Results 1 to 10 of 17

Practical Multi-Candidate Election System
In PODC, 2001
Cited by 77 (7 self)
The aim of electronic voting schemes is to provide a set of protocols that allow voters to cast ballots while a group of authorities collect the votes and output the final tally. In this paper we describe a practical multi-candidate election scheme that guarantees privacy of voters, public verifiability, and robustness against a coalition of malicious authorities. Furthermore, we address the problem of receipt-freeness and incoercibility of voters. Our new scheme is based on the Paillier cryptosystem and on some related zero-knowledge proof techniques. The voting schemes are very practical and can be efficiently implemented in a real system.
Keywords: homomorphic cryptosystems, high-residuosity assumption, practical voting scheme, threshold cryptography
Efficient Computation Modulo a Shared Secret with Application to the Generation of Shared Safe-Prime Products
2002
Cited by 49 (0 self)
We present a new protocol for efficient distributed computation modulo a shared secret. We further present a protocol to distributively generate a random shared prime or safe prime that is much more efficient than previously known methods. This allows to distributively compute shared RSA keys, where the modulus is the product of two safe primes, much more efficiently than was previously known.
Threshold Cryptosystems Secure against Chosen-Ciphertext Attacks
In Proc. of ASIACRYPT, 2000
Cited by 33 (3 self)
Semantic security against chosen-ciphertext attacks (IND-CCA) is widely believed to be the correct security level for public-key encryption schemes. On the other hand, it is often dangerous to give the power of decryption to only one person. Therefore, threshold cryptosystems aim at distributing the decryption ability. However, only two efficient such schemes have been proposed so far for achieving IND-CCA. Both are El Gamal-like schemes and thus are based on the same intractability assumption, namely the Decisional Diffie-Hellman problem. In this article we rehabilitate the twin-encryption paradigm proposed by Naor and Yung to present generic conversions from a large family of (threshold) IND-CPA schemes into (threshold) IND-CCA ones in the random oracle model. An efficient instantiation is also proposed, which is based on the Paillier cryptosystem. This new construction provides the first example of a threshold cryptosystem secure against chosen-ciphertext attacks based on the factorization problem. Moreover, this construction provides a scheme where the "homomorphic properties" of the original scheme still hold. This is rather cumbersome because homomorphic cryptosystems are known to be malleable and therefore not to be CCA secure. However, we do not build a "homomorphic cryptosystem", but just keep the homomorphic properties.
RSA-based Undeniable Signatures for General Moduli
Advances in CT-RSA 2002, LNCS 2271
Cited by 21 (2 self)
Gennaro, Krawczyk and Rabin gave the first undeniable signature scheme based on RSA signatures. However, their solution required the use of RSA moduli which are a product of safe primes. This paper gives techniques which allow RSA-based undeniable signatures for general moduli.
Evaluating Security of Voting Schemes in the Universal Composability Framework
2004
Cited by 9 (2 self)
In the literature, voting protocols are considered secure if they satisfy requirements such as privacy, accuracy, robustness, etc. It can be time consuming to evaluate a voting protocol with respect to all these requirements, and it is not clear that the list of known requirements is complete. Perhaps because of this, many papers on electronic voting do not offer any security proof at all. As a solution to this, we suggest...
A Sender Verifiable Mix-Net and a New Proof of a Shuffle, Cryptology ePrint Archive, Report 2005/137
2005
Cited by 8 (1 self)
We introduce the first El Gamal based mix-net in which each mix-server partially decrypts and permutes its input, i.e., no re-encryption is necessary. An interesting property of the construction is that a sender can verify non-interactively that its message is processed correctly. We call this sender verifiability. The mix-net is provably UC-secure against static adversaries corrupting any minority of the mix-servers. The result holds under the decision Diffie-Hellman assumption, and assuming an ideal bulletin board and an ideal zero-knowledge proof of knowledge of a correct shuffle. Then we construct the first proof of a decryption-permutation shuffle, and show how this can be transformed into a zero-knowledge proof of knowledge in the UC framework. The protocol is sound under the strong RSA assumption and the discrete logarithm assumption. Our proof of a shuffle is not a variation of existing methods. It is based on a novel idea of independent interest, and we argue that it is at least as efficient as previous constructions.
