Abstract: Provided is a pre-calculation device capable of keeping a secret against malicious behaviors of participants while keeping a processing load small. A Beaver triple generation processor generates a secret-shared Beaver triple formed of two secret-shared random numbers and a secret-shared value of a product of the two random numbers. A Beaver triple random inspection processor randomly selects a secret-shared Beaver triple, restores the Beaver triple through communication to and from other pre-calculation devices, and confirms that a product of first two elements is equal to a third element. The Beaver triple position stirring processor randomly replaces Beaver triples that have not been restored, to generate replaced secret-shared Beaver triples.

Abstract: An example operation may include one or more of connecting, by an identity server, to a blockchain configured to store an identity trait of a user, retrieving, by an identity server, the identity trait from the a blockchain, establishing, by the identity server, a trust group homomorphism digital signature algorithm (DSA) for the user associated with the identity trait based on a public key PK1, creating, by the identity server, a zero-knowledge proof function with a public key PK2 based on a DSA member of the trust group homomorphism for witness data, providing, by the identity server, the witness data to a challenger for the zero-knowledge proof function, and receiving, by the identity server, a validation of the user as a proved user based on execution of the zero-knowledge proof function based on the witness data.

Abstract: A system described herein may allow for the masking of user input and/or sensor data, which could otherwise be used to uniquely identify and track a user. For example, user inputs (e.g., keyboard or mouse inputs) and/or sensor data (e.g., data from a touchscreen, pressure sensor, gyroscope, etc.) may be normalized and randomized. The normalization and/or randomization may include modifying metadata associated with user inputs or sensor data (e.g., modification of timestamps and/or modification of raw data) prior to outputting the user inputs or sensor data to an application, and/or to a service that attempts to uniquely identify users based on such metadata.

Abstract: Systems and methods that may be implemented to use encryption to isolate SMI functions, libraries and data from each other, such as during operation of systems management mode (SMM). Isolation of SMI function, library and data (and limitation of SMI function/library privileges) may be achieved in SMI at runtime by decrypting only that code and data needed for performing the required action/s in response to a SMI received from a calling process by a host processor (e.g., CPU).

Abstract: The present application discloses a method, system and apparatus for storing a website private key plaintext. A specific implementation of the method includes: receiving a public key sent from a terminal configured to perform encryption and decryption, wherein the public key is generated at random by the terminal; encrypting a website private key plaintext by using the public key to generate a website private key ciphertext, wherein the website private key plaintext is pre-acquired; and sending the website private key ciphertext to the terminal, so that the terminal decrypts the website private key ciphertext by using the private key to generate the website private key plaintext and store the website private key plaintext in the terminal. This implementation improves the security of storage of the website private key plaintext.

Abstract: Various systems and methods for domain authentication are described herein. In an example, the method may include detecting a domain from a request of a tenant for access to a farm. The method may also include identifying a presence of a site ID from a database of the farm based on the domain. The method may also include sending an authentication request to a default site or a custom site, the authentication request managed through a site manager based on the identified presence of the site ID in the database of the farm. The method may also include routing traffic from the tenant to the farm in response to satisfaction of the authentication request.

Abstract: Systems and methods provide for a solution for encryption by dynamically opening multiple channels between the client and the server, where the channels include both secured (e.g., SSL/TLS and etc.) channels and non-secured channels. Non-sensitive information can be over non-secured channels, and sensitive information can be sent via the secured channels. The system can recognize whether the information is sensitive or not via the use of tags on a page or frame that delineate which information is sensitive. For instance, on a form, tags can mark off the areas of the form that may contain sensitive information, such as social security numbers, names, addresses, financial information and other private information. All the data within the tags can be considered sensitive and so be communicated to the server via a secure channel while other data can be transmitted through unsecured channels.

Abstract: Provided are a method and an apparatus for establishing a wireless connection for an application of a user equipment. In comparison with the prior art, the present application is applied to detect whether a first application has a communication requirement, and call a corresponding third-party connection module to execute a wireless connection operation when there is a communication requirement. The wireless connection operation comprises: sending a wireless access point information request to a corresponding network equipment; receiving one or more pieces of wireless access point information sent by the network equipment based on the wireless access information request; and establishing a wireless connection between the user equipment and the corresponding wireless access point according to at least one piece of information in the one or more pieces of wireless access point information so as to realize the communication requirement of the first application.

