Abstract: In one embodiment, it is proposed a signing method delivering a partial signature associated with a message, said partial signature being used in a threshold signing method, the signing method being executed on an electronic device. Such signing method is remarkable in that it comprises signing a hash of said message with a one-time linearly homomorphic structure preserving signature method with a partial secret key, said partial secret key being obtained from an output of a secret sharing scheme, and said signing delivering said partial signature associated with said message.

Abstract: A threshold encryption system comprising a sender device configured to generate ciphertexts and at least one entity device configured to perform partial decryption of ciphertexts. The system is based on Cramer-Shoup encryption systems and use linearly homomorphic signatures as publicly verifiable proofs of ciphertext validity.

Abstract: The present principles use the message to be signed as a label—of the private key augmented with a QA-NIZK proof that the encrypted value is a persistent hidden secret. One-time homomorphic signatures are used to generate the signature and the public key. The private key for the one-time homomorphic signatures is included in the private key for signing the message, and the public key for the one-time homomorphic signatures is included in the public key for verifying the signature. Consequently, we obtain DLIN-based signatures comprised of only 6 group elements. The security proof uses a sequence of hybrid games, gradually moves to a game where all signatures contain an encryption of a random value while the QA-NIZK proofs are simulated proofs for false statements.

Abstract: A method and a device for generation of a cryptographic key pair for use in a (generalized) Goldwasser-Micali cryptosystem. The device generates a first prime p?1 (mod 2k), where k?1 is an integer, and a second prime q?3 (mod 4) or q?1 (mod 4); computes a modulus N=pq; picks an integer y?N\N, where N is a set of integers whose Jacobi symbol is 1 and N is a set of quadratic residues; and outputs a public key pk={N,y,k} and a private key sk={p,k}.

Abstract: In one embodiment, it is proposed a for ciphering digital data M being an element of a group T, said group T being part of a bilinear group of prime order p.

Abstract: In one embodiment, it is proposed a method for processing a generalized Goldwasser-Micali ciphertext, said ciphertext being obtained through a use of a public key, said method being executed on an electronic device and being remarkable in that it comprises:—determining at least one bit of a binary representation of a plaintext associated with said ciphertext, said at least one bit corresponding to a bit positioned at j-th position of said binary representation of said plaintext, j being an integer greater or equal to one, and position zero of said binary representation corresponding to the least significant bit of said binary representation, said determining being a function of—said ciphertext, —an element of said public key, —a private key associated to said public key, —an element defined as a function of said private key, and —least significant bits of said plaintext from position zero to position j?1 in said binary representation.

Abstract: In one embodiment, it is proposed a method for ciphering a plaintext M belonging to a group of prime order p, such method being performed by an electronic device. The method is remarkable in that it comprises: encrypting said plaintext M in function of a public vector Z=(Z1, . . . , Zl)?l of l elements of said group , where l?2 log2(p), and a one-time private vector K comprising l binary elements (K[1], . . . , K[l])?{0,1}l, said encrypting delivering a first ciphertext belonging to a group k1 for an integer k1?1; encrypting said l binary elements delivering a second ciphertext in a group k2, for an integer k2>1.

Abstract: A group encryption system comprising at least one group member device, a group manager device, an opening authority device, a sender device and a tracing agent device. The sender device is configured to encrypt a plaintext using the public key of a group member. The group member device is configured to receive and decrypt the ciphertext using the corresponding private key, and also to claim or disclaim a ciphertext. The opening authority device is configured to disclose at least one user-specific trapdoor that makes it possible to trace, by the tracing agent device, all the ciphertexts for the specified user and only those ciphertexts.

Abstract: A threshold encryption system comprising a sender device (120) configured to generate ciphertexts and at least one entity device (110) configured to perform partial decryption of ciphertexts. The system is based on Cramer-Shoup encryption systems and use linearly homomorphic signatures as publicly verifiable proofs of ciphertext validity.

Abstract: In one embodiment, it is proposed a method for encrypting a plaintext M ? , where is a DDH-hard group of prime order p. The method is executed by an electronic device, and is remarkable in that it comprises: obtaining a public key PK=(, N, g, h, X, H, G) where N is a RSA module, elements g, h are random elements belonging to said group , X=gxhy ? , where elements x, y are random values from a ring p, and H, G are hash functions; obtaining two random elements r, s, each element belonging to the ring p; determining a vector being (C0, C1, C2)=(M.Xr, gr, hr); determining a proof ? that logg(C1)=logh(C2), said proof comprising two components c, t?, with c=H(C0, C1, C2, gs, hs) and t?=s+c.r mod p; delivering a ciphertext C=(C0, C1, C2, ?)=(C0, C1, C2, c, t?) ? 3×p2.

Abstract: Paillier-based blind decryption. A user device obtains a first Paillier Paillier ciphertext c for a message m, generates a blinded Paillier ciphertext c0 by calculating c0=c mod N, sends the blinded Paillier ciphertext c0 to a decryptor and generates a first value 0=c0?1 mod N and a blinded plaintext m * = ( c ? ? ? 0 ? ? mod ? ? N 2 ) - 1 N . The decryptor generates a first key ?0 from a private key ?, generates a second value ?0=c0?0 mod N, generates a third value =?0N mod N2 and, finally, generates a return value ? 1 = ( ?c 0 ? ? mod ? ? N 2 ) - 1 N that is returned to the user device, which calculates the clear plaintext m=m*+?1 mod N. The clear plaintext m can then for example be output to a user or stored for later retrieval. Also provided is a generalized Paillier-based blind decryption.

