Results 1 - 10 of 50
Proofs of Storage from Homomorphic Identification Protocols
Cited by 28 (1 self)
Proofs of storage (PoS) are interactive protocols allowing a client to verify that a server faithfully stores a file. Previous work has shown that proofs of storage can be constructed from any homomorphic linear authenticator (HLA). The latter, roughly speaking, are signature/message authentication schemes where ‘tags’ on multiple messages can be homomorphically combined to yield a ‘tag’ on any linear combination of these messages. We provide a framework for building public-key HLAs from any identification protocol satisfying certain homomorphic properties. We then show how to turn any public-key HLA into a publicly-verifiable PoS with communication complexity independent of the file length and supporting an unbounded number of verifications. We illustrate the use of our transformations by applying them to a variant of an identification protocol by Shoup, thus obtaining the first unbounded-use PoS based on factoring (in the random oracle model).
Providing Receipt-freeness in Mixnet-based Voting Protocols
In Proc. of Information Security and Cryptology (ICISC’03), volume 2971 of LNCS, 2003
Cited by 19 (2 self)
It had been thought that it is difficult to provide receipt-freeness in mixnet-based electronic voting schemes. Any kind of user-chosen randomness can be used to construct a receipt, since a user can prove to a buyer how he had encrypted the ballot. In this paper we propose a simple and efficient method to incorporate receipt-freeness in mixnet-based electronic voting schemes by using the well-known re-encryption technique and designated verifier re-encryption proof (DVRP). In our scheme a voter has to prepare his encrypted ballot through a randomization service provided by a tamper-resistant randomizer (TRR), in such a way that he finally loses his knowledge on randomness. This method can be used in most mixnet-based electronic voting schemes to provide receipt-freeness.
Receipt-free homomorphic elections and write-in voter verified ballots
INTERNATIONAL ASSOCIATION FOR CRYPTOLOGIC RESEARCH, MAY 2, 2004, AND CARNEGIE MELLON INSTITUTE FOR SOFTWARE RESEARCH INTERNATIONAL, 2004
Cited by 18 (0 self)
We present a voting protocol that protects voters’ privacy and achieves universal verifiability, receipt-freeness, and uncoercibility without ad hoc physical assumptions or procedural constraints (such as untappable channels, voting booths, smart cards, third-party randomizers, and so on). We discuss under which conditions the scheme allows voters to cast write-in ballots, and we show how it can be practically implemented through voter-verified (paper) ballots. The scheme allows voters to combine voting credentials with their chosen votes applying the homomorphic properties of certain probabilistic cryptosystems.
Verifiable Shuffles: A Formal Model and a Paillier-based Efficient Construction with Provable Security
2005
Cited by 17 (0 self)
We propose a formal model for security of verifiable shuffles and a new efficient verifiable shuffle system based on the Paillier encryption scheme, and prove its security in the proposed model. The model is general, so it can be extended to verifiable shuffle decryption and provides a direction for provable security of mixnets.
Non-interactive zero-knowledge arguments for voting
In proceedings of ACNS ’05, LNCS series, 2005
Cited by 17 (1 self)
In voting based on homomorphic threshold encryption, the voter encrypts his vote and sends it in to the authorities that tally the votes. If voters can send in arbitrary plaintexts then they can cheat. It is therefore important that they attach an argument of knowledge of the plaintext being a correctly formed vote. Typically, these arguments are honest verifier zero-knowledge arguments that are made non-interactive using the Fiat-Shamir heuristic. Security is argued in the random oracle model. The simplest case is where each voter has a single vote to cast. Practical solutions have already been suggested for the single vote case. However, as we shall see, homomorphic threshold encryption can be used for a variety of elections; in particular there are many cases where voters can cast multiple votes at once. In these cases, it remains important to bring down the cost of the NIZK argument. We improve on state of the art in the case of limited votes, where each voter can vote a small number of times. We also improve on the state of the art in shareholder elections, where each voter may have a large number of votes to spend. Moreover, we improve on the state of the art in Borda voting. Finally, we suggest a NIZK argument for correctness of an approval vote. To the best of our knowledge, approval voting has not been considered before in the cryptographic literature.
