Patents by Inventor David Ott

David Ott has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).

  • Publication number: 20250028842
    Abstract: The disclosure provides an approach for providing cryptographic agility for data storage. Embodiments include receiving, by a cryptographic provider component, a request to perform a cryptographic operation with respect to a storage operation for a data object, wherein the cryptographic provider component is associated with an interception point between a metadata layer of a storage system and an object storage layer of the storage system. Embodiments include determining, by the cryptographic provider component, one or more attributes related to the request based on information received from the metadata layer about the data object. Embodiments include selecting, by the cryptographic provider component, based on the one or more attributes related to the request, a cryptographic technique for handling the request from a set of possible cryptographic techniques. Embodiments include storing, at the object storage layer, an encrypted version of the data object based on the selected cryptographic technique.
    Type: Application
    Filed: July 21, 2023
    Publication date: January 23, 2025
    Inventors: Daniel James BEVERIDGE, Sean HUNTLEY, David OTT
  • Publication number: 20250028843
    Abstract: The disclosure provides an approach for providing cryptographic agility for virtualized data storage. Embodiments include determining, by a hypervisor running on a host machine, one or more attributes of a virtual machine (VM) running on top of the hypervisor. Embodiments include sending, by the hypervisor, to a cryptographic provider component, a request to perform cryptographic functionality with respect to one or more virtual disks associated with the VM, wherein the request comprises the one or more attributes of the VM. Embodiments include selecting, by the cryptographic provider component, based on the one or more attributes of the VM and one or more cryptographic policies, one or more cryptographic techniques for handling the request from a set of possible cryptographic techniques. Embodiments include encrypting the one or more virtual disks in a virtual storage area network (VSAN) based on the selected one or more cryptographic techniques.
    Type: Application
    Filed: July 21, 2023
    Publication date: January 23, 2025
    Inventors: Daniel James BEVERIDGE, Sean HUNTLEY, David OTT
  • Publication number: 20250030669
    Abstract: The disclosure provides an approach for multi-endpoint cryptographic orchestration. Embodiments include establishing, by a first endpoint of a plurality of endpoints related to a multi-endpoint secure communication session, a metadata channel with one or more other endpoints of the plurality of endpoints. Embodiments include sending, by the first endpoint, to a second endpoint of the one or more other endpoints, via the metadata channel, an indication of a cryptographic requirement related to the multi-endpoint secure communication session. Embodiments include performing, by the second endpoint, one or more cryptographic operations related to the multi-endpoint secure communication session based on the indication of the cryptographic requirement. Embodiments include attesting, by the second endpoint, via the metadata channel, that the one or more cryptographic operations comply with the cryptographic requirement.
    Type: Application
    Filed: July 21, 2023
    Publication date: January 23, 2025
    Inventors: Sean HUNTLEY, Daniel James BEVERIDGE, David OTT
  • Publication number: 20250028761
    Abstract: Disclosed are examples of a system that publishes metadata to a blockchain network. The metadata can contain properties of data generated by a system. The metadata can allow for other entities to validate or trust the data generated by the system. The metadata can include data attributes that profile the data.
    Type: Application
    Filed: July 19, 2023
    Publication date: January 23, 2025
    Inventors: Daniel Beveridge, Sean James Huntley, David Ott
  • Publication number: 20250028856
    Abstract: The disclosure provides an approach for cryptographic agility for multi-layer privacy-preserving data aggregation. Embodiments include receiving a request for dynamic cryptographic technique selection related to a data aggregation process involving a first aggregator device and a second aggregator device performing one or more computations on data provided from multiple endpoints. Embodiments include determining, based on contextual information, that the second aggregator device is associated with a confidential computing component and that the first aggregator device is not associated with any confidential computing component. Embodiments include selecting one or more homomorphic encryption techniques for protecting the data while in use by the first aggregator device based on the determining that the first aggregator device is not associated with any confidential computing component and selecting a confidential computing technique for protecting the data while in use by the second aggregator device.
