Abstract: In a method for validation of a finality proof in a distributed ledger system network a support node collects a required number of confirmations from the distributed ledger system network indicating that a requested transaction is finalized. The support node generates the finality proof based on the collected confirmations. The support node transmits the finality proof to a trusted agent for verification.

Abstract: A method for securing a genuine machine learning model against adversarial samples includes receiving a sample, as well as receiving a classification of the sample using the genuine machine learning model or classifying the sample using the genuine machine learning model. The sample is classified using a plurality of backdoored models, which are each a backdoored version of the genuine machine learning model. The classification of the sample using the genuine machine learning model is compared to each of the classifications of the sample using the backdoored models to determine a number of the backdoored models outputting a different class than the genuine machine learning model. The number of the backdoored models outputting a different class than the genuine machine learning model is compared against a predetermined threshold so as to determine whether the sample is an adversarial sample.

Abstract: A method for detecting a trusted execution environment (TEE) clone application operating on a computing device includes measuring a plurality of read time periods associated with a plurality of monitored cache sets within a memory cache based on executing a first auxiliary thread of a TEE application on the computing device. Each of the read time periods indicating a time period that is used to read data within one of the monitored cache sets. The read time periods are compared with a time threshold to determine one or more cache misses. The TEE clone application is detected as operating on the computing device based on the determined cache misses.

Abstract: A method is for identification and monitoring of devices of a network. The devices of the network are provided and/or operated by different participating entities. The method includes: setting up a distributed ledger network, where each of the participating entities maintains one or multiple nodes in the distributed ledger network; setting up a public key infrastructure that assigns each device, before being deployed to the network, a unique certified public key; and keeping an updated status of the devices in a ledger of the distributed ledger network by identifying, by the participating entities, a change of a status of a device and issuing a transaction related to the status change of the device to the ledger. The device's public key is recorded in the transaction.

Abstract: A method for re-keying an encrypted data file, the data file being stored chunkwise on a storage entity (SE), data file chunks being encrypted with a global secret, and the method being performed by one or more computing devices, includes updating the global secret for encryption data for a data chunk to be re-keyed such that an output of a non-interactive oblivious key exchange is used to identify the private key of the data chunk to be re-keyed with a new private key, wherein the non-interactive oblivious key exchange uses an oblivious protocol; and reencrypting the data chunk to be re-keyed with the updated global secret.

Abstract: A method secures a system that includes an application owner, a master application, and a plurality secure platforms. The master application receives from the application owner an application and an input. The application computes a function to calculate an output from the input. The master application deploys replicas of the application on a number of the secure platforms. The master application establishes a secure channel with each of the replicas, and sends at least a portion of the input to the replicas. The master application receives a result calculated by each of the replicas. The result is determined according to the function and the at least the portion of input. The master application determines the output based on the result received from each of the replicas; and sends to the application owner, the output.

Abstract: A method for supporting identity management of travelers in an airport using a distributed ledger system includes receiving, by a global identity blockchain, a registration request from a traveler via a traveler device. The registration request includes a commitment for identity data that is uploaded by the traveler in a secure cloud storage. The method further includes recording the commitment in the global identity blockchain, receiving, by the global identity blockchain, a result of an identity verification with respect to the traveler from a verifier entity, recording the result in the global identity blockchain, and receiving, by a security blockchain, a ticket registration transaction issued by an airline entity. The ticket registration transaction comprises a unique traveler ID of the traveler. The method further includes issuing, by the security blockchain, an access control list update upon reception of consent by the traveler.

Abstract: A method performs remote attestation using a gateway between a verifier and a remote host. The remote host has a trusted execution environment (TEE), in which an application to be attested is running. The gateway receives an attestation request from the verifier, determines a type of the TEE of the remote host and an expected identity of the application to be attested and selecting an attestation protocol based on the determined type of the TEE of the remote host, and verifies the expected identity of the application to be attested by executing the selected attestation protocol with the remote host and transmitting an attestation result to the verifier.

Abstract: A method for executing smart contracts in a cryptocurrency, in which a state of the smart contract is stored on a blockchain of the cryptocurrency, is performed by a contract creator and includes determining a distributed set of service providers. A smart contract is deployed and a trust model is defined that allows the distributed set of service providers to perform a transaction that effects a state transition of the smart contract in a case that a predefined or configurable quorum of the service providers of the distributed set of service providers attests to validity of the transaction. Contract execution is offloaded to the distributed set of service providers and, in a case of achieving the quorum, the state transition effected by the transaction is included in the blockchain.

Abstract: A method of preserving privacy for usage of a lightweight blockchain client in a blockchain network includes using, in a full blockchain node of the blockchain network, a trusted execution environment (TEE). A secure communication is established between the lightweight blockchain client and the TEE. The TEE receives a request from the lightweight blockchain client for at least one transaction or address of the lightweight blockchain client. The TEE obtains unspent transaction output (UTXO) information with respect to the request from the lightweight blockchain client from a UTXO database by oblivious database access using an oblivious RAM (ORAM) protocol.

