Improving Helios with Everlasting Privacy Towards the Public Denise Demirel, Jeroen van de Graaf, Roberto Araújo
|
|
- Anissa Moore
- 5 years ago
- Views:
Transcription
1 Improving Helios with Everlasting Privacy Towards the Public Denise Demirel, Jeroen van de Graaf, Roberto Araúo Fachbereich 20 CDC Denise Demirel 1
2 Helios Introduced 2008 by Ben Adida Web application for Internet voting Online accessible: Easy to use, free of charge, provides end-to-end verifiability Tool to support elections for companies, online groups, President of the Université Catholique de Louvain (2009) Princeton Undergraduate Student Government election (2009) Fachbereich 20 CDC Denise Demirel 2
3 Helios Election Process (1) 1. System initialization a) User creates election by setting parameters and list of eligible voters. b) Software generates election templates (e.g. ballot, key pair for threshold decryption). Helios Server Application 2. Vote Casting process a) Voter receives containing username, password, URL,... b) Single-page JavaScript application starts and downloads parameters and Voter Fachbereich 20 CDC Denise Demirel 3
4 Helios Election Process (2) 2. Vote Casting process c) Voter fills out the ballot, which is encrypted by the application. d) Hash of encrypted vote is shown to the voter. e) The voter has the option to audit. In this case go back to step 2c). f) Application clears scope, voter authenticates g) ID, password, encrypted vote and proofs are sent to the Helios server which responds with a success message. h) The Helios server sends the voter an containing the hash of the cast vote. Helios Server Application Voter Fachbereich 20 CDC Denise Demirel 4
5 Helios Election Process (3) 3. Tallying and publishing of votes Helios Server a) The Helios server publishes the Bulletin Board encrypted votes, hashes and proofs on the Bulletin Board. b) The Helios server computes the election outcome. Mixing + decryption + tallying Homomorphic tallying + decryption Voter 1: Voter 2: Voter 3: Voter 4: Election outcome Fachbereich 20 CDC Denise Demirel 5
6 Tallying and Publishing of Votes Voters Candidate 1 Candidate 2 Candidate n Voter 1 : Voter V Enc(t 1 1 ) : Enc(t 1 V ) Enc(t 2 1 ) : Enc(t 2 V ) : Enc(t n 1 ) : Enc(t n V ) Total Enc(t 1 ) Enc(t 2 ) Enc(t n ) Equals Enc( t 1 ) Enc( t 2 ) Enc( t n ) Vote is represented as vector t 1,, t l. Vote for candidate i is vector where t i = 1 and t k = 0 for k i. Each entry is encrypted individually using exponential ElGamal. Votes for each candidate are tallied homomorphically and decrypted. Decryption results in δ t (need to solve DL, but here values are small) Fachbereich 20 CDC Denise Demirel 6
7 Properties Individual Verifiability Voter Bulletin Board Universal Verifiability Correctness Voter 1: Voter 2: Voter 3: Voter 4: Computational Privacy Election outcome Fachbereich 20 CDC Denise Demirel 7
8 Computational Privacy Homomorphic Public-Key Cryptography e.g. Paillier, ElGamal Computational Assumptions Brute-Force Principle of free suffrage Fachbereich 20 CDC Denise Demirel 8
9 Helios Providing Everlasting Privacy Towards the Public Goal: Having all published data (Bulletin Board, receipts), even a computationally unbounded attacker cannot reveal the cast voting decision. Solution: Encryption of the cast voting decision using a One-Time-Pad. Challenge: How can a pair of voting decision and associated key be tallied homomorphically providing Verifiability and Everlasting Privacy regarding the published information? Fachbereich 20 CDC Denise Demirel 9
10 Encoding using Pedersen Commitments Cyclic group G Random generators g and h (log g h unknown and computationally hard) Encoding of vote t Z G : C t, s number s Z G. = g s h t with random Fachbereich 20 CDC Denise Demirel 10
11 Properties of Pedersen Commitments Computational Binding: Decrypting (opening) to a different value is impossible given that solving Discrete Log is computationally hard. C t 1, s 1 = g s 1 h t 1 = g s 2h t 2 g s 1 s 2 = h t t2 t1 2 t 1 g = hs1 s2 Additive Homomorphic: C t 1, s 1 C t 2, s 2 = g s 1h t 1 g s 2h t 2 = C t 1 + t 2, s 1 + s 2 Everlasting Privacy: The commitment scheme is unconditionally hiding Fachbereich 20 CDC Denise Demirel 11
12 Modified Election Process (1) 1. System initialization a) User creates election by setting parameters and list of eligible voters. b) Software generates election templates (e.g. ballot, key pair for threshold decryption, parameters for Pedersen Commitment). Helios Server Application 2. Vote Casting process a) Voter receives containing username, password, URL,... b) Single-page JavaScript application starts and downloads parameters and Voter Fachbereich 20 CDC Denise Demirel 12
