### Citations

10540 |
A mathematical theory of communication
- Shannon
- 1948
(Show Context)
Citation Context ...ooter about whether the decrypted tally is from its own cluster, or has been mixed with contributions from future hops, we use an information theoretic metric based on Shannon’s definition of entropy =-=[25]-=-. In the ideal situation, where there are no colluding participants, the troubleshooter only has the information that under probability 1 − ¯ Pf , the reply only contains the aggregate data values fro... |

2499 | How to share a secret
- Shamir
- 1979
(Show Context)
Citation Context ...lly during the random walk phase instead of instantiating secret key shares statically during the initialization phase. In principle, more general (t, n) threshold decryption schemes such as [21] and =-=[24]-=- could provide greater robustness against non-cooperative nodes, but this does not help here since random walk path is historyless and the return packet already needs the cooperation of every FTN node... |

1052 | Freenet: a distributed anonymous information storage and retrieval system
- Clarke
(Show Context)
Citation Context ... querying 4 branches in the second round reduces this threat to nearly zero. 12. RELATED WORK There is much related work in the area of anonymization. The random walk approach is also used in FreeNet =-=[7]-=- and Crowds [23]. FreeNet is a distributed anonymous information storage and retrieval system. Crowds provides anonymous web transactions. Other anonymization systems are based on Chaum’s mixes [5], w... |

1009 | How to prove yourself: Practical solutions to identification and signature problems
- Fiat, Shamir
- 1986
(Show Context)
Citation Context ...ol [6] given in Figure 1 to prove that the values of x and y satisfy the relation x = g s i and y = g rs i, without revealing his private key si. For practical applications, the Fiat-Shamir heuristic =-=[11]-=- is used to implement the protocol non-interactively by using pseudorandom hash functions to determine the values of the random inputs used in the interactive protocol. 8.2 Proofs of Validity We now a... |

979 |
Elliptic curve cryptosystems
- Koblitz
(Show Context)
Citation Context ...512 bit group, or 9.6 MB for a 1024 bit group. These estimates do not take into account any extra overheads which would be incurred by zero knowledge proofs.sUsing elliptic curve based ElGamal groups =-=[19]-=-, we can achieve the same level of security using fewer bits. It is estimated [20] that a 110 bit elliptic curve achieves cryptographic security equivalent to that of a 512 bit finite field, and a 139... |

822 | Crowds: Anonymity for web transactions
- Reiter, Rubin
- 1998
(Show Context)
Citation Context ...nches in the second round reduces this threat to nearly zero. 12. RELATED WORK There is much related work in the area of anonymization. The random walk approach is also used in FreeNet [7] and Crowds =-=[23]-=-. FreeNet is a distributed anonymous information storage and retrieval system. Crowds provides anonymous web transactions. Other anonymization systems are based on Chaum’s mixes [5], which serve as pr... |

384 | Tarzan: a peer-to-peer anonymizing network layer. InCCS,2002
- Freedman, Morris
(Show Context)
Citation Context ...ed on Chaum’s mixes [5], which serve as proxies to provide sender-receiver unlinkability through traffic mixing. Onion routing [14] extends the mixes with layers of onionstyle pre-encryptions. Tarzan =-=[12]-=- implements the mix idea using a peer-to-peer overlay and provides sender anonymity and robustness to the mix entry point. All of the above anonymization techniques address pointto-point communication... |

365 |
Wallet databases with observers
- Chaum, Pedersen
- 1993
(Show Context)
Citation Context ...pre-decryption and post-decryption packets to infer what values of x and y were used in the decryption phase. The keyholder can then execute the interactive Chaum-Pedersen proof of knowledge protocol =-=[6]-=- given in Figure 1 to prove that the values of x and y satisfy the relation x = g s i and y = g rs i, without revealing his private key si. For practical applications, the Fiat-Shamir heuristic [11] i... |

332 | Proofs of partial knowledge and simplified design of witness hiding protocols
- Cramer, Damg˚ard, et al.
- 1994
(Show Context)
Citation Context ...ution E(m) represents the encryption of a message m = (m1, . . . , mC) where at most one of the values mi is 1 and the rest are 0, without revealing the values themselves. The generic construction of =-=[10]-=- provides a method to transform the Chaum-Pedersen zero knowledge equality protocol of Figure 1 into a zero knowledge proof of validity for encrypted ballots of this form, at the cost of increasing co... |

