A method comprises identifying a sensitive heap allocation for a sensitive data object in memory, and encrypting the data object using a first encryption key, different from a second encryption key used to encrypt one or more non-sensitive data objects in the memory, to provide cryptographic isolation between the sensitive data object and the one or more non-sensitive data objects.

A method, apparatus and computer program product to detect whether specific sensitive data of a client is present in a cloud computing infrastructure is implemented without requiring that data be shared with the cloud provider, or that the cloud provider provide the client access to all data in the cloud. Instead of requiring the client to share its database of sensitive information, preferably the client executes a tool that uses a cryptographic protocol, namely, Private Set Intersection (PSI), to enable the client to detect whether their sensitive information is present on the cloud. Any such information identified by the tool is then used to label a document or utterance, send an alert, and/or redact or tokenize the sensitive data.

A method of cryptographically secured decentralized testing includes receiving, by a computing device and from a secure test apparatus, an output of a cryptographic function of a secret test result identifier, authenticating the output, and recording, in a data repository, an indication of a test result as a function of the output.

A method for outsourcing exponentiation in a private group includes executing a query instruction to retrieve a query element stored on an untrusted server by selecting a prime factorization of two or more prime numbers of a modulus associated with the query element stored on the server, obtaining a group element configured to generate a respective one of the prime numbers, generating a series of base values using the prime factorization and the group element, and transmitting the series of base values from the client device to the server. The server is configured to determine an exponentiation of the group element with an exponent stored on the server using the series of base values. The method also includes receiving a result from the server based on the exponentiation of the group element with the exponent.

A method for re-keying an encrypted data file, the data file being stored chunkwise on a storage entity (SE), data file chunks being encrypted with a global secret, and the method being performed by one or more computing devices, includes updating the global secret for encryption data for a data chunk to be re-keyed such that an output of a non-interactive oblivious key exchange is used to identify the private key of the data chunk to be re-keyed with a new private key, wherein the non-interactive oblivious key exchange uses an oblivious protocol; and reencrypting the data chunk to be re-keyed with the updated global secret.

Various embodiments include a first node for providing a function to a second node for evaluation, the first node configured to form a first plurality of garbled circuits for the function, each circuit being formed from a circuit representing the function and a respective set of wire keys and including one or more logic operations, one or more input wires for inputting data into the circuit and one or more output wires for outputting the result of the function, wherein each respective set of wire keys comprises a respective subset of wire keys for each input wire and each output wire, each subset of wire keys comprising a plurality of wire keys, each wire key in the plurality being associated with a possible value for the wire; and publish a first list of the first plurality of garbled circuits for the function for access by a plurality of second nodes.

This application describes systems and methods for using a physical unclonable function (PUF) to authenticate a device, which may include circuitry for generating PUF values that may uniquely identify the device. According to one aspect, the device may provide enrollment PUF values to an authentication device. The device may later be authenticated if PUF values generated by the device are within a threshold distance of the enrollment PUF values. Since the PUF values are compared using a distance, it may not necessary to apply an error correcting code to the PUF values. The enrollment values and/or the calculated distance may be adjusted to compensate for time variations in the PUF values due to circuit aging. Systems and methods are also described herein for authenticating the device without revealing new PUF values to any second party, for example using a cryptographic technique known as a garbled circuit.

Systems and methods for computing a private set intersection are disclosed. A method includes storing, at a sender device, a first set of values. The method includes receiving, from a receiver device, a homomorphic encryption of a receiver device value. The method includes computing a homomorphically encrypted number based on a difference between the homomorphic encryption of the receiver device value and each value in the first set of values, and based on a hash function of the encryption of the receiver device value. The method includes transmitting the homomorphically encrypted number to the receiver device for determination, at the receiver device, whether the receiver device value is in the first set of values.

Methods and systems for managing cryptographic keys in on-premises and cloud computing environments and performing multi-party cryptography are disclosed. A cryptographic key can be retrieved from a hardware security module by a key management computer. The key management computer can generate key shares from the cryptographic key, and securely distribute the key shares to computer nodes or key share databases. The computer nodes can use the key shares in order to perform secure multi-party cryptography.

A computing device implements a key management system (KMS), and includes an interface, memory, and processing circuitry that executes operational instructions to maintain structured key parameters and a generating procedure associated with associated with a structured key. The generating procedure produces the structured key from an Oblivious Pseudorandom Function (OPRF) output, and the structured key parameters. The computing device receives a blinded value associated with the structured key from a requesting computing device, processes the blinded value using an OPRF secret to generate a blinded OPRF output, and returns the blinded OPRF output, the generating procedure, and the structured key parameters to the requesting computing device, which uses that information to generate the requested structured key.