Variations of Diffie-Hellman Problem
- In ICICS ’03, volume 2836 of LNCS, 2003
- Cited by 22 (1 self)
This paper studies various computational and decisional Diffie-Hellman problems by providing reductions among them in the high granularity setting. We show that all three variations of the computational Diffie-Hellman problem (the square Diffie-Hellman problem, the inverse Diffie-Hellman problem and the divisible Diffie-Hellman problem) are equivalent with optimal reduction. We also consider variations of the decisional Diffie-Hellman problem in the single-sample and polynomial-samples settings, and we are able to show that all variations are equivalent except for the implication DDH ⇐ SDDH. We are not able to prove or disprove this statement, and thus leave it as an interesting open problem. Keywords: Diffie-Hellman problem, Square Diffie-Hellman problem, Inverse Diffie-Hellman problem, Divisible Diffie-Hellman problem

Assumptions Related to Discrete Logarithms: Why Subtleties Make a Real Difference
- Advances in Cryptology-Eurocrypt 2001, LNCS 2045, 2002
- Cited by 16 (1 self)
The security of many cryptographic constructions relies on assumptions related to Discrete Logarithms (DL), e.g., the Diffie-Hellman, Square Exponent, Inverse Exponent or Representation Problem assumptions. In the concrete formalizations of these assumptions one has some degrees of freedom offered by parameters such as computational model, problem type (computational, decisional) or success probability of the adversary. However, these parameters and their impact are often not properly considered or are simply overlooked in the existing literature.

Cryptographic primitives enforcing communication and storage complexity
- In Financial Cryptography (FC 2002), 2003
- Cited by 14 (0 self)
We introduce a new type of cryptographic primitives which enforce high communication or storage complexity. Intuitively, to evaluate these primitives on a random input one has to engage in a protocol of high communication complexity, or one has to use a lot of storage. Therefore, the ability to compute these primitives constitutes a certain “proof of work,” because the computing party is forced to contribute a lot of its communication or storage resources to this task. Such primitives can be used in applications which deal with non-malicious but selfishly resource-maximizing parties. For example, they can be useful in constructing peer-to-peer systems which are robust against so-called “free riders.” In this paper we define two such primitives, a communication-enforcing signature and a storage-enforcing commitment scheme, and we give constructions for both.

Strong Forward Security
- In: IFIP-SEC ’01 Conference, Kluwer, 2001
- Cited by 3 (1 self)
Forward security has been proposed as a method to minimize the consequences of key exposure. In this paper we analyze this method and consider a vulnerability which is due to the fact that the exposure may not have been detected. All forward secure cryptosystems proposed so far are vulnerable during the period between key exposure and its detection. We consider the notion of strong forward security, in which cryptographically processed data is protected not only for the periods prior to key exposure but also after key exposure, and present two applications with this novel property: a basic public key cryptosystem and an ElGamal-based key escrow scheme. Keywords: Forward security, key update, intrusion detection. Research supported by the Secretariat of Research and Technology of Greece.

Funkspiel Schemes: An Alternative to Conventional Tamper Resistance
- In ACM CCS, 2000
- Cited by 3 (0 self)
We investigate a simple method of fraud management for secure devices that may serve as an alternative or complement to conventional hardware-based tamper resistance. Under normal operating conditions in our scheme, a secure device includes an authentication code in its communications, e.g., in the digital signatures it issues. This code may be verified by a fraud management center under a pre-determined key . When the device detects an attempted break-in, it modifies . This results in a change to the authentication codes issued by the device such that the fraud management center can detect the apparent break-in. Hence, in contrast to the case with typical tamper-resistance schemes, the deployer of our proposed scheme seeks to trace break-ins, rather than prevent them. In reference to the wartime practice of physically capturing and subverting underground radio transmitters, a practice analogous to the capture and use of secret information on secure devices, we denote this idea by the German term funkspiel, meaning "radio game." One challenge in constructing a funkspiel scheme is to ensure that an attacker privy to the authentication codes of the secure device both before and after the break-in, as well as the secrets of the device following the break-in, cannot detect the alteration to . Additional challenges involve minimizing the communication and computation overhead, the requirement for use of shared secrets, and the state information associated with the authentication codes. We present several simple and practical schemes in this paper.

