Abstract. Fingerprinting schemes are technical means to discourage people from illegally redistributing the digital data they have legally purchased. These schemes enable the original merchant to identify the original buyer of the digital data. In so-called asymmetric fingerprinting schemes the fingerprinted data item is only known to the buyer after a sale and if the merchant finds an illegally redistributed copy, he obtains a proof convincing a third party whom this copy belonged to. All these fingerprinting schemes require the buyers to identify themselves just for the purpose of fingerprinting and thus offer the buyers no privacy. Hence anonymous asymmetric fingerprinting schemes were introduced, which preserve the anonymity of the buyers as long as they do not redistribute the data item. In this paper a new anonymous fingerprinting scheme based on the principles of digital coins is introduced. The construction replaces the general zero-knowledge techniques from the known certificate-based construction by explicit protocols, thus bringing anonymous fingerprinting far nearer to practicality. 1

The security of many cryptographic constructions relies on assumptions related to Discrete Logarithms (DL), e.g., the Di#e-Hellman, Square Exponent, Inverse Exponent or Representation Problem assumptions. In the concrete formalizations of these assumptions one has some degrees of freedom o#ered by parameters such as computational model, problem type (computational, decisional) or success probability of adversary. However, these parameters and their impact are often not properly considered or are simply overlooked in the existing literature.

Group signatures allow members of a group to sign anonymously on group's behalf. However, in exceptional cases, the anonymity can be revoked by a group manager. One of the most difficult tasks in developing group signature schemes is to prevent coalition attacks: malicious collusions of group members that produce untraceable signatures. This paper describes coalition attacks against some recently proposed group signature schemes. It also presents a candidate scheme resistant against coalition attacks; its security is based on a widely accepted number-theoretic assumption. The paper also includes a survey of notable group signature schemes.

Fingerprinting schemes support copyright protection by enabling the merchant of a data item to

Probably the most successful application of blind signatures is electronic cash. In order to avoid multiple copies of the same electronic coin, one-time blind signatures are of particular importance, i.e., a recipient can obtain a signature for at most one message from each interaction with a signer. In offine electronic cash, customers who spend their electronic coins more than a specified number of times should get identified at least after the fact. This can be ensured by one-time restrictive blind signatures. Another important application of blind signatures are untraceable membership cards that can be used arbitrarily often, but only by their respective owners. An efficient cryptographic approach was presented at the Information Hiding Workshop '98. At its heart, a special signature scheme is specified and used for which no implementation has been given yet. It turns out that many-time restrictive blind signatures meet this specification. We present a first implementation of this n...