Results 11  20
of
149
Practical MultiCandidate Election System
 In PODC
, 2001
"... The aim of electronic voting schemes is to provide a set of protocols that allow voters to cast ballots while a group of authorities collect the votes and output the final tally. In this paper we describe a practical multicandidate election scheme that guarantees privacy of voters, public verifi ..."
Abstract

Cited by 77 (7 self)
 Add to MetaCart
The aim of electronic voting schemes is to provide a set of protocols that allow voters to cast ballots while a group of authorities collect the votes and output the final tally. In this paper we describe a practical multicandidate election scheme that guarantees privacy of voters, public verifiability, and robustness against a coalition of malicious authorities. Furthermore, we address the problem of receiptfreeness and incoercibility of voters. Our new scheme is based on the Paillier cryptosystem and on some related zeroknowledge proof techniques. The voting schemes are very practical and can be efficiently implemented in a real system. Keywords: Homomorphic cryptosystems, HighResiduosity Assumption, Practical Voting scheme, threshold cryptography 1
Compact Proofs of Retrievability
, 2008
"... In a proofofretrievability system, a data storage center must prove to a verifier that he is actually storing all of a client’s data. The central challenge is to build systems that are both efficient and provably secure — that is, it should be possible to extract the client’s data from any prover ..."
Abstract

Cited by 72 (0 self)
 Add to MetaCart
In a proofofretrievability system, a data storage center must prove to a verifier that he is actually storing all of a client’s data. The central challenge is to build systems that are both efficient and provably secure — that is, it should be possible to extract the client’s data from any prover that passes a verification check. All previous provably secure solutions require that a prover send O(l) authenticator values (i.e., MACs or signatures) to verify a file, for a total of O(l 2) bits of communication, where l is the security parameter. The extra cost over the ideal O(l) communication can be prohibitive in systems where a verifier needs to check many files. We create the first compact and provably secure proof of retrievability systems. Our solutions allow for compact proofs with just one authenticator value — in practice this can lead to proofs with as little as 40 bytes of communication. We present two solutions with similar structure. The first one is privately verifiable and builds elegantly on pseudorandom functions (PRFs); the second allows for publicly verifiable proofs and is built from the signature scheme of Boneh, Lynn, and Shacham in bilinear groups. Both solutions rely on homomorphic properties to aggregate a proof into one small authenticator value. 1
Indifferentiability, impossibility results on reductions, and applications to the random oracle methodology
 Theory of Cryptography  TCC 2004, Lecture Notes in Computer Science
, 2004
"... Abstract. The goals of this paper are threefold. First we introduce and motivate a generalization of the fundamental concept of the indistinguishability of two systems, called indifferentiability. This immediately leads to a generalization of the related notion of reducibility of one system to anot ..."
Abstract

Cited by 71 (1 self)
 Add to MetaCart
Abstract. The goals of this paper are threefold. First we introduce and motivate a generalization of the fundamental concept of the indistinguishability of two systems, called indifferentiability. This immediately leads to a generalization of the related notion of reducibility of one system to another. Second, we prove that indifferentiability is the necessary and sufficient condition on two systems S and T such that the security of any cryptosystem using T as a component is not affected when T is substituted by S. In contrast to indistinguishability, indifferentiability is applicable in settings where a possible adversary is assumed to have access to additional information about the internal state of the involved systems, for instance the public parameter selecting a member from a family of hash functions. Third, we state an easily verifiable criterion for a system U not to be reducible (according to our generalized definition) to another system V and, as an application, prove that a random oracle is not reducible to a weaker primitive, called asynchronous beacon, and also that an asynchronous beacon is not reducible to a finitelength random string. Each of these irreducibility results alone implies the main theorem of Canetti, Goldreich and Halevi stating that there exist cryptosystems that are secure in the random oracle model but for which replacing the random oracle by any implementation leads to an insecure cryptosystem. Key words. Indistinguishability, reductions, indifferentiability, security proofs, random oracle methodology, hash functions.
Provably Secure Blind Signature Schemes
, 1996
"... In this paper, we give a provably secure design for blind signatures, the most important ingredient for anonymity in offline electronic cash systems. Previous examples of blind signature schemes were constructed from traditional signature schemes with only the additional proof of blindness. The des ..."
Abstract

Cited by 68 (10 self)
 Add to MetaCart
In this paper, we give a provably secure design for blind signatures, the most important ingredient for anonymity in offline electronic cash systems. Previous examples of blind signature schemes were constructed from traditional signature schemes with only the additional proof of blindness. The design of some of the underlying signature schemes can be validated by a proof in the socalled random oracle model, but the security of the original signature scheme does not, by itself, imply the security of the blind version. In this paper, we first propose a definition of security for blind signatures, with application to electronic cash. Next, we focus on a specific example which can be successfully transformed in a provably secure blind signature scheme.
On Deniability in the Common Reference String and Random Oracle Model
 In proceedings of CRYPTO ’03, LNCS series
, 2003
"... Abstract. We revisit the definitions of zeroknowledge in the Common Reference String (CRS) model and the Random Oracle (RO) model. We argue that even though these definitions syntactically mimic the standard zeroknowledge definition, they loose some of its spirit. In particular, we show that there ..."
Abstract

