Patent classifications
G06F7/723
Secure computation apparatus, system, method and program
A bit-decomposition secure computation apparatus uses r1, r2, and r3 satisfying w=r1+r2+r3 mod 2^n as share information of (2, 3) threshold type RSS (Replicated Secret Sharing) stored in a share value storage apparatus, and includes an addition sharing part that sums two values out of the share information by modulo 2^n arithmetic and distributes the sum using (2, 3) type RSS; and a full adder secure computation part that adds the value generated by the addition sharing part by distributing the sum of the two values to share information of one remaining value other than the two values used by the addition sharing part for each digit by using secure computation of a full adder.
Compression and homomorphic encryption in secure query and analytics
Systems and methods for end-to-end encryption and compression are described herein. A query is encrypted at a client using a homomorphic encryption scheme. The encrypted query is sent to a server where the encrypted query is evaluated over target data to generate an encrypted response without decrypting the encrypted query. The result elements of the encrypted response are grouped, co-located, and compressed, without decrypting the encrypted query or the encrypted response. The compressed encrypted response is sent to the client where it is decrypted and decompressed to obtain the results of the query without revealing the query or results to the owner of the target data, an observer, or an attacker.
EFFICIENT SQUARING WITH LOOP EQUALIZATION IN ARITHMETIC LOGIC UNITS
Aspects of the present disclosure describe a method and a system to support execution of the method to perform a cryptographic operation involving identifying an N-word number, X = X_{N−1} ... X_1 X_0, to be squared, performing a first loop comprising M first loop iterations, wherein M is a largest integer not exceeding (N+1)/2, each of the M first loop iterations comprising a second loop that comprises a plurality of second loop iterations, wherein an iteration m of the second loop that is within an iteration j of the first loop comprises computing a product X_a*X_b of a word X_a and a word X_b, wherein a+b=2j+m, j≥0 and m≥0, and wherein all second loops have an equal number of second loop iterations.
INFORMATION PROCESSING APPARATUS, SECURE COMPUTATION METHOD, AND PROGRAM
An information processing apparatus comprises a partial modular exponentiation calculating part and a partial modular exponentiation synthesizing part. The partial modular exponentiation calculating part is given a base in plaintext and a modulo in plaintext and shared exponents and calculates a partial modular exponentiation that equals a set of shared values according to a modular exponentiation of the base raised by the shared exponent. The partial modular exponentiation synthesizing part calculates shared values of the modular exponentiation from the partial modular exponentiation that equals shared values relating to the modular exponentiation of a sum of shared exponents.
Outsourcing Exponentiation in a Private Group
A method for outsourcing exponentiation in a private group includes executing a query instruction to retrieve a query element stored on an untrusted server by selecting a prime factorization of two or more prime numbers of a modulus associated with the query element stored on the server, obtaining a group element configured to generate a respective one of the prime numbers, generating a series of base values using the prime factorization and the group element, and transmitting the series of base values from the client device to the server. The server is configured to determine an exponentiation of the group element with an exponent stored on the server using the series of base values. The method also includes receiving a result from the server based on the exponentiation of the group element with the exponent.
Testing resistance of a circuit to a side channel analysis
In a general aspect, a test method can include: acquiring a plurality of value sets, each comprising values of a physical quantity or of logic signals, linked to the activity of a circuit to be tested when executing distinct cryptographic operations applied to a same secret data; for each value set, counting occurrence numbers of the values of the set; for each operation and each of the possible values of a part of the secret data, computing a partial result of operation; computing sums of occurrence numbers, each sum being obtained by adding the occurrence numbers corresponding to the operations which, when applied to a same possible value of the part of the secret data, provide a partial operation result having a same value; and analyzing the sums of occurrence numbers to determine the part of the secret data.
OBFUSCATING CRYPTOGRAPHIC PARAMETERS USED IN ELLIPTICAL CURVE CRYPTOGRAPHY, AND RELATED SYSTEMS AND DEVICES
An obfuscation process is described for obfuscating a cryptographic parameter of cryptographic operations such as calculations used in elliptical curve cryptography and elliptical curve point multiplication. Such obfuscation processes may be used for obfuscating device characteristics that might otherwise disclose information about the cryptographic parameter, the cryptographic operations, or cryptographic operations more generally, such as information sometimes gleaned from side channel attacks and lattice attacks.
HAMILTONIAN SIMULATION BASED ON SIMULTANEOUS-DIAGONALIZATION
Systems and techniques that facilitate Hamiltonian simulation based on simultaneous-diagonalization are provided. In various embodiments, a partition component can partition one or more Pauli operators of a Hamiltonian into one or more subsets of commuting Pauli operators. In various embodiments, a diagonalization component can generate one or more simultaneous-diagonalization circuits corresponding to the one or more subsets. In various aspects, a one of the one or more simultaneous-diagonalization circuits can diagonalize the commuting Pauli operators in a corresponding one of the one or more subsets. In various embodiments, an exponentiation component can generate one or more exponentiation circuits corresponding to the one or more subsets. In various aspects, a one of the one or more exponentiation circuits can exponentiate the simultaneously diagonalized commuting Pauli operators in a corresponding one of the one or more subsets. In various embodiments, a simulation component can concatenate the one or more simultaneous-diagonalization circuits, the one or more exponentiation circuits, and one or more adjoints of the one or more simultaneous-diagonalization circuits of the one or more subsets to simulate a time evolution of the Hamiltonian.
Exponent splitting for cryptographic operations
A first share value and a second share value may be received. A combination of the first share value and the second share value may correspond to an exponent value. The value of a first register is updated using a first equation that is based on the first and second share values and the value of a second register is updated using a second equation that is based on the second share value. One of the value of the first register or the value of the second register is selected based on a bit value of the second share value.
Method for determining a modular inverse and associated cryptographic processing device
In a method for determining the modular inverse of a number, successive iterations are applied to two pairs each including a first variable and a second variable, such that at the end of each iteration and for each pair, the product of the second variable and of the number is equal to the first variable modulo a given modulus. Each iteration includes at least one division by two of the first variable of a first pair or of a second pair, or a combination of the first variable of the first pair and of the first variable of the second pair by addition or subtraction. At least some of the iterations including a combination by addition or subtraction include a step of storing the result of the combination in the first variable of a pair determined randomly from among the first pair and the second pair. An associated cryptographic processing device is also described.