Abstract: A method is provided for generating an encrypted database. The method includes: receiving a plaintext database having plaintext data entries in one or more columns; augmenting the received plaintext database to generate an augmented plaintext database, the augmenting including the addition of one or more columns to the received plaintext database, each added column corresponding to an attribute which is to be made available for conditional queries; and encrypting the augmented plaintext database to generate the encrypted database including encrypted data entries. The encrypted database supports at least one form of conditional query for those attributes corresponding to the added columns, the at least one form of conditional query being computed on the encrypted data entries without the decryption thereof to produce an encrypted result.

Abstract: A method of reducing the storage requirements of blockchain metadata via dictionary-style compression includes receiving a request to add a transaction block to a blockchain. The method further includes determining an identifier (ID) of a dictionary block most recently stored on the blockchain. The method further includes compressing, by a processing device, one or more transactions of the transaction block based on the dictionary block to generate a compressed transaction block. The method further includes adding the ID of the dictionary block to the compressed transaction block. The method further includes providing the compressed transaction block, including the ID of the dictionary block, for storage on the blockchain.

Abstract: One embodiment facilities user access to a standalone computing device. During operation, the system receives, by the standalone computing device from a mobile computing device associated with a user, a first command to access capabilities of the standalone computing device, wherein the first command includes an ephemeral user identifier which includes an ephemeral key and indicates user-specific metadata, wherein the ephemeral key is generated by a network service, wherein the ephemeral user identifier is digitally signed with a private key of the network service, and wherein the standalone computing device is not directly accessible by the network service. The system verifies, by the standalone computing device using a public key of the network service, that the ephemeral user identifier was generated by the network service. The system executes, by the standalone computing device, the first command based on the user-specific metadata.

Abstract: Systems and methods for indexing blockchain data in a blockchain system so that search may proceed more quickly, efficiently, and reliably in all of the blockchain peers. These systems and methods receive a set of transactions from one or more transaction blocks of a blockchain, wherein the transactions in the set have been validated by one or more peer systems of the blockchain. The systems and methods further generate an index to one or more fields of one or more transactions in the set of transactions of the transaction block generate an index representative of at least one field in the set of transactions of the transaction block and provide the generated index for validation by a peer system of the blockchain. After receiving verification from at least a threshold number of peer systems that the generated index has been validated by the peer system, these systems and methods store the generated index as an index block in the block chain.

Abstract: One embodiment provides a method for facilitating security in a system of networked components. During operation, the system constructs a configuration graph that stores a first set of relationships between configuration parameters within a component and a second set of relationships between configuration parameters across different components. A relationship corresponds to a constraint and is indicated by one or more of: a range for a configuration parameter; and a conjunction or a disjunction of logical relationships between two or more configuration parameters. The system generates a set of candidate configuration parameter values that satisfy the constraints of the relationships in the configuration graph. The system selects, from the set of candidate configuration parameter values, a first set of configuration parameter values that optimizes a security objective function.

Abstract: The following relates generally to defense mechanisms and security systems. Broadly, systems and methods are disclosed that detect an anomaly in an Embedded Mission Specific Device (EMSD). Disclosed approaches include a meta-material antenna configured to receive a radio frequency signal from the EMSD, and a central reader configured to receive a signal from the meta-material antenna. The central reader may be configured to: build a finite state machine model of the EMSD based on the signal received from the meta-material antenna; and detect if an anomaly exists in the EMSD based on the built finite state machine model.

Abstract: A computer-implemented system and method for analyzing data quality is provided. Attributes each associated with one or more elements are maintained. A request from a user is received for determining data quality of at least one attribute based on an interest vector having a listing of the elements of that attribute and a selection of elements of interest. Each element is encrypted. A condensed vector having the same listing of elements as the interest vector is populated with occurrence frequencies for each of the listed elements. The elements of the condensed vector are encrypted by computing an encrypted product of each element in the condensed vector and the corresponding element of the interest vector. An aggregate is determined based on the encrypted products of each element of the interest vector and the corresponding element of the condensed vector. The aggregate is provided as results of the data quality.

Abstract: One embodiment provides a system that facilitates privacy-preserving order statistics. The system receives, by a first device from a second device, a second value associated with the second device perturbed by a random value. The system determines a first difference between a first value associated with the first device, and the second value. The system encrypts a second difference between the first difference and the random value. Subsequent to transmitting the encrypted second difference, the system receives a sign of a first integer and a ciphertext. The system decrypts the ciphertext to obtain a third value which indicates the first difference scaled based on the first integer, wherein the scaled first difference is perturbed by a second integer. The system determines, based on the sign of the first integer and a sign of the third value, whether the first value is greater than or less than the second value.

Abstract: A computer-implemented method for protecting sensitive data via data re-encryption is provided. Encrypted data is maintained. A data query is received from a user associated with a public key and a secret key. Results of the query are computed by identifying at least a portion of the encrypted data and by adding plaintext for the identified portion of the encrypted data as the results. A re-encryption key is generated for the results using the public key of the user and the results are re-encrypted using the re-encryption key. The re-encrypted results are then transmitted to the user.

