CryptoNote v 1.0. Nicolas van Saberhagen. December


 Sharyl Conley
 4 years ago
 Views:
Transcription
1 CryptoNote v 1.0 Nicolas van Saberhagen December Introduction Bitcoin [1] has been a successful implementation of the p2p electronic cash concept. Both professionals and the general public have come to appreciate the convenient combination of public transactions and proofofwork as a trust model. Today, the user base of electronic cash is growing at a steady pace; customers are attracted to low fees and the anonymity provided by electronic cash and merchants value its predicted and decentralized emission. Bitcoin has effectively proved that electronic cash can be as simple as paper money and as convenient as credit cards. Unfortunately, Bitcoin suffers from several deficiencies. For example, the system s distributed nature is inflexible, preventing the implementation of new features until almost all of the network s users update their clients. Some critical flaws that cannot be fixed rapidly deter Bitcoin s widespread propagation. In such inflexible models, it is more efficient to rollout a new project rather than perpetually fix the original one. In this paper, we study and propose solutions to the main deficiencies of Bitcoin. We believe that a system taking into account the solutions we propose will lead to a healthy competition among different electronic cash systems. We also propose our own electronic cash, CryptoNote, a name emphasizing the next breakthrough in electronic cash. 2 Bitcoin drawbacks 2.1 Traceability Privacy and anonymity are the most important aspects of electronic cash. Peertopeer payments seek to be concealed from third party s view, a distinct difference when compared with traditional banking. The benefits are clear: companies do not want to reveal their internal transactions and ordinary people disagree to provide any information about their personal expenses. In particular, T. Okamoto and K. Ohta described six criteria of an ideal electronic cash, which included privacy: the relationship between the user and his purchases must be untraceable [2]. We define the properties of a fully anonymous payments system as follows: 1
2 Untraceability: for each incoming transaction all possible senders are equiprobable. Unlinkability: for any two outgoing transactions it is impossible to prove they were sent to the same person. Unfortunately Bitcoin does not meet the first criteria. Since all the transactions that take place between the network s participants are public, any transaction can be unambiguously traced to a unique origin and final recipient. Even if two participants exchange funds in an indirect way, a properly engineered pathfinding method (e.g. A star algorithm [6]) will reveal the origin and final recipient. Also Bitcoin doesn t seem to satisfy the second property. Some researchers stated ([3, 4, 5]) that a careful blockchain analysis may reveal a connection between users and their transactions. Although a number of the methods are disputed [7], a lot of prima facie hidden personal information can be extracted from the public database. Bitcoin s failure to satisfy the two properties outlined above leads us to conclude that it is not an anonymous but a pseudoanonymous electronic cash system. In comparison with the classic chaumian scheme with blind signatures [8] it does not provide the same level of privacy. Some solutions were proposed: ranging from mixing services [9] to distributed methods [10]. Both solutions are based on the idea of mixing several public transactions and sending them through some intermediary address; which in turn suffers the drawback of requiring a trusted third party. 2.2 Proofofwork function Bitcoin s creator Satoshi Nakamoto described the majority decision making algorithm as onecpuonevote and used a CPUbound pricing function (SHA256) for his proofofwork scheme. Since users vote for the single history of transactions order, the reasonableness and consistency of this process are critical conditions for the whole system. First, the security issue: the network is out of danger when 51% of the mining power is under the control of honest users. Second, the progress of the system is limited: the next version of the main protocols will be applied if and only if the overwhelming majority of users supports the changes [11]. Finally the same voting mechanism is also used for collective polls about the implementation of some features [13]. This permits us to conjecture the properties that must be satisfied by a proofofwork pricing function. Such a function must not enable a network participant to have a significant advantage over another participant; it requires a parity between common hardware and high cost custom devices. And as we can see [12], the Bitcoin pricing function SHA256 does not have this feature: a typical video card is more effective than a CPU and ASIC devices are more powerful than GPUs. Therefore, Bitcoin creates favourable conditions for a large gap between the voting power of participants as it violates the onecpuonevote principle since GPU and ASIC owners posses a much larger voting power when compared with CPU owners. It is a classical example of the Pareto principle where 20% of a system s participants control more than 80% of the votes. 2
3 2.3 Other shortcomings Irregular Emission Bitcoin has a predetermined emission rate: each solved block produces a fixed amount of coins. Approximately every four years this reward is halved. The original intention was to create a limited smooth emission with exponential decay, but in fact we have a piecewise linear emission function whose breakpoints may cause problems to the Bitcoin infrastructure. When the breakpoint occurs, miners start to receive only half of the value of their previous reward. The absolute difference between 12.5 and 6.25 BTC (projected for the year 2020) may seem tolerable. However, when examining the 50 to 25 BTC drop that took place recently we saw that it felt inappropriate for a significant number of members of the mining community. This event could have been the perfect moment for the malevolent individual described in the proofofwork function section to carryout a double spending attack [14]. Bulky scripts The script system in Bitcoin is too complicated and heavy. It potentially allows to create sophisticated transactions [15], but some of its features are disabled for security reasons or have never been used [16]. Meanwhile the script (including both sender and receiver parts) for the most popular transaction in Bitcoin looks as follows: <sig> <pubkey> OP DUP OP HASH160 <pubkeyhash> OP EQUALVERIFY OP CHECKSIG. It is 164 bytes long whereas its only purpose is to check if the receiver possesses the secret key, i.e. to verify his signature. 3
