Results 1  10
of
167
Publickey cryptosystems based on composite degree residuosity classes
 IN ADVANCES IN CRYPTOLOGY — EUROCRYPT 1999
, 1999
"... Abstract. This paper investigates a novel computational problem, namely the Composite Residuosity Class Problem, and its applications to publickey cryptography. We propose a new trapdoor mechanism and derive from this technique three encryption schemes: a trapdoor permutation and two homomorphic pr ..."
Abstract

Cited by 614 (6 self)
 Add to MetaCart
Abstract. This paper investigates a novel computational problem, namely the Composite Residuosity Class Problem, and its applications to publickey cryptography. We propose a new trapdoor mechanism and derive from this technique three encryption schemes: a trapdoor permutation and two homomorphic probabilistic encryption schemes computationally comparable to RSA. Our cryptosystems, based on usual modular arithmetics, are provably secure under appropriate assumptions in the standard model. 1
Fully homomorphic encryption using ideal lattices
 In Proc. STOC
, 2009
"... We propose a fully homomorphic encryption scheme – i.e., a scheme that allows one to evaluate circuits over encrypted data without being able to decrypt. Our solution comes in three steps. First, we provide a general result – that, to construct an encryption scheme that permits evaluation of arbitra ..."
Abstract

Cited by 267 (11 self)
 Add to MetaCart
We propose a fully homomorphic encryption scheme – i.e., a scheme that allows one to evaluate circuits over encrypted data without being able to decrypt. Our solution comes in three steps. First, we provide a general result – that, to construct an encryption scheme that permits evaluation of arbitrary circuits, it suffices to construct an encryption scheme that can evaluate (slightly augmented versions of) its own decryption circuit; we call a scheme that can evaluate its (augmented) decryption circuit bootstrappable. Next, we describe a public key encryption scheme using ideal lattices that is almost bootstrappable. Latticebased cryptosystems typically have decryption algorithms with low circuit complexity, often dominated by an inner product computation that is in NC1. Also, ideal lattices provide both additive and multiplicative homomorphisms (modulo a publickey ideal in a polynomial ring that is represented as a lattice), as needed to evaluate general circuits. Unfortunately, our initial scheme is not quite bootstrappable – i.e., the depth that the scheme can correctly evaluate can be logarithmic in the lattice dimension, just like the depth of the decryption circuit, but the latter is greater than the former. In the final step, we show how to modify the scheme to reduce the depth of the decryption circuit, and thereby obtain a bootstrappable encryption scheme, without reducing the depth that the scheme can evaluate. Abstractly, we accomplish this by enabling the encrypter to start the decryption process, leaving less work for the decrypter, much like the server leaves less work for the decrypter in a serveraided cryptosystem.
A Secure and Optimally Efficient MultiAuthority Election Scheme
, 1997
"... Abstract. In this paper we present a new multiauthority secretballot election scheme that guarantees privacy, universal verifiability, and robustness. It is the first scheme for which the performance is optimal in the sense that time and communication complexity is minimal both for the individual ..."
Abstract

Cited by 217 (6 self)
 Add to MetaCart
Abstract. In this paper we present a new multiauthority secretballot election scheme that guarantees privacy, universal verifiability, and robustness. It is the first scheme for which the performance is optimal in the sense that time and communication complexity is minimal both for the individual voters and the authorities. An interesting property of the scheme is that the time and communication complexity for the voter is independent of the number of authorities. A voter simply posts a single encrypted message accompanied by a compact proof that it contains a valid vote. Our result is complementary to the result by Cramer, Franklin, Schoenmakers, and Yung in the sense that in their scheme the work for voters is linear in the number of authorities but can be instantiated to yield informationtheoretic privacy, while in our scheme the voter’s effort is independent of the number of authorities but always provides computational privacyprotection. We will also point out that the majority of proposed voting schemes provide computational privacy only (often without even considering the lack of informationtheoretic privacy), and that our new scheme is by far superior to those schemes. 1
Limits on the Provable Consequences of Oneway Permutations
, 1989
"... We present strong evidence that the implication, "if oneway permutations exist, then secure secret key agreement is possible" is not provable by standard techniques. Since both sides of this implication are widely believed true in real life, to show that the implication is false requires a new m ..."
Abstract

