Lecture Notes in Computer Science Commenced Publication in 1973 Founding and Former Series Editors: Gerhard Goos, Juris Hartmanis, and Jan van Leeuwen Editorial Board Takeo Kanade Carnegie Mellon University, Pittsburgh, PA, USA Josef Kittler University of Surrey, Guildford, UK Jon M Kleinberg Cornell University, Ithaca, NY, USA Friedemann Mattern ETH Zurich, Switzerland John C Mitchell Stanford University, CA, USA Moni Naor Weizmann Institute of Science, Rehovot, Israel Oscar Nierstrasz University of Bern, Switzerland C Pandu Rangan Indian Institute of Technology, Madras, India Bernhard Steffen University of Dortmund, Germany Madhu Sudan Massachusetts Institute of Technology, MA, USA Demetri Terzopoulos New York University, NY, USA Doug Tygar University of California, Berkeley, CA, USA Moshe Y Vardi Rice University, Houston, TX, USA Gerhard Weikum Max-Planck Institute of Computer Science, Saarbruecken, Germany 3089 Springer Berlin Heidelberg New York Hong Kong London Milan Paris Tokyo Markus Jakobsson Moti Yung Jianying Zhou (Eds.) Applied Cryptography and Network Security Second International Conference, ACNS 2004 Yellow Mountain, China, June 8-11, 2004 Proceedings Springer eBook ISBN: Print ISBN: 3-540-24852-8 3-540-22217-0 ©2005 Springer Science + Business Media, Inc Print ©2004 Springer-Verlag Berlin Heidelberg All rights reserved No part of this eBook may be reproduced or transmitted in any form or by any means, electronic, mechanical, recording, or otherwise, without written consent from the Publisher Created in the United States of America Visit Springer's eBookstore at: and the Springer Global Website Online at: http://ebooks.springerlink.com http://www.springeronline.com Preface The second International Conference on Applied Cryptography and Network Security (ACNS 2004) was sponsored and organized by ICISA (the International Communications and Information Security Association) It was held in Yellow Mountain, China, June 8–11, 2004 The conference proceedings, representing papers from the academic track, are published in this volume of the Lecture Notes in Computer Science (LNCS) of Springer-Verlag The area of research that ACNS covers has been gaining importance in recent years due to the development of the Internet, which, in turn, implies global exposure of computing resources Many fields of research were covered by the program of this track, presented in this proceedings volume We feel that the papers herein indeed reflect the state of the art in security and cryptography research, worldwide The program committee of the conference received a total of 297 submissions from all over the world, of which 36 submissions were selected for presentation during the academic track In addition to this track, the conference also hosted a technical/industrial track of presentations that were carefully selected as well All submissions were reviewed by experts in the relevant areas Starting from the first ACNS conference last year, ACNS has given best paper awards Last year the best student paper award went to a paper that turned out to be the only paper written by a single student for ACNS 2003 It was Kwong H Yung who got the award for his paper entitled “Using Feedback to Improve Masquerade Detection.” Continuing the “best paper tradition” this year, the committee decided to select two student papers among the many high-quality papers that were accepted for this conference, and to give them best student paper awards These papers are: “Security Measurements of Steganographic Systems” by Weiming Zhang and Shiqu Li, and “Evaluating Security of Voting Schemes in the Universal Composability Framework” by Jens Groth Both papers appear in this proceedings volume, and we would like to congratulate the recipients for their achievements Many people and organizations helped in making the conference a reality We would like to take this opportunity to thank the program committee members and the external experts for their invaluable help in producing the conference’s program We also wish to thank Thomas Herlea of KU Leuven for his extraordinary efforts in helping us to manage the submissions and for taking care of all the technical aspects of the review process Thomas, single-handedly, served as the technical support committee of this conference! We extend our thanks also to the general chair Jianying Zhou (who also served as publication chair and helped in many other ways), the chairs of the technical/industrial track (Yongfei Han and Peter Landrock), the local organizers, who