POST-QUANTUM CONSTANT-TIME KEY ROTATION VERIFICATION

BACKGROUND
Field

Aspects of the present disclosure relate to verifiable key rotation of an encryption key.

Description of Related Art

An encryption key is used to encrypt and/or decrypt data. Encryption keys may be generated with an algorithm to ensure it is unique, unpredictable, and properly encrypts/decrypts the data.

In symmetric encryption, the same encryption key is used to encrypt and decrypt data (e.g., plaintext). A sender of encrypted data (e.g., ciphertext) must share the symmetrical key with the receiver to allow the receiver to decrypt the ciphertext, revealing the plaintext. If the symmetrical key is compromised, then the ciphertext is also compromised because anyone with the symmetrical key may decrypt the ciphertext with the key, revealing the plaintext. Additionally, the key may be used to encrypt other plaintext, rendering the ciphertext untrustworthy.

In asymmetric encryption, two different, albeit related, encryption keys are used. A public key is distributed and a private key is kept secret. A sender encrypts the data with a public key and the receiver uses the corresponding secret private key to decrypt the encrypted data. The ciphertext remains secret even with a distributed public key because the encryption function is one-way such that only the receiver with the private key can decrypt the ciphertext. However, if the private key is compromised, the ciphertext may be decrypted and the plaintext revealed. Further, a private key may be used to sign verifiable messages. However, if the key is compromised, any signature is also compromised.

Generally, it is best practice to periodically update an encryption key, regardless of whether it is used for symmetric or asymmetric encryption, through key rotation whereby the current encryption key is replaced with a new encryption key. Key rotation prevents compromise of data, such as through key exhaustion. An encryption key is exhausted and thus exposed when it is used more times than it should be used because overuse of an encryption key can result in revealing information about the underlying plaintext or the secret values in the encryption key itself.

Furthermore, key rotation can be used to revoke old encryption keys, for example, that might have been compromised or to revoke data access, because once an encryption key has been replaced by a new encryption key, the older encryption key cannot access the data.

Accordingly, there is a need in the art for methods of key rotation for encryption key materials.

SUMMARY

Certain aspects provide a method for key rotation of an encryption key, comprising: generating a first ciphertext by encrypting a plaintext with a homomorphic probabilistic encryption scheme based on a first key; generating an updating token based on a difference between the homomorphic probabilistic encryption scheme based on the first key and the homomorphic probabilistic encryption scheme based on a second key; and generating a second ciphertext by encrypting the first ciphertext with the updating token.

Other aspects provide processing systems configured to perform the aforementioned methods as well as those described herein; non-transitory, computer-readable media comprising instructions that, when executed by a processor of a processing system, cause the processing system to perform the aforementioned methods as well as those described herein; a computer program product embodied on a computer-readable storage medium comprising code for performing the aforementioned methods as well as those further described herein; and a processing system comprising means for performing the aforementioned methods as well as those further described herein.

The following description and the related drawings set forth in detail certain illustrative features of one or more aspects.

DESCRIPTION OF THE DRAWINGS

The appended figures depict certain aspects and are therefore not to be considered limiting of the scope of this disclosure.

FIG. 1 depicts an example process flow for performing key rotation.

FIG. 2 depicts an example data flow for performing key rotation.

FIG. 3 depicts an example data flow for validating a key rotation.

FIG. 4 depicts an example proof of validation of a key rotation.

FIG. 5 depicts an example method for performing key rotation.

FIG. 6 depicts an example processing system for performing various aspects described herein.

To facilitate understanding, identical reference numerals have been used, where possible, to designate identical elements that are common to the drawings. It is contemplated that elements and features of one embodiment may be beneficially incorporated in other embodiments without further recitation.

DETAILED DESCRIPTION

Aspects of the present disclosure provide apparatuses, methods, processing systems, and computer-readable mediums for performing computationally efficient, secure, and verifiable key rotation of an encryption key.

As described above, key rotation is the process of periodically exchanging the cryptographic key material (or encryption key) used to encrypt and protect data. By replacing an old key with a new key at regular intervals, the underlying data remains secure and protected, and any compromise of the old key is mitigated.

One method for key rotation is to decrypt the ciphertext and then re-encrypt the resulting plaintext with the new key. However, in symmetrical encryption, every time a key needs to be rotated, the new key must be shared with the receiver. As keys may need to be frequently rotated, the plaintext is also frequently exposed when it is decrypted. Additionally, it requires extensive computational resources (e.g., compute, memory, power, and in some cases network bandwidth) to decrypt and then re-encrypt large amounts of data regularly.

Another method for key rotation involves encapsulating an encryption key (e.g., a symmetric key or a private key) by encrypting the encryption key with an encapsulation key. The encapsulation key is then periodically rotated by decrypting the encryption of the encryption key and then re-encrypting the encryption key (“encapsulating it”) with a new encapsulation key. Beneficially, this method avoids exposing the underlying data because it is not being decrypted and then re-encrypted. Additionally, this method is relatively efficient because the data being decrypted and re-encrypted extends to the encryption key, and not the potentially large amount of underlying data. However, the encryption key for the underlying data is not actually being rotated, rather the encapsulation key is being rotated. Thus, if the encryption key were compromised, for example, by the exposure during key rotation or the encapsulation key being compromised, the underlying data is compromised.

Yet another method for key rotation uses a re-encryption or update token to securely update a ciphertext generated with a first key to a ciphertext generated with a second key. This method, called symmetric updatable encryption, supports full key rotation without requiring the ciphertext to be decrypted, revealing the underlying data. However, some methods of symmetric updatable encryption suffer from relatively weak confidentiality goals and may not provide post-compromise security (i.e., security after a key is compromised). One proposed method to provide post-compromise security is based on the Decisional Diffie Hellman assumption, however this assumption, and thus this method are vulnerable to quantum computers. Additionally, symmetric updatable encryption methods are bidirectional, in that the update token used to update the ciphertext to a new key can also be used to revert to the old ciphertext, decryptable by the old key, so compromise is possible despite the updated ciphertext. Furthermore, symmetric updatable encryption methods do not provide a mechanism for validating the re-encryption of the ciphertext generated with a second key. Thus, in order to ensure the updated ciphertext is a valid encryption of the underlying plaintext, ensuring integrity, the update ciphertext would be decrypted and then re-encrypted, resulting in potential exposure of the data, and requiring extensive computational resources for the decryption and re-encryption.

