Coercion-Resistant Electronic Elections
In WPES '05, 2002
Cited by 155 (0 self)
We introduce a model for electronic election schemes that involves a more powerful adversary than in previous work. In particular, we allow the adversary to demand of coerced voters that they vote in a particular manner, abstain from voting, or even disclose their secret keys. We define a scheme to be coercion resistant if it is impossible for the adversary to determine whether a coerced voter complies with the demands. Furthermore, we relax the requirements made in some previous proposals from an untappable channel to only requiring the existence of an anonymous channel.
On the security of joint signature and encryption
2002
Cited by 150 (6 self)
We formally study the notion of a joint signature and encryption in the public-key setting. We refer to this primitive as signcryption, adapting the terminology of [35]. We present two definitions for the security of signcryption depending on whether the adversary is an outsider or a legal user of the system. We then examine generic sequential composition methods of building signcryption from a signature and encryption scheme. Contrary to what recent results in the symmetric setting [5, 22] might lead one to expect, we show that classical "encrypt-then-sign" (EtS) and "sign-then-encrypt" (StE) methods are both secure composition methods in the public-key setting. We also present a new composition method which we call "commit-then-encrypt-and-sign" (CtE&S). Unlike the generic sequential composition methods, CtE&S applies the expensive signature and encryption operations in parallel, which could imply a gain in efficiency over the StE and EtS schemes. We also show that the new CtE&S method elegantly combines with the recent "hash-sign-switch" technique of [30], leading to efficient online/offline signcryption. Finally and of independent interest, we discuss the definitional inadequacy of the standard notion of chosen ciphertext (CCA2) security. We suggest a natural and very slight relaxation of CCA2-security, which we call generalized CCA2-security (gCCA2). We show that gCCA2-security suffices for all known uses of CCA2-secure encryption, while no longer suffering from the definitional shortcomings of the latter.
Civitas: Toward a secure voting system
In IEEE Symposium on Security and Privacy, 2008
Cited by 92 (9 self)
Civitas is the first electronic voting system that is coercion-resistant, universally and voter verifiable, and suitable for remote voting. This paper describes the design and implementation of Civitas. Assurance is established in the design through security proofs, and in the implementation through information-flow security analysis. Experimental results give a quantitative evaluation of the tradeoffs between time, cost, and security.
Formal Proofs for the Security of Signcryption
In PKC '02, 2002
Cited by 85 (3 self)
Signcryption is a public key or asymmetric cryptographic method that provides simultaneously both message confidentiality and unforgeability at a lower computational and communication overhead.
Almost Optimal Private Information Retrieval
In 2nd Workshop on Privacy Enhancing Technologies (PET 2002)
Cited by 43 (2 self)
A private information retrieval (PIR) protocol allows a user to retrieve one of N records from a database while hiding the identity of the record from the database server.
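To make the PIR goal concrete, here is an added worked example (not code from the paper above, which relies on a secure coprocessor rather than on this construction): the classical two-server information-theoretic PIR of Chor, Goldreich, Kushilevitz and Sudan. The client sends each of two non-colluding replicas a query set; each set on its own is a uniformly random subset of the record indices, so a single server learns nothing about which record is wanted, yet XORing the two answers yields exactly record i. The record table and the class and function names are constructed for the example.

```python
"""Two-server XOR PIR (Chor-Goldreich-Kushilevitz-Sudan), added example.

Two servers hold identical copies of N equal-length records. The client
sends server A a uniformly random subset S of the indices and server B the
set S with the wanted index i toggled. Each server returns the XOR of the
records it was asked for; XORing the two answers cancels every record in S
and leaves record i. Security assumption: the two servers do not collude.
"""
import secrets
from typing import List, Set, Tuple


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


class PIRServer:
    """One replica. It only ever sees a query set, never the index i."""

    def __init__(self, records: List[bytes]):
        if len({len(r) for r in records}) != 1:
            raise ValueError("records must have equal length")
        self.records = records

    def answer(self, query: Set[int]) -> bytes:
        acc = bytes(len(self.records[0]))
        for j in query:
            acc = xor_bytes(acc, self.records[j])
        return acc


def make_queries(n: int, i: int) -> Tuple[Set[int], Set[int]]:
    """S is uniform over all subsets of range(n); S ^ {i} is therefore
    uniform as well, so neither query alone reveals i."""
    s1 = {j for j in range(n) if secrets.randbits(1)}
    s2 = s1 ^ {i}          # symmetric difference: toggle membership of i
    return s1, s2


def retrieve(server_a: PIRServer, server_b: PIRServer, n: int, i: int) -> bytes:
    """Client side: two queries, two answers, one XOR."""
    q1, q2 = make_queries(n, i)
    return xor_bytes(server_a.answer(q1), server_b.answer(q2))


# Constructed sample database: 8 fixed-size records replicated on both servers.
RECORDS = [f"record-{k:02d}".encode() for k in range(8)]
SERVER_A = PIRServer(RECORDS)
SERVER_B = PIRServer(RECORDS)


def demo(i: int) -> bytes:
    return retrieve(SERVER_A, SERVER_B, len(RECORDS), i)


if __name__ == "__main__":
    for i in range(len(RECORDS)):
        print(i, demo(i))
```

The cost that motivates "almost optimal" constructions is visible here: each query is N bits long (one membership bit per record) and the download is one record per server, so the communication is linear in the database size even though the server-side work is just N XORs.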
Threshold Cryptosystems Secure against Chosen-Ciphertext Attacks
In Proc. of ASIACRYPT, 2000
Cited by 40 (3 self)
Semantic security against chosen-ciphertext attacks (IND-CCA) is widely believed to be the correct security level for public-key encryption schemes. On the other hand, it is often dangerous to give to only one person the power of decryption. Therefore, threshold cryptosystems aim at distributing the decryption ability. However, only two efficient such schemes have been proposed so far for achieving IND-CCA. Both are ElGamal-like schemes and thus are based on the same intractability assumption, namely the Decisional Diffie-Hellman problem. In this article we rehabilitate the twin-encryption paradigm proposed by Naor and Yung to present generic conversions from a large family of (threshold) IND-CPA schemes into (threshold) IND-CCA ones in the random oracle model. An efficient instantiation is also proposed, which is based on the Paillier cryptosystem. This new construction provides the first example of a threshold cryptosystem secure against chosen-ciphertext attacks based on the factorization problem. Moreover, this construction provides a scheme where the "homomorphic properties" of the original scheme still hold. This is rather cumbersome because homomorphic cryptosystems are known to be malleable and therefore not to be CCA secure. However, we do not build a "homomorphic cryptosystem", but just keep the homomorphic properties.
Attacking and fixing Helios: An analysis of ballot secrecy
2010
Cited by 36 (16 self)
Helios 2.0 is an open-source web-based end-to-end verifiable electronic voting system, suitable for use in low-coercion environments. In this paper, we analyse ballot secrecy and discover a vulnerability which allows an adversary to compromise the privacy of voters. This vulnerability has been successfully exploited to break privacy in a mock election using the current Helios implementation. Moreover, the feasibility of an attack is considered in the context of French legislative elections and, based upon our findings, we believe it constitutes a real threat to ballot secrecy in such settings. Finally, we present a fix and show that our solution satisfies a formal definition of ballot secrecy using the applied pi calculus.
Flaws in Applying Proof Methodologies to Signature Schemes
In Advances in Cryptology, CRYPTO '02, Santa Barbara, Lecture Notes in Computer Science 2442, 2002
Cited by 33 (7 self)
Methods from provable security, developed over the last twenty years, have been recently extensively used to support emerging standards. However, the fact that proofs also need time to be validated through public discussion was somehow overlooked. This became clear when Shoup found that there was a gap in the widely believed security proof of OAEP against adaptive chosen-ciphertext attacks. We give more examples, showing that provable security is more subtle than it at first appears. Our examples are in the area of signature schemes: one is related to the security proof of ESIGN and the other two to the security proof of ECDSA. We found that the ESIGN proof does not hold in the usual model of security, but in a more restricted one. Concerning ECDSA, both examples are based on the concept of duplication: one shows how to manufacture ECDSA keys that allow for two distinct messages with identical signatures, a duplicate signature; the other shows that from any message-signature pair, one can derive a second signature of the same message, the malleability. The security proof provided by Brown [7] does not account for our first example while it surprisingly rules out malleability, thus offering a proof of a property, non-malleability, that the actual scheme does not possess.
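Both ECDSA observations in the abstract above are easy to reproduce, so here is an added worked example (written for this page, not code from the paper): a minimal pure-Python ECDSA over secp256k1 that shows the malleability, (r, s) to (r, n - s), and manufactures a key pair for which one signature is valid on two chosen messages. The duplicate construction follows the idea stated in the abstract: sign m1 with nonce k and m2 with nonce -k, which share the same r, and solve s(k) = s(-k) for the private key, giving d = -(h1 + h2) / (2r) mod n. The fixed nonces, sample messages and the low-s check at the end are constructed for the example; the low-s rule is a common canonical-form mitigation that the paper itself does not discuss.

```python
"""ECDSA duplicate signatures and (r, s) -> (r, n - s) malleability, added example.

Textbook ECDSA over secp256k1 in affine coordinates. Demo quality only: fixed
nonces and unhardened arithmetic make it unfit for anything but illustration.
"""
import hashlib

# secp256k1 domain parameters (standard constants)
P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)


def point_add(a, b):
    """Affine addition on y^2 = x^3 + 7 over GF(P); None is the point at infinity."""
    if a is None:
        return b
    if b is None:
        return a
    if a[0] == b[0] and (a[1] + b[1]) % P == 0:
        return None                                   # a == -b
    if a == b:
        lam = 3 * a[0] * a[0] * pow(2 * a[1], -1, P) % P
    else:
        lam = (b[1] - a[1]) * pow(b[0] - a[0], -1, P) % P
    x = (lam * lam - a[0] - b[0]) % P
    return (x, (lam * (a[0] - x) - a[1]) % P)


def scalar_mult(k, pt):
    """Double-and-add; k is reduced mod N first."""
    k %= N
    result = None
    while k:
        if k & 1:
            result = point_add(result, pt)
        pt = point_add(pt, pt)
        k >>= 1
    return result


def hash_msg(msg: bytes) -> int:
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % N


def sign(d: int, msg: bytes, k: int):
    """ECDSA with a caller-supplied nonce (fixed here only to keep the demo reproducible)."""
    r = scalar_mult(k, G)[0] % N
    s = pow(k, -1, N) * (hash_msg(msg) + r * d) % N
    if r == 0 or s == 0:
        raise ValueError("degenerate nonce, pick another k")
    return (r, s)


def verify(Q, msg: bytes, sig) -> bool:
    r, s = sig
    if not (0 < r < N and 0 < s < N):
        return False
    w = pow(s, -1, N)
    R = point_add(scalar_mult(hash_msg(msg) * w, G), scalar_mult(r * w, Q))
    return R is not None and R[0] % N == r


def malleate(sig):
    """(r, s) -> (r, N - s). Verification recomputes -R instead of R, and -R has
    the same x-coordinate, so the mauled signature is accepted too."""
    r, s = sig
    return (r, N - s)


def duplicate_signature_key(m1: bytes, m2: bytes, k: int):
    """Key pair for which one (r, s) verifies on both m1 and m2.
    Nonce k for m1 and nonce -k for m2 give the same r; equating the two s values,
    k^-1 (h1 + r d) == (-k)^-1 (h2 + r d), yields d = -(h1 + h2) / (2r) mod N."""
    h1, h2 = hash_msg(m1), hash_msg(m2)
    r = scalar_mult(k, G)[0] % N
    d = (-(h1 + h2)) * pow(2 * r, -1, N) % N
    Q = scalar_mult(d, G)
    return d, Q, sign(d, m1, k)


def is_low_s(sig) -> bool:
    """Canonical-form rule a verifier can enforce: accept only s <= N/2, so exactly
    one of (r, s) and (r, N - s) passes. Added mitigation, not from the paper."""
    return sig[1] <= N // 2


if __name__ == "__main__":
    d = 0xC0FFEE                                     # constructed demo key
    Q, msg = scalar_mult(d, G), b"transfer 10 units to Bob"
    sig = sign(d, msg, 0x1234567)
    print("original verifies:", verify(Q, msg, sig), "mauled verifies:", verify(Q, msg, malleate(sig)))
    d2, Q2, dup = duplicate_signature_key(b"I owe Alice 1", b"I owe Alice 1000", 0x987654321)
    print("duplicate valid on both messages:", verify(Q2, b"I owe Alice 1", dup), verify(Q2, b"I owe Alice 1000", dup))
```

The duplicate-signature key is only useful to the party who generated it (the signer), so the practical concern is a signer who wants to deny which of two statements they signed; the malleability concerns any third party and is what low-s normalisation addresses.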
Quantum complexity of testing group commutativity
Proceedings of ICALP '05, 2005
Cited by 30 (5 self)
We consider the problem of testing the commutativity of a black-box group specified by its k generators. The complexity (in terms of k) of this problem was first considered by Pak, who gave a randomized algorithm involving O(k) group operations. We construct a quite optimal quantum algorithm for this problem whose complexity is in Õ(k^(2/3)). The algorithm uses and highlights the power of the quantization method of Szegedy. For the lower bound of Ω(k^(2/3)), we introduce a new technique of reduction for quantum query complexity. Along the way, we prove the optimality of the algorithm of Pak for the randomized model.
An Efficient Group Signature Scheme from Bilinear Maps
2006
Cited by 28 (0 self)
We propose a new group signature scheme which is secure if we assume the Decision Diffie-Hellman assumption, the q-Strong Diffie-Hellman assumption, and the existence of random oracles. The proposed scheme is the most efficient among all previous group signature schemes in signature length and in computational complexity. This paper is the full version of the extended abstract that appeared in ACISP 2005 [17].