## CryptoDB

### Jan Camenisch

#### Affiliation: IBM Research - Zurich, Switzerland

#### Publications

**Year**

**Venue**

**Title**

2019

ASIACRYPT

iUC: Flexible Universal Composability Made Simple
Abstract

Proving the security of complex protocols is a crucial and very challenging task. A widely used approach for reasoning about such protocols in a modular way is universal composability. A perfect model for universal composability should provide a sound basis for formal proofs and be very flexible in order to allow for modeling a multitude of different protocols. It should also be easy to use, including useful design conventions for repetitive modeling aspects, such as corruption, parties, sessions, and subroutine relationships, such that protocol designers can focus on the core logic of their protocols. While many models for universal composability exist, including the UC, GNUC, and IITM models, none of them has achieved this ideal goal yet. As a result, protocols cannot be modeled faithfully and/or using these models is a burden rather than a help, often even leading to underspecified protocols and formally incorrect proofs. Given this dire state of affairs, the goal of this work is to provide a framework for universal composability which combines soundness, flexibility, and usability in an unmatched way. Developing such a security framework is a very difficult and delicate task, as the long history of frameworks for universal composability shows. We build our framework, called iUC, on top of the IITM model, which already provides soundness and flexibility while lacking sufficient usability. At the core of iUC is a single simple template for specifying essentially arbitrary protocols in a convenient, formally precise, and flexible way. We illustrate the main features of our framework with example functionalities and realizations.

2019

JOFC

On the Impossibility of Structure-Preserving Deterministic Primitives
Abstract

In structure-preserving cryptography over bilinear groups, cryptographic schemes are restricted to exchange group elements only, and their correctness must be verifiable only by evaluating pairing product equations. Several primitives, such as structure-preserving signatures, commitments, and encryption schemes, have been proposed. Although deterministic primitives, such as verifiable pseudorandom functions or verifiable unpredictable functions, play an important role in the construction of cryptographic protocols, no structure-preserving realizations of them are known. This is not coincident: In this paper, we show that it is impossible to construct algebraic structure-preserving deterministic primitives that provide provability, uniqueness, and unpredictability. This includes verifiable random functions, unique signatures, and verifiable unpredictable functions as special cases. The restriction of structure-preserving primitives to be algebraic is natural, otherwise it would not be known how to verify correctness only by evaluating pairing product equations. We further extend our negative result to pseudorandom functions and deterministic public key encryption as well as non-strictly structure-preserving primitives, where target group elements are also allowed in their ranges and public keys.

2017

PKC

2016

CRYPTO

2015

EPRINT

2015

ASIACRYPT

2014

CRYPTO

2014

EPRINT

2014

ASIACRYPT

2012

JOFC

Batch Verification of Short Signatures
Abstract

With computer networks spreading into a variety of new environments, the need to authenticate and secure communication grows. Many of these new environments have particular requirements on the applicable cryptographic primitives. For instance, a frequent requirement is that the communication overhead inflicted be small and that many messages be processable at the same time. In this paper, we consider the suitability of public key signatures in the latter scenario. That is, we consider (1) signatures that are short and (2) cases where many signatures from (possibly) different signers on (possibly) different messages can be verified quickly. Prior work focused almost exclusively on batching signatures from the same signer. We propose the first batch verifier for messages from many (certified) signers without random oracles and with a verification time where the dominant operation is independent of the number of signatures to verify. We further propose a new signature scheme with very short signatures, for which batch verification for many signers is also highly efficient. Combining our new signatures with the best known techniques for batching certificates from the same authority, we get a fast batch verifier for certificates and messages combined. Although our new signature scheme has some restrictions, it is very efficient and still practical for some communication applications.

2010

EPRINT

Privacy-friendly Incentives and their Application to Wikipedia (Extended Version)
Abstract

Double-blind peer review is a powerful method to achieve high quality and thus trustworthiness of user-contributed content. Facilitating such reviews requires incentives as well as privacy protection for the reviewers. In this paper, we present the concept of privacy-friendly incentives and discuss the properties required from it. We then propose a concrete cryptographic realization based on ideas from anonymous e-cash and credential systems. Finally, we report on our software's integration into the MediaWiki software.