worked hard to assure that the conference took place, and the publicity chairs We also thank the various VI Preface sponsoring companies and government bodies Finally, we would like to thank all the authors who submitted papers to the conference April 2004 Markus Jakobsson and Moti Yung ACNS 2004 Second International Conference on Applied Cryptography and Network Security Yellow Mountain, China June 8–11, 2004 Sponsored and organized by the International Communications and Information Security Association (ICISA) In co-operation with MiAn Pte Ltd (ONETS), China RSA Security Inc., USA Ministry of Science and Technology, China Yellow Mountain City Government, China General Chair Jianying Zhou Program Chairs Markus Jakobsson Moti Yung Program Committee Masayuki Abe N Asokan Feng Bao Kijoon Chae Ed Dawson Xiaotie Deng Philippe Golle Dieter Gollmann Goichiro Hanaoka Els van Herreweghen Chi-Sung Laih Kwok-Yan Lam Heejo Lee Institute for Infocomm Research, Singapore RSA Labs, USA Columbia University, USA NTT, Japan Nokia, Finland I2R, Singapore Ewha Women’s Univ., Korea QUT, Australia City Univ of HK, China PARC, USA TU Hamburg, Germany Univ of Tokyo, Japan IBM, Zurich NCKU, Taiwan Tsinghua Univ., China Korea Univ., Korea VIII Organization Pil Joong Lee Helger Lipmaa Javier Lopez Charanjit Jutla Hiroaki Kikuchi Kwangjo Kim Wenbo Mao David Naccache Chanathip Namprempre Phong Nguyen Adrian Perrig Josef Pieprzyk Radha Poovendran Tomas Sander Dawn Song Julien Stern Sal Stolfo Michael Szydlo Wen-Guey Tzeng Shouhuai Xu Bennet Yee Yuliang Zheng Postech, Korea Helsinki Univ of Tech., Finland Univ of Malaga, Spain IBM T.J Watson, USA Univ of Tokai, Japan Info & Communication Univ., Korea HP Labs, UK Gemplus, France Thammasat U., Thailand ENS, France Carnegie Mellon Univ., USA Macquarie University, Australia Univ of Washington, USA HP Labs, USA Carnegie Mellon Univ., USA Cryptolog International, France Columbia Univ., USA RSA Labs, USA NCTU, Taiwan Univ of Texas at San Antonio, USA Google, USA UNC Charlotte, USA Chairs of Technical/Industrial Track Yongfei Han Peter Landrock Publicity Chairs Michael Szydlo Guilin Wang Technical and Administrative Support Thomas Herlea Li Xue ONETS, China Cryptomathic, Denmark RSA Labs, USA I2R, Singapore KU Leuven, Belgium ONETS, China External Reviewers Michel Abdalla, Nuttapong Attrapadung, Dan Bailey, Dirk Balfanz, EndreFelix Bangerter, Alexandra Boldyreva, Colin Boyd, Eric Brier, Julien Brouchier, Sonja Buchegger, Christian Cachin, Jan Camenisch, Cedric Cardonnel, Haowen Chan, Xiaofeng Chen, Bent Chevallier-Mames, Hung Chim, Jung-Hui Chiu, Jae-Gwi Choi, Chen-Kang Chu, Siu-Leung Chung, Andrew Clark, Scott Contini, Jean-Sộbastien Coron, Yang Cui, Matthew Dailey, Organization IX Jean-Franỗois Dhem, Xuhua Ding, Glenn Durfee, Pasi Eronen, Chun-I Fan, Serge Fehr, Atsushi Fujioka, Eiichiro Fujisaki, Debin Gao, Philip Ginzboorg, Juanma Gonzalez-Nieto, Louis Goubin, Zhi Guo, Shin Seong Han, Yumiko Hanaoka, Helena Handschuh, Matt Henricksen, Sha Huang, Yong Ho Hwang, Tetsuya Izu, Moon Su Jang, Ari Juels, Burt Kaliski, Bong Hwan Kim, Byung Joon Kim, Dong Jin Kim, Ha Won Kim, Kihyun Kim, Tae-Hyung Kim, Yuna Kim, Lea Kissner, Tetsutaro Kobayashi, Byoungcheon Lee, Dong Hoon Lee, Hui-Lung Lee, Chin-Laung Lei, Jung-Shian Li, Mingyan Li, Minming Li, Tieyan Li, Becky Jie Liu, Krystian Matusiewicz, Bill Millan, Ilya Mironov, Yasusige Nakayama, Gregory Neven, James Newsome, Valtteri Niemi, Takashi Nishi, Kaisa Nyberg, Luke O’Connor, Kazuto Ogawa, Miyako Ohkubo, Jose A Onieva, Pascal Paillier, Dong Jin Park, Heejae Park, Jae Hwan Park, Joonhah Park, Leonid Peshkin, Birgit Pfitzmann, James Riordan, Rodrigo Roman, Ludovic Rousseau, Markku-Juhani Saarinen, Radha Sampigethaya, Paolo Scotton, Elaine Shi, Sang Uk Shin, Diana Smetters, Miguel Soriano, Jessica Staddon, Ron Steinfeld, Reto Strobl, Hong-Wei Sun, Koutarou Suzuki, Vanessa Teague, Lawrence Teo, Ali Tosun, Johan Wallen, Guilin Wang, Huaxiong Wang, Yuji Watanabe, Yoo Jae Won, Yongdong Wu, Yeon Hyeong Yang, Tommy Guoming Yang, Sung Ho Yoo, Young Tae Youn, Dae Hyun Yum, Rui Zhang, Xinwen Zhang, Hong Zhao, Xi-Bin Zhao, Yunlei Zhao, Huafei Zhu 496 R Aditya et al Background In this section we recall decryption of a single ciphertext in threshold decryption schemes for simplicity Note that many schemes require decryption of many ciphertexts in threshold decryption 2.1 Threshold Decryption In a threshold decryption scheme, a secret is encrypted using some publickey encryption algorithm as The private