Patents by Inventor Ghassan Karame
Ghassan Karame has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).
-
Patent number: 12197300
Abstract: A method for execution of a Byzantine Fault Tolerant (BFT) protocol among a number of participating nodes of a network includes: receiving, by a primary node of the BFT protocol, a transaction request, applying, by the primary node, a data dissemination protocol for distributing the transaction request among the participating nodes via a data-plane of the network, and generating, by the primary node, a hash of the transaction request and requesting consensus among the participating nodes via a control-plane of the network using the hash of the transaction request.
Type: Grant
Filed: September 29, 2020
Date of Patent: January 14, 2025
Assignee: NEC CORPORATION
Inventors: Sebastien Andreina, Ghassan Karame
-
Publication number: 20250007897
Abstract: A method for enabling enclave migration is provided, where the contents of the enclave and its sealed data are transferred from a sending host to a receiving host. An attestation is performed between a security monitor of the sending host and a security monitor of the receiving host, where the attestation includes an exchange of a shared cryptographic key K between the two security monitors. The shared cryptographic key K is used to implement a secure communication channel between the two security monitors. The two security monitors execute, via the secure communication channel, a predetermined transfer protocol. The predetermined transfer protocol includes an initial exchange of verification messages between the security monitors to verify that both security monitors are ready and can execute the transfer, and a subsequent transfer of enclave data between the security monitors.
Type: Application
Filed: October 27, 2021
Publication date: January 2, 2025
Inventors: Samira BRIONGOS, Claudio SORIENTE, Ghassan KARAME
-
Patent number: 12125007
Abstract: A blockchain payment involves a transfer of funds from an account of a user to a collateral account of a service provider. The service provider receives a payment intent from the user including a payment index, a random payment ID, and an address of the collateral account. The service provider replaces the address by a commitment and provides the modified payment intent to a majority of statekeepers of a blockchain, receives payment approvals from the statekeepers, each payment approval including the modified payment intent signed with a private key of a respective statekeeper, evaluates the received payment approvals, aggregates successfully evaluated payment approvals, and transmits the aggregation result to the user. The service provider receives a final transaction created by the user after having verified the aggregation result, verifies that the user correctly constructed the final transaction, and accepts the payment in case of successful verification of the final transaction.
Type: Grant
Filed: September 27, 2022
Date of Patent: October 22, 2024
Assignee: NEC CORPORATION
Inventors: Sven Gnap, Kari Kostiainen, Ghassan Karame, Srdjan Capkun
-
Patent number: 12126743
Abstract: A method for supporting sharing of travel history of travelers in airports includes receiving, by a trusted entity of the distributed ledger system, a registration request from a traveler via a traveler application. The registration request provides personal information of the traveler to the trusted entity. The method further includes generating, by the trusted entity, a public key for the traveler using an identity-based encryption mechanism and sending, from the trusted entity to the global identity blockchain, a registration transaction with respect to the traveler. The registration transaction comprises the public key of the traveler. The method further includes recording a travel history that includes all travel tickets of the traveler, wherein a Merkle tree of all the travel tickets of the traveler is generated. The Merkle tree has a Merkle root, and the Merkle root of the Merkle tree is stored in the global identity blockchain.
Type: Grant
Filed: March 2, 2020
Date of Patent: October 22, 2024
Assignee: NEC CORPORATION
Inventors: Sebastien Andreina, Ghassan Karame
-
Patent number: 12093908
Abstract: A method for validating a transaction transmitted on a distributed ledger system network includes receiving, by a first node of the distributed ledger system network, verification data associated with the transaction from a second node of the distributed ledger system network. The verification data includes a digital signature generated in a secure enclave of the second node. The first node integrates the verification data into a distributed ledger of the distributed ledger system network.
