Classical cryptographic protocols based on user-chosen keys allow an attacker to mount password-guessing attacks. We introduce a novel combination of asymmetric (public-key) and symmetric (secret-key) cryptography that allow two parties sharing a common password to exchange confidential and authenticated information over an insecure network. These protocols are secure against active attacks, and have the property that the password is protected against off-line "dictionary" attacks. There are a number of other useful applications as well, including secure public telephones.

An "electronic coin scheme" as defined by Chaum, Fiat, and Naor [5] is a collection of protocols to achieve untraceable, unforgeable coins with offline purchasing; this is the minimum set of properties to make electronic money useful. We give a new electronic coin scheme that is simple and practical. Withdrawal requires only two rounds of interaction, while purchase and deposit are non-interactive; all previous efficient cash schemes require interaction (cut-and-choose) for purchases. Moreover, messages during purchase and deposit contain only a few encrypted values, independent of the tolerable probability of cheating. We present a security model for electronic coins, and prove the security of our scheme relative to certain specific cryptographic assumptions (hardness of Discrete Log and possibility of secure blind signature). TR CUCS-018-92 Partially supported by an AT&T Bell Laboratories Scholarship 1 Introduction Six desirable properties of electronic money are stated by Okamo...

) Thomas Hardjono 1 ? and Yuliang Zheng 2 ?? 1 ATR Communications Research Laboratories 2-2 Hikaridai, Seika-Cho, Soraku-gun, Kyoto 619-02, Japan 2 Department of Computer Science, University of Wollongong, Australia Abstract. This paper proposes a practical digital multisignature scheme based on the C ? sig cryptosystem derived from the Csig cryptosystem of Zheng and Seberry (1993). The simple scheme consists of three phases. In the first phase the issuer of the document prepares the document, the list of prospective signatories and a pad on which signatories are to write their signatures. In the second phase each signatory verifies the document, signs it and forwards it to the next signatory. In the third phase a trusted verifier or notary decides on the validity of the signatures. The scheme prevents cheating by dishonest signatories from going undetected. The scheme is practical and offers at least the same security level afforded by its underlying cryptosystem against extern...