Abstract: A method for sequential authentication based on chain of authentication using public key infrastructure (PKI) is provided. The method includes abutting a first wearable device belonging to a first party with a second wearable device belonging to a second party; transmitting, by the first wearable device, authentication information of the first party; verifying the authentication information of the first party; transmitting, by the second wearable device, authentication information of the second party; verifying the authentication information of the second party; authorizing electronic transaction in response to successfully verifying both the authentication information of the first party and the authentication information of the second party. Each of the authentication information of the first party and the authentication information of the second party includes information configured for authentication based on a public key infrastructure (PKI) certificate.

Abstract: A system and method for data compression with homomorphic encryption, which enables secure storage of private information in a database, and which enables searching and comparison of encrypted data within the database, comprising a stream condition system configured to optimize the contents of received data for lossless compression by a data encoder, a data encoder to perform the lossless compression, and an encrypted search engine configured to encrypt the compressed data according to a homomorphic encryption scheme and store the encrypted data in a database. The system may receive a data query and encrypt the data query according to the homomorphic encryption scheme. The encrypted data query may be compared against an encrypted element in the database and an encryption score generated. The encryption score may be compared against a set of criteria to determine if a match is found. Matched data may be returned to the requesting entity.

Abstract: An authentication-gaining apparatus includes: an acquiring unit that acquires unique information; an encrypting unit that encrypts the unique information using a cryptographic key, thereby generating encrypted information; and a transmitting unit that repeatedly transmits an authentication request containing the encrypted information, to an authentication apparatus, during an authentication period, wherein multiple authentication requests respectively containing encrypted information obtained by encrypting multiple pieces of unique information are transmitted during the authentication period.

Abstract: A virtualization host is identified for an isolated run-time environment. One or more records generated at a security module of the host, which indicate that a first phase of a multi-phase establishment of an isolated run-time environment has been completed by a virtualization management component of the host, is transmitted to a resource verifier. In response to a host approval indicator from the resource verifier, the multi-phase establishment is completed at the virtualization host.

Abstract: Systems and methods for file sharing over secure connections.

Abstract: A server device is provided for authenticating client devices on a communication network. The server device includes a transceiver configured for operable communication with at least one client of the communication network, and a processor including a memory configured to store computer-executable instructions. When executed by the processor, the instructions cause the server device to transmit one or more messages of an authentication exchange with a client device, transmit a server Registration Authorization Token (RAT) associated with the server device to the client device, receive from the client device a client RAT associated with the client device, and store the client RAT.

Abstract: Methods, apparatuses, and computer program products are provided to facilitate connections between devices, such as a printer and a cloud-based server, and to implement an adaptive application framework. In the context of an apparatus, a printer is provided comprising communications circuitry configured to facilitate communications with a network; and processing circuitry configured to transmit a connection request to the network; receive requested connection parameters from the network; transmit printer connection parameters to the network; and establish a first secure connection between the printer and the network. The printer comprising processing circuitry further configured to receive requested connection parameters comprising at least a signed security certificate and a DNS name for a server on the network and to verify the signed security certificate and the DNS name for the server.

Abstract: An implantable medical device, external device and method for managing a wireless communication are provided. The IMD includes a transceiver configured to communicate wirelessly, with an external device (ED), utilizing a protocol that utilizes multiple physical layers. The transceiver is configured to transmit information indicating that the transceiver is configured with first, second, and third physical layers (PHYs) for wireless communication. The IMD includes memory configured to store program instructions. The IMD includes one or more processors configured to execute instructions to obtain an instruction designating one of the first, second and third PHY to be utilized for at least one of transmission or reception, during a communication session, with the external device and manage the transceiver to utilize, during the communication session, the one of the first, second and third PHY as designated.

Abstract: A variable-step authentication system and a method for operating for performing variable-step authentication for communications in a controlled environment is disclosed. The variable-step authentication system may include a communication device and a server. The variable-step method includes steps for determining an authentication process that involves a number of authentication steps. The number of authentication steps is variable and dependent on a trust level associated with each participant in the communication.

Abstract: A distributed computing system provides a distributed data store for network enabled devices at the edge. The distributed database is partitioned such that each node in the system has its own partition and some number of followers that replicate the data in the partition. The data in the partition is typically used in providing services to network enabled devices from the edge. The set of data for a particular network enabled device is owned by the node to which the network enabled device connects. Ownership of the data (and the data itself) may move around the distributed computing system to different nodes, e.g., for load balancing, fault-resilience, and/or due to device movement. Security/health checks are enforced at the edge as part of a process of transferring data ownership, thereby providing a mechanism to mitigate compromised or malfunctioning network enabled devices.

