### Citations

1006 | Public-Key Cryptosystems Based on Composite Degree Residuosity Classes
- Paillier
(Show Context)
Citation Context ...odel. The first one is due to Shi, Chan, Rieffel, Chow and Song [2011] and works in DDH groups. The second construction, due to Joye and Libert [2013], relies on the composite residuosity assumption [=-=Paillier 1999-=-]. These two schemes are reviewed in Appendix A. 3. A NEW DDH-BASED SCHEME As aforementioned, the security proof offered in [Shi et al. 2011] incurs an O(Tn3) degradation factor. The scheme in [Joye a... |

383 | The exact security of digital signatures: How to sign with rsa and rabin
- Bellare, Rogaway
- 1996
(Show Context)
Citation Context ...f is said tight when ε ≈ ε′ and loose otherwise. The tightness gap is measured by the ratio ε/ε′ and captures the security loss. This ratio is an important parameter as it defines the exact security [=-=Bellare and Rogaway 1996-=-; Bellare 1998] of a scheme. It quantifies the amount by which the security parameters defining the scheme need to be increased to accommodate the tightness gap. But as already pointed out in [Joye an... |

228 | Evaluating 2-dnf formulas on ciphertexts - Boneh, Goh, et al. - 2005 |

180 | Number theoretic constructions of efficient pseudorandom functions
- Naor, Reingold
- 1997
(Show Context)
Citation Context ...o generically obtain tighter security bounds. In instantiations based on specific assumptions (e.g., DDH), the random self-reducibility of underlying problems (e.g., [Abadi et al. 1989; Stadler 1996; =-=Naor and Reingold 1997-=-]) allows avoiding any dependency on qm in the reduction. 4.1.2. Smooth projective hash functions. Smooth projective hash functions (SPHFs) were introduced by Cramer and Shoup [2002] as a tool to cons... |

170 | Candidate indistinguishability obfuscation and functional encryption for all circuits.
- Garg, Gentry, et al.
- 2013
(Show Context)
Citation Context ...tional encryption [Goldwasser et al. 2014] imply non-interactive constructions of aggregator-oblivious encryption. However, due to their inevitable use of indistinguishability obfuscation candidates [=-=Garg et al. 2013-=-], they are really far from being practical and should only be seen as feasibility results. Many other settings than the one we consider have been studied in the literature. For example, the protocol ... |

146 | On Hiding Information from an Oracle,
- Abadi, Feigenbaum, et al.
- 1989
(Show Context)
Citation Context ...ss via the above game allows us to generically obtain tighter security bounds. In instantiations based on specific assumptions (e.g., DDH), the random self-reducibility of underlying problems (e.g., [=-=Abadi et al. 1989-=-; Stadler 1996; Naor and Reingold 1997]) allows avoiding any dependency on qm in the reduction. 4.1.2. Smooth projective hash functions. Smooth projective hash functions (SPHFs) were introduced by Cra... |

140 | Publicly verifiable secret sharing,”
- Stadler
- 1996
(Show Context)
Citation Context ...me allows us to generically obtain tighter security bounds. In instantiations based on specific assumptions (e.g., DDH), the random self-reducibility of underlying problems (e.g., [Abadi et al. 1989; =-=Stadler 1996-=-; Naor and Reingold 1997]) allows avoiding any dependency on qm in the reduction. 4.1.2. Smooth projective hash functions. Smooth projective hash functions (SPHFs) were introduced by Cramer and Shoup ... |

64 | Privacy-preserving Aggregation of Time-series Data
- Shi, Chan, et al.
- 2011
(Show Context)
Citation Context ...note that the billing issue is separate. In practice, smart meters report separately their monthly energy consumption to the energy provider. Related work. The above setting is the one considered in [=-=Shi et al. 2011-=-] and [Joye and Libert 2013]. Each smart meter encrypts its actual energy consumption and sends the result at regular intervals to an aggregator (that can be an entity different from the energy provid... |

32 |
Practice-oriented provable security
- Bellare
- 1998
(Show Context)
Citation Context ...′ and loose otherwise. The tightness gap is measured by the ratio ε/ε′ and captures the security loss. This ratio is an important parameter as it defines the exact security [Bellare and Rogaway 1996; =-=Bellare 1998-=-] of a scheme. It quantifies the amount by which the security parameters defining the scheme need to be increased to accommodate the tightness gap. But as already pointed out in [Joye and Libert 2013]... |

