On private scalar product computation for privacy-preserving data mining
- In Proceedings of the 7th Annual International Conference in Information Security and Cryptology
, 2004
Cited by 40 (4 self)
Abstract. In mining and integrating data from multiple sources, there are many privacy and security issues. In several different contexts, the security of the full privacy-preserving data mining protocol depends on the security of the underlying private scalar product protocol. We show that two of the private scalar product protocols, one of which was proposed in a leading data mining conference, are insecure. We then describe a provably private scalar product protocol that is based on homomorphic encryption and improve its efficiency so that it can also be used on massive datasets. Keywords: Privacy-preserving data mining, private scalar product protocol, vertically partitioned frequent pattern mining
Fully Private Auctions in a constant number of rounds
, 2002
Cited by 32 (6 self)
We present a new cryptographic auction protocol that prevents extraction of bid information despite any collusion of participants. This requirement is stronger than common assumptions in existing protocols that prohibit the collusion of certain third-parties (e.g. distinct auctioneers). Full privacy is obtained by using homomorphic encryption (e.g. ElGamal) and distributing the private key among the set of bidders. Bidders jointly compute the auction outcome on their own without uncovering any additional information in a constant number of rounds. No auctioneers or other trusted third parties are needed to resolve the auction. Yet, robustness is assured due to public verifiability of the entire protocol. The scheme can be applied to any uniform-price (or so-called (M + 1)st-price) auction. To the best of our knowledge, there is no other cryptographic auction protocol that achieves a similar level of privacy. The selling price is only revealed to the seller and the winning bidders themselves. In addition, we propose schemes that require more rounds but are computationally much more efficient.
A verifiable, bidder-resolved Auction Protocol
- In Proceedings of the 5th International Workshop on Deception, Fraud and Trust in Agent Societies
, 2002
Cited by 24 (4 self)
Security and privacy have become crucial factors in auction design. Various schemes to ensure the safe conduction of sealed-bid auctions have been proposed recently. We introduce a new standard of privacy for auctions ("full privacy"), that prevents extraction of bid information despite any collusion of participants. This requirement is stronger than other common assumptions that prohibit the collusion of certain third-parties (e.g., distinct auctioneers). Full privacy can be obtained by applying a secret sharing scheme in which the bidders jointly compute the selling price on their own without uncovering any additional information. No auctioneers or other trusted third parties are used to resolve the auction.
On Diophantine Complexity and Statistical Zero-Knowledge Arguments
- Advances on Cryptology — ASIACRYPT 2003
, 2003
Cited by 21 (4 self)
Abstract. We show how to construct practical honest-verifier statistical zero-knowledge Diophantine arguments of knowledge (HVSZK AoK) that a committed tuple of integers belongs to an arbitrary language in bounded arithmetic. While doing this, we propose a new algorithm for computing the Lagrange representation of nonnegative integers and a new efficient representing polynomial for the exponential relation. We apply our results by constructing the most efficient known HVSZK AoK for non-negativity and the first constant-round practical HVSZK AoK for exponential relation. Finally, we propose the outsourcing model for cryptographic protocols and design communication-efficient versions of the Damgård-Jurik multi-candidate voting scheme and of the Lipmaa-Asokan-Niemi (b + 1)st-price auction scheme that work in this model.
Identity-based Chameleon Hash and Applications
, 2004
Cited by 20 (2 self)
Chameleon signatures are non-interactive signatures based on a hash-and-sign paradigm, and similar in efficiency to regular signatures.