decryption key is shared by using Shamir’s secret sharing scheme [17] among participants (decrypting authorities) for Each holds a a share of The ciphertext is partially decrypted by each as and later reconstructed using the decryption shares from the set S containing at least honest participants by Lagrange interpolation A verification function is used to determine honest participants Normally the verification key of participant contains a commitment to Threshold decryption is often employed in many crypto-based applications The two most commonly used are threshold versions of ElGamal and RSA algorithms E-auction and e-voting schemes employing them include [11,2,4,8,1, 16] 2.2 Threshold ElGamal Pedersen [14] presented a threshold ElGamal signature scheme It is straightforward to adjust the scheme into a threshold decryption protocol We recall the protocol as follows: Key generation and sharing: Randomly select a large prime such that is also a prime G is a cyclic subgroup in of order with a generator The private decryption key is while and is the public encryption key Using Shamir’s secret sharing scheme, let where and the rest of are random values For distribute the secret share to participants and each computes the verification key The parameters and are made public, while and are kept secret for Encryption: Select a random and encrypt a secret message as a pair where and Shared decryption: Each participant computes the decryption share and proves the knowledge of the secret share using non-interactive zero-knowledge that: Since is public, and can be publicly verified to be generators of G Batch Verification for Equality of Discrete Logarithms 497 Shares combining: Correct decryption share of is verified as proves the knowledge of shown in the previous step S is the set of more than participants providing correct shares The original message is reconstructed by computing where 2.3 Threshold RSA Shoup [18] presented a threshold version of RSA signature scheme, which can be adjusted to a threshold decryption scheme as shown by Fouque et al [11] We recall the scheme as follows: Key generation and sharing: Randomly select primes and such that and are strong primes Set N = pq and Select a prime and compute such that ed = mod N The public encryption key is while is the private decryption key Using Shamir’s secret sharing scheme, let where and random values for rest of For distribute the secret share to participants Randomly select a verification base in the cyclic group of squares in Each participant then computes the verification key The parameters and are made public, while and are kept secret, for Encryption: Encrypt a secret message as Shared decryption: Each participant computes the decryption share where and proves the knowledge of the secret share using non-interactive zeroknowledge that: Notice that as and are squares, Shoup argues that they are of order M with a large probability (accurately: Thus, the proof is assumed to be PEQDL in a group with a known order Shares combining: Correct decryption share of is verified as proves the knowledge of shown in the previous step S is the set of more than participants providing correct shares The original message is obtained by first calculating where Since is relatively prime to extended Euclidean algorithm can be applied to obtain and such that Therefore, is reconstructed as As in the original scheme [18,11], parameters in the key generation and sharing stage are generated by a trusted dealer The random verification base is trusted to be in the cyclic subgroup of squares in Therefore, and are 498 R Aditya et al squares in the group of As a result, when verification of Equation is performed to check the validity of the decryption share, it is guaranteed to be PEQDL in the same cyclic group with a large probability Batch Verification for Equality of Logarithms In many cryptographic applications as mentioned in the previous sections, normally there are many ciphertexts to be processed in threshold decryption This is illustrated in Figure For encrypted messages to be decrypted by authorities, one requires instances of PEQDL verifications of decryption share (participant decryption share from ciphertext Verification of correct shared decryption for every share is the greatest factor contributing to computational cost in a threshold decryption scheme Fig Threshold decryption of participants shares recovering secret messages ciphertexts mn decryption Techniques presented in [3], [5] and [12] only address batch verification