Risk Management for E-Cash Systems with Partial Real-Time Audit
Netnomics 3, Kluwer Academic Publishers. Manufactured in The Netherlands.

YACOV YACOBI
Microsoft Research, One Microsoft Way, Redmond, WA 98052, USA

Abstract. We analyze coin-wallet and balance-wallet under partial real-time audit, and compute upper bounds on theft due to the fact that not all the transactions are audited in real time, assuming that everything else is perfect. In particular, we assume that the audit regime holds for innocent payees. Let $v$ be the maximum allowed balance in a wallet, and $0 \le \mu \le 1$ be the fraction of transactions that are audited in real time in an audit round. Assume one unit transactions. We show that the upper bound on expected theft for coin-wallet is $\lim_{\mu \to 0} \mu^{-2}$, while for plausible (similar) parameter choice the bound for a balance-wallet is $O(\exp(mv\mu))$, where $1 < m$. The former is nicely bounded for small transactions; however, the bound for balance-wallet can become huge in those cases where we require very small false alarm probability. We conclude that partial audit may be suitable for coin-wallets with low denomination coins, and possibly for balance-wallet when we may tolerate a relatively high false alarm rate, but it may be too risky for balance-wallet where a very low false alarm rate is required.

Keywords: cryptography, e-cash, randomized-audit, risk-management, economy

1. Introduction

1.1. Background

We use the term coin-wallet (in short c-wallet) for a device in which individual fixed value coins are maintained, and balance-wallet (b-wallet) for a device in which only the total value available is maintained. We analyze those systems separately, even though real devices can (and probably should) support both. The processing cost of a transaction must be very small compared to the transaction value. For micropayments this may become a challenge.
One way to save on transaction processing costs is to use off-line systems, where the bank is involved only in large batch-processing during withdrawal and deposit, but is not a party in ordinary payment transactions. This approach requires hardware wallets that are very hard to break. Reasonably priced consumer electronics devices (e.g., smart cards) are not very hard to break. Alternatively, a payment system can be fully on-line, where the bank is involved in every transaction. On-line systems have a much higher processing cost per transaction. On-line and off-line e-cash systems are at the ends of a spectrum characterized by the real-time audit sampling rate, $0 \le \mu \le 1$. A system is sound if its breaking cost exceeds the expected theft (theft is due to the fact that possibly not all the transactions are audited). On the plane audit rate vs. breaking cost we want to explore the continuum along which soundness is maintained. For any breaking cost we can find the required sampling rate that assures soundness. The hope is that for a realistic breaking cost the required sampling rate is small enough so that the system is much cheaper to operate compared with a fully on-line system.

1.2. Statement of the main problem

Given that not all the transactions are audited in real time, a thief (after breaking one or more wallets) may be able to spend the same coin more than once without being caught (or likewise in a balance-wallet, may be able to spend beyond his balance). This has a non-zero success probability. Once a wallet is identified as misbehaving it is revoked, and can no longer engage in transactions with good wallets (that are equipped with proper revocation lists). So, theft can be bounded. Our goal is to upper bound the expected theft under the most adversarial conditions (i.e., most favorable to the thief). Once we know the bounds we can design proper counter-measures to assure soundness.

We show that under the assumption that a constant audit sampling rate $\mu$ is enforced (along with some other common assumptions about trust and cryptography, and some reasonable assumptions on parameter sizes) the tight upper bound on the value of theft from one broken coin-wallet is $\lim_{\mu \to 0} \mu^{-2}$, measured in units of coins (see note 1). This approximation is quite good for all values of $0 \le \mu \le 1$. For example, for $\mu = 0$ there is no audit at all, hence theft can go to infinity ($E(\mu)$ is not defined), while when all the transactions are audited in real time ($\mu = 1$) theft goes to zero, and in this approximation we get a theft of just one unit (coin), which is close enough (a more precise expression for large values of $\mu$ is $E(\mu) = \mu^{-2} - 1$). For balance-wallet with similar parameters the upper bound on expected theft, $E(\mu)$, is $O(\exp(+mv\mu))$, which in some cases can become huge. This implies that when partial audit is desired, coin wallets are much safer.
Related work on e-cash (with emphasis on randomized audit): the first balance-wallet is described in [4]. Paper [6] is the first known to me that proposes the use of randomized audit with e-cash systems. Papers [7,18] started the analysis of risk-management aspects of randomized audit on e-cash systems. The first analyzes balance-wallets, while the second discusses coin-wallets and finds the probability of failure to detect fraud for a burst attack (the optimal attack, as shown here, is a trickle attack). Paper [13] proposed a payment system based on lottery tickets. In [16] another randomized system is presented, where the payers do not always pay (in [13] they always pay, but the payee does not always deposit). Papers [2,3] pioneered the research on conditional anonymity. Later papers along these lines include [5,10-12,17]. An earlier version of this paper appeared in [19].

1.3. Assumptions

1. Banks, auditors, and certification authorities (CA) are honest, and cryptographic signatures are unbreakable (see note 2).
2. The First Depositor of a coin Wins (FDW).
3. Audits happen in rounds. If a payer is detected as misbehaving, and is revoked before or during the current round, then all of his transactions in the current round are invalidated.
4. A uniform distribution of randomized audit is enforced on all the honest players.

The last item is difficult to approximate. We hint at a possible approach in the appendix. The idea is to design the system such that the cost of subverting the audit process of an honest payee exceeds the maximum allowed balance in a wallet. Since this cannot violate soundness, this subversion can be excluded from consideration.

1.4. Structure of the rest of the paper

The analysis in section 2 is done under the assumption (among others) that the audit regime is enforced on all unbroken payees. In section 2.2 we tightly upper bound the expected theft for c-wallet. In section 2.3 we analyze balance-wallet under similar conditions, and find both the false alarm and the failure to alarm probabilities. We argue that in a b-wallet the false alarm probability must be extremely small, and show that under these assumptions expected theft may explode. Finally, in the appendix we give an example of a system that approximates the theoretical model. In this example all the transactions have to wait the same time; however, the infrastructure is cheaper, since it has to accommodate only the audited transactions in real time.

2. Analysis

2.1. Glossary

ADW: All Depositors Win reimbursement policy,
alarm threshold: a real value $x > 1$, such that a b-wallet is signaled as a potential violator if the total value of audited transactions exceeds $v\mu x$,
$a = n\mu$: the total number of audited transactions out of $n$ (see $n$ below),
b-wallet, c-wallet: balance-wallet, coin-wallet, respectively,
$C_B$: total breaking cost of a wallet,
CRL: update to Certificate Revocation List,
$E\{T\}$: expected theft,
FDW: First Depositor Wins reimbursement policy,
$h : \{0,1\}^* \to \{0,1\}^n$: hash function (assumed to behave like a random function),
k-off c-wallet: a c-wallet in which a coin may change $k$ hands before it must be deposited,
$\mu$: audit (constant) sampling rate,
$m$: multispending factor; a wallet with initial balance $v$ which spends $s$ has a multispending factor of $m = s/v$,
$m_b$, $m_c$: the value of the optimal (for the adversary) multispending factor for b-wallet and c-wallet, respectively,
$n$: the total number of transactions in the sample space (one audit round),
$q_b(m)$, $q_c(m)$: failure to alarm probability for b-wallet and c-wallet, respectively, for multispending factor $m$,
$q_{b1}$: false alarm probability for b-wallet,
$V$: the maximum legal balance in a wallet,
$v$: the number of coins used in a given audit round from one wallet, $v \le V$.

2.2. Coin-wallet

A thief spends $v$ original coins, where coin $i$ is multispent $m_i > 1$ times, $i = 0, 1, \ldots, v-1$, in one audit-interval, after which the auditor takes a fraction $\mu$ of sample transactions for an audit. We denote the failure to alarm probability for a given wallet as $q_c = \Pr[\text{none of the (multispent) coins is audited more than once}]$. It depends on the audit rate $\mu$ and on the vector of natural multispending factors $\mathbf{m} = (m_0, \ldots, m_{v-1})$. It is defined only for $0 \le \mu < 1$ and where at least one of the multispending factors $m_j > 1$ (otherwise there is no crime, and failure to alarm is meaningless).

Lemma 2.1. $q_c \le \prod_{i=0}^{v-1}\left[(1-\mu)^{m_i - 1}\left(1 + \mu(m_i - 1)\right)\right]$.

Proof. Each of the $v \le V$ coins used in the attack must escape detection, so each is audited at most once. Audit happens with probability $\mu$. So for each coin we must add the probabilities of the independent events that it was not audited or audited once, and multiply these results for the $v$ coins. So,
$$q_c \le \prod_{i=0}^{v-1}\left[\sum_{j=0}^{1}\binom{m_i}{j}\mu^j(1-\mu)^{m_i - j}\right] = \prod_{i=0}^{v-1}\left[(1-\mu)^{m_i} + m_i\mu(1-\mu)^{m_i - 1}\right] = \prod_{i=0}^{v-1}\left[(1-\mu)^{m_i - 1}\left(1 + \mu(m_i - 1)\right)\right].$$

Lemma 2.2. For a fixed fraud volume (i.e., fixed value of $\sum_{i=0}^{v-1} m_i$), the choice of a uniform value of $m$ for all the coins maximizes $q_c$. In that case we denote it $q_c(m)$.
Proof. Consider the case $v = 2$ (i.e., just two original coins). Let $m_0 \ne m_1$. We compare $\prod_{i=0}^{1}(1-\mu)^{m_i - 1}\left(1 + \mu(m_i - 1)\right)$ to $\left[(1-\mu)^{m-1}\left(1 + \mu(m-1)\right)\right]^2$, where $m = (m_0 + m_1)/2$. One can easily see that if $m_0 \ge 1$ and $m_1 \ge 1$ then $(1-\mu)^{m_0 - 1}(1-\mu)^{m_1 - 1} = \left[(1-\mu)^{m-1}\right]^2$, and that if $m_0 \ne m_1$ then $\left(1 + \mu(m_0 - 1)\right)\left(1 + \mu(m_1 - 1)\right) < \left(1 + \mu(m-1)\right)^2$. This implies that the adversary is better off replacing $m_0$ and $m_1$ with $m$. The case $v > 2$ follows likewise. If any two coins $i, j$ with $m_i \ne m_j$ are replaced with two coins with the same $m = (m_i + m_j)/2$ then we know that $q_c$ increases. We can repeat this process until all the coins have the same $m$, changing one pair at a time. This technique could also be used to show that information-theoretic entropy is maximized for a uniform density.

Lemma 2.3. $q_c(m)$ is maximized for $m = 2$.

Proof. In the expression for $q_c$ we use a uniform value for $m$ (and change the notation to $q_c(m)$). So,
$$q_c(m) = \left[(1-\mu)^{m-1}\left(1 + \mu(m-1)\right)\right]^v.$$
To see that the smallest $m > 1$ (if $m \le 1$ there is no theft) maximizes $q_c(m)$ we take the derivative of $q_c(m)$ with respect to $m$ and show that it is negative. This, together with the fact that for c-wallet $m$ must be an integer, yields the claim. Let $\psi = (1-\mu)^{m-1}\left(1 + \mu(m-1)\right)$. Then
$$\frac{d}{dm}\,q_c(m) = v\psi^{v-1}\left[\left((1-\mu)^{m-1}\ln(1-\mu)\right)\left(1 + \mu(m-1)\right) + (1-\mu)^{m-1}\mu\right].$$
One can easily verify that for $\mu < 1$ and $m > 1$ we get $(d/dm)\,q_c(m) < 0$.

Let $E(\mu)$ denote the expected theft in the following experiment.

Experiment 2.1. In each audit round, as long as she is not revoked, the thief withdraws $v$ fresh coins, and multispends each $m$ times until she is caught. In each round, if she is not caught her gain (theft) is $(m-1)v$. We multiply this by the probability not to be caught, which for round $i$ is $q_c(m)^i$ (i.e., this is the probability that up to and including round $i$ she was not caught). We sum over all the rounds, to get:
$$E(\mu) = (m-1)v\sum_{i=1}^{\infty} q_c(m)^i = (m-1)v\,\frac{q_c(m)}{1 - q_c(m)}.$$
Clearly the maximal $q_c(m)$ (i.e., $q_c(2)$) maximizes $E(\mu)$.
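The coin-wallet lemmas and the expected-theft sum above, worked as an added Python example (not code from the paper): it evaluates $q_c$ of Lemma 2.1 for an arbitrary multispending vector, checks the uniform-$m$ and $m = 2$ claims of Lemmas 2.2 and 2.3 numerically, computes $E(\mu)$ of Experiment 2.1, and cross-checks $q_c$ by simulating the audit of every spend. The audit rate $\mu = 0.05$ and the small multispending vectors are constructed for illustration.

```python
"""Coin-wallet analysis of section 2.2 under partial real-time audit.
Added example, not the paper's own code. Constructed inputs: audit rate
mu = 0.05 and small multispending vectors."""
import random
from typing import Sequence


def q_c(mu: float, ms: Sequence[int]) -> float:
    """Lemma 2.1: probability that none of the v multispent coins is audited
    more than once, for audit rate mu and multispending vector ms."""
    if not 0.0 <= mu < 1.0:
        raise ValueError("q_c is defined only for 0 <= mu < 1")
    if all(m <= 1 for m in ms):
        raise ValueError("no coin is multispent, so there is no theft")
    prod = 1.0
    for m in ms:
        # Pr[coin audited at most once] = (1-mu)^m + m*mu*(1-mu)^(m-1)
        #                               = (1-mu)^(m-1) * (1 + mu*(m-1))
        prod *= (1.0 - mu) ** (m - 1) * (1.0 + mu * (m - 1))
    return prod


def expected_theft(mu: float, m: int, v: int) -> float:
    """Experiment 2.1 with uniform multispending factor m on v coins:
    E(mu) = (m-1) v sum_{i>=1} q_c(m)^i = (m-1) v q_c(m) / (1 - q_c(m))."""
    q = q_c(mu, [m] * v)
    return (m - 1) * v * q / (1.0 - q)


def simulate_q_c(mu: float, ms: Sequence[int], rounds: int, seed: int = 1) -> float:
    """Monte Carlo check of q_c: every spend is audited independently with
    probability mu; the thief escapes a round iff no coin is audited twice."""
    rng = random.Random(seed)
    escaped = 0
    for _ in range(rounds):
        caught = False
        for m in ms:
            audits = sum(1 for _ in range(m) if rng.random() < mu)
            if audits >= 2:
                caught = True
                break
        if not caught:
            escaped += 1
    return escaped / rounds


def theft_ratio_to_limit(mu: float) -> float:
    """E(mu) / mu^-2 for m = 2, v = 1; tends to 1 as mu -> 0 (Theorem 2.1)."""
    return expected_theft(mu, 2, 1) * mu ** 2


if __name__ == "__main__":
    mu = 0.05
    # Lemma 2.2: for a fixed fraud volume (here 8 spends of 2 coins) a
    # uniform m gives the thief the larger escape probability.
    print("q_c(2,6) =", q_c(mu, [2, 6]), " q_c(4,4) =", q_c(mu, [4, 4]))
    # Lemma 2.3: among uniform m > 1, the trickle attack m = 2 is optimal.
    print("q_c(m=2) =", q_c(mu, [2] * 10), " q_c(m=3) =", q_c(mu, [3] * 10))
    # v = 1 maximizes E(mu); for m = 2, v = 1 it equals mu^-2 - 1 exactly.
    print("E(mu) v=1:", expected_theft(mu, 2, 1), " v=5:", expected_theft(mu, 2, 5))
    print("E(mu)/mu^-2 at mu=1e-3:", theft_ratio_to_limit(1e-3))
    print("simulated q_c for (2,2,2):", simulate_q_c(mu, [2, 2, 2], 20000),
          " exact:", q_c(mu, [2, 2, 2]))
```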
Theorem 2.1. $\lim_{\mu \to 0} E(\mu) = \mu^{-2}$.

Proof. $q_c(2) = [1 - \mu^2]^v$. Plugging it (and $m = 2$) into the above expression for $E(\mu)$ yields
$$E(\mu) = v\,\frac{(1-\mu^2)^v}{1 - (1-\mu^2)^v}.$$
The value of $1 \le v \le V$ that maximizes this expression is $v = 1$, for which the claim follows.

2.3. Balance-wallet

Let $W$ be a wallet under consideration, with maximum balance $v$ and overspending factor $m$. Suppose that in a given audit interval there are overall $n$ transactions, and the uniform audit rate is $0 < \mu < 1$. Transactions have uniform value of one unit.

Definition 2.1 (Alarm policy). Declare wallet $W$ guilty if in an audit interval the number of samples coming from $W$ (denoted $S$) exceeds $v\mu x$, where $x > 1$ is real.

The assumption here is that within an audit interval a wallet cannot both spend and withdraw (to replenish its balance). $x$ is a security parameter; it gives us some freedom to balance failure to alarm versus false alarm rates. Let $a = n\mu$, and let $X_i$, $i = 1, 2, 3, \ldots, a$, denote mutually independent 0-1 random variables: $X_i = 1$ iff audit $i$ came from wallet $W$. Let $p(m)$ denote $\Pr[X_i = 1]$. Then $p(m) = mv/n$ and $\Pr[X_i = 0] = 1 - p(m)$. Let $S = \sum_{i=1}^{a} X_i$.

Definition 2.2. (i) Failure to alarm probability $q_b(m) = \Pr[S < v\mu x \mid m > 1]$. (ii) False alarm probability $q_{b1} = \Pr[S > v\mu x \mid m = 1]$.

Let $M$ denote the mean of the random variable $S$, namely $M = mv\mu$. From [9] we have the Chernoff bounds for the left tail ($0 < \delta \le 1$):
$$\Pr[S < (1-\delta)M] < e^{-M\delta^2/2},$$
and for the right tail ($0 < \delta$):
$$\Pr[S > (1+\delta)M] < \left[\frac{e^{\delta}}{(1+\delta)^{1+\delta}}\right]^M.$$
Using these inequalities we get: for $1 < x < m$ let $\delta = 1 - x/m$; then
$$q_b(m) < e^{-M\delta^2/2},$$
and for $m = 1 < x$,
$$q_{b1} < \left[\frac{e^{x-1}}{x^x}\right]^{v\mu}.$$
For example, for $\mu = 0.01$ and $v = 10^3$, $x = 2$ implies $q_{b1} < 0.07$, while $x = 15$ yields negligible $q_{b1}$. As before, in the case of c-wallet, $E(\mu) = (m-1)v\,q_b(m)/(1 - q_b(m))$, so
$$E(\mu) < (m-1)v\left(e^{M\delta^2/2} - 1\right)^{-1}.$$

Attack

If the adversary knows the threshold $x$, she can choose a multispending factor $1 < m < x$. In this case the failure to alarm probability becomes the complement of a small right tail, and can become huge. Moreover, it grows as the sampling rate $\mu$ grows. Finding the alarm threshold $x$ is similar to a common medical insurance fraud, where clients file false claims with gradually increasing value until they hit an audit [15]. If we compensate with $x$ for the increase in $\mu$ so as to keep the false alarm rate fixed, then as $\mu$ goes up, $x$ decreases. Once $x < m$ everything at once goes back to normal (the failure to alarm probability becomes a small left tail, as we would like it to be).

Exact expressions

For a given $x > 1$, let $r = \Pr[S > mv\mu x \mid 1 < m < x]$. The expression for $r$ resembles that of $q_{b1}$, since both are the right tails of similar distributions. They become identical for $m = 1$. Using the previous Chernoff bound for a right tail with $x = 1 + \delta$ we get
$$r < \left[\frac{e^{x-1}}{x^x}\right]^{mv\mu}.$$
In this case $q_b(m) = 1 - r$. So,
$$E(\mu) = (m-1)v\,\frac{q_b(m)}{1 - q_b(m)} = (m-1)v\left(\frac{1}{r} - 1\right) > (m-1)v\left(\left[\frac{x^x}{e^{x-1}}\right]^{mv\mu} - 1\right).$$
For $x > 1$ it is always the case that $x^x > e^{x-1}$, and we get the paradoxical effect $E(\mu) = O(\exp(+mv\mu))$. Explosion happens for large $x$, e.g., $x = 15$, which is needed in cases where it is important to have negligible false alarm probability.

Acknowledgements

I thank Brian Beckman, Josh Benaloh, Wei Dai, Paul England, Dan Simon, Matt Thomlinson, and Gideon Yuval for many helpful discussions. I would also like to thank an anonymous referee of Netnomics for his constructive criticism.
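The balance-wallet bounds of section 2.3 (the Chernoff bounds on $q_{b1}$ and $q_b(m)$, the attack regime $1 < m < x$, and the exponential lower bound on $E(\mu)$ from the exact expressions), as an added Python example that is not the paper's own code. It also computes the exact binomial right tail that the Chernoff bound approximates, assuming $S$ is Binomial($a$, $mv/n$) as defined above; the round size $n = 10^5$ and the multispending factors used are constructed for illustration.

```python
"""Balance-wallet alarm policy of section 2.3. Added example, not the paper's
own code. Model as defined above: a = n*mu audits per round, each from wallet
W independently with p(m) = m*v/n, S = number of audits from W, M = m*v*mu.
Constructed inputs: n = 100000, v = 1000, mu = 0.01, thresholds x = 2, 15."""
import math


def log_right_tail_base(x: float) -> float:
    """log(e^(x-1) / x^x) = (x-1) - x ln x, negative for every x > 1."""
    if x <= 1.0:
        raise ValueError("alarm threshold x must exceed 1")
    return (x - 1.0) - x * math.log(x)


def false_alarm_bound(mu: float, v: int, x: float) -> float:
    """Chernoff right tail with M = v mu and 1 + delta = x (honest m = 1):
    q_b1 < (e^(x-1) / x^x)^(v mu), evaluated in log space to avoid underflow."""
    return math.exp(v * mu * log_right_tail_base(x))


def failure_to_alarm_bound(mu: float, v: int, m: float, x: float) -> float:
    """Bound on the failure-to-alarm probability q_b(m).
    For x < m the left tail with delta = 1 - x/m gives the upper bound
    q_b(m) < exp(-M delta^2 / 2).
    For 1 < m < x (the attack) the paper writes q_b(m) = 1 - r with
    r = Pr[S > m v mu x] < (e^(x-1)/x^x)^(m v mu), so the returned value is a
    lower bound and is close to 1."""
    M = m * v * mu
    if x < m:
        delta = 1.0 - x / m
        return math.exp(-M * delta * delta / 2.0)
    if m <= 1.0:
        raise ValueError("failure to alarm needs m > 1")
    return 1.0 - math.exp(M * log_right_tail_base(x))


def expected_theft_from_q(v: int, m: float, q_b: float) -> float:
    """E(mu) = (m-1) v q_b / (1 - q_b), the same sum as in the c-wallet case."""
    return (m - 1.0) * v * q_b / (1.0 - q_b)


def theft_lower_bound_attack(mu: float, v: int, m: float, x: float) -> float:
    """Exact expressions: for 1 < m < x,
    E(mu) > (m-1) v ((x^x / e^(x-1))^(m v mu) - 1), i.e. O(exp(+m v mu)).
    Returns inf when the bound exceeds the float range (the 'explosion')."""
    if not 1.0 < m < x:
        raise ValueError("attack regime requires 1 < m < x")
    log_base = -log_right_tail_base(x)  # ln(x^x / e^(x-1)) > 0 for x > 1
    try:
        return (m - 1.0) * v * (math.exp(log_base * m * v * mu) - 1.0)
    except OverflowError:
        return math.inf


def exact_right_tail(n: int, mu: float, v: int, m: float, x: float) -> float:
    """Exact Pr[S > v mu x] for S ~ Binomial(a = n mu, p = m v / n), the
    quantity the Chernoff right tail bounds; the pmf is summed in log space."""
    a = int(round(n * mu))
    p = m * v / n
    threshold = v * mu * x
    log_p, log_1p = math.log(p), math.log1p(-p)
    cdf = 0.0
    for k in range(a + 1):
        if k > threshold:
            break
        log_pmf = (math.lgamma(a + 1) - math.lgamma(k + 1) - math.lgamma(a - k + 1)
                   + k * log_p + (a - k) * log_1p)
        cdf += math.exp(log_pmf)
    return 1.0 - cdf


if __name__ == "__main__":
    n, v, mu = 100_000, 1000, 0.01
    for x in (2.0, 15.0):
        print(f"x={x:>4}: q_b1 < {false_alarm_bound(mu, v, x):.3g} (Chernoff), "
              f"exact q_b1 = {exact_right_tail(n, mu, v, 1.0, x):.3g}")
    # Honest regime x < m: failure to alarm is a small left tail.
    q = failure_to_alarm_bound(mu, v, 4.0, 2.0)
    print("x<m: q_b <", q, " E(mu) bound", expected_theft_from_q(v, 4.0, q))
    # Attack regime 1 < m < x: the thief stays below the threshold, and the
    # theft bound grows with the sampling rate mu until it overflows.
    for rate in (0.001, 0.01, 0.02):
        print(f"m<x, mu={rate}: E(mu) >", theft_lower_bound_attack(rate, v, 1.5, 15.0))
```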
Appendix. Practical considerations

The audit protocol

Let CRL denote updates to Certificate Revocation Lists (with a proper design a CRL for the whole USA may be on the order of 1 MByte, so many hand held devices can store it). Table 1 distinguishes broadcasts from point-to-point transmissions; $x_i, x_{i+1}, \ldots$ denote audit instructions. We assume they are randomly generated in each wallet. $T^+_i, T^-_i$ denote signed hash trees [8] for good and bad transactions that were audited in round $i$; trans = transaction. Recall that we assume that all the communications are cryptographically protected for secrecy and integrity (and omit the mechanisms from this description). A typical audit round may look like this:

Table 1. Round $i$ of the audit protocol.

Auditor                                             Payee
broadcast $(\mathrm{CRL}_{i-1}, T^+_{i-1}, T^-_{i-1})$
                                                    If $h(\mathrm{trans}) = x_{i-1}$ then send (trans) for audit
broadcast $(\mathrm{CRL}_i, T^+_i, T^-_i)$
                                                    Conclude current trans if payer not revoked, and, for audited trans, if trans $\in T^+_i$.

Note that in this approximation both audited and non-audited transactions have the same one round delay before completion (we still benefit from partial real-time audit in terms of load on the infrastructure; there are other approximations which allow non-audited transactions to conclude immediately, but they are riskier).

We are interested in the net gain or loss of bad collusions, and assume that coins are non-transferable, i.e., that when an honest payee receives a coin he eventually deposits it back to the bank. This implies that we can lump any bad collusion into one large node. In addition, we engineer the system such that monitoring the behavior of an honest payee costs more than the maximum allowed balance in a wallet (an honest payee deposits when his balance reaches the maximum). Thus audit-subversion attacks on honest payees are excluded (they do not make economic sense to the thief) (see note 3).

Notes

1. Throughout the paper we express our results asymptotically; however, these asymptotes are good approximations of actual behaviors with realistic parameters.
2. These assumptions may seem too strong, but if we want users to be able to withdraw money from their bank accounts, and vendors to be able to deposit into their bank accounts, then we must trust that banks do not steal from those accounts. Likewise, we must trust that the CA is honest, so that user A cannot impersonate user B when talking to the bank. If risk management relies on some audit process, as advocated here (and as done in any quality control), then the auditor must be trusted as well. Finally, it is convenient to assume that cryptographic signatures are unbreakable, since currently, to the best of our knowledge, they are by far the most reliable element in any protection system.
3. Example attack on honest payees: The attacker breaks one c-wallet, to be used as a payer, and monitors the payee's interaction with the auditor. She multispends a coin (not to the same payee) until it is sent for audit. Then she stops using this coin, and starts using another coin.

References

[1] N. Alon, J.H. Spencer and P. Erdős, The Probabilistic Method (Wiley/Interscience, New York).
[2] D. Chaum, Achieving electronic privacy, Scientific American (August 1992).
[3] D. Chaum, Fiat and Naor, Untraceable electronic cash, in: Proc. of Crypto 88 (1992), Appendix A.
[4] S. Even, O. Goldreich and Y. Yacobi, Electronic wallet, in: Proc. of Crypto 83 (see also the Zurich 94 Seminar).
[5] M. Franklin and M. Yung, Secure and efficient off-line digital money, in: Proc. of the 20th ICALP (1993).
[6] E. Gabber and A. Silberschatz, Agora: A minimal distributed protocol for electronic commerce, in: USENIX Workshop on E-Commerce, Oakland, CA (November 1996).
[7] S. Jarecki and A.M. Odlyzko, An efficient micropayment system based on probabilistic polling, in: Proc. Financial Cryptography-97, ed. R. Hirschfeld, Lecture Notes in Computer Science (Springer, Berlin).
[8] R.C. Merkle, Protocols for public key cryptosystems, in: Proc. of 1980 Symp. on Security and Privacy, IEEE Computer Society (April 1980).
[9] R. Motwani and P. Raghavan, Randomised Algorithms (Cambridge Univ. Press, Cambridge, 1997).
[10] T. Okamoto, An efficient divisible electronic cash scheme, in: Proc. of Crypto 95, Lecture Notes in Computer Science, Vol. 963 (Springer, Berlin).
[11] T. Okamoto and K. Ohta, Disposable zero-knowledge authentications and their applications to untraceable electronic cash, in: Proc. Crypto 89, Lecture Notes in Computer Science, Vol. 435 (Springer, Berlin).
[12] T. Okamoto and K. Ohta, Universal electronic cash, in: Proc. Crypto 90, Lecture Notes in Computer Science, Vol. 576 (Springer, Berlin).
[13] R.L. Rivest, Electronic lottery tickets as micropayments, in: Proc. Financial Cryptography-97, ed. R. Hirschfeld, Lecture Notes in Computer Science (Springer, Berlin).
[14] D.R. Simon, Anonymous communication and anonymous cash, in: Proc. Crypto 96, Lecture Notes in Computer Science (Springer, Berlin).
[15] H. Varian, Private communication.
[16] D. Wheeler, Transactions using bets, in: Proc. ARE, Lecture Notes in Computer Science (Springer, Berlin, 1997).
[17] Y. Yacobi, Efficient E-money, in: Proc. Asiacrypt 94, Lecture Notes in Computer Science, Vol. 917 (Springer, Berlin).
[18] Y. Yacobi, On the continuum between on-line and off-line e-cash systems I, in: Proc. Financial Cryptography-97, ed. R. Hirschfeld, Lecture Notes in Computer Science (Springer, Berlin).
[19] Y. Yacobi, Risk management for e-cash systems with partial real-time audit, in: Proc. Financial Cryptography 1999, ed. M. Franklin, Lecture Notes in Computer Science (Springer, Berlin).
More informationNotes for Lecture 17
U.C. Berkeley CS276: Cryptography Handout N17 Luca Trevisan March 17, 2009 Notes for Lecture 17 Scribed by Matt Finifter, posted April 8, 2009 Summary Today we begin to talk about public-key cryptography,
More informationA Note on Negligible Functions
Appears in Journal of Cryptology Vol. 15, 2002, pp. 271 284. Earlier version was Technical Report CS97-529, Department of Computer Science and Engineering, University of California at San Diego, March
More informationQuantum-secure symmetric-key cryptography based on Hidden Shifts
Quantum-secure symmetric-key cryptography based on Hidden Shifts Gorjan Alagic QMATH, Department of Mathematical Sciences University of Copenhagen Alexander Russell Department of Computer Science & Engineering
More informationDesign Validations for Discrete Logarithm Based Signature Schemes
Proceedings of the 2000 International Workshop on Practice and Theory in Public Key Cryptography (PKC 2000) (18 20 january 2000, Melbourne, Australia) H. Imai and Y. Zheng Eds. Springer-Verlag, LNCS 1751,
More informationA Knapsack Cryptosystem Based on The Discrete Logarithm Problem
A Knapsack Cryptosystem Based on The Discrete Logarithm Problem By K.H. Rahouma Electrical Technology Department Technical College in Riyadh Riyadh, Kingdom of Saudi Arabia E-mail: kamel_rahouma@yahoo.com
More information1 Number Theory Basics
ECS 289M (Franklin), Winter 2010, Crypto Review 1 Number Theory Basics This section has some basic facts about number theory, mostly taken (or adapted) from Dan Boneh s number theory fact sheets for his
More informationAn Identification Scheme Based on KEA1 Assumption
All rights are reserved and copyright of this manuscript belongs to the authors. This manuscript has been published without reviewing and editing as received from the authors: posting the manuscript to
More informationBlind Collective Signature Protocol
Computer Science Journal of Moldova, vol.19, no.1(55), 2011 Blind Collective Signature Protocol Nikolay A. Moldovyan Abstract Using the digital signature (DS) scheme specified by Belarusian DS standard
More informationA METHOD FOR REVOCATION IN GROUP SIGNATURE SCHEMES
Mathematica Moravica Vol. 7 (2003), 51 59 A METHOD FOR REVOCATION IN GROUP SIGNATURE SCHEMES Constantin Popescu Abstract. A group signature scheme allows any group member to sign on behalf of the group
More informationFrom Fixed-Length to Arbitrary-Length RSA Encoding Schemes Revisited
From Fixed-Length to Arbitrary-Length RSA Encoding Schemes Revisited Julien Cathalo 1, Jean-Sébastien Coron 2, and David Naccache 2,3 1 UCL Crypto Group Place du Levant 3, Louvain-la-Neuve, B-1348, Belgium
More informationTutorial: Device-independent random number generation. Roger Colbeck University of York
Tutorial: Device-independent random number generation Roger Colbeck University of York Outline Brief motivation of random number generation Discuss what we mean by a random number Discuss some ways of
More informationCryptanalysis of Threshold-Multisignature Schemes
Cryptanalysis of Threshold-Multisignature Schemes Lifeng Guo Institute of Systems Science, Academy of Mathematics and System Sciences, Chinese Academy of Sciences, Beijing 100080, P.R. China E-mail address:
More informationANALYSIS OF PRIVACY-PRESERVING ELEMENT REDUCTION OF A MULTISET
J. Korean Math. Soc. 46 (2009), No. 1, pp. 59 69 ANALYSIS OF PRIVACY-PRESERVING ELEMENT REDUCTION OF A MULTISET Jae Hong Seo, HyoJin Yoon, Seongan Lim, Jung Hee Cheon, and Dowon Hong Abstract. The element
More informationLecture 14: Cryptographic Hash Functions
CSE 599b: Cryptography (Winter 2006) Lecture 14: Cryptographic Hash Functions 17 February 2006 Lecturer: Paul Beame Scribe: Paul Beame 1 Hash Function Properties A hash function family H = {H K } K K is
More informationA Strong Identity Based Key-Insulated Cryptosystem
A Strong Identity Based Key-Insulated Cryptosystem Jin Li 1, Fangguo Zhang 2,3, and Yanming Wang 1,4 1 School of Mathematics and Computational Science, Sun Yat-sen University, Guangzhou, 510275, P.R.China
More informationUniversity of Tokyo: Advanced Algorithms Summer Lecture 6 27 May. Let s keep in mind definitions from the previous lecture:
University of Tokyo: Advanced Algorithms Summer 2010 Lecture 6 27 May Lecturer: François Le Gall Scribe: Baljak Valentina As opposed to prime factorization, primality testing is determining whether a given
More informationTowards Provable Security of Substitution-Permutation Encryption Networks
Towards Provable Security of Substitution-Permutation Encryption Networks Zhi-Guo Chen and Stafford E. Tavares Department of Electrical and Computer Engineering Queen s University at Kingston, Ontario,
More informationAn Overview of Homomorphic Encryption
An Overview of Homomorphic Encryption Alexander Lange Department of Computer Science Rochester Institute of Technology Rochester, NY 14623 May 9, 2011 Alexander Lange (RIT) Homomorphic Encryption May 9,
More informationLecture 11: Hash Functions, Merkle-Damgaard, Random Oracle
CS 7880 Graduate Cryptography October 20, 2015 Lecture 11: Hash Functions, Merkle-Damgaard, Random Oracle Lecturer: Daniel Wichs Scribe: Tanay Mehta 1 Topics Covered Review Collision-Resistant Hash Functions
More informationAN OBSERVATION ABOUT VARIATIONS OF THE DIFFIE-HELLMAN ASSUMPTION
Serdica J. Computing 3 (2009), 309 38 AN OBSERVATION ABOUT VARIATIONS OF THE DIFFIE-HELLMAN ASSUMPTION Raghav Bhaskar, Karthekeyan Chandrasekaran, Satyanaryana V. Lokam, Peter L. Montgomery, Ramarathnam
More informationIntroduction to Modern Cryptography Lecture 11
Introduction to Modern Cryptography Lecture 11 January 10, 2017 Instructor: Benny Chor Teaching Assistant: Orit Moskovich School of Computer Science Tel-Aviv University Fall Semester, 2016 17 Tuesday 12:00
More informationCPSC 467b: Cryptography and Computer Security
CPSC 467b: Cryptography and Computer Security Michael J. Fischer Lecture 16 March 19, 2012 CPSC 467b, Lecture 16 1/58 Authentication While Preventing Impersonation Challenge-response authentication protocols
More informationLecture 14: Secure Multiparty Computation
600.641 Special Topics in Theoretical Cryptography 3/20/2007 Lecture 14: Secure Multiparty Computation Instructor: Susan Hohenberger Scribe: Adam McKibben 1 Overview Suppose a group of people want to determine
More informationPseudonym and Anonymous Credential Systems. Kyle Soska 4/13/2016
Pseudonym and Anonymous Credential Systems Kyle Soska 4/13/2016 Moving Past Encryption Encryption Does: Hide the contents of messages that are being communicated Provide tools for authenticating messages
More informationOn the Key-collisions in the Signature Schemes
On the Key-collisions in the Signature Schemes Tomáš Rosa ICZ a.s., Prague, CZ Dept. of Computer Science, FEE, CTU in Prague, CZ tomas.rosa@i.cz Motivation to study k-collisions Def. Non-repudiation [9,10].
More informationDistributed systems Lecture 4: Clock synchronisation; logical clocks. Dr Robert N. M. Watson
Distributed systems Lecture 4: Clock synchronisation; logical clocks Dr Robert N. M. Watson 1 Last time Started to look at time in distributed systems Coordinating actions between processes Physical clocks
More informationLecture 6. Winter 2018 CS 485/585 Introduction to Cryptography. Constructing CPA-secure ciphers
1 Winter 2018 CS 485/585 Introduction to Cryptography Lecture 6 Portland State University Jan. 25, 2018 Lecturer: Fang Song Draft note. Version: February 4, 2018. Email fang.song@pdx.edu for comments and
More informationINFORMATION-THEORETICALLY SECURE STRONG VERIFIABLE SECRET SHARING
INFORMATION-THEORETICALLY SECURE STRONG VERIFIABLE SECRET SHARING Changlu Lin State Key Lab. of Information Security, Graduate University of Chinese Academy of Sciences, China Key Lab. of Network Security
More informationA Small Subgroup Attack on Arazi s Key Agreement Protocol
Small Subgroup ttack on razi s Key greement Protocol Dan Brown Certicom Research, Canada dbrown@certicom.com lfred Menezes Dept. of C&O, University of Waterloo, Canada ajmeneze@uwaterloo.ca bstract In
More informationCryptographical Security in the Quantum Random Oracle Model
Cryptographical Security in the Quantum Random Oracle Model Center for Advanced Security Research Darmstadt (CASED) - TU Darmstadt, Germany June, 21st, 2012 This work is licensed under a Creative Commons
More informationEntropy Accumulation in Device-independent Protocols
Entropy Accumulation in Device-independent Protocols QIP17 Seattle January 19, 2017 arxiv: 1607.01796 & 1607.01797 Rotem Arnon-Friedman, Frédéric Dupuis, Omar Fawzi, Renato Renner, & Thomas Vidick Outline
More informationAsymmetric Cryptography
Asymmetric Cryptography Chapter 4 Asymmetric Cryptography Introduction Encryption: RSA Key Exchange: Diffie-Hellman General idea: Use two different keys -K and +K for encryption and decryption Given a
More informationChapter 4 Asymmetric Cryptography
Chapter 4 Asymmetric Cryptography Introduction Encryption: RSA Key Exchange: Diffie-Hellman [NetSec/SysSec], WS 2008/2009 4.1 Asymmetric Cryptography General idea: Use two different keys -K and +K for
More information1 Secure two-party computation
CSCI 5440: Cryptography Lecture 7 The Chinese University of Hong Kong, Spring 2018 26 and 27 February 2018 In the first half of the course we covered the basic cryptographic primitives that enable secure
More informationA Security Model for Anonymous Credential Systems
A Security Model for Anonymous Credential Systems Andreas Pashalidis and Chris J. Mitchell Information Security Group Royal Holloway, University of London E-mail: {A.Pashalidis,C.Mitchell}@rhul.ac.uk corrected
More informationRound-Efficient Perfectly Secure Message Transmission Scheme Against General Adversary
Round-Efficient Perfectly Secure Message Transmission Scheme Against General Adversary Kaoru Kurosawa Department of Computer and Information Sciences, Ibaraki University, 4-12-1 Nakanarusawa, Hitachi,
More informationPublic Key Authentication with One (Online) Single Addition
Public Key Authentication with One (Online) Single Addition Marc Girault and David Lefranc France Télécom R&D 42 rue des Coutures F-14066 Caen, France {marc.girault,david.lefranc}@francetelecom.com Abstract.
More informationPAIRING-BASED IDENTIFICATION SCHEMES
PAIRING-BASED IDENTIFICATION SCHEMES DAVID FREEMAN Abstract. We propose four different identification schemes that make use of bilinear pairings, and prove their security under certain computational assumptions.
More informationSamostalna Liberalna Stranka
Annual Financial Statements with Independent Auditors Report thereon 01 January 2013-31 December 2013 Table of Contents: Independent Auditors report..... 3 Statement of financial position....... 7 Statement
More informationQuestion: Total Points: Score:
University of California, Irvine COMPSCI 134: Elements of Cryptography and Computer and Network Security Midterm Exam (Fall 2016) Duration: 90 minutes November 2, 2016, 7pm-8:30pm Name (First, Last): Please
More informationID-Based Blind Signature and Ring Signature from Pairings
ID-Based Blind Signature and Ring Signature from Pairings Fangguo Zhang and Kwangjo Kim International Research center for Information Security (IRIS) Information and Communications University(ICU), 58-4
More informationPrivacy and Computer Science (ECI 2015) Day 4 - Zero Knowledge Proofs Mathematics
Privacy and Computer Science (ECI 2015) Day 4 - Zero Knowledge Proofs Mathematics F. Prost Frederic.Prost@ens-lyon.fr Ecole Normale Supérieure de Lyon July 2015 F. Prost Frederic.Prost@ens-lyon.fr (Ecole
More informationDr George Danezis University College London, UK
Dr George Danezis University College London, UK Identity as a proxy to check credentials Username decides access in Access Control Matrix Sometime it leaks too much information Real world examples Tickets
More informationProvably Secure Partially Blind Signatures
Provably Secure Partially Blind Signatures Masayuki ABE and Tatsuaki OKAMOTO NTT Laboratories Nippon Telegraph and Telephone Corporation 1-1 Hikari-no-oka Yokosuka-shi Kanagawa-ken, 239-0847 Japan E-mail:
More information18733: Applied Cryptography Anupam Datta (CMU) Course Overview
18733: Applied Cryptography Anupam Datta (CMU) Course Overview Logistics Introductions Instructor: Anupam Datta Office hours: SV Bldg 23, #208 + Google Hangout (id: danupam) Office hours: Mon 1:30-2:30
More informationComputer Science A Cryptography and Data Security. Claude Crépeau
Computer Science 308-547A Cryptography and Data Security Claude Crépeau These notes are, largely, transcriptions by Anton Stiglic of class notes from the former course Cryptography and Data Security (308-647A)
More informationID-based Encryption Scheme Secure against Chosen Ciphertext Attacks
ID-based Encryption Scheme Secure against Chosen Ciphertext Attacks ongxing Lu and Zhenfu Cao Department of Computer Science and Engineering, Shanghai Jiao Tong University, Shanghai 200030, P.. China {cao-zf,
More informationREMARKS ON IBE SCHEME OF WANG AND CAO
REMARKS ON IBE SCEME OF WANG AND CAO Sunder Lal and Priyam Sharma Derpartment of Mathematics, Dr. B.R.A.(Agra), University, Agra-800(UP), India. E-mail- sunder_lal@rediffmail.com, priyam_sharma.ibs@rediffmail.com
More information5th March Unconditional Security of Quantum Key Distribution With Practical Devices. Hermen Jan Hupkes
5th March 2004 Unconditional Security of Quantum Key Distribution With Practical Devices Hermen Jan Hupkes The setting Alice wants to send a message to Bob. Channel is dangerous and vulnerable to attack.
More informationBEYOND POST QUANTUM CRYPTOGRAPHY
BEYOND POST QUANTUM CRYPTOGRAPHY Mark Zhandry Stanford University Joint work with Dan Boneh Classical Cryptography Post-Quantum Cryptography All communication stays classical Beyond Post-Quantum Cryptography
More informationInformation Disclosure in Identity Management
Information Disclosure in Identity Management all of us Abstract User Controlled Identity Management Systems have the goal to hinder the linkability between the different digital identities of a user.
More informationduring signature generation the secret key is never reconstructed at a single location. To provide fault tolerance, one slightly modies the above tech
Generating a Product of Three Primes with an Unknown Factorization Dan Boneh and Jeremy Horwitz Computer Science Department, Stanford University, Stanford, CA 94305-9045 fdabo,horwitzg@cs.stanford.edu
More informationTheme : Cryptography. Instructor : Prof. C Pandu Rangan. Speaker : Arun Moorthy CS
1 C Theme : Cryptography Instructor : Prof. C Pandu Rangan Speaker : Arun Moorthy 93115 CS 2 RSA Cryptosystem Outline of the Talk! Introduction to RSA! Working of the RSA system and associated terminology!
More information