Abstract: A device, system and method for debugging a homomorphically encrypted (HE) program. The HE program comprising real ciphertext data and encrypted operations in the HE space (production mode) may be mapped to an equivalent plaintext program comprising equivalent pseudo-ciphertext data and pseudo-encrypted operations in the unencrypted space (simulation mode). The plaintext program may be executed in a first full pass in simulation model and a sampling of the HE program may be executed in a second partial pass in production mode, the results of which are compared. The HE program and/or mapping may be validated if the results of simulation and production mode match and debugged if the results do not match. An integrated development environment (IDE) may switch among the HE space (production mode), the unencrypted space (simulation mode), and a combination of both HE and unencrypted spaces simultaneously (simultaneous production-simulation mode).

Abstract: The intrinsic data generation device of the disclosure includes a modulation control part outputting a modulation control signal for controlling modulation, a modulation part modulating a signal based on the modulation control signal and outputting a modulated modulation signal, a PUF circuit specifying a relationship between input data and output data based on random variation intrinsic to the device and changing the output data based on the modulation signal, a data holding part holding the output data from the PUF circuit in response to the modulation control signal, and an intrinsic data output part outputting intrinsic data based on the output data provided from the data holding part.

Abstract: The present disclosure relates to a vaultless format-preserving tokenization system and method that securely converts sensitive data into a non-sensitive format while maintaining the original structure. The process includes encoding the original data, generating a secure modification based on a predetermined format by encoding another input and combining it with a unique hashing key, applying a special encryption technique that incorporates the encoded data, secure modification, and a unique encryption key to produce an encoded version of the data, and finally creating a token from the encoded data to be used in place of the original sensitive information.

Abstract: A cryptographic processing method comprises the following steps: obtaining a second number determined by adding to a first number the order of a finite group or a multiple of this order; determining a quotient and a remainder by dividing the second number by a random number; obtaining a third element equal to the combination of elements equal to a first element of the finite group and in number equal to the product of the quotient and the random number; obtaining a fourth element equal to the combination of elements equal to the first element and in number equal to the remainder; determining a second element by combining the third element and the fourth element.

Abstract: A distributed transaction and data storage platform including a distributed notary ledger or blockchain and one or more individual user micro-identifier chains that together enable the secure effectuation and recordation of one or more transactions, and/or storage of data in an automated, real-time, zero-trust, globally data law and privacy law centric manner while maintaining transaction party confidentiality and preventing chain poisoning.

Abstract: Methods, systems, and apparatus, including computer programs encoded on computer storage media, for analyzing hardware designs for vulnerabilities to side-channel attacks. One of the methods includes receiving a request to analyze a device hardware design for side-channel vulnerabilities in the device after being manufactured. Physical characteristics data is obtained representing one or more physical characteristics of the device based on the device hardware design. Information flow analysis is performed to identify one or more signals of interest corresponding to digital assets. From the physical characteristics data and the one or more signals of interest, data representing potentially vulnerable signals in the device hardware design is generated. A leakage model is generated for the potentially vulnerable signals that quantifies one or more leakage criteria for one or more structures of the device hardware design.

Abstract: Disclosed are systems, methods, and non-transitory computer-readable media for AI based privacy amplification. A data security system allows for data transmitted between devices to be secured using varying levels of data security that are adjusted dynamically based on the determined sensitivity level of the data. The data security system uses AI (e.g., machine learning models) to predict the sensitivity level of data being transmitted between the devices in real-time and applies an appropriate level of data security based on the predicted sensitivity level. Dynamically adjusting the level of data security that is used based on the sensitivity level of the data provides for heightened levels of data security to protect highly sensitive data, and lower levels of data security to conserve computing resources when protecting less sensitive data.

Abstract: Systems, apparatuses and methods may provide for technology that programs a plurality of seed values into a plurality of linear feedback shift registers (LFSRs), wherein the plurality of LFSRs correspond to a data word (DWORD) and at least two of the plurality of seed values differ from one another. The technology may also train a link coupled to the plurality of LFSRs, wherein the plurality of seed values cause a parity bit associated with the DWORD to toggle while the link is being trained. In one example, the technology also automatically selects the plurality of seed values based on one or more of an expected traffic pattern on the link (e.g., after training) or a deskew constraint associated with the link.