Furthermore, many encryption techniques rely on the difficulty of “cracking” the encryption scheme by conventional computers by guessing the encryption key. For example, conventional computers may require extensive computational resources (e.g., compute, memory, power, etc.) and time to find the right key. However, quantum computers may be able to crack encryption schemes by performing calculations needed to find the right key exponentially faster, thus reducing the security of such encryption schemes.

Aspects described herein provide a technical solution to the aforementioned technical shortcomings (problems) by providing systems and methods for a homomorphic probabilistic encryption scheme for performing verifiable encryption key rotation. The homomorphic probabilistic encryption scheme is used to encrypt data and then periodically update the encryption to be based on a new encryption key with an updating token. Thus, the data remains encrypted, but the key used for encrypting the data is rotated regularly. Beneficially, by using the updating token described herein, the updated encryption is verifiable to ensure the integrity of the underlying data.

The key-homomorphic probabilistic encryption scheme described herein is based on a binary-learning with errors problem to build a secure post-quantum cryptosystem, meaning the encryption scheme is resistant to compromise by a quantum computer. In one example, a key is obtained from a key-homomorphic pseudorandom function family by sampling a secret matrix of the key-homomorphic pseudorandom function family from a binary distribution with a lower norm, such that a Hamming weight, or the number of non-zeros, of the secret matrix is below a fixed threshold. By using this secret matrix, the homomorphic pseudorandom function family outputs a randomized linear combination of the output of another randomized linear function. Thus, for example, performing updatable encryption on a plaintext with different keys selected from the secret matrix yields two outputs, or two ciphertexts, for which the Hamming distance may be predicted based on the Hamming distance between the two keys. Beneficially, then, a data owner may validate the two ciphertexts encrypting the same plaintext by comparing the Hamming distance between the two ciphertexts and the Hamming distance between the two keys because the two ciphertexts are correlated via key-homomorphism of the underlying key-homomorphic pseudorandom function family. Therefore, an encryption key may be rotated using the key-homomorphic probabilistic encryption scheme presented herein, and the updated encryption is validated by determining the Hamming distance between the two ciphertexts, without decrypting the updated encryption.

Thus, aspects described herein provide many benefits compared to the conventional schemes described above. Specifically, aspects described herein provide key rotation by using the update token to update the encryption to be based on a new key. Beneficially, the old key is replaced and the new key may be used to decrypt the encrypted data. Thus, the old key, which may be compromised, is revoked and cannot decrypt the encrypted data. Further, by using the update token, the ciphertext may be efficiently re-encrypted with the new key without needing to both decrypt the encryption and then re-encrypt with the new key. Also, by using the key-homomorphic probabilistic encryption scheme described herein, the encryption is not vulnerable to quantum computers, due to the reliance on the learning with errors problem, as described further below. Furthermore, as described herein, the updated ciphertext may be verified as a valid re-encryption of the plaintext, to ensure the underlying plaintext remains accurate, without needing to decrypt the updated ciphertext, risking exposure and requiring extensive computational resources.

Pseudorandom Functions

A pseudorandom function (PRF) family is a collection of functions where each function is specified by a key such that the function may be evaluated deterministically with the key, but behaves like a random function without the key. In other words, each function in a PRF family is specified by a short random key and is easily computed given the key. However, when without the key and being computationally-bounded, the function appears to be a random function. For a PRF F_k∈ custom-character , the index k is called its key (or seed). PRFs have a wide range of applications, most notably in cryptography, but also in computational complexity and computational learning theory.

The security of a scheme based on a PRF family is based on the collision resistance of the hash function H, hardness of binary-learning with errors, and pseudorandomness of a homomorphic PRF family, for example, the key-homomorphic and bi-homomorphic PRF families described herein. An encryption scheme is provably secure if the probability of security failure is negligible. For security parameter custom-character , a function η() is called negligible if, for all c>0, there exists an ₀such that

$η (Ł) < \frac{1}{Ł^{c}}$

for all custom-character >₀. Two ensembles are computationally indistinguishable if no efficient algorithm can tell the difference between them except with negligible probability. For two ensembles, X={X₈₀ and Y={Y_λ, where X_λ's and Y_λ's are probability distributions over {0,1}^κ(λ)for λ∈ and some polynomial κ(λ), then {X_λ custom-character {Y_λ are polynomially or computationally indistinguishable if the following holds for every (probabilistic) polynomial-time algorithm and all λ∈:

$❘ \Pr [t \leftarrow X_λ : (t) = 1] - \Pr [t \leftarrow Y_λ : (t) = 1] ❘ \leq η (λ)$

where η is a negligible function. Further {X_λ custom-character and {Y_λ are perfectly indistinguishable if the following holds for all t: Pr[t←X_λ]=Pr[t←Y_λ].

Security is considered between adversaries interacting as part of probabilistic experiments, called games. For an adversary, custom-character and two games ₁, ₂with which the adversary can interact, s distinguishing advantage is:

$Adv_(_1,_2) := ❘ \Pr [cceptsin_1] - \Pr [cceptsin_2] ❘ .$

For the security parameter custom-character , the two games are said to be computationally indistinguishable if it holds that: Ad(₁, ₂)≤η(), where η is a negligible function.

Learning with errors (LWE) is a computation problem used in lattice-based cryptographic constructions. For positive integers w and q≥2 and an error (probability) distribution χ over custom-character , the decision-LWE_w,q,χ problem is to distinguish between the following pairs of distributions: ((a_i,a_i, s+e_imod q))_iand ((a_i, u_i))_i, where

$i \in [poly (w)], a_{i} \overset{$}{\leftarrow}, s \in, e_{i} \leftarrow χ,$

$and$

$u_{i} \overset{$}{\leftarrow} q .$

In the learning with rounding (LWR) problem, instead of adding a small random error, as done in LWE, a deterministically rounded version of the sample is generated. For q≥p≥2, the rounding function, └·┐_p: custom-character _q→_p, is defined as:

${⌊ x ⌉}_{p} = ⌊ \frac{p}{q} \cdot x ⌉,$

i.e., if └x┐_p=y, then

$y \cdot ⌊ \frac{q}{p} ⌉$

is the integer multiple of

$⌊ \frac{q}{p} ⌉$

that is nearest to x. Hence, the error in LWR originates from deterministically rounding x to a (relatively) nearby value in custom-character _p. Let q≥p≥2 be positive integers, then: for a vector, s∈, LWR distribution L_sdefined to be a distribution over ×_p, that is obtained by choosing a vector and outputting (a, b=└a,s┐_p.