Abstract: Systems and methods for validation of transaction policy compliance are provided. Code is implemented, including a transaction policy compliance check, in a form of a trusted application to be executed in a trusted execution environment (TEE). A secret is attested and provisioned to a trusted application instance in the TEE. The trusted application instance is executed on a client transaction request to generate a policy compliance result. A transaction object is generated, including the policy compliance result and a proof of the execution. The transaction object is proposed to a distributed ledger system. The policy compliance result and a proof of the execution during transaction validation in the distributed ledger system is verified.

Abstract: A method for providing a trusted service to a trusted execution environment running on a remote host machine includes receiving a message from the trusted execution environment and incrementing a counter of the trusted service. A response message is sent to the trusted execution environment using a value of the incremented counter.

Abstract: A reference monitor (RM) operates within a network having controllers that each control a corresponding network part having a forwarding element (FE) for forwarding data within the network. The RM enforces the security policy for a first network part managed by a first controller. The method includes: receiving a first rule request from the first controller, checking the first rule request for policy compliance, authorizing a part of the first rule request that is policy compliant, receiving a second rule request, the second rule request being from a second controller configured to control a second part of the network, the second rule request comprising an outside modification impacting the first network part, which is not managed by the second controller, checking the outside modification part for policy compliance, and based on determining that the outside modification part is policy compliant, authorizing the outside modification part of the second rule request.

Abstract: A method of providing secure ledger distribution for interbank settlement includes maintaining a first consensus layer in a mainchain among a plurality of nodes of the centralized computer system and a second consensus layer in a first private sidechain among at least one node of the centralized computer system and computer systems of at least a first sender bank and a first receiver bank, each of which have an account with the central bank. A first transaction is received from the computer system of the first sender bank as a first payment request. It is determined that the first transaction is valid and consensus is reached on a distributed ledger in the mainchain. A first finality proof for the first transaction is forwarded to the first private sidechain. The first transaction is added to a first private ledger accessible only within the first private sidechain.

Abstract: Systems and methods for validation of transaction policy compliance are provided. Code is implemented, including a transaction policy compliance check, in a form of a trusted application to be executed in a trusted execution environment (TEE). A secret is attested and provisioned to a trusted application instance in the TEE. The trusted application instance is executed on a client transaction request to generate a policy compliance result. A transaction object is generated, including the policy compliance result and a proof of the execution. The transaction object is proposed to a distributed ledger system. The policy compliance result and a proof of the execution during transaction validation in the distributed ledger system is verified.

Abstract: A method for mining a block in a decentralized blockchain consensus network (DBCN) includes sending, by a mining computing entity (MCE), a signing request for mining a new block of a blockchain to a trusted execution environment computing entity (TEE-CE), the signing request including block information, the block information including block height information, and comparing, by the TEE-CE, the block height information of the signing request with block height information from a last signing request and providing a matching, when the difference between the block height information of the signing request and the block height information from the last signing request satisfies a defined value. The method further comprises, upon providing the matching, signing, by the TEE-CE, the new block based on the block information, and providing, by the MCE, the new signed block to the DBCN.

Abstract: A method for signing a new block of a blockchain of a distributed blockchain consensus network (DBCN), comprising a mining computing entity (MCE) and a node computing entity, includes the step of signing and/or encrypting of predefined MCE information by the MCE, using a secret key of a public key/secret key key pair of the MCE to obtain hidden information (HI). The new block is signed by the MCE using the secret key and block information comprising block height information to create a signature for the new block. In a case of at least one further signing of a different block with the respective same block height information by the MCE, reveal information is provided to reveal the HI to the DBCN by another node computing entity of the DBCN when the node computing entity has received two signatures comprising the same corresponding block height information.

Abstract: A method prevents posterior-corruption long-range attacks in a proof of stake blockchain protocol in a blockchain network. The method includes: generating, by a blockchain node associated with a TEE device, a signing key pair, including a public key and a private key; remotely-attesting, by the blockchain node, a trusted enclave application, including generating an attestation certificate; and issuing, by the blockchain node, a registration transaction to distribute the attestation certificate; the registration transaction specifying an amount of mining stake purchased by the blockchain validator. Once the registration transaction is confirmed, the TEE device becomes enabled for mining blocks in the blockchain network.

Abstract: A method for storing data on a storage entity (SE) includes the steps of: (a) dividing a file to be stored into a plurality of chunks by a client; (b) computing a secret key for each of the chunks of the file; (c) computing for each of the chunks a chunk identifier by the client; (d) checking, by the SE, whether one or more of the chunks have already been stored based on the computed chunk identifiers; and (e) it a case where it is determined that one or more of the chunks have not already been stored, performing the following: encoding the corresponding chunks; computing chunk tags for the chunks using the computed secret key; and storing the encoded chunks and the chunk tags.

Abstract: A method for securely sharing validation information of one or more data files stored on different cloud servers using distributed ledger technology includes requesting access to the data files and calculating a hash thereof. A structured Merkle tree is constructed using the hash and additional hashes of other data files for which a user has not granted access, but has used to construct a corresponding Merkle tree for which the user has committed a root value to a main blockchain. It is checked whether the root value of the Merkle tree is the same as the one the user has committed, and whether the hash of the data files is stored in a block of a satellite blockchain linked to the main blockchain and operated by a subset of nodes of the main blockchain that trust one another.