Methods and systems for implementing safe and reliable artificial intelligence

By integrating FHE and advanced computing techniques, the method secures AI systems against data tampering and unauthorized access, ensuring robust and resilient AI operations in a zero-trust environment.

JP2026522155APending Publication Date: 2026-07-07

Patent Information

Authority / Receiving Office
JP · JP
Patent Type
Applications
Filing Date
2024-08-15
Publication Date
2026-07-07

AI Technical Summary

Technical Problem

Existing AI systems are vulnerable to security risks due to the use of unencrypted data for training and inference, which can lead to data tampering, false data injection, and unauthorized access, posing significant threats to identity and access management systems, especially with the advent of quantum computing.

Method used

Implementing fully homomorphic encryption (FHE) with deep neural networks (DNNs) and advanced computing techniques like adversarial machine learning, secure multi-party computation (SMPC), and probabilistic computing to ensure secure data processing and authentication, using technologies such as blockchain for immutable audit trails and smart contracts.

Benefits of technology

Provides a proactive, adaptable defense mechanism that protects AI systems from various threats, ensuring data privacy and integrity while maintaining system functionality, even in the face of evolving cyber threats and quantum computing capabilities.

✦ Generated by Eureka AI based on patent content.

Smart Images

  • Figure 2026522155000001_ABST
    Figure 2026522155000001_ABST
Patent Text Reader

Abstract

Systems, methods, computer-readable media, and techniques for providing trusted artificial intelligence (AI) using fully homomorphic encryption (FHE) are provided herein, comprising (A) providing a deep neural network (DNN) based model having a modified architecture, the modified architecture comprising at least (i) using a Gaussian function as an activation function, and (ii) removing one or more pooling layers; (B) obtaining encrypted data, the encrypted data being generated by applying FHE to plaintext data; and (C) generating inference using a DNN-based model on the encrypted data. Systems, methods, computer-readable media, and techniques for providing trusted AI using probabilistic computing, noise-based computing, artificial immune systems, and secure multi-party computing (SMPC) that is at least partially watermark-based are also provided herein.
Need to check novelty before this filing date? Find Prior Art

Description

[Technical Field]

[0001] [Cross-reference of related applications] This application claims priority to U.S. Provisional Application No. 63 / 520,803, filed on 21 August 2023, and U.S. Provisional Patent Application No. 63 / 644,173, filed on 8 May 2024, both of which are incorporated herein by reference in their entirety. [Background technology]

[0002] By 2025, it is projected that 96% of global supply chains and manufacturing businesses are already using artificial intelligence (AI) or at least envisioning use cases for it. Coupled with the evolving threat landscape and the immense growth of AI, the rapid expansion of AI into new industries with new stakeholders presents certain security risks. Malicious actors can exploit both the strengths and vulnerabilities of AI to create new attacks, directly and indirectly, and exacerbate existing security measures. The world of identity and access management is similarly impacted by these trends in AI. For example, industries are rapidly adopting AI for authentication, identity management, and secure access control. In some cases, behavioral patterns driven by AI and machine learning (ML) are increasingly being used both for granting access (e.g., passwordless access) and for detecting access denial or violations. Other technologies, such as behavior-based adaptive access control, also rely on AI and ML algorithms. [Overview of the project] [Problems that the invention aims to solve]

[0003] This disclosure addresses the above-mentioned problems by providing trusted artificial intelligence (AI). One aspect of this disclosure includes a method for providing trusted artificial intelligence (AI) using fully homomorphic encryption (FHE). The method includes (a) providing a deep neural network (DNN) based model having a modified architecture, the modified architecture having at least (i) a Gaussian function as an activation function and (ii) removing one or more pooling layers; (b) obtaining encrypted data, the encrypted data being generated by applying FHE to plaintext data; and (c) generating inference using a DNN-based model on the encrypted data.

[0004] In some embodiments, the DNN-based model is trained on plaintext training data. In some embodiments, the DNN-based model is trained on encrypted training data. In some embodiments, the DNN-based model is pre-trained on both plaintext and encrypted training data. In some embodiments, the method further includes selecting one or more hyperparameter values ​​at least partially based on monitoring criticality during the training phase in which the DNN-based model is trained using a modified architecture. In some embodiments, the method further includes identifying and testing appropriate approximations and alternatives to FHE for various nonlinear activation functions and nonlinear loss functions. In some embodiments, one or more hyperparameters include at least one of the mean and variance of a random initialization distribution, batch size, learning rate, or optimizer settings. In some embodiments, the mean or variance of the Gaussian function is adjusted during the training phase. In some embodiments, the encrypted data is generated using a homomorphic encryption scheme so that the computational results generated for the encrypted data match those generated for the plaintext data. In some embodiments, the homomorphic encryption scheme includes the CKKS algorithm or the TFHE algorithm. In some embodiments, the DNN-based model is trained using adversarial machine learning techniques. In some embodiments, the adversarial machine learning techniques include actively acquiring knowledge from a machine learning system under attack. In some embodiments, training the DNN-based model further includes employing reinforcement learning and transfer learning. In some embodiments, the DNN-based model is trained to automatically monitor cyber threats or cyberattacks. In some embodiments, cyber threats include one or more of data poisoning attacks, malicious AI, or malware. In some embodiments, the DNN-based model is trained to detect anomalies. In some embodiments, the DNN-based model is trained using collaborative learning.In some embodiments, a DNN-based model is trained by multiple computing nodes, each computing node training the DNN-based model using a set of training data not shared with other computing nodes. In some embodiments, inference includes anomaly detection outputs generated by the computing nodes. In some embodiments, the method further includes aggregating multiple anomaly detection outputs from multiple computing nodes to generate anomaly detection results. In some embodiments, each of the multiple computing nodes generates anomaly detection outputs based at least partially on a portion of the distributed data. In some embodiments, the portion of the distributed data includes FHE encrypted data. In some embodiments, the multiple anomaly detection outputs are shared and stored using a blockchain. In some embodiments, the plaintext data includes image data. In some embodiments, the method further includes generating hypervectors based on the plaintext data to accelerate computation. In some embodiments, the plaintext data is embedded with machine-readable data using one or more encoding algorithms. In some embodiments, the machine-readable data is embedded at various hierarchical levels. In some embodiments, the various hierarchical levels include character-level, word-level, and sentence-level text input data. In some embodiments, machine-readable data includes a Universal Multiplex Watermark used for document authentication and verification. In some embodiments, the Universal Multiplex Watermark includes metadata and encrypted identification information of the data source or owner of the plaintext data. In some embodiments, the Universal Multiplex Watermark is undetectable to humans, but detectable and decodeable by hardware or software. In some embodiments, the Universal Multiplex Watermark is used to verify the authenticity of the plaintext data and to verify the source and integrity of the plaintext data. In some embodiments, FHE is applied to the plaintext data after it has been embedded with the Universal Multiplex Watermark.In some embodiments, the method further includes decrypting encrypted data and verifying the integrity of the decrypted data using a checksum. In some embodiments, the checksum is derived from the plaintext data before encryption and stored on a blockchain for secure and tamper-proof record-keeping. In some embodiments, the checksum on the blockchain is used to investigate attempts at unauthorized data modification. In some embodiments, attempts at unauthorized data modification are detected by detecting a mismatch between the decrypted data and the recorded checksum. In some embodiments, the method further includes generating an alert when a mismatch is detected. In some embodiments, the alert automatically triggers an automated mitigation process which includes at least one of the following: isolation of the affected data, initiation of a security audit, or activation of data recovery measures from a verified backup. In some embodiments, embedded machine-readable data represents a watermark that serves as a unique identifier for the plaintext data. In some embodiments, the unique identifier is encrypted using FHE, allowing computation against the encrypted watermark without disclosing the contents of the unique identifier. In some embodiments, the cryptographic watermark is verified by applying one or more operations of the FHE corresponding to watermark verification, resulting in an encrypted verification result. In some embodiments, the encrypted verification result is decrypted to (i) verify the authenticity of the plaintext data and (ii) determine whether the plaintext data has been tampered with or replaced. In some embodiments, a unique watermark identifier is linked to a transaction on the blockchain, and an immutable record of the unique watermark identifier, ownership of the plaintext data, and one or more associated transactions is recorded on the blockchain. In some embodiments, one or more associated transactions are used as verification points for the unique watermark identifier, which serves as a checksum for the plaintext data. In some embodiments, embedding machine-readable data and encrypting the plaintext data are applied to multiple layers of data representation.In some embodiments, the multiple layers of data representation include the pixel level of an image, the frame level of a video, and the packet level of network communication. In some embodiments, embedding machine-readable data and encrypting plaintext data utilize one or more machine learning algorithms.

[0005] In another embodiment, the method provides trusted AI using probabilistic computing, and the method includes (a) receiving an original image with a software application running on an endpoint computing device; (b) generating multiple image segments by the software application by cutting the original image into multiple random bits; (c) generating inferences about the multiple image segments using a pre-trained deep neural network (DNN)-based model in the cloud; (d) providing the inferences to the software application on the endpoint computing device; and (e) aggregating the inferences by the software application to determine the result. In some embodiments, the accuracy of the result is similar to the accuracy of the result obtained by generating the inference directly on the original image. In some embodiments, the inference includes multiple predicted labels for the multiple image segments.

[0006] In another embodiment, the method provides trusted AI using noise-based computing (NBC), the method comprising: (a) receiving a raw image in a software application running on an endpoint computing device; (b) generating a plurality of random images by the software application; (c) processing the plurality of random images using a pre-trained deep neural network (DNN)-based model in the cloud to predict a plurality of labeled images for the plurality of random images; (d) selecting a subset of the plurality of labeled images by the software application, wherein the number of images in the subset of the plurality of labeled images is set by the software application; and (e) generating a predictive output based at least partially on the subset of the plurality of labeled images using a weighted mean and probability. In some embodiments, the plurality of random images are generated by a random image generator in the software application.

[0007] In another embodiment, the Method provides trusted AI using an artificial immune system, the Method comprising: (a) acquiring a diverse set of detectors capable of identifying non-self elements, wherein the set of detectors represents a deep neural network (DNN)-based model; (b) providing an encrypted dataset to the set of detectors, wherein the encrypted dataset is generated by applying fully homomorphic encryption (FHE) to plaintext data; (c) running the artificial immune system to identify non-self elements in the encrypted dataset corresponding to one or more anomalies, intrusions, or attacks; (d) adapting the set of detectors via one or more machine learning techniques at least in part on the results of running the artificial immune system, wherein one or more machine learning techniques include one or more of reinforcement learning, evolutionary algorithms, or swarm intelligence; and (e) implementing a feedback loop to continuously improve and enhance the detection capabilities of the artificial immune system.

[0008] In another embodiment, the method provides a trusted AI with Secure Multi-Party Computation (SMPC) at least partially based on a watermark, the method comprising: (a) applying a watermark to plaintext data to generate watermarked plaintext data, wherein the watermark is generated using the SMPC protocol; (b) encrypting the plaintext data using a homomorphic encryption scheme to generate encrypted watermarked plaintext data; (c) training a deep neural network (DNN) based model using the encrypted watermarked plaintext data; (d) generating inferences using the DNN-based model at least partially based on the encrypted watermarked plaintext data in response to a verification of the integrity of the encrypted watermarked plaintext data; and (e) storing the verification results on a blockchain, wherein the verification results are at least partially based on a verification of the integrity of the encrypted watermarked plaintext data.

[0009] In another embodiment, the trusted AI model implements one of the methods described above to ensure the integrity and authenticity of the data used in training and operating the trusted AI model.

[0010] Another aspect of this disclosure provides an Application Programming Interface (API) for universal steganographic watermarking. The API includes a concealment API configured to embed sensitive data within a cover file and generate a sealed file; a public API configured to take the sealed file as input and extract the sensitive data; and a verification API configured to verify the integrity of the sealed file without extracting the sensitive data.

[0011] In some embodiments, the confidential API performs operations including scrambling the secret data using a private seed value to generate scrambled secret data, compressing the scrambled secret data into compressed secret data, and hashing the compressed secret data to generate a cryptographic signature. In some embodiments, the cryptographic signature is embedded in the cover file with an offset. In some cases, the offset is determined at least in part based on the type of cover file. In some cases, the type of cover file is selected from a group including text files, image files, video files, audio files, and HTML files. In some embodiments, the cryptographic signature is used by a verification API to verify the integrity of the sealed file. In some embodiments, the private seed value is accessible to authorized users. In some embodiments, the cryptographic signature is stored on a blockchain.

[0012] In some cases, the confidential API is further configured to encode the cover file using an encoding scheme before scrambling the confidential data. For example, the encoding scheme is selected based at least partially on the type of cover file. In some cases, the confidential API is further configured to encode the confidential data using an encoding scheme before scrambling the confidential data. In some cases, the confidential API is further configured to standardize the encoded confidential data.

[0013] Another aspect of this disclosure provides a non-temporary computer-readable medium containing machine-executable code that, when executed by one or more computer processors, implements any of the methods or techniques described above or elsewhere in this specification.

[0014] Another aspect of this disclosure provides a system comprising one or more computer processors and computer memory coupled thereto, the computer memory containing machine-executable code that, when executed by one or more computer processors, implements any of the methods or techniques described above or elsewhere in this specification.

[0015] Further aspects and advantages of the present disclosure will be readily apparent to those skilled in the art from the following detailed description, which shows and describes only exemplary embodiments of the present disclosure. As will be understood, various other embodiments are possible, and some of their details can be modified in various obvious ways without departing from the present disclosure. Therefore, the drawings and description should be considered illustrative and not limiting. Built-in by reference

[0016] All publications, patents, and patent applications referred to in this specification are incorporated herein by reference as if each individual publication, patent, or patent application were specifically and individually indicated to be incorporated by reference. To the extent that the incorporated publications and patents or patent applications conflict with the disclosure contained herein, this specification is intended to supersede or take precedence over such conflicting materials.

Brief Description of the Drawings

[0017] The novel features of the invention are set forth in detail in the appended claims. A good understanding of the features and advantages of the invention will be obtained by reference to the following detailed description which illustrates exemplary embodiments in which the principles of the invention are utilized, and to the appended drawings (also referred to herein as “drawings” and “figures”).

[0018] [Figure 1] FIG. showing an exemplary process of a user interacting with a trusted artificial intelligence (AI).

[0019] [Figure 2] FIG. showing an exemplary architecture diagram of a trusted AI based on fully homomorphic encryption (FHE).

[0020] [Figure 3] FIG. showing an exemplary application of the systems, methods, computer-readable media, and technologies disclosed herein with respect to autonomous vehicles.

[0021] [Figure 4] FIG. showing an exemplary application of the systems, methods, computer-readable media, and technologies disclosed herein with respect to email.

[0022] [Figure 5] FIG. showing an exemplary process of implementing a trusted AI using FHE.

[0023] [Figure 6A]This figure shows an example flowchart illustrating how to provide trusted artificial intelligence (AI) using FHE.

[0024] [Figure 6B] This figure shows an example flowchart illustrating a method for providing trusted AI using probabilistic computing.

[0025] [Figure 6C] This figure shows an example flowchart illustrating a method for providing trusted AI using noise-based computing.

[0026] [Figure 6D] This figure shows an example flowchart illustrating a method for providing trusted AI using an artificial immune system.

[0027] [Figure 6E] This figure shows an example flowchart illustrating a method for providing Secure Multi-Party Computation (SMPC) to Trusted AI, at least partially based on watermarking.

[0028] [Figure 7] This figure shows an example of a computer system programmed or otherwise configured in the manner disclosed herein.

[0029] [Figure 8] This figure schematically illustrates an example of a data integrity application programming interface (API) that implements the methods described herein. [Modes for carrying out the invention]

[0030] While various embodiments of the present invention have been shown and described herein, it will be apparent to those skilled in the art that such embodiments are provided only as examples. Those skilled in the art will be able to make numerous modifications, changes, and substitutions without departing from the present invention. It should be understood that various alternative forms to the embodiments of the present invention described herein may be used.

[0031] As artificial intelligence (AI) systems become more widespread and indispensable in the digital world, ensuring their security, privacy, and practicality is a critical concern. One operational challenge posed by these transformation capabilities is that, with today's technology, many AI / ML models are trained and perform inference on unencrypted data. Consequently, the entire ecosystem may be exposed to the risk of false data injection, tampering, and intruder observation. As many systems operate unattended to control access and identity, undiscovered breaches at the heart of AI-driven identity and access management systems could have even greater and more catastrophic consequences. Because AI / ML models are often trained on unencrypted data, the network design and hyperparameter changes provided by the systems, methods, computer-readable media, and technologies disclosed herein have not been attempted, as these changes may not be optimal in some cases when applied to AI / ML models operating on unencrypted (plaintext) input.

[0032] For example, significant adverse effects can occur if data in autonomous vehicles is tampered with, false data is injected into cybersecurity behavioral monitoring programs, or the protections of identity management systems are compromised or leaked. Even in a zero-trust environment, it is insufficient to assume that adversaries will never penetrate the perimeter defenses surrounding heavily reliant AI systems. This risk increases as adversaries gain access to quantum computing.

[0033] The innovative application of Artificial Immune Systems (AIS) to AI provided by the systems, methods, computer-readable media, and technologies disclosed herein offers advanced solutions to this complex problem. By integrating concepts from immunology and cutting-edge technologies such as adversarial machine learning, blockchain, fully homomorphic encryption (FHE), secure multi-party computing (SMPC), and stochastic computing (SC), the AIS provided herein creates a proactive, adaptable, and resilient defense mechanism that protects data privacy.

[0034] FHE across the AI ​​computation lifecycle can mitigate the risks of this complex problem. FHE has potential applications across many industries with sensitive or valuable data and can impact multiple critical technologies. By combining FHE with deep neural network (DNN) technology and in conjunction with steganographic watermarking dataset technology, the systems, methods, computer-readable media, and technologies disclosed herein can authenticate incoming and outgoing data from AI models and ensure closed-loop communication within the system using FHE. These innovations, leveraging emerging FHE and steganographic watermarking technologies to create novel AI / ML architectures and techniques for training FHE data and performing inference, will generate quantum-resistant capabilities built for a zero-trust world. DNNs can be used defensively or offensively in some cases.

[0035] Through adversarial machine learning, the systems, methods, computer-readable media, and technologies disclosed herein enable the prediction and defense of attacks targeting AI. Blockchain components provide immutable audit trails, decentralized security, and automated responses via smart contracts. Fully homomorphic encryption and secure multi-party computation ensure that privacy-preserving computations can be performed and data can be securely shared, even when multiple entities are involved. Finally, implementations of probabilistic computing provide robust and efficient computing methods that can resist adversarial manipulation and function effectively even in noisy real-world environments.

[0036] This disclosure provides a comprehensive AI Defense System (AIS) capable of protecting AI systems from a variety of threats, including AI attacks, hacking, privacy breaches, and deepfakes. The systems, methods, computer-readable media, and technologies disclosed herein provide reliable and secure AI-based applications, tools, or platforms, and robust AI defense systems, enabling their maximum use without compromising data security and user privacy.

[0037] The systems, methods, computer-readable media, and technologies disclosed herein may further provide Secure AI to Fight Identity Threat (SAIFIT) using advanced AI models based on Convolutional Neural Network (CNN) technology with fully homomorphic encrypted data / images. By leveraging FHE technology and creating novel AI / machine learning (ML) architectures and technologies for training FHE data and performing inference, quantum-resistant capabilities built for a zero-trust world are created. Consistent with the desired results, SAIFIT provided herein may prevent or mitigate novel identity and fraud risks, protect fraud prevention and threat intelligence exchange, enhance the privacy of personal data, and improve overall cybersecurity. This can address a variety of critical mission areas (e.g., government agencies, companies, etc.), such as incident management, border security, counter-terrorism, aviation security, and cybersecurity. An additional benefit is increased adoption of this capability because users (e.g., corporate security, government security, etc.) do not need to replace existing systems. Alternatively, users may need to retrain a similar AI model with SAIFIT capabilities. The final result could be a reduction in vulnerability to a wide range of threats. Furthermore, SAIFIT may be adaptable and scalable to other domains, such as supply chain protection and other critical areas, and to use cases beyond identity.

[0038] Advantageously, the systems, methods, computer-readable media, and technologies disclosed herein may provide post-quantum cryptography and trusted AI models that enable enterprises to perform analysis via encrypted data and thus eliminate the vast scope of cyberattacks. In real-world settings, such cryptographic models could be used for secure and private biometric identity verification, secure access and control of critical infrastructure and sensitive information in industries, autonomous vehicles, and more.

[0039] Specific definition Unless otherwise defined, all technical terms used herein have the same meaning as those commonly understood by those skilled in the art to which this subject belongs.

