
1999 | Book

Financial Cryptography

Third International Conference, FC’99 Anguilla, British West Indies, February 22–25, 1999 Proceedings

Edited by: Matthew Franklin

Publisher: Springer Berlin Heidelberg

Book series: Lecture Notes in Computer Science

Table of Contents

Frontmatter

Electronic Commerce

Experimenting with Electronic Commerce on the PalmPilot
Abstract
This paper describes our experience with implementing an electronic payment system for the PalmPilot. Although Palm OS lacks support for many desired security features, we are able to build a system suitable for small payments. We discuss the advantages and disadvantages of using a PDA to make secure payments as opposed to using a smartcard or a desktop PC. In addition, we describe the engineering of PDA-PayWord, our implementation of a commerce protocol that takes advantage of both elliptic curve and RSA public key cryptography to support payments efficiently on PDAs with limited processing capability.
Neil Daswani, Dan Boneh
Blinding of Credit Card Numbers in the SET Protocol
Abstract
We present and analyze the cryptographic techniques used in the SET protocol to implement the blinding of credit card numbers in SET certificates. This blinding is essential to protect credit card numbers from eavesdroppers in the network, and even from some merchants, as required by SET. Without these measures, bulk credit card information could be easily collected, thus significantly increasing the risk and amount of credit card fraud.
We first present the security requirements from this blinding operation, which include aspects of secrecy and fraud protection, then show a solution to the problem (implemented in SET) and analyze its security based on well-defined cryptographic assumptions. Interestingly, we show that the requirements for blinding in SET are equivalent to the requirements of non-interactive commitment schemes in cryptography. Thus, our solution for SET represents an efficient implementation of a commitment function and as such may be suitable for use in other practical contexts as well.
Hugo Krawczyk

Anonymity Control

Trustee Tokens: Simple and Practical Anonymous Digital Coin Tracing
Abstract
We introduce a trustee-based tracing mechanism for anonymous digital cash that is simple, efficient, and provably secure relative to its underlying cryptographic primitives. In contrast to previous schemes, ours may be built on top of a real-world anonymous cash system, such as the DigiCash™ system, with minimal modification to the underlying protocols. In addition, our scheme involves no change to the structure of the coins. On the other hand, our scheme requires user interaction with a trustee, while many other such systems do not. This interaction occurs infrequently, however, and is efficient both in terms of computation and storage requirements. Our scheme also achieves more limited security guarantees in the presence of malicious trustees than many other systems do. While this is a disadvantage, it represents a tradeoff enabling us to achieve the high level of practicality of our system.
Ari Juels
Flow Control: A New Approach for Anonymity Control in Electronic Cash Systems
Abstract
Anonymity features of electronic payment systems are important for protecting privacy in an electronic world. However, complete anonymity prevents monitoring financial transactions and following the money trail, which are important tools for fighting serious crimes. To solve these types of problems, several “escrowed cash” systems, which allow a “Trustee” to trace electronic money, were suggested. In this paper we suggest a completely different approach to anonymity control based on the fact that law enforcement is mainly concerned with large anonymous electronic payments. We describe a payment system that effectively limits the amount of money a user can spend anonymously in a given time frame. To achieve this we describe a technique to make electronic money strongly non-transferable. Our payment system protects the privacy of the honest user who plays by the rules, while introducing significant hurdles for several criminal abuses of the system.
Tomas Sander, Amnon Ta-Shma

