Third International Conference on Financial Cryptography (FC '99)
February 22--25, 1999
Anguilla, British West Indies

By Ryan Lackey, Olin Sibert, and Alex van Someren
(, (, and (, resp.

[This report is my attempt to synthesize reports from each
contributor.  It is not a collaboration between its authors.  Thus,
all deserve credit for their contributions, but none is necessarily
responsible for specific statements. -Paul Syverson]

The third annual Financial Cryptography Conference (FC 99) was held in
Anguilla in the British West Indies from Monday February 22 through
Thursday February 25, 1999. The conference was a rousing success,
Attendance was up again with approximately 130 participants from
business, academia, and government with interests in cryptology,
computer security, and/or the financial industries. There were many
new attendees from previously unrepresented venues.  For example,
Victor Dostov led a contingent from St. Petersburg, Russia to hear
from others and to talk about their own PayCash system for anonymous
transactions.  They are backed financially by Tavrichesky Bank in
St. Petersburg, and one can find more information adn a demo of their
system at

Once again, the conference took place in the increasingly cramped
surroundings of the purpose-built conference facility at the
InterIsland Hotel in Anguilla, BWI. Fortunately, the industrial
dispute of American Airlines pilots apparently failed to disrupt the
arrival of delegates from the United States. However, as is by now
traditional, a certain amount of luggage remained sulking in San Juan,
Puerto Rico even after its owners had been delivered. All parties did
eventually seem to catch up with each other.

As usual, the conference delegates were welcomed by the Anguillan
Minister of Tourism. He reminded us that Anguilla's offshore tax haven
status continues to be an incentive for the conference to be located
there. Naturally, financial issues are thematic to the conference
itself: sponsor and exhibitor e-Gold brought this home by distributing
silver dollars to those who took time to learn more about their
service (of which more later).

One of the most popular technical themes was anonymous digital money
protocols. The basic principles of these schemes, using blind
signatures, have not changed significantly in recent times, but
improvements were presented which recognised practical
necessities. Firstly, that complete anonymity is e-cash schemes is
undesirable, due to the possibility of undetectable blackmail or bank
robbery, and the needs of the law enforcement agencies to trace money
involved in criminal activity. Secondly, that detection of abuse such
as double-spending of electronic coins needs to be practical.

The conference was sponsored by: 
E-Gold, gold-backed electronic payment system,; 
Euro RSCG Interactive, web development and marketing,; 
Hansa Bank, Anguilla offshore bank,; 
nCipher, high speed hardware cryptographic accelerators,;
Offshore Information Services, Anguilla server hosting,

The remainder of the description focuses on the technical program,
consisting of presentations by cryptology and computer security
researchers and practitioners.  Highlights included the Tuesday
"Crypto Predictions" invited talk by Adi Shamir, and the two panels on
certificate status (Tuesday) and copyright issues (Wednesday).
Speakers are [sometimes] identified by name and affiliation; an
asterisk(*) identifies the presenter.

As in 1998, the conference was opened by Victor Banks, the Anguillan
Minister of Finance, who thanked us for coming and said we were very
important to the island, both as an event and as the creators of the
concepts on which much of Anguilla's success might be based.  Banks
spoke of Anguilla's favorable position to attract financial
cryptography businesses, due to favorable tax situation, good weather,
suitable regulation (including strict financial secrecy laws), and
also proposed the idea of a "technology park" within which certain
undesirable features of Anguilla, such as the telecommunications
monopoly of Cable and Wireless, would be suspended.  He apologized for
being unable to stay, explaining that there was an election happening
on March 4.

Monday Morning (22 February) - Technical Program

After the opening remarks, the first conference session, "Electronic
Commerce", began.  This session was chaired by Matt Franklin.  

The first paper was "Experimenting with Electronic Commerce on the
PalmPilot" by Neil Daswani (*) and Dan Boneh (Stanford).

Neil described an electronic payment system implemented in a
PalmPilot.  For these purposes, the PalmPilot is used like a smart
card, but has no tamper resistance--so stored value schemes (like
Mondex) are problematic. However, the device is implicitly trustworthy
(and can interact with the user), so fraud by merchant terminals isn't
an issue.  The implementation is based on Rivest's PayWord scheme,
adjusted to minimize storage and processing requirements; in
particular, it uses RSA signatures in one direction (to the PalmPilot)
and Elliptic Curve in the other, taking advantage of the superior
performance of RSA verification and ECC signing.  They had to contend
with the Pilot's small memory, slow processor, and other limitations,
and in the process benchmarked various cryptographic algorithms on the
Pilot platform -- for instance, a 1024-bit RSA keypair generation
would take approximately 20 minutes, also rapidly draining the
device's batteries.  Their design was driven by these limitations to
use a hybrid ECC/RSA system, as certain operations in the RSA
cryptosystem were substantially faster than in the ECC cryptosystem
and vice versa.  It also used a hash chain in order to minimize the
number of public key operations required.  The experimental
application was to use a variant of the "Payword" scheme, called
PDA-Payword, to purchase goods from a vending machine on the Stanford
campus, using a docking system to interface with the pilot at point of
sale.  Their system only functioned with a single bank and single

Some of the audience questions and suggestions seemed very productive
-- online/offline precomputed signatures were suggested as a means of
minimizing online computation on the limited Pilot platform, as well
as schemes to use a desktop computer for high-speed calculation,
downloading partially computed signatures to the Pilot for later use.

"Blinding of Credit Card Numbers in the SET Protocol"
Hugo Krawcsyk (Technion, IBM Research), presented by Gene Tsudik(*)   

This paper describes a mechanism for blinding customer identity in SET,
necessary because customer identity is transmitted in the clear, in the
customer's certificate (which is transmitted in the clear because of
export considerations).  The transaction itself (which is encrypted)
carries the actual credit card number, which is matched against the
customer ID using an HMAC-based construction that provides both secrecy
and unforgeability.  These properties are important because credit card
numbers are relatively small (20 digits), so it should not be possible
to guess valid numbers, or to validate guesses.

This talk described in excruciating detail the design process which
led to the selection of the SHA-1 HMAC construction as the credit card
number blinding function in the SET protocol.  SET requires the
creation of a cardholder ID which is related to the cardholder's
credit card number, but must protect the credit card number itself
from evesdropping, as well as protection from exhaustive search of the
(small) credit card number space.  The function must also be collision
resistant.  However, linkability across transactions is acceptable.
HMAC SHA-1 meets these requirements, and has been selected as the
official SET blinding function.

After a brief coffee break, the next session commenced -- "Anonymity Control",
chaired by Yair Frankel.

"Trustee Tokens - Simple and Practical Anonymous Digital Coin Tracing"
Ari Juels(*) - RSA Laboratories

Ari presented a simplified anonymous coin system, trading off features
and trustee flexibility for simplicity of protocol.  The scheme requires
Alice to send a blank coin and blinding factor to a trustee, who
validates the coin, and returns a signed trustee token, which is then
used by the bank when issuing the actual coin.  The scheme can be
extended to prevent the trustee from spending coins, and to allow a
single trustee interaction to validate many coins.  It is based on
Chaumian E-cash, but may be extensible to other schemes as well.

