Yiannis Tsiounis

On the Security of ElGamal Based Encryption

The ElGamal encryption scheme has been proposed several years ago and is one of the few probabilistic encryption schemes. However, its security has never been concretely proven based on clearly understood and accepted primitives. Here we show directly that the decision Diffie-Hellman assumption implies the security of the original ElGamal encryption scheme (with messages from a subgroup) without modification. In addition, we show that the opposite direction holds, i.e., the semantic security of the ElGamal encryption is actually equivalent to the decision Diffie-Hellman problem. We also present an exact analysis of the efficiency of the reduction.

Easy come — Easy go divisible cash

Recently, there has been an interest in making electronic cash protocols more practical for electronic commerce by developing e-cash which is divisible (e.g., a coin which can be spent incrementally but total purchases are limited to the monetary value of the coin). In Crypto`95, T. Okamoto presented the first practical divisible, untraceable, off-line e-cash scheme, which requires only O(log N) computations for each of the withdrawal, payment and deposit procedures, where N = (total coin value)/(smallest divisible unit). However, Okamoto`s set-up procedure is quite inefficient (on the order of 4,000 multi-exponentiations and depending on the size of the RSA modulus). The authors formalize the notion of range-bounded commitment, originally used in Okamoto`s account establishment protocol, and present a very efficient instantiation which allows one to construct the first truly efficient divisible e-cash system. The scheme only requires the equivalent of one (1) exponentiation for set-up, less than 2 exponentiations for withdrawal and around 20 for payment, while the size of the coin remains about 300 Bytes. Hence, the withdrawal protocol is 3 orders of magnitude faster than Okamoto`s, while the rest of the system remains equally efficient, allowing for implementation in smart-cards. Similar to Okamoto`s, the scheme is based on proofs whose cryptographic security assumptions are theoretically clarified.

Indirect Discourse Proof: Achieving Efficient Fair Off-Line E-cash

Cryptography has been instrumental in reducing the involvement of over-head third parties in protocols. For example; a digital signature scheme assures a recipient that a judge who is not present at message transmission will nevertheless approve the validity of the signature. Similarly, in off-line electronic cash the bank (which is off-line during a purchase) is assured that if a user double spends he will be traced.

Anonymity Control in E-Cash Systems

Electronic cash, and other cryptographic payment systems, offer a level of user anonymity during a purchase, in order to emulate electronically the properties of physical cash exchange. However, it has been noted that there are crime-prevention situations where anonymity of notes is undesirable; in addition there may be regulatory and legal constraints limiting anonymous transfer of funds. Thus pure anonymity of users may be, in certain settings, unacceptable and thus a hurdle to the progress of electronic commerce.

Fair Off-Line e-cash Made Easy

Anonymous off-line electronic cash (e-cash) systems provide transactions that retain the anonymity of the payer, similar to physical cash exchanges, without requiring the issuing bank to be on-line at payment. Fair off-line e-cash extend this capability to allow a qualified third party (a trustee) to revoke this anonymity under a warrant or other specified suspicious activity. Extensions for achieving fair off-line e-cash based on off-line e-cash require modularity to be applicable in general settings. Simplicity (for ease of understanding and implementation) and efficiency (for cost effectiveness) are of high importance, otherwise these generic extensions will be hard and costly to apply. Of course, security must also be guaranteed and understood, yet, to date, there have been no efficient systems that offer provable security. n nA system which is (1) provably secure based on well understood assumptions, (2) efficient and (3) conceptually easy, is typically elegant. In this work we make a step towards elegant fair off-line e-cash system by proposing a system which is provably anonymous (i.e., secure for legitimate users) while its design is simple and its efficiency is similar to the most efficient systems to date. Security for the bank and shops is unchanged from the security of non-traceable e-cash. We also present ways to adapt the functionality of fairness into existing e-cash systems in a modular way, thus easing advancement and maintaining version compatibility; these extensions are also provably anonymous.

Mis-representation of Identities in E-cash Schemes and how to Prevent it

In Crypto 93, S. Brands presented a very efficient off-line electronic cash scheme based on the representation problem in groups of prime order. In Crypto 95 a very efficient off-line divisible e-cash scheme based on factoring Williams integers was presented by T. Okamoto. We demonstrate one efficient attack on Okamotos scheme and two on Brands scheme which allow users to mis-represent their identities and double-spend in an undetectable manner, hence defeating the most essential security aspect of the schemes. The attack on Brands scheme (which we suspect, given his previous related results, was an inadvertent omission) is also applicable to T. Eng and T. Okamotos divisible e-cash scheme (presented in Eurocrypt 94) which uses Brands protocols as a building block.

Electronic Payments: Where Do We Go from Here?

