Patents by Inventor Nathaniel McCallum

Nathaniel McCallum has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).

  • Patent number: 11847253
    Abstract: The technology disclosed herein enables efficient launching of trusted execution environments. An example method can include: receiving, by a first computing device, a request from a second computing device to establish a set of trusted execution environments (TEEs) in the first computing device; establishing a first TEE of the set of TEEs in the first computing device, wherein the trusted execution environment comprises an encrypted memory area and executable code; receiving, by the first TEE, cryptographic key data from the first computing device; establishing, by the first TEE, a second TEE of the set of TEEs in the first computing device, wherein the second TEE comprises a copy of the executable code; providing, by the first TEE, the cryptographic key data to the second TEE; and causing the executable code of the second TEE to communicate with the first computing device using the cryptographic key data.
    Type: Grant
    Filed: November 30, 2020
    Date of Patent: December 19, 2023
    Assignee: Red Hat, Inc.
    Inventors: Michael Hingston McLaughlin Bursell, Michael Tsirkin, Nathaniel McCallum
  • Publication number: 20230106455
    Abstract: The technology disclosed herein enables efficient launching of trusted execution environments.
    Type: Application
    Filed: November 30, 2022
    Publication date: April 6, 2023
    Inventors: Michael Hingston McLaughlin Bursell, Michael Tsirkin, Nathaniel McCallum
  • Patent number: 11593493
    Abstract: Providing smart contracts including secrets encrypted with oracle-provided encryption keys is disclosed. In one example, a contract creator encrypts sensitive data necessary for executing a smart contract into ciphertext using a symmetric cryptographic key K, and also encrypts the symmetric cryptographic key K into a wrapper using a public cryptographic key e of a contract executor. The contract creator then generates an envelope using a public cryptographic key o of a contract oracle, where the envelope includes the wrapper encrypted using the public cryptographic key o and a policy that includes condition(s) precedent and is digitally authenticated. The smart contract, including the envelope and the ciphertext, is deployed to the contract executor. The sensitive data thus may be provided within the smart contract itself, while being protected from unauthorized access in the event the smart contract is malicious or is compromised.
    Type: Grant
    Filed: January 18, 2019
    Date of Patent: February 28, 2023
    Assignee: Red Hat, Inc.
    Inventors: Michael H. M. Bursell, Axel Simon, Nathaniel McCallum
  • Patent number: 11470065
    Abstract: Systems and methods are disclosed for protecting data. An example method includes creating an outer cluster on one or more host machines coupled to a network. The outer cluster includes a plurality of outer nodes. The method also includes creating an enclave cluster on the outer cluster. The enclave cluster includes a plurality of inner nodes, and each inner node of the plurality of inner nodes executes within an enclave of the one or more host machines. The method further includes exposing an application programming interface (API) to the outer cluster, where invocation of the API causes at least one inner node of the enclave cluster to perform an operation on data. The method also includes performing, by an inner node of the enclave cluster, the operation on the data in response to invocation of the API by an outer node of the outer cluster.
    Type: Grant
    Filed: July 17, 2019
    Date of Patent: October 11, 2022
    Assignee: RED HAT, INC.
    Inventor: Nathaniel McCallum
  • Publication number: 20220171883
    Abstract: The technology disclosed herein enables efficient launching of trusted execution environments. An example method can include: receiving, by a first computing device, a request from a second computing device to establish a set of trusted execution environments (TEEs) in the first computing device; establishing a first TEE of the set of TEEs in the first computing device, wherein the trusted execution environment comprises an encrypted memory area and executable code; receiving, by the first TEE, cryptographic key data from the first computing device; establishing, by the first TEE, a second TEE of the set of TEEs in the first computing device, wherein the second TEE comprises a copy of the executable code; providing, by the first TEE, the cryptographic key data to the second TEE; and causing the executable code of the second TEE to communicate with the first computing device using the cryptographic key data.