Abstract: Methods, systems and computer program products for loading, storing and executing dynamically modifiable functional exercisers are provided. Aspects also include receiving a plurality of functional exercisers by a secondary reload memory disposed on a device-under-test. Aspects include loading at least a first functional exerciser from the secondary reload memory into a primary execution memory disposed on the device-under-test. Aspects include executing and modifying the first functional exerciser stored in the primary execution memory. Aspects further include, responsive to determining based on a test algorithm that one or more functional exercisers of the plurality have not been fully executed, loading a second functional exerciser from the secondary reload memory into the primary execution memory.

Abstract: Systems and methods involving secure device authentication using aspects of a zero-knowledge password proof approach are disclosed. In one example, a device may generate a self-authenticating message including its identity and/or its capabilities. The device may use a secret value, random nonce, public ephemeral value (PEV), session key, and/or other values to generate the self-authenticating message. The secret value may be unknown to device receiving the self-authenticating message. With the use of pre-loaded values, including a verifier, the receiving device may compare a host-HMAC with the router-HMAC to verify the authenticity of the message. Such authentication may be used, inter alia, on an Internet Protocol network utilizing Neighbor Discovery protocol.

Abstract: A sender device includes a non-transitory memory storage comprising instructions and a location control policy, and a processor coupled to the memory. The processor executes the instructions to generate an email, generate a control mechanism for the email, wherein the control mechanism instructs a security server to implement the location control policy and wherein the location control policy affects a recipient device's use of the email, and integrate the control mechanism into the email to generate an integrated email. The sender device further includes a transmitter coupled to the processor and configured to transmit the integrated email to the security server for the security server to implement the control mechanism.

Abstract: An electronic signing authorization method includes converting a signing request submitted by an end user into a predetermined format, verifying an identity of an authorizing user of an authorization layer according to a predetermined verification process, accepting input data of the authorizing user of the authorization layer when the identity of the authorizing user of the authorization layer is verified, and outputting an authorization command according to the input data when the input data includes authorization data. The predetermined format includes at least one of a text format, an audio format, or a video format. The authorization command corresponds to rejecting the signing request, not authorizing the signing request, or authorizing the signing request.

Abstract: A method including: receiving a first plurality of randomly-selected logical operations; performing a first decryption of first client credentials stored locally at the client device by inputting cipher code to a decryption algorithm, wherein the decryption algorithm includes the first plurality of randomly-selected logical operations; subsequent to the first decryption of the first client credentials, performing a first authentication of the client-based application with a server, including transferring the first client credentials to the server; after the first authentication, receiving a second plurality of randomly-selected logical operations from a network resource separate from the client device; applying the second plurality of randomly-selected logical operations to the decryption algorithm; and performing a second decryption of the first client credentials stored locally at the client device by inputting the cipher code to the decryption algorithm, wherein the decryption algorithm includes the second

Abstract: Computerized systems and methods facilitate detection of anomalous activity during the authentication of login attempts. When a login attempt is made, credentials (e.g., a username and password) are provided. A function call is made to check for anomalous activity. A count of unique usernames attempted during a given time period is compared against a unique username threshold. In some embodiments, a count of login attempts for the current username is also compared against a login attempt threshold. If either (or both) threshold is met or exceeded, an abnormal state is returned, and one or more enhanced authentication requirements are invoked. Alternatively, a normal state is returned, and the credentials are validated. If the login attempt is successful, the username is removed from consideration for anomalous activities checks for other login attempts.

Abstract: Systems and methods of the present invention provide for one or more server computers communicatively coupled to a network and configured to: receive a request to execute a computational task, including a transformed input used to execute a computational task. A client computer transforms the original input into the transformed input, using an affine mapping where the transformed input is a one-to-one equivalent to the original input (but which can't be inferred by the server computer), and according to a user selection limiting the computational complexity of the mapping according to resource constraints on the client. The server may then execute the computational task and transmit a result to the client to apply an inverse affine mapping, and receive a response which verifies that the computational task result is complete and valid.

Abstract: Embodiments of the present invention disclose a method, a computer program product, and a computer system for data synchronization. A first data storage device reads a first data region and generates a first hash of the first data region before transmitting the first hash to a second data storage device. The second data storage device reads a second data region corresponding to the first data region and generates a second hash of the second data region. The second data storage device then determines whether the first hash matches the second hash and, based on determining that the first hash does not match the second hash, transmits data of the second data region to the first data storage device. The first data storage device applies the data of the second data region, thereby synchronizing the first data storage device and the second data storage device.

