Results 1-10 of 112
Privacy-preserving Distributed Mining of Association Rules on Horizontally Partitioned Data
2002
Cited by 179 (17 self)
Data mining can extract important knowledge from large data collections, but sometimes these collections are split among various parties. Privacy concerns may prevent the parties from directly sharing the data, and some types of information about the data. This paper addresses secure mining of association rules over horizontally partitioned data. The methods incorporate cryptographic techniques to minimize the information shared, while adding little overhead to the mining task.
A verifiable secret shuffle and its application to E-Voting
2001
Cited by 159 (0 self)
We present a mathematical construct which provides a cryptographic protocol to verifiably shuffle a sequence of k modular integers, and discuss its application to secure, universally verifiable, multi-authority election schemes. The output of the shuffle operation is another sequence of k modular integers, each of which is the same secret power of a corresponding input element, but the order of elements in the output is kept secret. Though it is a trivial matter for the “shuffler” (who chooses the permutation of the elements to be applied) to compute the output from the input, the construction is important because it provides a linear size proof of correctness for the output sequence (i.e. a proof that it is of the form claimed) that can be checked by arbitrary verifiers. The complexity of the protocol improves on that of Furukawa-Sako [16] both measured by number of exponentiations and by overall size. The protocol is shown to be honest-verifier zero-knowledge in a special case, and is computational zero-knowledge in general. On the way to the final result, we also construct a generalization of the well known Chaum-Pedersen protocol for knowledge of discrete logarithm equality ([10], [7]). In fact, the generalization specializes exactly to the Chaum-Pedersen protocol in the case k = 2. This result may be of interest on its own. An application to electronic voting is given that matches the features of the best current protocols with significant efficiency improvements. An alternative application to electronic voting is also given that introduces an entirely new paradigm for achieving Universally Verifiable elections.
Efficient generation of shared RSA keys
Advances in Cryptology - CRYPTO 97, 1997
Cited by 127 (5 self)
We describe efficient techniques for a number of parties to jointly generate an RSA key. At the end of the protocol an RSA modulus N = pq is publicly known. None of the parties know the factorization of N. In addition a public encryption exponent is publicly known and each party holds a share of the private exponent that enables threshold decryption. Our protocols are efficient in computation and communication. All results are presented in the honest but curious settings (passive adversary).
A simple publicly verifiable secret sharing scheme and its application to electronic voting
In CRYPTO, 1999
Cited by 79 (1 self)
Abstract. A publicly verifiable secret sharing (PVSS) scheme is a verifiable secret sharing scheme with the property that the validity of the shares distributed by the dealer can be verified by any party; hence verification is not limited to the respective participants receiving the shares. We present a new construction for PVSS schemes, which compared to previous solutions by Stadler and later by Fujisaki and Okamoto, achieves improvements both in efficiency and in the type of intractability assumptions. The running time is O(nk), where k is a security parameter, and n is the number of participants, hence essentially optimal. The intractability assumptions are the standard Diffie-Hellman assumption and its decisional variant. We present several applications of our PVSS scheme, among which is a new type of universally verifiable election scheme based on PVSS. The election scheme becomes quite practical and combines several advantages of related electronic voting schemes, which makes it of interest in its own right.
A Zero-One Law for Boolean Privacy
STOC 89 and SIAM J. Disc. Math, 1991
Cited by 73 (14 self)
A Boolean function $f : A_1 \times A_2 \times \cdots \times A_n \to \{0,1\}$ is $t$-private if there exists a protocol for computing $f$ so that no coalition of size $t$ can infer any additional information from the execution, other than the value of the function. We show that $f$ is $\lceil n/2 \rceil$-private if and only if it can be represented as $f(x_1, x_2, \ldots, x_n) = f_1(x_1) \oplus f_2(x_2) \oplus \cdots \oplus f_n(x_n)$, where the $f_i$ are arbitrary Boolean functions. It follows that if $f$ is $\lceil n/2 \rceil$-private, then it is also $n$-private. Combining this with a result of Ben-Or, Goldwasser, and Wigderson, we derive an interesting "zero-one" law for private distributed computation of Boolean functions: Every Boolean function defined over a finite domain is either $n$-private, or it is $\lfloor (n-1)/2 \rfloor$-private but not $\lceil n/2 \rceil$-private. We also investigate a weaker notion of privacy, where (a) coalitions are allowed to infer a limited amount of additional inf...
