TL;DR: This paper presents a proof that the notions of oblivious transfer and one-out-of-two oblivious transfer are computationally equivalent.
Abstract: The concept of oblivious transfer (O.T.) that was introduced by Halpern and Rabin [HR] turned out to be a very useful tool in designing cryptographic protocols. The related notion of “one-out-of-two oblivious transfer” was proposed by Even, Goldreich and Lempel in [EGL] together with some applications. Some more applications of this protocol can be found in recent papers [BCR], [GMW]. So far, the two notions were believed to be closely related but not known to be equivalent. This paper presents a proof that these two notions are computationally equivalent.
TL;DR: The Interrogator is a Prolog program that searches for security vulnerabilities in network protocols for automatic cryptographic key distribution, and has been able to rediscover a known vulnerability in a published protocol.
Abstract: The Interrogator is a Prolog program that searches for security vulnerabilities in network protocols for automatic cryptographic key distribution. Given a formal specification of the protocol, it looks for message modification attacks that defeat the protocol objective. It is still under development, but it has been able to rediscover a known vulnerability in a published protocol. It is implemented in LM-Prolog on a Lisp Machine, with a graphical user interface.
TL;DR: It is proved that the privacy of individuals is protected in a way that is optimal against cooperation of all organizations, even if the organizations have infinite computational resources.
Abstract: A multi-party cryptographic protocol and a proof of its security are presented. The protocol is based on RSA using a one-way function. Its participants are individuals and organizations, which are not assumed to trust each other. The protocol implements a "credential mechanism", which is used to transfer personal information about individuals from one organization to another, while allowing individuals to retain substantial control over such transfers. It is proved that the privacy of individuals is protected in a way that is optimal against cooperation of all organizations, even if the organizations have infinite computational resources. We introduce a "formal credential mechanism", based on an "ideal RSA cryptosystem". It allows individuals a chance of successful cheating that is proved to be exponentially small in the amount of computation required. The new proof techniques used are based on probability theory and number theory and may be of more general applicability.
TL;DR: A protocol scheme which directly simulates any given computation, defined on any computational device, in a minimum-knowledge fashion, and a scheme for simulation of computation in dual (perfect) minimum- knowledge fashion are presented.
Abstract: We present a protocol scheme which directly simulates any given computation, defined on any computational device, in a minimum-knowledge fashion. We also present a scheme for simulation of computation in dual (perfect) minimum-knowledge fashion. Using the simulation protocol, we can assure that one user transfers to another user exactly the result of a given computation and nothing more. The simulation is direct and efficient; it extends, simplifies and unifies important recent results which have useful applications in cryptographic protocol design. Our technique can be used to implement several different sorts of transfer of knowledge, including: transfer of computational results, proving possession of information, proving knowledge of knowledge, gradual and adaptive revealing of information, and commitment to input values. The novelty of the simulation technique is the separation of the data encryption from the encryption of the device's structural (or control) information.
TL;DR: This work shows that essentially any multiparty protocol problem can be solved, and relies on the so called key-safeguarding or secret-sharing schemes proposed by Blakley and Shamir as basic building blocks to achieve the optimal result.
Abstract: It has been shown previously how almost any multiparty protocol problem can be solved. All the constructions suggested so far rely on trapdoor one-way functions, and therefore must assume essentially that public key cryptography is possible. It has also been shown that unconditional protection of a single designated participant is all that can be achieved under that model. Assuming only authenticated secrecy channels between pairs of participants, we show that essentially any multiparty protocol problem can be solved. Such a model actually implies the further requirement that less than one third of the participants deviate from the protocol. The techniques presented do not, however, rely on any cryptographic assumptions; they achieve the optimal result and provide security as good as the secrecy and authentication of the channels used. Moreover, the constructions have a built-in fault tolerance: once the participants have sent messages committing themselves to the secrets they will use in the protocol, there is no way less than a third of them can stop the protocol from completing correctly. Our technique relies on the so called key-safeguarding or secret-sharing schemes proposed by Blakley and Shamir as basic building blocks. The usefulness of their homomorphic structure was observed by Benaloh, who proposed techniques very similar to ours.
TL;DR: This work introduces a novel method of concurrently alternating and interleaving n executions of verifiable secret sharing protocols, and greatly improves the time complexity (number of communication rounds) of simultaneous broadcast.