Abstract: A near field communication (NFC)-enabled client device includes one or more computer-readable storage media and an NFC interface component operational in a card emulation mode of an NFC protocol. The client device also includes an application for performing a transaction using the NFC protocol. The application is stored on the one or more computer-readable storage media. Programming logic is configured to receive and store a state object (e.g., a cookie) provided by a security authority using the NFC protocol when performing a transaction using the application. The state object includes an identifier, data payload and a public key associated with the security authority. The programming logic is also configured to transmit the state object to the security authority upon receiving an HTTP operation identifying the state object.

Abstract: A method and system are disclosed in a network for controlling data signalling therein. A core network includes at least a first node storing a contents parameters database. A sub-network operably interfaced with the core network includes at least a network transaction processing node. The first node and the network transaction processing node are each adapted to authenticate all users of data processing terminals connected to the network for access to the network or predetermined parts of the network and to monitor respective network signals of same for contents data encoded therein. An information exchange server is also operably interfaced with the sub-network and stores a registration and communication database having respective unique identifier(s) of each of the one or more network users recorded therein.

Abstract: A device, system and method for notifying a person-of-interest of their location within an estimated field-of-view of a camera is provided. The device: identifies a person-of-interest in an area proximal one or more of a first camera and the device; receives and processes images from the first camera to identify a second camera located in the area; determines a location of the person-of-interest; and determines, from the images, a respective location and estimated field-of-view of the second camera; determines, by comparing the location of the person-of-interest and the respective location and estimated field-of-view of the second camera, whether the person-of-interest is located within the estimated field-of-view of the second camera; and, when the person-of-interest is located within the estimated field-of-view of the second camera, controls a notification device to provide a notification to notify the person-of-interest of their location within the estimated field-of-view of the second camera.

Abstract: Example embodiments of systems and methods for data transmission between contactless card and receiving devices are provided. In an embodiment, the contactless card may be configured to create a cryptogram based on a plurality of keys and a counter. The cryptogram may be transmitted to the receiving device. The contactless card may be configured to transmit a one-time password to the client device. The counter value may be adjusted each time the one-time password is generated, and the counter may be configured to increment in a non-monotonic sequence, the sequence associated with one or more cryptographic algorithms.

Abstract: A method for performing secure computations on records, comprising: receiving a request to apply an arithmetic computation on a record; assigning a respective partial record to each of a plurality of computational processes; instructing each of the computational processes sharing a computation scheme to perform the following: submitting the arithmetic computation to the computation scheme to assemble a processed partial record from the respective partial record components; instructing each of the plurality of computational processes to verify an integrity of at least one of the plurality of processed partial records by: broadcasting combined encryptions of one of the plurality of processed partial record components to all other of the plurality of computational processes and analyzing received combined encryptions to detect integrity in the other of the processed partial record components; and when the detected integrity is valid, calculating a response to the request by combining the received processed parti

Abstract: A system and method is provided for a web services-based data transfers. A data power component translates a service request in a first format received from a first computing device into a translated service request in a second format compatible with a web service. The translated service request includes converted freight data associated with a set of items structured for storage within one or more database(s) associated with a second computing device. The translated service request is a request to load the freight data onto the database(s). The translated service request is transmitted to the web service. In response, the data power component receives a response from the web service indicating whether the freight data is successfully loaded onto the database(s). The data power component translates the response from the second format into the first format. The translated response is returned to the first computing device.

Abstract: Embodiments disclosed herein describe computing private set intersection (PSI) between various parties using delegation to other devices and in one round of interaction (request and response). The various parties involved and their associated computing devices are referred to herein as participants. The protocol is forward-secure and completely hides the data of participants from an eavesdropper. Because the protocol only uses a single round of interaction, it is more efficient and does not require each participant to have servers that remain online continuously.

Abstract: A parent cryptographic key associated with a blockchain object is obtained. A number of parties (N) to share control over the blockchain object is obtained. N child cryptographic keys are generated based on the parent cryptographic key by applying a predetermined algorithm to the parent cryptographic key, wherein N is an integer greater than or equal to 2, and wherein the N child cryptographic keys are collectively configured to enable reconstruction of the parent cryptographic key.

