Jörn Müller-Quade

Bingo voting: secure and coercion-free voting using a trusted random number generator

It is debatable if current direct-recording electronic votingmachines can sufficiently be trusted for a use in elections. Reports about malfunctions and possible ways ofmanipulation abound. Voting schemes have to fulfill seemingly contradictory requirements: On one hand the election process should be verifiable to prevent electoral fraud and on the other hand each vote should be deniable to avoid coercion and vote buying. This work presents a new verifiable and coercion-free voting scheme Bingo Voting, which is based on a trusted random number generator. As a motivation for the new scheme two coercion/vote buying attacks on voting schemes are presented which show that it can be dangerous to let the voter contribute randomness to the voting scheme. A proof-of-concept implementation of the scheme shows the practicality of the scheme: all costly computations can be moved to a non time critical pre-voting phase.

Universally Composable Commitments Using Random Oracles

In the setting of universal composability [Can01], commitments cannot be implemented without additional assumptions such as that of a publicly available common reference string[CF01]. Here, as an alternative to the commitments in the common reference string model, the use of random oracles to achieve universal composability of commitment protocols is motivated. Special emphasis is put on the security in the situation when the additional “helper functionality” is replaced by a realizable primitive. This contribution gives two constructions which allow to turn a given non-interactive commitment scheme into a non-interactive universally composable commitment scheme in the random oracle model. For both constructions the binding and the hiding property remain valid when collision-free hash functions are used instead of random oracles. Moreover the second construction in this case even preserves the property of perfect binding.

A CCA2 Secure Public Key Encryption Scheme Based on the McEliece Assumptions in the Standard Model

We show that a recently proposed construction by Rosen and Segev can be used for obtaining the first public key encryption scheme based on the McEliece assumptions which is secure against adaptive chosen ciphertext attacks in the standard model.

Composability in quantum cryptography

If we combine two secure cryptographic systems, is the resulting system still secure? Answering this question is highly nontrivial and has recently sparked a considerable research effort, in particular, in the area of classical cryptography. A central insight was that the answer to the question is yes, but only within a well-specified composability framework and for carefully chosen security definitions.In this article, we review several aspects of composability in the context of quantum cryptography. The first part is devoted to key distribution. We discuss the security criteria that a quantum key distribution (QKD) protocol must fulfill to allow its safe use within a larger security application (e.g. for secure message transmission); and we demonstrate—by an explicit example—what can go wrong if conventional (non-composable) security definitions are used. Finally, to illustrate the practical use of composability, we show how to generate a continuous key stream by sequentially composing rounds of a QKD protocol.In the second part, we take a more general point of view, which is necessary for the study of cryptographic situations involving, for example, mutually distrustful parties. We explain the universal composability (UC) framework and state the composition theorem that guarantees that secure protocols can securely be composed to larger applications. We focus on the secure composition of quantum protocols into unconditionally secure classical protocols. However, the resulting security definition is so strict that some tasks become impossible without additional security assumptions. Quantum bit commitment is impossible in the UC framework even with mere computational security. Similar problems arise in the quantum bounded storage model and we observe a trade-off between the UC and the use of the weakest possible security assumptions.

ANALYTICAL BEAM SHAPING WITH APPLICATION TO LASER-DIODE ARRAYS

In contrast to numerical methods for beam shaping, analytical beam shaping consists of two steps: first, finding a purely geometrical distortion between the input plane and the output plane redistributing the intensity of the incoming wave front; and, second, computing a phase-only element realizing this coordinate transform. For the latter the method of stationary phase may be applied. The known classes of possible analytical wave transformation are extended to comprise separable and isotropic super-Gaussian-to-super-Gaussian conversion as well as transformation of Gaussian arrays to super-Gaussian distributions, and vice versa. The resulting optical phase elements contain no spiral phase dislocation and may thus be realized as refractive or diffractive elements. In addition, the outgoing wave front does not contain spiral phase dislocations.

Unconditional and composable security using a single stateful tamper-proof hardware token

Cryptographic assumptions regarding tamper proof hardware tokens have gained increasing attention. Even if the tamperproof hardware is issued by one of the parties, and hence not necessarily trusted by the other, many tasks become possible: Tamper proof hardware is sufficient for universally composable protocols, for information-theoretically secure protocols, and even allow to create software which can only be used once (One-Time-Programs). However, all known protocols employing tamper-proof hardware are either indirect, i.e., additional computational assumptions must be used to obtain general two party computations or a large number of devices must be used. In this work we present the first protocol realizing universally composable two-party computations (and even trusted One-Time-Programs) with information-theoretic security using only one single tamper-proof device issued by one of the mutually distrusting parties.

Initiator-Resilient Universally Composable Key Exchange

Key exchange protocols in the setting of universal composability are investigated. First we show that the ideal functionality \(\mathcal{F}_{\rm KE}\) of [9] cannot be realized in the presence of adaptive adversaries, thereby disproving a claim in [9]. We proceed to propose a modification \(\mathcal{F}_{\rm KE}^{(i,j)}\), which is proven to be realizable by two natural protocols for key exchange. Furthermore, sufficient conditions for securely realizing this modified functionality are given. Two notions of key exchange are introduced that allow for security statements even when one party is corrupted. Two natural key exchange protocols are proven to fulfill the ”weaker” of these notions, and a construction for deriving protocols that satisfy the ”stronger” notion is given.

Lossy Codes and a New Variant of the Learning-With-Errors Problem

The hardness of the Learning-With-Errors (LWE) Problem has become one of the most useful assumptions in cryptography. It exhibits a worst-to-average-case reduction making the LWE assumption very plausible. This worst-to-average-case reduction is based on a Fourier argument and the errors for current applications of LWE must be chosen from a gaussian distribution. However, sampling from gaussian distributions is cumbersome.

IND-CCA secure cryptography based on a variant of the LPN problem

In 2003 Michael Alekhnovich (FOCS 2003) introduced a novel variant of the learning parity with noise problem and showed that it implies IND-CPA secure public-key cryptography. In this paper we introduce the first public-key encryption-scheme based on this assumption which is IND-CCA secure in the standard model. Our main technical tool to achieve this is a novel all-but-one simulation technique based on the correlated products approach of Rosen and Segev (TCC 2009). Our IND-CCA1 secure scheme is asymptotically optimal with respect to ciphertext-expansion. To achieve IND-CCA2 security we use a technique of Dolev, Dwork and Naor (STOC 1991) based on one-time-signatures. For practical purposes, the efficiency of the IND-CCA2 scheme can be substantially improved by the use of additional assumptions to allow for more efficient signature schemes. Our results make Alekhnovichs variant of the learning parity with noise problem a promising candidate to achieve post quantum cryptography.

Oblivious Transfer Based on the McEliece Assumptions

We implement one-out-of-two bit oblivious transfer (OT) based on the assumptions used in the McEliece cryptosystem: the hardness of decoding random binary linear codes, and the difficulty of distinguishing a permuted generating matrix of Goppa codes from a random matrix. To our knowledge this is the first OT reduction to these problems only.