methods may perform a vulnerability aware (VA) boot sequence. The VA boot sequence may include, prior to booting a runtime operating system, determining, in accordance with the vulnerability information, whether to perform a comprehensive vulnerability detection (CVD) boot. A CVD boot refers to a boot sequence configured to boot a distinct operating system dedicated to performing a targeted vulnerability assessment that includes scanning the scan zone components indicated by the VDC.
Type: Grant
Filed: April 25, 2022
Date of Patent: August 13, 2024
Assignee: Dell Products L.P.
Inventors: Shekar Babu Suryanarayana, Sumanth Vidyadhara
-
Patent number: 12058295
Abstract: An image forming apparatus includes a controller and a memory interface having a port to receive a portable memory. The controller performs a portable memory using process that includes storing data in a dedicated memory, and performing a process using the data stored in the dedicated memory in response to an operation received via a user interface. The controller stores, before the portable memory using process, identification information in a portable memory attached to the port, thereby setting the portable memory as the dedicated memory. The controller determines whether a target portable memory as attached to the port is set as the dedicated memory, based on whether the identification information is stored in the target portable memory. The controller determines whether to display a first screen or a second screen, based on whether the target portable memory is set as the dedicated memory.
Type: Grant
Filed: June 12, 2023
Date of Patent: August 6, 2024
Assignee: Brother Kogyo Kabushiki Kaisha
Inventor: Yutaka Urakawa
-
Patent number: 12045641
Abstract: Described are systems and methods that may be used to compare virtual machine manager-level system operations in a host environment to verify to a guest environment, such as a virtual machine, that the requested operations have been performed and the data managed by the host on behalf of the guest is secure. The implementations may include a security monitor that interfaces with a trusted platform module included in a hardware of the host. The security monitor may work with the TPM to verify consistency between a VM operation and a corresponding VMM-level operation of the host. This verification provides transparency that the host machine is complying with its responsibility to properly manage and secure data of the VM.
Type: Grant
Filed: December 11, 2020
Date of Patent: July 23, 2024
Assignee: Amazon Technologies, Inc.
Inventor: Shivaramakrishnan Vaidyanathan
-
Patent number: 12045121
Abstract: A security integrated circuit (IC) includes a memory including a first register and a second register, a token generation circuit configured to generate first data based on first bits of interest extracted before performance of an operation by using the first register, generate a first token by converting the first data, generate second data based on second bits of interest extracted after the performance of the operation by using the second register, and generate a second token by converting the second data, and an error detection circuit configured to detect an error on the first and second bits of interest by comparing the first token with the second token.
Type: Grant
Filed: November 10, 2022
Date of Patent: July 23, 2024
Assignee: SAMSUNG ELECTRONICS CO., LTD.
Inventor: Jeehyoung Lee
-
Patent number: 12045662
Abstract: Some embodiments provide a non-transitory machine-readable medium that stores a program. The program receives a request to execute a task for re-encrypting a set of data associated with an application that has been encrypted with a first encryption key. The task is for re-encrypting the set of data using a second encryption key. The program further determines an amount of work to complete the task. The program also divides the task into a set of subtasks based on the amount of work. The program further assigns each subtask in the set of subtasks to a node in a plurality of nodes for execution of the subtask. The plurality of nodes are configured to implement the application.
Type: Grant
Filed: August 4, 2021
Date of Patent: July 23, 2024
Assignee: SAP SE
Inventors: Himanshu Joshi, Hiren Shah
-
Patent number: 12032699
Abstract: A storage device and an operating method are provided. The storage device includes a non-volatile memory comprising a first area configured to store a plurality of normal firmware images and a second area configured to store a plurality of trusted firmware images, a firmware table configured to store information about the plurality of normal firmware images and the plurality of trusted firmware images, and a storage controller configured to control the non-volatile memory, perform a self-test for the storage device and write at least one of the plurality of trusted firmware images over a boot image based on a result of the self-test. The firmware table is configured to store a first hash value calculated before encryption of the plurality of trusted firmware images, and a second hash value calculated after encryption of the plurality of trusted firmware images.
Type: Grant
Filed: July 5, 2022
Date of Patent: July 9, 2024
Assignee: SAMSUNG ELECTRONICS CO., LTD.