13 Modified Election Process (2) 2. Vote Casting process c) Voter marks a choice, which is encoded using Pedersen Commitments. d) The Hash of the commitment is shown to the voter. e) The voter has the option to audit. In this case go back to step 2c). f) Application clears scope, voter authenticates g) ID, password, commitment, encrypted decommitment values and proofs are sent to the Helios server which responds with a success message. h) The Helios server sends the voter an containing the hash of the cast vote. Helios Server Application Voter Fachbereich 20 CDC Denise Demirel 13
14 Everlasting Privacy Additional Assumption: There exists a private channel between the user s browser and the server (e.g. by sending keys per mail). Additional Property: Everlasting Privacy towards the public. Attacking this version requires much more work. Helios Server v, w Application v*,w* u Key Trustees t*,s* Bulletin Board Fachbereich 20 CDC Denise Demirel 14
15 Modified Tallying Process 1 u 1 1 = α s 1(1) β t 1(1) u l 1 = α s l(1) β t l(1) : : : : V u 1 V = α s 1() β t 1() u l V = α s l() β t l() 1 v 1 1 = γ s 1 1 (r 1 (1)) N v l 1 = γ s l 1 (r l (1)) N : : : : V v 1 V = γ s 1 V (r 1 (V)) N v l V = γ sl(v) (r l (V)) N D(v 1 ) D(v l ) 1 w 1 1 = γ t 1 1 (r 1 (1)) N w l 1 = γ t l 1 (r l (1)) N s 1 = s 1 () s l = s l () : : : : V w 1 V = γ t 1 V (r 1 (V)) N w l V = γ tl(v) (r l (V)) N D(w 1 ) D(w l ) u 1 () t 1 = t 1 () t l = t l () = α s1 β t 1 u l () = α sl β t l decrypt and publish v 1 = w 1 = v 1 () w 1 () v l = w l = v l () w l () Public Helios Bulletin Board Helios Server (private Information) Fachbereich 20 CDC Denise Demirel 15
16 Modified Tallying Process 1 u 1 1 = α s 1(1) β t 1(1) u l 1 = α s l(1) β t l(1) : : : : V u 1 V = α s 1() β t 1() u l V = α s l() β t l() 1 v 1 1 = γ s 1 1 (r 1 (1)) N v l 1 = γ s l 1 (r l (1)) N : : : : V v 1 V = γ s 1 V (r 1 (V)) N v l V = γ sl(v) (r l (V)) N D(v 1 ) D(v l ) 1 w 1 1 = γ t 1 1 (r 1 (1)) N w l 1 = γ t l 1 (r l (1)) N s 1 = s 1 () s l = s l () : : : : V w 1 V = γ t 1 V (r 1 (V)) N w l V = γ tl(v) (r l (V)) N u 1 () t 1 = D(w 1 ) t 1 () t l = D(w l ) t l () = α s1 β t 1 u l () = α sl β t l Public Helios Bulletin Board decrypt and publish v 1 = w 1 = v 1 () w 1 () v l = w l = v l () w l () Note: The Message space of the Commitment and the Encryption Scheme must match. Helios Server (private Information) Fachbereich 20 CDC Denise Demirel 16
17 Parameters Need a commitment scheme with a matching semantically secure encryption scheme. Construction by Moran and Naor (Split Ballot): Paillier: N = p 1 p 2 where p 1 and p 2 are safe primes. Pedersen Commitments: Subgroup of Group Z 4N+1 having order N, where 4N + 1 must be prime Fachbereich 20 CDC Denise Demirel 17
18 Proofs 1) Public Proof - Proof of validity of the ballot 1) Each entry of the vector is either 0 or 1. Modification of proof of validity [CFSY96]. 2) Only one entry equals 1. Prove knowledge of l i=1 u i β 1 using Schnorr. 2) Private Proof - Consistency of the commitment and encrypted information Cut-and-Choose (Compare to [MN10]) Fachbereich 20 CDC Denise Demirel 18
19 Proof of Validity Prover Verifier v = 1 v = 0 α, r 1, d 1, w 2 R Z q α, r 2, d 2, w 1 R Z q B α s β B α s a 1 α r 1B d 1 a 1 α w 1 a 2 α w 2 a 2 α r 2(B/β) d 2 B, a 1, a 2 d 2 c d 1 d 1 c d 2 c c R Z q r 2 w 2 + sd 2 r 1 w 1 + sd 1 d 1, d 2, r 1, r 2 d 1 + d 2 c α r 1 a 1 B d 1 α r 2 a 2 (B/β) d Fachbereich 20 CDC Denise Demirel 19
20 Consistency Proof u = α s β t, v = γ s r N, w = γ t r N Show knowledge of t, s, r, r by Cut-and-Choose 1. Choose t, s, r, r and generate second triple u, v, w 2. Challenge: 0 or 1 3. If 0 publish t, s, r, r, if 1 publish t + t, s + s, r r, r r. 4. Check and 5. Repeat u u α s β t u = α s β t v = γ s r N w = γ t r N u α s+s β t+t v γ s+s (r r ) N w γ t+t (r r ) N v v γ s r N, w w γ t r N Fachbereich 20 CDC Denise Demirel 20
21 Consistency Proof u = α s β t, v = γ s r N, w = γ t r N Show knowledge of t, s, r, r by Cut-and-Choose 1. Choose t, s, r, r and generate second triple u, v, w 2. Challenge: 0 or 1 3. If 0 publish t, s, r, r, if 1 publish t + t, s + s, r r, r r. 4. Check and 5. Repeat u = α s β t v = γ s r N w = γ t r N u u α s β t Probability that two different values for s and t will not be detected is 1 u = α s+s β t+t 2 b v for γ b s+s iterations. (r r ) N w γ t+t (r r ) N v v γ s r N, w w γ t r N Fachbereich 20 CDC Denise Demirel 21
22 Future Work Improvements for booth voting: Principle of free suffrage. Everlasting privacy can be implemented also for electronic voting systems like Prêt à Voter, Scratch & Vote and MarkPledge. Cuvelier, Peters and Pereira s Efficient commitment scheme with matching encryption scheme based on elliptic curves (presented at SecVote 2012) Fachbereich 20 CDC Denise Demirel 22
23 Thank you Questions? Fachbereich 20 CDC Denise Demirel 23
Election Verifiability or Ballot Privacy: Do We Need to Choose?