Abstract: Simultaneous broadcast [CGMA] is a fundamental tool in designing secure protocols for fault tolerant distributed computing. A system that supports it enables n processes to globally commit to independently chosen values (a significantly harder task than mere agreement). It is also a basic building block in a recent “completeness” theorem of [GMW]. In this paper we present a new protocol for simultaneous broadcast. Building upon past work, we introduce a novel method of concurrently alternating and interleaving n executions of verifiable secret sharing protocols. This approach greatly improves the time complexity (number of communication rounds) of simultaneous broadcast. Previous protocols (combination of [CGMA] and [GMW]) required the complete serialization of the n verifiable secret sharings, resulting in Ω(n) communication rounds. Our protocol is constructive, and requires only log n + log log n serial executions of verifiable secret sharings. It preserves maximum fault tolerance (t < n/2 faults), and polynomial resource bounds (internal computation and communication bits). The same improvement applies to the general simulation in [GMW]. In light of its improved performance, it is significant that our protocol has a fairly simple correctness proof. In the slippery business of distributed cryptographic protocols, simpler proofs are important.
* Research supported by NSF Grant MCS81-21431 at Harvard University. † Contact author. Email address: rabin@harvard.harvard.edu
TL;DR: By applying the complexity-theoretic approach to knowledge, this work is able to measure and control the computational knowledge released to the various users, as well as its temporal availability.
Abstract: We give a general procedure for designing correct, secure, and fault-tolerant cryptographic protocols for many parties, thus enlarging the domain of tasks that can be performed efficiently by cryptographic means. We model the most general sort of feasible adversarial behavior, and describe fault-recovery procedures that can tolerate it. Our constructions minimize the use of cryptographic resources. By applying the complexity-theoretic approach to knowledge, we are able to measure and control the computational knowledge released to the various users, as well as its temporal availability.
TL;DR: The method of cryptographic capsules, especially when combined with residue classes, seems to be a powerful tool with many applications; it makes possible several protocols which would be impractical or completely impossible without it.
Abstract: The method of cryptographic capsules, especially (but not exclusively) when combined with residue classes, seems to be a powerful tool with many applications. This simple tool makes possible several protocols which would be impractical or completely impossible without it. In addition, several previously published protocols can be significantly simplified by the use of capsules.
TL;DR: A tutorial is given on two public key cryptographic systems that provide an alternative to classical cryptographic key management techniques: the RSA system and the SEEK system.
Abstract: A tutorial is given on two public key cryptographic systems that provide an alternative to classical cryptographic key management techniques: the RSA system and the SEEK system. The certification of public numbers is discussed.
TL;DR: This paper presents an approach to analyzing Encryption protocols using machine aided formal verification techniques and a formal specification of an example system is presented, and a weakness that was revealed by testing the formal specification is discussed.
Abstract: This paper presents an approach to analyzing Encryption protocols using machine aided formal verification techniques. The desirable properties that a protocol is to preserve are expressed as state invariants and the theorems that need to be proved to guarantee that the cryptographic facility satisfies the invariants are automatically generated by the verification system. A formal specification of an example system is presented, and a weakness that was revealed by testing the formal specification is discussed.
TL;DR: Given that tamperfree devices exist, it is possible to construct true signature schemes that have the advantages of arbitrated signature schemes, protection against disavowing or forging messages, while lacking certain shortcomings.
Abstract: Given that tamperfree devices exist, it is possible to construct true signature schemes that have the advantages of arbitrated signature schemes, protection against disavowing or forging messages, while lacking certain shortcomings. Other cryptographic protocols can also be improved. The contents of tamperfree devices can be neither examined nor modified.
TL;DR: In general, secure communication in a distributed system that spans physically insecure networks and hosts must be implemented using cryptography, and fast hardware implementations of these algorithms are being developed and are projected to have encryption speeds comparable to network bandwidths.
Abstract: In general, secure communication in a distributed system that spans physically insecure networks and hosts must be implemented using cryptography. Software implementations of cryptographic algorithms such as DES are much slower than typical network bandwidths. However, fast hardware implementations of these algorithms are being developed [4, 6] and are projected to have encryption speeds comparable to network bandwidths (i.e., 10–100 megabits per second).
TL;DR: In this paper, a key predistribution system is proposed for generating a cryptographic key (k) shared by entities (A, B) that establish communications, which is particularly called a key pre-distribution system.
Abstract: A system for generating a cryptographic key (k) shared by entities (A, B) that establish communications, which is particularly called a key predistribution system. A center algorithm (G) which the center only knows is formed under the conditions determined among a plurality of entities that establish communications under the control of the center, and discriminators (yA, yB) of the entities (A, B) are adapted to the center algorithm to form secret algorithms (XA, XB) specific to each of the entities. Then the secret algorithms are loaded onto cipher forming means (2, 3) such as IC cards. The cipher forming means (2, 3) are mounted on the individual entities (A, B), and the discriminators (yB, yA) of the other entities are applied to each other to calculate the cryptographic key (k), thereby forming the shared cryptographic key. The invention further discloses a system of communications using the above-mentioned shared cryptographic key.
TL;DR: The problem of deciding whether a given cryptographic protocol is secure or not under a certain environment is discussed and the security problem for the classes is shown to be solved in polynomial time.