Abstract: A technological approach can be employed to protect data. Datasets from distinct computing environments of an organization can be scanned to identify data elements subject to protection, such as sensitive data. The identified elements can be automatically protected such as by masking, encryption, or tokenization. Data lineage including relationships amongst data and linkages between computing environments can be determined along with data access patterns to facilitate understanding of data. Further, personas and exceptions can be determined and employed as bases for access recommendations.

Abstract: Systems and methods for a bifurcated self-executing program that wraps a first self-executing program (e.g., a first smart contract) on a blockchain within a second self-executing program (e.g., a second smart contract), in which the second self-executing program enforces the requirement for particular security credentials/certificates. The bifurcated self-executing program comprises a single compiled self-executing program that combines the first self-executing program and the second self-executing program.

Abstract: A computer-implemented method according to one aspect includes creating an initialization vector, utilizing an instance of plaintext and a secret key; encrypting the instance of plaintext, utilizing the initialization vector, the secret key, and the instance of plaintext; combining the initialization vector and the encrypted instance of plaintext to create a ciphertext string; and outputting the ciphertext string.

Abstract: A method of generating a digital signature. The method comprises calculating a first random number and, based on second and third random numbers, first and second modified versions thereof. A curve point on an elliptic curve is determined based on a base point and the first modified version. A first signature part is calculated based on the curve point. Based on the second and third random numbers, the modified versions of the first random number, data to be signed, the first signature part, and a private key, a second signature part and a check value for the second signature part are calculated. The second signature part is compared with the check value for the second signature part and, responsive to the check value for the second signature part matching the second signature part, a cryptographic signature is output comprising the first signature part and the second signature part.

Abstract: A method includes processing, by an arithmetic and logic unit of a processor, masked data, and keeping, by the arithmetic and logic unit of the processor, the masked data masked throughout their processing by the arithmetic and logic unit. A processor includes an arithmetic and logic unit configured to keep masked data masked throughout processing of the masked data in the arithmetic and logic unit.

Abstract: A Basic Input Output System (BIOS)-based multi-user management method and system. The method includes: identifying states of multiple users of a current BIOS to find a user whose state is an enable state; finding a Non-Volatile Random Access Memory (NVRAM) corresponding to the user in the enable state, and reading BIOS configuration parameter information of the user in the enable state; monitoring a hot key boot phase of a BIOS startup process to determine whether there is a key action at the hot key boot phase; and when there is no key action, performing a manipulation to configure the current BIOS with the read BIOS configuration parameter information of the user in the enable state, thereby effectively configuring the BIOS for the multiple users, and retaining more customized parameters in BIOS information. Therefore, a server becomes a diversely used terminal device more easily.

Abstract: Content, such as an encryption key, may be transmitted between computing systems that both use more than one encryption algorithm. Secrets may be used to encode the content. The different encryption algorithms may be used to separately encrypt the encoded content and the secrets prior to communicating the encrypted, encoded content and encrypted secrets between computing systems.

Abstract: A server can record a device static public key (Sd) and a server static private key (ss). The server can receive a message with (i) a device ephemeral public key (Ed) and (ii) a ciphertext encrypted with key K1. The server can (i) conduct an EC point addition operation on Sd and Ed and (ii) send the resulting point/secret X0 to a key server. The key server can (i) perform a first elliptic curve Diffie-Hellman (ECDH) key exchange using X0 and a network static private key to derive a point/secret X1, and (ii) send X1 to the server. The server can conduct a second ECDH key exchange using the server static private key and point X0 to derive point X2. The server can conduct an EC point addition on X1 and X2 to derive X3. The server can derive K1 using X3 and decrypt the ciphertext.

Abstract: Disclosed is an orthogonal access control system based on cryptographic operations provided by multi-hop proxy re-encryption (PRE) that strictly enforces only authorized access to data by groups of users, scalable to large numbers of users. Scalable delegation of decryption authority can be shared with a plurality of members of a group whether those members be users or devices, and members of a group can further create sub groups and delegate decryption authority to those members, whether users or devices. Members are granted access via generation of transform keys, and membership or access can be revoked merely be deleting the transform key—no elimination of the encrypted data, regardless of its storage location, is needed.