2010

EPRINT

Credential Authenticated Identification and Key Exchange
Abstract

Secure two-party authentication and key exchange are fundamental problems. Traditionally, the parties authenticate each other by means of their identities, using a public-key infrastructure (PKI). However, this is not always feasible or desirable: an appropriate PKI may not be available, or the parties may want to remain anonymous, and not reveal their identities. To address these needs, we introduce the notions of credential-authenticated identification (CAID) and key exchange (CAKE), where the compatibility of the parties' *credentials* is the criterion for authentication, rather than the parties' *identities* relative to some PKI. We formalize CAID and CAKE in the universal composability (UC) framework, with natural ideal functionalities, and we give practical, modularly designed protocol realizations. We prove all our protocols UC-secure in the adaptive corruption model with erasures, assuming a common reference string (CRS). The proofs are based on standard cryptographic assumptions and do not rely on random oracles. CAKE includes password-authenticated key exchange (PAKE) as a special case, and we present two new PAKE protocols. The first one is interesting in that it uses completely different techniques than known practical PAKE protocols, and also achieves UC-security in the adaptive corruption model with erasures; the second one is the first practical PAKE protocol that provides a meaningful form of resilience against server compromise without relying on random oracles.

2009

EUROCRYPT

2009

EPRINT

On the Portability of Generalized Schnorr Proofs
Abstract

The notion of Zero Knowledge Proofs (of knowledge) [ZKP] is central to cryptography; it provides a set of security properties that proved indispensable in concrete protocol design. These properties are defined for any given input and also for any auxiliary verifier private state, as they are aimed at any use of the protocol as a subroutine in a bigger application. Many times, however, moving the theoretical notion to practical designs has been quite problematic. This is due to the fact that the most efficient protocols fail to provide the above ZKP properties *for all* possible inputs and verifier states. This situation has created various problems to protocol designers who have often either introduced imperfect protocols with mistakes or with lack of security arguments, or they have been forced to use much less efficient protocols in order to achieve the required properties. In this work we address this issue by introducing the notion of "protocol portability," a property that identifies input and verifier state distributions under which a protocol becomes a ZKP when called as a subroutine in a sequential execution of a larger application. We then concentrate on the very efficient and heavily employed "Generalized Schnorr Proofs" (GSP) and identify the portability of such protocols. We also point to previous protocol weaknesses and errors that have been made in numerous applications throughout the years, due to employment of GSP instances while lacking the notion of portability (primarily in the case of unknown order groups). This demonstrates that cryptographic application designers who care about efficiency need to consider our notion carefully.
We provide a compact specification language for GSP protocols that protocol designers can employ. Our specification language is consistent with the ad-hoc notation that is currently widely used and it offers automatic derivation of the proof protocol while dictating its portability (i.e., the proper initial state and inputs) and its security guarantees. Thus, our language specifications can be used modularly in designs and proofs. This assures that the protocol implementation can indeed be used as a subroutine that is ZKP in its context.
Finally, as a second alternative to designers wishing to use GSPs, we present a modification of GSP protocols that is unconditionally portable (i.e., ZKP) and is still quite efficient. Our constructions are the first such protocols proven secure in the standard model (while the previously known efficient constructions relied on the Random Oracle model).

2008

EPRINT

Simulatable Adaptive Oblivious Transfer
Abstract

We study an adaptive variant of oblivious transfer in which a sender has N messages, of which a receiver can adaptively choose to receive k one-after-the-other, in such a way that (a) the sender learns nothing about the receiver's selections, and (b) the receiver only learns about the k requested messages. We propose two practical protocols for this primitive that achieve a stronger security notion than previous schemes with comparable efficiency. In particular, by requiring full simulatability for both sender and receiver security, our notion prohibits a subtle selective-failure attack not addressed by the security notions achieved by previous practical schemes.
Our first protocol is a very efficient generic construction from unique blind signatures in the random oracle model. The second construction does not assume random oracles, but achieves remarkable efficiency with only a constant number of group elements sent during each transfer. This second construction uses novel techniques for building efficient simulatable protocols.

