Abstract: In one embodiment, it is proposed a method for processing a generalized Goldwasser-Micali ciphertext, said ciphertext being obtained through a use of a public key, said method being executed on an electronic device and being remarkable in that it comprises:—determining at least one bit of a binary representation of a plaintext associated with said ciphertext, said at least one bit corresponding to a bit positioned at j-th position of said binary representation of said plaintext, j being an integer greater or equal to one, and position zero of said binary representation corresponding to the least significant bit of said binary representation, said determining being a function of—said ciphertext, —an element of said public key, —a private key associated to said public key, —an element defined as a function of said private key, and —least significant bits of said plaintext from position zero to position j?1 in said binary representation.

Abstract: An asset, which is a graphical 3D object, is protected at a processor of an encryption device that obtains the asset and a proxy including polyhedrons, processes points of the asset to obtain transformed points lying within the polyhedrons of the proxy, and outputs a protected asset including the transformed points. A decryption device including a processor decrypts the protected asset by obtaining the transformed points of the protected asset, processing transformed points using a reverse of the transformation to obtain reconstructed points of the asset, and obtaining a reconstructed asset using the reconstructed points.

Abstract: A public-key encryption system. Encryption of a k-bit plaintext m is performed by picking a random generating ciphertext and outputting the ciphertext. N is a non-prime integer (preferably the product of two primes p and q), y is an element in multiplicative group of integers modulo N, and k is an integer larger than 1, Decryption of ciphertext c using private key is performed by recovering such that holds and outputting plaintext m, wherein denotes the 2k-th power residue symbol modulo p, which is defined. Also provided are an encryption device and a decryption device. The encryption scheme provides better bandwidth than the Goldwasser-Micali encryption scheme.

Abstract: In one embodiment, it is proposed a method for ciphering a plaintext M belonging to a group of prime order p, such method being performed by an electronic device. The method is remarkable in that it comprises: encrypting said plaintext M in function of a public vector Z=(Z1, . . . , Zl)?l of l elements of said group , where l?2 log2(p), and a one-time private vector K comprising l binary elements (K[1], . . . , K[l])?{0,1}l, said encrypting delivering a first ciphertext belonging to a group k1 for an integer k1?1; encrypting said l binary elements delivering a second ciphertext in a group k2, for an integer k2>1.

Abstract: A group encryption system comprising at least one group member device, a group manager device, an opening authority device, a sender device and a tracing agent device. The sender device is configured to encrypt a plaintext using the public key of a group member. The group member device is configured to receive and decrypt the ciphertext using the corresponding private key, and also to claim or disclaim a ciphertext. The opening authority device is configured to disclose at least one user-specific trapdoor that makes it possible to trace, by the tracing agent device, all the ciphertexts for the specified user and only those ciphertexts.

Abstract: A threshold encryption system comprising a sender device (120) configured to generate ciphertexts and at least one entity device (110) configured to perform partial decryption of ciphertexts. The system is based on Cramer-Shoup encryption systems and use linearly homomorphic signatures as publicly verifiable proofs of ciphertext validity.

Abstract: A method and system for privacy-preserving ridge regression using partially homomorphic encryption and masks is provided. The method includes the steps of requesting a garbled circuit from a crypto service provider, collecting data from multiple users that has been formatted and encrypted using partially homomorphic encryption, summing the data that has been formatted and encrypted using partially homomorphic encryption, applying a prepared masks to the summed data, receiving garbled inputs corresponding to prepared mask from the crypto service provider using oblivious transfer, and evaluating the garbled circuit from the crypto service provider using the garbled inputs and masked data.

Abstract: A method for distributing content in a content distribution system is disclosed which comprises the steps of: encrypting at a Content Packager a content using a content encryption key to generate an encrypted content; sending the content encryption key to a Licensing Authority; receiving from the Licensing Authority a distribution key containing an encryption of the content decryption key (Kc) for a given set of authorized devices; creating a secure link between the content encryption key (Kc) and the content protected by this content encryption key using a signature of the content; and distributing the encrypted content together with the signature of the content. A method for receiving content distributed according to the above-mentioned method in a device able to play back the content is also disclosed where the content signature is checked before any play back of the content.