29 |
C.: I have a dream!: differentially private smart metering
- Ács, Castelluccia
- 2011
(Show Context)
Citation Context ...ise to their data prior to encryption Two other protocols in settings similar to the one of aggregator-oblivious encryption are the low-overhead protocol of [Kursawe et al. 2011] and the protocol of [=-=Ács and Castelluccia 2011-=-]. These protocols however have the drawback of requiring each smart meter to store as many keys as there are users, which can be impractical for a large set of smart meters. We also note that recent ... |

17 | An algebraic framework for Diffie-Hellman assumptions - Escala, Herold, et al. |

15 | Privacy-preserving stream aggregation with fault tolerance. Tech. rep., Full online technical report, http://eprint. iacr. org/2011/722. pdf
- Chan, Shi, et al.
- 2011
(Show Context)
Citation Context ...such a scheme is termed an aggregator-oblivious encryption scheme. Like [Shi et al. 2011] and [Joye and Libert 2013], all our schemes can serve as a building block for the fault tolerant solution of [=-=Chan et al. 2012-=-] while enjoying the benefits of our construction. In fact, all the extensions of [Shi et al. 2011] are also possible with our system. In particular, although the focus of this paper is put on the enc... |

14 | Fault-tolerant privacy-preserving statistics
- Jawurek, Kerschbaum
- 2012
(Show Context)
Citation Context ...al channels between the smart meters and the aggregator, while we only require a uni-directional channel from each smart meter to the aggregator. The protocols of [Leontiadis et al. 2014] as well as [=-=Jawurek and Kerschbaum 2012-=-] suppose the existence of an additional semi-trusted party, who cannot collude with the aggregator. In addition, in the second paper, the smart meter should be able to receive data from this third pa... |

12 | Yearly report on algorithms and keysizes - ECRYPT - 2012 |

7 | Feng-Hao Liu, Amit Sahai, Elaine Shi, and Hong-Sheng Zhou. Multiinput functional encryption. - Goldwasser, Gordon, et al. - 2014 |

7 | P.: How long does it take to catch a wild kangaroo
- Montenegro, Tetali
- 2009
(Show Context)
Citation Context ... of H(τ)/H1(τ)/H2(τ); c Computation of Vτ from (ci,τ ), excluding computation of H(τ)/H1(τ)/H2(τ); d Computation of Xτ from Vτ (we used a variant of the Pollard’s kangaroo (or λ) method described in [=-=Montenegro and Tetali 2009-=-]). 4. GENERALIZATION USING KEY-HOMOMORPHIC SMOOTH PROJECTIVE HASH FUNCTIONS In this section, we use the framework of key-homomorphic smooth projective hashing to generalize our DDH construction prese... |

6 |
A note on game-hopping proofs. Cryptology ePrint Archive, Report 2006/260
- Dent
- 2006
(Show Context)
Citation Context ...nc + 1 ( 1− 1 qenc + 1 )qenc ≥ 1 e (qenc + 1) , where e is the base for the natural logarithm. The transition from Game 0 to Game 1 is thus a transition based on a failure event of large probability [=-=Dent 2006-=-] and we therefore have Adv1 = Adv0 · Pr[¬E] ≥ Adv0/(e(qenc + 1)). 3In the proof, the output b′ ∈ {0, 1} of the adversary A is not directly the output of the game, but is first given to the challenger... |

4 | Privacy Technologies for Smart Grids - A Survey of Options
- Jawurek, Kerschbaum, et al.
- 2012
(Show Context)
Citation Context ...per, the smart meter should be able to receive data from this third party. For more information on aggregation schemes, we refer the reader to the detailed survey of Jawurek, Kerschbaum, and Danezis [=-=Jawurek et al. 2012-=-]. Our contributions. While applicable to our framework, the solutions offered in [Shi et al. 2011] and [Joye and Libert 2013] are not fully satisfying, but for different reasons. Table I gives a roug... |

1 | Techniques for SPHFs and Efficient One-Round PAKE Protocols - New |

1 | Ilya Mironov, and Moni Naor. 2006. Our Data, Ourselves: Privacy Via Distributed Noise Generation - Dwork, Kenthapadi, et al. |

1 | ENCRYPTION SCHEMES For completeness, we review in this appendix the two known constructions for aggregatoroblivious encryption [Shi et - AO |