Patents by Inventor Joud Khoury

Joud Khoury has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).

  • Patent number: 11804949
    Abstract: Techniques for subscriber revocation in a publish-subscribe network using attribute-based encryption (ABE) are disclosed, including: generating a tree data structure including leaf nodes representing subscribers, subtrees of the tree data structure representing subsets of subscribers having different likelihoods of ABE key revocation; generating ABE keys associated with edges in the tree data structure; assigning ABE keys to the leaf nodes, each leaf node being assigned a subset of the ABE keys associated with edges that form a path from a root node to the leaf node; based at least on a revocation record that indicates one or more revoked subscribers, determining a minimal subset of ABE keys that covers all non-revoked subscribers; and encrypting a payload using an encryption policy requiring at least one ABE key in the minimal subset of the ABE keys, to obtain a ciphertext that is not accessible to the one or more revoked subscribers.
    Type: Grant
    Filed: March 19, 2021
    Date of Patent: October 31, 2023
    Assignee: Raytheon BBN Technologies Corp.
    Inventors: Joud Khoury, Samuel Cunningham Nelson, William Timothy Strayer
  • Publication number: 20230261873
    Abstract: Techniques for verifiable computation for cross-domain information sharing are disclosed. An untrusted node in a distributed cross-domain solution (CDS) system is configured to: receive a first data item and a first cryptographic proof associated with the first data item; perform a computation on the first data item including one or more of filtering, sanitizing, or validating the first data item, to obtain a second data item; generate, using a proof-carrying data (PCD) computation, a second cryptographic proof that indicates (a) validity of the first cryptographic proof and (b) integrity of the first computation on the first data item; and transmit the second data item and the second cryptographic proof to a recipient node in the distributed CDS system. Alternatively or additionally, the untrusted node may be configured to transmit a cryptographic proof to a trusted aggregator in the CDS system.
    Type: Application
    Filed: April 24, 2023
    Publication date: August 17, 2023
    Inventors: Joud Khoury, Michael Hassan Atighetchi, Zachary Ratliff
  • Patent number: 11637702
    Abstract: Techniques for verifiable computation for cross-domain information sharing are disclosed. An untrusted node in a distributed cross-domain solution (CDS) system is configured to: receive a first data item and a first cryptographic proof associated with the first data item; perform a computation on the first data item including one or more of filtering, sanitizing, or validating the first data item, to obtain a second data item; generate, using a proof-carrying data (PCD) computation, a second cryptographic proof that indicates (a) validity of the first cryptographic proof and (b) integrity of the first computation on the first data item; and transmit the second data item and the second cryptographic proof to a recipient node in the distributed CDS system. Alternatively or additionally, the untrusted node may be configured to transmit a cryptographic proof to a trusted aggregator in the CDS system.
    Type: Grant
    Filed: February 10, 2021
    Date of Patent: April 25, 2023
    Assignee: Raytheon BBN Technologies Corp.
    Inventors: Joud Khoury, Michael Hassan Atighetchi, Zachary Ratliff
  • Patent number: 11595410
    Abstract: Techniques for cross-domain routing using a fractionated cross-domain solution (F-CDS) are disclosed. A first intermediate node operating in a first physical device in an assured pipeline of the F-CDS receives a data item originating at a source node in a first security domain. The first intermediate node applies a first data filter to determine that the data item complies with a data security requirement of the F-CDS. The first intermediate node transmits the data item to a second intermediate node operating in a second physical device in the assured pipeline of the F-CDS. The second intermediate node applies a second data filter to redundantly determine that the data item complies with the data security requirement of the F-CDS. The second intermediate node transmits the data item to a recipient node in a second security domain via the assured pipeline.
    Type: Grant
    Filed: March 4, 2020
    Date of Patent: February 28, 2023
    Assignee: Raytheon BBN Technologies Corp.
    Inventors: Michael Hassan Atighetchi, Joud Khoury
  • Patent number: 11558185
    Abstract: Techniques for stream-based key management are disclosed. A system obtains a first payload to be published to a first set of one or more subscribers, encrypts the first payload using a symmetric key, to obtain a first payload ciphertext, encrypts the symmetric key using an attribute-based encryption (ABE) policy associated with the first payload, to obtain a key ciphertext, and publishes the first payload ciphertext and the key ciphertext. The system obtains a second payload to be published to a second set of one or more subscribers. Responsive at least to determining that each subscriber in the second set of one or more subscribers is in the first set of one or more subscribers and the ABE policy is associated with the second payload, the system encrypts the second payload using the symmetric key, to obtain a second payload ciphertext, and publishes the second payload ciphertext without republishing the key ciphertext.