4 3 Untraceable Transactions In this section we propose a scheme for fully anonymous transactions satisfying both untraceability and unlinkability conditions. An important feature of our solution is its autonomy: the sender is not required to cooperate with other users or a trusted third party to make his transactions; hence each participant produces a cover traffic independently 3.1 Related works Our scheme relies on a cryptographic primitive called group signature. Invented by D. Chaum and E. van Heyst [17], it allows a user to sign a message on behalf of a group. After signing, the user provides (for verifying) not his own single public key, but the keys of all the users of his group. A verifier is convinced that the real signer is a member of this set, but doesn t know his exact identity. The original protocol included a Trusted Third Party (Group Manager), and he was the only one who could trace the signer. The next version ring signature, introduced by Rivest et al. in [18], was an autonomous scheme without the Group Manager and anonymity revocation. Various powerful modifications appeared later: linkable ring signature [19, 20, 21] allowed to determine if two signatures were produced by the same group member, traceable ring signature [22, 23] limited excessive anonymity by providing the possibility to trace the signer of two messages with respect to the same metainformation ( tag in terms of [22]). A similar cryptographic construction is also known as adhoc group signature [24, 25]. It emphasizes the arbitrary group formation, whereas group/ring signature schemes rather imply a fixed set of members. For the most part, our solution is based on the work Traceable ring signature by E. Fujisaki and K. Suzuki [22]. In order to distinguish the original algorithm and our modification we will call the latter onetime ring signature, stressing the user s capability to produce only one valid signature under the private key. We weakened the traceability property and kept the linkability only to provide onetimeness: the public key may appear in many foreign verifying sets and the private key can be used for generating a unique anonymous signature. In case of a double spend attempt these two signatures will be linked together, but revealing the signer is not necessary for our purposes. 3.2 Definitions Elliptic curve parametres As a base signature algorithm we use the modern extremely fast scheme EdDSA, which was developed and implemented by D.J. Bernstein et al. [26]. Common domain parameters are: q: prime number; 4
5 d: element of F q ; E: elliptic curve equation; G: base point; l: prime order of the base point; H s : cryptographic hash function {0, 1} F q ; H p : deterministic hash function E(F q ) E(F q ). Terms Enhanced privacy requires some new terms which should not be confused with Bitcoin entities. private eckey is a standard elliptic curve secret key: a number a [1, l 1]; public eckey is a standard elliptic curve public key: a point A = ag; onetime keypair is a pair of private and public eckeys; private user key is a pair (a, b) of two different private eckeys; tracking key is a pair (a, B) of private and public eckey (where B = bg and a b); public user key is a pair (A, B) of two public eckeys derived from (a, b); standard address is a representation of a public user key by a humantypable string with error correction; The general transaction structure remained almost identitcal to Bitcoin s: every user can choose several independent incoming payments (transaction outputs), sign them with the corresponding private keys and send them to different destinations. Contrary to Bitcoin s model, where a user possesses both the unique private and public keys, in the proposed model a sender generates a onetime public key based on the recipient s address and some random data. In this sense, an incoming transaction for the same recipient is sent to a onetime public key (not directly to a unique address) and only the recipient can recover the corresponding private part to redeem his funds (using his unique private key). The recipient can spend the funds using a ring signature, keeping his ownership and actual spending anonymous. The details of the protocol are explained in the next subsections. 5
6 3.3 Unlinkable payments Classic Bitcoin addresses, once published, becomes unambiguous identifiers for every incoming payment, linking them together and tying them to the recepient. We propose a solution allowing the user to publish a single address and receive unconditional unlinkable payments. The destination of each output (by default) is an unique public key, derived from the recipient s address and the sender injecting random data. First the sender performs the DiffieHellman exchange protocol to get a shared secret from his data and a half of the address. Then he computes a onetime destination key, using these secrets and the second half. Two different recipient eckeys are needed for these two steps, so the standard CryptoNote address is nearly twice as large compared to a Bitcoin address. The receiver also performs the DiffieHellman protocol and then recovers corresponding secret key. A standard transaction sequence goes as follows: 1. Alice wants to send a payment to Bob, who published his standard address. She unpacks it and gets Bob s public user key (A, B); 2. Then Alice generates a random r [1, l 1] and computes the public onetime key P = H s (ra)g + B; 3. Alice uses P as a destination key for the output and also puts the value R = rg (as part of the DiffieHellman protocol) somewhere into the transaction. Note that she can create other outputs with unique public keys: different recipients keys (A i, B i ) imply different P i s even with the same r; 4. Bob checks every passing transaction with his private key (a, b), computing P = H s (ar)g + B. If Alice s transaction was present, then ar = arg = ra and P = P. 5. Now Bob can recover the corresponding onetime private key: x = H s (ar) + b, so as P = xg. He can spend this output at any time by signing the transaction with x. As a result Bob gets incoming payments, associated with onetime public keys which are unlinkable for a wingside spectator. 3.4 Onetime ring signature A protocol based on onetime ring signatures allows users to achieve unconditional unlinkability. Unfortunately, ordinary types of cryptographic signatures permit to trace transactions to their respective senders and receivers. Our solution to this defficiency lies in using a different signature type than those currently used in electronic cash systems. The onetime ring signature consists of four algorithms (GEN, SIG, VER, LNK): 6
7 GEN takes public parameters and outputs an ecpair (P, x) and a public key I. SIG takes a message m, a set S of public keys {P i } i s, the pairs (P s, x s ) and outputs a signature σ and a set S = S {P s }. VER takes a message m, a set S, signature σ and outputs true or false. LNK takes a set I = {I i }, a signature σ and outputs linked or indep. The general purpose of the protocol is as follows: a user produces a signature which can be checked not by a single public key, but a set of keys. The real signer is indistinguishable from the other key owners until he produces the second signature under the same keypair. GEN: The signer picks up a random secret key x [1, l 1] and computes the corresponding public key P = xg. Additionally he computes another public key I = xh p (P ) which we will call key image. SIG: The signer generates a onetime ring signature with a noninteractive zeroknowledge proof using the technique from [27]. He selects a random subset S of n 1 other users public keys P i, his own keypair (x, P ) and the key image I. Let 1 s n be signer s secret index in S (so that his key is P s ). He picks a random element from{q i i = 1... n} and {w i i = 1... n, i s} from (1... l) and makes the following commitments: { q i G, if i = s L i = q i G + w i P i, if i s { q i H p (P i ), if i = s R i = q i H p (P i ) + w i I, if i s The next step is getting the noninteractive challenge: c = H s (m, L 1,..., L n, R 1,..., R n ) Finally the signer computes the response: w i, if i s c i = c n c i mod l, if i = s r i = { q i, i=1 if i s q s c s x mod l, if i = s The resulting signature is σ = (I, c 1,..., c n, r 1,..., r n ). VER: The verifier checks the signature, reconstructing the commitments: { L i = r ig + c i P i R i = r ih p (P i ) + c i I 7