Election Verifiability or Ballot Privacy: Do We Need to Choose? Édouard Cuvelier, Olivier Pereira, and Thomas Peters Université catholique de Louvain ICTEAM Crypto Group 1348 Louvain-la-Neuve Belgium Abstract.
More informationCryptographic Voting Systems (Ben Adida)
Cryptographic Voting Systems (Ben Adida) Click to edit Master subtitle style Jimin Park Carleton University COMP 4109 Seminar 15 February 2011 If you think cryptography is the solution to your problem.
More informationPractical Provably Correct Voter Privacy Protecting End to End Voting Employing Multiparty Computations and Split Value Representations of Votes
Practical Provably Correct Voter Privacy Protecting End to End Voting Employing Multiparty Computations and Split Value Representations of Votes Michael O. Rabin Columbia University SEAS Harvard University
More informationHow not to Prove Yourself: Pitfalls of the Fiat-Shamir Heuristic and Applications to Helios
How not to Prove Yourself: Pitfalls of the Fiat-Shamir Heuristic and Applications to Helios David Bernhard 1, Olivier Pereira 2, and Bogdan Warinschi 1 1 University of Bristol, {csxdb,csxbw}@bristol.ac.uk
More informationSelections:! Internet voting with over-the-shoulder coercion-resistance. Jeremy Clark
Selections:! Internet voting with over-the-shoulder coercion-resistance Jeremy Clark Overview We consider the problem of over-theshoulder adversaries in Internet voting We design a voting protocol resistant
More informationA Security Analysis of the Helios Voting Protocol and Application to the Norwegian County Election
A Security Analysis of the Helios Voting Protocol and Application to the Norwegian County Election Kristine Salamonsen Master of Science in Physics and Mathematics Submission date: June 2014 Supervisor:
More informationLecture Notes 15 : Voting, Homomorphic Encryption
6.857 Computer and Network Security October 29, 2002 Lecture Notes 15 : Voting, Homomorphic Encryption Lecturer: Ron Rivest Scribe: Ledlie/Ortiz/Paskalev/Zhao 1 Introduction The big picture and where we
More informationRemote Electronic Voting can be Efficient, Verifiable and Coercion-Resistant
Remote Electronic Voting can be Efficient, Verifiable and Coercion-Resistant Roberto Araújo, Amira Barki, Solenn Brunet and Jacques Traoré 1st Workshop on Advances in Secure Electronic Voting Schemes VOTING
More informationEvaluating 2-DNF Formulas on Ciphertexts
Evaluating 2-DNF Formulas on Ciphertexts Dan Boneh, Eu-Jin Goh, and Kobbi Nissim Theory of Cryptography Conference 2005 Homomorphic Encryption Enc. scheme is homomorphic to function f if from E[A], E[B],
More informationCryptography CS 555. Topic 23: Zero-Knowledge Proof and Cryptographic Commitment. CS555 Topic 23 1
Cryptography CS 555 Topic 23: Zero-Knowledge Proof and Cryptographic Commitment CS555 Topic 23 1 Outline and Readings Outline Zero-knowledge proof Fiat-Shamir protocol Schnorr protocol Commitment schemes
More informationAN INTRODUCTION TO THE UNDERLYING COMPUTATIONAL PROBLEM OF THE ELGAMAL CRYPTOSYSTEM
AN INTRODUCTION TO THE UNDERLYING COMPUTATIONAL PROBLEM OF THE ELGAMAL CRYPTOSYSTEM VORA,VRUSHANK APPRENTICE PROGRAM Abstract. This paper will analyze the strengths and weaknesses of the underlying computational
More informationL7. Diffie-Hellman (Key Exchange) Protocol. Rocky K. C. Chang, 5 March 2015
L7. Diffie-Hellman (Key Exchange) Protocol Rocky K. C. Chang, 5 March 2015 1 Outline The basic foundation: multiplicative group modulo prime The basic Diffie-Hellman (DH) protocol The discrete logarithm
More informationOverview of the Talk. Secret Sharing. Secret Sharing Made Short Hugo Krawczyk Perfect Secrecy
Overview of the Talk Secret Sharing CS395T Design and Implementation of Trusted Services Ankur Gupta Hugo Krawczyk. Secret Sharing Made Short, 1993. Josh Cohen Benaloh. Secret Sharing Homomorphisms: Keeping
More informationHow to Shuffle in Public
How to Shuffle in Public Ben Adida Harvard (work done at MIT) Douglas Wikström ETH Zürich TCC 27 February 24th, 27 How to Shuffle in Public Ben Adida Harvard (work done at MIT) Douglas Wikström ETH Zürich
More informationPractical everlasting privacy
Practical everlasting privacy Myrto Arapinis 1, Véronique Cortier 2, Steve Kremer 2, and Mark Ryan 1 1 School of Computer Science, University of Birmingham 2 LORIA, CNRS, France Abstract. Will my vote
More informationLecture 19: Verifiable Mix-Net Voting. The Challenges of Verifiable Mix-Net Voting
6.879 Special Topics in Cryptography Instructors: Ran Canetti April 15, 2004 Lecture 19: Verifiable Mix-Net Voting Scribe: Susan Hohenberger In the last lecture, we described two types of mix-net voting