For a given distribution over s∈ custom-character (e.g., the uniform distribution), the decision-LWE_w,q,χ problem is to distinguish (with advantage non-negligible in w) between some fixed number of independent samples (a_i, b_i)←L_s, and the same number of samples drawn uniformly from ×_p. Decision-LWR can be as hard as decision-LWE for a setting of parameters where the modulus and modulus-to-error ratio are superpolynomial in the security parameter.

Because the error generated by LWR is both short and deterministic, Gaussian elimination may be used to generate both the key and inputs, such that the Hamming distance between two ciphertexts C₁and C₂, encrypting the same plaintext P, is predictable, allowing validation, as described with respect to FIG. 3.

As described above, PRF families are efficient distributions of functions that cannot be efficiently distinguished from the uniform distribution. For example, given two finite sets, A and B, let custom-character ={F_k: A→B} be a function family, endowed with an efficiently sampleable distribution (more precisely, , A, and B are all indexed by the security parameter ). is a PRF family if the following two games are computationally indistinguishable: (1) choose a function F_k∈ and give the adversary adaptive oracle access to F_k; and (2) choose a uniformly random function U:A→B and give the adversary adaptive oracle access to U.

Homomorphic encryption allows computation over encrypted data without accessing the key and the result remains encrypted. Encryption schemes based on homomorphic PRF families are described herein.

For example, a key-homomorphic PRF based probabilistic encryption scheme may be used for the key rotation methods described herein. Let F: custom-character ×X→ be an efficiently computable function such that (,⊕) is a group, where ⊕ denotes exclusive OR. The tuple (F,⊕) is a γ-almost key-homomorphic PRF if the following two properties hold: (1) F is a secure PRF, and (2) for all k₁, k₂∈ and x∈X, there exists e∈[0, γ]^wsuch that:

$(F_{k_{1}} (x) + F_{k_{2}} (x) = F_{k_{1} \oplus k_{2}} (x) + e \mod q .$

In another example, a bi-homomorphic PRF based probabilistic encryption scheme may be used for the key rotation methods described herein. Let F: custom-character ×X→ be a PRF family, such that (,⊕) and (X,⊖) are groups, where ⊕ denotes exclusive OR, and ⊖ denotes symmetric difference. The tuple (F,⊖,⊕) is a γ-almost fully key and partially input homomorphic PRF if one of the following conditions holds: (1) for every k₁, k₂∈ custom-character , and for every x₁, x₂εX, such that ==, there exists a vector E∈[0, γ]^m×msuch that:

$F (k_{1}, x_{1}) + F (k_{2}, x_{2}) + E = F (k_{1} \oplus k_{2}, x) \mod p,$

where x=x_ custom-character ∥(x_(1.r)⊖x_(2.r)); or (2) for every k₁, k₂∈, and for every x₁, x₂∈X, such that x_1.r, =x_2.r=x_r, there exists a vector E∈[0, γ]^m×msuch that:

$F (k_{1}, x_{1}) + F (k_{2}, x_{2}) + E = F (k_{1} \oplus k_{2}, x) \mod p,$

where x=(x_(1. custom-character )⊖x_(2.))∥x_r.

In yet a further example, another bi-homomorphic PRF based probabilistic encryption scheme may be used for the key rotation methods described herein. Let X⊂ custom-character , with ⊖ defining the surjective mapping: X⊖X→. Let F:×X→ and F′:×→ be two PRF families where (,⊕) is a group. The tuple (F,⊖,⊕) is a γ-almost fully key and partially input homomorphic PRF with homomorphically induced variable input length, if one of the following conditions holds: (1) for every k₁, k₂∈ custom-character , and for every x₁, x₂∈X, such that =(=), there exists a vector E∈[0, γ]^m×msuch that:

$F (k_{1}, x_{1}) + F (k_{2}, x_{2}) + E = F^{'} (k_{1} \oplus k_{2}, y) \mod p,$

where y∈ custom-character , such that y=y_∥y_r, with y_l=x_land y_r=(x_1.r⊖x_2.r); or (2) for every k₁, k₂∈, and x₁, x₂∈X, such that x_1.r=x_2.r=x_r, there exists a vector E∈[0, γ]^m×msuch that:

$F (k_{1}, x_{1}) + F (k_{2}, x_{2}) + E = F^{'} (k_{1} \oplus k_{2}, y) \mod p,$

where y∈ custom-character , such that y=y_∥y_r, with y_r=x_rand =(⊖).

For both key-homomorphic and bi-homomorphic PRF families, the output is a linear combination of the inputs. For example, for PRF families F_S(y) and Fζ_S(z₀, z₁), the output is a linear combination of the following for b∈{0,1}:

$A_{b}, A_{\neg b}$

$A_{b}, A_{x_{0}} G^{- 1} (A_{b})$

$A_{\neg b}, A_{x_{0}} G^{- 1} (A_{b})$

$A_{b}, A_{x_{0}} G^{- 1} (A_{\neg b})$

$A_{x_{0}} G^{- 1} (A_{\neg b} + A_{x_{0}} G^{- 1} (A_{b}))$

$A_{x_{0}} G^{- 1} (A_{b} + A_{x_{0}} G^{- 1} (A_{\neg b}))$

$A_{x_{0}} G^{- 1} (A_{b} + A_{x_{0}} G^{- 1} (A_{b}))$

with the seed (key) S included where applicable. Analogous combinations for B and C may easily be identified with an additional pseudorandomly-generated factor. The secret key s and S for the key-homomorphic families and the bi-homomorphic families, respectively, may be sampled such that the Hamming weight of the key is the smallest permitted by binary-LWE hardness proofs.

The correctness of the encryption is based on utilizing the PRF families described herein. Specifically, correctness follows because the PRF families are randomized linear combinations of their respective inputs, and validity, such as described below with respect to FIG. 3, is based on the selection of blocks of encryption, e.g., based on

$Ψ = ⌊ 1 - \frac{1}{2^{\frac{B}{t}}} ⌋$

such that the correctness probability is equal to Ψ.

Example Process for Storing and Updating Encryption Keys for Encrypted Data

FIG. 1 depicts an example key rotation process 100 for storing and updating encryption keys for encrypted data.

Key management component 116 is configured to manage encryption keys (such as secret keys s (or k₁) and S (or k₂)) for encrypted data stored in a database 108 by storing and rotating encryption keys associated with the encrypted data. Key management component 116 includes key rotation component 118, validation component 120, and key storage component 112.