Extending Nymble-like Systems
Cited by 7 (5 self)
We present several extensions to the Nymble framework for anonymous blacklisting systems. First, we show how to distribute the Verinym Issuer as a threshold entity. This provides liveness against a threshold Byzantine adversary and protects against denial-of-service attacks. Second, we describe how to revoke a user for a period spanning multiple linkability windows. This gives service providers more flexibility in deciding how long to block individual users. We also point out how our solution enables efficient blacklist transferability among service providers. Third, we augment the Verinym Acquisition Protocol for Tor-aware systems (that utilize IP addresses as a unique identifier) to handle two additional cases: 1) the operator of a Tor exit node wishes to access services protected by the system, and 2) a user's access to the Verinym Issuer (and the Tor network) is blocked by a firewall. Finally, we revisit the objective blacklisting mechanism used in Jack, and generalize this idea to enable objective blacklisting in other Nymble-like systems. We illustrate the approach by showing how to implement it in Nymble and Nymbler.
Threshold cryptosystems based on factoring
In Asiacrypt 2002, 2002
Cited by 4 (0 self)
We consider threshold cryptosystems over a composite modulus N where the factors of N are shared among the participants as the secret key. This is a new paradigm for threshold cryptosystems based on a composite modulus, differing from the typical treatment of RSA-based systems where a "decryption exponent" is shared among the participants. Our approach yields solutions to some open problems in threshold cryptography; in particular, we obtain the following:
1. Threshold Homomorphic Encryption. A number of applications (e.g., electronic voting or efficient multi-party computation) require threshold homomorphic encryption schemes. We present a protocol for threshold decryption of the homomorphic Goldwasser-Micali encryption scheme [34], answering an open question of [21].
2. Threshold Cryptosystems as Secure as Factoring. We describe a threshold version of a variant of the signature standards ISO 9796-2 and PKCS#1 v1.5 (cf. [39, Section 11.3.4]), thus giving the first threshold signature scheme whose security (in the random oracle model) is equivalent to the hardness of factoring [12]. Our techniques may be adapted to distribute the Rabin encryption scheme [44], whose semantic security may be reduced to the hardness of factoring.
3. Efficient Threshold Schemes without a Trusted Dealer. Because our schemes only require sharing of N, which furthermore need not be a product of strong primes, our schemes are very efficient (compared to previous schemes) when a trusted dealer is not assumed and key generation is done in a distributed manner.
Extensions to achieve robustness and proactivation are also possible with our schemes.
A New Distributed Primality Test for Shared RSA Keys using Quadratic Fields
Proc. 7th Australasian Conference on Information Security and Privacy (ACISP'02), 2002
Cited by 4 (1 self)
In the generation method for RSA moduli proposed by Boneh and Franklin in [BF97], the partial signing servers generate random shares p_i, q_i and compute as candidate for an RSA modulus n = pq where p = (p_i) and q = (q_i). Then they perform a time-consuming distributed primality test which simultaneously checks the primality of both p and q by computing g = 1 mod n. The primality test proposed in [BF97] cannot be generalized to products of more than two primes. A more complicated one for products of three primes was presented in [BH98].
Optimizing robustness while generating shared secret safe primes
Public Key Cryptography, Lecture Notes in Computer Science, 2005
Cited by 2 (0 self)
We develop a method for generating shared, secret, safe primes applicable to use in threshold RSA signature schemes such as the one developed by Shoup. We would like a scheme usable in practical settings, so our protocol is robust and efficient in asynchronous, hostile environments. We show that the techniques used for robustness need special care when they must be efficient. Specifically, we show optimizations that minimize the number and size of the proofs of knowledge used. We also develop optimizations based on computer arithmetic algorithms, in particular, precomputation and Montgomery modular multiplication.