Abstract: A computer-implemented method for enabling transaction-risk evaluation by resource-limited devices. The method includes receiving from a financial network transaction data, defining transactions in the network, and generating, based on the transaction data, a transaction graph comprising nodes, representing parties to transactions, interconnected by edges representing transactions between parties represented by the nodes. For each of at least some nodes, at least one risk attribute provided in the transaction graph. The method includes receiving from a resource-limited device a request describing a potential transaction, identifying at least one counterparty node, deriving transaction-risk data, dependent on aggregated risk attributes of the counterparty node and a selected set of nodes reachable from that node via edges, and sending to the device a response comprising the transaction-risk data for evaluation of risk of the potential transaction.

Abstract: An approach for locating suspect patterns of transactions in a financial network may be provided. The approach may include generating a transaction graph for a financial network by processing transaction data defining transfers between accounts in that network. The approach may include modifying the transaction graph to include synthetic suspect transaction patterns at multiple locations in the graph and extracting subgraphs from the transaction graph. The approach may include training a graph neural network model to classify subgraphs containing a synthetic suspect transaction pattern as suspect. The approach may also include locating suspect transaction patterns in a new financial network by generating a new transaction graph for that network and classifying a subgraph of the new financial network as suspect.

Abstract: A method, computer program product, and a system where a secure interface control configures a hardware security module for exclusive use by a secure guest. The secure interface control (“SC”) obtains a configuration request (via a hypervisor) to configure the hardware security module (HSM), from a given guest of guests managed by the hypervisor. The SC determines if the HSM is already configured to a specific guest of the one or more guests, but based on determining that the HSM is not configured to the and is a secure guest the SC forecloses establishing a configuration of the HSM by limiting accesses by guests to the HSM exclusively to the given guest. The SC logs the given guest into the HSM by utilizing a secret of the given guest. The SC obtains, from the HSM, a session code and retains the session code.

Abstract: A method, computer program product, and a system where a secure interface control configures a hardware security module for exclusive use by a secure guest. The secure interface control (“SC”) obtains a configuration request (via a hypervisor) to configure the hardware security module (HSM), from a given guest of guests managed by the hypervisor. The SC determines if the HSM is already configured to a specific guest of the one or more guests, but based on determining that the HSM is not configured to the and is a secure guest the SC forecloses establishing a configuration of the HSM by limiting accesses by guests to the HSM exclusively to the given guest. The SC logs the given guest into the HSM by utilizing a secret of the given guest. The SC obtains, from the HSM, a session code and retains the session code.

Abstract: An example operation may include one or more of receiving, by one or more endorser nodes of a blockchain network, an invoke chaincode transaction proposal, executing chaincode, encrypting, by an application programming interface between the chaincode and a shared ledger, blockchain state to the shared ledger, decrypting blockchain state from the shared ledger, endorsing, by the one or more endorser nodes, one or more results from executing the chaincode, and creating a blockchain transaction from the one or more endorsed results.

Abstract: The present invention discloses a method for managing priority-arbitrated access to a set of one or more computational engines of a physical computing device. The method includes providing a multiplexer module and a network bus in the physical computing device, wherein the multiplexer module is connected to the network bus. The method further includes receiving, by the multiplexer module, a first data processing request from a driver and inferring, by the multiplexer module, a first priority class from the first data processing request according to at least one property of the first data processing request. The method further includes manipulating, by the multiplexer module, a priority according to which the physical computing device handles data associated with the first data processing request in relation to data associated with other data processing requests, wherein the priority is determined by the first priority class.

Abstract: Hardware security modules for executing zero-knowledge proofs are provided. Such a module includes multiple computational engines for executing respective primitive operations of zero-knowledge proofs, and memory storing multiple data-flow graphs. Each data-flow graph defines computational functionality of a respective one of the proofs, and comprises a set of nodes, each representing a said primitive operation, interconnected by edges representing input/output data of nodes. At least edges which represent security-sensitive data are indicated by edge-labels in the graphs. The module further comprises a set of registers, comprising at least a subset of secure registers, for storing data during execution of proofs, and a processor configured to control execution, using said engines, of proofs defined by the set of dataflow graphs such that data corresponding to a security-sensitive edge in a graph is stored in a secure register during execution.

