Results 1 - 10 of 41
On private scalar product computation for privacy-preserving data mining
In Proceedings of the 7th Annual International Conference in Information Security and Cryptology, 2004
Cited by 75 (4 self)
Abstract. In mining and integrating data from multiple sources, there are many privacy and security issues. In several different contexts, the security of the full privacy-preserving data mining protocol depends on the security of the underlying private scalar product protocol. We show that two of the private scalar product protocols, one of which was proposed in a leading data mining conference, are insecure. We then describe a provably private scalar product protocol that is based on homomorphic encryption and improve its efficiency so that it can also be used on massive datasets. Keywords: Privacy-preserving data mining, private scalar product protocol, vertically partitioned frequent pattern mining
Non-interactive zero-knowledge arguments for voting
In Proceedings of ACNS ’05, LNCS series, 2005
Cited by 26 (1 self)
Abstract. In voting based on homomorphic threshold encryption, the voter encrypts his vote and sends it in to the authorities that tally the votes. If voters can send in arbitrary plaintexts then they can cheat. It is therefore important that they attach an argument of knowledge of the plaintext being a correctly formed vote. Typically, these arguments are honest verifier zero-knowledge arguments that are made non-interactive using the Fiat-Shamir heuristic. Security is argued in the random oracle model. The simplest case is where each voter has a single vote to cast. Practical solutions have already been suggested for the single vote case. However, as we shall see, homomorphic threshold encryption can be used for a variety of elections; in particular there are many cases where voters can cast multiple votes at once. In these cases, it remains important to bring down the cost of the NIZK argument. We improve on the state of the art in the case of limited votes, where each voter can vote a small number of times. We also improve on the state of the art in shareholder elections, where each voter may have a large number of votes to spend. Moreover, we improve on the state of the art in Borda voting. Finally, we suggest a NIZK argument for correctness of an approval vote. To the best of our knowledge, approval voting has not been considered before in the cryptographic literature.
A certifying compiler for zero-knowledge proofs of knowledge based on sigma-protocols
In ESORICS ’10, 2010
Cited by 16 (2 self)
Abstract. Zero-knowledge proofs of knowledge (ZKPoK) are important building blocks for numerous cryptographic applications. Although ZKPoK have very useful properties, their real-world deployment is typically hindered by their significant complexity compared to other (non-interactive) crypto primitives. Moreover, their design and implementation is time-consuming and error-prone. We contribute to overcoming these challenges as follows: We present a comprehensive specification language and a certifying compiler for ZKPoK protocols based on Σ-protocols and composition techniques known in the literature. The compiler allows the fully automatic translation of an abstract description of a proof goal into an executable implementation. Moreover, the compiler overcomes various restrictions of previous approaches, e.g., it supports the important class of exponentiation homomorphisms with hidden-order codomain, needed for privacy-preserving applications such as idemix. Finally, our compiler is certifying, in the sense that it automatically produces a formal proof of security (soundness) of the compiled protocol (currently covering special homomorphisms) using the Isabelle/HOL theorem prover.
On the portability of generalized Schnorr proofs
Advances in Cryptology - EUROCRYPT 2009, 2009
Cited by 13 (5 self)
Automatic generation of sound zero-knowledge protocols (Extended Poster Abstract), 2008
Cited by 12 (6 self)
Efficient zero-knowledge proofs of knowledge (ZKPoK) are basic building blocks of many practical cryptographic applications such as identification schemes, group signatures, and secure multi-party computation. Currently, first applications that critically rely on ZKPoKs are being deployed in the real world. The most prominent example is Direct Anonymous Attestation (DAA), which was adopted by the Trusted Computing Group (TCG) and implemented as one of the functionalities of the cryptographic chip Trusted Platform Module (TPM). Implementing systems using ZKPoK turns out to be challenging, since ZKPoK are, loosely speaking, significantly more complex than standard crypto primitives, such as encryption and signature schemes. As a result, implementation cycles of ZKPoK are time-consuming and error-prone, in particular for developers with minor or no cryptographic skills. In this paper we report on our ongoing and future research vision with the goal to bring ZKPoK to practice by automatically generating sound ZKPoK protocols and making them accessible to crypto and security engineers. To this end we are developing protocols and compilers that support and automate the design and generation of secure and efficient implementations of ZKPoK protocols.
Bringing zero-knowledge proofs of knowledge to practice
In 17th International Workshop on Security Protocols, 2009
Cited by 10 (3 self)
Abstract. Efficient zero-knowledge proofs of knowledge (ZKPoK) are basic building blocks of many practical cryptographic applications such as identification schemes, group signatures, and secure multi-party computation. Currently, first applications that critically rely on ZKPoKs are being deployed in the real world. The most prominent example is Direct Anonymous Attestation (DAA), which was adopted by the Trusted Computing Group (TCG) and implemented as one of the functionalities of the cryptographic Trusted Platform Module (TPM) chip. Implementing systems using ZKPoK turns out to be challenging, since ZKPoK are, loosely speaking, significantly more complex than standard crypto primitives, such as encryption and signature schemes. As a result, implementation cycles of ZKPoK are time-consuming and error-prone, in particular for developers with minor or no cryptographic skills. In this paper we report on our ongoing and future research vision with the goal to bring ZKPoK to practice by making them accessible to crypto and security engineers. To this end we are developing compilers and related tools that support and partially automate the design, implementation, verification and secure implementation of ZKPoK protocols.