Abstract: A processing apparatus, an embedded system, a system-on-chip, and a security control method are disclosed. The processing apparatus includes a processor, adapted to execute a program; and a memory, coupled to the processor and adapted to provide a plurality of enclaves isolated from each other. One of the plurality of enclaves is a source enclave, another one of the plurality of enclaves is a target enclave, and the source enclave and the target enclave each are used to provide a storage space required for running a corresponding program. The processing apparatus further comprises a storage access controller, adapted to transmit specified data stored in the source enclave to the target enclave.

Abstract: Aspects of the present disclosure involve a method, a system and a computer readable memory to perform a cryptographic operation that includes identifying a first set of mutually coprime numbers, obtaining a second set of input numbers coprime with a corresponding one of the first set of mutually coprime numbers, obtaining an output number that is a weighted sum of the second set of input numbers, each of the second set of input numbers being taken with a weight comprising a product of all of the first set of mutually coprime numbers except the corresponding one of the first set of mutually coprime numbers, and performing the cryptographic operation using the output number.

Abstract: Disclosure provides devices, methods, and computer-readable medium for secure frame management. Techniques disclosed herein provide an intelligent method for detecting triggering items in one or more frames of streaming video from an Internet Protocol camera. Upon detection, the camera transmits one or more frames of the video over a network to a computing device. Upon detecting a triggering item in a frame of the video stream, the computing device begins a streaming session with a server and stream the one or more frames of video and accompanying metadata to the server. The frames, metadata, and associated keys can all be encrypted prior to streaming to the server. For each subsequent segment of video frames that includes the triggering item, the server can append the frames of that segment to the video clip in an encrypted container. Once the triggering item is no longer detected, the streaming session can be closed.

Abstract: A writing method of a crypto device includes receiving a write request from a central processing unit, determining a write attribute of the write request, and performing one of a partial write operation and a full write operation according to the write attribute. In the full write operation, a random number for a version count is generated, a key stream is generated using the version count, the key stream and write data are encrypted in a first logical operation, and the encrypted data and the version count are stored in a memory device.

Abstract: An enhanced robust input protocol for secure multi-party computation (MPC) via pseudorandom secret sharing is provided. With this enhanced protocol, the servers that participate in MPC can generate and send a single random sharing [R] to a client with k inputs (rather than a separate random sharing per input), and the client can derive k pseudorandom sharings from [R] without any further server interactions.

Abstract: A division unit (22) divides a plaintext M every b bits from a beginning, thereby generating b-bit values M1, . . . , Mm-1 and a value Mm having 1 or more bits to b or less bits. An S1 calculation unit (241) assigns a b-bit value H1 to a value M0, and for each integer i of i=1, . . . , m in an ascending order, takes a value Mi-1 as input to an encryption function E, thereby calculating a value S1(i), and calculates a value Ci from the value S1(i) and a value Mi. An S2 calculation unit (242) assigns an r-bit value H2 to a value S2(0), and for each integer i of i=1, . . . , m in an ascending order, calculates a value S2(i) from the value S1(i) and from a value S2(i?1). A ciphertext generation unit (243) generates a ciphertext C from a value Ci for each integer i of i=1, . . . , m. An authenticator generation unit (25) generates a (b+r)-bit authenticator T by using a value S1(m) and a value S2(m).

Abstract: A storage circuit stores secret information. A software processing circuit obtains an operation task and generates scheduling instructions corresponding to the operation task. After receiving the scheduling instructions, a hardware processing circuit obtains the secret information from the storage circuit when the flag bit in the scheduling instruction is a valid value, determines, based on the secret information, data addresses of one or more pieces of operation data required for completing the operation corresponding to the scheduling instruction, and obtains the one or more pieces of operation data based on the data addresses to complete the operation corresponding to each scheduling instruction.

Abstract: Methods, computer program products, and systems are presented. The method computer program products, and systems can include, for instance: identifying an invoked database query for execution on a database, the invoked database query being associated to a user; generating an execution plan for executing the database query on the database; wherein the generating the execution plan for execution of the database query on the database includes establishing an ordering of first and second tables, the ordering of the first and second tables being in dependence on an access privilege attribute of the user in respect to the first table; and executing the database query according to the execution plan.

Abstract: Systems and methods for operating a cryptographic system. The methods comprise: obtaining ciphertext by the cryptographic system; performing operations by the cryptographic system to determine whether a given sequence of values exits within the ciphertext; and synchronizing the cryptographic system with another cryptographic system using the ciphertext as a bitrate portion of an initialization value for a cryptographic algorithm and zero as a capacity portion of the initialization value for the cryptographic algorithm, when a determination is made that the given sequence of values exist within the ciphertext.

