A system for security key rotation in a cloud computing environment is disclosed. The system performs steps to at least initiate, at a predetermined interval, a call to determine whether to initiate generation of a public-private key pair for a client application. The system determines whether to initiate generation of the public-private key pair for the client application and based on determining to initiate generation of the public-private key pair for the client application, transmits a control signal requesting generation of the public-private key pair The system generates the public-private key pair and transmits a private key associated with the public-private key pair to a secure storage location for later retrieval by the client application and transmits a public key associated with the public-private key pair to a public key service for later retrieval by a client associated with the client application.

Implementations generally relate to providence certificates. In some implementations, a method includes generating a first providence certificate digitally signed with a first private encryption key, where the first providence certificate is associated with a first component of a product, and where the first providence certificate provides a first predetermined assurance. The method further includes generating a second providence certificate digitally signed with a second private encryption key, where the second providence certificate is associated with the product, and where the second providence certificate provides the first providence certificate and a second predetermined assurance.

A server can record (i) a first digital signature algorithm with a first certificate, and a corresponding first private key, and (ii) a second digital signature algorithm with a second certificate, and a corresponding second private key. The server can select first data to sign for the first algorithm and the first private key in order to generate a first digital signature. The server can select second data to sign, wherein the second data to sign includes at least the first digital signature. The server can generate a second digital signature for the second data to sign using the second algorithm and the second private key. The server can transmit a message comprising (i) the first and second certificates, and (ii) the first and second digital signatures to a client device. Systems and methods can concurrently support the use of both post-quantum and classical cryptography to enhance security.

Various techniques are provided to implement information leakage mitigation associated with elliptic curve operations. In one example, a method includes generating second data based on first data. The first data is associated with a message. The second data is associated with a decoy message. The method further includes performing a first elliptic curve operation based on the first data. The method further includes performing a second elliptic curve operation based on the second data. The first elliptic curve operation and the second elliptic curve operation are performed in a random order. Related systems and devices are provided.

A secure programming system and method for provisioning and programming a target payload into a programmable device mounted in a programmer. The programmable devices are provisioned with a job package created by a user on a host system and deployed on a device programmer. The secure programming system supports a hardware security module on the host system that can be accessed remotely from the device programmer using coordinated sets of template and mechanism dictionaries linked to a security API coupled to the hardware security module.

A protocol that is managed by a coordinating network element or third-party intermediary or peer network elements and utilizes tokens prohibits any subset of a union of the coordinating network element or third-party intermediary, if any, and a proper subset of the processors involved in token generation from substantively accessing underlying data. By one approach, processors utilize uniquely-held secrets. By one approach, an audit capability involves a plurality of processors. By one approach, the protocol enables data transference and/or corroboration. By one approach, transferred data is hosted independently of the coordinating network element. By one approach, the coordinating network element or third-party intermediary or a second requesting network element is at least partially blinded from access to tokens submitted by a first requesting network element. By one approach, a third-party intermediary uses a single- or consortium-sourced database. By one approach, network elements provisioned with tokens jointly manage the protocol.

There may be provided a computer-implemented method. It may be implemented using a blockchain such as, for example, the Bitcoin blockchain. The computer-implemented method includes: i) joining a congress by transferring, by a node operating in a proof-of-work blockchain network, one or more digital assets to a congress pool having one or more other digital assets associated with other members of a congress; ii) detecting, by the node, a special transaction of digital assets on the proof-of-work blockchain network to an address associated with the congress pool, the special transaction satisfying determined criteria; and iii) minting, by the node, one or more digital assets on a proof-of-stake blockchain network in response to detecting the special transaction.

Systems and methods for securely storing digital assets using a secure portal are disclosed. Using an isolated computer within an electronic isolation chamber, a plurality of digital asset accounts may be generated, and one or more private keys and a digital asset account identifier corresponding to each of the digital asset accounts may be obtained. A respective reference identifier may be associated with each digital asset account. At least one of the one or more private keys corresponding to each digital asset account may be divided into a plurality of private key segments and written to a card along with the respective reference identifier to create sets of collated cards, wherein each set comprises cards corresponding to different private keys.

A server can record a device static public key (Sd) and a server static private key (ss). The server can receive a message with (i) a device ephemeral public key (Ed) and (ii) a ciphertext encrypted with key K1. The server can (i) conduct an EC point addition operation on Sd and Ed and (ii) send the resulting point/secret X0 to a key server. The key server can (i) perform a first elliptic curve Diffie-Hellman (ECDH) key exchange using X0 and a network static private key to derive a point/secret X1, and (ii) send X1 to the server. The server can conduct a second ECDH key exchange using the server static private key and point X0 to derive point X2. The server can conduct an EC point addition on X1 and X2 to derive X3. The server can derive K1 using X3 and decrypt the ciphertext.

A computer-implemented method of generating shares of private keys, wherein the method is performed by a first participant of a group of participants and comprises: obtaining a first seed share, wherein each other participant has a respective seed share; generating a first master private key share of a shared master private key, wherein the first master private key share is generated based on the first seed share and the respective seed share of each other participant, and wherein each other participant has a respective master private key share; and generating one or more first private key shares based on the first master private key share, wherein each first private key share is a share of a respective shared private key.