[0040] As used herein and in the appended claims, the terms “artificial intelligence,” “artificial intelligence technology,” “artificial intelligence computation,” and “artificial intelligence algorithm” generally refer to any system or computational procedure that can take one or more actions to enhance or maximize the chances of achieving an objective. An example of such objective is to mathematically or computationally model a probabilistic relationship between exposure and an outcome such as CHC. The term “artificial intelligence” may include “generative modeling,” “deep learning” (DL), “machine learning,” or “reinforcement learning” (RL).

[0041] As used herein and in the appended claims, the terms “machine learning,” “machine learning technique,” ​​“machine learning computation,” and “machine learning model” generally refer to any system or analytical or statistical procedure that can progressively improve the computer performance of a task. An example of such a task is to mathematically or computationally model a probabilistic relationship between exposure and an outcome such as CHC.

[0042] As used herein and in the appended claims, “several embodiments,” “further embodiments,” or “specific embodiments” means that the particular features, structures, or characteristics described in relation to an embodiment are included in at least one embodiment. Therefore, the appearance of the phrases “in some embodiments,” “further embodiments,” or “specific embodiments” in various parts of this specification does not necessarily refer to the same embodiment. Furthermore, the particular features, structures, or characteristics may be combined in any suitable manner in one or more embodiments.

[0043] As used herein and in the appended claims, when the terms “at least,” “greater than,” or “greater than or equal to” precede a first number in a set of two or more numbers, the terms “at least,” “greater than,” or “greater than or equal to” apply to each of those numbers. For example, 1, 2, or 3 or more is equal to 1 or more, 2 or more, or 3 or more.

[0044] As used herein and in the appended claims, when the terms “not greater than,” “less than,” or “less than or equal to” precede the first number in a set of two or more numbers, the terms “not greater than,” “less than,” or “less than or equal to” apply to each of those numbers. For example, 3, 2, or 1 or less is equal to 3 or less, 2 or less, or 1 or less.

[0045] As used herein, “or” is intended to mean “inclusively or” or “logical OR,” and when used as a logical statement, the expression “A or B” is true if either A or B is true, or if both A and B are true; and when used as a list of elements, the expression “A, B or C” is intended to include all combinations of the elements enumerated in the expression, such as any element selected from the group consisting of A, B, C, (A,B), (A,C), (B,C), and (A,B,C), as well as any additional elements enumerated. Accordingly, any reference to “or” herein is intended to include “and / or” unless otherwise specified.

[0046] As used herein and in the appended claims, the indefinite articles "a" or "an" and the corresponding related definite articles "the" or "said" are intended to mean one or more unless otherwise specified, implied, or physically impossible. Furthermore, it should be understood that the expressions "at least one of A and B, etc.," "at least one of A or B, etc.," "selected from A and B, etc.," and "selected from A or B, etc." are intended to mean any of the individually listed elements or any combination of two or more elements, for example, any of the elements in the group consisting of "A," "B," and "A and B together."

[0047] As used herein and in the appended claims, “about” or “approximately” often means within an acceptable margin of error for a value, which depends in part on how the value is measured or determined, for example, on the limitations of the measuring system. For example, “about” may mean within or above one standard deviation, according to convention in the art. Alternatively, “about” may mean a range of up to 20%, up to 10%, up to 5%, or up to 1% of a given value. When values ​​are described in this application and in the claims, unless otherwise specified, the term “about” can be assumed to mean within an acceptable margin of error for a particular value.

[0048] Examples of artificial immune systems (AIS) As digital systems become integrated into our daily lives, maintaining their security and integrity is becoming increasingly important. Secure integrated circuits offer hardware-based solutions for protecting sensitive information and can utilize several protective mechanisms that provide enhanced security against hardware and software attacks. This disclosure provides an artificial immune system with system security capabilities, leveraging the power of machine learning and bio-inspired computing (inspired by the body's natural defense mechanisms).

[0049] AIS's defense mechanisms are beneficial in that they can defend against a set of attacks specific to AI systems. Artificial intelligence and machine learning systems can be targets with a unique set of vulnerabilities. Adversarial attacks, data privacy breaches, and AI hacking can pose serious threats to AI-based systems and services. Attacks can compromise AI systems, leading to misclassification or erroneous actions, and deepfakes and synthetic media pose significant challenges to credibility and authenticity.

[0050] First, looking at adversarial attacks, AI systems are susceptible to such attacks, where small, deliberately designed perturbations are added to the data to deceive the AI ​​system. For example, imperceptible changes to an image can cause a machine learning model to misclassify. In real-world scenarios, this could mean, for example, misidentifying a stop sign as a speed limit sign in an autonomous driving situation, which could have potentially catastrophic consequences.

[0051] Next, turning to data poisoning, during the training phase, ML algorithms may rely on large amounts of data. If this training data is tampered with or poisoned, the AI ​​system will be trained to make incorrect decisions or predictions. Such poisoned data attacks can have a serious impact on the performance and reliability of AI applications.

[0052] Next, turning to model inversion and membership inference attacks, these attacks may aim to extract sensitive information from AI models. In a model inversion attack, an attacker may use the output from the ML model to infer details about the training data. Membership inference attacks, on the other hand, may aim to determine whether a particular data point was part of the ML model's training set. Both types of attacks pose a significant threat to privacy.

[0053] Next, turning to deepfakes and synthetic media, the rapid advancements in generative AI technology have led to the widespread proliferation of deepfakes (e.g., hyper-realistic artificial images, audio, and video). These synthetic media can pose significant challenges to credibility and authenticity in digital communications and can be used to spread misinformation, commit fraud, or engage in other malicious activities.

[0054] The systems, methods, computer-readable media, and technologies disclosed herein offer numerous advantages. Advantageously, they address the challenges of defending AI / ML systems by developing dynamic and adaptive technologies capable of identifying and responding to these threats in a manner similar to a bioimmune system. More specifically, the systems, methods, computer-readable media, and technologies disclosed herein can achieve this defense by implementing technologies including adversarial machine learning, blockchain, FHE, SMPC, or probabilistic computing. Advantageously, similar to a bioimmune system, the systems, methods, computer-readable media, and technologies disclosed herein can learn from previous attacks and responses (e.g., via AIS implementing machine learning that identifies patterns of past attacks to predict and prepare for future threats), and thus provide protection even with the rapidly changing nature of cyber threats. Furthermore, by integrating immunological principles with AI, the systems, methods, computer-readable media, and technologies disclosed herein can provide a high degree of resilience and robustness, including the ability to simultaneously handle multiple types of threats, by implementing an AIS, and have a distributed architecture so that even if part of the architecture is compromised, other parts can continue to function and respond to threats. Advantageously, the systems, methods, computer-readable media, and technologies disclosed herein can provide an AIS that can operate autonomously and continuously monitor threats without requiring human intervention, through identifying potential attacks, neutralizing potential attacks, or learning from potential attacks to improve future responses. Advantageously, the systems, methods, computer-readable media, and technologies disclosed herein can provide protection while preserving the privacy of user data. For example, by using technologies such as SMPC and FHE to handle encrypted data, the systems, methods, computer-readable media, and technologies disclosed herein can ensure that raw data remains confidential.

[0055] In a world where AI systems are ubiquitous and threats to AI systems are constantly evolving, the AI-Informed Systems (AIS) provided by the systems, methods, computer-readable media, and technologies disclosed herein represent a critical component of defensive strategies. By developing AIS for AI, the systems, methods, computer-readable media, and technologies disclosed herein ensure that these technologies (e.g., AI / ML) can continue to deliver their benefits without compromising data security and privacy.

[0056] In some embodiments, the AIS provided herein may utilize one or more technologies, including FHE, SMPC, blockchain, steganography, and watermarking.

[0057] Examples of machine learning techniques As disclosed herein, in some cases the systems, methods, computer-readable media, and techniques disclosed herein may implement one or more machine learning techniques to produce a robust and resilient AI system that protects the AI ​​system. In some cases, machine learning may generally involve identifying and recognizing patterns in existing data to facilitate prediction of subsequent data. ML may include ML models (which may include, for example, ML algorithms). Machine learning may result in deductive or abstract inferences based on real or simulated data, whether inherently analytical or statistical. ML models may be pre-trained models. ML techniques may include one or more supervised, semi-supervised, self-supervised, or unsupervised ML techniques. For example, an ML model may be a pre-trained model trained through supervised learning (e.g., various parameters are determined as weights or scaling factors). ML may include one or more of the following: regression analysis, regularization, classification, dimensionality reduction, ensemble learning, meta-learning, association rule learning, cluster analysis, anomaly detection, deep learning, or ultra-deep learning.ML includes k-means, k-means clustering, k-nearest neighbors, learned vector quantization, linear regression, nonlinear regression, least squares regression, partial least squares regression, logistic regression, stepwise regression, multivariate adaptive regression splines, ridge regression, principal component regression, Least Absolute Shrinkage and Selection Operation (LASSO), minimum angular regression, canonical correlation analysis, factor analysis, independent component analysis, linear discriminant analysis, multidimensional scaling, non-negative matrix factorization, principal component analysis, principal coordinate analysis, projection tracking, Sammon mapping, t-dispersive stochastic neighbor embedding, AdaBoosting, boosting, gradient boosting, bootstrap aggregation, ensemble averaging, decision trees, conditional decision trees, boosted decision trees, gradient boosted decision trees, random forests, stack generalization, Bayesian networks, Bayesian belief networks, naive Bayes, Gaussian naive Bayes, polynomial naive Bayes, and hidden multi-level marketing. This may include Coff models, hierarchical hidden Markov models, support vector machines, encoders, decoders, autoencoders, stacked autoencoders, perceptrons, multilayer perceptrons, artificial neural networks, feedforward neural networks, convolutional neural networks, recurrent neural networks, long-term short-term memory, deep belief networks, deep Boltzmann machines, deep convolutional neural networks, deep recurrent neural networks, large-scale language models, vision transformers, or generative adversarial networks.

[0058] Training an ML model may, in some cases, involve selecting one or more untrained data models to train using a training dataset. The selected untrained data models may include any type of untrained ML model for supervised, semi-supervised, self-supervised, or unsupervised machine learning. The selected untrained data models may be specified based on inputs (e.g., user inputs) that specify relevant parameters to use as predictors, or other variables to use as potential explanatory variables. For example, the selected untrained data models may be specified to produce outputs (e.g., predictions) based on the inputs. Conditions for training an ML model from the selected untrained data models may also be selected, for example, limits on the complexity of the ML model, or limits on the improvement of the ML model beyond a certain point. The ML model may be trained using the training dataset (e.g., via a computer system such as a server). In some cases, a first subset of the training dataset may be selected to train the ML model. The selected untrained data models may then be trained on the first subset of the training dataset using appropriate ML techniques, based on the type of ML model selected and any conditions specified for training the ML model. In some cases, due to the processing power requirements for training the ML model, selected untrained data models may be trained using additional computing resources (e.g., cloud computing resources). Such training may continue in some cases until at least one aspect of the ML model meets the selection criteria for being validated and used as a predictive model.

[0059] In some cases, to determine the accuracy and robustness of the ML model, one or more embodiments of the ML model may be validated using a second subset of the training dataset (e.g., different from the first subset of the training dataset). Such validation may include applying the ML model to the second subset of the training dataset to make predictions derived from the second subset of training data. The ML model can then be evaluated to determine whether its performance is sufficient based on the derived predictions. The sufficiency criteria applied to the ML model may vary depending on the size of the training dataset available for training, the performance of previous iterations of the trained model, or user-specified performance requirements. If the ML model does not achieve sufficient performance, additional training may be performed. Additional training may include improving the ML model or retraining it on a different first subset of the training dataset, after which the new ML model may be validated and evaluated again. When the ML model achieves sufficient performance, in some cases, the ML may be stored for current or future use. ML models are stored as sets of parameter values ​​or weights for analysis of further inputs (e.g., further predictor variables, further explanatory variables, further relevant parameters used as further user interaction data, etc.), which may also, in some cases, include analytical logic or a display of the model's effectiveness. In some cases, multiple ML models may be stored to generate predictions under various sets of input data conditions. In some embodiments, ML models may be stored in a database (e.g., associated with a server).

[0060] Examples of neural networks The systems, methods, computer-readable media, and techniques disclosed herein may implement one or more neural networks (NNs). NNs are a subset of machine learning and are often central to many deep learning algorithms. A neural network includes node layers, each of which may include one or more input layers, one or more hidden layers, and output layers. Each node in a neural network may be connected to another node in the neural network. Each node in a neural network may have associated weights and thresholds. In some cases, if the output from any individual node in a neural network exceeds a specified threshold, that node is activated, thereby sending data to the next layer of the neural network; otherwise, the data is not passed to the next layer of the neural network.

[0061] Convolutional neural networks (CNNs) are a type of neural network that, in some cases, can be implemented by the systems, methods, computer-readable media, and techniques disclosed herein. CNNs are often used for classification and computer vision tasks. Prior to CNNs, manual, time-consuming feature extraction methods were used to identify objects in images. However, CNNs leverage principles from linear algebra, particularly matrix multiplication, to identify patterns in images, resulting in scalable techniques for image classification and object recognition tasks. That said, CNNs can be computationally demanding, requiring the use of a Graphical Processing Unit (GPU) to train the model.

[0062] Convolutional Neural Networks (CNNs) can be distinguished from other neural networks by their superior performance with image, sound, or audio signal inputs. CNNs can contain three main types of layers: convolutional layers, pooling layers, and fully-connected (FC) layers. A convolutional layer can be the first layer of a CNN. Additional convolutional or pooling layers can follow the first, but a fully-connected layer can be the final layer of a CNN.

[0063] When applied to a computer vision task using each layer, a CNN increases in complexity and identifies larger portions of the image. Earlier layers of the CNN may focus on simpler image features such as color and edges. As the image data progresses through the layers of the CNN, the CNN begins to recognize larger elements or shapes of objects in the image until it identifies the intended object.

[0064] Convolutional layers are the core building blocks of a CNN and are where much of the CNN's computation takes place. Convolutional layers can use components including input data, filters, and feature maps. For example, if the input data includes a color image (which, for example, contains a matrix of 3D pixels), the input may have three dimensions corresponding to the RGB values ​​of the image: height, width, and depth. A CNN may further include feature detectors (also known as kernels or filters) that check for the presence of features and move across the receptive field of the image. This process may be known as convolution.

[0065] A feature detector may include a filter, which is a two-dimensional array of weights representing a portion of the image. The filters in the feature detector may vary in size (e.g., a 3x3 matrix), and the size may determine the size of the receptive field. The filter is applied to a region of the image, and the inner product between the input pixels and the filter may be calculated. This inner product can then be fed into the output array. The filter may then shift by a stride until it sweeps across the entire image, and this process may be repeated. The final output from the series of inner products from the input and the filter may be known as a feature map, activation map, or convolutional feature. After each convolution operation, the CNN may apply a Rectified Linear Unit (ReLU) transformation to the feature map, introducing nonlinearity into the CNN.

[0066] In some cases, another convolutional layer can follow the initial convolutional layer of a CNN. For example, a later layer can see pixels within the receptive field of a previous layer, so the structure of a CNN can be hierarchical. As an example, consider a CNN used to determine whether an image contains a bicycle. Individual parts of the bicycle (e.g., frame, handlebars, wheels, pedals, etc.) constitute lower-level patterns in the CNN, and combinations of parts represent higher-level patterns, creating a feature hierarchy within the CNN.

[0067] Pooling layers, also known as downsampling layers, are additional layers in a CNN. Pooling layers can perform dimensionality reduction, decreasing the number of parameters in the input (e.g., images, video, audio, etc.). Similar to convolutional layers, pooling layers sweep a filter across the entire input, but unlike convolutional layers, the filters in pooling layers do not have weights. Instead, the filters in pooling layers apply an aggregate function to the values ​​in the receptive field and input it to the output array. There are two main types of pooling: max pooling and mean pooling. Max pooling may involve moving the filter across the input and selecting the pixel with the maximum value to send to the output array. Mean pooling may involve moving the filter across the input and calculating the average value in the receptive field to send to the output array. Although a lot of information is lost in pooling layers, pooling layers also have many advantages for CNNs. For example, pooling layers can reduce the complexity of a CNN, improve efficiency, and help mitigate the risk of overfitting in a CNN.

[0068] The fully connected layer is the final layer of a CNN. As previously disclosed, the pixel values ​​of the input image are not directly connected to the output layer in the partially connected layer. However, in the fully connected layer, each node in the output layer is directly connected to the nodes of the previous layer. The FC layer performs the task of classification based on the previous layers and the features extracted through their different filters. While convolutional and pooling layers tend to use the ReLU function, the FC layer can leverage the softmax activation function to classify the input appropriately and generate probabilities between 0 and 1.

[0069] In some cases, the systems, methods, computer-readable media, and techniques disclosed herein can implement deep neural networks. A DNN is a neural network having a large number of layers. For example, some neural networks may be classified as DNNs if they have three or more layers, four or more layers, five or more layers, six or more layers, seven or more layers, eight or more layers, nine or more layers, ten or more layers, and so on. In some cases, these layers may include input and output layers. Therefore, in some cases, a CNN may be considered an instance of a DNN.

[0070] Hyperparameters can be used in CNN architectures to indicate information such as the number of kernels in a convolutional layer, the size of the kernels in a convolutional layer, the stride size, and the size of the kernels in a pooling layer. Hyperparameters can also be used in CNNs to indicate information such as how the CNN is trained, such as the learning rate, weights, biases, momentum, and decay. In some cases, the hyperparameters of a CNN may be set before the CNN is trained.

[0071] Examples of methods for training a CNN As mentioned above, CNN models can be modified to accommodate FHE. In some cases, training a modified CNN model may involve implementing hyperparameter selection based on criticality. In some cases, criticality may be monitored immediately after training begins, and the critical point may be used to select hyperparameter values. Such hyperparameters, tuned to quickly achieve criticality, may include the initialization distribution, batch size, learning rate, and optimizer settings.

[0072] In some cases, the systems, methods, computer-readable media, and techniques disclosed herein may use Gaussian noise itself as an activation function, for example, when used with FHE. Defining a Gaussian noise activation function may involve adjusting the mean and variance of the Gaussian noise for a given dataset and network structure.

[0073] In some cases, criticality may depend on self-organized criticality (SOC), a characteristic of dynamic systems that have a critical point as an attractor. Therefore, their macroscopic behavior exhibits spatial or temporal scale invariance of the critical point of the phase transition, but control parameters do not need to be tuned to precise values ​​because the system effectively adjusts itself as it moves toward criticality.

[0074] In some cases, when the system is at a critical point, even the smallest nudge can cause a nonlinear change. If the network is close enough to the critical point in the hyperparameter space, the network may have a good probability of training. Alternatively, if the hyperparameters are set so that the system is too stable, the network may not learn at all, or learn too slowly. Furthermore, if the hyperparameters are set so that the system is too disordered, the model may never approach one of the good local minima.

[0075] In some cases, non-traditional activation functions (e.g., x 2Modified CNN architectures, such as those that include or remove pooling layers, can make trainable networks difficult (e.g., the network may require meticulous attention). In some cases, the number of outputs of one layer can be matched with the inputs of the next layer (e.g., have the same number) to ensure that the convolutional layers have a suitable number of parameters without pooling. Thus, hyperparameters can be selected based at least in part on empirically observing the loss dynamics as the network is trained, and then iteratively trying different hyperparameters. For example, code excerpt 1 may depict a case where the weights and biases are initialized to differ by iris code. JPEG2026522155000002.jpg13129 And code excerpt 2 can illustrate the case where a uniform distribution is used for weights having an MNIST code. JPEG2026522155000003.jpg13129

[0076] In some cases, having asymmetry (e.g., a non-zero mean) can be important for setting up network training so that the network stays in the critical zone. Code excerpt 3 can illustrate such a network structure of iris codes. JPEG2026522155000004.jpg140129 Furthermore, code excerpt 4 may further depict the corresponding MNIST code. JPEG2026522155000005.jpg132130

[0077] Examples of adversarial machine learning As disclosed herein, in some cases the systems, methods, computer-readable media, and techniques disclosed herein may implement one or more adversarial machine learning techniques to create a robust and resilient AIS that protects the AI ​​system.

[0078] Adversarial ML, including the study of ML systems under attack, can be crucial for understanding how to defend against these threats. The systems, methods, computer-readable media, and techniques disclosed herein can be used to make AI models more robust against adversarial attacks and enhance their ability to identify and neutralize threats using adversarial training techniques.

[0079] Generally, some exemplary techniques for defending against adversarial ML may include threat modeling (e.g., formulating the attacker's goals and capabilities regarding a target system), attack simulation (e.g., formulating optimization problems that an attacker would attempt to solve according to possible attack strategies), attack impact assessment, countermeasure design, noise detection (e.g., in the case of evasion-based attacks), and information laundering (e.g., altering information received by an adversary). Generally, some exemplary mechanisms for defending against adversarial ML may include secure learning algorithms, Byzantine-resistant algorithms, multiple classifier systems, AI writing algorithms, AI exploring training environments (e.g., in image recognition, actively navigating a 3D environment rather than passively scanning a fixed set of 2D images), privacy-preserving learning, ladder algorithms for Kaggle-style competitions, game theory models, sanitized training data, adversarial training, backdoor detection algorithms, and gradient masking / obfuscation techniques (e.g., to prevent attackers from exploiting gradients in white-box attacks).