Ari believes that the extensions to blinded electronic cash have
compromised the initial simplicity and elegance of the design in their
pursuit of various features, including tracing of coins.  In this
system, the user interacts with a trustee during coin withdrawal,
providing the issuer of the coins with transcripts, or tokens, of
interaction with the trustee which assure the issuer that the trustee
can trace coins on demand.  This system can be layered on top of many
electronic cash schemes, and is relatively efficient.  A great deal of
efficiency can be realized by the user withdrawing large numbers of
trustee tokens instead of going to the trustee before every

In the questions following the presentation, the point was raised that
if the user had large numbers of trustee tokens on the user's hard
drive, they became an attractive target for theft if the user was
forced to withdraw coins.  Another audience member was concerned that
the trustee could steal coins of the user, which is addressed by using
a public key pair rather than the coin itself in the trustee token.
Finally, questions of general trustee policy and the requirements to
become a trustee were raised -- it is important that malicious users
not be able to be their own trustees, but also important that honest
users be given a wide enough selection of trustees to assure that the
trustees do not collude to spuriously unblind users' coins.

"A New Approach for Anonymity Control in Electronic Cash Systems"
Tomas Sander(*), Amnon Ta-Shma, International Computer Science Institute,   

This paper's goal is to be able to deter money laundering and related
activities by limiting the amount of E-cash that any particular user
can have, while still preserving the privacy of legitimate users.
This paper is one of the first online electronic cash systems to take
advantage of a fundamental observation -- of those activities
requiring financial privacy, only those made by criminals involve
large amounts of money -- honest users do not particularly want their
few large transactions, such as buying real estate, to be highly

Because traditional E-cash is transferrable, laundering is easy--but
introducing a "non-transferrability secret" (NTS) that is valuable to
the users, and required to effect transfers, motivates user not to
engage in inappropriate behaviour.  In their system, Sander and
Ta-Shmra restrict users to a single account, a maximum monthly
withdrawal of US$ 10 000, and incorporate a "non-transferability
secret" to prevent a subset of the users from pooling funds for
illegal purposes.  The system provides guaranteed anonymity for
transfers under $10k/month, without having to trust an external
trustee, unlike most other "fair electronic cash systems".  The scheme
is based on Brands' E-cash, because it appears that blind signature
schemes may be unable to be usable except by involving escrow agents.
A questioner pointed out that laundering can always occur in small
denominations spread over a large number of users, perhaps by
automated software.
Sander and Ta-Shmra concede that their system could be used for small
time criminals, but raise the question of exactly how desirable it is
to provide the authorities with highly detailed data on small
transactions, even technically illegal ones, if the cost is privacy
for average users.

In the next session, Fraud Management, chaired by David Goldschlag, there
was a last minute change of schedule.  Yacov Yacobi's talk was delayed
until Thursday and replaced by the following.

"Dynamic Fault-Robust Cryptosystems for Enterprise Organizational Change   
Yair Frankel(*) and Moti Young (CertCo)

This paper explored handling organizational changes (such as changes in
roles and duties, mergers and spinouts, etc.) that require reassignment
of cryptographic keys and rules involving keys.  "Views" are defined to
represent each party's knowledge of the system state and inference rules
for making deductions.  Fault-tolerant cryptographic primitives, such as
revocation, threshold schemes, can be used to accommodate changes.

A very interesting question was raised after this presentation: how
does one deal with root keys and the very top of the tree during major
corporate events such as mergers? There seems to be no clear answer to
this question, although there was some handwaving about involving the
board of directors.

"Assessment of Counterfeit Detection Systems for Smart Card Based E-Cash"
K. Ezawa, G. Napiorkowski, M. Kossarski(*) (Mondex International)

The authors describe a simulator for the Mondex environment, modeling
the behaviour of system participants (consumers, merchants, issuers), as
well as the monitoring systems, in the face of attacks.  Ledger controls
are used (and planned) in the system to detect introduction of
counterfeit value, matching total float against transactions.  The
attack scenario involved 200 days of normal use, followed by 6 days of
attack (1 test, 1 full attack, 1 monitoring, and 3 more full attack),
and was successfully detected. 
This presentation was primarily about the Mondex system
and Mondex's internal simulators.  They have a system which allows Mondex
to simulate the injection of counterfeit value into the system, then
monitor its dispersion through the system, under various fraud detection
mechanisms, to see how fast counterfeit value spreads diffuses through
the system and is redeemed.  Their model assumes payee cards cannot
distinguish between counterfeit and real mondex cash, and takes advantage
of the Mondex design feature whereby hardware-enforced value limits are
possible on each device.  They also have made the decision to maximize
Mondex income, rather than making fraud impossible -- if it costs a huge
amount of money to compromise a card, and the expected return is less,
there are not concerned, calling this simple vandalism.

A questioner asked what would be done in response to such an attack,
which was answered, roughly, as "we've thought about it, we have rules
and procedures, and we'll deal with it if it happens"

A point raised in separate discussion after the presentation is that a
widespread attack on the Mondex system may be successful, as if one
can spend a large amount of money to come up with an efficient way to
compromise cards, then compromise a large number of cards, it may be
possible to make a net profit.  Also, the question of compromising
Mondex without compromising the smartcards themselves, by tampering
with client software on the user's PC to divert payments covertly to
the attacker, was not addressed in the Mondex fraud prevention model.

Monday Afternoon (22 February) - Exhibitor Sessions

"Governance in DigiGold"
Ian Grigg (Systemics, E-Gold)

In this exhibitor talk, Ian described the processes that are used by
the gold-backed DigiGold banking system. There are three types: static
governance, representing the "Ricardian Contract" (which is both
human-readable and machine interpretable, and digitally signed) of the
bank with its customers; dynamic governance, providing realtime,
user-initiated auditing of the bank's operation, and structural
governance, which deals with separation of duties, auditing, and
limiting the trust placed in bank employees (and is required because
cryptography alone cannot stop insider fraud).

He presented his seven layer financial cryptography model, and
specifically went into his layer five, governance, which is
responsible for ensuring the underlying layers (cryptography, software
engineering, electronic cash, and accounting) are operating to support
the transport of value and the user-level application, and that the
transport of value and user-level application are conducted within
pre-defined rules.

Ian introduced several security features of general applicability
which are being implemented for the system.  The first
technique is static defense, using cryptographically signed contracts
which fully specify the behavior of various parties in the system.  In
the Ricardo system on which is built end-users agree to
contracts before using a particular currency, and a currency is
identified by the cryptographic hash of the currency's own contract,
ensuring that the contract cannot be changed without a user's
knowledge and acceptance.

