Journal of Cryptology, Volume 28, Issue 4, pp 796–819

Spreading Alerts Quietly and the Subgroup Escape Problem

  • James Aspnes
  • Zoë Diamadi
  • Aleksandr Yampolskiy
  • Kristian Gjøsteen
  • René Peralta

Abstract

We introduce a new cryptographic primitive called a blind coupon mechanism (BCM). In effect, a BCM is an authenticated bit commitment scheme that is AND-homomorphic. We show that a BCM has natural and important applications. In particular, we use it to construct a mechanism for transmitting alerts undetectably in a message-passing system of \(n\) nodes. Our algorithms allow an alert to propagate quickly to all nodes without its source, or even its existence, being detected by an adversary who controls all message traffic. Our proofs of security are based on a new subgroup escape problem, which appears to be hard on certain groups with bilinear pairings and on elliptic curves over the ring \({\mathbb {Z}}_n\).

Keywords

Blind coupon mechanism; AND-homomorphic bit commitment; Subgroup escape problem; Elliptic curves over composite moduli; Anonymous communication; Intrusion detection


Acknowledgments

We are grateful to Yevgeniy Dodis for his helpful comments regarding this work. We also acknowledge the helpful comments of anonymous referees.



Copyright information

© International Association for Cryptologic Research 2014

Authors and Affiliations

  • James Aspnes, Department of Computer Science, Yale University, New Haven, USA
  • Zoë Diamadi, LinkedIn Corporation, Mountain View, CA, USA
  • Aleksandr Yampolskiy, Security Scorecard Inc., New York, NY
  • Kristian Gjøsteen, Department of Mathematical Sciences, Norwegian University of Science and Technology, Trondheim, Norway
  • René Peralta, National Institute of Standards and Technology, Gaithersburg, USA
