1994-03-18 - Fwd: AVAILABLE: HIGHLY EFFICIENT ELECTRONIC CASH SYSTEMS

Header Data

From: Matthew J Ghio <mg5n+@andrew.cmu.edu>
To: Cypherpunks Mailing List <cypherpunks@toad.com>
Message Hash: eadb45a9eefebe052f4b0229557721cdd9ccde1f9ba26b619a82853bc67b3405
Message ID: <UhWIFoy00awRA18UVy@andrew.cmu.edu>
Reply To: <CMttnF.Btu@cwi.nl>
UTC Datetime: 1994-03-18 06:05:16 UTC
Raw Date: Thu, 17 Mar 94 22:05:16 PST

Raw message

From: Matthew J Ghio <mg5n+@andrew.cmu.edu>
Date: Thu, 17 Mar 94 22:05:16 PST
To: Cypherpunks Mailing List <cypherpunks@toad.com>
Subject: Fwd: *AVAILABLE: HIGHLY EFFICIENT ELECTRONIC CASH SYSTEMS*
In-Reply-To: <CMttnF.Btu@cwi.nl>
Message-ID: <UhWIFoy00awRA18UVy@andrew.cmu.edu>
MIME-Version: 1.0
Content-Type: text/plain


---------- Forwarded message begins here ----------

Received: via nntpserv with nntp; Thu, 17 Mar 1994 17:00:49 -0500 (EST)
Newsgroups: alt.2600,alt.cyberpunk.tech,talk.politics.crypto
Path:
andrew.cmu.edu!bb3.andrew.cmu.edu!news.sei.cmu.edu!cis.ohio-state.edu!magn
us.acs.ohio-state.edu!usenet.ins.cwru.edu!howland.reston.ans.net!EU.net!s
un4nl!cwi.nl!brands
From: brands@cwi.nl (Stefan Brands)
Subject: *AVAILABLE: HIGHLY EFFICIENT ELECTRONIC CASH SYSTEMS*
Message-ID: <CMttnF.Btu@cwi.nl>
Sender: news@cwi.nl (The Daily Dross)
Nntp-Posting-Host: aasgier.cwi.nl
Organization: CWI, Amsterdam
Date: Thu, 17 Mar 1994 20:45:15 GMT
Lines: 188
Xref: bb3.andrew.cmu.edu alt.2600:2751 alt.cyberpunk.tech:2971
talk.politics.crypto:3810

Subject: 
-------
   seeking interested parties for implementing, and sharing the 
   rights to, my technologies for privacy-protected electronic transfer 
   of certified information.


                              ****


I am a PhD student at the Cryptography Department at the Center for
Mathematics and Computer Science (CWI) in Amsterdam. In the past two
years, I have developed a compact set of new techniques that enable
the construction of highly efficient and secure electronic systems for
off-line transfer of certified information, such that privacy is fully
guaranteed. The resulting systems offers a great many advantages over
any other privacy-protected systems you will find. In particular,
using a subset of these techniques I have contructed off-line
electronic cash systems in which the privacy of the account holders is
fully guaranteed. An independent authority in the field of cryptology
has recently confirmed that these systems seem to be the most
practical such systems to date.

I am posting this letter because I am very interested in pursuing the
implementation of my systems *jointly*, in a fair business
relationship, with a company capable of and interested in
standardizing these systems. My technologies / ystenms are ideally
suitable for smart cards, hand held computers, interactive TV,
etcetera. All the rights to the technology have been transferred to me
by CWI, and so part of such a cooperation would be *joint ownership of
all rights*. 

The reason for posting this letter in a news group is that I see *no*
other way to get in touch with interested parties. Before I go deeper
into this, I would like to give you some more information about my
technologies, and explain their many features.  If you are not
interested, but think you can help me by suggesting names etc.\, I
would appreciate your suggestions.

          Privacy-protected transfer of electronic information.
          -----------------------------------------------------

Much work has been done to construct privacy-protected off-line cash
systems previously, notably by David Chaum (formerly affiliated with CWI).
This early work has resulted in two key concepts that can be used to attain
the same level of security against double-spending as can trivially be
attained in off-line cash systems with full traceability of payments.
However, the many practical *realizations* of these concepts that have been
proposed are far from satisfactory with respect to efficiency, provability
of security (relative to certain well-known problems that are
widely believed to be intractable), and extensibility in functionality.

The new techniques I developed for my PhD thesis overcome *all* of these
problems. They enable the construction of privacy-protected off-line cash
systems that are almost as efficient as off-line cash systems that do *not*
offer privacy. Succesful attacks against such a system provably imply that
one can break a certain well-known signature scheme that is widely believed
to be secure (such as the Schnorr scheme, the Guillou/Quisquater scheme, the
schemes presented by Okamoto at CRYPTO 92, the Fiat/Shamir scheme etc.). The
techniques in fact allow the construction of a highly efficient off-line
cash system whose security (and that of all the extensions in functionality!)
is based on the security of any one signature scheme of the
so-called Fiat/Shamir type.

