Results 11  20
of
335
Mix and Match: Secure Function Evaluation via Ciphertexts (Extended Abstract)
 In Proceedings of Asiacrypt00
, 2000
"... We introduce a novel approach to general secure multiparty computation that avoids the intensive use of verifiable secret sharing characterizing nearly all previous protocols in the literature. Instead, our scheme involves manipulation of ciphertexts for which the underlying private key is shared by ..."
Abstract

Cited by 105 (5 self)
 Add to MetaCart
(Show Context)
We introduce a novel approach to general secure multiparty computation that avoids the intensive use of verifiable secret sharing characterizing nearly all previous protocols in the literature. Instead, our scheme involves manipulation of ciphertexts for which the underlying private key is shared by participants in the computation. The benefits of this protocol include a high degree of conceptual and structural simplicity, low message complexity, and substantial flexibility with respect to input and output value formats. We refer to this new approach as mix and match. While the atomic operations in mix and match are logical operations, rather than full field operations as in previous approaches, the techniques we introduce are nonetheless highly practical for computations involving intensive bitwise manipulation. One application for which mix and match is particularly well suited is that of sealedbid auctions. Thus, as another contribution in this paper, we present a practical, mixandmatchbased auction protocol that is fully private and noninteractive and may be readily adapted to a wide range of auction strategies.
OneRound Secure Computation and Secure Autonomous Mobile Agents (Extended Abstract)
, 2000
"... This paper investigates oneround secure computation between two distrusting parties: Alice and Bob each have private inputs to a common function, but only Alice, acting as the receiver, is to learn the output; the protocol is limited to one message from Alice to Bob followed by one message from Bob ..."
Abstract

Cited by 84 (0 self)
 Add to MetaCart
(Show Context)
This paper investigates oneround secure computation between two distrusting parties: Alice and Bob each have private inputs to a common function, but only Alice, acting as the receiver, is to learn the output; the protocol is limited to one message from Alice to Bob followed by one message from Bob to Alice. A model in which Bob may be computationally unbounded is investigated, which corresponds to informationtheoretic security for Alice. It is shown that 1. for honestbutcurious behavior and unbounded Bob, any function computable by a polynomialsize circuit can be computed securely assuming the hardness of the decisional DiffieHellman problem; 2. for malicious behavior by both (bounded) parties, any function computable by a polynomialsize circuit can be computed securely, in a publickey framework, assuming the hardness of the decisional DiffieHellman problem.
A Verifiable Secret Shuffle of Homomorphic Encryptions
, 2003
"... We show how to prove in honest verifier zeroknowledge the correctness of a shuffle of homomorphic encryptions (or homomorphic commitments.) A shuffle consists in a rearrangement of the input ciphertexts and a reencryption of them so that the permutation is not revealed. Our scheme ..."
Abstract

Cited by 80 (7 self)
 Add to MetaCart
(Show Context)
We show how to prove in honest verifier zeroknowledge the correctness of a shuffle of homomorphic encryptions (or homomorphic commitments.) A shuffle consists in a rearrangement of the input ciphertexts and a reencryption of them so that the permutation is not revealed. Our scheme
PrivacyPreserving Smart Metering
"... Smart grid proposals threaten user privacy by potentially disclosing finegrained consumption data to utility providers, primarily for timeofuse billing, but also for profiling, settlement, forecasting, tariff and energy efficiency advice. We propose a privacypreserving protocol for general calcu ..."
Abstract

Cited by 79 (5 self)
 Add to MetaCart
(Show Context)
Smart grid proposals threaten user privacy by potentially disclosing finegrained consumption data to utility providers, primarily for timeofuse billing, but also for profiling, settlement, forecasting, tariff and energy efficiency advice. We propose a privacypreserving protocol for general calculations on finegrained meter readings, while keeping the use of tamper evident meters to a strict minimum. We allow users to perform and prove the correctness of computations based on readings on their own devices, without disclosing any fine grained consumption. Applying the protocols to timeofuse billing is particularly simple and efficient, but we also support a wider variety of tariff policies. Cryptographic proofs and multiple implementations are used to show the proposed protocols are secure and efficient.
Efficient and Generalized Group Signatures
, 1997
"... The concept of group signatures was introduced by Chaum et al. at Eurocrypt '91. It allows a member of a group to sign messages anonymously on behalf of the group. In case of a later dispute a designated group manager can revoke the anonymity and identify the originator of a signature. In t ..."
Abstract

Cited by 78 (6 self)
 Add to MetaCart
The concept of group signatures was introduced by Chaum et al. at Eurocrypt '91. It allows a member of a group to sign messages anonymously on behalf of the group. In case of a later dispute a designated group manager can revoke the anonymity and identify the originator of a signature. In this paper we propose a new efficient group signature scheme. Furthermore we present a model and the first realization of generalized group signatures. Such a scheme allows to define coalitions of group members that are able to sign on the group's behalf.
Identity Escrow
 In Advances in Cryptology — CRYPTO ’98
, 1997
"... We introduce the notion of escrowed identity, an application of keyescrow ideas to the problem of identification. In escrowed identity, one party A does not give his identity to another party B, but rather gives him information that would allow an authorized third party E to determine A's i ..."
Abstract