    Type: Grant
    Filed: March 19, 2021
    Date of Patent: January 17, 2023
    Assignee: Raytheon BBN Technologies Corp.
    Inventors: Joud Khoury, Samuel Cunningham Nelson, William Timothy Strayer
  • Publication number: 20220303115
    Abstract: Techniques for subscriber revocation in a publish-subscribe network using attribute-based encryption (ABE) are disclosed, including: generating a tree data structure including leaf nodes representing subscribers, subtrees of the tree data structure representing subsets of subscribers having different likelihoods of ABE key revocation; generating ABE keys associated with edges in the tree data structure; assigning ABE keys to the leaf nodes, each leaf node being assigned a subset of the ABE keys associated with edges that form a path from a root node to the leaf node; based at least on a revocation record that indicates one or more revoked subscribers, determining a minimal subset of ABE keys that covers all non-revoked subscribers; and encrypting a payload using an encryption policy requiring at least one ABE key in the minimal subset of the ABE keys, to obtain a ciphertext that is not accessible to the one or more revoked subscribers.
    Type: Application
    Filed: March 19, 2021
    Publication date: September 22, 2022
    Inventors: Joud Khoury, Samuel Cunningham Nelson, William Timothy Strayer
  • Publication number: 20220303127
    Abstract: Techniques for stream-based key management are disclosed. A system obtains a first payload to be published to a first set of one or more subscribers, encrypts the first payload using a symmetric key, to obtain a first payload ciphertext, encrypts the symmetric key using an attribute-based encryption (ABE) policy associated with the first payload, to obtain a key ciphertext, and publishes the first payload ciphertext and the key ciphertext. The system obtains a second payload to be published to a second set of one or more subscribers. Responsive at least to determining that each subscriber in the second set of one or more subscribers is in the first set of one or more subscribers and the ABE policy is associated with the second payload, the system encrypts the second payload using the symmetric key, to obtain a second payload ciphertext, and publishes the second payload ciphertext without republishing the key ciphertext.
    Type: Application
    Filed: March 19, 2021
    Publication date: September 22, 2022
    Inventors: Joud Khoury, Samuel Cunningham Nelson, William Timothy Strayer
  • Publication number: 20220037035
    Abstract: Techniques for geospatial-temporal pathogen tracing include: obtaining, from multiple mobile devices in association with a first time, first contact tracing data including at least first geospatial traffic data and first values of a set of attributes associated with a pathogen; obtaining, from the multiple mobile devices in association with a second time, second contact tracing data including at least second geospatial traffic data and second values of the set of attributes associated with the pathogen; and applying at least the first contact tracing data and the second contact tracing data to a machine learning model, to obtain actionable intelligence associated with the pathogen.
    Type: Application
    Filed: June 30, 2021
    Publication date: February 3, 2022
    Inventors: Daniel Alan Gregory, Prithwish Basu, Zachary Ratliff, Siddharth Pal, Kimberly Gavin, Benjamin Montgomery, Joud Khoury
  • Publication number: 20220006635
    Abstract: Techniques for geospatial-temporal pathogen tracing in zero knowledge include: generating, by a first user device, a first proximity token for contact tracing; receiving, by the first user device, a second proximity token from a second user device; generating, by the first user device, a hash based on the first proximity token and the second proximity token; generating, by the first user device using a prover function of a preprocessing zero knowledge succinct non-interactive argument of knowledge (pp-zk-SNARK), a cryptographic proof attesting that an individual associated with the first user device tested positive for a pathogen; transmitting, by the first user device, first publicly verifiable exposure data including at least the cryptographic proof and the hash to a public registry; and applying at least the first publicly verifiable exposure data and second publicly verifiable exposure data to a machine learning model, to obtain actionable intelligence associated with the pathogen.