Abstract: A method for decoding a video according to the present invention may comprise: determining whether to divide a current block with quad tree partitioning, and dividing the current block into four partitions based on a vertical line and a horizontal line when it is determined that the current block is divided with the quad tree partitioning.

Abstract: A processor-implemented method is disclosed. The method includes: generating a secure data object associated with a request for transfer of resources, the secure data object indicating one or more resource transfer parameters including account information for a transferee account at a resource account management system, wherein the secure data object includes a first hash computed based on the one or more resource transfer parameters; signing the secure data object using a private key associated with the resource account management system; and sending the secure data object to a messaging address associated with a transferor of the requested resources.

Abstract: A first arithmetic input share and a second arithmetic input share of an initial arithmetically-masked cryptographic value are received. A sequence of operations using the arithmetic input shares and a randomly generated number is performed, where a current operation in the sequence of operations generates a corresponding intermediate value that is used in a subsequent operation. At the end of the sequence of operations, a first Boolean output share and a second Boolean output share are generated. The arithmetic-to-Boolean mask conversion is independent of the input bit length.

Abstract: There is provided a device for protecting the execution of a cryptographic operation from attacks, the cryptographic operation being implemented by a cryptographic algorithm, the cryptographic operation comprising at least one modular operation between a main base (m) representing a data block and at least one scalar (d) in at least one finite starting group. The device is configured to determine at least one intermediary group (E?) different from the at least one starting group (E), the number of intermediary groups being equal to the number of starting groups E. The device is further configured to determine at least one final group (E?) from the at least one starting group E and the at least one intermediary group E?. The base m being mapped to an auxiliary element (x) in the at least one intermediary group and to an auxiliary base (m?) in the at least one final group E?.

Abstract: Methods and apparatus for combining received uplink transmissions. In an embodiment, a method is provided that includes receiving a descrambled resource element associated with selected second channel state information (CSI2) and receiving a descrambling sequence used to generate the descrambled RE. The method also includes rescrambling the descrambled RE using the descrambling sequence to generate a rescrambled RE and modifying the descrambling sequence to generate a modified descrambling sequence. The method also includes descrambling the rescrambled RE with the modified descrambling sequence to generate a modified descrambled RE and accumulating the modified descrambled RE to form a combined CSI2 value.

Abstract: A method including receiving, by a receiving device from a transmitting device, a combination of messages including encrypted decoy messages and one or more encrypted content messages, the encrypted decoy messages being determined based at least in part on encrypting decoy data and the one or more encrypted content messages being determined based at least in part on encrypting content data; and decrypting, by the receiving device, a received message included in the combination of messages based at least in part on utilizing a cryptographic key; and determining, by the receiving device, that the received message is a content message or that the received message is a decoy message based at least in part on a result of decrypting the received message. Various other aspects are contemplated.

Abstract: A public key generated by each user of a plurality of users is used to encrypt the contacts for that user. The results are sent to a server by each user. The key generated by each user is then distributed to every other user in the system, and each recipient encrypts their contacts with the keys. The result of these encryptions for all contacts for all recipients is then received by the server, and the server computes an encrypted computation of equality of two contacts and sends all computations back to the original user. The user can use the homomorphic property of the crypto protocol (e.g., a private key) to determine a set of users that are matched as contacts with the other users. The binary results are returned to the server, and the server computes a graph using the results.

Abstract: Systems and methods are described for establishing trust between two devices for secure peer-to-peer communication. In an example, a first and a second device can each possess a digital signature issued by the same certificate authority and a hash function issued by the same trusted entity. The devices can exchange public keys that include their respective digital signatures. The second device can verify the first device's digital signature, encrypt an encryption key with the second device's public key, hash the encryption key using its hash function, and encrypt the hash using its private key. The second device can send the encrypted hash and encryption key to the first device. The first device can verify the second device's digital signature, decrypt the encryption key, and decrypt the encrypted hash. The first device can hash the encryption key using its hashing function and compare the two hashes to verify the second device.

Abstract: A database management system receives a request to process a database query on behalf of a security principal. The database management system determines that processing the database query requires access to an encrypted portion of a file containing data subject to access conditions. The database management system determines that the security principle is authorized to use a key that corresponds to the encrypted portion of the file. The database management system then completes processing of the query by using the key to access the encrypted portion of the file.

