Results 1  10
of
298
Publickey cryptosystems based on composite degree residuosity classes
 IN ADVANCES IN CRYPTOLOGY — EUROCRYPT 1999
, 1999
"... This paper investigates a novel computational problem, namely the Composite Residuosity Class Problem, and its applications to publickey cryptography. We propose a new trapdoor mechanism and derive from this technique three encryption schemes: a trapdoor permutation and two homomorphic probabilist ..."
Abstract

Cited by 991 (4 self)
 Add to MetaCart
This paper investigates a novel computational problem, namely the Composite Residuosity Class Problem, and its applications to publickey cryptography. We propose a new trapdoor mechanism and derive from this technique three encryption schemes: a trapdoor permutation and two homomorphic probabilistic encryption schemes computationally comparable to RSA. Our cryptosystems, based on usual modular arithmetics, are provably secure under appropriate assumptions in the standard model.
Evaluating 2dnf formulas on ciphertexts
 In proceedings of TCC ’05, LNCS series
, 2005
"... Abstract. Let ψ be a 2DNF formula on boolean variables x1,..., xn ∈ {0, 1}. We present a homomorphic public key encryption scheme that allows the public evaluation of ψ given an encryption of the variables x1,..., xn. In other words, given the encryption of the bits x1,..., xn, anyone can create th ..."
Abstract

Cited by 230 (7 self)
 Add to MetaCart
Abstract. Let ψ be a 2DNF formula on boolean variables x1,..., xn ∈ {0, 1}. We present a homomorphic public key encryption scheme that allows the public evaluation of ψ given an encryption of the variables x1,..., xn. In other words, given the encryption of the bits x1,..., xn, anyone can create the encryption of ψ(x1,..., xn). More generally, we can evaluate quadratic multivariate polynomials on ciphertexts provided the resulting value falls within a small set. We present a number of applications of the system: 1. In a database of size n, the total communication in the basic step of the KushilevitzOstrovsky PIR protocol is reduced from √ n to 3 √ n. 2. An efficient election system based on homomorphic encryption where voters do not need to include noninteractive zero knowledge proofs that their ballots are valid. The election system is proved secure without random oracles but still efficient. 3. A protocol for universally verifiable computation. 1
A verifiable secret shuffle and its application to EVoting
, 2001
"... We present a mathematical construct which provides a cryptographic protocol to verifiably shuffle a sequence of k modular integers, and discuss its application to secure, universally verifiable, multiauthority election schemes. The output of the shuffle operation is another sequence of k modular in ..."
Abstract

Cited by 212 (0 self)
 Add to MetaCart
(Show Context)
We present a mathematical construct which provides a cryptographic protocol to verifiably shuffle a sequence of k modular integers, and discuss its application to secure, universally verifiable, multiauthority election schemes. The output of the shuffle operation is another sequence of k modular integers, each of which is the same secret power of a corresponding input element, but the order of elements in the output is kept secret. Though it is a trivial matter for the “shuffler ” (who chooses the permutation of the elements to be applied) to compute the output from the input, the construction is important because it provides a linear size proof of correctness for the output sequence (i.e. a proof that it is of the form claimed) that can be checked by an arbitrary verifiers. The complexity of the protocol improves on that of FurukawaSako[16] both measured by number of exponentiations and by overall size. The protocol is shown to be honestverifier zeroknowledge in a special case, and is computational zeroknowledge in general. On the way to the final result, we also construct a generalization of the well known ChaumPedersen protocol for knowledge of discrete logarithm equality ([10], [7]). In fact, the generalization specializes exactly to the ChaumPedersen protocol in the case k = 2. This result may be of interest on its own. An application to electronic voting is given that matches the features of the best current protocols with significant efficiency improvements. An alternative application to electronic voting is also given that introduces an entirely new paradigm for achieving Universally Verifiable elections.
Secure Distributed Key Generation for DiscreteLog Based Cryptosystems
, 1999
"... Abstract. Distributed key generation is a main component of threshold cryptosystems and distributed cryptographic computing in general. Solutions to the distributed generation of private keys for discretelog based cryptosystems have been known for several years and used in a variety of protocols an ..."
Abstract

