Abstract: A method, apparatus and system for providing controlled access to data in a distributed computing environment include storing received data to be accessed via the distributed computing environment in at least one storage device, generating at least one integrity data structure identifying at least a storage location of at least a respective portion of the stored data, storing the generated at least one integrity data structure in a block of a blockchain, encrypting the at least one integrity data structure in the block of the blockchain, and selectively providing at least a portion of at least one decryption key for decrypting the encrypted at least one integrity data structure to enable access to the respective portion of the stored data for which the at least one integrity data structure is generated. Additionally, the stored data can be encrypted and a decryption key can be provided for decrypting the stored data.

Abstract: A method, apparatus and system for determining a weakness or risk for devices of an Internet-of-things (IoT) network include determining a representation of a physical environment of the IoT network and expected physical and cyber interactions between the devices of the IoT network based at least in part on operating characteristics of the devices of the IoT network, monitoring the physical environment and actual interactions between the devices to generate a network model including at least one of uncharacteristic physical or cyber interaction paths between the devices, based on the determined network model, determining at least one weakness or risk of at least one of the IoT network or of at least one of the devices, and providing a metric of security of at least one of the IoT network or of at least one of the devices based on at least one of the determined weakness or risk.

Abstract: This document relates to using secure MPC to select digital components in ways that preserve user privacy and protects the security of data of each party that is involved in the selection process. In one aspect, a method includes receiving, by a first computing system of a secure MPC system and from a client device, a digital component request and a nonce. The first computing system generates, based on the nonce and a function, an array including a share of a Bloom filter representing user group identifiers for user groups that include a user of the client device as a member. For each of multiple user group identifiers, the first computing system calculates, in collaboration with one or more second computing systems of the secure MPC system and using the array, a respective first secret share of one or more user group membership condition parameters.

Abstract: Systems and methods for selectively sharing of portion of unstructured data containers/documents based on security attributes or policies used to encrypt/decrypt data within the unstructured data containers using standard encryption schemes are provided herein. In some embodiments, a system includes a key generation authority to generate encryption keys based on a selected cryptographic security scheme and one or more security attributes or security policies; an encryption service to selectively encrypt one or more data subgroups using the one or more public keys and based on one or more security attributes or security policies assigned to the one or more data subgroups with the unstructured data containers; and a decryption service to decrypt the one or more data subgroups within unstructured data containers using the one or more secret keys and the one or more public keys.

Abstract: Systems and methods for selectively sharing of portion of unstructured data containers/documents based on security attributes or policies used to encrypt/decrypt data within the unstructured data containers using attribute-based encryption (ABE) are provided herein. In some embodiments, a system includes a key generation authority to generate encryption keys based on a selected cryptographic security scheme and one or more security attributes or security policies; an encryption service to selectively encrypt one or more data subgroups using the one or more public keys and based on one or more security attributes or security policies assigned to the one or more data subgroups with the unstructured data containers; and a decryption service to decrypt the one or more data subgroups within unstructured data containers using the one or more secret keys and the one or more public keys.

Abstract: A method includes obtaining a plaintext query that includes a sequence of plaintext integers and generating a polynomial having coefficients that include the sequence of plaintext integers of the plaintext query. The method also includes encrypting the polynomial using a secret encryption key and transmitting the encrypted polynomial to a server. The secret encryption key is randomly sampled from a ciphertext space and the server is configured to expand the encrypted polynomial using a public encryption key to obtain a sequence of encrypted integers corresponding to the sequence of plaintext integers. The method also includes receiving an encrypted result from the server. The encrypted result is based on the sequence of encrypted integers.

Abstract: Systems and methods for selectively sharing of portion of unstructured data containers/documents based on security attributes or policies used to encrypt/decrypt data within the unstructured data containers using standard encryption schemes are provided herein. In some embodiments, a system includes a key generation authority to generate encryption keys based on a selected cryptographic security scheme and one or more security attributes or security policies; an encryption service to selectively encrypt one or more data subgroups using the one or more public keys and based on one or more security attributes or security policies assigned to the one or more data subgroups with the unstructured data containers; and a decryption service to decrypt the one or more data subgroups within unstructured data containers using the one or more secret keys and the one or more public keys.

Abstract: An example computing device includes a functional encryption unit configured to generate a master secret key and public key; apply functional encryption using the public key to biometric information of a user to produce functionally encrypted biometric information, the functional encryption is based on an encryption function that encodes the biometric information, a computation engine configured to perform re-enrollment by at least one of 1) retrieving a pre-generated function key from a memory, or 2) retrieving a dynamically generated function key from the one or more storage nodes that can be inaccessible during user authentication, the function key dynamically generated using the master secret key, and applying, using the function key and functionally encrypted biometric information, a decryption operation to generate new helper data, wherein the new helper data is generated as an evaluation of a cryptographic function during the decryption operation without the need to decrypt the biometric information.