Key rotation component 118 is configured to periodically rotate encryption keys, such as k₁to k₂, through a probabilistic encryption scheme based on homomorphic PRF families, for example, described with respect to FIG. 2, below. Key rotation performed by key rotation component 118 is validated by validation component 120 before a rotated key, such as k₂, is stored in a key storage component 122, as described with respect to FIG. 3, below.

Through the key rotation process described herein, ciphertext C₁106 associated with k₁104 may be updated to ciphertext C₂110 associated with k₂112. In this example, database 108 is depicted as storing plaintext P 102 encrypted with k₁104 as ciphertext C₁before key rotation. Database 114 is depicted as storing updated ciphertext C₂110, which is plaintext P 102 encrypted with k₂112. Although depicted here as two databases, the ciphertext may be stored in the same database before key rotation, depicted as database 108, and after key rotation, depicted as database 114.

Example Data Flow for Performing Key Rotation

FIG. 2 depicts an example data flow 200 for key rotation using a homomorphic probabilistic encryption scheme, for example, by key rotation component 118 in FIG. 1.

Initially, flow 200 begins at step 204 with encrypting plaintext P 202, such as plaintext P 102 in FIG. 1, with a homomorphic probabilistic encryption scheme, F_s(y), based on a first key k₁to generate ciphertext C₁206.

In some embodiments, the homomorphic probabilistic encryption scheme is derived from a key-homomorphic PRF family. For example, when using the key-homomorphic PRF family, F_s(y), the following operation is performed for encryption: −F_s₁(H(D_i))⊕P_i, where H:{0,1}*→{0,1}^|T| is a cryptographic hash function and D_iis the ID of the i^thplaintext block, P_i.

The key-homomorphic PRF family is defined as: custom-character _A₀_,A₁_,T,p={F_s:{0,1}^|T|→}, where p≤q is the modulus. A member of the function family is indexed by the seed s∈ as:

${F_{s} (x) = ⌊ s \cdot A_{T} (x) ⌉}_{p} .$

F_s(y) may be constructed as follows. Let T be a full binary tree with at least one node, i.e., every non-leaf node in T has two children. Let T.r and T.l denote its right and left subtree, respectively, and └·┐_pdenote the rounding function from LWR, as described above. Let q≥2, d=┌log q┐, and x[i] denote the i^thbit of a bit-string x. Define a gadget vector as:

$g = (1, 2, 4, \dots, 2^{d - 1}) \in ℤ_{q}^{d} .$

Further, define a decomposition function g⁻¹: custom-character _q→{0,1}^dsuch that g⁻¹(a) is a “short” vector and ∀a∈_q, it holds that: , g⁻(a)=a, where · denotes the inner product.

$g^{- 1} (a) = (x [0], x [1], \dots, x [d - 1]) \in {0, 1}^{d}$

where a=Σ_i=0^d-1x[i]·2ⁱis the binary representation of a.

The gadget vector is used to define the gadget matrix G as:

$G = I_{w} \otimes g = diag (g, \dots, g) \in$

where I_Wis the w×w identity matrix and ⊗ denotes the Kronecker product. The binary decomposition function, g⁻¹, is applied entry-wise to vectors and matrices over custom-character _q. Thus, g⁻¹can be extended to get another deterministic decomposition function G⁻¹:→{0,1}^wd×usuch that G·G⁻¹(A)=A.

Given uniformly sampled matrices, A₀, A₁∈ custom-character , define a function:

$A_{T} (x) : {0, 1}^{❘ T ❘} \to as : A_{T} (x) = {\begin{matrix} A_{x} & if ❘ T ❘ = 1, \\ A_{T, l} (x_{l}) \cdot G^{- 1} (A_{T, r} (x_{r})) & otherwise, \end{matrix}$

where |T| denotes the total number of leaves in T and x∈{0,1}^|T| such that x=x_l∥x_rfor both x_l∈{0,1}^|T.l| and x_r∈{0,1}^|T.r|.

Thus, the key-homomorphic PRF family is defined as:

$A_{0}, A_{1}, T, p = {F_{s} : {0, 1}^{| T |} \to}$

where p≤q is the modulus and a member of the function family custom-character is indexed by the seed s∈ as: F_s(x)=└s·A_T(x)┐_p.

In some embodiments, the homomorphic probabilistic encryption scheme is derived from a bi-homomorphic PRF family. In terms of the PRF family, F_S(y), the following operation is performed for encryption: −F_S₁(H(D_i),y_rh)⊕B_i, where H:{0,1}*→{0,1}^|T| is a cryptographic hash function, y_rh custom-character {0,1}^|T|, and D_iis the ID of the i^thplaintext block, P_i. A member of the function family ₍_T,p)is defined as:

${F_{s}^{'} (z_{0}, z_{1}) := ⌊ S^{T} \cdot A_{T} (z_{0}) + R_{0} (z_{0}) \cdot G^{- 1} (C_{T}^{S} (z_{1})) ⌉}_{p}, where$

$R_{0} (z_{0}) = R (z_{0}) \cdot A_{z_{0} [0]} .$

Construction of is subsequently described F′_s(y) as follows. Let x_lhbe the left half of x, such that

$❘ x_{ℓ h} ❘ = ⌊ ❘ \frac{x}{2} ❘ ⌋ .$

Let x_rhbe the right half of x, such that

$❘ x_{rh} ❘ = ⌈ ❘ \frac{x}{2} ❘ ⌉ .$

Let x[i] be the i^thbit of x. Let T be a full binary tree with at least one node, with T.r and T. custom-character denoting its right and left subtree, respectively. For random matrices A₀, A₁∈, define function A_T:{0,1}^|T|→recursively as:

$A_{T} (x) = {\begin{matrix} A_{x} & if ❘ T ❘ = 1 \\ A_{T, ℓ} (x_{ℓ}) + A_{x [0]} G^{- 1} (A_{T, r})) & otherwise \end{matrix}$

where x=x custom-character ∥x_r, ∈{0,1, e x_r∈{0,1}^|T.r|, and |T| denotes the number of leaves in T.