8 Then verifier checks if n? c i = Hs (m, L 1,..., L n, R 1,..., R n) mod l i=1 If this equality holds, the verifier runs the algorithm LNK, otherwise he rejects the signature. LNK: The verifier checks if I has been used in past signatures (these values are stored in the set I). Double use means that two signatures were produced under the same secret key. The mechanizm of the protocol: using Lcommitments the signer proves that he knows such x that at least one P i = xg. To make this proof nonrepeatable we introduce the key image as I = xh p (P ). The signer uses the same coefficients (r i, c i ) to prove almost the same: he knows such x that at least one H p (P i ) = I x 1. If the mapping x I is a oneway injection: 1. Nobody can recover public key from the key image and identify the Signer; 2. The signer cannot make two signatures with different I s and the same x. 3.5 Summary With a onetime ring signature Bob can effectively hide Alice s output (i.e. his input) among others: all possible spenders will be equiprobable, even the Alice has no more information than any observer. When making a transaction Bob specifies n 1 foreign outputs with the same amount as his, mixing all of them without the participation of other users. Bob (as well as anybody else) does not know if any of these outputs have been spent: an output can be used in thousands of signatures as an ambiguity factor and never as a target of hiding. The double spend check occurs in the LNK phase when looking up in the used key images set. Bob can choose the ambiguity degree on his own: n = 2 means that he will have spent the output with 50% probability, n = 100 gives 1%. The size of the resulting signature is linear O(n), so the improved anonymity costs to Bob a bigger transaction size and higher fees. He also can set n = 1 and make his ring signature to consist of only one element: this will instantly reveal him as a spender. Combining both methods (onetime txkeys and onetime ring signatures) Bob achieves a new level of privacy in comparison with the original Bitcoin scheme. It requires him only to store one private key (a, b), and to generate a public key (A, B) to start receiving and sending anonymous transactions. For every output Bob recovers unique txkeypairs (p i, P i ) which are unlinkable with each other or his public key. He can spend any of them, signing each input with an untaceable ring signature. 8
9 4 Egalitarian Proofofwork In this section we propose and implement the new proofofwork algorithm. Our primary goal is to close the gap between CPU (majority) and GPU/FPGA/ASIC (minority) miners. It is appropriate for some users to have a certain advantage over others, but their investments should grow at least linearly with the power. More generally, producing specialpurpose devices has to be the least profitable possible. 4.1 Related works The original Bitcoin proofofwork protocol uses the CPUintensive pricing function SHA256. It mainly consists of basic logical operators and relies solely on the computational speed of the processor, therefore is perfectly suitable for multicore/conveyer implementation. However, modern computers are not limited by the number of operations per second alone, but also by memory size. While some processors can be substantially faster than others [12], memory sizes are less likely to vary between machines. Memorybound price functions were first introduced by Abadi et al and were defined as functions whose computation time is dominated by the time spent accessing memory [28]. The main idea is to construct an algorithm allocating a large block of data ( scratchpad ) within memory that can be accessed relatively slowly (for example, RAM) and accessing an unpredictable sequence of locations in it. A block should be large enough to make preserving the data more advantageous than recomputing it for each access. The algorithm should also prevent internal parallelism, hence N simultaneous threads should require N times more memory at once. Dwork et al [29] investigated and formalized this approach leading them to suggest another variant of the pricing function: Mbound. One more work belongs to F. Coelho [30], who proposed the most effective solution: Hokkaido. To our knowledge the last work based on the idea of pseudorandom searches in a big array is the algorithm known as scrypt by C. Percival [31]. Unlike the previous functions it focuses on key derivation, and not proofofwork systems. Despite this fact scrypt can serve our purpose: it works well as a pricing function in the partial hash conversion problem such as SHA256 in Bitcoin. By now scrypt has already been applied in Litecoin [32]. But its implementation is not truly memorybound: the ratio memory access time / overall time is not large enough because each instance uses only 128 KB. This permits GPU miners to be roughly 10 times more effective and continues to leave the possibility of creating relatively cheap but highlyeffcient mining devices. 4.2 Our algorithm We propose a new memorybound algorithm for the proofofwork price function. It relies on random access to a slow memory and emphasizes latency dependence. As opposed to 9
10 scrypt every new block (64 bytes in length) depends on the all the previous blocks, not only one, so the tradeoff between memory size and CPU speed becomes exponential. Our algorithm requires about 2 Mb per instance for the following reasons: 1. It fits in the L3 cache (per core) of modern processors, which will come into mainstream in a few years; 2. A megabyte of internal memory is almost an unacceptable size for the modern ASIC pipeline; 3. GPUs may run hundreds of concurrent instances, but they are limited in other ways: GDDR5 memory is slower than CPU L3 cache and remarkable for its bandwidth, not random access speed. 4. Significant expansion of the scratchpad would require an increase in iterations, which in turn implies overall time increases. Heavy calls in a trustless p2p network may lead to serious vulnerabilities, because nodes are obliged to check every new block s proofofwork. If a node spends a considerable amount of time on each hash evaluation, he can be easily DDoSed by a flood of fake objects with arbitrary work data (nonce values). 10
11 5 Further advantages 5.1 Smooth emission The upper bound for the overall amount of CryptoNote digital coins is also digital: MSupply = atomic units. This is natural restriction based only on implementation limits, not on intuition such as N coins ought to be enough for anybody. To ensure the smoothness of the emission process we use the following formula for block rewards: BaseReward = (MSupply A) 18, where A is the amount of previously generated coins. Difficulty CryptoNote contains a targeting algorithm which changes the difficulty of every block. This improves the system s reaction time when the network hashrate is intensely growing or shrinking, preserving a constant block rate. The original Bitcoin method calculates the ratio of actual and target difficulty between the last 2016 blocks and uses it as the multiplier for the current difficulty. Obviously this is unsuitable for rapid recalculations (because of large inertia) and results in oscillations. The general idea behind our algorithm is to sum all the work completed by the nodes and divide it by the time they have spent to complete the work. The measure of work are the corresponding difficulty values in each block. But due to inaccurate and untrusted timestamps we cannot determine the exact time interval between blocks. A user can shift his timestamp into the future and the next time intervals might be improbably small or even negative. Presumably there will be few incidents of this kind, we can just sort the timestamps and cutoff the outliers (i.e. 20%). The range of the remaining values is the time which was spent for 80% of the corresponding blocks. Block size limit Users pay others for storing the blockchain and shall be entitled to vote for its size. Every miner deals with the tradeoff between balancing the costs and profit from the fees, hence sets his own softlimit for creating blocks. Also the core rule for the maximum block size is necessary for preventing the blockchain from being flooded with bogus transactions, however this value should not be hardcoded. Let M N be the median value of the last N blocks sizes. Then the hardlimit for the size of accepting blocks is 2 M N. It averts the blockchain from bloating but still allows the limit to slowly grow with time if necessary. 11