Abstract: This disclosure is related to devices, systems, and techniques for automatically generating software packages to provide Secure Computation as a Service (SCaaS). For example, a computing device includes processing circuitry configured to receive a set of information comprising an indication of a first party and an indication of a second party. Additionally, the processing circuitry is configured to generate, based on the set of information, a first software package corresponding to the first party, the first software package configured to implement a secure computation, and generate, based on the set of information, a second software package corresponding to the second party, the second software package configured to implement the secure computation. Additionally, the processing circuitry is configured to export the first software package and export the second software package, enabling the first party device and the second party device to perform the secure computation.

Abstract: A method includes obtaining a plaintext query that includes a sequence of plaintext integers and generating a polynomial having coefficients that include the sequence of plaintext integers of the plaintext query. The method also includes encrypting the polynomial using a secret encryption key and transmitting the encrypted polynomial to a server. The secret encryption key is randomly sampled from a ciphertext space and the server is configured to expand the encrypted polynomial using a public encryption key to obtain a sequence of encrypted integers corresponding to the sequence of plaintext integers. The method also includes receiving an encrypted result from the server. The encrypted result is based on the sequence of encrypted integers.

Abstract: A method, apparatus and system for providing controlled access to data in a distributed computing environment include storing received data to be accessed via the distributed computing environment in at least one storage device, generating at least one integrity data structure identifying at least a storage location of at least a respective portion of the stored data, storing the generated at least one integrity data structure in a block of a blockchain, encrypting the at least one integrity data structure in the block of the blockchain, and selectively providing at least a portion of at least one decryption key for decrypting the encrypted at least one integrity data structure to enable access to the respective portion of the stored data for which the at least one integrity data structure is generated. Additionally, the stored data can be encrypted and a decryption key can be provided for decrypting the stored data.

Abstract: A method, apparatus and system for automated verification of a smart contract on a blockchain include translating operating properties of a smart contract annotated with contract specifications at a source code level into verification conditions in an intermediate verification language, discharging the verification conditions using an SMT solver, and reporting results of the discharged verification conditions, such as successes and failures of the discharged verification conditions. The translating can include mapping statements of the smart contract to statements of the intermediate verification language and mapping expressions of the smart contract to expressions of the intermediate verification language.

Abstract: Methods and systems for ensuring forward and backward secrecy in an encrypted communication protocol are provided herein. In some embodiments, a method for ensuring forward and backward secrecy in an encrypted communication protocol includes extracting, from a first device, a unique physically unclonable function (PUF) value of the first device based on structural properties of the first device, creating a PUF key pair including a first public key and a first private key that are generated based on the PUF value, deriving a first session key using the PUF key pair, deleting the first public key and the first private key, and sending a first encrypted communication to a second device using the derived session key.

Abstract: A method, apparatus and system for determining a weakness or risk for devices of an Internet-of-things (IoT) network include determining a representation of a physical environment of the IoT network and expected physical and cyber interactions between the devices of the IoT network based at least in part on operating characteristics of the devices of the IoT network, monitoring the physical environment and actual interactions between the devices to generate a network model including at least one of uncharacteristic physical or cyber interaction paths between the devices, based on the determined network model, determining at least one weakness or risk of at least one of the IoT network or of at least one of the devices, and providing a metric of security of at least one of the IoT network or of at least one of the devices based on at least one of the determined weakness or risk.

Abstract: This disclosure is related to devices, systems, and techniques for automatically generating software packages to provide Secure Computation as a Service (SCaaS). For example, a computing device includes processing circuitry configured to receive a set of information comprising an indication of a first party and an indication of a second party. Additionally, the processing circuitry is configured to generate, based on the set of information, a first software package corresponding to the first party, the first software package configured to implement a secure computation, and generate, based on the set of information, a second software package corresponding to the second party, the second software package configured to implement the secure computation. Additionally, the processing circuitry is configured to export the first software package and export the second software package, enabling the first party device and the second party device to perform the secure computation.

Abstract: Systems and methods for selectively sharing of portion of unstructured data containers/documents based on security attributes or policies used to encrypt/decrypt data within the unstructured data containers using attribute-based encryption (ABE) are provided herein. In some embodiments, a system includes a key generation authority to generate encryption keys based on a selected cryptographic security scheme and one or more security attributes or security policies; an encryption service to selectively encrypt one or more data subgroups using the one or more public keys and based on one or more security attributes or security policies assigned to the one or more data subgroups with the unstructured data containers; and a decryption service to decrypt the one or more data subgroups within unstructured data containers using the one or more secret keys and the one or more public keys.

Abstract: An example computing device includes a functional encryption unit configured to generate a master secret key and public key; apply functional encryption using the public key to biometric information of a user to produce functionally encrypted biometric information, the functional encryption is based on an encryption function that encodes the biometric information, a computation engine configured to perform re-enrollment by at least one of 1) retrieving a pre-generated function key from a memory, or 2) retrieving a dynamically generated function key from the one or more storage nodes that can be inaccessible during user authentication, the function key dynamically generated using the master secret key, and applying, using the function key and functionally encrypted biometric information, a decryption operation to generate new helper data, wherein the new helper data is generated as an evaluation of a cryptographic function during the decryption operation without the need to decrypt the biometric information.