Abstract: A highly versatile data processing is implemented on data collected in a manufacturing process. A data processing device includes: a calculation part configured to collect a plurality of data groups associated with a predetermined step of a process, and calculate effects in the predetermined step for each of the plurality of data groups; a dividing part configured to divide a feature space such that a distribution of each of the plurality of data groups associated with the predetermined step in the feature space is classified for each of the calculated effects; and an output part configured to output specific data that specifies respective regions of the divided feature space.

Abstract: A method for creating devices facilitating secure data transmission, storage and key management. At least two devices are each comprised of at least part of a physically unclonable function unit originally shared by the at least two devices on a single, monolithic original integrated circuit. The process includes physically segmenting the shared physically unclonable function unit between the at least two devices. The at least two devices which share the single, monolithic integrated circuit are physically separated into individual device units.

Abstract: According to an embodiment, the arithmetic device includes a controller. The controller is configured to: convert a bit string of m bits (where m is an integer of 4 or more) representing a multiplication value k when a certain condition is satisfied; set a value based on a coordinate value P of a specific point for a first variable and a second variable based on a second bit value from a least significant bit of the bit string; perform loop processing (m?3) times for multiplication processing of performing multiplication on the first variable and addition processing of adding two different points which are not infinite points by adding the first variable and the second variable; and output a coordinate value kP obtained by a scalar multiplication of the coordinate value P with the multiplication value k based on processing for a most significant bit of the bit string.

Abstract: Embodiments are directed to homomorphic encryption for machine learning and neural networks using high-throughput Chinese remainder theorem (CRT) evaluation. An embodiment of an apparatus includes a hardware accelerator to receive a ciphertext generated by homomorphic encryption (HE) for evaluation, decompose coefficients of the ciphertext into a set of decomposed coefficients, multiply the decomposed coefficients using a set of smaller modulus determined based on a larger modulus, and convert results of the multiplying back to an original form corresponding to the larger modulus by performing a reverse Chinese remainder theorem (CRT) transform on the results of multiplying the decomposed coefficients.

Abstract: A method including determining, by a transmitting device in communication with a receiving device, encrypted decoy messages based at least in part on encrypting decoy data utilizing an encryption key; determining, by the transmitting device, one or more encrypted content messages based at least in part on encrypting content data utilizing a cryptographic key, different from the encryption key; and transmitting, by the transmitting device to the receiving device, the one or more encrypted content messages among the encrypted decoy messages. Various other aspects are contemplated.

Abstract: Methods and processes for manufacture of an image product from a digital image. An object in the digital image is detected and recognized. Object metadata is assigned to the object, the object metadata linking sound to the object in the digital image which produced the sound. At least one cryptographic hash of the object metadata is generated, and the hash is written to a node of a transaction processing network.

Abstract: A circuit includes a data input that is configured to receive a data word, the data word including at least one operand which is rotated by a number of bits given by a rotation parameter, a first control input that is configured to receive the rotation parameter, a second control input that is configured to receive an indication of an operation to be performed, a first subcircuit that is configured to generate an operation- and rotation-dependent bit mask from the rotation parameter and the indication of the operation to be performed, a second subcircuit which is configured to process the at least one operand as a function of the bit mask and the operation to be performed, wherein the operand and the operation result generated by the processing remain in the rotated state, and a data output which is configured to output the operation result.

Abstract: A method for generating random numbers includes initializing a pseudo-random number generator (PRNG) having a state of 2048 bits comprising inner bits and outer bits, the inner bits comprising the first 128 bits of the 2048 bits and the outer bits comprising the remaining bits of the 2048 bits. The method also includes retrieving AES round keys from a key source, and for a threshold number of times, executing a round function using the AES round keys by XOR'ing odd-numbered branches of a Feistel network having 16 branches of 128 bits with a function of corresponding even-numbered neighbor branches of the Feistel network, and shuffling each branch of 128 bits into a prescribed order. The method also includes executing an XOR of the inner bits of the permuted state with the inner bits of a previous state.

