Anguilla, British West Indies
February 21-24, 2000
By Jonathan Byron
The Fourth International Conference on Financial Cryptography was held in Anguilla from February 21 to February 24 under the sponsorship of the International Financial Cryptography Association. Attendance was up over previous years, with approximately 140 participants.
The Anguillan people were quite friendly and accommodating. Breakfast and lunch were served at the InterIsland Hotel; the food was plentiful and good. Courtesy transportation between the conference site and nearby hotels ran frequently. Internet links at the conference were improved compared to previous years; a wireless network system was available and the public terminals saw heavy use. Although most of Anguilla runs on ‘island time,’ which is only peripherally connected to the clock, the conference ran very close to schedule. With the exception of one day of extremely heavy rains and localized flooding, the weather was pleasant throughout. Participants spent so much time in the conference and in informal discussions that sunburn was scarcely evident.
Evening events included an initial reception sponsored by Xcert at the Sonesta Hotel, a poolside party at the Sonesta on Monday evening sponsored by Hansa Bank and nCipher, the rump session on Tuesday evening sponsored by e-gold, a Wednesday party at the Dunes featuring island food and the music of Banky Banks (sponsored by InterTrust and Telcordia), and the Villa Party part 2 sponsored by Zeroknowledge.
The Chandeliers Conference Room of the InterIsland Hotel was filled to capacity throughout the conference. Organizers of FC indicated that next year’s conference would probably be held somewhere outside of Anguilla, as the conference had grown beyond the facilities available on the island. Proposals were tendered to hold the conference in the Cayman Islands, Ireland, and South Africa. These proposals were discussed by the general membership but the final decision was deferred to the next IFCA board meeting. It was noted that the plan adopted prior to the first Financial Cryptography was to alternate between Anguilla and other locations. Conference facilities are under construction in Anguilla that will be capable of accommodating foreseeable growth in the meeting; these should be available for the 2002 meeting.
The tradition of starting the meeting with a speech from the Anguillan Minister of Finance was broken this year. Anguilla recently experienced a governmental impasse, and several key people (including the finance minister) had resigned. New elections were scheduled for a few days after the FC Conference, and campaigning for the elections was in evidence across the island.
The first invited speaker was Pam Samuelson (Berkeley, USA), who suggested ways of moving “Towards a More Sensible Way of Regulating the Circumvention of Technical Protection Systems.” Pam contrasted the perspective of the cryptography community with the view of the media, particularly Hollywood. She noted that decryption tools are commonly portrayed as ‘burglar tools’ and that framing the debate in terms of ‘breaking and entering’ favored those seeking to ban reverse engineering and cryptanalysis. She discussed the Clinton administration’s policies on circumventing technical protection systems and the influence that Hollywood has had on these policies. The clash between Hollywood and the telecommunications industry was analyzed, and the fight to balance the interests of the internet service providers used up much of the political capital available for intellectual property rights. The World Intellectual Property Organization (WIPO) and its role in global lawmaking were examined. Samuelson challenged the common response in the crypto community of opposing all regulation or hoping that bad laws will be repealed. Such an outcome is unlikely; a more rational response is to amend existing laws so they are more tolerable to the crypto community.
The second invited speaker was Kevin McCurley (IBM, USA), whose session was titled “In Search of the Killer App.” After addressing the characteristics of a killer application, he admitted that he didn’t know what the next essential uninvented technology might be. Instead, he presented several strategies for saving an existing killer app, email. Given the low cost of sending unsolicited email and the large sums of money spent on direct marketing, McCurley predicted that the average individual will soon be receiving thousands of unwanted emails each day. Such a large volume of spam would kill email. Legislative solutions to spam were considered, but judged limited given the financial incentives to spam, the international nature of the internet, and the slow response of legislatures to a fast-paced technology. An alternative method of saving email might involve software that would allow delivery of email only if the email was accompanied by a bond or escrowed digital currency. This bond would be redeemed only if the receiver felt the email was unsolicited or a waste of time. Such a system would provide a strong financial incentive not to send undesired email. This type of filtering software could include a permission file to allow email from known parties without the need for bonds.
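The bonded-delivery filter described above, modeled as an added example (not code from the talk or from this report). The shared ledger, the account names, and the 25-cent minimum bond are assumptions; a bond judged unwanted goes to the receiver, and any other bond returns to the sender.

```python
from dataclasses import dataclass, field

@dataclass
class BondedInbox:
    """Receiver-side filter: deliver mail only if allowlisted or bonded."""
    owner: str
    min_bond: int                                  # assumed unit: cents
    balances: dict                                 # hypothetical shared escrow ledger
    allowlist: set = field(default_factory=set)    # the "permission file"
    escrow: dict = field(default_factory=dict)     # msg_id -> (sender, amount)
    inbox: list = field(default_factory=list)

    def receive(self, msg_id, sender, bond=0):
        if sender in self.allowlist:               # known party: no bond needed
            self.inbox.append(msg_id)
            return "delivered (allowlisted)"
        if bond < self.min_bond or self.balances.get(sender, 0) < bond:
            return "rejected (no valid bond)"
        self.balances[sender] -= bond              # funds leave the sender now
        self.escrow[msg_id] = (sender, bond)
        self.inbox.append(msg_id)
        return "delivered (bonded)"

    def judge(self, msg_id, unwanted):
        """Receiver's verdict: claim the bond if unwanted, else refund it."""
        sender, amount = self.escrow.pop(msg_id)
        payee = self.owner if unwanted else sender
        self.balances[payee] = self.balances.get(payee, 0) + amount
        return payee

def demo():
    # Constructed accounts and messages, for illustration only.
    balances = {"alice": 0, "colleague": 0, "stranger": 100, "bulk-mailer": 500}
    box = BondedInbox("alice", 25, balances, allowlist={"colleague"})
    results = [
        box.receive("m1", "colleague"),            # on the permission file
        box.receive("m2", "stranger", bond=25),    # unknown but bonded
        box.receive("m3", "bulk-mailer"),          # unknown, no bond
    ]
    for i in range(10):                            # ten bonded bulk messages
        box.receive(f"s{i}", "bulk-mailer", bond=25)
    box.judge("m2", unwanted=False)                # bond returned to stranger
    for i in range(10):
        box.judge(f"s{i}", unwanted=True)          # bonds forfeited to alice
    return results, balances

if __name__ == "__main__":
    print(demo())
```

The wanted stranger ends with an unchanged balance, while the bulk sender's cost grows linearly with the number of unwanted messages.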
Papers and mini-abstracts:
Efficient Trace and Revoke Schemes. Methods were presented for discouraging users from leaking cryptographic keys, tracing keys that have been leaked, and disabling keys that have been leaked. This scheme is based on secret sharing where revoked keys are broadcast and used as a secret share by valid users to obtain new keys. Moni Naor and Benny Pinkas (Weizmann Institute of Science, Israel)
Signing on a Postcard. Efficient signing of short messages is discussed in relation to postal collection systems. Using a modified elliptic curve method, the authors propose a 26 byte signature with security comparable to a 40 byte DSA or 128 byte RSA signature. David Naccache (Gemplus Card International) and Jacques Stern (Ecole Normale Superieure)
Efficient Watermark Detection and Collusion Security. The notion of efficiency is approached using the question “What resources does the watermark detector need to perform a trace?” A modified version of the CKLS watermarking algorithm was presented that significantly reduces tracing time. A relationship between the number of colluding adversaries and the amount of secret information required was established. Francis Zane (Lucent Technologies)
Sharing Decryption in the Context of Voting or Lotteries. In many cryptosystems, knowledge of a single key can convey extreme power. A variety of systems have been developed to minimize the power of any one key by requiring that shared keys be used cooperatively. This paper proposed a distributed implementation of the Paillier cryptosystem presented at Eurocrypt ’99. Its application to elections and lottery pools was discussed. Pierre-Alain Fouque, Guillaume Poupard and Jacques Stern (Ecole Normale Superieure, France)
Self-Escrowed Cash Against User Blackmailing. Blackmailing is an activity that might be enabled by digital cash systems, as the blackmailer can avoid physical contact for the payoff and the digital currency lacks serial numbers or other traceable features. Some systems propose to limit blackmailing by establishing trusted parties with the ability to revoke anonymity, but such systems present problems of their own. The scheme presented involves a passive trustee system in which the blackmailing party would reveal the required information to trace extorted coins without revealing any secrets. Birgit Pfitzmann and Ahmad-Reza Sadeghi (University of Saarland, Germany)
Blind, Auditable Membership Proofs. Auditability is essential to establishing trust in many systems, including financial ones. A ‘blind auditable membership proof’ (BAMP) primitive was defined that allows for both anonymity and public auditability of the system. A method for efficiently implementing a BAMP that is resistant to blackmailing and bank robbery attacks was presented. Tomas Sander (InterTrust, USA), Amnon Ta-Shma (International Computer Science Institute, USA) and Moti Yung (CertCo, USA)
Private Selective Payment Protocols. Auctions, lotteries, and prize competitions are all transactions involving private selective payments. A protocol was presented that is based on two novel methods of oblivious transfer: ‘symmetrically-private conditional oblivious transfer’ and ‘selective oblivious transfer.’ Giovanni Di Crescenzo (Telcordia Technologies, USA)
Postal Revenue in the Digital Age. This paper provided an overview of the conceptual foundations of existing digital postmark systems. The authors presented what they believe is an optimal solution for public-key postage evidencing using an elliptic curve system; compared to RSA, this method may provide a higher degree of security using smaller keys. Leon A. Pintsov (Pitney Bowes, USA) and Scott A. Vanstone (University of Waterloo & Certicom, Canada)
Non-Repudiation in SET: Open Issues. The SET protocol was developed to provide secure transactions between customers, merchants and banks. SET digital signatures do not provide enough evidence to prove certain transaction features, and are especially limited with respect to non-repudiation. SET is compared to the iKP protocol, which is better able to deal with issues of repudiation by providing explicit rules for deriving authorization. Els Van Herreweghen (IBM Zurich, Switzerland)
Statistics and Secret Leakage. Electrical current flows from circuits can function as an unlocked backdoor of crypto systems, allowing secrets to leak out to an attacker. This paper rigorously defines leakage immunity and provides several leakage tests. Failure of the tests confirms secret leakage, but successfully passing the tests does not guarantee that secrets are not being leaked. Jean-Sébastien Coron (Ecole Normale Superieure, France), Paul Kocher (Cryptography Research, USA) and David Naccache (Gemplus Card International, France)
Analysis of Abuse-Free Contract Signing. Optimistic contract signing protocols involve complexity that may lead to ambiguity and abuse. Using a finite-state verification tool, the Garay, Jakobsson and MacKenzie Protocol was analyzed. An attack involving misconduct by the trusted third party was presented. A modification to the protocol was proposed to protect against this attack. The value of finite-state analysis to determine fairness guarantees, abuse, and corruption was discussed. Vitaly Shmatikov and John C. Mitchell (Stanford University, USA)
Asymmetric Currency Rounding. The rules for implementing the Euro currency prohibit charging fees for conversion and specify the rules for rounding conversions. Combined with computerized currency trading, this creates a potential for abuse where a very large number of conversions are made, each resulting in a small benefit from the rounding rules. This weakness can be eliminated through an asymmetric system which eliminates prior knowledge of how any individual transaction will be rounded. David M’Raihi, David Naccache and Michael Tunstall (Gemplus Card International, France)
The Encryption Debate in Plaintext: National Security and Encryption in Israel and the United States. Recent liberalization of US encryption export policy is compared to policy in Israel. Although Israel is extremely security-conscious, its policies have long been less restrictive than those of the US. Strict regulations may impose an economic cost greater than the security benefit, and internationalization may further accelerate deregulation. Barak Jolish (Hancock, Rothert and Bunshoft, USA)
Critical Comments on the European Directive on a Common Framework for Electronic Signatures and Certification Service Providers. Electronic signatures and certificates are essential for e-commerce. The European Directive is an attempt to standardize the legal systems of EC countries with respect to signatures and certificates. The existing framework is seriously limited with respect to key issues such as certificate lifespan and revocation, and liability. Apollonia Martinez-Nadal and J.L. Ferrer-Gomila (University of Balearic Islands, Spain)
A Response to “Can We Eliminate Certificate Revocation Lists?” The use of certificate revocation lists (CRLs) to convey the state of certificates is an important issue in PKI management. This paper responds to Rivest’s proposal that CRLs are impractical. An analysis of various scenarios indicates that CRLs are sometimes the most practical verification method. ‘Revocation on Demand’ was presented as an efficient CRL-based method. Patrick McDaniel (University of Michigan, USA) and Avi Rubin (AT&T Labs, USA)
Self Scrambling Anonymizers. The authors provide a new tool and a new business based on the provision of scalable anonymity. Such ‘anonymity providers’ would certify re-encrypted data regarding the authenticity of the data without knowing the content. The system is scalable as the user specifies the degree of anonymity desired, and is charged accordingly. David Pointcheval (Ecole Normale Superieure, France)
Authentic Attributes with Fine-Grained Anonymity Protection. This paper proposes a pseudonym registration scheme that permits Globally Unique Pseudonyms (GUPs). Such a system enables authentication of user attributes while preserving anonymity and is resistant to pseudonym profiling. The system allows for partial or complete revocation of multi-group certificates held by an individual. Stuart G. Stubblebine (CertCo, USA) and Paul F. Syverson (Naval Research Labs, USA)
Resource Efficient Anonymous Group Identification. The Homage system was presented as a way to anonymously verify that a person is a member of a group; not even the group that issues membership can determine the identity of the person. The computational intensity is not a function of the number of members. The method is based on the assumption that the Diffie-Hellman decision problem is hard. Although the impossibility of forgery is not proved, it is suggested. Ben Handley (New Zealand)
Secret Key Authentication with Software-Only Verification. Two authentication protocols use a symmetric cipher applied asymmetrically; the result is a software-based system that does not require storage of any secret information. The protocols are particularly suited to smart card applications. Jaap-Henk Hoepman (University of Twente, Netherlands)
Financial Cryptography in 7 Layers. A model was presented to conceptualize the discipline of financial cryptography. The proposed layers include 1) Cryptography, 2) Software Engineering, 3) Rights, 4) Accounting, 5) Governance, 6) Value, and 7) Finance. The model allows for the delineation of areas of expertise and a common vocabulary for coordinating projects. The model has a number of limitations, and is not a design methodology. Ian Grigg (Systemics)
Capability-Based Financial Instruments. The idea of ‘cryptographic capabilities’ is introduced as a method for standardizing design of e-commerce systems. Cryptographic capabilities are compared to the object-oriented approach that allows high-level modular design. Mark S. Miller (Erights.org), Bill Franz and Chip Morningstar (Communities.com, USA)
Panel Discussion I: Payment Systems: The Next Generation. Focus on business issues relating to second generation electronic payment systems. Identification of markets, assessing technology, forecasting future trends.
Moderated by Moti Yung (CertCo, USA)
Shannon Byrne (Paradata, Canada)
Greg Napiorkowski (Mondex, International)
Max Levchin (Confinity, USA)
David Farago (Ecash, USA)
Charles Evans (e-gold, USA)
Panel Discussion II: Public Key Infrastructure: PKIX, Signed XML, or Something Else?
The 1999 IETF proposed standard for public key infrastructure has been criticized on a number of levels. The proposed standards are somewhat ambiguous and do not prohibit application-specific features. PKIX software from different sources interoperates on a basic level, but many functions are not fully interoperable. The 1999 document places an emphasis on certificates and has little to say on public/private key pairs. Extensible Markup Language (XML) offers an alternative for building a PKI that is flexible and more interoperable.
Moderated by Barb Fox and Brian LaMacchia (Microsoft)
Carl Ellison (Intel Architecture Labs)
Caelen King (Baltimore Technologies)
Patrick Richard (Xcert)
Ron Rivest (MIT LCS)
Vince Cate’s term as an IFCA Director expired and he declined to run for re-election. In the election to fill that spot, Barb Fox was elected.
Vince Cate gave a presentation immediately after the conference on several strategies for improving Anguilla’s internet connectivity. Various satellite, line of sight, and cable alternatives are under consideration. A number of Anguillan residents involved in FC planned on approaching the new government with a plan to increase bandwidth and stimulate business following the March elections.
Corporate Sponsors of FC 2000 include: e-gold, InterTrust Star Lab, Hushmail, Telcordia Technologies, Zeroknowledge, nCipher, Xcert, Hansa.net Global Commerce, Offshore Information Services, and CertCo.