Full proof cryptography: Verifiable compilation of efficient zero-knowledge protocols
In 19th ACM Conference on Computer and Communications Security, CCS 2012. ACM, 2012
Cited by 8 (3 self)
Developers building cryptography into security-sensitive applications face a daunting task. Not only must they understand the security guarantees delivered by the constructions they choose, they must also implement and combine them correctly and efficiently. Cryptographic compilers free developers from having to implement cryptography on their own by turning high-level specifications of security goals into efficient implementations. Yet, trusting such tools is risky as they rely on complex mathematical machinery and claim security properties that are subtle and difficult to verify. In this paper, we present ZKCrypt, an optimizing cryptographic compiler that achieves an unprecedented level of assurance without sacrificing practicality for a comprehensive class of cryptographic protocols, known as Zero-Knowledge Proofs of Knowledge. The pipeline of ZKCrypt tightly integrates purpose-built verified compilers and verifying compilers producing formal proofs in the CertiCrypt framework. By combining the guarantees delivered by each stage in the pipeline, ZKCrypt provides assurance that the implementation it outputs securely realizes the high-level proof goal given as input. We report on the main characteristics of ZKCrypt, highlight new definitions and concepts at its foundations, and illustrate its applicability through a representative example of an anonymous credential system.
Efficient RSA key generation and threshold Paillier in the two-party setting. Cryptology ePrint Archive, 2011
Cited by 8 (2 self)
The problem of generating an RSA composite in a distributed manner without leaking its factorization is particularly challenging and useful in many cryptographic protocols. Our first contribution is the first non-generic fully simulatable protocol for distributively generating an RSA composite with security against malicious behavior. Our second contribution is a complete Paillier [Pai99] threshold encryption scheme in the two-party setting with security against malicious behavior. Furthermore, we describe how to extend our protocols to the multi-party setting with dishonest majority. Our RSA key generation is comprised of the following: (i) a distributed protocol for generation of an RSA composite, and (ii) a biprimality test for verifying the validity of the generated composite. Our Paillier threshold encryption scheme uses the RSA composite as public key and is comprised of: (i) a distributed generation of the corresponding secret-key shares and (ii) a distributed decryption protocol for decrypting according to Paillier. Keywords:
A Framework for Practical Universally Composable Zero-Knowledge Protocols
Cited by 8 (4 self)
Zero-knowledge proofs of knowledge (ZKPoK) for discrete logarithms and related problems are indispensable for practical cryptographic protocols. Recently, Camenisch, Kiayias, and Yung provided a specification language (the CKY-language) for such protocols which allows for a modular design and protocol analysis: for every zero-knowledge proof specified in this language, protocol designers are ensured that there exists an efficient protocol which indeed proves the specified statement. However, the protocols resulting from their compilation techniques only satisfy the classical notion of ZKPoK, which is not retained when they are used as building blocks for higher-level applications or composed with other protocols. This problem can be tackled by moving to the Universal Composability (UC) framework, which guarantees retention of security when composing protocols in arbitrary ways. While there exist generic transformations from Σ-protocols to UC-secure protocols, these transformations are often too inefficient for practice. In this paper we introduce a specification language akin to the CKY-language and a compiler such that the resulting protocols are UC-secure and efficient. To this end, we propose an extension of the UC-framework addressing the issue that UC-secure zero-knowledge proofs are by definition proofs of knowledge, and state a special composition theorem which allows one to use the weaker – but more efficient and often sufficient – notion of proofs of membership in the UC-framework. We believe that our contributions enable the design of practically efficient protocols that are UC-secure and thus themselves can be used as building blocks.
Homomorphic Trapdoor Commitments to Group Elements
Cited by 8 (1 self)
We present homomorphic trapdoor commitments to group elements. In contrast, previous homomorphic trapdoor commitment schemes only allow the messages to be exponents. Our commitment schemes are length-reducing: we can make a short commitment to many group elements at once, and they are perfectly hiding and computationally binding. The commitment schemes are based on groups with a bilinear map. We can commit to elements from a base group, whereas the commitments belong to the target group. We present two constructions based on simple computational intractability assumptions, which we call respectively the double pairing assumption and the simultaneous triple pairing assumption. While the assumptions are new, we demonstrate that they are implied by well-known assumptions: respectively the decision Diffie-Hellman assumption and the decision linear assumption.