A Generalization of Paillier's Public-Key System with Applications to Electronic Voting
- P Y A RYAN
, 2003
Cited by 17 (1 self)
We propose a generalization of Paillier's probabilistic public key system, in which the expansion factor is reduced and which allows to adjust the block length of the scheme even after the public key has been fixed, without losing the homomorphic property. We show that the generalization is as secure as Paillier's original system and propose several ways to optimize implementations of both the generalized and the original scheme. We construct
Practical secrecy-preserving, verifiably correct and trustworthy auctions
- In ICEC ’06: Proceedings of the 8th International Conference on Electronic Commerce
, 2006
Cited by 13 (5 self)
We present a practical system for conducting sealed-bid auctions that preserves the secrecy of the bids while providing for verifiable correctness and trustworthiness of the auction. The auctioneer must accept all bids submitted and follow the published rules of the auction. No party receives any useful information about bids before the auction closes and no bidder is able to change or repudiate her bid. Our solution uses Paillier’s homomorphic encryption scheme [25] for zero knowledge proofs of correctness. Only minimal cryptographic technology is required of bidders; instead of employing complex interactive protocols or multi-party computation, the single auctioneer computes optimal auction results and publishes proofs of the results' correctness. Any party can check these proofs of correctness via publicly verifiable computations on encrypted bids. The system is illustrated through application to first-price, uniform-price and second-price auctions, including multi-item auctions. Our empirical results demonstrate the practicality of our method: auctions with hundreds of bidders are within reach of a single PC, while a modest distributed computing network can accommodate auctions with thousands of bids.
Non-interactive zero-knowledge arguments for voting
- In proceedings of ACNS ’05, LNCS series
, 2005
Cited by 12 (1 self)
Abstract. In voting based on homomorphic threshold encryption, the voter encrypts his vote and sends it in to the authorities that tally the votes. If voters can send in arbitrary plaintexts then they can cheat. It is therefore important that they attach an argument of knowledge of the plaintext being a correctly formed vote. Typically, these arguments are honest verifier zero-knowledge arguments that are made non-interactive using the Fiat-Shamir heuristic. Security is argued in the random oracle model. The simplest case is where each voter has a single vote to cast. Practical solutions have already been suggested for the single vote case. However, as we shall see, homomorphic threshold encryption can be used for a variety of elections, in particular there are many cases where voters can cast multiple votes at once. In these cases, it remains important to bring down the cost of the NIZK argument. We improve on state of the art in the case of limited votes, where each voter can vote a small number of times. We also improve on the state of the art in shareholder elections, where each voter may have a large number of votes to spend. Moreover, we improve on the state of the art in Borda voting. Finally, we suggest a NIZK argument for correctness of an approval vote. To the best of our knowledge, approval voting has not been considered before in the cryptographic literature.
Secure and Private Auctions without Auctioneers
, 2002
Cited by 9 (5 self)
Security and privacy have become crucial factors in auction design. Various schemes to ensure the safe conduction of sealed-bid auctions have been proposed recently. We introduce a new standard of security for auctions ("full privacy"), that prevents extraction of bid information despite any collusion of participants. This requirement is stronger than other common assumptions that prohibit the collusion of certain third-parties (e.g., distinct auctioneers).
Efficient Privacy-Preserving Protocols for Multi-unit Auctions
, 2005
Cited by 8 (2 self)
The purpose of multi-unit auctions is to allocate identical units of a single type of good to multiple agents. Besides well-known applications like the selling of treasury bills, electrical power, or spectrum licenses, multi-unit auctions are also well-suited for allocating CPU time slots or network bandwidth in computational multiagent systems. A crucial problem in sealed-bid auctions is the lack of trust bidders might have in the auctioneer. For one, bidders might doubt the correctness of the auction outcome. Secondly, they are reluctant to reveal their private valuations to the auctioneer since these valuations are often based on sensitive information. We propose privacy-preserving protocols that allow bidders to jointly compute the auction outcome without the help of third parties. All three common types of multi-unit auctions (uniform-price, discriminatory, and generalized Vickrey auctions) are considered for the case of marginal decreasing valuation functions. Our protocols are based on distributed homomorphic encryption and can be executed in a small constant number of rounds in the random oracle model. Security merely relies on computational intractability (the decisional Diffie-Hellman assumption). In particular, no subset of (computationally bounded) colluding participants is capable of uncovering private information.

