Abstract: A computer system for providing a plurality of functions for a device, in particular for a vehicle. The computer system has a plurality of system modules configured to provide functions that are differently critical for the operational security of the device. Each system module or a part of a system module is assigned to one zone of a plurality of zones, a zone being a logically and/or physically delimitable unit in the computer system. A first zone is more trustworthy than a second, less trustworthy zone, the danger of a manipulation of a more trustworthy zone being less than of a less trustworthy zone. A first, more critical function being provided by a system module of the first zone and a less critical function being provided by a system module of the second zone.

Abstract: A method training an artificial neural network (ANN) on a remote host computes, using a trusted process deployed in a trusted execution environment (TEE) on the remote host, a key-pair for a homomorphic encryption scheme and shares, by the trusted process, the public key (PK) of the key-pair with an untrusted process deployed on the remote host. The method splits the training procedure of the ANN between the untrusted process and the trusted process, wherein the untrusted process computes encrypted inputs to neurons of the ANN by means of the homomorphic encryption scheme, while the trusted process computes outputs of the neurons based on the respective encrypted inputs to the neurons as provided by the untrusted process.

Abstract: Disclosed are methods and systems for calculating an arithmetic function expressed as addition of groups of multiplications of a set of private input secrets held by dealer nodes. Random exponent blinding factors are generated, and each computing node receives polynomial shares from each exponent blinding factor and a polynomial share and a public generator from the multiplicative group of integers modulo a prime number. The indexing integers are partitioned among the computing nodes, and each computing node computes a set of shares from the polynomial shares then sent to the dealer nodes which reconstruct the corresponding dealer blinding factor, and use it to create and send a particle to the computing nodes. The computing nodes then calculate from the received particles a result share of a polynomial which, when combined by a result node, allow the evaluation of complete polynomial which includes the result of the arithmetic function.

Abstract: A digital wallet generates an identification value associated with a DID of a DID owner. The digital wallet generates a first request including the identification value for an authentication token from an identification provider. The first request is provided to the identification provider. The digital wallet receives, in response to the identification provider validating the first request, the authentication token that authenticates the digital wallet with a verifiable claim issuer including the identification value from the identification provider. The digital wallet generates a second request for one or more verifiable claims from the verifiable claim issuer. The second request includes the DID and authentication token including the identification value. In response to the verifiable claim issuer validating the authentication token and the identification value, one or more verifiable claims from the verifiable claim issuer are received by the digital wallet.

Abstract: Method and systems for decentralized confirmation of entries in a directed acyclic graph (DAG) for rapidly confirming as authentic ledger entries without centralized arbitration of authenticity are provided. Access is provided to a user account by applying Shamir Secret Sharing, the user account being accessible to a single user and to combined efforts of multiple authorized third-party users appointed by the single user. An identity of the user account is cryptographically obfuscated using post-quantum cryptography. A DAG communication having data is transmitted from the user account to the DAG. DAG communications are weighted via proof-of-work hashing conducted on randomly-selected third-party DAG users, and are recorded and reconciled at nodes that compete to achieve consensus using SABRPaxos protocol, thereby confirming entries in the DAG.

Abstract: A method for confidential computing is provided, which is performed by a security core including one or more processor, and includes storing first encrypted data associated with a first tenant in a first memory, in which the first encrypted data is obtained by performing encryption of the first plaintext data using a first encryption key associated with the first tenant, in response to receiving a request to access the first plaintext data, decrypting the first encrypted data using the first encryption key so as to generate the first plaintext data, and providing the first plaintext data to a main core that processes data stored in the first memory.

Abstract: Methods, systems, and devices for parsing text are described herein. A method of securing executable files is performed at a computing device having one or more processors and memory. The memory stories one or more programs configured for execution by the one or more processors. The computing device obtains source text that comprises a disassembled executable file and identifies, via a general parser module, the syntax of the source text by performing a recursive descent parsing of the source text. The device generates an abstract syntax tree (AST) for the source text based on the identified syntax and generates a transformed AST from the generated AST by replacing one or more system calls with respective protected system functions. The device also generates a secured executable file by assembling the transformed AST.

Abstract: Methods, systems and techniques are provided to authenticate a device under test (DUT)/system under test (SUT) comprising an electronic component(s). A profile is defined by injecting a signal to elicit an output that is responsive a physical characteristic of the type of DUT/SUT. In respective embodiments the injected signal is defined to elicit an output for time-domain or frequency-domain evaluation. An injected signal may comprise combinations of (non-destructive/non-activating) signals applied to multiple access points for measurement at arbitrary access points of the DUT/SUT. In an embodiment, measurements of multiple DUT/SUTs of a same type are used to define a common profile. In an embodiment, the profile is built using machine learning to define a classifier. In other embodiments, statistical profiles are defined. During use, output is generated for a target DUT/SUT for evaluation relative to the profile. Counterfeit/alternate designs, altered designs, and implants are detectable.

Abstract: This disclosure describes techniques that include determining a trust score for a network entity; identifying at least one weakness of the network entity, based on the determined trust score; determining a set of remediation actions for addressing the at least one weakness; determining, for each remediation action of the set of remediation actions, an expected amount of work associated with the remediation action; selecting a remediation action from the set of remediation actions, based on the determining, for each remediation action, the expected amount of work associated with the remediation action; and performing an operation associated with at least a portion of the selected remediation action.

Abstract: Techniques are disclosed relating to multi-factor authentication for data security. In some embodiments, a computer system receives, from a user device, a database operation request that specifies a set of query data, where the computer system supports multiple different security levels requiring different subsets of a set of authentication factors supported by a known device of a user of the user device. Various devices may determine current contextual information for the database operation request, where the contextual information indicates the set of query data. In some embodiments, the computer system selects, based on the current contextual information, a security level from the multiple different security levels. In some embodiments, the computer system revokes, based on the selected security level, access privileges of the user for accessing a database corresponding to the database operation request.