Type: Grant
Filed: March 22, 2018
Date of Patent: September 17, 2024
Assignee: NEC LABORATORIES EUROPE GMBH
Inventors: Ghassan Karame, Jens-Matthias Bohli
-
Publication number: 20240161071
Abstract: A blockchain payment involves a transfer of funds from an account of a user to a collateral account of a service provider. The service provider receives a payment intent from the user including a payment index, a random payment ID, and an address of the collateral account. The service provider replaces the address by a commitment and provides the modified payment intent to a majority of statekeepers of a blockchain, receives payment approvals from the statekeepers, each payment approval including the modified payment intent signed with a private key of a respective statekeeper, evaluates the received payment approvals, aggregates successfully evaluated payment approvals, and transmits the aggregation result to the user. The service provider receives a final transaction created by the user after having verified the aggregation result, verifies that the user correctly constructed the final transaction, and accepts the payment in case of successful verification of the final transaction.
Type: Application
Filed: September 27, 2022
Publication date: May 16, 2024
Inventors: Sven GNAP, Kari KOSTIAINEN, Ghassan KARAME, Srdjan CAPKUN
-
Patent number: 11983290
Abstract: A method for supporting identity management of travelers in an airport using a distributed ledger system includes receiving, by a global identity blockchain, a registration request from a traveler via a traveler device. The registration request includes a commitment for identity data that is uploaded by the traveler in a secure cloud storage. The method further includes recording the commitment in the global identity blockchain, receiving, by the global identity blockchain, a result of an identity verification with respect to the traveler from a verifier entity, recording the result in the global identity blockchain, and receiving, by a security blockchain, a ticket registration transaction issued by an airline entity. The ticket registration transaction comprises a unique traveler ID of the traveler. The method further includes issuing, by the security blockchain, an access control list update upon reception of consent by the traveler.
Type: Grant
Filed: August 22, 2019
Date of Patent: May 14, 2024
Assignee: NEC CORPORATION
Inventors: Sebastien Andreina, Alessandro Sforzin, Ghassan Karame
-
Patent number: 11977626
Abstract: A method for securing a genuine machine learning model against adversarial samples includes the steps of attaching a trigger to a sample to be classified and classifying the sample with the trigger attached using a backdoored model that has been backdoored using the trigger. In a further step, it is determined whether an output of the backdoored model is the same as a backdoor class of the backdoored model, and/or an outlier detection method is applied to logits compared to honest logits that were computed using a genuine sample. These steps are repeated using different triggers and backdoored models respectively associated therewith. It is compared a number of times that an output of the backdoored models is not the same as the respective backdoor class, and/or a difference determined by applying the outlier detection method, against one or more thresholds so as to determine whether the sample is adversarial.
Type: Grant
Filed: June 9, 2021
Date of Patent: May 7, 2024
Assignee: NEC CORPORATION
Inventors: Sebastien Andreina, Giorgia Azzurra Marson, Ghassan Karame
-
Publication number: 20240129125
Abstract: A method for performing a privacy-preserving membership test includes performing an oblivious pseudo-random function (OPRF) protocol to determine a pseudo-random function (PRF) result based on an input from a proving device and a PRF key. The input indicates a user identity of a user associated with the providing device. The method further includes determining whether the user belongs to a verifier list associated with a verifier device based on testing membership of the user using the verifier list and the PRF result.
Type: Application
Filed: March 2, 2023
Publication date: April 18, 2024
Inventors: Giorgia Azzurra Marson, Wenting Li, Ghassan Karame
-
Patent number: 11935042
Abstract: A method for securing an interblockchain transaction includes receiving, from a first user application, a registration request including a first permissioned blockchain public key and a first permissionless blockchain public key. The method also includes performing, by the processing circuitry, receiving, from a second user application, a second registration request including a second permissioned blockchain public key and a second permissionless blockchain public key. The permissioned blockchain public keys are valid on the permissioned blockchain and the permissionless blockchain public keys are valid on the permissionless public blockchain. In addition, the method includes receiving, from the first user application, a transaction identification, the transaction identification identifying a first transfer transaction executed on the permissionless public blockchain. The transaction identification identifies the first and second permissionless blockchain public keys.