for modular exponentiation However, tests in [3] can be modified and extended to batch verify PEQDL Hence, the efficiency of the threshold decryption scheme, as discussed in the previous paragraph, can be greatly improved This section presents two theorems on the modified SE test to batch verify PEQDL, i.e: verifying common exponent Batching verification of common base is also briefly discussed In Section 4, the theorems are used as a foundation to the applications proposed RS test randomly selects subsets of the instances to be verified in avoiding “bad pairs” This test is not sufficiently efficient, and thus is not discussed in this paper SE test introduces random small exponents on the instances, such that an attacker needs to guess the random values to produce an accepted incorrect batch This test is more suitable for our purpose and we modify this test on batch verification for PEQDL Bucket test forms groups of the instances to be batched, and performs random SE tests on them Our SE test can be extended naturally to Bucket test for batch verifying PEQDL However, the extension of SE test to Bucket test for batch verifying PEQDL is omitted for simplicity In the theorems below, we batch the verification of instances of PEQDL on one participant and omit the subscript Batch Verification for Equality of Discrete Logarithms 3.1 499 Batching PEQDL within the Same Cyclic Group Theorem provides the foundation for batching PEQDL within the same cyclic group Theorem For G is a cyclic group with as the smallest factor of ord(G), generators and and a security parameter where The small exponents are random strings, and If with a then probability (taken over choice of of no less than To prove Theorem 1, we first prove the following lemma: Lemma If given a definite set then there is only at most one satisfying where Proof (Lemma 1) If the lemma is incorrect, the following two equations are satisfied simultaneously where and Suppose we re-write the two previous equations as: Without losing generality, suppose equations to be or factor of ord(G) if Since This is contradictory to the assumption of we can simplify the previous two As is a therefore, or Proof (Theorem 1) Lemma means that among the possible combinations of for at most of them can satisfy when Therefore, given a random for if then with a probability of no more than is accepted 500 3.2 R Aditya et al Batching PEQDL in Different Cyclic Subgroup of In Theorem 1, there is a condition that for However, in some applications there is uncertainty of satisfaction on this condition, and additional computation is often required to verify the condition This is a problem ignored by Bellare et al [3] In reality, this extra computation is too expensive so that in many cases it prevents the applicability of Theorem To overcome this problem, Theorem is proposed This theorem does not require the pre-condition that the LHS and RHS of the batching equation be in the same cyclic subgroup of Theorem Suppose and are large primes, such that G, of order and generator is a cyclic multiplicative subgroup in For and is a security parameter satisfying and If then with a probability of no less than Due to space restrictions and similarity of Theorem and Theorem 1, we defer the proof for Theorem to the full version of the paper 3.3 Screening For ciphertexts processed in threshold decryption, the previous two theorems are suited to batch each verification of valid decryption shares produced by one participant Thus, if the batch verification fails, we can identify that particular participant to be dishonest This is examined in detail in Section and Section In this subsection, we briefly explain another type of batch verifying valid decryption shares using a common base (same ciphertexts, different participants) If there is only one message in the threshold decryption process we can slightly modify the two theorems above to verify valid decryption shares produced by all the participants together as: We call this technique ‘screening’ because it can only detect invalid decryption share(s), but is unable to identify the dishonest participant(s) However, divide and conquer, cut and choose, or binary search method [13] can be applied for identifying the bad decryption share(s), thus identifying the dishonest participant(s) Note that this technique only offers considerable performance increase if used in identifying dishonest participants in a large group (i.e: is large) Applications in Threshold Decryption In this section, we present the