12 6 Conclusion We have investigated the major flaws in Bitcoin and proposed the corresponding solutions. These advantageous features and our active ongoing development make the new ecash system CryptoNote a serious rival to Bitcoin, outclassing all its forks. We believe that a competition between concurrent currencies will be great for users, as the creators will be interested in further development of their products, adding new features, enlarging the communities and fixing bugs. We do not consider CryptoNote as a full replacement to Bitcoin. On the contrary, having two (or more) strong and convenient currencies is better than having only one. Running two or more different projects in parallel is the natural path of digital cash economics. 12
13 A Security Now we give a sketch of the security proof for our onetime ring signature scheme. At some points it coincides with the parts of the proof given in [22], but we are going to rewrite them with a reference rather than force a reader to rush from one paper to another. These are the properties to be established: Linkability. Given all the secret keys {x i } n i=1 for a set S it is impossible to produce n + 1 valid signatures σ 1, σ 2,..., σ n+1, such that all of them pass LNK phase (i.e. with n + 1 different key images I i ). This property implies the double spend proof in the context of CryptoNote. Exculpability. Given a set S, at most n 1 corresponding private keys x i (excluding i = j) and the image I j of the key x j it is impossible to produce a valid signature σ with I j. This property implies the theft proof in the context of CryptoNote. Unforgeability. Given only a set of public keys, S, it is impossible to produce a valid signature σ. Anonymity. Given a signature σ and a corresponding set S it is impossible to determine the secret index j of the signer with a probability p > 1 n. B Notes on the hash function H p We defined H p as a deterministic hash function E(F q ) E(F q ). None of the proofs demand H p to be an ideal cryptographic hash function. Its main purpose is to get a pseudorandom base for image key I = xh p (xg) in some determined way. With a fixed base (I = xg 2 ) the following scenario is possible: 1. Alice sends two standard transactions to Bob, generating onetime txkeys: P 2 = H s (r 1 A)G + B and P 1 = H s (r 2 A)G + B. 2. Bob recovers the corresponding onetime private txkeys x 1 and x 2 and spends the outputs with valid signatures and images keys I 1 = x 1 G 2 and I 2 = x 2 G Now Alice can link these signatures by checking the equality I 1 I 2? = (Hs (r 1 A) H s (r 2 A))G 2. This is possible because Alice knows the linear correlation between the public keys P 1 and P 2 and in case of fixed base G 2 she also gets the same correlation between key images I 1 and I 2. Replacing G 2 with a function H p, which does not preserved linearity, fixes that flaw. Nicolas van Saberhagen 13
14 References [1] [2] Tatsuaki Okamoto, Kazuo Ohta, Universal Electronic Cash, Advances in Cryptology CRYPTO 91, LNCS 576, pp , [3] Fergal Reid, Martin Harrigan, An Analysis of Anonymity in the Bitcoin System, [4] Kay Hamacher, Stefan Katzenbeisser, Bitcoin  An Analysis, 2011, youtube.com/watch?v=hlwytql1hfa [5] Dorit Ron, Adi Shamir, Quantitative Analysis of the Full Bitcoin Transaction Graph, [6] Hart, P. E.; Nilsson, N. J.; Raphael, B. (1968). A Formal Basis for the Heuristic Determination of Minimum Cost Paths. IEEE Transactions on Systems Science and Cybernetics SSC4 4 (2): [7] Jeff Garzik, Peer review of Quantitative Analysis of the Full Bitcoin Transaction Grap, 2012, [8] David Chaum, Advances in Cryptology: Proceedings of CRYPTO 82, pp , 1982 [9] [10] [11] [12] [13] [14] Meni Rosenfeld, Analysis of hashratebased doublespending, bitcoil.co.il/doublespend.pdf [15] [16] [17] D. Chaum and E. van Heyst (1991). Group signatures. Advances in Cryptology EUROCRYPT 91, volume 547 of Lecture Notes in Computer Science. pp [18] Ronald L. Rivest, Adi Shamir, Yael Tauman, How to Leak a Secret, Proceedings of the 7th International Conference on the Theory and Application of Cryptology and Information Security: Advances in Cryptology, p , December 0913,
15 [19] Liu, J.K., Wei, V.K., Wong, D.S.: Linkable spontaneous anonymous group signature for ad hoc groups. In: Wang, H., Pieprzyk, J., Varadharajan, V. (eds.) ACISP LNCS, vol. 3108, pp Springer, Heidelberg (2004) [20] Liu, J.K., Wong, D.S.: Linkable ring signatures: Security models and new schemes. In: Gervasi, O., Gavrilova, M.L., Kumar, V., Lagan a,a.,lee,h.p.,mun,y., Taniar, D., Tan, C.J.K. (eds.) ICCSA LNCS, vol. 3481, pp Springer, Heidelberg (2005) [21] Au, M.H., Chow, S.S.M., Susilo, W., Tsang, P.P.: Short linkable ring signatures revisited. In: Atzeni, A.S., Lioy, A. (eds.) EuroPKI LNCS, vol. 4043, pp Springer, Heidelberg (2006) [22] Fujisaki, E., Suzuki, K.: Traceable ring signature. IEICE Trans. of Fund. E91A(1), (2008); Presented in PKC 2007, LNCS 4450 [23] Eiichiro Fujisaki, Sublinear size traceable ring signatures without random oracles, Proceeding CTRSA 11 Proceedings of the 11th international conference on Topics in cryptology: CTRSA 2011, pages SpringerVerlag Berlin, Heidelberg 2011 [24] B. Adida, S. Hohenberger, and R. L. Rivest. AdHocGroup Signatures from Hijacked Keypairs, At [25] Qianhong Wu, Willy Susilo, Yi Mu, Fangguo Zhang. Ad hoc group signatures, Proceeding IWSEC 06 Proceedings of the 1st international conference on Security, pages SpringerVerlag Berlin, Heidelberg 2006 [26] D. J. Bernstein, N. Duif, T. Lange, P. Schwabe, B. Yang, Highspeed highsecurity signatures,journal of Cryptographic Engineering, September 2012, Volume 2, Issue 2, pp [27] R. Cramer, I. Damgard, B. Schoenmakers, Proofs of partial knowledge and simplifed design of witness hiding protocols, Advances in Cryptology CRYPTO 94, volume 839 of Lecture Notes in Computer Science, pp Springer Verlag, [28] M. Abadi, M. Burrows, M. Manasse, and T. Wobber, Moderately Hard, Memory Bound Functions, manuscript paper to appear in Proceedings of the 10th Annual Network and Distributed System Security Symposium February, [29] Cynthia Dwork, Andrew Goldberg, and Moni Naor. On memorybound functions for fighting spam. In Advances in Cryptology CRYPTO 2003, volume 2729 of Lecture Notes in Computer Science, pages Springer, [30] Fabien Coelho, Exponential MemoryBound Functions for Proof of Work Protocols,
16 [31] Colin Percival, Stronger Key Derivation via Sequential MemoryHard Functions, presented at BSDCan 09, May 2009 [32] 16
CryptoNote v 2.0. 2 Bitcoin drawbacks and some possible solutions