Type: Grant
Filed: October 18, 2021
Date of Patent: March 19, 2024
Assignee: NEC CORPORATION
Inventors: Alessandro Sforzin, Maja Schwarz, Sebastien Andreina, Ghassan Karame
-
Patent number: 11914721
Abstract: A blockchain smart contract rewriting framework system has a vulnerability detection tool, a rewriter tool, and a deployment component. The deployment component obtains a permission to upgrade the smart contract, which is granted by a smart contract creator/owner. The contract rewriting framework system retrieves the smart contract from the blockchain network, and passes it to the vulnerability detection tool. The vulnerability detection tool detects a vulnerability in the smart contract, and determines a type of the vulnerability and an instruction location of the vulnerability. The rewriter tool rewrites the smart contract to include a patch for fixing the vulnerability, a patched smart contract being generated by the rewriter tool based on the type of the vulnerability and the instruction location of the vulnerability.
Type: Grant
Filed: June 9, 2020
Date of Patent: February 27, 2024
Assignee: NEC CORPORATION
Inventors: Michael Rodler, Lucas Davi, Ghassan Karame, Wenting Li
-
Publication number: 20240045959
Abstract: A method for thwarting attacks on a machine-learning (ML) model is provided. The method includes determining, by the ML model, a classification vector based on an input. The method further includes evaluating the classification vector based on a threshold parameter to determine a threshold result. The method also includes outputting a classification prediction based on the threshold result.
Type: Application
Filed: November 16, 2022
Publication date: February 8, 2024
Inventors: Giorgia Marson, Sebastien Andreina, Pascal Zimmer, Ghassan Karame
-
Publication number: 20240020425
Abstract: A method provides trusted timing services to an enclave of a computer having memory and a trusted hardware timer. The computer executes a privileged management program and an untrusted operating system. The privileged management program has access to the memory and the trusted hardware timer, has higher privileges than the untrusted operating system, and exposes a system call to the enclave for requesting the trusted timing services. The method includes: receiving, by the privileged management program, a request for timing services from the enclave, via the system call; reserving, by the privileged management program, a memory region of the memory for tracking time; and writing, by the privileged management program, at least one value of the trusted hardware timer into the memory region.
Type: Application
Filed: August 3, 2022
Publication date: January 18, 2024
Inventors: Samira Briongos, Claudio Soriente, Felix Klaedtke, Ghassan Karame
-
Publication number: 20240020109
Abstract: A computer-implemented method for supporting smart contracts in a blockchain network includes: translating a source code of a smart contract into an abstract syntax tree model; generating a code property graph based on the abstract syntax tree model; performing an enrichment phase, wherein the code property graph is enriched with information that is obtained from the abstract syntax tree model; performing a vulnerability detection phase, wherein the code property graph is analyzed for one or more predetermined vulnerability patterns in order to detect one or more predetermined vulnerabilities; and performing a vulnerability patching phase, wherein one or more patches are applied in order to fix the one or more predetermined vulnerabilities detected in the vulnerability detection phase, wherein the one or more patches are inserted into the code property graph such that a patched code property graph is generated.
Type: Application
Filed: February 26, 2021
Publication date: January 18, 2024
Inventors: Jens-rene GIESEN, Michael RODLER, Lucas DAVI, Sebastien ANDREINA, Ghassan KARAME
-
Publication number: 20240007857
Abstract: A method for secure chain division of a satellite chain by a validator node of a permission-based blockchain system includes executing, by communicating with a set of validator nodes of an original satellite chain of the blockchain system, a validator assignment scheme that splits the set of validator nodes of the original satellite chain into subsets of validator nodes of child chains of the original satellite chain, and running, by communicating with the validator nodes of the respective subsets, a reconfiguration protocol to set up the respective child chains and sending, to an identity management component that maintains identity information of all members of the blockchain system in a registry, a configuration update to record the division of the original satellite chain and corresponding creation of the child chains.