application of our batching theorems (Section 3) to batch verify threshold versions of two popular cryptosystems - threshold ElGamal and RSA We apply Theorem to batch verify threshold ElGamal, and Batch Verification for Equality of Discrete Logarithms 501 Theorem to batch verify threshold RSA The protocols presented in this section are based on Chaum-Pedersen [6] with a slight modification where the verifier randomly selects the small exponents on the first step 4.1 Batch Verification in ElGamal Theorem is suitable to batch verify threshold ElGamal as: with For threshold version of ElGamal, the group G is the subgroup of an order and and can easily be For checked by testing whether and are publicly verifiable by testing and The values (using the Legendre symbol as in [12]) This proves and to be generators of G, if and can be chosen randomly while still For satisfying According to Theorem 2, verification of PEQDL in threshold ElGamal (Equation 1) can be batched using SE test as: Fig Batch verification of valid decryption shares for threshold version of ElGamal cryptosystem 502 R Aditya et al Interactive batch verification protocol for threshold version of ElGamal is shown in Figure Using a hash function and employing the well-known FiatShamir heuristic [10], the protocol can be made non-interactive by producing the challenge using a collision-resistant hash function H, where and as follows: Producing the small exponents non-interactively requires a different scenario further explained in Section 5.2 We slightly extend the coin-flipping protocol for the participants to provide a shared source of randomness This is required in order to prevent a prover from cheating by trying multiple values until a suitable value is found The random values provided are then used to compute the small exponents using a collision-resistant hash function These are conducted during the shared decryption stage The protocol to produce the small exponents is shown in Figure and is detailed as below Each participant (prover) selects a random value commits to it using a suitable commitment function, e.g: a hash function as and publishes the commitment then produces and publishes their decryption share as Each participant The random value selected in the first step is then revealed by publishing it The random small exponents are then calculated using a collision-resistant hash function as: where and Fig Producing the small exponents non-interactively Note that the use of digital signature on the published values is required to authenticate them Non-interactively, each prover uses the same small exponents as opposed to using different values provided by the verifier for each prover in the interactive version The prover then publishes for public verification The verification process can be conducted publicly by calculating the small exponents and challenge as above, and checking: Batch Verification for Equality of Discrete Logarithms 503 Fig Batch verification of valid decryption shares for threshold version of RSA cryptosystem If all these are satisfied, the verification is accepted Otherwise, it fails We are only convinced that if there exists where and the batch verification can only be passed with negligible probability Namely, unless the batch verification will always fail Thus, our batch verification result is not yet satisfactory as may also satisfy our batch verification This will lead to incorrect decryption To fix this, the decryption requires one extra step, i.e: multiplying with (–1) when After is recovered through the threshold decryption procedure, we test if (using the Legendre symbol) If it is accepted, Otherwise, Then the original secret message is recovered as additional cost is only one exponentiation 4.2 The Batch Verification in RSA Theorem is applicable to batch the verification of RSA threshold decryption shares as: For threshold version of RSA cryptosystem, G is the cyclic group containing all the squares in with order the smallest factor of which is 504 R Aditya et al The value v is trusted to be a generator of squares in As is produced using and are squares that can be generated by the verifier, thus (cyclic subgroup of squares in The value of is a square, and is trusted to be squares in chosen by the trusted dealer Therefore, both Thus, and are generators of G (see [18]) with a very large probability For and can be chosen randomly while still satisfying According to Theorem 1, SE test can be implemented as the following: Interactive batch verification for threshold