(Sorted by authors.)
Most of the following papers are available online in gnuzipped Postscript, some also in PDF. There is also a complete list of all our publications sorted by language and subject.Don't forget: some proceedings are published in a later year than the conference is held.
Jose L. Abad-Peiro, N. Asokan, Michael Steiner, Michael Waidner: Designing a generic payment service; IBM Systems Journal, 37/1 (1998). Revision of: IBM Research Report RZ 2891 (# 90839), IBM Research, December 1996.
Abstract: The growing importance of electronic commerce has resulted in the introduction of a variety of different and incompatible payment systems. For business application developers, this variety implies the need to understand the details of different systems, to adapt the code as soon as new payment systems are introduced, and also to provide a way of picking a suitable payment instrument for every transaction. In our work, we unify the different mechanisms in a common framework with application programming interfaces. Our framework provides services for transparent negotiation and selection of payment instruments as well. This allows applications to be developed independent of specific payment systems with the additional benefit of providing a central point of control for payment information and policies.
N. Asokan, Birgit Baum-Waidner, Matthias Schunter, Michael Waidner: Optimistic Synchronous Multi-Party Contract Signing; IBM Research Report RZ 3089 (\#93135) 12/14/1998, IBM Research Division, Zürich, Dec. 1998. (Also as pdf.)
Abstract: A contract is a non-repudiable agreement on a given contract text, i.e., a contract can be used to prove agreement between its signatories to any verifier. A contract signing protocol is used to fairly compute a contract so that, even if (n-1) of the n signatories misbehave, either all or none of them obtain a contract.
Optimistic contract signing protocols use a third party to ensure fairness, but in such a way that the third party is not actively involved in case all parties are honest. Since no satisfactory protocols without any third party exist, this seems to be the best one can hope for.
We present an optimistic multi-party contract signing protocol for synchronous networks. The construction is significantly more efficient than the only known asynchronous multi-party contract signing protocol, and only 2-3 times more expensive than the trivial solution using an inline third party.
We show how to use multi-party contract signing to efficiently solve other atomicity problems securely, in particular optimistic certified mail and optimistic fair exchange of signatures. We also outline a generic construction for optimistic multi-party fair exchange.
N. Asokan, Victor Shoup, Michael Waidner: Optimistic Fair Exchange of Digital Signatures; Eurocrypt '98, LNCS 1403, Springer-Verlag, Berlin 1998, 591-606. Revision of: Research Report RZ 2973 (#93019), IBM Research, November 1997.
Abstract: We present a new protocol that allows two players to exchange digital signatures over the Internet in a fair way, so that either each player gets the other's signature, or neither player does. The obvious application is where the signatures represent items of value, for example, an electronic check or airline ticket. The protocol can also be adapted to exchange encrypted data. The protocol relies on a trusted third party, but is "optimistic," in that the third party is only needed in cases where one player attempts to cheat or simply crashes. A key feature of our protocol is that a player can always force a timely and fair termination, without the cooperation of the other player.
N. Asokan: Fairness in Electronic Commerce; Ph.D. Thesis, University of Waterloo, Ontario, Canada, May 1998.
Abstract:
Commerce over open networks like the Internet, sometimes
referred to as electronic commerce, is becoming more widespread. This makes
it important to study, and solve the security problems associated with electronic
commerce. There are three prominent characteristics of commerce which are
relevant in this respect. First, the crux of a commercial transaction is
usually one or more exchanges of items of value. Second, players in a commercial
transaction do not necessarily trust each other fully. Thus, protecting
players from each other is as important as protecting them from outside
attackers. Third, commercial transactions have legal significance. Therefore,
it must be possible to gather sufficient evidence during the transaction
to enable correctly behaving players to win any subsequent disputes.
This dissertation addresses the problem of fairness in electronic commerce.
A system that does not discriminate against a correctly behaving player
is said to be fair. Several protocols are proposed for performing exchanges
fairly. The protocols are practical, and provide a high degree of fairness.
The basic approach optimises for the common case that all players behave
correctly. This is known as the optimistic approach. These protocols attempt
to guarantee fairness during a protocol run. This is known as strong fairness.
When strong fairness is not possible, one can fall back on gathering enough
evidence so that fairness can be restored later by initiating a dispute.