Abstract: We discuss the problem of deciding whether a given cryptographic protocol is secure or not under a certain environment. We present sufficient conditions under which the security problem is decidable. The classes of protocols which satisfy the conditions are larger than that considered by Dolev, et al. The security problem for the classes is shown to be solved in polynomial time.
TL;DR: This paper describes a protocol, based on the difficulty of finding discrete logarithms over finite fields, by which users can verify whether they have matching credentials without revealing their credentials to each other unless there is a match.
Abstract: The problem of authentication of mutually suspicious parties is one that is becoming more and more important with the proliferation of distributed systems. In this paper we describe a protocol, based on the difficulty of finding discrete logarithms over finite fields, by which users can verify whether they have matching credentials without revealing their credentials to each other unless there is a match. This protocol requires a trusted third party, but does not require it to be available to the users except when they sign up for the system. Thus it is useful in situations in which a trusted third party exists but is not available to all users at all times.
TL;DR: This paper explores the complexity-theoretic approach to the transmission of knowledge that was introduced by Goldwasser, Micali, and Rackoff, and proposes a uniform definition of minimum-knowledge.
Abstract: This paper explores the complexity-theoretic approach to the transmission of knowledge that was introduced by Goldwasser, Micali, and Rackoff, and further studied by a number of authors. Roughly speaking, a protocol designed to solve a given computational problem is said to be minimum-knowledge if its outputs give no more information than an oracle for the problem would give to a user whose computational resources are polynomially bounded. This notion has important consequences for the design of cryptographic protocols. A few slightly different definitions have been given in the literature; some of the results included here have been published previously without proofs. This paper proposes a uniform definition, collects the known results and proves them, and describes the problems that are still not understood.
TL;DR: Much work has been done on analyzing encryption algorithms such as DES and on formally verifying communication protocols, but very little work has been devoted to the analysis and formal verification of encryption protocols.
TL;DR: The mere existence of such algorithms is not enough to solve the problems of message secrecy and authentication, so the procedures for handling the data, including the use of a cryptoalgorithm, must insure that the desired level of security is achieved.
Abstract: Recent progress in the area of cryptography has given rise to strong cryptoalgorithms using complex mathematical systems. These algorithms often require quite sophisticated computing capabilities for their implementation and are designed to withstand attack by equally sophisticated opponents with nearly unlimited resources available to them. However, the mere existence of such algorithms is not enough to solve the problems of message secrecy and authentication. The procedures for handling the data, including the use of a cryptoalgorithm, must insure that the desired level of security is achieved. Such a set of rules or procedures is known as a cryptographic protocol.
TL;DR: Much work has been done on analyzing encryption algorithms such as DES and on formally verifying communication protocols; in contrast, very little work has been devoted to the analysis and formal verification of encryption protocols.
Abstract: Much work has been done in the area of analyzing encryption algorithms, such as DES [Dav 81, Bri 85, BMP 86]. A vast amount of work has also been expended on formally verifying communication protocols [IEE 82, STE 82, RW 83, LS 84, Hol 87]. In contrast, very little work has been devoted to the analysis and formal verification of encryption protocols.
TL;DR: The concept of the complexity of a sequence is used to develop a measure of cryptographic performance, and the discussion is kept for the most part on an intuitive level for the sake of clarity.
Abstract: The concept of the complexity of a sequence is used to develop a measure of cryptographic performance. The discussion is kept for the most part on an intuitive level for the sake of clarity.
TL;DR: An algebra for expressing security policies with particular application to cryptographic methods of storing information is introduced, composed of operands which are cryptographic functions, dependent upon an algorithm and a key, and a set of operators.
Abstract: This paper introduces an algebra for expressing security policies with particular application to cryptographic methods of storing information. The algebra is composed of operands which are cryptographic functions, dependent upon an algorithm and a key, and a set of operators. By combining expressions in meaningful ways, security policies can be represented. The advantages of this are that the categories and classifications of information can clearly be seen, the representation of security policies can be concise, and a model represented in the algebra may be translated readily into a configuration of cryptographic keys, thus simplifying the otherwise difficult task of verifying security.
TL;DR: Under the sufficient condition given in this paper, the security of such cryptographic protocols as the cryptographic key distribution protocols and the digital signature protocols can be decided in a polynomial time.
Abstract: This paper discusses the decision problem concerning security for such cryptographic protocols as the cryptographic key distribution protocols and the digital signature protocols. A cryptographic protocol and its utilization environment are considered secure if an opponent cannot know the secret message or forge a signature successfully by wiretapping or communication function is secure. This paper presents a sufficient condition under which the security problem is decidable. Dolev et al. also investigated the decision problem of the security, but they discussed only the simple case where the cryptographic key is not the object of manipulation (i.e., key generation and distribution are not included in the protocol), and a decision method is presented in which the decision can be made in a polynomial time. By contrast, this paper discusses the problem including the case where the cryptographic key can be an object of manipulation. The key delivery protocol by Ehrsam et al. and the digital signature protocol by Needham et al. satisfy the sufficient condition for the decidability given in this paper. Under the sufficient condition given in this paper, the security can again be decided in a polynomial time.
