Patent classifications
H04L2209/08
Additively-homomorphic method and apparatus specialized for non-interactive zero-knowledge proof
Disclosed are a homomorphic encryption method and apparatus specialized for zero-knowledge proof. The homomorphic encryption method specialized for zero-knowledge proof includes (a) dividing a message M into n message blocks; (b) generating a ciphertext CT by encrypting the n message blocks, wherein the ciphertext CT includes an encryption block for each of the n message blocks, and each encryption block includes the message block in the form G.sub.i.sup.m.sup.
Elliptic curve point multiplication device and method in a white-box context
An electronic point multiplication device (100) is provided for computing a point multiplication (kG) on an elliptic curve between a multiplier (k) and a base point (G) on the elliptic curve (E) for use in a cryptographic protocol. The device is arranged to compute a blinded base multiplier (A, 131) from a first set of multiple joint encodings (A_i), and multiple blinded auxiliary multipliers (η_i, 136) from a second set of multiple joint encodings (B_i). The device obtains the point multiplication (141) (kG) of the multiplier (k) and the base point (G) by computing the point addition of the point multiplication of the blinded base multiplier and the base point on the elliptic curve, and the multiple point multiplications of a blinded auxiliary multiplier and an auxiliary point. The blinded base multiplier and auxiliary multipliers may be represented in a plain format while the elliptic curve arithmetic is performed.
METHOD AND CIRCUIT FOR PERFORMING A SUBSTITUTION OPERATION
A cryptographic circuit performs a substitution operation of a cryptographic algorithm. For each substitution operation of the cryptographic algorithm, a series of substitution operations are performed by the cryptographic circuit. One of the substitution operations of the series is a real substitution operation corresponding to the substitution operation of the cryptographic algorithm. One or more other substitution operations of the series are dummy substitution operations. A position of the real substitution operation in said series is selected randomly.
System and method for information protection
A computer-implemented method comprises: committing a transaction amount t of a transaction with a commitment scheme to obtain a transaction commitment value T, the commitment scheme comprising at least a transaction blinding factor r_t; encrypting a combination of the transaction blinding factor r_t and the transaction amount t with a public key PK_B of a recipient of the transaction; and transmitting the transaction commitment value T and the encrypted combination to a recipient node associated with the recipient for the recipient node to verify the transaction.
Integrated circuit and method for challenge-response physically unclonable function
Systems and methods are described based on an integrated circuit that performs a challenge-response physically unclonable function (PUF). The PUF is used for challenge-response authentication. The integrated circuit includes a PUF block configured to output an n-bit internal response corresponding to a challenge that requests a response, where n is an integer greater than 1, and a response generator configured to calculate a Hamming weight of the internal response and output the response by comparing the Hamming weight with at least one reference.
Swapping of encryption and decryption operations for side channel attack protection
This disclosure describes systems on a chip (SoCs) that prevent side channel attacks (SCAs). The SoCs of this disclosure concurrently operate multi-round encryption and decryption datapaths according to a combined sequence of encryption rounds and decryption rounds. An example SoC of this disclosure includes an engine configured to encrypt transmission (Tx) channel data using a multi-round encryption datapath, and to decrypt encrypted received (Rx) channel data using a multi-round decryption datapath. The SoC further includes a security processor configured to multiplex the multi-round encryption datapath against the multi-round decryption datapath on a round-by-round basis to generate a mixed sequence of encryption rounds and decryption rounds, and to control the engine to encrypt the Tx channel data and decrypt the encrypted Rx channel data according to the mixed sequence of encryption rounds and decryption rounds.
Masking text data for secure multiparty computation
Textual masking for multiparty computation is provided. The method comprises receiving masked input data from a number of contributors, wherein the input data from each contributor has a unique contributor mask value. A unique analyst mask factor is received for each contributor, computed by an analyst as a difference between a uniform analyst mask value and the contributor mask value. An API call is received from the analyst to aggregate the input data from the contributors. The respective analyst mask factors are added to the input data from the contributors, and the data is aggregated and shuffled. Computational results received from the analyst based on the aggregated input data are published. In response to API calls from the contributors, the analyst mask factors are removed from the computational results, wherein computational results received by each contributor are masked only by the respective contributor mask value.
Encryption device, decryption device, encryption method, decryption method, encryption program product, and decryption program product
An encryption device includes hardware processors to: acquire a public key including an identification polynomial f(t) and a multivariable indeterminate equation X having elements of a ring F_p[t]/g(t) as coefficients; disperse and embed a message m as coefficients of plaintext polynomial factors m_i having, as coefficients, polynomials with a limited degree among the elements of the ring; generate a plaintext polynomial M by multiplying the plaintext polynomial factors m_i; randomly generate a random polynomial r having as a coefficient an element of the ring; randomly generate a noise polynomial e having as coefficients polynomials with a limited degree among the elements of the ring; and generate a ciphertext by encryption processing that performs an operation including adding, subtracting, or multiplying the identification polynomial f(t), the random polynomial r, the noise polynomial e, and the multivariable indeterminate equation X to, from, or by the plaintext polynomial M.
AUTHENTICATED AND ENCRYPTED ARCHIVES
Embodiments described herein provide a compressed container format that enables the container to be decrypted and decompressed in a streaming manner. One embodiment provides a container format for encrypted archives in which data is compressed and encrypted in a segmented manner. A segment of the archive can be decompressed, decrypted, and checked for integrity before the entire archive is received. Metadata for the encrypted archive is also encrypted to secure details of data stored within the archive.
LOW POWER ENCRYPTION IN MOTION
Aspects of associative cryptography key operations are described. In one embodiment, a first cryptographic function is applied to secret data to produce a first encrypted result. The first encrypted result is transmitted by a first device to a second device. The second device applies a second cryptographic function to the first encrypted result to produce a second encrypted result. At this point, the secret data has been encrypted by two different cryptographic functions, each of them being sufficient to secure the secret data from others. The two different cryptographic functions can be inverted or removed, in any order, to reveal the secret data. Thus, the first device can apply a first inverse cryptographic function to the second encrypted result to produce a first result, and the second device can apply a second inverse cryptographic function to the first result to decrypt the secret data.