Abstract: An exemplary method includes an access management system receiving a signed message that is associated with a non-fungible digital asset and that includes a non-fungible digital asset identifier and a nonce. The non-fungible digital asset may be configured to provide access to an access-restricted resource. Based on the non-fungible digital asset identifier included in the signed message, the access management system may access a distributed record that is configured to store ownership information associated with the non-fungible digital asset. Based on the signed message and the ownership information stored in the distributed record, the access management system may verify that a user of the non-fungible digital asset is authorized to access the access-restricted resource.

Abstract: A trust rule between a first service and a second service in a plurality of services deployed in a distributed system is received; the trust rule defines whether the first service is allowed to access the second service. A trust tree is obtained for the distributed system, and the trust tree comprises a plurality of certificates for accessing the plurality of services. A first group of certificates is selected for the first service based on the trust rule and the trust tree, and the first group of certificates enables the first service to access the second service.

Abstract: Systems, methods, and computer-readable media for discovering trustworthy devices through attestation and authenticating devices through mutual attestation. A relying node in a network environment can receive attestation information from an attester node in the network environment as part of a unidirectional push of information from the attester node according to a unidirectional link layer communication scheme. A trustworthiness of the attester node can be verified by identifying a level of trust of the attester node from the attestation information. Further, network service access of the attester node through the relying node in the network environment can be controlled based on the level of trust of the attester node identified from the attestation information.

Abstract: Examples described herein relate to a graphics processing system that includes one or more integrated graphics systems and one or more discrete graphics systems. In some examples, an operating system (OS) or other software supports switching between image display data being provided from either an integrated graphics system or a discrete graphics system by configuring a multiplexer at runtime to output image data to a display. In some examples, a multiplexer is not used and interface supported messages are used to transfer image data from an integrated graphics system to a discrete graphics system and the discrete graphics system generates and outputs image data to a display. In some examples, interface supported messages are used to transfer image data from a discrete graphics system to an integrated graphics system and the integrated graphics system uses an overlay process to generate a composite image for output to a display.

Abstract: A method is disclosed and includes authenticating a first stage boot loader and authenticating a second stage boot loader in response to authentication of the first stage boot loader. The method also includes executing the second stage boot loader in response to authentication of the second stage boot loader. Executing the second stage boot loader includes loading an operating system, a first set of machine-readable instructions, and first configuration information associated with the first set of machine-readable instructions onto a non-transitory computer-readable medium, wherein the first set of machine-readable instructions and the first configuration information are associated with one or more priority partitions. Executing the second stage boot loader includes authenticating the operating system and the first set of machine-readable instructions.

Abstract: Embodiments of the present disclosure relate to managing admin-controlled access of external resources to group-based communication interfaces associated with an organization, via a group-based communication system including APIs for improved external resource permissioning, provisioning, and access handling. Embodiments include methods, computer program products, apparatuses, and systems configured to receive an external resource access request, determine an organization identifier, obtain an admin response indication, set an external resource permission status for the external resource based on the admin response indication, and cause rendering of the requested group-based communication interface based on the admin response indication. Embodiments further relate to provisioning and handling requests for services associated with an external resource by managing one or more single-interface access tokens linked to a multi-interface access token.

Abstract: A method for providing Cheon-resistance security for a static elliptic curve Diffie-Hellman cryptosystem (ECDH), the method including providing a system for message communication between a pair of correspondents, a message being exchanged in accordance with ECDH instructions executable on computer processors of the respective correspondents, the ECDH instructions using a curve selected from a plurality of curves, the selecting including choosing a range of curves; selecting, from the range of curves, curves matching a threshold efficiency; excluding, within the selected curves, curves which may include intentional vulnerabilities; and electing, from non-excluded selected curves, a curve with Cheon resistance, the electing comprising a curve from an additive group of order q, wherein q is prime, such that q?1=cr and q+1=ds, where r and s are primes and c and d are integer Cheon cofactors of the group, such that cd?48.