Cited by 52 (5 self)
 Add to MetaCart
Abstract. We revisit the definitions of zeroknowledge in the Common Reference String (CRS) model and the Random Oracle (RO) model. We argue that even though these definitions syntactically mimic the standard zeroknowledge definition, they loose some of its spirit. In particular, we show that there exist a specific natural security property that is not captured by these definitions. This is the property of deniability. We formally define the notion of deniable zeroknowledge in these models and investigate the possibility of achieving it. Our results are different for the two models: – Concerning the CRS model, we rule out the possibility of achieving deniable zeroknowledge protocols in “natural ” settings where such protocols cannot already be achieved in plain model. – In the RO model, on the other hand, we construct an efficient 2round deniable zeroknowledge argument of knowledge, that preserves both the zeroknowledge property and the proof of knowledge property under concurrent executions (concurrent zeroknowledge and concurrent proofof knowledge). 1
Verifiable encryption, group encryption, and their applications to group signatures and signature sharing schemes
, 2000
"... Abstract. We generalize and improve the security and efficiency ofthe verifiable encryption scheme ofAsokan et al., such that it can rely on more general assumptions, and can be proven secure without assuming random oracles. We extend our basic protocol to a new primitive called verifiable group enc ..."
Abstract

Cited by 51 (8 self)
 Add to MetaCart
Abstract. We generalize and improve the security and efficiency ofthe verifiable encryption scheme ofAsokan et al., such that it can rely on more general assumptions, and can be proven secure without assuming random oracles. We extend our basic protocol to a new primitive called verifiable group encryption. We show how our protocols can be applied to construct group signatures, identity escrow, and signature sharing schemes from a wide range of signature, identification, and encryption schemes already in use. In particular, we achieve perfect separability for all these applications, i.e., all participants can choose their signature and encryption schemes and the keys thereofindependent ofeach other, even without having these applications in mind. 1
1outofn signatures from a variety of keys
 In Advances in Cryptology  ASIACRYPT 2002, LNCS
, 2002
"... Abstract. This paper addresses how to use publickeys of several different signature schemes to generate 1outofn signatures. Previously known constructions are for either RSAkeys only or DLtype keys only. We present a widely applicable method to construct a 1outofn signature scheme that allo ..."
Abstract

Cited by 51 (0 self)
 Add to MetaCart
Abstract. This paper addresses how to use publickeys of several different signature schemes to generate 1outofn signatures. Previously known constructions are for either RSAkeys only or DLtype keys only. We present a widely applicable method to construct a 1outofn signature scheme that allows mixture use of different flavors of keys at the same time. The resulting scheme is more efficient than previous schemes even if it is used only with a single type of keys. With all DLtype keys, it yields shorter signatures than the ones of the previously known scheme based on the witness indistinguishable proofs by Cramer, et. al. With all RSAtype keys, it reduces both computational and storage costs compared to that of the Ring signatures by Rivest, et. al. 1
Strong KeyInsulated Signature Schemes
, 2002
"... Digital signing is at the heart of Internet based transactions and ecommerce. In this global communication environment, signature computation will be frequently performed on a relatively insecure device (e.g., a mobile phone) that cannot be trusted to completely (and at all times) maintain the se ..."
Abstract

Cited by 48 (13 self)
 Add to MetaCart
Digital signing is at the heart of Internet based transactions and ecommerce. In this global communication environment, signature computation will be frequently performed on a relatively insecure device (e.g., a mobile phone) that cannot be trusted to completely (and at all times) maintain the secrecy of the private key.
Fast Signature Generation with a Fiat ShamirLike Scheme
, 1991
"... We propose two improvements to the Fiat Shamir authentication and signature scheme. We reduce the communication of the Fiat Shamir authentication scheme to a single round while preserving the efficiency of the scheme. This also reduces the length of Fiat Shamir signatures. Using secret keys consisti ..."
Abstract

Cited by 40 (1 self)
 Add to MetaCart
We propose two improvements to the Fiat Shamir authentication and signature scheme. We reduce the communication of the Fiat Shamir authentication scheme to a single round while preserving the efficiency of the scheme. This also reduces the length of Fiat Shamir signatures. Using secret keys consisting of small integers we reduce the time for signature generation by a factor 3 to 4. We propose a variation of our scheme using class groups that may be secure even if factoring large integers becomes easy. 1 Introduction and Summary The FiatShamir signature scheme (1986) and the GQscheme by Guillou and Quisquater (1988) are designed to reduce the number of modular multiplications that are necessary for generating signatures in the RSAscheme. Using multicomponent private and public keys Fiat and Shamir generate signatures much faster than with the RSAscheme. The drawback is that signatures are rather long. They are about ttimes longer than RSAsignatures, where t is the round nu...
Computation of Discrete Logarithms in Prime Fields
 Design, Codes and Cryptography
, 1991
"... The presumed difficulty of computing discrete logarithms in finite fields is the basis of several popular public key cryptosystems. The secure identification option of the Sun Network File System, for example, uses discrete logarithms in a field GF (p) with p a prime of 192 bits. This paper describe ..."
Abstract

Cited by 38 (1 self)
 Add to MetaCart
The presumed difficulty of computing discrete logarithms in finite fields is the basis of several popular public key cryptosystems. The secure identification option of the Sun Network File System, for example, uses discrete logarithms in a field GF (p) with p a prime of 192 bits. This paper describes an implementation of a discrete logarithm algorithm which shows that primes of under 200 bits, such as that in the Sun system, are very insecure. Some enhancements to this system are suggested. 1. Introduction If p is a prime and g and x integers, then computation of y such that y j g x mod p; 0 y p \Gamma 1 (1.1) is referred to as discrete exponentiation. Using the successive squaring method, it is very fast (polynomial in the number of bits of jpj + jgj + jxj). On the other hand, the inverse problem, namely, given p; g, and y, to compute some x such that Equation 1.1 holds, which is referred to as the discrete logarithm problem, appears to be quite hard in general. Many of the mos...