    Type: Application
    Filed: November 30, 2020
    Publication date: June 2, 2022
    Inventors: Michael Hingston McLaughlin Bursell, Michael Tsirkin, Nathaniel McCallum
  • Patent number: 11295024
    Abstract: Providing smart contracts including secrets encrypted with oracle-provided encryption keys using thresholding cryptosystems is disclosed. In one example, a contract creator encrypts sensitive data necessary for executing a smart contract into ciphertext with multiple symmetric cryptographic keys using a threshold cryptosystem, such that a subset of at least size R of the symmetric cryptographic keys are required to decrypt the ciphertext. The symmetric cryptographic keys are encrypted into wrappers using a public cryptographic key of a contract executor. Envelopes are generated using public cryptographic keys of corresponding contract oracles, where the envelopes include the wrappers encrypted using the public cryptographic keys, and policies that specify condition(s) precedent and are authenticated using the public cryptographic keys. The smart contract, including the envelopes, the ciphertext, and R, is then deployed to the contract executor.
    Type: Grant
    Filed: January 18, 2019
    Date of Patent: April 5, 2022
    Assignee: Red Hat, Inc.
    Inventors: Michael H. M. Bursell, Axel Simon, Nathaniel McCallum
  • Publication number: 20210281550
    Abstract: Implementations of the disclosure provide for binding data to a network in the presence of an entity. In one implementation, a cryptographic system is provided. The cryptographic system includes a memory to store encrypted data, and a processing device, operatively coupled to the memory, to identify a public key for a communications device in response to an indication of a presence of the communications device on a network. A first intermediate is determined in view of the public key for the communications device and in view of an acquisitioning public key. The acquisitioning public key is associated with the encrypted data. A second intermediate public key is received from the communications device in view of the first intermediate public key. Thereupon, the encrypted data is decrypted using an encryption key derived at least from the second intermediate public key.
    Type: Application
    Filed: May 21, 2021
    Publication date: September 9, 2021
    Inventors: Nathaniel McCallum, Robert J. Relyea
  • Patent number: 11102191
    Abstract: Embodiments of the disclosure enable single sign-on for secure network services. In one embodiment, a method is provided. The method comprises providing, by a processing device of a first server, a prompt for first login information associated with a second server. An authentication request is transmitted on behalf of a client to the second server to authenticate the first login information received from the client. An authentication ticket is provided to the client in view of the first login information. The authentication ticket is received from the second server in response to authentication of the first login information. A service request comprising the authentication ticket and a request to access a service associated with the first server is received from the client. Thereupon, access to the service by the client is enabled by applying the authentication ticket, without prompting the client for entry of second login information.
    Type: Grant
    Filed: October 1, 2019
    Date of Patent: August 24, 2021
    Assignee: Red Hat, Inc.
    Inventors: Nikolaos Mavrogiannopoulos, Nathaniel McCallum
  • Publication number: 20210191768
    Abstract: Aspects of the disclosure provide for mechanisms for scheduling computing tasks in a computer system. A method of the disclosure includes determining one or more attributes associated with a computing task, determining an ordered list of the attributes in view of priorities associated with the attributes, generating a first numerical representation of the attributes in view of the ordered list of the attributes, determining a second numerical representation of a priority of the computing task, and determining a third numerical representation of a total priority of the computing task in view of the first numerical representation and the second numerical representation.
    Type: Application
    Filed: March 8, 2021
    Publication date: June 24, 2021
    Inventors: Nathaniel McCallum, Monis Khan, Benjamin Petersen, Jonathan Toppins
  • Patent number: 11032254
    Abstract: Implementations of the disclosure provide for binding data to a network in the presence of an entity. In one implementation, a cryptographic system is provided. The cryptographic system includes a memory to store encrypted data, and a processing device, operatively coupled to the memory, to identify a public key for a communications device in response to an indication of a presence of the communications device on a network. A first intermediate is determined in view of the public key for the communications device and in view of an acquisitioning public key. The acquisitioning public key is associated with the encrypted data. A second intermediate public key is received from the communications device in view of the first intermediate public key. Thereupon, the encrypted data is decrypted using an encryption key derived at least from the second intermediate public key.