More informationNotes for Lecture 17
U.C. Berkeley CS276: Cryptography Handout N17 Luca Trevisan March 17, 2009 Notes for Lecture 17 Scribed by Matt Finifter, posted April 8, 2009 Summary Today we begin to talk about public-key cryptography,
More informationSecure Vickrey Auctions without Threshold Trust
Secure Vickrey Auctions without Threshold Trust Helger Lipmaa Helsinki University of Technology, {helger}@tcs.hut.fi N. Asokan, Valtteri Niemi Nokia Research Center, {n.asokan,valtteri.niemi}@nokia.com
More informationThreshold Cryptography
Threshold Cryptography Cloud Security Mechanisms Björn Groneberg - Summer Term 2013 09.07.2013 Threshold Cryptography 1 ? 09.07.2013 Threshold Cryptography 2 Threshold Cryptography Sharing Secrets Treasure
More informationEfficient Receipt-Free Ballot Casting Resistant to Covert Channels
Efficient Receipt-Free Ballot Casting Resistant to Covert Channels Ben Adida C. Andrew Neff Abstract We present an efficient, covert-channel-resistant, receipt-free ballot casting scheme that can be used
More informationPublic Key Cryptography
Public Key Cryptography Introduction Public Key Cryptography Unlike symmetric key, there is no need for Alice and Bob to share a common secret Alice can convey her public key to Bob in a public communication:
More informationELECTION is a process of establishing the democracy. A secure end-to-end verifiable e-voting system using zero knowledge based blockchain
1 A secure end-to-end verifiable e-voting system using zero knowledge based blockchain Somnath Panja, Bimal Kumar Roy Abstract In this paper, we present a cryptographic technique for an authenticated,
More informationCryptography CS 555. Topic 25: Quantum Crpytography. CS555 Topic 25 1
Cryptography CS 555 Topic 25: Quantum Crpytography CS555 Topic 25 1 Outline and Readings Outline: What is Identity Based Encryption Quantum cryptography Readings: CS555 Topic 25 2 Identity Based Encryption
More informationDavid Chaum s Voter Verification using Encrypted Paper Receipts
David Chaum s Voter Verification using Encrypted Paper Receipts Poorvi Vora In this document, we provide an exposition of David Chaum s voter verification method [1] that uses encrypted paper receipts.
More informationSecurity Implications of Quantum Technologies
Security Implications of Quantum Technologies Jim Alves-Foss Center for Secure and Dependable Software Department of Computer Science University of Idaho Moscow, ID 83844-1010 email: jimaf@cs.uidaho.edu
More informationA multi-candidate electronic voting scheme with unlimited participants
1 INTRODUCTION 1 A multi-candidate electronic voting scheme with unlimited participants Xi Zhao 1, Yong Ding 2, Quanyu Zhao 3 (Corresponding author: Yong Ding) arxiv:1712.10193v1 [cs.cr] 29 Dec 2017 School
More informationLecture 19: Public-key Cryptography (Diffie-Hellman Key Exchange & ElGamal Encryption) Public-key Cryptography
Lecture 19: (Diffie-Hellman Key Exchange & ElGamal Encryption) Recall In private-key cryptography the secret-key sk is always established ahead of time The secrecy of the private-key cryptography relies
More informationSecure Multi-Party Computation
Secure Multi-Party Computation (cryptography for the not so good, the not so bad and the not so ugly) María Isabel González Vasco mariaisabel.vasco@urjc.es Based on joint work with Paolo D Arco (U. Salerno)
More informationD4-1. Formal description of our case study: Helios 2.0
D4-1. Formal description of our case study: Helios 2.0 Ben Smyth and Véronique Cortier Loria, CNRS, France Abstract Helios 2.0 is an open-source web-based end-to-end verifiable electronic voting system,
More informationCryptographic Protocols. Steve Lai
Cryptographic Protocols Steve Lai This course: APPLICATIONS (security) Encryption Schemes Crypto Protocols Sign/MAC Schemes Pseudorandom Generators And Functions Zero-Knowledge Proof Systems Computational
More informationPublic Key Algorithms
Public Key Algorithms Raj Jain Washington University in Saint Louis Saint Louis, MO 63130 Jain@cse.wustl.edu Audio/Video recordings of this lecture are available at: http://www.cse.wustl.edu/~jain/cse571-09/
More informationAn Introduction. Dr Nick Papanikolaou. Seminar on The Future of Cryptography The British Computer Society 17 September 2009
An Dr Nick Papanikolaou Research Fellow, e-security Group International Digital Laboratory University of Warwick http://go.warwick.ac.uk/nikos Seminar on The Future of Cryptography The British Computer