Abstract: A verifier device of an authentication system comprises physical layer circuitry and processing circuitry coupled to the physical layer circuitry. The processing circuitry is configured to encode an authentication command for sending to a credential device; decode a response communication received from the credential device, wherein the response communication includes a first random number; encrypt the first random number, a second random number, and verifier keying material for sending to the credential device; decrypt encrypted information received from the credential device, wherein the encrypted information includes the first random number, the second random number, and receiver keying material; and calculate a session encryption key using the verifier keying material and the receiver keying material.

Abstract: An exemplary method includes a digital asset management system generating a set of collectible non-fungible digital assets, generating metadata specifying that non-fungible digital assets included the set of collectible non-fungible digital assets are configured to combine together to form a layered scene configured to be presented by a computer system, and recording, in a distributed record configured to track ownership of non-fungible digital assets, ownership information associated with the set of collectible non-fungible digital assets.

Abstract: In IP communication, an authentication code AC1 uniquely generated by a receiving-side communication device 1b is sent to an originating-side communication device 1a (S1, S2), and stored in the originating-side communication device (S3). Packets in which the stored authentication code is embedded are sent to the receiving-side communication device 1b on connection from the originating-side communication device 1a to the receiving-side communication device 1b (S4), and it is determined at the receiving-side communication device whether the originating-side communication device is true or false depending on if the authentication code sent from the receiving-side communication device is contained in the packets received from the originating-side communication device or not (S5).

Abstract: One disclosed example method includes a leader client device associated with a leader participant generating a meeting key for a video meeting joined by multiple participants. For each participant, the leader client device obtains a long-term public key and a cryptographic signature associated with the participant. The leader client device verifies the cryptographic signature of the participant based on the long-term public key and the cryptographic signature. If the verification is successful, the leader client device encrypts the meeting key for the participant using a short-term private key generated by the leader client device, a short-term public key of the participant, a meeting identifier, and a user identifier identifying the participant. The leader client device further publishes the encrypted meeting key for the participant on the meeting system. The leader client device encrypts and decrypts meeting data communicated with other participants based on the meeting key.

Abstract: An elliptic curve random number generator avoids escrow keys by choosing a point Q on the elliptic curve as verifiably random. An arbitrary string is chosen and a hash of that string computed. The hash is then converted to a field element of the desired field, the field element regarded as the x-coordinate of a point Q on the elliptic curve and the x-coordinate is tested for validity on the desired elliptic curve. If valid, the x-coordinate is decompressed to the point Q, wherein the choice of which is the two points is also derived from the hash value. Intentional use of escrow keys can provide for back up functionality. The relationship between P and Q is used as an escrow key and stored by for a security domain. The administrator logs the output of the generator to reconstruct the random number with the escrow key.

Abstract: Verifiable, secure communications between a sender and a receiver on at least one shared communication channel is provided. A manicoded key encoder produces an argument of knowledge for a secret key to the at least one shared communication channel, and a manicoded message encoder provides an implication argument indicating that knowledge of the secret key enables access to message content of the manicoded message. The argument of knowledge is included in a key manifest for the secret key within a manicoded key, and the implication argument is included in a message manifest of a manicoded message. In this way, the sender may provide message content within the manicoded message, and the receiver may operate a decoder to access the message content. A verifier may use the manicoded key and the manicoded message to verify that the receiver has access to the message content.

Abstract: An adversarial robustness testing method, system, and computer program product include testing a robustness of a black-box system under different access settings via an accelerator.

Abstract: Aspects and features of a cryptosystem and authentication for the cryptosystem, and a method or process for the cryptosystem, are described. In one example, a method for cryptographic communications includes storing a secret key, generating a system randomization number, and encrypting a plain data package into an encrypted data package by application of the plain data package, the secret key, and the system randomization number to a system of equations for encryption. The system of equations can be a system of linearly dependent equations in one example. Among other benefits, the cryptosystem relies upon the system of linearly dependent equations and the system randomization number to provide additional strength against known-plaintext attacks, chosen-plaintext attacks, and other types of attacks. The system is more semantically secure and offers ciphertext indistinguishability in a new approach using the system of linearly dependent equations.

Abstract: A constrained device, such as an Internet of Things (IoT) device, can use a handshake procedure to establish a secure transport session with a server and generate a corresponding client session state. The constrained device can encrypt the client session state into an encrypted client session state, and transmit the encrypted client session state to the server. When the constrained device enters an idle mode, the client session state may be cleared from memory of the constrained device. However, when the constrained device next wakes from the idle mode and re-enters an active mode, the constrained device can retrieve the encrypted client session state from the server. The constrained device can decrypt the encrypted client session state to recover the client session state, and use the recovered client session state to resume the secure transport session instead of establishing a new secure transport session with a new client session state.