319 | Selecting Cryptographic Key Sizes
- Lenstra, Verheul
(Show Context)
Citation Context ...count any extra overheads which would be incurred by zero knowledge proofs.sUsing elliptic curve based ElGamal groups [19], we can achieve the same level of security using fewer bits. It is estimated =-=[20]-=- that a 110 bit elliptic curve achieves cryptographic security equivalent to that of a 512 bit finite field, and a 139 bit elliptic curve is comparable to a 1024 bit finite field. These group sizes re... |

301 | A secure and optimally efficient multi-authority election scheme
- Cramer, Gennaro, et al.
- 1997
(Show Context)
Citation Context ...oy a type of homomorphic voting system with threshold decryption [2,s3]. The particular scheme we use is a simplified version of the ElGamal based election scheme of Cramer, Gennaro, and Schoenmakers =-=[9]-=-; this scheme was chosen over the others because of its optimality with respect to communication complexity. In this paper, we modify the CGS protocol so that shares of the decryption key can be aggre... |

299 |
A practical secret voting scheme for large scale elections
- Fujioka, Okamoto, et al.
- 1993
(Show Context)
Citation Context ...popular value, while keeping the individual contributions private. Our problem of privacy-preserving parameter aggregation shares much similarity to the problem of secure and privacypreserving voting =-=[13, 2, 9, 8]-=- with a few differences. First, voting requires voters to be authenticated by a centralized authority, such as the government. Second, our protocol has an additional requirement of participation priva... |

261 |
Receipt-free secret-ballot elections
- Benaloh, Tuinstra
- 1994
(Show Context)
Citation Context ...s who voted 1, without revealing who contributed a 1 and who contributed a 0. In order to accomplish encrypted data collection, we employ a type of homomorphic voting system with threshold decryption =-=[2,s3]-=-. The particular scheme we use is a simplified version of the ElGamal based election scheme of Cramer, Gennaro, and Schoenmakers [9]; this scheme was chosen over the others because of its optimality w... |

249 | SIA: Secure information aggregation in sensor networks
- Przydatek, Song, et al.
(Show Context)
Citation Context ...o compute the resilient data aggregation function; this is infeasible in the peer-topeer FTN context where data contributions must be kept confidential from the other participants. The authors of SIA =-=[22]-=- also presented a set of techniques for secure information aggregation in sensor networks. Thesintegrity of information aggregation is achieved essentially through authentication which is identity-rev... |

232 |
A threshold cryptosystem without a trusted party
- Pedersen
- 1991
(Show Context)
Citation Context ... dynamically during the random walk phase instead of instantiating secret key shares statically during the initialization phase. In principle, more general (t, n) threshold decryption schemes such as =-=[21]-=- and [24] could provide greater robustness against non-cooperative nodes, but this does not help here since random walk path is historyless and the return packet already needs the cooperation of every... |

214 | Onion routing for anonymous and private internet connections
- Goldschlag, Reed, et al.
- 1999
(Show Context)
Citation Context ... provides anonymous web transactions. Other anonymization systems are based on Chaum’s mixes [5], which serve as proxies to provide sender-receiver unlinkability through traffic mixing. Onion routing =-=[14]-=- extends the mixes with layers of onionstyle pre-encryptions. Tarzan [12] implements the mix idea using a peer-to-peer overlay and provides sender anonymity and robustness to the mix entry point. All ... |

187 | Privacy preserving data mining - Agrawal, Srikant |

164 | Collaborative filtering with privacy
- Canny
- 2002
(Show Context)
Citation Context ...ork could not be trusted to be authentic, as only friends can be trusted not to contribute false and potentially harmful information about their configurations. Homomorphic encryption is also used in =-=[4]-=- to allow a community of users to compute a public aggregate of their data without exposing individual users’ data. Similarly, the well known secure multiparty sum protocol enables aggregation without... |

154 | Making mix nets robust for electronic voting by randomized partial checking - Jakobsson, Juels, et al. - 2002 |

