Results 1 - 9 of 9
A generalisation, a simplification and some applications of Paillier's probabilistic public-key system
LNCS, 2001
Cited by 149 (2 self)
We propose a generalisation of Paillier’s probabilistic public key system, in which the expansion factor is reduced and which allows to adjust the block length of the scheme even after the public key has been fixed, without losing the homomorphic property. We show that the generalisation is as secure as Paillier’s original system. We construct a threshold variant of the generalised scheme as well as zero-knowledge protocols to show that a given ciphertext encrypts one of a set of given plaintexts, and protocols to verify multiplicative relations on plaintexts. We then show how these building blocks can be used for applying the scheme to efficient electronic voting. This reduces dramatically the work needed to compute the final result of an election, compared to the previously best known schemes. We show how the basic scheme for a yes/no vote can be easily adapted to casting a vote for up to t out of L candidates. The same basic building blocks can also be adapted to provide receipt-free elections, under appropriate physical assumptions. The scheme for 1 out of L elections can be optimised such that for a certain range of parameter values, a ballot has size only O(log L) bits.
Practical Verifiable Encryption and Decryption of Discrete Logarithms
2003
Cited by 135 (20 self)
This paper addresses the problem of designing practical protocols for proving properties about encrypted data. To this end, it presents a variant of the new public key encryption of Cramer and Shoup based on Paillier’s decision composite residuosity assumption, along with efficient protocols for verifiable encryption and decryption of discrete logarithms (and more generally, of representations with respect to multiple bases). This is the first verifiable encryption system that provides chosen ciphertext security and avoids inefficient cut-and-choose proofs. The presented protocols have numerous applications, including key escrow, optimistic fair exchange, publicly verifiable secret and signature sharing, universally composable commitments, group signatures, and confirmer signatures.
Almost Entirely Correct Mixing with Applications to Voting
In ACM CCS ’02, 2002
Cited by 34 (1 self)
In order to design an exceptionally efficient mix network, both asymptotically and in real terms, we develop the notion of almost entirely correct mixing, and propose a new mix network that is almost entirely correct. In our new mix, the real cost of proving correctness is orders of magnitude faster than all other mix nets. The tradeoff is that our mix only guarantees "almost entirely correct" mixing, i.e., it guarantees that the mix network processed correctly all inputs with high (but not overwhelming) probability. We use a new technique for verifying correctness. This new technique consists of computing the product of a random subset of the inputs to a mix server, then requiring the mix server to produce a subset of the outputs of equal product. Our new mix net is of particular value for electronic voting, where a guarantee of almost entirely correct mixing may well be sufficient to announce instantly the result of a large election. The correctness of the result can later be verified beyond a doubt using any one of a number of much slower proofs of perfect correctness, without having to mix the ballots again.
An Optimally Robust Hybrid Mix Network
In Principles of Distributed Computing - PODC ’01, 2001
Cited by 33 (2 self)
We present a mix network that achieves efficient integration of public-key and symmetric-key operations. This hybrid mix network is capable of natural processing of arbitrarily long input elements, and is fast in both practical and asymptotic senses. While the overhead in the size of input elements is linear in the number of mix servers, it is quite small in practice. In contrast to previous hybrid constructions, ours has optimal robustness, that is, robustness against any minority coalition of malicious servers.
A Generalization of Paillier's Public-Key System with Applications to Electronic Voting
P Y A RYAN, 2003
Cited by 20 (1 self)
We propose a generalization of Paillier's probabilistic public key system, in which the expansion factor is reduced and which allows to adjust the block length of the scheme even after the public key has been fixed, without losing the homomorphic property. We show that the generalization is as secure as Paillier's original system and propose several ways to optimize implementations of both the generalized and the original scheme. We construct
Receipt-free homomorphic elections and write-in voter verified ballots
INTERNATIONAL ASSOCIATION FOR CRYPTOLOGIC RESEARCH, MAY 2, 2004, AND CARNEGIE MELLON INSTITUTE FOR SOFTWARE RESEARCH INTERNATIONAL, 2004
Cited by 18 (0 self)
We present a voting protocol that protects voters’ privacy and achieves universal verifiability, receipt-freeness, and uncoercibility without ad hoc physical assumptions or procedural constraints (such as untappable channels, voting booths, smart cards, third-party randomizers, and so on). We discuss under which conditions the scheme allows voters to cast write-in ballots, and we show how it can be practically implemented through voter-verified (paper) ballots. The scheme allows voters to combine voting credentials with their chosen votes applying the homomorphic properties of certain probabilistic cryptosystems.
Extensions to the Paillier Cryptosystem with Applications to Cryptological Protocols
2003
Cited by 12 (0 self)
The main contribution of this thesis is a simplification, a generalization and some modifications of the homomorphic cryptosystem proposed by Paillier in 1999, and several cryptological protocols that follow from these changes. The Paillier
Cryptographic Counters and Applications to Electronic Voting
2001
Cited by 10 (2 self)
We formalize the notion of a cryptographic counter, which allows a group of participants to increment and decrement a cryptographic representation of a (hidden) numerical value privately and robustly.
Funkspiel Schemes: An Alternative to Conventional Tamper Resistance
In ACM CCS, 2000
Cited by 3 (0 self)
We investigate a simple method of fraud management for secure devices that may serve as an alternative or complement to conventional hardware-based tamper resistance. Under normal operating conditions in our scheme, a secure device includes an authentication code in its communications, e.g., in the digital signatures it issues. This code may be verified by a fraud management center under a predetermined key . When the device detects an attempted break-in, it modifies . This results in a change to the authentication codes issued by the device such that the fraud management center can detect the apparent break-in. Hence, in contrast to the case with typical tamper-resistance schemes, the deployer of our proposed scheme seeks to trace break-ins, rather than prevent them. In reference to the wartime practice of physically capturing and subverting underground radio transmitters (a practice analogous to the capture and use of secret information on secure devices), we denote this idea by the German term funkspiel, meaning "radio game." One challenge in constructing a funkspiel scheme is to ensure that an attacker privy to the authentication codes of the secure device both before and after the break-in, as well as the secrets of the device following the break-in, cannot detect the alteration to . Additional challenges involve minimizing the communication and computation overhead, the requirement for use of shared secrets, and the state information associated with the authentication codes. We present several simple and practical schemes in this paper.