Simultaneous hardcore bits and cryptography against memory attacks
- In TCC, 2009
Cited by 36 (4 self)
Abstract. This paper considers two questions in cryptography. Cryptography Secure Against Memory Attacks. A particularly devastating side-channel attack against cryptosystems, termed the “memory attack”, was proposed recently. In this attack, a significant fraction of the bits of a secret key of a cryptographic algorithm can be measured by an adversary if the secret key is ever stored in a part of memory which can be accessed even after power has been turned off for a short amount of time. Such an attack has been shown to completely compromise the security of various cryptosystems in use, including the RSA cryptosystem and AES. We show that the public-key encryption scheme of Regev (STOC 2005), and the identity-based encryption scheme of Gentry, Peikert and Vaikuntanathan (STOC 2008) are remarkably robust against memory attacks where the adversary can measure a large fraction of the bits of the secret-key, or more generally, can compute an arbitrary function of the secret-key of bounded output length. This is done without increasing the size of the secret-key, and without introducing any
Group Signatures: Better Efficiency and New Theoretical Aspects
- In proceedings of SCN '04, LNCS series, 2005
Cited by 35 (6 self)
A group signature scheme allows members of a group to sign messages anonymously. To counter misuse, the so-called group manager can revoke the anonymity.
A length-flexible threshold cryptosystem with applications
- In proceedings of ACISP '03, LNCS series, 2003
A Generalization of Paillier's Public-Key System with Applications to Electronic Voting
- P Y A RYAN, 2003
Cited by 17 (1 self)
We propose a generalization of Paillier's probabilistic public key system, in which the expansion factor is reduced and which allows to adjust the block length of the scheme even after the public key has been fixed, without losing the homomorphic property. We show that the generalization is as secure as Paillier's original system and propose several ways to optimize implementations of both the generalized and the original scheme. We construct
Extensions to the Paillier Cryptosystem with Applications to Cryptological Protocols
- 2003
Cited by 10 (0 self)
The main contribution of this thesis is a simplification, a generalization and some modifications of the homomorphic cryptosystem proposed by Paillier in 1999, and several cryptological protocols that follow from these changes. The Paillier
An Efficient Pseudo-Random Generator with Applications to Public-Key Encryption and Constant-Round Multiparty Computation
- 2001
Cited by 3 (0 self)
We present a pseudo-random bit generator expanding a uniformly random bitstring r of length k/2, where k is the security parameter, into a pseudo-random bit-string of length 2k - log_2(k) using one modular exponentiation. In contrast to all previous high expansion-rate pseudo-random bit generators, no hashing is necessary. The security of the generator is proved relative to Paillier's composite degree residuosity assumption. As a first application of our pseudo-random bit generator we exploit its efficiency to optimise Paillier's crypto-system by a factor of (at least) 2 in both running time and usage of random bits. We then exploit the algebraic properties of the generator to construct an efficient protocol for secure constant-round multiparty function evaluation in the cryptographic setting. This construction gives an improvement in communication complexity over previous protocols in the order of nk², where n is the number of participants and k is the security parameter, resulting in a communication complexity of O(nk² |C|) bits, where C is a Boolean circuit computing the function in question.
On the relation between the standard phase--field model and a "thermodynamically consistent" phase-- field model
- Physica D, 1993
Cited by 3 (0 self)
We present a simple to implement and efficient pseudorandom generator based on the factoring assumption. It outputs more than pn/2 pseudorandom bits per p exponentiations, each with the same base and an exponent shorter than n/2 bits. Our generator is based on results by Håstad, Schrift and Shamir [HSS93], but unlike their generator and its improvement by Goldreich and Rosen [GR00], it does not use hashing or extractors, and is thus simpler and somewhat more efficient. In addition, we present a general technique that can be used to speed up pseudorandom generators based on iterating one-way permutations. We construct our generator by applying this technique to results of [HSS93]. We also show how the generator given by Gennaro [Gen00] can be simply derived from results of Patel and Sundaram [PS98] using our technique.
On the Provable Security of an Efficient RSA-Based Pseudorandom Generator
- Advances in Cryptology – Asiacrypt 2006, Lecture Notes in Computer Science, 2006
Cited by 3 (0 self)
Pseudorandom Generators (PRGs) based on the RSA inversion (one-wayness) problem have been extensively studied in the literature over the last 25 years. These generators have the attractive feature of provable pseudorandomness security assuming the hardness of the RSA inversion problem. However, despite extensive study, the most efficient provably secure RSA-based generators output asymptotically only at most O(log n) bits per multiply modulo an RSA modulus of bitlength n, and hence are too slow to be used in many practical applications.
Efficient Primitives from Exponentiation in Z_p
- 2006
Cited by 1 (0 self)
Since Diffie-Hellman [14], many secure systems, based on discrete logarithm or Diffie-Hellman assumption in Z_p, were introduced in the literature. In this work, we investigate the possibility to construct efficient primitives from exponentiation techniques over Z_p. Consequently, we propose a new pseudorandom generator, where its security is proven under the decisional Diffie-Hellman assumption. Our generator is the most efficient among all generators from Z*_p that are provably secure under standard assumptions. If an appropriate precomputation is allowed, our generator can produce O(log log p) bits per modular multiplication. This is the best possible result in...
A Verifiable Secret Shuffle of the Paillier's Encryption Scheme
- 2004
Abstract. In this paper, we propose a zero-knowledge proof scheme of shuffle. Unlike the previous schemes [3, 6], our scheme can be used as the shuffle of the elements that are encrypted from Paillier's cryptosystem. The Paillier's encryption scheme has an additive homomorphic property. The ElGamal cryptosystem, used in the previous works [3, 6], does not have this property.
Keywords: Paillier's encryption, Zero-knowledge proof, Shuffle
1 Introduction. Mix-nets have important applications in situations which require anonymity, e.g., voting. A mix-net is a secure channel that consists of servers to shuffle a number of elements such as encrypted ballots so that each output decryption cannot be linked to any of the input encryptions.