Based on the random seed S∈ custom-character , the KIH-PRF family, _(A₀_,A₁_,T,p), is defined as: _(A₀_,A₁_,T,p)={F_s:{0,1}^2|T|␣}. Two seed dependent matrices, B₀, B₁∈ are defined as: B₀=A₀+S B₁=A₁+S. Using the seed dependent matrices, a function B_T^S(x) is defined recursively as:

$B_{T}^{S} (x) = {\begin{matrix} B_{x} & if ❘ T ❘ = 1 \\ B_{T, ℓ}^{S} (x_{ℓ}) + A_{x [0]} G^{- 1} (B_{T, r}^{S} (x_{r})) & otherwise \end{matrix}$

Let R: {0,1}^|T|→ custom-character be a pseudorandom generator. Let y=y_h∥y_rh, where , y_rh∈{0,1}^|T|. In order to keep the length of the equations in check, the product R()·A_y[0] may be represented by the notation: R₀(). A member of the KIH-PRF family is indexed by the seed S as:

${F_{S} (y) := ⌊ S^{T} \cdot A_{T} (y_{ℓ h}) + R_{0} (y_{ℓ h}) \cdot G^{- 1} (B_{T}^{S} (y_{rh})) ⌉}_{p} .$

Let 0=00, i.e., it represents two consecutive 0 bits. Define the following function family:

$(T, p) = {F_{S}^{'} : {0, 1}^{| T |} \times {0, 1, \bar{0}}^{| T |} \to},$

where custom-character ={A₀, A₁, B₀, B₁, C₀, C₁, C₀}, and where the matrices C₁, C₀, C₀are defined by the seed S∈ as: C₁=A₀+B₁; C₀=A₀+B₀; C₀=A₁+B₁.

Define a function C_T: {0,1}^|T|×{0,1, 0)^|T|→ custom-character recursively as:

$C_{T}^{S} (x) = {\begin{matrix} C_{x} & if ❘ T ❘ = 1 \\ {\overline{C}}_{0} & if ❘ T ❘ > 1 \land x [i] = x [i + 1] = 0 \\ C_{T, ℓ}^{S} (x_{ℓ}) + A_{x [0]} G^{- 1} (C_{T, r}^{S} (x_{r})) & otherwise \end{matrix}$

i.e., C₀denotes two bits. Hence, during the evaluation of C_T^S(x), a leaf in T may represent one bit or two bits. Let z=z_0∥z₁, where z₀∈{0,1}^|T| and z₁∈{0,1, 0}^|T|. Thus, a member of the function family custom-character ₍_,T,P)is defined as:

${F_{S}^{'} (z_{0}, z_{1}) := ⌊ S^{T} \cdot A_{T} (z_{0}) + R_{0} (z_{0}) \cdot G^{- 1} (C_{T}^{S} (z_{1})) ⌉}_{p} where$

$R_{0} (z_{0}) = R (z_{0}) \cdot A_{z_{0} [0]} .$

Beneficially, a bi-homomorphic PRF family may be utilized to achieve maximum entropy because z₁and y_rhdo not need to be equal, and can be sampled uniformly where the Hamming distance requirements are satisfied. For example, the Hamming distance requirement may be d(z₁,y_rh)≤c, as described below. Additionally, the input length may be increased when moving from {0,1} to {0,1, 0}.

At step 208, ciphertext C₁206 is updated to ciphertext C₂210 with an updating token Δ_i. By using the updating token Δ_i, ciphertext C₁206 associated with k₁is updated to ciphertext C₂210 associated with k₂. Thus, the encryption key associated with the plaintext is rotated.

In embodiments where the ciphertext C₁206 is encrypted based on a key-homomorphic PRF family, the updating token is: Δ_i=F_s₂(H(D_i))−F_s₁(H(D_i)).

In embodiments where the ciphertext C₁206 is encrypted based on a bi-homomorphic PRF family, the updating token is Δ_i=F′_s₂(H(D_i),z₁)−F_s₁(H(D_i), y_rh), where z₁is chosen such that the following holds for the Hamming distance: d(z₁,y_rh)≤c, where c∈ custom-character is a constant.

Note that flow 200 is just one example, and other flows including fewer, additional, or alternative steps, consistent with this disclosure, are possible.

Example Flow for Validating a Key Rotation

FIG. 3 depicts an example flow 300 for validating key rotation, such as a key rotation performed according to flow 200 described with respect to FIG. 2.

At step 312, a set of blocks of ciphertext C₂310 is randomly selected with cardinality B. The cardinality of a set is a measure of the number of elements of the set, thus, blocks of ciphertext C₂310 may be randomly selected to obtain B number of blocks for the set. B is computed based on the desired probability of correctness Ψ, where

$Ψ = ⌊ 1 - \frac{1}{2^{\frac{ℬ}{t}}} ⌋ .$

Each block of the set of blocks of ciphertext C₂310 is reverted to a block of ciphertext C₃306, forming a set of blocks of ciphertext C₃306 (by C₂−Δ_i(from step 208 in FIG. 2)).

At step 314, the Hamming distance between the encryptions of each of the corresponding blocks from ciphertext C₃306 and ciphertext C₂310 is determined. The Hamming weight wt(v) of v∈ custom-character is the number of nonzero entries in v. The Hamming distance d(u, v) between u, v∈ is the number of positions in which they differ, i.e., d(u, v)=wt(u−v). For example, the Hamming distance between “karolin” and “kathrin” is 3.

At step 316, the Hamming distance between each block of ciphertext C₃306 and ciphertext C₂310, determined at step 314, is compared to a threshold. The threshold may be based on t and the maximum Hamming distance between any two keys. For example, as described herein, a maximum Hamming weight may be set for the secret key vector or matrix. Because low-norm keys are described herein, the threshold Hamming weight of each key will be much smaller than n or w, representing the dimension of the lattice. Where t is the threshold Hamming weight for each key, then for any two keys, the maximum threshold Hamming distance is 2t<< n, where << denotes “much smaller than.”

In embodiments where the encryption scheme is a key-homomorphic PRF probabilistic encryption scheme, the threshold may be t+1. If the Hamming distance between the encryptions of all the blocks from the set of blocks of ciphertext C₃306 and the set of blocks of ciphertext C₂310 is less than the threshold, then flow 300 proceeds to step 318.

In embodiments where the encryption scheme is a bi-homomorphic PRF probabilistic encryption scheme, the threshold may be t+c, where c∈ custom-character is a constant. In embodiments, c is set with a maximum of

$n^{\frac{1}{z}}$

for some integer z≈t. If the Hamming distance between the encryptions of all the blocks from the set of blocks of ciphertext C₃306 and the set of blocks of ciphertext C₂310 is less than the threshold, then flow 300 proceeds to step 318.