2008

EPRINT

Delegatable Anonymous Credentials
Abstract

We construct an efficient delegatable anonymous credential system. Users can anonymously and unlinkably obtain credentials from any authority, delegate their credentials to other users, and prove possession of a credential $L$ levels away from the given authority. The size of the proof (and time to compute it) is $O(Lk)$, where $k$ is the security parameter. The only other construction of delegatable anonymous credentials (Chase and Lysyanskaya, Crypto 2006) relies on general non-interactive proofs for NP-complete languages of size $k \Omega(2^{L})$.
We revise the entire approach to constructing anonymous credentials and identify *randomizable* zero-knowledge proof of knowledge systems as the key building block. We formally define the notion of randomizable non-interactive zero-knowledge proofs, and give the first construction by showing how to appropriately rerandomize Groth and Sahai (Eurocrypt 2008) proofs. We show that such proof systems, in combination with an appropriate authentication scheme and a few other protocols, allow us to construct delegatable anonymous credentials. Finally, we instantiate these building blocks under appropriate assumptions about groups with bilinear maps.

2008

EPRINT

An Accumulator Based on Bilinear Maps and Efficient Revocation for Anonymous Credentials
Abstract

The success of electronic authentication systems, be it e-ID card systems or Internet authentication systems such as CardSpace, highly depends on the provided level of user-privacy. Thereby, an important requirement is an efficient means for revocation of the authentication credentials. In this paper we consider the problem of revocation for certificate-based privacy-protecting authentication systems. To date, the most efficient solutions for revocation for such systems are based on cryptographic accumulators. Here, an accumulate of all currently valid certificates is published regularly and each user holds a *witness* enabling her to prove the validity of her (anonymous) credential while retaining anonymity. Unfortunately, the users' witnesses must be updated at least each time a credential is revoked. For the known solutions, these updates are computationally very expensive for users and/or certificate issuers which is very problematic as revocation is a frequent event as practice shows.
In this paper, we propose a new dynamic accumulator scheme based on bilinear maps and show how to apply it to the problem of revocation of anonymous credentials. In the resulting scheme, proving a credential's validity and updating witnesses both come at (virtually) no cost for credential owners and verifiers. In particular, updating a witness requires the issuer to do only one multiplication per addition or revocation of a credential and can also be delegated to untrusted entities from which a user could just retrieve the updated witness. We believe that thereby we provide the first authentication system offering privacy protection suitable for implementation with electronic tokens such as eID cards or drivers' licenses.

2008

EPRINT

A public key encryption scheme secure against key dependent chosen plaintext and adaptive chosen ciphertext attacks
Abstract

Recently, at Crypto 2008, Boneh, Halevi, Hamburg, and Ostrovsky (BHHO) solved the long-standing open problem of "circular encryption," by presenting a public key encryption scheme and proving that it is semantically secure against key dependent chosen plaintext attack (KDM-CPA security) under standard assumptions (and without resorting to random oracles). However, they left as an open problem that of designing an encryption scheme that *simultaneously* provides security against both key dependent chosen plaintext *and* adaptive chosen ciphertext attack (KDM-CCA2 security). In this paper, we solve this problem. First, we show that by applying the Naor-Yung "double encryption" paradigm, one can combine any KDM-CPA secure scheme with any (ordinary) CCA2 secure scheme, along with an appropriate non-interactive zero-knowledge proof, to obtain a KDM-CCA2 secure scheme. Second, we give a concrete instantiation that makes use of the above KDM-CPA secure scheme of BHHO, along with a generalization of the Cramer-Shoup CCA2 secure encryption scheme, and recently developed pairing-based NIZK proof systems. This instantiation increases the complexity of the BHHO scheme by just a small constant factor.