Abstract: Disclosed herein are an apparatus and method for mutual authentication of quantum entities based on Measurement-Device-Independent Quantum Key Distribution (MDI-QKD). The method may include configuring a quantum input form based on an authentication key shared in advance with a counterpart entity, applying polarization modulation to the configured quantum input form, transmitting the quantum input form to which polarization modulation is applied to a quantum measurement device, and authenticating the counterpart entity by checking whether the counterpart entity configures a quantum input form according to the shared authentication key using a measurement result and information about polarization modulation.

Abstract: 1. Implementations of the present disclosure include receiving, by a database system, a query from an entity, providing a parse tree based on the query, the parse tree including nodes representative of operations to be executed and data objects stored within the database system, generating a module tree based on the parse tree, the module tree including a set of modules provided in sequential order from a root module to a leaf module, and executing an authorization check using the module tree by, for each module, determining a set of data objects and, for each data object in the set of data objects, determining whether the entity is one or more of authorized access the data object and perform an operation on the data object.

Abstract: A system for processing data within a Trusted Execution Environment (TEE) of a processor is provided. The system may include: a trust manager unit for verifying identity of a partner and issuing a communication key to the partner upon said verification of identity; at least one interface for receiving encrypted data from the partner encrypted using the communication key; a secure database within the TEE for storing the encrypted data with a storage key and for preventing unauthorized access of the encrypted data within the TEE; and a recommendation engine for decrypting and analyzing the encrypted data to generate recommendations based on the decrypted data.

Abstract: In accordance with an embodiment, a video flow transmission method includes: the generating, by an image sensor, a video flow comprising first and second images; hashing, by the image sensor, a portion of the first image based on a first hashing configuration to generate a first hash value, the first hashing configuration defining first positions of pixels to be hashed; hashing, by the image sensor, a portion of the second image based on a second hashing configuration to generate a second hash value, the second hashing configuration being different from the first configuration and defining second positions of pixels to be hashed; and transmitting, by the image sensor, the first and second images, and the first and second hash values, to a second device.

Abstract: A computer readable medium having non-transitory memory for storing machine instructions that are to be executed by a computer. The machine instructions when executed by the computer implement the following function: establishing a network interface communication path between a first router on a first network and a second router on a second network. The first network including first and second network devices is in communication with the first router. A further function is establishing a first network interface between the second router and the first network device through the network interface communication path and a second network interface between the second router and the second network device through the network interface communication path. A further function includes permitting access to the first and second network devices through the first and second network interfaces, respectively, by a user application. The network interfaces may be virtual private networks (VPNs).

Abstract: A proxy server receives, from multiple visitors of multiple client devices, a plurality of requests for actions to be performed on identified network resources belonging to a plurality of origin servers. At least some of the origin servers belong to different domains and are owned by different entities. The proxy server and the origin servers are also owned by different entities. The proxy server analyzes each request it receives to determine whether that request poses a threat and whether the visitor belonging to the request poses a threat. The proxy server blocks those requests from visitors that pose a threat or in which the request itself poses a threat. The proxy server transmits the requests that are not a threat and is from a visitor that is not a threat to the appropriate origin server.

Abstract: Certain aspects of the present disclosure provide techniques for receiving, from a user, a command for a virtual assistant to perform a task on behalf of the user; determining a communication channel for the virtual assistant to communicate with a remote service in order to perform the task; registering a communication session with an identity provider service, wherein the communication session is associated with the communication channel; initiating the communication session with the remote service using the communication channel; receiving a communication session authentication query from the remote service; and determining, in response to the communication session authentication query, whether the user is authenticated.

Abstract: Some embodiments help protect an organization against ransomware attacks by combining incrimination logics. An organizational-level incrimination logic helps detect alert spikes across many machines, which collectively indicate an attack. Graph-based incrimination logics help detect infestations of even a few machines, and local incrimination logics focus on protecting respective individual machines. Graph-based incrimination logics may compare monitored system graphs to known ransomware attack graphs. Graphs may have devices as nodes and device network connectivity, repeated files, repeated processes or actions, or other connections as edges. Statistical analyses and machine learning models may be employed as incrimination logics. Search logics may find additional incrimination candidates that would otherwise evade detection, based on files, processes, IP addresses, devices, accounts, or other computational entities previously incriminated.

Abstract: A method for extending a blockchain comprises, at a space server: allocating an amount of drive storage for generating proofs-of-space; or accessing a first challenge based on a prior block of the blockchain, the prior block comprising a first proof-of-space and a first proof-of-time; in response to accessing the first challenge, generating a second proof-of-space based on the first challenge and the amount of drive storage, the second proof-of-space indicating allocation of the amount of drive storage; accessing a second proof-of-time based on the prior block and indicating a first time delay elapsed after extension of the blockchain with the prior block; generating a new block comprising the second proof-of-space and the second proof-of-time; and broadcasting the new block over a distributed network.

Abstract: The present disclosure relates to configuring at least one pair of devices in a physical unclonable function (PUF) apparatus and reading out at least one pair of devices for determining a persistent random PUF output. The pair of devices may be readout by measuring a physical difference between the devices/components caused by random manufacturing differences, which may then be used to determine a persistence random PUF output. Configuring the pair of devices includes measuring the random manufacturing difference and, based on that measurement, setting a readout condition for the pair of devices, which dictates aspects of the readout process that should be used for that pair of devices. Each time the pair of devices is readout in the future, it may be readout in accordance with the condition that was set at configuration.