Abstract: A system may include a plurality of matching block cipher devices, and a hardware state machine communicatively coupled to each of the plurality of matching block cipher devices. Each of the plurality of matching block cipher devices can be independently invoked by the hardware state machine such that the hardware state machine causes two or more of the plurality of matching block cipher devices to selectively perform a block-cipher-based symmetric cryptographic operation in a redundant mode or a parallel mode. The block-cipher-based symmetric cryptographic operation may be associated with securing a communication channel of an automotive system.

Abstract: The present invention relates to a method for encryption or decryption of a data block from a secret key, wherein the method comprises: generating a first round key kr dependent on the secret key, selecting each of a first mask (?br) and a second mask (?br+1) in a set consisting of a mask of bits all at one and a mask of all zero bits, calculating a first masked key kr? from the first round key kr and the first mask (?br) as follows: kr?=kr?(?br) wherein ? is an exclusive disjunction, executing a first encryption round applied to two first data dependent on the data block, by means of the first masked round key kr? so as to produce two second data, after producing the first masked key kr?, generating a second round key kr+1 dependent on the secret key, calculating a second masked key kr+1? from the second round key kr+1 and the second mask (?br+1) as follows: kr+1?=kr+1?(?br+1), calculating two third data Lrbr+1, Rrbr+1 as follows: Rrbr+1=Rrbr?(?br?1)?(?br) Lrbr+1=Lrbr?(?br?1)?(?br) and executing a secon

Abstract: A set of measurement data is gathered by a network-enabled end device over a period of time. A mathematical function is generated to describe behavior of the set of measurement data. A compact, encoded message is generated representing the behavior of the gathered set of measurement data and the compact, encoded message is transmitted for storage in a data store associated with a backend server. Responsive to a received data analysis request, particular compact, encoded messages stored in the data store and applicable to the data analysis request are decoded. Time series data reconstructing the measurement data based on the decoded messages is generated.

Abstract: A communication apparatus includes an acquiring unit that acquires information regarding another communication apparatus from a captured image; a determining unit that determines, on the basis of the information acquired by the acquiring unit, whether the other communication apparatus requests a connection using an infrastructure mode based on an IEEE 802.11 standard or requests a connection using Wi-Fi Direct; and a providing unit that provides, to the other communication apparatus, a communication parameter used for a connection requested by the other communication apparatus on the basis of a result of determination by the determining unit.

Abstract: Aspects of the present disclosure provide for systems and methods to automatically load security access files and/or keys on a local digital controller serving subscriber communication equipment, but are not so limited. A disclosed system operates to use a deployment manager as part of auto-loading security access files and/or keys on a local digital controller serving subscriber communication equipment. A disclosed method operates in part to auto-load security access files and/or keys on a local digital controller serving subscriber communication equipment.

Abstract: A transaction verification process performed by a transaction network operator in communication with a client computing device and a third party provider. A computing device may be equipped with an integrity verification module for verifying the system integrity of the computing device, and a cryptographic module for digitally signing transaction requests. The transaction network operator may verify that transaction requests processed by the third party provider are properly associated with a valid computing device by verifying signatures from the cryptographic module and the integrity verification module. In response to a request from the third party provider, the transaction network operator may verify that the computing device is authorized to complete the transaction by challenging the computing device for proper credentials. The transaction network operator may verify the credentials provided by the client device and indicate to the third party provider that the transaction is valid.

Abstract: A portable device receives an account information request signal from a merchant machine. The portable device transmits a response message to the merchant machine. The response message comprises the account information for a purchase. The portable device transmits a first message to an account server. The first message comprises a request to get information comprising the purchase amount. The portable device receives a second message comprising the information from the account server. The portable device sends the purchase amount to a display.

Abstract: A method includes receiving registration information regarding a telematics unit and a control system for each equipment piece in a plurality of equipment pieces; receiving a seed from a control system via a telematics unit for a particular equipment piece in the plurality of equipment pieces responsive to reception of a telematics session request by the control system for the particular equipment piece of the plurality of equipment pieces; authenticating the telematics unit and the control system for the particular equipment piece based on information included with the seed and the registration information; generating an encrypted key responsive to the authentication; and providing the encrypted key to the control system via the telematics unit to establish a proprietary data communication channel from the control system to the processing circuit via the telematics unit for the particular equipment piece.

