### Citations

2575 | How to share a secret
- Shamir
- 1979
Citation Context: ...e functionality and powers of a single TTP among several parties 4. In most SMPC approaches, this is only achieved with very high computational costs [16], due to the intensive use of secret sharing [23] and operations on secret shared data in SMPC protocols. Yet, more efficient special purpose approaches to SMPC have been proposed. E.g. in the mix-and-match approach [13], secret sharing techniques ar...

1548 | A public key cryptosystem and a signature scheme based on discrete logarithms
- ElGamal
- 1985
Citation Context: ...ually employ cryptographically secure PRNGs. For simplicity, we often refer to this tool simply as PRNG. 3.2 Threshold ElGamal Cryptosystem A key primitive in our approach is the ElGamal cryptosystem [7], over subgroups G_q of order q of the multiplicative group Z*_p, for large primes p = 2q + 1. The primes p, q and a generator g of G_q are common system parameters. ElGamal encryption is semantically ...

1236 | The knowledge complexity of interactive proof systems
- Goldwasser, Micali, et al.
- 1989
Citation Context: ...the following primitives, i.e. non-interactive zero-knowledge proofs, plaintext equality tests and ElGamal reencryption mixnets. 3.3 Non-Interactive Zero Knowledge Proofs Zero knowledge proofs (ZKPs) [12] are basically generalized challenge-response authentication protocols which are used to guarantee correctness of and verify participation in distributed cryptographic operations and protocols. A spec...

1019 | How to prove yourself: Practical solutions to identification and signature problems
- Fiat, Shamir
- 1986
Citation Context: ...ofs (NIZKPs) [2] are variants which allow rendering the challenge-response process non-interactive, i.e. they can be executed by a single party. This is achieved by applying the Fiat-Shamir heuristic [8] and thus produces transcripts of the NIZKPs. See e.g. [6] for a broader discussion of zero knowledge techniques. A NIZKP is thus comparable to a digital signature, it can be stored and may also be v...

371 | Wallet databases with observers
- Chaum, Pedersen
- 1992
Citation Context: ...ing its secret z_j. Also, each broker publishes b_j together with a NIZKP for assuring log_g ρ_{z_j} = log_x b_j. The latter is realized using a non-interactive proof of knowledge for equality of discrete logs [5]. The proof assures that the broker indeed utilized the correct share to produce the partial blinding 12. 2. For any subset Λ of t linkability brokers with valid zero-knowledge proofs, the complete bl...

334 | Proofs of partial knowledge and simplified design of witness hiding protocols
- Cramer, Damgård, et al.
- 1994
Citation Context: ...allenge-response process non-interactive, i.e. they can be executed by a single party. This is achieved by applying the Fiat-Shamir heuristic [8] and thus produces transcripts of the NIZKPs. See e.g. [6] for a broader discussion of zero knowledge techniques. A NIZKP is thus comparable to a digital signature, it can be stored and may also be verified, after its execution. Thus, incorrect or inappropr...

235 | A threshold cryptosystem without a trusted party (extended abstract)
- Pedersen
- 1991
Citation Context: ...he ciphertext, nor distinguish whether a ciphertext is the encryption of a known plaintext or not. More specifically, we utilize a threshold variant of the ElGamal cryptosystem, according to Pedersen [19, 20], which allows distributing cryptographic operations. It thus supports distributability of powers. In this threshold system, an ElGamal private key s ∈_R Z_q can be defined in two ways 5: – Firstly, it...

214 | Robust Noninteractive Zero Knowledge
- Santis, Crescenzo, et al.
- 2001
Citation Context: ...tributed cryptographic operations and protocols. A special feature of ZKPs is that they disclose no further information beyond that a statement is true. Non-interactive zero knowledge proofs (NIZKPs) [2] are variants which allow rendering the challenge-response process non-interactive, i.e. they can be executed by a single party. This is achieved by applying the Fiat-Shamir heuristic [8] and thus pro...