This is known as weak fairness. An analysis of the protocols leads to the
conclusion that the exchange of generatable items can be guaranteed to be
strongly fair. Various techniques to add generatability to items, including
one technique which uses a cryptographic primitive called verifiable encryption,
are presented.
In the case of weak fairness, a subsequent dispute is necessary to restore
fairness. In general, disputes can occur even after a correctly concluded
transaction. Non-repudiation techniques are used to gather evidence that
can be later used in disputes. A novel non-repudiation technique called
server-supported signatures is proposed. The issue of handling disputes
in electronic commerce is complex and hitherto not well-understood. Some
aspects of the problem, within the limited context of electronic payment
systems, are addressed. First, a unified definition of electronic payment
systems, called the generic payment service is presented. Based on the generic
payment service, a uniform way to express payment dispute claims is proposed.
The need for a coherent framework for handling disputes in electronic payment
systems is motivated.
N. Asokan, Victor Shoup, Michael Waidner:
Abstract: The optimistic approach of involving a third party only in the case of exceptions is a useful technique to build secure, yet practical fair exchange protocols. Previous solutions using this approach implicitly assumed that players had reliable communication channels to the third party. In this paper, we present a set of optimistic fair exchange protocols which tolerate temporary failures in the communication channels to the third party. A central feature of the protocols is that either player can asynchronously and unilaterally bring a protocol run to completion.
Giuseppe Ateniese, Michael Steiner, Gene Tsudik: Authenticated Group Key Agreement and Related Protocols Fifth ACM Conference on Computer and Communication Security, pages 17--26, San Franscisco, November 1998. Revision of: Research Report RZ 3063 (#93109), IBM Research, October 1998.
Abstract: Many modern computing environments involve dynamic peer groups. Distributed simulation, multi-user games, conferencing and replicated servers are just a few examples. Given the openness of today's networks, communication among group members must be secure and, at the same time, efficient. This paper studies the problem of authenticated key agreement in dynamic peer groups with the emphasis on efficient and provably secure key authentication, key confirmation and integrity. It begins by considering 2-party authenticated key agreement and extends the results to Group Diffie-Hellman key agreement. In the process, some new security properties (unique to groups) are discussed.
N. Asokan, Els Van Herreweghen, Michael Steiner: Towards A Framework for Handling Disputes in Payment Systems; Third Usenix Workshop on Electronic Commerce, pages 187--202, Boston Mass., September 1998.
Abstract: The ability to support disputes is an important, but often neglected aspect of payment systems. In dealing with dispute support, the first step is to define how to express various dispute claims. In this report, we present a language for expressing dispute claims in a unified manner, independent of any specific payment system. We illustrate how to support claims made in this system-independent language with evidence tokens from an example payment system. We describe an architecture for handling disputes, and present a design for incorporating dispute handling support into SEMPER [Wai96]. Our approach may be generalised to other services where accountability is a requirement.
Abstract: Many countries have a compulsory health insurance system in place. Compulsory health insurers charge income related fees as opposed to private health insurers who charge risk related fees. Compulsory health insurance is based on solidarity among policy holders and can give them more privacy than any private health insurer can. As an example, we consider the German health insurance system, and we discuss how the charging and clearing of medical services can be implemented so as to support both the legitimate privacy interests of patients and physicians and the health insurer's interest to control the overall cost. We present a cryptographic solution that is based on digital patient assistants, i.e., personal palmtop computers, organizers or PDAs. Patients are thus able to manage their own health insurance certificates, referrals and prescriptions. Although still too expensive for large scale introduction, digital patient assistants have a number of significant advantages over any chip-card or paper based system: (i) significantly more efficient and reliable data communication between the various health care providers involved in treatment; (ii) real patient privacy through direct and offline communication between digital patient assistants and physicians' practices; (iii) a huge potential to develop telemedicine in a privacy oriented way. Finally we present one possible implementation in more detail. We also show how compulsory health insurers can use our solution to control their overall costs.
Abstract: We study interactive arguments, in particular their error probability under sequential iteration. This problem is more complex than for interactive proofs, where the error trivially decreases exponentially in the number of iterations.
In particular, we study the typical efficient case where the iterated protocol is based on a single instance of a computational problem. This is not a special case of independent iterations of an entire protocol, and real exponential decrease of the error cannot be expected. Nevertheless, for practical applications, one needs concrete relations between the complexity and error probability of the underlying problem and the iterated protocol. We formalize and solve this problem using the theory of proofs of knowledge. We also seem to present the first definition of arguments in a fully uniform model of complexity.