Abstract: A key identifier that identifies a cryptographic key is transmitted to a cryptographic coprocessor. A first set of attributes is received from the cryptographic coprocessor. The first set of attributes and a second set of attributes are serialized into a first sequence of attributes. The first sequence of attributes are stored to an attribute frame. One or more attributes in the second set of attributes are associated with the cryptographic key and originate from a key attribute storage of the key management system. The second set of attributes is different from the first set of attributes. The first sequence of attributes is transmitted to the cryptographic coprocessor. A first message authentication code (MAC) calculated from the first sequence of attributes is received from the cryptographic coprocessor. The attribute frame is verified by comparing the first MAC, or a value derived from the first MAC, to a reference value.

Abstract: A key identifier that identifies a cryptographic key is transmitted to a cryptographic coprocessor. A first set of attributes is received from the cryptographic coprocessor. The first set of attributes and a second set of attributes are serialized into a first sequence of attributes. The first sequence of attributes are stored to an attribute frame. One or more attributes in the second set of attributes are associated with the cryptographic key and originate from a key attribute storage of the key management system. The second set of attributes is different from the first set of attributes. The first sequence of attributes is transmitted to the cryptographic coprocessor. A first message authentication code (MAC) calculated from the first sequence of attributes is received from the cryptographic coprocessor. The attribute frame is verified by comparing the first MAC, or a value derived from the first MAC, to a reference value.

Abstract: The present invention discloses a method for managing priority-arbitrated access to a set of one or more computational engines of a physical computing device. The method includes providing a multiplexer module and a network bus in the physical computing device, wherein the multiplexer module is connected to the network bus. The method further includes receiving, by the multiplexer module, a first data processing request from a driver and inferring, by the multiplexer module, a first priority class from the first data processing request according to at least one property of the first data processing request. The method further includes manipulating, by the multiplexer module, a priority according to which the physical computing device handles data associated with the first data processing request in relation to data associated with other data processing requests, wherein the priority is determined by the first priority class.

Abstract: A method including: receiving, via a processor, established upper bounds for dynamic structures in a multi-tenant system; creating, via the processor, arrays comprising related memory-management unit (MMU) mappings to be placed together; and placing the dynamic structures within the arrays, the placing comprising for each array: skipping an element of the array based on determining that placing a dynamic structure in that element would cause the array to become overcommitted and result in a layout where accessing all elements would impose a translation look aside buffer (TLB) replacement action; and scanning for an array-start entry by placing the start of a first element at an address from which an entire array can be placed without TLB contention, and accessing, via the processors, all non-skipped elements without incurring TLB replacements.

Abstract: A method includes determining, by a tracker controller of a hardware security module, that a first processor has submitted a first request to access a computing resource. The method also includes determining, by the tracker controller, whether the first request and a second request both request access to the same computing resource. The second request is submitted by a second processor. The method also includes preventing access to the computing resource based on a determination that the first request and the second request do not request access to the same computing resource. The method also includes permitting access to the computing resource based on a determination that the first request and the second request both request access to the same computing resource.

Abstract: A method including: receiving, via a processor, established upper bounds for dynamic structures in a multi-tenant system; creating, via the processor, arrays comprising related memory-management unit (MMU) mappings to be placed together; and placing the dynamic structures within the arrays, the placing comprising for each array: skipping an element of the array based on determining that placing a dynamic structure in that element would cause the array to become overcommitted and result in a layout where accessing all elements would impose a translation look aside buffer (TLB) replacement action; and scanning for an array-start entry by placing the start of a first element at an address from which an entire array can be placed without TLB contention, and accessing, via the processors, all non-skipped elements without incurring TLB replacements.