version of RSA is shown in Figure Where A × ord(G) is much smaller than N, the challenge must be chosen in [0, A) such that the shared secret key is statistically hidden in the response as in [15,2] Analysis in [15] suggests the minimum size of the challenge to be 80 bits, and 128 bits for more secure applications Using a hash function and employing the well-known Fiat-Shamir heuristic, the protocol is made non-interactive similar to the previous section The prover produces the small exponents as shown in the previous section (Figure 3), and produces the challenge using a collision-resistant hash function H, where and similar to the previous section as follows: The prover then publishes for public verification The verification process can be conducted publicly by calculating the small exponents and challenge as above, and checking: If all these are satisfied, the verification is accepted Otherwise, it fails Unlike in threshold ElGamal, extra verification to ensure that decryption shares passing the batch verification are not is not necessary This is because decryption shares are explicitly squared in the share combining phase to reconstruct the secret message Security Analysis 5.1 Completeness Completeness of each of the two protocols in Section is straight-forward This is because if the batch verification equations in the two protocols are correct, they output positive results Batch Verification for Equality of Discrete Logarithms 5.2 505 Soundness The two protocols in Section are very similar They are based on ChaumPedersen’s protocol We slightly modify the protocol where the verifier randomly selects the small exponents at the beginning of the protocol run The proof of soundness for the protocols follows from Chaum-Pedersen’s scheme as they are essentially the same The small exponents are chosen randomly in a very similar manner to choosing the random challenge Given the same random small exponents and commitments, no matter which challenge is chosen, the prover reveals no other information than the fact that the discrete logarithms of the verification key to the base of verification base equals the discrete logarithms of the product of the decryption shares to the base of the product of the ciphertexts (Equation and 4) In the interactive version, the probability for a prover to cheat is negligible It is not feasible to forge the decryption shares where the verification is accepted without the knowledge of the share decryption key Also, where the prover indeed holds the decryption key share, the probability of producing bad decryption shares where the verification is accepted is also negligible This is because the small exponents and challenge are chosen randomly by the verifier For example, in batching the verification of correct ElGamal decryption shares, the probability of a prover guessing a correct random small exponent and challenge, and the verification is accepted is In the non-interactive version, we also follow Chaum-Pedersen’s protocol with a slight addition in choosing the random small exponents (Figure 3) based on the coin-flipping protocol We avoid the use of a hash function with the input (the decryption share chosen by a single prover to compute the small exponents This is because it might be possible for a dishonest participant to try fixing the decryption share(s) and produce the small exponents, such that the verification is accepted and the share combining fails A distributed source of randomness (based on the coin-flipping protocol) is required as the small exponents are only of length where is small The probability of a prover forging his decryption share and fixing the small exponent share is negligible This is because the prover is required to commit to the random share first before publishing his decryption share, and the small exponents are produced by hashing the combined random shares (common reference string) of all the participants As a collision-resistant hash function is used to produce the small exponents, a prover can only attempt to forge his decryption share if all the participants collude The rest of the protocol is a [7], and thus has a special soundness property as proven in [7] The proof of soundness for the batching operation has been proven in Section 3.1 and Section 3.2 5.3 Error Probability In any of the two batch verification protocols presented, the probability that a dishonest participant is discovered is overwhelmingly large as the following: 506 R Aditya et al As indicated by Theorem 1, the probability