Kazue Sako

Designated verifier proofs and their applications

For many proofs of knowledge it is important that only the verifier designated by the confirmer can obtain any conviction of the correctness of the proof. A good example of such a situation is for undeniable signatures, where the confirmer of a signature wants to make sure that only the intended verifier(s) in fact can be convinced about the validity or invalidity of the signature. Generally, authentication of messages and off-the-record messages are in conflict with each other. We show how, using designation of verifiers, these notions can be combined, allowing authenticated but private conversations to take place. Our solution guarantees that only the specified verifier can be convinced by t,he proof, even if he shares all his secret information with entities that want to get convinced. Our solution is based on trap-door conim.itments [4], allowing the designated verifier to open up commitments in any way he wants. We demonstrate how a trap-door commitment scheme can be uscd to construct designated verifier proofs, both interactive and non-interactive. We examplify the verifier designation method for the confirmation protocol for undeniable signatures.

An Efficient Scheme for Proving a Shuffle

In this paper, we propose a novel and efficient protocol for proving the correctness of a shuffle, without leaking how the shuffle was performed. Using this protocol, we can prove the correctness of a shuffle of n data with roughly 18n exponentiations, where as the protocol of Sako-Kilian[SK95] required 642n and that of Abe[Ab99] required 22n log n. The length of proof will be only 211n bits in our protocol, opposed to 218n bits and 214 n log n bits required by Sako-Kilian and Abe, respectively. The proposed protocol will be a building block of an efficient, universally verifiable mix-net, whose application to voting system is prominent.

Receipt-Free Mix-Type Voting Scheme

We present a receipt-free voting scheme based on a mixtype anonymous channel[Cha81, PIK93]. The receipt-freeness property [BT94] enables voters to hide how they have voted even from a powerful adversary who is trying to coerce him. The work of [BT94] gave the first solution using a voting booth, which is a hardware assumption not unlike that in current physical elections. In our proposed scheme, we reduce the physical assumptions required to obtain receipt-freeness. Our sole physical assumption is the existence of a private channel through which the center can send the voter a message without fear of eavesdropping.

Secure Voting Using Partially Compatible Homomorphisms

We introduce a new number-theoretic based protocol for secure electronic voting. Our scheme is much more communication efficient than previous schemes of its type, and has a much lower round complexity than is currently possible using the anonymous-channel/mixer techniques. Preprocessing allows for nearly all of the communication and computation to be performed before any voting takes place. Unlike the mixer-based protocols, anyone can verify that everyones vote has been properly counted. Also, our techniques allow for a wide variety of different schemes.Our protocols are based on families of homomorphic encryptions which have a partial compatibility property, generalizing a method of Benaloh and Yung [2]. We use these functions to generate very simple interactive proofs on encrypted shares. We also develop amortization techniques yielding dramatic efficiency improvements over our simple protocols. Our protocols can be realized by current-generation PCs with access to an electronic bulletin board.

Fault tolerant anonymous channel

Previous anonymous channels, called MIX nets, do not work if one center stops. This paper shows new anonymous channels which allow less than a half of faulty centers. A fault tolerant multivalued election scheme is obtained automatically. A very efficient ZKIP for the centers is also presented.

k-Times Anonymous Authentication (Extended Abstract)

We propose an authentication scheme in which users can be authenticated anonymously so long as times that they are authenticated is within an allowable number. The proposed scheme has two features that allow 1) no one, not even an authority, identify users who have been authenticated within the allowable number, and that allow 2) anyone to trace, without help from the authority, dishonest users who have been authenticated beyond the allowable number by using the records of these authentications. Although identity escrow/group signature schemes allow users to be anonymously authenticated, the authorities in these schemes have the unnecessary ability to trace any user. Moreover, since it is only the authority who is able to trace users, one needs to make cumbersome inquiries to the authority to see how many times a user has been authenticated. Our scheme can be applied to e-voting, e-cash, electronic coupons, and trial browsing of content. In these applications, our scheme, unlike the previous one, conceals users’ participation from protocols and guarantees that they will remain anonymous to everyone.

An Auction Protocol Which Hides Bids of Losers

Many auction protocols using practical cryptographic means have successfully achieved capability of hiding the bids of each entity, but not the values of bids themselves. In this paper we describe an auction protocol which hides the bids of non-winners even from the bid-opening centers, and still makes it possible to publicly verify the validity of the winning bid, i.e. that it was the highest bid submitted. The first approach to such a protocol was made by Kikuchi et al in [KHT98]. However, several deficiencies have been pointed out regarding their protocol; for example, it is not well suited for handling tie bids.

k -times anonymous authentication with a constant proving cost

A k-Times Anonymous Authentication (k-TAA) scheme allows users to be authenticated anonymously so long as the number of times that they are authenticated is within an allowable number. Some promising applications are e-voting, e-cash, e-coupons, and trial browsing of contents. However, the previous schemes are not efficient in the case where the allowable number k is large, since they require both users and verifiers to compute O(k) exponentiation in each authentication. We propose a k-TAA scheme where the numbers of exponentiations required for the entities in an authentication are independent of k. Moreover, we propose a notion of public detectability in a k-TAA scheme and present an efficient publicly verifiable k-TAA scheme, where the number of modular exponentiations required for the entities is O(log(k)).

An implementation of a universally verifiable electronic voting scheme based on shuffling

This paper discusses the implementation of the voting scheme based on mix-net technology. The advantages of employing this technology are that voters can vote-and-go, and that it is flexible enough to be used for variety of vote-expression methods, while ensuring the privacy of votes and the elimination of faulty players. The most attractive security feature of this scheme is its universal verifiability; anyone can confirm the correctness of the result. Such verifiability is achieved by providing proofs on correct shuffling and decryption. The paper presents a new scheme for generating a single proof for shuffle-and-decrypt process. Compared to the combination of two separate proofs on shuffle and decryption, the new scheme is 150% faster with only 80% of the length. As a result, the system was able to produce results that were verified correct within twenty minutes following a vote participated in by ten thousand voters, with three shuffling centers being used. We believe this is the first implementation report of a voting scheme with universal verifiability.

Using group signatures for identity management and its implementation

We discuss the merits of using group signature technology in Identity Management. We propose a novel model of group signature scheme and introduce a new entity called User-Revocation manager. User-Revocation manager plays an independent role regarding user revocation which was previously covered by either Group manager or Issuing manager. We extend the idea of the Camenisch-Groth scheme and present an efficient revocation scheme where the cost of user revocation is smaller than that of the Camenisch-Groth scheme. We also discuss the details of our implementation.