    Type: Application
    Filed: June 30, 2021
    Publication date: January 6, 2022
    Inventors: Daniel Alan Gregory, Prithwish Basu, Zachary Ratliff, Siddharth Pal, Kimberly Gavin, Benjamin Montgomery, Joud Khoury
  • Publication number: 20210365585
    Abstract: Techniques for privacy-preserving contact tracing are disclosed, including: generating, by a first user device, a first proximity token for contact tracing; receiving, by the first user device, a second proximity token from a second user device; generating, by the first user device, a hash based on the first proximity token and the second proximity token; generating, by the first user device using a prover function of a preprocessing zero knowledge succinct non-interactive argument of knowledge (pp-zk-SNARK), a cryptographic proof attesting that an individual associated with the first user device tested positive for a pathogen; and transmitting, by the first user device, publicly verifiable exposure data including at least the cryptographic proof and the hash to a public registry.
    Type: Application
    Filed: May 21, 2021
    Publication date: November 25, 2021
    Inventors: Zachary Ratliff, Joud Khoury
  • Publication number: 20210281581
    Abstract: Techniques for cross-domain routing using a fractionated cross-domain solution (F-CDS) are disclosed. A first intermediate node operating in a first physical device in an assured pipeline of the F-CDS receives a data item originating at a source node in a first security domain. The first intermediate node applies a first data filter to determine that the data item complies with a data security requirement of the F-CDS. The first intermediate node transmits the data item to a second intermediate node operating in a second physical device in the assured pipeline of the F-CDS. The second intermediate node applies a second data filter to redundantly determine that the data item complies with the data security requirement of the F-CDS. The second intermediate node transmits the data item to a recipient node in a second security domain via the assured pipeline.
    Type: Application
    Filed: March 4, 2020
    Publication date: September 9, 2021
    Inventors: Michael Hassan Atighetchi, Joud Khoury
  • Publication number: 20210281412
    Abstract: Techniques for verifiable computation for cross-domain information sharing are disclosed. An untrusted node in a distributed cross-domain solution (CDS) system is configured to: receive a first data item and a first cryptographic proof associated with the first data item; perform a computation on the first data item including one or more of filtering, sanitizing, or validating the first data item, to obtain a second data item; generate, using a proof-carrying data (PCD) computation, a second cryptographic proof that indicates (a) validity of the first cryptographic proof and (b) integrity of the first computation on the first data item; and transmit the second data item and the second cryptographic proof to a recipient node in the distributed CDS system. Alternatively or additionally, the untrusted node may be configured to transmit a cryptographic proof to a trusted aggregator in the CDS system.
    Type: Application
    Filed: February 10, 2021
    Publication date: September 9, 2021
    Inventors: Joud Khoury, Michael Hassan Atighetchi, Zachary Ratliff
  • Patent number: 10924382
    Abstract: Discussed herein is technology for verifiable network configuration repair. A method can include adding a routing adjacency or route redistribution edge to a router of an aETG to generate an enhanced aETG (eaETG), adding, for each dETG of dETGs, static route edges to a destination of the dETG to generate an enhanced dETG (edETG), determining, for each of the edETGs, all simple paths from all sources to the destination of the edETG, determining a set of paths (pathset) over the determined simple paths that satisfies the policies, and translating the edge additions and/or removals in the eaETG and in the edETGs to an addition and/or removal of one or more of a routing adjacency, routing filter, or static route based on the determined pathset.
    Type: Grant
    Filed: July 22, 2019
    Date of Patent: February 16, 2021
    Assignee: Raytheon BBN Technologies Corp.
    Inventors: Joud Khoury, Michael Brandon Kremer
  • Publication number: 20210029015
    Abstract: Discussed herein is technology for verifiable network configuration repair. A method can include adding a routing adjacency or route redistribution edge to a router of an aETG to generate an enhanced aETG (eaETG), adding, for each dETG of dETGs, static route edges to a destination of the dETG to generate an enhanced dETG (edETG), determining, for each of the edETGs, all simple paths from all sources to the destination of the edETG, determining a set of paths (pathset) over the determined simple paths that satisfies the policies, and translating the edge additions and/or removals in the eaETG and in the edETGs to an addition and/or removal of one or more of a routing adjacency, routing filter, or static route based on the determined pathset.
    Type: Application
    Filed: July 22, 2019
    Publication date: January 28, 2021
    Inventors: Joud Khoury, Michael Brandon Kremer
  • Patent number: 10491133
    Abstract: Generally discussed herein are systems, devices, and methods for generating multi-function waveforms. A device can include input circuitry to receive parameters indicating respective frequencies and codes for the multi-function waveforms, one or more memories to store the respective frequencies and codes, waveform management circuitry configured to produce a series of values based on the frequencies and codes, respectively, and refine the series of values by reducing a cost associated with a waveform produced using the series of values, and a transceiver to generate the waveform.
