From msuinfo!agate!howland.reston.ans.net!EU.net!sun4nl!cwi.nl!brands Sat Mar 19 00:17:15 1994 Newsgroups: sci.crypt Path: msuinfo!agate!howland.reston.ans.net!EU.net!sun4nl!cwi.nl!brands From: brands@cwi.nl (Stefan Brands) Subject: *AVAILABLE: HIGHLY EFFICIENT ELECTRONIC CASH SYSTEMS* Message-ID: Sender: news@cwi.nl (The Daily Dross) Nntp-Posting-Host: aasgier.cwi.nl Organization: CWI, Amsterdam Date: Thu, 17 Mar 1994 20:44:24 GMT Lines: 188 Subject: ------- seeking interested parties for implementing, and sharing the rights to, my technologies for privacy-protected electronic transfer of certified information. **** I am a PhD student at the Cryptography Department at the Center for Mathematics and Computer Science (CWI) in Amsterdam. In the past two years, I have developed a compact set of new techniques that enable the construction of highly efficient and secure electronic systems for off-line transfer of certified information, such that privacy is fully guaranteed. The resulting systems offers a great many advantages over any other privacy-protected systems you will find. In particular, using a subset of these techniques I have contructed off-line electronic cash systems in which the privacy of the account holders is fully guaranteed. An independent authority in the field of cryptology has recently confirmed that these systems seem to be the most practical such systems to date. I am posting this letter because I am very interested in pursuing the implementation of my systems *jointly*, in a fair business relationship, with a company capable of and interested in standardizing these systems. My technologies / ystenms are ideally suitable for smart cards, hand held computers, interactive TV, etcetera. All the rights to the technology have been transferred to me by CWI, and so part of such a cooperation would be *joint ownership of all rights*. The reason for posting this letter in a news group is that I see *no* other way to get in touch with interested parties. Before I go deeper into this, I would like to give you some more information about my technologies, and explain their many features. If you are not interested, but think you can help me by suggesting names etc.\, I would appreciate your suggestions. Privacy-protected transfer of electronic information. ----------------------------------------------------- Much work has been done to construct privacy-protected off-line cash systems previously, notably by David Chaum (formerly affiliated with CWI). This early work has resulted in two key concepts that can be used to attain the same level of security against double-spending as can trivially be attained in off-line cash systems with full traceability of payments. However, the many practical *realizations* of these concepts that have been proposed are far from satisfactory with respect to efficiency, provability of security (relative to certain well-known problems that are widely believed to be intractable), and extensibility in functionality. The new techniques I developed for my PhD thesis overcome *all* of these problems. They enable the construction of privacy-protected off-line cash systems that are almost as efficient as off-line cash systems that do *not* offer privacy. Succesful attacks against such a system provably imply that one can break a certain well-known signature scheme that is widely believed to be secure (such as the Schnorr scheme, the Guillou/Quisquater scheme, the schemes presented by Okamoto at CRYPTO 92, the Fiat/Shamir scheme etc.). The techniques in fact allow the construction of a highly efficient off-line cash system whose security (and that of all the extensions in functionality!) is based on the security of any one signature scheme of the so-called Fiat/Shamir type. Among the extensions in functionality are: prior restraint of double-spending, electronic cheques, protection against framing, currency exchange, anonymous accounts, and multi-spendable coins. All these extensions can be realized very easily without any need for additional data stuctures or basic algorithms (that is, *no* ad hoc constructions). In particular, prior restraint of double-spending can be achieved by using a tamper-resistant computing device that is capable of merely performing a signature scheme of the Fiat/Shamir type (of one's own choice), such as the Schnorr signature scheme. A highly preliminary report about a small subset of these techniques, based on the Discrete Logarithm problem, has been published by me about a year ago as a technical report at CWI. (A PostScript version of this report can be retrieved by ftp from ftp.cwi.nl, as pub/brands/CS-R9323.ps.). In August 1993 I presented these preliminary results at the CRYPTO 1993 conference in Santa Barbara. The final version of this abstract can also be retrieved by ftp from ftp.cwi.nl, as pub/brands/crypto93.ps. It's succesful acceptance can be measured by the fact that the results in the report are currently being used as the basis for a cash system by the European CAFE project, a project with 13 European partners from industry and science. I understand that some other implementations based on my