    Type: Application
    Filed: July 20, 2023
    Publication date: January 23, 2025
    Inventors: Sean HUNTLEY, David OTT, Daniel James BEVERIDGE, Martin Patrick STACK
  • Publication number: 20250021667
    Abstract: The disclosure provides an approach for multi-endpoint cipher negotiation. Embodiments include determining, by one or more first endpoints of a plurality of endpoints involved in a multi-party data aggregation process, a privacy-preserving version of an underlying function to be evaluated for cryptographic technique selection. Embodiments include sending, by the one or more first endpoints, to a second endpoint of the plurality of endpoints, the privacy-preserving version of the underlying function and encrypted input values related to attributes of the one or more first endpoints. Embodiments include evaluating, by the second endpoint, the privacy-preserving version of the function based on the encrypted input values and one or more additional encrypted input values. Embodiments include determining, based on the evaluating of the privacy-preserving version of the function, one or more cryptographic techniques to be used for the multi-party data aggregation process.
    Type: Application
    Filed: July 13, 2023
    Publication date: January 16, 2025
    Inventors: Daniel James BEVERIDGE, David OTT, Sean HUNTLEY, Martin Patrick STACK
  • Publication number: 20250021666
    Abstract: The disclosure provides an approach for cryptographic agility for privacy-preserving data aggregation. Embodiments include receiving a request for dynamic cryptographic technique selection related to a data aggregation process, wherein the data aggregation process is to involve an aggregator device performing one or more computations on data that is to be provided from multiple endpoints. Embodiments include selecting a cryptographic technique based on contextual information related to the request, wherein the contextual information comprises one or more of: one or more types of mathematical operations that are to be performed by the aggregator device on the data that is to be provided from the multiple endpoints during the data aggregation process; or an indication of whether the aggregator device is associated with a confidential computing component. Embodiments include providing a response based on the selecting of the cryptographic technique.
    Type: Application
    Filed: July 13, 2023
    Publication date: January 16, 2025
    Inventors: Daniel James BEVERIDGE, David OTT, Martin Patrick STACK, Sean HUNTLEY
  • Publication number: 20250023706
    Abstract: The disclosure provides an approach for cryptographic agility for privacy-preserving federated learning. Embodiments include receiving a request from an application for dynamic cryptographic technique selection related to a federated learning process, wherein the request indicates one or more types of mathematical operations that are to be performed by an aggregator device on data that is to be provided from multiple endpoints during the federated learning process. Embodiments include selecting, based on the one or more types of mathematical operations that are to be performed by the aggregator device, a cryptographic technique from a plurality of cryptographic techniques. Embodiments include providing a response to the application based on the selecting of the cryptographic technique, wherein the cryptographic technique is used to perform one or more cryptographic operations related to the federated learning process.
    Type: Application
    Filed: July 13, 2023
    Publication date: January 16, 2025
    Inventors: David OTT, Martin Patrick STACK, Daniel James BEVERIDGE, Sean HUNTLEY
  • Patent number: 12166907
    Abstract: The disclosure provides an approach for certificate management for cryptographic agility. Embodiments include receiving, by a cryptographic agility system, a cryptographic request related to an application. Embodiments include selecting, by the cryptographic agility system, a cryptographic technique based on contextual information associated with the cryptographic request. Embodiments include determining, by the cryptographic agility system, based on the cryptographic request, a certificate for authenticating a key related to the cryptographic technique. Embodiments include providing, by the cryptographic agility system, the certificate to an endpoint related to the cryptographic request for use in authenticating the key.
    Type: Grant
    Filed: July 27, 2023
    Date of Patent: December 10, 2024
    Assignee: VMware LLC
    Inventors: Marc Wayne Brotherson, Mark Benson, Daniel James Beveridge, Sean Huntley, Akeem Jenkins, David Ott
  • Patent number: 12147530
    Abstract: The disclosure herein describes deploying a Virtual Secure Enclave (VSE) using a universal enclave binary and a Trusted Runtime (TR). A universal enclave binary is generated that includes a set of binaries of Instruction Set Architectures (ISAs) associated with Trusted Execution Environment (TEE) hardware backends. A TEE hardware backend is identified in association with a VSE-compatible device. A VSE that is compatible with the identified TEE hardware backend is generated on the VSE-compatible device and an ISA binary that matches the TEE hardware backend is selected from the universal enclave binary. The selected binary is linked to a runtime library of the TR and loads the linked binary into memory of the generated VSE. The execution of a trusted application is initiated in the generated VSE using a set of interfaces of the TR. The trusted application depends on the TR interfaces rather than the selected ISA binary.
