Abstract: In one embodiment, it is proposed a signing method delivering a partial signature associated with a message, said partial signature being used in a threshold signing method, the signing method being executed on an electronic device. Such signing method is remarkable in that it comprises signing a hash of said message with a one-time linearly homomorphic structure preserving signature method with a partial secret key, said partial secret key being obtained from an output of a secret sharing scheme, and said signing delivering said partial signature associated with said message.

Abstract: A cryptographic device performs modular addition between a first integer value x and a second integer value y in a processor by: obtaining a first masked input {circumflex over (x)}, a second masked input ?, a first mask rx and a second mask ry, the first masked input {circumflex over (x)} resulting from the first integer value x masked by the first mask rx and the second masked input ? resulting from the second integer value y masked by the second mask ry; computing a first iteration masked carry value ?1, using the first masked input {circumflex over (x)}, the second masked input ?, the first mask rx, the second mask ry and a carry mask value ?; recursively updating the masked carry value ?i to obtain a final masked carry value ?k?1, wherein the masked carry value is updated using the first masked input {circumflex over (x)}, the second masked input ?, the first mask rx, the second mask ry, and the carry mask value ?; combining the first masked input {circumflex over (x)} and the second masked input ? and t

Abstract: In one embodiment, it is proposed a method for determining a statistic value, for a given time period t, on a set of n?2 of plaintext data {xi,t}1?i?n with xi,t?p, p being a primer number, only based on a set of corresponding ciphertext data {ci,t=Eski(xi,t,t)}1?i?n, where E is an encryption method and ski an encryption key, without having access to all elements of the set of corresponding encryption key {ski}1?i?n. The method is implemented by an electronic device and is remarkable in that it comprises: obtaining said given time period t, and said set of corresponding ciphertext data {ci,t=Eski(xi,t,t)}1?i?n for which Eski(xi,t,t)=ƒ(xi,t) ?j=1k+1Hj(t)sj,i where functions H1, . . .

Abstract: In one embodiment, it is proposed a method for ciphering a message by a sender device at destination to a receiver device, said method comprising using a keyed homomorphic encryption function associated with a public key of said receiver device.

Abstract: In one embodiment, it is proposed a method for signing a set of binary element comprising n elements, where n is an integer, by an electronic device. Such method is remarkable in that it outputs a signature associated to the set, that can be derived by the use of the public key when one or several new elements are added to the set.

Abstract: A method and apparatus for performing modular exponentiation using iterative modular multiplications steps and taking as input a first modulus N, a secret exponent d and a base x. During at least one modular multiplication step aiming at computing a result c from two values a, b and the first modulus N so that c=a·b mod N, a processor takes as input the two values a, b and the first modulus N from which are obtained two operands a?, b? and a second modulus N? using operations with at most linear complexity—at least one of the two operands a?, b? is different from the two values a, b, and the two operands a?, b? are different when a is equal to b—so that the modular multiplication c=a·b mod N from a side-channel viewpoint behaves like a modular squaring except for when a? equals b? . An intermediate result c?=a?·b? mod N? is computed, and the result c is derived from the intermediate result c? using an operation with at most linear complexity; and the result c is used in the modular exponentiation.

Abstract: In one embodiment, it is proposed a method for ciphering a plaintext M belonging to a group of prime order p, such method being performed by an electronic device. The method is remarkable in that it comprises: encrypting said plaintext M in function of a public vector Z=(Z1, . . . , Zl)?l of l elements of said group , where l?2 log2(p), and a one-time private vector K comprising l binary elements (K[1], . . . , K[l])?{0,1}l, said encrypting delivering a first ciphertext belonging to a group k1 for an integer k1?1; encrypting said l binary elements delivering a second ciphertext in a group k2, for an integer k2>1.

Abstract: To generate a group signature on a message, a processor generates a two-level signature on an identity of the group member at the first level and the message at the second level; generates a commitment to the identity of the group member, commitments to each group element and a proof that the identity and the group elements satisfy a predetermined equation; encodes the identity of the group member in the group signature in a bit-wise manner using an identity-based encryption scheme where the message serves as the identity of the identity-based encryption scheme to produce a ciphertext; generates a first proof that the ciphertext encrypts the identity of the group member; generates a second proof that the encoded identity is an identity of a group member in a certificate signed by a group manager and that the certificate was used to generate the signature on the message at the second level; and outputs the group signature comprising the two-level signature, the commitments, the encoded identity of the group me

Abstract: The present invention improves on prior art group encryption schemes by encrypting an alias of a recipient's public key instead of the public key itself. A Group Manager publishes the encryption of the alias,the corresponding public key and a corresponding certificate on a public database DB. The alias is a resulting value of a suitably chosen function ƒ on the public key, and can be viewed as a hash of the public key. This can allow a significant decrease in the size and cost of the resulting construction as the alias can be made smaller than the public key. In particular, there is no need to apply the second encryption scheme as many times as there are group dements in the recipient's public key.

Abstract: A processor in a device performs fault-resistant exponentiation using an input x and a secret exponent d to obtain a result S, by using an a priori selected integer r and a chosen random element a ? {0, . . . , r?1} to form an extended base {circumflex over (x)} is formed such that ? { x ^ ? x ? ( mod ? ? N ) x ^ ? 1 + a · r ? ( mod ? ? r 2 ) In a generalization, for an a priori selected integer t=br2 (where b is an integer) co-prime to a modulus N, the processor has a modular inverse iN=N?N mod t. The processor generates the extended base by computing {circumflex over (x)}=x+N·[iN(1+ar?x) mod t] and then computes an extended modulus {circumflex over (N)}=Nt, computes Sr={circumflex over (x)}d mod {circumflex over (N)}, verifies if Sr?1+dar(mod r2), and if and only if this is so, returns the result S=Sr mod N via the interface.