The second technique is dynamic defense, using realtime auditing.
Many auditors involved in electronic commerce have spoken of increased
frequency of audits for electronic commerce businesses, and the
Ricardo system allows the ultimate evolution of this -- any end user
can perform a full audit on the entire system at any time.

The final set of techniques is structural protection, including the
very important separation of concerns.  In the DigiGold system, a
multiplicity of parties are involved in well defined roles to ensure
that no single party can defraud the system.  The e-gold system is
used to hold the gold reserves, the server operator is responsible
solely for technical operation of the DigiGold server, there is a day
to day operations manager responsible for handling normal user
transactions, a trusted third party who can generate new money but
only send it to the manager, and the legal entity that is DigiGold has
a board of direction responsible for ensuring various parts of the
system operate correctly.  Each of these roles can be subdivided to
require multiple individuals, and external auditing can be added to

 An interesting observation was that DigiGold started out using the
PGP web-of-trust signature model, then switched to X.509 as an
"emerging standard", and now plans to switch back to the PGP model
because it works so much more effectively.  Questions covered dispute
handling (some protection from protocols, maybe use personal hardware
devices to limit scope of fraud), understanding the bank's contract
(which experts will analyze, and render opinions), and the PGP/X.509

Locating and Managing Your Intellectual Property Offshore
Lynwood Bell(*) (Span/Hansa Group, Hansa Bank)

Lyn talked about how business enterprises can be structured to achieve
tax advantages by holding assets in Anguilla, and illustrated with two
examples: Murex, a pharmaceutical company, and the (unnamed) former
owner of the domain name "".  Murex holds its patents in
Anguilla, which means that infringement suits in other countries can
only shut down local manufacturing operations, not the whole business,
and also raises a significant barrier to suits in general--as well as
making the company operate free of corporate taxes.  The domain name
company is more of a pure tax play: it was able to sell the ""
name at a huge profit, all untaxed because it was realized in
Anguilla. Lyn characterized a few tests for offshore location: Can the
valuable asset be moved? Can the work be subcontracted to another
location (e.g., Anguilla company contracts to implementers in San Jose)?
Can revenues reach the haven (sales good, royalty income bad,
typically)? Is the plan defensible?  (If the enterprise makes its
initial invitation and business offer via an Anguilla-located server,
and does acceptance and transfer of title there as well, it's strongly
defensible, even if much other activity takes place elsewhere).

Lyn Bell distinguished between tax treaty and full tax haven countries,
differentiating between Anguilla (which is a tax haven) and Barbados (which
is a tax treaty country, at least with Canada).  The Span-Hansa group has
affiliates in both locations, and Bell described situations in which it 
would be appropriate for a business to choose one location over the other.

The presentation's most insistent point was that it is critical to
move one's business offshore before it has real value, whenever
possible.  Bell presented the example of Microsoft, one of the most
highly capitalized corporations in the world; for it to leave the
United States would carry an impossible tax burden.  He said that for
many conference attendees, it should be possible to move intellectual
property, such as a new electronic cash system, offshore immediately
after it is developed, before it has any real value, and thus avoid
taxes on it entirely.

He described several potential pitfalls, including the taxes on
royalties enforced by many nations.  Since many pieces of intellectual
property, including software, are licensed on a royalty basis, this is
an especially relevant issue.  Effectively, royalty streams are taxed
by many nations even if the parent entity is offshore.  Bell estimates
that the Span-Hansa group has been responsible for billions of dollars
in deals over the past 10 years.

Hansa Bank, and Counsel Ltd (the corporate services affiliate), offered a
special deal for conference attendees, establishment of an Anguillan
corporation for half the normal price of $1100, or $550, to take advantage
of the unique advantages of an Anguillan corporation.

Monday's evening event was a cocktail party at the Mariner's hotel on
Anguilla, one of the recommended hotels for the conference.  After
this cocktail party, some attendees went to a local French restaurant
for continued discussion of financial cryptography.  During that
conversation, one of the main problems of internet electronic payment
systems was discussed -- how to add value to the system quickly and
conveniently for the average user, and how to allow those users to
redeem value from the system.  Among the diners were Bob Hettinga,
founder of the Financial Cryptography conference series, and Paul
Guthrie, VP for Research at VISA International.

Hettinga suggested (and continued to maintain) that the ATM networks
(e.g. Cirrus, Plus) were the best means of doing this, having the
electronic cash mint act as a third party ATM, with electronic cash
withdrawals and deposits being treated exactly like physical cash.
Guthrie, who is familiar with the ATM networks since VISA owns one of
them, argued that the ATM networks were unsuitable due to security
requirements for PIN entry into only approved tamper-resistant
modules, general unavailability of third-party bank deposits on the
network as a whole, and other factors.  I suggested the ACH network as
a possibility, and some electronic cash vendors have taken preliminary
steps to use this system, through membership in NACHA.  Guthrie also
suggested SET, as this would allow credit card transactions to be
conducted security over the Internet (also offered by SSL) but would
also eliminate chargeback risk for the electronic cash issuer.
Additionally, the e-gold payment system was suggested as a
repudiation-free source of funding for electronic cash systems,
operating in ounces of gold, rather than traditional government

Another interesting topic raised during the discussion was recent
investigation by Shamir and Rivest which concludes the EFF's "Deep
Crack" massively parallel machine, could be used as the "micromint
hash engine" in Rivest's MicroMint micropayment system.  This system
requires a device capable of searching for a large number of n-way
hash collisions, something Deep Crack is capable of doing.


Tuesday's session opened with Adi Shamir's invited talk, "Crypto
Predictions", chaired by Jacques Stern.

"Crypto Predictions"
Adi Shamir(*) (Weizmann Institute)

Adi started off the Tuesday session with his "Three Laws of Commercial
Security": (1) Crypto is bypassed, not broken: improving the crypto
isn't very helpful, because it's already by far the strongest link in
the chain; (2) There are no secure systems, only varying degrees of
insecurity: don't bother adding bells and whistles because complexity is
your worse enemy; and (3) To halve the insecurity, expect to double the
cost: small early investments help a lot, so it's better to make the
system convenient, transparent, and cheap--don't strive for the
unreachable airtight goal.  By these principles, there are many adequate
security designs: paper money, postage stamps, mechanical locks, vending
machines, access control, smart cards, and tickets. Some of these
systems will be used for many years, regardless of technical advantages
of replacement solutions, because they are "good enough": cost to attack
is much greater than expected return.

He illustrated the notion of "bypass" attacks with some examples: The
first example breaks a "Provably correct implementation of
unconditionally secure key exchange protocol using quantum
cryptography" by sending light back down the optical fiber to read the
polarizer angle directly (rather than anything to do with the single
photons used in the protocol.  That is, after the keys are set up, one
taps the fiber and sends a strong pulse of light back through the
fiber at the original transmitter, then reads the internal reflections
from the transmitter itself to determine the earlier polarization
configuration of system.  Shamir says none of the systems under test
today resist this simple attack.  The second example fabricates a
false "Tamper-proof photo-ID document" by submitting a "photograph"
printed in two types of ink: one that fades over time, and one that
becomes apparent over time (perhaps after being exposed to strong UV
light).  This would allow the photograph to be changed after the fact
without tampering with the lamination at all.  The third example
allows cheating on multiple-choice exams by sending morse code through
a mobile phone or pager's vibrating indicator--a signal not
perceptible to the proctors.