Abstract: Embodiments provide methods, and systems for cryptographic keys exchange where the method can include receiving, by a server system, a client public key being part of a client asymmetric key pair from a client device; sending, by the server system, a server public key being part of a server asymmetric key pair to the client device; generating, by the server system, a random value master key and sending the random value master key encrypted using the client public key to the client device; and generating, by the server system, an initial unique session key and sending the initial unique session key encrypted under the random value master key to the client device. A unique session key from the set of the unique session keys is used by the client device to encrypt a session data for transmission to the server system per session.

Abstract: A security authentication method and device are provided. The method includes performing, based on a transmitted password authentication message, password authentication with a server and acquiring a result of the password authentication; sending a request authentication message to the server in a case that the result of the password authentication is determined to indicate that the password authentication is successful; performing security authentication through digitally signing by the server all intercommunicated messages and verifying the digital signature by the client, or through encrypting a local random number and all intercommunicated messages by the client using a public key and verifying a random number returned by the server.

Abstract: The technology disclosed herein enables a method to receive an indication of a change to an operating mode of a device from a first operating mode to a second operating mode, and identify a cryptographic item stored at a memory of the device, wherein the cryptographic item corresponds to an identification of the device signed with a digital signature, and wherein the digital signature is based on a private key that is inaccessible to the device. On response to receiving the indication of the change to the operating mode of the device, the method can modify the cryptographic item stored at the memory, and operate the device in the second operating mode based on the modified cryptographic item. The indication of the change to the operating mode of the device can correspond to a detection of a change in a function of the device.

Abstract: This document discloses a method and device for implementing secure communication, and a storage medium. The method for implementing secure communication includes: encrypting first information and second information of a data packet respectively to generate an encrypted message; wherein, a region in which the encrypted first information is located is a first encrypted region, and a region in which the encrypted second information is located is a second encrypted region; the first information is used for a receiving device to determine whether to acquire the second information; and sending the encrypted message.

Abstract: Disclosed herein is an identity network that can provide a universal, digital identity for users that can be used to authenticate the user by an identity provider for relying parties to utilize for confirming the identity of the user during sign-up. The identity network receives a request from a relying party that includes deep linking to an identity provider selected by the user. The request specifies the user and any other information about the user the relying party is requesting. A service of the identity network launches the application for the identity provider on the user's device and the user logs into the identity provider's application, which provides the user authentication/validation and information about the user to the identity network. The identity network can then provide the information to the relying party, which the relying party can rely on for creating an account with the relying party for the user.

Abstract: Implementations disclosed describe techniques to allow wireless devices to initially connect with randomized MAC addresses and send an encrypted permanent MAC for differentiated services. In one method, a first wireless device connects to an access point (AP) using a randomized MAC address. The first wireless device receives a request for a permanent MAC address from the AP. The first wireless device determines whether to send the permanent MAC address. Responsive to determining to send the permanent MAC address, the first wireless device encrypts the permanent MAC address to obtain an encrypted MAC address and sends a response to the request, including the encrypted MAC address, to the AP.

Abstract: A method of operating a payment device for selectively enabling a payment function according to the validity of a host is provided. The method relates to a method of operating the payment device which includes a near field communication controller (NFCC) and a host communicating with the NFCC. The method selectively enables the payment function according to the validity of the host, thereby preventing illegal or unwanted payment.

Abstract: One example method includes contacting, by a client, a service, receiving a credential from the service, obtaining trust information from a trust broker, comparing the credential with the trust information, and either connecting to the service if the credential and trust information match, or declining to connect to the service if the credential and the trust information do not match. Other than by way of the trust information obtained from the trust broker, the client may have no way to verify whether or not the service can be trusted.

Abstract: A system includes reception of a database query, determination of result set output columns associated with the database query, and determination, for each of the determined result set output columns, of one or more data sources associated with the result set output column. Sensitivity information is determined for each of the one or more data sources based on metadata, and result set sensitivity information is determined based on the determined sensitivity information. A result set is determined based on the database query, and the result set and the result set sensitivity information are transmitted.