report are under way as well. New developments. ----------------- In the mean time, however, I have significantly improved and *greatly* extended the techniques described in the preliminary report. Furthermore, I came up with a fully RSA-based variant that offers various advantages over the Discrete Log based variant. Contrary to the description in the preliminary report, the improved techniques allow the construction of withdrawal protocols for which it can rigorously be proven that the aforementioned attack to the withdrawal protocol is as hard as breaking a well-known signature scheme, and the efficiency of the system increases by a factor of two (a factor not to be neglected, especially not in case such a system is implemented using smart card technology!). As an interesting side note, the improved techniques do *not* use the blind signature technique as developed and patented by David Chaum. The full set of techniques can be used to construct highly efficient privacy-protected off-line mechanisms for transferring certified information, the security of which again can be *proven* assuming only the security of a certain well-known signature scheme of the Fiat/Shamir type of one's own choice. The off-line cash systems are in fact just one very particular instance of the general applicability of the complete set of techniques; it is a system in which credentials that may be shown only once can be transferred between any ``organizations'' while privacy is guaranteed. As an example of the usefulness of the new techniques, highly efficient and secure off-line cash systems can be constructed in which payments are made under pseudonym: in order to pay with a coin, an accountholder need do no more than send 35 bytes to an ``organization'' at which he has a pseudonym. For those who want to know in detail about the *many* features of the new techniques, as well as the performance of several preferred embodiments of systems that can be contructed from them, I have prepared a document that can be retrieve by ftp from ftp.cwi.nl, again in the directory pub/brands. There is a PostScript version called features.ps, as well as a plain text version called features.plain. Why am I posting this letter? ----------------------------- As I already mentioned at the start of this letter, I am very interested in pursuing the implementation of my systems *jointly*, in a fair business relationship, with a company capable of and interested in standardizing these systems. I am in the process of finishing my PhD thesis, which deals exclusively with these technologies. If you have read the detailed description of the features in my ``features'' document, then I have no doubt that you will agree with me that these systems offer a *great* many advantages over any other privacy-protected system for off-line transfer of digital information. In general, if you want to implement electronic systems for secure transfer of certified information, whether it be cash or other types of credentials, such that privacy can be guaranteed, then you will find out that this is *the* way to go. I am *not* involved with any project or company whatsoever. In particular, I want like to point out that I am *not* involved in the CAFE project, and I also do *not* have business relations with the company (DigiCash) of David Chaum, although I greatly respect his innovative work on privacy-protected transfer of electronic information. In fact, *all* rights on my technologies have been transferred to me by my employee, CWI. Due to the fact that my research was done independently of any project or company, it is extremely hard for me to get in touch with the appropriate persons at companies that are really interested in this technology *and* that have the capability of implementing it. Since projects and companies that I am not part of obviously do not provide me with such information, I see no better way to bring my technologies under the attention than by publishing this letter on the news net. If you are interested in my technologies, and want to pursue implementation together with me in the *near* future, I invite you to contact me. We can then discuss things further. Part of such a cooperation would be that *sharing* with me the rights to my technologies. My fax number is (31) 30 - 546 468 This is also my telephone number; however, I would prefer if you send fax or e-mail. My e-mail address at CWI is brands@cwi.nl. In case you are interested in having my work reviewed beforehand by some cryptography authority, to make sure I am not talking nonsense, I am happy to send to you a detailed description of my work. I guarantee you that he or she will *not* be able to break it, and will confirm the many statements I make about the benefits of my technologies. In addition, or alternatively, depending on the circumstances, I am happy to come over and explain my technologies in person with you. Alternatively, if you or your company is not interested in my technologies, but you think you can help me with pointers to persons at companies that might be interested in this technology, I would very much appreciate any such suggestions.