[0080] More specifically, one technique for adversarial ML could be adversarial training. Adversarial training can involve introducing adversarial examples (e.g., inputs designed to cause the ML model to fail) into the training set of an ML model. By training the ML model with these adversarial examples, the ML model can learn to classify them correctly, thereby increasing its robustness against such attacks.

[0081] Another technique for adversarial ML may be evasive attack training. Evasive attacks may involve manipulating test inputs to mislead the ML model, for example, resulting in a misclassification by the ML model. By integrating adversarial machine learning techniques, the AIS of the systems, methods, computer-readable media, and techniques disclosed herein can become resilient to such evasive attacks. Thus, the AIS can learn to identify when the input has been subtly altered in an attempt to deceive the system.

[0082] Another technique in adversarial ML may be poisoning attack mitigation. Data poisoning attacks can introduce harmful data into the training set of an ML model with the aim of manipulating the learning process of the ML model. The AIS of the systems, methods, computer-readable media, and techniques disclosed herein can use advanced detection algorithms to identify potential poisoning attempts, maintain the integrity of the training data, and ensure reliable model behavior.

[0083] Another technique for adversarial ML may be transfer learning. The systems, methods, computer-readable media, and techniques disclosed herein can leverage the concept of transfer learning, where knowledge gained from one problem is applied to solve a different but related problem. In the context of adversarial machine learning, transfer learning may involve applying insights from one type of attack to defend against other types of attacks, thereby enhancing overall protection. Thus, this enables defense against novel types of attacks that are at least partially related to previously observed types of attacks.

[0084] Another technique for adversarial ML may be model hardening. The systems, methods, computer-readable media, and techniques disclosed herein may be used to apply model hardening to modify an ML model and reduce its vulnerability to attack. Techniques may include feature squeezing (e.g., reducing the search space available to the adversary) and distillation for defense (e.g., training an ML model to produce similar outputs for similar inputs).

[0085] Advantageously, by integrating adversarial machine learning into AIS, the systems, methods, computer-readable media, and techniques disclosed herein enable AI systems to not only identify and respond to threats but also to be resilient to attacks over time, contributing to the robustness, adaptability, and overall security of AI systems.

[0086] Examples of encryption technologies The systems, methods, computer-readable media, and techniques disclosed herein may implement one or more cryptographic techniques to enable the secure handling of sensitive data. In cryptographic techniques, encryption is the process of encoding information. This process can convert the original representation of the information (e.g., data), which may be called plaintext, into an alternative form, which may be called ciphertext. In some cases, if encryption is successful, only authorized parties can decrypt the ciphertext back into plaintext and access the information. While encryption cannot prevent interference, it can deny an interceptor access to an understandable representation of the information.

[0087] Generally, encryption schemes can use pseudo-random encryption keys generated by an algorithm. While it may be possible to decrypt a message without possessing the key, a well-designed encryption scheme may require considerable computational resources and skill to decrypt it. On the other hand, a legitimate recipient can easily decrypt the message using the key.

[0088] Homomorphic encryption is a form of encryption that can be applied herein to enable the performance of computations on encrypted data without the need to first decrypt the encrypted data. The resulting computations may remain in their encrypted form or, when decrypted, may produce the same output as if the computations had been performed on unencrypted data instead. Advantageously, homomorphic encryption can be applied to privacy-protected outsourced storage and computations (for example, data may be encrypted and outsourced to a commercial cloud environment for processing while remaining encrypted). Thus, homomorphic encryption is useful for sensitive data such as medical information, and can be used to enable new services by removing privacy barriers that hinder data sharing or by enhancing security for existing services.

[0089] Homomorphic encryption can encompass several types of encryption schemes that can perform various classes of computations on encrypted data. These computations can be represented as either Boolean circuits or arithmetic circuits. Types of homomorphic encryption may include partial homomorphic encryption, partially homomorphic encryption, fully homomorphic encryption with levels, and fully homomorphic encryption. Homomorphic encryption can function in many types of encryption schemes or cryptographic systems, including RSA, ElGamal, Goldwasser-Micali, Benaloh, FV, BGV, and Paillier.

[0090] Partial homomorphic encryption encompasses schemes that support the evaluation of circuits containing one type of gate (e.g., addition or multiplication). Partially homomorphic encryption schemes can evaluate two types of gates for a subset of a circuit. Leveled full homomorphic encryption can support the evaluation of any circuit containing multiple types of gates at a limited (predetermined) depth. Fully homomorphic encryption (FHE) allows the evaluation of any circuit containing multiple types of gates at infinite depth and may be the most powerful concept of homomorphic encryption.

[0091] Figure 1 shows an exemplary process 100 for implementing trusted AI. As shown in process 100, encrypted data can be used to implement secure data requests. In some cases, a user application 105 operated by a user (e.g., browser-based, desktop, mobile, etc.) may send commands. These commands may respond to user input such as searches. In some cases, once the user application 105 sends a command, agent 115 may convert the command from an unencrypted (e.g., plaintext) command to an encrypted command (e.g., via homomorphic encryption such as partial homomorphic encryption, partially homomorphic encryption, fully homomorphic encryption with levels, FHE, etc.). The encrypted command may perform an action (e.g., computation) on the encrypted data 120, thereby generating an encrypted result. The encrypted result can then be decrypted by agent 115 before being presented to the user application 105. In some cases, agent 115 may reside on a computing device that may be remote to the user. For example, agent 115 may be a server. In some cases, agent 115 may be located in the same position as the user. For example, agent 115 may be an application hosted on the same device as user application 105, on a device that can communicate directly with the device running user application 105, or on an application programming interface (API) that can be called (e.g., directly or indirectly) by user application 105. In some cases, agent 115 may operate with a password (e.g., encryption key) management system 110 that can be used to encrypt or decrypt data. For example, password management system 110 may be an application hosted on the same device as user application 105, on a device that can communicate directly with the device running user application 105, or on an API that can be called (e.g., directly or indirectly) by user application 105.

[0092] Figure 3 shows an exemplary application 300 that implements the methods and trusted AI systems described herein with respect to an autonomous vehicle. As shown in the figure, data used for the operation of the autonomous vehicle may be encrypted end-to-end using one or more quantum-resistant secure keys. For example, a user / operator (e.g., driver, rider, etc.) 305 can provide specific commands to an application within the autonomous vehicle 310. These commands may include vehicle commands such as destination, speed, direction, route preference, time of arrival, driving style, and entertainment preference.

[0093] The autonomous vehicle 310 may be monitored by a monitor 315. The monitor 315 may include a human, a computer system, an AI / ML model, etc. As disclosed herein, data transmitted from the autonomous vehicle 310 may be encrypted so that the monitor 315 receives the encrypted data and takes action (e.g., calculations). When the monitor 315 encrypts the data before receiving it, the user / operator 305 of the autonomous vehicle 310 can protect the data from third parties intercepting it, and once the data is received (e.g., viewed) by the monitor 315, the privacy of the data can be protected.

[0094] Data exchanged between the autonomous vehicle 310, the remote control station 315, and various components of the system can be encrypted, and AI-based analysis can be performed on the encrypted data to directly guarantee data integrity. The AI-based analysis may utilize a CNN or DNN with the modified architecture described above so that the calculation results can approximate results based on plaintext data (original unencrypted data). Once the monitor 315 takes action on the data and generates result data, the result data can be decrypted upon receipt by the autonomous vehicle 310.

[0095] In some cases, much of the calculation may be performed in the autonomous vehicle 310 by encrypting data received from the autonomous vehicle 310's sensors. Furthermore, in some cases, the calculation may also include performing inference via the encrypted data to generate instructions on how to drive the autonomous vehicle 310 to a destination issued by the user / operator 305 or the monitor 315, and how to drive the driving environment.

[0096] Figure 4 illustrates an application 400 of the systems, methods, computer-readable media, and technologies disclosed herein with respect to email. Use case 400 shown in Figure 4 for email use cases may be identical or similar to process 100 shown with respect to Figure 1, or use case 300 shown with respect to Figure 3. For example, as shown in Figure 4, multiple emails may be encrypted on the client side (e.g., via homomorphic encryption) and sent to the server as encrypted emails. The server may perform one or more actions (e.g., calculations) on the encrypted emails. For example, as shown, the server may perform a spam detection algorithm on the encrypted emails, thereby generating an encrypted result. The encrypted result may be sent back to the client. The encrypted result may be decrypted by the client, thereby generating a decrypted result. For example, as shown, the decrypted result may include decryption detection of spam emails from multiple emails.

[0097] Examples of fully homomorphic encryption As described above, cryptographic systems that support arbitrary computations on ciphertext may be called FHEs. By using FHEs, the systems, methods, computer-readable media, and techniques disclosed herein enable the performance of computations on encrypted data without the need to decrypt the data first, thereby enabling the maintenance of data privacy throughout the data processing pipeline.

[0098] In some cases, FHE allows for the construction of programs for any desired function that can be executed on an encrypted input to produce the result of encryption. Since such a program may not decrypt its input, the program can be executed by an untrusted party without exposing the input and its internal state. FHE technology has undergone numerous iterations, including partial implementations such as the RSA cryptosystem (unlimited modular multiplications), ElGamal cryptosystem (unlimited modular multiplications), Goldwasser-Micali cryptosystem (unlimited exclusive or arithmetic operations), Benaloh cryptosystem (unlimited modular additions), Paillier cryptosystem (unlimited modular additions), Sander-Young-Yung system (implementing logarithmic depth circuits), Boneh-Goh-Nissim cryptosystem (unlimited addition operations but at most one multiplication), and Ishai-Paskin cryptosystem (polynomial-sized branching program).

[0099] There are several implementations of fully homomorphic encryption schemes. Second and fourth-generation FHE scheme implementations operate in leveled FHE mode (although bootstrapping may still be available in some libraries) and may support efficient SIMD-like data packing (e.g., these implementations may be used to compute encrypted integers or real / complex numbers). Third-generation FHE scheme implementations may bootstrapping after each operation, but support for packing may be limited (e.g., these implementations may be used to compute Boolean circuits via encryption bits and support integer arithmetic and univariate function evaluation, etc.). The choice of which of the second, third, and fourth-generation schemes to use may depend on the type of input data and the type of computation applied. Specific iterations of FHE may be open source. For example, an open-source FHE library may implement second-generation (BGV / BFV), third-generation (FHEW / TFHE), or fourth-generation (CKKS) FHE schemes. Such FHE schemes may include HElib, Microsoft SEAL, OpenFHE, PALISADE, HEAAN, FHEW, TFHE, FV-NFLlib, NuFHE, REDcuFHE, Lattigo, TFHE-rs, Concrete, E3, SHEEP, T2, and others.

[0100] In general, when implementing FHE, the systems, methods, computer-readable media, and techniques disclosed herein enable the evaluation of any circuit composed of multiple gate types at infinite depth, and FHE can be used in complex data security situations and help overcome challenges in mobile networks. Specific exemplary applications of FHE for the systems, methods, computer-readable media, and techniques disclosed herein may include privacy-preserving computation, secure data sharing, augmented AI model privacy, and robustness against inference attacks.

[0101] Turning to privacy-preserving computation, the AIS of the systems, methods, computer-readable media, and techniques disclosed herein, through the implementation of FHE, can perform privacy-preserving computation, analysis, and generate insights while ensuring the confidentiality of raw data (e.g., unencrypted data). Implementing FHE is particularly important when dealing with sensitive data such as personal identifiers, financial information, medical information, election / voting information, and trade secrets, all of which are frequently targeted by cyberattacks.

[0102] Turning to secure data sharing, the AIS of the systems, methods, computer-readable media, and techniques disclosed herein, through the implementation of FHE, can also facilitate secure data sharing between various entities. For example, different parts of an ML model can be hosted by various parties, each performing calculations on its own encrypted data. The results can then be combined to obtain the final output without any party having to expose their raw data.

[0103] Turning to enhanced AI model privacy, the AIS of the systems, methods, computer-readable media, and techniques disclosed herein through the implementation of FHE can protect the privacy of the ML models themselves. This is particularly important in scenarios where ML models are deployed in untrusted environments. By keeping the models encrypted, FHE can help prevent model extraction attacks aimed at replicating the capabilities of the ML models.

[0104] Focusing on robustness against inference attacks, the AIS of the systems, methods, computer-readable media, and techniques disclosed herein, through the implementation of FHE, can help defend against inference attacks aimed at obtaining sensitive information by an attacker querying an ML model. Since the computation is performed on encrypted data by embedding FHE, the attacker cannot infer meaningful information from the response.

[0105] The systems, methods, computer-readable media, and techniques disclosed herein optimize combinations of FHEs tailored to the AI ​​problem space. While multiple FHE schemes exist, in some cases, the systems, methods, computer-readable media, and techniques disclosed herein can implement FHE schemes that are quantum-resistant, even if complex.

[0106] For example, the CKKS scheme is a quantum-resistant homomorphic encryption scheme that can efficiently perform calculations on floating-point (decimal) numbers and, in some cases, can be implemented by the systems, methods, computer-readable media, and techniques disclosed herein. These cryptographically secure schemes may add random noise to the data during encryption. This noise is amplified during computation, but as long as the noise remains sufficiently low, the encrypted data can still be decrypted. Homomorphic encryption schemes can become FHE schemes (e.g., fully homomorphic and quantum-resistant) when a specific operation called bootstrap is implemented to "reset" the noise so that computation can continue indefinitely. In some cases, the systems, methods, computer-readable media, and techniques disclosed herein provide FHE for these AI-based use cases. In some cases, when data is encrypted using the quantum-resistant FHE schemes of the systems, methods, computer-readable media, and techniques disclosed herein, it may not be necessary to decrypt the data in order to perform analysis (e.g., computation).

[0107] Training and utilizing AI models through FHE data can be inherently challenging. For example, some FHE operations carry significant overhead, making these encrypted calculations slower than their unencrypted counterparts. Open-source libraries can be used in both the FHE domain and the AI / ML domain. Libraries for implementing FHE may include OpenFHE, Microsoft's SEAL, etc. Examples of potentially compatible AI / ML models may include scikit-learn, TensorFlow, PyTorch, etc. However, combining such AI models with FHE can still present certain challenges. These challenges may stem from the limitations imposed by standard FHE implementations on the permissible mathematical operations. Precisely by their nature, AI and ML algorithms may use nonlinear mathematical operators, while FHE matrix operations may use multiplication and addition.

[0108] Addressing these challenges within the constraints imposed by FHE may involve combining a variety of techniques and novel holistic design methods, such as using deep neural network architectures, simple axlimeters for standard nonlinear operators like exponential and square root functions, function substitution, hypervector computing, and bitwise operators.

[0109] For example, two high-density neural network-based AI models may be trained in plaintext, but FHE may be used to bring inference to help address these challenges. Public datasets can be used for plaintext training and FHE inference. In some cases, various AI models may be trained on encrypted data; for example, a CNN may be trained for image recognition and validation, which may be applicable to biometric authentication. Three computational methods can be used to develop and release AI models via FHE encrypted data aimed at combating identity threats, including: To develop and implement plaintext-trained CNN AI models for FHE cryptographic data inference, including (A)(i) identifying and testing appropriate approximations and alternatives for various nonlinear activation functions and nonlinear loss functions for FHE, and (ii) systematically constructing increasingly large and complex CNN models; to develop and implement CNN (and potentially other) AI models for cryptographic data in the FHE domain, including (B)(i) creating mathematical models to prove homomorphic encryption-based similarity computation, and (ii) using the knowledge gained from creating mathematical models to systematically construct increasingly large and complex AI models, including other DNNs (e.g., targeting the use of DHS); and to provide products and APIs for using FHE-based AI models.

[0110] By implementing post-quantum cryptography AI models, individuals can encrypt their own data, thereby ensuring user privacy and minimizing the fraud and theft of identification information. In real-world settings, such encryption models could be used for biometric identity verification (e.g., for transit security) or to identify containers that pose a potential risk for terrorism, drugs, or other contraband (e.g., for border / customs security). Having AI models built on and utilizing encrypted data can provide an additional layer of privacy and security in cyberspace.

[0111] Figure 5 shows an exemplary process 500 that implements trusted AI using fully homomorphic encryption. As illustrated, the process in Figure 5 can operate in a zero-trust environment and provide end-to-end security.

[0112] Process 500 may, in some cases, begin with a user / device / machine generating encrypted data using fully homomorphic encryption. FHE is shown as being used in Figure 5 and presents certain advantages (e.g., as disclosed herein), but in some cases, other suitable cryptographic techniques may be used to achieve results that have at least certain similarities to those disclosed herein with respect to FHE. The encrypted data may be sent to a server (e.g., a cloud server). On the server, the encrypted data may be validated for authenticity before being sent to an AI / ML model. The AI / ML model may then perform validation, verification, training, inference, etc., on the encrypted data. The user / device / machine may then receive encrypted, trusted results from the AI / ML model.

[0113] Advantageously, by implementing FHE in AIS, the systems, methods, computer-readable media, and technologies disclosed herein can ensure data privacy while enabling the use of AI power to detect and respond to threats. This technology can further guarantee data confidentiality and integrity and enhance user trust in AI systems.

[0114] Example of a neural network with a modified architecture for FHE data The systems, methods, computer-readable media, and techniques disclosed herein provide artificial intelligence in which calculations are performed on encrypted (FHE-based) values ​​such that (1) decryption is arbitrary and provably difficult, and (2) the result is consistent with some given plain-text (PT) calculation. In some cases, the FHE calculation does not need to reflect the PT calculation to produce a consistent output.

[0115] In some embodiments, the disclosure provides DNN-based models having a modified architecture suitable for FHE computation. As used herein, the term “modified architecture” may generally refer to having one or more components of a deep learning network modified to be suitable for FHE computation. In some cases, the modified architecture may include using a Gaussian function as the activation function. In some cases, the modified architecture may include removing one or more pooling layers. In some cases, the DNN-based model may be trained on plaintext data, encrypted data (FHE encrypted), or a combination of both. The trained DNN model may be deployed to perform inference on FHE encrypted data.

[0116] The model architecture can be modified to suit FHE computations, thereby improving computational efficiency and result accuracy compared to computations performed on plaintext data. For example, ReLU (Normalized Linear Lumens) may be the optimal activation function used in PT models. In that domain, ReLU can be efficient and useful for training accurate models. In contrast, in FHE, ReLU may not be computationally efficient. Some practitioners have shown that nearly 60 terminological approximations can be used to model ReLU sufficiently faithfully in FHE.

[0117] Another optimal design example in PT might be "pooling," a process for handling the outputs of convolutional layers. While pooling can be useful in some cases, it can also be avoided in network design, resulting in a network with less overall computation. While fewer computations might be preferable for the same precision, this can be even more computationally expensive under FHE, where the computation can be significantly higher. In FHE, the neural network may not use pooling in some cases. In such cases, the pooling layer may simply be removed, and the currently interacting convolutional layers may be appropriately tuned to have a specific number of parameters. Furthermore, in some cases, the ReLU function is x 2 It can be replaced with.

[0118] In some cases, activation functions can be used because they can generate nonlinearity between layers. For example, without activation functions, there may be no mathematical benefit to having multiple layers. These nonlinearities allow the network to split signals without the signals subsequently merging again. In some cases, the completed network can utilize multiple such splits constructed within the network to perform more complex tasks such as multi-class labeling or regression. In some cases, ReLU performs splitting by making some signals positive and others zero, which may be the two states of interest. 2 In this case, the two states of the subject can be close to zero and far from zero. In these two states, x 2 This allows the signal to be split. Furthermore, in some cases, a precisely defined Gaussian noise can act as an activation function. The noise activation function is x 2 It reflects the original with near-perfect accuracy and can achieve similar accuracy when trained. In some cases, DNN-based networks with modified architectures may be difficult to train. This disclosure may provide an improved method for training modified DNN models. In some cases, during the training phase of training a DNN-based model with a modified architecture, the method may include selecting hyperparameter values ​​based on criticality. For example, the method may include selecting one or more hyperparameter values ​​based at least in part on monitoring criticality. In some cases, one or more hyperparameters may include at least one of the mean and variance of a random initialization distribution, batch size, learning rate, or optimizer settings. In some cases, the mean or variance of a Gaussian function is adjusted during the training phase. Once trained, an advantage of such a network may be that it operates faster in FHE than standard network designs.

[0119] Examples of blockchain technology The systems, methods, computer-readable media, and technologies disclosed herein can implement blockchain. Blockchain implemented by the systems, methods, computer-readable media, and technologies disclosed herein can form an important component of AIS technology.

