Results 11 - 20 of 138
Provably Secure Blind Signature Schemes
1996
Cited by 63 (10 self)
Abstract
In this paper, we give a provably secure design for blind signatures, the most important ingredient for anonymity in off-line electronic cash systems. Previous examples of blind signature schemes were constructed from traditional signature schemes with only the additional proof of blindness. The design of some of the underlying signature schemes can be validated by a proof in the so-called random oracle model, but the security of the original signature scheme does not, by itself, imply the security of the blind version. In this paper, we first propose a definition of security for blind signatures, with application to electronic cash. Next, we focus on a specific example which can be successfully transformed in a provably secure blind signature scheme.
Practical Multi-Candidate Election System
In PODC, 2001
Cited by 62 (7 self)
Abstract
The aim of electronic voting schemes is to provide a set of protocols that allow voters to cast ballots while a group of authorities collect the votes and output the final tally. In this paper we describe a practical multi-candidate election scheme that guarantees privacy of voters, public verifiability, and robustness against a coalition of malicious authorities. Furthermore, we address the problem of receipt-freeness and incoercibility of voters. Our new scheme is based on the Paillier cryptosystem and on some related zero-knowledge proof techniques. The voting schemes are very practical and can be efficiently implemented in a real system.
Keywords: Homomorphic cryptosystems, High-Residuosity Assumption, Practical Voting scheme, threshold cryptography
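The abstract above names the mechanism (a homomorphic Paillier cryptosystem) without showing it. The following is an added example, not code from the paper or its authors: a toy Paillier tally in which each voter encrypts M^i for candidate i, with M larger than the number of voters, so that multiplying all ciphertexts adds the plaintexts and the decrypted total reads off as base-M digits. The M^i encoding, the toy primes, and the omission of the ballot-validity proofs and threshold decryption are all assumptions of this example.

```python
"""Homomorphic multi-candidate tally with Paillier (added example, not the
paper's code).  Each voter encrypts M**i for candidate i, where M exceeds the
number of voters; multiplying ciphertexts adds the plaintexts, so decrypting
the product yields the tally as base-M digits.  The zero-knowledge proofs that
a ballot really encrypts some M**i, and the threshold decryption, are omitted.
"""
import math
import secrets

# Toy key: two well-known primes (assumed here; far too small for real use).
P, Q = 1000000007, 998244353


def _L(u, n):
    """Paillier's L function: L(u) = (u - 1) / n for u = 1 mod n."""
    return (u - 1) // n


def keygen(p=P, q=Q):
    n = p * q
    lam = (p - 1) * (q - 1) // math.gcd(p - 1, q - 1)   # lcm(p-1, q-1)
    g = n + 1                                            # standard choice of g
    mu = pow(_L(pow(g, lam, n * n), n), -1, n)
    return (n, g), (lam, mu)


def encrypt(pk, m):
    n, g = pk
    while True:                                          # random r coprime to n
        r = secrets.randbelow(n - 1) + 1
        if math.gcd(r, n) == 1:
            break
    return pow(g, m, n * n) * pow(r, n, n * n) % (n * n)


def decrypt(pk, sk, c):
    n, _ = pk
    lam, mu = sk
    return _L(pow(c, lam, n * n), n) * mu % n


def ballot(pk, candidate, n_candidates, base):
    """Encrypt base**candidate; a real scheme attaches a ZK proof of this form."""
    if not 0 <= candidate < n_candidates:
        raise ValueError("invalid candidate index")
    return encrypt(pk, base ** candidate)


def tally(pk, sk, ballots, n_candidates, base):
    n, _ = pk
    if base ** n_candidates > n:
        raise ValueError("encoding does not fit in the plaintext space")
    acc = 1
    for c in ballots:
        acc = acc * c % (n * n)                          # homomorphic addition
    total = decrypt(pk, sk, acc)
    return [(total // base ** i) % base for i in range(n_candidates)]


def run_election(votes, n_candidates):
    """votes: list of candidate indices (constructed sample input in the test)."""
    base = len(votes) + 1          # M > number of voters, so digits never carry
    pk, sk = keygen()
    ballots = [ballot(pk, v, n_candidates, base) for v in votes]
    return tally(pk, sk, ballots, n_candidates, base)


if __name__ == "__main__":
    print(run_election([0, 1, 1, 2, 1, 0, 1], 3))
```

The authorities never see an individual plaintext: only the product of all ballots is decrypted. Without the (omitted) proof that each ciphertext encrypts one of the allowed values M^i, a voter could encrypt, say, 5*M^1 and cast five votes at once, which is exactly why the paper pairs the cryptosystem with zero-knowledge proofs.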
Forward-secure signatures with optimal signing and verifying
2001
Cited by 60 (4 self)
Abstract
We propose the first forward-secure signature scheme for which both signing and verifying are as efficient as for one of the most efficient ordinary signature schemes (Guillou-Quisquater [GQ88]), each requiring just two modular exponentiations with a short exponent. All previously proposed forward-secure signature schemes took significantly longer to sign and verify than ordinary signature schemes. Our scheme requires only fractional increases to the sizes of keys and signatures, and no additional public storage. Like the underlying [GQ88] scheme, our scheme is provably secure in the random oracle model.
Authenticated Multi-Party Key Agreement
1996
Cited by 60 (2 self)
Abstract
We examine multi-party key agreement protocols that provide (i) key authentication, (ii) key confirmation and (iii) forward secrecy. Several minor (repairable) attacks are presented against previous two-party key agreement schemes and a model for key agreement is presented that provably provides the properties listed above. A generalization of the Burmester-Desmedt model (Eurocrypt '94) for multi-party key agreement is given, allowing a transformation of any two-party key agreement scheme into a multi-party scheme. Multi-party schemes (based on the general model and two specific 2-party schemes) are presented that reduce the number of rounds required for key computation compared to the specific Burmester-Desmedt scheme. It is also shown how the specific Burmester-Desmedt scheme fails to provide key authentication.
1991 AMS Classification: 94A60. CR Categories: D.4.6.
Key Words: multi-party, key agreement, key authentication, key confirmation, forward secrecy.
Carleton University, Sc...
A Key Recovery Attack on Discrete Log-based Schemes Using a Prime Order Subgroup
1997
Cited by 56 (2 self)
Abstract
Consider the well-known oracle attack: Somehow one gets a certain computation result as a function of a secret key from the secret key owner and tries to extract some information on the secret key. This attacking scenario is well understood in the cryptographic community. However, there are many protocols based on the discrete logarithm problem that turn out to leak many of the secret key bits from this oracle attack, unless suitable checkings are carried out. In this paper we present a key recovery attack on various discrete log-based schemes working in a prime order subgroup. Our attack can disclose part of, or the whole secret key in most Diffie-Hellman-type key exchange protocols and some applications of ElGamal encryption and signature schemes.
Key Words: Key recovery attack, Discrete logarithms, Key exchange, Digital signatures.
1 Introduction
Many cryptographic protocols have been developed based on the discrete logarithm problem. The main objective of developers is to design...
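The oracle attack the abstract describes is worth seeing end to end. The following is an added example, not code from the paper: a victim holds a Diffie-Hellman secret x in a prime-order-q subgroup of Z_p^*, where p - 1 = q*h and the cofactor h has small prime factors. The example assumes the victim raises whatever the peer sends to x and then emits a SHA-256 key-confirmation tag over the result (the "leak"); an attacker who sends an element of small order r learns x mod r from that tag, and recovers x by CRT over several such r. The "suitable checking" from the abstract is the y^q = 1 (mod p) membership test, shown rejecting the same probe. The parameters (q = 10007, the cofactor built from the first six primes) are constructed for the demo.

```python
"""Small-subgroup key-recovery demo (added example, not code from the paper).
The victim computes y**x for a peer-supplied y and leaks H(y**x).  Elements of
small order r make y**x take only r values, so x mod r is found by brute force.
Checking y**q == 1 mod p before use (the fix) rejects every such probe.
"""
import hashlib

SMALL_PRIMES = [2, 3, 5, 7, 11, 13]            # product 30030 > q used below
MR_BASES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)


def is_prime(n):
    """Miller-Rabin; deterministic for n < 3.3e24 with these bases."""
    if n < 2:
        return False
    for b in MR_BASES:
        if n % b == 0:
            return n == b
    d, s = n - 1, 0
    while d % 2 == 0:
        d //= 2
        s += 1
    for a in MR_BASES:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True


def make_params(q):
    """Return (p, h, g): p = q*h + 1 prime, SMALL_PRIMES all divide h, g of order q."""
    h0 = 1
    for r in SMALL_PRIMES:
        h0 *= r
    m = 1
    while not is_prime(q * h0 * m + 1):
        m += 1
    p, h = q * h0 * m + 1, h0 * m
    a = 2
    while pow(a, h, p) == 1:                   # a**h has order q unless it is 1
        a += 1
    return p, h, pow(a, h, p)


def confirm_tag(k, p):
    """Constructed leak model: a key-confirmation value H(shared secret)."""
    return hashlib.sha256(k.to_bytes((p.bit_length() + 7) // 8, "big")).digest()


def victim_respond(y, x, p, q, check_subgroup):
    """Victim raises the peer value to its secret x and returns the tag."""
    if check_subgroup and (not 1 < y < p - 1 or pow(y, q, p) != 1):
        raise ValueError("peer value is not in the prime-order subgroup")
    return confirm_tag(pow(y, x, p), p)


def element_of_order(r, p):
    """An element of exact prime order r, given r | p - 1."""
    a = 2
    while pow(a, (p - 1) // r, p) == 1:
        a += 1
    return pow(a, (p - 1) // r, p)


def recover_secret(oracle, p):
    """One oracle query per small prime r gives x mod r; CRT combines them."""
    residues = []
    for r in SMALL_PRIMES:
        z = element_of_order(r, p)
        tag = oracle(z)                        # leaks H(z**x) = H(z**(x mod r))
        j = next(j for j in range(r) if confirm_tag(pow(z, j, p), p) == tag)
        residues.append((j, r))
    x, mod = residues[0]
    for j, r in residues[1:]:                  # lift x so that x = j (mod r)
        t = ((j - x) * pow(mod, -1, r)) % r
        x += mod * t
        mod *= r
    return x, mod                              # x is the secret modulo mod


def demo(q=10007, secret=4242):
    p, h, g = make_params(q)
    leaky = lambda y: victim_respond(y, secret, p, q, check_subgroup=False)
    recovered, mod = recover_secret(leaky, p)
    try:                                       # same probe against the fixed victim
        victim_respond(element_of_order(3, p), secret, p, q, check_subgroup=True)
        rejected = False
    except ValueError:
        rejected = True
    return {"p": p, "recovered": recovered, "modulus": mod, "rejected": rejected}


if __name__ == "__main__":
    print(demo())
```

Six queries suffice here because the product of the probed orders exceeds q, so x mod 30030 is x itself; with a larger q the attack still yields the low-order residues, and the remaining bits fall to a smaller brute force. The same membership check (or, where applicable, cofactor multiplication) belongs in any code that exponentiates a received group element by a long-term secret.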
Another Look at “Provable Security”
2004
Cited by 47 (10 self)
Abstract
We give an informal analysis and critique of several typical “provable security” results. In some cases there are intuitive but convincing arguments for rejecting the conclusions suggested by the formal terminology and “proofs,” whereas in other cases the formalism seems to be consistent with common sense. We discuss the reasons why the search for mathematically convincing theoretical evidence to support the security of public-key systems has been an important theme of researchers. But we argue that the theorem-proof paradigm of theoretical mathematics is often of limited relevance here and frequently leads to papers that are confusing and misleading. Because our paper is aimed at the general mathematical public, it is self-contained and as jargon-free as possible.
Indifferentiability, impossibility results on reductions, and applications to the random oracle methodology
Theory of Cryptography - TCC 2004, Lecture Notes in Computer Science, 2004
Cited by 44 (2 self)
Abstract
The goals of this paper are three-fold. First we introduce and motivate a generalization of the fundamental concept of the indistinguishability of two systems, called indifferentiability. This immediately leads to a generalization of the related notion of reducibility of one system to another. Second, we prove that indifferentiability is the necessary and sufficient condition on two systems S and T such that the security of any cryptosystem using T as a component is not affected when T is substituted by S. In contrast to indistinguishability, indifferentiability is applicable in settings where a possible adversary is assumed to have access to additional information about the internal state of the involved systems, for instance the public parameter selecting a member from a family of hash functions. Third, we state an easily verifiable criterion for a system U not to be reducible (according to our generalized definition) to another system V and, as an application, prove that a random oracle is not reducible to a weaker primitive, called asynchronous beacon, and also that an asynchronous beacon is not reducible to a finite-length random string. Each of these irreducibility results alone implies the main theorem of Canetti, Goldreich and Halevi stating that there exist cryptosystems that are secure in the random oracle model but for which replacing the random oracle by any implementation leads to an insecure cryptosystem.
Key words: Indistinguishability, reductions, indifferentiability, security proofs, random oracle methodology, hash functions.
An Efficient Existentially Unforgeable Signature Scheme and its Applications
Journal of Cryptology, 1994
Cited by 42 (5 self)
Abstract
A signature scheme is existentially unforgeable if, given any polynomial (in the security parameter) number of pairs $(m_1, S(m_1)), (m_2, S(m_2)), \ldots, (m_k, S(m_k))$, where $S(m)$ denotes the signature on the message $m$, it is computationally infeasible to generate a pair $(m_{k+1}, S(m_{k+1}))$ for any message $m_{k+1} \notin \{m_1, \ldots, m_k\}$. We present an existentially unforgeable signature scheme that for a reasonable setting of parameters requires at most 6 times the amount of time needed to generate a signature using "plain" RSA (which is not existentially unforgeable). We point out applications where our scheme is desirable.
Preliminary version appeared in Crypto'94. IBM Research Division, Almaden Research Center, 650 Harry Road, San Jose, CA 95120. Research supported by a BSF Grant 32-00032-1. E-mail: dwork@almaden.ibm.com. Incumbent of the Morris and Rose Goldman Career Development Chair, Dept. of Applied Mathematics and Computer Science, Weizmann Institute of Science, Re...
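The abstract states the definition and notes that "plain" RSA fails it. The following added example (not code from the paper) shows the failure concretely: with textbook RSA, two signed pairs give a valid signature on their product, and even zero queries give a valid pair by choosing the signature first. Beside it is a hash-then-sign variant, included as a contrast and not as the paper's scheme, where the same multiplication yields an exponent-e root of H(m1)H(m2) but no message that hashes to it. The toy primes and the SHA-256-mod-N hash are assumptions of this example.

```python
"""Existential forgery against textbook RSA signatures, beside a hash-then-sign
variant that resists the same trick.  Added example, not code from the paper.
"""
import hashlib

# Toy key from two well-known primes (assumed here; real keys are far larger).
P, Q = 1000000007, 998244353
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))


def plain_sign(m):
    """'Plain' RSA: S(m) = m^d mod N, no hashing or padding."""
    return pow(m, D, N)


def plain_verify(m, s):
    return pow(s, E, N) == m % N


def forge_by_multiplying(m1, s1, m2, s2):
    """Given two valid pairs, produce a valid pair for m1*m2 mod N (a new message)."""
    return (m1 * m2) % N, (s1 * s2) % N


def forge_from_nothing(s):
    """Zero-query forgery: any s is a valid signature on m = s^e mod N."""
    return pow(s, E, N), s


def H(msg: bytes) -> int:
    """Toy full-domain hash into Z_N: SHA-256 reduced mod N (assumption)."""
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % N


def hashed_sign(msg: bytes):
    return pow(H(msg), D, N)


def hashed_verify(msg: bytes, s):
    return pow(s, E, N) == H(msg)


def hashed_forgery_attempt(msg1: bytes, msg2: bytes):
    """Multiply two hashed signatures and try them on the concatenated message.
    s^e equals H(msg1)*H(msg2) mod N, so s only 'signs' that hash value; turning
    it into a forgery needs a message hashing to it, i.e. a preimage."""
    s = hashed_sign(msg1) * hashed_sign(msg2) % N
    return hashed_verify(msg1 + msg2, s)


if __name__ == "__main__":
    m1, m2 = 123456789, 987654321                 # constructed sample messages
    s1, s2 = plain_sign(m1), plain_sign(m2)
    m3, s3 = forge_by_multiplying(m1, s1, m2, s2)
    print("plain RSA forgery verifies:", plain_verify(m3, s3))
    print("hashed variant accepts product:", hashed_forgery_attempt(b"pay 10", b"pay 20"))
```

The point of the definition is that the forger chooses the message: m1*m2 may be meaningless, but an existentially unforgeable scheme must resist it anyway, since a protocol that signs integers (nonces, identifiers) cannot rely on forged values being rejected by a higher layer.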
Optimal Security Proofs for PSS and other Signature Schemes
2002
Cited by 40 (2 self)
Abstract
The Probabilistic Signature Scheme (PSS) designed by Bellare and Rogaway is a signature scheme provably secure against chosen message attacks in the random oracle model, whose security can be tightly related to the security of RSA. We derive a new security proof for PSS in which a much shorter random salt is used to achieve the same security level, namely we show that $\log_2 q_{\mathrm{sig}}$ bits suffice, where $q_{\mathrm{sig}}$ is the number of signature queries made by the attacker. When PSS is used with message recovery, a better bandwidth is obtained because longer messages can now be recovered. In this paper, we also introduce a new technique for proving that the security proof of a signature scheme is optimal. In particular, we show that the size of the random salt that we have obtained for PSS is optimal: if less than $\log_2 q_{\mathrm{sig}}$ bits are used, then PSS is still provably secure but it cannot have a tight security proof.
How to break a practical MIX and design a new one
2000
Cited by 37 (0 self)
Abstract
A MIX net takes a list of ciphertexts $(c_1, \ldots, c_N)$ and outputs a permuted list of the plaintexts $(m_1, \ldots, m_N)$ without revealing the relationship between $(c_1, \ldots, c_N)$ and $(m_1, \ldots, m_N)$. This paper first shows that Jakobsson's MIX net of Eurocrypt'98, which was believed to be resilient and very efficient, is broken. We next propose an efficient $t$-resilient MIX net with $O(t^2)$ servers in which the cost of each MIX server is $O(N)$. Two new concepts are introduced, existential-honesty and limited-open-verification. They will be useful for distributed computation in general.