Abstract: A method includes: receiving a first set of records, each record received from a respective user in a first set of users, and including a set of tokens and a set of items, and kept secret from parties other than the respective user, evaluating the first set of records by a recommender system using a first garbled circuit based on matrix factorization to obtain a masked item profile for each of a plurality of items in the first set of records, receiving a recommendation request from a requesting user for a particular item, and transferring the masked item profiles to the requesting user, wherein the requesting user evaluates a second record and the masked item profiles by using a second garbled circuit based on ridge regression to obtain the recommendation about the particular item and only known by the requesting user. An equivalent apparatus is configured to perform the method.

Abstract: A method includes: receiving a set of records from a source, wherein each record in the set of records includes a set of tokens, and wherein each record is kept secret from parties other than the source, and evaluating the set of records with a garbled circuit, wherein the output of the garbled circuit is a count based on the set of tokens. An apparatus includes: a processor, that communicates with at least one input/output interface and at least one memory in signal communication with the processor, and wherein the processor is configured to: receive a set of records from a source, wherein each record includes a set of tokens, and wherein each record is kept secret from parties other than the source and evaluate the set of records with a garbled circuit, wherein the output of the garbled circuit is a count based on the set of tokens.

Abstract: A hybrid approach to privacy-preserving ridge regression is presented that uses both homomorphic encryption and Yao garbled circuits. Users in the system submit their data encrypted under a linearly homomorphic encryption. The linear homomorphism is used to carry out the first phase of the algorithm that requires only linear operations. The output of this phase generates encrypted data, in a form that is independent of the number of users n. In a second phase, a Yao garbled circuit that first implements homomorphic decryption and then does the rest of the regression algorithm (as shown, an optimized realization can avoid decryption in the garbled circuit) is evaluated. For this step a Yao garbled circuit approach is much faster than current fully homomorphic encryption schemes. Thus the best of both worlds is obtained by using linear homomorphisms to handle a large data set and using garbled circuits for the heavy non-linear part of the computation.

Abstract: A method includes: receiving a set of records, wherein each record in the set of records is received from a respective user and includes a set of tokens and a set of items, and wherein each record is kept secret from parties other than the respective user, receiving a recommendation request from a requesting user for a particular item, evaluating the set of records by using a garbled circuit based on matrix factorization, wherein the output of the garbled circuit includes a masked item profile for a particular item and a masked user profile for the requesting user, receiving an encrypted user profile from the requesting user, generating an encrypted recommendation for the particular item based on the encrypted user profile, and providing the encrypted recommendation to the requesting user, wherein the requesting user decrypts it to obtain the recommendation. An equivalent apparatus is configured to perform the method.

Abstract: A method includes: receiving a set of records from a source, wherein each record in the set of records includes a set of tokens and a set of items, and wherein each record is kept secret from parties other than the source, receiving at least one separate item, and evaluating the set of records and the at least one separate item by using a garbled circuit based on matrix factorization, wherein the output of the garbled circuit includes an item profile for each at least one separate item. An apparatus includes: a processor that communicates with at least one input/output interface, and at least one memory in signal communication with the processor, wherein the processor is configured to perform the method.

Abstract: In one embodiment, it is proposed a method for encrypting a plaintext M ? , where is a DDH-hard group of prime order p. The method is executed by an electronic device, and is remarkable in that it comprises: obtaining a public key PK=(, N, g, h, X, H, G) where N is a RSA module, elements g, h are random elements belonging to said group , X=gxhy ? , where elements x, y are random values from a ring p, and H, G are hash functions; obtaining two random elements r, s, each element belonging to the ring p; determining a vector being (C0, C1, C2)=(M.Xr, gr, hr); determining a proof ? that logg(C1)=logh(C2), said proof comprising two components c, t?, with c=H(C0, C1, C2, gs, hs) and t?=s+c.r mod p; delivering a ciphertext C=(C0, C1, C2, ?)=(C0, C1, C2, c, t?) ? 3×p2.