Fraud Management

Risk Management for E-Cash Systems with Partial Real-Time Audit
Abstract
We analyze “coin-wallet” and “balance-wallet” under partial real-time audit, and compute upper bounds on theft due to the fact that not all the transactions are audited in real time, assuming that everything else is perfect. In particular, we assume that the audit regime holds for innocent players. Let \( v \) be the maximum allowed balance in a wallet, and \( 0 \le \mu \le 1 \) be the fraction of transactions that are audited in real time in an audit round that includes overall \( n \) transactions. Assume one unit transactions. We show that for \( \mu \ll 1 \) the upper bound on expected theft for coin-wallet is \( \frac{v}{e^{\mu^2 v} - 1} \) (which if \( v \ll \mu^{-2} \) becomes \( (e^{\mu^2} - 1)^{-1} \)), while for plausible parameter choice the bound for a balance-wallet is \( O(\exp(v^2/n)) \). This last bound can become huge in some cases, implying that partial audit, while suitable for coin-wallets with low denomination coins, may be too risky for balance-wallet. Some implications to the design of anonymous and non-anonymous systems are discussed.
Yacov Yacobi
Assessment of Effectiveness of Counterfeit Transaction Detection Systems for Smart Card Based Electronic Cash
Abstract
In this paper, we discuss a process to evaluate the effectiveness of counterfeit detection systems for an electronic cash scheme which is not fully accounted (i.e., off-line, peer-to-peer transactions are allowed, and there is no shadow accounting for each purse). The process includes the use of a micro dynamic simulator to simulate various counterfeit scenarios (in addition to testing on the actual non-counterfeit transaction data sets from the real deployment) and to generate transaction data sets for training and testing the counterfeit detection systems. A case study of preliminary test results related to the effectiveness of the detection systems in a simulated counterfeit scenario is also provided.
Kazuo J. Ezawa, Gregory Napiorkowski, Mariusz Kossarski

Public-Key Certificates

Reasoning about Public-Key Certification: On Bindings between Entities and Public Keys
Abstract
Public-key certification is of crucial importance for advancing the global information infrastructure, yet it suffers from certain ambiguities and lack of understanding and precision. This paper suggests a few steps towards basing public-key certification and public-key infrastructures on firmer theoretical grounds. In particular, we investigate the notion of binding a public key to an entity.
We propose a calculus for deriving conclusions from a given entity Alice’s (for instance a judge’s) view consisting of evidence and inference rules valid in Alice’s world. The evidence consists of statements made by public keys (e.g., certificates, authorizations, or recommendations), statements made physically towards Alice by other entities, and trust assumptions. Conclusions are about who says a statement, who owns or is committed to a public key, and who transfers a right or authorization to another entity, and are derived by applying the inference rules.
Reto Kohlas, Ueli Maurer
Online Certificate Status Checking in Financial Transactions: The Case for Re-issuance
Abstract
High-value financial transactions underwrite the need for a relying party to check the status of a digital certificate in real time. In this paper, we propose a simple mechanism for online certificate status checking that is particularly well suited to the closed public key infrastructures that characterize financial networks. We further demonstrate how persistent evidence of this status checking request/response becomes a valuable by-product. In financial systems, “transaction receipts” naturally accumulate and by doing so, they encapsulate the entire lifecycle of a single transaction.
Barbara Fox, Brian LaMacchia

Steganography

Playing ‘Hide and Seek’ with Stored Keys
Abstract
In this paper we consider the problem of efficiently locating cryptographic keys hidden in gigabytes of data, such as the complete file system of a typical PC. We describe efficient algebraic attacks which can locate secret RSA keys in long bit strings, and more general statistical attacks which can find arbitrary cryptographic keys embedded in large programs. These techniques can be used to apply “lunchtime attacks” on signature keys used by financial institutes, or to defeat “authenticode” type mechanisms in software packages.
Adi Shamir, Nicko van Someren
On Channel Capacity and Modulation of Watermarks in Digital Still Images
Abstract
An adversary who knows a watermarking scheme can extract the watermarked coefficients and attack them directly. This situation can be understood in a similar way to jamming as known from military communications, and system performance can be described in terms of channel capacity and distortion. Using a gradient method, the attack is optimized from the adversary’s viewpoint by minimizing channel capacity. It turns out that then, for the same level of distortion and equiprobable modulation symbols, binary modulation can achieve a higher channel capacity than modulation alphabets of larger size.
Markus Breitbach, Hideki Imai

