Malleable Signatures: Complex Unary Transformations and Delegatable Anonymous Credentials
2013
Abstract

Cited by 7 (3 self)
A signature scheme is malleable if, on input a message m and a signature σ, it is possible to efficiently compute a signature σ′ on a related message m′ = T(m), for a transformation T that is allowable with respect to this signature scheme. Previous work considered various useful flavors of allowable transformations, such as quoting and sanitizing messages. In this paper, we explore a connection between malleable signatures and anonymous credentials, and give the following contributions:
• We define and construct malleable signatures for a broad category of allowable transformation classes, with security properties that are stronger than those that have been achieved previously. Our construction of malleable signatures is generically based on malleable zero-knowledge proofs, and we show how to instantiate it under the Decision Linear assumption.
• We construct delegatable anonymous credentials from signatures that are malleable with respect to an appropriate class of transformations; we also show that our construction of malleable signatures works for this class of transformations. The resulting concrete instantiation is the first to achieve security under a standard assumption (Decision Linear) while also scaling linearly with the number of delegations.
Succinct Malleable NIZKs and an Application to Compact Shuffles
2012
Abstract

Cited by 7 (6 self)
Depending on the application, malleability in cryptography can be viewed as either a flaw or — especially if sufficiently understood and restricted — a feature. In this vein, Chase, Kohlweiss, Lysyanskaya, and Meiklejohn recently defined malleable zero-knowledge proofs, and showed how to control the set of allowable transformations on proofs. As an application, they construct the first compact verifiable shuffle, in which one such controlled-malleable proof suffices to prove the correctness of an entire multi-step shuffle. Despite these initial steps, a number of natural open problems remain: (1) their construction of controlled-malleable proofs relies on the inherent malleability of Groth-Sahai proofs and is thus not based on generic primitives; (2) the classes of allowable transformations they can support are somewhat restrictive; and (3) their construction of a compactly verifiable shuffle has proof size O(N² + L) (where N is the number of votes and L is the number of mix authorities), whereas in theory such a proof could be of size O(N + L). In this paper, we address these open problems by providing a generic construction of controlled-malleable proofs using succinct non-interactive arguments of knowledge, or SNARGs for short. Our construction has the advantage that we can support a very general class of transformations (as we no longer rely on the transformations that Groth-Sahai proofs can support), and that we can use it to obtain a proof of size O(N + L) for the compactly verifiable shuffle.
A comprehensive analysis of game-based ballot privacy definitions
In 2015 IEEE Symposium on Security and Privacy, SP 2015
Abstract

Cited by 4 (1 self)
We critically survey game-based security definitions for the privacy of voting schemes. In addition to known limitations, we unveil several previously unnoticed shortcomings. Surprisingly, the conclusion of our study is that none of the existing definitions is satisfactory: they either provide only weak guarantees, or can be applied only to a limited class of schemes, or both. Based on our findings, we propose a new game-based definition of privacy which we call BPRIV. We also identify a new property which we call strong consistency, needed to express that tallying does not leak sensitive information. We validate our security notions by showing that BPRIV, strong consistency (and an additional simple property called strong correctness) for a voting scheme imply its security in a simulation-based sense. This result also yields a proof technique for proving entropy-based notions of privacy which offer the strongest security guarantees but are hard to prove directly: first prove your scheme BPRIV, strongly consistent (and correct), then study the entropy-based privacy of the result function of the election, which is a much easier task.
SoK: A comprehensive analysis of game-based ballot privacy definitions
Abstract
We critically survey game-based security definitions for the privacy of voting schemes. In addition to known limitations, we unveil several previously unnoticed shortcomings. Surprisingly, the conclusion of our study is that none of the existing definitions is satisfactory: they either provide only weak guarantees, or can be applied only to a limited class of schemes, or both. Based on our findings, we propose a new game-based definition of privacy which we call BPRIV. We also identify a new property which we call strong consistency, needed to express that tallying does not leak sensitive information. We validate our security notions by showing that BPRIV, strong consistency (and an additional simple property called strong correctness) for a voting scheme imply its security in a simulation-based sense. This result also yields a proof technique for proving entropy-based notions of privacy which offer the strongest security guarantees but are hard to prove directly: first prove your scheme BPRIV, strongly consistent (and correct), then study the entropy-based privacy of the result function of the election, which is a much easier task.