Cited by 162 (0 self)
 Add to MetaCart
We present strong evidence that the implication, "if oneway permutations exist, then secure secret key agreement is possible" is not provable by standard techniques. Since both sides of this implication are widely believed true in real life, to show that the implication is false requires a new model. We consider a world where dl parties have access to a black box or a randomly selected permutation. Being totally random, this permutation will be strongly oneway in provable, informationthevretic way. We show that, if P = NP, no protocol for secret key agreement is secure in such setting. Thus, to prove that a secret key greement protocol which uses a oneway permutation as a black box is secure is as hrd as proving F NP. We also obtain, as corollary, that there is an oracle relative to which the implication is false, i.e., there is a oneway permutation, yet secretexchange is impossible. Thus, no technique which relativizes can prove that secret exchange can be based on any oneway permutation. Our results present a general framework for proving statements of the form, "Cryptographic application X is not likely possible based solely on complexity assumption Y." 1
Evaluating 2dnf formulas on ciphertexts
 In proceedings of TCC ’05, LNCS series
, 2005
"... Abstract. Let ψ be a 2DNF formula on boolean variables x1,..., xn ∈ {0, 1}. We present a homomorphic public key encryption scheme that allows the public evaluation of ψ given an encryption of the variables x1,..., xn. In other words, given the encryption of the bits x1,..., xn, anyone can create th ..."
Abstract

Cited by 143 (6 self)
 Add to MetaCart
Abstract. Let ψ be a 2DNF formula on boolean variables x1,..., xn ∈ {0, 1}. We present a homomorphic public key encryption scheme that allows the public evaluation of ψ given an encryption of the variables x1,..., xn. In other words, given the encryption of the bits x1,..., xn, anyone can create the encryption of ψ(x1,..., xn). More generally, we can evaluate quadratic multivariate polynomials on ciphertexts provided the resulting value falls within a small set. We present a number of applications of the system: 1. In a database of size n, the total communication in the basic step of the KushilevitzOstrovsky PIR protocol is reduced from √ n to 3 √ n. 2. An efficient election system based on homomorphic encryption where voters do not need to include noninteractive zero knowledge proofs that their ballots are valid. The election system is proved secure without random oracles but still efficient. 3. A protocol for universally verifiable computation. 1
Designated Verifier Proofs and Their Applications
, 1996
"... For many proofs of knowledge it is important that only the verifier designated by the confirmer can obtain any conviction of the correctness of the proof. A good example of such a situation is for undeniable signatures, where the confirmer of a signature wants to make sure that only the intended ver ..."
Abstract

Cited by 134 (5 self)
 Add to MetaCart
For many proofs of knowledge it is important that only the verifier designated by the confirmer can obtain any conviction of the correctness of the proof. A good example of such a situation is for undeniable signatures, where the confirmer of a signature wants to make sure that only the intended verifier(s) in fact can be convinced about the validity or invalidity of the signature. Generally, authentication of messages and offtherecord messages are in conflict with each other. We show how, using designation of verifiers, these notions can be combined, allowing authenticated but private conversations to take place. Our solution guarantees that only the specified verifier can be convinced by the proof, even if he shares all his secret information with entities that want to get convinced. Our solution is based on trapdoor commitments [4], allowing the designated verifier to open up commitments in any way he wants. We demonstrate how a trapdoor commitment scheme can be used to constr...
ReceiptFree Electronic Voting Schemes for Large Scale Elections
, 1997
"... This paper proposes practical receiptfree voting schemes which are suitable for (nation wide) large scale elections. One of the proposed scheme requires the help of the voting commission, and needs a physical assumption, the existence of an untappable channel. The other scheme does not require the ..."
Abstract