At step 318, ciphertext C₂is determined to be a valid re-encryption of the plaintext P.

As depicted in FIG. 4, the Hamming distance 414 between k₁, k₂, may be determined because k₁, k₂, are known based on the encryption scheme used in FIG. 2.

The Hamming distance 412 between two ciphertexts, ciphertext C₁406 generated by encrypting plaintext P 402 with a probabilistic scheme based on k₁at step 404, and ciphertext C₂410 generated by encrypting plaintext P 402 with a probabilistic scheme based on k₂at 408 may be predicted based on the Hamming distance 414 between k₁and k₂. This is because k₁and k₂are sampled from a binary distribution with a low norm such that the Hamming weight of each key is below a fixed threshold. The threshold may be determined based on the binary-LWE problem and desired security against quantum probabilistic polynomial time (PPT) adversaries. For example, the threshold may be

$\ \sqrt \frac{m}{n} σ,$

where σ is the standard deviation of the Gaussian distribution used to sample the binary errors. As used here, n denotes the dimension of the lattice and m denotes the number of samples the adversary is provided by the LWE oracle, as described above. Further m may be [poly(n)], however, it may be limited based on the desired settings and the implementation. Having such a key implies that the key- and bi-homomorphic PRF families output a randomized linear combination of the output of another randomized linear function on the input.

Therefore, performing updatable encryption procedure from FIG. 2 on plaintext P with different keys, k₁, k₂, yields outputs whose Hamming distance, e.g., Hamming distance 412, can be predicted with respect to the Hamming distance 414 between k₁, k₂, without needing to compute the Hamming distance 412 by generating ciphertext C₁and ciphertext C₂at step 404 and step 408, respectively.

Thus, returning to step 318 in FIG. 3, the ciphertext C₂310 may be accepted as a valid re-encryption of plaintext P.

At step 320, the encryption key is rotated, by replacing the previous key k₁associated with ciphertext C₁with the new key k₂associated with ciphertext C₂.

If at step 316, the Hamming distance between the encryptions of all the blocks from the set of blocks of ciphertext C₃306 and the set of blocks of ciphertext C₂310 is greater than or equal to the threshold, then flow 300 proceeds to step 322 with rejecting ciphertext C₂310 as a valid re-encryption of the plaintext P. At step 324, the previous key k₁associated with ciphertext C₁is retained.

In some embodiments, where the re-encryption is rejected as an invalid key rotation, a subsequent key rotation is performed, such as described with respect to FIG. 2.

In some embodiments, the Hamming distance may be replaced with the Renyi divergence (RD). RD is a measure of the closeness of two probability distributions. Let P and Q be probability measures on some measurable space with p and q denoting their respective densities with respect to a common σ-finite dominating measure μ. Then, α∈R⁺\{0, 1, ∞}, the RD D_α between P and Q is defined as:

$q \geq 2, D_{α} (P || Q) = \frac{1}{α - 1} \log \int p^{α} q^{1 - α} d μ$

where p^αq^1-α=0 if p=q=0, and x/0=∞ for x>0. Let X, Y be a pair of discrete random variables such that the value of X is determined from the value of Y by asking questions in the form: “Is X equal to x?” until the answer is affirmative. Where the RD distance between each block of ciphertext C₃and ciphertext C₂, is within a predicted range, then ciphertext C₂is accepted as a valid re-encryption of plaintext P.

Note that flow 300 is just one example, and other flows including fewer, additional, or alternative steps, consistent with this disclosure, are possible.

Example Method for Key Rotation

FIG. 5 depicts an example method 500 for key rotation of an encryption key, such as by a key rotation component, for example, key rotation component 118 in FIG. 1.

Initially, method 500 begins at step 502 with generating a first ciphertext by encrypting a plaintext with a homomorphic probabilistic encryption scheme based on a first key, such as described with respect to step 204 in FIG. 2.

In some embodiments, the homomorphic probabilistic encryption scheme is derived from a key-homomorphic pseudorandom function family.

In some embodiments, the homomorphic probabilistic encryption scheme is derived from a bi-homomorphic pseudorandom function family.

Method 500 proceeds to step 504 with generating an updating token based on a difference between the homomorphic probabilistic encryption scheme based on the first key and the homomorphic probabilistic encryption scheme based on a second key.

In embodiments where the encryption is based on a key-homomorphic PRF family, the updating token is: Δ_i=F_s₂(H(D_i))−F_s₁(H(D_i)). As described above, the updating token is generated using F_s(H(D_i))⊕P_i, given H:{0,1}*→{0,1}^|T| is a cryptographic hash function and D_iis the ID of the i^thplaintext block, P_i, for a first key s₁and for a second key s₂.

In embodiments where the encryption is based on a bi-homomorphic PRF family, the updating token is Δ_i=F′_s₂(H(D_i), z₁)−F_s₁(H(D_i), y_rh),where z₁is chosen such that the following holds for the Hamming distance: d(z₁,y_rh)≤c, where c∈ custom-character is a constant. As described above, the updating token is generated using F_s₁(H(D_i),y_rh)⊕B_i, where H:{0,1}*→{0,1}^|T| is a cryptographic hash function, y_rh{0,1}^|T|, and D_iis the ID of the i^thplaintext block, P_i, for a first key s₁and F′_S(z₀,z₁):=└S^T·A_T(z₀)+R₀(z₀)·G⁻¹(C_T^S(z₁))┐_p,where R₀(z₀)=R(z₀) A_z₀_[0], for a second key s₂.

Method 500 then proceeds to step 506 with generating a second ciphertext by encrypting the first ciphertext with the updating token, such as described with respect to step 208 in FIG. 2.

In some embodiments, method 500 further comprises: selecting a set of second ciphertext blocks from the second ciphertext, such as described with respect to step 312 in FIG. 3; reverting the set of second ciphertext blocks with the updating token to a set of third ciphertext blocks; and computing a Hamming distance between blocks of the set of second ciphertext blocks and the corresponding set of third ciphertext blocks, such as described with respect to step 314 in FIG. 3.

In some embodiments, the set of third ciphertext blocks corresponds to a set of blocks selected from the first ciphertext.

In some embodiments, in response to determining the Hamming distance is less than a threshold, method 500 further comprises validating the second ciphertext, such as described with respect to step 318 in FIG. 3; and replacing the first key with the second key as the encryption key for the plaintext, such as described with respect to step 320 in FIG. 3.