2008

EPRINT

Automatic Generation of Sound Zero-Knowledge Protocols
Abstract

Efficient zero-knowledge proofs of knowledge (ZK-PoK) are basic building blocks of many practical cryptographic applications such as identification schemes, group signatures, and secure multiparty computation. Currently, first applications that essentially rely on ZK-POKs are being deployed in the real world. The most prominent example is Direct Anonymous Attestation (DAA), which was adopted by the Trusted Computing Group (TCG) and implemented as one of the functionalities of the cryptographic chip Trusted Platform Module (TPM).
Implementing systems using ZK-PoK turns out to be challenging, since ZK-PoK are, loosely speaking, significantly more complex than standard crypto primitives, such as encryption and signature schemes. As a result, implementation cycles of ZK-PoK are time-consuming and error-prone, in particular for developers with minor or no cryptographic skills.
To overcome these challenges, we have designed and implemented a compiler with corresponding languages that given a high-level ZK-PoK protocol specification automatically generates a sound implementation of this. The output is given in form of $\Sigma$-protocols, which are the most efficient protocols for ZK-PoK currently known. Our compiler translates ZK-PoK protocol specifications, written in a high-level protocol description language, into Java code or LaTeX documentation of the protocol.
The compiler is based on a unified theoretical framework that encompasses a large number of existing ZK-PoK techniques. Within this framework we present a new efficient ZK-PoK protocol for exponentiation homomorphisms in hidden order groups. Our protocol overcomes several limitations of the existing proof techniques.

2007

EPRINT

Batch Verification of Short Signatures
Abstract

With computer networks spreading into a variety of new environments, the need to authenticate and secure communication grows. Many of these new environments have particular requirements on the applicable cryptographic primitives. For instance, several applications require that communication overhead be small and that many messages be processed at the same time. In this paper we consider the suitability of public key signatures in the latter scenario. That is, we consider signatures that are 1) short and 2) where many signatures from (possibly) different signers on (possibly) different messages can be verified quickly. Prior work focused almost exclusively on batching signatures from the same signer.
We propose the first batch verifier for messages from many (certified) signers without random oracles and with a verification time where the dominant operation is independent of the number of signatures to verify. We further propose a new signature scheme with very short signatures, for which batch verification for many signers is also highly efficient. Combining our new signatures with the best known techniques for batching certificates from the same authority, we get a fast batch verifier for certificates and messages combined. Although our new signature scheme has some restrictions, it is very efficient and still practical for some communication applications.

2006

EPRINT

Remarks on "Analysis of One Popular Group Signature Scheme" in Asiacrypt 2006
Abstract

In [Cao], a putative framing "attack" against the ACJT group signature scheme [ACJT00] is presented. This note shows that the attack framework considered in [Cao] is *invalid*. As we clearly illustrate, there is **no security weakness** in the ACJT group signature scheme as long as all the detailed specifications in [ACJT00] are being followed.

2006

EPRINT

How to Win the Clone Wars: Efficient Periodic n-Times Anonymous Authentication
Abstract

We create a credential system that lets a user anonymously authenticate at most $n$ times in a single time period. A user withdraws a dispenser of $n$ e-tokens. She shows an e-token to a verifier to authenticate herself; each e-token can be used only once, however, the dispenser automatically refreshes every time period. The only prior solution to this problem, due to Damgård et al. [DDP05], uses protocols that are a factor of $k$ slower for the user and verifier, where $k$ is the security parameter. Damgård et al. also only support one authentication per time period, while we support $n$. Because our construction is based on e-cash, we can use existing techniques to identify a cheating user, trace all of her e-tokens, and revoke her dispensers. We also offer a new anonymity service: glitch protection for basically honest users who (occasionally) reuse e-tokens. The verifier can always recognize a reused e-token; however, we preserve the anonymity of users who do not reuse e-tokens too often.

2005

PKC

2005

EPRINT

Compact E-Cash
Abstract

This paper presents efficient off-line anonymous e-cash schemes where a user can withdraw a wallet containing 2^l coins each of which she can spend unlinkably. Our first result is a scheme, secure under the strong RSA and the y-DDHI assumptions, where the complexity of the withdrawal and spend operations is O(l+k) and the user's wallet can be stored using O(l+k) bits, where k is a security parameter. The best previously known schemes require at least one of these complexities to be O(2^l k). In fact, compared to previous e-cash schemes, our whole wallet of 2^l coins has about the same size as one coin in these schemes. Our scheme also offers exculpability of users, that is, the bank can prove to third parties that a user has double-spent.
We then extend our scheme to our second result, the first e-cash scheme that provides traceable coins without a trusted third party. That is, once a user has double spent one of the 2^l coins in her wallet, all her spendings of these coins can be traced. We present two alternate constructions. One construction shares the same complexities with our first result but requires a strong bilinear map assumption that is only conjectured to hold on MNT curves. The second construction works on more general types of elliptic curves, but the price for this is that the complexity of the spending and of the withdrawal protocols becomes O(lk) and O(lk + k^2) bits, respectively, and wallets take O(lk) bits of storage. All our schemes are secure in the random oracle model.