CryptoNote v 2.0 Nicolas van Saberhagen October 17, 2013 1 Introduction Bitcoin [1] has been a successful implementation of the concept of p2p electronic cash. Both professionals and the general public
More informationCryptography: Authentication, Blind Signatures, and Digital Cash
Cryptography: Authentication, Blind Signatures, and Digital Cash Rebecca Bellovin 1 Introduction One of the most exciting ideas in cryptography in the past few decades, with the widest array of applications,
More informationNEW DIGITAL SIGNATURE PROTOCOL BASED ON ELLIPTIC CURVES
NEW DIGITAL SIGNATURE PROTOCOL BASED ON ELLIPTIC CURVES Ounasser Abid 1, Jaouad Ettanfouhi 2 and Omar Khadir 3 1,2,3 Laboratory of Mathematics, Cryptography and Mechanics, Department of Mathematics, Fstm,
More informationThe Mathematics of the RSA PublicKey Cryptosystem
The Mathematics of the RSA PublicKey Cryptosystem Burt Kaliski RSA Laboratories ABOUT THE AUTHOR: Dr Burt Kaliski is a computer scientist whose involvement with the security industry has been through
More informationMOMENTUM  A MEMORYHARD PROOFOFWORK VIA FINDING BIRTHDAY COLLISIONS. DANIEL LARIMER dlarimer@invictusinnovations.com Invictus Innovations, Inc
MOMENTUM  A MEMORYHARD PROOFOFWORK VIA FINDING BIRTHDAY COLLISIONS DANIEL LARIMER dlarimer@invictusinnovations.com Invictus Innovations, Inc ABSTRACT. We introduce the concept of memoryhard proofofwork
More informationOn Electronic Payment Systems
On Electronic Payment Systems Ronald Cramer, Ivan Damgård and Jesper Buus Nielsen CPT 2009 April 22, 2009 Abstract This note is an introduction to the area of electronic cash (ecash) schemes. The note
More informationCryptographic aspects of Bitcoin
Cryptographic aspects of Bitcoin Stefan Dziembowski University of Warsaw Digital vs. paper currencies Paper: Digital: 16fab13fc6890 Very useful if is also digital. A tradi@onal ways of paying digitally
More informationCryptanalysis of a Partially Blind Signature Scheme or How to make $100 bills with $1 and $2 ones
Cryptanalysis of a Partially Blind Signature Scheme or How to make $100 bills with $1 and $2 ones Gwenaëlle Martinet 1, Guillaume Poupard 1, and Philippe Sola 2 1 DCSSI Crypto Lab, 51 boulevard de La TourMaubourg
More informationA blind digital signature scheme using elliptic curve digital signature algorithm
A blind digital signature scheme using elliptic curve digital signature algorithm İsmail BÜTÜN * and Mehmet DEMİRER *Department of Electrical Engineering, University of South Florida, Tampa, FL, USA Department
More information36 Toward Realizing PrivacyPreserving IPTraceback
36 Toward Realizing PrivacyPreserving IPTraceback The IPtraceback technology enables us to trace widely spread illegal users on Internet. However, to deploy this attractive technology, some problems
More informationSecurity in Electronic Payment Systems
Security in Electronic Payment Systems Jan L. Camenisch, JeanMarc Piveteau, Markus A. Stadler Institute for Theoretical Computer Science, ETH Zurich, CH8092 Zurich email: {camenisch, stadler}@inf.ethz.ch
More informationAn Anonymous Endorsement System
JOURNAL OF INFORMATION SCIENCE AND ENGINEERING 18, 107114 (2002) Short Paper An Anonymous Endorsement System Department of Electrical Engineering National Taiwan University Taipei, 106 Taiwan Email:
More informationLecture 2: Complexity Theory Review and Interactive Proofs
600.641 Special Topics in Theoretical Cryptography January 23, 2007 Lecture 2: Complexity Theory Review and Interactive Proofs Instructor: Susan Hohenberger Scribe: Karyn Benson 1 Introduction to Cryptography
More informationUsing the Bitcoin Blockchain for secure, independently verifiable, electronic votes. Pierre Noizat  July 2014
Using the Bitcoin Blockchain for secure, independently verifiable, electronic votes. Pierre Noizat  July 2014 The problem with proprietary voting systems Existing electronic voting systems all suffer
More informationDistributed Public Key Infrastructure via the Blockchain. Sean Pearl smp1697@cs.rit.edu April 28, 2015
Distributed Public Key Infrastructure via the Blockchain Sean Pearl smp1697@cs.rit.edu April 28, 2015 Overview Motivation: Electronic Money Example TTP: PayPal Bitcoin (BTC) Background Structure Other
More informationPaillier Threshold Encryption Toolbox
Paillier Threshold Encryption Toolbox October 23, 2010 1 Introduction Following a desire for secure (encrypted) multiparty computation, the University of Texas at Dallas Data Security and Privacy Lab created
More informationCRYPTOGRAPHY IN NETWORK SECURITY
ELE548 Research Essays CRYPTOGRAPHY IN NETWORK SECURITY AUTHOR: SHENGLI LI INSTRUCTOR: DR. JIENCHUNG LO Date: March 5, 1999 Computer network brings lots of great benefits and convenience to us. We can
More informationCrittografia e sicurezza delle reti. Digital signatures DSA
Crittografia e sicurezza delle reti Digital signatures DSA Signatures vs. MACs Suppose parties A and B share the secret key K. Then M, MAC K (M) convinces A that indeed M originated with B. But in case
More informationA Secure Decentralized Access Control Scheme for Data stored in Clouds
A Secure Decentralized Access Control Scheme for Data stored in Clouds Priyanka Palekar 1, Abhijeet Bharate 2, Nisar Anjum 3 1 SKNSITS, University of Pune 2 SKNSITS, University of Pune 3 SKNSITS, University
More informationA New and Efficient Signature on Commitment Values
International Journal of Network Security, Vol.7, No., PP.0 06, July 2008 0 A New and Efficient Signature on Commitment Values Fangguo Zhang,3, Xiaofeng Chen 2,3, Yi Mu 4, and Willy Susilo 4 (Corresponding
More informationGroup Blind Digital Signatures: Theory and Applications by Zulækar Amin Ramzan Submitted to the Department of Electrical Engineering and Computer Science in partial fulællment of the requirements for the
More informationLecture 25: PairingBased Cryptography
6.897 Special Topics in Cryptography Instructors: Ran Canetti and Ron Rivest May 5, 2004 Lecture 25: PairingBased Cryptography Scribe: Ben Adida 1 Introduction The field of PairingBased Cryptography
More informationAn Analysis of the Bitcoin Electronic Cash System
An Analysis of the Bitcoin Electronic Cash System Danielle Drainville University of Waterloo December 21, 2012 1 Abstract In a world that relies heavily on technology, privacy is sought by many. Privacy,
More informationLecture 9  Message Authentication Codes
Lecture 9  Message Authentication Codes Boaz Barak March 1, 2010 Reading: BonehShoup chapter 6, Sections 9.1 9.3. Data integrity Until now we ve only been interested in protecting secrecy of data. However,
More informationOutline. Computer Science 418. Digital Signatures: Observations. Digital Signatures: Definition. Definition 1 (Digital signature) Digital Signatures
Outline Computer Science 418 Digital Signatures Mike Jacobson Department of Computer Science University of Calgary Week 12 1 Digital Signatures 2 Signatures via Public Key Cryptosystems 3 Provable 4 Mike
More informationOperation Count; Numerical Linear Algebra
10 Operation Count; Numerical Linear Algebra 10.1 Introduction Many computations are limited simply by the sheer number of required additions, multiplications, or function evaluations. If floatingpoint
More informationLecture 17: Reencryption
600.641 Special Topics in Theoretical Cryptography April 2, 2007 Instructor: Susan Hohenberger Lecture 17: Reencryption Scribe: Zachary Scott Today s lecture was given by Matt Green. 1 Motivation Proxy
More informationVictor Shoup Avi Rubin. fshoup,rubing@bellcore.com. Abstract
