An authentication and encryption protocol is provided that can be implemented within a single clock cycle of an integrated circuit chip while still providing unbreakable encryption. The protocol of the present invention is so small that it can co-exist on any integrated circuit chip with other functions, including a general purpose central processing unit, general processing unit, or application specific integrated circuits with other communication related functionality.

The disclosure provides an approach for cryptographic agility. Embodiments include establishing, by a proxy component associated with a cryptographic agility system, a first secure connection with an application. Embodiments include receiving, by the proxy component, via the first secure connection, a communication from the application directed to an endpoint. Embodiments include selecting, by the cryptographic agility system, a cryptographic technique based on contextual information related to the communication. Embodiments include establishing, by the proxy component, a second secure connection with the endpoint based on the cryptographic technique. Embodiments include transmitting, by the proxy component, a secure communication to the endpoint via the second secure connection based on the communication.

A processor of an aspect is to perform a Single Instruction Multiple Data (SIMD) instruction. The SIMD instruction is to indicate a source register storing input data to be processed by a round of AES and is to indicate a source of a round key to be used for the round of AES. The processor is to perform the SIMD instruction to perform the round of AES on the input data using the round key and store a result of the round of AES in a destination. In one aspect, the SIMD instruction is to provide a parameter to specify whether or not a round of AES to be performed is a last round. Other instructions, processors, methods, and systems are described.

A path is secured from one node to another node of the computing environment. The one node obtains a first encryption key and a second encryption key. A shared key is obtained by the one node from a key server, and the shared key is used to encrypt a message. The encrypted message includes the first encryption key and the second encryption key. The encrypted message and an identifier of the shared key is sent from the one node to the other node, and a response message is received by the one node. The response message at least provides an indication that the other node received the encrypted message and obtained the shared key.

A communication server, interacting with an organization system having users that wish to communicate securely, provides secure communication capability to the users, without the communication server itself having access to unencrypted content of the user communications or to cryptographic keys that would allow the communication server to derive the unencrypted content. Thus, the communication server that provides the secure communication capability need not itself be trusted by the users with access to communicated content. To achieve this, the various entities communicate to exchange cryptographic keys in such a manner that the communication server never obtains usable copies of the cryptographic keys. Secure search capability is also provided by the client devices supplying a set of message tokens obtained by transformations that the communication server cannot replicate, and the communication server maintaining a search index storing the message tokens in association with the (encrypted) messages from which they were obtained.

A device can (i) operate a primary platform (PP) within a tamper resistant element (TRE) and (ii) receive encrypted firmware images for operating within the primary platform. The TRE can store in nonvolatile memory of the TRE (i) a PP static private key (SK-static.PP), (ii) a server public key (PK.IDS1), and (iii) a set of cryptographic parameters. The TRE can generate a one-time PKI key pair of SK-OT1.PP and PK-OT1.PP and send the public key PK-OT1.PP to a server. The TRE can receive a one-time public key from the server comprising PK-OT1.IDS1. The TRE can derive a ciphering key using an elliptic curve Diffie Hellman key exchange and the SK-static.PP, SK-OT1.PP, PK.IDS1, and PK-OT1.IDS1 keys. The TRE can decrypt the encrypted firmware using the derived ciphering key. The primary platform can comprise a smart secure platform (SSP) and the decrypted firmware can comprise a virtualized image for the primary platform.

Systems and methods are disclosed for side-channel attack mitigation for secure devices including cryptographic circuits using block ciphers that are not based upon feedback. For disclosed embodiments, an integrated circuit includes a cryptographic circuit and a controller. The cryptographic circuit performs cryptographic operations in a block cipher AES mode without feedback. The controller outputs control signals to the cryptographic circuit that cause the cryptographic circuit to perform the cryptographic operations on sequential data blocks with an internally permuted order to mitigate block cipher side-channel attacks. The internally permuted order can be generated using one or more random number generators, one or more pre-configured permutated orders, or other techniques. Further, sequential data blocks can be grouped into sequential subsets of data blocks, and the cryptographic operations can be performed in sequence for the subsets with data blocks within each subset being processed with an internally permuted order.

Provided is a method of an electronic device for performing ultra wide band (UWB) communication. The method includes receiving upper bit information including pre-set at least one parameter via a UWB command interface (UCI), obtaining slot count information and key information including a constant key value, and performing static scrambled timestamp sequence (STS) generation, based on the upper bit information, the slot count information, and the key information.

One or more keys are derived from a master key by executing a plurality of encryption operations. A first encryption operation uses the master key to encrypt a plaintext input having a plurality of bytes. Multiple intermediate encryption operations are performed using a respective intermediate key generated by a previous encryption operation to encrypt respective plaintext inputs having a number of bytes. At least two bytes of a plaintext input have values based on a respective set of bits of a plurality of sets of bits of an initialization vector, wherein individual bits of the respective set of bits are introduced into respective individual bytes of the plaintext input and the respective set of bits has at least two bits and at most a number of bits equal to the number of bytes of the plaintext input.

A network gateway apparatus monitors Quic user datagram protocol (UDP) Internet Connection (QUIC) packets between a first device and a second device, extracts a version of the QUIC protocol and a connection identification from an unprotected portion of the protected header in response to detecting a QUIC packet having a protected header in use, determines a salt used in encryption of the protected header based on the version of the QUIC protocol, calculates a client initial secret based on the salt and the connection identification, determines an unprotected payload of the QUIC packet based on the client initial secret, a protected payload of the QUIC packet and the unprotected portion of the protected header, and extracts a server name indication (SNI) from the unprotected payload.