Equitability in Retroactive Data Confiscation versus Proactive Key Escrow
- 4th International Workshop on Practice and Theory in Public Key Cryptography, PKC2003, Proceedings, LNCS, 1992
- Cited by 2 (1 self)
The British Regulations of Investigatory Powers (RIP) Act 2000 is one of the first modern bills for mandatory disclosure of protected data in a democratic country. In this paper we compare this bill from a technical point of view with the US key escrow proposal (EES) and its variants and then, more generally, we compare the merits of data confiscation vs key escrow. A major problem with key escrow is that once a private key is recovered it can be used to decipher ciphertexts which were sent well before a warrant was issued (or after its expiration). Several alternative key escrow systems have been proposed in the literature to address this issue. These are equitable, in the sense that the control of society over the individual and the control of the individual over society are fairly shared. We show that equitability is much easier to achieve with data confiscation than with key escrow. Consequently, although the RIP act was heavily criticized in the press and on the internet, it inherently maintains a better level of privacy than key escrow. Finally we present some practical deniable decryption variants of popular public key systems. Key words: RIP, key escrow, data confiscation.

Uncoercible e-Bidding Games
- Electronic Commerce Research, 2004
- Cited by 2 (0 self)
The notion of uncoercibility was first introduced in e-voting systems to deal with the coercion of voters. However, this notion extends to many other e-systems for which the privacy of users must be protected, even if the users wish to undermine their own privacy. In this paper we consider uncoercible e-bidding games. We discuss necessary requirements for uncoercibility, and present a general uncoercible e-bidding game that distributes the bidding procedure between the bidder and a tamper-resistant token in a verifiable way. We then show how this general game can be used to design provably uncoercible e-auctions and e-elections. Finally, we discuss the practical consequences of uncoercibility in other areas of e-commerce.

Security or Privacy, Must We Choose?
- Cited by 1 (0 self)
Hardly a day passes without reports of new threats in or about the Internet. Denial of service, worms, viruses, spam, and divulged credit card information highlight the major security threats. At the same time, we are bombarded by reports that privacy is at the greatest risk of all time, caused by the massive ability to store and search information and to trace activities across the Internet. In this paper, we address issues of conflict that exist between security mechanisms and privacy, including the tradeoffs from a public safety and well-being standpoint, and the technology that can facilitate a suitable balance between privacy and protection priorities. The recent brutal attacks at the World Trade Center and the Pentagon on Sept 11, 2001, confirm the connection between security, privacy, and public safety. To protect our liberties and freedoms it is therefore essential that we adopt a holistic security approach.

Publicly Verifiable Key Escrow with Limited Time Span
- 1999
- Cited by 1 (0 self)
Limiting escrow activity in time has been an important requirement for key escrow systems. Recently two protocols were proposed for limited time span key escrow and contract bidding. We investigate the proposed protocols, bring out certain issues that were neglected in the proposal and amend it in a manner that these issues will be dealt with. Our proposal does not require tamper proofness for security of the system and assumes minimal trust in the trustees of the system to achieve a more robust scheme. The importance of publicly verifiable proofs is highlighted in this paper.

A Tool Box of Cryptographic Functions related to the Diffie-Hellman Function
- Indocrypt'01, Lecture Notes Comp. Science 2247
- Cited by 1 (1 self)
Given a cyclic group $G$ and a generator $g$, the Diffie-Hellman function (DH) maps two group elements $(g^a, g^b)$ to $g^{ab}$. For many groups $G$ this function is assumed to be hard to compute. We generalize this function to the $P$-Diffie-Hellman function (P-DH) that maps two group elements $(g^a, g^b)$ to $g^{P(a,b)}$ for a (non-linear) polynomial $P$ in $a$ and $b$.