Session Key Distribution Using Smart Cards Victor Shoup Avi Rubin Bellcore, 445 South St., Morristown, NJ 07960 fshoup,rubing@bellcore.com Abstract In this paper, we investigate a method by which smart
More informationA SOFTWARE COMPARISON OF RSA AND ECC
International Journal Of Computer Science And Applications Vol. 2, No. 1, April / May 29 ISSN: 97413 A SOFTWARE COMPARISON OF RSA AND ECC Vivek B. Kute Lecturer. CSE Department, SVPCET, Nagpur 9975549138
More informationFinal Exam. IT 4823 Information Security Administration. Rescheduling Final Exams. Kerberos. Idea. Ticket
IT 4823 Information Security Administration Public Key Encryption Revisited April 5 Notice: This session is being recorded. Lecture slides prepared by Dr Lawrie Brown for Computer Security: Principles
More informationSecure Network Communication Part II II Public Key Cryptography. Public Key Cryptography
Kommunikationssysteme (KSy)  Block 8 Secure Network Communication Part II II Public Key Cryptography Dr. Andreas Steffen 20002001 A. Steffen, 28.03.2001, KSy_RSA.ppt 1 Secure Key Distribution Problem
More informationBitIodine: extracting intelligence from the Bitcoin network
BitIodine: extracting intelligence from the Bitcoin network Michele Spagnuolo http://miki.it michele@spagnuolo.me @mikispag Bitcoin BitIodine About Bitcoin Decentralized, global digital currency A global
More informationCryptography and Network Security Department of Computer Science and Engineering Indian Institute of Technology Kharagpur
Cryptography and Network Security Department of Computer Science and Engineering Indian Institute of Technology Kharagpur Module No. # 01 Lecture No. # 05 Classic Cryptosystems (Refer Slide Time: 00:42)
More informationEfficient construction of votetags to allow open objection to the tally in electronic elections
Information Processing Letters 75 (2000) 211 215 Efficient construction of votetags to allow open objection to the tally in electronic elections Andreu Riera a,,joseprifà b, Joan Borrell b a isoco, Intelligent
More informationOrwell. From Bitcoin to secure Domain Name System
Orwell. From Bitcoin to secure Domain Name System Michał Jabczyński, Michał Szychowiak Poznań University of Technology Piotrowo 2, 60965 Poznań, Poland {Michal.Jabczynski, Michal.Szychowiak}@put.poznan.pl
More informationCSCE 465 Computer & Network Security
CSCE 465 Computer & Network Security Instructor: Dr. Guofei Gu http://courses.cse.tamu.edu/guofei/csce465/ Public Key Cryptogrophy 1 Roadmap Introduction RSA DiffieHellman Key Exchange Public key and
More informationAsicBoost A Speedup for Bitcoin Mining
AsicBoost A Speedup for Bitcoin Mining Dr. Timo Hanke March 31, 2016 (rev. 5) Abstract. AsicBoost is a method to speed up Bitcoin mining by a factor of approximately 20%. The performance gain is achieved
More information1 Digital Signatures. 1.1 The RSA Function: The eth Power Map on Z n. Crypto: Primitives and Protocols Lecture 6.
1 Digital Signatures A digital signature is a fundamental cryptographic primitive, technologically equivalent to a handwritten signature. In many applications, digital signatures are used as building blocks
More informationCryptanalysis and security enhancement on the generation of MuVaradharajan electronic voting protocol. Vahid Jahandideh and Amir S.
72 Int. J. Electronic Governance, Vol. 3, No. 1, 2010 Cryptanalysis and security enhancement on the generation of MuVaradharajan electronic voting protocol Vahid Jahandideh and Amir S. Mortazavi Department
More informationSECURITY ANALYSIS OF A SINGLE SIGNON MECHANISM FOR DISTRIBUTED COMPUTER NETWORKS
SECURITY ANALYSIS OF A SINGLE SIGNON MECHANISM FOR DISTRIBUTED COMPUTER NETWORKS Abstract: The Single signon (SSO) is a new authentication mechanism that enables a legal user with a single credential
More informationApplication of Electronic Currency on the Online Payment System like PayPal
Application of Electronic Currency on the Online Payment System like PayPal Rafael Martínez Peláez, Francisco J. Rico Novella Technical University of Catalonia (UPC), Department of Telematics Engineering
More informationDigital Cash. is not a check, credit card or a debit card. They leave audit trails. can be sent through computer networks.
Digital Cash is not a check, credit card or a debit card. They leave audit trails. is anonymous and untraceable. can be sent through computer networks. can be used offline (not connected to a bank). is
More informationRSA Attacks. By Abdulaziz Alrasheed and Fatima
RSA Attacks By Abdulaziz Alrasheed and Fatima 1 Introduction Invented by Ron Rivest, Adi Shamir, and Len Adleman [1], the RSA cryptosystem was first revealed in the August 1977 issue of Scientific American.
More informationAn Approach to Enhance in Group Signature Scheme with Anonymous Revocation
An Approach to Enhance in Group Signature Scheme with Anonymous Revocation Thu Thu Mon Oo, and Win Htay Abstract This paper concerns with the group signature scheme. In this scheme, anyone who can access
More information1 Message Authentication
Theoretical Foundations of Cryptography Lecture Georgia Tech, Spring 200 Message Authentication Message Authentication Instructor: Chris Peikert Scribe: Daniel Dadush We start with some simple questions
More informationNetwork Security. Abusayeed Saifullah. CS 5600 Computer Networks. These slides are adapted from Kurose and Ross 81
Network Security Abusayeed Saifullah CS 5600 Computer Networks These slides are adapted from Kurose and Ross 81 Public Key Cryptography symmetric key crypto v requires sender, receiver know shared secret
More informationCIS 6930 Emerging Topics in Network Security. Topic 2. Network Security Primitives
CIS 6930 Emerging Topics in Network Security Topic 2. Network Security Primitives 1 Outline Absolute basics Encryption/Decryption; Digital signatures; DH key exchange; Hash functions; Application of hash
More informationCapture Resilient ElGamal Signature Protocols
Capture Resilient ElGamal Signature Protocols Hüseyin Acan 1, Kamer Kaya 2,, and Ali Aydın Selçuk 2 1 Bilkent University, Department of Mathematics acan@fen.bilkent.edu.tr 2 Bilkent University, Department
More informationInternational Journal of Information Technology, Modeling and Computing (IJITMC) Vol.1, No.3,August 2013
FACTORING CRYPTOSYSTEM MODULI WHEN THE COFACTORS DIFFERENCE IS BOUNDED Omar Akchiche 1 and Omar Khadir 2 1,2 Laboratory of Mathematics, Cryptography and Mechanics, Fstm, University of Hassan II MohammediaCasablanca,
More informationNonBlackBox Techniques In Crytpography. Thesis for the Ph.D degree Boaz Barak
NonBlackBox Techniques In Crytpography Introduction Thesis for the Ph.D degree Boaz Barak A computer program (or equivalently, an algorithm) is a list of symbols a finite string. When we interpret a
More informationEmbedding more security in digital signature system by using combination of public key cryptography and secret sharing scheme
International Journal of Computer Sciences and Engineering Open Access Research Paper Volume4, Issue3 EISSN: 23472693 Embedding more security in digital signature system by using combination of public
More informationNetwork Security. Mobin Javed. October 5, 2011
Network Security Mobin Javed October 5, 2011 In this class, we mainly had discussion on threat models w.r.t the class reading, BGP security and defenses against TCP connection hijacking attacks. 1 Takeaways
More information1720  Forward Secrecy: How to Secure SSL from Attacks by Government Agencies
1720  Forward Secrecy: How to Secure SSL from Attacks by Government Agencies Dave Corbett Technical Product Manager Implementing Forward Secrecy 1 Agenda Part 1: Introduction Why is Forward Secrecy important?