More informationLecture 28: Public-key Cryptography. Public-key Cryptography
Lecture 28: Recall In private-key cryptography the secret-key sk is always established ahead of time The secrecy of the private-key cryptography relies on the fact that the adversary does not have access
More informationOther Public-Key Cryptosystems
Other Public-Key Cryptosystems Raj Jain Washington University in Saint Louis Saint Louis, MO 63130 Jain@cse.wustl.edu Audio/Video recordings of this lecture are available at: http://www.cse.wustl.edu/~jain/cse571-11/
More informationIntroduction to Cryptography. Lecture 8
Introduction to Cryptography Lecture 8 Benny Pinkas page 1 1 Groups we will use Multiplication modulo a prime number p (G, ) = ({1,2,,p-1}, ) E.g., Z 7* = ( {1,2,3,4,5,6}, ) Z p * Z N * Multiplication
More informationSome ZK security proofs for Belenios
Some ZK security proofs for Belenios Pierrick Gaudry CNRS, INRIA, Université de Lorraine January 30, 2017 The purpose of this document is to justify the use of ZK proofs in Belenios. Most of them are exactly
More informationKatz, Lindell Introduction to Modern Cryptrography
Katz, Lindell Introduction to Modern Cryptrography Slides Chapter 12 Markus Bläser, Saarland University Digital signature schemes Goal: integrity of messages Signer signs a message using a private key
More information5199/IOC5063 Theory of Cryptology, 2014 Fall
5199/IOC5063 Theory of Cryptology, 2014 Fall Homework 2 Reference Solution 1. This is about the RSA common modulus problem. Consider that two users A and B use the same modulus n = 146171 for the RSA encryption.
More informationA Generalization of Paillier s Public-Key System with Applications to Electronic Voting
A Generalization of Paillier s Public-Key System with Applications to Electronic Voting Ivan Damgård, Mads Jurik and Jesper Buus Nielsen Aarhus University, Dept. of Computer Science, BRICS Abstract. We
More information6.892 Computing on Encrypted Data September 16, Lecture 2
6.89 Computing on Encrypted Data September 16, 013 Lecture Lecturer: Vinod Vaikuntanathan Scribe: Britt Cyr In this lecture, we will define the learning with errors (LWE) problem, show an euivalence between
More informationIntro to Public Key Cryptography Diffie & Hellman Key Exchange
Introduction to Modern Cryptography Lecture 5 Number Theory: 1. Quadratic residues. 2. The discrete log problem. Intro to Public Key Cryptography Diffie & Hellman Key Exchange Course Summary - Math Part
More informationNon-malleable encryption with proofs of plaintext knowledge and applications to voting
Non-malleable encryption with proofs of plaintext knowledge and applications to voting Ben Smyth 1 and Yoshikazu Hanatani 2 1 Interdisciplinary Centre for Security, Reliability and Trust, University of
More informationAttacking and fixing Helios: An analysis of ballot secrecy
Attacking and fixing Helios: An analysis of ballot secrecy Véronique Cortier 1 and Ben Smyth 2 1 Loria, CNRS & INRIA Nancy Grand Est, France 2 Toshiba Corporation, Kawasaki, Japan June 25, 2012 Abstract
More information1 Number Theory Basics
ECS 289M (Franklin), Winter 2010, Crypto Review 1 Number Theory Basics This section has some basic facts about number theory, mostly taken (or adapted) from Dan Boneh s number theory fact sheets for his
More informationCrypto math II. Alin Tomescu May 27, Abstract A quick overview on group theory from Ron Rivest s course in Spring 2015.
Crypto math II Alin Tomescu alinush@mit.edu May 7, 015 Abstract A quick overview on group theory from Ron Rivest s 6.857 course in Spring 015. 1 Overview Group theory review Diffie-Hellman (DH) key exchange
More informationHomomorphic Encryption. Liam Morris
Homomorphic Encryption Liam Morris Topics What Is Homomorphic Encryption? Partially Homomorphic Cryptosystems Fully Homomorphic Cryptosystems Benefits of Homomorphism Drawbacks of Homomorphism What Is
More information14 Years of Chosen Ciphertext Security: A Survey of Public Key Encryption. Victor Shoup New York University
14 Years of Chosen Ciphertext Security: A Survey of Public Key Encryption Victor Shoup New York University A Historical Perspective The wild years (mid 70 s-mid 80 s): Diffie-Hellman, RSA, ElGamal The
More informationCHALMERS GÖTEBORGS UNIVERSITET. TDA352 (Chalmers) - DIT250 (GU) 11 April 2017, 8:30-12:30
CHALMERS GÖTEBORGS UNIVERSITET CRYPTOGRAPHY TDA35 (Chalmers) - DIT50 (GU) 11 April 017, 8:30-1:30 No extra material is allowed during the exam except for pens and a simple calculator (not smartphones).