Abstract: Disclosed are methods, systems, and machine-readable mediums which provide for customer chatbots that detect a customer handoff condition and in response, transferring the customer to a communication session with a live agent. The handoff condition may comprise an inability to understand the customer, an inability to answer the customer's question, expressions of frustration or anger on the part of the customer, a customer's express request to be transferred, or the like. The live agent may receive a complete history of the conversation with the chatbot so that the customer does not have to repeat him or herself to the live agent. The chatbot chat session may be linked to a social networking account of the customer and may take place in association with a social networking profile page of the company.

Abstract: Methods, apparatus, systems and articles of manufacture to provide machine programmed creative support to a user are disclosed. An example apparatus include an artificial intelligence architecture to be trained based on previous inputs of the user; a processor to: implement a first machine learning model based on the trained artificial intelligence architecture; and predict a first action based on a current state of a computer program using the first machine learning model; implement a second machine learning model based on the trained artificial intelligence architecture; and predict a second action based on the current state of the computer program using the second machine learning model; and a controller to select a state based on the action that results in a state that is more divergent from the current state of the computer program.

Abstract: A method of sharing encrypted data includes, by an electronic device, receiving a password from a user to perform an action, receiving a salt value, generating a user key using the password and salt value, receiving an encrypted key location identifier value, decrypting the encrypted key location identifier value to obtain a key location identifier, receiving an encrypted read token value, decrypting the encrypted read token value using the user key to obtain a read token value, and transmitting the read token value and the key location identifier to a server electronic device.

Abstract: A system for collecting data artifacts from a production environment, storing them, and replaying them in a testing environment is disclosed. One or more processors receive a data artifact from a sensor in a production environment, and store the data artifact in a first storage with a unique identifier, while also storing in a second storage record(s) associating the unique identifier with a tag. A clone of at least a portion of the production environment is created within the testing environment, and an analytic targeting the data artifact is incorporated into the clone. Upon receiving a request to replay the data artifact, referencing the tag associated with the data artifact's unique identifier, the data artifact is replayed by causing the clone to receive the data artifact as if it were presently encountered. Logs of output from the clone's response are stored in a third storage for future analysis.

Abstract: A secure digital communications method is provided in which a Certificate Authority generates an improved RSA key pair having a modulus, a public key exponent, a public key, and a private key. The public key exponent can contain descriptive attributes and a digital signature. The digital signature can be responsive to the descriptive attributes and the modulus. A secure session can be established between a first system and a second system, within a secure digital communication protocol. The second system can verify the digital signature to authenticate the public key.

Abstract: In one illustrative example, a user plane (UP) entity for use in a mobile network may receive a data packet from a user equipment (UE) operative to communicate in one or more sessions via a serving base station (BS) (e.g. eNB or gNB) of the mobile network. The UP entity may detect, in a header (e.g. SRH) of the data packet, an identifier indicating a new serving BS or session of the UE. The identifier may be UE- or BS-added data (e.g. iOAM data) that is inserted in the header by the UE or BS. In response, the UP entity may cause a message to be sent to an analytics function (e.g. a NWDAF) to perform analytics for session or flow migration for the UE.

Abstract: A method includes extracting, by an individual computing system, physical movement intentions of an individual from neural signals; mapping, by a secure element of the individual computing system, the physical movement intentions to a character string representing a knowledge factor; and establishing, by the individual computing system, a secure, mutually authenticated communication channel between the individual computing system and a provider computing system by using the knowledge factor as an input to a password authenticated key exchange protocol and generating a symmetric encryption key using the knowledge factor as an input to a key exchange protocol.

Abstract: In one example an apparatus comprises a memory and a processor to create, from a first deep neural network (DNN) model, a first plurality of DNN models, generate a first set of adversarial examples that are misclassified by the first plurality of deep neural network (DNN) models, determine a first set of activation path differentials between the first plurality of adversarial examples, generate, from the first set of activation path differentials, at least one composite adversarial example which incorporates at least one intersecting critical path that is shared between at least two adversarial examples in the first set of adversarial examples, and use the at least one composite adversarial example to generate a set of inputs for a subsequent training iteration of the DNN model. Other examples may be described.