Content Distribution

Towards Making Broadcast Encryption Practical
Abstract
The problem we address is how to communicate securely with a set of users (the target set) over an insecure broadcast channel. In order to solve this problem, several broadcast encryption schemes have been proposed. In these systems, the parameters of major concern are the length of transmission and number of keys held by each user’s set top terminal (STT). Due to the need to withstand hardware tampering, the amount of secure memory available in the STTs is quite small, severely limiting the number of keys each user holds. In such cases, known theoretical bounds seem to indicate that non-trivial broadcast encryption schemes are only feasible when the number of users is small.
In order to break away from these theoretical bounds, our approach is to allow a controlled number of users outside the target set to occasionally receive the multicast. This relaxation is appropriate for low-cost transmissions such as multicasting electronic coupons. For this purpose, we introduce ƒ-redundant establishment key allocations, which guarantee that the total number of recipients is no more than ƒ times the number of intended recipients. We measure the performance of such schemes by the number of transmissions they require, by their redundancy, and by their opportunity, which is the probability of a user outside the target set to be part of the multicast. We first prove a new lower bound and discuss the basic trade-offs associated with this new setting. Then we present several new ƒ-redundant establishment key allocations. We evaluate the schemes’ performance under all the relevant measures by extensive simulation. Our results indicate that, unlike previous solutions, it seems possible to design practical schemes in this new setting.
Michel Abdalla, Yuval Shavitt, Avishai Wool
Conditional Access Concepts and Principles
Abstract
This paper describes concepts and principles for infrastructures that manage chargeable content, more commonly known as conditional access (CA) systems. We present a functional overview of CA systems and the security components and design principles that enable the solutions. We then present concepts that may be used to quantify the risk associated with the delivery of particular valued content in a particular way. Finally, we describe how the threat model changes as the networking bandwidth available to pirates and their customers increases, and propose a possible long-term solution.
David W. Kravitz, David M. Goldschlag
Fair Use, Intellectual Property, and the Information Economy
(Panel Session Summary)
Abstract
Because the growing use of cryptography and other security technology by the entertainment industry is an important fact of life in our field, the Financial Crypto ’99 Program Committee decided to hold a one-hour panel discussion on Fair Use, Intellectual Property, and the Information Economy. Roughly the first half of the session was devoted to the moderator's introduction and five-minute talks by each of the panelists. Approximately 10 days before the conference, the moderator distributed her list of questions (Section 2 below) to the panelists and told them to prepare to speak for five minutes on one of them or on a similar question about the interplay of technological and non-technological aspects of Intellectual Property (IP) management. The rest of the session consisted of a lively audience-driven discussion.
Jon Callas, Joan Feigenbaum, David Goldschlag, Erin Sawyer

Anonymity Mechanisms

Anonymous Authentication of Membership in Dynamic Groups
Abstract
We present a series of protocols for authenticating an individual’s membership in a group without revealing that individual’s identity and without restricting how the membership of the group may be changed. In systems using these protocols a single message to the authenticator may be used by an individual to replace her lost key or by a trusted third party to add and remove members of the group. Applications in electronic commerce and communication can thus use these protocols to provide anonymous authentication while accommodating frequent changes in membership. We build these protocols on top of a new primitive: the verifiably common secret encoding. We show a construction for this primitive, the security of which is based on the existence of public-key cryptosystems capable of securely encoding multiple messages containing the same plaintext. Because the size of our construct grows linearly with the number of members in the group, we describe techniques for partitioning groups to improve performance.
Stuart Schechter, Todd Parnell, Alexander Hartemink
Some Open Issues and New Directions in Group Signatures
Abstract
Group signatures allow any member of a potentially large group to sign on behalf of the group. Group signatures are anonymous and unlinkable for everyone with the exception of a designated group manager who can correlate signatures and reveal the identity of the actual signer. At the same time, no one (including a group manager) can misattribute a valid group signature. Group signatures are claimed to have many practical applications in e-commerce as well as in military and legal fields.
Despite some interesting and eclectic results, group signatures remain confined to academic literature. The focus of this paper is two-fold. First, it discusses certain issues that stand in the way of practical applications of group signatures and uses the example of one recent group signature scheme to illustrate certain problems. Second, this paper (informally) introduces some practical security services that can be constructed using any group signature scheme. Sample realizations of these services are provided.
Giuseppe Ateniese, Gene Tsudik