More informationExtracting Witnesses from Proofs of Knowledge in the Random Oracle Model
Extracting Witnesses from Proofs of Knowledge in the Random Oracle Model Jens Groth Cryptomathic and BRICS, Aarhus University Abstract We prove that a 3-move interactive proof system with the special soundness
More informationOther Public-Key Cryptosystems
Other Public-Key Cryptosystems Raj Jain Washington University in Saint Louis Saint Louis, MO 63130 Jain@cse.wustl.edu Audio/Video recordings of this lecture are available at: 10-1 Overview 1. How to exchange
More informationPractical Verifiable Encryption and Decryption of Discrete Logarithms
Practical Verifiable Encryption and Decryption of Discrete Logarithms Jan Camenisch IBM Zurich Research Lab Victor Shoup New York University p.1/27 Verifiable encryption of discrete logs Three players:
More informationduring transmission safeguard information Cryptography: used to CRYPTOGRAPHY BACKGROUND OF THE MATHEMATICAL
THE MATHEMATICAL BACKGROUND OF CRYPTOGRAPHY Cryptography: used to safeguard information during transmission (e.g., credit card number for internet shopping) as opposed to Coding Theory: used to transmit
More informationEfficient Multiplicative Homomorphic E-Voting
Efficient Multiplicative Homomorphic E-Voting Kun Peng and Feng Bao Institute for Infocomm Research, Singapore dr.kun.peng@gmail.com Abstract. Multiplicative homomorphic e-voting is proposed by Peng et
More informationBlind Signature Protocol Based on Difficulty of. Simultaneous Solving Two Difficult Problems
Applied Mathematical Sciences, Vol. 6, 202, no. 39, 6903-690 Blind Signature Protocol Based on Difficulty of Simultaneous Solving Two Difficult Problems N. H. Minh, D. V. Binh 2, N. T. Giang 3 and N. A.
More informationLecture 1. 1 Introduction. 2 Secret Sharing Schemes (SSS) G Exposure-Resilient Cryptography 17 January 2007
G22.3033-013 Exposure-Resilient Cryptography 17 January 2007 Lecturer: Yevgeniy Dodis Lecture 1 Scribe: Marisa Debowsky 1 Introduction The issue at hand in this course is key exposure: there s a secret
More informationCIS 6930/4930 Computer and Network Security. Topic 5.2 Public Key Cryptography
CIS 6930/4930 Computer and Network Security Topic 5.2 Public Key Cryptography 1 Diffie-Hellman Key Exchange 2 Diffie-Hellman Protocol For negotiating a shared secret key using only public communication
More informationAdvanced Topics in Cryptography
Advanced Topics in Cryptography Lecture 6: El Gamal. Chosen-ciphertext security, the Cramer-Shoup cryptosystem. Benny Pinkas based on slides of Moni Naor page 1 1 Related papers Lecture notes of Moni Naor,
More informationThis is a repository copy of DRE-ip : A Verifiable E-Voting Scheme without Tallying Authorities.
This is a repository copy of DRE-ip : A Verifiable E-Voting Scheme without Tallying Authorities. White Rose Research Online URL for this paper: http://eprints.whiterose.ac.uk/117997/ Version: Accepted
More informationProvable security. Michel Abdalla
Lecture 1: Provable security Michel Abdalla École normale supérieure & CNRS Cryptography Main goal: Enable secure communication in the presence of adversaries Adversary Sender 10110 10110 Receiver Only
More informationDATA PRIVACY AND SECURITY
DATA PRIVACY AND SECURITY Instructor: Daniele Venturi Master Degree in Data Science Sapienza University of Rome Academic Year 2018-2019 Interlude: Number Theory Cubum autem in duos cubos, aut quadratoquadratum
More informationIntroduction to Modern Cryptography. Benny Chor
Introduction to Modern Cryptography Benny Chor RSA: Review and Properties Factoring Algorithms Trapdoor One Way Functions PKC Based on Discrete Logs (Elgamal) Signature Schemes Lecture 8 Tel-Aviv University
More informationCosc 412: Cryptography and complexity Lecture 7 (22/8/2018) Knapsacks and attacks
1 Cosc 412: Cryptography and complexity Lecture 7 (22/8/2018) Knapsacks and attacks Michael Albert michael.albert@cs.otago.ac.nz 2 This week Arithmetic Knapsack cryptosystems Attacks on knapsacks Some
More informationAre you the one to share? Secret Transfer with Access Structure
Are you the one to share? Secret Transfer with Access Structure Yongjun Zhao, Sherman S.M. Chow Department of Information Engineering The Chinese University of Hong Kong, Hong Kong Private Set Intersection
More informationBallot secrecy and ballot independence: definitions and relations
Ballot secrecy and ballot independence: definitions and relations Ben Smyth 1 and David Bernhard 2 1 INRIA Paris-Rocquencourt, France 2 University of Bristol, England October 9, 2014 Abstract We study
More informationPublic-Key Encryption: ElGamal, RSA, Rabin
Public-Key Encryption: ElGamal, RSA, Rabin Introduction to Modern Cryptography Benny Applebaum Tel-Aviv University Fall Semester, 2011 12 Public-Key Encryption Syntax Encryption algorithm: E. Decryption
More informationAsymmetric Encryption