205 | Protocols for secure computations (extended abstract)
- Yao
- 1982
Citation Context: ...MPC) can theoretically be applied to a large range of problems in the area of privacy-preserving data analysis and in the construction of privacy-preserving protocols [16]. Basically, SMPC mechanisms [30] allow implementing multiparty protocols that do not rely on a single trusted third party (TTP). The intention of these cryptographic techniques is that a number of distinct, but connected parties may...

124 | An efficient scheme for proving a shuffle
- Furukawa, Sako
Citation Context: ...e assume that the mixnet is additionally verifiable, i.e. it provides NIZKPs of correctness of the operations. This can e.g. be achieved by employing the verifiable mixnet proposed by Furukawa et al. [11], describing the details of the cryptographic verifiability mechanisms. 6 Given that the group order of the underlying group is prime, then (m1/m2)^z is a random non-identity group element [17, 22, 3]...

113 | Efficient anonymous channel and all/nothing election scheme
- Park, Itoh, et al.
- 1993
Citation Context: ...y Chaum [4], is a primitive that can be used to anonymize sets of ciphertexts by a set of mix servers. Together, the mix servers form the mixnet. In our work, we build on ElGamal reencryption mixnets [18], which basically reencrypt and permute ciphertexts in order to anonymize them. In this setting, reencryption can be executed without a private key, i.e. it is not required to decrypt the ciphertext i...

108 | Squealing Euros: Privacy Protection in RFID-Enabled Banknotes
- Juels, Pappu
- 2003
Citation Context: ...seudonyms due to specific registration information, – an (optional) law enforcement authority may completely disclose every transaction pseudonym. Our approach extends earlier work of Juels and Pappu [14], which proposed reencryption-based transaction pseudonyms for privacy protection in a RFID application context. In existing proposals for transaction pseudonyms, the controlled linkability is usually...

105 | Mix and match: Secure function evaluation via ciphertexts
- Jakobsson, Juels
- 1976
Citation Context: ...tensive use of secret sharing [23] and operations on secret shared data in SMPC protocols. Yet, more efficient special purpose approaches to SMPC have been proposed. E.g. in the mix-and-match approach [13], secret sharing techniques are replaced by operations on encrypted data. We exploit this capability in our proposal. Hereby, we follow basic ideas of the mix-and-match approach. We formulate the pseu...

92 | Secure multiparty computation for privacy-preserving data mining
- Lindell, Pinkas
- 2009
Citation Context: ... secure multiparty computation (SMPC) can theoretically be applied to a large range of problems in the area of privacy-preserving data analysis and in the construction of privacy-preserving protocols [16]. Basically, SMPC mechanisms [30] allow implementing multiparty protocols that do not rely on a single trusted third party (TTP). The intention of these cryptographic techniques is that a number of di...

82 | A terminology for talking about privacy by data minimization
- Pfitzmann, Hansen
- 2010
Citation Context: ...are an important base mechanism for many privacy-enhancing technologies. In a technical sense, a (digital) pseudonym is an identifier of an entity that is used instead of the entity's real-world name [21]. Pseudonymity is the use of pseudonyms as identifiers. In a computing system, a user can act among one or multiple pseudonyms in digital transactions, e.g. in order to access a digital resource or se...

54 | IT-Security and Privacy: Design and Use of Privacy-Enhancing Security Mechanisms
- Fischer-Hübner
- 2001
Citation Context: ...nabling such a mapping requires that a pseudonym additionally encodes some kind of or is associated to trapdoor information, to enable attribution of pseudonyms to real-world identities. According to [9], major types of pseudonyms are: – Reference pseudonyms: In a simple case, a (non-changing) pseudonym can be mapped back to an identity based on existing reference information, e.g. if issued public k...

39 | Threshold password-authenticated key exchange
- MacKenzie, Shrimpton, et al.
- 2006
Citation Context: ...et al. [11], describing the details of the cryptographic verifiability mechanisms. 6 Given that the group order of the underlying group is prime, then (m1/m2)^z is a random non-identity group element [17, 22, 3]. This is true in our setting, i.e. the underlying group G_q is of prime order q. Fig. 1. Distributed computations and bulletin board Basically, a mixnet consists of a set of mix servers M_i, that conse...

