2009 Reports : Cryptology ePrint Archive Forum
Discussion forum for Cryptology ePrint Archive reports posted in 2009.
Please put the report number in the subject.
2009/424
Posted by: m.kiraz (IP Logged)
Date: 19 March 2010 12:04
Dear Authors of 2009/424,
I have two problems to be answered! I will try to be more precise in this email.
About the first problem (page 11):
There is a sentence on page 11: "In our scheme the certification of the voters also contains g_^IDv mod nCA in which IDv is the identi er of the voter which is chosen by CA in Z_q."
In the second step of the first phase (page 11, obtaining a voting ticket) AS checks the validity of I by using the Cert_V. With the sentence above you can only check that the validity of I=[g_0^(ID_v)]^(d_CA) whether it is signed by CA by simply using the public key of CA (since it is signed). For example, I can take your signed value (imitating like mine) and send it to AS. In this way, AS will not stop the protocol. Also, from the sentence above you can see that the certification contains X= g_1^(ID_v) mod n_CA. The most important thing here is to prove that the identifier inside I and X are equal to each other (namely equal to ID_v). In other words, there must be a zero knowledge proof which shows the equality of identifiers inside I and X. As far as I know this is not related to certification.
About the second problem (page 12):
Please see the first step of the second phase (page12, voting and collecting tickets): how can the voter compute r_0 without knowledge of ID_v in equation (20) (on page 12)? In other words, if only CA knows ID_v then how can the voter computer the equation 20??
I hope the explanations here are clear enough. Waiting for a reply!
Best regards,
Mehmet
I have two problems to be answered! I will try to be more precise in this email.
About the first problem (page 11):
There is a sentence on page 11: "In our scheme the certification of the voters also contains g_^IDv mod nCA in which IDv is the identi er of the voter which is chosen by CA in Z_q."
In the second step of the first phase (page 11, obtaining a voting ticket) AS checks the validity of I by using the Cert_V. With the sentence above you can only check that the validity of I=[g_0^(ID_v)]^(d_CA) whether it is signed by CA by simply using the public key of CA (since it is signed). For example, I can take your signed value (imitating like mine) and send it to AS. In this way, AS will not stop the protocol. Also, from the sentence above you can see that the certification contains X= g_1^(ID_v) mod n_CA. The most important thing here is to prove that the identifier inside I and X are equal to each other (namely equal to ID_v). In other words, there must be a zero knowledge proof which shows the equality of identifiers inside I and X. As far as I know this is not related to certification.
About the second problem (page 12):
Please see the first step of the second phase (page12, voting and collecting tickets): how can the voter compute r_0 without knowledge of ID_v in equation (20) (on page 12)? In other words, if only CA knows ID_v then how can the voter computer the equation 20??
I hope the explanations here are clear enough. Waiting for a reply!
Best regards,
Mehmet
Re: 2009/424
Posted by: m.kiraz (IP Logged)
Date: 24 March 2010 12:02
Dear Vahid & Yaser
Let me continue asking for further questions: You say that the security of your protocol comes from the security of Okamoto's protocol.
Note that in the first phase CA sends Cert_v, a, I, (u_1,u_2)^(e_AS) to the Voter. It is like the first phase of Okamoto's protocol (namely, signer sends a): Therefore, CA looks like Signer and Voter looks like User here.
However, in the second step the Voter sends [c, Cert_V, I, (u_1,u_2)^(e_AS) ]^(e_AS) to AS. This part now looks like the second step of Okamoto's protocol (namely, User sends c). After that AS computes re_1 = u_1+cx_1 mod q, re_2 = u_2+cx_2 mod q. Check now that the Voter is User and AS is Signer. The roles are changed and overlapped. That's really strange since CA was signer above. Therefore, who knows x_1 and x_2 ??? is CA=AS?? In your scheme: CA---> V ----> AS ---->V ----> VS. It is not like Okamoto's protocol as there are only two parties there, Signer and User.
Finally, are x_1, x_2's used for only a voter or re-generated for every voter??
Hope to hear you soon.
Best
Mehmet
Let me continue asking for further questions: You say that the security of your protocol comes from the security of Okamoto's protocol.
Note that in the first phase CA sends Cert_v, a, I, (u_1,u_2)^(e_AS) to the Voter. It is like the first phase of Okamoto's protocol (namely, signer sends a): Therefore, CA looks like Signer and Voter looks like User here.
However, in the second step the Voter sends [c, Cert_V, I, (u_1,u_2)^(e_AS) ]^(e_AS) to AS. This part now looks like the second step of Okamoto's protocol (namely, User sends c). After that AS computes re_1 = u_1+cx_1 mod q, re_2 = u_2+cx_2 mod q. Check now that the Voter is User and AS is Signer. The roles are changed and overlapped. That's really strange since CA was signer above. Therefore, who knows x_1 and x_2 ??? is CA=AS?? In your scheme: CA---> V ----> AS ---->V ----> VS. It is not like Okamoto's protocol as there are only two parties there, Signer and User.
Finally, are x_1, x_2's used for only a voter or re-generated for every voter??
Hope to hear you soon.
Best
Mehmet
Re: 2009/424
Posted by: m.kiraz (IP Logged)
Date: 05 April 2010 13:45
Hey guys,
I think your paper has quite a lot of errors. Therefore, I will not read anymore since it becomes rubbish.
Last issue on your paper is as follows:
See the security analysis of Rodriguez et al. In the last paragraph it says "Certainly, the DSA/RSA based scheme described in Section 4 can still be attacked by a corrupted AS as described in Section 3.4.1. However, our DSA solution can be adapted to be used in both, Hwang et al. and Yang et al. schemes, thus preventing that attack".
That means your attack to this paper is completely wrong since they don't claim that they fixed that part. I think you have not understood their paper..
Best regards
Mehmet
I think your paper has quite a lot of errors. Therefore, I will not read anymore since it becomes rubbish.
Last issue on your paper is as follows:
See the security analysis of Rodriguez et al. In the last paragraph it says "Certainly, the DSA/RSA based scheme described in Section 4 can still be attacked by a corrupted AS as described in Section 3.4.1. However, our DSA solution can be adapted to be used in both, Hwang et al. and Yang et al. schemes, thus preventing that attack".
That means your attack to this paper is completely wrong since they don't claim that they fixed that part. I think you have not understood their paper..
Best regards
Mehmet
Please log in for posting a message. Only registered users may post in this forum.