TL;DR: Randomness is an important computational resource, and has found application in such diverse computational tasks as combinatorial algorithms, synchronization and deadlock resolution protocols, encrypting data and cryptographic protocols, and so on.
Abstract: Randomness is an important computational resource, and has found application in such diverse computational tasks as combinatorial algorithms, synchronization and deadlock resolution protocols, encrypting data and cryptographic protocols. Blum [Bl] pointed out the fundamental fact that whereas all these applications of randomness assume a source of independent, unbiased bits, the available physical sources of randomness (such as zener diodes) suffer seriously from problems of correlation. A general
TL;DR: Under the assumption that encryption functions exist, it is shown that all languages in NP possess zero-knowledge proofs and it is possible to demonstrate that a CNF formula is satisfiable without revealing any other property of the formula.
Abstract: Under the assumption that encryption functions exist, we show that all languages in NP possess zero-knowledge proofs. That is, it is possible to demonstrate that a CNF formula is satisfiable without revealing any other property of the formula. In particular, without yielding either a satisfying assignment or weaker properties such as whether there is a satisfying assignment in which x1=TRUE, or whether there is a satisfying assignment in which x1=x3, etc. The above result allows us to prove two fundamental theorems in the field of (two-party and multi-party) cryptographic protocols. These theorems yield automatic and efficient transformations that, given a protocol that is correct with respect to an extremely weak adversary, output a protocol correct in the most adversarial scenario. Thus, these theorems imply powerful methodologies for developing two-party and multiparty cryptographic protocols.
TL;DR: A zero-knowledge Poker protocol that achieves confidentiality of the players' strategy or How to achieve an electronic Poker face is proposed.
Abstract: Data Encryption Standard.- Structure in the S-Boxes of the DES (extended abstract).- Cycle Structure of the DES with Weak and Semi-Weak Keys.- Public-Key Cryptography.- Private-Key Algebraic-Coded Cryptosystems.- Some Variations on RSA Signatures & their Security.- Breaking the Cade Cipher.- A Modification of a Broken Public-Key Cipher.- A Pseudo-Random Bit Generator Based on Elliptic Logarithms.- Two Remarks Concerning the Goldwasser-Micali-Rivest Signature Scheme.- Public-key Systems Based on the Difficulty of Tampering (Is there a difference between DES and RSA?).- A Secure and Privacy-Protecting Protocol for Transmitting Personal Information Between Organizations.- Cryptographic Protocols And Zero-Knowledge Proofs.- How to Prove All NP Statements in Zero-Knowledge and a Methodology of Cryptographic Protocol Design (Extended Abstract).- How To Prove Yourself: Practical Solutions to Identification and Signature Problems.- Demonstrating that a Public Predicate can be Satisfied Without Revealing Any Information About How.- Demonstrating Possession of a Discrete Logarithm Without Revealing it.- Cryptographic Capsules: A Disjunctive Primitive for Interactive Protocols.- Zero-Knowledge Simulation of Boolean Circuits.- All-or-Nothing Disclosure of Secrets.- A zero-knowledge Poker protocol that achieves confidentiality of the players' strategy or How to achieve an electronic Poker face.- Secret-Sharing Methods.- Secret Sharing Homomorphisms: Keeping Shares of a Secret Secret (Extended Abstract).- How to Share a Secret with Cheaters.- Smallest Possible Message Expansion in Threshold Schemes.- Hardware Systems.- VLSI implementation of public-key encryption algorithms.- Architectures for exponentiation in GF(2n).- Implementing the Rivest Shamir and Adleman Public Key Encryption Algorithm on a Standard Digital Signal Processor.- Software Systems.- A High Speed Manipulation Detection Code.- Electronic Funds Transfer Point of Sale in Australia.- Software Protection, Probabilistic Methods, and Other Topics.- The Notion of Security for Probabilistic Cryptosystems (Extended Abstract).- Large-Scale Randomization Techniques.- On the Linear Span of Binary Sequences Obtained from Finite Geometries.- Some Constructions and Bounds for Authentication Codes.- Towards a Theory of Software Protection (Extended Abstract).- Informal Contributions.- Two Observations on Probabilistic Primality Testing.- Public Key Registration.- Is there an ultimate use of cryptography? (Extended Abstract).- Smart Card a Highly Reliable and Portable Security Device.- Thomas - A Complete Single Chip RSA Device.