-3 s s Encryption Comp Sci 3600 Outline -3 s s 1-3 2 3 4 5 s s Outline -3 s s 1-3 2 3 4 5 s s Function Using Bitwise XOR -3 s s Key Properties for -3 s s The most important property of a hash function
More informationPublic Key 9/17/2018. Symmetric Cryptography Review. Symmetric Cryptography: Shortcomings (1) Symmetric Cryptography: Analogy
Symmetric Cryptography Review Alice Bob Public Key x e K (x) y d K (y) x K K Instructor: Dr. Wei (Lisa) Li Department of Computer Science, GSU Two properties of symmetric (secret-key) crypto-systems: The
More informationG Advanced Cryptography April 10th, Lecture 11
G.30-001 Advanced Cryptography April 10th, 007 Lecturer: Victor Shoup Lecture 11 Scribe: Kristiyan Haralambiev We continue the discussion of public key encryption. Last time, we studied Hash Proof Systems
More informationLecture 18 - Secret Sharing, Visual Cryptography, Distributed Signatures
Lecture 18 - Secret Sharing, Visual Cryptography, Distributed Signatures Boaz Barak November 27, 2007 Quick review of homework 7 Existence of a CPA-secure public key encryption scheme such that oracle
More informationCut-and-Choose Yao-Based Secure Computation in the Online/Offline and Batch Settings
Cut-and-Choose Yao-Based Secure Computation in the Online/Offline and Batch Settings Yehuda Lindell Bar-Ilan University, Israel Technion Cryptoday 2014 Yehuda Lindell Online/Offline and Batch Yao 30/12/2014
More informationA Fair and Robust Voting System by Broadcast
A Fair and Robust Voting System by Broadcast Dalia Khader 1, Ben Smyth 2, Peter Y. A. Ryan 1, and Feng Hao 3 1 Université du Luxembourg, SnT 2 Toshiba Corporation, Kawasaki, Japan 3 Newcastle University
More informationWinter 2011 Josh Benaloh Brian LaMacchia
Winter 2011 Josh Benaloh Brian LaMacchia Fun with Public-Key Tonight we ll Introduce some basic tools of public-key crypto Combine the tools to create more powerful tools Lay the ground work for substantial
More informationInstructor: Daniele Venturi. Master Degree in Data Science Sapienza University of Rome Academic Year
Data Privacy and Security Instructor: Daniele Venturi Master Degree in Data Science Sapienza University of Rome Academic Year 2017-2018 Interlude: Number Theory Cubum autem in duos cubos, aut quadratoquadratum
More informationSession 4: Efficient Zero Knowledge. Yehuda Lindell Bar-Ilan University
Session 4: Efficient Zero Knowledge Yehuda Lindell Bar-Ilan University 1 Proof Systems Completeness: can convince of a true statement Soundness: cannot convince for a false statement Classic proofs: Written
More informationCryptographic e-cash. Jan Camenisch. IBM Research ibm.biz/jancamenisch. IACR Summerschool Blockchain Technologies
IACR Summerschool Blockchain Technologies Cryptographic e-cash Jan Camenisch IBM Research Zurich @JanCamenisch ibm.biz/jancamenisch ecash scenario & requirements Bank Withdrawal User Spend Deposit Merchant
More informationVote-Independence: A Powerful Privacy Notion for Voting Protocols
: Powerful Privacy Notion for Voting Protocols Université Grenoble 1, CNRS, Verimag FPS 2011: May 13, 2011 Plan Introduction 1 Introduction What is electronic voting? n ttack on Privacy in Helios 2 Privacy
More informationLecture 1: Introduction to Public key cryptography
Lecture 1: Introduction to Public key cryptography Thomas Johansson T. Johansson (Lund University) 1 / 44 Key distribution Symmetric key cryptography: Alice and Bob share a common secret key. Some means
More informationCRYPTOGRAPHIC PROTOCOLS 2016, LECTURE 16
CRYPTOGRAPHIC PROTOCOLS 2016, LECTURE 16 Groth-Sahai proofs helger lipmaa, university of tartu UP TO NOW Introduction to the field Secure computation protocols Interactive zero knowledge from Σ-protocols
More informationLecture 7: ElGamal and Discrete Logarithms
Lecture 7: ElGamal and Discrete Logarithms Johan Håstad, transcribed by Johan Linde 2006-02-07 1 The discrete logarithm problem Recall that a generator g of a group G is an element of order n such that
More informationCOS Cryptography - Final Take Home Exam
COS 433 - Cryptography - Final Take Home Exam Boaz Barak May 12, 2010 Read these instructions carefully before starting to work on the exam. If any of them are not clear, please email me before you start
More informationIntroduction to Modern Cryptography Lecture 11
Introduction to Modern Cryptography Lecture 11 January 10, 2017 Instructor: Benny Chor Teaching Assistant: Orit Moskovich School of Computer Science Tel-Aviv University Fall Semester, 2016 17 Tuesday 12:00
More informationCryptography and Security Final Exam
Cryptography and Security Final Exam Serge Vaudenay 17.1.2017 duration: 3h no documents allowed, except one 2-sided sheet of handwritten notes a pocket calculator is allowed communication devices are not
More informationThe Paillier Cryptosystem
