Results 1-10 of 55

On the security of joint signature and encryption. 2002.
Cited by 154 (6 self)
We formally study the notion of a joint signature and encryption in the public-key setting. We refer to this primitive as signcryption, adapting the terminology of [35]. We present two definitions for the security of signcryption depending on whether the adversary is an outsider or a legal user of the system. We then examine generic sequential composition methods of building signcryption from a signature and encryption scheme. Contrary to what recent results in the symmetric setting [5, 22] might lead one to expect, we show that classical “encrypt-then-sign” (EtS) and “sign-then-encrypt” (StE) methods are both secure composition methods in the public-key setting. We also present a new composition method which we call “commit-then-encrypt-and-sign” (CtE&S). Unlike the generic sequential composition methods, CtE&S applies the expensive signature and encryption operations in parallel, which could imply a gain in efficiency over the StE and EtS schemes. We also show that the new CtE&S method elegantly combines with the recent “hash-sign-switch” technique of [30], leading to efficient online/offline signcryption. Finally and of independent interest, we discuss the definitional inadequacy of the standard notion of chosen ciphertext (CCA2) security. We suggest a natural and very slight relaxation of CCA2-security, which we call generalized CCA2-security (gCCA2). We show that gCCA2-security suffices for all known uses of CCA2-secure encryption, while no longer suffering from the definitional shortcomings of the latter.

Using Hash Functions as a Hedge against Chosen Ciphertext Attack. 2000.
Cited by 73 (7 self)
The cryptosystem recently proposed by Cramer and Shoup [5] is a practical public key cryptosystem that is secure against adaptive chosen ciphertext attack provided the Decisional Diffie-Hellman assumption is true. Although this is a reasonable intractability assumption, it would be preferable to base a security proof on a weaker assumption, such as the Computational Diffie-Hellman assumption. Indeed, this cryptosystem in its most basic form is in fact insecure if the Decisional Diffie-Hellman assumption is false. In this paper we present a practical hybrid scheme that is just as efficient as the scheme of Cramer and Shoup; we prove that the scheme is secure if the Decisional Diffie-Hellman assumption is true; we give strong evidence that the scheme is secure if the weaker, Computational Diffie-Hellman assumption is true by providing a proof of security in the random oracle model.

Almost Entirely Correct Mixing with Applications to Voting. In ACM CCS ’02, 2002.
Cited by 43 (1 self)
In order to design an exceptionally efficient mix network, both asymptotically and in real terms, we develop the notion of almost entirely correct mixing, and propose a new mix network that is almost entirely correct. In our new mix, the real cost of proving correctness is orders of magnitude faster than all other mix nets. The tradeoff is that our mix only guarantees "almost entirely correct" mixing, i.e. it guarantees that the mix network processed correctly all inputs with high (but not overwhelming) probability. We use a new technique for verifying correctness. This new technique consists of computing the product of a random subset of the inputs to a mix server, then requiring the mix server to produce a subset of the outputs of equal product. Our new mix net is of particular value for electronic voting, where a guarantee of almost entirely correct mixing may well be sufficient to announce instantly the result of a large election. The correctness of the result can later be verified beyond a doubt using any one of a number of much slower proofs of perfect-correctness, without having to mix the ballots again.

Security of Signed ElGamal Encryption. In Asiacrypt ’2000, LNCS 1976, 2000.
Cited by 42 (3 self)
Assuming a cryptographically strong cyclic group G of prime order q and a random hash function H, we show that ElGamal encryption with an added Schnorr signature is secure against the adaptive chosen ciphertext attack, in which an attacker can freely use a decryption oracle except for the target ciphertext. We also prove security against the novel one-more-decryption attack. Our security proofs are in a new model, corresponding to a combination of two previously introduced models, the Random Oracle model and the Generic model. The security extends to the distributed threshold version of the scheme. Moreover, we propose a very practical scheme for private information retrieval that is based on blind decryption of ElGamal ciphertexts.
1 Introduction and Summary
We analyse a very practical public key cryptosystem in terms of its security against the strong adaptive chosen ciphertext attack (CCA) of [RS92], in which an attacker can access a decryption oracle on arbitrary ciphertexts (ex...

Optimistic Mixing for Exit-Polls. Asiacrypt 2002, LNCS 2501, 2002.
Cited by 40 (3 self)
We propose a new mix network that is optimized to produce a correct output very fast when all mix servers execute the mixing protocol correctly (the usual case). Our mix network only produces an output if no server cheats. However, in the rare case when one or several mix servers cheat, we convert the inputs to a format that allows "backup" mixing. This backup mixing can be implemented using any one of a wide array of already proposed (but slower) mix networks. When all goes well, our mix net is the fastest, both in real terms and asymptotically, of all those that offer standard guarantees of privacy and correctness. In practice, this benefit far outweighs the drawback of a comparatively complex procedure to recover from cheating. Our new mix is ideally suited to compute almost instantly the output of electronic elections, whence the name "exit-poll" mixing.

Attacking and fixing Helios: An analysis of ballot secrecy. 2010.
Cited by 36 (16 self)
Helios 2.0 is an open-source web-based end-to-end verifiable electronic voting system, suitable for use in low-coercion environments. In this paper, we analyse ballot secrecy and discover a vulnerability which allows an adversary to compromise the privacy of voters. This vulnerability has been successfully exploited to break privacy in a mock election using the current Helios implementation. Moreover, the feasibility of an attack is considered in the context of French legislative elections and, based upon our findings, we believe it constitutes a real threat to ballot secrecy in such settings. Finally, we present a fix and show that our solution satisfies a formal definition of ballot secrecy using the applied pi calculus.

How Not to Prove Yourself: Pitfalls of the Fiat-Shamir Heuristic and Applications to Helios. In ASIACRYPT 2012, number 7658 in LNCS.
Cited by 22 (7 self)
The Fiat-Shamir transformation is the most efficient construction of non-interactive zero-knowledge proofs. This paper is concerned with two variants of the transformation that appear but have not been clearly delineated in existing literature. Both variants start with the prover making a commitment. The strong variant then hashes both the commitment and the statement to be proved, whereas the weak variant hashes only the commitment. This minor change yields dramatically different security guarantees: in situations where malicious provers can select their statements adaptively, the weak Fiat-Shamir transformation yields unsound/unextractable proofs. Yet such settings naturally occur in systems when zero-knowledge proofs are used to enforce honest behavior. We illustrate this point by showing that the use of the weak Fiat-Shamir transformation in the Helios cryptographic voting system leads to several possible security breaches: for some standard types of elections, under plausible circumstances, malicious parties can cause the tallying procedure to run indefinitely and even tamper with the result of the election. On the positive side, we define a form of adaptive security for zero-knowledge proofs in the random oracle model (essentially simulation-sound extractability), and show that a variant which we call strong Fiat-Shamir yields secure non-interactive proofs. This level of security was assumed in previous works on Helios and our results are then necessary for these analyses to be valid. Additionally, we show that strong proofs in Helios achieve non-malleable encryption and satisfy ballot privacy, improving on previous results that required CCA security.
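The weak/strong distinction in the abstract above, worked through as an added example (this is not code from the paper or from Helios): a Schnorr proof of knowledge of a discrete log in a toy safe-prime group, with an honest prover, a verifier that recomputes the challenge either way, and a malicious prover that fixes its commitment and response first and only then chooses the statement. The group search, the 32-byte hash encoding, the 64-bit group size (chosen for speed, not security) and all function names are this example's own assumptions.

```python
"""Weak vs strong Fiat-Shamir on a Schnorr proof of knowledge of a discrete log.

Statement: y = g^x in the order-q subgroup of Z_p^*.  The prover commits to
a = g^r, receives challenge c, answers s = r + c*x mod q; the verifier checks
g^s == a * y^c.  Weak FS sets c = H(a); strong FS sets c = H(y, a).
"""
import hashlib
import random


def _is_probable_prime(n, rng, rounds=16):
    """Miller-Rabin primality test; sufficient for a demo-sized group."""
    if n < 2:
        return False
    for small in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % small == 0:
            return n == small
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = rng.randrange(2, n - 1)
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True


def make_group(bits=64, seed=1):
    """Seeded search for a safe prime p = 2q + 1 (assumed toy parameters).
    g = 4 = 2^2 is a square, so its order divides the prime q and equals q."""
    rng = random.Random(seed)
    while True:
        q = rng.getrandbits(bits) | (1 << (bits - 1)) | 1
        if _is_probable_prime(q, rng) and _is_probable_prime(2 * q + 1, rng):
            return 2 * q + 1, q, 4


def _challenge(q, *parts):
    """c = SHA-256(parts) mod q with each part as a fixed-width 32-byte integer,
    so H(a) and H(y, a) are hashes of different byte strings."""
    h = hashlib.sha256()
    for v in parts:
        h.update(v.to_bytes(32, "big"))
    return int.from_bytes(h.digest(), "big") % q


def prove(group, x, weak=False, rng=random):
    """Honest prover for y = g^x. Returns (y, (a, s))."""
    p, q, g = group
    y = pow(g, x, p)
    r = rng.randrange(1, q)
    a = pow(g, r, p)
    c = _challenge(q, a) if weak else _challenge(q, y, a)
    return y, (a, (r + c * x) % q)


def verify(group, y, proof, weak=False):
    """Check g^s == a * y^c, recomputing c with the weak or the strong hash."""
    p, q, g = group
    a, s = proof
    c = _challenge(q, a) if weak else _challenge(q, y, a)
    return pow(g, s, p) == a * pow(y, c, p) % p


def forge_weak(group, rng=random):
    """Malicious prover against weak FS: pick a and s first, read off c = H(a)
    (which ignores the statement), then solve g^s == a * y^c for y.
    The result is an accepting transcript for a y whose discrete log is unknown."""
    p, q, g = group
    while True:
        a = pow(g, rng.randrange(1, q), p)
        c = _challenge(q, a)
        if c:  # c must be invertible mod q; c == 0 happens with probability 1/q
            break
    s = rng.randrange(q)
    target = pow(g, s, p) * pow(a, -1, p) % p  # this must equal y^c
    y = pow(target, pow(c, -1, q), p)          # c-th root exists because the group has order q
    return y, (a, s)


if __name__ == "__main__":
    G = make_group()
    y, pi = prove(G, 0xC0FFEE)
    print("honest strong proof verifies:", verify(G, y, pi))
    y_f, pi_f = forge_weak(G)
    print("forged proof passes weak check:", verify(G, y_f, pi_f, weak=True))
    print("forged proof passes strong check:", verify(G, y_f, pi_f))
```

The forgery is possible only because the weak challenge is fixed before the statement is: the prover can solve for y after seeing c. Under strong FS the challenge is a function of y, so y has to exist before c does and the same transcript fails the strong check. This is the adaptive-statement setting the abstract refers to; any protocol whose proofs are meant to constrain a party's own (freely chosen) ciphertexts or public values needs the statement inside the hash.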

Accumulating composites and improved group signing. Proceedings of Asiacrypt 2003, volume 2894 of LNCS, 2003.
Cited by 21 (1 self)
Constructing practical and provably secure group signature schemes has been a very active research topic in recent years. A group signature can be viewed as a digital signature with certain extra properties. Notably, anyone can verify that a signature is generated by a legitimate group member, while the actual signer can only be identified (and linked) by a designated entity called a group manager. Currently, the most efficient group signature scheme available is due to Camenisch and Lysyanskaya [CL02]. It is obtained by integrating a novel dynamic accumulator with the scheme by Ateniese, et al. [ACJT00]. In this paper, we construct a dynamic accumulator that accumulates composites, as opposed to previous accumulators that accumulated primes. We also present an efficient method for proving knowledge of factorization of a committed value. Based on these (and other) techniques we design a novel provably secure group signature scheme. It operates in the common auxiliary string model and offers two important benefits: 1) the Join process is very efficient: a new member computes only a single exponentiation, and 2) the (unoptimized) cost of generating a group signature is 17 exponentiations which is appreciably less than the state-of-the-art.

Secure Length-saving ElGamal Encryption under the Computational Diffie-Hellman Assumption. In Proc. 5th Australian Conference on Information, Security, and Privacy, 2000.
Cited by 14 (2 self)
A design of secure and efficient public key encryption schemes under weaker computational assumptions has been regarded as an important and challenging task. As far as the ElGamal-type encryption is concerned, some variants of the original ElGamal encryption scheme whose security depends on weaker computational assumptions have been proposed: Although the security of the original ElGamal encryption is based on the decisional Diffie-Hellman assumption (DDHA), the security of a recent scheme, such as Pointcheval's ElGamal encryption variant, is based on the weaker assumption, the computational Diffie-Hellman assumption (CDHA). In this paper, we propose a length-saving ElGamal encryption variant whose security is based on CDHA and analyze its security in the random oracle model. The proposed scheme is length-efficient, providing a shorter ciphertext than that of Pointcheval's scheme, and is provably secure against the chosen-ciphertext attack.

Policy-hiding access control in open environment. In Proceedings of the 24th ACM Symposium on Principles of Distributed Computing, 2005.
Cited by 10 (5 self)
In trust management and attribute-based access control systems, access control decisions are based on the attributes (rather than the identity) of the requester: Access is granted if Alice’s attributes in her certificates satisfy Bob’s access control policy. In this paper, we develop a policy-hiding access control scheme that protects both sensitive attributes and sensitive policies. That is, Bob can decide whether Alice’s certified attribute values satisfy Bob’s policy, without Bob learning any other information about Alice’s attribute values or Alice learning Bob’s policy. To enable policy-hiding access control, we introduce the notion of certified input private policy evaluation. Our construction uses Yao’s scrambled circuit protocol and two new techniques introduced in this paper. One novel technique is constructing circuits with uniform topology that can compute arbitrary functions in a family. The other technique is committed-integer based oblivious transfer.