Abstract: A method for edge network authentication and access, implemented by an edge server, including receiving user equipment (UE) information from an application client executed on a UE to establish a connection between the edge server and the UE, verifying whether the UE has authorization to the local access point name (APN) based on the UE information, generating a session key when the UE has authorization to the local APN, sending the session key to the UE, receiving a request to access content of an application on a content server from the UE, decrypting the information to obtain a key, comparing the key with the application key to validate the UE, verifying identifiers of the UE when the UE is valid, identifying the application on the content server to obtain the content based on the request, encrypting and sending a session identifier to the UE based on a new application key.

Abstract: Aspects of the disclosure relate to a dynamic event securitization and neural network analysis system. A dynamic event inspection and securitization computing platform comprising at least one processor, a communication interface, and memory storing computer-readable instructions may securitize event data prior to authorizing execution of the event. A neural network event analysis computing platform comprising at least one processor, a communication interface, and memory storing computer-readable instructions may utilize a plurality of event analysis modules, a neural network, and a decision engine to analyze the risk level values of data sharing events. The dynamic event inspection and securitization computing platform may interface with the neural network event analysis computing platform by generating data securitization flags that may be utilized by the neural network event analysis computing platform to modify event analysis results generated by the event analysis modules.

Abstract: A method for providing Cheon-resistance security for a static elliptic curve Diffie-Hellman cryptosystem (ECDH), the method including providing a system for message communication between a pair of correspondents, a message being exchanged in accordance with ECDH instructions executable on computer processors of the respective correspondents, the ECDH instructions using a curve selected from a plurality of curves, the selecting including choosing a range of curves; selecting, from the range of curves, curves matching a threshold efficiency; excluding, within the selected curves, curves which may include intentional vulnerabilities; and electing, from non-excluded selected curves, a curve with Cheon resistance, the electing comprising a curve from an additive group of order q, wherein q is prime, such that q?1=cr and q+1=ds, where r and s are primes and c and d are integer Cheon cofactors of the group, such that cd?48.

Abstract: One or more computer processors intercept one or more network inputs entering or existing an internal network; synthesize one or more network input images from a random noise vector sampled from a normal distribution of textually embedded network inputs utilizing a trained generative adversarial network; classify one or more synthesized network input images by identifying contained objects utilizing a trained convolutional neural network with rectified linear units, wherein the objects include patterns, sequences, trends, and signatures; predict a security profile of the one or more classified network input images and associated one or more network inputs, wherein the security profiles includes a set of rules and associated mitigation actions, analogous historical network traffic, a probability of infection, a probability of signature match with historical malicious network inputs, and a harm factor; apply one or more mitigation actions based on the predicted security profile.

Abstract: A method for ensuring integrity of data sent by a vehicle V2X communication device to a control module to ensure operational safety, including: receiving data transferred by vehicle-to-X communication by a first computing apparatus of the V2X communication device, storing the data in a data memory, forwarding the data to a second computing apparatus, receiving the data by the second computing apparatus, establishing whether an action is to be triggered for the data and, in response, transmitting the data to a comparison apparatus, carrying out a comparison test for the data provided by the second computing apparatus with the data stored in the data memory and, in response to the test being passed, outputting the data and/or a control instruction and/or a warning message by the V2X communication device to a control module. Furthermore, a corresponding vehicle-to-X device and the use of the device in a vehicle are disclosed.

Abstract: The subject matter discloses computer-implemented method performed during a multi-party computation (MPC) process performed between multiple parties, said method comprising, the multiple parties executing a pre-processing phase and obtain values of correlated random variables to be used in an MPC process, the parties periodically verifying the correctness of the correlated random variables by exchanging information between the multiple parties, refreshing the values of the correlated random variables in each of the multiple parties, wherein no party of the multiple parties has access to values of the correlated random variables stored in another party of the multiple parties during the verifying and refreshing processes, the multiple parties using the correlated random variables during the MPC process after verifying a correctness of the correlated random variables.

Abstract: Systems and techniques that facilitate universal and efficient privacy-preserving vertical federated learning are provided. In various embodiments, a key distribution component can distribute respective feature-dimension public keys and respective sample-dimension public keys to respective participants in a vertical federated learning framework governed by a coordinator, wherein the respective participants can send to the coordinator respective local model updates encrypted by the respective feature-dimension public keys and respective local datasets encrypted by the respective sample-dimension public keys. In various embodiments, an inference prevention component can verify a participant-related weight vector generated by the coordinator, based on which the key distribution component can distribute to the coordinator a functional feature-dimension secret key that can aggregate the encrypted respective local model updates into a sample-related weight vector.