The invention relates to a method for performing a multi-party electronic computation using a plurality of evaluating computer systems. The cryptographic security of the multi-party computation is implemented using lattice-based cryptography. Each evaluating computer system receives from each user of a plurality of users an individual input share of an input chosen by the respective user. Furthermore, each evaluating computer system receives from the user a commitment to the received individual input share and an opening information. Each evaluating computer system checks the commitments received to the individual input shares and generates a first lattice-based zero-knowledge proof that all the commitments received are valid commitments to input shares. Each evaluating computer system publishes the first lattice-based zero-knowledge proof. Thus, a verifier may be enabled to verify that all commitments are valid commitments to input shares.

A method for trading on an electronic trading platform. The method includes the following features: trade orders of subscribers of the trading platform are given, a decentralized transaction database of the trading platform is managed that includes an order book, balances of accounts of the subscribers, and a zero-knowledge proof of a present state of the transaction database. On the basis of trade orders of the subscribers, starting from the current state, the transaction database is brought into a new state by a multiparty calculation.

An equality determination unit obtains [e.sub.i] in which e.sub.i=(e.sub.i,1, . . . , e.sub.i,N) is concealed, e.sub.i in which e.sub.i,j=a.sub.1 is established when x.sub.i,j is k.sub.j and e.sub.i,j=a.sub.0 is established when x.sub.i,j is not k.sub.j, by secure computation using a concealed search target word [x.sub.i] and a concealed search word [k]. A wildcard determination unit obtains [w] in which w=(w.sub.1, . . . , w.sub.N) is concealed, w in which w.sub.j=b.sub.1 is established when k.sub.j is a wildcard character and w.sub.j=b.sub.0 is established when k.sub.j is not a wildcard character, by secure computation using [k]. An OR operation unit obtains [y.sub.i] in which y.sub.i=(y.sub.i,1, . . . , y.sub.i,N) is concealed, y.sub.i in which y.sub.i,j=d.sub.1 is established when at least one of e.sub.i,j=a.sub.1 and w.sub.j=b.sub.1 is satisfied and y.sub.i,j=d.sub.0 is established when at least one of e.sub.i,j=a.sub.1 and w.sub.j=b.sub.1 is not satisfied, by secure computation using [e.sub.i] and [w].

A method is disclosed. An authentication node may receive a plurality of encrypted match values, wherein the plurality of encrypted match values were formed by a plurality of worker nodes that compare a plurality of encrypted second biometric template parts derived from a second biometric template to a plurality of encrypted first biometric template parts derived from a first biometric template. The authentication node may decrypt the plurality of encrypted matchvalues resulting in a plurality of decrypted matchvalues. The authentication node may then determine if a first biometric template matches the second biometric template using the plurality of decrypted match values. An enrollment node may be capable of enrolling a biometric template and storing encrypted biometric template parts at worker nodes.

Disclosed are methods and systems for calculating an arithmetic function expressed as addition of groups of multiplications of a set of private input secrets held by dealer nodes. Random exponent blinding factors are generated, and each computing node receives polynomial shares from each exponent blinding factor and a polynomial share and a public generator from the multiplicative group of integers modulo a prime number. The indexing integers are partitioned among the computing nodes, and each computing node computes a set of shares from the polynomial shares then sent to the dealer nodes which reconstruct the corresponding dealer blinding factor, and use it to create and send a particle to the computing nodes. The computing nodes then calculate from the received particles a result share of a polynomial which, when combined by a result node, allow the evaluation of complete polynomial which includes the result of the arithmetic function.

One of the drawbacks of Distributed Ledger Technology (DLT) is the conflation of authorization and authentication of transactions on a distributed ledger. The present invention includes a highly adaptable method and system for separating, but cryptographically linking, the authentication and authorization process of signing a transaction of a distributed ledger. The present invention facilitates group authority, common in corporate structures, for proposed transactions, voting models, and even workflow decision making. The present invention supports implementation of a variety of known authorization models into a decentralized network.

Provided is a pre-calculation device capable of keeping a secret against malicious behaviors of participants while keeping a processing load small. A Beaver triple generation processor generates a secret-shared Beaver triple formed of two secret-shared random numbers and a secret-shared value of a product of the two random numbers. A Beaver triple random inspection processor randomly selects a secret-shared Beaver triple, restores the Beaver triple through communication to and from other pre-calculation devices, and confirms that a product of first two elements is equal to a third element. The Beaver triple position stirring processor randomly replaces Beaver triples that have not been restored, to generate replaced secret-shared Beaver triples.

There is provided a computer-implemented method of applying a first function to each data element in a first data set, the method comprising (i) determining whether each data element in the first data set satisfies a criterion, wherein the criterion is satisfied only if the result of applying the first function to the data element is equal to the result of applying a second first data set satisfies a criterion function to the data element; (ii) forming a compressed data set comprising the data elements in the first data set that do not satisfy the criterion; (iii) applying the first function to 10 each data element in the compressed data set; and (iv) forming an output based on the results of step (iii); wherein steps (i)-(iv) are performed using multiparty computation, MPC, techniques. A corresponding system and worker node are also provided.

A secure computation apparatus calculates a secret sharing value {s.sub.i}={x.sub.i} using a secret sharing value {x.sub.i} of x.sub.i (where i=0, 1, 2), calculates a secret sharing value {y}={4s.sub.0s.sub.1s.sub.2}+ by secure computation using the secret sharing value {s.sub.i} and outputs the secret sharing value {y}, and calculates a secret sharing value {y.sub.r}={4rs.sub.0s.sub.1s.sub.2}+{r}/2 by secure computation using a secret sharing value {r} of a random number r and the secret sharing value {s.sub.i} and outputs the secret sharing value {y.sub.r}.

This disclosure relates to secret sharing data exchange for generating a data processing model. In some aspects, first data party device determines respective values of first coefficients based on a first share of service data. The first coefficients are corresponding coefficients of respective target variables in different terms of a polynomial expression and the target variables are variables that are in the polynomial expression and associated with the first share of the service data. A second data party device determines respective values of second coefficients based on a second share of the service data. The second coefficients include coefficients other than the first coefficients in the different terms of the polynomial expression. The first data party device secretly shares respective values of the different terms in the polynomial expression in parallel based on the respective values of the first coefficients.