Results 1-10 of 231
Short signatures from the Weil pairing, 2001
Cited by 743 (28 self)
Abstract. We introduce a short signature scheme based on the Computational Diffie-Hellman assumption on certain elliptic and hyperelliptic curves. The signature length is half the size of a DSA signature for a similar level of security. Our short signature scheme is designed for systems where signatures are typed in by a human or signatures are sent over a low-bandwidth channel.
Evaluating 2-DNF formulas on ciphertexts. In Proceedings of TCC '05, LNCS series, 2005
Cited by 231 (7 self)
Abstract. Let ψ be a 2-DNF formula on boolean variables x1, ..., xn ∈ {0, 1}. We present a homomorphic public key encryption scheme that allows the public evaluation of ψ given an encryption of the variables x1, ..., xn. In other words, given the encryption of the bits x1, ..., xn, anyone can create the encryption of ψ(x1, ..., xn). More generally, we can evaluate quadratic multivariate polynomials on ciphertexts provided the resulting value falls within a small set. We present a number of applications of the system: 1. In a database of size n, the total communication in the basic step of the Kushilevitz-Ostrovsky PIR protocol is reduced from √n to ∛n. 2. An efficient election system based on homomorphic encryption where voters do not need to include non-interactive zero knowledge proofs that their ballots are valid. The election system is proved secure without random oracles but still efficient. 3. A protocol for universally verifiable computation.
Secure Distributed Key Generation for Discrete-Log Based Cryptosystems, 1999
Cited by 169 (4 self)
Abstract. Distributed key generation is a main component of threshold cryptosystems and distributed cryptographic computing in general. Solutions to the distributed generation of private keys for discrete-log based cryptosystems have been known for several years and used in a variety of protocols and in many research papers. However, these solutions fail to provide the full security required and claimed by these works. We show how an active attacker controlling a small number of parties can bias the values of the generated keys, thus violating basic correctness and secrecy requirements of a key generation protocol. In particular, our attacks point to the places where the proofs of security fail. Based on these findings we designed a distributed key generation protocol which we present here together with a rigorous proof of security. Our solution, which achieves optimal resiliency, can be used as a drop-in replacement for key generation modules as well as other components of threshold or proactive discrete-log based cryptosystems.
Collaborative Filtering with Privacy, 2002
Cited by 166 (9 self)
Server-based collaborative filtering systems have been very successful in e-commerce and in direct recommendation applications. In the future, they have many potential applications in ubiquitous computing settings. But today's schemes have problems such as loss of privacy, favoring retail monopolies, and hampering diffusion of innovations. We propose an alternative model in which users control all of their log data. We describe an algorithm whereby a community of users can compute a public "aggregate" of their data that does not expose individual users' data. The aggregate allows personalized recommendations to be computed by members of the community, or by outsiders. The numerical algorithm is fast, robust and accurate. Our method reduces the collaborative filtering task to an iterative calculation of the aggregate requiring only addition of vectors of user data. Then we use homomorphic encryption to allow sums of encrypted vectors to be computed and decrypted without exposing individual data. We give verification schemes for all parties in the computation. Our system can be implemented with untrusted servers, or with additional infrastructure, as a fully peer-to-peer (P2P) system.
Efficient receipt-free voting based on homomorphic encryption, 2000
Cited by 156 (0 self)
Abstract. Voting schemes that provide receipt-freeness prevent voters from proving their cast vote, and hence thwart vote-buying and coercion. We analyze the security of the multi-authority voting protocol of Benaloh and Tuinstra and demonstrate that this protocol is not receipt-free, as opposed to what was claimed in the paper and was believed before. Furthermore, we propose the first practicable receipt-free voting scheme. Its only physical assumption is the existence of secret one-way communication channels from the authorities to the voters, and due to the public verifiability of the tally, voters only join a single stage of the protocol, realizing the "vote-and-go" concept. The protocol combines the advantages of the receipt-free protocol of Sako and Kilian and of the very efficient protocol of Cramer, Gennaro, and Schoenmakers, with the help of designated-verifier proofs of Jakobsson, Sako, and Impagliazzo. Compared to the receipt-free protocol of Sako and Kilian for security parameter ℓ (the number of repetitions in the non-interactive cut-and-choose proofs), the protocol described in this paper realizes an improvement of the total bit complexity by a factor ℓ.
