Financial Cryptography

The?fthFinancialCryptographyconferencewasheldFebruary19–22,2001. Afterhalfadecade,wemovedbeyondourAnguillanoriginstoGrandCayman, BWI. Thevenuechangedbutthefocusoftheprogramremainedtopresentthe bestresearchinsecuringelectronic?nancialtransactionsandelectronicc- merce. Asinthepastfewyears,mostofthecontributedpapersfocusedonthe technicalcryptographicandsecurityaspectsof?nancialcryptography,whilethe ?nancialaspectsarere?ectedprimarilyininvitedtalksandpanels. (Andinthe informaldiscussion. )Thisyear,inadditiontothesubmittedpapers,wehada provocativeinvitedtalkbyRichardRahnonmoneylaunderingaswellaspanels ondigitalrightsmanagementandthebusinessofelectronicvoting. Therewas alsoarumpsession,chairedbyRebeccaWright. Thereweremanyinterestingandmanytechnicallystrongsubmissions. I thanktheprogramcommittee(listedonthenextpage)fortheirhelpinthe di?culttaskofchoosingthosepapersthatmadethestrongestcontributionto theconference.^ WehadadditionalreviewinghelpfromOlivierBaudron,Paul Fahn,JuanGaray,MarkusJakobsson,GuenterKarjoth,PhongNguyen,David Pointcheval,ThomasPornin,SholomRosen,DawnSong,SusanneWetzel,and RebeccaWright. (MyapologiesifIhaveoverlookedanyone. )Iwouldalsoliketo thankGeorgeDavida,theelectronicsubmissionschair,andhisstudent,Dawn MarieGibson,forsettingupandrunningthesubmissionsprocessattheUniv- sityofWisconsin. AnextrabigthankyoutoYairFrankel,whowasalwaysthere withhisexperienceandadvicethatgreatlyimprovedthejobIdidasprogram chair,aswellasmakingitmoreenjoyable. MattFranklinalsoprovidedvaluable advice. Thankstoallthepeoplewhosubmittedpapers,withoutwhichthere wouldbenoprogram. Authorsweregiventheopportunitytorevisetheirpapers followingtheconference. Thesewerecollectedwithoutfurtherreviewandare includedinthisvolume. ThankstogeneralchairStuartHaberfordoingmanythingsthatnoneofthe attendeesnoticedbecausehedidthemsonicely. HewasablyassistedbyHinde tenBerge.^ ThankstoHarrisMcCoyforhandlinglocalarrangementsandJason CronkformaintainingtheWebsite. ThankstotheIFCAdirectorsforkeeping FCthriving,toAdamShostackforvenuearrangements,andtoBarbFox,the sponsorshipchair. Thankstoour?nancialsponsors,whoarelistedonthenext page. SpecialthankstoRayHirschfeldwhoseadvicetomeandtotheothersm- tionedherehasbeeninvaluable. Thanks?nallytoattendeeswithoutwhomthere wouldbenoconference. March2001 PaulSyverson VI Preface ProgramCommittee MattBlaze,AT&TLabs-Research YairFrankel,Ecash MattFranklin,UCDavis DavidKravitz,WaveSystemsCorp. ArjenLenstra,Citicorp PhilipMacKenzie,LucentBellLabs AviRubin,AT&TLabs-Research JacquesStern,EcoleNormaleSup´erieure KazueSako,NEC StuartStubblebine,CertCo PaulSyverson(Chair),NavalResearchLab WinTreese,OpenMarket,Inc.^ DougTygar,UCBerkeley MichaelWaidner,IBMZurichResearchLab MotiYung,CertCo GeneralChair StuartHaber,Intertrust SponsorshipChair BarbFox,Microsoft FinancialCryptography2001wasorganizedbytheInternationalFinancialCr- tographyAssociation(IFCA),andwassponsoredbyBibitInternetPayments, CertCo,Certicom,HushCommunications,IBM,InterTrustSTARLab,- crosoft,nCipher,RSASecurity,andZero-KnowledgeSystems. TableofContents ManagingPaymentTransactionCosts AmortizedE-Cash . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1 MosesLiskov,SilvioMicali O?ineMicropaymentswithoutTrustedHardware. . . . . . . . . . . . . . . . . . . . . . 21 MattBlaze,JohnIoannidis,AngelosD. Keromytis Panel(I) ThePracticalProblemsofImplementingMicroMint. . . . . . . . . . . . . . . . . . . . 41 NickovanSomeren ProtectingDigitalRights . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .^ 51 YairFrankel AspectsofDigitalRightsManagementandtheUseofHardwareSecurity Devices. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 54 DavidW. Kravitz ASolutiontotheNapsterPhenomenon:WhyValueCannotBeCreated AbsenttheTransferofSubjectiveData. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 59 ScottMoskowitz GoldenTimesforDigitalRightsManagement? . . . . . . . . . . . . . . . . . . . . . . . . 64 TomasSander ApplicabilityofPublicKeyCryptosystemstoDigitalRightsManagement Applications. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 75 JeremyWyant TrustandRiskManagement OntheGlobalContentPMI:ImprovedCopy-ProtectedInternetContent Distribution. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 79 TadayoshiKohno,MarkMcGovern Trust:ACollisionofParadigms. . . . . . . . . . . . . . . . . . . . . . .^ . . . . . . . . . . . . . . . 91 L. JeanCamp,HelenNissenbaum,CathleenMcGrath GroupsandAnonymity OntheSecurityofHomageGroupAuthenticationProtocol. . . . . . . . . . . . . . 106 ´ ElianeJaulmes,GuillaumePoupard VIII Table of Contents Anonymitywithout‘Cryptography’ . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 117 DahliaMalkhiandElanPavlov FairTracingwithoutTrustees . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 136 DennisKu¨gler,HolgerVogt InvitedTalk WhytheWaronMoneyLaunderingShouldBeAborted. . . . . . . . . . . . . . . . 149 RichardW. Rahn Certi?catesandAuthentication ProvablySecureImplicitCerti?cateSchemes. . . . . . . . . . . . . . . . . . . . . . . . . . 156 DanielR. L. Brown,RobertGallant,ScottA. Vanstone Nonmonotonicity,UserInterfaces,andRiskAssessmentinCerti?cate Revocation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .^ 166 NinghuiLi,JoanFeigenbaum MutualAuthenticationforLow-PowerMobileDevices. . . . . . . . . . . . . . . . . . 178 MarkusJakobsson,DavidPointcheval CreditCardSecurity O?-LineGenerationofLimited-UseCreditCardNumbers. . . . . . . . . . . . . . . 196 AvielD. Rubin,RebeccaN. Wright ASecurityFrameworkforCard-BasedSystems. . . . . . . . . . . . . . . . . . . . . . . . 210 YiannisTsiounis SecureClick:AWebPaymentSystemwithDisposableCreditCard Numbers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 232 AdiShamir Panel(II) TheBusinessofElectronicVoting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 243 EdGerck,C. AndrewNe?,RonaldL. Rivest,AvielD. Rubin, MotiYung MarketsandMultipartyComputation PrivacyfortheStockMarket. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 269 GiovanniDiCrescenzo SecureDistributedComputinginaCommercialEnvironment. . . . . . . . . . . .^ 289 PhilippeGolle,StuartStubblebine Table of Contents IX SignaturesinFinancialCryptography MonotoneSignatures. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 305 DavidNaccache,DavidPointcheval,ChristopheTymen ThePowerofRSAInversionOraclesandtheSecurityofChaum’s RSA-BasedBlindSignatureScheme. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 319 MihirBellare,ChanathipNamprempre,DavidPointcheval, MichaelSemanko OptimisticFairExchangewithTransparentSignatureRecovery. . . . . . . . . . 339 OlivierMarkowitch,ShahrokhSaeednia Auctions (M+1)st-PriceAuctionProtocol. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 351 HiroakiKikuchi Non-interactivePrivateAuctions. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 364 OlivierBaudron,JacquesStern AuthorIndex . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .^ 379 AmortizedE-Cash 1 2 Moses Liskov and Silvio Micali 1 MITLaboratoryforComputerScience mliskov@theory. lcs. mit. edu 2 MITLaboratoryforComputerScience silvio@lcs. mit. edu Abstract. Wepresentane-cashschemewhichprovidesatrade-o?- tweenanonymityande?ciency,byamortizingthecostofzero-knowledge andsignaturecomputationinthecashgenerationphase. OurworksolvesanopenproblemofOkamotoindivisiblee-cash.