    Type: Grant
    Filed: May 16, 2019
    Date of Patent: November 26, 2019
    Assignee: Raytheon Company
    Inventors: Jeffery Jay Logan, Charles Hansen, Michael Brandon Kremer, Christopher Paul Vander Valk, Joud Khoury
  • Publication number: 20190280608
    Abstract: Generally discussed herein are systems, devices, and methods for generating multi-function waveforms. A device can include input circuitry to receive parameters indicating respective frequencies and codes for the multi-function waveforms, one or more memories to store the respective frequencies and codes, waveform management circuitry configured to produce a series of values based on the frequencies and codes, respectively, and refine the series of values by reducing a cost associated with a waveform produced using the series of values, and a transceiver to generate the waveform.
    Type: Application
    Filed: May 16, 2019
    Publication date: September 12, 2019
    Inventors: Jeffery Jay Logan, Charles Hansen, Michael Brandon Kremer, Christopher Paul Vander Valk, Joud Khoury
  • Patent number: 10333421
    Abstract: Generally discussed herein are systems, devices, and methods for generating multi-function waveforms. A device can include input circuitry to receive parameters indicating respective frequencies and codes for the multi-function waveforms, one or more memories to store the respective frequencies and codes, waveform management circuitry configured to produce a series of values based on the frequencies and codes, respectively, and refine the series of values by reducing a cost associated with a waveform produced using the series of values, and a transceiver to generate the waveform.
    Type: Grant
    Filed: March 30, 2017
    Date of Patent: June 25, 2019
    Assignee: Raytheon Company
    Inventors: Jeffery Jay Logan, Charles Hansen, Michael Brandon Kremer, Christopher Paul Vander Valk, Joud Khoury
  • Patent number: 10285190
    Abstract: Generally discussed herein are systems, devices, and methods for scheduling node performance of communication and/or function. A method can include receiving, from a plurality of nodes, parameters indicating a trajectory and position of each of the plurality of nodes, creating a directed communication graph, creating a communications conflict graph, creating a function conflict graph indicating which function performed by one node of the plurality of nodes interferes with at least one of a function and communication performed by another node of the plurality of nodes, creating a universal conflict graph based on the communications conflict graph and the function conflict graph, creating a schedule for communication and function performance for each of the nodes based on the universal conflict graph, and providing data indicative of the schedule to nodes of the plurality of nodes.
    Type: Grant
    Filed: December 20, 2016
    Date of Patent: May 7, 2019
    Assignees: Raytheon BBN Technologies Corp., Raytheon Company
    Inventors: Joud Khoury, Christopher Paul Vander Valk, Michael Brandon Kremer, Subramanian Ramanathan, Jeffery Jay Logan, Charles Hansen
  • Publication number: 20180287505
    Abstract: Generally discussed herein are systems, devices, and methods for generating multi-function waveforms. A device can include input circuitry to receive parameters indicating respective frequencies and codes for the multi-function waveforms, one or more memories to store the respective frequencies and codes, waveform management circuitry configured to produce a series of values based on the frequencies and codes, respectively, and refine the series of values by reducing a cost associated with a waveform produced using the series of values, and a transceiver to generate the waveform.
    Type: Application
    Filed: March 30, 2017
    Publication date: October 4, 2018
    Inventors: Jeffery Jay Logan, Charles Hansen, Michael Brandon Kremer, Christopher Paul Vander Valk, Joud Khoury
  • Publication number: 20180234996
    Abstract: Generally discussed herein are systems, devices, and methods for scheduling node performance of communication and/or function. A method can include receiving, from a plurality of nodes, parameters indicating a trajectory and position of each of the plurality of nodes, creating a directed communication graph, creating a communications conflict graph, creating a function conflict graph indicating which function performed by one node of the plurality of nodes interferes with at least one of a function and communication performed by another node of the plurality of nodes, creating a universal conflict graph based on the communications conflict graph and the function conflict graph, creating a schedule for communication and function performance for each of the nodes based on the universal conflict graph, and providing data indicative of the schedule to nodes of the plurality of nodes.
    Type: Application
    Filed: December 20, 2016
    Publication date: August 16, 2018
    Inventors: Joud Khoury, Christopher Paul Vander Valk, Michael Brandon Kremer, Subramanian Ramanathan, Jeffery Jay Logan, Charles Hansen