Securing Threshold Cryptosystems against Chosen Ciphertext Attack. Journal of Cryptology, 1998
PocketLens: Toward a personal recommender system. ACM Trans. Inf. Syst.
Cited by 107 (3 self)
Recommender systems using collaborative filtering are a popular technique for reducing information overload and finding products to purchase. One limitation of current recommenders is that they are not portable. They can only run on large computers connected to the Internet. A second limitation is that they require the user to trust the owner of the recommender with personal preference data. Personal recommenders hold the promise of delivering high quality recommendations on palmtop computers, even when disconnected from the Internet. Further, they can protect the user's privacy by storing personal information locally, or by sharing it in encrypted form. In this article we present the new PocketLens collaborative filtering algorithm along with five peer-to-peer architectures for finding neighbors. We evaluate the architectures and algorithms in a series of offline experiments. These experiments show that PocketLens can run on connected servers, on usually connected workstations, or on occasionally connected portable devices, and produce recommendations that are as good as the best published algorithms to date.
Proactive Public Key and Signature Systems, 1996
Cited by 99 (19 self)
Emerging applications like electronic commerce and secure communications over open networks have made clear the fundamental role of public key cryptography as a unique enabler for worldwide-scale security solutions. On the other hand, these solutions clearly expose the fact that the protection of private keys is a security bottleneck in these sensitive applications. This problem is further worsened in the cases where a single and unchanged private key must be kept secret for a very long time (such is the case of certification authority keys, bank and e-cash keys, etc.). One crucial defense against exposure of private keys is offered by threshold cryptography, where the private key functions (like signatures or decryption) are distributed among several parties such that a predetermined number of parties must cooperate in order to correctly perform these operations. This protects keys from any single point of failure. An attacker needs to break into a multiplicity of locations before it ca...
A practical mix, 1998
Cited by 79 (11 self)
Abstract. We introduce a robust and efficient mix-network for exponentiation, and use it to obtain a threshold decryption mix-network for ElGamal encrypted messages, in which mix servers do not need to trust each other for the correctness of the result. If a subset of mix servers cheat, they will be caught with an overwhelming probability, and the decryption can restart after replacing them, in a fashion that is transparent to the participants providing the input to be decrypted. As long as a quorum is not controlled by an adversary, the privacy of the mix is guaranteed. Our solution is proved to be secure if a commonly used assumption, the Decision Diffie-Hellman assumption, holds. Of possible independent interest are two new methods that we introduce: blinded destructive robustness, a type of destructive robustness with protection against leaks of secret information; and repetition robustness, a method for obtaining robustness for some distributed vector computations. Here, two or more calculations of the same equation are performed, where the different computations are made independent by the use of blinding and permutation. The resulting vectors are then unblinded, sorted and compared to each other. This allows us to detect cheating (resulting in inequality of the vectors). Also of possible independent interest is a modular extension to the ElGamal encryption scheme, making the resulting scheme non-malleable in the random oracle model. This is done by interpreting part of the ciphertext as a public key, and signing the ciphertext using the corresponding secret key.
An efficient threshold public key cryptosystem secure against adaptive chosen ciphertext attack, 1999
Cited by 76 (0 self)
Abstract. This paper proposes a simple threshold Public-Key Cryptosystem (PKC) which is secure against adaptive chosen ciphertext attack, under the Decisional Diffie-Hellman (DDH) intractability assumption. Previously, it was shown how to design non-interactive threshold PKC secure under chosen ciphertext attack, in the random-oracle model and under the DDH intractability assumption [25]. The random oracle was used both in the proof of security and to eliminate interaction. General completeness results for multiparty computations [6,13] enable in principle converting any single-server PKC secure against CCA (e.g., [19,17]) into a threshold one, but the conversions are inefficient and require much interaction among the servers for each ciphertext decrypted. The recent work by Cramer and Shoup [17] on single-server PKC secure against adaptive CCA is the starting point for the new proposal.