Practical High Certainty Intent Verification for Encrypted Votes
2004
Cited by 54 (1 self)
We construct a universally verifiable, cryptographic vote casting protocol that enables each voter to determine with high certainty via a receipt that her choices (intended votes) have been accurately represented in the input to a public tally. However, since the receipt, in isolation, can represent a choice for any candidate with equal probability, it does not enable vote buying or coercion. The key to making this possible is that the totality of information that the voter uses to convince herself of encrypted ballot integrity includes temporal information that is only available at the time the ballot is cast. We assume that, as with conventional voting systems, the act of casting takes place in a private environment, i.e. the “poll booth.” Under this assumption then, the scheme, in conjunction with a universally verifiable tabulation protocol, provides an end-to-end verifiable, secret vote receipt based election protocol that is coercion free. Intrinsically, the protocol is unconditionally secure, although for the sake of usability, the commitment of data is likely to be implemented via a secure one-way hash. The security of such an implementation would then depend on the one-way property of the hash function employed. The scheme requires no more computation or data processing from the voter than is performed by a bank customer at a typical ATM. Thus, it is very practical.
Zero-Knowledge Proofs for Finite Field Arithmetic, or: Can Zero-Knowledge be for Free?
In Proc. CRYPTO, 1997
Cited by 52 (5 self)
We present zero-knowledge proofs and arguments for arithmetic circuits over finite prime fields, namely given a circuit, show in zero-knowledge that inputs can be selected leading to a given output. For a field GF(q), where q is an n-bit prime, a circuit of size O(n), and error probability 2 , our protocols require communication of O(n ) bits. This is the same worst-case complexity as the trivial (non zero-knowledge) interactive proof where the prover just reveals the input values. If the circuit involves n multiplications, the best previously known methods would in general require communication of Ω(n log n) bits. Variations of the
Some Recent Research Aspects of Threshold Cryptography
In Proc. of the 1st Intl. Information Security Workshop, 1997
Cited by 44 (0 self)
In the traditional scenario in cryptography there is one sender, one receiver and an active or passive eavesdropper who is an opponent. Depending on the application, the sender or the receiver (or both) need to use a secret key. Often we are not dealing with an individual sender/receiver, but the sender/receiver is an organization. The goal of threshold cryptography is to present practical schemes to solve such problems without the need to use the more general methods of mental games. In this paper we survey some recent research results on this topic. In particular on: DSS based threshold signatures, robust threshold cryptography, threshold cryptography without a trusted dealer, more optimal secret sharing schemes for threshold cryptography, proactive threshold cryptography and its generalizations.
Privacy-preserving distributed mining of association rules on horizontally partitioned data
In The ACM SIGMOD Workshop on Research Issues on Data Mining and Knowledge Discovery (DMKD’02)
Cited by 41 (11 self)
Abstract: Data mining can extract important knowledge from large data collections, but sometimes these collections are split among various parties. Privacy concerns may prevent the parties from directly sharing the data and some types of information about the data. This paper addresses secure mining of association rules over horizontally partitioned data. The methods incorporate cryptographic techniques to minimize the information shared, while adding little overhead to the mining task. Index Terms: Data mining, security, privacy.
Redistributing Secret Shares to New Access Structures and Its Applications
1997
Cited by 40 (0 self)
Proactive secret sharing deals with refreshing secret shares, i.e., redistributing the shares of a secret to the original access structure. In this paper we focus on the general problem of redistributing shares of a secret key. Shares of a secret have been distributed such that access sets specified in the access structure $\Gamma$ (e.g., $t$-out-of-$l$) can access (or use) the secret. The problem is how to redistribute the secret, without recovering it, in such a way that those specified in the new access structure $\Gamma'$ will be able to recover the secret. We also adapt our scheme such that it can be used in the context of threshold cryptography and discuss its applications to secure databases.

1 Introduction

Since its invention, several improvements and variants of threshold schemes [6, 34] and general secret sharing [22] have been presented. In proactive secret sharing schemes [30, 20] (see also [10]), shares of a secret are being refreshed by the participants to avoid a mobile atta...