Inventors: Seok Gi Hong, Myeong Jong Lee, Sung Ho Yoon, Seong Chan Jo
-
Patent number: 12028441
Abstract: Disclosed herein are system, method, and computer program product embodiments for encrypting and decrypting a sensitive data item using a zero-knowledge encryption protocol. An embodiment operates by receiving a request to decrypt the sensitive data item from a client. The embodiment retrieves the requested sensitive data item from a data store. The embodiment generates a result set by replacing a ciphertext value of the sensitive data item to be stored in the result set with a placeholder identifier. The embodiment retrieves a data encryption key (DEK) block from a DEK manager, wherein the DEK block comprises a DEK associated with the sensitive data item. The embodiment generates and encrypts a cipher ticket comprising the ciphertext value of the sensitive data item. The embodiment then sends the result set, the cipher ticket, and the DEK block to the client for decryption of the ciphertext value of the sensitive data item.
Type: Grant
Filed: October 25, 2021
Date of Patent: July 2, 2024
Assignee: SAP SE
Inventors: Marc Alexander Roeder, Roland Lucius, Vladislav Dexheimer
-
Patent number: 12028442
Abstract: Technology related to accessing security hardware keys is disclosed. In one example, a method includes receiving an initial request to perform a first cryptographic operation using a key stored in security hardware circuitry. In response to servicing the initial request, a persistent attribute of the key can be used to query the security hardware circuitry to receive a volatile attribute of the key. The volatile attribute of the key can be stored external to the security hardware circuitry to enable subsequent requests to perform cryptographic operations on the security hardware circuitry without querying the security hardware circuitry for the volatile attribute of the key. A subsequent request referencing the key can be received. The subsequent request can be serviced by using the security hardware circuitry and identifying the key using the stored volatile attribute of the key without querying the security hardware circuitry for the volatile attribute of the key.
Type: Grant
Filed: August 15, 2019
Date of Patent: July 2, 2024
Assignee: F5, Inc.
Inventors: Liang Cheng, Andrey Jivsov, Neha Kochar
-
Patent number: 12020075
Abstract: Techniques are disclosed relating to dispatching compute work from a compute stream. In some embodiments, a graphics processor executes instructions of compute kernels. Workload parser circuitry may determine, for distribution to the graphics processor circuitry, a set of workgroups from a compute kernel that includes workgroups organized in multiple dimensions, including a first number of workgroups in a first dimension and a second number of workgroups in a second dimension. This may include determining multiple sub-kernels for the compute kernel, wherein a first sub-kernel includes, in the first dimension, a limited number of workgroups that is smaller than the first number of workgroups. The parser circuitry may iterate through workgroups in both the first and second dimensions to generate the set of workgroups, proceeding through the first sub-kernel before iterating through any of the other sub-kernels. Disclosed techniques may provide desirable shapes for batches of workgroups.
Type: Grant
Filed: September 11, 2020
Date of Patent: June 25, 2024
Assignee: Apple Inc.
Inventors: Andrew M. Havlir, Ajay Simha Modugala, Karl D. Mann
-
Patent number: 12013751
Abstract: A value corresponding to a physical variation of a device may be received. Furthermore, helper data associated with the physical variation of the device may be received. A result data may be generated based on a combination of the value corresponding to the physical variation of the device and the helper data. An error correction operation may be performed on the result data to identify one or more code words associated with the error correction operation. Subsequently, a target data may be generated based on the one or more code words.
Type: Grant
Filed: June 5, 2019
Date of Patent: June 18, 2024
Assignee: Cryptography Research, Inc.
Inventors: Mark Evan Marson, Scott C. Best, Helena Handschuh, Winthrop John Wu
-
Patent number: 12008673
Abstract: A method and system of augmenting display content in a graphical user interface environment. Content produced by a graphical user interface is augmented with additional content before the content is displayed. In an example, a security marker may be rendered on top of an existing display content using the method described to protect high-value or sensitive information.
Type: Grant
Filed: June 21, 2021
Date of Patent: June 11, 2024
Assignee: NextLabs, Inc.