2005

EPRINT

Practical Group Signatures without Random Oracles
Abstract

We provide a construction for a group signature scheme that is provably secure in a universally composable framework, within the standard model with trusted parameters. Our proposed scheme is fairly simple and its efficiency falls within small factors of the most efficient group signature schemes with provable security in any model (including random oracles). Security of our constructions requires new cryptographic assumptions, namely the Strong LRSW, EDH, and Strong SXDH assumptions. Evidence for any assumption we introduce is provided by proving hardness in the generic group model.
Our second contribution is the first definition of security for group signatures based on the simulatability of real protocol executions in an ideal setting that captures the basic properties of unforgeability, anonymity, unlinkability, and exculpability for group signature schemes.

2004

EPRINT

Direct Anonymous Attestation
Abstract

This paper describes the direct anonymous attestation scheme (DAA). This scheme was adopted by the Trusted Computing Group as the method for remote authentication of a hardware module, called trusted platform module (TPM), while preserving the privacy of the user of the platform that contains the module. Direct anonymous attestation can be seen as a group signature without the feature that a signature can be opened, i.e., the anonymity is not revocable.
Moreover, DAA allows for pseudonyms, i.e., for each signature a user (in agreement with the recipient of the signature) can decide whether or not the signature should be linkable to another signature. DAA furthermore allows for detection of "known" keys: if the DAA secret keys are extracted from a TPM and published, a verifier can detect that a signature was produced using these secret keys. The scheme is provably secure in the random oracle model under the strong RSA and the decisional Diffie-Hellman assumption.

2002

EPRINT

Efficient Computation Modulo a Shared Secret with Application to the Generation of Shared Safe-Prime Products
Abstract

We present a new protocol for efficient distributed computation modulo a
shared secret. We further present a protocol to distributively generate a
random shared prime or safe prime that is much more efficient than
previously known methods. This allows to distributively compute shared RSA
keys, where the modulus is the product of two safe primes, much more
efficiently than was previously known.

2002

EPRINT

Practical Verifiable Encryption and Decryption of Discrete Logarithms
Abstract

This paper presents a variant of the new public key encryption of Cramer and Shoup based on Paillier's decision composite residuosity assumption, along with an efficient protocol for verifiable encryption of discrete logarithms. This is the first verifiable encryption system that provides chosen ciphertext security and avoids inefficient cut-and-choose proofs. This has numerous applications, including fair exchange and key escrow. We also present efficient protocols for verifiable decryption, which has applications to, e.g., confirmer signatures. The latter protocols build on a new protocol for proving whether or not two discrete logarithms are equal that is of independent interest. Prior such protocols were either inefficient or not zero-knowledge.

2001

EUROCRYPT

2001

EPRINT

An Efficient System for Non-transferable Anonymous Credentials with Optional Anonymity Revocation
Abstract

A credential system is a system in which users can obtain credentials from organizations and demonstrate possession of these credentials. Such a system is anonymous when transactions carried out by the same user cannot be linked. An anonymous credential system is of significant practical relevance because it is the best means of providing privacy for users. In this paper we propose a practical anonymous credential system that is based on the strong RSA assumption and the decisional Diffie-Hellman assumption modulo a safe prime product and is considerably superior to existing ones:
(1) We give the first practical solution that allows a user to unlinkably demonstrate possession of a credential as many times as necessary without involving the issuing organization.
(2) To prevent misuse of anonymity, our scheme is the first to offer optional anonymity revocation for particular transactions.
(3) Our scheme offers separability: all organizations can choose their cryptographic keys independently of each other.
Moreover, we suggest more effective means of preventing users from sharing their credentials, by introducing *all-or-nothing* sharing: a user who allows a friend to use one of her credentials once, gives him the ability to use all of her credentials, i.e., taking over her identity. This is implemented by a new primitive, called *circular encryption*, which is of independent interest, and can be realized from any semantically secure cryptosystem in the random oracle model.

