    One-Out-of-Many Proofs: Or How to Leak a Secret and Spend a Coin

    We construct a 3-move public coin special honest verifier zero-knowledge proof, a so-called Sigma-protocol, for a list of commitments having at least one commitment that opens to 0. The prover is not required to know openings of the other commitments. The proof system is efficient, in particular in terms of communication, requiring only the transmission of a logarithmic number of commitments. We use our proof system to instantiate both ring signatures and zerocoin, a novel mechanism for bitcoin privacy. We use our Sigma-protocol as a (linkable) ad-hoc group identification scheme where the users have public keys that are commitments and demonstrate knowledge of an opening for one of the commitments to unlinkably identify themselves (once) as belonging to the group. Applying the Fiat-Shamir transform to the group identification scheme gives rise to ring signatures; applying it to the linkable group identification scheme gives rise to zerocoin. Our ring signatures are very small compared to other ring signature schemes, and we only assume the users' secret keys to be the discrete logarithms of single group elements, so the setup is quite realistic. Similarly, compared with the original zerocoin protocol we only rely on a weak cryptographic assumption and do not require a trusted setup. A third application of our Sigma-protocol is an efficient proof of membership of a secret committed value belonging to a public list of values.

    Strong Privacy Protection in Electronic Voting

    We give suggestions for protection against adversaries with access to the voter's equipment in voting schemes based on homomorphic encryption. Assuming an adversary has complete knowledge of the contents and computations taking place on the client machine, we protect the voter's privacy in such a way that the adversary learns nothing about the voter's choice. Furthermore, an active adversary trying to change a voter's ballot may do so, but will end up voting for a random candidate. To accomplish this goal we assume that the voter has access to a secondary communication channel through which he can receive information inaccessible to the adversary. An example of such a secondary communication channel is ordinary mail. Additionally, we assume the existence of a trusted party that will assist in the protocol. To some extent, the actions of this trusted party are verifiable.

    Optimal Reinsertion of Cancelled Train Lines

    One recovery strategy in case of a major disruption in a rail network is to cancel all trains on a specific line of the network. When the disturbance has ended, the cancelled line must be reinserted as soon as possible. In this article we present a mixed integer programming (MIP) model for calculating the best way to reinsert cancelled train lines in a rail network covered by a periodic timetable. Using a high abstraction level, it has been possible to incorporate the temporal aspect in the model while relying only on the information embedded in the train identification numbers of each departure. The model finds the optimal solution in an average of 0.5 CPU seconds in each test case.

    Efficient Fully Structure-Preserving Signatures for Large Messages

    We construct both randomizable and strongly existentially unforgeable structure-preserving signatures for messages consisting of many group elements. To sign a message consisting of N=mn group elements we have a verification key size of m group elements, and signatures contain n+2 elements. Verification of a signature requires evaluating n+1 pairing product equations. We also investigate the case of fully structure-preserving signatures, where it is required that the secret signing key consists of group elements only. We show that a variant of our signature scheme allowing the signer to pick part of the verification key at the time of signing is still secure. This gives us both randomizable and strongly existentially unforgeable fully structure-preserving signatures. In the fully structure-preserving scheme the verification key is a single group element, signatures contain m+n+1 group elements, and verification requires evaluating n+1 pairing product equations.

    A Verifiable Secret Shuffle of Homomorphic Encryptions

    We suggest an honest verifier zero-knowledge argument for the correctness of a shuffle of homomorphic encryptions. A shuffle consists of a rearrangement of the input ciphertexts and a re-encryption of them. One application of shuffles is to build mix-nets. Our scheme is more efficient than previous schemes in terms of both communication and computational complexity. Indeed, the HVZK argument has a size that is independent of the actual cryptosystem being used and will typically be smaller than the size of the shuffle itself. Moreover, our scheme is well suited for the use of multi-exponentiation techniques and batch verification. Additionally, we suggest a more efficient honest verifier zero-knowledge argument for a commitment containing a permutation of a set of publicly known messages. We also suggest an honest verifier zero-knowledge argument for the correctness of a combined shuffle-and-decrypt operation that can be used in connection with decrypting mix-nets based on ElGamal encryption. All our honest verifier zero-knowledge arguments can be turned into honest verifier zero-knowledge proofs. We use homomorphic commitments as an essential part of our schemes. When the commitment scheme is statistically hiding we obtain statistical honest verifier zero-knowledge arguments; when the commitment scheme is statistically binding we obtain computational honest verifier zero-knowledge proofs.

    Non-interactive distributed key generation and key resharing

    We present a non-interactive publicly verifiable secret sharing scheme where a dealer can construct a Shamir secret sharing of a field element and confidentially yet verifiably distribute shares to multiple receivers. We also develop a non-interactive publicly verifiable resharing scheme where existing share holders of a Shamir secret sharing can create a new Shamir secret sharing of the same secret and distribute it to a set of receivers in a confidential, yet verifiable manner. A public key may be associated with the secret being shared in the form of a group element raised to the secret field element. We use our verifiable secret sharing scheme to construct a non-interactive distributed key generation protocol that creates such a public key together with a secret sharing of the discrete logarithm. We also construct a non-interactive distributed resharing protocol that preserves the public key but creates a fresh secret sharing of the secret key and hands it to a set of receivers, which may or may not overlap with the original set of share holders. Our protocols build on a new pairing-based CCA-secure public-key encryption scheme with forward secrecy. As a consequence, our protocols can use static public keys for participants but still provide compromise protection. The scheme uses chunked encryption, which comes at a cost, but the cost is offset by a saving gained by our ciphertexts being comprised only of source group elements and no target group elements. A further efficiency saving is obtained in our protocols by extending our single-receiver encryption scheme to a multi-receiver encryption scheme, where the ciphertext is up to a factor 5 smaller than just having single-receiver ciphertexts. The non-interactive key management protocols are deployed on the Internet Computer to facilitate the use of threshold BLS signatures. The protocols provide a simple interface to remotely create secret-shared keys for a set of receivers, to refresh the secret sharing whenever there is a change of key holders, and to provide proactive security against mobile adversaries.

    The Rolling Stock Recovery Problem

    DSB S-tog (S-tog) operates on the double-tracked suburban network surrounding Copenhagen, Denmark. S-tog is the sole operator on the network. The network is owned and controlled by the infrastructure manager BaneDanmark. In recent years there has been an increased focus on developing tools to aid the planning process in railway transportation. The tools are computer software which can fully or partly automate some part of the planning process. As in other industries, the initial focus has been on strategic, tactical and operational planning. Only lately has the focus turned to the area of short-term and real-time planning. This paper concentrates on the area of rolling stock real-time planning. In practice, rolling stock dispatchers monitor the operation of the rolling stock plan and the depot plans. When the rolling stock plan is disrupted, the rolling stock dispatcher makes real-time decisions on the re-assignment of train units to train tasks. This process is called recovery. An automated tool will improve the recovery process, help supply sufficient seat capacity for passengers and reduce the operating cost.

    Traffic across Øresund

    The Øresund Link opened to cars and trains on 1 July 2000. Since the opening of the Øresund Bridge, DSB, Skånetrafiken, Scandlines and Øresundsbrokonsortiet have carried out market surveys among their customers travelling across Øresund. The primary purpose of the market surveys is to give each of the companies a solid basis for its marketing. In addition, the surveys can be used to highlight the effect that the fixed link across Øresund, combined with good ferry connections, has on activities across the national border that Øresund constitutes.