[0120] Blockchain (which may also be called, for example, a distributed ledger or shared ledger) is a technology that can be used to achieve a distributed consensus on the validity or invalidity of information within a chain. In other words, blockchain brings decentralized trust to participants and observers. In contrast to the use of a central authority, blockchain is a distributed database or ledger where transaction records can be maintained at each node in a peer-to-peer network.

[0121] A distributed ledger can be constructed from groups of transactions that are grouped into "blocks" and arranged sequentially (hence the term "blockchain"). Nodes can join and leave the blockchain network over time, and may acquire blocks that have propagated while a node was away from its peer nodes. Nodes can maintain the addresses of other nodes and exchange known node addresses with each other, facilitating the propagation of new information across the network in a decentralized, peer-to-peer manner.

[0122] Nodes sharing a ledger form a so-called distributed ledger network. Nodes within a distributed ledger network can validate changes to the blockchain according to a set of consensus rules (for example, when a new transaction or block is created), and each node forms a consensus on how the changes will be integrated into the distributed ledger. Consensus rules depend on information tracked by the blockchain and may include rules concerning the chain itself. For example, consensus rules may include requiring change originators to provide proof of identity, so that only approved entities can originate changes to the chain. Consensus rules may include requiring blocks and transactions to adhere to formatting requirements and provide specific metadata about changes (e.g., blocks must be below a size limit, transactions must contain certain fields, etc.). Consensus rules may include mechanisms for determining the order in which new blocks are added to the chain (e.g., through proof-of-work systems, proof-of-stake systems, etc.).

[0123] Once consensus is reached, the agreed-upon changes are pushed out to each node, so that each node maintains a copy of the updated distributed ledger (e.g., an identical copy). For example, an addition to the blockchain that satisfies the consensus rules may propagate from the node that validated the addition to other nodes known to the validating node. If all nodes that have received changes to the blockchain have validated the new block, the distributed ledger reflects the new changes stored in all nodes, and it can be said that a distributed consensus has been reached regarding the new block and the information it contains. Changes that do not satisfy the consensus rules are ignored by the node that received the change by validating it and cannot be propagated to other nodes. Therefore, unlike a central authority, no single party can unilaterally alter the distributed ledger unless it can be altered in a way that satisfies the consensus rules. Because past transactions cannot be altered, blockchains are generally described as trustworthy, secure, and immutable.

[0124] The validation activities of nodes that apply consensus rules on a blockchain network can take various forms. For example, a blockchain can be thought of as a shared spreadsheet that tracks data such as asset ownership. In another example, validation nodes execute code contained in a "smart contract," and decentralized consensus is represented as network nodes agreeing on the output of the executed code.

[0125] A smart contract can be a computer protocol that enables the automatic execution or enforcement of agreements between various parties. In particular, a smart contract can be computer code located at a specific address on a blockchain. In some cases, a smart contract can be automatically executed in response to a blockchain participant sending funds (e.g., cryptocurrency such as Bitcoin, Ether, or other digital or virtual currencies) to the address where the smart contract is stored. Furthermore, smart contracts can maintain a balance of the amount of funds stored at those addresses. In some cases, when this balance reaches zero, the smart contract may cease to function. A smart contract may contain one or more trigger conditions that, when met, correspond to one or more actions. In some smart contracts, which action from one or more actions is performed may be determined at least in part on one or more decision conditions. In some cases, data streams may be routed to the smart contract so that the smart contract can detect when a trigger condition has occurred or analyze the decision conditions.

[0126] Some blockchains may be deployed in an open, decentralized, and permissionless manner, meaning that any party can participate in the blockchain as a node responsible for viewing information, submitting new information, or verifying information. This open, decentralized, and permissionless approach to blockchains may have certain limitations. For example, these blockchains may not be good candidates for interactions where information needs to be kept private, or interactions where all participants need to be screened before joining.

[0127] Other blockchains may be deployed as private (e.g., permissioned ledger) blockchains that keep chain data confidential among a group of entities permitted to participate in the blockchain network. Other blockchain implementations may be permitted or not, where participants may need to be validated, but only information that network participants wish to make public is made public.

[0128] In some cases, to create a new block in the blockchain, each transaction within the block may be assigned a checksum value, which may also be called a hash (e.g., the output of a cryptographic hash function such as SHA-256 or MD5). These checksum values ​​can then be combined using data storage and cryptographic techniques (e.g., Merkle trees) to generate a checksum value representing the entire new block and therefore the transactions stored in it. This checksum value can then be combined with the checksum values ​​of previous blocks to form a checksum value included in the header of the new block, thereby cryptographically linking the new block to the blockchain. In some embodiments, one or more associated transactions are used as verification points for a unique watermark identifier that acts as a checksum for the plaintext data. For this purpose, the exact value used in the header of the new block may depend on the checksum values ​​of each transaction within the new block, as well as the checksum values ​​for each transaction in all previous blocks.

[0129] In some cases, the checksum value and nonce value (any number used once) generated for a new block can be used as input to a cryptographic puzzle, so that the information stored on the blockchain can be trusted (e.g., at least partially trusted). A cryptographic puzzle may have a difficulty level set by nodes connected to the blockchain network, and the difficulty level may be set by the administrator of the blockchain network. In one example of a cryptographic puzzle, a solving node uses the checksum value generated for a new block and repeatedly changes the nonce value until a solution to the puzzle is found. For example, finding a solution to a cryptographic puzzle may involve finding a nonce value that satisfies a certain criterion (e.g., the nonce value starts with five zeros).

[0130] When a solution to a cryptographic puzzle is found, the solving node publishes the solution, and other nodes can verify that the solution is valid. Because a solution may depend on a specific checksum value for each transaction in the blockchain, if a solving node attempts to modify a transaction stored in the blockchain, the solution may not be verified by other nodes. More specifically, if a single node attempts to modify a previous transaction in the blockchain, a cascade of different checksum values ​​can be generated for each layer of cryptographic combinatorial technology. This means that the headers of one or more blocks may differ from the corresponding headers of all other nodes that did not make the exact same modifications.

[0131] In some cases, when paired with steganography and watermarks, blockchain checksums can be used on the blockchain to guarantee verification and non-repudiation of data. The use of steganography and watermarks paired with checksums in a blockchain database guarantees both data verifiability and non-repudiation, thereby providing data reliability and enabling secure transactions and reliable data management. In other words, blockchain-based checksum verification can guarantee that decrypted data has not been tampered with, thus providing non-repudiation of data.

[0132] With regard to the AIS of the systems, methods, computer-readable media, and technologies disclosed herein, blockchain can be integrated into the AIS because it can maintain a transparent, tamper-proof record of all transactions, and therefore can help create an immutable audit trail of all activity within the system. For example, this real-time record of events contained in the blockchain can enable rapid identification of anomalies and provide crucial insights for swift and decisive action when a threat is detected.

[0133] Furthermore, because blockchain is decentralized and data is distributed across multiple nodes or computers, applying blockchain to AIS can guarantee the absence of a single point of failure, thereby further enhancing the system's resilience to attacks. For example, in the event of an intrusion, the compromised node can be isolated and repaired without affecting the overall system's functionality.

[0134] As disclosed herein, blockchains can be programmed with smart contracts (e.g., automated contracts in which the terms of the contract are written in code). In the context of AIS, smart contracts can automate responses to detected threats, reduce response times, and minimize potential damage. For example, smart contracts may automatically restrict access for suspicious users or isolate nodes that are potentially at risk.

[0135] As disclosed herein, blockchains can implement various consensus mechanisms. Blockchain consensus mechanisms can be used within AIS to establish trust in AIS. For example, multiple nodes may check the validity of a proposed update to an AI model before the AI ​​model is updated. This can prevent unauthorized or malicious modifications to the AI ​​model.

[0136] Blockchain also offers the potential to improve privacy and data control within AIS. By combining blockchain technology with other technologies such as SMPC or FHE, sensitive data can be securely stored and processed without being exposed to malicious entities. This approach, which fuses AI with FHE to emulate an artificial immune system and enables an autonomous, self-learning, and resilient system for data protection, may depend on core technologies that can be suitably woven in, such as SMPC, application-specific integrated circuits (ASICs) and optical processors for high-performance FHE, hypervectors and vector symbolic architectures (VSAs), and the use of steganography and watermarking with checksums in blockchain databases. In some cases, the use of SMPC provides data privacy even during processing, and ASICs and optical processors bring new levels of efficiency and speed to FHE computations, making them practical for a wide range of applications. Hypervectors and VSAs can be further utilized to effectively represent and manipulate complex symbolic structures and to further extend the capabilities of the systems, methods, computer-readable media, and technologies disclosed herein.

[0137] Through these characteristics, blockchain technology offers significant advantages for application to AIS, enhancing the capabilities of the systems, methods, computer-readable media, and technologies disclosed herein for maintaining secure, transparent, and reliable AI operation.

[0138] Example of secure multi-party computation The systems, methods, computer-readable media, and techniques disclosed herein may implement secure multi-party computation for building robust and privacy-protected AIS. Generally, SMPC is an interactive protocol for multiple parties to compute several functions (represented as circuits). Depending on the type of circuit, there are two main ways to implement SMPC. Garbled circuits are efficient for Boolean circuits, while implementing SMPC through the sharing of secrets is useful for arithmetic circuits. The SMPC protocol has the advantage of being information-theoretically secure, rather than relying on computational assumptions, unless there is collusion. Data may be shared secretly without encryption. Sharing by each server does not reveal information about the secret unless all servers collude with each other.

[0139] In some cases, SMPC may be called secure computation, multi-party computation (MPC), or privacy-preserving computation. SMPC is a subfield of cryptography that allows parties to jointly compute a function through their inputs while keeping those inputs confidential. Unlike certain cryptographic techniques that can provide security and integrity for communications or storage with adversaries outside the participants' systems (e.g., eavesdroppers on senders and receivers), the cryptography in SMPC protects the privacy of the participants from one another. Exemplary implementations of SMPC may include Yao-based protocols, SEPIA (Security through Private Information Aggregation), SCAPI (Secure Computation API), PALISADE (homomorphic cryptography library), and MP-SPDZ (general-purpose framework for multi-party computation).

[0140] In general, the application of SMPC to the systems, methods, computer-readable media, and technologies disclosed herein enables multiple parties to perform computations on those non-public inputs while maintaining the privacy of those inputs.

[0141] Systems, methods, computer-readable media, and technologies using SMPC enable privacy-preserving collaborative learning. For example, various entities can train a shared AI model using their private data without disclosing that data to others. This can facilitate data-driven collaboration between organizations and lead to well-trained models while ensuring data privacy.

[0142] SMPC enables distributed threat detection and response in AIS. For example, when applied to AIS, the systems, methods, computer-readable media, and techniques disclosed herein can detect and mitigate threats by leveraging data and resources from various nodes, without a single node having access to all the data. This distribution not only enhances privacy but also reduces the risk of a single point of failure.

[0143] In some cases, AIS can use SMPC to securely aggregate insights from various nodes. In such cases, each node can process its local data and only share the information used for aggregation. Thus, this technique can maintain the privacy of local data while enabling collective insights to inform the overall system defense strategy.

[0144] By distributing data processing and decision-making processes across multiple nodes, in some cases the systems, methods, computer-readable media, and techniques disclosed herein reduce the risk of data poisoning attacks using AIS. For example, even if one node is compromised and supplied with poisoned data, the impact on the entire system can be mitigated because decisions are made collectively.

[0145] Therefore, SMPC enables coordinated anomaly detection, where various nodes can work together to detect anomalies. For example, each node can process its local data to identify potential anomalies, and these findings can be securely aggregated to identify anomalies across the entire system. Advantageously, by incorporating SMPC into the AIS of the systems, methods, computer-readable media, and technologies disclosed herein, a secure distributed coordinated defense system can be created that can protect AI services from various threats while ensuring the privacy and security of sensitive data.

[0146] Examples of probabilistic computing The systems, methods, computer-readable media, and techniques disclosed herein can implement probabilistic computing to reduce the effectiveness of adversarial attacks and improve robustness, fault tolerance, and hardware efficiency. SC can be a technique for computation that treats data as probabilities. SC has applications in large-scale parallel systems and is extremely tolerant of soft errors. Furthermore, SC can efficiently perform tasks such as communication decoding and neural network inference. Specific applications of SC may include redundant and highly fault-tolerant data formats and implementations of arithmetic operations using small logic circuits that benefit from the low precision levels of SC (e.g., comparable to analog computing).

[0147] Let's assume that in order to see the specific strength of SC, each of us wants to multiply by the following two numbers. n-bit precision. Using a typical long multiplication method, 2 nCalculations will be performed. In probabilistic computing, any number of bits can be AND - combined, and the expected value is correct (however, for example, when the number of samples is small, the variance can make the actual result extremely inaccurate). Further, the underlying operation in a digital multiplier may be a full - adder, while a probabilistic computer uses only AND gates. Further, a digital multiplier simply uses 2n input wires, while a probabilistic multiplier can use 2 input wires. Further, probabilistic computing is robust to noise; for example, if a few bits in a stream are flipped, those errors may have a minimal impact on the solution or no impact at all. Further, probabilistic computing elements can tolerate skew in the arrival time of inputs, and the circuit will function properly even when inputs are time - shifted. Thus, a probabilistic system can be designed to operate with inexpensive locally - generated clocks instead of using a global clock and an expensive clock - distribution network. Finally, probabilistic computing can yield an estimate of the exact solution as the bit - stream expands. In particular, a probabilistic system can yield an approximation very quickly. This property is sometimes called progressive precision, which implies that the accuracy of the SN (e.g., the bit - stream) improves as the computation progresses. In other words, it is as if the most significant bits of a number arrive before its least significant bits, which is different from other arithmetic circuits where the most significant bits usually arrive last. In some iterative systems, the partial solutions obtained with progressive precision can provide faster feedback than conventional computing methods and lead to faster convergence.

[0148] In some cases, each bit of an N - bit stochastic number (SN: Stochastic Number) X is randomly selected to be 1 with some probability p X and X is generated and processed by a conventional logic circuit. In other words, the SN has a probability p i that the value of X is x Xx was randomly selected to achieve this. i It may have bits. Here again, the resulting data value is in the unit interval [0,1]. For example, a single AND gate performs multiplication. The value X of SN can be measured by the density of SN in 1s, which is an information coding scheme also found in the biological nervous system.

[0149] In some cases, by interpreting SN as probabilities, they can be limited to the unit interval [0,1]. Therefore, to implement arithmetic operations outside this interval, the range of numbers may be scaled in an application-dependent manner. For example, integers in the range [0,256] may be mapped to [0,1] by dividing them by a scaling factor of 256, thereby replacing {0,1,2,...,255,256} with {0,1 / 256,2 / 256,...,255 / 256,1}. Such scaling may be a preprocessing step used in SC.

[0150] In some cases, SC can be easily defined to handle signed numbers. For example, if the number is p X SN X, as interpreted, is sometimes called having a unipolar form. To accommodate negative numbers, the SC technique uses a value of 2p such that the SC range is essentially [-1, 1]. X A bipolar format can be used, which can be interpreted as -1. Therefore, a bitstream with all zeros can have a unipolar value of 0 and a bipolar value of -1, while a bitstream with an equal number of 0s and 1s can have a unipolar value of 0.5 but a bipolar value of 0.

[0151] Several types of SN formats can be used to implement SC. For example, the SN format is unipolar (p X p for X (having a relationship), bipolar (p X 2p against X (has a -1 relation), inverted bipolar (p X 1-2p for X (having a relationship), a ratio of 1 to 0 (p X p forX / (1-p X This may include things like (having a relationship with) others.

[0152] In some cases, SC can be applied to the decoding of specific error correction codes. For example, probabilistic XOR and averaging operations can be used for belief propagation and may be modeled with SC. Furthermore, in some cases, since the belief propagation algorithm may be iterative, SC provides a partial solution that can lead to faster convergence. Hardware implementations of probabilistic decoders can be built on FPGAs.

[0153] The systems, methods, computer-readable media, and techniques disclosed herein apply SC to AIS by representing data as random bitstreams rather than fixed-point or floating-point numbers, resulting in inherent advantages in terms of robustness, fault tolerance, and hardware efficiency. For example, the SC advantages of the systems, methods, computer-readable media, and techniques disclosed herein may include robustness against adversarial attacks, strong fault tolerance, efficient hardware utilization, parallel processing, and noise immunity.

[0154] Focusing on robustness against adversarial attacks, the implementation of SC, and therefore its inherent randomness, can make it difficult for adversaries to manipulate the AI ​​system to produce desired results. For example, even small changes in input may not result in predictable changes in output, making adversarial attacks against AI systems that implement SC using AIS less effective.

[0155] Turning to fault tolerance, through the implementation of SC, and therefore its probabilistic properties, AI systems can be inherently fault-tolerant, which is a desirable trait when faced with attacks. For example, even if some bits are flipped due to a fault (which may be induced by an attack), the overall computation can still yield at least a nearly correct result. This fault tolerance enhances the resilience and robustness of AI systems against attacks.

[0156] Focusing on efficient hardware utilization, since SCs can perform arithmetic operations using basic logic gates, SCs can perform complex calculations using relatively simple hardware. Therefore, this efficient utilization of hardware resources can improve the feasibility of deploying AIS functions to edge devices and extend protection to the increasingly important edge computing domain.

[0157] Turning to parallel processing, SC can naturally support parallel processing that is well-suited to the distributed nature of many AI applications. Therefore, by implementing SC, the speed and efficiency of AIS functions can be enhanced, enabling a rapid response to AIS threats.

[0158] Turning to noise immunity, unlike other types of computation where noise (e.g., undesirable random fluctuations) is generally undesirable, SC allows noise to be integrated into the computation. This characteristic means that implementing SC in AIS can help maintain performance even in the noisy environments that AIS often encounters in real-world applications.

[0159] Advantageously, applying SC to the AIS of the systems, methods, computer-readable media, and technologies disclosed herein introduces levels of randomness and fault tolerance that make the misuse of the AI ​​system more difficult and enhance the overall robustness of the system. Furthermore, the efficient and parallel nature of SC ensures that the AIS can be integrated into a variety of AI applications without significantly increasing resource utilization.

[0160] Example of noise-based calculation By applying SC, the systems, methods, computer-readable media, and techniques disclosed herein may be used to develop noise-based computation (NBC). NBC may implement two classes of techniques: techniques that enable secure computation and threat detection for AIS, and techniques that authenticate data to control which data is used.

[0161] As an example, NBC can be applied to medical images. In such an example, the AI ​​can be trained on patient images (for example, public or private datasets have been used to train the AI ​​to recognize whether cells from colon cancer pathology images are cancerous or not). In such an example, the AI ​​may be hosted on the cloud (for example, as a computational service method). In such a case, a client that wants to know whether a new image contains cancer cells can do the following: (A) generate random images (e.g., 1,000, 5,000, 10,000, etc.) using client-side code to generate random images; (B) send the random images (e.g., generally noisy images like snow) to the AI ​​in the cloud; (C) use the AI ​​to label the images as "cancer" or "not cancerous"; (D) return the labeled images to the client-side software; and (E) examine, calculate, and verify the image that best matches the original image and generate a predicted result of "cancer" or "not cancerous".

[0162] In another exemplary application, NBC could use MNIST data to recognize handwritten digits (10 possible results). The accuracy would be 90+%, and the computation time could be around 800 microseconds, compared to minutes for FHE.

[0163] In some cases, the NBC may be used by systems, methods, computer-readable media, and techniques disclosed herein for secure communication, for example, as a one-time key or stored for future use. In some cases, conducting secure communication (e.g., point-to-point, one-to-many, etc.) via the NBC may include: (A) communicating parties, each having a device containing an NBC-trained AI model (e.g., the trained AI model may be configured to recognize alphabets, numbers, special characters, specific images, etc.); (B) each AI model processing data (e.g., 100,000 random images (white noise)) and labeling the data based on the trained model results; (C) communicating parties sending labeled random data points (e.g., the letter "A") to the receiving party; (D) NBC software identifying the random data points (e.g., identifying them as the letter "A"); and (E) communicating parties continuing to send random "noise" data (e.g., images) to the receiving party until the message to be delivered is complete. In some cases, actions (A) to (E) can be repeated each time a new message is sent, thus ensuring that the same "noise data" (e.g., images) is not sent to the receiving party. However, in some cases, actions (A) to (E) do not need to be repeated each time a new message is sent. For example, in some cases, actions (A) to (E) may be repeated every X times, where X can be determined, for example, by the communicating parties (e.g., collectively). X may be determined, for example, in advance (e.g., before sending the first message).

[0164] Advantageously, using the systems, methods, computer-readable media, and techniques disclosed herein for implementing NBC, clients may not need to transmit images outside their networks, thereby preventing images from being hacked or tampered with during transmission or computation. In some cases, images may be cropped to extremely small noise levels and sent to an AI model to perform noise inference. In some cases, inference may be added on the client side to provide results.

