Abstract: An integrated circuit is configured to compute multiply-accumulate (MAC) operations in convolutional neural networks. The integrated circuit includes a lookup table (LUT) configured to store multiple values. The integrated circuit also includes a compute unit. The compute unit is composed of an accumulator. The compute unit also includes a first multiplier configured to receive a first value of a padded input feature and a first weight of a filter kernel. The compute unit also includes a first selector. The first selector is configured to select an input to supply to the accumulator between an output from the first multiplier and an output from the LUT.

Abstract: This disclosure provides systems, methods, and apparatus, including computer programs encoded on computer storage media, for enhancing a device provisioning protocol (DPP) to support multiple configurators. In one aspect, a first configurator device can export a configurator key package. In one aspect, the configurator key package may be used for backup and restore of the configurator keys. The configurator key package may include a configurator private signing key and, optionally, a configurator public verification key. A second configurator device may obtain the configurator key package and also may obtain decryption information which can be used to decrypt the configurator key package. Thus, in another aspect, both the first configurator device and the second configurator device can use the same configurator keys with the device provisioning protocol to configure enrollees to a network.

Abstract: An apparatus for optimizing a computational network is configure to receive an input at a first processing component. The first processing component may include at least a first programmable processing component and a second programmable processing component. The first programmable processing component is configured to compute a first nonlinear function and the second programmable processing component is configured to compute a second nonlinear function which is different than the second nonlinear function. The computational network which may be a recurrent neural network such as a long short-term memory may be operated to generate an inference based at least in part on outputs of the first programmable processing component and the second programmable processing component.

Abstract: An apparatus for operating a computational network, such as a long short term memory, is configured to compute in a first cell, an input for a cell of a next layer based on a prior hidden state and a current input. A memory state may be computed for the first cell based on a prior memory state, the prior hidden state, and the current input. The first cell outputs the computed input to the next layer cell, which may also receive a second prior memory state, a second prior hidden state. In turn, the next layer cell computes an input for a subsequent layer cell based on the second prior hidden state and the input supplied by the first cell in parallel with the first cell computing a hidden state and a memory state to be supplied to a subsequent cell in the same layer.

Abstract: This disclosure provides systems, methods and apparatus, including computer programs encoded on computer storage media, for onboarding one or more Multi-AP devices using a device provisioning protocol (DPP) and a Multi-AP communication protocol. In one aspect, a first Multi-AP device may determine, during an onboarding process, DPP configuration information that was derived using the DPP. The first Multi-AP device may establish a Multi-AP network configuration between the first Multi-AP device and a second Multi-AP device using the Multi-AP communication protocol based, at least in part, on the DPP configuration information. In one aspect, the DPP configuration information may be derived remotely by the network operator prior to device deployment. In one aspect, a configurator station (STA) may be delegated as the DPP configurator by the network operator, and may onboard one or more STAs into the Multi-AP network using the DPP and the Multi-AP communication protocol.

Abstract: A method, apparatus, and system for utilizing a register virtualization mapping to improve defense against return-oriented programming-based attacks is disclosed. A register virtualization mapping, which is bijection between nominal registers and physical registers, is generated for a subroutine call when the subroutine call is detected. The register virtualization mapping is applied to instructions within the subroutine call. The register virtualization mapping is stopped for the subroutine call at the return of the subroutine call.

Abstract: Certain aspects relate to an apparatus includes an interface configured to obtain a first frame including a first information element (IE) indicating a list of encoding algorithms and a processing system configured to generate a second frame including a second IE indicating at least one of an encoding algorithm from the list or the list. The interface is further configured to output the second frame for transmission to a device and obtain a first random number from the device and the processing system is further configured to generate a code based on the first random number, a second random number and a master key and generate a third frame comprising the second IE, the second random number and an integrity protected IE generated based on the second IE and the code. Furthermore, the interface is configured to output the third frame for transmission to the device.

Abstract: Aspects of the present disclosure are directed to detecting and responding to injected faults. In some examples, fault injections are detected in a pipeline processor using transactional memory by comparing a predicted value (e.g. from a Value Predictor) against a subsequently loaded or computed reference value, and then detecting the fault based on the result of the comparison. If the predicted value is found to differ from the subsequently loaded or calculated value, the difference is deemed to be due to a fault and actions are taken to address the fault, such as by using deception or blinding of observable values. In some examples, the Value Predictor is modified to perform the comparison to detect the fault. The Value Predictor then notifies Transactional Hardware, which responds to the fault. In other examples described herein, the Value Predictor is unchanged and the Transactional Hardware detects and corrects the fault.

Abstract: Techniques for protecting software in a computing device are provided. A method according to these techniques includes receiving a request from a non-secure software module to execute an instruction of a secure software module comprising encrypted program code, determining whether the instruction comprises an instruction associated with a controlled point of entry to the secure software module accessible outside of the secure software module, executing one or more instructions of the secure software module responsive to the instruction comprising an instruction associated with the controlled point of entry to the secure software module, and controlling exit from the secure software module to return execution to the non-secure software module.

Abstract: In an aspect, a cache memory device receives a request to read an instruction or data associated with a memory device. The request includes a first realm identifier and a realm indicator bit, where the first realm identifier enables identification of a realm that includes one or more selected regions in the memory device. The cache memory device determines whether the first realm identifier matches a second realm identifier in a cache tag when the instruction or data is stored in the cache memory device, where the instruction or data stored in the cache memory device has been decrypted based on an ephemeral encryption key associated with the second realm identifier when the first realm identifier indicates the realm and when the realm indicator bit is enabled. The cache memory device transmits the instruction or data when the first realm identifier matches the second realm identifier.

