Loading...
Loading...
Enforce governance policies on encrypted data using fully homomorphic encryption, selectively disclose credential attributes with BBS+ signatures, and coordinate multi-party enforcement decisions with threshold cryptography and secure multi-party computation.
DRD's encrypted enforcement layer ensures that governance decisions can be made over sensitive data without any party gaining access to raw inputs. This enables compliance verification, cross-organization enforcement, and privacy-preserving trust scoring across federations.
Compute on encrypted trust scores and compliance data without decryption. Enables blind policy evaluation.
Share specific credential attributes while keeping the rest hidden. Holder-controlled privacy for agent identities.
Require k-of-n federation members to co-sign enforcement actions. No single entity controls kill-switch authority.
Multiple parties jointly compute governance decisions without revealing their individual inputs or votes.
DRD uses Microsoft SEAL with the BFV scheme to perform arithmetic operations on encrypted trust scores and compliance metrics. Federation members submit encrypted data, and the platform evaluates policies without ever decrypting the underlying values.
| Parameter | Value |
|---|---|
| Scheme | BFV (Brakerski/Fan-Vercauteren) |
| Library | Microsoft SEAL 4.1 |
| Polynomial Modulus | 8192 (degree) |
| Coefficient Modulus | 218 bits (3 primes) |
| Plain Modulus | 1032193 (20-bit prime) |
| Security Level | 128-bit (post-quantum) |
| Supported Ops | Addition, multiplication, rotation |
import { DRD } from '@drd/sdk';
const drd = new DRD({ apiKey: process.env.DRD_API_KEY });
// Encrypt a trust score for blind policy evaluation
const encrypted = await drd.fhe.encrypt({
scheme: 'bfv',
plaintext: { drdScore: 87, violationCount: 2 },
publicKey: 'pk_fed_alliance_01',
});
// Evaluate a compliance policy on encrypted data (server-side)
const result = await drd.fhe.evaluate({
encryptedInputs: [encrypted.ciphertext],
policy: 'score_above_70_and_violations_below_5',
federationId: 'fed_alliance_01',
});
// Result is still encrypted — only the data owner can decrypt
console.log(result.encryptedOutput); // Encrypted boolean result
console.log(result.operationsUsed); // { additions: 3, multiplications: 2 }
console.log(result.noiseLevel); // 'low' (safe for further computation)
// Decrypt the result with your private key
const decrypted = await drd.fhe.decrypt({
ciphertext: result.encryptedOutput,
privateKeyId: 'sk_org_acme',
});
console.log(decrypted.result); // { compliant: true }BBS+ signatures allow credential holders to derive proofs that reveal only specific attributes from a signed credential, while still proving the credential was issued by a trusted authority. This enables minimal disclosure for agent identity and compliance verification.
// Issue a BBS+ signed credential with multiple attributes
const credential = await drd.bbs.issueCredential({
issuer: 'did:drd:org_acme',
subject: 'did:drd:agent_abc123',
attributes: {
agentName: 'PolicyBot-7',
complianceLevel: 'enterprise',
drdScore: 87,
frameworks: ['gdpr', 'ccpa', 'eu_ai_act'],
certifiedDate: '2026-01-15',
expiresAt: '2027-01-15',
},
signingKeyId: 'key_bbs_org_acme',
});
// Agent derives a proof revealing only specific attributes
const derivedProof = await drd.bbs.deriveProof({
credential: credential.signedCredential,
revealedAttributes: ['complianceLevel', 'frameworks'],
// agentName, drdScore, certifiedDate, expiresAt remain hidden
holderKeyId: 'key_bbs_agent_abc123',
});
console.log(derivedProof.revealedData);
// { complianceLevel: 'enterprise', frameworks: ['gdpr', 'ccpa', 'eu_ai_act'] }
// Verifier confirms the proof without seeing hidden attributes
const verified = await drd.bbs.verifyProof({
proof: derivedProof.proof,
issuerPublicKey: 'pk_bbs_org_acme',
});
console.log(verified.valid); // true
console.log(verified.issuer); // 'did:drd:org_acme'
console.log(verified.hiddenCount); // 4 (attributes hidden)Critical enforcement actions (kill-switch, federation-wide bans, credential revocation) require multi-party authorization through threshold signatures. A k-of-n scheme ensures no single organization can unilaterally execute high-impact governance decisions.