[0165] Examples of data lineage maintenance technologies The systems, methods, computer-readable media, and techniques disclosed herein may maintain data lineage to help ensure the integrity of AI systems. Techniques for maintaining data lineage may include steganography, that is, the practice of concealing information within another message or physical object to avoid detection. Steganography may be used to conceal many different types of digital content, including text data, image data, video data, audio data, etc. The concealed information may later be extracted at the destination.

[0166] In some cases, content concealed through steganography may be encrypted (or processed in some way to make detection more difficult) before being hidden within another file format. Steganography may involve concealing information in a way that avoids suspicion. Generally, steganography techniques may include text steganography (e.g., concealing information within a text file by changing the format of existing text, altering words within text, using context-free grammars to generate readable text, generating random character sequences, etc.), image steganography (concealing information within an image file by using images to conceal information, etc.), video steganography (e.g., concealing information within a video file, which allows for the concealment of large amounts of data within video streams of images and audio by embedding data in uncompressed raw video, then compressing it, and directly embedding the data in the compressed data stream, etc.), audio steganography (e.g., concealing information within an audio file by altering the binary sequence of the corresponding audio file, embedding secret messages in audio signals, etc.), and network steganography (concealing information by embedding information within network control protocols used for data transmission, such as TCP, UDP, and ICMP, etc.).

[0167] One specific technique of steganography is called least significant bit (LSB) steganography. LSB steganography can involve embedding secret information in the least significant bit of a media file. For example, in an image file, each pixel consists of three bytes of data corresponding to red, green, and blue colors, and some image formats allocate an additional fourth byte for transparency or alpha. In such cases, LSB steganography can modify the last bit of each of those fourth bytes to hide one bit of data. Modifying the last bit of a pixel value may not produce a visually perceptible change in the image, meaning that a viewer of the original image and a steganically modified image may not be able to distinguish the difference. Similar techniques can be applied to other digital media such as audio and video, where data is hidden in the part of the file that produces the least change to the audible or visual output.

[0168] Another specific steganographic technique may involve the use of word or character substitution. This may include techniques in which the sender of a secret message conceals the text of the secret message by distributing the text within a much larger text and placing words at specific intervals.

[0169] Other specific steganographic techniques may include hiding entire partitions on a hard drive or embedding data in the header sections of files and network packets. The effectiveness of these techniques may depend on how much data they can hide and how easily they can be detected.

[0170] Steganography can be used maliciously (e.g., to conceal malicious payloads in digital media files, ransomware and data theft, to hide commands in web pages, malware, malvertising, e-commerce skimming, malicious software updates, document infections, etc.), but it also has applications in improving the security of AI systems, such as through digital watermarking, which can be used to send and receive sensitive information (e.g., without attracting attention) or to track whether a file is being used without permission.

[0171] A digital watermark may be a marker hidden and embedded in a noise-resistant signal such as audio, video, or image data. A digital watermark can be used to identify ownership of such a signal. A watermark may be a process of concealing digital information within a carrier signal, and in some cases, this hidden information may have a relationship to the carrier signal. In some cases, a digital watermark can be used to verify the authenticity or integrity of a carrier signal or to indicate the identity of its owner. Similar to conventional physical watermarks, a digital watermark may be perceptible under certain conditions, for example, after using certain algorithms. For example, if a digital watermark distorts the carrier signal to make it easily perceptible, then the digital watermark may be considered less effective for its purpose. In digital watermarking, the signal may be audio, image, video, text, 3D model, etc. A signal may carry several different watermarks simultaneously. Unlike metadata added to a carrier signal, a digital watermark cannot alter the size of the carrier signal. The characteristics of a digital watermark may depend on the use case in which it is applied. For example, when marking media files with copyright information, digital watermarks can be robust against modifications that may be applied to the carrier signal. Conversely, if integrity must be guaranteed, a weaker watermark may be applied. Since a digital copy of the data may be identical to the original, digital watermarks are a passive protection tool. Similarly, digital watermarks mark the data but cannot degrade it or control access to it. Another use of digital watermarks is source tracking, where if a copy of the data is found later, the watermark can be retrieved from that copy, and watermarks are embedded in the digital signal at each distribution point so that the source of distribution is known. Both steganography and digital watermarks can utilize steganographic techniques to hide and embed data in noisy signals.

[0172] In some cases, the systems, methods, computer-readable media, and techniques disclosed herein may implement steganography to conceal information within other data to ensure the confidentiality and integrity of the information. For example, the AIS of the systems, methods, computer-readable media, and techniques may utilize steganography techniques to embed and extract digital signatures or metadata within AI models or datasets. This enables verification of the authenticity of the data and helps ensure that the AI ​​system is operating with reliable, unaltered data.

[0173] In some cases, the systems, methods, computer-readable media, and technologies disclosed herein may implement a watermark ledger that serves as an immutable record for tracking the history and lineage of data. The AIS of the systems, methods, computer-readable media, and technologies disclosed herein may leverage blockchain or distributed ledger technology to maintain a watermark record of data and capture information about the origin of data, data transformation, data access history, and so on. This thus enables comprehensive data lineage tracking and allows system administrators and auditors to verify the authenticity, integrity, and compliance of the AI ​​system.

[0174] By combining steganography and watermarking ledgers, the AI ​​systems, methods, computer-readable media, and technologies disclosed herein can achieve robust proofance tracking. In some cases, each data element, model, or decision generated by an AI system can be traced back to its origin, ensuring accountability and facilitating the identification of potential malicious activity or data breaches.

[0175] Furthermore, in some cases, watermark ledgers can provide a tamper-proof record of data and model changes. Attempts at unauthorized alterations or tampering can be detected through consistency checks provided by watermarking technology. This ensures auditability, allows for investigation of suspicious activity, and guarantees transparency in the operation of AI systems.

[0176] In some cases, steganography is used to directly embed watermarks, which are a form of hidden, often unidentifiable identifier, into datasets. This combination ensures data traceability while protecting data from unauthorized use and manipulation. Embedding watermarks using steganographic techniques enhances the inherent protective capabilities of the watermarks, as they are difficult to detect / remove without precise knowledge of their placement. By combining these techniques, the systems, methods, computer-readable media, and techniques disclosed herein create a nearly imperceptible layer of data security that enhances the resilience of datasets to adversarial attacks while also preserving data ownership and lineage. This technique promotes reliable data sharing, secure collaborative learning, and enhanced trustworthiness of machine learning models. In some cases, after applying watermarks, the systems, methods, computer-readable media, and techniques disclosed herein can use FHE to ensure the integrity of the AI ​​computations themselves. Once authenticated data is encrypted with a quantum-resistant FHE scheme, decryption is not required to perform analysis (e.g., computations). In some cases, steganographic watermarking allows the receiving party to check the authenticity of the received data at the start and end of secure AI computations. If the information is tampered with in any way along the way, the watermark may no longer be effective. Therefore, the data is not used for AI training or inference purposes to guarantee reliable and secure AI. This end-to-end protection provides maximum protection for the information.

[0177] Advantageously, the integration of the systems, methods, computer-readable media, and technologies disclosed herein into steganography and watermark ledgers for AI systems enhances the ability to establish, maintain, detect tampering with, and provide an auditable trail of data transformations. This robust data governance approach strengthens confidence in the decision-making processes of AI systems, improves transparency, and enables regulatory compliance.

[0178] Examples of universal multiplexing In some cases, watermarks implemented by the systems, methods, computer-readable media, and techniques disclosed herein may include Universal Multiplexed Watermarks (UMW), which are an example of Universal Multiplexed Encoding (UME). Unlike other techniques for communication between data formats, UME can steganographically embed machine-readable language within human-readable data streams, covering a spectrum of data types including text, images, video, audio, and medical data. As a result, UME can serve as a key facilitator for a wide range of multiplexed human-machine communication possibilities. UME helps to seamlessly and securely fuse human-machine communication through the complex integration of machine-encoded data into human-readable content, thereby revealing numerous potential applications across diverse fields.

[0179] Generally, UME represents a pioneering technology that provides a unique ability to steganographically integrate machine-readable language within data streams intended for human consumption. This technology can result in dual-encoded messages, i.e., “multiplexed” data that carries a human-readable outer layer of content and a concealed layer intended for machine interpretation. The systems, methods, computer-readable media, and technologies disclosed herein utilize a set of advanced encoding schemes to nest machine-readable data within human-intended content. This embedded data can be interlaced at multiple levels within diverse forms of content, such as text, images, audio, or video, and later decoded by AI systems utilizing corresponding decoding schemes.

[0180] As a fundamental medium of human-to-human communication, text provides a crucial platform for UME. By integrating machine-readable language within human-readable text, UME significantly enhances the security and effectiveness of text-based communication. For example, UME's text-based applications may include steganographic embedding of machine-encoded data within written content. This technology can utilize various encoding algorithms to embed machine-readable data at various hierarchical levels within text, from characters and words to sentences. Upon reception, AI systems can decode and interpret this embedded data using complementary decoding algorithms.

[0181] The implementation of UME within text presents several advantages, ushering in a new era of secure, efficient, and multiplexed communications. Regarding secure communications, UME functions as a robust security layer in digital communications. By concealing sensitive information within seemingly ordinary text, UME significantly enhances the privacy and security of confidential data transmissions. UME implementations can also protect digital content by enabling the integration of copyright information within text, thereby preventing unauthorized use and distribution and resulting in effective digital copyright management. Furthermore, UME implementations offer the unique ability to embed relevant metadata within text, thus providing additional context or background information without complicating human-readable content. Such metadata can serve various purposes, including content classification, search optimization, and data analysis.

[0182] It should be understood that the application of UME by the systems, methods, computer-readable media, and technologies disclosed herein extends beyond text. For example, the usefulness of UME in embedding metadata or confidential information within images and videos can serve a variety of purposes, from secure communications, digital forensics, and digital rights management to the creation of augmented reality experiences. In another example, with audio data, UME can be applied to embed additional information, assisting AI systems in understanding the context or source of the audio. This has proven extremely beneficial in applications such as speech recognition, audio forensics, and telecommunications. In yet another example, with medical data, UME can revolutionize the healthcare sector by facilitating the embedding of patient data, medical instructions, or diagnostic data into medical images or text without interfering with the original data. This significantly enhances patient data management, telemedicine, and medical research.

[0183] Advantageously, UME, when applied by the systems, methods, computer-readable media, and techniques disclosed herein, may offer the potential to integrate machine-readable data into diverse human-intended data streams, thereby revolutionizing human-machine communication across a wide range of applications in digital communications.

[0184] Implementation forms of universal multiple watermarking

[0185] In some embodiments, this disclosure provides an application programming interface (API) or comprehensive platform for secure data manipulation. The API provides a combination of cryptography, digital signatures, hashing, steganography, and blockchain technologies, which, beneficially, enables a general-purpose and robust solution for data security and provenance, non-repudiation, and lineage checking as described above. Figure 8 schematically illustrates an example of a data integrity API 800 implementing the methods of this specification. In some embodiments, the data integrity API 800 allows embedding a secret file in a cover file, thereby creating a seal. The type of secret file is arbitrary. The API may be a standard or unified API capable of supporting any standard file format.

[0186] In some cases, the Data Integrity API 800 may include a Universal Steganographic Watermarking API. The Data Integrity API 800 could be a unified API architecture for seamlessly watermarking various file types (e.g., text files, image files, video files, audio files, HTML, etc.). The Data Integrity API 800 may provide multiple functions, including, but are not limited to, concealment, disclosure, and checking. Each function is designed to ensure robust security and integrity of the watermarking process.

[0187] As shown in Figure 8, the data integrity API 800 may include a confidentiality API or an embedded endpoint API 801. The embedded endpoint takes a cover file 811 and a secret file 813 as input, embeds the secret file using its own technology, and outputs a sealed cover file 815. The output sealed cover file may be an embedded cover file with a seal. As described above, the cover file and / or secret file may be of any type (e.g., audio, video, image, plain text file, etc.). The cover file may be any file that can be sealed / watermarked. The secret file may be any file that contains secret data to be embedded in the cover file. In some cases, the cover file may be human-readable while the secret data is machine-readable only. For example, the cover file may be a medical image (e.g., a patient chest X-ray as a cover file with patient information for lung diagnosis, i.e., a QR code® containing secret data). The cover file / secret file may be static or dynamic (e.g., streaming data).

[0188] In some cases, the embedded endpoint API 801 embeds sensitive data 813 within the cover file 811 by performing the following actions:

[0189] 1. Initial Encoding: a) The cover file is loaded into memory and encoded into the array using an encoding scheme. In some cases, the encoding scheme may be adaptively selected based on the file type of the cover file. b) The secret file is loaded into memory and encoded into the array using an encoding scheme. In some cases, the encoding scheme may be selected to ensure compatibility and ease of handling. For example, the encoded cover file may be a base64 string encoding of the cover file, and the secret file may be encoded into a base64 string encoding of the secret file.

[0190] 2. Secret Packaging: The encoded secret file is standardized in a format for subsequent processing (e.g., scrambling). For example, the name of the encoded file (file format) is guaranteed to include an extension, such as in the JSON response "Secret File Name: The string name of the secret file which must include an extension".

[0191] 3. Scrambling: Encoded sensitive data is scrambled using a secure pseudorandom number generator (PRNG) seeded with a unique value to provide a critical layer of obfuscation and protect the secret from unauthorized detection and extraction. The sensitive file may contain sensitive information hidden behind a cover file (e.g., patient information hidden behind a chest X-ray). The "seed" is selected by the user and can be used in the PRNG method for scrambling purposes. For example, the seed may be a private seed containing a string that protects the sensitive data. The string may be selected and / or defined by the user (e.g., a uuid4 string). For example, a user-selected seed may be combined with pseudorandom numbers generated by the PRNG used to scramble and then descramble the encoded sensitive file.

[0192] 4. Compression: The scrambled sensitive data is compressed to minimize its impact on the cover file, maintaining its usefulness and inconspicuousness. The compressed sensitive data is then inserted into the encoded cover file. Compression beneficially reduces the overall impact on the cover file's file size.

[0193] 5. Signature Generation: The encryption of the compressed and scrambled confidential data is computed. The cryptographic signature of the confidential data acts as a unique signature or fingerprint of the confidential data, enabling tamper detection and integrity verification. The scrambled and compressed confidential data can be hashed to generate a specific hash key for the embedded file. The hash is the cryptographic signature of the confidential data.

[0194] 6. Final Assembly: a) The generated cryptographic signature is added to the compressed data. For example, a hash may be added to the compressed file. b) The data (attached signature (hash) and compressed data) are then embedded in the cover file at a specific offset. The specific offset may be determined based on the file type and / or the intended invisibility of the watermark. For example, the offset may be determined by examining various byte positions within the cover file, and the position is determined based on the file type (audio, video, image, plaintext, etc.). In some cases, the systems herein may utilize machine learning algorithms to analyze the content of the cover file, such as digital media (e.g., images, video, audio), and determine the optimal watermark position / offset based on the content characteristics and intended use case.

[0195] 7. File Output: a) The modified data, including any secrets embedded here, is written to a new file 815 of the same type as the original cover file. b) This output file is a watermarked carrier ready for distribution or storage. For example, the output may be a JSON response including the sealing file and extension.

[0196] The following are examples of inputs and outputs to the embedded endpoint API.

[0197] input:

[0198] Cover file: Base64 string encoding of the cover file.

[0199] Cover file name: The string name of the cover file must include the file extension.

[0200] Secret file format: Base64 string encoding of the secret file.

[0201] Secret file name: The string name of the secret file must include the file extension.

[0202] Private seed: A string that protects the sealing, user-selected and defined (e.g., a UUID4 string).

[0203] output:

[0204] The following is a JSON response in the format: { "result":{ "sealed_file":str base64, ``extension'':str extension of ´sealed_file´ } }

[0205] In some embodiments, the data integrity API may further include a public API or a retrieval endpoint API 803. The public API 803 extracts sensitive data from a watermarked file by reversing the steps of the concealment API 801. As an example, the retrieval endpoint API 803 may perform the following actions:

[0206] 1. Extraction: a) The watermarked file or sealed cover file 815 is loaded into memory and decoded by the retrieval endpoint API 803. b) The retrieval endpoint API 803 scans the data for a specific sequence representing the watermark. c) Embedded data based on the specific sequence, including compressed data and cryptographic signatures, is extracted.

[0207] 2. Decompression: a) The compressed data is decompressed using the same algorithm used in the compression step. b) The result is the restoration of the scrambled data.

[0208] 3. Descrambling and Decoding: a) The scrambled data is descrambled using the same pseudo-random byte sequence used in the scrambling step. b) The descrambling operation restores the original data with the encoded secret data. c) The data is decoded into the actual secret file using the reverse of the encoding scheme used in the confidential API.

[0209] In some cases, the retrieve endpoint API takes in the sealed file 815 and the private seed 817 used to create the sealed file in order to expose the embedded sensitive data. In some cases, the retrieve endpoint API may perform validation checks and output a notification indicating whether the cover file or sensitive file has been tampered with. The following are examples of inputs and outputs to the retrieve endpoint API.

[0210] input:

[0211] Encapsulated file: Base64 string encoding of the enclosed file.

[0212] Encapsulated file extension: The string of the enclosed file name must include the extension.

[0213] Private seed: Used to protect the seal; a user-selected and defined string (UUID4 string recommended).

[0214] output:

[0215] The following is a JSON response in the format: { "result":{ “secret”:str base64 of secret file, ``extension'':str extension of ´secret´ }, “verification_result”:str notifies if tampering occurred

[0216] }

[0217] In some embodiments, the data integrity API may further include a verification endpoint API 805. The verification endpoint API enables efficient verification of the integrity and authenticity of watermarked files without the need to fully extract and expose sensitive data. For example, the verification endpoint ingests a sealed file, verifies the state of the seal, and determines whether the seal is broken. If the seal is broken, the verification endpoint API may perform a verification check and output a notification indicating whether the cover file or sensitive file has been tampered with.

[0218] The validation endpoint API can perform the following actions:

[0219] 1. Extraction: a) Watermarked files are read and decoded. b) Embedded compressed data and signatures are extracted using a process similar to that used in public APIs.

[0220] 2. Signature Verification: a) The compressed data is hashed using the same cryptographic hash function used in the signature generation step of the confidential API. b) This newly calculated hash is compared to the signature extracted from the watermarked file. c) If the two hashes match, it is confirmed that the watermarked data has not been altered since the watermark was applied, and its integrity and authenticity are verified. The following are examples of inputs and outputs for the verification endpoint API.

[0221] input: a. Encapsulated file: Base64 string encoding of the enclosed file. b. Enclosed file extension: The string of the enclosed file name must include the extension.

[0222] output: a. JSON response in the following format: { "result":{ “status”:str tampered || clean, “message”:str explication of status(if tampered, which: cover or seal) } }

[0223] In some embodiments, the data integrity API may further include a removal endpoint API 807. The removal endpoint API takes in the encapsulated file, removes the encapsulation, and restores the cover file to its original state. The following are examples of inputs and outputs to the removal endpoint API.

[0224] input:

[0225] Encapsulated file: Base64 string encoding of the enclosed file.

[0226] Encapsulated file extension: The string of the enclosed file name must include the extension.

[0227] Private seed: Used to protect the seal; a user-selected and defined string (UUID4 string recommended).

[0228] output:

[0229] The following is a JSON response in the format: { "result":{ “cover_file”:str base64 of cover file, ``extension'':str extension of ´cover_file´} }

[0230] The APIs and methods described above provide a universal steganographic watermarking API that utilizes a multi-layered security model to prevent tampering and ensure the integrity of watermarked data. The multi-layered security model may include a unique seed value, a unique sequence of operations (e.g., scrambling, compression, and hashing), and the inclusion of a cryptographic signature.

[0231] As described above, the PRNG used in the scrambling and descrambling steps is seeded with a unique value known only to authorized parties / users. The private seed acts as a secret key, ensuring that only users with knowledge of the correct seed can successfully descramble and extract the watermarked data. In some cases, attempting to tamper with the watermarked file or extract secrets without the correct seed may result in garbage data after descrambling, rendering the tampered data useless. The private seed value may be a key generated by the system herein and distributed to authorized users.

[0232] The unique sequence of scrambling, compressing, and hashing adds an extra layer of security in preventing tampering. For example, scrambling data before compression obfuscates the original content, making it difficult for attackers to identify patterns or make targeted modifications. Compressing scrambled data further obscures its structure, reducing the possibility of tampering by minimizing redundancy and predictability. Hashting compressed and scrambled data creates a unique signature that is sensitive to any changes made in the previous steps.

[0233] Signature-based integrity verification performed by the Verification Endpoint API adds another layer of security. The signature generated by hashing compressed and scrambled data acts as a tamper-proof seal. Modifications to watermarked data, whether compressed or scrambled, may result in a different hash value when recalculated during the Check API's signature verification process. A mismatch between the recalculated hash and the extracted signature ultimately indicates that the watermarked data has been tampered with, allowing the Verification Endpoint API to detect and flag the malicious modification.

