TL;DR: A new tool for controlling the knowledge transfer process in cryptographic protocol design is introduced and it is applied to solve a general class of problems which include most of the two-party cryptographic problems in the literature.
Abstract: In this paper we introduce a new tool for controlling the knowledge transfer process in cryptographic protocol design. It is applied to solve a general class of problems which include most of the two-party cryptographic problems in the literature. Specifically, we show how two parties A and B can interactively generate a random integer N = p·q such that its secret, i.e., the prime factors (p, q), is hidden from either party individually but is recoverable jointly if desired. This can be utilized to give a protocol for two parties with private values i and j to compute any polynomially computable functions f(i,j) and g(i,j) with minimal knowledge transfer and a strong fairness property. As a special case, A and B can exchange a pair of secrets sA, sB, e.g. the factorization of an integer and a Hamiltonian circuit in a graph, in such a way that sA becomes computable by B when and only when sB becomes computable by A. All these results are proved assuming only that the problem of factoring large integers is computationally intractable.
TL;DR: Zero-knowledge proofs, introduced by Goldwasser, Micali and Rackoff and previously known only for a few number-theoretic languages in NP ∩ co-NP, are shown to be general and applicable to a wide class of languages.
Abstract: In this paper we demonstrate the generality and wide applicability of zero-knowledge proofs, a notion introduced by Goldwasser, Micali and Rackoff. These are probabilistic and interactive proofs that, for the members x of a language L, efficiently demonstrate membership in the language without conveying any additional knowledge. So far, zero-knowledge proofs were known only for some number theoretic languages in NP ∩ Co-NP.
TL;DR: Proceedings volume whose contributions range from attacks on RSA-based and discrete-logarithm schemes (including a chosen-text attack on the RSA cryptosystem) to DES cryptanalysis, elliptic-curve methods, pseudo-random permutations and the cryptographic aspects of womcodes.
Abstract (table of contents):
Signatures and authentication
- Breaking the Ong-Schnorr-Shamir Signature Scheme for Quadratic Number Fields
- Another Birthday Attack
- Attacks on Some RSA Signatures
- An Attack on a Signature Scheme Proposed by Okamoto and Shiraishi
- A Secure Subliminal Channel (?)
- Unconditionally Secure Authentication Schemes and Practical and Theoretical Consequences
Protocols
- On the Security of Ping-Pong Protocols when Implemented using the RSA (Extended Abstract)
- A Secure Poker Protocol that Minimizes the Effect of Player Coalitions
- A Framework for the Study of Cryptographic Protocols
- Cheating at Mental Poker
- Security for the DoD Transmission Control Protocol
- Symmetric Public-Key Encryption
Copy Protection
- Software Protection: Myth or Reality?
- Public Protection of Software
- Fingerprinting Long Forgiving Messages
Single Key Cryptology
- Cryptanalysis of DES with a Reduced Number of Rounds
- Is DES a Pure Cipher? (Results of More Cycling Experiments on DES) (Preliminary Abstract)
- A Layered Approach to the Design of Private Key Cryptosystems
- Lifetimes of Keys in Cryptographic Key Management Systems
- Correlation Immunity and the Summation Generator
- Design of Combiners to Prevent Divide and Conquer Attacks
- On the Security of DES
- Information Theory without the Finiteness Assumption, II. Unfolding the DES
Two Key Cryptology
- Analysis of a Public Key Approach Based on Polynomial Substitution
- Developing an RSA Chip
- An M3 Public-Key Encryption Scheme
- Trapdoor Rings And Their Use In Cryptography
- On Computing Logarithms Over Finite Fields
- On Using RSA with Low Exponent in a Public Key Network
- Lenstra's Factorisation Method Based on Elliptic Curves
- Use of Elliptic Curves in Cryptography
Randomness and Other Problems
- Cryptography with Cellular Automata
- Efficient Parallel Pseudo-Random Number Generation
- How to Construct Pseudo-random Permutations from Pseudo-random Functions
- The Bit Security of Modular Squaring given Partial Factorization of the Modulos
- Some Cryptographic Aspects of Womcodes
- How to Reduce your Enemy's Information (extended abstract)
- Encrypting Problem Instances
- Divergence Bounds on Key Equivocation and Error Probability in Cryptanalysis
Impromptu Talks
- A chosen text attack on the RSA cryptosystem and some discrete logarithm schemes
- On the Design of S-Boxes
- The Real Reason for Rivest's Phenomenon
- The Importance of "Good" Key Scheduling Schemes (How to Make a Secure DES* Scheme with ≤ 48 Bit Keys?)
- Access Control at the Netherlands Postal and Telecommunications Services
TL;DR: A perfect zero-knowledge interactive proof is a protocol by which Alice can convince Bob of the truth of some theorem in a way that yields no information as to how the proof might proceed (in the sense of Shannon's information theory).
Abstract: A perfect zero-knowledge interactive proof is a protocol by which Alice can convince Bob of the truth of some theorem in a way that yields no information as to how the proof might proceed (in the sense of Shannon's information theory). We give a general technique for achieving this goal for any problem in NP (and beyond). The fact that our protocol is perfect zero-knowledge does not depend on unproved cryptographic assumptions. Furthermore, our protocol is powerful enough to allow Alice to convince Bob of theorems for which she does not even have a proof. Whenever Alice can convince herself probabilistically of a theorem, perhaps thanks to her knowledge of some trap-door information, she can convince Bob as well without compromising the trap-door in any way. This results in a non-transitive transfer of confidence from Alice to Bob, because Bob will not be able to subsequently convince someone else that the theorem is true. Our protocol is dual to those of [GMW1, BC].
TL;DR: A fully secure two-player mental poker game is impossible from an information-theoretic point of view, but solutions might exist when the players' computational power is limited; no complete solution to the multi-player version of the problem is yet known, and all proposals make special assumptions.
Abstract: Since Shamir, Rivest and Adleman first stated a solution to the mental poker problem [SRA], many protocols trying to implement a fully secure game have been proposed. Although SRA proved in the two player case that such a solution is not possible from an information theoretic point of view, such solutions might be possible when the players' computational power is limited. The leakage of partial information, found by Lipton [Li], in the initial SRA protocol was fixed by Goldwasser & Micali [GM1], in the two player case, using probabilistic encryption. Unfortunately this scheme did not extend to a larger number of players. No complete solution to the multi-player version of the problem is yet known. All proposals make special assumptions, like the players' inability to establish secret communications [Yu] and [BF] or the existence of a trusted third party [FM].
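The SRA scheme and Lipton's partial-information leak that this abstract refers to, as an added example (not code from any of the cited papers): a toy two-player SRA deal over Z_p^* using commutative exponentiation, a function showing what Bob can read off Alice's encrypted cards with no key at all (the quadratic residuosity of each card, because the Legendre symbol survives raising to an odd exponent, and every valid SRA exponent is odd), and a residue-only card encoding as a mitigation. The prime P = 10007, the card encoding 2..53, the hand size and the RNG seeds are constructed for the example; the mitigation is a standard one and is not the probabilistic-encryption fix of [GM1].

```python
# Added example: toy SRA mental-poker deal and the residuosity leak Lipton found in it.
# Not code from the cited papers; P, the deck encoding and hand size are constructed.
import random
from math import gcd

# A safe prime p = 2q + 1 (q = 5003). Far too small for real use; fine for the demo.
P = 10007


def sra_keypair(p, rng):
    """SRA key: exponent e with gcd(e, p-1) == 1 and d = e^-1 mod (p-1), so that
    pow(pow(x, e, p), d, p) == x for every x in Z_p^*. Because p-1 is even, any
    valid e is odd; that parity is the root of the leak shown below."""
    while True:
        e = rng.randrange(3, p - 1)
        if gcd(e, p - 1) == 1:
            return e, pow(e, -1, p - 1)


def encrypt(x, e, p):
    return pow(x, e, p)


def is_residue(x, p):
    """Euler's criterion: x is a quadratic residue mod p iff x^((p-1)/2) == 1."""
    return pow(x, (p - 1) // 2, p) == 1


def deal(deck, p, rng, hand_size=5):
    """Two-player SRA deal. Alice encrypts and shuffles the deck, Bob picks both
    hands, and commutativity lets the two key layers be removed in any order.
    Returns Alice's hand, Bob's hand, and the ciphertexts Bob saw of Alice's cards."""
    ea, da = sra_keypair(p, rng)
    eb, db = sra_keypair(p, rng)
    masked = [encrypt(c, ea, p) for c in deck]           # Alice's layer
    rng.shuffle(masked)
    for_alice = masked[:hand_size]                       # Bob hands these back untouched
    for_bob = masked[hand_size:2 * hand_size]
    alice_hand = [pow(c, da, p) for c in for_alice]      # Alice strips her layer
    double = [encrypt(c, eb, p) for c in for_bob]        # Bob adds his layer
    bob_only = [pow(c, da, p) for c in double]           # Alice strips hers (commutes)
    bob_hand = [pow(c, db, p) for c in bob_only]         # Bob strips his
    return alice_hand, bob_hand, for_alice


def residuosity_leak(ciphertexts, p):
    """What Bob learns about each of Alice's cards from its ciphertext alone:
    is_residue(x^e) == is_residue(x) whenever e is odd, so one bit per card leaks."""
    return [is_residue(c, p) for c in ciphertexts]


def residue_deck(n, p):
    """Mitigation (not from the paper): encode every card as a quadratic residue so
    the leaked bit is identical for all cards. With p a safe prime the residue
    subgroup has prime order q, so no further power-residue character separates
    its elements. The squares 2^2 .. (n+1)^2 are distinct as long as (n+1)^2 < p."""
    return [pow(i, 2, p) for i in range(2, n + 2)]


if __name__ == "__main__":
    rng = random.Random(7)
    deck = list(range(2, 54))                            # 52 cards, constructed encoding
    alice, bob, seen = deal(deck, P, rng)
    print("Alice:", alice, "Bob:", bob)
    print("Bob's view of Alice's cards:", residuosity_leak(seen, P))
    print("Truth:", [is_residue(c, P) for c in alice])
    print("Residue-only deck leaks:", set(residuosity_leak(residue_deck(52, P), P)))
```

Running it prints that Bob's residuosity bits for Alice's ciphertexts equal those of her plaintext cards, which is exactly the information a commutative, deterministic cipher cannot hide; with the residue-only deck the bit is True for every card and carries nothing.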
TL;DR: This article proposes a standard data format protocol for public-key cryptography, arguing that industry standards are likely to be a necessary condition for wide acceptance of public-key cryptosystems.
Abstract: Can public-key cryptography succeed without industry-wide standards? Some feel it's time to get started on them. Public-key cryptography has not yet been widely accepted for commercial applications. There are some commercially available public-key encryption products in the personal computer industry that have not sold particularly well. One reason for this is that public-key cryptography is not well known, so its value is not yet appreciated by the industry. This situation may improve with time. Another possible reason is that the most popular public-key encryption algorithm, the Rivest-Shamir-Adleman (RSA) algorithm, is relatively slow compared to single-key algorithms such as the NBS Data Encryption Standard, or DES. However, one may use RSA to "bootstrap" into the DES. Also, the speed of RSA may improve soon when VLSI hardware implementations of the RSA algorithm become available. Another reason for the lack of commercial acceptance of public-key cryptography is that different vendors' products cannot readily exchange messages, signatures, and keys, since no industry standard protocols have been defined for their data formats. The DES algorithm is widely used in the industry today because a standard exists. While industry standards may not be a sufficient condition for wide acceptance of public-key cryptosystems, I contend that they are likely to be a necessary condition. For this reason this article proposes a standard data format protocol for public-key cryptography. What is public-key cryptography? In conventional cryptosystems such as the DES, a single key is used for both encryption and decryption. This means that keys must be initially transmitted via secure channels so that both parties can know them before encrypted messages can be sent over insecure channels. This may be inconvenient. In public-key cryptosystems, there are two complementary keys: a publicly revealed encryption key, and a secret decryption key.
Each key is the functional inverse of the other key, such that using one of the keys on a message produces ciphertext that can be converted back to plaintext by the other key. Further, knowing the public key does not help you deduce the corresponding secret key. This produces two useful consequences. First, secret channels such as couriers are not required to transmit keys, because the intended recipient (in this discussion, a woman) of a message has already publicly revealed her encryption key. The encryption key can even be published in a public key directory. Anyone wishing to send the recipient a message can use that …
TL;DR: A distributed coin-flipping protocol that runs in a constant number of rounds against an extremely powerful adversary and tolerates up to n/log n malicious processors is presented; it yields an (n/log n)-resilient Byzantine agreement protocol with constant expected running time and, combined with a technique of Bracha, a Byzantine agreement protocol tolerant of almost n/3 failures with O(log log n) expected running time.
Abstract: We present a distributed protocol for achieving a distributed coin in the presence of an extremely powerful adversary in constant time. The protocol can tolerate up to n/log n malicious processor failures where n is the number of processors in the system. The protocol needs only a fixed constant number of rounds of message exchange; no preprocessing is required. As a corollary we obtain an (n/log n)-resilient probabilistic protocol for Byzantine agreement running in constant expected time. Combining this with a generalization of a technique of Bracha, we obtain a probabilistic Byzantine agreement protocol tolerant of almost n/3 failures with O(log log n) expected running time.
TL;DR: "Knowledge complexity", a measure of the amount of knowledge that can feasibly be extracted from a communication, is discussed informally; it answers two questions: how much knowledge must be communicated to prove a theorem, and how to prove the correctness of cryptographic protocols.
Abstract: We informally discuss "knowledge complexity": a measure for the amount of knowledge that can be feasibly extracted from a communication. Our measure provides an answer to the following two questions:
1) How much knowledge should be communicated for proving a theorem?
2) How to prove correctness of cryptographic protocols?
TL;DR: The role of cryptography within a particular "world view" is discussed, with emphasis on the role of cryptography in the German military failures of WW2, the lessons to be derived, and possible new directions for research.
Abstract: This paper will discuss the role of cryptography within a particular "world view", with the aim of investigating the history and foundations of the subject. Particular emphasis will be placed on the role of cryptography in the German military failures of WW2, lessons to be derived, and possible new directions for research (including extending the theory of cryptographic protocols to what I call "Abstract Protocol Theory"). I hope that some of the readers will become interested in doing further research in the areas discussed.
TL;DR: A comparative overview of two well-defined key management schemes based on the Data Encryption Standard, the IBM Cryptographic System and the Key Notarization System, is presented, with emphasis on the interaction between the host operating system and the host cryptographic operations suggested in the two systems.
TL;DR: The controversy over the security of DES arose in the mid-1970s when Martin Hellman and Whitfield Diffie suggested that the 56-bit cipher key was too short to prevent solution by exhaustive search.
TL;DR: Assuming that encryption functions exist, all languages in NP possess zero-knowledge proofs: one can demonstrate that a CNF formula is satisfiable without revealing a satisfying assignment or any weaker property of the formula.
Abstract: Under the assumption that encryption functions exist, we show that all languages in NP possess zero-knowledge proofs. That is, it is possible to demonstrate that a CNF formula is satisfiable without revealing any other property of the formula. In particular, without yielding either a satisfying assignment or weaker properties such as whether there is a satisfying assignment in which x1 = TRUE, or whether there is a satisfying assignment in which x1 = x3, etc.
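The construction behind this abstract, as an added example (not code from the paper): the reduction from CNF satisfiability to graph 3-colourability, the NP-complete problem GMW prove in zero knowledge, is assumed rather than shown, and the commit-and-open protocol for 3-colourability is implemented round by round, together with a cheating prover, the soundness bound, and an honest-verifier simulator that produces the verifier's entire view with no colouring at all (the non-transitive transfer of confidence described in the Brassard-Chaum-Crépeau abstract above, although a hash commitment only gives computational, not perfect, zero knowledge). A SHA-256 commitment over a random nonce stands in for the encryption functions the paper assumes; the graph, colouring, seeds and round count are constructed.

```python
# Added example (not code from the paper): commit-and-open zero-knowledge proof of
# graph 3-colourability. A SHA-256 commitment stands in for the paper's encryption
# function; the graph, colouring, seeds and round count below are constructed.
import hashlib
import random

COLOURS = (0, 1, 2)


def commit(colour, rng):
    """Commit to one colour: SHA-256 over a 128-bit nonce and the colour byte.
    Hiding rests on the nonce, binding on collision resistance (both computational)."""
    nonce = rng.getrandbits(128).to_bytes(16, "big")
    return hashlib.sha256(nonce + bytes([colour])).digest(), nonce


def open_ok(commitment, colour, nonce):
    """Accept an opening only for a legal colour whose hash matches the commitment."""
    return colour in COLOURS and hashlib.sha256(nonce + bytes([colour])).digest() == commitment


def prover_commit(colouring, rng):
    """Step 1: relabel the colours by a fresh random permutation, commit to each vertex."""
    perm = list(COLOURS)
    rng.shuffle(perm)
    relabelled = {v: perm[c] for v, c in colouring.items()}
    opened = {v: commit(c, rng) for v, c in relabelled.items()}
    commitments = {v: com for v, (com, _) in opened.items()}
    nonces = {v: nonce for v, (_, nonce) in opened.items()}
    return commitments, (relabelled, nonces)


def prover_open(secret, edge):
    """Step 3: reveal only the two endpoints of the challenged edge."""
    relabelled, nonces = secret
    u, v = edge
    return (relabelled[u], nonces[u]), (relabelled[v], nonces[v])


def verifier_check(commitments, edge, openings):
    """Step 4: both openings must match their commitments and the colours must differ."""
    u, v = edge
    (cu, nu), (cv, nv) = openings
    return open_ok(commitments[u], cu, nu) and open_ok(commitments[v], cv, nv) and cu != cv


def run_proof(edges, colouring, rounds, prover_rng, verifier_rng):
    """Sequential rounds; step 2 is the verifier's uniformly random edge challenge.
    An improper colouring has at least one monochrome edge, so each round catches
    a cheating prover with probability at least 1/len(edges)."""
    for _ in range(rounds):
        commitments, secret = prover_commit(colouring, prover_rng)
        edge = verifier_rng.choice(edges)
        if not verifier_check(commitments, edge, prover_open(secret, edge)):
            return False
    return True


def cheat_bound(num_edges, rounds):
    """Upper bound on a cheating prover's probability of surviving every round."""
    return (1 - 1 / num_edges) ** rounds


def simulate_view(edges, rng):
    """Honest-verifier simulator: an accepting round transcript built without any
    colouring. Because the verifier's view can be produced this way, the transcript
    convinces no third party of anything."""
    edge = rng.choice(edges)
    u, v = edge
    cu, cv = rng.sample(COLOURS, 2)
    vertices = {x for e in edges for x in e}
    fake = {x: cu if x == u else cv if x == v else 0 for x in vertices}
    opened = {x: commit(c, rng) for x, c in fake.items()}
    commitments = {x: com for x, (com, _) in opened.items()}
    return commitments, edge, ((cu, opened[u][1]), (cv, opened[v][1]))


# Constructed instance: a 6-vertex graph, a proper 3-colouring, and a cheat that
# makes edge (3, 5) monochrome while every other edge still looks fine.
EDGES = [(0, 1), (1, 2), (0, 2), (2, 3), (3, 4), (4, 5), (3, 5)]
GOOD = {0: 0, 1: 1, 2: 2, 3: 0, 4: 1, 5: 2}
BAD = {**GOOD, 5: 0}

if __name__ == "__main__":
    print(run_proof(EDGES, GOOD, 300, random.Random(1), random.Random(2)))  # True
    print(run_proof(EDGES, BAD, 300, random.Random(1), random.Random(2)))   # False
    print(cheat_bound(len(EDGES), 300))
```

The verifier learns only two distinct colours per round, freshly permuted each time, which is why repeating rounds does not accumulate into a colouring; the error bound (1 - 1/|E|)^rounds is the price of that, so the round count must scale with the number of edges of the graph the CNF formula reduces to.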