We consider oblivious transfer protocols, and their applications, that use an underlying semantically secure homomorphic encryption scheme (e.g. Paillier's). We show that some oblivious transfer protocols and their derivatives, such as private matching, oblivious polynomial evaluation and private shared scalar product, could be subject to an attack. The same attack can be applied to some non-interactive zero-knowledge arguments that use homomorphic encryption schemes underneath. The roots of our attack lie in an additional property that some semantically secure encryption schemes possess, namely that decryption also reveals the random coin used for the encryption, combined with the fact that the (sender's or prover's) inputs may belong to a space that is very small compared to the plaintext space. In this case it appears that even a semi-honest chooser (verifier) can derive from the random coin bounds for all or some of the sender's (prover's) private inputs with non-negligible probability. We propose a fix which precludes the attacks.
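The mechanism described in the abstract, as an added example that is not from the paper: with Paillier, decryption also yields the random coin, so when the sender's homomorphic step raises the chooser's ciphertext to an exponent drawn from a small range, the chooser can recover that exponent from the coin alone, unless the sender re-randomizes with a fresh coin. The one-ciphertext protocol sketch, the function names and the re-randomization countermeasure are assumptions made for this example (the paper's own fix may differ); the primes are toy-sized.

```python
# Added example, not from the paper: Paillier decryption also yields the
# random coin, so a sender's homomorphic step leaks an exponent drawn from a
# small range unless the sender re-randomises with a fresh coin.
# Toy-sized primes; real deployments use primes of 1024 bits and more.
from math import gcd
import secrets

def keygen(p, q):
    n = p * q
    lam = (p - 1) * (q - 1) // gcd(p - 1, q - 1)   # Carmichael lambda(n)
    assert gcd(n, lam) == 1                        # needed to invert n mod lambda
    mu = pow(lam, -1, n)                           # L((1+n)^lam mod n^2) = lam
    return (n,), (n, lam, mu)

def encrypt(pk, m, r=None):
    """Enc(m; r) = (1+n)^m * r^n mod n^2; returns the coin so its owner can keep it."""
    n, = pk
    while r is None or gcd(r, n) != 1:
        r = secrets.randbelow(n - 1) + 1
    return pow(1 + n, m, n * n) * pow(r, n, n * n) % (n * n), r

def decrypt(sk, c):
    n, lam, mu = sk
    return (pow(c, lam, n * n) - 1) // n * mu % n

def recover_coin(sk, c):
    """Strip (1+n)^m from c: what is left is r^n, and n is invertible mod lambda."""
    n, lam, mu = sk
    m = decrypt(sk, c)
    rn = c * pow(pow(1 + n, m, n * n), -1, n * n) % (n * n) % n
    return m, pow(rn, pow(n, -1, lam), n)

def sender_scale(pk, c, x, rerandomize, s=None):
    """Sender's homomorphic step: c^x encrypts sigma*x under coin r^x.
    With rerandomize=True a fresh Enc(0; s) is multiplied in, so the coin
    becomes r^x * s and no longer depends on x alone."""
    n, = pk
    d = pow(c, x, n * n)
    if rerandomize:
        e0, s = encrypt(pk, 0, s)
        d = d * e0 % (n * n)
    return d, s

def chooser_candidates(sk, r, d, bound):
    """Chooser knows its own coin r; the coin of d pins down x in [0, bound)."""
    n = sk[0]
    _, coin = recover_coin(sk, d)
    return [x for x in range(bound) if pow(r, x, n) == coin]
```

Without re-randomization the recovered coin equals r^x, so the chooser's search over the small range finds x even when the decrypted plaintext (sigma = 0) reveals nothing.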