Type: Application
Filed: April 22, 2021
Publication date: January 4, 2024
Inventors: Sebastien ANDREINA, Giorgia Azzurra MARSON, Lorenzo ALLUMINIO, Ghassan KARAME
-
Patent number: 11853437
Abstract: A method for storing data on a storage entity (SE) includes: computing a file identifier for a file to be stored on the SE; checking if the file has already been stored using the file identifier; generating a user-specific private and public identifier, wherein generating the user-specific private identifier is based on using an oblivious key generation protocol between the client and a trusted entity, and wherein the user-specific private identifier is a deterministic private identifier; updating or computing tags of the file by the client such that the updating or computing is homomorphic in the user-specific private identifier and in parts of the file; and providing the user-specific public identifier, the updated tags and a proof of possession of the secret identifier to the SE to enable the SE to store information associated with the file.
Type: Grant
Filed: May 20, 2021
Date of Patent: December 26, 2023
Assignee: NEC CORPORATION
Inventors: Jens-Matthias Bohli, Ghassan Karame, Frederik Armknecht
-
Patent number: 11836643
Abstract: A method for performing federated learning includes initializing, by a server, a global model G0. The server shares G0 with a plurality of participants (N) using a secure communications channel. The server selects n out of N participants, according to filtering criteria, to contribute training for a round r. The server partitions the selected participants n into s groups and informs each participant about the other participants belonging to the same group. The server obtains aggregated group updates AU1, . . . , AUg from each group and compares the aggregated group updates and identifies suspicious aggregated group updates. The server combines the aggregated group updates by excluding the updates identified as suspicious, to obtain an aggregated update Ufinal. The server derives a new global model Gr from the previous model Gr-1 and the aggregated update Ufinal and shares Gr with the plurality of participants.
Type: Grant
Filed: March 8, 2019
Date of Patent: December 5, 2023
Assignee: NEC CORPORATION
Inventors: Kumar Sharad, Ghassan Karame, Giorgia Azzurra Marson
-
Patent number: 11836244
Abstract: A method for detecting a trusted execution environment (TEE) clone application operating on a computing device includes measuring a plurality of read time periods associated with a plurality of monitored cache sets within a memory cache based on executing a first auxiliary thread of a TEE application on the computing device. Each of the read time periods indicating a time period that is used to read data within one of the monitored cache sets. The read time periods are compared with a time threshold to determine one or more cache misses. The TEE clone application is detected as operating on the computing device based on the determined cache misses.
Type: Grant
Filed: June 2, 2021
Date of Patent: December 5, 2023
Assignee: NEC CORPORATION
Inventors: Samira Briongos, Claudio Soriente, Ghassan Karame
-
Publication number: 20230377700
Abstract: A method for sharing of digital health data in a travel environment is provided. Travelers' identities are managed using a distributed ledger system that includes a global identity blockchain, security blockchains, and a health blockchain. The method comprises sending a request for a predetermined number of health data records, receiving consecutive access keys for the requested records and a zero knowledge proof, verifying the zero knowledge proof, wherein the zero knowledge proof validates a latest access key of the consecutive access keys. Upon verification, retrieving the health data records from the health blockchain based on hashed access keys, wherein the hashed access keys are generated from the consecutive access keys, and verifying the consecutive access keys provided by the traveler using hashed previous access keys included in the retrieved health data records, to determine whether the traveler has provided the access keys required for the retrieved health data records as requested.
Type: Application
Filed: December 15, 2020
Publication date: November 23, 2023
Inventors: Sebastien ANDREINA, Rahul BOBBA, Ghassan KARAME
-
Publication number: 20230344659
Abstract: Methods and systems for supporting trusted communication between nodes from different blockchains are provided. The method comprises using a bootstrapping service for bootstrapping trust among blockchains of a group of federated blockchains. The bootstrapping service records security parameters of the federated blockchains. The security parameters include information on consensus configurations of the federated blockchains.
Type: Application
Filed: March 25, 2020
Publication date: October 26, 2023
Inventors: Ghassan KARAME, Sebastien ANDREINA, Wenting LI