Abstract: In an aspect, a method for protecting software includes obtaining a payload including at least one of instructions or data, establishing a realm in a memory device, encrypting the payload based on an ephemeral encryption key (EEK) associated with the realm, and storing the encrypted payload in the realm of the memory device. In another aspect, a method for protecting software includes receiving a memory transaction associated with the memory device, the memory transaction including at least a realm identifier (RID) and a realm indicator bit, obtaining the EEK associated with the RID when the RID indicates the realm and when the realm indicator bit is enabled, decrypting an instruction and/or data retrieved from the realm based on the EEK when the memory transaction is a read transaction, and encrypting second data for storage in the realm based on the EEK when the memory transaction is a write transaction.

Abstract: Techniques for preventing side-channel attacks on a cache are provided. A method according to these techniques includes executing a software instruction indicating that a portion of software requiring data protection is about to be executed, setting the cache to operate in a randomized mode to de-correlate cache timing and cache miss behavior from data being processed by the portion of software requiring data protection responsive to the instruction indicating that the portion of software requiring data protection is about to be executed, executing the portion of software requiring data protection, storing the data being processed by the portion of software requiring data protection, and setting the cache to operate in a standard operating mode responsive to an instruction indicating that execution of the portion of software requiring data protection has completed.

Abstract: In an aspect of the disclosure, a method, a computer-readable medium, and an apparatus are provided. The apparatus may establish a communication link based on the 1905.1 protocol with at least one second AP. The apparatus may receive an authentication request from the at least one second AP via the communication link based on the 1905.1 protocol. In certain aspects, the authentication request may include at least a first signed certificate and a first generated value. The apparatus may transmit an authentication response to the at least one second AP using the communication link based on the 1905.1 protocol. In certain aspects, the authentication response may include at least a second signed certificate and a second generated value. The apparatus may determine shared information with the at least one second AP based at least in part on the first generated value and the second generated value.

Abstract: Aspects of the present disclosure implement techniques that allow an enrollee (e.g., DPP-AP or other DPP devices) to be informed of the bootstrapping method selected by a device (e.g., STA) when initiating onboarding. As such, in one example, authentication requests from the device may additionally carry information that inform the network of the bootstrapping method (e.g., QR-code, NFC, Wi-Fi Aware, Wi-Fi Direct) selected by the device. Each bootstrapping method may correspond to an authentication key. Accordingly, based on the exchange of bootstrapping information, the enrollee (e.g., network device) may verify the authenticity of the device by calculating an authentication key that unlocks additional sensitive information that may be included in the authentication request.

Abstract: A method includes: decrypting, in a device, a first subset of encrypted data using a cryptographic device key associated with the device to produce first plain text, where a set of encrypted data comprises the first subset of encrypted data and a second subset of encrypted data, and where the first subset of encrypted data and the second subset of encrypted data each contain less encrypted data than the set of encrypted data and are different from each other; decrypting, in the device, the second subset of encrypted data using the cryptographic device key to produce second plain text; encrypting, in the device, the first plain text using a first ephemeral key to produce first re-encrypted data; and encrypting, in the device, the second plain text using a second ephemeral key to produce second re-encrypted data, the second ephemeral key being different from the first ephemeral key.

Abstract: Techniques for mitigating side-channel attacks on cryptographic algorithms are provided. An example method according to these techniques includes applying a block cipher algorithm to an input data to generate a cryptographic output, such that applying the block cipher to input data comprises modifying an output of a stage of the block cipher algorithm such that each output of the stage of the block cipher algorithm has a constant Hamming weight, and outputting the cryptographic output.

Abstract: A cryptographic device includes: a data input; a data output; a cipher circuit configured to perform a cipher algorithm on cipher-algorithm input data to produce cipher-algorithm output data; and a network coupled to the data input, the data output, and the cipher circuit, the network comprising a plurality of switches and a plurality of logical signal combiners that are configured to provide the cipher-algorithm input data to the cipher circuit and to provide device output data to the data output using the cipher-algorithm output data and that, in combination with the cipher circuit, are configured to implement a plurality of different cryptographic algorithms that each include the cipher algorithm that the cipher circuit is configured to perform.

Abstract: This disclosure provides systems, methods, and apparatus, including computer programs encoded on computer storage media, for enhancing a device provisioning protocol (DPP) to support multiple configurators. In one aspect, a first configurator device can export a configurator key package. In one aspect, the configurator key package may be used for backup and restore of the configurator keys. The configurator key package may include a configurator private signing key and, optionally, a configurator public verification key. A second configurator device may obtain the configurator key package and also may obtain decryption information which can be used to decrypt the configurator key package. Thus, in another aspect, both the first configurator device and the second configurator device can use the same configurator keys with the device provisioning protocol to configure enrollees to a network.

Abstract: This disclosure provides systems, methods and apparatus, including computer programs encoded on computer storage media, for enhancing a device provisioning protocol (DPP) with assisted bootstrapping. In one aspect, a configurator device can provision an enrollee device for a network with the assistance of an intermediary device. The intermediary device may obtain enrollee bootstrapping data associated with the enrollee device and send the enrollee bootstrapping data to the configurator device. The configurator device may use the enrollee bootstrapping data in an authentication process between the configurator device and the enrollee device. Following the authentication, the enrollee device may be configured by the configurator device such that the enrollee device may access a network.

Abstract: This disclosure provides systems, methods and apparatus, including computer programs encoded on computer storage media for mitigating an Internet of things (IoT) worm. In one aspect, a processor of a router device may randomly select a plurality of Internet Protocol (IP) addresses. The processor may expose one or more emulated services at the plurality of randomly selected IP addresses. The processor may determine whether IoT worm communication activity is detected at one of the randomly selected IP addresses. The processor may grant to, or otherwise enable, an IoT worm access to one of the emulated services in response to detecting IoT worm communication activity at one of the selected IP addresses.