Shamir broke with some of the security community by advocating some
measure of security through obscurity, at least for systems small
enough to attract attention from an attacker themselves.  He also
advocates a diversity of underlying designs.  He was primarily
concerned that a flaw would be found in a widely deployed system, such
that a "scripted" attack could be mounted on a large number of sites
with little marginal cost, and also that deploying a single system
widely raises the incentive for attackers to test it.

Generally, those in the Internet security community have encouraged
widely publishing their designs (unlike the intelligence, finance, and
telecommunications industries), such that a maximum number of
researchers can test it.  Shamir's proposal is something of a
departure from this, although his reasons are good.

Adi's prediction for E-commerce is that it will continue to expand
rapidly, generating both huge stock valuations and many business
failures, and will use primarily SSL ("good enough"), not SET, anonymous
cash, or other specialized schemes.

He predicts that E-Cash (e.g., Mondex) will not be successful short-term
as an alternative for cash in physical commerce, but may see success in
closed systems such as enterprises, universities, and the military; a
key is including E-Cash as part of a multi-application smart card.

Micropayments over the Internet, on the other hand, he predicts will
begin to be widely used (e.g., the MicroMint system) because they fill a
real need, have no export controls, and can be implemented and
integrated with today's technology.

Adi expects that Smart Cards are headed for a major crisis, largely
because of indirect attacks (fault analysis, timing analysis, power
analysis, etc.).  He described an extension to Kocher's power analysis
(joint with Eli Biham) which detects the Hamming weight of
individual bytes being written to memory and can therefore be used to
solve a series of linear equations to deduce values when bits are
related (as they are, for example, in DES key schedule generation).

Shamir had an even more grave predition about security on the desktop
computer.  He said, "I think the PC architecture is basically doomed
as a security device.  If I were selecting security features for the
world's worst security architecture, all of those features are present
in the PC."  The architecture is completely open, every file can be
modified by any program, programs come from unknown sources, etc. The
problem is getting worse, and is exacerbated by the overwhelming
complexity of operating systems (35 million lines of code in Windows
2000?).  The only secure solution seems to be a new class of simple,
securable devices.  He also recounted an interaction with the Israeli
state security apparatus in which they revealed absolutely no
investigations were seriously hampered by the use of encryption
technology by suspects, due to other weaknesses in overall security,
or simply quality investigative work.  "PCs are the worst possible
platform for secure computation, and the situation is getting worse."
He also quoted RFC 602, demonstrating that the problem has been around
since the days of the ARPAnet.  However, he admitted that this
analysis was only of the Microsoft Windows platform, not alternate
operating systems for personal computers.

He predicts a major relaxation of export controls over the next few
years, but an unanticipated consequence of the Y2K bug: it will permit
introduction of malicious code into many, many systems, allowing
information warfare attacks on those systems months or years later, long
after backups are decommissioned or useless.

Finally, for cryptographic algorithms, he predicts that the AES process
seems like it will yield ciphers "good enough" for any foreseeable
application (even 50 years of Moore's Law won't help for 256-bit keys);
that multivariate public key schemes will continue to prove
unsuccessful; and that factoring-based schemes seem to be OK today,
although it's been 10 years since a major factoring breakthrough, and
another may come soon.  In response to questions, Adi was skeptical
about quantum computation ever being practical for real problems, and
suggested that elliptic curve and factoring are about equally
vulnerable--for especially strong security, one could use both.

The next session, Public-Key Certificates, was chaired by Clifford Neuman.

"Reasoning About Certification: On Bindings Between Entities and Public   
Reto Kohlas(*), Ueli Maurer (ETH)

This paper addressed the need for a language and formal semantics to
express the relationships between public keys and responsible entities.
It's important to formalize the relationship, because simple statements
(e.g., "the entity owns the public key", "the entity claims sole
ownership of the public key") mean different things, and, worse, are
inherently suspect.  The important statement seems to be "the entity is
liable for statements signed with the key", and the authors introduce
the concept of Views (which may differ for different parties, such as
the transaction participants versus judges) and inference rules for
determining what statements are valid within a view.  The model is
incomplete: it needs to address attributes, authorization, timestamps,
and revocation. A questioner observed that there is a superficial
similarity to BAN logic; BAN deals with authentication, which is
different from this logic.

They presented several interesting statements: sole ownership of a key can
generally not be verified or certified; ownership of a key alone is generally
acceptable except for situations where the key is used to assume liability,
in which case legally binding commitments are needed; and 
self-certificates imply ownership of the corresponding private key.

"Online Certificate Status Checking in Financial Transactions: The Case   
For Reissuance"
Barbara Fox, Brian LaMacchia(*) (Microsoft)

The point of this paper is that the response to an online query ("is
this certificate still valid?") is really just another certificate,
likely with a limited validity period.  These certificates are
important for high-value transactions, because freshness is
increasingly important as transaction value increases.  Using
certificates, rather than another specialized form of "validity
response" also simplifies issuance of receipts (i.e., the certificate)
and sale of transactions (because a chain of freshness certificates
can be accumulated as the transaction passes from hand to
hand). LaMacchia also presented reissuing certificates with short
expiration periods rather than using OCSP as a way of minimizing
complexity and redesign in existing code.  Questioners asked about
representing repudiation semantics, and whether it's a good idea to
have the CA be making policy decisions about freshness, rather than
the certificate user.  Another question asked whether XML would be a
more convenient representation than X.509; it would, but we have X.509

Panel:  Certificate Revocation and Validation: One Year Later
Mike Mayers (VeriSign)
Ambarish Malpani (Valicert)
Patrick RIchard (Xcert)
Carl Ellison (Intel)

The last technical session on Tuesday was a panel following up on the
topic introduced at FC '98.  There has been good progress: the Online
Certificate Status Protocol has moved all the way to an IESG draft, but
there are still semantic and technical issues: revocation is, at best, a
mechanism for saying "not invalid". Alternative mechanisms (signed LDAP
attributes, extended protocols for certificate acquisition, extensions
to "delta CRLs") may become important. Legal issues are still unclear
(trust model, liability transfer).

Ambarish spoke about ValiCert's implementations, and stressed that
Validation Authorities (VAs) are inherently different from Certificate
Authorities (CAs): their processes are different, response requirements
are different. etc.  This distinction argues for using different
mechanisms (perhaps several) for validation as opposed to issuance; it
also provides a framework to charge for use of certificates, rather than

Patrick talked about problems with real-world use of certificates and
revocation; the problem is bounded within enterprise environments, and
therefore amenable to technical solutions, but harder in the global
Internet, which likely cannot be satisfied by a single ubiquitous
approach.  Internet transactions, in particular, need to determine
credit validity--and don't care as much about name bindings.