Efficient cryptographic protocol design based on distributed El Gamal encryption
In Proceedings of 8th International Conference on Information Security and Cryptology (ICISC, 2005
Cited by 17 (0 self)
We propose a set of primitives based on El Gamal encryption that can be used to construct efficient multiparty computation protocols for certain low-complexity functions. In particular, we show how to privately count the number of true Boolean disjunctions of literals and pairwise exclusive disjunctions of literals. Applications include efficient two-party protocols for computing the Hamming distance of two bitstrings and the greater-than function. The resulting protocols only require 6 rounds of interaction (in the random oracle model) and their communication complexity is O(kQ) where k is the length of bitstrings and Q is a security parameter. The protocols are secure against active adversaries but do not provide fairness. Security relies on the decisional Diffie-Hellman assumption and error probability is negligible in Q.
Split-Ballot Voting: Everlasting Privacy With Distributed Trust
Cited by 16 (1 self)
In this paper we propose a new voting protocol with several desirable security properties. The voting stage of the protocol can be performed by humans without computers; it provides every voter with the means to verify that all the votes were counted correctly (universal verifiability) while preserving ballot secrecy. The protocol has “everlasting privacy”: even a computationally unbounded adversary gains no information about specific votes from observing the protocol’s output. Unlike previous protocols with these properties, this protocol distributes trust between two authorities: a single corrupt authority will not cause voter privacy to be breached. Finally, the protocol is receipt-free: a voter cannot prove how she voted even if she wants to do so. We formally prove the security of the protocol in the Universal Composability framework, based on number-theoretic assumptions.
On Some Incompatible properties of Voting Schemes
In Proceedings of the IAVoSS Workshop on Trustworthy Elections, 2006.
Cited by 15 (0 self)
In this paper, we study the problem of simultaneously achieving several security properties, for voting schemes, without nonstandard assumptions. This paper is a work in progress. More specifically, we focus on the universal verifiability of the computation of the tally, on the unconditional privacy/anonymity of the votes, and on the receipt-freeness properties. More precisely, under usual assumptions and efficiency requirements, we show that we cannot achieve:
– universal verifiability of the tally (UV) and unconditional privacy of the votes (UP) simultaneously, unless all the registered voters actually vote;
– universal verifiability of the tally (UV) and receipt-freeness (RF), unless the voting process involves interactions between several voters (and possibly the voting authority).
Sublinear zero-knowledge argument for correctness of a shuffle
Proceedings of EUROCRYPT 2008, LNCS 4965, 2008
Cited by 12 (1 self)
A shuffle of a set of ciphertexts is a new set of ciphertexts with the same plaintexts in permuted order. Shuffles of homomorphic encryptions are a key component in mixnets, which in turn are used in protocols for anonymization and voting. Since the plaintexts are encrypted it is not directly verifiable whether a shuffle is correct, and it is often necessary to prove the correctness of a shuffle using a zero-knowledge proof or argument. In previous zero-knowledge shuffle arguments from the literature the communication complexity grows linearly with the number of ciphertexts in the shuffle. We suggest the first practical shuffle argument with sublinear communication complexity. Our result stems from combining previous work on shuffle arguments with ideas taken from probabilistically checkable proofs.
Practical and secure solutions for integer comparison
In Public Key Cryptography (PKC’07), volume 4450 of LNCS, 2007
Cited by 12 (1 self)
Yao’s classical millionaires’ problem is about securely determining whether x > y, given two input values x, y, which are held as private inputs by two parties, respectively. The output x > y becomes known to both parties. In this paper, we consider a variant of Yao’s problem in which the inputs x, y as well as the output bit x > y are encrypted. Referring to the framework of secure n-party computation based on threshold homomorphic cryptosystems as put forth by Cramer, Damgård, and Nielsen at Eurocrypt 2001, we develop solutions for integer comparison, which take as input two lists of encrypted bits representing x and y, respectively, and produce an encrypted bit indicating whether x > y as output. Secure integer comparison is an important building block for applications such as secure auctions. In this paper, our focus is on the two-party case, although most of our results extend to the multiparty case. We propose new logarithmic-round and constant-round protocols for this setting, which achieve simultaneously very low communication and computational complexities. We analyze the protocols in detail and show that our solutions compare favorably to other known solutions. Key words: Millionaires’ problem; secure multiparty computation; homomorphic encryption.