Abstract: A method and system for privacy-preserving ridge regression using masks is provided. The method includes the steps of requesting a garbled circuit from a crypto service provider, collecting data from multiple users that has been formatted and encrypted using homomorphic encryption, summing the data that has been formatted and encrypted using homomorphic encryption, applying prepared masks to the summed data, receiving garbled inputs corresponding to prepared mask from the crypto service provider using oblivious transfer, and evaluating the garbled circuit from the crypto service provider using the garbled inputs and masked data.

Abstract: A user inputs a password at a user device whose processor receives the password, retrieves a stored derived value resulting from a derivation function, preferably a cryptographic one-way function, applied to a reference password, scrambles the received password using a function taking the derived value as a variable to obtain a scrambled password, and sends the scrambled password to an authentication server. In case the stored derived value cannot be retrieved, the processor uses the derivation function to generate a derived value from the received password. In case the password is received during generation of a new password, the processor generates and stores a derived value from the new password. In an embodiment, the apparatus comprises the authentication server.

Abstract: A user inputs a password entry at a computer, which processes the entry using a function to obtain a plurality of sub-entries that are sent to a server. Each sub-entry is generated by padding the password entry to obtain a fix-length password entry from which are generated a number of strings in which different combinations of k characters are missing and then passed through a one-way function. The server receives the sub-entries and compares each sub-entry with stored password verifiers for the user to determine if they match. If at least one sub-entry matches a password verifier, the user is authenticated and a notification is sent to the user via the computer. If no sub-entry matches a password verifier, then the user is not authorized. Up to k typing errors can be accepted in the password entry.

Abstract: Paillier-based blind decryption. A user device obtains a first Paillier Paillier ciphertext c for a message m, generates a blinded Paillier ciphertext c0 by calculating c0=c mod N, sends the blinded Paillier ciphertext c0 to a decryptor and generates a first value 0=c0?1 mod N and a blinded plaintext m * = ( c ? ? ? 0 ? ? mod ? ? N 2 ) - 1 N . The decryptor generates a first key ?0 from a private key ?, generates a second value ?0=c0?0 mod N, generates a third value =?0N mod N2 and, finally, generates a return value ? 1 = ( ?c 0 ? ? mod ? ? N 2 ) - 1 N that is returned to the user device, which calculates the clear plaintext m=m*+?1 mod N. The clear plaintext m can then for example be output to a user or stored for later retrieval. Also provided is a generalized Paillier-based blind decryption.

Abstract: A processor of a device of user i in an aggregator-oblivious encryption system with n users encrypts a message {right arrow over (xl,t)}=(xi,t,1, . . . , xi,t,r) where t denotes a time period by generating an encrypted value ci,t for the time period t, by calculating ci,t=g1xi,t,1 . . . grxi,t,r·H(t)si, wherein H(t) is a hash function that hashes the time t on to an element of a first group 1 with order q1 in which discrete logarithms are calculable only in non-polynomial time for a security parameter ?, wherein g1, . . . , gr the base of a second group 2=g1, . . . , gr with order q2 in which discrete logarithms are calculable in polynomial time, the first group 1 and the second group 2 both being different subgroups of a third group , and wherein si is a key for user i provided by a dealer so that an aggregator key s0=??i=1n si and outputs the encrypted value ci,t to an aggregator.

Abstract: In one embodiment, it is proposed a method of cryptographic processing of data, the method being executed by an electronic device, and comprising obtaining at least two points belonging to a same elliptic curve defined on an algebraic structure being a finite ring, each point being represented by at least two coordinates.