Among the extensions in functionality are: prior restraint of
double-spending, electronic cheques, protection against framing,
currency exchange, anonymous accounts, and multi-spendable coins. All these
extensions can be realized very easily without any need for additional data
stuctures or basic algorithms (that is, *no* ad hoc constructions). In
particular, prior restraint of double-spending can be achieved by using a
tamper-resistant computing device that is capable of merely performing a
signature scheme of the Fiat/Shamir type (of one's own choice), such as the
Schnorr signature scheme.

A highly preliminary report about a small subset of these techniques,
based on the Discrete Logarithm problem, has been published by me
about a year ago as a technical report at CWI. (A PostScript version
of this report can be retrieved by ftp from ftp.cwi.nl, as
pub/brands/CS-R9323.ps.). 

In August 1993 I presented these preliminary results at the CRYPTO
1993 conference in Santa Barbara.  The final version of this abstract
can also be retrieved by ftp from ftp.cwi.nl, as
pub/brands/crypto93.ps. It's succesful acceptance can be measured by
the fact that the results in the report are currently being used as
the basis for a cash system by the European CAFE project, a project
with 13 European partners from industry and science. I understand that
some other implementations based on my report are under way as well.

                       New developments.
                       -----------------

In the mean time, however, I have significantly improved and *greatly*
extended the techniques described in the preliminary report.
Furthermore, I came up with a fully RSA-based variant that offers
various advantages over the Discrete Log based variant.

Contrary to the description in the preliminary report, the improved
techniques allow the construction of withdrawal protocols for which it
can rigorously be proven that the aforementioned attack to the
withdrawal protocol is as hard as breaking a well-known signature
scheme, and the efficiency of the system increases by a factor of two
(a factor not to be neglected, especially not in case such a system is
implemented using smart card technology!).

As an interesting side note, the improved techniques do *not* use the blind
signature technique as developed and patented by David Chaum.

The full set of techniques can be used to construct highly efficient
privacy-protected off-line mechanisms for transferring certified
information, the security of which again can be *proven* assuming only
the security of a certain well-known signature scheme of the
Fiat/Shamir type of one's own choice. The off-line cash systems are in
fact just one very particular instance of the general applicability of
the complete set of techniques; it is a system in which credentials
that may be shown only once can be transferred between any
``organizations'' while privacy is guaranteed.  As an example of the
usefulness of the new techniques, highly efficient and secure off-line
cash systems can be constructed in which payments are made under
pseudonym: in order to pay with a coin, an accountholder need do no
more than send 35 bytes to an ``organization'' at which he has a
pseudonym.

For those who want to know in detail about the *many* features of the
new techniques, as well as the performance of several preferred
embodiments of systems that can be contructed from them, I have
prepared a document that can be retrieve by ftp from ftp.cwi.nl, again
in the directory pub/brands. There is a PostScript version called
features.ps, as well as a plain text version called features.plain.

                   Why am I posting this letter?
                   -----------------------------

As I already mentioned at the start of this letter, I am very
interested in pursuing the implementation of my systems *jointly*, in
a fair business relationship, with a company capable of and interested
in standardizing these systems. I am in the process of finishing my
PhD thesis, which deals exclusively with these technologies. If you
have read the detailed description of the features in my ``features''
document, then I have no doubt that you will agree with me that these
systems offer a *great* many advantages over any other
privacy-protected system for off-line transfer of digital information.
In general, if you want to implement electronic systems for secure
transfer of certified information, whether it be cash or other types
of credentials, such that privacy can be guaranteed, then you will
find out that this is *the* way to go.

I am *not* involved with any project or company whatsoever. In
particular, I want like to point out that I am *not* involved in the
CAFE project, and I also do *not* have business relations with the
company (DigiCash) of David Chaum, although I greatly respect his
innovative work on privacy-protected transfer of electronic
information. In fact, *all* rights on my technologies have been
transferred to me by my employee, CWI.

Due to the fact that my research was done independently of any project or
company, it is extremely hard for me to get in touch with the appropriate
persons at companies that are really interested in this technology *and*
that have the capability of implementing it. Since projects and
companies that I am not part of obviously do not provide me with such
information, I see no better way to bring my technologies under the
attention than by publishing this letter on the news net. 

If you are interested in my technologies, and want to pursue
implementation together with me in the *near* future, I invite you to
contact me. We can then discuss things further. Part of such a
cooperation would be that *sharing* with me the rights to my
technologies.

My fax number is

                        (31) 30 - 546 468

This is also my telephone number; however, I would prefer if you send
fax or e-mail. My e-mail address at CWI is brands@cwi.nl.

In case you are interested in having my work reviewed beforehand by
some cryptography authority, to make sure I am not talking nonsense, I
am happy to send to you a detailed description of my work. I guarantee
you that he or she will *not* be able to break it, and will confirm
the many statements I make about the benefits of my technologies. In
addition, or alternatively, depending on the circumstances, I am happy
to come over and explain my technologies in person with you.

Alternatively, if you or your company is not interested in my
technologies, but you think you can help me with pointers to persons
at companies that might be interested in this technology, I would very
much appreciate any such suggestions.






Thread