Abstract: Encoding-free encryption on elliptic curves is obtained by a device having a processor choosing an integer r?/q; computing in E(p) the a first point C1=[r]P and a second point C2=[r]Y, wherein E is an elliptic curve defined over p, P?E(p) is a point of prime order q, Y=[s]P?E(p) is an encryption key for an integer s?/q; computing the class ? of ?(C2); computing a first value c2 by performing an elementary arithmetic operation modulo p between the message m?/p and the class ?; combining the first point C1 and the first value c2 to obtain the ciphertext (C1, c2); and outputting the ciphertext (C1, c2).

Abstract: A processor of a device generates a cryptographic commitment by receiving a vector {right arrow over (m)}, a public verification key of a homomorphic signature scheme, and a tag; choosing a signature ? in the signature space; generating a commitment c by running the verification algorithm of the homomorphic signature scheme; and outputting the commitment c as intermediate values resulting from the verification algorithm.

Abstract: Generation of linearly homomorphic structure-preserving signature ? on a vector (M1, . . . , Mn)?n by computing, in a processor, using a signing key sk={?i, ?i, ?i}i=1n, signature elements (z, r, u) by calculating z = ? i = 1 n ? ? M i - ? i ? , r = ? i = 1 n ? ? M i - ? i , u = ? i = 1 n ? ? M i - ? i , and outputting the signature ? comprising the signature elements (z, r, u). The signature is verified by verifying, in a processor that (M1, . . . , Mn)?(, . . . , ) and that (z, r, u) satisfy the equalities =e(gz, z)·e(gr, r)·?i=1ne(gi, Mi), =e(hz, z)·e(h, u)·?i=1ne (hi, Mi); and determining that the signature has been successfully verified in case the verifications are successful and that the signature has not been successfully verified otherwise. Also provided are a fully-fledged scheme and a context-hiding scheme.

Abstract: An exponentiation method resistant against side-channel attacks and safe-error attacks. Input to the method is g in a multiplicatively written group G and a /-digit exponent d with a radix m>1 and output is z=gd-1·(d?1) is expressed as a series of (/?1) non-zero digits, d*0 . . . d*I-2, in the set {m?1, . . . , 2m?2} and an extra digit d*I-1 that is equal to dI-1?1, where dI-1 represents the most significant radix-m digit of d, and gd-1 is evaluated through a m-ary exponentiation algorithm on input g and (d?1) represented by d*0 . . . d*I-1. Also provided are an apparatus and a computer program product.

Abstract: The public exponent e of an RSA key is embedded in a RSA key object that lacks this exponent. During exponentiation, the public exponent e may be extracted and used to verify that the result of the exponentiation is correct. The result is output only if this is the case. The invention counters fault-attacks. Also provided are an apparatus and a computer program product.

Abstract: Collaborative execution by a first device and a second device of a software application comprising at least one encrypted instruction. The first device obtains a first encrypted instruction; generates a session key; encrypts the first encrypted instruction; encrypts the session key using a symmetric algorithm and a first key; and transfers the encrypted first encrypted instruction and the encrypted session key to the second device. The second device decrypts the encrypted session key using the first key; decrypts the encrypted first encrypted instruction to obtain the first encrypted instruction; decrypts the first encrypted instruction using a third key to obtain an instruction; encrypts the instruction using the symmetric encryption algorithm and the session key to obtain a second encrypted instruction; and transfers the second encrypted instruction to the first device. The first device decrypts the second encrypted instruction using the session key to obtain the instruction; and executes the instruction.

Abstract: A method for performing a m-ary right-to-left exponentiation using a base x, a secret exponent d and a modulus N, wherein m is a power of 2.

Abstract: A method for controlling distribution of licenses, a license being for an excerpt of a content item, the content item comprising a set of continuous units, each excerpt comprising a subset of the set of continuous units, A device receives an identifier of a receiver of a license, and the license or a request to generate the license, the license or the request to generate the license comprising a content identifier and at least one indicator of the units covered by the license; retrieves stored information regarding licenses previously delivered to the receiver; compares a limit value for the content item with the stored information combined with information from the license or the request to generate the license; and allows the receiver access to the license only if the limit value is not exceeded by the stored information combined with information from the license or the request to generate the license Also provided is the device.

Abstract: A device and a method for calculating a multiple of a point on an elliptic curve from the right to the left by repeated point doubling and point addition. Each point doubling is evaluated with an extended set of coordinates and each point addition is evaluated by taking as input a restricted set of the extended set of coordinates. The at least one coordinate of the extended set that is not part of the restricted set is stored in a memory between each iteration of the point doubling. This can enable speeding up the calculations as compared to prior art solutions. Also provided is a computer program product.

Abstract: At CRYPTO 2003, Rubin and Silverberg introduced the concept of torus-based cryptography over a finite field. The present invention extends their setting to the ring of integers modulo N, thus obtaining compact representations for cryptographic systems that base their security on the discrete logarithm problem and the factoring problem. This can result in small key sizes and substantial savings in memory and bandwidth. However, unlike the case of finite field, analogous trace-based compression methods cannot be adapted to accommodate the extended setting of the invention when the underlying systems require more than a mere exponentiation. The invention finds particular application in a torus-based implementation of the ACJT group signature scheme. Also provided is a processor.