Results 1 - 8 of 8
Authenticated Multi-Party Key Agreement
, 1996
Cited by 60 (2 self)
We examine multi-party key agreement protocols that provide (i) key authentication, (ii) key confirmation and (iii) forward secrecy. Several minor (repairable) attacks are presented against previous two-party key agreement schemes and a model for key agreement is presented that provably provides the properties listed above. A generalization of the Burmester-Desmedt model (Eurocrypt '94) for multi-party key agreement is given, allowing a transformation of any two-party key agreement scheme into a multi-party scheme. Multi-party schemes (based on the general model and two specific 2-party schemes) are presented that reduce the number of rounds required for key computation compared to the specific Burmester-Desmedt scheme. It is also shown how the specific Burmester-Desmedt scheme fails to provide key authentication. 1991 AMS Classification: 94A60 CR Categories: D.4.6 Key Words: multi-party, key agreement, key authentication, key confirmation, forward secrecy. Carleton University, Sc...
On Diffie-Hellman Key Agreement with Short Exponents
- Proc. Eurocrypt '96, LNCS 1070
, 1996
Cited by 51 (0 self)
The difficulty of computing discrete logarithms known to be "short" is examined, motivated by recent practical interest in using Diffie-Hellman key agreement with short exponents (e.g. over Zp with 160-bit exponents and 1024-bit primes p). A new divide-and-conquer algorithm for discrete logarithms is presented, combining Pollard's lambda method with a partial Pohlig-Hellman decomposition. For random Diffie-Hellman primes p, examination reveals this partial decomposition itself allows recovery of short exponents in many cases, while the new technique dramatically extends the range. Use of subgroups of large prime order precludes the attack at essentially no cost, and is the recommended solution.
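The partial Pohlig-Hellman step that the abstract above describes, as an added example (this is not code from the paper): it constructs a toy "random" Diffie-Hellman prime p = S*q + 1 whose p-1 has many small prime factors, recovers a 40-bit exponent from those factors alone, and then shows that a generator of the order-q subgroup leaks nothing to the same procedure. The parameter sizes, the seeds, the helper names and the omission of the Pollard lambda step (which the paper uses to extend the range beyond the smooth part) are all assumptions of this example.

```python
"""Short-exponent Diffie-Hellman and the partial Pohlig-Hellman step.

Added example, not code from the paper above.  It builds a toy 'random'
DH prime p whose p-1 has many small prime factors, recovers a short
exponent from only those factors (the partial Pohlig-Hellman decomposition),
and shows that moving to the subgroup of large prime order q blocks it.
Pollard's lambda step, which the paper uses to extend the range, is omitted.
Parameter sizes are deliberately tiny (40-bit q, ~100-bit p).
"""
import random

SMALL_PRIMES = [2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37, 41, 43, 47]
EXPONENT_BITS = 40   # "short" exponent; the smooth part S of p-1 is ~59 bits


def is_probable_prime(n: int) -> bool:
    """Miller-Rabin with fixed bases (deterministic below 3.3e24, otherwise
    probabilistic with negligible error)."""
    if n < 2:
        return False
    for b in SMALL_PRIMES:
        if n % b == 0:
            return n == b
    d, s = n - 1, 0
    while d % 2 == 0:
        d //= 2
        s += 1
    for a in [2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37]:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True


def make_parameters(seed: int = 1):
    """Constructed parameters: p = S*q + 1 with S = product of SMALL_PRIMES
    (the smooth part an attacker exploits) and q a 40-bit prime.  Returns
    (p, S, q, g) with g a generator of the full group Z_p^*."""
    S = 1
    for r in SMALL_PRIMES:
        S *= r
    rng = random.Random(seed)
    while True:
        q = rng.getrandbits(40) | (1 << 39) | 1
        if is_probable_prime(q) and is_probable_prime(S * q + 1):
            break
    p = S * q + 1
    for g in range(2, p):
        # full order <=> g^((p-1)/r) != 1 for every prime r dividing p-1
        if all(pow(g, (p - 1) // r, p) != 1 for r in SMALL_PRIMES + [q]):
            return p, S, q, g


def crt(residues, moduli):
    """Combine x mod m_i (pairwise coprime m_i) into x mod prod(m_i)."""
    x, M = 0, 1
    for r, m in zip(residues, moduli):
        t = (r - x) * pow(M, -1, m) % m
        x += M * t
        M *= m
    return x % M


def partial_pohlig_hellman(p, g, y):
    """Given y = g^x mod p, learn x modulo every small prime r | p-1 by
    projecting into the order-r subgroup and brute-forcing it.  Returns
    (x mod M, M) where M is the product of the primes that leaked;
    (None, 1) means nothing was learned."""
    residues, moduli = [], []
    for r in SMALL_PRIMES:
        e = (p - 1) // r
        g_r, y_r = pow(g, e, p), pow(y, e, p)
        if g_r == 1:                 # g has no component of order r
            continue
        for k in range(r):           # tiny subgroup: exhaustive search
            if pow(g_r, k, p) == y_r:
                residues.append(k)
                moduli.append(r)
                break
    if not moduli:
        return None, 1
    M = 1
    for m in moduli:
        M *= m
    return crt(residues, moduli), M


def recover_short_exponent(p, g, y, bits=EXPONENT_BITS):
    """Full recovery succeeds when the leaked modulus M is at least 2^bits:
    then x < 2^bits <= M, so x mod M is x itself."""
    x_mod_m, m = partial_pohlig_hellman(p, g, y)
    if x_mod_m is not None and m >= 1 << bits:
        return x_mod_m
    return None


def demo(seed: int = 7):
    """Returns (naive_exponent_recovered, prime_order_subgroup_resists)."""
    p, S, q, g = make_parameters()
    x = random.Random(seed).getrandbits(EXPONENT_BITS)
    # (a) 'random' prime, full-order generator, short exponent: x leaks
    naive_ok = recover_short_exponent(p, g, pow(g, x, p)) == x
    # (b) countermeasure: generator g^S of the subgroup of prime order q;
    #     every projection y^((p-1)/r) is then 1 and the attack learns nothing
    g_q = pow(g, S, p)
    subgroup_ok = recover_short_exponent(p, g_q, pow(g_q, x, p)) is None
    return naive_ok, subgroup_ok


if __name__ == "__main__":
    print(demo())
```

Running `demo()` returns `(True, True)`: with a full-order generator the 40-bit exponent is recovered from the 59-bit smooth part of p-1 without ever touching the large factor q, while the same exponent under a generator of the order-q subgroup gives the attack no foothold. This is exactly why the recommended fix costs nothing: the exponent can stay short, only the generator changes.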
Authentication and Payment in Future Mobile Systems
Cited by 31 (2 self)
This article presents an efficient public-key protocol for mutual authentication and key exchange designed for third generation mobile communications systems. The paper also demonstrates how a micropayment scheme can be integrated into the authentication protocol; this payment protocol allows for the provision of incontestable charging. The problem of establishing authenticated public keys through cross-certification is addressed.
On Key Agreement and Conference Key Agreement
- Information Security and Privacy: Australasian Conference, LNCS(1270):294–302
, 1997
Cited by 21 (1 self)
An attack is demonstrated on a previously proposed class of key agreement protocols. Analysis of the attack reveals that a small change in the construction of the protocols is sufficient to prevent the attack. The insight gained allows a generalisation of the class to a new design for conference key agreement protocols.
A Class of Flexible and Efficient Key Management Protocols
- In Proc. 9th IEEE Computer Security Foundations Workshop
, 1996
Cited by 13 (2 self)
Cryptographic protocols for key establishment normally include some means to allow participants to ensure that a key is new and not replayed from an old protocol run. When the key is generated by a mutually trusted server this is usually achieved by sending with the key a quantity known to be new. A different general method for achieving freshness in this context is proposed. A number of specific example protocols are given which have some practical advantages over previously published protocols.
Efficient Scalable Fair Cash with Off-line Extortion Prevention
- Lecture Notes in Computer Science
, 1997
Cited by 12 (0 self)
There have been many proposals to realize anonymous electronic cash. Although these systems offer high privacy to the users, they have the disadvantage that the anonymity might be misused by criminals to commit perfect crimes. The recent research focuses therefore on the realization of fair electronic cash systems where the anonymity of the coins is revocable by a trustee in the case of fraudulent users. In this paper, we propose a new efficient fair cash system which offers scalable security with respect to its efficiency. Our system prevents extortion attacks, like blackmailing or the use of blindfolding protocols under off-line payments and with the involvement of the trustee only at registration of the users. Another advantage is that it is assembled from well studied cryptographic techniques, such that its security can easily be evaluated. The strength of this approach is clearly its simplicity. Although it might astonish the reader that the design matters little from existing...
An observation on associative one-way functions in complexity theory
- Information Processing Letters
, 1997
Cited by 10 (0 self)
We introduce the notion of associative one-way functions and prove that they exist if and only if P ≠ NP. As evidence of their utility, we present two novel protocols that apply strong forms of these functions to achieve secret key agreement and digital signatures.
Copyright C
- In Proc. of Network and Distributed System Security Symposium (NDSS)
, 1996
Corporate network firewalls are well-understood and are becoming commonplace. These firewalls establish a security perimeter that aims to block (or heavily restrict) both incoming and outgoing network communication. We argue that these firewalls are neither effective nor appropriate for academic or corporate research environments needing to maintain information security while still supporting the free exchange of ideas. In this paper, we present the Stanford University Research Firewall (SURF), a network firewall design that is suitable for a research environment. While still protecting information and computing resources behind the firewall, this firewall is less restrictive of outward information flow than the traditional model; can be easily deployed; and can give internal users the illusion of unrestricted e-mail, anonymous FTP, and WWW connectivity to the greater Internet. Our experience demonstrates that an adequate firewall for a research environment can be constructed for minim...

