How Not to Prove Yourself: Pitfalls of the Fiat-Shamir Heuristic and Applications to Helios

Bernhard, David; Pereira, Olivier; Warinschi, Bogdan

doi:10.1007/978-3-642-34961-4_38

Cited by 139 publications

(168 citation statements)

References 28 publications

Supporting

Mentioning

166

Contrasting

Unclassified

Order By: Relevance

“…paper result model [6] NM-CPA secure ROM [16] obvious CCA proof fails ROM [14] not PA2 unless CDH easy ROM [5] no adaptive extractor under OMDL ROM this work no CCA reduction under IES ROM [1] CCA ROM vs. algebraic adv. [13,18] CCA ROM+GGM Although CCA security of Signed ElGamal has sometimes been claimed informally, the strongest formal result in the ROM to date [6] only shows the weaker non-malleability (NM-CPA). If one extends the ROM to include either the generic group model [13], a generic knowledge assumption [18] or restricts to algebraic adversaries [1] then one can prove CCA security.…”

Section: State Of the Artmentioning

confidence: 95%

On the Hardness of Proving CCA-Security of Signed ElGamal

Bernhard

Fischlin

Warinschi

2016

Public-Key Cryptography – PKC 2016

Self Cite

View full text Add to dashboard Cite

Abstract. The well-known Signed ElGamal scheme consists of ElGamal encryption with a non-interactive Schnorr proof of knowledge. While this scheme should be intuitively secure against chosen-ciphertext attacks in the random oracle model, its security has not yet been proven nor disproven so far, without relying on further non-standard assumptions like the generic group model. Currently, the best known positive result is that Signed ElGamal is non-malleable under chosen-plaintext attacks. In this paper we provide evidence that Signed ElGamal may not be CCA secure in the random oracle model. That is, building on previous work of Shoup and Gennaro (Eurocrypt'98), Seurin and Treger (CT-RSA 2013), and Bernhard et al. (PKC 2015), we exclude a large class of potential reductions that could be used to establish CCA security of the scheme.

show abstract

Section: State Of the Artmentioning

confidence: 95%

On the Hardness of Proving CCA-Security of Signed ElGamal

Bernhard

Fischlin

Warinschi

2016

Public-Key Cryptography – PKC 2016

Self Cite

View full text Add to dashboard Cite

show abstract

“…Analogously, here we formalize privacy of RPC mix nets as the inability of an adversary to distinguish whether some sender under observation submitted plaintexts p or p , when running her honest program. While this definition is quite strong (see, e.g., the discussion in [2]), simulation-based definitions [12] are stronger (see also [3] for a related game-based definition). Roughly speaking, simulation-based definitions imply that an adversary should not be able to distinguish between two (different) vectors of honest inputs.…”

Section: Defining Privacy Of Rpc MIX Netsmentioning

confidence: 99%

“…This security requirement corresponds to the central property in the context of e-voting, already sketched above, and it is what our privacy notion for RPC mix nets, which we define precisely below, is therefore supposed to capture. 3 In the analysis of privacy of RPC mix nets, it turns out that it is useful to distinguish between risk-avoiding and venturesome adversaries, i.e., between adversaries that try to avoid being caught (i.e., blamed by the judge for misbehavior) and those that do not care. The class of venturesome adversary is simply the class of all probabilistic polynomial-time adversaries.…”

Section: Defining Privacy Of Rpc MIX Netsmentioning

confidence: 99%

Formal Analysis of Chaumian Mix Nets with Randomized Partial Checking

Küsters

Truderung

Vogt

2014

2014 IEEE Symposium on Security and Privacy

View full text Add to dashboard Cite

Mix nets with randomized partial checking (RPC mix nets) have been introduced by Jakobsson, Juels, and Rivest as particularly simple and efficient verifiable mix nets. These mix nets have been used in several implementations of prominent e-voting systems to provide vote privacy and verifiability. In RPC mix nets, higher efficiency is traded for a lower level of privacy and verifiability. However, these mix nets have never undergone a rigorous formal analysis. Recently, Kahazei and Wikström even pointed out several severe problems in the original proposal and in implementations of RPC mix nets in e-voting systems, both for so-called re-encryption and Chaumian RPC mix nets. While Kahazei and Wikström proposed several fixes, the security status of Chaumian RPC mix nets (with the fixes applied) has been left open; re-encryption RPC mix nets, as they suggest, should not be used at all.In this paper, we provide the first formal security analysis of Chaumian RPC mix nets. We propose security definitions that allow one to measure the level of privacy and verifiability RPC mix nets offer, and then based on these definitions, carry out a rigorous analysis. Altogether, our results show that these mix nets provide a reasonable level of privacy and verifiability, and that they are still an interesting option for the use in e-voting systems.

show abstract

“…More detailed definitions, as well as techniques for making these proofs non-interactive are available in [9] for instance.…”

Section: Definition 3 (Sigma Protocol)mentioning

confidence: 99%

“…Different strategies for improving the accountability in the case of Helios have been explored in [3,27]. A rigorous cryptographic analysis of verifiability/accountability of a fully-fledged voting system is an open problem (note that all current works on Helios [26,27] abstracted the cryptographic aspects and, as result, overlooked the recently found attacks on the verifiability of Helios [9]), and is out of our scope.…”

Section: Decryptionmentioning

confidence: 99%

Election Verifiability or Ballot Privacy: Do We Need to Choose?

Cuvelier

Pereira

Peters

2013

Lecture Notes in Computer Science

Self Cite

View full text Add to dashboard Cite

Abstract. We propose a new encryption primitive, commitment consistent encryption (CCE), and instances of this primitive that enable building the first universally verifiable voting schemes with a perfectly private audit trail (PPAT) and practical complexity. That is:-the audit trail that is published for verifying elections guarantees everlasting privacy, and -the computational load required from the participants is only increased by a small constant factor compared to traditional voting schemes, and is optimal in the sense of Cramer, Gennaro and Schoenmakers [16]. These properties make it possible to introduce election verifiability in large scale elections as a pure benefit, that is, without loss of privacy compared to a non-verifiable scheme and at a similar level of efficiency. We propose different approaches for constructing voting schemes with PPAT from CCE, as well as two efficient CCE constructions: one is tailored for elections with a small number of candidates, while the second is suitable for elections with complex ballots.

show abstract

How Not to Prove Yourself: Pitfalls of the Fiat-Shamir Heuristic and Applications to Helios

Cited by 139 publications

References 28 publications

On the Hardness of Proving CCA-Security of Signed ElGamal

On the Hardness of Proving CCA-Security of Signed ElGamal

Formal Analysis of Chaumian Mix Nets with Randomized Partial Checking

Election Verifiability or Ballot Privacy: Do We Need to Choose?

Contact Info

Product

Resources

About