Cited by 168 (4 self)
 Add to MetaCart
(Show Context)
Abstract. Distributed key generation is a main component of threshold cryptosystems and distributed cryptographic computing in general. Solutions to the distributed generation of private keys for discretelog based cryptosystems have been known for several years and used in a variety of protocols and in many research papers. However, these solutions fail to provide the full security required and claimed by these works. We show how an active attacker controlling a small number of parties can bias the values of the generated keys, thus violating basic correctness and secrecy requirements of a key generation protocol. In particular, our attacks point out to the places where the proofs of security fail. Based on these findings we designed a distributed key generation protocol which we present here together with a rigorous proof of security. Our solution, that achieves optimal resiliency, can be used as a dropin replacement for key generation modules as well as other components of threshold or proactive discretelog based cryptosystems.
Collaborative Filtering with Privacy
, 2002
"... Serverbased collaborative filtering systems have been very successful in ecommerce and in direct recommendation applications. In future, they have many potential applications in ubiquitous computing settings. But today's schemes have problems such as loss of privacy, favoring retail monopolie ..."
Abstract

Cited by 166 (9 self)
 Add to MetaCart
(Show Context)
Serverbased collaborative filtering systems have been very successful in ecommerce and in direct recommendation applications. In future, they have many potential applications in ubiquitous computing settings. But today's schemes have problems such as loss of privacy, favoring retail monopolies, and with hampering diffusion of innovations. We propose an alternative model in which users control all of their log data. We describe an algorithm whereby a community of users can compute a public "aggregate" of their data that does not expose individual users' data. The aggregate allows personalized recommendations to be computed by members of the community, or by outsiders. The numerical algorithm is fast, robust and accurate. Our method reduces the collaborative filtering task to an iterative calculation of the aggregate requiring only addition of vectors of user data. Then we use homomorphic encryption to allow sums of encrypted vectors to be computed and decrypted without exposing individual data. We give verification schemes for all parties in the computation. Our system can be implemented with untrusted servers, or with additional infrastructure, as a fully peertopeer (P2P) system. 1
Efficient receiptfree voting based on homomorphic encryption
, 2000
"... Abstract. Voting schemes that provide receiptfreeness prevent voters from proving their cast vote, and hence thwart votebuying and coercion. We analyze the security of the multiauthority voting protocol of Benaloh and Tuinstra and demonstrate that this protocol is not receiptfree, opposed to what ..."
Abstract

Cited by 154 (0 self)
 Add to MetaCart
(Show Context)
Abstract. Voting schemes that provide receiptfreeness prevent voters from proving their cast vote, and hence thwart votebuying and coercion. We analyze the security of the multiauthority voting protocol of Benaloh and Tuinstra and demonstrate that this protocol is not receiptfree, opposed to what was claimed in the paper and was believed before. Furthermore, we propose the first practicable receiptfree voting scheme. Its only physical assumption is the existence of secret oneway communication channels from the authorities to the voters, and due to the public verifiability of the tally, voters only join a single stage of the protocol, realizing the “voteandgo ” concept. The protocol combines the advantages of the receiptfree protocol of Sako and Kilian and of the very efficient protocol of Cramer, Gennaro, and Schoenmakers, with help of designatedverifier proofs of Jakobsson, Sako, and Impagliazzo. Compared to the receiptfree protocol of Sako and Kilian for security parameter ℓ (the number of repetitions in the noninteractive cutandchoose proofs), the protocol described in this paper realizes an improvement of the total bit complexity by a factor ℓ.
CoercionResistant Electronic Elections
 In WPES ’05
, 2002
"... We introduce a model for electronic election schemes that involves a more powerful adversary than in previous work. In particular, we allow the adversary to demand of coerced voters that they vote in a particular manner, abstain from voting, or even disclose their secret keys. We define a scheme ..."
Abstract