More informationProtocol for irreversible offline transactions in anonymous electronic currency exchange
Soft Comput (2014) 18:2587 2594 DOI 10.1007/s0050001414422 METHODOLOGIES AND APPLICATION Protocol for irreversible offline transactions in anonymous electronic currency exchange Marek R. Ogiela Piotr
More informationDigital Signatures. Meka N.L.Sneha. Indiana State University. nmeka@sycamores.indstate.edu. October 2015
Digital Signatures Meka N.L.Sneha Indiana State University nmeka@sycamores.indstate.edu October 2015 1 Introduction Digital Signatures are the most trusted way to get documents signed online. A digital
More informationEnhanced Privacy ID (EPID) Ernie Brickell and Jiangtao Li Intel Corporation
Enhanced Privacy ID (EPID) Ernie Brickell and Jiangtao Li Intel Corporation 1 Agenda EPID overview EPID usages Device Authentication Government Issued ID EPID performance and standardization efforts 2
More informationA Privacy Preserving of Composite Private/Public Key in Cloud Servers
A Privacy Preserving of Composite Private/Public Key in Cloud Servers O Sri Nagesh PhD Scholar, Department of CSE, Lingaya s University, Faridabad ABSTRACT Security is a term used to provide secrecy of
More informationAn Internet Based Anonymous Electronic Cash System
Research Paper American Journal of Engineering Research (AJER) eissn: 23200847 pissn : 23200936 Volume4, Issue4, pp148152 www.ajer.org Open Access An Internet Based Anonymous Electronic Cash System
More informationSignature Schemes. CSG 252 Fall 2006. Riccardo Pucella
Signature Schemes CSG 252 Fall 2006 Riccardo Pucella Signatures Signatures in real life have a number of properties They specify the person responsible for a document E.g. that it has been produced by
More informationBitcoin Miner Optimization
Bitcoin Miner Optimization Nicolas T. Courtois  University College London, UK Bitcoin Mining Bottom Line Bitcoin Mining = a high tech race to determine who will own the currency of the 21 century 2 Nicolas
More informationBitmessage: A Peer to Peer Message Authentication and Delivery System
Bitmessage: A Peer to Peer Message Authentication and Delivery System Jonathan Warren jonathan@bitmessage.org www.bitmessage.org November 27, 2012 Abstract. We propose a system that allows users to securely
More informationChapter 7: Network security
Chapter 7: Network security Foundations: what is security? cryptography authentication message integrity key distribution and certification Security in practice: application layer: secure email transport
More informationAn Electronic Voting System Based On Blind Signature Protocol
CSMR, VOL. 1, NO. 1 (2011) An Electronic Voting System Based On Blind Signature Protocol Marius Ion, Ionuţ Posea University POLITEHNICA of Bucharest Faculty of Automatic Control and Computers, Computer
More informationDigital Signatures. (Note that authentication of sender is also achieved by MACs.) Scan your handwritten signature and append it to the document?
Cryptography Digital Signatures Professor: Marius Zimand Digital signatures are meant to realize authentication of the sender nonrepudiation (Note that authentication of sender is also achieved by MACs.)
More informationQuantitative Analysis of the Full Bitcoin Transaction Graph
Quantitative Analysis of the Full Bitcoin Transaction Graph Dorit Ron and Adi Shamir Department of Computer Science and Applied Mathematics, The Weizmann Institute of Science, Israel {dorit.ron,adi.shamir}@weizmann.ac.il
More informationBreaking Generalized DiffieHellman Modulo a Composite is no Easier than Factoring
Breaking Generalized DiffieHellman Modulo a Composite is no Easier than Factoring Eli Biham Dan Boneh Omer Reingold Abstract The DiffieHellman keyexchange protocol may naturally be extended to k > 2
More informationBitcoin: A PeertoPeer Electronic Cash System
Bitcoin: A PeertoPeer Electronic Cash System Satoshi Nakamoto satoshin@gmx.com www.bitcoin.org Abstract. A purely peertopeer version of electronic cash would allow online payments to be sent directly
More informationProtocols for Secure Cloud Computing
IBM Research Zurich Christian Cachin 28 September 2010 Protocols for Secure Cloud Computing 2009 IBM Corporation Where is my data? 1985 2010 Who runs my computation? 1985 2010 IBM Research  Zurich Overview
More informationInductive Analysis of Security Protocols in Isabelle/HOL with Applications to Electronic Voting
Inductive Analysis of Security Protocols in Isabelle/HOL with Applications to Electronic Voting Denis Butin 1 / 37 2 / 37 Introduction Network communication sensitive: banking, private correspondence,
More informationComputer Security: Principles and Practice
Computer Security: Principles and Practice Chapter 20 PublicKey Cryptography and Message Authentication First Edition by William Stallings and Lawrie Brown Lecture slides by Lawrie Brown PublicKey Cryptography
More informationDeveloping and Investigation of a New Technique Combining Message Authentication and Encryption
Developing and Investigation of a New Technique Combining Message Authentication and Encryption Eyas ElQawasmeh and Saleem Masadeh Computer Science Dept. Jordan University for Science and Technology P.O.
More informationThe science of encryption: prime numbers and mod n arithmetic
The science of encryption: prime numbers and mod n arithmetic Go check your email. You ll notice that the webpage address starts with https://. The s at the end stands for secure meaning that a process
More information1 Signatures vs. MACs
CS 120/ E177: Introduction to Cryptography Salil Vadhan and Alon Rosen Nov. 22, 2006 Lecture Notes 17: Digital Signatures Recommended Reading. KatzLindell 10 1 Signatures vs. MACs Digital signatures
More informationSECURE AND EFFICIENT PRIVACYPRESERVING PUBLIC AUDITING SCHEME FOR CLOUD STORAGE
International Journal of Computer Network and Security(IJCNS) Vol 7. No.1 2015 Pp. 18 gopalax Journals, Singapore available at : www.ijcns.com ISSN: 09758283 
More informationOverview of Cryptographic Tools for Data Security. Murat Kantarcioglu
UT DALLAS Erik Jonsson School of Engineering & Computer Science Overview of Cryptographic Tools for Data Security Murat Kantarcioglu Pag. 1 Purdue University Cryptographic Primitives We will discuss the
More informationImprovement of digital signature with message recovery using selfcertified public keys and its variants
Applied Mathematics and Computation 159 (2004) 391 399 www.elsevier.com/locate/amc Improvement of digital signature with message recovery using selfcertified public keys and its variants Zuhua Shao Department
More information1 Domain Extension for MACs
CS 127/CSCI E127: Introduction to Cryptography Prof. Salil Vadhan Fall 2013 Reading. Lecture Notes 17: MAC Domain Extension & Digital Signatures KatzLindell Ÿ4.34.4 (2nd ed) and Ÿ12.012.3 (1st ed).