Abstract: Embodiments described herein provide a system for improving a classifier by computing a statistic for the utility of sharing data with a second party. The system may encrypt a set of class labels based on a public key/private key pair to obtain a set of encrypted class labels. The system may send a public key and the set of encrypted class labels to a second computing device. The system may receive an encrypted value computed by the second computing device based on the public key. The system may decrypt the encrypted value based on a private key to obtain a decrypted value. The system may then send a pair of encrypted values computed based on the decrypted value to the second computing device. The system may subsequently receive an encrypted utility statistic from the second computing device, and decrypt the encrypted utility statistic to obtain a decrypted utility statistic.

Abstract: One embodiment facilitates detection of attacks in a cyber-physical system of interacting elements with physical inputs and outputs. During operation, the system receives, by a first entity of a plurality of entities, a first reading from a first set of sensors of the cyber-physical system via a first network. The system receives, by the first entity, a second reading from a second set of sensors of the cyber-physical system via a second network, wherein the second network includes security measures which prevent access by any external entity or any of the plurality of entities. The system executes a set of instructions based on the first reading and the second reading. The system determines that a result of the executed instructions does not match an expected condition. The system performs a remedial action based on the result.

Abstract: One embodiment provides a system for noise addition to enforce data privacy protection in a star network. In operation, participants may add a noise component to a dataset. An aggregator may receive the noise components from the plurality of participants, compute an overall noise term based on the received noise components, and aggregate values using the noise components and overall noise term.

Abstract: A method is provided for generating an encrypted database. The method includes: receiving a plaintext database having plaintext data entries in one or more columns; augmenting the received plaintext database to generate an augmented plaintext database, the augmenting including the addition of one or more columns to the received plaintext database, each added column corresponding to an attribute which is to be made available for conditional queries; and encrypting the augmented plaintext database to generate the encrypted database including encrypted data entries. The encrypted database supports at least one form of conditional query for those attributes corresponding to the added columns, the at least one form of conditional query being computed on the encrypted data entries without the decryption thereof to produce an encrypted result.

Abstract: A method is provided for generating an encrypted database. The method includes: receiving a plaintext database having plaintext data entries therein; and generating an encrypted database using the plaintext database, the encrypted database including encrypted data entries therein. The encrypted database is configured to support at least one form of conditional query such that the at least one form of conditional query returns a correct encrypted result when the query is computed on the encrypted data entries without the decryption thereof.

Abstract: Aggregate statistics are securely determined on private data by first sampling independent first and second data at one or more clients to obtain sampled data, wherein a sampling parameter substantially smaller than a length of the data. The sampled data are encrypted to obtain encrypted data, which are then combined. The combined encrypted data are randomized to obtain randomized data. At an authorized third-party processor, a joint distribution of the first and second data is estimated from the randomized encrypted data, such that a differential privacy requirement of the first and second is satisfied.

Abstract: One embodiment provides a system that facilitates privacy-preserving order statistics. The system receives, by a first device from a second device, a second value associated with the second device perturbed by a random value. The system determines a first difference between a first value associated with the first device, and the second value. The system encrypts a second difference between the first difference and the random value. Subsequent to transmitting the encrypted second difference, the system receives a sign of a first integer and a ciphertext. The system decrypts the ciphertext to obtain a third value which indicates the first difference scaled based on the first integer, wherein the scaled first difference is perturbed by a second integer. The system determines, based on the sign of the first integer and a sign of the third value, whether the first value is greater than or less than the second value.

Abstract: One embodiment provides a system that facilitates encrypted-domain aggregation of data in a star network. During operation, the system receives a set of ciphertexts, representing respective encrypted polynomial shares, of an input value from each participant in a plurality of participants. Each ciphertext in the set of ciphertexts is associated with a specific participant in the plurality of participants. The system computes an encrypted partial value for each participant by aggregating in the encrypted-domain a respective ciphertext associated with that participant received from the plurality of participants and sends a message comprising the encrypted partial value to that participant. This encrypted partial value is encrypted based on a public key of a corresponding participant. The system receives a decrypted partial value from each participant and computes a target value based on a set of decrypted partial values received from a set of participants in the plurality of participants.

Abstract: A method and system for verifying Internet connectivity at an access point in a fast, secure, and privacy-friendly manner. During operation, the system may perform passive network discovery, challenge response discovery, and/or active discovery to verify Internet connectivity for a mobile device. Passive network discovery involves the mobile device using a public key of a server to decrypt a time value to verify Internet connectivity. The mobile device receives the encrypted time value as part of the server's signed timing information in an overloaded WiFi beacon frame. Challenge response discovery involves the mobile device sending an encrypted challenge to servers, and a server returns a correct response to the challenge to confirm Internet connectivity. Active discovery involves a mobile device sending HTTP GET requests to a randomly selected set of servers without including a user agent, and a server may send an HTTP REPLY to confirm Internet connectivity.

Abstract: One embodiment provides a system for noise addition to enforce data privacy protection in a star network. In operation, participants may add a noise component to a dataset. An aggregator may receive the noise components from the plurality of participants, compute an overall noise term based on the received noise components, and aggregate values using the noise components and overall noise term.

Abstract: A computer-implemented system and method for automatically identifying attributes for anonymization is provided. A dataset of attributes is accessed. Each attribute in the dataset is associated with a plurality of values. The values of the dataset are encrypted and the attributes are processed by assigning a sensitivity level to each of the attributes. One or more of the attributes are selected from the dataset for anonymization based on the assigned sensitivity levels.