Publication


Featured research published by Torben Pryds Pedersen.


international cryptology conference | 1992

Wallet Databases with Observers

David Chaum; Torben Pryds Pedersen

Previously there have been essentially only two models for computers that people can use to handle ordinary consumer transactions: (1) the tamper-proof module, such as a smart card, that the person cannot modify or probe; and (2) the personal workstation whose inner working is totally under control of the individual. The first part of this article argues that a particular combination of these two kinds of mechanism can overcome the limitations of each alone, providing both security and correctness for organizations as well as privacy and even anonymity for individuals. Then it is shown how this combined device, called a wallet, can carry a database containing personal information. The construction presented ensures that no single part of the device (i.e. neither the tamper-proof part nor the workstation) can learn the contents of the database -- this information can only be recovered by the two parts together.


theory and application of cryptographic techniques | 1991

A threshold cryptosystem without a trusted party

Torben Pryds Pedersen

In a threshold cryptosystem n members share the secret key of an organization such that k members (1 ≤ k ≤ n) must cooperate in order to decipher a given ciphertext. In this note it is shown how to implement such a scheme without having a trusted party, which selects the secret key and distributes it to the members. Instead, the members choose the secret key and distribute it verifiably among themselves. Subsequently, this key can be used for authentication as well as secret communication.


theory and application of cryptographic techniques | 1991

Distributed provers with applications to undeniable signatures

Torben Pryds Pedersen

This paper introduces distributed prover protocols. Such a protocol is a proof system in which a polynomially bounded prover is replaced by many provers each having partial information about the witness owned by the original prover. As an application of this concept, it is shown how the signer of undeniable signatures can distribute part of his secret key to n agents such that any k of these can verify a signature. This facility is useful in most applications of undeniable signatures, and as the proposed protocols are practical, the results in this paper make undeniable signatures more useful. The first part of the paper describes a method for verifiable secret sharing, which allows non-interactive verification of the shares and is as secure as the Shamir secret sharing scheme in the proposed applications.


theory and application of cryptographic techniques | 1994

New group signature schemes

Lidong Chen; Torben Pryds Pedersen

Group signatures, introduced by Chaum and van Heijst, allow individual members of a group to sign messages on behalf of the group. The identity of the signer is kept secret except that a group authority can identify the signer if needed. This note presents a new group signature scheme, which hides the identity of the signer unconditionally and (unlike previous similar suggestions) allows new members to join the group. Simplifying this scheme a somewhat more efficient scheme giving computational anonymity is obtained. The group authority identifies the signer using a general method. This method can also be used to simplify three of the schemes suggested by Chaum and van Heijst. Finally, the schemes suggested here can be used to solve an open problem posed by Chaum and van Heijst.


international cryptology conference | 1990

Convertible Undeniable Signatures

Joan Boyar; David Chaum; Ivan Damgård; Torben Pryds Pedersen

We introduce a new concept called convertible undeniable signature schemes. In these schemes, release of a single bit string by the signer turns all of his signatures, which were originally undeniable signatures, into ordinary digital signatures. We prove that the existence of such schemes is implied by the existence of digital signature schemes. Then, looking at the problem more practically, we present a very efficient convertible undeniable signature scheme. This scheme has the added benefit that signatures can also be selectively converted.


theory and application of cryptographic techniques | 1992

Transferred cash grows in size

David Chaum; Torben Pryds Pedersen

All known methods for transferring electronic money have the disadvantages that the number of bits needed to represent the money after each payment increases, and that a payer can recognize his money if he sees it later in the chain of payments (forward traceability). This paper shows that it is impossible to construct an electronic money system providing transferability without the property that the money grows when transferred. Furthermore it is argued that an unlimited powerful user can always recognize his money later. Finally, the lower bounds on the size of transferred electronic money are discussed in terms of secret sharing schemes.


international cryptology conference | 1994

On the existence of statistically hiding bit commitment schemes and fail-stop signatures

