119 Publications, 13,557 Reads, 24,776 Citations
Publications (119)
We introduce cMix, a new approach to anonymous communications. Through a precomputation, the core cMix protocol eliminates all expensive real-time public-key operations—at the senders, recipients and mixnodes—thereby decreasing real-time cryptographic latency and lowering computational costs for clients. The core real-time phase performs only a few...
This note is a response to, and critique of, recent work by Acemyan, Kortum, Byrne, and Wallach regarding the usability of end-to-end verifiable voting systems, and in particular, to their analysis of the usability of the Scantegrity II voting system. Their work is given in a JETS paper [Ace14] and was presented at EVT/WOTE 2014; it was also descri...
We propose and implement a cryptographically end-to-end verifiable (E2E) remote voting system for absentee voters and report on its deployment in a binding municipal election in Takoma Park, Maryland. Remotegrity is a hybrid mail/internet extension to the Scantegrity in-person voting system, enabling secure, electronic return of vote-by-mail ballot...
We present a new model for polling-booth voting: the voter enters the polling booth with a computational assistant which helps her verify that her vote is correctly recorded. The assistant interacts with the voting system while the voter votes on the machine in the polling booth. We present an independently-verifiable, coercion-resistant protocol b...
Building on lessons learned from the November 2009 Scantegrity II election in Takoma Park, MD, we propose improvements to the Scantegrity II voting system that (1) automatically print trustworthy receipts for easier on-line verification, (2) highlight ballot features including over/under votes to comply with the Help America Vote Act, and (3) achie...
On November 3, 2009, voters in Takoma Park, Maryland, cast ballots for mayor and city council members using the Scantegrity II voting system—the first time any end-to-end (e2e) voting system with ballot privacy has been used in any binding governmental election. This case-study describes how we carried out this complex engineering feat involving imp...
In this paper, we develop methods for constructing vote-buying/coercion attacks on end-to-end voting systems, and describe vote-buying/coercion attacks on three proposed end-to-end voting systems: Punchscan, Prêt-à-voter, and ThreeBallot. We also demonstrate a different attack on Punchscan, which could permit corrupt election officials to change vo...
This paper presents a method for adding end-to-end verifiability to any optical-scan vote counting system. A serial number and set of letters, paired with every candidate, are printed on each optical-scan ballot. The letter printed next to the candidate(s) chosen by the voter is posted to a bulletin board, and these letters are used as input to Pun...
The 13 papers in this special issue focus on electronic voting.
Scantegrity II is an enhancement for existing paper ballot systems. It allows voters to verify election integrity - from their selections on the ballot all the way to the final tally - by noting codes and checking for them online. Voters mark Scantegrity II ballots just as with conventional optical scan, but using a special ballot marking pen. Mark...
We report on our experiences and lessons learned using Scantegrity II in a mock election held April 11, 2009, in Takoma Park, Maryland (USA). Ninety-five members of the community participated in our test of this voting system proposed for the November 2009 municipal election. Results helped improve the system for the November binding election.
David Chaum introduced the Visual Voting scheme, in which a voter obtains a paper receipt from a voting machine. This receipt can be used to verify that his vote was counted in the final tally, but cannot be used for vote selling. Chaum's system requires sophisticated printers and application of the randomized partial checking (RPC) method. We propose...
All voter-verifiable voting schemes in the literature require that the voter be able to see and to mark. This paper describes modifications to the Prêt à Voter and PunchScan schemes so that a voter who can either see or hear, or both, independent of marking ability, may avail of voter-verifiability without revealing her vote. The modified systems wo...
Scantegrity is a security enhancement for optical scan voting systems. It's part of an emerging class of "end-to-end" independent election verification systems that permit each voter to verify that his or her ballot was correctly recorded and counted. On the Scantegrity ballot, each candidate position is paired with a random letter. Election offici...
Protocols are presented allowing someone with a secret discrete logarithm to release it, bit by bit, such that anyone can verify each bit’s correctness as they receive it. This new notion of release of secrets generalizes and extends that of the already known exchange of secrets protocols. Consequently, the protocols presented allow exchange of sec...
In this paper, we discuss Bitfrost, the security model developed by the One Laptop Per Child project for its XO laptop computers. Bitfrost implements a number of security measures intended primarily to deter theft and malware, but which also introduce severe threats to data security and individual privacy. We describe several of the technical...