Cited by 79 (0 self)
 Add to MetaCart
This paper proposes practical receiptfree voting schemes which are suitable for (nation wide) large scale elections. One of the proposed scheme requires the help of the voting commission, and needs a physical assumption, the existence of an untappable channel. The other scheme does not require the help of the commission, but needs a stronger physical assumption, the existence of a voting booth. We define receiptfreeness, and prove that the proposed schemes satisfy receiptfreeness under such physical assumptions. 1 Introduction Various types of electronic secret voting schemes have been proposed in the last ten years [BGW88, BT94, CCD88, CFSY96, Cha88, FOO92, GMW87, Ive92, JSI96, Oka96, SK94, SK95], and recently receiptfree voting schemes are attracting many researchers [BT94, JSI96, Oka96, SK95]. The receiptfree property means that voting system generates no receipt (evidence) of whom a voter voted for, where the receipt of a vote, which proves that a voter has voted for a candid...
Practical MultiCandidate Election System
 In PODC
, 2001
"... The aim of electronic voting schemes is to provide a set of protocols that allow voters to cast ballots while a group of authorities collect the votes and output the final tally. In this paper we describe a practical multicandidate election scheme that guarantees privacy of voters, public verifi ..."
Abstract

Cited by 77 (7 self)
 Add to MetaCart
The aim of electronic voting schemes is to provide a set of protocols that allow voters to cast ballots while a group of authorities collect the votes and output the final tally. In this paper we describe a practical multicandidate election scheme that guarantees privacy of voters, public verifiability, and robustness against a coalition of malicious authorities. Furthermore, we address the problem of receiptfreeness and incoercibility of voters. Our new scheme is based on the Paillier cryptosystem and on some related zeroknowledge proof techniques. The voting schemes are very practical and can be efficiently implemented in a real system. Keywords: Homomorphic cryptosystems, HighResiduosity Assumption, Practical Voting scheme, threshold cryptography 1
Sharing decryption in the context of voting or lotteries
, 2000
"... Several public key cryptosystems with additional homomorphic properties have been proposed so far. They allow to perform computation with encrypted data without the knowledge of any secret information. In many applications, the ability to perform decryption, i.e. the knowledge of the secret key, giv ..."
Abstract

Cited by 72 (6 self)
 Add to MetaCart
Several public key cryptosystems with additional homomorphic properties have been proposed so far. They allow to perform computation with encrypted data without the knowledge of any secret information. In many applications, the ability to perform decryption, i.e. the knowledge of the secret key, gives a huge power. A classical way to reduce the trust in such a secret owner, and consequently to increase the security, is to share the secret between many entities in such a way that cooperation between them is necessary to decrypt. In this paper, we propose a distributed version of the Paillier cryptosystem presented at Eurocrypt ’99. This shared scheme can for example be used in an electronic voting scheme or in a lottery where a random number related to the winning ticket has to be jointly chosen by all participants.
Verifying privacytype properties of electronic voting protocols
"... Electronic voting promises the possibility of a convenient, efficient and secure facility for recording and tallying votes in an election. Recently highlighted inadequacies of implemented systems have demonstrated the importance of formally verifying the underlying voting protocols. We study three p ..."
Abstract

Cited by 62 (34 self)
 Add to MetaCart
Electronic voting promises the possibility of a convenient, efficient and secure facility for recording and tallying votes in an election. Recently highlighted inadequacies of implemented systems have demonstrated the importance of formally verifying the underlying voting protocols. We study three privacytype properties of electronic voting protocols: in increasing order of strength, they are voteprivacy, receiptfreeness, and coercionresistance. We use the applied pi calculus, a formalism well adapted to modelling such protocols, which has the advantages of being based on wellunderstood concepts. The privacytype properties are expressed using observational equivalence and we show in accordance with intuition that coercionresistance implies receiptfreeness, which implies voteprivacy. We illustrate our definitions on three electronic voting protocols from the literature. Ideally, these three properties should hold even if the election officials are corrupt. However, protocols that were designed to satisfy receiptfreeness or coercionresistance may not do so in the presence of corrupt officials. Our model and definitions allow us to specify and easily change which authorities are supposed to be trustworthy.