Auctions and Markets

Anonymous Investing: Hiding the Identities of Stockholders
Abstract
This paper introduces the concept of an eshare, or digital stockholder certificate, which allows investors in companies to buy and trade shares without revealing their identity or the size of their investment. In addition, the eshare protocols presented allow for publicly verifiable elections to be held with each share assigned one vote. Dividend payments to investors are also supported, again without revealing shareholder identities, even if a government taxation agency requires verifiable documentation of shareholder earnings. The protocols presented are based on certified anonymous public keys with trustee-revocable anonymity, which may be of independent interest.
Philip MacKenzie, Jeffrey Sorensen
Fair On-Line Auctions without Special Trusted Parties
Abstract
Traditional face-to-face (English) auctions rely on the auctioneer to fairly interact with bidders to accept the highest bid on behalf of the seller. On-line auctions also require fair negotiation. However, unlike face-to-face auctions, on-line auctions are inherently subject to attacks because the bidders and auctioneer are not copresent. These attacks include selectively blocking bids based on the bidder and amount and selectively closing the auction after a particular bid is received.
In this paper, we present an on-line English auction in which bids are processed fairly and the auction closes fairly without specialized trusted parties. In particular, there is no need to trust the auctioneer to obtain a fair outcome to the auction.
Stuart Gerhard Stubblebine, Paul F. Syverson

Auctions and Markets

Cryptosystems Robust against “Dynamic Faults” Meet Enterprise Needs for Organizational “Change Control”
Abstract
Business organizations are dynamic, thus they must have sufficient flexibility in expectation of future structural changes (change in personnel, policies, internal reorganizations, external restructuring, etc.). This issue is becoming increasingly important in recent years since nowadays firms operate in a more dynamic and flexible business environment. As automation progresses, it is expected that cryptography will become a major control tool in organizations. Here we discuss what cryptography can provide to enable and manage this business environment of mutating organizations. The main thesis we put forth is the following: “Cryptographic designs traditionally concerned with mechanistic fault tolerance, in which faults are dynamic, can, in turn, be the base for a ‘flexible design for control functions’ in today’s business environment.”
We show how combining various key management techniques which are robust against “dynamic faults” with proper semantically rich “enterprise view management techniques” provides a flexible enterprise cryptographic control. Such control can anticipate dynamic changes of the business entity. We demonstrate how to manage group entities which are either visible externally (using modified certification technology) as well as entities whose internal workings are hidden (using certification technology and proactive protocol technology when extended to withstand failing and rejoining elements).
Yair Frankel, Moti Yung
Improved Magic Ink Signatures Using Hints
Abstract
We introduce two improvements to the recently proposed so-called magic ink DSS signatures. A first improvement is that we reduce the overhead for tracing without noticeably increasing any other cost. The tracing cost is linear in the number of generated signatures in the original proposal; our improved version reduces this to a logarithmic cost in the common case. A second improvement is that we introduce a method for determining whether forged currency is in circulation, without affecting the privacy of honest users.
Our improvements rely on our introducing a so-called hint value. This is an encryption of the signature transcript received, submitted by the signature receiver. Part of the processing of this hint value is done using a new technique in which the high costs of secret sharing and robust computation on shared data are avoided by manipulation of encrypted data rather than plaintext. (Whereas the idea of computing on encrypted data is not a new notion in itself, it has to the best of our knowledge not previously been employed to limit the use of costly secret sharing based protocols.)
Markus Jakobsson, Joy Müller
Backmatter
Metadata
Title
Financial Cryptography
Edited by
Matthew Franklin
Copyright year
1999
Publisher
Springer Berlin Heidelberg
Electronic ISBN
978-3-540-48390-8
Print ISBN
978-3-540-66362-1
DOI
https://doi.org/10.1007/3-540-48390-X