We also prove that in non-uniform complexity, the error probability of independent iterations of an argument does decrease exponentially -- to our knowledge this is the first result about a strictly exponentially small error probability in a computational cryptographic security property.
To illustrate our first result, we present a very efficient zero-knowledge argument for circuit satisfiability, and thus for any NP problem, based on any collision-intractable hash function.
Hannes Federrath, Andreas Pfitzmann: Die Rolle der Datenschutzbeauftragten bei der Aushandlung von mehrseitiger Sicherheit; H. Bäer (Hrsg.): Der neue Datenschutz - Datenschutz in der Informationsgesellschaft von morgen; Luchterhand, Berlin 1998, 166-172.
Abstract: Datenschutzbeauftragte können bei der Aushandlung von mehrseitiger Sicherheit ihre juristische und technische Kompetenz sowie ihre normativen Einflußmöglichkeiten nutzen: Sie besitzen neben ihren Kontrollaufgaben auch Beratungs- und Empfehlungsmöglichkeiten, können Musterentwürfe für mehrseitig sichere und datenschutzgerechtere Technik erarbeiten und auch verbraucherschützend auftreten. Darüber hinaus sollten sie die Aufgaben eines vertrauenswürdigen Dritten übernehmen, sofern die mehrseitig sicheren technischen Systeme solche Instanzen überhaupt noch erforderlich machen.
Hannes Federrath, Andreas Pfitzmann: "Neue" Anonymitätstechniken - Eine vergleichende Übersicht; Datenschutz und Datensicherheit DuD 22/11 (1998) 628-632.
Abstract:
Zunächst werden einige zum Verständnis der vorgestellten
Anonymitätstechniken wichtige Begriffe, wie Anonymität,
Unbeobachtbarkeit und Unverkettbarkeit definiert. Anschließend
werden die bekannten Standardtechniken systematisiert und kurz
vorgestellt. Am Beispiel der Mixe wird gezeigt, wie solche Techniken
funktionieren.
In Abschnitt 2 wird das Angreifermodell beschrieben, das der
Bewertung der anschließend vorgestellten Verfahren zugrunde
liegt. In Abschnitt 3 werden die Verfahren vorgestellt und
bezüglich ihrer erreichten Sicherheit verglichen.
Elke Franz, Andreas Pfitzmann: Einführung in die Steganographie und Ableitung eines neuen Stegoparadigmas; Informatik-Spektrum 21/4 (1998) 183-193;.
Abstract: Einführung in die Steganographie und Ableitung eines neuen Stegoparadigmas Introduction to Steganography and Derivation of a New Stego Paradigm Zusammenfassung: Steganographie hat das Ziel, geheimzuhaltende Daten so in unverfänglichen umfangreicheren H�lldaten einzubetten, daß dies von Au�enstehenden nicht einmal bemerkt werden kann. Auf der Suche nach Bewertungskriterien f�r digitale Bilder bzgl. Steganographie werden verschiedene Möglichkeiten aufgezeigt, zu entscheiden, ob in einem Bild Daten steganographisch eingebettet sind. Kriterien ergeben sich daraus, wie stark das gleiche Motiv darstellende Bilder voneinander abweichen k�nnen. Die Differenzen zwischen ihnen erzeugen "normalerweise" verschiedene informationsver�ndernde Prozesse. Als Beispiel f�r einen solchen Proze� wurde das Scannen ausgew�hlt. Die durch mehrmaliges Scannen desselben Bildes erzeugten Differenzen werden mit durch steganographische Operationen erzeugten Differenzen verglichen. Die Vergleiche zeigen, da� durch das Scannen betragsm��ig gr��ere Differenzen zwischen Bildern entstehen als durch Stegoprogramme. Unterschiede sind insbesondere in der Art der Differenzen zu erkennen. Aus diesen empirisch gewonnenen Ergebnissen wird ein neues Stegoparadigma abgeleitet. Abstract: Steganography aims at embedding data which should be kept confidential in innocuous cover data such that others cannot even detect this. To find criteria to assess digital images w.r.t. steganography, various possibilities are shown to decide whether a digital image includes steganographically embedded data. Criteria result from possible differences between images which show the same scene. The differences between them are normally caused by processes which change the information representation. Scanning has been chosen as an example for such a process. The differences between image files resulting from repeated scanning are compared with differences between image files caused by stegoprograms. The comparisons show that scanning causes greater differences than stegoprograms. However, the characteristic of the differences is not the same. A new stegoparadigm is derived from these empirically gained results.