that the batch verification equation is satisfied given incorrect share decryption(s) is As the prover has to guess the challenge at random, the probability that the batch verification test is accepted where the batch verification equation is not satisfied is Therefore, the probability that the batch verification is not accepted given incorrect share decryption is As is very small, e.g: the probability that a dishonest participant being undetected given incorrect share decryption(s) is approximately Efficiency Analysis Most schemes employing threshold decryption take the decryption process for granted For example, in the mixnet scheme by Boneh and Golle [4], they focus on improving the efficiency of correct mixing operation and only mention the use of threshold decryption Using our result, the overall performance of the mixnet scheme can be greatly improved We follow Bellare et al in measuring the cost of our algorithms, where denotes the time to compute exponentiations in a common base with different exponents of the same length The computational cost comparison of naive verification against interactive batch verification for threshold versions of two popular cryptosystems - ElGamal and RSA - is summarised in Table in terms of the number of modular multiplications required Suppose and Table also illustrates an example of verifying valid decryption shares from 50 ciphertexts for 10 participants where the length of the integers involved is 1024 bits and the acceptable error is Implemented in the mixnet of Boneh and Golle, our result offers a great reduction of the computational cost in the threshold decryption phase of the shuffled ciphertexts to be decrypted in the final phase of mixnet The performance increase in Table is calculated based on the difference of modular multiplication required in the naive and batch version According to Table 1, it is estimated that performance increase when batch verification is employed would be about 97% Our results offer better proving and verification performance, while the probability of an invalid decryption share being accepted is no more than When increases, the computational verification cost saved by using our scheme also increases Conclusion The SE test by Bellare et al is originally designed to batch verify modular exponentiations in the context of signature verification We modified and extended the scheme to batch verify PEQDL in the context of threshold decryption Batch Verification for Equality of Discrete Logarithms 507 The scheme presented in this paper greatly improves the efficiency of identifying correct decryption shares (honest participants) with an overwhelmingly high probability when a large number of ciphertexts are involved The bucket test by Bellare et al (a variant of SE test) can similarly be modified and extended to achieve better efficiency It is quite straight-forward to apply the scheme to batch verify decryption shares in threshold version of Paillier cryptosystem [9], similar to that of threshold version of RSA Due to space constraints, we provide the application in the full version of this paper Our scheme can easily be implemented in cryptographic applications employing threshold decryption in lowering their computational cost This offers great performance benefit to various applications requiring verification of many PEQDLs, such as in secure e-auction or e-voting schemes Acknowledgements We acknowledge the support of the Australian government through ARC Discovery 2002, Grant No: DP0211390; ARC Discovery 2003, Grant No: DP0345458; and ARC Linkage International fellowship 2003, Grant No: LX0346868 References l Masayuki Abe and Koutarou Suzuki M+1-st price auction using homomorphic encryption In Public Key Cryptography—PKC 02, pages 115–124, 2002 Olivier Baudron, Pierre-Alain Fouque, David Pointcheval, Jacques Stern, and Guillaume Poupard Practical multi-candidate election system In Twentieth Annual ACM Symposium on Principles of Distributed Computing, pages 274–283, 2001 508 R Aditya et al Mihir Bellare, Juan A Garay, and Tal Rabin Fast batch verification for modular exponentiation and digital signatures In Advances in Cryptology— EUROCRYPT 98, pages 236–250, 1998 Dan Boneh and Philipe Golle Almost entirely correct mixing with applications to voting In ACM Conference on Computer and Communications Security—CCS 02, pages 68–77, 2002 Colin Boyd and Chris Pavlovski Attacking and repairing batch verification schemes In Advances in Cryptology—ASIACRYPT 00, pages 58–71, 2000 David Chaum and