In some embodiments in response to determining the Hamming distance is greater than a threshold, method 500 further comprises rejecting the second ciphertext, such as described with respect to step 322 in FIG. 3; and retaining the first key as the encryption key for the plaintext, such as described with respect to step 324 in FIG. 3.

In some embodiments, method 500 further comprises generating a second updating token based on a difference between the homomorphic probabilistic encryption scheme based on the first key and the homomorphic probabilistic encryption scheme based on a fourth key; and generating a fourth ciphertext by encrypting the first ciphertext with the second updating token, such as described with respect to flow 200 in FIG. 2.

In some embodiments, method 500 further comprises: selecting a set of second ciphertext blocks from the second ciphertext; reverting the second of second ciphertext blocks with the updating token to a set of third ciphertext blocks; and computing a Renyi divergence between blocks of the set of second ciphertext blocks and the corresponding set of third ciphertext blocks, such as described with respect to FIG. 3.

In some embodiments, method 500 further comprises: in response to determining the Renyi divergence is between a predicted range, validating the second ciphertext; and replacing the first key with the second key as the encryption key for the plaintext, such as described with respect to FIG. 3.

Note that method 500 is just one example, and other flows including fewer, additional, or alternative steps, consistent with this disclosure, are possible.

Example Processing Systems for Managing Blockchain Addresses

FIG. 6 depicts an example processing system configured for performing various aspects described herein, for example,

Processing system 600 includes one or more processors 602. Generally, processor(s) 602 may be configured to execute computer-executable instructions (e.g., software code) to perform various functions, as described herein.

Processing system 600 further includes one or more network interfaces 604, which generally provide data access to any sort of data network, including personal area networks (PANs), local area networks (LANs), wide area networks (WANs), the Internet, and the like. In some cases, network interface(s) 604 provide access to blockchain networks, including source and destination blockchain networks, such as described above.

Processing system 600 further includes input(s) and output(s) 606, which generally provide means for providing data to and from processing system 600, such as via connection to computing device peripherals, including user interface peripherals.

Processing system further includes a memory 610 configured to store various types of components and data. In this example, memory 610 includes a key management component 612; a key rotation component 614; a validation component 616; a key storage component 618; a generating component 620; a selecting component 622; a reverting component 624; a computing component 626; a ciphertext data 628; and key data 630.

In some embodiments, key management component 612, such as key management component 116 in FIG. 1, is configured to manage keys and key rotation, for example, flow 200 in FIG. 2, flow 300 in FIG. 3, and method 500 in FIG. 5.

In some embodiments, key rotation component 614, such as key rotation component 118 in FIG. 1, is configured to rotate keys for example, flow 200 in FIG. 2 and method 500 in FIG. 5.

In some embodiments, validation component 616, such as validation component 120, is configured to validate key rotation, for example, flow 300 in FIG. 3.

In some embodiments, key storage component 618, such as key storage component 112 in FIG. 1, is configured to store keys, such as in key data 630.

In some embodiments, generating component 620 is configured to generate a first ciphertext by encrypting a plaintext with a homomorphic pseudorandom function probabilistic encryption scheme based on a first key, such as described with respect to step 204 in FIG. 2 or step 502 in FIG. 5; generate an updating token based on a difference between the homomorphic probabilistic encryption scheme pseudorandom function based on the first key and the homomorphic probabilistic encryption scheme function based on a second key, such as described with respect to step 504 in FIG. 5; or generate a second ciphertext by encrypting the first ciphertext with the updating token, such as described with respect to step 208 in FIG. 2 or step 506 in FIG. 5, stored as ciphertext data 628.

In some embodiments, selecting component 622 is configured to select a set of second ciphertext blocks from the second ciphertext, such as described with respect to step 312 in FIG. 3. For example, the set of blocks of ciphertext is randomly selected with cardinality B.

In some embodiments, reverting component 624 is configured to revert the set of second ciphertext blocks with the updating token to a set of third ciphertext blocks, such as described with respect to step 315 in FIG. 3.

In some embodiments, computing component 626 is configured to compute a Hamming distance between blocks of the set of second ciphertext blocks and the corresponding set of third ciphertext blocks, such as described with respect to step 316 in FIG. 3. In some embodiments, computing component 626 is configured to compute a Renyi divergence between blocks of the set of second ciphertext blocks and the corresponding set of third ciphertext blocks.

Processing system 600 may be implemented in various ways. For example, processing system 600 may be implemented within on-site, remote, or cloud-based processing equipment.

Note that while depicted as a single processing system in FIG. 6, aspects of processing system 600 may be distributed among a plurality of processing systems. For example, each of the steps of method 500 described above with respect to FIG. 5 may be performed on a separate processing system (not depicted).

Processing system 600 is just one example, and other configurations are possible. For example, in alternative embodiments, aspects described with respect to processing system 600 may be omitted, added, or substituted for alternative aspects.

Example Clauses

Implementation examples are described in the following numbered clauses:

Clause 1: A method for key rotation of an encryption key, comprising: generating a first ciphertext by encrypting a plaintext with a homomorphic pseudorandom function probabilistic encryption scheme based on a first key; generating an updating token based on a difference between the homomorphic probabilistic encryption scheme pseudorandom function based on the first key and the homomorphic probabilistic encryption scheme function based on a second key; and generating a second ciphertext by encrypting the first ciphertext with the updating token.

Clause 2: The method of clause 1, further comprising: selecting a set of second ciphertext blocks from the second ciphertext; reverting the set of second ciphertext blocks with the updating token to a set of third ciphertext blocks; and computing a Hamming distance between blocks of the set of second ciphertext blocks and the corresponding set of third ciphertext blocks.

Clause 3: The method of clause 2, further comprising: in response to determining the Hamming distance is less than a threshold, validating the second ciphertext; and replacing the first key with the second key as the encryption key for the plaintext.

Clause 4: The method of clause 2, further comprising: in response to determining the Hamming distance is greater than a threshold, rejecting the second ciphertext; and retaining the first key as the encryption key for the plaintext.

Clause 5: The method of clause 4, further comprising: generating a second updating token based on a difference between the homomorphic probabilistic encryption scheme pseudorandom function based on the first key and the homomorphic probabilistic encryption scheme function based on a fourth key, and generating a fourth ciphertext by encrypting the first ciphertext with the second updating token.

Clause 6: The method of any one of clauses 2-5, wherein the set of third ciphertext blocks corresponds to a set of blocks selected from the first ciphertext.