Carl characterized revocation as a performance problem, not a security
problem: you choose your techniques based on your requirements.
Classical "anti-matter certificates" are easy to understand, but
inherently flawed; time-disjoint CRLs are more complex, but have a sound
underlying mathematical model, and can be tuned to place the load where
it's most appropriate, by adjusting CRL size, lifetime (in fact, using
CRLs, it's not clear that an original certificate ever has to be
signed).  However, this isn't enough: even if there are separate CAs and
VAs, it's not the case that they are the parties who can determine
whether a certificate is valid for a particular transaction.  The real
issues are semantics of trust authorization and naming, not revocation.

Floor questions included discussion of OCSP versus CRLs, and the
tradeoffs between CRL issuance frequency and CRL size.  Small, frequent,
CRLs are like OCSP; large ones are more of a problem.  OCSP can build in
decision policies of the VA, rather than relying on the client to decide
(but is this always good?), can make the important CA/VA distinction,
and can support time synchronization.  OCSP can also allow use of a
low-assurance identity certificate, validated by a high-assurance VA.
Other questions dealt with the proliferation of certificate issuers
(e.g., every Windows PC, every PGP instance); this will be an issue, but
it's important to distinguish between issuers (signing keys) and parties
that accept liability.  A final question asked whether there's really a
need for fast revocation; in practice, it seems that there aren't many
examples, and most of them (e.g., money center banks) already deal with
the problem effectively and wouldn't rely on certificate revocation
anyway. Alternatively, "If you're going to validate the certificate on
every transaction with a trusted party, why bother issuing long-term
certificates at all".

After lunch, there were no commercial sessions.  There was, however, a
meeting of the International Financial Cryptography Association, which
runs Financial Cryptography the conference.  Ron Rivest did not run
again, replaced by Adam Shostack, and Lucky Green was reelected.  The
board of IFCA thus consists of Bob Hettinga, Ray Hirschfeld, Vince
Cate, Lucky Green, and Adam Shostack.  The question of where to hold
Financial Cryptography 00 was also preliminarily discussed, and
evaluation forms were handed out.

Tuesday's evening event was the conference rump session, chaired by Avi
Rubin, replacing Matt Blaze [who was vacationing in New Jersey, rather
than sweating it out in Anguilla with the rest of us.-P.S.]

A special feature of this year's rump session was a prize offered by
E-Gold: USD$350 equivalent in an e-gold account (effectively a little
over 1 ounce of physical gold, since E-gold is 100% backed with gold
and the price of gold was approximately $290 per troy oz).  This prize
was for the best rump session presentation, as decided by a panel
appointed by Avi.  [The most fun talk, which had the advantage of
being a temporally distributed presentation, was Avi's movie guide for
Crypto geeks. The titles are given here, but it loses alot without the
movie posters. -P.S.]
The top ten cryptography movies.  These were: BreakDES at Tiffany's;
9 1/2 Weeks to Factor RSA; Saving Private Data; Good Will Hunting; The
XOR Cyst; My Own Private Key; The China Remainder Syndrome; E T mod n;
Feistel Attraction; and There's Something About m-ary arithmetic where
m is the Product of Two Large Primes.

[N.B. I caught some, but possibly not all, attribution mistakes in
the Rump Session writeup  -P.S.]

Tomas Sander spoke on "Auditable Anonymous Electronic Cash",
addressing the problem that the consumer has no recourse (in many
E-cash schemes) if the issuer goes bankrupt, using a Merkle tree to
establish an auditable correspondence between withdrawals and

Stuart Stubblebine spoke on "Stack and Queue Integrity on Hostile
Platforms", describing how to use hash functions and MACs to enable a
trusted computer (such as a smart card) to manage large data
structures in untrusted storage with O(1) overhead.

Kazue Sako, who won the Rump Session award, spoke about a "Digital
Lottery Server", an mechanism for using hash functions to make a fair,
auditable, and random choice among several participants.  She also
introduced us to Hanako, Keiko, and Yuko, who are Alice and Bob's
Japanese cousins. Specifically, she described a theoretical fair
lottery system and implementation of a different lottery system, used
in several cases already on the world wide web, originally inspired by
a need to sell an event ticket on short notice.

Paul Syverson spoke on "Establishing Title for Dynamic Objects", about
the difficulty of defining ownership of objects whose title changes
over time. He gave a very brief and highly self-referential
presentation about dynamic object things and ownership, using the
presentation itself as an example of an object which has changed
ownership from one party to another.  This puzzled the audience while
they tried to figure it out. [This was basically a joke---masquerading
as a real piece of research---about a bunch of people without a
submission to FC constructing one so they could go to the
conference. The joke was on me: more than one person came up to me
afterwards wanting to know if they could get the paper -P.S.]

Josh Jaffe then gave a much more serious presentation, with actual 
machine-printed slides.  The talk was about using power analysis to
reverse engineer smartcards, and it showed visuals of the kind of signals
recovered from smartcards during the attacks.  He also described the 
mathematical techniques used to recover meaningful data from the apparent

Paul Kocher talked about "How not to Fix Single-DES Protocols".  He
described how a response by banks to the demonstrated weakness in
DES's short keyspace, using rapid keychange, can in fact lower
security against certain kinds of attacks.  He came up with a way of
breaking DES in 2 hours on a fast PC given certain assumptions about
key change rate.  The naive solution of changing DES keys frequently
actually makes systems with known plaintext easier to break by
exploiting the time-memory tradeoff: 2^40 precomputations to create a
table with 2^24 entries enable finding keys with 2^32 effort (at
O(2^16) operations per test).

Mark Miller described his "E" programming language -- a capabilities system
built on the idea that pure objects are equivalent to pure capabilities.
The system is the latest in a series of capabilities based adventures, and
is proposed as an ideal environment for working on smart contracts, self
enforcing documents which can be executed and evaluated by a machine, 
rather than a lawyer.

Ueli Maurer described a result in "General Secure Multiparty
Computation from Any Linear Secret Sharing Scheme", which involves a
technique for performing the "multiply" operation (as well as "add")
in linear schemes that is efficient and operates on any field.  This
included means of changing users in an existing group and other
important administrative features.

Rachel Willmer talked about "Smart Cards on the Internet".
 She asserted smartcards (not just Mondex but smart cashcards in
general) will in the future prove good at providing an equivalent for
cash on the Internet, sharing many of the same characteristics -
low-value, immediate settlement, relatively private, two-way
transactions - whereas credit and debit cards cannot do this.  Also
she noted that in the "real-world" trials, smartcards have proved good
at replacing coins, e.g. in parking meters, laundromats -- but not
proved as good in transactions already suitable for credit and debit
cards.  She also brought up the smartcard reader deployment problem,
but said these are coming down in price, which should help solve the
problem, although not necessarily in the US first.