Abstract: Systems and methods are provided for retrieving a set of code changes to source code from a source code repository, analyzing the set of code changes to generate a vector representation of each code change of the set of code changes, analyzing the vector representation of each code change of the set of code changes using a trained security-relevant code detection machine learning model, receiving a prediction from the security-relevant code detection machine learning model representing a probability that each code change of the set of code changes contains security-relevant changes, analyzing the prediction to determine whether the prediction is below or above a predetermined threshold, and generating results based on determining whether the prediction is below or above a predetermined threshold.

Abstract: Techniques for distributed computing system node management are described herein. In some cases, internal compute nodes (i.e., compute nodes that are allocated to the distributed system) may be mutually trusted such that they may freely establish communications with one another. By contrast, external compute nodes (i.e., compute nodes that aren't allocated to the distributed computing system) may be untrusted such that their access to the distributed system may be regulated. In some cases, one or more of the compute nodes within the distributed computing system may maintain respective collections of system view information. Each respective collection of system view information may include, for example, information associated with the corresponding compute node's view of the distributed computing system based on information that is available to the corresponding compute node.

Abstract: The technology disclosed relates to reducing error in security enforcement by a network security system (abbreviated NSS). The NSS classifies incoming connection access requests as loss prevention inspectable or connection preserving by determining their conformance or non-conformance with semantic and content requirements of HTTP and HTTPs protocols. The NSS forwards the loss prevention inspectable connection access requests to a data inspection and loss prevention appliance (abbreviated DILPA) for deep inspection. The NSS directly sends the connection preserving connection access requests to the destination servers, preventing connection termination and error generation.

Abstract: A technique for providing federated login to a password vault generates a master password for a federated user, renders the master password as multiple parts, and stores the key parts in separate entities. After successful authentication with an identity provider (IDP), a user's local machine receives the password parts and combines them to recreate the master password. The local machine then applies the master password to decrypt the password vault.

Abstract: A system and method synchronizes accounts across different computer systems using a matching computer system and a network, when the accounts on the source computer system are organized differently than they are on the destination computer system.

Abstract: A parent cryptographic key associated with a blockchain object is obtained. A number of parties (N) to share control over the blockchain object is obtained. N child cryptographic keys are generated based on the parent cryptographic key by applying a predetermined algorithm to the parent cryptographic key, wherein N is an integer greater than or equal to 2, and wherein the N child cryptographic keys are collectively configured to enable reconstruction of the parent cryptographic key.

Abstract: A scrambling method of data on a J1939 communication system of a vehicle involves at least moving data from one of a PGN and a PGN/SPN location to another PGN or PGN/SPN location at a first controller on the vehicle before transmitting data and then re-ordering the data at a second controller. Some embodiments further comprise encrypting data either before or after shifting, but before transmitting so as to further complicate efforts to interpret meaningful data from the transmission. The second controller may be on the vehicle or may be remotely located.

Abstract: The approved email generation system described is capable of producing email communications between user and customer by using approved email templates and content that have been aligned with customer information regarding access to such content. Once the approved email has been generated, the content may be verified again for accuracy and validity before being delivered to the customer. When the customer accesses delivered content, the approved email generation system again verifies the content and allows the customer access to only the most current version of the content available. The system provides for control of the content of electronic communications to customers.

Abstract: An authentication system and device including physical unclonable function (PUF) and threshold cryptography comprising: a PUF device having a PUF input and a PUF output and constructed to generate, in response to the input of a challenge, an output value characteristic to the PUF and the challenge; and a processor having a processor input that is connected to the PUF output, and having a processor output connected to the PUF input, the processor configured to: control the issuance of challenges to the PUF input via the processor output, receive output from the PUF output, combine multiple received PUF output values each corresponding to a share of a private key or secret, and perform threshold cryptographic operations. The system and device may be configured so that shares are refreshable, and may be configured to perform staggered share refreshing.

Abstract: A method for enabling a scalable public-key infrastructure (PKI) comprises invoking a process of receiving a message for a device, identifying an association ID for the device, retrieving encrypted association keys stored on the server for communicating with the device, the encrypted association keys encrypted using a wrapping key stored on a Hardware Security Module (HSM). The method further comprises sending the message and the encrypted association keys to the HSM, unwrapping, by the HSM, the encrypted association keys to create unwrapped association keys, cryptographically processing the message to generate a processed message, deleting the unwrapped association keys, sending the processed message to the device, and invoking, concurrently and by a second application, the process.