Cited by 78 (0 self)
 Add to MetaCart
We introduce the notion of escrowed identity, an application of keyescrow ideas to the problem of identification. In escrowed identity, one party A does not give his identity to another party B, but rather gives him information that would allow an authorized third party E to determine A's identity. However, B receives a guarantee that E can indeed determine A's identity. We give protocols for escrowed identity based on the ElGamal (signature and encryption) schemes and on the RSA function. A useful feature of our protocol is that after setting up A to use the system, E is only involved when it is actually needed to determine A's identity. Keywords: Cryptography, Key escrow, Proofs of identity. 1
Separability and Efficiency for Generic Group Signature Schemes (Extended Abstract)
, 1999
"... A cryptographic protocol possesses separability if the participants can choose their keys independently of each other. This is advantageous from a keymanagement as well as from a security point of view. This paper focuses on separability in group signature schemes. Such schemes allow a group member ..."
Abstract

Cited by 77 (13 self)
 Add to MetaCart
A cryptographic protocol possesses separability if the participants can choose their keys independently of each other. This is advantageous from a keymanagement as well as from a security point of view. This paper focuses on separability in group signature schemes. Such schemes allow a group member to sign messages anonymously on the group's behalf. However, in case of this anonymity's misuse, a trustee can reveal the originator of a signature. We provide a generic fully separable group signature scheme and present an ecient instantiation thereof. The scheme is suited for large groups; the size of the group's public key and the length of signatures do not depe...
Pinocchio: Nearly practical verifiable computation
 In Proceedings of the 34th IEEE Symposium on Security and Privacy, Oakland ’13
, 2013
"... Abstract To instill greater confidence in computations outsourced to the cloud, clients should be able to verify the correctness of the results returned. To this end, we introduce Pinocchio, a built system for efficiently verifying general computations while relying only on cryptographic assumption ..."
Abstract

Cited by 69 (6 self)
 Add to MetaCart
(Show Context)
Abstract To instill greater confidence in computations outsourced to the cloud, clients should be able to verify the correctness of the results returned. To this end, we introduce Pinocchio, a built system for efficiently verifying general computations while relying only on cryptographic assumptions. With Pinocchio, the client creates a public evaluation key to describe her computation; this setup is proportional to evaluating the computation once. The worker then evaluates the computation on a particular input and uses the evaluation key to produce a proof of correctness. The proof is only 288 bytes, regardless of the computation performed or the size of the inputs and outputs. Anyone can use a public verification key to check the proof. Crucially, our evaluation on seven applications demonstrates that Pinocchio is efficient in practice too. Pinocchio's verification time is typically 10ms: 57 orders of magnitude less than previous work; indeed Pinocchio is the first generalpurpose system to demonstrate verification cheaper than native execution (for some apps). Pinocchio also reduces the worker's proof effort by an additional 1960×. As an additional feature, Pinocchio generalizes to zeroknowledge proofs at a negligible cost over the base protocol. Finally, to aid development, Pinocchio provides an endtoend toolchain that compiles a subset of C into programs that implement the verifiable computation protocol.
A survey of algebraic properties used in cryptographic protocols
 JOURNAL OF COMPUTER SECURITY
"... Cryptographic protocols are successfully analyzed using formal methods. However, formal approaches usually consider the encryption schemes as black boxes and assume that an adversary cannot learn anything from an encrypted message except if he has the key. Such an assumption is too strong in general ..."
Abstract

Cited by 69 (20 self)
 Add to MetaCart
(Show Context)
Cryptographic protocols are successfully analyzed using formal methods. However, formal approaches usually consider the encryption schemes as black boxes and assume that an adversary cannot learn anything from an encrypted message except if he has the key. Such an assumption is too strong in general since some attacks exploit in a clever way the interaction between protocol rules and properties of cryptographic operators. Moreover, the executability of some protocols relies explicitly on some algebraic properties of cryptographic primitives such as commutative encryption. We give a list of some relevant algebraic properties of cryptographic operators, and for each of them, we provide examples of protocols or attacks using these properties. We also give an overview of the existing methods in formal approaches for analyzing cryptographic proto
Traceable signatures
"... This work presents a new privacy primitive called “Traceable Signatures”, together with an efficient provably secure implementation. To this end, we develop the underlying mathematical and protocol tools, present the concepts and the underlying security model, and then realize the scheme and its s ..."
Abstract

Cited by 67 (5 self)
 Add to MetaCart
(Show Context)
This work presents a new privacy primitive called “Traceable Signatures”, together with an efficient provably secure implementation. To this end, we develop the underlying mathematical and protocol tools, present the concepts and the underlying security model, and then realize the scheme and its security proof. Traceable signatures support an extended set of fairness mechanisms (mechanisms for anonymity management and revocation) when compared with the traditional group signature mechanism. The extended functionality of traceable signatures is needed for proper operation and adequate level of privacy in various settings and applications. For example, the new notion allows (distributed) tracing of all signatures of a single (misbehaving) party without opening signatures and revealing identities of any other user in the system. In contrast, if such tracing is implemented by a state of the art group signature system, such wide opening of all signatures of a single user is a (centralized) operation that requires the opening of all anonymous signatures and revealing the users associated with them, an act that violates the privacy of all users. To allow efficient implementation of our scheme we develop a number of basic tools, zeroknowledge proofs, protocols, and primitives that we use extensively throughout. These novel mechanisms work directly over a group of unknown order, contributing to the efficiency and modularity of our design, and may be of independent interest. The interactive version of our signature scheme yields the notion of “traceable (anonymous) identification.”