Abstract: We introduce delegation schemes wherein a user may delegate certain rights to himself, but may not safely delegate these rights to others. In our motivating application, a user has a primary (long-term) key that receives some personalized access rights, yet the user may reasonably wish to delegate these rights to new secondary (short-term) keys he creates to use on his laptop when traveling, to avoid having to store his primary secret key on the vulnerable laptop. We propose several cryptographic schemes, both generic ones under general assumptions and more specific practical ones, that fulfill these somewhat conflicting requirements, without relying on special-purpose (e.g., tamper-proof) hardware.
Anja Jerichow, Jan Müller, Andreas Pfitzmann, Birgit Pfitzmann, Michael Waidner: Real-Time Mixes: A Bandwidth-Efficient Anonymity Protocol; IEEE Journal on Selected Areas in Communications, Special Issue "Copyright and privacy protection, 16/4 (1998) 495-509.
Abstract: We present techniques for efficient anonymous communication
with real-time constraints, as necessary for services like telephony where
a continuous data stream has to be transmitted.
For concreteness, we present the detailed protocols for the narrowband ISDN
(Integrated Services Digital Network), although the heart of our techniques
anonymous channels can also be applied to other networks. For ISDN, we achieve
the same data rate as without ano-nymity using the same subscriber lines
and without any significant modifications to the long-distance network.
A precise performance analysis is given.
Our techniques are based on mixes, a method for anonymous communication
for email-like services introduced by D. Chaum.
Birgit Pfitzmann: Sicherheit; Folienskript zur Vorlesung im Wintersemester 97/98, Universität des Saarlandes, Saarbrücken, Februar 1998.
Zweck: Sicherheit bedeutet, gewisse Ziele trotz gewisser Bedrohungen zu erreichen. Mit Bedrohungen meint man hier meist absichtlich von Menschen ausgehende; Sicherheit gegen unabsichtliche, typischerweise statistisch auftretende Fehler bezeichnet man als Fehlertoleranz. Sicherheit wird um so wichtiger, je mehr verschiedene, unabhängige Menschen über Rechner miteinander interagieren; gerade in den Bereichen Telekommunikation und sicherer Handel über Netze (Internet, WWW) herrscht derzeit ein regelrechter Sicherheitsboom.
Das Teilgebiet Kryptographie war lange Zeit nur die Lehre von Geheimschriften;
mittlerweile umfaßt es alle algorithmischen Aspekte von Sicherheit,
bei denen mehrere Parteien interagieren, die einander oder jedenfalls den
Leitungen zwischen sich nicht vertrauen. Die wichtigsten Einzelprobleme
sind mittlerweile digitale Unterschriften, andere die Algorithmen für
elektronisches Bezahlen oder sichere Wahlen über Netze.
Behandelter Stoff: Die Vorlesung versucht, einen Überblick
über Sicherheit zu geben und genügend Grundlagen zu vermitteln,
daß man hinterher selbst weiterführende Literatur lesen kann.
Sie wird je etwa zur Hälfte Kryptographie und sonstige Sicherheit behandeln.
Birgit Pfitzmann, Matthias Schunter, Michael Waidner: Optimal Efficiency of Optimistic Contract Signing; 17th Symposium on Principles of Distributed Computing (PODC), ACM, New York 1998, 113-122. (Also in pdf.)
Abstract: A contract is a non-repudiable agreement on a given
contract text, i.e., a contract can be used to prove agreement between its
signatories to any verifier. A contract signing scheme is used to fairly
compute a contract so that, even if one of the signatories misbehaves, either
both or none of the signatories obtain a contract.
Optimistic contract signing protocols use a third party to ensure fairness,
but in such a way that the third party is not actively involved in the fault-less
case. Since no satisfactory protocols without any third party exist, this
seems to be the best one can hope for.
We prove tight lower bounds on the message and round complexity of optimistic
contract signing on synchronous and asynchronous networks, and present new
and efficient protocols based on digital signatures which achieve provably
optimal efficiency.
Birgit Pfitzmann, Michael Waidner: Kopierschutz durch asymmetrisches Fingerprinting; Datenschutz und Datensicherheit DuD 22/5 (1998) 258-264.