Ian Goldberg talked about the "ZeroKnowledge Anonymity Service",
pointing out that "anonymous E-cash" isn't very anonymous when your IP
address is being disclosed while making payments on the Web.  The
ZeroKnowledge product enables efficient IP-level anonymity services
for arbitrary higher-level protocols.  The system appeared to be a
combination of mixmaster remailers, onion routers, crowds, and other
systems, commercially packaged.

Bryce Wilcox talked about "Using the Rivest and Shamir Interlock
Protocol for Half Duplex Communications", describing a scheme based on
contingent messages, in which each party anticipates the other party's
potential responses, to send inherently one-way communication with the
Interlock Protocol.

Viktor Dostov spoke on the "PayCash System for Online Payments",
addressing the problem that the bank must be trusted (because it can
fake double-spending) in a traditional Chaumian E-cash system, using a
structure called PayBooks.

Adam Shostack spoke on "Towards Eliminating the Middleman in Money
Laundering", describing a scheme involving apparently legitimate
merchants to enable distribution of illegal goods without involving an
explicit money launderer using cryptographic receipts from the store
as token currency.

Paul Lambert spoke on "An Efficient Public Key Language", a work in
progress designed to make efficient public key certificates
(especially elliptic curve) with simple semantics, small size (under
50 bytes, total), and no ASN.1.  This had applications such as tiny
certificates for 2-d barcode postage indicia, using very small
signatures, and an application-specific increase in efficiency by
eliminating verbose generic headers.

Neil Daswani spoke about a cryptographic deletion system.

Phil MacKenzie spoke on "Compromivacy", for compromise of privacy.
The compromise of privacy is assumed to be potentially worthwhile in
this system when a user interacts with a market research organization.
This was a scheme for transactions involving personal information by
selling the results of a buyer's queries against protected
information, with zero-knowledge proofs of validity.

Bryce Wilcox spoke on "Traditional PGP for Windows", using the
current-day PGP Developer's Kit to build a command-line PGP interface
compatible with PGP 5.0 keys and formats; it will be available open

Paul Syverson announced the oncoming availability of "2nd Generation
Onion Routing", which is going through the NRL review process now and
is expected to be released as an open source distribution.

Someone, who's name we lost gave a presentation describing
a new electronic currency, the "negabuck", eliminating fraud and theft by
declaring the currency to have negative value, such that no one would
want to counterfeit or steal it.  While this was intended to be humorous,
there actually are practical applications for certain negative-value 
currencies, such as tax scrip.

Marc Briceno gave a status report on the "DigiCash Acquisition
Consortium" he has organized, which expects very soon to announce a
flexible and opening

Vince Cate spoke about "Weaknesses of the Verifone Terminal",
observing that the protocols for communicating with a Verifone
merchant terminal permit a user to act as an arbitrary merchant,
request arbitrary refunds, and other weaknesses; apparently there is
no crypto, no authentication, no real security in those interactions.

The prize was awarded to Kazui Sako.  The panel approved of the 
Japanese equivalents of Alice, Bob, etc. used in describing her system,
and favored her actually-implemented system over some of the more theoretical
presentations.  Douglas Jackson of walked Sako through the
account creation process in front of the audience and then transfered
$350 in e-gold to her.  The prize for best rump session presentation was
in fact so popular that some with accepted papers in the formal sessions were
considering withdrawing their own papers from the formal session to enter 
in the rump session in order to have a chance at the prize, proving that 
financial cryptographers are often motivated by financial considerations 
as much as purely academic ones.  It would not be a surprise if such a
prize were offered in the future.


The first session on Wednesday, Steganography, was chaired by Yacov Yacobi.

Nicko van Someren presented work with Adi Shamir detailing new means
of efficiently searching large volumes of data for cryptographic data.
They took advantage of several special features of cryptographic data
(encrypted data as well as keys) -- the number theoretic properties of
RSA keys, the locally-high entropy in symmetric keys and encrypted
data, and simple high-speed tests, including visual
pattern-recognition.  They presented a "lunchtime attack" where one
could successfully recover a hidden key from a user's hard drive while
the user is away for lunch, as well as schemes to recover keys used in
copy protection and license control from program binaries themselves.

An important result of this is new reason for software publishers to
not depend upon compiled-in keys in user-readable software for
software licensing or security purposes.  Previously, it seemed that
hiding a key in the bulk of a large program might be enough defense,
but the visuals shown in this presentation clearly identified regions
of high-entropy key data in even a large program, and the analytical
tests were even more powerful.

The final talk in this session was presented by Markus Breitbach.  It
was work with Hideki Imai, "On channel capacity and modulation in
watermarking of digital still images".  The talk differentiated
between reversible and irreversible image transformations, and singled
out jamming attacks as a major potential problem to overcome, drawing
parallels to military communications systems.  A binary alphabet was
shown to be the most efficient in terms of channel capacity.

The next session was Content Distribution, chaired by Berry Schoenmakers.

The presentation talk in this section was presented by Avisha Wool,
work with Abdalla and Shavitt, "Towards making broadcast encryption
practical".  They described solutions for symmetric key encrypted
broadcasts, such as satellite television, with minimal requirements
for key storage, with the useful feature of being able to target a
particular subset of a subscriber base for a particular broadcast.
They made the fundamental observation that it is usually ok to allow
some free riders to view a broadcast, as long the number of free
riders can be bounded, and the chances of a given user viewing a
broadcast without paying are acceptably low.  They use a system which
is a hierarchical tree of keys, with users belonging to multiple
groups of increasing generality, such that when enough of a subtree is
filled with users, the parent key is used instead.  They did
mathematical analyses of various group sizes, modifications to the
basic scheme, and concluded that eliminating large groups and adding
more partially-overlapping small groups would improve the average
efficiency of the scheme.

The last academic paper presented on Wednesday was David Goldschlag's
"Conditional access concepts and principles", joint work with David Kravitz.
He detailed the business case for divx-style access control on media, 
the security rationale for
closed systems in conditional access control (such as the non-standard
storage format of Divx discs), and the risk analysis that is undertaken
before deploying such a system.  Two kinds of video decryption technology,
the external smartcard which returns keys used in satellite systems,
and the all-in-one key/decrypt module used in Divx, were presented,
and various strengths and weaknesses of each were explained.

The main point in this presentation was in some ways parallel to the
Mondex fraud-modeling presentation given earlier -- Conditional Access
technology (often confusingly called "CA" technology, unrelated to
Certificate Authorities) works best when the goal is to prevent
economic benefit to the attacker, rather than making all attacks
infeasible.  According to Goldschlag, the legitimate content
distributor has an advantage over pirates in distribution technology,
so as long as the conditional access scheme is sufficient to prevent
the pirate from leveraging the legitimate provider's infrastructure,
requiring the pirate to get into the business of content distribution
himself, it is successful.  The point was raised later that compressed
audio distribution (i.e. mp3) is already evolved to the point where
legitimate providers have little competitive advantage over pirates,
and others suggested that even video is not far from this point.  In
his presentation, Goldschlag said content redistribution is a major

Finally, Joan Feigenbaum chaired a panel, "Fair use, intellectual 
property, and the information economy", comprised of: Erin Sawyer
(Cooley Godward LLP); Jon Amster (replacing Ed Fish);
Dan Boneh (Stanford); Brian LaMacchia (Microsoft); David Goldschlag (DivX);
and Jon Callas (Network Associates).

