H04L9/0631

Encrypted search cloud service with cryptographic sharing
11574073 · 2023-02-07

A method for sharing read access to a document stored on memory hardware. The method includes receiving a shared read access command from a sharor sharing read access to a sharee for a document stored on memory hardware in communication with the data processing hardware, and receiving a shared read access request from the sharee. The shared read access command includes an encrypted value and a first cryptographic share value based on a write key, a read key, a document identifier, and a sharee identifier. The method also includes multiplying the first and second cryptographic share values to determine a cryptographic read access value. The cryptographic read access value authorizes read access to the sharee for the document. The method also includes storing a read access token for the sharee including the cryptographic read access value and the encrypted value in a user read set of the memory hardware.

APPLICATION-SPECIFIC COMPUTER MEMORY PROTECTION
20230099543 · 2023-03-30

Systems and methods herein secure computer memory from potential hacks. In one embodiment, a system includes a computer memory, and a memory protection module communicatively coupled to the computer memory. The memory protection module is operable to assign a counter value to a write Input/Output (I/O) request, to encrypt data of the write I/O request based on the counter value, and to write the encrypted data to a location of the computer memory. The counter value comprises a version number of the write I/O request and, for example, the location of the computer memory to where the data of the write I/O request is being written in the computer memory. The memory protection module is further operable to compute the version number based on memory access patterns of an application writing to the computer memory.

Cryptographic computing engine for memory load and store units of a microarchitecture pipeline

A processor comprises a first register to store an encoded pointer to a memory location. First context information is stored in first bits of the encoded pointer and a slice of a linear address of the memory location is stored in second bits of the encoded pointer. The processor also includes circuitry to execute a memory access instruction to obtain a physical address of the memory location, access encrypted data at the memory location, derive a first tweak based at least in part on the encoded pointer, and generate a keystream based on the first tweak and a key. The circuitry is to further execute the memory access instruction to store state information associated with the memory access instruction in a first buffer, and to decrypt the encrypted data based on the keystream. The keystream is to be generated at least partly in parallel with accessing the encrypted data.

Lightweight cryptographic engine
11615716 · 2023-03-28

One embodiment provides an apparatus. The apparatus includes a lightweight cryptographic engine (LCE), the LCE is optimized and has an associated throughput greater than or equal to a target throughput.

SUPPORT FOR ENCRYPTED MEMORY IN NESTED VIRTUAL MACHINES
20230031775 · 2023-02-02

A method includes receiving a memory access request comprising a first memory address and translating the first memory address to a second memory address using a first page table associated with the first virtual machine. The first page table indicates whether the memory of the first virtual machine is encrypted. The method further includes determining that the first virtual machine is nested within a second virtual machine and translating the second memory address to a third memory address using a second page table associated with the second virtual machine. The second page table indicates whether the memory of the second virtual machine is encrypted.

Power analysis attack protection
20230037804 · 2023-02-09

In one embodiment, a processing device includes a symmetric block cipher configured to encrypt plaintext blocks yielding respective ciphertext blocks, obfuscation circuitry configured to obfuscate the respective ciphertext blocks responsively to an obfuscation secret yielding respective obfuscated ciphertext blocks, and an interface to send the respective obfuscated ciphertext blocks to at least one remote processing device. In one embodiment, the processing device provides side-channel attack protection within a symmetric key scheme by data obfuscation and by changing encryption/decryption keys using key manipulation so that different blocks or groups of blocks of data are encrypted/decrypted using respective encryption/decryption keys.

Localized data storage and processing
11615193 · 2023-03-28

Data may be stored by receiving the data to be stored, determining whether the data is regulated in a jurisdiction, and, responsive to the determination, selecting between a regulated storage scheme, requiring that the data be stored and/or processed in the jurisdiction in accordance with one or more laws pertaining to the jurisdiction, and an unregulated storage scheme, in which the data is not required to be stored in the jurisdiction and/or is not required to be stored in accordance with the one or more laws. Further, the regulated storage scheme may be followed by initiating storage of the data in the jurisdiction in accordance with the one or more laws.

High throughput post quantum AES-GCM engine for TLS packet encryption and decryption
11489661 · 2022-11-01

An apparatus comprises an input register to receive a transport layer data packet, an encryption/decryption pipeline communicatively coupled to the input register, comprising a first section comprising a set of advanced encryption standard (AES) engines including at least a first AES engine to perform encryption and/or decryption operations on input data from the at least a portion of a transport layer data packet, a second AES engine to determine an authentication key, and a third AES engine to determine an authentication tag mask, a second section comprising a first set of Galois field multipliers comprising at least a first Galois field multiplier to compute a first multiple of the authentication key, a third section comprising a second set of Galois field multipliers to compute a first partial authentication tag, and a fourth section comprising a processing circuitry to compute a second partial authentication tag and a final authentication tag.

RADIO TRANSMITTER APPARATUS WITH CRYPTOGRAPHIC ENGINE
20230090750 · 2023-03-23

An integrated-circuit radio transmitter chip comprises a transmitter, a cryptographic engine and control circuitry for the cryptographic engine. The cryptographic engine performs a cryptographic operation by receiving input data, performing a first process to generate first result data and a second process to generate second result data. The first and second result data are used to generate output data. In response to determining that the transmitter is active, the control circuitry controls the cryptographic engine to perform the first process and prevents the cryptographic engine from performing the second process while the transmitter is active. The control circuitry controls the cryptographic engine to perform the second process in response to determining that the transmitter is not active.

ONLINE SECRET ENCRYPTION

A method includes receiving, by a server computer, a thin client identifier from a thin client on a communication device. The server computer can then retrieve an encrypted first cryptographic key based on the thin client identifier. The encrypted first cryptographic key is a first cryptographic key that is encrypted with a second cryptographic key. The server computer can initiate the sending of the encrypted first cryptographic key to the thin client. The server computer then receives an encrypted secret from the thin client, the encrypted secret being a secret encrypted with the first cryptographic key.