Applied Batch Cryptography

Christopher John Pavlovski, BAppSc., BInfTech (Hons)

Thesis submitted for the degree of Doctor of Philosophy, November 2000.
Information Security Research Centre, School of Data Communications, Queensland University of Technology, Brisbane, Australia.

Copyright 2000 by Christopher J. Pavlovski. All Rights Reserved.

QUEENSLAND UNIVERSITY OF TECHNOLOGY
DOCTOR OF PHILOSOPHY THESIS EXAMINATION

CANDIDATE NAME: Christopher John Pavlovski
RESEARCH CONCENTRATION: Information Security Research Centre
PRINCIPAL SUPERVISOR: Dr Colin Boyd
ASSOCIATE SUPERVISOR(S): Dr Mark Looi, Professor William Caelli
THESIS TITLE: Applied Batch Cryptography

Under the requirements of PhD regulation 16.8, the above candidate presented a Final Seminar that was open to the public. A Faculty Panel of three academics attended and reported on the readiness of the thesis for external examination. The members of the panel recommended that the thesis be forwarded to the appointed Committee for examination.

Panel Chairperson (Principal Supervisor): Dr Colin Boyd
Panel Member: Dr Wenbo Mao
Panel Member: [name illegible in scan]

Under the requirements of PhD regulations, Section 16, it is hereby certified that the thesis of the above-named candidate has been examined. I recommend on behalf of the Examination Committee that the thesis be accepted in fulfillment of the conditions for the award of the degree of Doctor of Philosophy.

Chair of Examiners (Head of School or nominee), Examination Committee: [signature and date illegible in scan]

FORM B

Keywords

Batch cryptography, electronic cash, digital signature, electronic commerce, micropayment, anonymous cash, digital cash, batch signature, batch verifier, modular exponentiation, homomorphic property, multiplicative property, screening, binary tree.

Abstract

The material presented in this thesis may be viewed as comprising two key parts: the first part concerns batch cryptography specifically, whilst the second deals with how this form of cryptography may be applied to security related applications, such as electronic cash, for improving the efficiency of the protocols.

The objective of batch cryptography is to devise more efficient primitive cryptographic protocols. In general, these primitives make use of some property such as homomorphism to perform a computationally expensive operation on a collective input set. The idea is to amortise an expensive operation, such as modular exponentiation, over the input. Most of the research work in this field has concentrated on its employment as a batch verifier of digital signatures. It is shown that several new attacks may be launched against these published schemes as some weaknesses are exposed. Another common use of batch cryptography is the simultaneous generation of digital signatures. There is significantly less previous work in this area, and the present schemes have some limited use in practical applications. Several new batch signature schemes are introduced that improve upon the existing techniques, and some practical uses are illustrated.

Electronic cash is a technology that demands complex protocols in order to furnish several security properties. These typically include anonymity, traceability of a double spender, and off-line payment features. Presently, the most efficient schemes make use of coin divisibility to withdraw one large financial amount that may be progressively spent with one or more merchants. Several new cash schemes are introduced here that make use of batch cryptography for improving the withdrawal, payment, and deposit of electronic coins. The devised schemes apply both the batch signature and the batch verification techniques introduced, demonstrating improved performance over the contemporary divisible based structures. The solutions also provide an alternative paradigm for the construction of electronic cash systems. Whilst electronic cash is used as the vehicle for demonstrating the relevance of batch cryptography to security related applications, the applicability of the techniques introduced extends well beyond this.

Table of Contents

1 Introduction
1.1 A Brief History of Cash
1.2 Research Goals
1.3 Summary of Results
1.4 Organisation of Thesis
1.5 Published Results

2 Electronic Cash Tools and Models 12
2.1 Vernacular of Electronic Cash 14
2.2 Preliminaries 16
2.3 The Building Blocks of Electronic Cash 18
2.4 Untraceable Off-line Cash 27
2.5 A Brief Survey of Electronic Cash 31
2.6 Summary 37

3 Batch Cryptography 40
3.1 Historical Perspective 40
3.2 Definitions and Properties 42
3.3 Fiat's Batch RSA 44
3.4 Homomorphic Verification Techniques 48
3.5 Efficiency 51
3.6 Relevance to Electronic Cash 60
3.7 Summary 62

4 Digital Batch Signature Paradigms 66
4.1 Overview 66
4.2 Paradigms 67
4.3 Tree Structured Digital Signatures 73
4.4 Some Suggested Applications 87
4.5 Summary 94

5 Attacking Verifiers of Signatures 96
5.1 Background to Central Observation 97
5.2 Specific Attacks on Batch Verifiers 101
5.3 General Attack on the Small Exponents Test 106
5.4 Repairing the Small Exponents Test 110
5.5 The RSA Group 115
5.6 Summary 116

6 Light-Weight Electronic Coins 120
6.1 Electronic Coins for Small Payments 121
6.2 Micropayment Mechanisms 122
6.3 MicroCash 125
6.4 Security 133
6.5 Efficiency of Scheme 135
6.6 Some Extensions to MicroCash 139
6.7 Summary 140

7 Non-Divisible Electronic Coins 142
7.1 Motivation and Basic Ideas 142
7.2 Extension of Schnorr Signature Scheme 143
7.3 Realising Batch Methods in Electronic Cash 146
7.4 Detachable Electronic Coins 154
7.5 Security Analysis 162
7.6 Efficiency 167
7.7 Summary 174

8 Conclusions 176
8.1 Contribution and Results 176
8.2 Open Problems and Further Work 178

Appendix I Anomaly in Proofs for Brands' Cash 181
Appendix II Binary Trees 183
Appendix III Basic Notation 184
References 185

Appendix I: Anomaly in Proofs for Brands' Cash

With the results of chapters five and seven, a weakness in Brands' original electronic cash
scheme [Bra93] is outlined. The customer may substitute A with sA mod p, where s is an element of any order t such that t | p - 1 and t ≤ 2d (d is the merchant challenge during payment). The general attack introduced in chapter five may be applied to Brands' scheme under the following steps.

1. Choose blinding invariant s ∈_R Z_q, and s such that ord(s) = t.
2. Compute A = (g_1^{u_1} g_2)^s mod p.
3. Set a = sA mod p.
4. Calculate c' = h(a, B, z', a', b').
5. Present (a, B) and σ(a, B) to the verifier as a valid coin.

In Brands' original scheme it would be possible to spend an invalid coin (a, B) and pass verification with probability 1/t. This is because r' = ru + v mod q will be of the required value with probability 1/t. In practice the customer could examine the response returned to confirm whether merchant verification of the false coin will pass with the derived response r', thus guaranteeing that signature verification will pass during payment. In addition, the representation check will pass with probability 1/t, since d will also be of the required value 1/t of the time; if ord(s) = 4 this will be 1/4 of the time. This can be seen in the following equations:

g^{r'} = h^{h(a, B, z', a', b')} · a'
A^{r'} = z'^{h(a, B, z', a', b')} · b'

When the coin is deposited with the bank, the bank is equally likely to accept the coin as valid. If the coin fails the representation check, then the coin is rejected. It is interesting to note that in Brands' original paper he suggests that the customer may in fact determine d, reducing the payment to a single move protocol. In this case the customer is able to spend an invalid coin with a 100% success rate; as suggested above, during the withdrawal protocol the customer is able to check that an appropriate value r is provided that will enable a false coin to pass verification using r' = ru + v mod q.

Regardless of this, the question remains of any real exposure. The answer is negative, since if the customer spends a second instance of a, or even A itself, he must supply r-values during payment that pass the representation criterion. Since these values encode the customer's true identity, the customer will be caught. So this observation is rather an anomaly of the scheme, where an invalid coin (a, B), such that a ∉ G and B ∈ G, may be in circulation. But to be able to spend these invalid coins the customer must have taken part in the withdrawal protocol. Since the customer's account is debited during withdrawal and double spending will reveal the identity, there is no incentive to fool the system.

It must also be pointed out that this observation now invalidates the theorems presented by Brands [Bra93]. For it can be seen that a customer can present a coin (A', B), σ(A', B), where A' = eA, and not know its representation with respect to (g_1, g_2). More formally, the following has been previously claimed [Bra93], where U is the customer.

Lemma. If U in the payment protocol can give correct responses with respect to two different challenges, then he knows a representation of both A and B with respect to (g_1, g_2).

Corollary. U can spend a coin if and only if he knows a representation of it.

From the results above it is clear that the lemma and corollary have been invalidated. Furthermore, the customer cannot possibly know a representation of A' and B with respect to (g_1, g_2), since A' ∉ G and (g_1, g_2) are generators of G. Finally, in order to prevent the customer from spending invalid coins, the merchant should check that the value A lies in the group G. This is an added expense in performing the check A^q = 1 mod p.

Appendix II: Binary Trees

A binary tree (see Figure E) has a unique root node, which is the only node with no parent. All other nodes have a unique parent node, while all nodes have zero or two child nodes. A node with zero child nodes is called a leaf node. Pairs of nodes which share the same parent node are called sibling nodes. Note that each non-root node has a unique sibling node. Any two siblings must be distinguished, so assign each node the direction left or right. Each node, except the root node, is connected to its parent node via an arc. The number of arcs traversed in the shortest path from a node to the root is called the depth of the node. The height of a tree is the number of nodes on the longest path from the root to a leaf.

[Figure E: Binary Tree. The original figure labels the depth of each level and marks the leaf nodes.]

An ancestor of a node N is a node on a path from the root node to N. A descendant of a node N is a node on a path from N to a leaf. The subtree of a node N is the left child of N plus its descendants from the left subtree, and the right child of N plus its descendants from the right subtree.

Huffman coding [CT91] is a technique for compression of text that uses a binary tree where each leaf node contains a single character, and the code used to identify each character is defined by its path from the root node to the leaf. When traversing the tree, '0' indicates a branch to the left and '1' a branch to the right; this forms the code (e.g. the leftmost leaf node in Figure E is represented by "00"). The Huffman tree is the representative set (or equivalence class) of full binary trees.

Appendix III: Basic Notation

The following basic notations and definitions are provided as a reference.

• The concatenation of two binary strings a and b is denoted by a ‖ b.
• Let a | b denote that the integer a divides the integer b.
• For some integer n, let {0, 1}^n define the set of all binary strings of length n.
• Let {0, 1}^* define the set of all binary strings of no fixed length.
• For some integer n, let Z_n denote the set of integers modulo n; this is the set {0, 1, ..., n - 1}.
• For some integer n, let Z_n^* denote the multiplicative group of Z_n; this is the set of elements a ∈ Z_n such that gcd(a, n) = 1.
• Let a ∈ S denote that element a is chosen from the set S.
• Let a ∈_R S denote that element a is chosen uniformly at random from the set S.
• An element g ∈ G is said to be a generator of a group G if there exists some integer x such that each
element b ∈ G of the group is generated under the exponentiation b = g^x.
• Euler's totient function φ(n) defines the number of elements from Z_n relatively prime to n.
• Let ∏_{i=1}^{t} a_i denote the product a_1 × a_2 × ... × a_t.
• Let ∑_{i=1}^{t} a_i denote the sum a_1 + a_2 + ... + a_t.
• The order of a group G is defined as the number of elements in G.
• Let a ∈ G. The order of the element a, denoted ord(a), is the least positive integer t such that a^t = 1.

References

[AMS96] R. Anderson, C. Manifavas, C. Sutherland. NetCard - A Practical Electronic Cash System. Proceedings of 4th Cambridge Workshop on Security Protocols, Springer-Verlag, 1996.
[BGH95] M. Bellare, J. A. Garay, R. Hauser, A. Herzberg, H. Krawczyk, M. Steiner, G. Tsudik, and M. Waidner. iKP - A Family of Secure Electronic Payment Protocols. Proceedings of First Usenix Workshop on Electronic Commerce, pp. 89-106, 1995.
[BGR] M. Bellare, J. A. Garay, and T. Rabin. Fast Batch Verification for Modular Exponentiation and Digital Signatures. Available on-line at: http://www-cse.ucsd.edu/users/mihir
[BGR98] M. Bellare, J. A. Garay, and T. Rabin. Fast Batch Verification for Modular Exponentiation and Digital Signatures. In K. Nyberg, editor, Advances in Cryptology - EUROCRYPT '98, Springer-Verlag, Vol. 1403, LNCS, pp. 236-250, 1998.
[BR96] M. Bellare and P. Rogaway. The exact security of digital signatures: how to sign with RSA and Rabin. In U. Maurer, editor, Advances in Cryptology - EUROCRYPT '96, Springer-Verlag, Vol. 1070, LNCS, pp. 399-416, 1996.
[BY92] M. Beller and Y. Yacobi. Batch Diffie-Hellman Key Agreement Systems and their Application to Portable Communications. In R. Rueppel, editor, Advances in Cryptology - EUROCRYPT '92, Springer-Verlag, Vol. 658, LNCS, pp. 208-220, 1992.
[BM93] J. Benaloh and M. de Mare. One-Way Accumulators: A Decentralized Alternative to Digital Signatures (Extended Abstract). In T. Helleseth, editor, Advances in Cryptology - EUROCRYPT '93, Springer-Verlag, Vol. 765, LNCS, pp. 274-285, 1993.
[Boy00] C. Boyd. Choice of safe primes in the RSA group. Personal communication, July 2000.
[Bra93] S. Brands. Untraceable off-line cash in wallet with observers (extended abstract). In D. Stinson, editor, Advances in Cryptology - CRYPTO '93, Springer-Verlag, Vol. 773, LNCS, pp. 302-318, 1993.
[Bra93a] S. Brands. An Efficient Off-Line Electronic Cash System Based On The Representation Problem. Technical Report CS-R9323, CWI Centre for Mathematics and Computer Science, 1993.
[Bra95] S. Brands. Off-Line Electronic Cash Based on Secret-Key Certificates. Proceedings of the Second International Symposium of Latin American Theoretical Informatics - LATIN '95, April 1995.
[CFMY96] A. Chan, Y. Frankel, P. MacKenzie, and Y. Tsiounis. Misrepresentation of identities in e-cash schemes and how to prevent it. In K. Kim, T. Matsumoto, editors, Advances in Cryptology - ASIACRYPT '96, Springer-Verlag, Vol. 1163, LNCS, pp. 276-285, 1996.
[CFT98] A. Chan, Y. Frankel, and Y. Tsiounis. Easy Come - Easy Go Divisible Cash. In K. Nyberg, editor, Advances in Cryptology - EUROCRYPT '98, Springer-Verlag, Vol. 1403, LNCS, pp. 561-575, 1998.
[Cha82] D. Chaum. Blind Signatures for untraceable payments. In D. Chaum, R. Rivest, and A. Sherman, editors, Advances in Cryptology - CRYPTO '82, Plenum Press, New York, pp. 199-203, 1983.
[CEG87] D. Chaum, J. H. Evertse and J. van de Graaf. An improved protocol for demonstrating possession of discrete logarithms and some generalisations. In D. Chaum and W. Price, editors, Advances in Cryptology - EUROCRYPT '87, Springer-Verlag, Vol. 304, LNCS, pp. 127-141, 1987.
[CFN88] D. Chaum, A. Fiat, and M. Naor. Untraceable electronic cash (extended abstract). In S. Goldwasser, editor, Advances in Cryptology - CRYPTO '88, Springer-Verlag, Vol. 403, LNCS, pp. 319-327, 1988.
[CP92] D. Chaum and T. Pedersen. Wallet databases with observers (extended abstract). In E. Brickell, editor, Advances in Cryptology - CRYPTO '92, Springer-Verlag, Vol. 740, LNCS, pp. 89-105, 1992.
[CH91] D. Chaum and E. van Heyst. Group Signatures. In D. Davies, editor, Advances in Cryptology - EUROCRYPT '91, Springer-Verlag, Vol. 547, LNCS, pp. 257-265, 1991.
[CM99] J. Camenisch and M. Michels. Proving in Zero-Knowledge that a Number is the Product of Two Safe Primes. In J. Stern, editor, Advances in Cryptology - EUROCRYPT '99, Springer-Verlag, pp. 107-122, 1999.
[CS97] J. Camenisch and M. Stadler. Efficient group signature schemes for large groups (extended abstract). In B. Kaliski Jr., editor, Advances in Cryptology - CRYPTO '97, Springer-Verlag, Vol. 1294, LNCS, pp. 410-424, 1997.
[CN99] J.-S. Coron and D. Naccache. On The Security Of RSA Screening. In H. Imai and Y. Zheng, editors, Second International Workshop on Practice and Theory in Public Key Cryptography, PKC '99, Springer-Verlag, Vol. 1560, LNCS, pp. 197-203, 1999.
[CCH75] J. Coulson, C. T. Carr, L. Hutchinson, and D. Eagle. The Standard English Desk Dictionary. Oxford University Press (Bay Books), Sydney, 1975.
[CT91] T. Cover and J. Thomas. Elements of Information Theory. Wiley, 1991.
[CTS95] B. Cox, J. D. Tygar, and M. Sirbu. NetBill Security and Transaction Protocol. Proceedings of the First Usenix Workshop on Electronic Commerce, 1995.
[Dav82] G. Davida. Chosen signature cryptanalysis of the RSA (MIT) public key cryptosystem. Technical report TR-CS-82-2, Department of EECS, University of Wisconsin, 1982.
[Dav96] G. Davies. A History of Money from Ancient Times to the Present Day. University of Wales Press, 1996.
[DH76] W. Diffie and M. Hellman. New Directions in Cryptography. IEEE Transactions on Information Theory, Vol. IT-22, No. 6, pp. 644-654, 1976.
[DSS91] Digital Signature Standard (DSS). NIST FIPS, Federal Register, Vol. 56, No. 169, 1991.
[DBP96] H. Dobbertin, A. Bosselaers, and B. Preneel. RIPEMD-160: a strengthened version of RIPEMD. In E. Biham, editor, Proceedings of 3rd International Workshop on Fast Software Encryption, Springer-Verlag, Vol. 1039, LNCS, pp. 71-82, 1996.
[EBC96] D. Eastlake, B. Boesch, S. Crocker, and M. Yesil. CyberCash Credit Card Protocol, Version 0.8. RFC 1898, February 1996.
[Elg84] T. ElGamal. A public key cryptosystem and a signature scheme based on discrete logarithms. In G. Blakley, D. Chaum, editors, Advances in Cryptology - CRYPTO '84, Springer-Verlag, Vol. 196, LNCS, pp. 10-18, 1984.
[EO94] T. Eng and T. Okamoto. Single-Term Divisible Electronic Coins. In A. De Santis, editor, Advances in Cryptology - EUROCRYPT '94, Springer-Verlag, Vol. 950, LNCS, pp. 306-319, 1994.
[Fer93] N. Ferguson. Single Term Off-Line Coins. In T. Helleseth, editor, Advances in Cryptology - EUROCRYPT '93, Springer-Verlag, Vol. 765, LNCS, pp. 318-328, 1993.
[Fer93a] N. Ferguson. Extensions of single-term coins. In D. Stinson, editor, Advances in Cryptology - CRYPTO '93, Springer-Verlag, Vol. 773, LNCS, pp. 292-301, 1993.
[Fia89] A. Fiat. Batch RSA. In G. Brassard, editor, Advances in Cryptology - CRYPTO '89, Springer-Verlag, Vol. 435, LNCS, pp. 175-185, 1989.
[Fia97] A. Fiat. Batch RSA. Journal of Cryptology, Vol. 10(2), pp. 75-88, Spring 1997.
[FIP95] FIPS 180-1. Secure hash standard. Federal Information Processing Standards Publication 180-1, N.I.S.T., 1995.
[GKR97] R. Gennaro, H. Krawczyk, and T. Rabin. RSA-based undeniable signatures. In B. S. Kaliski Jr., editor, Advances in Cryptology - CRYPTO '97, Springer-Verlag, Vol. 1294, LNCS, pp. 132-149, 1997.
[GMA95] S. Glassman, M. Manasse, M. Abadi, P. Gauthier, P. Sobalvarro. The Millicent protocol for inexpensive electronic commerce. Proceedings of Fourth International World Wide Web Conference, O'Reilly, pp. 603-618, December 1995.
[Har94] L. Harn. New digital signature scheme based on discrete logarithm. Electronics Letters, Vol. 30(5), pp. 396-398, March 1994.
[Har95] L. Harn. DSA type secure interactive batch verification protocols. Electronics Letters, Vol. 31(4), pp. 257-258, Feb. 1995.
[Har98a] L. Harn. Batch Verifying Multiple DSA-type Digital Signatures. Electronics Letters, Vol. 34(9), pp. 870-871, April 1998.
[Har98b] L. Harn. Batch verifying multiple RSA digital signatures. Electronics Letters, Vol. 34(12), pp. 1219-1220, June 1998.
[HSW96] R. Hauser, M. Steiner and M. Waidner. Micro-Payments based on iKP. Proceedings of SECURICOM '96, 1996.
[JY96a] M. Jakobsson and M. Yung. Revokable and Versatile Electronic Money (extended abstract). Proceedings of the 3rd ACM Conference on Computer and Communications Security, CCS '96, ACM Press, pp. 76-87, 1996.
[JY96b] C. Jutla and M. Yung. Paytree: "amortized signature" for flexible micropayments. Proceedings of 2nd USENIX Workshop on Electronic Commerce, pp. 213-221, 1996.
[Knu81] D. Knuth. The Art of Computer Programming - Seminumerical Algorithms. Addison-Wesley, Vol. 2, (2nd ed. 1983), 1981.
[Kob87] N. Koblitz. A Course in Number Theory and Cryptography. Graduate Texts in Mathematics, Springer-Verlag, Vol. 114, (2nd ed. 1994), 1987.
[Kra93] D. Kravitz. Digital Signature Algorithm. US Patent No. 5,231,668, July 1993.
[Lam81] L. Lamport. Password Authentication with Insecure Communication. Communications of the ACM, Vol. 24, pp. 770-772, 1981.
[LV00] A. Lenstra and E. Verheul. Selecting Cryptographic Key Sizes. In H. Imai and Y. Zheng, editors, Third International Workshop on Practice and Theory in Public Key Cryptography, PKC 2000, Springer-Verlag, Vol. 1751, LNCS, pp. 446-465, 2000.
[LL94] C. H. Lim and P. J. Lee. Security of interactive DSA batch verification. Electronics Letters, Vol. 30(19), pp. 1592-1593, February 1994.
[LL97] C. H. Lim and P. J. Lee. A key recovery attack on discrete log-based schemes using a prime order subgroup. In B. Kaliski Jr., editor, Advances in Cryptology - CRYPTO '97, Springer-Verlag, Vol. 1294, LNCS, pp. 249-263, 1997.
[LR98] A. Lysyanskaya and Z. Ramzan. Group Blind Digital Signatures: A Scalable Solution to Electronic Cash. In R. Hirschfeld, editor, Second International Conference on Financial Cryptography, FC '98, Springer-Verlag, Vol. 1465, LNCS, pp. 184-197, 1998.
[MOV96] A. J. Menezes, P. C. van Oorschot and S. A. Vanstone. Handbook of Applied Cryptography. Discrete Mathematics and Its Applications, CRC Press, 1996.
[Mer82] R. C. Merkle. Method of Providing Digital Signatures. U.S. Patent No. 4,309,569, Jan. 1982.
[Mer89] R. C. Merkle. A Certified Digital Signature. In G. Brassard, editor, Advances in Cryptology - CRYPTO '89, Springer-Verlag, Vol. 435, LNCS, pp. 218-238, 1989.
[MN96] D. M'Raihi and D. Naccache. Batch Exponentiation - A Fast DLP Based Signature Generation Strategy. Proceedings of 3rd ACM Conference on Computer and Communications Security, pp. 58-61, 1996.
[MVL97] Y. Mu, V. Varadharajan, and Y. Lin. New Micropayment Schemes Based on PayWords. In V. Varadharajan, J. Pieprzyk, and Y. Mu, editors, Second Australasian Conference on Information Security and Privacy, ACISP '97, Springer-Verlag, Vol. 1270, LNCS, pp. 283-293, 1997.
[NMRV] D. Naccache, D. M'Raihi, D. Raphaeli, and S. Vaudenay. Complexity trade-offs with the Digital Signature Standard. Pre-proceedings of EUROCRYPT '94, 1994.
[NMRV94] D. Naccache, D. M'Raihi, D. Raphaeli, and S. Vaudenay. Can DSA be improved: complexity trade-offs with the digital signature standard. In A. De Santis, editor, Advances in Cryptology - EUROCRYPT '94, Springer-Verlag, Vol. 950, LNCS, pp. 77-85, 1994.
[Nao90] M. Naor. Bit commitment using pseudo-randomness (extended abstract). In G. Brassard, editor, Advances in Cryptology - CRYPTO '89, Springer-Verlag, Vol. 435, LNCS, pp. 128-136, 1990.
[NMV97] K. Q. Nguyen, Y. Mu, and V. Varadharajan. One-Response Off-line Digital Coins. Proceedings of Selected Areas in Cryptography, SAC '97, 1997.
[Oka92] T. Okamoto. Provably Secure and Practical Identification Schemes and Corresponding Signature Schemes. In E. Brickell, editor, Advances in Cryptology - CRYPTO '92, Springer-Verlag, Vol. 740, LNCS, pp. 31-53, 1992.
[Oka95] T. Okamoto. An Efficient Divisible Electronic Cash Scheme. In D. Coppersmith, editor, Advances in Cryptology - CRYPTO '95, Springer-Verlag, Vol. 963, LNCS, pp. 438-451, 1995.
[OO89] T. Okamoto and K. Ohta. Divertible Zero-Knowledge Interactive Proofs and Commutative Random Self-Reducibility. In J.-J. Quisquater, J. Vandewalle, editors, Advances in Cryptology - EUROCRYPT '89, Springer-Verlag, Vol. 434, LNCS, pp. 134-148, 1989.
[OO91] T. Okamoto and K. Ohta. Universal Electronic Cash. In J. Feigenbaum, editor, Advances in Cryptology - CRYPTO '91, Springer-Verlag, Vol. 576, LNCS, pp. 324-337, 1991.
[Pai92] J. Pailles. New Protocols for Electronic Money. In J. Seberry and Y. Zheng, editors, Advances in Cryptology - ASIACRYPT '92, Springer-Verlag, Vol. 718, LNCS, pp. 263-274, 1992.
[PMPS00] J. Pastuszak, D. Michalek, J. Pieprzyk, and J. Seberry. Identification of Bad Signatures in Batches. In H. Imai and Y. Zheng, editors, Third International Workshop on Practice and Theory in Public Key Cryptography, PKC 2000, Springer-Verlag, Vol. 1751, LNCS, pp. 28-45, 2000.
[Ped96] T. Pedersen. Electronic Payments of Small Amounts. In T. Mark and A. Lomas, editors, International Workshop on Security Protocols, pp. 59-68, 1996.
[Pol75] J. Pollard. A Monte Carlo method for factorisation. BIT, Vol. 15, pp. 331-334, 1975.
[Pom82] C. Pomerance. Analysis and comparison of some integer factoring algorithms. Computational Methods in Number Theory, Part 1, Mathematisch Centrum, pp. 89-139, 1982.
[PS96] D. Pointcheval and J. Stern. Security Proofs for Signature Schemes. In U. Maurer, editor, Advances in Cryptology - EUROCRYPT '96, Springer-Verlag, Vol. 1070, LNCS, pp. 387-398, 1996.
[PKC93] Public Key Cryptography Standards (PKCS). RSA Data Security, Version 1.5, 1993.
[Rab77] M. Rabin. Digitalized signatures. In Foundations of Secure Computation, Academic Press, New York, 1978.
[Riv92] R. Rivest. The MD5 message-digest algorithm. Internet Request For Comment (RFC) 1321, April 1992.
[Riv97] R. Rivest. Electronic Lottery Tickets as Micropayments. In R. Hirschfeld, editor, First International Conference on Financial Cryptography, FC '97, Springer-Verlag, Vol. 1318, LNCS, 1997.
[RS84] R. Rivest and A. Shamir. How to expose an eavesdropper. Communications of the ACM, Vol. 27, pp. 393-395, 1984.
[RS96] R. Rivest and A. Shamir. Payword and MicroMint: Two Simple Micropayment Schemes. In T. Mark and A. Lomas, editors, International Workshop on Security Protocols, Springer-Verlag, Vol. 1189, LNCS, pp. 69-87, 1996.
[RSA78] R. L. Rivest, A. Shamir, and L. Adleman. A method for obtaining digital signatures and public key cryptosystems. Communications of the ACM, Vol. 21(2), pp. 120-126, 1978.
[Sch90] C. P. Schnorr. Efficient Signature Generation for Smart Cards. In G. Brassard, editor, Advances in Cryptology - CRYPTO '89, Springer-Verlag, Vol. 435, LNCS, pp. 239-252, 1990.
[Sch91] C. P. Schnorr. Efficient Signature Generation by Smart Cards. Journal of Cryptology, Vol. 4(3), pp. 161-174, 1991.
[Sha83] A. Shamir. On the Generation of Cryptographically Strong Pseudorandom Sequences. ACM Transactions on Computer Systems, Vol. 1(1), 1983.
[SLH99] X. Shen, Z. Liu, and L. Harn. A Batch-Verifying Algorithm for Multiple Digital Signatures. Proceedings of the IASTED International Conference on Parallel and Distributed Computing Systems, MIT, Boston, USA, November 1999.
[Set97] SET Specification Book 1: Business Description. Mastercard & Visa, Version 1.0, May 1997.
[Tra99] J. Traore. Group Signatures and Their Relevance to Privacy-Protecting Off-Line Electronic Cash Systems. In J. Pieprzyk, R. Safavi-Naini, and J. Seberry, editors, 4th Australasian Conference on Information Security and Privacy, ACISP '99, Springer-Verlag, Vol. 1587, LNCS, pp. 228-243, 1999.
[Tsi97] Y. Tsiounis. Efficient Electronic Cash: New Notions and Techniques. Ph.D. Thesis, College of Computer Science, Northeastern University, Boston MA, June 1997.
[Tsu93] Y. Tsuruoka. A Fast Algorithm on Addition Sequence. JWISC '93, 1993. (Cited in [MN96].)
[War98] D. R. Warwick. Ending Cash: The Public Benefits of Federal Electronic Currency. Quorum Books, Westport Conn., 1998.
[Whe96] D. Wheeler. Transactions Using Bets. In T. Mark and A. Lomas, editors, International Workshop on Security Protocols, Springer-Verlag, Vol. 1189, LNCS, pp. 89-92, 1996.
[Wie98] M. Wiener. Performance Comparison of Public-Key Cryptosystems. CryptoBytes, Summer '98, RSA Laboratories, 1998.
[YB92] Y. Yacobi and M. Beller. Batch Diffie-Hellman Key Agreement Systems and their Application to Portable Communications. In R. Rueppel, editor, Advances in Cryptology - EUROCRYPT '92, Vol. 658, pp. 208-220, 1992.
[YB97] Y. Yacobi and M. Beller. Batch Diffie-Hellman Key Agreement Systems. Journal of Cryptology, Vol. 10(2), pp. 89-96, Spring 1997.
[YL95] S. Yen and C. Laih. Improved Digital Signature Suitable for Batch Verification. IEEE Transactions on Computers, Vol. 44(7), pp. 957-959, July 1995.
[YLL94] S. Yen, C. Laih, and A. Lenstra. Multi-exponentiation. IEE Proceedings, Part E: Computers and Digital Techniques, Vol. 141(6), pp. 325-326, 1994.
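The group membership check that Appendix I recommends the merchant perform, as an added worked example that is not code from the thesis. The parameters p = 53 and q = 13 (so q | p - 1 = 52 = 4 · 13) and every function name here are my own constructions, chosen small enough to follow by hand. The block shows that an honest component A = g^x passes A^q = 1 mod p, that sA mod p for an element s of order 4 does not, and how often a verifier that omits the check would still accept the manipulated value (roughly 1/ord(s), as Appendix I states).

```python
"""Merchant-side group membership check for a Brands-style coin component.

Added example with constructed toy parameters: p = 53 and q = 13, so that
q | p - 1 = 52 = 4 * 13. G is the order-q subgroup of Z_p^*. A valid coin
component A lies in G; the check A^q = 1 mod p rejects a value sA mod p that
has been multiplied by an element s of small order t (here t = 4).
"""
from fractions import Fraction

P, Q = 53, 13   # constructed toy parameters, far too small for real use


def in_group(a: int, p: int = P, q: int = Q) -> bool:
    """True iff a is in the order-q subgroup G of Z_p^*, i.e. a^q = 1 mod p."""
    return 0 < a < p and pow(a, q, p) == 1


def element_order(x: int, p: int) -> int:
    """Multiplicative order of x in Z_p^*, by brute force (toy sizes only)."""
    k, y = 1, x % p
    while y != 1:
        y = (y * x) % p
        k += 1
    return k


def generator_of_group(p: int = P, q: int = Q) -> int:
    """Some generator of G: h^((p-1)/q) for the first h giving a non-identity."""
    for h in range(2, p):
        g = pow(h, (p - 1) // q, p)
        if g != 1:
            return g          # q is prime, so any non-identity power has order q
    raise ValueError("no generator found")


def element_of_order(t: int, p: int = P) -> int:
    """Some s in Z_p^* with ord(s) = t; requires t | p - 1."""
    if (p - 1) % t != 0:
        raise ValueError("t must divide p - 1")
    for h in range(2, p):
        s = pow(h, (p - 1) // t, p)
        if element_order(s, p) == t:
            return s
    raise ValueError("no element of that order")


def acceptance_rate_without_check(s: int, p: int = P, q: int = Q) -> Fraction:
    """Fraction of responses r' in Z_q with s^{r'} = 1 mod p.

    For exactly those r' the manipulated component A' = sA satisfies
    A'^{r'} = A^{r'}, so a verifier that skips the group check accepts.
    """
    hits = sum(1 for r in range(q) if pow(s, r, p) == 1)
    return Fraction(hits, q)


def demo() -> dict:
    """Honest component A in G versus manipulated component sA outside G."""
    g = generator_of_group()
    a_honest = pow(g, 7, P)      # stands in for (g1^u1 g2)^s; exponent 7 is arbitrary
    s = element_of_order(4)      # low-order element, not in G
    a_bad = (s * a_honest) % P
    return {
        "honest_in_group": in_group(a_honest),
        "manipulated_in_group": in_group(a_bad),
        "order_of_s": element_order(s, P),
        "rate_without_check": acceptance_rate_without_check(s),
    }


if __name__ == "__main__":
    print(demo())
```

The check costs one exponentiation to the power q per coin, which is the added expense Appendix I mentions; without it the verifier's two equations accept the manipulated component whenever t divides the response, here 4 of the 13 possible responses.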
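The leaf-code convention of Appendix II ('0' for a branch to the left, '1' for a branch to the right), as an added example that is not part of the thesis. The frequency table FREQS and all function names are constructed for illustration. The block builds the Huffman tree for the table, reads each leaf's code off its root-to-leaf path (so a leaf's depth equals its code length), and checks that the resulting code is prefix-free so a bit string decodes unambiguously.

```python
"""Huffman tree and leaf codes as root-to-leaf paths.

Added example, not code from the thesis. The frequency table below is
constructed. Codes follow the Appendix II convention: '0' for a branch to the
left, '1' for a branch to the right.
"""
from __future__ import annotations

import heapq
from dataclasses import dataclass
from itertools import count
from typing import Optional

# Constructed sample frequencies (symbol -> count).
FREQS = {"a": 5, "b": 2, "c": 1, "d": 1}


@dataclass
class Node:
    weight: int
    symbol: Optional[str] = None        # set on leaves only
    left: Optional["Node"] = None
    right: Optional["Node"] = None

    def is_leaf(self) -> bool:
        return self.left is None and self.right is None


def build_huffman_tree(freqs: dict[str, int]) -> Node:
    """Repeatedly merge the two lightest subtrees; the lighter becomes the left child."""
    tie = count()   # unique tie-breaker so heapq never compares Node objects
    heap = [(w, next(tie), Node(w, s)) for s, w in sorted(freqs.items())]
    heapq.heapify(heap)
    while len(heap) > 1:
        w1, _, n1 = heapq.heappop(heap)
        w2, _, n2 = heapq.heappop(heap)
        heapq.heappush(heap, (w1 + w2, next(tie), Node(w1 + w2, None, n1, n2)))
    return heap[0][2]


def leaf_codes(root: Node) -> dict[str, str]:
    """Map each symbol to the path from the root to its leaf ('0' left, '1' right)."""
    codes: dict[str, str] = {}

    def walk(node: Node, path: str) -> None:
        if node.is_leaf():
            codes[node.symbol] = path or "0"   # single-symbol tree gets a one-bit code
            return
        walk(node.left, path + "0")
        walk(node.right, path + "1")

    walk(root, "")
    return codes


def height(node: Optional[Node]) -> int:
    """Number of nodes on the longest root-to-leaf path (Appendix II definition)."""
    if node is None:
        return 0
    return 1 + max(height(node.left), height(node.right))


def is_prefix_free(codes: dict[str, str]) -> bool:
    """No code word is a prefix of another; checking adjacent sorted words suffices."""
    words = sorted(codes.values())
    return all(not b.startswith(a) for a, b in zip(words, words[1:]))


def weighted_length(freqs: dict[str, int], codes: dict[str, str]) -> int:
    """Total encoded length of the source: sum of frequency times code length."""
    return sum(freqs[s] * len(codes[s]) for s in freqs)


def encode(text: str, codes: dict[str, str]) -> str:
    return "".join(codes[ch] for ch in text)


def decode(bits: str, root: Node) -> str:
    """Walk the tree bit by bit; each arrival at a leaf emits one symbol."""
    if root.is_leaf():
        return root.symbol * len(bits)
    out, node = [], root
    for bit in bits:
        node = node.left if bit == "0" else node.right
        if node.is_leaf():
            out.append(node.symbol)
            node = root
    return "".join(out)


if __name__ == "__main__":
    tree = build_huffman_tree(FREQS)
    print(leaf_codes(tree), height(tree))
```

With the sample table the tree has height 4, the most frequent symbol sits at depth 1 with code "1", and the two rarest symbols share a parent at depth 3; the same root-to-leaf path identification is what lets a leaf in a signature tree be located by its code.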