Results 1 - 10 of 45
Universal Reencryption for Mixnets
In Proceedings of the 2004 RSA Conference, Cryptographer’s Track, 2002
Cited by 112 (10 self)
We introduce a new cryptographic technique that we call universal reencryption. A conventional cryptosystem that permits reencryption, such as ElGamal, does so only for a player with knowledge of the public key corresponding to a given ciphertext. In contrast, universal reencryption can be done without knowledge of public keys. We propose an asymmetric cryptosystem with universal reencryption that is half as efficient as standard ElGamal in terms of computation and storage. While
Almost Entirely Correct Mixing with Applications to Voting
In ACM CCS ’02, 2002
Cited by 44 (1 self)
In order to design an exceptionally efficient mix network, both asymptotically and in real terms, we develop the notion of almost entirely correct mixing, and propose a new mix network that is almost entirely correct. In our new mix, the real cost of proving correctness is orders of magnitude faster than all other mix nets. The tradeoff is that our mix only guarantees "almost entirely correct" mixing, i.e., it guarantees that the mix network processed correctly all inputs with high (but not overwhelming) probability. We use a new technique for verifying correctness. This new technique consists of computing the product of a random subset of the inputs to a mix server, then require the mix server to produce a subset of the outputs of equal product. Our new mix net is of particular value for electronic voting, where a guarantee of almost entirely correct mixing may well be sufficient to announce instantly the result of a large election. The correctness of the result can later be verified beyond a doubt using any one of a number of much slower proofs of perfect correctness, without having to mix the ballots again.
Optimistic Mixing for Exit-Polls
Asiacrypt 2002, LNCS 2501, 2002
Cited by 41 (3 self)
We propose a new mix network that is optimized to produce a correct output very fast when all mix servers execute the mixing protocol correctly (the usual case). Our mix network only produces an output if no server cheats. However, in the rare case when one or several mix servers cheat, we convert the inputs to a format that allows "backup" mixing. This backup mixing can be implemented using any one of a wide array of already proposed (but slower) mix networks. When all goes well, our mix net is the fastest, both in real terms and asymptotically, of all those that offer standard guarantees of privacy and correctness. In practice, this benefit far outweighs the drawback of a comparatively complex procedure to recover from cheating. Our new mix is ideally suited to compute almost instantly the output of electronic elections, whence the name "exit-poll" mixing.
A length-flexible threshold cryptosystem with applications
In Proceedings of ACISP ’03, LNCS Series, 2003
A universally composable mix-net.
TCC 2004, LNCS, 2004
Cited by 30 (5 self)
Abstract. A mix-net is a cryptographic protocol executed by a set of mix-servers that provides anonymity for a group of senders. The main application is electronic voting. Numerous mix-net constructions and stand-alone definitions of security are proposed in the literature, but only partial proofs of security are given for most constructions and no construction has been proved secure with regards to any kind of composition. We define an ideal mix-net in the universally composable security framework of Canetti
A Survey of Anonymous Communication Channels
Journal of Privacy Technology
Cited by 27 (5 self)
We present an overview of the field of anonymous communications, from its establishment in 1981 from David Chaum to today. Key systems are presented categorized according to their underlying principles: semi-trusted relays, mix systems, remailers, onion routing, and systems to provide robust mixing. We include extended discussions of the threat models and usage models that different schemes provide, and the tradeoffs between the security properties offered and the communication characteristics different systems support.
A mix route algorithm for mixnet in wireless ad hoc networks
In Proceedings of IEEE Mobile Sensor and Adhoc and Sensor Systems, 2004
Cited by 19 (0 self)
Providing anonymous connection service in mobile ad hoc networks is a challenging task. In addition to security concern, performance concern must be addressed properly as well. Chaum’s Mix method [4] can effectively thwart an adversary’s attempt of tracing packet routes and hide source and/or destination of packets. However, applying the Mix method in ad hoc networks may cause significant performance degradation due to its non-adaptive Mix route selection algorithm. We propose a dynamic Mix route algorithm to find topology-dependent Mix routes for anonymous connections. Its effectiveness in improving network performance is validated by simulation results. We also address the potential degradation of anonymity due to dynamic Mix route.
Electronic jury voting protocols
Latin American Theoretical INformatics, 2002
Cited by 13 (0 self)
This work stresses the fact that all current proposals for electronic voting schemes disclose the final tally of the votes. In certain situations, like jury voting, this may be undesirable. We present a robust and universally verifiable Membership Testing Scheme (MTS) that allows, among other things, a collection of voters to cast votes and determine whether their tally belongs to some prespecified small set (e.g., exceeds a given threshold); our scheme discloses no additional information than that implied from the knowledge of such membership. We discuss several extensions of our basic MTS. All the constructions presented combine features of two parallel lines of research concerning electronic voting schemes, those based on MIX-networks and in homomorphic encryption.
A Sender Verifiable Mix-Net and a New Proof of a Shuffle
2005
Cited by 12 (2 self)
We introduce the first El Gamal based mix-net in which each mix-server partially decrypts and permutes its input, i.e., no reencryption is necessary. An interesting property of the construction is that a sender can verify non-interactively that its message is processed correctly. We call this sender verifiability. The mix-net is provably UC-secure against static adversaries corrupting any minority of the mix-servers. The result holds under the decision Diffie-Hellman assumption, and assuming an ideal bulletin board and an ideal zero-knowledge proof of knowledge of a correct shuffle. Then we construct the first proof of a decryption-permutation shuffle, and show how this can be transformed into a zero-knowledge proof of knowledge in the UC-framework. The protocol is sound under the strong RSA-assumption and the discrete logarithm assumption. Our proof of a shuffle is not a variation of existing methods. It is based on a novel idea of independent interest, and we argue that it is at least as efficient as previous constructions.
Extensions to the Paillier Cryptosystem with Applications to Cryptological Protocols
2003
Cited by 12 (0 self)
The main contribution of this thesis is a simplification, a generalization and some modifications of the homomorphic cryptosystem proposed by Paillier in 1999, and several cryptological protocols that follow from these changes. The Paillier