Abstract: Disclosed herein is an Internet of things (IoT) device which is capable of defending against an attack such as hacking while strengthening security of IoT by dynamically determining whether to operate as a master device in an IoT network, and, when the master device is determined, generating, distributing, and managing private keys of other IoT devices in the IoT network.

Abstract: Nested commit/reveal sequences using randomized inputs from each participant in a gaming transaction (e.g., the house and each player) may be employed to provide a selection of outcome or outcomes that can be verified by each participant as free from cheating. In general, techniques may be employed in a variety of distributed gaming transaction environments and as a verification facility for any of a wide variety of games in which the risk of player collusion can be eliminated. Nonetheless, several variations on a distributed card dealing method are illustrative and will be appreciated by persons of ordinary skill in the art as applicable in other gaming environments, including games employing outcomes denominated in die (or dice) rolls, coin toss, wheel spins, blind selection or other ostensibly random selection of an outcome from a predefined set thereof.

Abstract: A system, comprising: memory operable to store at least one program; at least one processor in communication with the memory, in which the at least one program, when executed by the at least one processor, causes the at least one processor to perform the steps of: receiving an initial request for access to restricted data from a client device, the initial request including a user identifier; determining whether the user identifier is associated with any of a plurality of user registration records for accessing the restricted data; transmitting login data to the client device if the user identifier is associated with one of the plurality of user registration records and transmitting registration data to the client device if the user identifier is not associated with any of the plurality of the user registration records.

Abstract: Information can be added to the headers of email messages to ensure the messages are delivered using encryption, without the user having to manage keys or perform the encryption. A user can select an option in an email program that causes a flag to be added to the message header. Each mail server along the delivery path can provide (or expose) information about the type(s) of encryption supported, and if the encryption is not sufficient then the message will not be delivered to that server. This ensures the transport will remain encrypted before delivering the message to the next hop along the path. If the message cannot be delivered encrypted then the message will not be transmitted past that point. An end user then only needs to click a button or perform another such action to ensure encrypted message delivery.

Abstract: A system including a mobile device, a user of the mobile device, a computer system having a telecommunication module for telephonically communicating with the mobile device, a user of the computer system, and a security server is provided. Also provided is a method, at a mobile device, of authenticating a user of the mobile device during a telephone call having the steps of obtaining a user authentication input, obtaining validation of the user authentication input, initiating a telephone call with, or receiving a telephone call from, the computer system, and if the user authentication input is successfully validated, sending a token generated for the telephone call with the computer system via data-over-voice frequency signaling during the telephone call thereby providing an indication that the user authentication input has been successfully validated to the computer system.

Abstract: In a fully homomorphic encryption scheme, a method is provided for performing a homomorphic operation on a data set by applying an encrypted operand supplied as a ciphertext. A data set containing ‘i’ library vectors, each with ‘j’ coefficients is subjected to a pivot operation such that each set of common ‘j’ coefficients is stored in respective library ciphertexts. A query ciphertext containing a query vector is then subjected to a homomorphic pivot operation to separate out its ‘j’ coefficients into respective pivoted query ciphertexts. A more efficient homomorphic computation can then be carried out between the ciphertexts of the pivoted forms of the query and library vectors so as to compute an encrypted set of vector differences between the query vector and each of the library vectors.

Abstract: Embodiments of the disclosure are directed to systems and methods in which verification data is written to a portable device and used to complete a transaction. The system may identify a number of trusted third-party entities computers capable of providing verification data associated with a particular user. The system may generate requests to each of the trusted third-party computers for that verification data. Upon receiving responses, the system may select an appropriate verification data from the responses received from those trusted third-party computers. The verification data is then written to a portable device, which is provided to a user with which it is associated. Once provided, the portable device may be used in a transaction conducted at a resource provider and the verification data may be caused to be displayed on a display operated by the resource provider.

Abstract: In a fully homomorphic encryption scheme, a method is provided for performing a homomorphic operation on a data set by applying an encrypted operand supplied as a ciphertext. A data set containing ‘i’ library vectors, each with ‘j’ coefficients is subjected to a pivot operation such that each set of common ‘j’ coefficients is stored in respective library ciphertexts. A query ciphertext containing a query vector is then subjected to a homomorphic pivot operation to separate out its ‘j’ coefficients into respective pivoted query ciphertexts. A more efficient homomorphic computation can then be carried out between the ciphertexts of the pivoted forms of the query and library vectors so as to compute an encrypted set of vector differences between the query vector and each of the library vectors.