The topics of copyright protection and the rights of consumer and
producer were the focus of this lively panel discussion. The
forthcoming US Digital Millenium Act attracted attention for its
attempt to give legal status to content protection mechanisms. Concern
was expressed that this would outlaw legitimate research into such
things as smartcard security, and that providers may use technical
means to enforce restrictions which the law could not. This led on to
'fair use' of copyright material, which is a right under UK law but
not under US, and the possibilities that this may be denied in
future. It was suggested that, in future, media would be licensed to
the user rather than sold - some panel members expressed fears that
this may be used to prevent analysis and criticism of the product and
this was a denial of free speech. It was also suggested that consumers
would be resistant to distribution arrangements which were more
restrictive that those currently available, and that this would lead
to growth in Internet sales outside of conventional channels.

Specific presentations went as follows:

Callas, who previously testified in Congress about the potentially
chilling effect of anti-circumvention legislation on security
research, described the compromise reached with the government by
which one can safely undertake security research without the consent
of the product's manufacturer -- one should ask the manufacturer for
permission, but a response is not required (it is unclear how this is
different from simple notification), and the results should be made
available to the manufacturer.

Goldschlag made a case for the "first sale doctrine" not applying to
the DivX conditional access DVD system.  He also cited the Japanese
music market, where first sale does seem to apply, and redistribution
is consequently rampant.  CDs in the Japanese market cost
approximately 80% more than in the US market as a result.

Sawyer described the "Uniform Commercial Code 2b", a massive effort by
the legal community to take into account current and future changes in
the business environment.  Sawyer disagrees with the effort's attempt
to have the legal community anticipate commercial reality, instead
suggesting that business should develop practices which should then be
reviewed by the legal community and incorporated into the law after
the fact.

LaMacchia spoke about the fair use defense, the future potential for
machine-interpretable and enforceable contracts (often called "smart
contracts" and discussed in the capabilities community), and also
emphasized that layering contract law, such as in conditional access
systes, on top of copyright protections on the underlying media is a
potentially bad idea.

Boneh made the case that it might not be bad for business, just
different, if copyright and access control are changed by new

Amster asserted that copyright and contract law must coexist, as
copyright is required to ascribe value to information and make it
property, and contract law can be used to restrict access to property.
He also didn't feel fair use should become a codified right, as it is
now a defense after the fact, and it might be acceptable now if even
that fair use went away.

When the question of technological enhancements allowing finer-grained
access control came up, Sawyer said contract also provides
finer-grained access control than copyright, and Goldschlag said that
this control might actually improve things for consumers -- middlemen
will now have the ability to individually price things for different
kinds of consumers, in the way that videocassettes sold to rental
firms sell for more than those sold to private individuals.  Callas
was afraid of copyright as a potential right to monopoly.  LaMacchia
was also concerned that the license terms under which users license
content may prohibit later commentary by the user on that work, either
legally or technically (by preventing cutting and pasting).

Finally, the confrontation between technical ability and the legal
system was brought up numerous times, from Bob Hettinga's assertion
that in a world with strong cryptography and realtime auction markets,
copyright is effectively unenforceable, to Paul Kocher's question of
how the world can deal with countries with unusually favorable laws,
such as Anguilla.  Jon Callas described how he "signs" electronic
software licenses -- verbally saying "I accept, with my
modifications", and Sawyer said those who have technical capabilities
to provide or limit access to content "should use it, and force
changes in the legal system".  One thing seems clear -- how technology
will interact with the legal system's copyright and contract law is
still an open question.

After lunch, there were commercial exhibition sessions.  First was
"Key provisioning, protection and processing -- scaleable hardware
crypto solutions", given by Alex van Someren of nCipher.  nCipher's
hardware uses both physical and logical means to protect keys during
the distribution process, ensuring that hardware tamper-resistant key
control is exercised at all times, while also providing means for
backup of keys and replacement of failed hardware.  The blue LED's on
the front of nCipher accelerators do not play a major security role,
but they are very attractive.

Next was "Who the hell is EuroRSCG Interactive", given by Paul
Dinnissen of EURO RSCG Interactive.  The company, formed by the merger
of a technical services firm and a Dutch marketing firm, was

On Wednesday evening, a party was held by e-gold on Anguilla's "crypto
hill", a local concentration of cryptographers.  At the event, e-gold
promoted their payment system, including offering to redeem the 1 oz
silver american eagle coins it distributed earlier to every attendee
for e-gold on the spot.  However, most elected to keep the coins and
those who opened their e-gold accounts usually used USD currency --
shiny metal triumphed over electrons, even in this crowd.

During the party, various electronic cash systems were discussed,
including the potential for issuing electronic currencies backed by
commoditized services, rather than physical assets or government debt.
The topic of how to add and remove money from an online system was
again a popular topic, and the presence of a large number of physical
precious metal coins reinforced the difficulty in converting such
assets into online instruments in an efficient way.


Thuesday's first session was Anonymity Mechanisms, chaired by Ari Juels.

The first presentation, given by Stuart Schechter, was of research
with Todd Parnell and Alex Hartemink, "Anonymous authentication of
membership in dynamic groups".  This introduced the concept of
"verifiably common secret encoding", descibed how it would be useful
to allow users to identify themselves to a publisher as a subscriber
without revealing additional identity information, and then developed
an implementation of the verifiably common secret encoding.  This
construction used a vector of separately encoded values, and thus is
linear in the number of members in the group.  They suggested various
means for partitioning large groups, although this does sacrifice

The main differences between this scheme and other schemes are that it
allows addition and deletion of members, unlike group signature
schemes, and it allows removal of users at any time, rather than
during a forcible audit of the entire system, as is required by the
blinded token based schemes.  After the presentation, Syverson (the
developer of the token based proposal for dynamic group membership
authentication) asserted that the weaknesses cited in this
presentation did not necessarily apply to a well-implemented
token-based authentication system.

Gene Tsudik next presented a review of the current state of group
signatures in "Some open issues and new directions in group
signatures", joint work with Giuseppe Ateniese.  This paper described
the current state of group signatures in academic literature and also
proposed new applications, with the intent of getting group signatures
adopted in some actual production system (until now, they've primarily
been an academic curiosity).  Interesting subtopics such as
multi-group signatures and subgroup signatures were discussed in
detail, including sample constructions based on the Camenisch and
Stadler 97 scheme.