// Setup a 3-of-5 threshold signing group for a federation
const group = await drd.threshold.createGroup({
federationId: 'fed_alliance_01',
threshold: 3, // Minimum signers required
totalMembers: 5, // Total authorized signers
members: [
'org_acme', 'org_globex', 'org_initech', 'org_umbrella', 'org_waystar'
],
purpose: 'kill_switch_authorization',
});
console.log(group.groupId); // 'tsg_fed01_killswitch'
console.log(group.publicKey); // Combined threshold public key
// Initiate a threshold signing request
const request = await drd.threshold.requestSignature({
groupId: 'tsg_fed01_killswitch',
payload: {
action: 'kill_switch',
targetAgentId: 'agent_malicious_99',
reason: 'Coordinated policy violations across 4 member organizations',
evidence: ['violation_001', 'violation_002', 'violation_003'],
},
expiresIn: '24h',
});
// Individual members contribute partial signatures
await drd.threshold.sign({
requestId: request.requestId,
signerOrgId: 'org_acme',
signerKeyId: 'key_threshold_acme',
});
// After k signatures are collected, the combined signature is produced
const status = await drd.threshold.getStatus(request.requestId);
console.log(status.signatures); // 3 of 5 collected
console.log(status.thresholdMet); // true
console.log(status.combinedSignature); // Valid threshold signatureSecure Multi-Party Computation (SMPC) enables federation members to jointly compute governance decisions — such as aggregated trust scores, collective risk assessments, and policy compliance — without any party revealing their private inputs to others.
// Define an SMPC computation for federated trust scoring
const computation = await drd.smpc.createComputation({
federationId: 'fed_alliance_01',
type: 'aggregate_trust_score',
description: 'Compute average trust score for agent without revealing individual scores',
participants: ['org_acme', 'org_globex', 'org_initech'],
targetAgentId: 'agent_abc123',
});
// Each participant submits their encrypted input share
await drd.smpc.submitInput({
computationId: computation.computationId,
participantOrgId: 'org_acme',
encryptedInput: { localTrustScore: 85 }, // Secret-shared, not revealed
});
// After all participants submit, compute the result
const result = await drd.smpc.getResult(computation.computationId);
console.log(result.aggregatedScore); // 82.3 (average)
console.log(result.participantCount); // 3
console.log(result.inputsRevealed); // false (no individual scores exposed)
console.log(result.protocol); // 'shamir_secret_sharing'
// Use SMPC for privacy-preserving voting
const vote = await drd.smpc.createComputation({
federationId: 'fed_alliance_01',
type: 'private_vote',
description: 'Vote on enforcement action without revealing individual votes',
participants: ['org_acme', 'org_globex', 'org_initech', 'org_umbrella', 'org_waystar'],
options: ['approve', 'reject', 'abstain'],
});Core endpoints for encrypted enforcement primitives.
/api/fhe/encrypt
Encrypt plaintext values using BFV scheme for blind computation
/api/fhe/evaluate
Evaluate a compliance policy on encrypted inputs
/api/fhe/decrypt
Decrypt a computation result with your private key
/api/bbs/issue
Issue a BBS+ signed credential with multiple attributes
/api/bbs/derive-proof
Derive a selective disclosure proof from a credential
/api/bbs/verify-proof
Verify a BBS+ derived proof
/api/threshold/create-group
Create a threshold signing group for a federation
/api/threshold/sign
Contribute a partial signature to a threshold request
/api/smpc/create
Create an SMPC computation for joint governance decisions
/api/smpc/submit-input
Submit an encrypted input share for an SMPC computation