Inventors: Keng Lim, Poon Fung
-
Patent number: 12003631
Abstract: A method is provided for determining a unique identifier of a device, the device including a quantum tunnelling barrier unique to the device. The method comprises applying a potential difference across the quantum tunnelling barrier, the potential difference sufficient to enable tunnelling barrier. The method further comprises measuring an electrical signal, the electrical signal representative of a tunnelling current through the quantum tunnelling barrier. The method further comprises determining, from the measured electrical signal, a unique identifier for the device. Related apparatuses, systems, computer-readable media and methods are also provided herein.
Type: Grant
Filed: March 7, 2023
Date of Patent: June 4, 2024
Assignee: Crypto Quantique Limited
Inventors: Shahram Mossayebi, Patrick Camilleri, Henry Edward William Montagu
-
Patent number: 11996386
Abstract: To protect against physical and side-channel attacks, circuit assemblies may mount a main processor opposite of a cryptographic processor such that traces between the two processors are hidden in a substrate. Another substrate defining a cavity may be mounted on the bottom of the substrate to enclose the cryptographic processor and prevent physical access without disrupting the cryptographic operations. Voltage converters with integrated inductors may also be included in the cavity to generate electromagnetic noise that will disrupt the sensitive equipment used in side-channel attacks. An electromagnetic shield may be sputtered on top of the main processor to block electromagnetic sniffing attacks while still allowing the processor to be coupled with a heat sink.
Type: Grant
Filed: May 16, 2021
Date of Patent: May 28, 2024
Assignee: Applied Materials, Inc.
Inventor: Bert Fransis
-
Patent number: 11989200
Abstract: An illustrative embodiment disclosed herein is an apparatus including a processor and a memory. In some embodiments, the memory includes programmed instructions that, when executed by the processor, cause the apparatus to upload an object to a source bucket in an object store and create a lambda bucket in the object store that is symlinked to the source bucket. In some embodiments, the lambda bucket is associated with a predefined transformation. In some embodiments, the memory includes the programmed instructions that, when executed by the processor, cause the apparatus to receive a request to download the object from the lambda bucket, detect that the object is in the source bucket, fetch the object from the source bucket, transform the object, by compute resources of the object store, using the predefined transformation, and download the transformed object.
Type: Grant
Filed: July 25, 2022
Date of Patent: May 21, 2024
Assignee: Nutanix, Inc.
Inventors: Johnu George, Manik Taneja, Naveen Reddy Gundlagutta, Nikhil Mundra, Satyendra Singh Naruka, Sirvisetti Venkat Sri Sai Ram
-
Patent number: 11989312
Abstract: A method for transmitting information between a data processing system external to the vehicle and systems using the information in a vehicle employs integrity protection and/or encryption mechanisms. The integrity and/or encryption mechanisms are used with different levels of protection, wherein the level of protection is selected and/or adjusted based on the information or a classification of the information, the provided use of the information, the state of the vehicle, the surroundings of the vehicle, the origin of the information, the protection goal, and/or the resource consumption.
Type: Grant
Filed: May 11, 2020
Date of Patent: May 21, 2024
Assignee: MERCEDES-BENZ GROUP AG
Inventors: Viktor Friesen, Micha Koller, Hubert Rehborn
-
Patent number: 11989102
Abstract: Multiple data paths may be available to a data management system for transferring data between a primary storage device and a secondary storage device. The data management system may be able to gain operational advantages by performing load balancing across the multiple data paths. The system may use application layer characteristics of the data for transferring from a primary storage to a backup storage during data backup operation, and correspondingly from a secondary or backup storage system to a primary storage system during restoration.
Type: Grant
Filed: December 21, 2022
Date of Patent: May 21, 2024
Assignee: Commvault Systems, Inc.
Inventors: Jaidev Oppath Kochunni, Chong Liu, Manoj Kumar Vijayan, Rajiv Kottomtharayil
-
Patent number: 11991272
Abstract: Computer-readable media, methods, and systems are disclosed for tenant-specific encryption of container in connection with a database employing group-level encryption. An encryption group identifier may be assigned to container. The encryption group identifier may define how the container is encrypted. A container entry corresponding to the container may be created. A commit operation may be received for committing the assignment of the encryption group identifier to the container. A job may be initialized for encrypting the container according to the encryption group identifier. The container may be flagged as modified. A flush operation may be initiated whereby the container is re-encrypted according to the encryption group identifier. Once flushing is complete, the container entry may be deleted.
