Results 1 - 10 of 21
Optimistic fair exchange of digital signatures - IEEE Journal on Selected Areas in Communications, 1998
Cited by 211 (10 self)
Abstract. We present a new protocol that allows two players to exchange digital signatures over the Internet in a fair way, so that either each player gets the other’s signature, or neither player does. The obvious application is where the signatures represent items of value, for example, an electronic check or airline ticket. The protocol can also be adapted to exchange encrypted data. The protocol relies on a trusted third party, but is “optimistic,” in that the third party is only needed in cases where one player attempts to cheat or simply crashes. A key feature of our protocol is that a player can always force a timely and fair termination, without the cooperation of the other player.
An efficient system for non-transferable anonymous credentials with optional anonymity revocation, 2001
Cited by 143 (3 self)
Abstract. A credential system is a system in which users can obtain credentials from organizations and demonstrate possession of these credentials. Such a system is anonymous when transactions carried out by the same user cannot be linked. An anonymous credential system is of significant practical relevance because it is the best means of providing privacy for users. In this paper we propose a practical anonymous credential system that is based on the strong RSA assumption and the decisional Diffie-Hellman assumption modulo a safe prime product and is considerably superior to existing ones: (1) We give the first practical solution that allows a user to unlinkably demonstrate possession of a credential as many times as necessary without involving the issuing organization. (2) To prevent misuse of anonymity, our scheme is the first to offer optional anonymity revocation for particular transactions. (3) Our scheme offers separability: all organizations can choose their cryptographic keys independently of each other. Moreover, we suggest more effective means of preventing users from sharing their credentials, by introducing all-or-nothing sharing: a user who allows a friend to use one of her credentials once, gives him the ability to use all of her credentials, i.e., taking over her identity. This is implemented by a new primitive, called circular encryption, which is of independent interest, and can be realized from any semantically secure cryptosystem in the random oracle model.
Digital Payment Systems with Passive Anonymity-Revoking Trustees - COMPUTER SECURITY - ESORICS 96, 1996
Cited by 63 (5 self)
Anonymity of the participants is an important requirement for some applications in electronic commerce, in particular for payment systems. Because anonymity could be in conflict with law enforcement, for instance in cases of blackmailing or money laundering, it has been proposed to design systems in which a trustee or a set of trustees can selectively revoke the anonymity of the participants involved in suspicious transactions. From an operational point of view, it can be an important requirement that such trustees are neither involved in payment transactions nor in the opening of an account, but only in case of a justified suspicion. In this paper we propose the first efficient anonymous digital payment systems satisfying this requirement. The described basic protocol for anonymity revocation can be used in on-line or off-line payment systems.
Provably Secure Blind Signature Schemes, 1996
Cited by 63 (10 self)
In this paper, we give a provably secure design for blind signatures, the most important ingredient for anonymity in off-line electronic cash systems. Previous examples of blind signature schemes were constructed from traditional signature schemes with only the additional proof of blindness. The design of some of the underlying signature schemes can be validated by a proof in the so-called random oracle model, but the security of the original signature scheme does not, by itself, imply the security of the blind version. In this paper, we first propose a definition of security for blind signatures, with application to electronic cash. Next, we focus on a specific example which can be successfully transformed into a provably secure blind signature scheme.
Fair Blind Signatures, 1995
Cited by 62 (5 self)
A blind signature scheme is a protocol for obtaining a signature from a signer such that the signer's view of the protocol cannot be linked to the resulting message-signature pair. Blind signature schemes are used in anonymous digital payment systems. Since the existing proposals of blind signature schemes provide perfect unlinkability, such payment systems could be misused by criminals, e.g. to safely obtain a ransom or to launder money. In this paper, a new type of blind signature schemes called fair blind signature schemes is proposed. Such schemes have the additional property that a trusted entity can deliver information allowing the signer to link his view of the protocol and the message-signature pair. Two types of fair blind signature schemes are distinguished and several realizations are presented. Keywords. Blind signatures, fair cryptosystems, electronic payment systems, cryptographic protocols. 1 Introduction The concept of a blind signature scheme was introduced by Chau...
Proof Systems for General Statements about Discrete Logarithms, 1997
Cited by 41 (4 self)
Proof systems for knowledge of discrete logarithms are an important primitive in cryptography. We identify the basic underlying techniques, generalize these techniques to prove linear relations among discrete logarithms, and propose a notation for describing complex and general statements about knowledge of discrete logarithms. This notation leads directly to a method for constructing efficient proof systems of knowledge. 1 Introduction Many complex cryptographic systems, such as payment systems (e.g. see [1, 2, 4]) and voting schemes [11], are based on the difficulty of the discrete logarithm problem. These systems make use of various minimum-disclosure proofs of statements about discrete logarithms [13, 7, 6, 10]. Typical examples are efficient proofs of knowledge of a discrete logarithm which are based on Schnorr's digital signature scheme [18] and systems for proving the equality of two discrete logarithms, as used in [8]. The goal of this paper is to identify the basic techniques...
Proofs of Knowledge for Non-Monotone Discrete-Log Formulae and Applications - Information Security (ISC 2002), volume 2433 of LNCS, 2002
Cited by 14 (0 self)
This paper addresses the problem of defining and providing proofs of knowledge for a general class of exponentiation-based formulae.
Cost-effective Payment Schemes with Privacy Regulation, 1996
Cited by 12 (2 self)
In this paper, we introduce a new electronic money methodology: sub-contracting the blinding to a trustee and using an Identity-based piece of information to achieve provable privacy and security. This variation on the Brickel, Gemmel and Kravitz paradigm [2] offers protection against various attacks minimizing user's computational requirement. Furthermore, our scheme...
Biometric yet Privacy Protecting Person Authentication - In Proceedings of 1998 Information Hiding Workshop (IHW 98), 1998
Cited by 10 (1 self)
Many eligibility or entitlement certificates in everyday life are non-transferable between persons. However, they are usually implemented by personal physical tokens that owners can easily pass around (e.g. credit card, driver's license). So there must either be negligible incentives to pass these certificates or the tokens around, or the tokens must allow to authenticate the persons who show certificates, e.g., by imprinted photographs. However, any kind of easily accessible personal identifying information threatens the owners' privacy. To solve these somehow paradoxical requirements, we assume for each owner a kind of pilot that is equipped with a tamper resistant biometric authentication facility. We draft cryptographic protocols for issuing and showing non-transferable yet privacy protecting certificates. Unforgeability of certificates relies on a well-established computational assumption, nontransferability relies upon a physical assumption and owners' privacy is protected unconditionally. Keywords: Non-transferable certificates, Wallets-with-observer, Blind Signatures, Interactive proofs, Biometric person authentication.