Abstract: Batched execution of encryption operations is performed. A batched set of data for which format-preserving encryption is to be performed is obtained. The batched set of data includes a plurality of fields of data, which are independent of one another. Multiple rounds of format-preserving encryption are performed on the plurality of fields of data to provide an output of format-preserved encrypted data. A round of format-preserving encryption includes calling an encryption function to perform one or more encryption operations on the plurality of fields of data in parallel.

Abstract: The present disclosure relates to a computer-implemented method for controlling operation of multiple computational engines of a physical computing device. The computer-implemented method includes providing a multiplexer module in the device, the multiplexer module including a first and second memory region. The multiplexer module may receive from a first driver at the multiplexer module a data processing request to be processed by a first set of one or more computational engines of the computational engines. Subsequent to receiving the data processing request, the multiplexer module may assign a request sub-region of the first region and a response sub-region of the second region to the first driver. Data indicative of the request sub-region and the response sub-region may be submitted to the first driver. Results of processing the request may be received at the response sub-region.

Abstract: Hardware security modules for executing zero-knowledge proofs are provided. Such a module includes multiple computational engines for executing respective primitive operations of zero-knowledge proofs, and memory storing multiple data-flow graphs. Each data-flow graph defines computational functionality of a respective one of the proofs, and comprises a set of nodes, each representing a said primitive operation, interconnected by edges representing input/output data of nodes. At least edges which represent security-sensitive data are indicated by edge-labels in the graphs. The module further comprises a set of registers, comprising at least a subset of secure registers, for storing data during execution of proofs, and a processor configured to control execution, using said engines, of proofs defined by the set of dataflow graphs such that data corresponding to a security-sensitive edge in a graph is stored in a secure register during execution.

Abstract: A machine instruction is provided that includes an opcode field to provide an opcode, the opcode to identify a perform pseudorandom number operation, and a register field to be used to identify a register, the register to specify a location in memory of a first operand to be used. The machine instruction is executed, and execution includes for each block of memory of one or more blocks of memory of the first operand, generating a hash value using a 512 bit secure hash technique and at least one seed value of a parameter block of the machine instruction; and storing at least a portion of the generated hash value in a corresponding block of memory of the first operand, the generated hash value being at least a portion of a pseudorandom number.

Abstract: The present disclosure relates to a computer-implemented method for controlling operation of multiple computational engines of a physical computing device. The computer-implemented method includes providing a multiplexer module in the device, the multiplexer module including a first and second memory region. The multiplexer module may receive from a first driver at the multiplexer module a data processing request to be processed by a first set of one or more computational engines of the computational engines. Subsequent to receiving the data processing request, the multiplexer module may assign a request sub-region of the first region and a response sub-region of the second region to the first driver. Data indicative of the request sub-region and the response sub-region may be submitted to the first driver. Results of processing the request may be received at the response sub-region.

Abstract: System, methods, and media are provided for enforcing segmentation of multi-tenant data. An example method includes informing hardware of direct memory access (DMA) segmented regions, in which the hardware is informed of software-specified size and count parameters relating to DMA windows. Identifying an originating DMA window for each DMA descriptor and referenced data. Verifying that contents of one or more DMA transfers are entirely from memory controlled by a single process. Setting DMA window-describing registers based the software-specified size and count parameters. Enforcing restrictions, based on the DMA window-describing registers, for DMA requests relating to the DMA windows as DMA requests are received.

Abstract: A method, computer program product, and a system where a secure interface control configures a hardware security module for exclusive use by a secure guest. The secure interface control (“SC”) obtains a configuration request (via a hypervisor) to configure the hardware security module (HSM), from a given guest of guests managed by the hypervisor. The SC determines if the HSM is already configured to a specific guest of the one or more guests, but based on determining that the HSM is not configured to the and is a secure guest the SC forecloses establishing a configuration of the HSM by limiting accesses by guests to the HSM exclusively to the given guest. The SC logs the given guest into the HSM by utilizing a secret of the given guest. The SC obtains, from the HSM, a session code and retains the session code.