H04L2209/24

Hardware multiple cipher engine

A hardware cipher engine encrypts or decrypts a block of input data from a sequence of blocks using a cipher operation where the block of output data depends on the input block's position in the sequence. In a random-access mode of operation, the engine receives a sequence position, receives a block of input data having that position, and outputs a block of output data without outputting data that encrypts, or that decrypts, every block of input data preceding the received position. In some embodiments, the operation is a stream cipher, and the engine generates a sequence of keystream blocks and performs a combining operation between the input block and a keystream block having a corresponding sequence position. In other embodiments, the cipher operation is a block cipher, and the engine generates, but doesn't output, blocks of data that encrypt, or decrypt, one or more blocks preceding the received input block.

Asynchronous processing of blockchain blocks

A computer-implemented method includes retrieving, by a bridge device communicatively linked to a blockchain network node of a blockchain network, a first set of blockchain blocks from the blockchain network node using a first set of threads of the bridge device; storing, by the bridge device, the first set of blockchain blocks in the bridge device; and verifying, by the bridge device, a second set of blockchain blocks that are stored in the bridge device using a second set of threads of the bridge device; and wherein retrieving the first set of blockchain blocks and verifying the second set of blockchain blocks are performed asynchronously using the first set of threads and the second set of threads.

Key rotation for sensitive data tokenization

This document describes techniques for rotating keys used to tokenize data stored in a streaming data store where data is stored for a maximum time [W]. In some embodiments, a data layer of such a data store can encrypt arriving original data values twice. The original data value is first encrypted with a first key, producing a first token. The original data value is encrypted with a second key, producing a second token. Each encrypted token can be stored separately in the data store. A field may be associated with two database columns, one holding the value encrypted with the first key and the second holding the value encrypted with the second key. Keys are rotated after time [K], which is at least equal to and preferably longer than [W]. Rotation can involve discarding the older key and generating a new key so that two keys are still used.

Communication systems and methods
11451383 · 2022-09-20

A communication system is provided that includes a first quantum key distribution device and a communication device. The first quantum key distribution device is configured to be coupled to a second quantum key distribution device over a quantum channel and to generate a quantum key based on a quantum state transmitted along the quantum channel. The communication device is communicatively connected to the first quantum key distribution device within a network. The communication device is configured to receive the quantum key from the first quantum key distribution device and transmit the quantum key to an end device in the network via a classical link to enable the end device to use the quantum key for encrypting and/or decrypting messages communicated through the network.

SECURITY CHIP WITH RESISTANCE TO EXTERNAL MONITORING ATTACKS
20220083665 · 2022-03-17

A computing device includes a secure storage hardware to store a secret value and processing hardware comprising at least one of a cache or a memory. During a secure boot process the processing hardware loads untrusted data into at least one of the cache or the memory of the processing hardware, the untrusted data comprising an encrypted data segment and a validator, retrieves the secret value from the secure storage hardware, derives an initial key based at least in part on an identifier associated with the encrypted data segment and the secret value, verifies, using the validator, whether the encrypted data segment has been modified, and decrypts the encrypted data segment using a first decryption key derived from the initial key to produce a decrypted data segment responsive to verifying that the encrypted data segment has not been modified.

Set of servers for “machine-to-machine” communications using public key infrastructure
11283603 · 2022-03-22

A set of servers can support secure and efficient “Machine to Machine” communications using an application interface and a module controller. The set of servers can record data for a plurality of modules in a shared module database. The set of servers can (i) access the Internet to communicate with a module using a module identity, (ii) receive server instructions, and (iii) send module instructions. Data can be encrypted and decrypted using a set of cryptographic algorithms and a set of cryptographic parameters. The set of servers can (i) receive a module public key with a module identity, (ii) authenticate the module public key, and (iii) receive a subsequent series of module public keys derived by the module with a module identity. The application interface can use a first server private key and the module controller can use a second server private key.

Instructions and logic to provide SIMD SM4 cryptographic block cipher functionality

Instructions and logic provide for a Single Instruction Multiple Data (SIMD) SM4 round slice operation. Embodiments of an instruction specify a first and a second source data operand set, and substitution function indicators, e.g. in an immediate operand. Embodiments of a processor may include encryption units, responsive to the first instruction, to: perform a slice of SM4-round exchanges on a portion of the first source data operand set with corresponding keys from the second source data operand set in response to a substitution function indicator that indicates a first substitution function, perform a slice of SM4 key generations using another portion of the first source data operand set with corresponding constants from the second source data operand set in response to a substitution function indicator that indicates a second substitution function, and store a set of result elements of the first instruction in a SIMD destination register.

Cryptographic operations employing non-linear share encoding for protecting from external monitoring attacks
11303436 · 2022-04-12

Systems and methods for performing cryptographic data processing operations employing non-linear share encoding for protecting from external monitoring attacks. An example method includes: receiving a plurality of shares representing a secret value employed in a cryptographic operation, such that the plurality of shares includes a first share represented by an un-encoded form and a second share represented by an encoded form; producing a transformed form of the second share; and performing the cryptographic operation using the transformed form of the second share.

Adaptive signal synchronization and glitch suppression for encryption engines
11283593 · 2022-03-22

In general, this disclosure describes encryption engines that adaptively synchronize signals and suppress glitch propagation in a data decryption pipeline. An apparatus includes a decryption data path having a plurality of computational stages arranged in a pipeline configured to decrypt an encrypted block of data to form a decrypted block of data. One of the computational stages included in the pipeline of the decryption data path includes multiple asymmetric logical paths. A first signal traverses a first logical path and a second signal traverses a second logical path having a greater number of logical units than the first logical path. A glitch suppression register of the apparatus is configured to synchronize the first signal with respect to the second signal such that the first signal and the second signal arrive at a downstream logic element of the computational stage of the decryption data path at substantially a same time.

Ephemeral cryptography keys for authenticating computing services

Techniques of data authentication in a distributed computing system are disclosed herein. One example technique includes receiving a request for performing an operation along with a data package that includes a security token, a first digital signature of the security token generated using an ephemeral private key, and an ephemeral public key with a second digital signature generated using a master private key stored at a secure location. The example technique can also include initially validating the second digital signature using a public key corresponding to the master private key, and upon validating the second digital signature, validating the first digital signature of the security token using the ephemeral public key included in the data package. Upon validating the first digital signature of the security token, the request can be authenticated, and the requested operation can be performed.