Abstract: A method, system and computer program product for performing computations on sensitive data while guaranteeing privacy. A service provider receives a first and a second ciphertext from a medical provider that homomorphically encrypts matrices A and B, respectively, using an encryption key, where the matrices A and B include medical data encoded as vectors. The service provider performs a homomorphic matrix multiplication on the first and second ciphertexts without decrypting the first and second ciphertexts. An encrypted result from the performed homomorphic matrix multiplication on the first and second ciphertexts is generated and transmitted to the medical provider to decrypt which matches a result of performing a matrix multiplication on unencrypted matrices A and B thereby enabling computations to be performed on the medical data in a secure manner.

Abstract: A method, system and computer program product for performing computations on sensitive data while guaranteeing privacy. A service provider receives a first and a second ciphertext from a medical provider that homomorphically encrypts matrices A and B, respectively, using an encryption key, where the matrices A and B include medical data encoded as vectors. The service provider performs a homomorphic matrix multiplication on the first and second ciphertexts without decrypting the first and second ciphertexts. An encrypted result from the performed homomorphic matrix multiplication on the first and second ciphertexts is generated and transmitted to the medical provider to decrypt which matches a result of performing a matrix multiplication on unencrypted matrices A and B thereby enabling computations to be performed on the medical data in a secure manner.

Abstract: In this application, example methods for performing quantum Montgomery arithmetic are disclosed. Additionally, circuit implementations are disclosed for reversible modular arithmetic, including modular addition, multiplication and inversion, as well as reversible elliptic curve point addition. This application also shows that elliptic curve discrete logarithms on an elliptic curve defined over an n-bit prime field can be computed on a quantum computer with at most 9n+2?log2(n)?+10 qubits using a quantum circuit of at most 512n3 log2(n)+3572n3 Toffoli gates.

Abstract: In this application, example methods for performing quantum Montgomery arithmetic are disclosed. Additionally, circuit implementations are disclosed for reversible modular arithmetic, including modular addition, multiplication and inversion, as well as reversible elliptic curve point addition. This application also shows that elliptic curve discrete logarithms on an elliptic curve defined over an n-bit prime field can be computed on a quantum computer with at most 9n+2 ?log2(n)?+10 qubits using a quantum circuit of at most 512n3 log2(n)+3572n3 Toffoli gates.

Abstract: A user device and one or more server computers securely evaluate a k-nearest neighbor model, with reasonable computation speed and bandwidth utilization, using a combination of techniques. The user device encrypts input vectors using a client's public key to keep client information private. The server computer homomorphically computes a distance between the encrypted input vector and vectors stored in the k-nearest neighbor model. The server computer then engages in a minimization process which results in the user device receiving classification vectors corresponding to the k-nearest neighbors.

Abstract: Decision trees can be securely evaluated with reasonable computation speed and bandwidth utilization. A user device encrypts input vectors using a client's public key in an additively homomorphic encryption system. A server computer effectively randomizes the decision tree for each use, such that a value indicative of a path resulting from applying an input vector to the decision tree is different each time the decision tree is used. The server computer homomorphically computes the evaluations of each decision node. The server computer provides the value indicative of the path through the decision tree as one part accessible by the client, and another part accessible by the server. The server computer uses the parts to look up a corresponding output value from a database of output values for each path. In this operation, only the output value corresponding to the combined parts can be retrieved, and only by the intended recipient.

Abstract: Genomic data encryption embodiments are presented which generally maintain the privacy of genomic data via an encryption scheme which allows computations to be performed on the encrypted data without the need for decryption. The genomic data is encrypted using a homomorphic polynomial encryption scheme to produce a vector of ciphertexts, where each ciphertext represents a different sample of the genomic data and takes the form of a polynomial and its associated coefficients. Computations on the encrypted genomic data are then performed on the vector or vectors of ciphertexts without decrypting the data. The results of the computations are then provided to an end user who decrypts them.

Abstract: A user device and one or more server computers securely evaluate a k-nearest neighbor model, with reasonable computation speed and bandwidth utilization, using a combination of techniques. The user device encrypts input vectors using a client's public key to keep client information private. The server computer homomorphically computes a distance between the encrypted input vector and vectors stored in the k-nearest neighbor model. The server computer then engages in a minimization process which results in the user device receiving classification vectors corresponding to the k-nearest neighbors.

Abstract: Decision trees can be securely evaluated with reasonable computation speed and bandwidth utilization. A user device encrypts input vectors using a client's public key in an additively homomorphic encryption system. A server computer effectively randomizes the decision tree for each use, such that a value indicative of a path resulting from applying an input vector to the decision tree is different each time the decision tree is used. The server computer homomorphically computes the evaluations of each decision node. The server computer provides the value indicative of the path through the decision tree as one part accessible by the client, and another part accessible by the server. The server computer uses the parts to look up a corresponding output value from a database of output values for each path. In this operation, only the output value corresponding to the combined parts can be retrieved, and only by the intended recipient.

