Abstract: Some embodiments are directed to a computer-implemented method (500) of determining a set of coefficients for homomorphically multiplying an encrypted value by a scalar. The encrypted value is represented by multiple respective value ciphertexts encrypting the value multiplied by respective powers of an even radix. The scalar multiplication is performed as a linear combination of the multiple respective value ciphertexts according to the set of coefficients. The set of coefficients are determined as digits of a radix decomposition of the scalar with respect to the radix. The determined digits lie between minus half the radix, inclusive, and plus half the radix, inclusive. It is ensured that no two subsequent digits are both equal in absolute value to half the radix.

Abstract: Some embodiments are directed to a fully homomorphic encryption (FHE) cryptography, wherein some encrypted data items are clipped, thereby reducing a bit-size of the encrypted data item and increasing an associated noise level of the encrypted data item. An FHE operation or a decrypt operation that operates on the clipped encrypted data item as input, has noise tolerance above a noise level associated with the clipped encrypted data item.

Abstract: A method and data processing system for detecting tampering of a machine learning model is provided. The method includes training a machine learning model. During a training operating period, a plurality of input values is provided to the machine learning model. In response to a predetermined invalid input value, the machine learning model is trained that a predetermined output value will be expected. The model is verified that it has not been tampered with by inputting the predetermined invalid input value during an inference operating period. If the expected output value is provided by the machine learning model in response to the predetermined input value, then the machine learning model has not been tampered with. If the expected output value is not provided, then the machine learning model has been tampered with. The method may be implemented using the data processing system.

Abstract: A method is provided for protecting a trained machine learning model that provides prediction results with confidence levels. The confidence level is a measure of the likelihood that a prediction is correct. The method includes determining if a query input to the model is an attempted attack on the model. If the query is determined to be an attempted attack, a first prediction result having a highest confidence level is swapped with a second prediction result having a relatively lower confidence level so that the first and second prediction results and confidence levels are re-paired. Then, the second prediction result is output from the model with the highest confidence level. By swapping the confidence levels and outputting the prediction results with the swapped confidence levels, the machine learning model is more difficult for an attacker to extract.

Abstract: A method for performing a secure evaluation of a decision tree, including: receiving, by a processor of a server, an encrypted feature vector x=(x1, . . . , xn) from a client; choosing a random mask ?0; calculating m0 and sending m0 to the client, wherein m0=xi0(0)?t0(0)+?0 and t0(0) is a threshold value in the first node in the first level of a decision tree ?; performing a comparison protocol on m0 and ?0, wherein the server produces a comparison bit b0 and the client produces a comparison bit b?0; choosing a random bit s0?{0,1} and when s0=1 switching a left and right subtrees of ?; sending b0?s0 to the client; and for each level =1, 2, . . . , d?1 of the decision tree ?, where d is the number of levels in the decision tree ?, perform the following steps: receiving from the client yk where k=0, 1, . . .

Abstract: Various embodiments relate to a method of encrypting a message m using a Paillier cryptosystem, including: computing a ciphertext c based upon the message m, N, and r, where N is the product of two distinct primes p and q, and r is randomly chosen such that r?[1, N); computing a first verification value based upon u and N, where u is randomly chosen such that u?[1, N); computing a second verification value s based upon u, r, the ciphertext c, the verification value, and a hash function H.

Abstract: A method for producing a white-box implementation of a cryptographic function using garbled circuits, including: producing, by a first party, a logic circuit implementing the cryptographic function using a plurality of logic gates and a plurality of wires; garbling the produced logic circuit, by the first party, including garbling the plurality of logic gates and assigning two garbled values for each of the plurality of wires; and providing a second party the garbled logic circuit and a first garbled circuit input value.

Abstract: The present disclosure provides a method (1100) and apparatus (702) for inhibiting the interruption of the content being consumed by a user that is provided by an entertainment system. The method (1100) and apparatus (702) of the present disclosure may detect an interruption event and determine, based on the current state of a user, whether the interruption event matches the current state of the user. If the method (1100) and apparatus (702) of the present disclosure determine that the interruption event does not match the current state of the user, the method (1100) and apparatus (702) of the present disclosure may inhibit the interruption of the content being consumed by the user.

Abstract: A method for performing a secure comparison between a first secret data and a second secret data, including: receiving, by a processor of a first party, encrypted bits of the second secret data y from a second party, where is an integer; computing the Hamming weight h of first secret data x, wherein x has bits; computing the value of a first comparison bit ?A such that ?A=0 when h>?/2?, ?A=1 when h<?/2?, and ?A is randomly selected when h=/2; forming a set of ?/2? indexes that includes at least the indexes i where xi=?A; selecting random invertible scalars ri for each i in and computing c*i=(1+(1?2?A)xi·yi2?A?1·(xj?yj))ri wherein w denotes the homomorphic encryption of w using a cryptographic key of the second party; selecting random invertible scalars r?1 and computing c*?1=(?A·xj?yj)r?1; transmitting ciphertexts c*i in a random order to the second party.

