Abstract: A computer-implemented method includes receiving training data that includes a plurality of API requests from a plurality of client devices. The method includes generating a plurality of permissible API sessions based on the training data. Each of the permissible API sessions is associated with a corresponding client device of the plurality of client devices and includes a sequence of API requests originating from the corresponding client device. The method includes applying a sequence embedding technique to the plurality of permissible API sessions to generate a plurality of embeddings and applying a dimensionality reduction technique to the plurality of embedding to generate a plurality of compact embeddings. The method includes storing each of the compact embeddings in a space partitioning data structure at storage locations within the space partitioning data structure that are determined based on similarities between the compact embeddings.

Abstract: A computer-implemented method includes receiving training data including a plurality of API requests from a plurality of client devices. The method includes generating a plurality of permissible API sessions based on the training data. The method includes applying a sequence embedding technique to the plurality of permissible API sessions to generate a plurality of embeddings. The method includes applying a dimensionality reduction technique to the plurality of embeddings to generate a plurality of compact embeddings. The method includes applying a clustering technique to the plurality of compact embeddings to determine a plurality of different clusters of the compact embeddings. The method includes generating a plurality of patterns based on the plurality of different clusters. Each of the plurality of patterns is descriptive of permissible API sessions associated with a corresponding cluster of the plurality of different clusters.

Abstract: Systems and methods that may be used to provide multitenant key derivation and management using a unique protocol in which key derivation may be executed between the server that holds the root key and a client that holds the derivation data and obtains an encryption key. In one or more embodiments, the derivation data may be hashed. The disclosed protocol ensures that the server does not get access to or learn anything about the client's derived key, while the client does not get access to or learn anything about the server's root key.

Abstract: Systems and methods that may be used to provide policies and protocols for blocking decryption capabilities in symmetric key encryption using a unique protocol in which key derivation may include injecting a random string into each key derivation. For example, a policy may be assigned to each client device indicating whether the client device has been assigned encryption only permission or full access permission to both encrypt and decrypt data. The disclosed protocol prevents client devices with encryption only permission from obtaining keys for decryption.

Abstract: Systems and methods that may implement an Oracle-aided protocol for producing and using FHE encrypted data. The systems and methods may initially encrypt and store input data in one encrypted form that is not performed using FHE, which does not substantially increase the size of the data and storage resources required to store the encrypted data. In accordance with the Oracle-aided protocol, the encrypted data is re-encrypted as FHE encrypted data when FHE encrypted data is required.

Abstract: Systems and methods that may be used to provide multitenant key derivation and management using a unique protocol in which key derivation may be executed between the server that holds the root key and a client that holds the derivation data and obtains an encryption key. In one or more embodiments, the derivation data may be hashed. The disclosed protocol ensures that the server does not get access to or learn anything about the client's derived key, while the client does not get access to or learn anything about the server's root key.

Abstract: Systems and methods that may be used to provide multitenant key derivation and management using a unique protocol in which key derivation may be executed between the server that holds the root key and a client that holds the derivation data and obtains an encryption key. In one or more embodiments, the derivation data may be hashed. The disclosed protocol ensures that the server does not get access to or learn anything about the client's derived key, while the client does not get access to or learn anything about the server's root key.

Abstract: A processor may receive a request to perform an operation. The processor may generate a seed derived from data required to perform the operation. The processor may generate a perturbation based on inputting the seed into a pseudorandom number generator. The processor may generate the actual result based on performing the operation. The processor may generate a perturbed result, wherein generating the perturbed result may comprise performing a second operation based on the actual result and the perturbation. The processor may return the perturbed result in response to the request.

Abstract: Systems and methods for securely verifying integrity of application responses are disclosed. One example method includes receiving, from a client, an application encrypted in accordance with a fully homomorphic encryption (FHE) algorithm, generating, with a trained machine learning model associated with the FHE algorithm, a plurality of first application labels, each first application label indicating a true or false response associated with the application, inverting a randomly selected portion of the plurality of first application labels, generating a first randomly sorted list including the plurality of first application labels, transmitting the first randomly sorted list to the client, receiving a first decrypted list from the client, performing a validation of at least the first decrypted list, the validation based at least in part on the plurality of first application labels, and in response to the validation being successful, providing the client with a response to the application.