Currently, the Internet and the World Wide Web on-line business is booming, with traffic, advertising and content growing at sustained exponential rates. However, the full potential of on-line commerce has not been possible to realize due to the lack of convenient and secure electronic payment methods (e.g., for buying e-goods and paying with e-money). Although it became clear very early that it is vital for payments to be safe and efficient, and to avoid requiring complicated user intervention, it is still the case that the Internet payment method of choice today is that of traditional credit cards. Despite their widespread use and market penetration, these have a number of significant limitations and shortcomings, including lack of security, lack of anonymity, inability to reach all audiences due to credit requirements, large overhead with respect to payments, and the related inefficiency in processing small payment amounts. n nThese limitations (some of which are present in the real world) prompted the design of alternative electronic payment systems very early in the Internet age - even before the conception of the World Wide Web. Such designs promised the security, anonymity, efficiency, and universal appeal of cash transactions, but in an electronic form. Some early schemes, such as the one proposed by First Virtual, were built around the credit card structure; others, such as the scheme developed by DigiCash, offered a solution with cryptographic security and payer anonymity. Still others, such as Millicent, introduced micropayment solutions. However, none of these systems managed to proliferate in the marketplace, and most have either ceased to exist or have only reached a limited audience. n nThis paper is associated with a panel discussion whose purpose is to address the reasons why the international e-commerce market has rejected proposed solutions, and to suggest new ways for electronic payments to be used over the Internet, avoiding the problems inherent in credit card transactions. The purpose of this paper is to set the stage for such a discussion by presenting, in brief, some of the payment schemes currently available and to discuss some of the basic problems in the area.

Decision Oracles are Equivalent to Matching Oracles

One of the key directions in complexity theory which has also filtered through to cryptographic research, is the effort to classify related but seemingly distinct notions. Separation or reduction arguments are the basic means for this classification. n nContinuing this direction we identify a class of problems, called matching problems, which are related to the class of decision problems. In many cases, these classes are neither trivially equivalent nor distinct. Briefly, a decision problem consists of one instance and a supposedly related image of this instance; the problem is to decide whether the instance and the image indeed satisfy the given predicate. In a matching problem two such pairs of instances-images are given, and the problem is to match or distinguish which image corresponds to which instance. Clearly the decision problem is more difficult, since given a decision oracle one can simply test each of the two images to be matched against an instance and solve the matching problem. Here we show that the opposite direction also holds, presuming that randomization of the input is possible, and that the matching oracle is successful in all but a negligible part of its input set. n nWe first apply our techniques to show equivalence between the matching Diffie-Hellman and the decision Diffie-Hellman problems which were both applied recently quite extensively. This is a constructive step towards examining the strength of the Diffie-Hellman related problems. Then we show that in cryptosystems which can be uniformly randomized, non-semantic security implies that there is an oracle that decides whether a given plaintext corresponds to a given ciphertext. In the process we provide a new characteristic of encryption functions, which we call universal malleability.

Efficient key distribution for slow computing devices: achieving fast over the air activation for wireless systems

Any system which contains some form of cryptographic authentication, confidentiality and/or identification requires the provisioning of a secure key generation and distribution capability. The key distribution mechanism for wireless cellular systems, such as IS-95 CDMA, IS-136 TDMA and IS-91 Analog, has recently been investigated by the Telephone Industry Associations standards working groups. There are several requirements that a cellular key provisioning system must satisfy; however, the current approaches for such generation and distribution are in general inadequate. As with any commercial application, the system must satisfy cost (e.g., efficiency by all parties, minimal specialized equipment, etc.), convenience and most of all security requirements. The cellular system requirements, however, are much more constraining than most environments since the customers cellular phones have minimal computational capabilities and the authenticated setup protocol is generally performed with the user and carrier never meeting face to face. Moreover, the cellular phone companies are also insisting, for business competition needs, that the key distribution and generation mechanism is as convenient and transparent to the user (customer) as possible. We propose a cryptographically secure approach for such generation and distribution which will satisfy the phone industries needs as well as the needs of other applications using slow devices.

Exact Analysis of Exact Change: The k -Payment Problem

We introduce the k-payment problem: given a total budget of N units, the problem is to represent this budget as a set of coins, so that any k exact payments of total value at most N can be made using k disjoint subsets of the coins. The goal is to minimize the number of coins for any given N and k, while allowing the actual payments to be made on-line, namely without the need to know all payment requests in advance. The problem is motivated by the electronic cash model, where each coin is a long bit sequence, and typical electronic wallets have only limited storage capacity. The k-payment problem has additional applications in other resource-sharing scenarios. nOur results include a complete characterization of the k-payment problem as follows. First, we prove a necessary and sufficient condition for a given set of coins to solve the problem. Using this characterization, we prove that the number of coins in any solution to the k-payment problem is at least k HN/k, where Hn denotes the nth element in the harmonic series. This condition can also be used to efficiently determine k (the maximal number of exact payments) which a given set of coins allows in the worst case. Secondly, we give an algorithm which produces, for any N and k, a solution with a minimal number of coins. In the case that all denominations are available, the algorithm finds a coin allocation with at most (k+1)HN/(k+1) coins. (Both upper and lower bounds are the best possible.) Finally, we show how to generalize the algorithm to the case where some of the denominations are not available.