Security Arguments for Digital Signatures and Blind Signatures
- JOURNAL OF CRYPTOLOGY
, 2000
Cited by 227 (34 self)
Since the appearance of public-key cryptography in the seminal Diffie-Hellman paper, many new schemes have been proposed and many have been broken. Thus, the
Publicly Verifiable Secret Sharing
, 1996
Cited by 105 (1 self)
A secret sharing scheme allows to share a secret among several participants such that only certain groups of them can recover it. Verifiable secret sharing has been proposed to achieve security against cheating participants. Its first realization had the special property that everybody, not only the participants, can verify that the shares are correctly distributed. We will call such schemes publicly verifiable secret sharing schemes, we discuss new applications to escrow cryptosystems and to payment systems with revocable anonymity, and we present two new realizations based on ElGamal's cryptosystem.
1 Introduction
A secret sharing scheme [20, 2] allows to split a secret into different pieces, called shares, which are given to the participants, such that only certain groups of them can recover the secret. The first secret sharing schemes have been threshold schemes, where only groups of more than a certain number of participants can recover the secret. Verifiable secret sharing (V...
Digital Payment Systems with Passive Anonymity-Revoking Trustees
- COMPUTER SECURITY - ESORICS 96
, 1996
Cited by 63 (5 self)
Anonymity of the participants is an important requirement for some applications in electronic commerce, in particular for payment systems. Because anonymity could be in conflict with law enforcement, for instance in cases of blackmailing or money laundering, it has been proposed to design systems in which a trustee or a set of trustees can selectively revoke the anonymity of the participants involved in suspicious transactions. From an operational point of view, it can be an important requirement that such trustees are neither involved in payment transactions nor in the opening of an account, but only in case of a justified suspicion. In this paper we propose the first efficient anonymous digital payment systems satisfying this requirement. The described basic protocol for anonymity revocation can be used in on-line or off-line payment systems.
Provably Secure Blind Signature Schemes
, 1996
Cited by 62 (10 self)
In this paper, we give a provably secure design for blind signatures, the most important ingredient for anonymity in off-line electronic cash systems. Previous examples of blind signature schemes were constructed from traditional signature schemes with only the additional proof of blindness. The design of some of the underlying signature schemes can be validated by a proof in the so-called random oracle model, but the security of the original signature scheme does not, by itself, imply the security of the blind version. In this paper, we first propose a definition of security for blind signatures, with application to electronic cash. Next, we focus on a specific example which can be successfully transformed in a provably secure blind signature scheme.
Self-certified keys - Concepts and Applications
- In Proc. Communications and Multimedia Security'97
, 1997
Cited by 26 (0 self)
The authenticity of public keys in an asymmetric cryptosystem can be gained in two different ways: either it is verified explicitly after knowing the public key and its certificate, e.g. X.509 certificates, or it is verified implicitly during the use of the keys. The latter concept has been introduced by Girault 1991 as self-certified keys. In this paper we extend this concept: We show how to issue self-certified keypairs under different trust levels and show how to use them in authentication trees. Then we demonstrate, how a user can switch his keys to enhance the security of his actual secret key against compromising. We illustrate the relevance of all concepts by discussing several useful applications. Among them are delegation of rights, delegated signatures, delegated encryption and electronic voting schemes. Furthermore, we propose a new non-interactive key exchange protocol, that provides backward and forward secrecy of session keys. Keywords Cryptography, public key infrastru...
Mix-based Electronic Payments
- SELECTED AREAS IN CRYPTOGRAPHY
, 1999
Cited by 20 (4 self)
We introduce a new payment architecture that limits the power of an attacker while providing the honest user with privacy. Our proposed method defends against all known attacks on the bank, implements revocable privacy, and results in an efficient scheme which is well-suited for smartcard-based payment schemes over the Internet.
Cryptovirology: Extortion-Based Security Threats and Countermeasures
- In Proceedings of the IEEE Symposium on Security and Privacy
, 1996
Cited by 18 (0 self)
Traditionally, cryptography and its applications are defensive in nature, and provide privacy, authentication, and security to users. In this paper we present the idea of Cryptovirology which employs a twist on cryptography, showing that it can also be used offensively. By being offensive we mean that it can be used to mount extortion based attacks that cause loss of access to information, loss of confidentiality, and information leakage, tasks which cryptography typically prevents. In this paper we analyze potential threats and attacks that rogue use of cryptography can cause when combined with rogue software (viruses, Trojan horses), and demonstrate them experimentally by presenting an implementation of a cryptovirus that we have tested (we took careful precautions in the process to insure that the virus remained contained). Public-key cryptography is essential to the attacks that we demonstrate (which we call "cryptovirological attacks"). We also suggest countermeasures and mechanis...
Distributed "Magic Ink" Signatures
- In Eurocrypt '97, LNCS 1233
, 1997
Cited by 17 (6 self)
The physical analog of "blind signatures" of Chaum is a document and a carbon paper put into an envelope, allowing the signer to transfer his signature onto the document by signing on the envelope, and without opening it. Only the receiver can present the signed document while the signer cannot "unblind" its signature and get the document signed. When an authority signs "access tokens", "electronic coins", "credentials" or "passports", it makes sense to assume that whereas the users can typically enjoy the disassociation of the blindly signed token and the token itself (i.e. anonymity and privacy), there may be cases which require "unblinding" of a signature by the signing authority itself (to establish what is known as "audit trail" and to "revoke anonymity" in case of criminal activity). This leads us to consider a new notion of signature with the following physical parallel: The signer places a piece of paper with a carbon paper on top in an envelope as before (but the document on...
Privacy vs. Authenticity
, 1997
Cited by 14 (4 self)
I Introduction
  A. The Need for Balanced E-Money Systems
    1. Outline
    2. What we achieve
    3. Avoiding abuse
    4. Method
    5. Tools for Privacy and Authenticity
    6. Tools for Robustness
  B. Related Work
II A Versatile and Efficient E-Money Scheme
  A. System Model ...
Applying Anti-Trust Policies to Increase Trust in a Versatile E-Money System
- Advances in Cryptology - Proceedings of Financial Cryptography '97
, 1997
Cited by 14 (6 self)
Due to business relationships, alliances, trust, and distribution of liability, distribution of power is an important issue in financial systems. At the same time as the security of the scheme is strengthened by this decentralization, the perception of the security is also strengthened, which is important from a business point of view. Furthermore, apart from increasing the security, client trust and availability of the system, distribution of power can also increase its functionality, as we demonstrate. We suggest an anti-trust mechanism, namely, a method for distribution of the centralized parties into many modules (potentially controlled by different entities), and apply it to a versatile electronic-money system. The method diffuses a task into distributed modules using recent cryptographic technology; doing so, it achieves increased security, privacy, availability and functionality without introducing any noticeable disadvantage. It uses Magic Ink Signatures [29], which are blind ...