E-Votig Semiar The Paillier Cryptosystem Adreas Steffe Hochschule für Techik Rapperswil adreas.steffe@hsr.ch Adreas Steffe, 17.1.010, Paillier.pptx 1 Ageda Some mathematical properties Ecryptio ad decryptio
More informationThe Theory and Applications of Homomorphic Cryptography
The Theory and Applications of Homomorphic Cryptography by Kevin Henry A thesis presented to the University of Waterloo in fulfillment of the thesis requirement for the degree of Master of Mathematics
More informationCryptographical Security in the Quantum Random Oracle Model
Cryptographical Security in the Quantum Random Oracle Model Center for Advanced Security Research Darmstadt (CASED) - TU Darmstadt, Germany June, 21st, 2012 This work is licensed under a Creative Commons
More informationChapter 8 Public-key Cryptography and Digital Signatures
Chapter 8 Public-key Cryptography and Digital Signatures v 1. Introduction to Public-key Cryptography 2. Example of Public-key Algorithm: Diffie- Hellman Key Exchange Scheme 3. RSA Encryption and Digital
More informationRSA-OAEP and Cramer-Shoup
RSA-OAEP and Cramer-Shoup Olli Ahonen Laboratory of Physics, TKK 11th Dec 2007 T-79.5502 Advanced Cryptology Part I: Outline RSA, OAEP and RSA-OAEP Preliminaries for the proof Proof of IND-CCA2 security
More informationAnonymous Credential Schemes with Encrypted Attributes
Anonymous Credential Schemes with Encrypted Attributes Bart Mennink (K.U.Leuven) joint work with Jorge Guajardo (Philips Research) Berry Schoenmakers (TU Eindhoven) Conference on Cryptology And Network
More informationQuantum-secure symmetric-key cryptography based on Hidden Shifts
Quantum-secure symmetric-key cryptography based on Hidden Shifts Gorjan Alagic QMATH, Department of Mathematical Sciences University of Copenhagen Alexander Russell Department of Computer Science & Engineering
More informationCS 355: Topics in Cryptography Spring Problem Set 5.
CS 355: Topics in Cryptography Spring 2018 Problem Set 5 Due: June 8, 2018 at 5pm (submit via Gradescope) Instructions: You must typeset your solution in LaTeX using the provided template: https://crypto.stanford.edu/cs355/homework.tex
More informationCSC 774 Advanced Network Security
CSC 774 Advanced Network Security Topic 2.6 ID Based Cryptography #2 Slides by An Liu Outline Applications Elliptic Curve Group over real number and F p Weil Pairing BasicIdent FullIdent Extensions Escrow
More informationTowards Append-Only Authenticated Dictionaries. Vivek Bhupatiraju, CS-PRIMES 2017
Towards Append-Only Authenticated Dictionaries Vivek Bhupatiraju, CS-PRIMES 27 Public-key Cryptography PK M e(m, PK SK Secure Channels - Having secure channels is becoming more and more necessary - Many
More informationCSC 774 Advanced Network Security
CSC 774 Advanced Network Security Topic 2.6 ID Based Cryptography #2 Slides by An Liu Outline Applications Elliptic Curve Group over real number and F p Weil Pairing BasicIdent FullIdent Extensions Escrow
More informationCS 4770: Cryptography. CS 6750: Cryptography and Communication Security. Alina Oprea Associate Professor, CCIS Northeastern University
CS 4770: Cryptography CS 6750: Cryptography and Communication Security Alina Oprea Associate Professor, CCIS Northeastern University March 26 2017 Outline RSA encryption in practice Transform RSA trapdoor
More informationDigital Signatures. Saravanan Vijayakumaran Department of Electrical Engineering Indian Institute of Technology Bombay
Digital Signatures Saravanan Vijayakumaran sarva@ee.iitb.ac.in Department of Electrical Engineering Indian Institute of Technology Bombay July 24, 2018 1 / 29 Group Theory Recap Groups Definition A set
More informationASYMMETRIC ENCRYPTION
ASYMMETRIC ENCRYPTION 1 / 1 Recommended Book Steven Levy. Crypto. Penguin books. 2001. A non-technical account of the history of public-key cryptography and the colorful characters involved. 2 / 1 Recall
More informationIntroduction to Elliptic Curve Cryptography
Indian Statistical Institute Kolkata May 19, 2017 ElGamal Public Key Cryptosystem, 1984 Key Generation: 1 Choose a suitable large prime p 2 Choose a generator g of the cyclic group IZ p 3 Choose a cyclic
More informationEx1 Ex2 Ex3 Ex4 Ex5 Ex6
Technische Universität München (I7) Winter 2012/13 Dr. M. Luttenberger / M. Schlund Cryptography Endterm Last name: First name: Student ID no.: Signature: If you feel ill, let us know immediately. Please,
More informationNumber Theory in Cryptography
Number Theory in Cryptography Introduction September 20, 2006 Universidad de los Andes 1 Guessing Numbers 2 Guessing Numbers (person x) (last 6 digits of phone number of x) 3 Guessing Numbers (person x)
More informationSymmetric Ciphers. Mahalingam Ramkumar (Sections 3.2, 3.3, 3.7 and 6.5)
Symmetric Ciphers Mahalingam Ramkumar (Sections 3.2, 3.3, 3.7 and 6.5) Symmetric Cryptography C = E(P,K) P = D(C,K) Requirements Given C, the only way to obtain P should be with the knowledge of K Any
More information