Type: Grant
Filed: December 10, 2021
Date of Patent: May 21, 2024
Assignee: SAP SE
Inventor: Dirk Thomsen
-
Patent number: 11983254
Abstract: Systems, computer program products, and methods are described herein for secure access control using dynamic resource replication. The present invention is configured to electronically receive, from a computing device of a user, a request to generate a resource access path to access a resource; determine one or more resource requirements associated with the resource; determine an authentication level associated with the user; initiate a resource replication engine on the one or more resource requirements and the authentication level associated with the user; determine, using the resource replication engine, that the one or more requirements and the authentication level associated with the user meets one or more conditions for a replication process; and generate, using the resource replication engine, the resource access path and a plurality of replicate resource access paths.
Type: Grant
Filed: August 1, 2023
Date of Patent: May 14, 2024
Assignee: BANK OF AMERICA CORPORATION
Inventors: Brandon Sloane, Brian Diederich, Levi Weldon McVay
-
Patent number: 11985235
Abstract: A quantum communication system for encrypting communication includes a processor configured to receive an encryption request from a mobile device. The mobile device determines a first encryption key from the mobile device. A quantum random number generator generates a second encryption key using quantum mechanics. The processor transmits the second encryption key to the mobile device. The mobile device implements a digital XOR logic gate configured to perform an XOR operation on the first encryption key and the second encryption key to generate a third encryption key.
Type: Grant
Filed: September 16, 2020
Date of Patent: May 14, 2024
Assignee: Quantum Technologies Laboratories, Inc.
Inventors: Alain Obadia, Adrien Hubert
-
Patent number: 11983106
Abstract: Devices and techniques for host accelerated operations in managed NAND devices are described herein. A host logical-to-physical (L2P) table of the NAND device has an associated map. Entries in the map correspond to one or more logical addresses (LA) and indicate whether the host L2P table is current for those LAs. If the table is not current, then a request will bypass the host L2P table, using a standard device L2P lookup instead. Otherwise, the host L2P table can be used.
Type: Grant
Filed: July 20, 2022
Date of Patent: May 14, 2024
Inventors: Sebastien Andre Jean, Greg A. Blodgett
-
Patent number: 11977663
Abstract: A processing unit comprising: a processor; and a memory, coupled to the processor and adapted to provide a plurality of enclaves isolated from each other, where the plurality of enclaves include a plurality of application enclaves, each of the application enclaves is used for running a respective application program, and the plurality of enclaves further include at least one of the following: a runtime enclave adapted to provide a storage space required for an invokable program; and a crypto enclave adapted to provide a storage space required for a crypto related program, wherein the runtime enclave and the crypto enclave have read/write permission for the plurality of application enclaves, and each of the application enclaves has no read/write permission for the runtime enclave and the crypto enclave.
Type: Grant
Filed: January 15, 2021
Date of Patent: May 7, 2024
Assignee: Alibaba Group Holding Limited
Inventors: Xiaoxia Cui, Xuanle Ren
-
Patent number: 11972119
Abstract: A storage system that can achieve a cryptographic operation circuit that supports multiple types of cryptographic operation formats. The cryptographic operation circuit is provided that encrypts data according to the format determined by the processor based on a request by the host terminal for writing the data into the storage device, and decrypts the encrypted data on the data stored in the storage device according to the format determined by the processor based on a request by the host terminal for reading the data from the storage device.
Type: Grant
Filed: April 25, 2023
Date of Patent: April 30, 2024
Assignee: HITACHI, LTD.
Inventors: Shumpei Morita, Tomoyuki Kamazuka, Hideaki Monji, Yuusaku Kiyota
-
Patent number: 11968202
Abstract: A method of authenticating a user to a computer in an adverse environment includes receiving the user's password in a trusted user device, such as by the user typing the password, and encoding a keyword with a hash of the entered password to create an encoded keyword. The encoded keyword is sent from the trusted user device to the computer using a physical communication channel perceivable by the user; and the encoded keyword is compared in the computer with a keyword encoded with a known hash of the user's password in the computer to authenticate the user.
Type: Grant
Filed: May 24, 2019
Date of Patent: April 23, 2024
Assignee: Avast Software s.r.o.
Inventors: Karel Fuka, Vojtěch Tůma