Abstract: A data storage method in a storage system and a related system. The method includes: calculating a similar fingerprint of first to-be-stored data to obtain a first similar fingerprint, where the first similar fingerprint is for determining whether the first to-be-stored data is similar to stored data; determining reference data based on the first similar fingerprint, where a similar fingerprint of the reference data is the first similar fingerprint; determining first differential data between the to-be-stored data and the reference data based on the reference data, where the reference data is stored in a first storage unit; and storing the first differential data in a second storage unit, where the first storage unit and the second storage unit belong to a read range of a same read I/O.

Abstract: A method comprises: tokenizing, at a first device, a search query; creating search requests and send to delegate devices, each search request including a public key encrypted message containing the tokenized search query and index identifiers of indices to be searched; computing search responses to the search requests, each search response comprising a partial trapdoor computed per token per identifier; transmitting the search responses to the first device; recombining, at the first device, the search responses per identifier per token; performing a ranked set of queries against the indices; and returning the search results in order of relevancy.

Abstract: A method for establishing a shared key, includes: determining, by a first device, a braid group Bn having an index n as a public key; selecting, by the first device, a plurality of elements from the braid group Bn to generate a subgroup P, and selecting an element x from the subgroup P as a private key; receiving, by the first device, {y?1?1y,y?1?2y, . . . , y?1?n?1y} sent from a second device; sending, by the first device, {x?1?1x,x?1?2x, . . . , x?1?n?1x} calculated according to the first private key and each element of the public key, to the second device, to allow the second device to replace all occurrences of ?k in the second private key y with x??kx to obtain fy(x?1?1x,x?1?2x, . . . , x?1?n?1x)=x?1yx and to obtain the shared key x?1y?1xy by calculation; and replacing all ?k in the first private key of the first device with y?1?ky to obtain fx(y?1?1yy?1?2y, . . . , y?1?n?1y)=y?1xy, and calculating to obtain the shared key x?1y?1xy.

Abstract: The method of constructing QAP-based Homomorphic Encryption (HE) in the semi-public setting is introduced, which comprises: encryption, computation, and decryption. The data receiver produces a semi-public key Keys-pub. The data provider can encode his k-qubit plaintext |x to a k-qubit ciphertext |?en=QP|x via a k-qubit invertible operator QP randomly generated by Keys-pub. From the provider, the message En(?p) of QP encoded by a cryptosystem Gcrypt in Keys-pub is transmitted to the receiver through a small-resource communication channel and the ciphertext |?en is conveyed to the cloud. The receiver creates the instruction of encoded computation Uen=PMQP and transports to the cloud, where M is the required k-qubit arithmetic operation, P a k-qubit permutation, and a k-qubit operator to mingle with M. According the instruction, the cloud performs the encrypted evaluation Uen|?en and transfer to the receiver.

Abstract: A privacy gateway may communicate with user devices located at a plurality of premises. The privacy gateway may receive a data packet, from one of the user devices, indicating destinations, such as other computing devices, located external to the premises. The privacy gateway may decrypt at least a portion of the data packet to determine that at least a portion of data in the packet is associated with the user device. The privacy gateway may remove the data associated with the user device from the data packet and replace the removed data with data associated with the privacy gateway. The privacy gateway may send the data packet with the replaced data to a destination device. The privacy gateway may receive a response to the data packet from the destination device. The privacy gateway may encrypt a portion of the response and send the response to the user device.

Abstract: Systems and methods for providing exception failover augmented, homomorphic encrypted (HE) distributing, end-to-endpoint persistent encryption, and distributed HE domain non-decrypting, privacy-protective biometric processing are provided. Some configurations may include generating HE biometric feature data, based on homomorphic encrypting the biometric feature data. Some configurations determine an exception status of the HE biometric feature data between exception and non-exception. Systems and methods may include performing a HE domain, non-decrypting biometric classifying of the HE biometric feature data.

Abstract: A circuit includes a cipher accessing a plurality of read-write memory units configured to handle data tables obtained from a modified mask; wherein the modified mask is being determined from an initial mask and a random value, the random value selecting one or more modifications of the initial mask amongst a plurality of predefined modifications including permutation operations. Developments of the invention describe the use of mathematically optimal or equivalent masks; the use of random values; a range of permutation operations comprising offset shifting and/or rotation and/or XOR operations and/or coprime construction; the use of round masks; the use of a Physically Unclonable Function; the refresh or update of modified masks and/or round masks; and verifications of the optimality and/or integrity of masks. System features (e.g. CPU, co-processor, local and/or remotely accessed external memory storing masks, volatile memory) and computer program products are described.