Ivan Damgård; Torben Pryds Pedersen; Birgit Pfitzmann

We show that the existence of a statistically hiding bit commitment scheme with non-interactive opening and public verification implies the existence of fail-stop signatures. Therefore such signatures can now be based on any one-way permutation - the weakest assumption known to be sufficient for fail-stop signatures. We also show that genuinely practical fail-stop signatures follow from the existence of any collision-intractable hash function. A similar idea is used to improve a commitment scheme of Naor and Yung, so that one can commit to several bits with amortized O(1) bits of communication per bit committed to. Conversely, we show that any fail-stop signature scheme with a property we call the almost unique secret key property can be transformed into a statistically hiding bit commitment scheme. All previously known fail-stop signature schemes have this property. We even obtain an equivalence since we can modify the construction of fail-stop signatures from bit commitments such that it has this property.


european symposium on research in computer security | 1994

The ESPRIT Project CAFE - High Security Digital Payment Systems

Jean-Paul Boly; Antoon Bosselaers; Ronald Cramer; Rolf Michelsen; Stig Fr. Mjølsnes; Frank Müller; Torben Pryds Pedersen; Birgit Pfitzmann; Peter de Rooij; Berry Schoenmakers; Matthias Schunter; Luc Vallée; Michael Waidner

CAFE (“Conditional Access for Europe”) is an ongoing project in the European Community's ESPRIT program. The goal of CAFE is to develop innovative systems for conditional access, and in particular, digital payment systems. An important aspect of CAFE is high security of all parties concerned, with the least possible requirements that they are forced to trust other parties (so-called multi-party security). This should give legal certainty to everybody at all times. Moreover, both the electronic money issuer and the individual users are less dependent on the tamper-resistance of devices than in usual digital payment systems. Since CAFE aims at the market of small everyday payments that is currently dominated by cash, payments are offline, and privacy is an important issue.


theory and application of cryptographic techniques | 1994

Improved privacy in wallets with observers

R. J. F. Cramer; Torben Pryds Pedersen

Wallets with observers were suggested by David Chaum and have previously been described in [Ch92] and [CP92]. These papers argue that a particular combination of a tamper-resistant unit and a small computer controlled by the user is very suitable as a personal device in consumer transaction systems. Using such devices, protocols are constructed that, simultaneously, achieve high levels of security for organizations and anonymity for individual users. The protocols from [CP92] offer anonymity to users, under the assumption that the information stored by observers is never revealed to the outside world. This paper extends [CP92] by defining additional requirements for the protocols which make it impossible to trace the behaviour of individuals in the system if one is also allowed to analyse a posteriori the information observers can collect. We propose two protocols satisfying our requirements, thus achieving a higher degree of privacy for individuals. This extra level of privacy is obtained at essentially no cost as the new protocols have the same complexity as those previously proposed.


SIAM Journal on Computing | 1997

Fail-Stop Signatures

Torben Pryds Pedersen; Birgit Pfitzmann

Fail-stop signatures can briefly be characterized as digital signatures that allow the signer to prove that a given forged signature is indeed a forgery. After such a proof has been published, the system can be stopped. This type of security is strictly stronger than that achievable with ordinary digital signatures as introduced by Diffie and Hellman in 1976 and formally defined by Goldwasser, Micali, and Rivest in 1988, which was widely regarded as the strongest possible definition. This paper formally defines fail-stop signatures and shows their relation to ordinary digital signatures. A general construction and actual schemes derived from it follow. They are efficient enough to be used in practice. Next, we prove lower bounds on the efficiency of any fail-stop signature scheme. In particular, we show that the number of secret random bits needed by the signer, the only parameter where the complexity of all our constructions deviates from ordinary digital signatures by more than a small constant factor, cannot be reduced significantly.

Collaboration


Dive into Torben Pryds Pedersen's collaboration.

Top Co-Authors

Antoon Bosselaers

Katholieke Universiteit Leuven
