117 research outputs found

    One-Out-of-Many Proofs: Or How to Leak a Secret and Spend a Coin

    We construct a 3-move public coin special honest verifier zero-knowledge proof, a so-called Sigma-protocol, for a list of commitments having at least one commitment that opens to 0. It is not required for the prover to know openings of the other commitments. The proof system is efficient, in particular in terms of communication requiring only the transmission of a logarithmic number of commitments. We use our proof system to instantiate both ring signatures and zerocoin, a novel mechanism for bitcoin privacy. We use our Sigma-protocol as a (linkable) ad-hoc group identification scheme where the users have public keys that are commitments and demonstrate knowledge of an opening for one of the commitments to unlinkably identify themselves (once) as belonging to the group. Applying the Fiat-Shamir transform on the group identification scheme gives rise to ring signatures, applying it to the linkable group identification scheme gives rise to zerocoin. Our ring signatures are very small compared to other ring signature schemes and we only assume the users' secret keys to be the discrete logarithms of single group elements so the setup is quite realistic. Similarly, compared with the original zerocoin protocol we only rely on a weak cryptographic assumption and do not require a trusted setup. A third application of our Sigma protocol is an efficient proof of membership of a secret committed value belonging to a public list of values.

    Strong Privacy Protection in Electronic Voting

    We give suggestions for protection against adversaries with access to the voter's equipment in voting schemes based on homomorphic encryption. Assuming an adversary has complete knowledge of the contents and computations taking place on the client machine we protect the voter's privacy in a way so that the adversary has no knowledge about the voter's choice. Furthermore, an active adversary trying to change a voter's ballot may do so, but will end up voting for a random candidate. To accomplish the goal we assume that the voter has access to a secondary communication channel through which he can receive information inaccessible to the adversary. An example of such a secondary communication channel is ordinary mail. Additionally, we assume the existence of a trusted party that will assist in the protocol. To some extent, the actions of this trusted party are verifiable.

    Optimal Reinsertion of Cancelled Train Lines

    One recovery strategy in case of a major disruption in a rail network is to cancel all trains on a specific line of the network. When the disturbance has ended, the cancelled line must be reinserted as soon as possible. In this article we present a mixed integer programming (MIP) model for calculating the best way to reinsert cancelled train lines in a rail network covered by a periodic timetable. Using a high abstraction level it has been possible to incorporate the temporal aspect in the model only relying on the information embedded in the train identification numbers of each departure. The model finds the optimal solution in an average of 0.5 CPU seconds in each test case.

    Efficient Fully Structure-Preserving Signatures for Large Messages

    We construct both randomizable and strongly existentially unforgeable structure-preserving signatures for messages consisting of many group elements. To sign a message consisting of N=mn group elements we have a verification key size of m group elements and signatures contain n+2 elements. Verification of a signature requires evaluating n+1 pairing product equations. We also investigate the case of fully structure-preserving signatures where it is required that the secret signing key consists of group elements only. We show a variant of our signature scheme allowing the signer to pick part of the verification key at the time of signing is still secure. This gives us both randomizable and strongly existentially unforgeable fully structure-preserving signatures. In the fully structure-preserving scheme the verification key is a single group element, signatures contain m+n+1 group elements and verification requires evaluating n+1 pairing product equations.

    A Verifiable Secret Shuffle of Homomorphic Encryptions

    We suggest an honest verifier zero-knowledge argument for the correctness of a shuffle of homomorphic encryptions. A shuffle consists of a rearrangement of the input ciphertexts and a re-encryption of them. One application of shuffles is to build mix-nets. Our scheme is more efficient than previous schemes in terms of both communication and computational complexity. Indeed, the HVZK argument has a size that is independent of the actual cryptosystem being used and will typically be smaller than the size of the shuffle itself. Moreover, our scheme is well suited for the use of multi-exponentiation techniques and batch-verification. Additionally, we suggest a more efficient honest verifier zero-knowledge argument for a commitment containing a permutation of a set of publicly known messages. We also suggest an honest verifier zero-knowledge argument for the correctness of a combined shuffle-and-decrypt operation that can be used in connection with decrypting mix-nets based on ElGamal encryption. All our honest verifier zero-knowledge arguments can be turned into honest verifier zero-knowledge proofs. We use homomorphic commitments as an essential part of our schemes. When the commitment scheme is statistically hiding we obtain statistical honest verifier zero-knowledge arguments; when the commitment scheme is statistically binding we obtain computational honest verifier zero-knowledge proofs.