After a brief coffee break, the next session began -- Auctions and
Markets, chaired by Clifford Neuman.

The first presentation was "Anonymous investing: Hiding the identities
of stockholders", by MacKenzie and Sorensen.  The system was based on
certified anonymous public keys and trustee-revocable anonymity, and
used an objected called an "eshare" to allow both revocably anonymous
transfer as well as voting and divided collection, unlike simple
electronic cash tokens.  In order to allow taxation of dividends, they
introduce the concept of dividend tax scrip, a kind of "negative
currency" which flows in a direction opposite to value to assure tax

They did mention the potential pitfalls of anonymous investing,
including rampant insider trading, extortion, and money laundering.
There system provided some protection in the form of tracing certain
transactions after the fact, but in the questions after the
presentations, it became clear that the threats are very hard to
completely defeat.  Additionally, during the question session a scheme
was suggested to allow divided and voting without any changes to
underlying cash systems, simply using reissue of a new token, much
like a bond minus a coupon, after a vote or dividend.

The next presentation was "Fair on-line auctions without special
trusted parties", by Stubblebine and Syverson, presented by Paul
Syverson.  The presentation began with an interactive auction with the
audience as bidders, demonstrating various attacks on an auction by a
malicious auctioneer in collusion with a bidder.  They described a
system structured such that no rational participant, including the
auctioneer, has incentive to cheat, and there is no requirement for
special third parties to ensure this, although an external
timestamping service/notary and external certified email delivery
service are greatly beneficial.  Their system does not require the use
of a distributed threshold computation auctioneer, unlike most fair
auction schemes, as they believe such a scheme can only effectively be
used by large organizations, rather than individual small auctioneers.
They focused on the English auction scheme, although they did
introduce other kinds of auctions briefly in introduction.  The system
uses aggregated notarized bid histories and hash chains to minimize
computational complexity in a fast-paced auction.  Given recent
interest in online auctions (using trusted auctioneer systems
primarily) and investigations into fraud, the concept of
cryptographically secure auctions is highly relevant.

The next session was Distributed Crypto, chaired by Joan Feigenbaum.

Due to earlier substitution, Yacov Yacobi's talk, "E-cash systems with
randomized audit" occured at this time.  In it, Yacobi developed a
quantitative model of risk for both coin and balance based wallets
when coins are checked on-line for validity with a probability from 0
to 1.  Yacobi described a plane (audit rate vs. breaking cost) such
that system designers could explore a soundness curve, defined by
where breaking cost exceeds expected theft.

Important results included dramatically higher security risks in
balance wallets than coin wallets, given randomized audit and
imperfect tamper-resistance, an optimial multi-spending of fraudulent
coins being shown to be double spending a given coin.

The final academic paper of Financial Cryptography 99 was presented by
Joy Mueller, "Improved magic-ink signatures using hints", joint
research with Markus Jakobsson.  Despite two power failures during the
talk (the state-owned electric utility on Anguilla went down, blacking
out the whole island for over an hour, as is common) and failed
attempts to run the overhead off an UPS, the presentation continued.

In the presentation, two improvements to magic ink DSS signatures were
proposed.  Magic ink DSS signatures could be used for signing
electronic cash, and have several useful properties over regular
signatures.  The improvements presented in this session were intended
to dramatically reduce the cost of tracing, as well as to introduce a
method for detecting the presence of forged currency in the system.

An interesting technique used to avoid secret sharing and multiparty
computation was to perform operations on encrypted data.  During the
presentation, Mueller presented a chart of various signature schemes
used for electronic cash, and it was apparent that only the magic ink
signatures using hints provided protection from certain attacks on the
mint itself.
Finally, there was another commercial exhibition session.

The first presentation was by Sutcliffe Hodge, acting manager of Cable
and Wireless Anguilla, on the "Evolution of Internet services in
Anguilla".  In this presentation, he expressed the willingness of
Cable and Wireless to work with business that wanted to set up
operations on Anguilla.  He refused to mention price, which is
approximately US$ 30k/month for a t1 circuit or over US$2/minute for
voice calls, but did mention an example of someone who wanted multiple
t3 service for an Internet business on Anguilla who they talked down
to t1 service (and eventually went to Canada instead).

This was a particularly interesting presentation since many have
throughout the conference expressed desire to move to Anguilla and set
up companies, if only the telecommunications situation were improved,
and Victor Banks, in his opening remarks, alluded to dissatisfaction
with the telecommunications situation on Anguilla.  This presentation
was similar to last year's talk by David Chaum, widely considered to
have held up progress in electronic cash by refusing to license core
patents on blinding technology which have only relatively recently
been circumvented, in that the audience was rather "vocal" in
expressing opinions.

During the presentation, Hodge suggested that Cable and Wireless did not
in fact have a monopoly on Anguilla, since instead of making phone calls,
one could instead choose to spend the money on ice cream or other 
entertainment.  He then said "and I eat a lot of ice cream", with a clear
implication as to the cost of telecommunications services on Anguilla.

When again asked by an audience member why Cable and Wireless has a
legal monopoly, Hodge brought in the large sunk cost of the phone
switch on Anguilla, with capacity for 20 000 on an island of 10 000,
and said that if another company entered the market, they would both
lose money.  He had no answer when someone suggested this natural
monopoly could then stand on its own without government monopoly.

The next presentation was about ACORN.  ACORN is Anguilla's Commercial
Online Registration Network, and it was presented by John Lawrence, of
Anguilla's Financial Services Department.  It is a system to allow
registered corporate agents, of which there are 19 on Anguilla, to
enter corporate registrations from anywhere in the world.  This would
allow US businesses to serve as Anguillan corporate registries,
increasing the attractiveness of Anguillan corporations to foreigners.

A particularly interesting and tangential point raised during the
ACORN presentation is the state of digital signature law on Anguilla.
Since they are accepted in working with the corporate registry, it is
possible that they would be considered valid signatures on other
documents as well, potentially between private parties on Anguilla.
This would make Anguilla even more attractive for financial
cryptography companies.

The final presentation was of SAXAS, the Secure Account Exchange
Arbitration System, developed by Secure Accounts, Ltd. on Anguilla.
It was presented by Vince Cate, including a demonstration of working
software.  The system consists of a Java application which keeps track
of three components of a contract -- the holder, the owner, and the
backer, which are roughly equivalent to a clearing agent, the
end-user, and the underwriter in traditional electronic cash

The SAXAS system is an accounting engine, operating without blinding
of any kind and thus not covered by patents, which uses secure digital
signatures to transfer arbitrary instruments among parties located
across the network (i.e. peer to peer transfers).  The system also
includes a gateway interface to link to external payment systems, a
means to create online markets in various currencies, and
non-repudiation of transactions.

Financial Cryptography 99 concluded, leaving Anguilla for at least another 
year.  Several Financial Cryptography companies have set up operations on
Anguilla as a result of things learned during the conferences, including
Secure Accounts, c2 networks, InterTrust, and others.