14 | Threshold-based identity recovery for privacy enhanced applications
- Biskup, Flegel
- 2000
Citation Context: ...nding on how and by whom given pseudonyms can be re-translated into the user's identity (by making use of the pseudonym-to-identity-mapping). This is also captured in the notion of linkable pseudonyms [1]. Technically, enabling such a mapping requires that a pseudonym additionally encodes some kind of or is associated to trapdoor information, to enable attribution of pseudonyms to real-world identitie...

10 | Distributed Provers and Verifiable Secret Sharing Based on the Discrete Logarithm Problem
- Pedersen
- 1992
Citation Context: ...he ciphertext, nor distinguish whether a ciphertext is the encryption of a known plaintext or not. More specifically, we utilize a threshold variant of the ElGamal cryptosystem, according to Pedersen [19, 20], which allows distributing cryptographic operations. It thus supports distributability of powers. In this threshold system, an ElGamal private key s ∈_R Z_q can be defined in two ways 5: – Firstly, it...

7 | Privacy-Respecting Intrusion Detection
- Flegel
- 2007
Citation Context: ...ifier of an entity that is used instead of the real-world name of the entity, it implements a certain degree of unlinkability and thus privacy protection. By using the identifier-to-pseudonym-mapping [10], a re-identification of entities' real world names is possible; thus making pseudonymized entities accountable again. Hence, a fair balance of interests depends on the provided degrees of (un-)linkab...

7 | Towards trustworthy identity and access management for the future internet
- Weber, Martucci, et al.
- 2010

6 | MundoMessage: Enabling Trustworthy Ubiquitous Emergency Communication
- Weber, Kalev, et al.
- 2011

5 | Multilaterally Secure Ubiquitous Auditing
- Weber, Mühlhäuser
- 2010

3 | Pseudo-Random Number Generator. In: Encyclopedia of Cryptography and Security
- Koeune
- 2005
Citation Context: ...lize the mechanisms for multilevel linkability of pseudonyms based on extended mix-and-match concepts. Additionally, we propose to make use of cryptographically secure pseudo random number generators [15] in order to control random factors inside the encryption operations. This allows implementing a further direct pseudonym-to-identity-mapping, that can be exploited by a user, in order to authenticate ...

3 | Multilaterally Secure Pervasive Cooperation - Privacy Protection, Accountability and Secure Communication for the Age of Pervasive Computing
- Weber
- 2012

1 | Contemporary Cryptology. Birkhäuser (2005)
- Catalano, Cramer, et al.
- 1981
Citation Context: ...et al. [11], describing the details of the cryptographic verifiability mechanisms. 6 Given that the group order of the underlying group is prime, then (m1/m2)^z is a random non-identity group element [17, 22, 3]. This is true in our setting, i.e. the underlying group G_q is of prime order q. Fig. 1. Distributed computations and bulletin board Basically, a mixnet consists of a set of mix servers M_i, that conse...

1 | On Equality Testing Protocols and their Security
- Redz
- 2003
Citation Context: ...et al. [11], describing the details of the cryptographic verifiability mechanisms. 6 Given that the group order of the underlying group is prime, then (m1/m2)^z is a random non-identity group element [17, 22, 3]. This is true in our setting, i.e. the underlying group G_q is of prime order q. Fig. 1. Distributed computations and bulletin board Basically, a mixnet consists of a set of mix servers M_i, that conse...

1 | On the Security of ElGamal Based Encryption. In: Workshop on Practice and Theory in Public Key Cryptography (PKC '98)
- Tsiounis, Yung
- 1998
Citation Context: ...e group Z*_p, for large primes p = 2q + 1. The primes p, q and a generator g of G_q are common system parameters. ElGamal encryption is semantically secure in G_q, under certain complexity assumptions [24]. Practically, semantic security means that no partial information about a plaintext is leaking from the corresponding ciphertext. Thus, an adversary can neither recover any information about the plai...