2001

EPRINT

Efficient Revocation of Anonymous Group Membership
Abstract

An accumulator scheme, introduced by Benaloh and de Mare and further studied by Barić and Pfitzmann, is an algorithm that allows to hash a large set of inputs into one short value, called the *accumulator*, such that there is a short witness that a given input was incorporated into the accumulator. We put forward the notion of *dynamic accumulators*, i.e., a method that allows to dynamically add and delete inputs from the accumulator, such that the cost of an add or delete is independent of the number of accumulated values. We achieve this under the strong RSA assumption. For this construction, we also show an efficient zero-knowledge protocol for proving that a committed value is in the accumulator.
In turn, our construction of dynamic accumulator enables efficient membership revocation in the anonymous setting. This method applies to membership revocation in group signature schemes, such as the one due to Ateniese et al., and efficient revocation of credentials in anonymous credential systems, such as the one due to Camenisch and Lysyanskaya. Using our method, allowing revocation does not alter the complexity of any operations of the underlying schemes. In particular, the cost of a group signature verification or credential showing increases by only a small constant factor, less than 2. All previously known methods (such as the ones due to Bresson and Stern and Ateniese and Tsudik) incurred an increase in these costs that was linear in the number of members.

2000

ASIACRYPT

1999

EPRINT

Verifiable Encryption and Applications to Group Signatures and Signature Sharing
Abstract

We generalize and improve the security and efficiency of the
verifiable encryption scheme of Asokan et al., such that it can rely
on more general assumptions, and can be proven secure without
assuming random oracles. We show a new application of verifiable
encryption to group signatures with separability, these schemes do
not need special purpose keys but can work with a wide range of
signature, identification, and encryption schemes already in use.
Finally, we extend our basic primitive to verifiable threshold and
group encryption. By encrypting digital signatures this way, one
gets new solutions to the verifiable signature sharing problem.

#### Program Committees

- Eurocrypt 2018
- Eurocrypt 2015
- Crypto 2013
- PKC 2009
- Crypto 2005
- Eurocrypt 2004
- Crypto 2003
- Eurocrypt 2001
- Crypto 2001

#### Coauthors

- Masayuki Abe (2)
- Jae Hyun Ahn (2)
- Joy Algesheimer (2)
- Giuseppe Ateniese (3)
- Endre Bangerter (3)
- Mira Belenkiy (2)
- Fabrice Benhamouda (1)
- Dan Boneh (2)
- Ernest F. Brickell (1)
- Christian Cachin (1)
- Nathalie Casati (2)
- Rafik Chaabouni (1)
- Nishanth Chandran (2)
- Melissa Chase (2)
- Liqun Chen (1)
- Ivan Damgård (2)
- David Derler (1)
- Rafael Dowsley (2)
- Manu Drijvers (3)
- Maria Dubovitskaya (6)
- Robert R. Enderlein (3)
- Tommaso Gagliardoni (1)
- Thomas Groß (3)
- Kristiyan Haralambiev (3)
- Peter Hladky (1)
- Christian Hoertnagl (1)
- Susan Hohenberger (9)
- Marc Joye (2)
- Aggelos Kiayias (2)
- Markulf Kohlweiss (9)
- Stephan Krenn (7)
- Ralf Küsters (2)
- Jorn Lapon (1)
- Anja Lehmann (6)
- Anna Lysyanskaya (14)
- Vadim Lyubashevsky (1)
- Ueli Maurer (1)
- Breno de Medeiros (1)
- Mira Meyerovich (1)
- Markus Michels (4)
- Vincent Naessens (1)
- Gregory Neven (10)
- Michael Østergaard Pedersen (3)
- Jean-Marc Piveteau (2)
- Henrich Christopher Pöhls (1)
- Daniel Rausch (2)
- Alfredo Rial (3)
- Ahmad-Reza Sadeghi (1)
- Kai Samelin (1)
- Thomas Schneider (1)
- Hovav Shacham (2)
- Caroline Sheedy (1)
- Abhi Shelat (5)
- Victor Shoup (9)
- Daniel Slamanig (1)
- Claudio Soriente (2)
- Markus Stadler (3)
- Gene Tsudik (2)
- Brent Waters (2)
- Moti Yung (2)
- Gregory M. Zaverucha (1)