Remote Electronic Voting can be Efficient, Verifiable and Coercion-Resistant
Roberto Araújo, Amira Barki, Solenn Brunet and Jacques Traoré
1st Workshop on Advances in Secure Electronic Voting Schemes (VOTING'16), February 26th, 2016

Content
1. Previous Work
2. Building Blocks
3. Our Electronic Voting Scheme
4. Conclusion
Remote e-voting: Efficient, Verifiable and Coercion-Resistant

Previous Work (Juels, Catalano and Jakobsson, WPES 2005)
JCJ formally defined the property of coercion-resistance by considering possible attacks:
- constrain a voter to cast given or random votes
- force her to reveal her private data
- vote on her behalf
- force her to abstain
Main idea: a coercer must be unable to distinguish a fake credential from a valid one.
For $N$ ballots, the tallying complexity is in $O(N^2)$.

Motivations
- Linear complexity
- Multiple elections
- Practical for real polls
- Completely anonymous
AFT07, AT13, CH11, SKHS11

Building Blocks
- Designated Verifier Proof (DVP), which cannot be transferred: only the designated verifier can be convinced by this proof
- Non-Interactive Zero-Knowledge Proof of Knowledge (NIZKP): enables a prover to convince a verifier that he knows some secret
- ElGamal Cryptosystem
- Algebraic MAC Scheme
- Sequential Aggregate MAC Scheme

ElGamal Cryptosystem
Given $G = \langle g \rangle$, a cyclic group of prime order $p$:
- private key $x$, public key $pk = g^x$
- encryption of $m$: $E_{pk}[m] = (g^r, m h^r)$
- decryption of $E_{pk}[m]$: $m h^r / (g^r)^x$
Properties:
- multiplicatively homomorphic: $E_{pk}[m_1] \cdot E_{pk}[m_2] = E_{pk}[m_1 m_2]$
- distribution of the private key (i.e. the decryption)
- comparison of two ciphertexts via Plaintext Equivalence Test (PET): $PET(E_{pk}[m_1], E_{pk}[m_2]) = 1$ if $m_1 = m_2$ and 0 otherwise
- easy re-encryption: $E_{pk}[m] = (g^r, m h^r)$ can be transformed into $E_{pk}[m] = (g^{r+r'}, m h^{r+r'})$

Algebraic MAC Scheme (Chase, Meiklejohn, Zaverucha, ACM CCS 2014)
- Setup($1^k$): generate $pp = (G, p, g, h)$ such that $G$ is a cyclic group of prime order $p$ where DDH is hard, and $g$, $h$ are two of its generators
- KeyGen($pp$): secret key $sk = (x_0, x_1, x_2)$; optionally, the public parameters $(C_{x_0} = g^{x_0} h^{x}, X_1 = h^{x_1}, X_2 = h^{x_2})$
- MAC($sk, m_1, m_2$): choose $u$ randomly and generate $\sigma = (u, u')$ where $u' = u^{x_0 + m_1 x_1 + m_2 x_2}$
- Verify($sk, m_1, m_2, \sigma$): $u \neq 1$ and $u^{x_0 + m_1 x_1 + m_2 x_2} \stackrel{?}{=} u'$
Deciding whether $(m, u, u' = u^{x_0 + m x_1})$ is a valid MAC on $m$ is equivalent to the DDH problem.

Our Sequential Aggregate MAC Scheme
Setup: $pp = (G, p, g, h)$
- $sk_1 = (x_0, x_1)$, secret key of the first signer $S_1$
- $sk_2 = x_2$, secret key of the second signer $S_2$
- $C_{x_0} = g^{x_0} h^{x}$, $X_1 = h^{x_1}$, $X_2 = h^{x_2}$, associated public parameters
Computation of MAC on $m_1$ by $S_1$ and $m_2$ by $S_2$:
- $S_1 \to S_2$: $(u, u' = u^{x_0 + m_1 x_1})$, $m_1$
- $S_2 \to$ receiver: $(w = u^t, w' = (u' \cdot u^{m_2 x_2})^t)$, $m_1$, $m_2$
Verification: $w \neq 1$ and $w' \stackrel{?}{=} w^{x_0 + m_1 x_1 + m_2 x_2}$
Existentially unforgeable

Our evote Scheme
Phases: 1. Setup 2. Registration 3. Voting 4. Tallying
- Voters: receive credential in order to cast a vote
- Registration authorities: issue credentials in a distributed manner during the registration step
- Coercers: force voters to make a particular vote and try to verify it
- Tallying authorities: jointly manage the tallying phase

Security Model
- Registration occurs through an untappable channel: no adversaries at this step
- Votes may be posted anonymously
- Bulletin Board is universally accessible
- Attacker may:
  - access all public information
  - corrupt a subpart of the election authorities
  - coerce voters: request secrets, force a particular vote
- Voters trust their voting client.

Set-Up
Set-Up:
- $g$, $h$, $o$ generators of a cyclic group $G$ of prime order $p$
- registrars R: share $sk = (x_0, x_1)$, $pk = (C_{x_0} = g^{x_0} h^{x}, X_1 = h^{x_1})$
- talliers T: share $sk$ and an ElGamal keypair T, T
Registration:
- credential $(s, u, u')$: $s$ and $u$ chosen randomly by R, $u' = u^{x_0 + s x_1}$ computed by R
- in case of coercion, fake credential: s, u, u (DDH assumption)

Registration
R jointly compute $(u, u' = u^{x_0 + s x_1})$, with $s$, $u$ cooperatively selected, and prove its validity through a DVP: $(s, u, u')$, DVP
If a coercer asks for her credential, she can send a fake one: (s, u, u )
The DVP can only convince the designated voter!

More about our Ballot
Credential: $(s, u, u')$ where $u' = u^{x_0 + s x_1}$
Ballot: $(E_T[v], w, w', E_T[w^s], o^s, P)$
- $(w, w')$ is a randomized credential s.t. $w = u^l$ and $w' = (u')^l$
- $P$ is a pair of NIZKPs of validity:
  - $E_T[v]$ is an encryption of a valid vote
  - the voter knows: the plaintext of $E_T[w^s]$, and the secret $s$, common both to $E_T[w^s]$ and $o^s$

Voting (first election)
Vote under coercion: $(E_T[a], w, w', E_T[w^s], o^s, P)$
Revote: $(E_T[b], w, w', E_T[w^s], o^s, P)$
Bulletin Board:
- $(E_T[a], w, w', E_T[w^s], o^s, P)$
- $(E_T[b], w, w', E_T[w^s], o^s, P)$

Tallying Phase [1/5]
1. Discard ballots with invalid proofs
Bulletin Board (offline):
- $(E_T[b], w_1, w_1', E_T[w_1^r], o^r, P)$
- $(E_T[b], w_2, w_2', E_T[w_2^s], o^s, P)$
- $(E_T[a], w_3, w_3', E_T[w_3^t], o^t, P)$
- $(E_T[b], w_4, w_4', E_T[w_4^s], o^s, P)$
- $(E_T[a], z_1, z_1', E_T[z_1^r], o^r, P)$
- $(E_T[a], z_2, z_2', E_T[z_2^s], o^s, P)$

Tallying Phase [2/5]
2. Remove duplicate votes: ballots published using the same secret $s$
Bulletin Board (offline):
- $(E_T[b], w_1, w_1', E_T[w_1^r], o^r)$
- $(E_T[b], w_2, w_2', E_T[w_2^s], o^s)$
- $(E_T[a], w_3, w_3', E_T[w_3^t], o^t)$
- $(E_T[b], w_4, w_4', E_T[w_4^s], o^s)$
- $(E_T[a], z_2, z_2', E_T[z_2^s], o^s)$
Possible policy: keep the last one

Tallying Phase [3/5]
3. Reconstruction and checking of credentials
Bulletin Board (offline):
- $(E_T[b], w_1, w_1', E_T[w_1^r])$
- $(E_T[a], w_3, w_3', E_T[w_3^t])$
- $(E_T[b], w_4, w_4', E_T[w_4^s])$
- $(E_T[a], z_2, z_2', E_T[z_2^s])$
Steps:
1. The authorities cooperatively compute $E_T[w]$, $E_T[w^{x_0}]$, $E_T[w^s]$, $E_T[w^{s x_1}]$ in order to obtain: $E_T[w^{x_0}] \cdot E_T[w^{s x_1}] = E_T[w^{x_0 + s x_1}]$
2. Then, power $C = E_T[w^{x_0 + s x_1}] / w'$ to a fresh random $\alpha$ for the PET: $D = C^{\alpha}$ should be equal to $E_T[1]$

Tallying Phase [4/5]
4. Mix the ballots
Bulletin Board (offline): $(E_T[b], D_1)$, $(E_T[a], D_2)$, $(E_T[b], D_3)$, $(E_T[a], D_4)$
Mix Net: re-encrypt and permute each row
Bulletin Board: $(E_T[a], D_2)$, $(E_T[a], D_4)$, $(E_T[b], D_3)$, $(E_T[b], D_1)$
Published on the WBB

Tallying Phase [5/5]
5. Identify valid votes by jointly decrypting $D_i$: if the plaintext is equal to 1, the ballot is valid and thus decrypted
Bulletin Board (offline): $(E_T[a], D_2)$, $(E_T[a], D_4)$, $(E_T[b], D_3)$, $(E_T[b], D_1)$
Distributed decryption
Results: a, a, b

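Tallying steps 2 to 5 end to end, as an added example that is not code from the slides or from the authors. Assumptions: a toy 11-bit group, a single tallier key instead of distributed decryption, the NIZK proofs of step 1 left out, a fake credential modelled as a wrong secret s with the same (u, u'), and all function names are hypothetical.

```python
import random
import secrets

# Toy group, constructed for this example: P = 2Q + 1 is a safe prime and
# G, O generate the order-Q subgroup of squares mod P. Far too small for real use.
P, Q = 2039, 1019
G, O = 4, 25
VOTES = {"a": 4, "b": 16}                 # candidates encoded as subgroup elements
NAMES = {elem: name for name, elem in VOTES.items()}


def rand_exp():
    """Uniform non-zero exponent modulo the group order."""
    return secrets.randbelow(Q - 1) + 1


def enc(pk, m):
    """ElGamal: E[m] = (g^r, m * pk^r)."""
    r = rand_exp()
    return (pow(G, r, P), m * pow(pk, r, P) % P)


def dec(sk, c):
    """m = c2 / c1^sk; c1 has order Q, so c1^(Q - sk) is the inverse of c1^sk."""
    return c[1] * pow(c[0], Q - sk, P) % P


def c_mul(c1, c2):
    """Homomorphism: E[m1] * E[m2] = E[m1 * m2]."""
    return (c1[0] * c2[0] % P, c1[1] * c2[1] % P)


def c_pow(c, e):
    """E[m]^e = E[m^e]."""
    return (pow(c[0], e, P), pow(c[1], e, P))


def issue_credential(x0, x1, s):
    """Registrars: (s, u, u') with u' = u^(x0 + s*x1)."""
    u = pow(G, rand_exp(), P)
    return (s, u, pow(u, (x0 + s * x1) % Q, P))


def cast(pk_t, cred, vote):
    """Ballot (E_T[v], w, w', E_T[w^s], o^s); the NIZK proofs P are omitted."""
    s, u, u1 = cred
    l = rand_exp()
    w, w1 = pow(u, l, P), pow(u1, l, P)
    return {"vote": enc(pk_t, VOTES[vote]), "w": w, "w1": w1,
            "ws": enc(pk_t, pow(w, s, P)), "os": pow(O, s, P)}


def tally(board, x0, x1, sk_t, pk_t):
    # Step 2: equal o^s means equal secret s; policy "keep the last one".
    last = {}
    for ballot in board:
        last[ballot["os"]] = ballot
    # Step 3: C = E_T[w^x0] * E_T[w^s]^x1 / w' encrypts 1 iff w' = w^(x0 + s*x1);
    # D = C^alpha hides everything else about an invalid credential.
    rows = []
    for b in last.values():
        c = c_mul(enc(pk_t, pow(b["w"], x0, P)), c_pow(b["ws"], x1))
        c = (c[0], c[1] * pow(b["w1"], P - 2, P) % P)   # divide plaintext by w'
        rows.append((b["vote"], c_pow(c, rand_exp())))
    # Step 4: mix = permute the rows and re-encrypt both ciphertexts of each row.
    random.SystemRandom().shuffle(rows)
    rows = [(c_mul(v, enc(pk_t, 1)), c_mul(d, enc(pk_t, 1))) for v, d in rows]
    # Step 5: decrypt D; only rows where it is 1 have their vote decrypted.
    return sorted(NAMES[dec(sk_t, v)] for v, d in rows if dec(sk_t, d) == 1)


def demo():
    x0, x1, sk_t = rand_exp(), rand_exp(), rand_exp()
    pk_t = pow(G, sk_t, P)
    # Constructed secrets 11, 22, 33 keep the sample voters distinct in the toy group.
    v1, v2, v3 = (issue_credential(x0, x1, s) for s in (11, 22, 33))
    fake = (44, v1[1], v1[2])        # assumed fake: wrong secret, same (u, u')
    board = [cast(pk_t, fake, "a"),  # voter 1 under coercion
             cast(pk_t, v1, "b"),    # voter 1 revotes with her real credential
             cast(pk_t, v2, "a"),
             cast(pk_t, v3, "b"),
             cast(pk_t, v3, "a")]    # voter 3 changes her mind; last ballot counts
    return tally(board, x0, x1, sk_t, pk_t)


if __name__ == "__main__":
    print(demo())
```

The coerced ballot is never flagged in public: it simply decrypts to a value other than 1 in step 5 and its vote stays encrypted.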
Multiple Elections and Credentials Revocation
For a second election, registrars R:
- jointly generate an election identifier $e_I$
- compute a new pair of keys $(x_2, X_2 = h^{x_2})$, shared with the talliers T
- publish an updated credential $(w, w')$ for each eligible voter: $(u, u' = u^{x_0 + s x_1})$ associated to the secret $s$ becomes $(u^t, (u' \cdot u^{e_I x_2})^t) = (w, w' = w^{x_0 + s x_1 + e_I x_2})$
Voting and tallying phases are unchanged.

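The sequential aggregate MAC and its use for the second-election credential update are the same computation, shown here as an added example that is not the authors' code. Assumptions: a toy 11-bit group, constructed values for s and e_I, and hypothetical function names; the second signer only ever holds x2.

```python
import secrets

# Toy group, constructed for this example: G generates the subgroup of prime
# order Q in Z_P^* (P = 2Q + 1). Far too small for real use.
P, Q, G = 2039, 1019, 4


def rand_exp():
    """Uniform non-zero exponent modulo the group order."""
    return secrets.randbelow(Q - 1) + 1


def mac_s1(sk1, m1):
    """First signer S1 with sk1 = (x0, x1): (u, u') where u' = u^(x0 + m1*x1)."""
    x0, x1 = sk1
    u = pow(G, rand_exp(), P)
    return (u, pow(u, (x0 + m1 * x1) % Q, P))


def aggregate_s2(x2, tag, m2):
    """Second signer S2, knowing only x2: (w, w') = (u^t, (u' * u^(m2*x2))^t)."""
    u, u1 = tag
    t = rand_exp()
    return (pow(u, t, P), pow(u1 * pow(u, m2 * x2 % Q, P) % P, t, P))


def verify(sk, msgs, tag):
    """Keyed verification: w != 1 and w' == w^(x0 + m1*x1 + ... + mk*xk)."""
    w, w1 = tag
    exponent = (sk[0] + sum(x * m for x, m in zip(sk[1:], msgs))) % Q
    return w != 1 and pow(w, exponent, P) == w1


def demo():
    x0, x1, x2 = rand_exp(), rand_exp(), rand_exp()
    s, e_i = 11, 2                          # constructed voter secret and election identifier
    first = mac_s1((x0, x1), s)             # credential (u, u') of the first election
    second = aggregate_s2(x2, first, e_i)   # updated credential (w, w')
    return {
        "first_election": verify((x0, x1), (s,), first),
        "second_election": verify((x0, x1, x2), (s, e_i), second),
        # A credential that was not updated fails under the second-election key.
        "not_updated": verify((x0, x1, x2), (s, e_i), first),
        # The updated credential is bound to this election identifier.
        "wrong_election_id": verify((x0, x1, x2), (s, e_i + 1), second),
    }


if __name__ == "__main__":
    print(demo())
```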
Security
- A voter cannot prove her vote: false and real credentials are indistinguishable
- No forced abstention: votes cast using anonymous channel
- No forced randomization and impersonation: voter can use fake credential for false vote and cast another one later
- Resistance to shoulder-surfing: re-vote policy, only the last might count
Our voting scheme satisfies:
- eligibility requirement through security properties of the MAC,
- coercion-resistance property under DDH assumption.

Conclusion
- a Sequential Aggregate MAC Scheme, existentially unforgeable
- Our new voting scheme for remote elections is:
  - publicly verifiable
  - efficient (linear time complexity)
  - coercion-resistant
  - allowing multiple elections and credentials revocation

Thank you
More informationPractice Exam Winter 2018, CS 485/585 Crypto March 14, 2018
Practice Exam Name: Winter 2018, CS 485/585 Crypto March 14, 2018 Portland State University Prof. Fang Song Instructions This exam contains 8 pages (including this cover page) and 5 questions. Total of
More informationColluding Attacks to a Payment Protocol and Two Signature Exchange Schemes
Colluding Attacks to a Payment Protocol and Two Signature Exchange Schemes Feng Bao Institute for Infocomm Research 21 Heng Mui Keng Terrace, Singapore 119613 Email: baofeng@i2r.a-star.edu.sg Abstract.
More informationPublic-Key Encryption: ElGamal, RSA, Rabin
Public-Key Encryption: ElGamal, RSA, Rabin Introduction to Modern Cryptography Benny Applebaum Tel-Aviv University Fall Semester, 2011 12 Public-Key Encryption Syntax Encryption algorithm: E. Decryption
More informationMinimal Design for Decentralized Wallet. Omer Shlomovits
Minimal Design for Decentralized Wallet Omer Shlomovits 1 !2 Motivation Imagine we had a private key management system where: No single point of failure Move of assets (signing) cannot happen without Owner
More informationA Practical Set-Membership Proof for Privacy-Preserving NFC Mobile Ticketing
Ghada rfaoui, Jean-François Lalande, Jacques Traoré, Nicolas Desmoulins, Pascal Berthomé, and Saïd Gharout Practical Set-Membership Proof for Privacy-Preserving NFC Mobile Ticketing arxiv:1505.03048v1
More informationRevisiting Cryptographic Accumulators, Additional Properties and Relations to other Primitives
S C I E N C E P A S S I O N T E C H N O L O G Y Revisiting Cryptographic Accumulators, Additional Properties and Relations to other Primitives David Derler, Christian Hanser, and Daniel Slamanig, IAIK,
More informationARTICLE IN PRESS Mathematical and Computer Modelling ( )
Mathematical and Computer Modelling ( ) Contents lists available at ScienceDirect Mathematical and Computer Modelling journal homepage: www.elsevier.com/locate/mcm An information-theoretic model of voting
More informationEnforcing honesty of certification authorities: Tagged one-time signature schemes
Enforcing honesty of certification authorities: Tagged one-time signature schemes Information Security Group Royal Holloway, University of London bertram.poettering@rhul.ac.uk Stanford, January 11, 2013
More informationLecture Note 3 Date:
P.Lafourcade Lecture Note 3 Date: 28.09.2009 Security models 1st Semester 2007/2008 ROUAULT Boris GABIAM Amanda ARNEDO Pedro 1 Contents 1 Perfect Encryption 3 1.1 Notations....................................
More informationNon-Interactive Zero-Knowledge Proofs of Non-Membership
Non-Interactive Zero-Knowledge Proofs of Non-Membership O. Blazy, C. Chevalier, D. Vergnaud XLim / Université Paris II / ENS O. Blazy (XLim) Negative-NIZK CT-RSA 2015 1 / 22 1 Brief Overview 2 Building
More informationRing Group Signatures
Ring Group Signatures Liqun Chen Hewlett-Packard Laboratories, Long Down Avenue, Stoke Gifford, Bristol, BS34 8QZ, United Kingdom. liqun.chen@hp.com Abstract. In many applications of group signatures,
More information4-3 A Survey on Oblivious Transfer Protocols
4-3 A Survey on Oblivious Transfer Protocols In this paper, we survey some constructions of oblivious transfer (OT) protocols from public key encryption schemes. We begin with a simple construction of
More information