Yair Frankel

On enabling secure applications through off-line biometric identification

In developing secure applications and systems, designers must often incorporate secure user identification in the design specification. In this paper, we study secure off-line authenticated user identification schemes based on a biometric system that can measure a users biometrics accurately (up to some Hamming distance). The presented schemes enhance identification and authorization in secure applications by binding a biometric template with authorization information on a token such as a magnetic strip. Also developed are schemes specifically designed to minimize the compromising of a users private biometrics data, encapsulated in the authorization information, without requiring secure hardware tokens. We also study the feasibility of biometrics performing as an enabling technology for secure systems and applications design. We investigate a new technology which allows a users biometrics to facilitate cryptographic mechanisms.

Indirect Discourse Proof: Achieving Efficient Fair Off-Line E-cash

Cryptography has been instrumental in reducing the involvement of over-head third parties in protocols. For example; a digital signature scheme assures a recipient that a judge who is not present at message transmission will nevertheless approve the validity of the signature. Similarly, in off-line electronic cash the bank (which is off-line during a purchase) is assured that if a user double spends he will be traced.

Anonymity Control in E-Cash Systems

Electronic cash, and other cryptographic payment systems, offer a level of user anonymity during a purchase, in order to emulate electronically the properties of physical cash exchange. However, it has been noted that there are crime-prevention situations where anonymity of notes is undesirable; in addition there may be regulatory and legal constraints limiting anonymous transfer of funds. Thus pure anonymity of users may be, in certain settings, unacceptable and thus a hurdle to the progress of electronic commerce.

Security issues in a CDPD wireless network

The authors first discuss the basic cellular digital packet data (CDPD) architecture and its authentication protocols. They then present threats to the network. Next, they investigate the basic requirements of the security architecture and goals in light of attacks. Then they present the improved authentication protocol in operation, and how it deals with faults. Next, they add authenticated key exchange for confidentiality, followed by anonymity provisions. Then, they summarize the design and present the complete protocol, and identify which protocol transmissions goes on which CDPD message. Finally, they present further issues and concerns that are beyond the scope of this protocol. >

Witness-based cryptographic program checking and robust function sharing

We suggest a new methodology for “result checking” that enables us to extend the notion of Blum’s program result checking to the on-line checking of cryptographic functions. In our model, the checker not only needs to be assured of the correctness of the result but the owner of the program needs to be sure not to give away anything but the requested result on the (authorized) input. The existing approaches for program result checking of numerical problems often ask the program a number of extra queries (different from the actual input). In the case of cryptographic functions, this may be in contradiction with the security requirement of the program owner. Additional queries, in fact, may be used to gain unauthorized advantage (for example, imagine the implications of the on-line checking of a decryption device that requires the decryption ofextra ciphertexts). In [Blum88], the notion of a simple checlcer was introduced where, for the purpose of efficiency, extra queries are not allowed. In our model, we do allow extra queries, but only when the response does not carry ‘(knowledge,” (namely computational advantage). We use a new “witnessbased” approach and give constructions that apply to various cryptographic scenarios while making sure that the checker/program interaction releases no extra knowledge. It is based on the fact that with certain homomorphic functions, having a witness which is an initial correct value will enable checking the entire function domain, and the fact that having a random value of a cryptographic function typically does not reduce its security. The notion has various applications. A particularly use* Sandla National Labs Albuquerque, NM 87185; yair@cssandia.gov; This work was performed under U.S. Department of Energy contract number DE-AC04-76AL85000 tSandla National Labs Albuquerque, NM 87185, psgemme@cs.sandla. gov, This work was performed under US Department of Energy contract number DE-AC04-76AL85000

Escrow Encryption Systems Visited: Attacks, Analysis and Designs

IBM T J. Watson Research Center, Yorktown Heights, NY; moti@watson. ibm com STOC’96, Philadelphia PA, USA O-89791 -785-5J9610S MOTI YUNG

Distributed Public Key Cryptosystems

ful application is achieving “efficient robust function sharing”, a method by which the power to apply a cryptographic function (e.g., RSA decryption / signature) is shared among multiple trustees. As long as a quorum of the trustees is not corrupted and is available, we can apply the function on the input parameters while maintaining the security of the function. With robustness we are able to tolerate and identify misbehaving trust ees, both with efficiency and on-line, when computing a function value.

Exact analysis of exact change

The Escrow Encryption Standard and its realization - the Clipper chips - suggest a new type of encryption scheme. We present a few basic and somewhat subtle issues concerning escrow encryption systems. We identify and perform attacks on the actual Clipper and other recent designs (fair cryptosystems, TIS software escrow, etc.). We review requirements and concerns and suggest design approaches to systems with desired properties of key escrow.

Beyond Identity: Warranty-Based Digital Signature Transactions

The cryptographic community has developed many tools to incorporate distributed trust mechanisms into cryptographic primitives and protocols as well as primitives where parties are naturally distributed. Since the fastest growing paradigm in computing is distributed systems and communication networks, the importance of distributed mechanisms has been increasing, and will likely to be pervasive in the future. Here, we review the various distributed mechanisms that have been developed and applied to achieve distributed public key cryptosystem. We focus primarily on the more efficient threshold cryptographic schemes (based on sharing public-key functions) and exemplify (only) some of the issues regarding these systems.

Witness-based cryptographic program checking and applications (an announcement)

We consider the k-payment problem: given a total budget of N units, the problem is to represent this budget as a set of coins, so that any k exact payments of total value at most N can be made using k disjoint subsets of the coins. The goal is to minimize the number of coins for any given N and k, while allowing the actual payments to be made on-line, namely without the need to know all payment requests in advance. The problem is motivated by the electronic cash model, where each coin is a long bit sequence, and typical electronic wallets have only limited storage capacity. The k-payment problem has additional applications in other resource-sharing scenarios. Our results include a complete characterization of the k-payment problem as follows. First, we prove a necessary and sufficient condition for a given set of coins to solve the problem. Using this characterization, we prove that the number of coins in any solution to the k-payment problem is at least kH/sub N/k/, where H/sub n/ denotes the nth element in the harmonic series. This condition can also be used to efficiently determine k (the maximal number of exact payments) which a given set of coins allows in the worst case. Secondly, we give an algorithm which produces, for any N and k, a solution with minimal number of coins. In the case that all denominations are available, the algorithm finds a coin allocation with at most (k+1)H/sub N/(k+1)/ coins (both upper and lower bounds are the best possible). Finally, we show how to generalize the algorithm to the case where some of the denominations are not available.