Results 1-10 of 40
A length-flexible threshold cryptosystem with applications
 In Proceedings of ACISP ’03, LNCS series, 2003
Accumulating composites and improved group signing
 Proceedings of Asiacrypt 2003, volume 2894 of LNCS, 2003
Cited by 21 (1 self)
Abstract. Constructing practical and provably secure group signature schemes has been a very active research topic in recent years. A group signature can be viewed as a digital signature with certain extra properties. Notably, anyone can verify that a signature is generated by a legitimate group member, while the actual signer can only be identified (and linked) by a designated entity called a group manager. Currently, the most efficient group signature scheme available is due to Camenisch and Lysyanskaya [CL02]. It is obtained by integrating a novel dynamic accumulator with the scheme by Ateniese et al. [ACJT00]. In this paper, we construct a dynamic accumulator that accumulates composites, as opposed to previous accumulators that accumulated primes. We also present an efficient method for proving knowledge of factorization of a committed value. Based on these (and other) techniques we design a novel provably secure group signature scheme. It operates in the common auxiliary string model and offers two important benefits: 1) the Join process is very efficient: a new member computes only a single exponentiation, and 2) the (unoptimized) cost of generating a group signature is 17 exponentiations, which is appreciably less than the state-of-the-art.
I.: Making a Nymbler Nymble using VERBS, 2010
Cited by 19 (9 self)
Abstract. We propose a new system modeled after Nymble. Like Nymble, our scheme provides a privacy-preserving analog of IP address blocking for anonymizing networks. However, unlike Nymble, the user in our scheme need not trust third parties to maintain their anonymity. We achieve this while avoiding the use of trusted hardware and without requiring an offline credential issuing authority to guarantee that users do not obtain multiple credentials. We use zero-knowledge proofs to reduce the capabilities of colluding third parties, and introduce a new cryptographic technique that we call verifier-efficient restricted blind signatures, or VERBS, to maintain efficiency. Signature verification with our VERBS is 1–2 orders of magnitude faster than existing restricted blind signatures.
Practical two-party computation based on the conditional gate
 In Proceedings of Advances in Cryptology - ASIACRYPT ’04, volume 3329 of LNCS, 2004
Cited by 18 (3 self)
Abstract. We present new results in the framework of secure multiparty computation based on homomorphic threshold cryptosystems. We introduce the conditional gate as a special type of multiplication gate that can be realized in a surprisingly simple and efficient way using just standard homomorphic threshold ElGamal encryption. As addition gates are essentially for free, the conditional gate not only allows for building a circuit for any function, but actually yields efficient circuits for a wide range of tasks.
Efficient cryptographic protocol design based on distributed El Gamal encryption
 In Proceedings of the 8th International Conference on Information Security and Cryptology (ICISC), 2005
Cited by 17 (0 self)
Abstract. We propose a set of primitives based on El Gamal encryption that can be used to construct efficient multiparty computation protocols for certain low-complexity functions. In particular, we show how to privately count the number of true Boolean disjunctions of literals and pairwise exclusive disjunctions of literals. Applications include efficient two-party protocols for computing the Hamming distance of two bitstrings and the greater-than function. The resulting protocols only require 6 rounds of interaction (in the random oracle model) and their communication complexity is O(kQ), where k is the length of the bitstrings and Q is a security parameter. The protocols are secure against active adversaries but do not provide fairness. Security relies on the decisional Diffie-Hellman assumption and the error probability is negligible in Q.
Secure computation of the mean and related statistics
 in Proceedings of the Theory of Cryptography Conference, ser. Lecture Notes in Computer Science
Cited by 16 (0 self)
Abstract. In recent years there has been massive progress in the development of technologies for storing and processing of data. If statistical analysis could be applied to such data when it is distributed between several organisations, there could be huge benefits. Unfortunately, in many cases, for legal or commercial reasons, this is not possible. The idea of using the theory of multiparty computation to analyse efficient algorithms for privacy-preserving data mining was proposed by Pinkas and Lindell. The point is that algorithms developed in this way can be used to overcome the apparent impasse described above: the owners of data can, in effect, pool their data while ensuring that privacy is maintained. Motivated by this, we describe how to securely compute the mean of an attribute value in a database that is shared between two parties. We also demonstrate that existing solutions in the literature that could be used to do this leak information, therefore underlining the importance of applying rigorous theoretical analysis rather than settling for ad hoc techniques.