[0234] The combination of APIs described above creates a robust barrier against tampering attempts. An entity would need to possess the correct, unique seed value to perform a modification that descrambles the data, reverses the compression algorithm to restore the original scrambled data, and then re-scrambles and re-compresses it, preserving the exact same hash value. Finding such a collision in a cryptographic hash function is computationally impossible, and coupled with the need for a secret seed, it is virtually impossible to tamper with undetected.

[0235] Including the signature as a separate component in watermarked data provides an additional layer of protection. Even if an attacker manages to alter the compressed and scrambled data while retaining the hash value, the signature must be updated accordingly. Without knowledge of the secret seed and the specific hash algorithm used, generating a valid signature against tampered data is an insurmountable challenge.

[0236] The security model of the Universal Steganographic Watermarking API, built on a unique seed, precise execution sequence, and signature-based integrity verification, provides improved protection against tampering. The interlocking nature of these security measures ensures that unauthorized alterations to watermarked data can be detected, guaranteeing the integrity and authenticity of embedded confidential information.

[0237] The Universal Steganographic Watermark API, which includes concealment, disclosure, and verification features, provides a versatile and secure solution for watermarking a wide variety of file types. By utilizing strong encryption primitives, compression, and obfuscation techniques along with a robust integrity verification mechanism, the API ensures that sensitive data is securely and unnoticed embedded in a wide range of carrier files.

[0238] The order of scrambling before compression enhances security by making it difficult for attackers to infer the contents of sensitive data based on patterns in the compressed output. The verification API enables efficient integrity verification without the need to fully extract and expose secrets, improving performance in scenarios where only authenticity needs to be verified.

[0239] A multi-layered security model incorporating unique seed values, optimal execution sequences, and signature-based integrity verification creates a barrier against tampering attempts. The interlocking nature of these security measures ensures that unauthorized alterations to watermarked data are detected, guaranteeing the integrity and authenticity of embedded confidential information.

[0240] With its unified architecture, optimized algorithms, and comprehensive security model, the Universal Steganographic Watermarking API brings improvements to the field of digital watermarking. It addresses the challenges faced by current fragmented methods while upholding the fundamental principles of steganography, providing a reliable and secure solution for concealing and protecting sensitive data within digital media.

[0241] In some embodiments, the data integrity API may include other endpoint APIs. For example, the data integrity API may include an encryption endpoint API, a decryption endpoint API, and various hash APIs for hashing various types of files (e.g., text, images, videos, etc.). As described elsewhere in this specification, the system may adaptively select APIs based on the content and / or type of the file.

[0242] In some cases, the encryption API endpoint can be used to encrypt and decrypt files using an appropriate encryption algorithm (e.g., AES256 encryption). For example, the encryption endpoint encrypts a file using the Advanced Encryption Standard (AES) with a 256-bit key in Galois / Counter Mode (GCM). For example, the encryption API endpoint may take a binary file as input. As an example, the response may be a downloadable .bin file that also includes an encoded filename for reference. The following are examples of input and output for the encryption API endpoint.

[0243] input File: A file uploaded via multipart form data.

[0244] output The endpoint generates a .bin file containing encrypted file content, an encrypted DEK, a nonce, and encryption tags. The filename is also encoded within this file.

[0245] In some cases, the decryption API endpoint provides functionality to decrypt files previously encrypted by the encryption API endpoint (e.g., using AES-256 GCM encryption). This endpoint can result in the decryption of various encrypted content, such as the Data Encryption Key (DEK), nonce, and encrypted content extracted from the uploaded .bin file. In some cases, the original filename is also retrieved from the encrypted file and used in the downloadable response containing the decrypted file content. Below are examples of inputs and outputs for the decryption API endpoint.

[0246] input: Encrypted files: Encrypted files uploaded via multipart form data (.bin).

[0247] output: If decryption is successful, the endpoint returns a downloadable file containing the decrypted content. The original filename is preserved and used in the response.

[0248] In some embodiments, the system may provide various hash APIs for hashing various types of files. For example, an API endpoint for hashing images or text allows for the generation of SHA-256 hashes for image or text files. In another example, an API endpoint for hashing images is configured to generate SHA-256 hashes for image files. This service supports all image formats, including PNG, JPEG, DICOM, and various other types. The endpoint analyzes the MIME type of uploaded images to ensure compatibility, and during validation, calculates and returns a hash of the image content. The following are examples of inputs and outputs for the hash API.

[0249] input: a. The image file to be hashed.

[0250] output: a. The output is a JSON response in the following format: { “hash”:str SHA256 hash of uploaded image }

[0251] The hash text endpoint is provided for generating SHA-256 hashes of text-based documents, including PDF and Microsoft Excel files. This service evaluates the MIME type of the uploaded document to verify its eligibility. If the document format is supported, the endpoint calculates its SHA-256 hash and returns the hash value. The following are examples of input and output for the text hash API.

[0252] input:

[0253] A document file that will be hashed.

[0254] output:

[0255] The output is JSON in the following format: { “hash”:str SHA256 hash of uploaded text }

[0256] Privacy-Enhanced Adaptive Digital Watermarking System (PEADWS)

[0257] In another aspect, a Privacy-Enhanced Adaptive Digital Watermarking System (PEADWS) is provided to address the challenges of data privacy, security, and integrity in digital media by leveraging blockchain technology, advanced encryption standards, and machine learning algorithms. The system dynamically adapts its watermarking technology based on content type, intended security level, and regulatory compliance requirements, ensuring an optimal balance between robustness, imperceptibility, and computational efficiency.

[0258] Digital watermarking systems may integrate blockchain for watermark management. For example, the digital watermarking systems herein may use blockchain technology to create a decentralized, secure, and transparent registry for watermarks. In some embodiments, digital watermarking systems may provide content-aware adaptive watermarking. For example, a digital watermarking system may utilize machine learning to analyze the content of a cover file (e.g., media content) and adaptively select watermarking and encryption techniques based on content characteristics and security requirements. In some embodiments, digital watermarking systems may include regulatory compliance automation. Automating compliance of watermarking processes with international data protection laws through integrated tools is a unique feature that addresses a significant need in the digital content industry. In some embodiments, digital watermarking systems result in dynamic adaptation of encryption and watermarking parameters. The system can dynamically adjust encryption and watermarking parameters in real time based on an analysis of content and regulatory requirements, thereby balancing security, privacy, and performance.

[0259] In some embodiments, the digital watermarking system may include a content recognition watermarking engine. The watermarking engine can be implemented using the above-described data integrity API with additional features for adapting to the content of various cover files. For example, the content recognition watermarking engine may utilize machine learning algorithms to analyze the content of digital media (e.g., images, videos, audio) and determine a watermarking technique based on the content characteristics and intended use cases. In some embodiments, the machine learning model may take as input a file (e.g., an image) to be watermarked / encapsulated and output a converter model or a large language model (LLM) that outputs a specific API or algorithm for watermarking / encapsulating this input data.

[0260] In some embodiments, the digital watermarking system may include a blockchain-based watermark registry for managing watermarks. For example, the system may implement a decentralized registry for watermarks on the blockchain, ensuring tamper-proof storage, traceability, and verification of watermarked content. This blockchain registry facilitates digital rights management and aids in detecting and preventing unauthorized use.

[0261] In some embodiments, the digital watermarking system may include an adaptive encryption module. The adaptive encryption module utilizes the Advanced Encryption Standard (AES) and the Public Key Infrastructure (PKI) to encrypt watermark information. In some embodiments, the encryption method is adaptively selected based on the confidentiality of the watermarked content and the required security level. The selection may be based on handcrafted selection rules or a machine learning algorithm training model.

[0262] In some embodiments, the digital watermarking system may be integrated with a regulatory compliance analyzer. The regulatory compliance analyzer may be a compliance analysis tool that automatically evaluates and ensures that the watermarking process complies with global data protection regulations (e.g., GDPR, CCPA) based on the geographical location and nature of the data. For example, the input to the regulatory compliance analyzer may include the original file / data, the location where the request to watermark the data came from, and the rules applicable to that location. In some cases, the compliance tool may be provided by a third party, and the digital watermarking system herein provides an integration point for interfacing with the compliance tool. For example, the digital watermarking system may make an API call to evaluate data and information about the data, such as the location of the data, the rules of the location, and other rules applicable to a particular type of data (e.g., electronic medical records), to determine how to process the compliance of this data (e.g., it may not be possible to comply with GDPR by storing this new watermarked data outside the EU).

[0263] In some embodiments, a digital watermarking system may include dynamic watermark embedding and extraction capabilities. For example, the system may utilize an embedding algorithm that dynamically adjusts watermark strength and depth based on the perceptual features of one or more media contents and the output of an encryption module, optimizing both robustness and imperceptibility. The system may decide to dynamically adjust encryption strength (e.g., strong encryption, no encryption) and / or utilize additional techniques (e.g., steganography, spread spectrum, or data noise substitution) based on the type of content. For example, audio and video allow for spread spectrum type embedding, although not plaintext (spread spectrum is a telecommunications technique that spreads signals over a wider frequency band than the original signal's bandwidth). The extraction process uses a combination of cryptographic verification and machine learning-based anomaly detection to accurately retrieve and authenticate the watermark even in the presence of corruption or tampering. For example, a model may be trained to determine the type of attack based on the type of input data. The model may be trained on the types of attacks against watermarked / sealed data and the types of "signatures". Once trained, the model can determine the type of future attack, and / or predict whether and how an attack is likely to occur based on certain types of data. In some cases, the model can be trained to predict how a "seal" will be broken. If the prediction is that the seal is broken for unintentional reasons, the system can still retrieve the original "secret" (watermark) even though the seal is broken.

[0264] Example of a method

[0265] Figure 6A shows an example flowchart illustrating Method 600A for providing trusted artificial intelligence using FHE. In some cases, Method 600A may include providing a DNN-based model with a modified architecture. In some cases, the modified architecture uses at least (i) a Gaussian function as the activation function, and (ii) removes one or more pooling layers (block 605A), obtains encrypted data, the encrypted data is generated by applying FHE to plaintext data (block 610A), and generates inference using a DNN-based model based on the encrypted data (block 615A).

[0266] In some cases, the DNN-based model is trained on plaintext training data. In some cases, the DNN-based model is trained on encrypted training data. In some cases, the DNN-based model is pre-trained on both plaintext and encrypted training data. In some cases, Method 600A further includes selecting one or more hyperparameter values ​​during the training phase based at least partially on monitoring criticality to train the DNN-based model using a modified architecture. In some cases, Method 600A further includes identifying and testing appropriate FHE approximations and alternatives for various nonlinear activation functions and nonlinear loss functions. In some cases, one or more hyperparameters include at least one of the random initialization distribution, batch size, learning rate, or mean and variance of the optimizer settings. In some cases, the mean or variance of the Gaussian function is adjusted during the training phase. In some cases, the encrypted data is generated using a homomorphic encryption scheme so that the computation results generated for the encrypted data match the computation results generated for the plaintext data. In some cases, homomorphic encryption schemes include CKKS or TFHE. In some cases, DNN-based models are trained using adversarial machine learning techniques. In some cases, adversarial machine learning techniques include actively acquiring knowledge from a machine learning system under attack. In some cases, training a DNN-based model further includes employing reinforcement learning and transfer learning. In some cases, DNN-based models are trained to automatically monitor cyber threats or cyberattacks. In some cases, cyber threats include one or more of data poisoning attacks, malicious AI, or malware. In some cases, DNN-based models are trained to detect anomalies. In some cases, DNN-based models are trained using collaborative learning.In some cases, the DNN-based model is trained by multiple computing nodes, each computing node training the DNN-based model using a set of training data not shared with other computing nodes. In some cases, inference includes anomaly detection outputs generated by the computing nodes. In some cases, method 600A further includes aggregating multiple anomaly detection outputs from multiple computing nodes to generate anomaly detection results. In some cases, each of the multiple computing nodes generates anomaly detection outputs based at least partially on a portion of the distributed data. In some cases, the portion of the distributed data includes FHE encrypted data. In some cases, the multiple anomaly detection outputs are shared and stored using a blockchain. In some cases, the plaintext data includes image data. In some cases, method 600A further includes generating hypervectors based on the plaintext data to accelerate computation. In some cases, the plaintext data is embedded with machine-readable data using one or more encoding algorithms. In some cases, the machine-readable data is embedded at various hierarchical levels. In some cases, various hierarchical levels include character, word, and sentence levels of text input data. In some cases, machine-readable data includes universal multiple watermarks used for document authentication and verification. In some cases, universal multiple watermarks include metadata and encrypted identification information of the data source or owner of the plaintext data. In some cases, universal multiple watermarks are undetectable to humans, while universal multiple watermarks are detectable and decodeable by hardware or software. In some cases, universal multiple watermarks are used to verify the authenticity of plaintext data and to verify the source and integrity of the plaintext data. In some cases, FHE is applied to the plaintext data after it has been embedded with a universal multiple watermark.In some cases, Method 600A further includes decrypting encrypted data and verifying the integrity of the decrypted data using a checksum. In some cases, one or more transactions associated with a unique watermark identifier are used as verification points for the unique watermark identifier, which serves as a checksum for the plaintext data. In some cases, the checksum is derived from the plaintext data before encryption and stored on a blockchain for secure and tamper-resistant record-keeping. In some cases, the checksum on the blockchain is used to investigate attempts at unauthorized data modification. In some cases, attempts at unauthorized data modification are detected by detecting a mismatch between the decrypted data and the recorded checksum. In some cases, Method 600A further includes generating an alert when a mismatch is detected. In some cases, the alert automatically triggers an automated mitigation process, which includes at least one of the following: isolation of the affected data, initiation of a security audit, or activation of data recovery measures from a verified backup. In some cases, embedded machine-readable data represents a watermark, which serves as a unique identifier for the plaintext data. In some cases, the unique identifier is encrypted using FHE, allowing calculations against the cryptographic watermark to be performed without revealing the contents of the unique identifier. In some cases, the cryptographic watermark is verified by applying one or more actions of FHE corresponding to the watermark verification step, resulting in an encrypted verification result. In some cases, the encrypted verification result is decrypted to (i) verify the authenticity of the plaintext data and (ii) determine whether the plaintext data has been tampered with or replaced. In some cases, the unique watermark identifier is linked to a transaction on the blockchain, and an immutable record of the unique watermark identifier, ownership of the plaintext data, and one or more associated transactions is recorded on the blockchain. In some cases, one or more associated transactions are used as verification points for the unique watermark identifier, which acts as a checksum for the plaintext data.In some cases, embedding machine-readable data and encrypting plaintext data involves multiple layers of data representation. In some cases, these layers include the pixel level of an image, the frame level of a video, and the packet level of network communication. In some cases, embedding machine-readable data and encrypting plaintext data utilizes one or more machine learning algorithms.

[0267] Figure 6B shows an example flowchart illustrating Method 600B for providing trusted AI using probabilistic computing. In some cases, Method 600B may include receiving the original image in a software application running on an endpoint computing device (block 605B), generating multiple image segments by the software application by cutting the original image into multiple random bits (block 610B), generating inferences about the multiple image segments using a pre-trained DNN-based model in the cloud (block 615B), providing the inferences to the software application on the endpoint computing device (block 620B), and aggregating the inferences by the software application to determine the result (block 625B).

[0268] In some cases, the accuracy of the results is similar to that of results obtained by generating inferences directly on the original image. For example, the accuracy of inferences made based on aggregated inferences of image segments may be within a range of at least 1%, 2%, 3%, 4%, or 5% of the accuracy of inferences made based on the original image. In some cases, the inferences include multiple predicted labels for multiple image segments.

[0269] Figure 6C shows an example flowchart illustrating Method 600C for providing trusted AI using NBC. In some cases, Method 600C may include receiving original images in a software application running on an endpoint computing device (Block 605C), generating a number of random images by the software application (Block 610C), processing the number of random images to predict a number of labeled images for the number of random images using a pre-trained DNN-based model in the cloud (Block 615C), selecting a subset of the number of labeled images by the software application, the number of images in the subset of the number of labeled images being set by the software application (Block 620C), and generating a predictive output based at least partially on the subset of the number of labeled images using a weighted mean and probability (Block 625C).

[0270] In some cases, multiple random images are generated by a random image generator in a software application.

[0271] Figure 6D shows an example flowchart illustrating Method 600D for providing trusted AI using an artificial immune system. In some cases, Method 600D may include obtaining a set of detectors that are diverse and capable of identifying non-self elements, wherein the set of detectors represents a DNN-based model (Block 605D); providing an encrypted dataset to the set of detectors, wherein the encrypted dataset is generated by applying FHE to plaintext data (Block 610D); running the artificial immune system to identify non-self elements in the encrypted dataset that correspond to one or more of anomalies, intrusions, or attacks (Block 615D); adapting the set of detectors via one or more machine learning techniques, at least in part on the results of running the artificial immune system, wherein one or more machine learning techniques include one or more of reinforcement learning, evolutionary algorithms, or swarm intelligence (Block 620D); and implementing a feedback loop to continuously improve and enhance the detection capabilities of the artificial immune system (Block 625D).

[0272] Figure 6E shows an example flowchart illustrating Method 600E for providing SMPC to Trusted AI based at least in part on a watermark. In some cases, Method 600E may include: applying a watermark to plaintext data, thereby generating watermarked plaintext data, wherein the watermark is generated using the SMPC protocol (Block 605E); encrypting the plaintext data using a homomorphic encryption scheme, thereby generating encrypted watermarked plaintext data (Block 610E); training a DNN-based model using the encrypted watermarked plaintext data (Block 615E); generating inference using the DNN-based model based at least in part on the encrypted watermarked plaintext data in response to a verification of the integrity of the encrypted watermarked plaintext data (Block 620E); and storing the verification results on the blockchain, wherein the verification results are based at least in part on a verification of the integrity of the encrypted watermarked plaintext data (Block 625E).

[0273] In some cases, any number of the one or more operations described above with respect to one or more of methods 600A to 600E may be added or removed. Furthermore, the one or more operations described above with respect to one or more of methods 600A to 600E may be performed in any order. Furthermore, at least one of the one or more operations described above with respect to one or more of methods 600A to 600E may be repeated, for example.

[0274] Examples of secure integrated circuits Unlike other reactive cybersecurity techniques, which address problems only after detection (e.g., only defend against known threats and may be vulnerable to novel attacks), the systems, methods, computer-readable media, and techniques disclosed herein can be integrated with emerging fields of secure integrated circuits and AIS, including Trusted Platform Modules (TPMs), Hardware Security Modules (HSMs), and Physically Unclonable Functions (PUFs), to enhance system security in an ever-evolving threat landscape.

[0275] A TPM (Telescopic Processor) can be a dedicated microcontroller used to secure hardware by integrating cryptographic keys into the device. A TPM can support a variety of functions, including remote authentication (attestation) and sealed storage. A HSM (Hardware Scale Module) is a secure cryptographic processor that can be used to protect cryptographic keys and provide substantial physical security for performing sensitive operations such as encryption and digital signing. A PUF (Potentially Unequipped Function) can be used to implement hardware-specific variations during manufacturing, creating a unique "fingerprint" for each device. This fingerprint can be used for secure identification and authentication. The integration of secure integrated circuits with AIS (Advanced Information System) enables a new era of hardware security. For example, AIS can be used to continuously monitor the behavior of hardware components. Any anomalies in the functionality of the TPM, HSM, or PUF can be immediately detected and mitigated, enhancing the robustness of the system. When integrated with AIS, a PUF can create a secure and dynamic authentication process. The learning mechanism of AIS can continuously update the authentication process based on observed patterns, making it resilient to attacks. The ability of AIS to learn and adapt can ensure that hardware security remains robust even when faced with evolving threats. By learning from past attacks, AIS can adapt its defense mechanisms to be more effective against future attacks.

[0276] The protective mechanisms provided by TPM, HSM, and PUF can be combined with the learning characteristics of the adaptive AIS to provide comprehensive security. Through the implementation of these secure integrated circuits, the AIS accomplishes tasks including anomaly detection, pattern recognition, learning, and distributed detection mechanisms, enabling the system to self-organize, learn from data, and make decisions about potential threats. Leveraging these capabilities, the AIS delivers dynamic and adaptive security that can respond to emerging threats in real time.

[0277] Examples of computing systems Figure 2 shows an exemplary architecture diagram 200 of an FHE-based trusted AI. As shown, the API 210 for inbound and outbound message processing may implement one or more of the methods or techniques disclosed herein. For example, the API 210 may be configured to perform data transformation via a data transformation module 220 (e.g., via homomorphic encryption).