    Type: Grant
    Filed: September 6, 2016
    Date of Patent: June 8, 2021
    Assignee: Red Hat, Inc.
    Inventors: Nathaniel McCallum, Robert J. Relyea
  • Patent number: 10942768
    Abstract: Aspects of the disclosure provide for mechanisms for scheduling computing tasks in a computer system. A method of the disclosure includes maintaining a priority queue comprising a plurality of computing tasks sorted in view of a plurality of numerical representations of priorities associated with the plurality of computing tasks; determining an attribute mask for a processing unit of a computer system, the attribute mask comprising a numerical representation of at least one attribute of the processing unit; and identifying, in view of the attribute mask, a computing task in the priority queue of the sorted computing tasks for processing by the processing unit of the computer system.
    Type: Grant
    Filed: August 29, 2018
    Date of Patent: March 9, 2021
    Assignee: Red Hat, Inc.
    Inventors: Nathaniel McCallum, Monis Khan, Benjamin Petersen, Jonathan Toppins
  • Publication number: 20210021580
    Abstract: Systems and methods are disclosed for protecting data. An example method includes creating an outer cluster on one or more host machines coupled to a network. The outer cluster includes a plurality of outer nodes. The method also includes creating an enclave cluster on the outer cluster. The enclave cluster includes a plurality of inner nodes, and each inner node of the plurality of inner nodes executes within an enclave of the one or more host machines. The method further includes exposing an application programming interface (API) to the outer cluster, where invocation of the API causes at least one inner node of the enclave cluster to perform an operation on data. The method also includes performing, by an inner node of the enclave cluster, the operation on the data in response to invocation of the API by an outer node of the outer cluster.
    Type: Application
    Filed: July 17, 2019
    Publication date: January 21, 2021
    Inventor: Nathaniel McCallum
  • Publication number: 20200234294
    Abstract: Providing smart contracts including secrets encrypted with oracle-provided encryption keys is disclosed. In one example, a contract creator encrypts sensitive data necessary for executing a smart contract into ciphertext using a symmetric cryptographic key K, and also encrypts the symmetric cryptographic key K into a wrapper using a public cryptographic key e of a contract executor. The contract creator then generates an envelope using a public cryptographic key o of a contract oracle, where the envelope includes the wrapper encrypted using the public cryptographic key o and a policy that includes condition(s) precedent and is digitally authenticated. The smart contract, including the envelope and the ciphertext, is deployed to the contract executor. The sensitive data thus may be provided within the smart contract itself, while being protected from unauthorized access in the event the smart contract is malicious or is compromised.
    Type: Application
    Filed: January 18, 2019
    Publication date: July 23, 2020
    Inventors: Michael H. M. Bursell, Axel Simon, Nathaniel McCallum
  • Publication number: 20200233966
    Abstract: Providing smart contracts including secrets encrypted with oracle-provided encryption keys using thresholding cryptosystems is disclosed. In one example, a contract creator encrypts sensitive data necessary for executing a smart contract into ciphertext with multiple symmetric cryptographic keys using a threshold cryptosystem, such that a subset of at least size R of the symmetric cryptographic keys are required to decrypt the ciphertext. The symmetric cryptographic keys are encrypted into wrappers using a public cryptographic key of a contract executor. Envelopes are generated using public cryptographic keys of corresponding contract oracles, where the envelopes include the wrappers encrypted using the public cryptographic keys, and policies that specify condition(s) precedent and are authenticated using the public cryptographic keys. The smart contract, including the envelopes, the ciphertext, and R, is then deployed to the contract executor.
    Type: Application
    Filed: January 18, 2019
    Publication date: July 23, 2020
    Inventors: Michael H. M. Bursell, Axel Simon, Nathaniel McCallum
  • Publication number: 20200073706
    Abstract: Aspects of the disclosure provide for mechanisms for scheduling computing tasks in a computer system. A method of the disclosure includes maintaining a priority queue comprising a plurality of computing tasks sorted in view of a plurality of numerical representations of priorities associated with the plurality of computing tasks; determining an attribute mask for a processing unit of a computer system, the attribute mask comprising a numerical representation of at least one attribute of the processing unit; and identifying, in view of the attribute mask, a computing task in the priority queue of the sorted computing tasks for processing by the processing unit of the computer system.