Abstract: Genomic data encryption embodiments are presented which generally maintain the privacy of genomic data via an encryption scheme which allows computations to be performed on the encrypted data without the need for decryption. The genomic data is encrypted using a homomorphic polynomial encryption scheme to produce a vector of ciphertexts, where each ciphertext represents a different sample of the genomic data and takes the form of a polynomial and its associated coefficients. Computations on the encrypted genomic data are then performed on the vector or vectors of ciphertexts without decrypting the data. The results of the computations are then provided to an end user who decrypts them.

Abstract: One or more techniques and/or systems are disclosed that provide for determining mathematical pairings for a curve for use in cryptography. A plurality of inversions used for determining the mathematical pairings for the curve are aggregated (e.g., into a single inversion in respective levels of a binary tree representation of elements of the computation). The mathematical pairings for the curve are determined in affine coordinates from a binary representation of a scalar read from right to left using the aggregated plurality of inversions.

Abstract: One or more techniques and/or systems are disclosed for generating a genus 2 curve for use in cryptography. One or more invariant values used to generate the genus 2 curve are determined by evaluating one or more invariant functions on a Hilbert modular surface. The genus 2 curve is generated using the one or more invariant values to determine an equation describing the genus 2 curve. A group is generated from the genus 2 curve, and the group may be used for a cryptographic application.

Abstract: One or more techniques and/or systems are disclosed that provide for determining mathematical pairings for a curve for use in cryptography. A plurality of inversions used for determining the mathematical pairings for the curve are aggregated (e.g., into a single inversion in respective levels of a binary tree representation of elements of the computation). The mathematical pairings for the curve are determined in affine coordinates from a binary representation of a scalar read from right to left using the aggregated plurality of inversions.

Abstract: One or more techniques and/or systems are disclosed for generating a genus 2 curve for use in cryptography. One or more invariant values used to generate the genus 2 curve are determined by evaluating one or more invariant functions on a Hilbert modular surface. The genus 2 curve is generated using the one or more invariant values to determine an equation describing the genus 2 curve. A group is generated from the genus 2 curve, and the group may be used for a cryptographic application.

Abstract: A cryptosystem has a secret based on an order of a group of points on a Jacobian of a curve. In certain embodiments, the cryptosystem is used to generate a product identifier corresponding to a particular product. The product identifier is generated by initially receiving a value associated with a copy (or copies) of a product. The received value is padded using a recognizable pattern, and the padded value is converted to a number represented by a particular number of bits. The number is then converted to an element of the Jacobian of the curve, and the element is then raised to a particular power. The result of raising the element to the particular power is then compressed and output as the product identifier. Subsequently, the encryption process can be reversed and the decrypted value used to indicate validity and/or authenticity of the product identifier.

Abstract: Function properties may be approximated using an expander graph. For example, an approximate average of a function may be determined by randomly exploring an expander graph. Values of the function are associated with vertices of the expander graph. The expander graph is randomly explored by traversing edges and encountering vertices. The exploration may comprise a crawl, a walk, and so forth. An approximate average of the function is determined based on the function values that are associated with encountered vertices.

Abstract: Pscudorandom numbers may be generated from input seeds using expander graphs. Expander graphs are a collection of vertices that are interconnected via edges. Generally, a walk around an expander graph is determined responsive to an input seed, and a pseudorandom number is produced based on vertex names. Specifically, a next edge, which is one of multiple edges emanating from a current vertex, is selected responsive to an extracted seed chunk. The next edge is traversed to reach a next vertex. The name of the next vertex is ascertained and used as a portion of the pseudorandom number being produced by the walk around the expander graph.

Abstract: Systems and methods are described for trapdoor pairing. In one implementation, a trapdoor pairing is a cryptographic primitive generated by determining a bilinear pairing between an elliptic curve group and another group and selecting a parameter of the bilinear pairing, such as a group order or an isogeny between curves, to be a key for generating and evaluating the bilinear pairing. Trapdoor pairing allows construction of a group in which the Decisional Diffie-Hellman (DDH) problem is computationally infeasible given only the description of the group, but is easy given the secret key. Exemplary trapdoor pairing constructions have general applicability to cryptography and also lend themselves more specifically to certain special practical implementations, such as public key cryptography and certificate authority infrastructures.

Abstract: Digital signatures for network coding are described. In one aspect, digital signatures for network coding are described. In one aspect, segmented blocks of content for distribution are digitally signed using homomorphic digital signatures generated from an elliptic curve. A linear combination of packets comprising the digitally signed content is distributed to a destination device according to an implemented distribution scheme. The linear combination of packets includes public information when digitally signing the segmented blocks. The homomorphic digital signatures and the public information allow a device receiving one or more packets of the linear combination of packets to verify and authenticate content associated with the one of our packets independent of secure transmission of secret keys and hash digests used to digitally sign the one or more packets.

Abstract: Hash function constructions from expander graphs are described. In one aspect, an expander graph is walked to compute a hash function. The expander graph is walked using respective subsets of an input message. A label of a last vertex walked is an output of the hash function.