[0278] Furthermore, API 210 may include a proxy / agent form factor module 230 configured to provide client-side proxy software to computing devices (e.g., laptops, desktop computers, or small devices such as mobile phones with agent software). A virtual machine form factor 232 may provide software to be provided to servers that function as communication gateways between the enterprise and the outside world (e.g., a front bank of servers in a data center). A middleware form factor 234 may provide a set of APIs that a solution provider can use to integrate the functions disclosed herein into a solution, thereby providing FHE to the solution.

[0279] In some cases, the cryptographic low-level function module 240 may perform low-level functions such as matrix addition / multiplication, binary shifts, and Boolean operations (AND, OR, NOR, etc.). The stored procedure module 242 may group calculations instead of reworking individual calculations. For example, the procedure module 242 may group matrix multiplication, inverse matrix multiplication, etc., as stored procedures that can be invoked by software.

[0280] The metadata module 250 may generate quantum-resistant cryptographic keys that enable data to be encrypted (e.g., for later processing). The tokenized structured data module 252 may generate tokens for computational purposes from structured data (e.g., database data). The parsed unstructured data module 254 may parse unstructured data (e.g., random social media feeds in a data lake). Furthermore, the parsed unstructured data module 254 enables parsed words to be tokenized for computational purposes. The command translation module 256 may translate commands into low-level computations. For example, the command translation module 256 may translate API commands or client commands into actual computational commands (e.g., matrix multiplication). In some cases, where it is necessary to increase the noise budget, the command translation module 256 may translate commands into bootstraps for low-level computations. The audit / logging module 258 may provide a view of which API or client commands are received and executed.

[0281] The results analysis module 260 may provide inferences performed across FHE data. In some cases, the results analysis module may provide the FHE data in an encrypted form before it is provided to external modules / devices. For example, these external modules / devices may include a business intelligence tool 270, an AI / ML tool 272, a specific device 274, or an Internet of Things (IOT) device 276, which may receive FHE data via an API. In another example, these external modules / devices may include a proxy / agent form factor module 230, a virtual machine form factor module 232, or a middleware form factor module 234, which may receive FHE data via a form factor.

[0282] As shown, API 210 can communicate with business intelligence tool 270, AI / ML tool 272, a specific device 274, or an IoT device 276. Generally, business intelligence tool 270, AI / ML tool 272, user device 274, and IoT device 276 represent examples of third-party solution providers that can integrate the APIs of the systems, methods, computer-readable media, and technologies disclosed herein to provide FHE capabilities to their client solutions.

[0283] The architecture of the FHE function within the trusted AI solution can be utilized by or integrated into any third-party system or component. As shown in FIG. 2, the trusted AI system 200 can be coupled to one or more of third-party components 270-276, including third-party solutions such as Salesforce (registered trademark), which can be embodied in business intelligence 270, AI tools such as CNNs for image recognition, which can be embodied in AI / ML tool 272, secure communication devices, autonomous drones, MRI machines, etc., one or more of which can be embodied in a specific device 274, or internet-connected devices such as cameras, which can be embodied in IoT device 276. In some cases, these third-party solutions of elements 270-276 can be configured to provide analysis via encrypted data. In some cases, these third-party solutions of elements 270-276 can license APIs corresponding to the systems, methods, computer-readable media, and technologies disclosed herein. In some cases, these third-party solutions of elements 270-276 can embed the FHE capabilities disclosed herein into their solutions and thus provide analysis via encrypted data.

[0284] Referring to Figure 7, a block diagram is shown illustrating an exemplary machine including a computer system 700 (e.g., a processing or computing system) capable of executing a set of instructions to cause a device to implement or perform one or more of the methods or techniques for static code scheduling of the present disclosure. In some cases, one or more components of Figure 2 may be included in or implemented by one or more components of the computer system 700. The components of Figure 7 are examples and do not limit the scope of use or functionality of any hardware, software, embedded logic components, or combinations of two or more such components having a particular implementation form.

[0285] The computer system 700 may include one or more processors 701, memory 703, and storage 708 communicating with each other and with other components via bus 740. Bus 740 may also link a display 732, one or more input devices 733 (which may include, for example, a keypad, keyboard, mouse, stylus, etc.), one or more output devices 734, one or more storage devices 735, and various tangible storage media 736. All of these elements may interface to bus 740 directly or via one or more interfaces or adapters. For example, various tangible storage media 736 may interface to bus 740 via a storage media interface 726. The computer system 700 may have any suitable physical form, including, but is not limited to, one or more integrated circuits (ICs), printed circuit boards (PCBs), mobile handheld devices (such as mobile phones or PDAs), laptop or notebook computers, distributed computer systems, computing grids, or servers.

[0286] The computer system 700 includes one or more processors 707 that perform functions (e.g., a central processing unit (CPU), a general-purpose graphics processing unit (GPGPU), or a quantum processing unit (QPU)). The processor 701 optionally includes a cache memory unit 702 for temporary local storage of instructions, data, or computer addresses. The processor 701 is configured to assist in the execution of computer-readable instructions. The computer system 700 may provide the functionality of the components shown in Figure 7 as a result of the processor 701 executing non-temporary processor-executable instructions embodied in one or more tangible computer-readable storage media, such as memory 703, storage 708, storage device 735, or storage medium 736. The computer-readable media store software that implements specific operations, and the processor 701 may execute the software. Memory 703 may read software from one or more other computer-readable media (such as mass storage devices 735, 736) or from one or more other sources through a suitable interface such as network interface 720. The software may cause processor 701 to execute one or more processes, or one or more operations of one or more processes, as described or illustrated herein. Executing such processes or operations may include defining data structures stored in memory 703 and modifying data structures as directed by the software.

[0287] Memory 703 may include, but is not limited to, various components including random access memory components (e.g., RAM 704) (e.g., static RAM (SRAM), dynamic RAM (DRAM), ferroelectric random access memory (FRAM), phase-change random access memory (PRAM)), read-only memory components (e.g., ROM 705), and any combination thereof (e.g., machine-readable media). ROM 705 may act to communicate data and instructions to the processor 701 in one direction, while RAM 704 may act to communicate data and instructions to the processor 701 bidirectionally. ROM 705 and RAM 704 may include any suitable tangible computer-readable media described later. In one example, a basic input / output system 706 (BIOS) containing basic routines to assist in the transfer of information between elements within the computer system 700 during startup, etc., may be stored in memory 703.

[0288] The fixed storage 708 is optionally connected bidirectionally to the processor 701 through the memory control unit 707. The fixed storage 708 provides additional data storage capacity and may include any suitable tangible computer-readable media diagrams, and the storage 708 may be used to store the operating system 709, executable files 710, data 711, applications 712 (application programs), etc. The storage 708 may also include optical disc drives, solid-state memory devices (e.g., flash-based systems), or any combination of the above. The information in the storage 708 may, in appropriate cases, be incorporated as virtual memory in memory 703.

[0289] In one example, the storage device 735 may be detachably interfaced to the computer system 700 via a storage device interface 725 (for example, via an external port connector (not shown)). In particular, the storage device 735 and associated machine-readable media may provide non-volatile or volatile storage for machine-readable instructions, data structures, program modules, or other data for the computer system 700. In one example, the software may reside entirely or partially within the machine-readable media on the storage device 735. In another example, the software may reside entirely or partially within the processor 701.

[0290] Bus 740 connects a wide variety of subsystems. In this specification, references to a bus may, where necessary, encompass one or more digital signal lines that perform a common function. Bus 740 may be any of several types of bus structures, including, but not limited to, memory buses, memory controllers, peripheral buses, local buses, and any combination thereof, using any of various bus architectures. Examples of such architectures include, but are not limited to, the Industry Standard Architecture (ISA) bus, the Extended ISA (EISA) bus, the Micro Channel Architecture (MCA) bus, the Video Electronics Standards Association Local Bus (VLB), the Peripheral Component Interconnect (PCI) bus, the PCI Express (PCI-X) bus, the Accelerated Graphics Port (AGP) bus, the HyperTransport (HTX) bus, the Serial Advanced Technology Attachment (SATA) bus, and any combination thereof.

[0291] The computer system 700 may also include an input device 733. In one example, a user of the computer system 700 may input commands or other information to the computer system 700 via the input device 733. Examples of input devices 733 include, but are not limited to, alphanumeric input devices (e.g., keyboards), pointing devices (e.g., mice or touchpads), touchpads, touchscreens, multitouchscreens, joysticks, styluses, gamepads, audio input devices (e.g., microphones, voice response systems, etc.), optical scanners, video or still image capture devices (e.g., cameras), and any combination thereof. In some cases, the input device may be Kinect, Leap Motion, etc. The input device 733 may interface to the bus 740 via one of various input interfaces 723 (e.g., input interface 723), which may include, but are not limited to, serial, parallel, game port, USB, FIREWIRE®, THUNDERBOLT®, or any combination thereof.

[0292] In some cases, when computer system 700 is connected to network 730, computer system 700 may communicate with other devices connected to network 730, particularly mobile devices and enterprise systems, distributed computing systems, cloud storage systems, and cloud computing systems. Communication with computer system 700 may be transmitted through network interface 720. For example, network interface 720 may receive incoming communications (such as requests or responses from other devices) from network 730 in the form of one or more packets (such as Internet Protocol (IP) packets), and computer system 700 may store the incoming communications in memory 703 for processing. Similarly, computer system 700 may store outgoing communications (such as requests or responses to other devices) in memory 703 in the form of one or more packets that have been communicated from network interface 720 to network 730. Processor 701 may access these communication packets stored in memory 703 for processing.

[0293] Examples of network interface 720 include, but are not limited to, network interface cards, modems, and any combination thereof. Examples of network 730 or network segment 730 include, but are not limited to, distributed computing systems, cloud computing systems, wide area networks (WANs) (e.g., the internet, corporate networks), local area networks (LANs) (e.g., networks associated with offices, buildings, campuses, or other relatively small geographical spaces), telephone networks, direct connections between two computing devices, peer-to-peer networks, and any combination thereof. Networks such as network 730 may utilize wired or wireless communication modes. In general, any network topology may be used.

[0294] Information and data can be displayed through the display 732. Examples of the display 732 include, but are not limited to, cathode ray tubes (CRTs), liquid crystal displays (LCDs), thin-film transistor-LCDs (TFT-LCDs), passive-matrix OLEDs (PMOLEDs), or active-matrix OLEDs (AMOLEDs), as well as plasma displays and any combination thereof. The display 732 can interface with other devices via the bus 740, such as the processor 701, memory 703, fixed storage 708, and input device 733. The display 732 is linked to the bus 740 via a video interface 722, and data transfer between the display 732 and the bus 740 can be controlled via a graphics control 721. In some cases, the display is a video projector. In some cases, the display is a head-mounted display (HMD), such as a VR headset. In further cases, suitable VR headsets include, but are not limited to, HTC Vive, Oculus Rift, Samsung Gear VR, Microsoft HoloLens, Razer OSVR, FOVE VR, Zeiss VR One, Avegant Glyph, and Freefly VR headsets. In yet another case, the display is a combination of devices such as those disclosed herein.

[0295] In addition to the display 732, the computer system 700 may include one or more other peripheral output devices 734, including, but not limited to, audio speakers, printers, storage devices, and any combination thereof. Such peripheral output devices may be connected to the bus 740 via an output interface 724. Examples of the output interface 724 include, but not limited to, serial ports, parallel connections, USB ports, FireWire ports, Thunderbolt ports, and any combination thereof.

[0296] In addition, or as an alternative, the computer system 700 may provide functions resulting from logic hardwired or otherwise embodied in the circuitry, which may, in place of or in conjunction with software, perform one or more processes, or one or more operations of one or more processes, as described or illustrated herein. References to software in this disclosure include logic, and references to logic may include software. Furthermore, references to computer-readable media may, as necessary, include circuitry (such as an IC) for storing software for execution, circuitry for embodying logic for execution, or both. This disclosure encompasses any suitable combination of hardware, software, or both.

[0297] The various exemplary logic blocks, modules, circuits, and algorithmic operations described in relation to the examples disclosed herein may be implemented as electronic hardware, computer software, or a combination of both. To clearly demonstrate this hardware-software compatibility, various exemplary components, blocks, modules, circuits, and operations are generally described above in relation to their functions.

[0298] The various exemplary logic blocks, modules, and circuits described in relation to the examples disclosed herein may be implemented or carried out using general-purpose processors, digital signal processors (DSPs), application-specific integrated circuits (ASICs), field-programmable gate arrays (FPGAs) or other programmable logic devices, discrete gate or transistor logic, discrete hardware components, or any combination thereof designed to implement the functional diagrams. The general-purpose processor may be a microprocessor, but in alternative examples, the processor may be any processor, controller, microcontroller, or state machine. The processor may also be implemented as a combination of computing devices, for example, a combination of a DSP and a microprocessor, multiple microprocessors, one or more microprocessors combined with a DSP core, or any other such configuration.

[0299] The operation of methods, techniques, or algorithms described in relation to the examples disclosed herein may be directly embodied in hardware, in software modules executed by one or more processors, or in a combination of the two. The software modules may reside in RAM memory, flash memory, ROM memory, EPROM memory, EEPROM memory, registers, hard disks, removable disks, CD-ROMs, or any other form of storage medium known in the art. The exemplary storage medium may be connected to the processor so that the processor can read information from and write information to the storage medium. Alternatively, the storage medium may be integrated with the processor. The processor and storage medium may reside in an ASIC. The ASIC may reside in a user terminal. Alternatively, the processor and storage medium may reside as separate components within a user terminal.

[0300] According to this specification, suitable computing devices include, in non-limiting examples, server computers, desktop computers, laptop computers, notebook computers, subnotebook computers, netbook computers, netpad computers, set-top computers, media streaming devices, handheld computers, internet appliances, mobile smartphones, tablet computers, personal digital assistants, video game consoles, and vehicles. Select televisions, video players, and digital music players with optional computer network connectivity may be suitable for use in system diagrams. Suitable tablet computers include, in various cases, those having booklet, slate, and convertible configurations.

[0301] In some cases, computing devices include an operating system configured to execute executable instructions. An operating system is software, for example, containing programs and data, which manages the device's hardware and provides services for application execution. Suitable server operating systems may include, in non-limiting examples, FreeBSD, OpenBSD, NetBSD®, Linux®, Apple® Mac OS X Server®, Oracle® Solaris®, Windows Server®, and Novell® Netware®. Suitable personal computer operating systems may include, in non-limiting examples, Microsoft® Windows®, Apple® Mac OS X®, UNIX®, and UNIX-like operating systems such as GNU / Linux®. In some cases, the operating system is provided through cloud computing. Appropriate mobile smartphone operating systems may include, but are not limited to, Nokia® Symbian® OS, Apple® iOS®, Research In Motion® BlackBerry OS®, Google® Android®, Microsoft® Windows Phone® OS, Microsoft® Windows Mobile® OS, Linux®, and Palm® WebOS®.

[0302] In some cases, the systems, methods, computer-readable media, and techniques disclosed herein include one or more encoded non-temporary computer-readable storage media having programs containing instructions executable by the operating system of a networked computing device. In further cases, the computer-readable storage media is a tangible component of the computing device. In yet another case, the computer-readable storage media is optionally removable from the computing device. In some cases, the computer-readable storage media includes, in non-limiting examples, CD-ROMs, DVDs, flash memory devices, solid-state memory, magnetic disk drives, magnetic tape drives, optical disk drives, distributed computing systems including cloud computing systems and services, etc. In some cases, the programs and instructions are encoded on the medium permanently, substantially permanently, semi-permanently, or non-temporarily.

[0303] In some cases, the systems, methods, computer-readable media, and techniques disclosed herein include at least one computer program or use thereof. A computer program includes a single sequence of instructions, executable by one or more processors of a computing device's CPU, written to perform a specified task. Computer-readable instructions may be implemented as program modules, such as functions, objects, APIs, and computing data structures, which perform a particular task or implement a particular abstract data type. Computer programs may be written in various versions of various languages.

[0304] The functionality of computer-readable instructions may be combined or distributed in various ways across different environments. In some cases, a computer program contains one instruction sequence. In some cases, a computer program contains multiple instruction sequences. In some cases, a computer program is provided from one location. In some cases, a computer program is provided from multiple locations. In some cases, a computer program contains one or more software modules. In some cases, a computer program contains, in part or in whole, one or more web applications, one or more mobile applications, one or more standalone applications, one or more web browser plugins, extensions, add-ins or add-ons, or a combination thereof.

[0305] In some cases, computer programs include web applications. Web applications may, in various cases, utilize one or more software frameworks and one or more database systems. In some cases, web applications are built on software frameworks such as Microsoft® .NET or Ruby on Rails (RoR). In some cases, web applications utilize one or more database systems, including, in non-limiting examples, relational, non-relational, object-oriented, associative, XML, and document-oriented database systems. In further cases, suitable relational database systems, in non-limiting examples, include Microsoft® SQL Server, MySQL®, and Oracle®. In some cases, web applications may be written in one or more versions of one or more languages. Web applications may be written in one or more markup languages, presentation-definition languages, client-side scripting languages, server-side coding languages, database query languages, or a combination thereof. In some cases, web applications are written to some extent in markup languages ​​such as Hypertext Markup Language (HTML), Extensible Hypertext Markup Language (XHTML), or Extensible Markup Language (XML). In some cases, web applications are written to some extent in presentation definition languages ​​such as Cascading Style Sheets (CSS). In some cases, web applications are written to some extent in client-side scripting languages ​​such as Asynchronous JavaScript and XML (AJAX), Flash® ActionScript, JavaScript, and Silverlight®.In some cases, web applications are written to some extent in server-side coding languages ​​such as Active Server Pages (ASP), ColdFusion®, Perl, Java®, JavaServer Pages (JSP), Hypertext Preprocessor (PHP), Python®, Ruby, Tcl, Smalltalk, WebDNA®, or Groovy. In some cases, web applications are written to some extent in database query languages ​​such as Structured Query Language (SQL). In some cases, web applications integrate enterprise server products such as IBM® Lotus Domino®. In some cases, web applications include media player elements. In some cases, the media player elements utilize one or more of many appropriate multimedia technologies, including, but not limited to, Adobe® Flash®, HTML5, Apple® QuickTime®, Microsoft® Silverlight®, Java®, and Unity®.

[0306] In some cases, the computer program includes a mobile application provided to a mobile computing device. In some cases, the mobile application is provided to the mobile computing device at the time of manufacture. In other cases, the mobile application is provided to the mobile computing device via a computer network disclosed herein.

[0307] In consideration of the disclosures provided herein, mobile applications may be created using hardware, languages, and development environments known in the art. In some cases, mobile applications are written in several languages. Suitable programming languages, in non-limiting examples, may include C, C++, C#, Objective-C, Java®, JavaScript, Pascal, Object Pascal, Python®, Ruby, VB.NET, WML, and XHTML / HTML with or without CSS, or a combination thereof.

[0308] Suitable mobile application development environments are available from several sources. Commercial development environments, in non-exclusive examples, include Airplay SDK, alcheMo, Appcelerator®, Celsius, Bedrock, Flash Lite, .NET Compact Framework, Rhomobile, and WorkLight Mobile Platform. Other development environments, in non-exclusive examples, include Lazarus, MobiFlex, MoSync, and PhoneGap, which are available free of charge. Mobile device manufacturers also distribute software developer kits, in non-exclusive examples, including iPhone® and iPad® (iOS) SDKs, Android® SDK, BlackBerry® SDK, BREW SDK, Palm® OS SDK, Symbian SDK, webOS SDK, and Windows® Mobile SDK.

[0309] Several commercial forums may be available for the distribution of mobile applications, including, but not limited to, the Apple® App Store, Google® Play, Chrome WebStore, BlackBerry® App World, App Store for Palm devices, App Catalog for webOS, Windows® Marketplace for Mobile, Ovi Store for Nokia® devices, and Samsung® App.

[0310] In some cases, a computer program is a program that runs as an independent computer process, including standalone applications that are not add-ons to existing processes, such as plug-ins. Standalone applications can be compiled. A compiler can be a computer program that translates source code written in a programming language into binary object code, such as assembly language or machine code. Suitable compiled programming languages, in non-exclusive examples, include C, C++, Objective-C, COBOL, Delphi, Eiffel, Java®, Lisp, Python®, Visual Basic, and VB.NET, or combinations thereof. Compilation is often performed, at least partially, to create an executable program. In some cases, a computer program includes one or more executable compiled applications.

[0311] In some cases, a computer program includes web browser plugins (e.g., extensions). In computing, a plugin is one or more software components that add specific functionality to a larger software application. Software application makers support plugins to create the ability for third-party developers to extend the application, supporting the easy addition of new features and reducing the application's size. When supported, plugins allow for customization of the software application's functionality. For example, plugins are commonly used in web browsers to play videos, generate interactivity, scan for viruses, and display specific file types. Web browser plugins may include Adobe® Flash® Player, Microsoft® Silverlight®, and Apple® QuickTime®. In some cases, a toolbar includes one or more web browser extensions, add-ins, or add-ons. In some cases, a toolbar includes one or more explore bars, toolbands, or deskbands.