Abstract: A processor of a device of user i in an aggregator-oblivious encryption system with n users encrypts a message {right arrow over (xl,t)}=(xi,t,1, . . . , xi,t,r) where t denotes a time period by generating an encrypted value ci,t for the time period t, by calculating ci,t=g1xi,t,1 . . . grxi,t,r·H(t)si, wherein H(t) is a hash function that hashes the time t on to an element of a first group 1 with order q1 in which discrete logarithms are calculable only in non-polynomial time for a security parameter ?, wherein g1, . . . , gr the base of a second group 2=g1, . . . , gr with order q2 in which discrete logarithms are calculable in polynomial time, the first group 1 and the second group 2 both being different subgroups of a third group , and wherein si is a key for user i provided by a dealer so that an aggregator key s0=??i=1n si and outputs the encrypted value ci,t to an aggregator.

Abstract: In one embodiment, it is proposed a signing method delivering a partial signature associated with a message, said partial signature being used in a threshold signing method, the signing method being executed on an electronic device. Such signing method is remarkable in that it comprises signing a hash of said message with a one-time linearly homomorphic structure preserving signature method with a partial secret key, said partial secret key being obtained from an output of a secret sharing scheme, and said signing delivering said partial signature associated with said message.

Abstract: In one embodiment, it is proposed a method for determining a statistic value, for a given time period t, on a set of n?2 of plaintext data {xi,t}1?i?n with xi,t?p, p being a primer number, only based on a set of corresponding ciphertext data {ci,t=Eski(xi,t,t)}1?i?n, where E is an encryption method and ski an encryption key, without having access to all elements of the set of corresponding encryption key {ski}1?i?n. The method is implemented by an electronic device and is remarkable in that it comprises: obtaining said given time period t, and said set of corresponding ciphertext data {ci,t=Eski(xi,t,t)}1?i?n for which Eski(xi,t,t)=ƒ(xi,t) ?j=1k+1Hj(t)sj,i where functions H1, . . .

Abstract: In one embodiment, it is proposed a method for signing a set of binary element comprising n elements, where n is an integer, by an electronic device. Such method is remarkable in that it outputs a signature associated to the set, that can be derived by the use of the public key when one or several new elements are added to the set.

Abstract: In one embodiment, it is proposed a method for ciphering a message by a sender device at destination to a receiver device, said method comprising using a keyed homomorphic encryption function associated with a public key of said receiver device.

Abstract: To generate a group signature on a message, a processor generates a two-level signature on an identity of the group member at the first level and the message at the second level; generates a commitment to the identity of the group member, commitments to each group element and a proof that the identity and the group elements satisfy a predetermined equation; encodes the identity of the group member in the group signature in a bit-wise manner using an identity-based encryption scheme where the message serves as the identity of the identity-based encryption scheme to produce a ciphertext; generates a first proof that the ciphertext encrypts the identity of the group member; generates a second proof that the encoded identity is an identity of a group member in a certificate signed by a group manager and that the certificate was used to generate the signature on the message at the second level; and outputs the group signature comprising the two-level signature, the commitments, the encoded identity of the group me

Abstract: In one embodiment, it is proposed a method for ciphering a plaintext M belonging to a group of prime order p, such method being performed by an electronic device. The method is remarkable in that it comprises: encrypting said plaintext M in function of a public vector Z=(Z1, . . . , Zl)?l of l elements of said group , where l?2 log2(p), and a one-time private vector K comprising l binary elements (K[1], . . . , K[l])?{0,1}l, said encrypting delivering a first ciphertext belonging to a group k1 for an integer k1?1; encrypting said l binary elements delivering a second ciphertext in a group k2, for an integer k2>1.

Abstract: Encoding-free encryption on elliptic curves is obtained by a device having a processor choosing an integer r?/q; computing in E(p) the a first point C1=[r]P and a second point C2=[r]Y, wherein E is an elliptic curve defined over p, P?E(p) is a point of prime order q, Y=[s]P?E(p) is an encryption key for an integer s?/q; computing the class ? of ?(C2); computing a first value c2 by performing an elementary arithmetic operation modulo p between the message m?/p and the class ?; combining the first point C1 and the first value c2 to obtain the ciphertext (C1, c2); and outputting the ciphertext (C1, c2).

Abstract: Generation of linearly homomorphic structure-preserving signature ? on a vector (M1, . . . , Mn)?n by computing, in a processor, using a signing key sk={?i, ?i, ?i}i=1n, signature elements (z, r, u) by calculating z = ? i = 1 n ? ? M i - ? i ? , r = ? i = 1 n ? ? M i - ? i , u = ? i = 1 n ? ? M i - ? i , and outputting the signature ? comprising the signature elements (z, r, u). The signature is verified by verifying, in a processor that (M1, . . . , Mn)?(, . . . , ) and that (z, r, u) satisfy the equalities =e(gz, z)·e(gr, r)·?i=1ne(gi, Mi), =e(hz, z)·e(h, u)·?i=1ne (hi, Mi); and determining that the signature has been successfully verified in case the verifications are successful and that the signature has not been successfully verified otherwise. Also provided are a fully-fledged scheme and a context-hiding scheme.