Torben Pryds Pedersen Wallet databases with observers In Advances in Cryptology—CRYPTO 92, pages 89–105, 1993 Ronald Cramer and Ivan Damgård Secure signature schemes based on interactive protocols In Advances in Cryptology—CRYPTO 95, pages 297–310, 1995 Ronald Cramer, Rosario Gennaro, and Berry Schoenmakers A secure and optimally efficient multi-authority election scheme In Advances in Cryptology— EUROCRYPT 97, pages 103–118, 1997 Ivan Damgaård and Mats Jurik A generalisation, a simplification and some applications of paillier’s probabilistic public-key system In Public Key Cryptography— PKC 01, pages 119–136, 2001 10 Amos Fiat and Adi Shamir How to prove yourself: Practical solutions to identification and signature problems In Advances in Cryptology—CRYPTO 86, pages 186–194, 1986 11 Pierre-Alain Fouque, Guillaume Poupard, and Jacques Stern Sharing decryption in the context of voting or lotteries In Financial Cryptology—FC 00, pages 90–104, 2000 12 Fumitaka Hoshino, Masayuki Abe, and Tetsutaro Kobayashi Lenient/strict batch verification in several groups In Information Security, 4th International Conference, ISC 01, pages 81–94, 2001 13 Jaroslaw Pastuszak, Dariusz Michatek, Josef Pieprzyk, and Jennifer Seberry Identification of bad signatures in batches In Public Key Cryptography—PKC 00, pages 28–45, 2000 14 Torben P Pedersen Non-interactive and information-theoretic secure verifiable secret sharing In Advances in Cryptology—CRYPTO 91, pages 129–140, 1992 15 Guillaume Poupard and Jacques Stern On the fly signatures based on factoring In ACM Conference on Computer and Communications Security—CCS 99, pages 37–45, 1999 16 Kazue Sako An auction protocol which hides bids of losers In Public Key Cryptography—PKC 00, pages 422–432, 2000 17 Adi Shamir How to share a secret Communications of the ACM, 22(11):612–613, November 1979 18 Victor Shoup Practical threshold signatures In Advances in Cryptology— EUROCRYPT 00, pages 207–220, 2000 Author Index Aditya, Riza 494 Bao, Feng 303,369 Barua, Rana 479 Boyd, Colin 248,494 Boyd, Stephen W 292 Cai, Shengwen Chen, Xiaofeng Choi, TaeKyu Curtis, Nathan 439 135 278 205 Dawson, Ed 494 Deng, Robert H 369 Feng, Dengguo 303 Frincke, Deborah 452 Lai, Haiguang 439 Lee, Byoungcheon 494 Lee, ByungKwon 278 Lee, C.H 180 Lee, Dong Hoon 220 Lee, Hyung-Woo 426 Li, Hui 439 Li, Shiqu 194 Locasto, Michael E Mao, Wenbo 248 Matsunaka, Takashi 310 McCarty, Joe 263 Mishra, Pradeep Kumar 479 Misra, Vishal 120 Miyaji, Atsuko 164,310 Mu, Yi 149 Mueller-Quade, Joern 355 Goi, Bok-Min 369 Golle, Philippe 31 Groth, Jens 46 Nascimento, Anderson C.A Nguyen, Lan 61 Han, Dong-Guk 398 Hanaoka, Goichiro 76, 355 Huang, Hao 439 Hwang, Yoon Sung 398 Okeya, Katsuyuki 383, 398 Oorschot, Paul C van 103 Oprea, Alina 16 Otsuka, Akira 355 Imai, Hideki 76, 355 Inoue, Daisuke 339 Ioannidis, John 120 Jeong, Ik Rae 220 Jeun, InKyoung 278 Jung, Souhwan 398 Kanso, Ali A 326 Katz, Jonathan 220 Keromytis, Angelos D 1, 120, 292 Kim, Kwangjo 135 Kim, Tae Hyun 398 Kinast, John A 263 Kissner, Lea 16 Kranakis, Evangelos 103 Kuang, BaiJie 467 Kuroda, Masahiro 339 Kurosawa, Kaoru 61 Park, BaeHyo 278 Park, Jongwook 278 Park, SangWan 278 Park, Young-Ho 398 Paterson, Kenneth G 248 Peltonen, Antti 91 Peng, Kun 494 Phan, Raphael C.-W 369 Reiter, Michael K 16 Rubenstein, Dan 120 Safavi-Naini, Rei 61,205 Sarkar, Palash 479 Shin, YongSup 278 Siddiqi, M.U 369 Song, Dawn 16 Staddon, Jessica 31 Stavrou, Angelos 120 Susilo, Willy 149, 205 355 510 Author Index Takagi, Tsuyoshi 383 Takano, Yuuki 310 Turtiainen, Esa 91 Umeda, Kozue Yang, Ke 16 Yang, Yanjiang Yu, Dong 452 369 164 Virtanen, Teemupekka 91 Wan, Tao 103 Wang, Jie 414 Wang, Shuhong 414 Waters, Brent 31 Wright, Andrew K 263 Wu, Hongjun 303 Xie, Junyuan 439 Xu, Maozhi 414 Zhang, Bin 303 Zhang, Fangguo 135 Zhang, Muxiang 233 Zhang, Rui 76 Zhang, Weiming 194 Zhang, YaJuan 467 Zhao, Yiming 180 Zhao, Yunlei 180 Zhu, Hong 180 Zhu, YueFei 467 ... Applied Cryptography and Network Security Second International Conference, ACNS 2004 Yellow Mountain, China, June 8-1 1, 2004 Proceedings Springer eBook ISBN: Print ISBN: 3-5 4 0-2 485 2-8 3-5 4 0-2 221 7-0 ... The second International Conference on Applied Cryptography and Network Security (ACNS 2004) was sponsored and organized by ICISA (the International Communications and Information Security Association)... conference April 2004 Markus Jakobsson and Moti Yung ACNS 2004 Second International Conference on Applied Cryptography and Network Security Yellow Mountain, China June 8–11, 2004 Sponsored and