[0312] Several plugin frameworks are available that enable the development of plugins in a variety of programming languages, including, but not limited to, C++, Delphi, Java®, PHP, Python®, and VB.NET, or combinations thereof.

[0313] A web browser (also called an internet browser) is a software application designed for use on network-connected computing devices to search, display, and navigate information resources on the World Wide Web. Suitable web browsers include, but are not limited to, Microsoft® Internet Explorer®, Mozilla® Firefox®, Google® Chrome, Apple® Safari®, Opera Software® Opera®, and KDE Konqueror. In some cases, a web browser is a mobile web browser. Mobile web browsers (also called microbrowsers, minibrowsers, and wireless browsers) are designed for use on mobile computing devices, including, but are not limited to, handheld computers, tablet computers, netbooks, subnotebook computers, smartphones, music players, personal digital assistants (PDAs), and handheld video game systems. Suitable mobile web browsers include, but are not limited to, the Google® Android® Browser, RIM BlackBerry® Browser, Apple® Safari®, Palm® Blazer, Palm® WebOS® Browser, Mozilla® Firefox® for mobile, Microsoft® Internet Explorer® Mobile, Amazon® Kindle® Basic Web, Nokia® Browser, Opera Software® Opera® Mobile, and Sony® PSP® Browser.

[0314] In some cases, the systems, methods, computer-readable media, and techniques disclosed herein include software, servers, or database modules, or the use thereof. Software modules may be created by machine, software, and language-based techniques. Software modules disclosed herein are implemented in numerous ways. In some cases, a software module includes files, code sections, programming objects, programming structures, distributed computing resources, cloud computing resources, or a combination thereof. In some cases, a software module includes multiple files, multiple code sections, multiple programming objects, multiple programming structures, multiple distributed computing resources, multiple cloud computing resources, or a combination thereof. In some cases, one or more software modules include, as non-limiting examples, web applications, mobile applications, standalone applications, and distributed or cloud computing applications. In some cases, a software module resides within one computer program or application. In some cases, a software module resides within multiple computer programs or applications. In some cases, a software module is hosted on one machine. In some cases, a software module is hosted on multiple machines. In some cases, the software module is hosted on a distributed computing platform, such as a cloud computing platform. In some cases, the software module is hosted on one or more machines in a single location. In some cases, the software module is hosted on one or more machines in multiple locations.

[0315] In some cases, the systems, methods, computer-readable media, and techniques disclosed herein involve one or more databases or their use. In some cases, various databases are suitable for storing and retrieving various types of data (e.g., encrypted, unencrypted, etc.), one or more of which may be past, present, or future data or information. In some cases, suitable databases include, in non-limiting examples, relational databases, non-relational databases, object-oriented databases, object databases, entity-relational model databases, associative databases, XML databases, document-oriented databases, and graph databases. Further non-limiting examples include SQL, PostgreSQL, MySQL®, Oracle, DB2, Sybase, and MongoDB. In some cases, the database is internet-based. In further cases, the database is web-based. In yet another case, the database is cloud computing-based. In certain cases, the database is a distributed database. In other cases, the database is based on one or more local computer storage devices.

[0316] Preferred embodiments of the present invention have been shown and disclosed herein, but it will be apparent to those skilled in the art that such embodiments are provided only as examples. The present invention is not intended to be limited by any particular example provided herein. Although the present invention has been described with reference to the preceding specification, the descriptions and examples of embodiments herein are not intended to be constrained. A number of variations, modifications, and substitutions will be made by those skilled in the art without departing from the present invention. Furthermore, it should be understood that all aspects of the present invention are not limited to any particular description, configuration or relative proportion described herein, which depend on various conditions and variables. It should be understood that various alternative forms to the embodiments of the present invention disclosed herein may be used when carrying out the present invention. Thus, the present invention is considered to encompass any such alternative forms, modifications, variations, or equivalents. The following claims define the scope of the present invention, and the methods and structures within these claims, as well as their equivalents, are intended to be encompassed by the claims.

[0317] It should be noted that the various exemplary or proposed ranges described herein are specific to those exemplary embodiments and are not intended to limit the scope or range of the disclosed technology, but rather merely to provide exemplary ranges of frequencies, amplitudes, and figures relevant to each of those embodiments or use cases. Where values ​​are described as ranges, it will be understood that such disclosure includes disclosure of all possible subranges within such range, as well as specific numerical values ​​that fall within such range, whether or not a particular numerical value or particular subrange is explicitly stated.

[0318] Unless a term is expressly defined in this Patent by the phrase "As used herein, the term "_______" is defined herein to mean..." or a similar phrase, there is no intention to explicitly or implicitly limit the meaning of that term beyond its obvious or ordinary meaning, and such term should not be construed as being limited at least in part on the basis of any statement made in any section of this Patent (excluding the wording of the claims). To the extent that any term used in the last claim of this Patent is referred to in this Patent in a manner that matches a single meaning, this is done solely for the purpose of clarity to avoid confusing the reader, and such claim term is not intended to be implicitly or otherwise limited to its single meaning.

[0319] Throughout this specification, multiple instances may implement components, operations, or structures described as a single instance. While individual operations of one or more methods are illustrated and described as separate operations, one or more of these operations may be performed simultaneously, and the operations do not need to be performed in the illustrated order. Structures and functions presented as separate components in exemplary configurations may be implemented as combined structures or components. Similarly, structures and functions presented as single components may be implemented as separate components. These and other variations, alterations, additions, and improvements are within the scope of this specification.

[0320] Furthermore, certain embodiments are disclosed herein as including logic, or several routines, subroutines, applications, or instructions. These may constitute either software (e.g., code embodied on a machine-readable medium) or hardware. In hardware, routines, etc., are tangible units capable of performing specific operations and may be configured or arranged in a particular manner. In exemplary embodiments, one or more hardware modules of one or more computer systems (e.g., standalone, client, or server computer systems) or computer systems (e.g., a processor or group of processors) may be configured by software (e.g., an application or application portion) as hardware modules that operate to perform specific operations disclosed herein.

[0321] In various embodiments, the hardware module may be implemented mechanically or electronically. For example, the hardware module may comprise dedicated circuitry or logic permanently configured to perform a specific operation (e.g., as a dedicated processor such as a field-programmable gate array (FPGA) or application-specific integrated circuit (ASIC)). The hardware module may also comprise programmable logic or circuitry temporarily configured by software to perform a specific operation (e.g., to be incorporated into a general-purpose processor or other programmable processor). It will be understood that the decision to implement the hardware module mechanically, with dedicated and permanently configured circuitry, or with temporarily configured circuitry (e.g., configured by software) may be determined by cost and time considerations.

[0322] Accordingly, a hardware module may encompass a tangible entity that is permanently configured (e.g., hardwired) or temporarily configured (e.g., programmed) and is physically built to operate in a particular manner or to perform a particular operation disclosed herein. Considering embodiments in which the hardware module is temporarily configured (e.g., programmed), each hardware module does not need to be configured or instantiated in time in any single instance. For example, if the hardware module comprises a general-purpose processor configured using software, the general-purpose processor may be configured as each of different hardware modules at different points in time. Thus, the software may configure the processor to configure a particular hardware module at any given time and different hardware modules at different points in time.

[0323] Hardware modules can provide information to other hardware modules and receive information from other hardware modules. Therefore, the described hardware modules may be considered to be communicatively coupled. If multiple such hardware modules exist simultaneously, communication can be achieved through signal transmissions connecting the hardware modules (e.g., via appropriate circuits and buses). In embodiments where multiple hardware modules are configured or instantiated at different times, communication between such hardware modules can be achieved, for example, by storing and retrieving information in a memory structure accessed by the multiple hardware modules. For example, one hardware module may perform an operation and store the output of that operation in a memory device to which it is communicatively coupled. Further hardware modules may then access the memory device to retrieve and process the stored output. Hardware modules may also initiate communication with input or output devices and operate on resources (e.g., a collection of information). The elements described as coupled and / or connected may be in direct contact with each other (e.g., direct physical contact) or not (e.g., electrically connected, communicatively coupled, etc.), but still cooperate or interact with each other.

[0324] Various operations of the exemplary methods disclosed herein may be performed, at least in part, by one or more processors that are temporarily (e.g., by software) or permanently configured to perform the relevant operations. Whether temporarily or permanently configured, such processors may constitute a processor implementation module that operates to perform one or more operations or functions. The modules referred to herein may, in some exemplary embodiments, comprise a processor implementation module.

[0325] Similarly, any methods or routines disclosed herein may be processor-implemented at least partially. For example, at least part of the operation of a method may be performed by one or more processors or a processor-implemented hardware module. The implementation of a particular operation may reside not only within a single machine but also distributed among one or more processors deployed across multiple machines. In some exemplary embodiments, one or more processors may be located in a single location (e.g., in a home environment, an office environment, or a server farm), while in other embodiments, the processors may be distributed across multiple locations.

[0326] The execution of a particular operation may reside not only within a single machine, but may also be distributed across one or more processors deployed across multiple machines. In some exemplary embodiments, one or more processors or processor implementation modules may be located in a single geographical location (e.g., a home environment, an office environment, or a server farm). In other exemplary embodiments, one or more processors or processor implementation modules may be distributed across multiple geographical locations.

[0327] In this specification, various elements may be described using the terms Figure 1, Figure 2, etc., but it will be understood that these elements should not be limited by these terms. These terms are used solely to distinguish any element from another. For example, without departing from the scope of this disclosure, we may refer to the first element as the second element, and similarly, the second element as the first element.

[0328] While preferred embodiments of the subject matter have been shown and described herein, it will be apparent to those skilled in the art that such embodiments are provided merely as examples. Numerous modifications, alterations, and substitutions will be made by those skilled in the art without departing from the subject matter. It should be understood that various alternative forms to the embodiments of the subject matter described herein may be used when carrying out the subject matter.

Claims

1. A method for providing trusted artificial intelligence (AI) using fully homomorphic encryption (FHE), (a) Providing a deep neural network (DNN)-based model having an architecture modified to suit FHE, wherein the architecture is modified by (i) using a Gaussian function as the activation function, and (ii) removing one or more pooling layers. (b) A step of obtaining encrypted data, wherein the encrypted data is generated by applying the FHE to the plaintext data, (c) A step of generating inference using the DNN-based model based on the encrypted data. Methods that include...

2. The method according to claim 1, wherein the DNN-based model is trained with plaintext training data.

3. The method according to claim 1, wherein the DNN-based model is trained with encrypted training data.

4. The method according to claim 1, wherein the DNN-based model is pre-trained with plaintext training data and encrypted training data.

5. The method according to claim 1, further comprising the step of selecting one or more hyperparameter values ​​on at least partly based on criticality monitoring during a training phase in which the DNN-based model is trained using the architecture.

6. The method according to claim 5, further comprising the step of identifying and testing suitable approximations and alternatives for various nonlinear activation functions and nonlinear loss functions.

7. The method according to claim 5, wherein the one or more hyperparameters include at least one of a random initialization distribution, batch size, learning rate, or mean and variance of optimizer settings.

8. The method according to claim 5, wherein the mean or variance of the Gaussian function is adjusted during the training phase.

9. The method according to claim 1, wherein the encrypted data is generated using a homomorphic encryption scheme such that the calculation results generated for the encrypted data match the calculation results generated for the plaintext data.

10. The method according to claim 9, wherein the homomorphic encryption scheme includes the CKKS algorithm or the TFHE algorithm.

11. The method according to claim 1, wherein the DNN-based model is trained using adversarial machine learning techniques.

12. The method according to claim 11, wherein the adversarial machine learning technique includes actively acquiring knowledge from a machine learning system under attack.

13. The method according to claim 11, wherein the step of training the DNN-based model further includes a step of utilizing reinforcement learning and transfer learning.

14. The method according to claim 11, wherein the DNN-based model is trained to detect cyber threats or cyberattacks.

15. The method according to claim 14, wherein the cyber threat includes one or more of a data poisoning attack, a malicious AI, and malware.

16. The method according to claim 1, wherein the DNN-based model is trained to detect anomalies.

17. The method according to claim 16, wherein the DNN-based model is trained using collaborative learning.

18. The method according to claim 17, wherein the DNN-based model is trained by a plurality of computing nodes, and each computing node trains the DNN-based model using a set of training data not shared with other computing nodes.

19. The method according to claim 16, wherein the inference includes an anomaly detection output generated by a computing node.

20. The method according to claim 19, further comprising the step of aggregating multiple anomaly detection outputs from multiple computing nodes in order to generate an anomaly detection result.

21. The method according to claim 20, wherein each of the plurality of computing nodes generates an anomaly detection output based at least partially on a portion of the distributed data.

22. The method according to claim 21, wherein a portion of the distributed data includes FHE encrypted data.

23. The method according to claim 20, wherein the plurality of anomaly detection outputs are shared and stored using a blockchain.

24. The method according to claim 16, wherein the plaintext data includes image data.

25. The method according to claim 24, further comprising the step of generating a hypervector based on the plaintext data in order to accelerate the computation.

26. The method according to claim 1, wherein the plaintext data is embedded with machine-readable data using one or more encoding algorithms.

27. The method according to claim 26, wherein the machine-readable data is embedded at various hierarchical levels.

28. The method according to claim 27, wherein the various hierarchical levels include character level, word level and sentence level of text input data.

29. The method according to claim 26, wherein the machine-readable data includes a universal multiple watermark used for authenticating and verifying the document.

30. The method according to claim 29, wherein the universal multiple watermark includes metadata and encrypted identification information of the data source or owner of the plaintext data.

31. The method according to claim 29, wherein the universal multiple watermark is undetectable to humans, and the universal multiple watermark is detectable and decodeable by hardware or software.

32. The method according to claim 29, wherein the universal multiple watermark is used to verify the authenticity of the plaintext data and to verify the source and integrity of the plaintext data.

33. The method according to claim 29, wherein the plaintext data is embedded using universal multiple watermarking, and then the FHE is applied to the plaintext data.

34. The method according to claim 33, further comprising the steps of decrypting the encrypted data and verifying the integrity of the decrypted data using a checksum.

35. The method according to claim 34, wherein the checksum is derived from the plaintext data before encryption and stored on a blockchain for secure and tamper-resistant record keeping.

36. The method according to claim 35, wherein the checksum on the blockchain is used to investigate attempts to tamper with data.

37. The method according to claim 36, wherein the attempted unauthorized data modification is detected by detecting a mismatch between the decoded data and the recorded checksum.

38. The method according to claim 37, further comprising the step of generating an alert when the aforementioned mismatch is detected.

39. The method according to claim 38, wherein the alert automatically triggers an automated mitigation process which includes at least one of the following: isolating the affected data, initiating a security audit, or activating data recovery measures from a verified backup.

40. The method according to claim 26, wherein the embedded machine-readable data represents a watermark that functions as a unique identifier for the plaintext data.

41. The method according to claim 40, wherein the unique identifier is encrypted using the FHE, and calculations can be performed on the encrypted watermark without disclosing the contents of the unique identifier.

42. The method according to claim 41, wherein the encrypted watermark is verified by applying one or more operations of the FHE corresponding to watermark verification, resulting in an encrypted verification result.

43. The method according to claim 42, wherein the encrypted verification result is decrypted in order to (i) verify the authenticity of the plaintext data and (ii) determine whether the plaintext data has been tampered with or replaced.

44. The method according to claim 42, wherein a unique watermark identifier is linked to a transaction on the blockchain, and an immutable record of the unique watermark identifier, ownership of the plaintext data, and one or more associated transactions is recorded on the blockchain.

45. The method according to claim 44, wherein one or more associated transactions are used to verify the unique watermark identifier which serves as a checksum for the plaintext data.

46. The method according to claim 29, wherein the steps of embedding machine-readable data and encrypting plaintext data are applied to multiple layers of data representation.

47. The method according to claim 46, wherein the plurality of layers of the data representation include the pixel level of an image, the frame level of a video, and the packet level of network communication.

48. The method according to claim 1, wherein the steps of embedding the machine-readable data and encrypting the plaintext data utilize one or more machine learning algorithms.

49. A trusted artificial intelligence (AI) model that implements the method described in claim 1, wherein the trusted artificial intelligence (AI) model ensures the integrity and authenticity of the data used in the training and operation of the trusted AI model.

50. A method for providing trusted artificial intelligence (AI) using probabilistic computing, (a) A step of receiving the original image in a software application running on an endpoint computing device, (b) The software application generates multiple image segments by cutting the original image into multiple random bits, (c) The step of generating inferences about the plurality of image segments using a pre-trained deep neural network (DNN) based model in the cloud, (d) Providing the inference to the software application on the endpoint computing device, (e) The software application aggregates the inferences in order to generate results. Methods that include...

51. The method according to claim 50, wherein the accuracy of the result is the same as the accuracy of the result obtained by directly generating inference on the original image.

52. The method according to claim 50, wherein the inference includes a plurality of labels predicted for the plurality of image segments.

53. A method for providing trusted artificial intelligence (AI) using noise-based computing (NBC), (a) A step of receiving the original image in a software application running on an endpoint computing device, (b) The software application generates a plurality of random images, (c) The step of processing the plurality of random images in order to predict the plurality of labeled images for the plurality of random images using a pre-trained deep neural network (DNN) based model in the cloud, (d) A step of selecting a subset of the plurality of labeled images using the software application, wherein the number of images in the subset of the plurality of labeled images is set by the software application, (e) The step of generating a predictive output based at least partially on a subset of the plurality of labeled images using a weighted mean and probabilities. Methods that include...

54. The method according to claim 53, wherein the plurality of random images are generated by the random image generator of the software application.

55. A method for providing trusted artificial intelligence (AI) using an artificial immune system, (a) A step of obtaining a diverse set of detectors capable of identifying non-self elements, wherein the set of detectors represents a deep neural network (DNN) based model, (b) Providing an encrypted dataset to the set of detectors, wherein the encrypted dataset is generated by applying fully homomorphic encryption (FHE) to plaintext data, (c) The step of running the artificial immune system to identify non-self elements in the encrypted dataset that correspond to one or more of anomalies, intrusions, or attacks, (d) A step of adapting the set of detectors via one or more machine learning techniques based at least in part on the results of the step of performing the artificial immune system, wherein the one or more machine learning techniques include one or more of reinforcement learning, evolutionary algorithms, or swarm intelligence. (e) The step of implementing a feedback loop to continuously improve and enhance the detection capability of the artificial immune system. Methods that include...

56. A method for providing secure multi-party computing (SMPC) to trusted artificial intelligence (AI) based at least in part on watermarking, (a) A step of applying a watermark to plaintext data, thereby generating watermarked plaintext data, wherein the watermark is generated using the SMPC protocol. (b) Encrypting the plaintext data using a homomorphic encryption scheme, thereby generating encrypted watermarked plaintext data; (c) The step of training a deep neural network (DNN) based model using the encrypted watermarked plaintext data, (d) In response to verifying the integrity of the encrypted watermarked plaintext data, the step of generating an inference using the DNN-based model based at least partially on the encrypted watermarked plaintext data, (e) A step of storing the verification result on the blockchain, wherein the verification result is at least in part based on the verification of the integrity of the encrypted watermarked plaintext data. Methods that include...

57. An application programming interface (API) for universal steganographic watermarking, (a) A confidential API configured to embed confidential data within a cover file and generate a sealed file, (b) A public API configured to take the sealed file as input and extract the confidential data, (c) A verification API configured to verify the integrity of the sealed file without extracting the confidential data, Application programming interfaces (APIs), including the API itself.

58. The aforementioned confidential API, a) To generate scrambled confidential data, scramble the confidential data using a private seed value, b) Compressing the scrambled confidential data into compressed confidential data, c) hashing the compressed secret data in order to generate a cryptographic signature, The API according to claim 57, further configured to perform operations including the following.

59. The API according to claim 58, wherein the cryptographic signature is embedded in the cover file at an offset.

60. The API according to claim 59, wherein the offset is determined at least in part on the type of cover file.

61. The API according to claim 60, wherein the type of cover file is selected from the group including text files, image files, video files, audio files, and HTML files.

62. The API according to claim 58, wherein the cryptographic signature is used by the verification API to verify the integrity of the sealed file.

63. The API according to claim 58, wherein the private seed value is accessible by one or more authorized users.

64. The API according to claim 58, wherein the cryptographic signature is stored on the blockchain.

65. The API according to claim 58, wherein the confidential API is further configured to encode the cover file using an encoding scheme before scrambling the confidential data.

66. The API according to claim 65, wherein the encoding method is selected at least in part based on the type of cover file.

67. The API according to claim 65, wherein the confidential API is further configured to encode the confidential data using an encoding scheme before scrambling the confidential data.

68. The API according to claim 67, wherein the confidential API is further configured to standardize the encoded confidential data.