    Type: Grant
    Filed: October 5, 2022
    Date of Patent: November 19, 2024
    Assignee: VMware LLC
    Inventors: Ye Li, Anoop Jaishankar, John Manferdelli, David Ott, Andrei Warkentin
  • Patent number: 12088713
    Abstract: The disclosure provides an approach for cryptographic agility. Embodiments include receiving a request from an application for a cryptographic operation, wherein the request is associated with a computing device. Embodiments include determining one or more resource constraints related to the computing device. Embodiments include selecting, based on the one or more resource constraints, a cryptographic technique from a plurality of cryptographic techniques associated with indications of resource requirements. Embodiments include performing the cryptographic operation using the cryptographic technique. Embodiments include providing a response to the application based on performing the cryptographic operation.
    Type: Grant
    Filed: July 26, 2021
    Date of Patent: September 10, 2024
    Assignee: VMware LLC
    Inventors: Daniel James Beveridge, Mark Benson, Marc Wayne Brotherson, Sean Huntley, Akeem Jenkins, David Ott
  • Publication number: 20240259391
    Abstract: Disclosed are various embodiments for binding the configuration state of client devices to the blockchain and utilizing the binding for managing compliance. A management agent can send a request to a smart contract hosted by a blockchain network for a configuration state for a computing device, the state including data sovereignty and governance policies of the computing device. The management agent can update the configuration of the computing device based upon the configuration state obtained from the blockchain network.
    Type: Application
    Filed: January 26, 2023
    Publication date: August 1, 2024
    Inventors: Daniel Beveridge, Sean James Huntley, David Ott
  • Publication number: 20240235846
    Abstract: Disclosed are various embodiments for binding the configuration state of client devices to the blockchain and utilizing the binding for managing cryptographic compliance. A management agent can send a request to a smart contract hosted by a blockchain network for a zero-knowledge proof (ZKP) of a configuration state for a computing device, the state including cryptographic policies. Cryptographic operations performed by the client device can be performed by complying with the policies stored on the blockchain network.
    Type: Application
    Filed: January 9, 2023
    Publication date: July 11, 2024
    Inventors: Sean James Huntley, David Ott, Daniel Beveridge
  • Publication number: 20240119138
    Abstract: The disclosure herein describes deploying a Virtual Secure Enclave (VSE) using a universal enclave binary and a Trusted Runtime (TR). A universal enclave binary is generated that includes a set of binaries of Instruction Set Architectures (ISAs) associated with Trusted Execution Environment (TEE) hardware backends. A TEE hardware backend is identified in association with a VSE-compatible device. A VSE that is compatible with the identified TEE hardware backend is generated on the VSE-compatible device and an ISA binary that matches the TEE hardware backend is selected from the universal enclave binary. The selected binary is linked to a runtime library of the TR and loads the linked binary into memory of the generated VSE. The execution of a trusted application is initiated in the generated VSE using a set of interfaces of the TR. The trusted application depends on the TR interfaces rather than the selected ISA binary.
    Type: Application
    Filed: October 5, 2022
    Publication date: April 11, 2024
    Inventors: Ye LI, Anoop JAISHANKAR, John MANFERDELLI, David OTT, Andrei WARKENTIN
  • Patent number: 11954198
    Abstract: System and method for creating and managing trusted execution environments (TEEs) using different underlying hardware TEE mechanisms use a virtual secure enclave device which runs in a virtualized environment in a computer system. The device enables an enclave command transmitted to the virtual secure enclave device to be retrieved and parsed to extract an enclave operation to be executed. A TEE backend module is used to interact with a particular hardware TEE mechanism among those available in the computer system. The module ensures the enclave operation for the software process is executed by the particular hardware TEE mechanism, or the TEE scheme based on a particular hardware TEE mechanism.