We introduce Scantegrity II, a practical enhancement for optical scan voting systems that achieves increased election integrity through the novel use of confirmation codes printed on ballots in invisible ink. Voters mark ballots just as in conventional optical scan but using a special pen that develops the invisible ink. Verifiability of electi...
We propose and implement a modification to the Punchscan protocol that simplifies ballot printing and distribution. In this improved version, each voter creates a ballot at the polling location by combining independently selected ballot halves, rather than using two pre-selected halves with the same serial number. The only time a ballot used for...
This paper presents a voting scheme that allows voters to verify that their vote is accurately included in the count, whilst maintaining ballot secrecy and coercion resistance. It also presents a rigorously defined set of requirements for secret ballot voting, and proofs that the scheme satisfies these requirements.
This is a short report on Dagstuhl Seminar 07311 - Frontiers of Electronic Voting, 29.07.07 - 03.08.07, organized in The International Conference and Research Center for Computer Science (IBFI, Schloss Dagstuhl). Authors: David Chaum, Miroslaw Kutylowski, Ronald L. Rivest and Peter Y. A. Ryan.
From July 29 to August 3, 2007, the Dagstuhl Seminar 07311 "Frontiers of Electronic Voting" was held in the International Conference and Research Center (IBFI), Schloss Dagstuhl. During the seminar, several participants presented their current research, and ongoing work and open problems were discussed. Abstracts of the presentations...
We present an election scheme designed to allow voters to verify that their vote is accurately included in the count. The scheme provides a high degree of transparency whilst ensuring the secrecy of votes. Assurance is derived from close auditing of all the steps of the vote recording and counting process with minimal dependence on the system compo...
The latest receipt system provided by electronic voting machines at polling places is discussed. In this system, the voter can see his or her choices clearly printed on the receipt in the voting booth. The voter can use it to ensure that the votes it contains are included correctly in the final tally, after taking it out of the booth. As the choice...
We present an election scheme designed to allow voters to verify that their vote is accurately included in the tabulation. The scheme provides a high degree of transparency whilst ensuring the secrecy of votes. Assurance is derived from close auditing of all the steps of the vote recording and counting process with minimal dependence on the system...
"Undeniable" (or perhaps rather "invisible") signatures are digital signatures which the recipient cannot show round without the help of the signer. If forced to either acknowledge or deny a signature, however, the signer cannot deny it if it is authentic. We present the first undeniable signature scheme which is unconditionally secure for the sign...
this paper, we use a slightly modified version of DES in which IP, IP^-1 and PC1 are not used and E and P are combined into one table EP (cf. Davio et al. [83], pp. 184-185). Thus the following mappings are used in our version of DES: EP: Z_2^32 -> Z_2^48: EPx is formed from x as follows: first y = Px is formed by permuting the 32 bits of x; then EPx = Ey is formed by...
inequality, which means that all collusions of minorities can be tolerated, is argued to be optimal and makes the main result also optimal. A third construction, on which the second is based but which is interesting in its own right, is that of an "all-honest world." This is a setting, relying only on assumption (b), in which any participant wh...
tried. Although these systems will require massive investment and years to complete, their underlying architecture is already quietly being decided and their institutional momentum is growing. This momentum is driving us toward a seemingly irreconcilable conflict, between organizations' need for security and the benefits of automation on one side,...
It is often the case in applications of cryptographic protocols that one party would like to determine a practical upper-bound on the physical distance to the other party. For instance, when a person conducts a cryptographic identification protocol at an entrance to a building, the access control computer in the building would like to be ensured th...
Previously there have been essentially only two models for computers that people can use to handle ordinary consumer transactions: (1) the tamper-proof module, such as a smart card, that the person cannot modify or probe; and (2) the personal workstation whose inner working is totally under control of the individual. The first part of this article...
The first aim of this paper is to situate the call for integrity and authentication algorithms within research on cryptography and within evolution of telecommunication. Motivations for submitting primitives and details on the submission process are also given.
A multiparty-computation protocol allows each of a set of participants to provide secret input to a mutually agreed computation. Such protocols enforce two security properties: (1) secrecy of the inputs, apart from what is revealed by the output; and (2) correctness of the output, as defined by the agreed computation. All solutions, including those...