Abstract: A processor of a remote crypto cluster (RCC) may receive a public key from a client device through at least one network. The processor of the RCC may obtain an encrypted specific key and a blinded project key from at least one data source through the at least one network. The processor of the RCC may derive a derived key in blind based on the encrypted specific key and the blinded project key. The processor of the RCC may send the derived key in blind to the client device.

Abstract: At least one processor of a central authority separate from a computing process may establish a first trust relationship between the computing process and a central authority separate from the computing process. The establishing may include authenticating the computing process, which may include providing a signed token to the computing process, receiving a request for the certificate from the computing process including the signed token and policy ID data, determining that the computing process is eligible for the certificate according to a policy that associates the certificate with the policy ID data, and validating the signed token. In response to the establishing, the at least one processor may obtain the certificate. The certificate may be signed by a third-party certificate authority with which the central authority has a second trust relationship separate from the first trust relationship. The at least one processor may provide the certificate to the computing process.

Abstract: Systems and methods that may implement an Oracle-aided protocol for producing and using FHE encrypted data. The systems and methods may initially encrypt and store input data in one encrypted form that is not performed using FHE, which does not substantially increase the size of the data and storage resources required to store the encrypted data. In accordance with the Oracle-aided protocol, the encrypted data is re-encrypted as FHE encrypted data when FHE encrypted data is required.

Abstract: Certain aspects of the present disclosure provide techniques for performing computations on encrypted data. One example method generally includes obtaining, at a computing device, encrypted data, wherein the encrypted data is encrypted using fully homomorphic encryption and performing at least one computation on the encrypted data while the encrypted data remains encrypted. The method further includes identifying a clear data operation to perform on the encrypted data and transmitting, from the computing device to a server, a request to perform the clear data operation on the encrypted data, wherein the request includes the encrypted data. The method further includes receiving, at the computing device in response to the request, encrypted output from the server, wherein the encrypted output is of the same size and the same format for all encrypted data transmitted to the server.

Abstract: Systems and methods that may implement an Oracle-aided protocol for producing and using FHE encrypted data. The systems and methods may initially encrypt and store input data in one encrypted form that is not performed using FHE, which does not substantially increase the size of the data and storage resources required to store the encrypted data. In accordance with the Oracle-aided protocol, the encrypted data is re-encrypted as FHE encrypted data when FHE encrypted data is required.

Abstract: Systems and methods that approximate and use branching operations on data encrypted by fully homomorphic encryption (FHE). The systems and methods may use polynomial approximation to convert “if” statements into “soft if” statements that may be applied to the FHE encrypted data in a manner that preserves the security of the systems and methods.

Abstract: Systems and methods that may be used to provide multitenant key derivation and management using a unique protocol in which key derivation may be executed between the server that holds the root key and a client that holds the derivation data and obtains an encryption key. In one or more embodiments, the derivation data may be hashed. The disclosed protocol ensures that the server does not get access to or learn anything about the client's derived key, while the client does not get access to or learn anything about the server's root key.

Abstract: Systems and methods that may implement an Oracle-aided protocol for producing and using FHE encrypted data. The systems and methods may initially encrypt and store input data in one encrypted form that is not performed using FHE, which does not substantially increase the size of the data and storage resources required to store the encrypted data. In accordance with the Oracle-aided protocol, the encrypted data is re-encrypted as FHE encrypted data when FHE encrypted data is required.

Abstract: A processor of a remote crypto cluster (RCC) may receive a public key from a client device through at least one network. The processor of the RCC may obtain an encrypted specific key and a blinded project key from at least one data source through the at least one network. The processor of the RCC may derive a derived key in blind based on the encrypted specific key and the blinded project key.

Abstract: A processor of a remote crypto cluster (RCC) may obtain an encrypted specific key from at least one data source through at least one network. The processor of the RCC may derive intermediate data in blind based on the encrypted specific key. The intermediate data may include information from which a derived key is derived. The processor of the RCC may send the intermediate data in blind to a client device.

Abstract: The present disclosure relates to deriving cryptographic keys for use in encrypting data based on a plaintext to be encrypted. An example method generally includes receiving, from a querying device, a request for a cryptographic key. The request generally includes data derived from a plaintext value to be encrypted and an indication of a type of the plaintext value to be encrypted. A cryptographic key is generated based, at least in part, on the derived data and the type of the plaintext value to be encrypted. The key deriver transmits the generated cryptographic key to the querying device.