    Type: Grant
    Filed: October 31, 2019
    Date of Patent: April 9, 2024
    Assignee: VMware, Inc.
    Inventors: Ye Li, David Ott, Cyprien Laplace, Andrei Warkentin, Regis Duchesne
  • Publication number: 20240080207
    Abstract: The disclosure provides an approach for certificate management for cryptographic agility. Embodiments include receiving, by a cryptographic agility system, a cryptographic request related to an application. Embodiments include selecting, by the cryptographic agility system, a cryptographic technique based on contextual information associated with the cryptographic request. Embodiments include determining, by the cryptographic agility system, based on the cryptographic request, a certificate for authenticating a key related to the cryptographic technique. Embodiments include providing, by the cryptographic agility system, the certificate to an endpoint related to the cryptographic request for use in authenticating the key.
    Type: Application
    Filed: July 27, 2023
    Publication date: March 7, 2024
    Inventors: Marc Wayne BROTHERSON, Mark BENSON, Daniel James BEVERIDGE, Sean HUNTLEY, Akeem JENKINS, David OTT
  • Patent number: 11924343
    Abstract: The disclosure provides an approach for cryptographic agility. Embodiments include establishing, by a proxy component associated with a cryptographic agility system, a first secure connection with an application. Embodiments include receiving, by the proxy component, via the first secure connection, a communication from the application directed to an endpoint. Embodiments include selecting, by the cryptographic agility system, a cryptographic technique based on contextual information related to the communication. Embodiments include establishing, by the proxy component, a second secure connection with the endpoint based on the cryptographic technique. Embodiments include transmitting, by the proxy component, a secure communication to the endpoint via the second secure connection based on the communication.
    Type: Grant
    Filed: July 26, 2021
    Date of Patent: March 5, 2024
    Assignee: VMware, Inc.
    Inventors: Akeem Jenkins, Mark Benson, Daniel James Beveridge, Marc Wayne Brotherson, Sean Huntley, David Ott
  • Patent number: 11818278
    Abstract: The disclosure provides an approach for certificate management for cryptographic agility. Embodiments include receiving, by a cryptographic agility system, a cryptographic request related to an application. Embodiments include selecting, by the cryptographic agility system, a cryptographic technique based on contextual information associated with the cryptographic request. Embodiments include determining, by the cryptographic agility system, based on the cryptographic request, a certificate for authenticating a key related to the cryptographic technique. Embodiments include providing, by the cryptographic agility system, the certificate to an endpoint related to the cryptographic request for use in authenticating the key.
    Type: Grant
    Filed: July 26, 2021
    Date of Patent: November 14, 2023
    Assignee: VMWARE, INC.
    Inventors: Marc Wayne Brotherson, Mark Benson, Daniel James Beveridge, Sean Huntley, Akeem Jenkins, David Ott
  • Publication number: 20230238081
    Abstract: A system and method may be provided to receive sample RNA reads from patients and generate lists of genes and their associated RNA expression levels in each patient. Some of the RNA reads may be matched to an RNA transcript or gene or gene family in terms of their match likelihood and other RNA reads may be matched to an RNA transcript or gene or gene family through the use of one or more machine learning classifiers. A machine learning classifier may be trained based on the plurality of the lists and a plurality of corresponding patients’ clinical status data to identify gene patterns that recur with a high degree of frequency in the plurality of the lists. Those gene patterns can be capable of modifying a disease or treatment response and can be targeted for drug/treatment development.
    Type: Application
    Filed: October 24, 2022
    Publication date: July 27, 2023
    Inventors: Jason Barbour, David Ott
  • Patent number: 11693952
    Abstract: System and method for providing secure execution environments in a computer system uses an enclave virtual computing instance to create a secure execution environment, which is deployed in response to a request for such a secure execution environment for content from a software process running in the computer system.
    Type: Grant
    Filed: October 31, 2018
    Date of Patent: July 4, 2023
    Assignee: VMWARE, INC.
    Inventors: Ye Li, David Ott, Andrei Warkentin, Cyprien Laplace, Alexander Fainkichen