The techniques presented allow powerful, readily extensible, and flexible arrangements for exchange of information between organizations about individuals. They protect against abuses by individuals, while providing unconditional security against linking of pseudonyms.
Undeniable signature protocols were introduced at Crypto’ 89 [CA]. The present article contains new undeniable signature protocols, and these are the first that are zero-knowledge.
Chaum, Fiat, and Naor proposed an offline check system [1], which has the advantage that the withdrawal and (anonymous) payment of a check are unlinkable. Here we present an improved protocol that saves 91% of the signatures, 41% of the other multiplications, 73% of the divisions, and 33% of the bit transmissions.
This paper introduces a new kind of signature authentication and gives practical protocols that implement it. The technique can be used in ways that approach the functionality of known techniques, such as ordinary digital signatures and zero-knowledge proofs. But more importantly, it opens up a whole space of possibilities in between them. The tech...
A manual intended for those seeking to secure information systems by applying modern cryptography is presented. It represents the successful attainment of goals by RIPE (RACE (Research and development of Advanced Communication technology in Europe) Integrity Primitives Evaluation). The recommended portfolio of integrity primitives, which is the mai...
Very strong definitions of security for signature schemes have been proposed in the literature. Constructions for such schemes have been proposed, but so far they have only been of theoretical interest and have been considered far too inefficient for practical use. Here we present a new scheme that satisfies these strongest definitions and uses es...
All of your electronic transactions, from credit card purchases to bank withdrawals, are creating a digital dossier of your life. The author proposes an encryption system that would allow individuals and institutions to take advantage of the benefits of computer communications while protecting privacy.
All known methods for transferring electronic money have the disadvantages that the number of bits needed to represent the money after each payment increases, and that a payer can recognize his money if he sees it later in the chain of payments (forward traceability). This paper shows that it is impossible to construct an electronic money system pr...
We present the first undeniable signature schemes where signers are unconditionally secure. In the efficient variants, the security for the recipients relies on a discrete logarithm assumption or on factoring; and in a theoretical version, on claw-free permutation pairs. Besides, on the one hand, the efficient variants are the first practical crypt...
Zero-knowledge proofs of computational power have been proposed by Yung and others. In this paper, we propose an efficient (direct) and constant round (five round) construction of zero knowledge proofs of computational power. To formulate the classes that can be applied to these efficient protocols, we introduce a class of invulnerable problems, Fe...
Early in 1989, a call for integrity primitives was disseminated within the cryptographic community by the RIPE consortium. The goal of this consortium is to put forward an ensemble of techniques to meet the anticipated requirements of the future Integrated Broadband Communication Network in the European Community. The aim of this paper is to descri...
The weaknesses that are the subject of [DY 91] have already been addressed in the published literature [C 90] & [CvA 89]. The main class of these weaknesses consists of ways of cheating undeniable signatures; but these ways are shown here to themselves be "weak." Specifically, a cheater using them can double-cross the other cheaters, to the extent...
In this paper we present a new type of signature for a group of persons, called a group signature, which has the following properties: (i) only members of the group can sign messages; (ii) the receiver can verify that it is a valid group signature, but cannot discover which group member made it; (iii) if necessary, the signature can be "opened", so...
All known digital signature schemes can be forged by anyone having enough computing power. For a finite set of participants, we can overcome this weakness. We present a polynomial time protocol in which a participant can convince (with an exponentially small error probability) any other participant that his signature is valid. Moreover, such a con...
We introduce a new concept called convertible undeniable signature schemes. In these schemes, release of a single bit string by the signer turns all of his signatures, which were originally undeniable signatures, into ordinary digital signatures. We prove that the existence of such schemes is implied by the existence of digital signature schemes. T...
Savings of roughly an order of magnitude in space, storage, and bandwidth over previously published online electronic cash protocols are achieved by the techniques introduced here. In addition, these techniques can increase convenience, make more efficient use of funds, and improve privacy.
Digital signatures [DH]—unlike handwritten signatures and banknote printing—are easily copied exactly. This property can be advantageous for some uses, such as dissemination of announcements and public keys, where the more copies distributed the better. But it is unsuitable for many other applications. Consider electronic replacements for all the w...
Protocols are given for allowing a “prover” to convince a “verifier” that the prover knows some verifiable secret information, without allowing the verifier to learn anything about the secret. The secret can be probabilistically or deterministically verifiable, and only one of the prover or the verifier need have constrained resources. This paper u...