More informationProofs of communication and its application for fighting spam
Proofs of communication and its application for fighting spam Marek Klonowski Tomasz Strumiński Wrocław University of Technology Nový Smokovec, January Agenda filtering mail previous work: regular proofofwork
More informationPublic Key Cryptography in Practice. c Eli Biham  May 3, 2005 372 Public Key Cryptography in Practice (13)
Public Key Cryptography in Practice c Eli Biham  May 3, 2005 372 Public Key Cryptography in Practice (13) How Cryptography is Used in Applications The main drawback of public key cryptography is the inherent
More informationImproved Online/Offline Signature Schemes
Improved Online/Offline Signature Schemes Adi Shamir and Yael Tauman Applied Math. Dept. The Weizmann Institute of Science Rehovot 76100, Israel {shamir,tauman}@wisdom.weizmann.ac.il Abstract. The notion
More informationCategorical Heuristic for Attribute Based Encryption in the Cloud Server
Categorical Heuristic for Attribute Based Encryption in the Cloud Server R. Brindha 1, R. Rajagopal 2 1( M.E, Dept of CSE, Vivekanandha Institutes of Engineering and Technology for Women, Tiruchengode,
More informationElectronic Contract Signing without Using Trusted Third Party
Electronic Contract Signing without Using Trusted Third Party Zhiguo Wan 1, Robert H. Deng 2 and David Lee 1 Sim Kim Boon Institute for Financial Economics 1, School of Information Science 2, Singapore
More informationETH Zurich. Email: fstadler, camenischg@inf.ethz.ch UBILAB. Email: piveteau@ubilab.ubs.ch
Fair Blind Signatures Markus Stadler 1, JeanMarc Piveteau 2, Jan Camenisch 1 1 Institute for Theoretical Computer Science ETH Zurich CH8092 Zurich, Switzerland Email: fstadler, camenischg@inf.ethz.ch 2
More informationSecurity Analysis of DRBG Using HMAC in NIST SP 80090
Security Analysis of DRBG Using MAC in NIST SP 80090 Shoichi irose Graduate School of Engineering, University of Fukui hrs shch@ufukui.ac.jp Abstract. MAC DRBG is a deterministic random bit generator
More informationElectronic Voting Protocol Analysis with the Inductive Method
Electronic Voting Protocol Analysis with the Inductive Method Introduction Evoting use is spreading quickly in the EU and elsewhere Sensitive, need for formal guarantees Inductive Method: protocol verification
More informationChristoph Sorge. February 12th, 2014 Bitcoin minisymposium at KNAW
Bitcoin s PeertoPeer network Christoph Sorge February 12th, 2014 Bitcoin minisymposium at KNAW Clipart source: http://openclipart.org, users Machovka and Keistutis Department of Computer Science What
More informationMTAT.07.003 Cryptology II. Digital Signatures. Sven Laur University of Tartu
MTAT.07.003 Cryptology II Digital Signatures Sven Laur University of Tartu Formal Syntax Digital signature scheme pk (sk, pk) Gen (m, s) (m,s) m M 0 s Sign sk (m) Ver pk (m, s)? = 1 To establish electronic
More informationInternational Journal for Research in Computer Science
TOPIC: MOBILE COMPUTING AND SECURITY ISSUES. ABSTRACT Owodele Odukale The past decade has seen a growth in the use of mobile computing. Its use can be found in areas such as social media, information exchange,
More informationA Survey on Untransferable Anonymous Credentials
A Survey on Untransferable Anonymous Credentials extended abstract Sebastian Pape Databases and Interactive Systems Research Group, University of Kassel Abstract. There are at least two principal approaches
More informationA novel deniable authentication protocol using generalized ElGamal signature scheme
Information Sciences 177 (2007) 1376 1381 www.elsevier.com/locate/ins A novel deniable authentication protocol using generalized ElGamal signature scheme WeiBin Lee a, ChiaChun Wu a, WoeiJiunn Tsaur
More informationTwo Factor Zero Knowledge Proof Authentication System
Two Factor Zero Knowledge Proof Authentication System Quan Nguyen Mikhail Rudoy Arjun Srinivasan 6.857 Spring 2014 Project Abstract It is often necessary to log onto a website or other system from an untrusted
More informationNew Proxy Signature, Proxy Blind Signature and Proxy Ring Signature Schemes from Bilinear Pairings
New Proxy Signature, Proxy Blind Signature and Proxy Ring Signature Schemes from Bilinear Pairings Fangguo Zhang 1, Reihaneh SafaviNaini 1 and ChihYin Lin 2 1 School of Information Technology and Computer
More informationPrivacyProviding Signatures and Their Applications. PhD Thesis. Author: Somayeh Heidarvand. Advisor: Jorge L. Villar
PrivacyProviding Signatures and Their Applications PhD Thesis Author: Somayeh Heidarvand Advisor: Jorge L. Villar PrivacyProviding Signatures and Their Applications by Somayeh Heidarvand In fulfillment
More informationSplit Based Encryption in Secure File Transfer
Split Based Encryption in Secure File Transfer Parul Rathor, Rohit Sehgal Assistant Professor, Dept. of CSE, IET, Nagpur University, India Assistant Professor, Dept. of CSE, IET, Alwar, Rajasthan Technical
More informationSome Identity Based Strong BiDesignated Verifier Signature Schemes
Some Identity Based Strong BiDesignated Verifier Signature Schemes Sunder Lal and Vandani Verma Department of Mathematics, Dr. B.R.A. (Agra), University, Agra282002 (UP), India. Email sunder_lal2@rediffmail.com,
More informationNetwork Security. Computer Networking Lecture 08. March 19, 2012. HKU SPACE Community College. HKU SPACE CC CN Lecture 08 1/23
Network Security Computer Networking Lecture 08 HKU SPACE Community College March 19, 2012 HKU SPACE CC CN Lecture 08 1/23 Outline Introduction Cryptography Algorithms Secret Key Algorithm Message Digest
More informationSecurity/Privacy Models for "Internet of things": What should be studied from RFID schemes? Daisuke Moriyama and Shin ichiro Matsuo NICT, Japan
Security/Privacy Models for "Internet of things": What should be studied from RFID schemes? Daisuke Moriyama and Shin ichiro Matsuo NICT, Japan 1 Internet of Things (IoT) CASAGRAS defined that: A global
More informationBinary search tree with SIMD bandwidth optimization using SSE
Binary search tree with SIMD bandwidth optimization using SSE Bowen Zhang, Xinwei Li 1.ABSTRACT Inmemory tree structured index search is a fundamental database operation. Modern processors provide tremendous
More informationCertificate Based Signature Schemes without Pairings or Random Oracles
Certificate Based Signature Schemes without Pairings or Random Oracles p. 1/2 Certificate Based Signature Schemes without Pairings or Random Oracles Joseph K. Liu, Joonsang Baek, Willy Susilo and Jianying
More information