152 | Privacy-preserving set operations
- Kissner, Song
- 2005
(Show Context)
Citation Context ...a public bulletin board (where L is the number of participants) mean that the bandwidth usage of this scheme exceeds that of our elliptic curve based scheme. Likewise, recent work of Kissner and Song =-=[18]-=- enables private computation of a very general class of set operations, but does so at the cost of sacrificing the bandwidth savings afforded by elliptic curves. Wagner in [26] addresses the problem o... |

150 |
Resilient aggregation in sensor networks
- Wagner
- 2004
(Show Context)
Citation Context ...ork of Kissner and Song [18] enables private computation of a very general class of set operations, but does so at the cost of sacrificing the bandwidth savings afforded by elliptic curves. Wagner in =-=[26]-=- addresses the problem of compromised nodes in the context of sensor networks, and describes how resilient aggregation techniques can be used to limit the amount of damage a compromised sensor can inf... |

133 | Automatic Misconfiguration Troubleshooting with PeerPressure
- Wang, Platt, et al.
- 2004
(Show Context)
Citation Context ...cation that leverages content sharing and aggregation among the peers to diagnose misconfigurations on a desktop PC automatically. The diagnosis is based on the PeerPressure troubleshooting algorithm =-=[28]-=-. The key intuition of PeerPressure is that misconfigurations of a PC are likely anomalous when compared with the respective configurations from other PCs having the same setting. Hence, in a peer-to-... |

77 | Distributing the power of a government to enhance the privacy of the voters - Benaloh, Yung - 1986 |

27 | Privacy-preserving friends troubleshooting network
- Huang, Wang, et al.
- 2005
(Show Context)
Citation Context ...Society]: [Public Policy Issuesprivacy] General Terms Security, Design Keywords Privacy, Integrity, Automatic Troubleshooting, Homomorphic Encryption, Zero Knowledge Proof 1. INTRODUCTION Recent work =-=[27, 15]-=- introduced a novel (and legal) peerto-peer application that leverages content sharing and aggregation among the peers to diagnose misconfigurations on a desktop PC automatically. The diagnosis is bas... |

17 | Cryptographic counters and applications to electronic voting
- Katz, Myers, et al.
- 2001
(Show Context)
Citation Context ...hour are perfectly acceptable, FTN needs to accommodate several thousand ballot items and turnaround times need to be minimized. As an alternative to full-blown homomorphic encryption, the authors of =-=[17]-=- present a voting system based on cryptographic counters that only support a restricted set of encrypted increment and decrement operations. Although the concept of cryptographic counters is potential... |

16 |
Friends troubleshooting network: Towards privacy-preserving, automatic troubleshooting
- Wang, Hu, et al.
- 2004
(Show Context)
Citation Context ...Society]: [Public Policy Issuesprivacy] General Terms Security, Design Keywords Privacy, Integrity, Automatic Troubleshooting, Homomorphic Encryption, Zero Knowledge Proof 1. INTRODUCTION Recent work =-=[27, 15]-=- introduced a novel (and legal) peerto-peer application that leverages content sharing and aggregation among the peers to diagnose misconfigurations on a desktop PC automatically. The diagnosis is bas... |

7 | Towards a privacy measurement criterion for voting systems
- Coney, Hall, et al.
- 2005
(Show Context)
Citation Context ...popular value, while keeping the individual contributions private. Our problem of privacy-preserving parameter aggregation shares much similarity to the problem of secure and privacypreserving voting =-=[13, 2, 9, 8]-=- with a few differences. First, voting requires voters to be authenticated by a centralized authority, such as the government. Second, our protocol has an additional requirement of participation priva... |

1 |
Untraceable electronic mail, return addesses, and digital pseudonyms
- Chaum
- 1981
(Show Context)
Citation Context ...cate the actual most popular values of the top ranking entries to the troubleshooter for the purpose of correcting misconfigurations, we perform another round of queries using a Chaumian-style mixnet =-=[5]-=- to protect the identities of the machines having those entries. The second round uses the same clusters, keyholders, entrance and exit nodes as in the first round. For each top ranking, root-cause ca... |