    Type: Application
    Filed: August 29, 2018
    Publication date: March 5, 2020
    Inventors: Nathaniel McCallum, Monis Khan, Benjamin Petersen, Jonathan Toppins
  • Publication number: 20200036700
    Abstract: Embodiments of the disclosure enable single sign-on for secure network services. In one embodiment, a method is provided. The method comprises providing, by a processing device of a first server, a prompt for first login information associated with a second server. An authentication request is transmitted on behalf of a client to the second server to authenticate the first login information received from the client. An authentication ticket is provided to the client in view of the first login information. The authentication ticket is received from the second server in response to authentication of the first login information. A service request comprising the authentication ticket and a request to access a service associated with the first server is received from the client. Thereupon, access to the service by the client is enabled by applying the authentication ticket, without prompting the client for entry of second login information.
    Type: Application
    Filed: October 1, 2019
    Publication date: January 30, 2020
    Inventors: Nikolaos Mavrogiannopoulos, Nathaniel McCallum
  • Patent number: 10454917
    Abstract: Embodiments of the disclosure enable single sign-on for secure network services. In one embodiment, a method is provided. The method comprises providing, by a processing device of a first server, a prompt for first login information associated with a second server. An authentication request is transmitted on behalf of a client to the second server to authenticate the first login information received from the client. An authentication ticket is provided to the client in view of the first login information. The authentication ticket is received from the second server in response to authentication of the first login information. A service request comprising the authentication ticket and a request to access a service associated with the first server is received from the client. Thereupon, access to the service by the client is enabled by applying the authentication ticket, without prompting the client for entry of second login information.
    Type: Grant
    Filed: November 5, 2015
    Date of Patent: October 22, 2019
    Assignee: Red Hat, Inc.
    Inventors: Nikolaos Mavrogiannopoulos, Nathaniel McCallum
  • Patent number: 10397206
    Abstract: Various examples are directed to systems and methods for exchanging encrypted information. A first computing device may select a first private key and generate a session key based at least in part on the first private key. The first computing device may receive from a second computing device a second public key and generate a first public key based at least in part on: the second public key, a shared secret integer, and the first private key. A second computing device may select a second private key and generate the second public key based at least in part on: the second private key, a generator, a first group constant and the shared secret integer.
    Type: Grant
    Filed: January 29, 2016
    Date of Patent: August 27, 2019
    Assignee: Red Hat, Inc.
    Inventor: Nathaniel McCallum
  • Patent number: 10374802
    Abstract: A method relates to receiving, by a processing device of an authentication server over a public network, an authentication request from a client device, the authentication request comprising a user identifier associated with first factor data, in which the first factor data comprises a password stored in a storage associated with the authentication server, calculating a generator value in view of the first factor data and a second factor data associated with the user identifier, and generating a session key in view of the generator value and a first public key received from the client device.
    Type: Grant
    Filed: November 24, 2015
    Date of Patent: August 6, 2019
    Assignee: Red Hat, Inc.
    Inventor: Nathaniel McCallum
  • Patent number: 10129025
    Abstract: Implementations of the disclosure provide for binding data to a network in the presence of an entity with revocation capabilities. A cryptographic system is provided that includes a memory to store revocation information comprising a plurality of identifiers and a processing device operatively coupled to the memory. A provisioning public key is recovered in view of a first intermediate public key associated with a client device storing encrypted data. A binding identifier is generated for the client device in view of the provisioning public key. It is determined whether access to the encrypted data associated with the binding identifier is revoked or allowed in view of the revocation information. Responsive to determining that the access is allowed, provide a second intermediate public key to derive an encryption key to access the encrypted data in view of at least the provisioning public key and the first intermediate public key.
    Type: Grant
    Filed: September 19, 2016
    Date of Patent: November 13, 2018
    Assignee: Red Hat, Inc.
    Inventors: Nathaniel McCallum, Robert J. Relyea