Abstract: A method for protecting against faults in a computation of a point multiplication Q=[k]P on an elliptic curve E defined over a prime field p, including: defining an integer r and a group ?={?()|?/r} represented with elements having a group law that coincides with a group law used in the representation for E(p) and isomorphic to an additive group (/r)+ through isomorphism ?; forming a combined group E(p)×?E(p)×(/r)+ which is isomorphic to a cross product of the groups E(p) and (/r)+; selecting an element in /r and defining an element P?=?() in group ?; forming a combined element {circumflex over (P)}=CRT(P,P?) in the group E(p)×?; calculating {circumflex over (Q)}=[k]{circumflex over (P)} in the combined group E(p)×?; calculating k in /r; and checking whether {circumflex over (Q)}?Q?(mod r) where Q?=?(k).

Abstract: A device, including: a memory; a processor configured to implement an encrypted machine leaning model configured to: evaluate the encrypted learning model based upon received data to produce an encrypted machine learning model output; producing verification information; a tamper resistant hardware configured to: verify the encrypted machine learning model output based upon the verification information; and decrypt the encrypted machine learning model output when the encrypted machine learning model output is verified.

Abstract: A method for computing the distance between two encrypted data vectors using elliptic curve cryptography.

Abstract: An asset, which is a graphical 3D object, is protected at a processor of an encryption device that obtains the asset and a proxy including polyhedrons, processes points of the asset to obtain transformed points lying within the polyhedrons of the proxy, and outputs a protected asset including the transformed points. A decryption device including a processor decrypts the protected asset by obtaining the transformed points of the protected asset, processing transformed points using a reverse of the transformation to obtain reconstructed points of the asset, and obtaining a reconstructed asset using the reconstructed points.

Abstract: A user inputs a password at a user device whose processor receives the password, retrieves a stored derived value resulting from a derivation function, preferably a cryptographic one-way function, applied to a reference password, scrambles the received password using a function taking the derived value as a variable to obtain a scrambled password, and sends the scrambled password to an authentication server. In case the stored derived value cannot be retrieved, the processor uses the derivation function to generate a derived value from the received password. In case the password is received during generation of a new password, the processor generates and stores a derived value from the new password. In an embodiment, the apparatus comprises the authentication server.

Abstract: In one embodiment, it is proposed a signing method delivering a partial signature associated with a message, said partial signature being used in a threshold signing method, the signing method being executed on an electronic device. Such signing method is remarkable in that it comprises signing a hash of said message with a one-time linearly homomorphic structure preserving signature method with a partial secret key, said partial secret key being obtained from an output of a secret sharing scheme, and said signing delivering said partial signature associated with said message.

Abstract: A threshold encryption system comprising a sender device configured to generate ciphertexts and at least one entity device configured to perform partial decryption of ciphertexts. The system is based on Cramer-Shoup encryption systems and use linearly homomorphic signatures as publicly verifiable proofs of ciphertext validity.

Abstract: In one embodiment, it is proposed a method of cryptographic processing of data, the method being executed by an electronic device, and comprising obtaining at least two points belonging to a same elliptic curve defined on an algebraic structure being a finite ring, each point being represented by at least two coordinates.

Abstract: A cryptographic device performs modular addition between a first integer value x and a second integer value y in a processor by: obtaining a first masked input {circumflex over (x)}, a second masked input ?, a first mask rx and a second mask ry, the first masked input {circumflex over (x)} resulting from the first integer value x masked by the first mask rx and the second masked input ? resulting from the second integer value y masked by the second mask ry; computing a first iteration masked carry value ?1, using the first masked input {circumflex over (x)}, the second masked input ?, the first mask rx, the second mask ry and a carry mask value ?; recursively updating the masked carry value ?i to obtain a final masked carry value ?k?1, wherein the masked carry value is updated using the first masked input {circumflex over (x)}, the second masked input ?, the first mask rx, the second mask ry, and the carry mask value ?; combining the first masked input {circumflex over (x)} and the second masked input ? and t

Abstract: A public-key encryption system. Encryption of a k-bit plaintext m is performed by picking a random generating ciphertext and outputting the ciphertext. N is a non-prime integer (preferably the product of two primes p and q), y is an element in multiplicative group of integers modulo N, and k is an integer larger than 1, Decryption of ciphertext c using private key is performed by recovering such that holds and outputting plaintext m, wherein denotes the 2k-th power residue symbol modulo p, which is defined. Also provided are an encryption device and a decryption device. The encryption scheme provides better bandwidth than the Goldwasser-Micali encryption scheme.

Abstract: In one embodiment, it is proposed a method for ciphering a plaintext M belonging to a group of prime order p, such method being performed by an electronic device. The method is remarkable in that it comprises: encrypting said plaintext M in function of a public vector Z=(Z1, . . . , Zl)?l of l elements of said group , where l?2 log2(p), and a one-time private vector K comprising l binary elements (K[1], . . . , K[l])?{0,1}l, said encrypting delivering a first ciphertext belonging to a group k1 for an integer k1?1; encrypting said l binary elements delivering a second ciphertext in a group k2, for an integer k2>1.