Cited by 148 (0 self)
 Add to MetaCart
We introduce a model for electronic election schemes that involves a more powerful adversary than in previous work. In particular, we allow the adversary to demand of coerced voters that they vote in a particular manner, abstain from voting, or even disclose their secret keys. We define a scheme to be coercion resistant if it is impossible for the adversary to determine whether a coerced voter complies with the demands. Furthermore, we relax the requirements made in some previous proposals from an untappable channel to only requiring the existence of an anonymous channel.
Pocketlens: Toward a personal recommender system
 ACM Trans. Inf. Syst
"... Recommender systems using collaborative filtering are a popular technique for reducing information overload and finding products to purchase. One limitation of current recommenders is that they are not portable. They can only run on large computers connected to the Internet. A second limitation is ..."
Abstract

Cited by 107 (3 self)
 Add to MetaCart
Recommender systems using collaborative filtering are a popular technique for reducing information overload and finding products to purchase. One limitation of current recommenders is that they are not portable. They can only run on large computers connected to the Internet. A second limitation is that they require the user to trust the owner of the recommender with personal preference data. Personal recommenders hold the promise of delivering high quality recommendations on palmtop computers, even when disconnected from the Internet. Further, they can protect the user’s privacy by storing personal information locally, or by sharing it in encrypted form. In this article we present the new PocketLens collaborative filtering algorithm along with five peertopeer architectures for finding neighbors. We evaluate the architectures and algorithms in a series of offline experiments. These experiments show that Pocketlens can run on connected servers, on usually connected workstations, or on occasionally connected portable devices, and produce recommendations that are as good as the best published algorithms to date.
Practical MultiCandidate Election System
 In PODC
, 2001
"... The aim of electronic voting schemes is to provide a set of protocols that allow voters to cast ballots while a group of authorities collect the votes and output the final tally. In this paper we describe a practical multicandidate election scheme that guarantees privacy of voters, public verifi ..."
Abstract

Cited by 106 (7 self)
 Add to MetaCart
(Show Context)
The aim of electronic voting schemes is to provide a set of protocols that allow voters to cast ballots while a group of authorities collect the votes and output the final tally. In this paper we describe a practical multicandidate election scheme that guarantees privacy of voters, public verifiability, and robustness against a coalition of malicious authorities. Furthermore, we address the problem of receiptfreeness and incoercibility of voters. Our new scheme is based on the Paillier cryptosystem and on some related zeroknowledge proof techniques. The voting schemes are very practical and can be efficiently implemented in a real system. Keywords: Homomorphic cryptosystems, HighResiduosity Assumption, Practical Voting scheme, threshold cryptography 1
Adnostic: Privacy Preserving Targeted Advertising ∗
"... Online behavioral advertising (OBA) refers to the practice of tracking users across web sites in order to infer user interests and preferences. These interests and preferences are then used for selecting ads to present to the user. There is great concern that behavioral advertising in its present fo ..."
Abstract

Cited by 97 (2 self)
 Add to MetaCart
(Show Context)
Online behavioral advertising (OBA) refers to the practice of tracking users across web sites in order to infer user interests and preferences. These interests and preferences are then used for selecting ads to present to the user. There is great concern that behavioral advertising in its present form infringes on user privacy. The resulting public debate — which includes consumer advocacy organizations, professional associations, and government agencies — is premised on the notion that OBA and privacy are inherently in conflict. In this paper we propose a practical architecture that enables targeting without compromising user privacy. Behavioral profiling and targeting in our system takes place in the user’s browser. We discuss the effectiveness of the system as well as potential social engineering and webbased attacks on the architecture. One complication is billing; adnetworks must bill the correct advertiser without knowing which ad was displayed to the user. We propose an efficient cryptographic billing system that directly solves the problem. We implemented the core targeting system as a Firefox extension and report on its effectiveness. 1