Efficient binary conversion for Paillier encrypted values
 in Advances in Cryptology – EUROCRYPT, ser. LNCS
Cited by 15 (0 self)
Abstract. We consider the framework of secure n-party computation based on threshold homomorphic cryptosystems as put forth by Cramer, Damgård, and Nielsen at Eurocrypt 2001. When used with Paillier’s cryptosystem, this framework allows for efficient secure evaluation of any arithmetic circuit defined over Z_N, where N is the RSA modulus of the underlying Paillier cryptosystem. In this paper, we extend the scope of the framework by considering the problem of converting a given Paillier encryption of a value x ∈ Z_N into Paillier encryptions of the bits of x. We present solutions for the general case in which x can be any integer in {0, 1, ..., N − 1}, and for the restricted case in which x < N/(n 2^κ) for a security parameter κ. In the latter case, we show how to extract the ℓ least significant bits of x (in encrypted form) in time proportional to ℓ, typically saving a factor of (log_2 N)/ℓ compared to the general case. Thus, intermediate computations that rely in an essential way on the binary representations of their input values can be handled without enforcing that the entire computation is done bitwise. Typical examples involve the relational operators such as < and =. As a specific scenario we will consider the setting for (approximate) matching of biometric templates, given as bit strings.
Secure arithmetic computation with no honest majority
 In Theory of Cryptography Conference — TCC ’09, 2009
Cited by 12 (0 self)
We study the complexity of securely evaluating arithmetic circuits over finite rings. This question is motivated by natural secure computation tasks. Focusing mainly on the case of two-party protocols with security against malicious parties, our main goals are to: (1) only make black-box calls to the ring operations and standard cryptographic primitives, and (2) minimize the number of such black-box calls as well as the communication overhead. We present several solutions which differ in their efficiency, generality, and underlying intractability assumptions. These include:
• An unconditionally secure protocol in the OT-hybrid model which makes a black-box use of an arbitrary ring R, but where the number of ring operations grows linearly with (an upper bound on) log |R|.
• Computationally secure protocols in the OT-hybrid model which make a black-box use of an underlying ring, and in which the number of ring operations does not grow with the ring size. The protocols rely on variants of previous intractability assumptions related to linear codes. In the most efficient instance of these protocols, applied to a suitable class of fields, the (amortized) communication cost is a constant number of field elements per multiplication gate and the computational cost is dominated by O(log k) field operations per gate, where k is a security parameter. These results extend a previous approach of Naor and Pinkas for secure polynomial evaluation (SIAM J. Comput., 35(5), 2006).
• A protocol for the rings Z_m = Z/mZ which only makes a black-box use of a homomorphic encryption scheme. When m is prime, the (amortized) number of calls to the encryption scheme for each gate of the circuit is constant.
All of our protocols are in fact UC-secure in the OT-hybrid model and can be generalized to multiparty computation with an arbitrary number of malicious parties.
Unconditionally Secure Constant Round Multi-Party Computation for Equality, Comparison, Bits and Exponentiation
 In Proceedings of the third Theory of Cryptography Conference, 2005
Cited by 11 (1 self)
In this paper we are interested in efficient and secure constant round multiparty protocols which provide unconditional security against so-called honest-but-curious adversaries. In particular, we design a novel constant round protocol that converts from shares over Z_q to shares over the integers, working for all shared inputs from Z_q. Furthermore, we present a constant round protocol to securely evaluate a shared input on a public polynomial whose running time is linear in the degree of the polynomial. The proposed solution makes use of Chebyshev polynomials. We show that the latter two protocols can be used to design efficient constant round protocols for the following natural problems: (i) Equality: Computing shares of the bit indicating if a shared input value equals zero or not. This provides the missing building blocks for many constant round linear algebra protocols from the work of Cramer and Damgård [CD01]. (ii) Comparison: Computing shares of a bit indicating which of two shared inputs is greater. (iii) Bits: Computing shares of the binary representation of a shared input value. (iv) Exponentiation: Computing shares of x^a mod q given shares of x, a and q. Prior to this paper, for all the above mentioned problems, there were in general no efficient constant round protocols known providing unconditional security.
Efficient Maximal Privacy in Boardroom Voting and Anonymous Broadcast, 2004
Cited by 10 (0 self)
Most voting schemes rely on a number of authorities. If too many of these authorities are dishonest then voter privacy may be violated. To give stronger guarantees of voter privacy, Kiayias and Yung [KY] introduced the concept of elections with perfect ballot secrecy. In this type of election scheme it is guaranteed that the only thing revealed about voters' choices is the result of the election, no matter how many parties are corrupt. Our first contribution is to suggest a simple voting scheme with perfect ballot secrecy that is more efficient than [KY]. Considering the question of achieving maximal privacy in other protocols, we look at anonymous broadcast. We suggest the notion of perfect message secrecy, meaning that nothing is revealed about who sent which message, no matter how many parties are corrupt. Our second contribution is an anonymous broadcast channel with perfect message secrecy built on top of a broadcast channel.