    Rolling Stock Recovery Problem


    The Rolling Stock Recovery Problem

    DSB S-tog (S-tog) operates on the double-tracked, suburban network surrounding Copenhagen, Denmark. S-tog is the sole operator on the network. The network is owned and controlled by the infrastructure manager BaneDanmark. During the last years there has been an increased focus on developing tools to aid the planning process in railway transportation. The tools are computer software, which can fully or partly automate some part of the planning process. As in other industries the initial focus has been on strategic, tactical and operational planning. Only lately has focus turned to the area of short-term and real-time planning. This paper concentrates on the area of rolling stock real-time planning. In practice rolling stock dispatchers monitor the operation of the rolling stock plan and the depot plans. When the rolling stock plan is disrupted, the rolling stock dispatcher makes real-time decisions on the re-assignment of train units to train tasks. This process is called recovery. An automated tool will improve the recovery process, help supply sufficient seat capacity for passengers and reduce the operating cost.

    Traffic across Øresund

    The Øresund Link opened for cars and trains on 1 July 2000. Since the opening of the Øresund Bridge, DSB, Skånetrafiken, Scandlines and the Øresund Bridge Consortium have carried out market surveys among their customers crossing Øresund. The primary purpose of the market surveys is to give each of the companies a solid basis for their marketing. In addition, the surveys can be used to highlight the effect that the fixed link across Øresund, combined with good ferry connections, has on activities across the national border that Øresund constitutes.

    On the security of ECDSA with additive key derivation and presignatures

    Two common variations of ECDSA signatures are additive key derivation and presignatures. Additive key derivation is a simple mechanism for deriving many subkeys from a single master key, and is already widely used in cryptocurrency applications with the Hierarchical Deterministic Wallet mechanism standardized in Bitcoin Improvement Proposal 32 (BIP32). Because of its linear nature, additive key derivation is also amenable to efficient implementation in the threshold setting. With presignatures, the secret and public nonces used in the ECDSA signing algorithm are precomputed. In the threshold setting, using presignatures along with other precomputed data allows for an extremely efficient online phase of the protocol. Recent works have advocated for both of these variations, sometimes combined together. However, somewhat surprisingly, we are aware of no prior security proof for additive key derivation, let alone for additive key derivation in combination with presignatures. In this paper, we provide a thorough analysis of these variations, both in isolation and in combination. Our analysis is in the generic group model (GGM). Importantly, we do not modify ECDSA or weaken the standard notion of security in any way. Of independent interest, we also present a version of the GGM that is specific to elliptic curves. This EC-GGM better models some of the idiosyncrasies (such as the conversion function and malleability) of ECDSA. In addition to this analysis, we report security weaknesses in these variations that apparently have not been previously reported. For example, we show that when both variations are combined, there is a cube-root attack on ECDSA, which is much faster than the best known, square-root attack on plain ECDSA. We also present two mitigations against these weaknesses: re-randomized presignatures and homogeneous key derivation. Each of these mitigations is very lightweight, and when used in combination, the security is essentially the same as that of plain ECDSA (in the EC-GGM).

    Design and analysis of a distributed ECDSA signing service

    We present and analyze a new protocol that provides a distributed ECDSA signing service, with the following properties:
    * it works in an asynchronous communication model;
    * it works with n parties with up to f < n/3 Byzantine corruptions;
    * it provides guaranteed output delivery;
    * it provides a very efficient, non-interactive online signing phase;
    * it supports additive key derivation according to the BIP32 standard.
    While there has been a flurry of recent research on distributed ECDSA signing protocols, none of these newly designed protocols provides guaranteed output delivery over an asynchronous communication network; moreover, the performance of our protocol (in terms of asymptotic communication and computational complexity) meets or beats the performance of any of these other protocols. This service is being implemented and integrated into the architecture of the Internet Computer, enabling smart contracts running on the Internet Computer to securely hold and spend Bitcoin and other cryptocurrencies. Along the way, we present some results of independent interest:
    * a new asynchronous verifiable secret sharing (AVSS) scheme that is simple and efficient;
    * a new scheme for multi-recipient encryption that is simple and efficient.