Clause 7: The method of clause 1, further comprising: selecting a set of second ciphertext blocks from the second ciphertext; reverting the second of second ciphertext blocks with the updating token to a set of third ciphertext blocks; and computing a Renyi divergence between blocks of the set of second ciphertext blocks and the corresponding set of third ciphertext blocks.

Clause 8: The method of clause 7, further comprising: in response to determining the Renyi divergence is between a predicted range, validating the second ciphertext; and replacing the first key with the second key as the encryption key for the plaintext.

Clause 9: The method of clause 7, further comprising: in response to determining the Renyi divergence is not between a predicted range, rejecting the second ciphertext; and retaining the first key as the encryption key for the plaintext.

Clause 10: The method of any one of clauses 7-9, wherein the set of third ciphertext blocks corresponds to a set of blocks selected from the first ciphertext.

Clause 11: The method of any one of clauses 1-10, wherein the homomorphic probabilistic encryption scheme function comprises a probabilistic scheme derived from a key-homomorphic pseudorandom function family.

Clause 12: The method of any one of clauses 1-10, wherein the homomorphic probabilistic encryption scheme function comprises a probabilistic scheme is derived from a bi-homomorphic pseudorandom function family.

Clause 13: A processing system, comprising: a memory comprising computer-executable instructions; and a processor configured to execute the computer-executable instructions and cause the processing system to perform a method in accordance with any one of Clauses 1-12.

Clause 14: A processing system, comprising means for performing a method in accordance with any one of Clauses 1-12.

Clause 15: A non-transitory computer-readable medium storing program code for causing a processing system to perform the steps of any one of Clauses 1-12.

Clause 16: A computer program product embodied on a computer-readable storage medium comprising code for performing a method in accordance with any one of Clauses 1-12.

ADDITIONAL CONSIDERATIONS

The preceding description is provided to enable any person skilled in the art to practice the various embodiments described herein. The examples discussed herein are not limiting of the scope, applicability, or embodiments set forth in the claims. Various modifications to these embodiments will be readily apparent to those skilled in the art, and the generic principles defined herein may be applied to other embodiments. For example, changes may be made in the function and arrangement of elements discussed without departing from the scope of the disclosure. Various examples may omit, substitute, or add various procedures or components as appropriate. For instance, the methods described may be performed in an order different from that described, and various steps may be added, omitted, or combined. Also, features described with respect to some examples may be combined in some other examples. For example, an apparatus may be implemented or a method may be practiced using any number of the aspects set forth herein. In addition, the scope of the disclosure is intended to cover such an apparatus or method that is practiced using other structure, functionality, or structure and functionality in addition to, or other than, the various aspects of the disclosure set forth herein. It should be understood that any aspect of the disclosure disclosed herein may be embodied by one or more elements of a claim.

As used herein, the word “exemplary” means “serving as an example, instance, or illustration.” Any aspect described herein as “exemplary” is not necessarily to be construed as preferred or advantageous over other aspects.

As used herein, a phrase referring to “at least one of” a list of items refers to any combination of those items, including single members. As an example, “at least one of: a, b, or c” is intended to cover a, b, c, a-b, a-c, b-c, and a-b-c, as well as any combination with multiples of the same element (e.g., a-a, a-a-a, a-a-b, a-a-c, a-b-b, a-c-c, b-b, b-b-b, b-b-c, c-c, and c-c-c or any other ordering of a, b, and c). Reference to an element in the singular is not intended to mean only one unless specifically so stated, but rather “one or more.” For example, reference to an element (e.g., “a processor,” “a memory,” etc.), unless otherwise specifically stated, should be understood to refer to one or more elements (e.g., “one or more processors,” “one or more memories,” etc.). The terms “set” and “group” are intended to include one or more elements, and may be used interchangeably with “one or more.” Where reference is made to one or more elements performing functions (e.g., steps of a method), one element may perform all functions, or more than one element may collectively perform the functions. When more than one element collectively performs the functions, each function need not be performed by each of those elements (e.g., different functions may be performed by different elements) and/or each function need not be performed in whole by only one element (e.g., different elements may perform different sub-functions of a function). Similarly, where reference is made to one or more elements configured to cause another element (e.g., an apparatus) to perform functions, one element may be configured to cause the other element to perform all functions, or more than one element may collectively be configured to cause the other element to perform the functions. Unless specifically stated otherwise, the term “some” refers to one or more.

As used herein, the term “determining” encompasses a wide variety of actions. For example, “determining” may include calculating, computing, processing, deriving, investigating, looking up (e.g., looking up in a table, a database or another data structure), ascertaining and the like. Also, “determining” may include receiving (e.g., receiving information), accessing (e.g., accessing data in a memory) and the like. Also, “determining” may include resolving, selecting, choosing, establishing and the like.

The methods disclosed herein comprise one or more steps or actions for achieving the methods. The method steps and/or actions may be interchanged with one another without departing from the scope of the claims. In other words, unless a specific order of steps or actions is specified, the order and/or use of specific steps and/or actions may be modified without departing from the scope of the claims. Further, the various operations of methods described above may be performed by any suitable means capable of performing the corresponding functions. The means may include various hardware and/or software component(s) and/or module(s), including, but not limited to a circuit, an application specific integrated circuit (ASIC), or processor. Generally, where there are operations illustrated in figures, those operations may have corresponding counterpart means-plus-function components with similar numbering.

The following claims are not intended to be limited to the embodiments shown herein, but are to be accorded the full scope consistent with the language of the claims. Within a claim, reference to an element in the singular is not intended to mean “one and only one” unless specifically so stated, but rather “one or more.” Unless specifically stated otherwise, the term “some” refers to one or more. No claim element is to be construed under the provisions of 35 U.S.C. § 112(f) unless the element is expressly recited using the phrase “means for” or, in the case of a method claim, the element is recited using the phrase “step for.” All structural and functional equivalents to the elements of the various aspects described throughout this disclosure that are known or later come to be known to those of ordinary skill in the art are expressly incorporated herein by reference and are intended to be encompassed by the claims. Moreover, nothing disclosed herein is intended to be dedicated to the public regardless of whether such disclosure is explicitly recited in the claims.

POST-QUANTUM CONSTANT-TIME KEY ROTATION VERIFICATION

Information

Publication Number

Date Filed

Date Published

Inventors

Original Assignees

CPC

International Classifications

Abstract

Description

Claims