Election protocols embodying robustness, verifiability of returns by voters, and unconditional security for voters' privacy have been presented. The techniques also allow untraceable payments and credentials.
Keeping confidential who sends which messages, in a world where any physical transmission can be traced to its origin, seems impossible. The solution presented here is unconditionally or cryptographically secure, depending on whether it is based on one-time-use keys or on public keys, respectively. It can be adapted to address efficiently a wide va...
The use of credit cards today is an act of faith on the part of all concerned. Each party is vulnerable to fraud by the others, and the cardholder in particular has no protection against surveillance.
A protocol is presented that allows a set of parties to collectively perform any agreed computation, where every party is able to choose secret inputs and verify that the resulting output is correct, and where all secret inputs are optimally protected. The protocol has the following properties: One participant is allowed to hide his secrets uncondi...
It has been shown previously how almost any multiparty protocol problem can be solved. All the constructions suggested so far rely on trapdoor one-way functions, and therefore must assume essentially that public key cryptography is possible. It has also been shown that unconditional protection of a single designated participant is all that can be a...
A new protocol is presented that allows A to convince B that she knows a solution to the Discrete Log Problem—i.e. that she knows an x such that α^x ≡ β (mod N) holds—without revealing anything about x to B. Protocols are given both for N prime and for N composite. We also give protocols for extensions of the Discrete Log problem allowing A to show...
Previously known blind signature systems require an amount of computation at least proportional to the number of signature types, and also that the number of such types be fixed in advance. These requirements are not practical in some applications. Here, a new blind signature technique is introduced that allows an unlimited number of signature type...
The S-boxes used in the DES are the major cryptographic component of the system. Any structure which they possess can have far reaching implications for the security of the algorithm. Structure may exist as a result of design principles intended ...
A multi-party cryptographic protocol and a proof of its security are presented. The protocol is based on RSA using a one-way-function. Its participants are individuals and organizations, which are not assumed to trust each other. The protocol implements a "credential mechanism", which is used to transfer personal information about individuals from...
Techniques are presented that allow A to convince B that she knows a solution to the Discrete Log Problem—i.e. that she knows an x such that α^x ≡ β (mod N) holds—without revealing anything about x to B. Protocols are given both for N prime and for N composite. We prove these protocols secure under a formal model which is of interest in its own rig...
The homomorphic structure of RSA signatures can impair security. Variations on a generalization of RSA signatures are considered with the aim of obviating such vulnerabilities. Of these variations, which involve a function of the message in the exponent, several are shown to have potential weaknesses similar to those of RSA. No attacks have been fo...
It is shown that the large-scale automated transaction systems of the near future can be designed to protect the privacy and maintain the security of both individuals and organizations. A new approach is described in which: (1) an individual uses a different account number or 'digital pseudonym' with each organization; (2) individuals conduct trans...
Two simple redundancy schemes are shown to be inadequate in securing RSA signatures against attacks based on multiplicative properties. The schemes generalize the requirement that each valid message starts or ends with a fixed number of zero bits. Even though only messages with proper redundancy are signed, forgers are able to construct signatures...
As the use of computers becomes more pervasive, they are capturing increasingly more revealing data about our habits, lifestyles, values, whereabouts, associations, political and religious orientation, etc. The current approach, which requires individuals to identify themselves in relationships with organizations, allows records of all an individua...
It is becoming increasingly easy and common for organizations to routinely exchange data on individuals. Because each individual provides most organizations essentially the same uniquely identifying information, such as social security number, or name, age and place of birth, the records held by one organization on an individual are readily matche...
A blockcipher is said to have a linear factor if, for all plaintexts and keys, there is a fixed non-empty set of key bits whose simultaneous complementation leaves the exclusive-or sum of a fixed non-empty set of ciphertext bits unchanged.
Partial key, key safeguarding, and threshold techniques appear to be another example of similar good ideas springing up in several places at nearly the same time — each with a different name and associated terminology. The use of partial key techniques actually appeared in print first in a technical report [Chaum 79] before the key safeguarding tec...
An untraceable payments system based on an extension of public key cryptography, called blind signatures, has been presented previously by the author. The existence of such blind signature systems was not demonstrated. An actual set of implementable functions is presented in the present work which have the blind signature property, and for which th...