Abstract: Fingerprinting (Datenkennzeichnung) dient dem Kopierschutz digitaler Daten: der Händler kennzeichnet jede verkaufte Kopie durch kleine Änderungen so, daß er später von einer gefundenen Raubkopie den ursprünglichen Käufer feststellen kann. Dies dient zur Abschreckung vor unerlaubtem Weiterverteilen. Dieser Artikel ordnet Fingerprinting unter anderen Kopierschutzverfahren ein. Danach konzentriert er sich auf asymmetrisches Fingerprinting: Im Gegensatz zu bisherigen Verfahren kann dabei der Händler nicht nur für sich feststellen, von welchem Käufer eine Raubkopie stammte, sondern dies auch Dritten gegenüber nachweisen.
Birgit Pfitzmann, Michael Waidner: Extensions to Multi-Party Computations; Slides, presented at The 1998 Weizmann Workshop on Cryptography, June 16-18th, Weizmann Institute of Science, Rehovot, Israel. (Also as pdf.)
Abstract: Multiparty computation (MPC) is typically defined as distributed function evaluation. Security means robustness and secrecy of the individual inputs, and is defined relative to an ideal implementation using a trusted host. We discuss several variants of MPC, motivated by practical applications, and sketch how definitions would look like:
Andreas Rieke, Ahmad-Reza Sadeghi, Werner Poguntke: On Primitivity Tests for Polynomials; 1998 IEEE International Symposium on Information Theory, Cambridge, MA, August 1998, 53.
Abstract: This paper deals with algorithms for testing polynomials over finite fields on primitivity. The algorithms are optimised for the case that the polynomials tested turn out to be primitive. As its main contribution, this paper suggests a careful selection among many known algorithms for exponentiation. The results provide a primitivity test whose implementation confirmed that it is significantly faster than other known algorithms.
Abstract: Cash-like payments in electronic commerce and at the traditional point of sale are ex-pected to be beneficial, e.g., because of privacy protection, low transaction costs, and irrevocability. Therefore, we discuss how to design electronic cash in a way that it both mirrors the most important characteristics of traditional cash, but also fulfils the expec-tations which arise towards electronic means of payment. We analyse the problems and trade-offs between the different characteristics to be implemented. This analysis is based on a user survey and a review of existing technologies for electronic payment systems. Finally we argue why existing systems do not fulfil the critical requirements, and point out future work towards electronic cash which will meet more requirements.
Matthias Schunter, Michael Waidner, Dale Whinnett: A Status Report on the SEMPER Framework for Secure Electronic Commerce; Computer Networks and ISDN Systems 30/ (1998) 1501-1510, 1998 TERENA Networking Conference, Dresden, Germany, October 5-8, 1998.
Abstract: The goal of the ACTS Project SEMPER (Secure Electronic Marketplace for Europe) is to provide the first open and comprehensive solution for secure commerce over the Internet and other public information networks. The basic framework described in an earlier article has now been implemented in the Java programming language. It includes the payment systems SET, Chipper, and ecash. The prototype uses a distinguished user-interface for trustworthy user in- and output which enables to use SEMPER on secure hardware. This article describes recent refinements to the SEMPER Framework as well as experiences gained in the field trials of the SEMPER software.
Michael Steiner, Gene Tsudik, Michael Waidner: CLIQUES: A New Approach to Group Key Agreement; 18th International Conference on Distributed Computing Systems (ICDCS), IEEE Computer Society, 1998, 380-387.
Abstract: This paper considers the problem of key agreement in a group setting with highly-dynamic group member population. A protocol suite, called CLIQUES, is developed by extending the well-known Diffie-Hellman key agreement method to support dynamic group operations. Constituent protocols are provably secure and efficient.
J. Zöllner, H. Federrath, H. Klimant, A. Pfitzmann, R. Piotraschke, A. Westfeld, G. Wicke, G. Wolf: Modeling the security of steganographic systems; 2nd Workshop on Information Hiding, LNCS 1525, Springer-Verlag, Berlin 1998, 345-355.
Abstract: We present a model of steganographic systems which allows to evaluate their security. We especially want to establish an analogy to the known-plaintext-attack which is commonly used to rate cryptographic systems. This model's main statement is that the embedding operation of a steganographic system should work indeterministic from the attacker's point of view. This is proved by means of information theory.
Back to SIRENE's Home or Pointers to the Outside World.